Threat Source newsletter for Aug. 20, 2020

Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers.

Hactivism always seems to cool and noble in the movies. Video games and TV shows have no shortage of their “hacker heroes,” too. But what are the real-world consequences of users who release sensitive information or carry out data breaches in the name of their idea of good?

That's what the newest Beers with Talos episode is all about. The crew also digs deeper into the ethical considerations of hacktivism, pseudo-anonymity and the intended effect of civil disobedience on society.

Cyber Security Week in Review

One of the largest manufacturers and managers of voting machines is under fire from the American Election Assistance Commission. The EAC is asking that the machines remove a claim that says they are certified by the commission.
The Tor browser says it detected exit relays monitoring outbound traffic in May and July. The organization says the group of relays redirected traffic to cryptocurrency exchange sites.
A major solution to the Emotet spam botnet has been distributed for more than six months. The EmoCrash tool essentially works as a killswitch and monitors users if their network has been infected by Emotet.
Oracle is now part of the race to purchase TikTok’s American operations. A sale to Microsoft or another tech company is one possible solution to U.S. President Donald Trump’s threat to ban the popular social media app from U.S. app stores.
The Canadian government had to shut down some public service sites over the weekend after a credential-stuffing attack. Some of the pages provide information on COVID-19 relief.
Election officials’ jobs keep getting harder in the leadup to the 2020 election. On top of the bevy of cyber-related threats, the U.S. postal system is also undergoing some severe changes, including the elimination of key mail-sorting systems that could back up mail-in voting.
Adversaries are copying the attack used to hijack major Twitter accounts last month to infect other organizations. “Voice phishing” is becoming a new popular form of social engineering to trick users into giving up login information.
The infamous Lazarus Group is back with another RAT. The U.S. Cybersecurity and Infrastructure Agency unveiled a new report on a malware called “BLINDINGCAN” that’s been used to target government contractors.
The South African branch of credit reporting agency Experian says it suffered a data breach affecting 24 million users. However, the company says it tracked down the attacker and removed the stolen records from their possession.

Notable recent security issues

Title: American intelligence agencies warn of uptick in Taidoor infections

Description: American intelligence agencies released a joint statement last week warning government agencies, contractors and think tanks of the Taidoor malware. Taidoor is believed to date back to 2008, having been spotted in the wild since 2012. The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, the Department of Defense’s Cyber Command (CyberCom), and the FBI issued a joint statement outlining the new strain of malware, which masks its communication with a command and control (C2) server. The RAT carries out multiple espionage activities, including exfiltrating files.

Snort SIDs: 54801

Title: Linux malware used to infiltrate sensitive networks

Description: A new malware strain believed to originate from Russian state-sponsored actors is targeting networks that hold sensitive intelligence information. Known as Drovorub, CISA says the malware has gone undetected until recently, spying on networks and exfiltrating sensitive information. Drovorub is a fully functioning toolkit that includes the ability to infect Linux devices, a kernel to gain persistence and avoid detection, a server that reaches out to a C2 and an agent to act as an intermediary between infected machines and attacker-controlled servers. Linux users are urged to upgrade to version 3.7 or later.

Snort SIDs: 54793

Most prevalent malware files this week

SHA 256: 449f4a4524c06e798193c1d3ba21c2d9338936375227277898c583780392d4d8

MD5: 179c09b866c9063254083216b55693e6

Typical Filename: SAService.exe

Claimed Product: SAService

Detection Name: PUA.Win.File.Segurazo::95.sbx.tg

SHA 256: 85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5

MD5: 8c80dd97c37525927c1e549cb59bcbf3

Typical Filename: Eter.exe

Claimed Product: N/A

Detection Name: Win.Exploit.Shadowbrokers::5A5226262.auto.talos

SHA 256: 3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3

MD5: 47b97de62ae8b2b927542aa5d7f3c858

Typical Filename: qmreportupload.exe

Claimed Product: qmreportupload

Detection Name: Win.Trojan.Generic::in10.talos

SHA 256: 8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9
MD5: 34560233e751b7e95f155b6f61e7419a
Typical Filename: SAService.exe
Claimed Product: SAService
Detection Name: PUA.Win.Dropper.Segurazo::tpd

SHA 256: 9836cf123caa799eaf57a449ba6da0cdecf0445f58a8238fa0d98b19e93cdb22

MD5: 26b2996b69542d039c303e2fee6dac81

Typical Filename: 226a60f6-4340-45e9-9b01-d95106369b83

Claimed Product: N/A

Detection Name: W32.9836CF123C-100.SBX.TG

Keep up with all things Talos by following us on Twitter. Snort, ClamAV and Immunet also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.

Intelligence Center

Vulnerability Information

Security Resources

Media

Company

Could the Brazilian Supreme Court finally hold people accountable for sharing disinformation?

The internet is already scary enough without April Fool’s jokes

There are plenty of ways to improve cybersecurity that don’t involve making workers return to a physical office

Intelligence Center

Vulnerability Research

Incident Response