Thursday, October 8, 2020

Threat Source newsletter for Oct. 8, 2020


Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers. 

We’ve been writing and talking about election security a ton lately. And as the U.S. presidential election draws closer, we decided it was time to summarize some things. So, we released this blog post with our formal recommendations for voters and how they can avoid disinformation and other bad actors trying to influence the election. 

Our researchers are also following the development of the PoetRAT malware. This remote access trojan is still targeting public and private entities in Azerbaijan, and we’ve seen the actor behind the threat make several tweaks over time to make it more agile and difficult to detect. 

If vulnerability research is more your thing, we also have a deep dive into our work discovering bugs in Microsoft Azure Sphere as part of a challenge from Microsoft. In all, we disclosed 16 vulnerabilities. Here’s what you need to know about them and how to stay protected. 


Location: CS3STHLM Virtual 
Date: Oct. 22 
Speakers: Kelly Leaschner 
Synopsis: As more devices are becoming cloud-connected, it is important to understand how this attack surface is different from traditional, socket-based server applications. There is no open port listening with a cloud-connected application, so there is additional work required in order to just get the application to accept attacker-controlled data. This talk will walk through the initial steps necessary to begin vulnerability research on this application. Cloud-based control of physical devices has some security benefits compared to traditional socket programming but, at the end of the day, there is an opportunity for bugs and vulnerabilities in the software responsible for handling cloud messages. This talk will describe changes in research methodology that are necessary for performing vulnerability research on a cloud-connected application. Kelly will also walk through some vulnerabilities she’s discovered — live — by impersonating the industrial vendor cloud application, resulting in root privileges.

Event: A double-edged sword: The threat of dual-use tools 
Location: SecureWV virtual
Date: Nov. 6 - 7
Speakers: Edmund Brumaghin 
Synopsis: It's difficult to read any information security news lately without hearing about large corporations being extorted by cyber criminals. In today's threat landscape, enterprises increasingly rely on red teams to identify risks and mitigate vulnerabilities in their infrastructure, so much so that an entire industry exists around tools that help facilitate this as effectively and efficiently as possible. 
Dual-use tools are developed to assist administrators in managing their systems or assist during security testing or red-teaming activities. Unfortunately, many of these same tools are often co-opted by threat actors attempting to compromise systems, attack organizational networks, or otherwise adversely affect companies around the world. This webinar will discuss the topic of dual-use tools and how they have historically been used in various attacks. It will also provide case studies that walk through how native system functionality and dual-use tools are often used in real-world attacks to evade detection at various stages of the attack lifecycle. Finally, we will discuss ways that organizations can defend against malicious abuse of otherwise legitimate technologies and toolsets. 

Cyber Security Week in Review

  • Two North American health care payment processors were infected with card-skimming malware in two separate attacks in May and June. Credit card company Visa disclosed the attacks at two of its clients, reporting that an attacker used three different malware strains in one of the infections. 
  • Facebook shut down numerous hijacked accounts a threat group was using to place fake ads. The advertisements, some of which pointed to malicious sites, pushed fake designer handbags and diet pills.  
  • GitHub released a new vulnerability-scanning tool to allow users to check for vulnerabilities in their code before uploading their products to the site. The tool transforms code into a queryable format, then identifies vulnerabilities and errors in code changes and reports them to the developer. 
  • Several Russian disinformation actors have reportedly shifted their sights to popular far-right American sites. The groups post misleading or false information about Democratic lawmakers, with the goal of deepening the political divide in the U.S. 
  • The U.S. Treasury Department says ransomware victims who pay extortion payments in exchange for the return of their data could be punished. American officials say the exchange of funds with some international actors could violate sanctions. 
  • Some clinical trials of a potential COVID-19 vaccine were interrupted by cyber attacks, according to a new report. No patients were affected, but the researchers had to switch to tracking the patients via pen-and-paper methods. 
  • Popular dating app Grindr recently fixed a vulnerability that could have allowed anyone to hijack other users' accounts. The app returned the password reset token to the browser in its response to a reset request, so anyone who knew a user's email address could reset that user's password without ever seeing the reset email. 
  • Universal Health Services says it fully recovered all its data after a ransomware attack last week. The hospital chain said electronic health care records were not affected, and it successfully reestablished connections with those systems. 
  • Facebook deleted a post from the American president relaying false information about COVID-19 and the flu, which could set a precedent for removing high-profile disinformation in the future. However, the social media giant has yet to say who authorized the removal of the post and under what rules it did so. 

Notable recent security issues

Description: Cisco Talos researchers report seeing a spike in exploitation attempts against the Microsoft vulnerability CVE-2020-1472, an elevation-of-privilege bug in Netlogon outlined in the August Microsoft Patch Tuesday report. The vulnerability stems from a flaw in the cryptographic authentication scheme used by the Netlogon Remote Protocol: the handshake computes client and server credentials with AES in CFB8 mode under a fixed all-zero initialization vector, so an attacker who submits an all-zero client challenge and an all-zero client credential is accepted for roughly one in every 256 session keys and only needs to retry the handshake a few hundred times. A forged authentication token of this kind can then be used to call Netlogon functionality that, among other things, updates computer account passwords. This lets an unauthenticated attacker on the network impersonate any computer, including the domain controller itself, and go on to obtain domain administrator credentials. Patching the domain controllers is the fix; the August update also writes Netlogon event IDs 5827 through 5831 for connections that still use the vulnerable channel, which is the list to clear before enabling enforcement mode. 
Snort SIDs: 55703, 55704 
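To make the cryptographic flaw concrete, the script below is an added illustration (not Talos's or Microsoft's code) of why a fixed all-zero IV in AES-CFB8 lets an all-zero credential pass about one time in 256. It assumes a SHA-256-based keyed block function as a stand-in for AES so that it runs with the Python standard library alone; CFB8 only uses the forward direction of the block function, so the structural property it shows holds for AES as well. The session keys and per-trial IVs are constructed values, not anything captured from a real handshake.

```python
import hashlib

BLOCK = 16      # AES block size in bytes
CHALLENGE = 8   # Netlogon challenges and credentials are 8 bytes
ZERO_IV = bytes(BLOCK)


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for AES-128 encryption of one block.
    Assumption: a SHA-256-based keyed function replaces AES so the script needs
    no third-party package; CFB8 uses only this forward direction, so the 1/256
    property demonstrated below is identical for a real block cipher."""
    assert len(block) == BLOCK
    return hashlib.sha256(key + block).digest()[:BLOCK]


def cfb8_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Generic CFB8: each plaintext byte is XORed with the first byte of
    E_k(shift register); the register then shifts left one byte and the
    ciphertext byte is fed back in."""
    assert len(iv) == BLOCK
    reg = bytearray(iv)
    out = bytearray()
    for p in plaintext:
        c = block_encrypt(key, bytes(reg))[0] ^ p
        out.append(c)
        reg = reg[1:] + bytes([c])
    return bytes(out)


def cfb8_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    """Inverse of cfb8_encrypt; included to show the mode itself is sound."""
    reg = bytearray(iv)
    out = bytearray()
    for c in ciphertext:
        out.append(block_encrypt(key, bytes(reg))[0] ^ c)
        reg = reg[1:] + bytes([c])
    return bytes(out)


def netlogon_credential(session_key: bytes, challenge: bytes, iv: bytes = ZERO_IV) -> bytes:
    """Credential computation as Netlogon does it: CFB8 over the 8-byte
    challenge under a fixed all-zero IV. The fixed IV is the flaw."""
    return cfb8_encrypt(session_key, iv, challenge)


def zero_challenge_accepted(session_key: bytes, iv: bytes = ZERO_IV) -> bool:
    """The attacker sends client challenge = 00*8 and client credential = 00*8.
    The server accepts iff its own computation of the credential is also 00*8."""
    return netlogon_credential(session_key, bytes(CHALLENGE), iv) == bytes(CHALLENGE)


def keystream_first_byte_is_zero(session_key: bytes) -> bool:
    """With a zero IV and zero plaintext, the shift register never changes while
    the output stays zero, so all 8 credential bytes are zero exactly when the
    first byte of E_k(0^16) is zero. One byte decides all eight."""
    return block_encrypt(session_key, ZERO_IV)[0] == 0


def session_key_for_trial(i: int) -> bytes:
    """Constructed stand-in for the per-session key the attacker never sees."""
    return hashlib.sha256(b"session-" + str(i).encode()).digest()[:BLOCK]


def random_iv_for_trial(i: int) -> bytes:
    """Constructed per-session IV, used only to show what a fresh IV would change."""
    return hashlib.sha256(b"iv-" + str(i).encode()).digest()[:BLOCK]


def acceptance_rate(trials: int, fixed_zero_iv: bool = True) -> float:
    """Fraction of sessions in which the all-zero guess is accepted."""
    hits = 0
    for i in range(trials):
        iv = ZERO_IV if fixed_zero_iv else random_iv_for_trial(i)
        hits += zero_challenge_accepted(session_key_for_trial(i), iv)
    return hits / trials


def attempts_until_first_success(max_attempts: int) -> int:
    """Handshake attempts before the first accepted all-zero credential, i.e.
    the loop a Zerologon exploit runs against a domain controller; -1 if none."""
    for i in range(max_attempts):
        if zero_challenge_accepted(session_key_for_trial(i)):
            return i + 1
    return -1


if __name__ == "__main__":
    print("zero IV, all-zero guess accepted:", acceptance_rate(20000))
    print("fresh IV, all-zero guess accepted:", acceptance_rate(20000, fixed_zero_iv=False))
    print("attempts until first success:", attempts_until_first_success(5000))
```

Running the script prints an acceptance rate near 1/256 for the fixed zero IV and 0 for a per-session IV: with a fresh IV each of the eight credential bytes is an independent event and the guess succeeds with probability about 2^-64, which is why the mode is fine in general and only the fixed IV plus attacker-chosen plaintext make it exploitable.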

Description: Cisco patched several vulnerabilities — many of them considered severe — in its IOS operating system. The updates address denial-of-service, file overwrite and input validation attacks that affect many of Cisco’s products. Two of the vulnerabilities — CVE-2020-3421 and CVE-2020-3480 — exist in Cisco’s Zone-Based Firewall. An attacker could exploit these bugs to cause the affected device to reload or make it stop forwarding traffic through the firewall. 
Snort SIDs: 55815 – 55819, 55830 - 55832 

Most prevalent malware files this week

MD5: 8c80dd97c37525927c1e549cb59bcbf3  
Typical Filename: Eter.exe  
Claimed Product: N/A  
Detection Name: 

MD5: 29f47c2f15d6421bdd813be27a2e3b25 
Typical Filename: FlashHelperServices.exe 
Claimed Product: N/A 
Detection Name: Flash Helper Service 

MD5: 01a607b4d69c549629e6f0dfd3983956 
Typical Filename: wupxarch.exe 
Claimed Product: N/A 
Detection Name: W32.Auto:1eef72aa56.in03.Talos 

MD5: e2ea315d9a83e7577053f52c974f6a5a  
Typical Filename: Tempmf582901854.exe  
Claimed Product: N/A  
Detection Name: Win.Dropper.Agentwdcr::1201 

MD5: 799b30f47060ca05d80ece53866e01cc  
Typical Filename: mf2016341595.exe  
Claimed Product: N/A  
Detection Name: Win.Downloader.Generic::1201 

Keep up with all things Talos by following us on Twitter. Snort, ClamAV and Immunet also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast here (as well as on your favorite podcast app). And, if you're not already, you can also subscribe to the weekly Threat Source newsletter here.  
