Thursday, December 9, 2021

Threat Source Newsletter (Dec. 9, 2021)

Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers.  

The good news keeps rolling in for our Incident Response team, who received another accolade by being featured in Forrester's recent quarterly report on the incident readiness industry. This comes on the heels of the team also being named a leader in IR services in an IDC MarketScape report.

If you are looking for a great holiday gift for the IT lover in your life, you should make sure to get your free copy of the SNORTⓇ calendar now. All you have to do is fill out this quick survey to get your free copy. (Sorry, shipping in the U.S. only.)


Cybersecurity week in review

  • Multiple U.S. State Department employees had their iPhones infected with the Pegasus spyware, according to a recent report. Apple recently sued the NSO Group, the creator of Pegasus, for targeting their devices with the spyware.
  • Someone sent anti-work messages to businesses across the U.S. last week by hijacking receipt printers. The printers produced a long message encouraging employees to talk about their pay with co-workers and to quit if they are unhappy with their jobs.
  • Many large tech companies, including Google, are making multi-factor authentication mandatory for their employees. But attackers are already developing workarounds.
  • Several important Maryland Department of Health services were disrupted after a cyber attack. As of Wednesday afternoon, the department had not updated its COVID-19 tracking information as hospitalizations rose in the state. However, officials say no private data has been compromised.
  • A network access broker named "Babam" has become increasingly popular over the past two years, selling stolen VPN credentials to threat actors so they can enter targeted networks and spread malware. Here's what researchers know so far about Babam.
  • Employees in all industries are experiencing serious burnout almost two full years into the COVID-19 pandemic and a new work-from-home reality. That's leading many organizations and individuals to make poor security decisions.
  • Microsoft seized more than 10,000 Chinese websites the company says were used by "highly sophisticated" threat actors. The group allegedly targeted government agencies, think tanks, and human rights organizations in the U.S. and 28 other countries since at least 2016.
  • Google says it's successfully disrupted the Glupteba botnet. The company disabled more than 100 Google accounts used by the threat actor, filed a lawsuit against its alleged operators and shut down servers the botnet used.
  • Israel recently led a 10-country exercise that simulated a comprehensive cyber attack on the global financial system. The exercise involved a series of hypothetical attacks against global foreign exchange and bond markets, and transactions between importers and exporters.

Notable recent security issues

Magnat campaigns use malvertising to deliver information stealer, backdoor and malicious Chrome extension

Talos recently observed a malicious campaign offering fake installers of popular software as bait to get users to execute malware on their systems. This activity comprises a set of malware distribution campaigns that started in late 2018 and have targeted mainly Canada, along with the U.S., Australia and some EU countries. Two undocumented malware families (a backdoor and a Google Chrome extension) are consistently delivered together in these campaigns. An unknown actor with the alias "Magnat" is the likely author of these new families and has been constantly developing and improving them. The attacker's motivations appear to be financial gain from selling stolen credentials, fraudulent transactions and Remote Desktop access to systems.
SNORTⓇ SIDs: 58650 and 58651
ClamAV signature: Win.Dropper.MagnatExtension-9911899-0


Attackers actively exploiting vulnerability in popular patch management software

Software company Zoho warned users that they should update their Desktop Central and Desktop Central MSP services as soon as possible. Attackers are actively exploiting a vulnerability in the products, tracked as CVE-2021-44515, that could allow them to bypass authentication and execute arbitrary code on affected ManageEngine Desktop Central servers. Zoho also released an exploit detection tool for organizations to see if they had been targeted by attackers using this vulnerability.
SNORTⓇ SID: 58703


Most prevalent malware files this week

MD5: ee30d6928c9de84049aa055417cc767e
Typical Filename: app.exe
Claimed Product: N/A
Detection Name: Glupteba::gravity::W32.Auto:0ab024b0da.in03.Talos

MD5: a6a7eb61172f8d988e47322ebf27bf6d
Typical Filename: wx.exe
Claimed Product: N/A
Detection Name: Win.Dropper.Wingo::in07.talos

MD5: a5e345518e6817f72c9b409915741689
Typical Filename: swupdater.exe
Claimed Product: Wavesor SWUpdater
Detection Name: W32.1B259D8CA9.Wavesor.SSO.Talos

MD5: 6ea750c9d69b7db6532d90ac0960e212
Typical Filename: deps.zip
Claimed Product: N/A
Detection Name: Auto.E5044D5AC2.242358.in07.Talos

MD5: ee62e8f42ed70e717b2571c372e9de9a
Typical Filename: lHe
Claimed Product: N/A
Detection Name: W32.Gen:MinerDM.24ls.1201

Keep up with all things Talos by following us on Twitter. Snort and ClamAV also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast here and Talos Takes here (as well as on your favorite podcast app). And, if you're not already, you can also subscribe to the weekly Threat Source newsletter here.
