Thursday, September 2, 2021

Threat Source newsletter (Sept. 2, 2021)

Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers.  

If you haven't seen already, our blog has a lot of cool and new stuff this week.

We first dove into the world of proxyware on Tuesday (aka internet-sharing applications). Attackers are hiding in this newly popular software to steal users' bandwidth and money, while spreading malware along the way. This is a perfect case to show how willing users are to trade away some of their privacy and security for literally a few cents a day.

In another first, we got our hands on the leaked Conti ransomware playbook and translated it to English. Read our blog post and the full translation for some awesome insight into how this ransomware-as-a-service group operates.

Upcoming Talos public engagements

Speaker: Chris DiSalle
Date: Sept. 9
Location: Virtual
Description: Chris DiSalle from Talos Incident Response will join the Technado podcast to share the ins and outs of the IR industry. Chris will talk to host Don Pezet about how he got started in incident response, horror stories he's seen in the field, and much more. 

Chats, Cheats, and Cracks: Abuse of Collaboration Platforms in Malware Campaigns at BSides Charlotte
Speaker: Edmund Brumaghin
Date: Sept. 25
Location: Virtual
Description: Join Edmund Brumaghin from Talos Outreach where he'll be discussing malware campaigns targeting collaboration apps such as Discord and Slack. Following up on Talos' blog post from earlier this year, the presentation will dive into campaigns we've spotted in the wild and discuss how users can stay safe while using these apps. 

Speaker: Vitor Ventura
Date: Oct. 7 - 8
Location: Virtual
Description: Android malware has become prevalent across the landscape. In this workshop, Vitor Ventura will show you reverse engineering techniques for Android malware. This workshop is designed to provide the participants with different approaches to malware analysis so they can perform their own analysis without the use of automated tools. When everything else fails, we need to know what's under the hood. This workshop will cover malware unpacking, string deobfuscation, command and control protocol identification and feature identification.

Cybersecurity week in review

  • Several major tech CEOs pledged to invest billions of dollars into the nation's cybersecurity in the coming years. U.S. President Joe Biden met with business leaders and cybersecurity companies last week to discuss recent attacks on critical infrastructure.
  • A 21-year-old is allegedly behind the recent cyber attack on T-Mobile. The person who claims to be the attacker who stole millions of customer records spoke to the Wall Street Journal anonymously, criticizing T-Mobile's security.
  • Security researchers discovered a major vulnerability in Microsoft Azure's cloud platform that could allow attackers to read, write and change database records. Although it was just disclosed, the vulnerability could have existed for months or even years.
  • Microsoft and the U.S. Department of Homeland Security both warned Azure users to update as soon as possible to protect against this attack. After Microsoft first sent the notice to a chunk of users, it eventually told all users to reset their security keys.
  • A new survey found that 61 percent of companies admit to not providing their remote employees with appropriate cybersecurity tools. And half of the respondents said they have relaxed security policies since the beginning of the COVID-19 pandemic or are not enforcing them as much.
  • American government agencies warned organizations they could see a spike in cyber attacks over the long Labor Day weekend. Threat actors have traditionally used holidays while many employees are on vacation or not as engaged in work to spread malware.
  • Apple announced that Arizona and Georgia will be the first two states to test users being able to store their driver's license and other government-issued IDs in their Apple Wallet. The Transportation Security Administration will also open new airport checkpoints and security lanes to accept this form of ID.
  • Despite the recent arrest of its creator, the Mozi botnet is expected to live on. Although its size will shrink in the coming weeks, security experts say its already infected so many devices that its effects will be felt for a long time.
  • The U.S. Security and Exchange Commission fined several brokerage firms for cybersecurity failings that led to hacks on their email systems. Because of security failures, the SEC says attackers gained unauthorized access to cloud-based email accounts, exposing the personal information of thousands of customers and clients at each firm.

Notable recent security issues

Description: Adversaries are finding new ways to monetize their attacks by abusing internet-sharing, or "proxyware" platforms like Honeygain, Nanowire, and others. This poses new challenges to organizations, especially to those whose internet access is rated as residential. But any organization could be at risk, as there are platforms that also allow data center-based internet sharing. Malicious actors are taking multiple avenues to monetize these new platforms in their favor. The most obvious one is the silent installation of the platform client to "sell" the victim's bandwidth without their knowledge. In some cases, the adversaries patch the client to stop any alerts that would warn the victim. As these platforms became more popular, the adversaries started to leverage trojanized installers, which install the legitimate platform client as well as digital currency miners and information stealers. Given the nature of proxyware services, the users expect that their performance will suffer, making it a perfect disguise for coin miners. 
Snort SIDs: 45549, 46237, 58030 – 58033 
Cisco Secure Endpoint OSQueries: malware_honeygain_trojanized_installer, malware_honeygain_loader, malware_honeygain_bot 

Description: A botnet similar to Mirai is actively scanning for wireless routers affected by a recently disclosed denial-of-service vulnerability affecting SDKs for Realtek chipsets. An attacker could exploit the vulnerability by sending specially crafted inputs, eventually crashing the HTTP server running the management interface and eventually the router. Security researchers are calling the botnet in question “Dark.IoT.” The botnet reportedly waits for researchers and organizations to publish proof-of-concepts for newly discovered vulnerabilities, and only takes days to eventually incorporate them. Other Realtek vulnerabilities were disclosed two weeks ago that affect dozens of internet-of-things devices, including internet-connected cameras and WiFi repeaters. 
Snort SIDs: 58052 - 58059 

Most prevalent malware files this week

MD5: 9a4b7b0849a274f6f7ac13c7577daad8 
Typical Filename: ww31.exe 
Claimed Product: N/A 
Detection Name: W32.GenericKD:Attribute.24ch.1201

MD5: 6be10a13c17391218704dc24b34cf736 
Typical Filename: smbscanlocal0906.exe 
Claimed Product: N/A 
Detection Name: Win.Dropper.Ranumbot::in03.talos

MD5: 8c80dd97c37525927c1e549cb59bcbf3 
Typical Filename: Eter.exe 
Claimed Product: N/A 
Detection Name: 

MD5: 8193b63313019b614d5be721c538486b 
Typical Filename: SAService.exe 
Claimed Product: SAService 
Detection Name: 

MD5: 0a13d106fa3997a0c911edd5aa0e147a 
Typical Filename: mg20201223-1.exe 
Claimed Product: N/A 
Detection Name: RanumBot::mURLin::W32.5E46ECFFCF.in12.Talos 

Keep up with all things Talos by following us on TwitterSnortClamAV and Immunet also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast here and Talos Takes here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.  

No comments:

Post a Comment

Note: Only a member of this blog may post a comment.