Thursday, June 24, 2021

Threat Source newsletter (June 24, 2021)


Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers.  

Even though spam emails asking for gift cards may seem like the oldest trick in the book, they're still effective in 2021. The FBI estimates that business email compromise cost victims around $1.8 billion in 2020, and we've seen recent campaigns that are showing the damage can only get worse.

Attackers are taking over businesses' emails and then sending employees and customers messages themed around everything from COVID-19 to PlayStation 5 sales. So while BEC may not seem like the most exciting threat out there, it's still one that can't be ignored.

Upcoming Talos public engagements

Speaker: Vitor Ventura
Date: Oct. 7 - 8
Location: Virtual
Description: Android malware has become prevalent across the landscape. In this workshop, Vitor Ventura will show you reverse engineering techniques for Android malware. This workshop is designed to provide the participants with different approaches to malware analysis so they can perform their own analysis without the use of automated tools. When everything else fails, we need to know what's under the hood. This workshop will cover malware unpacking, string deobfuscation, command and control protocol identification and feature identification.

Cybersecurity week in review

  • Just days after police made several arrests connected to the CLOP ransomware group, the operators posted data they claim came from a new victim. This indicates the group is still active in some form, though possibly in a weakened state.
  • Multiple Russian intelligence officials have recently pledged to help the U.S. track down cybercriminals. The comments from the FSB and the country's deputy foreign minister come after U.S. President Joe Biden and Vladimir Putin, his Russian counterpart, met at a rare summit last week.
  • A new proposal circulating in Congress would label certain entities as being potential targets for cyber attacks, then offer them special access to government resources in exchange for improving their security standards. This idea is known as "systemically important critical infrastructure."
  • The U.S. and European Union created a new joint working group to combat ransomware. A joint statement said the group will address the threat "through law enforcement action, raising public awareness on how to protect networks as well as the risk of paying the criminals responsible, and to encourage those states that turn a blind eye to this crime to arrest and extradite or effectively prosecute criminals on their territory."
  • The EU also created a separate Joint Cyber Unit to address emergency, large-scale cyber attacks. A dedicated team of security experts will now be deployed to European countries in the event of a major ransomware attack to assist with response and recovery.
  • A new ransomware called "LV" appears to have copied large swaths of REvil ransomware code. The two families also share similar TTPs, as LV also steals victims' information and then posts the information on leak sites to shame the victim into paying the ransom.
  • Firmware update software in more than 30 million Dell computers could leave the devices open to attacks. Security researchers recently discovered four vulnerabilities affecting desktops, laptops and tablets, and Dell plans to release a patch Thursday.
  • John McAfee, the creator of the McAfee anti-virus software and a viral personality, was found dead in a Spanish prison this week. McAfee left the security space many years ago and had since run into a bevy of criminal charges and legal troubles.
  • The Monero cryptocurrency is quickly becoming the virtual currency of choice for threat actors. Monero is harder to trace than bitcoin and obscures the amount of money exchanged during a transaction between sender and receiver.

Notable recent security issues

Description: The Agent Tesla remote access trojan (RAT) is back again, this time using COVID-19-related phishing documents as its initial infection vector. Attackers are sending emails claiming to have a COVID-19 vaccine schedule attached as an RTF document. The malicious attachment exploits a known Microsoft Office remote code execution vulnerability, CVE-2017-11882, to infect the victim with Agent Tesla. This version of the RAT appears to be the most recent, with updated anti-detection capabilities and data theft tools. Although many countries, including the U.S., are starting to loosen pandemic restrictions as vaccination rates increase, this campaign shows that attackers will continue using COVID-19 as a popular spam topic. 
Snort SIDs: 57787 

Title: Attackers may be relying on one another to access corporate networks 
Description: A new report indicates that APTs may be exchanging information and money as part of a vast network of cyber criminals distributing ransomware. Some of these groups buy access from other, independent adversaries who infiltrate major targets and eventually receive part of the proceeds from a successful ransomware infection. As part of this, security researchers at Proofpoint uncovered several new actors. One of these groups, which it named TA577, has been active since mid-2020. It has used several ransomware payloads including SmokeLoader, IcedID, Ursnif and Cobalt Strike.

Snort SIDs: 57786, 57791 

Most prevalent malware files this week

MD5: 9a4b7b0849a274f6f7ac13c7577daad8 
Typical Filename: ww31.exe 
Claimed Product: N/A 
Detection Name: W32.GenericKD:Attribute.24ch.1201

MD5: 6be10a13c17391218704dc24b34cf736 
Typical Filename: smbscanlocal0906.exe 
Claimed Product: N/A 
Detection Name: Win.Dropper.Ranumbot::in03.talos 

MD5: 2915b3f8b703eb744fc54c81f4a9c67f 
Typical Filename: VID.dat 
Claimed Product: N/A 
Detection Name: Win.Worm.Coinminer::1201 

MD5: 34560233e751b7e95f155b6f61e7419a 
Typical Filename: SAntivirusService.exe 
Claimed Product: A n t i v i r u s S e r v i c e 
Detection Name: PUA.Win.Dropper.Segurazo::tpd 

MD5: 8193b63313019b614d5be721c538486b 
Typical Filename: SAService.exe 
Claimed Product: SAService 
Detection Name: 

Keep up with all things Talos by following us on Twitter. Snort, ClamAV and Immunet also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast and Talos Takes (as well as on your favorite podcast app). And, if you're not already, you can also subscribe to the weekly Threat Source newsletter.
