Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers.

We hope you’re enjoying Cisco Live this week and only reading this after you’ve caught up on your sessions for the day.

No April Fool’s jokes here (thankfully) — we are just excited to tell you that applications are now open for the Snort scholarship. Find out how to apply here and complete rules here.

And speaking of things that aren’t funny, who likes to be tricked into downloading malware when they’re just trying to turn on some Thomas the Train mods in “Skyrim?” We are tracking a malware campaign that hides inside video game cheat engines and other “mods.” Our blog post has a complete reverse-engineering of the cryptor used in this case that’s going to be useful for all defenders.

Upcoming public engagements with Talos

Title: Cisco Live 2021

Date: March 30 – April 1

Speakers: Nick Biasini, more TBA

Overview: Join us for the annual Cisco Live conference, this year taking place across the globe at the same time virtually for the first time. Cisco Live is your destination for year-round technical education and training. There will be many on-demand sessions to choose from throughout the conference. Nick Biasini of Talos Outreach will provide a broad overview of the past year’s threats and trends we’ve been seeing, with a specific focus on dual-use tools and supply chain attacks. Additional sessions will be announced in the coming weeks.

Title: Analyzing Android Malware: From triage to reverse-engineering

Date: April 7 at 11 a.m. ET

Speakers: Vitor Ventura

Overview: In this free webinar, Vitor Ventura of Talos Outreach will discuss the most recent Android malware he’s seen in the wild. Vitor will reverse-engineer some of these malware samples and discuss what users can do to stay safe. We’ll cover everything from deobfuscating strings, to appropriate patching practices and searching for command and control beacons.

Cybersecurity week in review

  • American intelligence agencies are expected to publish the most in-depth findings yet on the SolarWinds breach. The report allegedly includes new information on the tools the attackers used in the supply chain attack.
  • Attackers breached the PHP library and attempted to install a backdoor that would have allowed them to inject remote code into affected websites. The maintainers behind PHP said they will now move the repository over to GitHub rather than their own git instance.
  • A new Android malware is disguising itself as a system update that must be installed outside the Google Play store. If infected, a user’s device could be completely taken over.
  • A major television network in Australia had to go offline after a cyber attack. The initial report came on the same day the country’s parliament also reported an attempted cyber intrusion.
  • Non-fungible tokens are taking the internet by storm. But their increased popularity has also led to uninformed consumers falling for scams, or malicious actors finding ways to make the NFTs disappear.
  • U.S. President Joe Biden’s administration is having to respond to multiple state-sponsored cyber threats, all while still trying to fill several key cybersecurity positions. Congressional leaders are pushing Biden to fill the role of national cyber director as soon as possible.
  • The U.K. launched a new, independent Cyber Security Council tasked with formalizing standards across the security industry in the country. The council will also create new tools and resources for cybersecurity experts and those hoping to enter the industry.
  • The North Korean state-sponsored threat group targeting security researchers set up a fake security firm to lure potential targets. They also created fake recruiter profiles on LinkedIn for the phony company.
  • The Cybersecurity and Infrastructure Security Agency (CISA) is asking all government agencies running on-premises Microsoft Exchange servers to run Microsoft malware scanners and report their results by April 5. Microsoft’s recently released tool should find any undetected compromises.

Notable recent security issues

Title: OpenSSL issues patches for critical denial-of-service vulnerability

Description: OpenSSL disclosed and patched a denial-of-service vulnerability last week that could allow adversaries to completely crash servers. An attacker could send a specially crafted, malicious request that triggers a null pointer dereference and crashes the targeted server. OpenSSL is one of the most popular software libraries on the internet. It is a toolkit for TLS and SSL and serves as a general cryptographic library. The maintainers behind the toolkit also fixed a separate vulnerability that could prevent apps from detecting and rejecting unsigned TLS certificates.

Snort SIDs: 56942 – 56944, 56957 – 56963

Title: Critical vulnerabilities in Cisco Jabber for mobile, desktop devices

Description: Cisco fixed multiple vulnerabilities in the Jabber messaging software that affect the versions for mobile devices, macOS and Windows. An attacker could exploit any of these bugs to execute arbitrary programs on the underlying operating system with elevated privileges. They could also potentially access sensitive information, intercept protected network traffic or cause a denial of service. Adversaries only need to exploit one of the vulnerabilities disclosed this week to carry out these malicious actions. They must also be able to authenticate to an Extensible Messaging and Presence Protocol (XMPP) server that the affected software uses and be able to send XMPP messages to a targeted system.

Snort SIDs: 55016 – 55018, 56572, 56573, 56575, 56576, 56588 – 56591, 57351 – 57354, 57359

Most prevalent malware files this week

SHA 256: c1d5a585fce188423d31df3ea806272f3daa5eb989e18e9ecf3d94b97b965f8e
MD5: 9a4b7b0849a274f6f7ac13c7577daad8
Typical Filename: ww31.exe
Claimed Product: N/A
Detection Name: W32.GenericKD:Attribute.24ch.1201

SHA 256: e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd
MD5: 8193b63313019b614d5be721c538486b
Typical Filename: SAService.exe
Claimed Product: SAService
Detection Name: PUA.Win.Dropper.Segurazo::95.sbx.tg

SHA 256: 8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9
MD5: 34560233e751b7e95f155b6f61e7419a
Typical Filename: SAntivirusService.exe
Claimed Product: A n t i v i r u s S e r v i c e
Detection Name: PUA.Win.Dropper.Segurazo::tpd

SHA 256: 85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5
MD5: 8c80dd97c37525927c1e549cb59bcbf3
Typical Filename: svchost.exe
Claimed Product: N/A
Detection Name: Win.Exploit.Shadowbrokers::5A5226262.auto.talos

SHA 256: 17c4a85cdc339f525196d7f5da3a02e43c97513ff50b6bc17db4470ae3b182e2
MD5: 96f8e4e2d643568cf242ff40d537cd85
Typical Filename: SAService.exe
Claimed Product: SAService
Detection Name: PUA.Win.File.Segurazo::95.sbx.tg

Keep up with all things Talos by following us on Twitter. Snort, ClamAV and Immunet also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast here and Talos Takes here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.