Thursday, April 30, 2020

Threat Source newsletter for April 30, 2020

Newsletter compiled by Jon Munshaw.

Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.

Our newest research post focuses on the Aggah campaign. Threat actors are pushing Aggah to victims via malicious Microsoft Word documents, eventually using the infection to install Agent Tesla, njRAT and Nanocore RAT. Here’s what to be on the lookout for, and what you can do to fend off these attacks.

And, as always, we have the latest Threat Roundup where we go through the top threats we saw — and blocked — over the past week.

Upcoming public engagements

Event: “Everyone's Advanced Now: The evolution of actors on the threat landscape” at Interop Tokyo 2020
Location: Makuhari Messe, Tokyo, Japan
Date: June 10 - 12
Speakers: Nick Biasini
Synopsis: In the past, there were two clear classes of adversary an enterprise would face: sophisticated and basic. These basic threats were commodity infections that would require simple triage and remediation. Today, these commodity infections can quickly turn into enterprise-crippling ransomware attacks, costing organizations millions of dollars to recover. Now more than ever, organizations need every advantage they can get — and threat intelligence is a big part of it. Having visibility into your own environment and attacks around the globe are equally vital to success. This talk will cover these trends and show how the gap between the sophisticated and the basic adversary is quickly disappearing.

Cyber Security Week in Review

  • Microsoft patched a vulnerability in its Teams application that could allow an attacker to scrape account information with a specific GIF. Teams has become increasingly popular as more employees work from home and rely on video and text chat for communication. 
  • The World Health Organization says it’s seen a five-fold increase in cyber attacks targeted toward its staff. The organization said there were hundreds of emails leaked online connected to workers responding to the COVID-19 pandemic. 
  • The American and Australian governments both released warnings that state-sponsored threat actors should not be targeting the health care sector. Citing international cyber laws, the countries issued the statements after the Czech Republic reported its largest COVID-19 testing lab was hit with an attack. 
  • U.S. lawmakers are pushing for additional funding for the College of Information and Cyberspace, a component of the National Defense University, as the college inches closer toward closing. There are concerns that the closure of the college could lead to a workforce shortage. 
  • A group of apps on the Google Play store have been spreading malware since 2018. The apps have since been removed once researchers notified Google. 
  • Sophos warned users of a vulnerability in its firewall that could allow an adversary to inject malicious SQL codes. The company said it does not believe any attackers were able to steal information by exploiting the bug. 
  • Adobe patched 21 critical vulnerabilities in its Illustrator and Bridge programs. Illustrator specifically contained five memory corruption vulnerabilities that could allow an adversary to gain remote code execution abilities. 
  • Microsoft Office 365 added a new feature that makes it more difficult for phishing scams to be successful. Users can now edit, print and copy Office documents without exiting the “Protected Mode” which usually prevents the docs from executing malicious code. 
  • A new poll suggests less than half of Americans would be open to downloading coronavirus-tracking software. Apple and Google are currently developing a service that would alert users if they’ve been in contact with anyone who’s tested positive for COVID-19, information that governments say is key before reopening economies. 

Notable recent security issues

Title: MedusaLocker ransomware continues to remap drives, encrypt victims’ files
Description: MedusaLocker is a ransomware family that has been observed being deployed since its discovery in 2019. Since its introduction to the threat landscape, there have been several variants observed. However, most of the functionality remains consistent. The most notable differences are changes to the file extension used for encrypted files and the look and feel of the ransom note that is left on systems following the encryption process.
Snort SIDs: 53662 - 53664 

Title: Kwampirs malware goes after the health care sector
Description: The FBI recently released a warning to health care organizations warning them to be on the lookout for the Kwampirs malware. The RAT infects systems and then opens a backdoor on the victims’ network. Adversaries using Kwampirs have already been successful in infecting health care-related networks across the globe, according to the FBI’s report. Attackers are attempting to capitalize on the fear, uncertainty and a large amount of work that are coming with the COVID-19 pandemic.
Snort SIDs: 53738 – 53741

Most prevalent malware files this week

SHA 256: fb022bbec694d9b38e8a0e80dd0bfdfe0a462ac0d180965d314651a7bc0614f4 
MD5: c6dc7326766f3769575caa3ccab71f63 
Typical Filename: wupxarch.exe
Claimed Product: N/A 
Detection Name: Win.Dropper.Ranumbot::in03.talos

SHA 256: 85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5
MD5: 8c80dd97c37525927c1e549cb59bcbf3
Typical Filename: eternalblue-2.2.0.exe
Claimed Product: N/A
Detection Name:

SHA 256: 3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3
MD5: 47b97de62ae8b2b927542aa5d7f3c858  
Typical Filename: qmreportupload.exe
Claimed Product: qmreportupload
Detection Name: Win.Trojan.Generic::in10.talos

SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f 
MD5: e2ea315d9a83e7577053f52c974f6a5a
Typical Filename: Tempmf582901854.exe
Claimed Product: N/A
Detection Name: W32.AgentWDCR:Gen.21gn.1201

SHA 256: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b 
MD5: 799b30f47060ca05d80ece53866e01cc
Typical Filename: mf2016341595.exe
Claimed Product: N/A
Detection Name: W32.Generic:Gen.22fz.1201

Keep up with all things Talos by following us on TwitterSnortClamAV and Immunet also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.  

No comments:

Post a Comment

Note: Only a member of this blog may post a comment.