Thursday, November 21, 2019

Threat Source newsletter (Nov. 21, 2019)


Newsletter compiled by Jon Munshaw.

Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.

It’s nearly holiday shopping season, which means it’s prime scam season. On the latest Beers with Talos episode, we run down the best ways to stay safe while shopping online and how to detect phony emails. It’s also election season, which makes for some good discussion.

And, as it’s time to look back on the year that was, we have a new feature from Talos Incident Response where we take a quarter-by-quarter look at the top threats we’ve seen in the wild. In Q4 of Cisco’s fiscal year, our IR analysts mainly saw ransomware and cryptocurrency miners.

IR also had another exciting announcement this week, with the unveiling of a new cyber range that can help train employees to avoid common scams that can lead to malware infection. The cyber range now comes with any IR retainer.

The Threat Source newsletter is getting a week off next week for the Thanksgiving holiday in the U.S., so we’ll talk to you again in December.

Upcoming public engagements with Talos

Event: “Reading Telegram messages abusing the shadows” at BSides Lisbon 
Location: Auditorio FMD-UL, Lisbon, Portugal
Date: Nov. 28 - 29
Speakers: Vitor Ventura
Synopsis: One of the cornerstones of privacy today is secure messaging applications like Telegram, which deploy end-to-end encryption to protect the communications. But several clone applications have been created and distributed with the intent of spying on their users. In this talk, Vitor will demonstrate how the Telegram registration process became abused, allowing message interception on non-rooted Android devices without replacing the official application. This is another example on how encryption is not a panacea, and that side-channel attacks like this are a real problem for otherwise secure applications.

Event: “Signed, Sealed, Compromised: The Past, Present, and Future of Supply Chain Attacks” at CactusCon
Location: Charleston Coliseum & Convention Center, Charleston, WV
Date: Dec. 6 - 7
Speakers: Edmund Brumaghin and Earl Carter
Synopsis: This talk will discuss the common techniques we’re seeing in supply chain attacks. Supply chain attacks are a broad topic, but one that has continued to evolve and mature over the last decade. Nick and Edmund will walk through what a supply chain attack constitutes, the history of how these attacks have evolved, and where we see this attack technique moving in the future.

Cyber Security Week in Review

  • The highly publicized Checkra1n jailbreak for iOS devices has been on the market for a week now. Here’s what that means for iPhone users and security researchers, and why it poses such an ethical dilemma.  
  • Google and Samsung recently patched a vulnerability in some of their smartphones that could allow an attacker to take over the device’s camera. But other Android devices may still be at risk. 
  • Several government services in Louisiana were taken down due to a ransomware attack. Two days post-infection, the state’s motor vehicles department was still closed. But state officials say no one has paid the ransom requested by the attackers. 
  • The Australian government released a proposal to secure internet-of-things devices. It is a voluntary code the country is asking companies to abide to, including devices like "everyday smart devices that connect to the internet, such as smart TVs, watches, and home speakers.” 
  • Numerous popular apps on the Google Play store are still vulnerable to long-known remote code execution vulnerabilities. A study found that while these apps do have recent updates, they don’t necessarily protect against publicly disclosed bugs. 
  • The Russian government is eager to bring an alleged hacker back into its country after he appeared in a U.S. court to face charges. Research indicates the man may be one of the most well-connected hackers in Russia and the government fears he knows too much. 
  • Microsoft says there is “no evidence” that the Dopplepaymer malware is spreading through Microsoft Teams. The company said after extensive research, it believes the only way Dopplemaymer can spread is through remote human operators using existing Domain Admin credentials. 
  • Many user accounts for the newly launched Disney+ streaming service have been stolen and listed for sale on the dark web. However, Disney says there is no evidence to indicate its servers were breached. 

Notable recent security issues

Title: New, custom dropped delivers variety of information-stealing malware 
Description: A wave of adversaries which are dropping well-known information-stealer like Agent Tesla, Loki-bot and others since at least January 2019 using custom droppers. These droppers inject the final malware into common processes on the victim machine. Once infected, the malware can steal information from many popular pieces of software, including the Google Chrome, Safari and Firefox web browsers. The injection techniques are well-known and have been used for many years, but with the adversaries customizing them, traditional anti-virus systems are having a hard time detecting the embedded malware.
Snort SIDs: 52246

Title: Denial-of-service vulnerability in some Intel graphics drivers
Description: Intel’s IGC64.dll graphics driver contains a denial-of-service vulnerability. An attacker could exploit this bug by supplying a malformed pixel shader if the graphics driver is operating inside a VMware guest operating system. This type of attack can be triggered from VMware guest usermode to cause a denial-of-service attack due to an out-of-bounds read in the driver.
Snort SIDs: 50295, 50296

Most prevalent malware files this week

SHA 256: 7acf71afa895df5358b0ede2d71128634bfbbc0e2d9deccff5c5eaa25e6f5510
MD5: 4a50780ddb3db16ebab57b0ca42da0fb
Typical Filename: xme64-2141.exe
Claimed Product: N/A
Detection Name: W32.7ACF71AFA8-95.SBX.TG

SHA 256: 3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3
MD5: 47b97de62ae8b2b927542aa5d7f3c858
Typical Filename: qmreportupload
Claimed Product: qmreportupload
Detection Name: Win.Trojan.Generic::in10.talos

SHA 256: 85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5
MD5: 8c80dd97c37525927c1e549cb59bcbf3
Typical Filename: Eternalblue-2.2.0.exe
Claimed Product: N/A
Detection Name: W32.WNCryLdrA:Trojan.22k2.1201

SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f 
MD5: e2ea315d9a83e7577053f52c974f6a5a
Typical Filename: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f.bin
Claimed Product: N/A
Detection Name: W32.AgentWDCR:Gen.21gn.1201

SHA 256: f917be677daab5ee91dd3e9ec3f8fd027a58371524f46dd314a13aefc78b2ddc 
MD5: c5608e40f6f47ad84e2985804957c342
Typical Filename: FlashHelperServices.exe
Claimed Product: Flash Helper Service
Detection Name: PUA:2144FlashPlayer-tpd 

No comments:

Post a Comment