Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers.

We know it’s hard to focus on anything happening outside of Washington, D.C. this week. But we would be remiss if we didn’t mention the exciting news that the Snort 3 GA is officially out now! This update has been literally years in the making and is a major upgrade to Snort’s performance and its level of customization. Here’s our announcement post from Tuesday, and for the official downloads and even more resources, check out the Snort 3 hub page.

Talos is also hiring for multiple positions. Please bookmark our Careers page and check back every so often to see if we have any new listings up. We currently have several openings for security experts who want to join our team.

Upcoming public engagements with Talos

Title: “The Crimeware Arms Race: Modern Techniques in Malware Armoring and Evasion”

Event: CactusCon

Date: Feb. 6 - 7

Speakers: Edmund Brumaghin and Nick Biasini

Overview: As the volume of malware samples in the wild has continued to explode in recent years, a lot of effort has been put into the development of automated analysis platforms. These platforms typically execute files in controlled environments to observe their behavior and determine if the file is benign or malicious. As the use of these technologies has increased, adversaries have invested significant resources in developing techniques to circumvent automated analysis and evade detection. Malware developers are also implementing various techniques to make analysis more difficult. Modern botnets have begun leveraging new technologies to make their infrastructure more resilient to disruption by security organizations and law enforcement. This presentation will describe the latest techniques employed by adversaries to evade analysis and detection. It will also cover the new technologies being leveraged to establish C2 communications channels that are resilient against intervention by the security industry and law enforcement. We will discuss specific examples and walk through detailed case studies where these techniques are being employed, as well as how to defend against them more effectively.

Cybersecurity week in review

  • Security researchers discovered a fourth malware strain that was used in the SolarWinds breach. While it isn’t believed the malware was widely deployed, it does show how there is still much to learn about this campaign.
  • The techniques used in the SolarWinds attack are likely to show up again, too. Researchers are expecting other threat actors to copy much of what the adversaries did in the wide-ranging effort.
  • The SolarWinds incident will also likely influence the new Congress’ agenda. In what will be a quick-moving first 100 days in office for new President Joe Biden, the Democratic-controlled legislature will likely take up several cybersecurity-related bills.
  • Controversial app Parler appears to be coming back online with the help of a Russian company. Web-hosting service Epik is known for supporting other sites that fuel conspiracy theories and far-right users.
  • A woman who was part of the mob that stormed the U.S. Capitol was recently arrested for stealing House Speaker Nancy Pelosi’s laptop. The woman reportedly wanted to try to send the device to a Russian intelligence agency.
  • India’s government is asking WhatsApp to withdraw its proposed new privacy policy that would change the way the messaging app shares data with Facebook. India is one of WhatsApp’s largest markets.
  • The U.S. National Security Agency appointed longtime cybersecurity official Rob Joyce as its new cyber director. Joyce was a special security adviser to former President Donald Trump before Trump eliminated the position.
  • An error in attackers' code left stolen credentials exposed on the internet. Anyone could use a Google search to find the password associated with stolen email addresses.

Notable recent security issues

Title: Adversaries use BumbleBee tool to target organizations in Kuwait

Description: Researchers recently discovered a webshell called “BumbleBee” being used in an espionage campaign against Microsoft Exchange servers. The affected organizations thus far are located in Kuwait. BumbleBee was observed being used to upload and download files on a targeted Exchange server back in September. The operators behind this campaign, which researchers attribute to the xHunt group, used BumbleBee to execute commands and upload and download files. This is the latest tool xHunt has added to its arsenal. The group dates back to at least 2018 and has targeted Kuwaiti organizations and government agencies in the past, specifically going after the shipping and trading sectors.

Snort SIDs: 56887 – 56890

Title: Cisco urges users to update to new routers after vulnerabilities disclosed

Description: Cisco disclosed 74 vulnerabilities in some of its RV series of wireless routers last week, urging users to purchase new hardware rather than waiting for patches. The vulnerabilities all exist in products that have already reached end-of-life. The affected devices include the Cisco Small Business RV110W, RV130, RV130W and RV215W systems, which can all be used as firewalls, VPNs or standard routers. All of the vulnerabilities require that an attacker already have login credentials for the targeted device, and they are therefore not easily exploitable. This should give users a small runway to upgrade to new gear.

Snort SIDs: 56839 – 56845, 56866 – 56876, 56893, 56894

Most prevalent malware files this week

SHA 256: 8cb8e8c9fafa230ecf2f9513117f7679409e6fd5a94de383a8bc49fb9cdd1ba4

MD5: 176e303bd1072273689db542a7379ea9

Typical Filename: FlashHelperService.exe

Claimed Product: Flash Helper Service

Detection Name: W32.Variant.24cl.1201

SHA 256: 8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9

MD5: 34560233e751b7e95f155b6f61e7419a

Typical Filename: santivirusservice.exe

Claimed Product: A n t i v i r u s S e r v i c e

Detection Name: PUA.Win.Dropper.Segurazo::tpd

SHA 256: 85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5

MD5: 8c80dd97c37525927c1e549cb59bcbf3

Typical Filename: svchost.exe

Claimed Product: N/A

Detection Name: Win.Exploit.Shadowbrokers::5A5226262.auto.talos

SHA 256: e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd

MD5: 8193b63313019b614d5be721c538486b

Typical Filename: SAService.exe

Claimed Product: SAService

Detection Name: PUA.Win.Dropper.Segurazo::95.sbx.tg

SHA 256: 6fdfcd051075383b28f5e7833fde1bb7371192f54e381c8bdfa8e68269e3dc30

MD5: 0083bc511149ebc16109025b8b3714d7

Typical Filename: webnavigatorbrowser.exe

Claimed Product: WebNavigatorBrowser

Detection Name: W32.6FDFCD0510-100.SBX.VIOC

Keep up with all things Talos by following us on Twitter. Snort, ClamAV and Immunet also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.