Thursday, May 14, 2020

Threat Source newsletter for May 14, 2020

Newsletter compiled by Jon Munshaw.

Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.

Our main focus this week is on Astaroth. This is a malware family that has been targeting Brazil with a variety of lures, including COVID-19-themed documents, for the past nine to 12 months. Astaroth implements a robust series of anti-analysis/evasion techniques, among the most thorough we've seen recently. We have the full rundown of the threat and our protections against it.

And, as always, we have the latest Threat Roundup where we go through the top threats we saw — and blocked — over the past week. 

Upcoming public engagements

Event: “Dynamic Data Resolver IDA plugin” at NSEC Online 
Location: Streaming on Twitch 
Date: May 15 
Speakers: Holger Unterbrink 
Synopsis: Holger will walk through a recent plugin he developed for IDAPro. The plugin can significantly improve the analyzing time of malware samples. Additionally, I think the plugin architecture and the DynamoRIO features are opening many interesting opportunities for own extensions and use cases. 

Event: “Everyone's Advanced Now: The evolution of actors on the threat landscape” at Interop Tokyo 2020
Location: Streaming on the conference's website
Date: June 10 - 12
Speakers: Nick Biasini
Synopsis: In the past, there were two clear classes of adversary an enterprise would face: sophisticated and basic. These basic threats were commodity infections that would require simple triage and remediation. Today, these commodity infections can quickly turn into enterprise-crippling ransomware attacks, costing organizations millions of dollars to recover. Now more than ever, organizations need every advantage they can get — and threat intelligence is a big part of it. Having visibility into your own environment and attacks around the globe are equally vital to success. This talk will cover these trends and show how the gap between the sophisticated and the basic adversary is quickly disappearing.

Cyber Security Week in Review

  • The U.S. government is blaming multiple state-sponsored actors for cyber attacks targeting research on potential COVID-19 vaccines. An alert from the FBI says “cyber actors and nontraditional collectors” are targeting intellectual property and public health data. 
  • Democrats in Congress are working on legislation to direct the Department of Homeland Security to go after bad actors who are pushing disinformation about the coronavirus pandemic. Some posts and videos on social media have sowed distrust regarding vaccinations and improper treatments for COVID-19. 
  • A new bill in Congress would set guidelines for representatives to vote “by proxy” for other members who cannot attend votes in-person. The bill’s introduction came with several FAQs regarding the proposal’s impact on cyber security. 
  • The FBI seized an iPhone belonging to a U.S. senator as part of an investigation into their stock trades. Since then, the agency has issued a warrant to Apple to provide information on the senator’s iCloud account. 
  • The Department of Homeland Security is working on guidelines for telecommunications companies to protect 5G towers. There’s been an increase in physical attacks on the towers as several conspiracy theories have circulated online regarding 5G’s connection to COVID-19. 
  • A hacker went after a website belonging to the state of Ohio where employers can report employees who refuse to work due to the COVID-19 pandemic. After the denial-of-service attack, the state revised its policies on providing unemployment benefits to those who refuse to work during the pandemic. 
  • A threat group claims to have sensitive information and non-disclosure agreements on many high-profile celebrities. The hackers say they stole the data from famous English law firm Grubman Shire Meiselas & Sacks. 
  • As Apple and Google continue to develop their coronavirus contact-tracing app, many local governments are torn. Local leaders say they are hesitant to use the technology if it tracks and stores users’ locations. 
  • Package logistics company Pitney Bowes fell victim to a ransomware attack for the second time this year. The firm says it believes only “limited” data was accessed.  
  • Some companies are using tracking software to keep tabs on their employees’ online activities while they work from home. Some software promises to flag employees who are storing sensitive information in unsafe locations.  

Notable recent security issues

Title: Microsoft discloses 111 vulnerabilities as part of monthly security update
Description: Microsoft released its monthly security update today, disclosing vulnerabilities across many of its products and releasing corresponding updates. This month's Patch Tuesday covers 111 vulnerabilities. Fifteen of the flaws Microsoft disclosed are considered critical. There are also 95 "important" vulnerabilities and six low- and moderate-severity vulnerabilities each. This month’s security update also covers security issues in a variety of Microsoft services and software, including SharePoint, Media Foundation and the Chakra scripting engine.
Snort SIDs: 53916 - 53919, 53924 - 53933, 53940, 53941, 53950, 53951

Title: Adobe releases fixes for 36 vulnerabilities, 12 of which are critical
Description: Adobe disclosed 36 vulnerabilities this week in Acrobat, Reader and DNG. Twelve of the bugs are considered critical. Specifically, in Acrobat, there are six different vulnerabilities that could allow an adversary to execute arbitrary code on the victim machine. The DNG Software Development Kit also contains four heap overflow issues (CVE-2020-9589, CVE-2020-9590 , CVE-2020-9620, CVE-2020-9621) that can all lead to remote code execution attacks.
Snort SIDs: 53563, 53564, 53485, 53486 

Most prevalent malware files this week

SHA 256: fb022bbec694d9b38e8a0e80dd0bfdfe0a462ac0d180965d314651a7bc0614f4 
MD5: c6dc7326766f3769575caa3ccab71f63 
Typical Filename: wupxarch.exe
Claimed Product: N/A 
Detection Name: Win.Dropper.Ranumbot::in03.talos

SHA 256: dddbfa95401a3f2d9999055b976a0b4ae963e128f7f0d5b043efae29e4306c4a
MD5: 3409ff801cb177f6df26cfec8f4528ae
Typical Filename: FlashHelperServices.exe
Claimed Product: Flash Helper Services
Detection Name: PUA.Win.Adware.Flashserv::100.sbx.vioc

SHA 256: 85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5
MD5: 8c80dd97c37525927c1e549cb59bcbf3
Typical Filename: eternalblue-2.2.0.exe
Claimed Product: N/A
Detection Name:

SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f 
MD5: e2ea315d9a83e7577053f52c974f6a5a
Typical Filename: Tempmf582901854.exe
Claimed Product: N/A
Detection Name: W32.AgentWDCR:Gen.21gn.1201

SHA 256: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b 
MD5: 799b30f47060ca05d80ece53866e01cc
Typical Filename: mf2016341595.exe
Claimed Product: N/A
Detection Name: W32.Generic:Gen.22fz.1201

Keep up with all things Talos by following us on TwitterSnortClamAV and Immunet also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.  

No comments:

Post a Comment

Note: Only a member of this blog may post a comment.