Thursday, September 5, 2019

Threat Source newsletter (Sept. 5, 2019)

Newsletter compiled by Jon Munshaw.

Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.

By now, nearly everyone has heard of BlueKeep. It definitely sounds scary, with of this talk of wormable bugs and WannaCry. But so far, no attackers have used it to launch a large-scale attack.

Of course, we knew this wouldn’t stay quiet forever. Last month, Microsoft disclosed more RDP vulnerabilities in what’s being called “DejaBlue.” These are another set of wormable bugs, but we have a walkthrough for how Cisco Firepower customers can stay protected.

Elsewhere on the vulnerability front, we have advisories out for an information disclosure in Blynk-Library and two bugs in Epignosis eFront.

We also have our weekly Threat Roundup, which you can find on the blog every Friday afternoon. There, we go over the most prominent threats we’ve seen (and blocked) over the past week.

Upcoming public engagements with Talos

Event: “DNS on Fire” at Virus Bulletin 2019
Location: Novotel London West hotel, London, U.K.
Date: Oct. 2 - 4
Speaker: Warren Mercer and Paul Rascagneres
Synopsis: In this talk, Paul and Warren will walk through two campaigns Talos discovered targeted DNS. The first actor developed a piece of malware, named “DNSpionage,” targeting several government agencies in the Middle East, as well as an airline. During the research process for DNSpionage, we also discovered an effort to redirect DNSs from the targets and discovered some registered SSL certificates for them. The talk will go through the two actors’ tactics, techniques and procedures and the makeup of their targets.

Event: “It’s never DNS...It was DNS: How adversaries are abusing network blind spots” at SecTor
Location: Metro Toronto Convention Center, Toronto, Canada
Date: Oct. 7 - 10
Speaker: Edmund Brumaghin and Earl Carter
Synopsis: While DNS is one of the most commonly used network protocols in most corporate networks, many organizations don’t give it the same level of scrutiny as other network protocols present in their environments. DNS has become increasingly attractive to both red teams and malicious attackers alike to easily subvert otherwise solid security architectures. This presentation will provide several technical breakdowns of real-world attacks that have been seen leveraging DNS for a variety of purposes such as DNSMessenger, DNSpionage, and more.

Cyber Security Week in Review

  • A new study from IBM shows that American taxpayers do not support their tax money going toward paying ransomware extortion requests. The survey found that 80 percent of respondents say they are concerned about a ransomware attack on their city, and 60 percent say they would not want their government using taxpayer dollars to pay off attackers with the promise of returning stolen data.
  • A server containing millions of phone numbers linked to Facebook acccounts was found exposed online, including 133 million U.S. users. The server was not protected by a password, so anyone who found it could access it. 
  • The Federal Trade Commission and the state of New York levied a $170 million fine against YouTube for its mishandling of children’s data. YouTube will now require users uploading content targeted toward children to tag them as such, and will ask for parental consent before tracking children’s usage. 
  • A new report suggests there could be a link between companies and cities that have cyber insurance policies and those who are targeted by ransomware attacks. Organizations with insurance are also more likely to pay any requested extortion payments compared to those without policies. 
  • Chinese tech company Huawei accused the U.S. of launching cyber attacks against it to steal information. They also said the American government has used “unscrupulous means” to disrupt its business. 
  • A recently discovered group of malicious websites targeting mobile devices are believed to be sponsored by China to target Uyghur Muslims. The websites were able to infect iPhones and Android devices just by having the user open the site. 
  • An attack took down a popular online forum used by protestors in Hong Kong. Citizens there have spent weeks pushing back on policies that would closer align the region’s government with China. 
  • Congress introduced a bipartisan bill that would boost the federal government’s cyber defense systems. The proposed law would increase the amount of funding the Department of Homeland Security has to beef up federal government agencies’ internal security. 
  • Google Pixel owners began receiving Android 10 this week. The new mobile operating system includes new security and privacy features, including the ability to change location tracking services on an app-by-app basis on one screen. 

Notable recent security issues

Title: New protection fends off password-stealing attacks from popular VPN service
Description: Last week, attackers began launching password-stealing attacks against the Fortigate and Pulse VPN services. At the time, Cisco Talos released SNORT® rules to protect Pulse VPN, and there is now additional protection for Fortigate. Attackers are attempting to steal encryption keys, passwords and other important data from servers utilizing these two VPN services. These bugs can be exploited by sending the unpatched servers a specialized Web request that contains a special sequence of characters.
Snort SIDs: 51370 – 51372, 51387 (Written by John Levy) 

Title: Multiple vulnerabilities disclosed in Cisco NX-OS software 
Description: Cisco disclosed three denial-of-service vulnerabilities in its NX-OS software: CVE-2019-1965, CVE-2019-1964 and CVE-2019-1962. These bugs can cause a variety of conditions, including forced reboots, crashes or disruption of certain processes. All three are considered high-severity vulnerabilities.
Snort SIDs: 51365 - 51367 (Written by John Levy)

Most prevalent malware files this week

SHA 256: 3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3 
MD5: 47b97de62ae8b2b927542aa5d7f3c858
Typical Filename: qmreportupload.exe
Claimed Product: qmreportupload
Detection Name: Win.Trojan.Generic::in10.talos

SHA 256: 9a082883ad89498af3ad8ece88d982736edbd46d65908617cf292cf7b5836dbc 
MD5: 7a6f7f930217521e47c7b8d91fb79649
Typical Filename: DHL Scan File.img
Detection Name: W32.9A082883AD-100.SBX.TG

SHA 256: 7acf71afa895df5358b0ede2d71128634bfbbc0e2d9deccff5c5eaa25e6f5510 
MD5: 4a50780ddb3db16ebab57b0ca42da0fb
Typical Filename: xme64-2141.exe
Claimed Product: N/A
Detection Name: W32.7ACF71AFA8-95.SBX.TG

SHA 256: 1755c179f08a648a618043a5af2314d6a679d6bdf77d4d9fca5117ebd9f3ea7c 
MD5: c785a8b0be77a216a5223c41d8dd937f
Typical Filename: cslast.gif
Claimed Product: N/A
Detection Name: W32.1755C179F0-100.SBX.TG

SHA 256: 093cc39350b9dd2630a1b48372abc827251a3d37bd88c35cea2e784359b457d7 
MD5: 3c7be1dbe9eecfc73f4476bf18d1df3f
Typical Filename: sayext.gif
Claimed Product: N/A
Detection Name: W32.093CC39350-100.SBX.TG 

No comments:

Post a Comment

Note: Only a member of this blog may post a comment.