Thursday, May 7, 2020

Threat Source newsletter for May 7, 2020

Newsletter compiled by Jon Munshaw.

Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week. 

With all of us working from home, Beers with Talos episodes are coming out faster than ever. This week, we have an actual episode with security discussions rather than the “Cats” movie, including the importance of split-tunneling.  

There are also two Vulnerability Spotlights out alerting users of bugs in 3S CODESYS and Accusoft ImageGear.

And, as always, we have the latest Threat Roundup where we go through the top threats we saw — and blocked — over the past week. 

Upcoming public engagements

Event: “Dynamic Data Resolver IDA plugin” at NSEC Online 
Location: Streaming on Twitch 
Date: May 15 
Speakers: Holger Unterbrink 
Synopsis: Holger will walk through a recent plugin he developed for IDA Pro. The plugin can significantly reduce the time needed to analyze malware samples. Additionally, I think the plugin architecture and the DynamoRIO features open up many interesting opportunities for your own extensions and use cases. 

Event: “Everyone's Advanced Now: The evolution of actors on the threat landscape” at Interop Tokyo 2020
Location: Streaming on the conference's website
Date: June 10 - 12
Speakers: Nick Biasini
Synopsis: In the past, there were two clear classes of adversary an enterprise would face: sophisticated and basic. These basic threats were commodity infections that would require simple triage and remediation. Today, these commodity infections can quickly turn into enterprise-crippling ransomware attacks, costing organizations millions of dollars to recover. Now more than ever, organizations need every advantage they can get — and threat intelligence is a big part of it. Visibility into your own environment and into attacks around the globe are equally vital to success. This talk will cover these trends and show how the gap between the sophisticated and the basic adversary is quickly disappearing.

Cyber Security Week in Review

  • Countries across the globe are starting to launch their COVID-19 contact-tracing apps to help their recovery from the pandemic. A security researcher already discovered a vulnerability in India’s national app that could leak the exact location of users who report a positive diagnosis. 
  • A committee in U.K.’s parliament also warned the country that its contact-tracing apps lack basic security protocols. Some lawmakers are asking for more promises from the government about how users’ data will be stored and used. 
  • Cybercriminals are trying to capitalize on the global pandemic every day, which for some means more income. But other malicious actors have seen their costs to operate rise and their supply lines interrupted. 
  • A new bill introduced in Congress would install new rules to prevent the exploitation of children online. This Democrat-backed bill is a direct response to one introduced earlier by Republicans that also promises to protect children but also could open the doors for the elimination of encryption. 
  • Fresenius, the largest private hospital operating in Europe, was recently the victim of a ransomware attack. The organization says the breach has impacted some of its operations but patient care is continuing uninterrupted. 
  • Threat actors are rolling out new attack methods to steal American taxpayers’ information and siphon their COVID-19 stimulus checks. This data is also being sold on dark web forums between malicious actors. 
  • A new variant of the Dacls remote access trojan is infecting Mac users via a malicious two-factor authentication app. The app appears to mainly target users who speak Chinese.  
  • A new ransomware family called “ColdLock” is targeting organizations in Taiwan. The threat appears to target servers and databases, encrypting them until the victim pays an extortion payment. 
  • Congressional leaders continue to debate the validity of remote voting as lawmakers debate whether to return to in-person sessions. However, some have raised concerns about vote manipulation and the ability of lawmakers to install and update software securely. 

Notable recent security issues

Description: A new Aggah campaign pushes malicious Microsoft Office documents (maldocs) via malicious spam (malspam) emails distributing a multi-stage infection to a target user's endpoint. The final payload of the infection consists of a variety of Remote-Access-Tool (RAT) families such as Agent Tesla, njRAT and Nanocore RAT. Consistent with previous Aggah campaigns, this campaign also focuses on the use of pastebin[.]com for all its infrastructure needs. However, this campaign now utilizes multiple Pastebin accounts to host different stages of the attack. 
Snort SIDs: 53745 - 53748 

Description: A series of Remcos campaigns launched across the globe are using COVID-19-themed lure files to infect users. Microsoft says attackers are using specially crafted disk image files that contain malware, targeting major government agencies such as the U.S. Small Business Administration and manufacturing companies in South Korea. The phishing emails use subject lines related to the COVID-19 pandemic to trick users into opening the emails. 
Snort SIDs: 53793 - 53796 

Most prevalent malware files this week

SHA 256: fb022bbec694d9b38e8a0e80dd0bfdfe0a462ac0d180965d314651a7bc0614f4 
MD5: c6dc7326766f3769575caa3ccab71f63 
Typical Filename: wupxarch.exe
Claimed Product: N/A 
Detection Name: Win.Dropper.Ranumbot::in03.talos

SHA 256: 3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3
MD5: 47b97de62ae8b2b927542aa5d7f3c858  
Typical Filename: qmreportupload.exe
Claimed Product: qmreportupload
Detection Name: Win.Trojan.Generic::in10.talos

SHA 256: 85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5
MD5: 8c80dd97c37525927c1e549cb59bcbf3
Typical Filename: eternalblue-2.2.0.exe
Claimed Product: N/A
Detection Name:

SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f 
MD5: e2ea315d9a83e7577053f52c974f6a5a
Typical Filename: Tempmf582901854.exe
Claimed Product: N/A
Detection Name: W32.AgentWDCR:Gen.21gn.1201

SHA 256: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b 
MD5: 799b30f47060ca05d80ece53866e01cc
Typical Filename: mf2016341595.exe
Claimed Product: N/A
Detection Name: W32.Generic:Gen.22fz.1201

Keep up with all things Talos by following us on Twitter. Snort, ClamAV and Immunet also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.  
