Thursday, January 16, 2020

Threat Source newsletter (Jan. 16, 2019)


Newsletter compiled by Jon Munshaw.

Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.

This wasn’t your average Patch Tuesday. Microsoft’s monthly security update was notable for a few reasons. For starters, it’s really time to give up Windows 7, since this is the last free update Microsoft will issue for the operating system.

There was also a vulnerability that made headlines for leaving Windows open to cryptographic spoofing, which could allow an attacker to sign a malicious file as if it came from a trusted source. The bug was so severe that Microsoft even reached out to the U.S. military ahead of time to issue them an early patch. For more on Patch Tuesday, you can check out our roundup here and our Snort rule release here.

Elsewhere in the vulnerability department, we also released new Snort rules to protect users against some notable Citrix bugs that have been used in the wild.

And, as always, we have the latest Threat Roundup where we go through the top threats we saw — and blocked — over the past week.

Upcoming public engagements

Event: Talos Insights: The State of Cyber Security at Cisco Live Barcelona
Location: Fira Barcelona, Barcelona, Spain
Date: Jan. 27 - 31
Speakers: Warren Mercer
Synopsis: Cisco Talos specializes in early-warning intelligence and threat analysis necessary for maintaining a secure network. We are responsible for defending networks realize that the security threat landscape is constantly in flux as attackers evolve their skills. Talos advances the overall efficacy of all Cisco security platforms by aggregating data, cooperating with teams of security experts, and applying the cutting-edge big data technology to security. In this talk, we will perform a deep analysis of recent threats and see how Talos leverages large datasets to deliver product improvements and mitigation strategies.

Cyber Security Week in Review

  • Apple once again denied the FBI’s request for the company to unlock an iPhone belonging to someone involved in a criminal investigation. The agency is attempting to access a device belonging to a man who shot and killed multiple people at a naval base last year. 
  • This caused U.S. President Donald Trump to enter the fold. Trump tweeted that he was unhappy with Apple denying law enforcement access to devices "used by killers, drug dealers and other violent criminal elements.” 
  • More than two weeks after a ransomware attack, foreign currency exchange service Travelex is finally resuming normal operations. The company recently said it was making “good progress” on recovery and was expecting customer-facing systems to return soon. 
  • The Travelex attack prompted the U.S. government to release a new warning that users need to update their VPN services as soon as possible. Vulnerabilities disclosed last year in Pulse Secure VPN leave users open to cyber attacks similar to the ransomware infection on Travelex, according to the U.S. Cybersecurity and Infrastructure Security Agency. 
  • The Democratic party in Iowa says it will still use a mobile app to report primary election results, despite warnings that it is a security risk. Election judges will use the apps to count polling results during the presidential primaries and report those results on their mobile devices, though officials say there will be paper backups to verify the results. 
  • The estimated cost of a recent cyber attack on the city of New Orleans is above $7 million, $3 million of which the city says it will recoup from its cyber insurance policy. Officials say it will still take months to rebuild their internal network, and departments are still digging out from having to manually carry out many functions for weeks. 
  • The U.S. election security czar warned that attempts to interfere in the U.S.’ upcoming presidential election will be more sophisticated than ever. Shelby Pierson said at a recent presentation America is tracking several hacking groups, including a recent effort uncovered to breach a Ukrainian company at the center of President Donald Trump’s impeachment trial. 
  • A critical vulnerability in a popular WordPress plugin leaves more than 300,000 sites open to attack. An attacker could exploit a bug in InfiniteWP to log in as an administrator on any affected site.  
  • Android devices infected with the Faketoken malware began sending offensive SMS messages last week. It sends these messages to foreign numbers, potentially costing the victim money based on their carrier’s policies. 
  • The U.S. may invest more than $1 billion into researching alternatives for 5G to avoid working with Chinese tech companies Huawei and ZTE. Legislation submitted in the Senate urged America to counter the Chinese government’s investment in the telecom space.

Notable recent security issues

Title: Microsoft patches 49 vulnerabilities as part of Patch Tuesday
Description: Microsoft released its monthly security update today, disclosing vulnerabilities across many of its products and releasing corresponding updates. Patch Tuesday covers 49 vulnerabilities, eight of which are considered critical. This month's security update is particularly important for its disclosure of two vulnerabilities related to a core cryptographic component in all versions of Windows. CVE-2020-0601 could allow an attacker to use cryptography to sign a malicious executable, making the file appear as if it was from a trusted source. The victim would have no way of knowing if the file was malicious. Cyber security reporter Brian Krebs says the vulnerability is so serious, Microsoft secretly deployed a patch to branches of the U.S. military prior to today.
Snort SIDs: 52593 - 51596, 52604, 52605

Title: ZeroCleare wiper malware deployed on oil refinery 
Description: ZeroCleare, a wiper malware connected to an Iranian hacker group, was recently deployed against a national oil refinery in Bahrain. An upgraded version has been spotted in the wild, according to security researchers, which can delete files off infected machines. The latest attacks match previous attacks using this malware family, which have gone after other targets connected to Saudi Arabia. Concerns over Iranian cyber attacks have spiked since the U.S. killed a high-profile Iranian general in a drone strike.
Snort SIDs: 52572 – 52581

Most prevalent malware files this week

SHA 256: 1c3ed460a7f78a43bab0ae575056d00c629f35cf7e72443b4e874ede0f305871
MD5: c2406fc0fce67ae79e625013325e2a68
Typical Filename: SegurazoIC.exe
Claimed Product: Digital Communications Inc.
Detection Name: PUA.Win.Adware.Ursu::95.sbx.tg

SHA 256: d73ea76f6f07f96b337335213418b58e3fbc7e4b519fec0ef3fbd19c1d335d81 
MD5: 5142c721e7182065b299951a54d4fe80
Typical Filename: FlashHelperServices.exe
Claimed Product: Flash Helper Service
Detection Name: PUA.Win.Adware.Flashserv::1201

SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f 
MD5: e2ea315d9a83e7577053f52c974f6a5a
Typical Filename: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f.bin 
Claimed Product: N/A
Detection Name: W32.AgentWDCR:Gen.21gn.1201

SHA 256: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b
MD5: 799b30f47060ca05d80ece53866e01cc
Typical Filename: mf2016341595.exe
Claimed Product: N/A
Detection Name: W32.Generic:Gen.22fz.1201

SHA 256: da231330efd623bc7d116ed233828be88951b9df7cc889e747d31279bdf2c2a0 
MD5: 4a4ee4ce27fa4525be327967b8969e13
Typical Filename: 4a4ee4ce27fa4525be327967b8969e13.exe
Claimed Product: N/A
Detection Name: PUA.Win.File.Coinminer::tpd

Keep up with all things Talos by following us on TwitterSnortClamAV and Immunet also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.  

No comments:

Post a Comment