Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers.

Ransomware is not just financial extortion. It is a crime that transcends business, academic and geographic boundaries. Talos was proud to assist with a newly released report from the international Ransomware Task Force that provides a path forward to mitigate this criminal enterprise. This was a large undertaking by Talos researchers and our cybersecurity partners from across the globe, and everyone should read it.

And if you're in the mood to watch rather than read, we uploaded a recording of a LinkedIn Live video from earlier this week to our YouTube page. Martin Lee from Talos Outreach joined security blogger Graham Cluley to discuss cybersecurity threats during our current (and likely permanent) work-from-home situation.

Cybersecurity week in review

  • U.S. President Joe Biden is shopping around a $2 trillion infrastructure package. But security experts say with all of this new infrastructure comes the challenge of securing it.
  • Biden is also working on a new executive order that would outline new cybersecurity standards companies must meet before taking on federal contracts. The effort is part of the administration's continued response to the SolarWinds supply chain attack.
  • Researchers discovered a vulnerability in Apple's AirDrop feature that could allow anyone to view users' personally identifiable information. Attackers could carry out brute-force attacks to guess a user's phone number based on the SHA-256 hash the user's device sends during an AirDrop transaction.
  • Passwordstate, an Australia-based password manager, was the victim of a recent supply chain attack, potentially exposing users' passwords. The company warned its global customer base that everyone should be changing any stored passwords.
  • The latest version of Apple's iOS includes a long-awaited privacy feature. Users can now opt out of third-party apps tracking their use and selling that information to other third parties. The update also fixed several vulnerabilities.
  • Attackers seeking to extort the Washington, D.C. police department have leaked sensitive information about five current and former officers. The information includes arrest history, polygraph results and previous work history.
  • A recently discovered Linux backdoor has flown under the radar for years. RotaJakiro remains undetected by anti-virus engines and can allow adversaries to exfiltrate large amounts of data.
  • An APT group successfully exploited the SolarWinds Orion platform on a U.S. company's network by disguising themselves as legitimate teleworking employees. The actors planted a backdoor called "Supernova" to conduct reconnaissance, data theft and domain mapping.
  • Some cancer care in the U.S. was delayed after a medical systems company suffered a cyber attack. More than 40 health care sites across the country saw their radiation services disrupted earlier this month.
  • Many cryptocurrency users want to turn to hardware wallets to store their virtual currencies. The Internal Revenue Service is actively seeking ways to break into these wallets in criminal investigations.

Notable recent security issues

Title: Attackers exploiting multiple critical vulnerabilities in Pulse Secure VPN service

Description: In a recent security advisory, Pulse Secure announced that a critical vulnerability (CVE-2021-22893) was discovered in its VPN service, "Pulse Connect Secure." The advisory states that, "a vulnerability was discovered under Pulse Connect Secure (PCS). This includes an authentication by-pass vulnerability that can allow an unauthenticated user to perform remote arbitrary file execution on the Pulse Connect Secure gateway. This vulnerability has a critical CVSS score and poses a significant risk to your deployment." The company released a blog post alongside this advisory disclosing that the vulnerability has been exploited in the wild. The U.S. Cybersecurity and Infrastructure Security Agency also released an alert warning of these vulnerabilities. In the alert, CISA notes that networks belonging to multiple government agencies, critical infrastructure entities and private sector organizations have been compromised going as far back as June 2020.

Snort SIDs: 51288, 51289, 51390, 57452 - 57459 and 57461 - 57468

Title: Targets still seeing a rise in COVID-19-themed malware campaigns

Description: A new report indicates that the number of malware campaigns using COVID-19-themed lures continues to rise, even more than a year after the pandemic took hold in the U.S. New data shows that COVID-related cyber attack detections rose by 240 percent in the third quarter of 2020 and 114 percent in Q4. Many attackers relied on privilege escalation techniques to spread ransomware and other threats off the backs of these campaigns. Some used PowerShell, while others relied on remote access trojans like Remcos. Several state-sponsored actors have also been involved in these attacks.

Snort SIDs: 57431

Most prevalent malware files this week

SHA 256: c1d5a585fce188423d31df3ea806272f3daa5eb989e18e9ecf3d94b97b965f8e

MD5: 9a4b7b0849a274f6f7ac13c7577daad8

Typical Filename: ww31.exe

Claimed Product: N/A

Detection Name: W32.GenericKD:Attribute.24ch.1201

SHA 256: e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd

MD5: 8193b63313019b614d5be721c538486b

Typical Filename: SAService.exe

Claimed Product: SAService

Detection Name: PUA.Win.Dropper.Segurazo::95.sbx.tg

SHA 256: 3bc24c618151b74ebffb9fbdaf89569fadcce6682584088fde222685079f7bb9

MD5: d709ea22945c98782dc69e996a98d643

Typical Filename: FlashHelperService.exe

Claimed Product: Flash Helper Service

Detection Name: W32.Auto:3bc24c6181.in03.Talos


SHA 256: 85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5

MD5: 8c80dd97c37525927c1e549cb59bcbf3

Typical Filename: svchost.exe

Claimed Product: N/A

Detection Name: Win.Exploit.Shadowbrokers::5A5226262.auto.talos

SHA 256: 17c4a85cdc339f525196d7f5da3a02e43c97513ff50b6bc17db4470ae3b182e2

MD5: 96f8e4e2d643568cf242ff40d537cd85

Typical Filename: SAService.exe

Claimed Product: SAService

Detection Name: PUA.Win.File.Segurazo::95.sbx.tg
