Threat Source newsletter for Aug. 13, 2020

Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers.

It’s really tough to attribute cyber attacks. We know it. You know it. But why is that, exactly? And why do we want to attribute attacks so badly anyway? In our latest blog post, we look at why attribution is challenging, and what pitfalls private researchers and government agencies alike face.

If you haven’t already, you need to update your Microsoft products. Patch Tuesday was this week, and with it came more than 100 vulnerabilities that you should know about. Here’s a rundown of the most notable bugs and what Snort rules can help.

Cyber Security Week in Review

COVID-19 creates another level of challenge to securing America’s 2020 presidential election. Several speakers at Blackhat and DEFCON last week highlighted the pitfalls that come along with vote by mail and fake news around the pandemic.
States are also pushing to do away with all-electronic voting machines ahead of the election. Paperless mechanisms pose a bevy of challenges, but that change has been inconsistent, at best.
A confidential White House document reportedly states that Russia wants to influence the election in a way that gets Donald Trump re-elected. Past reports came to the same conclusion during the 2016 election.
Security researchers discovered a vulnerability in Windows machines that dates back to the Windows 2000 operating system. If exploited, an attacker could stop the spooler service that sends information to printers.
TikTok’s status in the U.S. is still up in the air. While President Donald Trump still wants to ban the Chinese-made app, the company also says it will sue the administration to keep its status on app stores.
Some Qualcomm chips spanning multiple generations contain a combined 400-some vulnerabilities, the most severe of which could allow attackers to spy on users’ personal information contained on smartphones made by the likes of Google and Samsung.
Israel says it fought off an attack from a North Korean state-sponsored threat actor. Israeli officials say the attackers were trying to steal information from defense contractors.
Threat actors can eavesdrop on cell phone calls with about $7,000 in equipment. Researchers say there are limitations to this attack method in the wild, but proof of concept tests have so far been successful.

Notable recent security issues

Title: Microsoft disclosed 16 critical vulnerabilities as part of Patch Tuesday

Description: Microsoft released its monthly security update Tuesday, disclosing 120 vulnerabilities across its array of products. Sixteen of the vulnerabilities are considered “critical,” including one that Microsoft says is currently being exploited in the wild. Users of all Microsoft and Windows products are urged to update their software as soon as possible to avoid possible exploitation of all these bugs. Microsoft Media Foundation contains the largest number of these critical vulnerabilities. The bugs (CVE-2020-1379, CVE-2020-1477, CVE-2020-1492, CVE-2020-1525 and CVE-2020-1554) could all allow an adversary to corrupt memory in a way that would allow them to execute code remotely on the victim machine. Any of these vulnerabilities could be triggered if the target opens a specially crafted document or web page.

Snort SIDs: 54733 - 54746, 54753, 54754

Title: Cisco reports high-severity vulnerabilities in AnyConnect VPN, small business switches and routers

Description: Cisco warned users last week to update multiple lines of switches and routers, as well as the company’s VPN service. Some of the affected products could be force-rebooted and knocked offline. The AnyConnect VPN client for Windows also has a bug that could allow an adversary to perform a dynamic link library (DLL) hijacking attack. If a malicious user was to obtain credentials for the targeted Windows system, they could then execute malicious code with system-level privileges.

Snort SIDs: 54698 - 59702

Most prevalent malware files this week

SHA 256: 85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5

MD5: 8c80dd97c37525927c1e549cb59bcbf3

Typical Filename: Eter.exe

Claimed Product: N/A

Detection Name: Win.Exploit.Shadowbrokers::5A5226262.auto.talos

SHA 256: 3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3

MD5: 47b97de62ae8b2b927542aa5d7f3c858

Typical Filename: qmreportupload.exe

Claimed Product: qmreportupload

Detection Name: Win.Trojan.Generic::in10.talos

SHA 256: 8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9
MD5: 34560233e751b7e95f155b6f61e7419a
Typical Filename: SAService.exe
Claimed Product: SAService
Detection Name: PUA.Win.Dropper.Segurazo::tpd

SHA 256: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b

MD5: 799b30f47060ca05d80ece53866e01cc

Typical Filename: mf2016341595.exe

Claimed Product: N/A

Detection Name: Win.Downloader.Generic::1201

Keep up with all things Talos by following us on Twitter. Snort, ClamAV and Immunet also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.

Intelligence Center

Vulnerability Information

Security Resources

Media

Company

Could the Brazilian Supreme Court finally hold people accountable for sharing disinformation?

The internet is already scary enough without April Fool’s jokes

There are plenty of ways to improve cybersecurity that don’t involve making workers return to a physical office

Intelligence Center

Vulnerability Research

Incident Response