Thursday, March 19, 2020

Threat Source newsletter (March 19, 2020)

Newsletter compiled by Jon Munshaw.

Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.

We hope everyone is staying home (if possible) and staying safe. Unfortunately, the bad guys aren’t going anywhere, so we’re still plugging away remotely. Hasn’t anyone told them we need a break?

COVID-19 is obviously on the top of everyone’s mind. We are working on some new content around working from home and COVID-related malware. In the meantime, go back and read our post from February about attackers trying to take advantage of coronavirus panic.

And, as always, we have the latest Threat Roundup where we go through the top threats we saw — and blocked — over the past week.

Upcoming public engagements

Event: “Everyone's Advanced Now: The evolution of actors on the threat landscape” at Interop Tokyo 2020
Location: Makuhari Messe, Tokyo, Japan
Date: June 10 - 12
Speakers: Nick Biasini
Synopsis: In the past, there were two clear classes of adversary an enterprise would face: sophisticated and basic. These basic threats were commodity infections that would require simple triage and remediation. Today, these commodity infections can quickly turn into enterprise-crippling ransomware attacks, costing organizations millions of dollars to recover. Now more than ever, organizations need every advantage they can get — and threat intelligence is a big part of it. Having visibility into your own environment and attacks around the globe are equally vital to success. This talk will cover these trends and show how the gap between the sophisticated and the basic adversary is quickly disappearing.

Cyber Security Week in Review

  • Attackers are capitalizing on the COVID-19 pandemic, sending out a massive wave of spam and themed malware. The usual advice remains — check your sources; if it’s too good, it probably is; and don’t click on any emails unless you know who sent it. 
  • More workers are also working from home than ever. This presents its own set of security risks, including a lack of security resources on home networks and an increasing reliance on cloud storage solutions. 
  • Federal officials with the U.S. say they are consistently fighting off cyber attacks seeking to sow fear and doubt during its COVID-19 response. Some experts are already pointing fingers at Russian and Chinese online adversaries. 
  • The U.S. Department of Health and Human Services was one of the first targets. Officials said the department’s networks were not affected though the attempted intrusion came at an inopportune time. 
  • More Americans may be looking to have a virtual visit with a health care professional during the pandemic to avoid physically entering a doctor’s office. But President Donald Trump’s loosening of rules around those visits opens individuals to a new type of cyber scam
  • While Congress works on bills to support businesses during the COVID-19 pandemic, there is also a quieter push to give the government a bypass around end-to-end encryption. The sponsors of the bill say it is designed to protect children from being exploited. 
  • Cisco patched high-risk vulnerabilities in SD-WAN that could allow an attacker to obtain root privileges. The bugs could open many routers, controller software and network management systems to compromise. 
  • Microsoft unintentionally fixed a vulnerability in its Azure cloud platform that could have given attackers access to the target’s cloud services. Researchers believe there was only a two-week window where adversaries could have exploited the bug earlier this year. 

Notable recent security issues

Title: Parallax malware-for-sale increasingly spread through spam 
Description: The Parallax remote access trojan has been increasingly seen in spam emails as its become publicly available on hacker forums. The malware-as-a-service costs roughly $65 a month. Attackers attempt to use the RAT to gain access to a victim’s machine, and then steal their login credentials and files and execute code. Users are recommended to be vigilant for phony emails that may contain malicious links pointing to a Parallax download.
Snort SIDs: 53437 - 53440

Title: Zoho ManageEngine contains remote code execution vulnerability, being exploited in the wild
Description: Attackers are exploiting a remote code execution vulnerability in Zoho ManageEngine in the wild. The bug, identified as CVE-2020-10189, could allow an attacker to deserialize data and then execute arbitrary code on the victim machine with SYSTEM or root privileges. One security researcher discovered 2,300 unprotected instances utilizing ManageEngine.
Snort SIDs: 53433 - 53435

Most prevalent malware files this week

SHA 256: 8e0aea169927ae791dbafe063a567485d33154198cd539ee7efcd81a734ea325
MD5: 5fb477098fc975fd1b314c8fb0e4ec06
Typical Filename: upxarch.exe
Claimed Product: N/A 
Detection Name: Win.Dropper.Ranumbot::in07.talos

SHA 256: 1460fd00cb6addf9806a341fee9c5ab0a793762d1d97dca05fa17467c8705af7 
MD5: 88cbadec77cf90357f46a3629b6737e6
Typical Filename: FlashHelperServices.exe
Claimed Product: Flash Helper Services
Detection Name: PUA.Win.File.2144flashplayer::tpd

SHA 256: 1bbcd367a317af33aee72ae06f5f38067f27b27a0f321b54325cfb0f7431ebe7 
MD5: 06fad4d91f0e79143d1270ad0b1fce3f
Typical Filename: set-up.exe
Claimed Product: ĀµTorrent
Detection Name: W32.1BBCD367A3-100.SBX.VIOC

SHA 256: 85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5
MD5: 8c80dd97c37525927c1e549cb59bcbf3
Typical Filename: eternalblue-2.2.0.exe
Claimed Product: N/A
Detection Name:

SHA 256: 64f3633e009650708c070751bd7c7c28cd127b7a65d4ab4907dbe8ddaa01ec8b
MD5: 42143a53581e0304b08f61c2ef8032d7
Typical Filename: myfile.exe
Claimed Product: N/A 
Detection Name: Pdf.Phishing.Phishing::malicious.tht.talos 

Keep up with all things Talos by following us on TwitterSnortClamAV and Immunet also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.  

No comments:

Post a Comment

Note: Only a member of this blog may post a comment.