Threat Source newsletter (June 2, 2022) — An RSA Conference primer

By Jon Munshaw. 

Welcome to this week’s edition of the Threat Source newsletter. 

Many of you readers may be gearing up for a West Coast swing over the next few weeks through San Francisco and Las Vegas for RSA and Cisco Live, respectively. And we’re right behind you!  

Talos will have plenty of representation at both conferences, including giving lightning talks at the Cisco Secure booth, several features talks and spots, live podcast recordings, and more. To get you ready for RSA, I wanted to highlight a few special things we’re doing at the conference you should know about before you go.  

As always, you can keep posted on our latest plans and talk schedule by following us on Twitter. 

Main booth 

Stop by the main Talos and Cisco Secure booth at Moscone North Hall to say hi, ask questions and get the latest information on what we’re up to. 

At the booth, we’ll be premiering a new video series and giving out some of our newest stickers created in the image of our favorite malware “mascots.” Everyone will be jealous if you have one of these on your laptop. 

Evolving Your Defense: Making Heads or Tails of Threat Actor Trends 

Nick Biasini and Pierre Cadieux are hosting our sponsored session on June 7 at 9:40 a.m. PT. In this talk, they’ll be breaking down the latest threat actor tactics, techniques and procedures and telling you which ones you should be worried about and what can be ignored. 

Beers with Talos/Security Stories 

We’re hosting two live podcasts back-to-back at the Marriott Marquis: Sierra C ballroom from 2 – 5 p.m. PT on June 7. Security Stories and Beers with Talos are getting together to play a game of “Would I lie to you?”  

Talos’ vice president, Matt Watchinski, will be on hand for both episodes, along with other special guests.  

The Beers with Talos episode will cover Talos’ work in Ukraine, and we’ll hear from the audience about their hottest security takes.  

  

The one big thing 

A recently discovered zero-day vulnerability in the Microsoft Windows Support Diagnostic Tool (MSDT) made headlines over the past few days. CVE-2022-30190, also known under the name "Follina," exists when MSDT is called using the URL protocol from an application, such as Microsoft Office, Microsoft Word or via an RTF file. An attacker could exploit this vulnerability to gain the ability to run arbitrary code on the targeted system. 

Why do I care? 

If an attacker were to successfully exploit this vulnerability, they could execute remote code on the targeted machine. Needless to say, that’s bad. This is just the latest in a string of Microsoft vulnerabilities to make headlines over the past 12 months, including PrintNightmare and multiple Exchange Server issues. If those cases have taught us anything, it’s that attackers aren’t afraid to look for vulnerable Microsoft products to try and gain a foothold on a targeted network or machine.  

So now what? 

Although a patch hasn't been released yet, Microsoft has provided workarounds and Windows Defender protections for the CVE and malware exploiting this vulnerability. Cisco Talos has also released coverage to protect against this vulnerability, including multiple Snort rules and a ClamAV signature. 

 

Other news of note

Costa Rica’s government was hit with another ransomware attack, this time from the Hive group. Hive took down the country’s health department’s online services earlier this week, adding to the problems Costa Rica is facing after Conti launched a ransomware attack in May. Security experts say there is evidence that Conti and Hive may be working together to extort the Costa Rican government. This is all going on as the Conti group claims it’s shutting down and splitting up into smaller groups. The Hive operators have not yet declared a ransom amount. (Bleeping Computer, Krebs on Security, CSO Online) 

The U.S. Department of Justice seized three domains associated with selling and collecting stolen and leaked personal information. Authorities said the sites, WeLeakInfo, IPStress and OVH Booster all assisted attackers in carrying out denial-of-service attacks. In 2020, the DoJ seized very similar domains, including “weleakinfo.com,” which at the time, offered users the ability to “review and obtain the personal information illegally obtained in over 10,000 data breaches.” (Recorded Future, Department of Justice) 

The FBI recently thwarted an attempted cyber attack on a Boston children’s hospital, according to the agency’s director. Chris Wray, speaking at an event in Boston, received intelligence last summer ahead of time that allowed the agency to stop what he called “one of the most despicable cyberattacks I've seen.” Wray added that the attack came from an Iranian state-sponsored actor. The same hospital faced similar attacks in 2014 and 2019, he said. (ABC News, NBC 10 Boston) 

Can’t get enough Talos? 

• Researcher Spotlight: Martin Lee, EMEAR lead, Talos Strategic Communications
• Threat Roundup for May 20 - 27
• Talos Takes Ep. #98: Maybe don't panic about that F5 BIG-IP vulnerability

Upcoming events where you can find Talos 

REcon (June 3 – 5, 2022)
Montreal, Canada 

RSA 2022 (June 6 – 9, 2022)
San Francisco, California 

Cisco Live U.S. (June 12 – 16, 2022)
Las Vegas, Nevada 

Most prevalent malware files from Talos telemetry over the past week  

SHA 256: e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934  
MD5: 93fefc3e88ffb78abb36365fa5cf857c  
Typical Filename: Wextract  
Claimed Product: Internet Explorer  
Detection Name: PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg  

SHA 256: 125e12c8045689bb2a5dcad6fa2644847156dec8b533ee8a3653b432f8fd5645    
MD5: 2c8ea737a232fd03ab80db672d50a17a    
Typical Filename: LwssPlayer.scr    
Claimed Product: 梦想之巅幻灯播放器    
Detection Name: Auto.125E12.241442.in02    

SHA 256: 4b34e3637fa7af93ab628ae5adad2c7f3464053316963297844324a4f649a206 
MD5: 3632f27604f5a82cf73b9ade710a1656  
Typical Filename: mediaget_installer_467.exe  
Claimed Product: N/A  
Detection Name: FileRepPup:MediaGet-tpd  

SHA 256: a9f7d7525aad1c7007ae9d1d3fc531a1065b28225c5b7efb7347aaf77d9aba92  
MD5: 8f90e544a48d75f42f9d44811320689c   
Typical Filename: tata communications wholesale retai lpak ncl ethopia napal spice srilanka bd cli bangladesh.wsf  
Claimed Product: N/A   
Detection Name: Xml.Dropper.Valyria::100.sbx.vioc  

SHA 256: 85B936960FBE5100C170B777E1647CE9F0F01E3AB9742DFC23F37CB0825B30B5   
MD5: 8c80dd97c37525927c1e549cb59bcbf3   
Typical Filename: Eternalblue-2.2.0.exe   
Claimed Product: N/A   
Detection Name: Win.Exploit.Shadowbrokers::5A5226262.auto.talos