Thursday, July 22, 2021

Threat Source newsletter (July 22, 2021)

Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers.  

I'm compiling this Tuesday for vacation reasons, so apologies for any major stories I'm missing here.

This week's Beers with Talos podcast hits the seas again. And although we've covered sea shanties in the past, this week we're covering the bad guys trying to disrupt those glorious songs of old. 

The guys talk about privateer groups in this episode, which is a new type of threat actor classification we believe the security community needs to better discuss the intricacies of state-sponsored threat actors.

Upcoming Talos public engagements

Date: July 31 - Aug. 5
Location: Virtual and Mandalay Bay hotel and resort, Las Vegas, Nevada
Description: Join Talos and Cisco Secure for a series of sponsored talks, mock debates and incident response lessons at this year's hybrid BlackHat conference.

Speaker: Vitor Ventura
Date: Oct. 7 - 8
Location: Virtual
Description: Android malware has become prevalent across the landscape. In this workshop, Vitor Ventura will show you reverse engineering techniques for Android malware. This workshop is designed to provide the participants with different approaches to malware analysis so they can perform their own analysis without the use of automated tools. When everything else fails, we need to know what's under the hood. This workshop will cover malware unpacking, string deobfuscation, command and control protocol identification and feature identification.

Cybersecurity week in review

  • The U.S. and NATO allies formally blamed Chinese state-sponsored actors for exploiting zero-day vulnerabilities in Microsoft Exchange Server. The FBI released a joint announcement detailing 50 tactics, techniques and procedures (TTPs) the attackers are known to use.
  • Many victims of the Kaseya supply chain attack are struggling to recover encrypted files after the REvil group behind the attack went dark. Some companies paid the requested ransom to REvil, only to find out the decryption keys they received did not work.
  • Security researchers uncovered a massive spyware ring based out of Israel. A company that produces the software and reportedly sells it to governments, allowing users to infect and monitor iPhones, Androids, Macs, PCs and cloud accounts.
  • Apple and other mobile phone makers are under pressure to respond to reports that the NSO Group has exploited phones to spy on journalists and activists. The head of WhatsApp even called the newly disclosed information a “wake-up call for security on the internet.”
  • Researchers are raising red flags at a new phone that right-leaning influencers are promoting as being secure and censorship-proof. The devices actually appear to be repurposed devices from overseas manufacturers that are known for producing vulnerability-riddled devices.
  • Apple recently patched a zero-day vulnerability in iOS' WiFi connectivity. At the time, the company said it was a denial-of-service issue, but researchers say it could also be used for remote code execution.
  • The U.S. Department of Justice is offering up to a $10 million reward, paid out in cryptocurrency, for any information leading to the identification of state-sponsored threat actors. The department set up a new report channel on the dark web for researchers to submit information securely and anonymously. 
  • New guidelines from the U.S. Department of Homeland Security have created new security standards for critical American pipelines. The new rules include that all pipeline operators must have a cybersecurity contingency and recovery plan.
  • Popular messaging app WhatsApp is testing new encryption settings for cloud backups on Android devices. But users need to make sure they never forget their 64-character recovery key.

Notable recent security issues

Title: Cisco patches critical issues in WSA, BPA 
Description: Multiple, critical vulnerabilities in Cisco’s Web Security Appliance (WSA) and Business Process Automation (BPA) could allow an attacker to elevate their privileges to the level of an administrator. This opens the door for the attacker to access sensitive data or take over a targeted system. The issues both received a CVSS severity score of 8.8 out of 10. An adversary could exploit these vulnerabilities, identified as CVE-2021-1574 and CVE-2021-1576, by sending specially crafted HTTP messages to the targeted system.  

Snort SIDs: 57882 – 57887 

Description: The U.S. Cybersecurity and Infrastructure Security Agency warned users that attackers are actively exploiting critical remote code execution vulnerabilities in ForgeRock’s Access Management software. Access Management serves as a front end for web apps and remote access setups in enterprise networks. CISA, along with ForgeRock, warned users that the vulnerabilities are actively under exploitation in the wild, although ForgeRock has already released a patch. An adversary could exploit these vulnerabilities to execute commands in the context of the current user. 
Snort SIDs: 57912, 57913 

Most prevalent malware files this week

MD5: 9a4b7b0849a274f6f7ac13c7577daad8 
Typical Filename: ww31.exe 
Claimed Product: N/A 
Detection Name: W32.GenericKD:Attribute.24ch.1201

MD5: 6be10a13c17391218704dc24b34cf736 
Typical Filename: smbscanlocal0906.exe 
Claimed Product: N/A 
Detection Name: Win.Dropper.Ranumbot::in03.talos 

MD5: 2915b3f8b703eb744fc54c81f4a9c67f 
Typical Filename: VID001.exe 
Claimed Product: N/A 
Detection Name: Win.Worm.Coinminer::1201  

MD5: 34560233e751b7e95f155b6f61e7419a  
Typical Filename: SAntivirusService.exe  
Claimed Product: A n t i v i r u s S e r v i c e  
Detection Name: PUA.Win.Dropper.Segurazo::tpd 

MD5: 8193b63313019b614d5be721c538486b 
Typical Filename: SAService.exe 
Claimed Product: SAService 
Detection Name: 

Keep up with all things Talos by following us on TwitterSnortClamAV and Immunet also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast here and Talos Takes here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.  

No comments:

Post a Comment

Note: Only a member of this blog may post a comment.