Newsletter compiled by Jon Munshaw.
Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.
What’s old is new again.
Our research this week centers around a series of long-lasting threat actors and malware that have been given new life.
China Chopper, a 9-year-old web shell, is more prevalent than ever now that the source code is out there, so any threat actor could conceivably use it. We recently discovered three distinct campaigns using it for a variety of malicious activities.
We’ve also discovered threat actors using two of the most popular RATs — Orcus RAT and RevengeRAT — to target government entities, financial services organizations, information technology service providers and consultancies.
We also have our weekly Threat Roundup, which you can find on the blog every Friday afternoon. There, we go over the most prominent threats we’ve seen (and blocked) over the past week.
Event:“DNS on Fire” at Virus Bulletin 2019
**Location:**Novotel London West hotel, London, U.K.
**Date:**Oct. 2 - 4
**Speaker:**Warren Mercer and Paul Rascagneres
**Synopsis:**In this talk, Paul and Warren will walk through two campaigns Talos discovered targeted DNS. The first actor developed a piece of malware, named “DNSpionage,” targeting several government agencies in the Middle East, as well as an airline. During the research process for DNSpionage, we also discovered an effort to redirect DNSs from the targets and discovered some registered SSL certificates for them. The talk will go through the two actors’ tactics, techniques and procedures and the makeup of their targets.
** **Event: “It’s never DNS…It was DNS: How adversaries are abusing network blind spots” at SecTor **Location: **Metro Toronto Convention Center, Toronto, Canada **Date: **Oct. 7 - 10 **Speaker: **Edmund Brumaghin and Earl Carter **Synopsis: **While DNS is one of the most commonly used network protocols in most corporate networks, many organizations don’t give it the same level of scrutiny as other network protocols present in their environments. DNS has become increasingly attractive to both red teams and malicious attackers alike to easily subvert otherwise solid security architectures. This presentation will provide several technical breakdowns of real-world attacks that have been seen leveraging DNS for a variety of purposes such as DNSMessenger, DNSpionage, and more.
**Title:**Critical vulnerabilities found in some Cisco smart switches
**Description:**Two vulnerabilities in Cisco’s 220 series of smart switches for small businesses could allow an attacker to leak sensitive information or inject malicious code. CVE-2019-1912 could allow an attacker to bypass security checks on the switch and upload arbitrary files. And CVE-2019-1913 opens the switches to a buffer overflow attack, which could be used to gain the ability to remotely execute code on the machine with root privileges.
**Snort SIDs:**51293 – 51295 (Written by John Levy), 51298 – 51300 (Written by Amit Raut), 51306 - 51307 (Written by Tim Muniz)
** **Title: PopularVPN services open to attack, data leaks
**Description:**Attackers are actively exploiting vulnerabilities in the Fortigate and Pulse VPN services to steal encryption keys, passwords and other sensitive data. These campaigns, which started last week, target the Webmin utility for managing Linux and *NIX systems. These are devices in enterprise networks, and the vulnerabilities involved could allow an attacker to take complete control of a system.
**Snort SIDs:**51240 – 51243 (Written by John Levy), 51288, 51289 (Written by Joanne Kim)
SHA 256:3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3** ** **MD5: **47b97de62ae8b2b927542aa5d7f3c858 **Typical Filename: **qmreportupload.exe **Claimed Product: **qmreportupload **Detection Name: Win.Trojan.Generic::in10.talos **
****SHA 256:7acf71afa895df5358b0ede2d71128634bfbbc0e2d9deccff5c5eaa25e6f5510 **** **MD5: **4a50780ddb3db16ebab57b0ca42da0fb **Typical Filename: **xme64-2141.exe **Claimed Product: N/A Detection Name: W32.7ACF71AFA8-95.SBX.TG **
****SHA 256:1755c179f08a648a618043a5af2314d6a679d6bdf77d4d9fca5117ebd9f3ea7c **MD5: **c785a8b0be77a216a5223c41d8dd937f **Typical Filename: **cslast.gif **Claimed Product:**N/A **Detection Name: W32.1755C179F0-100.SBX.TG **
SHA 256:46b241e3d33811f7364294ea99170b35462b4b5b85f71ac69d75daa487f7cf08 **MD5: **db69eaaea4d49703f161c81e6fdd036f **Typical Filename: **invoice.exe **Claimed Product:N/A Detection Name: W32.46B241E3D3-95.SBX.TG **
****SHA 256:093cc39350b9dd2630a1b48372abc827251a3d37bd88c35cea2e784359b457d7 **MD5: **3c7be1dbe9eecfc73f4476bf18d1df3f **Typical Filename: **sayext.gif **Claimed Product: **N/A **Detection Name: **W32.093CC39350-100.SBX.TG