Thursday, December 19, 2019

Threat Source newsletter (Dec. 19, 2019)


Newsletter compiled by Jon Munshaw.

Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.

We have an early holiday present for you! This week, we introduced a new podcast to the Talos family. Talos Takes, a new short-form show, takes listeners through a quick breakdown of a particular topic or security news story, with our Talos spin. The first three episodes are available now on the Talos podcasts page, and on the Beers with Talos feed. In 2020, we’ll give Talos Takes its own feed you’ll be able to subscribe to.

Not to be overshadowed, there is also a new Beers with Talos episode available just in time for your holiday road trip. This week’s episode features special guest Joe Marshall from the Talos Outreach team, who brings his expertise on IoT and ICS security to the table.

To wrap up the year, we released a blog post running through the top malware and cyber news stories of 2019. This post is a perfect place to look back on all the major research we put out this year.

Cisco’s annual winter shutdown begins next week, so this will be the last Threat Source newsletter until Jan. 9. See you in 2020!

Cyber Security Week in Review

  • The city of New Orleans declared a State of Emergency days after it was hit with a cyber attack. Many government services went down, although emergency services like 911 were not impacted. Local officials say they’ve engaged the FBI to assist with their recovery and an investigation into the attack. 
  • Meanwhile, the city of Pensacola, Florida still recovers from its own ransomware attack. The city brought in an outside firm to launch an investigation into what kind of malware its systems were hit with and provide recommendations on how to recover. 
  • Congress approved $425 million in funding to improve America’s election security. But some lawmakers and security experts say it’s too little, too late, to protect the 2020 presidential election. 
  • G Suite is banning the use of what it considers “less secure” apps. Beginning in June 2020, Google will no longer allow users to sign into apps that rely only on a username and password via their Google Account. Google considers secure apps to be those that rely on OAuth tokens. 
  • Ring security cameras continue to come under fire in a series of negative headlines about their security. There are several key security features the service is missing, including alerts when a new user logs into the account from an unknown IP address or when multiple users are signed into an account at the same time. 
  • In response to many of these stories, Amazon, the company behind Ring, said many of these hacks are the result of users relying on insecure username and password combinations. They also recommended opting into two-factor authentication. 
  • Canadian lab testing company LifeLabs says it recently suffered an attack that compromised 15 million individuals’ personal information and paid a ransom to retrieve that data. Representatives from the company say they believe that paying the ransom ensures the compromised data will not be used in additional attacks. 
  • Google released an emergency update for its Chrome web browser after a bug appeared that wiped data from other Android apps. Chrome 79 mistakenly cleared information from apps that are completely unrelated to Chrome, including the Finance app.  
  • Microsoft released an out-of-band security update for SharePoint. CVE-2019-1491 could allow an attacker to obtain sensitive information, and then use that information in additional attacks. 

Notable recent security issues

Title: New malware-as-a-service family targets tech, health care companies
Description: The new Zeppelin malware is targeting health care and tech companies in the U.S. and Europe. Researchers believe Zeppelin is a variant of the ransomware-as-a-service family known as Vega. While Vega started out earlier this year targeting Russian-speaking victims, researchers believe the malware could be in a new adversaries’ hands now that they are targeting users elsewhere. Zeppelin is highly configurable and can be deployed as an EXE, DLL, or wrapped in a PowerShell loader.
Snort SIDs: 52451 – 52453 (By Nicholas Mavis)

Title: Gamaredon attacks spread to Ukrainian journalists, law enforcement agencies
Description: A well-known APT is expanding its pool of targets, now going after journalists and law enforcement agencies in Ukraine. The group, which is believed to have Russian ties based on the language used in their malware, previously went after Ukrainian military and government agencies. There are also new TTPs associated with this group, including the use of template injection in their malware.
Snort SIDs: 52445 - 52448 (By Joanne Kim)

Most prevalent malware files this week

SHA 256: d73ea76f6f07f96b337335213418b58e3fbc7e4b519fec0ef3fbd19c1d335d81 
MD5: 5142c721e7182065b299951a54d4fe80
Typical Filename: FlashHelperServices.exe
Claimed Product: Flash Helper Service
Detection Name: PUA.Win.Adware.Flashserv::1201

SHA 256: 0cdd2a671195915d9ffb5c9533337db935e0cc2f4d7563864ea75c21ead3f94
MD5: 7c38a43d2ed9af80932749f6e80fea6f
Typical Filename: xme64-520.exe
Claimed Product: N/A
Detection Name: PUA.Win.File.Coinminer::1201

SHA 256: 1c3ed460a7f78a43bab0ae575056d00c629f35cf7e72443b4e874ede0f305871
MD5: c2406fc0fce67ae79e625013325e2a68
Typical Filename: SegurazoIC.exe
Claimed Product: Digital Communications Inc.
Detection Name: PUA.Win.Adware.Ursu::95.sbx.tg

SHA 256: f917be677daab5ee91dd3e9ec3f8fd027a58371524f46dd314a13aefc78b2ddc
MD5: c5608e40f6f47ad84e2985804957c342
Typical Filename: FlashHelperServices.exe
Claimed Product: Flash Helper Service
Detection Name: PUA:2144FlashPlayer-tpd

SHA 256: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b
MD5: 799b30f47060ca05d80ece53866e01cc
Typical Filename: mf2016341595.exe
Claimed Product: N/A
Detection Name: W32.Generic:Gen.22fz.1201

Keep up with all things Talos by following us on Twitter. Snort, ClamAV and Immunet also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.
