Threat Source Newsletter (Jan. 27, 2022)

Good afternoon, Talos readers.

It's great to have New Year's resolutions and all. But we don't want you taking the wrong lessons away from 2021, either. Like just because Log4j happened doesn't mean you should stop logging or stop using open-source software.

The latest Beers with Talos episode dropped this morning, and it's a great reflection on lessons we can learn from the major cyber attacks last year, from SolarWinds to Log4j. It's the perfect audio pairing to the latest Talos Incident Response Threat Assessment Report, which also looks at the trends IR saw in the field last year.

We also disclosed some notable vulnerabilities this week, including one that affects iOS and macOS, as well as a string of issues that could be exploited to completely wipe and reformat a video card on a popular WiFi-enabled camera.

Cybersecurity week in review

Two critical vulnerabilities in Linux servers could allow attackers to execute remote code as root on targeted environments. The issues reside in Control Web Panel (CWP) – a popular web hosting management software used by hundreds of thousands of servers across the globe.
Apple released a slew of security updates across its products, including new versions of iOS 15 and WatchOS 8. Among the vulnerabilities the company disclosed is an issue that could allow an attacker to gain access to users' iCloud files.
The U.S. Department of Homeland Security warned Americans that Russian state-sponsored actors could launch cyber attacks against critical infrastructure should the U.S. object to any kinetic warfare in Ukraine. Russian forces are currently gathering near the Ukrainian border, leading to concerns of a military conflict.
Concern over large-scale cyber attacks on the U.S. power grid have led to increased emergency drills among defense agencies. It's also led to a better understanding of what an attack of that scale might actually look like.
A well-known banking trojan targeting Android phones recently added a new feature that could completely wipe a target's phone. The malware, Brata, factory resets the phone after it executes an unauthorized wire transaction.
Threat actors targeted Canada's foreign ministry's network, disrupting some services, though the agency said it did not affect anything critical. The country's leadership had also just recently warned of potential attacks from Russian state-sponsored actors.
The entire country of North Korea lost internet access for about six hours this week, possibly due to a distributed denial-of-service attack. This is the second time in as many weeks this happened to the country.
The U.S. Cybersecurity and Infrastructure Security Agency added 17 vulnerabilities to its list of bugs all users should patch for immediately. The additions are part of a running list of vulnerabilities that attackers commonly target yet remain unpatched on many networks.
A vulnerability in the web servers belonging to the popular video game "Dark Souls 3" could allow an attacker to completely take control of a targeted machine. From Software, the company behind the game, shut down online services to Dark Souls 3 and some of its other games as they work on a fix.

Notable recent security issues

Wiper malware disguised as ransomware targets Ukrainian users, government agencies

Several cyber attacks against Ukrainian government websites — including website defacements and destructive wiper malware — have made headlines over the past few weeks as military tensions along the Russian/Ukrainian border have escalated. Cisco Talos research found that The WhisperGate malware has some strategic similarities to the notorious NotPetya wiper that attacked Ukranian entities in 2017, including masquerading as ransomware and targeting and destroying the master boot record (MBR) instead of encrypting it, it notably has more components designed to inflict additional damage. The multi-stage infection chain downloads a payload that wipes the MBR, then downloads a malicious DLL file hosted on a Discord server, which drops and executes another wiper payload that destroys files on the infected machines.

IOC hashes to blocklist:

a196c6b8ffcb97ffb276d04f354696e2391311db3841ae16c8c9f56f36a38e92
dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78
923eb77b3c9e11d6c56052318c119c1a22d11ab71675e6b95d05eeb73d1accd6
9ef7dbd3da51332a78eff19146d21c82957821e464e8133e9594a07d716d892d

Vulnerability in Apple iOS, iPad OS and MacOS could lead to disclosure of sensitive memory data

Cisco Talos recently discovered an out-of-bounds read vulnerability in Apple’s macOS and iOS operating systems that could lead to the disclosure of sensitive memory content. An attacker could capitalize on that information to aid in the exploitation of other vulnerabilities. This vulnerability specifically exists in the DDS image parsing functionality of Apple’s ImageIO library that exists in its desktop and mobile operating systems. The issue arises if an attacker tricks a user into opening a specially crafted, malicious file. An attacker could exploit this vulnerability to leak the target’s heap addresses and other information that could aid in further exploitation if the leaked data can be accessed in the context of a vulnerable application.

Snort SIDs: 58565 and 58566

Most prevalent malware files this week

SHA 256: 1b259d8ca9bb4579feb56748082a32239a433cea619c09f827fd6df805707f37

MD5: a5e345518e6817f72c9b409915741689 Typical Filename: swupdater.exe Claimed Product: Wavesor SWUpdater Detection Name: W32.1B259D8CA9.Wavesor.SSO.Talos

SHA 256: 8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9 MD5: 34560233e751b7e95f155b6f61e7419a Typical Filename: SAntivirusService.exe Claimed Product: A n t i v i r u s S e r v i c e Detection Name: PUA.Win.Dropper.Segurazo::tpd

SHA 256: e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd MD5: 8193b63313019b614d5be721c538486b Typical Filename: SAService.exe Claimed Product: SAService Detection Name: PUA.Win.Dropper.Segurazo::95.sbx.tg

SHA 256: 2bd102ddc0e618d91a7adc3f3fb92fcfb258680f11b904bb129f5f2f918dcc5f MD5: eb2f5e1b8f818cf6a7dafe78aea62c93 Typical Filename: vsb2nasl7.dll Claimed Product: N/A Detection Name: W32.A4DE11B029.Wavesor.SSO.Talos

SHA 256: 8639fd3ef8d55c45808f2fa8a5b398b0de18e5dd57af00265e42c822fb6938e2 MD5: fe3659119e683e1aa07b2346c1f215af Typical Filename: SqlServerWorks.Runner.exe Claimed Product: SqlServerWorks.Runner Detection Name: W32.8639FD3EF8-95.SBX.TG

Keep up with all things Talos by following us on Twitter. Snort, and ClamAV also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast here and Talos Takes here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.

Intelligence Center

Vulnerability Information

Security Resources

Media

Company

Could the Brazilian Supreme Court finally hold people accountable for sharing disinformation?

The internet is already scary enough without April Fool’s jokes

There are plenty of ways to improve cybersecurity that don’t involve making workers return to a physical office

Intelligence Center

Vulnerability Research

Incident Response