Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers.

Unfortunately, I don’t have any stock tips to give you to help you get rich overnight. But I do have two Vulnerability Spotlights you should read so your network can stay safer. We disclosed multiple vulnerabilities in phpGACL and Micrium uc-HTTP. There are patches available for both products and Snort rules for extra coverage.

The biggest news in the security community this week is the recent disclosure that a state-sponsored actor is targeting security researchers across the globe. Multiple Talos researchers were targeted in this attack, but there are no security risks at this time and our researchers were not compromised in any way.

Upcoming public engagements with Talos

Title: “The Crimeware Arms Race: Modern Techniques in Malware Armoring and Evasion”

Event: CactusCon

Date: Feb. 6 - 7

Speakers: Edmund Brumaghin and Nick Biasini

Overview: As the volume of malware samples in the wild has continued to explode in recent years, a lot of effort has been put into the development of automated analysis platforms. These platforms typically execute files in controlled environments to observe their behavior and determine if the file is benign or malicious. As the use of these technologies has increased, adversaries have invested significant resources in developing techniques to circumvent automated analysis and evade detection. Malware developers are also implementing various techniques to make analysis more difficult. Modern botnets have begun leveraging new technologies to make their infrastructure more resilient to disruption by security organizations and law enforcement. This presentation will describe the latest techniques employed by adversaries to evade analysis and detection. It will also cover the new technologies being leveraged to establish C2 communications channels that are resilient against intervention by the security industry and law enforcement. We will discuss specific examples and walk through detailed case studies where these techniques are being employed, as well as how to defend against them more effectively.

Cybersecurity week in review

  • Email security firm Mimecast disclosed this week it was a victim of the recent SolarWinds breach. The company said adversaries compromised one of its certificates and exfiltrated encrypted credentials, though there is no evidence to suggest those stolen credentials have been abused.
  • SolarWinds is already shaping U.S. President Joe Biden’s cybersecurity plan. His administration is still unpacking how widespread the attack is and how it could shape cyber espionage campaigns in the future.
  • As the COVID-19 vaccination effort ramps up around the world, cyber actors are — unsurprisingly — trying to capitalize. Adversaries have already started campaigns looking to spread disinformation regarding the vaccine and other researchers say distribution disruptions could follow.
  • Vulnerabilities in Amazon’s Kindle devices could allow an attacker to steal users’ credit card information using a malformed eBook. An adversary could string together three exploits to take control of a victim's Kindle, use their credit card on the device’s store and access personal information stored on the device.
  • U.S. intelligence agencies reportedly purchased commercial cell phone location data from third parties to track individuals without a warrant. The Defense Intelligence Agency has received permission to query that data five times in the last two-and-a-half years.
  • Ransomware groups are now also using distributed denial-of-service attacks to coerce their victims into paying. Researchers have so far confirmed SunCrypt and RagnarLocker as being the two ransomware families utilizing this tactic.
  • A home security technician admitted to hacking into home security cameras to spy on women. The former ADT employee added his personal email to accounts belonging to targeted customers, allowing him to remotely check on their security cameras.
  • Apple urged users to update their iPhones as soon as possible to fix multiple vulnerabilities being exploited in the wild. iOS 14.4 included fixes for exploits whose details Apple could not yet disclose.

Notable recent security issues

Title: ElectroRAT trojan makes full push to infect cryptocurrency users

Description: A recently discovered trojan known as ElectroRAT is pulling out all the stops to try and infect cryptocurrency wallets. The actors behind this campaign have so far created three cryptocurrency-related apps that are disguised as legitimate. They’ve also invested in a full-fledged marketing campaign trying to encourage users to download the apps. If a victim downloads the trojanized apps, they are infected with the malware that then takes over their cryptocurrency wallet.

Snort SIDs: 56991 - 56993

Title: Cisco SD-WAN vulnerabilities could allow for remote code execution

Description: Cisco disclosed multiple vulnerabilities last week that could allow attackers to execute malicious code remotely on affected devices. Three of these vulnerabilities collectively have a severity score of 9.9 out of 10. An adversary could cause a variety of conditions on the affected products that could eventually lead to remote code execution. These issues affect several Cisco products, including SD-WAN vBond Orchestrator Software, SD-WAN vEdge Cloud Routers, SD-WAN vEdge Routers, SD-WAN vManage Software and SD-WAN vSmart Controller Software.

Snort SIDs: 56942 - 56944, 56957 - 56963

Most prevalent malware files this week

SHA 256: e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd

MD5: 8193b63313019b614d5be721c538486b

Typical Filename: SAService.exe

Claimed Product: SAService

Detection Name: PUA.Win.Dropper.Segurazo::95.sbx.tg

SHA 256: 8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9

MD5: 34560233e751b7e95f155b6f61e7419a

Typical Filename: santivirusservice.exe

Claimed Product: A n t i v i r u s S e r v i c e

Detection Name: PUA.Win.Dropper.Segurazo::tpd

SHA 256: b76fbd5ff8186d43364d4532243db1f16f3cca3138c1fab391f7000a73de2ea6

MD5: 6a7401614945f66f1c64c6c845a60325

Typical Filename: pmropn.exe

Claimed Product: PremierOpinion

Detection Name: PUA.Win.Adware.Relevantknowledge::231753.in02

SHA 256: 85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5

MD5: 8c80dd97c37525927c1e549cb59bcbf3

Typical Filename: svchost.exe

Claimed Product: N/A

Detection Name: Win.Exploit.Shadowbrokers::5A5226262.auto.talos

SHA 256: 6fdfcd051075383b28f5e7833fde1bb7371192f54e381c8bdfa8e68269e3dc30

MD5: 0083bc511149ebc16109025b8b3714d7

Typical Filename: webnavigatorbrowser.exe

Claimed Product: WebNavigatorBrowser

Detection Name: W32.6FDFCD0510-100.SBX.VIOC

Keep up with all things Talos by following us on Twitter. Snort, ClamAV and Immunet also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.