Thursday, January 27, 2022

Threat Source Newsletter (Jan. 27, 2022)

Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers.  

It's great to have New Year's resolutions and all. But we don't want you taking the wrong lessons away from 2021, either. Like just because Log4j happened doesn't mean you should stop logging or stop using open-source software.

The latest Beers with Talos episode dropped this morning, and it's a great reflection on lessons we can learn from the major cyber attacks last year, from SolarWinds to Log4j. It's the perfect audio pairing to the latest Talos Incident Response Threat Assessment Report, which also looks at the trends IR saw in the field last year.

We also disclosed some notable vulnerabilities this week, including one that affects iOS and macOS, as well as a string of issues that could be exploited to completely wipe and reformat a video card on a popular WiFi-enabled camera. 



Cybersecurity week in review


  • Two critical vulnerabilities in Linux servers could allow attackers to execute remote code as root on targeted environments. The issues reside in Control Web Panel (CWP) – a popular web hosting management software used by hundreds of thousands of servers across the globe.
  • Apple released a slew of security updates across its products, including new versions of iOS 15 and WatchOS 8. Among the vulnerabilities the company disclosed is an issue that could allow an attacker to gain access to users' iCloud files.
  • The U.S. Department of Homeland Security warned Americans that Russian state-sponsored actors could launch cyber attacks against critical infrastructure should the U.S. object to any kinetic warfare in Ukraine. Russian forces are currently gathering near the Ukrainian border, leading to concerns of a military conflict. 
  • Concern over large-scale cyber attacks on the U.S. power grid has led to increased emergency drills among defense agencies. It has also led to a better understanding of what an attack of that scale might actually look like.
  • A well-known banking trojan targeting Android phones recently added a new feature that could completely wipe a target's phone. The malware, Brata, factory resets the phone after it executes an unauthorized wire transaction.
  • Threat actors targeted Canada's foreign ministry's network, disrupting some services, though the agency said it did not affect anything critical. The country's leadership had also just recently warned of potential attacks from Russian state-sponsored actors.
  • The entire country of North Korea lost internet access for about six hours this week, possibly due to a distributed denial-of-service attack. This is the second time in as many weeks this happened to the country.
  • The U.S. Cybersecurity and Infrastructure Security Agency added 17 vulnerabilities to its list of bugs all users should patch for immediately. The additions are part of a running list of vulnerabilities that attackers commonly target yet remain unpatched on many networks.
  • A vulnerability in the web servers belonging to the popular video game "Dark Souls 3" could allow an attacker to completely take control of a targeted machine. From Software, the company behind the game, shut down online services to Dark Souls 3 and some of its other games as they work on a fix.


Notable recent security issues


Wiper malware disguised as ransomware targets Ukrainian users, government agencies

Several cyber attacks against Ukrainian government websites — including website defacements and destructive wiper malware — have made headlines over the past few weeks as military tensions along the Russian/Ukrainian border have escalated. Cisco Talos research found that while the WhisperGate malware has some strategic similarities to the notorious NotPetya wiper that attacked Ukrainian entities in 2017, including masquerading as ransomware and targeting and destroying the master boot record (MBR) instead of encrypting it, it notably has more components designed to inflict additional damage. The multi-stage infection chain downloads a payload that wipes the MBR, then downloads a malicious DLL file hosted on a Discord server, which drops and executes another wiper payload that destroys files on the infected machines.
IOC hashes to blocklist: 
  • a196c6b8ffcb97ffb276d04f354696e2391311db3841ae16c8c9f56f36a38e92 
  • dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78 
  • 923eb77b3c9e11d6c56052318c119c1a22d11ab71675e6b95d05eeb73d1accd6 
  • 9ef7dbd3da51332a78eff19146d21c82957821e464e8133e9594a07d716d892d 

Vulnerability in Apple iOS, iPadOS and macOS could lead to disclosure of sensitive memory data

Cisco Talos recently discovered an out-of-bounds read vulnerability in Apple’s macOS and iOS operating systems that could lead to the disclosure of sensitive memory content. An attacker could capitalize on that information to aid in the exploitation of other vulnerabilities. The vulnerability specifically exists in the DDS image parsing functionality of Apple’s ImageIO library, which ships in its desktop and mobile operating systems. The issue arises if an attacker tricks a user into opening a specially crafted, malicious file. An attacker could exploit this vulnerability to leak the target’s heap addresses and other information that could aid in further exploitation if the leaked data can be accessed in the context of a vulnerable application.
Snort SIDs: 58565 and 58566
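The bug class above is an image parser trusting lengths taken from the file's own header. As an added illustration (this is not Apple's ImageIO code, nor Talos's, and it says nothing about the specific bug beyond what the entry states), the C below parses a minimal DDS file and validates every header-derived length against the buffer it was actually handed before touching pixel data. The magic value, 124-byte header size and width/height offsets come from the public DDS format; the status codes, the `dds_image` struct, the 32-bit RGBA assumption and the `build_sample_dds` fixture builder are this example's own.

```c
/* Added example, not Apple's or Talos's code: a DDS header parser that checks
 * every file-supplied length against the real buffer length. Layout constants
 * follow the public DDS format; everything else here is this example's own. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DDS_MAGIC_LEN  4u    /* "DDS " */
#define DDS_HEADER_LEN 124u  /* DDS_HEADER.dwSize must equal this */
#define DDS_BPP        4u    /* assumption: uncompressed 32-bit RGBA pixels */

enum dds_status {
    DDS_OK = 0,
    DDS_ERR_TRUNCATED_HEADER,
    DDS_ERR_BAD_MAGIC,
    DDS_ERR_BAD_HEADER_SIZE,
    DDS_ERR_ZERO_DIMENSION,
    DDS_ERR_DIMENSION_OVERFLOW,
    DDS_ERR_TRUNCATED_PIXELS
};

struct dds_image {
    uint32_t width, height;
    const uint8_t *pixels;  /* points into the caller's buffer */
    size_t pixel_len;       /* bytes the parser verified are present */
};

static uint32_t rd_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void wr_le32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Parse buf[0..len). Only writes *out on DDS_OK. */
enum dds_status dds_parse(const uint8_t *buf, size_t len, struct dds_image *out) {
    /* 1. Do not read a single header field until the whole header is present. */
    if (len < DDS_MAGIC_LEN + DDS_HEADER_LEN) return DDS_ERR_TRUNCATED_HEADER;
    if (memcmp(buf, "DDS ", DDS_MAGIC_LEN) != 0) return DDS_ERR_BAD_MAGIC;

    const uint8_t *hdr = buf + DDS_MAGIC_LEN;
    if (rd_le32(hdr + 0) != DDS_HEADER_LEN) return DDS_ERR_BAD_HEADER_SIZE;
    uint32_t height = rd_le32(hdr + 8);   /* dwHeight */
    uint32_t width  = rd_le32(hdr + 12);  /* dwWidth  */
    if (width == 0 || height == 0) return DDS_ERR_ZERO_DIMENSION;

    /* 2. Derive the pixel byte count without letting width*height*bpp wrap. */
    uint64_t row_bytes = (uint64_t)width * DDS_BPP;       /* < 2^34, cannot wrap */
    if (height > UINT64_MAX / row_bytes) return DDS_ERR_DIMENSION_OVERFLOW;
    uint64_t need = row_bytes * height;

    /* 3. The check an over-reading parser lacks: the header may claim more
     *    pixel data than the file carries; reading that much would run off
     *    the end of the buffer into whatever heap memory follows it. */
    size_t avail = len - (DDS_MAGIC_LEN + DDS_HEADER_LEN);
    if (need > avail) return DDS_ERR_TRUNCATED_PIXELS;

    out->width = width;
    out->height = height;
    out->pixels = buf + DDS_MAGIC_LEN + DDS_HEADER_LEN;
    out->pixel_len = (size_t)need;
    return DDS_OK;
}

/* Consumer that only walks the verified range, never the header's claim. */
uint64_t dds_pixel_sum(const struct dds_image *img) {
    uint64_t sum = 0;
    for (size_t i = 0; i < img->pixel_len; i++) sum += img->pixels[i];
    return sum;
}

/* Constructed test fixture: magic + 124-byte header (only dwSize, dwHeight and
 * dwWidth filled) + w*h*4 pattern bytes. Returns total length, 0 if cap is short. */
size_t build_sample_dds(uint8_t *buf, size_t cap, uint32_t w, uint32_t h) {
    size_t pix = (size_t)w * h * DDS_BPP;
    size_t total = DDS_MAGIC_LEN + DDS_HEADER_LEN + pix;
    if (cap < total) return 0;
    memset(buf, 0, total);
    memcpy(buf, "DDS ", DDS_MAGIC_LEN);
    wr_le32(buf + DDS_MAGIC_LEN + 0, DDS_HEADER_LEN);
    wr_le32(buf + DDS_MAGIC_LEN + 8, h);
    wr_le32(buf + DDS_MAGIC_LEN + 12, w);
    for (size_t i = 0; i < pix; i++)
        buf[DDS_MAGIC_LEN + DDS_HEADER_LEN + i] = (uint8_t)i;
    return total;
}

int main(void) {
    uint8_t file[DDS_MAGIC_LEN + DDS_HEADER_LEN + 64];
    size_t n = build_sample_dds(file, sizeof file, 4, 4);
    struct dds_image img;
    printf("full file: status %d\n", dds_parse(file, n, &img));
    printf("one byte short: status %d\n", dds_parse(file, n - 1, &img));
    return 0;
}
```

The point of the fixture is the second call in `main`: the header still claims a 4x4 image, but the buffer is one byte short, and the parser refuses rather than reading past the end. A parser that sized its reads from `dwWidth`/`dwHeight` alone would copy out whatever heap bytes followed the buffer, which is the kind of leak the entry describes.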



Most prevalent malware files this week


MD5: a5e345518e6817f72c9b409915741689 
Typical Filename: swupdater.exe 
Claimed Product: Wavesor SWUpdater 
Detection Name: W32.1B259D8CA9.Wavesor.SSO.Talos 

MD5: 34560233e751b7e95f155b6f61e7419a  
Typical Filename: SAntivirusService.exe  
Claimed Product: A n t i v i r u s S e r v i c e  
Detection Name: PUA.Win.Dropper.Segurazo::tpd 

MD5: 8193b63313019b614d5be721c538486b 
Typical Filename: SAService.exe 
Claimed Product: SAService 
Detection Name: PUA.Win.Dropper.Segurazo::95.sbx.tg 

MD5: eb2f5e1b8f818cf6a7dafe78aea62c93 
Typical Filename: vsb2nasl7.dll 
Claimed Product: N/A 
Detection Name: W32.A4DE11B029.Wavesor.SSO.Talos 

MD5: fe3659119e683e1aa07b2346c1f215af 
Typical Filename: SqlServerWorks.Runner.exe 
Claimed Product: SqlServerWorks.Runner 
Detection Name: W32.8639FD3EF8-95.SBX.TG 

Keep up with all things Talos by following us on Twitter. Snort and ClamAV also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast here and Talos Takes here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.
