Newsletter compiled by Jonathan Munshaw.
Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.
If you haven’t yet, there’s still time to register for this year’s Talos Threat Research Summit — our second annual conference by defenders, for defenders. This year’s Summit will take place on June 9 in San Diego — the same day Cisco Live kicks off in the same city. We sold out last year, so hurry to register!
This was a heavy week for vulnerability discovery. Snort rules are loaded up with protections against a recent wave of attacks centered around a critical Oracle WebLogic bug. We also discovered vulnerabilities in SQLite and three different Jenkins plugins.
Finally, we also have our weekly Threat Roundup, which you can find on the blog every Friday afternoon. There, we go over the most prominent threats we’ve seen (and blocked) over the past week.
Event: Copenhagen Cybercrime Conference
Location: Industriens Hus, Copenhagen, Denmark
Date: May 29
Speaker: Paul Rascagnères
Synopsis: Paul will give an overview of an espionage campaign targeting the Middle East that we called “DNSpionage.” First, he will go over the malware and its targets and then talk about the process the attackers took to direct DNSs. The talk will include a timeline of all events in this attack, including an alert from the U.S. Department of Homeland Security.
Event: Bsides London
Location: ILEC Conference Centre, London, England
Date: June 5
Speaker: Paul Rascagnères
Synopsis: Privacy has become a more public issue over time with the advent of instant messaging and social media. Secure Instant Messaging (SIM) has even become a problem for governments to start worrying about. While many people are using these messaging apps, it’s opened up the door for attackers to create phony, malicious apps that claim to offer the same services. In this talk, Paul will show various examples of these cloned applications and the different techniques used to send data back to the attacker.
Title:Attacks using WebLogic bugs expand, evolve
**Description:**Attackers continue to spread malware by exploiting a critical vulnerability in Oracle WebLogic. The bug, identified as CVE-2019-2725, was disclosed and patched last week. However, as users have been slow to update, attackers are still able to exploit this vulnerability to deliver ransomware, specifically Gandcrab and XMRig.
Snort SIDs: 50014 - 50025
Title:Cisco discloses 41 bugs, one of them critical
**Description:**Cisco released a security update for several of its products, including one critical bug in the SSH key management for the Nexus 9000 series Application Centric Infrastructure (ACI) mode switch software. An attacker could exploit this vulnerability by connecting to a machine via SSH, which could allow them to connect to the system with the same privileges as a root user.
Snort SIDs: 49992 - 49996, 50006, 50007
SHA 256: 3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3 **MD5:**47b97de62ae8b2b927542aa5d7f3c858 **Typical Filename:**qmreportupload.exe **Claimed Product:**qmreportupload Detection Name: Win.Trojan.Generic::in10.talos
SHA 256: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b **MD5:**799b30f47060ca05d80ece53866e01cc **Typical Filename:**799b30f47060ca05d80ece53866e01cc.vir **Claimed Product:**N/A **Detection Name: **W32.Generic:Gen.21ij.1201
SHA 256:c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f
MD5: e2ea315d9a83e7577053f52c974f6a5a **Typical Filename: **Tempmf582901854.exe **Claimed Product:**N/A **Detection Name: **W32.AgentWDCR:Gen.21gn.1201
SHA 256: 7acf71afa895df5358b0ede2d71128634bfbbc0e2d9deccff5c5eaa25e6f5510 **MD5:**4a50780ddb3db16ebab57b0ca42da0fb **Typical Filename: **xme64-2141.exe **Claimed Product:**N/A **Detection Name: **W32.7ACF71AFA8-95.SBX.TG
SHA 256: 9d48f382ec11bd9b35488a2c2b878e5401c2be43f00bcbae30d1619e6e2bf0c1 **MD5:**dd46d0260a6cdf5625d468398bae1f60 **Typical Filename:**N/A **Claimed Product: **N/A **Detection Name: **Win.Dropper.Undefined::tpd