Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers.

Whether you want to read Talos’ research or listen to it, we’ve got plenty of options for you this week.

Beers with Talos hit its 100th episode last week. To celebrate, we brought Nigel back out of retirement to update us on the Mighty Reds and talk about SolarWinds. What’s your favorite Beers with Talos moment of the past 100 episodes? Tag us on Twitter @TalosSecurity.

The latest Talos Takes episode is also special because it’s our celebration of Snort 3. Nick Mavis joins the show to talk about the benefits of upgrading to Snort 3 while he reflects on how far it’s come.

If the written word is more your thing, we have a full writeup on some changes we’ve recently seen with the Masslogger malware. Once installed on a victim machine, it steals users’ login credentials from crucial places like Microsoft Outlook and Google Chrome.

Upcoming public engagements with Talos

Title: Cisco Live 2021

Date: March 30 – April 1

Speakers: Nick Biasini, more TBA

Overview: Join us for the annual Cisco Live conference, this year taking place across the globe at the same time virtually for the first time. Cisco Live is your destination for year-round technical education and training. There will be many on-demand sessions to choose from throughout the conference. Nick Biasini of Talos Outreach will provide a broad overview of the past year’s threats and trends we’ve been seeing, with a specific focus on dual-use tools and supply chain attacks. Additional sessions will be announced in the coming weeks.

Cybersecurity week in review

• The French government stated that “several French entities” were targeted in an extended cyber attack over the past few years. State-sponsored adversaries targeted a French software firm, which lists clients including Airbus and the French Ministry of Justice.
• A cyber attack on a Florida town’s water supply system last week is a sign of attackers’ larger interest in SCADA systems. The breach highlighted several problems smaller governments face, including a lack of budget for cybersecurity needs and the use of outdated operating systems.
• Microsoft stated as many as 1,000 developers may have touched code involved in the SolarWinds supply chain attack. The company’s president also called the campaign “the largest and most sophisticated attack the world has ever seen.”
• Attackers who breached video game developer CD Projekt Red’s systems say they’ve sold the source code of some of the studio's games on the dark web. The Polish developer did not pay the requested ransom payment, leading to the attackers claiming they sold stolen data for $7 million.
• Virginia is set to become the second state in the U.S. to pass a comprehensive data privacy law. Once in effect, the law would allow individuals to ask organizations what information’s being collected on them and opt out of any personalized ad targeting.
• International lawmakers, influential organizations and some independent doctors are among the worst culprits for spreading disinformation around COVID-19. A new study also finds that one of the leading conspiracy theories about the virus, that it was created in a factory, started in China.
• U.S. President Joe Biden’s administration says it could still be months before an investigation into the SolarWinds data breach is finished. The administration is also working on an executive order that aims to prevent attacks like this in the future.
• Adversaries are working on malware that specifically targets Apple’s M1 processors. A security researcher recently discovered a malicious Safari extension that looks like a standard adware but could have features added on in the future.
• American law enforcement charged several North Koreans in a massive cryptocurrency theft scheme. The actors allegedly carried out several spear-phishing attacks targeting the U.S. Defense Department, the State Department, and workers at U.S.-cleared defense contractors, among other organizations.

Notable recent security issues

Title: Long-running trojan now targeting Android devices

Description: The developers of LodaRAT have added Android as a targeted platform. A new iteration of LodaRAT for Windows has been identified with improved sound recording capabilities. This new malware follows the same principles of other Android-based RATs that we have seen on the threat landscape. Along with this new Android variant, an updated version of Loda for Windows has been identified in the same campaign. These new versions for Loda4Windows and Loda4Android show that the development effort is clearly carried out by the same group Cisco Talos calls "Kasablanca." The operators behind LodaRAT tied to a specific campaign targeting Bangladesh, although others have been seen.

Snort SID: 53031

ClamAV signatures: Win.Packed.LokiBot-6963314-0, Doc.Exploit.Cve_2017_11882-7570663-1, Doc.Downloader.Loda-7570590-0

Title: Accusoft ImageGear vulnerabilities could lead to code execution

Description: Accusoft ImageGear contains two remote code execution vulnerabilities. ImageGear is a document and imaging library from Accusoft that developers can use to build their applications. The library contains the entire document imaging lifecycle. These vulnerabilities are present in the Accusoft ImageGear library, which is a document-imaging developer toolkit. An adversary could exploit any of these vulnerabilities to cause various conditions, including an out-of-bounds write, to eventually execute code. A target needs to open a specially crafted file to trigger these vulnerabilities.

Snort SIDs: 43608, 43609, 56158 - 56161, 56365, 56366, 56451, 56452

Most prevalent malware files this week

SHA 256: c1d5a585fce188423d31df3ea806272f3daa5eb989e18e9ecf3d94b97b965f8e

MD5: 9a4b7b0849a274f6f7ac13c7577daad8

Typical Filename: ww31.exe

Claimed Product: N/A

Detection Name: W32.GenericKD:Attribute.24ch.1201

SHA 256: 85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5

MD5: 8c80dd97c37525927c1e549cb59bcbf3

Typical Filename: svchost.exe

Claimed Product: N/A

Detection Name: Win.Exploit.Shadowbrokers::5A5226262.auto.talos

SHA 256: 4647f1a0850a961e341a863194e921c102578a9c4ef898fa5e4b54d9fb65e57b

MD5: f37167c1e62e78b0a222b8cc18c20ba7

Typical Filename: flashhelperservice.exe

Claimed Product: Flash Helper Service

Detection Name: W32.4647F1A085.in12.Talos

SHA 256: 23a80df363e2f5ec6594bf952db3569e7ca59d4163283f808753775c215dd652

MD5: 259f42bd7d2f513c5c579d6554d9db66

Typical Filename: ethm2.exe

Claimed Product: N/A

Detection Name: WinGoRanumBot::mURLin::W32.Auto:23a80df363.in03.Talos

SHA 256: 1a8a17b615799f504d1e801b7b7f15476ee94d242affc103a4359c4eb5d9ad7f

MD5: 88781be104a4dcb13846189a2b1ea055

Typical Filename: ActivityElement.dp

Claimed Product: N/A

Detection Name: Win.Trojan.Generic::sso.talos

Keep up with all things Talos by following us on Twitter. Snort, ClamAV and Immunet also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.