Thursday, September 26, 2019

Threat Source newsletter (Sept. 26)


Newsletter compiled by Jon Munshaw.

Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.

An attacker known as “Tortoiseshell” is using a phony, malicious website to deliver malware. The site specifically targets U.S. military veterans who may be searching for a job. These types of sites are likely to be shared on social media as the general population hopes to support the veteran population.

Forget about the iPhone 11, impeachment or nation-state cyber attacks. We all know the biggest news of the past week was Area 51. And thankfully, the latest Beers with Talos talks about storming the secret military base. And some other, more cyber security-focused things.

We also have our weekly Threat Roundup, which you can find on the blog every Friday afternoon. There, we go over the most prominent threats we’ve seen (and blocked) over the past week.

Upcoming public engagements with Talos

Event: “DNS on Fire” at Virus Bulletin 2019
Location: Novotel London West hotel, London, U.K.
Date: Oct. 2 - 4
Speaker: Warren Mercer and Paul Rascagneres
Synopsis: In this talk, Paul and Warren will walk through two campaigns Talos discovered targeted DNS. The first actor developed a piece of malware, named “DNSpionage,” targeting several government agencies in the Middle East, as well as an airline. During the research process for DNSpionage, we also discovered an effort to redirect DNSs from the targets and discovered some registered SSL certificates for them. The talk will go through the two actors’ tactics, techniques and procedures and the makeup of their targets.

Event: “It’s never DNS...It was DNS: How adversaries are abusing network blind spots” at SecTor
Location: Metro Toronto Convention Center, Toronto, Canada
Date: Oct. 7 - 10
Speaker: Edmund Brumaghin and Earl Carter
Synopsis: While DNS is one of the most commonly used network protocols in most corporate networks, many organizations don’t give it the same level of scrutiny as other network protocols present in their environments. DNS has become increasingly attractive to both red teams and malicious attackers alike to easily subvert otherwise solid security architectures. This presentation will provide several technical breakdowns of real-world attacks that have been seen leveraging DNS for a variety of purposes such as DNSMessenger, DNSpionage, and more.

Cyber Security Week in Review

  • Apple released iOS 13 to all mobile users over the past week. There’s a series of new privacy and security features with the latest version of the operating system, though some of them are not working as expected. 
  • Dozens of YouTubers had their account credentials stolen and accounts taken over as part of a wave of attacks over the weekend. Attackers used malicious websites to trick the content creators into entering their login information. 
  • Microsoft released an out-of-band patch for Internet Explorer this week for a critical vulnerability. An attacker could exploit this bug to completely take over a user’s machine.  
  • The U.S. is reportedly looking into several options to carry out a cyber attack against Iran. The goal is to disrupt their military operations without escalating kinetic warfare. 
  • U.S. security firm CrowdStrike got wrapped up in the impeachment investigation into President Donald Trump. The company assisted the U.S. Democratic National Committee in researching cyber attacks during the 2016 presidential election, and Trump asked the Ukrainian national government to research CrowdStrike, thinking the company was located there. 
  • Security firm Symantec discovered 25 apps on the Google Play store spreading malware. Together, they had been downloaded about 2.1 million times. 
  • Amazon unveiled its idea for a new wireless protocol called “Sidewalk” that is designed to connect users’ Amazon-created IoT home devices. The company says Wi-Fi and Bluetooth do not extend far enough, and 5G is currently too expensive. 
  • The actors behind the Magecart malware are testing new code that could target public WiFi hotspots. Security researchers say Magecart Group 5 is preparing the code to be injected into benign JavaScript files. 
  • A new report from the U.S. Government Accountability Office says that the U.S. Department of Energy has not done enough to protect the American electrical grid from cyber attacks. The report states actors across the globe can force power outages via cyber attacks, though the breadth of those outages is currently unknown.  

Notable recent security issues

Title: New Emotet campaign emerges, but protection stays the same 
Description: At the beginning of June 2019, Emotet's operators decided to take an extended summer vacation. Even the command and control (C2) activities saw a major pause in activity. However, as summer draws to a close, Cisco Talos and other researchers started to see increased activity in Emotet's C2 infrastructure. And as of Sept. 16, 2019, the Emotet botnet has fully reawakened, and has resumed spamming operations once again. The malware still mainly relies on socially engineered spam emails to spread. Once the attackers have swiped a victim's email, Emotet constructs new attack messages in reply to some of that victim's unread email messages, quoting the bodies of real messages in the threads.
Snort SIDs: 47616, 47617, 48402, 49889, 43890 – 43892, 44559, 44560

Title: Aspose PDF API contains multiple remote code execution vulnerabilities
Description: There are multiple remote code execution vulnerabilities in the Aspose.PDF API. Aspose provides a series of APIs for manipulating or converting a large family of document formats. These vulnerabilities exist in APIs that help process PDFs. An attacker could exploit these vulnerabilities by sending a specially crafted, malicious file to the target and trick them into opening it while using the corresponding API. 
Snort SIDs: 50730, 50731, 50738, 50739

Most prevalent malware files this week

SHA 256: 7acf71afa895df5358b0ede2d71128634bfbbc0e2d9deccff5c5eaa25e6f5510 
MD5: 4a50780ddb3db16ebab57b0ca42da0fb
Typical Filename: xme64-2141.exe
Claimed Product: N/A
Detection Name: W32.7ACF71AFA8-95.SBX.TG

SHA 256: 3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3
MD5: 47b97de62ae8b2b927542aa5d7f3c858
Typical Filename: qmreportupload.exe
Claimed Product: qmreportupload
Detection Name: Win.Trojan.Generic::in10.talos

SHA 256: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b 
MD5: 799b30f47060ca05d80ece53866e01cc
Typical Filename: mf2016341595.exe
Claimed Product: N/A
Detection Name: W32.Generic:Gen.22fz.1201

SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f 
MD5: e2ea315d9a83e7577053f52c974f6a5a
Typical Filename: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f.bin
Claimed Product: N/A
Detection Name: W32.AgentWDCR:Gen.21gn.1201

SHA 256: 46b241e3d33811f7364294ea99170b35462b4b5b85f71ac69d75daa487f7cf08
MD5: db69eaaea4d49703f161c81e6fdd036f
Typical Filename: xme32-2141-gcc.exe 
Claimed Product: N/A
Detection Name: W32.46B241E3D3-95.SBX.TG 

No comments:

Post a Comment