Thursday, October 31, 2019

Threat Source newsletter (Oct. 31, 2019)


Newsletter compiled by Jon Munshaw.

Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.

We’re scared of stalkerware, and you should be, too. These spyware apps are becoming more popular among everyone from nation-states to suspicious spouses who may be wanting to track their partner’s locations. These apps live in a gray area, where they’re not explicitly deemed illegal, but they can be used for illegal purposes.

How can you make sure your mobile device isn’t infected with this type of software? And why is it so popular? Find out in our new post from this week.

The second entry in our CISO Advisory series went up this week, too, this time focusing on security architecture.

We also have our weekly Threat Roundup, which you can find on the blog every Friday afternoon. There, we go over the most prominent threats we’ve seen (and blocked) over the past week.

Upcoming public engagements with Talos

Event: “It’s Never DNS…. It Was DNS: How Adversaries Are Abusing Network Blind Spots”  at SecureWV/Hack3rCon X
Location: Charleston Coliseum & Convention Center, Charleston, WV
Date: Nov. 15 - 17
Speakers: Edmund Brumaghin and Earl Carter
Synopsis: While DNS is one of the most commonly used network protocols in most corporate networks, many organizations don’t give it the same level of scrutiny as other network protocols present in their environments. DNS has become increasingly attractive to both red teams and malicious attackers alike to easily subvert otherwise solid security architectures. This presentation will provide several technical breakdowns of real-world attacks that have been seen leveraging DNS for a variety of purposes such as DNSMessenger, DNSpionage, and more.

Event: “Reading Telegram messages abusing the shadows” at BSides Lisbon 
Location: Auditorio FMD-UL, Lisbon, Portugal
Date: Nov. 28 - 29
Speakers: Vitor Ventura
Synopsis: One of the cornerstones of privacy today is secure messaging applications like Telegram, which deploy end-to-end encryption to protect the communications. But several clone applications have been created and distributed with the intent of spying on their users. In this talk, Vitor will demonstrate how the Telegram registration process became abused, allowing message interception on non-rooted Android devices without replacing the official application. This is another example on how encryption is not a panacea, and that side-channel attacks like this are a real problem for otherwise secure applications.

Cyber Security Week in Review

  • The infamous Fancy Bear Russian hacking group may be targeting the 2020 Summer Olympics. New reports suggest the group has disrupted anti-doping agencies to varying degrees of success. 
  • A major nuclear power plant in India confirms it was breached. A North Korea-linked hacking group gained access to the plant’s administrative network, though it has not yet said whether data was stolen. 
  • A massive cyber attack took down web sites across the country of Georgia, along with the country’s national television station. Most of the sites were replaced with images of a former president of Georgia, with him holding a sign that reads “I’ll be back.” 
  • A new malware family has been discovered on Android devices installed on more than 75,000 devices. However, the malware can reinstall itself even after its removed, including after a full device factory reset. 
  • The WhatsApp messaging app now has biometric support for Android devices. Users can now access their profiles using their fingerprint. The feature had been available on iOS devices. 
  • A new report suggests a cyber attack on Asian ports could cost upward of $110 billion. An insurance firm conducted a study, estimating what would happen if an attack hit 15 ports across Japan, Malaysia, Singapore, South Korea and China. 
  • The U.K. has begun work on a new National Cyber Security Strategy, as their previous one nears the end of its life. However, this milestone has brought several critics to the forefront, including one report that says the original program only achieved one of its 12 stated goals. 
  • A non-profit group is preparing to launch its free cyber security program for U.S. political campaigns. Defending Digital Campaigns announced its first group of services, including email security, encrypted messaging and security training for staff. 

Notable recent security issues

Title: Nation-state actors are behind new slew of mobile malware 
Description: A new report highlights how nation-state-backed APTs are utilizing the mobile malware space to conduct espionage activities on their own citizens. Security researchers at BlackBerry discovered new campaigns from actors linked to the Chinese, Iranians, Vietnamese and North Koreans. Among these attackers is the infamous OceanLotus group, which has launched a new attack that contains both mobile and desktop components. OceanLotus is deploying malicious apps onto mobile stores that “spy” on the user’s device.
Snort SIDs: 52004, 52005

Title: Denial of service in VMWare Fusion
Description: VMware Fusion 11 contains an exploitable denial-of-service vulnerability. VMWare Fusion is an application for Mac operating systems that allows users to run other OSs in a virtual environment, such as Windows and Linux. An attacker could exploit this vulnerability by supplying a malformed pixel shader inside of a VMware guest OS. This vulnerability can be triggered from a VMware guest and the VMware host will be affected, leading to a VMware fusion process crash on the host.
Snort SIDs: 50502, 50503

Most prevalent malware files this week

SHA 256: 7acf71afa895df5358b0ede2d71128634bfbbc0e2d9deccff5c5eaa25e6f5510
MD5: 4a50780ddb3db16ebab57b0ca42da0fb
Typical Filename: xme64-2141.exe
Claimed Product: N/A
Detection Name: W32.7ACF71AFA8-95.SBX.TG

SHA 256: 3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3
MD5: 47b97de62ae8b2b927542aa5d7f3c858
Typical Filename: qmreportupload
Claimed Product: qmreportupload
Detection Name: Win.Trojan.Generic::in10.talos

SHA 256: 46b241e3d33811f7364294ea99170b35462b4b5b85f71ac69d75daa487f7cf08
MD5: db69eaaea4d49703f161c81e6fdd036f
Typical Filename: xme32-2141-gcc.exe
Claimed Product: N/A
Detection Name: W32.46B241E3D3-95.SBX.TG

SHA 256: 85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5
MD5: 8c80dd97c37525927c1e549cb59bcbf3
Typical Filename: Eternalblue-2.2.0.exe
Claimed Product: N/A
Detection Name: W32.WNCryLdrA:Trojan.22k2.1201

SHA 256: 6b01db091507022acfd121cc5d1f6ff0db8103f46a1940a6779dc36cca090854
MD5: 74f4e22e5be90d152521125eaf4da635
Typical Filename: jsonMerge.exe
Claimed Product: ITSPlatform
Detection Name: W32.GenericKD:Attribute.22lk.1201 

No comments:

Post a Comment