Thursday, April 16, 2020

Threat Source newsletter for April 16, 2020

Newsletter compiled by Jon Munshaw.

Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.

It’s what — week 5 of this quarantine in the U.S.? Week 6? We’ve lost count. And so did the Beers with Talos guys. But lucky for you, that led to a — shall we say — unique podcast episode.

This week was Microsoft Patch Tuesday. The company disclosed more than 100 vulnerabilities and more than a dozen that were considered critical. We have our complete rundown here, as well as in-depth information on one of the vulnerabilities our researchers discovered.

We also have our latest Incident Response quarterly recap, as we reflect on the major incidents CTIR responded to between November 2019 and January 2020.

And, as always, we have the latest Threat Roundup where we go through the top threats we saw — and blocked — over the past week.

Upcoming public engagements

Event: “Hiding in Plain Sight: Analyzing recent evolutions in malware loaders” at Hack in the Box Security Conference Lockdown Livestream
Location: Streaming live on YouTube
Date: April 25 - 26
Speakers: Holger Unterbrink and Edmund Brumaghin
Synopsis: Over the past year, Talos observed a significant increase in the volume and variety of malware loaders being distributed worldwide. Rather than leveraging malvertising and extensive TDS infrastructure, adversaries are now distributing loaders and creating new botnets that can be monetized to perform the spread of malware payloads for criminals seeking to deploy RATs, stealers and banking trojans. This new generation of malware loaders features increased obfuscation, modularization, and maximum flexibility for the operators of these botnets. This talk will describe this recent shift in malware distribution, how these loaders are being leveraged, and how obfuscation and multi-stage delivery is being used to maximize efficiency and evade detection. We will also cover techniques for hunting these loaders in a corporate environment and ways to more easily analyze them.

Event: “Everyone's Advanced Now: The evolution of actors on the threat landscape” at Interop Tokyo 2020
Location: Makuhari Messe, Tokyo, Japan
Date: June 10 - 12
Speakers: Nick Biasini
Synopsis: In the past, there were two clear classes of adversary an enterprise would face: sophisticated and basic. These basic threats were commodity infections that would require simple triage and remediation. Today, these commodity infections can quickly turn into enterprise-crippling ransomware attacks, costing organizations millions of dollars to recover. Now more than ever, organizations need every advantage they can get — and threat intelligence is a big part of it. Having visibility into your own environment and attacks around the globe are equally vital to success. This talk will cover these trends and show how the gap between the sophisticated and the basic adversary is quickly disappearing.

Cyber Security Week in Review

  • Apple and Google say the two companies are working together to create a COVID-19 tracking app that will alert users if they’ve been in contact with someone who’s tested positive for the disease. This location tracking has raised questions over privacy, but the companies say they are prepared to put users’ minds at ease. 
  • The Czech government is warning the country’s hospitals that adversaries are preparing to launch cyber attacks in the coming days and weeks. The second-largest hospital in the country was already targeted by a campaign in February. 
  • More details have emerged regarding a trojan on Android devices that can reinstall itself. New research suggests a trojan known as Triada reinstalls files on the device even after reboot and even prevents deletion.  
  • Adversaries are selling usernames, passwords and email addresses for Zoom users are for sale on the dark web. One data set that recently sold reportedly totaled more than 530,000 accounts. 
  • The popular video conferencing app also offered users the ability to choose which countries their calls are routed through. However, the new feature is only available to paid users. 
  • Currency exchange firm Travelex paid a multi-million-dollar ransom to attackers earlier this year after a data breach. The firm would later run into additional financial troubles in the U.K. 
  • A major Portuguese energy company says attackers are asking for an $11 million extortion payment after a data breach. EDP reportedly was hit with the Ragnar Locker ransomware. 
  • Oracle released patches for 405 vulnerabilities across its range of products this week. The Fusion Middleware alone had 49 bugs that could be exploited remotely without authentication. 
  • A new report suggests the U.S. Pentagon is far behind on improvements to cyber security. The Department of Defense set three goals five years ago, but none of them have been met yet, according to the Government Accountability Office. 

Notable recent security issues

Title: Microsoft releases monthly security update
Description: Microsoft released its monthly security update this week, disclosing vulnerabilities across many of its products and releasing corresponding updates. This month's Patch Tuesday covers 113 vulnerabilities. Eighteen of the flaws Microsoft disclosed are considered critical, while one is considered “moderate.” The remainders are scored as being “important” updates. This month’s security update covers security issues in a variety of Microsoft services and software, including SharePoint, the Windows font library and the Windows kernel.
Snort SIDs: 53489 - 53492, 53619 - 53630, 53652 - 53655

Title: DrayTek routers, switches open to attack
Description: Tech company DrayTek recently patched two zero-day vulnerabilities in some of its routers and switches that could allow malicious actors to monitor traffic and install backdoors on affected networks. DrayTek worked with security researchers to discover the vulnerabilities and active exploitations in December, and patches were made available in late March. Users are encouraged to patch their devices as soon as possible or disable remote admin access.
Snort SIDs: 53591, 53592

Most prevalent malware files this week

SHA 256: a545df34334b39522b9cc8cc0c11a1591e016539b209ca1d4ab8626d70a54776
MD5: 5d34464531ddbdc7b0a4dba5b4c1cfea
Typical Filename: FlashHelperServices.exe
Claimed Product: Flash Helper Service
Detection Name: PUA.Win.Adware.Flashserv::in03.talos

SHA 256: 589d9977a5b0420d29acc0c1968a2ff48102ac3ddc0a1f3188be79d0a4949c82 
MD5: bf1d79fad6471fcf50e38a9ea1f646a5
Typical Filename: wupxarch.exe
Claimed Product: N/A
Detection Name: W32.Auto:589d99.in03.Talos

SHA 256: 85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5
MD5: 8c80dd97c37525927c1e549cb59bcbf3
Typical Filename: eternalblue-2.2.0.exe
Claimed Product: N/A
Detection Name:

SHA 256: 518a8844dae953d7f2510d38ba916f1c4ccc01cfba58f69290938b6ddde8b472
MD5: 9b47b9f19455bf56138ddb81c93b6c0c
Typical Filename: updateprofile.exe
Claimed Product: N/A
Detection Name: Win.Dropper.Generic::tpd

SHA 256: 1c3ed460a7f78a43bab0ae575056d00c629f35cf7e72443b4e874ede0f305871
MD5: c2406fc0fce67ae79e625013325e2a68
Typical Filename: SegurazoIC.exe
Claimed Product: Segurazo IC
Detection Name:

Keep up with all things Talos by following us on TwitterSnortClamAV and Immunet also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.  

No comments:

Post a Comment

Note: Only a member of this blog may post a comment.