Thursday, February 13, 2020

Threat Source newsletter (Feb. 13, 2020)


Newsletter compiled by Jon Munshaw.

Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.

This month’s Microsoft Patch Tuesday was particularly hefty, with the company disclosing nearly 100 vulnerabilities — three of which Talos researchers discovered. For our complete wrapup, check out the blog post here, and be sure to update your Microsoft products now if you haven’t already.

Over on our YouTube page, we have a new video series we’re debuting called “Stories from the Field” with the Cisco Talos Incident Response Team. In each video, one of our team members will discuss one incident they remember working on and what lessons they took away from it, and what other defenders can learn.

On the research side of things, we have new findings out about a variant of the Loda RAT. We recently discovered that this malware family added several anti-detection features and is targeting victims across the Americas. 

And, as always, we have the latest Threat Roundup where we go through the top threats we saw — and blocked — over the past week.

Upcoming public engagements

Event: Cisco Live Australia 
Location: Melbourne Convention & Exhibition Centre, Melbourne, Australia
Date: March 3 - 6
Speakers: Nick Biasini
Synopsis: Cisco Talos specializes in early-warning intelligence and threat analysis necessary for maintaining a secure network. People responsible for defending networks realize that the security threat landscape is constantly in flux as attackers evolve their skills. Talos advances the overall efficacy of all Cisco security platforms by aggregating data, cooperating with teams of security experts, and applying the cutting-edge big data technology to security. In Nick's talk at Cisco Live, he will perform a deep analysis of recent threats and show how Talos leverages large datasets to deliver product improvements and mitigation strategies.

Event: “Everyone's Advanced Now: The evolution of actors on the threat landscape” at Interop Tokyo 2020
Location: Makuhari Messe, Tokyo, Japan
Date: April 13 - 15
Speakers: Nick Biasini
Synopsis: In the past, there were two clear classes of adversary an enterprise would face: sophisticated and basic. These basic threats were commodity infections that would require simple triage and remediation. Today, these commodity infections can quickly turn into enterprise-crippling ransomware attacks, costing organizations millions of dollars to recover. Now more than ever, organizations need every advantage they can get — and threat intelligence is a big part of it. Having visibility into your own environment and attacks around the globe are equally vital to success. This talk will cover these trends and show how the gap between the sophisticated and the basic adversary is quickly disappearing.

Cyber Security Week in Review

  • The U.S. charged four members of the Chinese military for their involvement in the massive Equifax data breach. Federal prosecutors allege the men hacked into Equifax’s systems and stole the personal information of nearly half of all Americans. 
  • Political pundits, security researchers and government officials are still unpacking the Iowa caucus debacle. While a results-reporting app has been largely to blame, there are several factors that went into a heavy delay of the democratic presidential primary results. 
  • One factor that may have been involved is a distributed denial-of-service attack on a phone line used to report election results in Iowa. Members of an online forum started an effort to flood the phone line the day of the election, with Iowa Democratic party officials saying they received "an unusually high volume of inbound phone calls to its caucus hotline." 
  • But the app used in Iowa isn’t the only new technology making an appearance in this year’s election. The discourse in Iowa is leading other states’ officials to take a closer look at their election systems and whether they have paper backups in place. 
  • A cyber group in the Gaza strip may be behind a new string of attacks on Palestinians. Attackers use politically themed documents and emails to lure victims into clicking on malicious links, eventually installing backdoors on their machines. 
  • The xHelper trojan on Android devices can even survive a factory reset of the infected device. Instead, users need to scan for specific files on their device and remove them prior to any resets so that the malware does not come pre-installed. 
  • Google says new initiatives for its Play store helped block more than 1.9 billion malware infections in 2019. The company says that new scanning policies and stepped-up privacy rules have cut back on malicious apps. 
  • A powerful Republican Senator blocked three new election security bills from being introduced to the full chamber. One of the bills would have outlawed voting machines from being connected to the internet, while another two would increase the level of cooperation between the FBI and local voting officials. 
  • Iran says it deflected one of the largest cyber attacks in the country’s history. Researchers found that internet access was restricted to roughly 25 percent of all users in Iran during the attack last week for about an hour. 

Notable recent security issues

Title: 12 critical vulnerabilities fixed in latest Microsoft Patch Tuesday  
Description: Microsoft released its monthly security update today, disclosing vulnerabilities across many of its products and releasing corresponding updates. This month's Patch Tuesday covers 98 vulnerabilities, 12 of which are considered critical and 84 that are considered important. There are also two bugs that were not assigned a severity. This month's patches include updates to the Windows kernel, the Windows scripting engine and Remote Desktop Procol, among other software and features. Microsoft also provided a critical advisory covering updates to Adobe Flash Player. 
Snort SIDs: 48701, 48702, 53050 - 53056, 53061, 53072, 53073, 53079 - 53089 

Title: Adobe releases updates for Reader, Flash Player and more  
Description: Adobe disclosed 42 new vulnerabilities this week as part of its monthly security update, 35 of which are considered critical. These updates include Acrobat Reader, Flash Player and other Adobe products. Most notable are two bugs in Flash Player and Adobe Framemaker that could allow an attacker to execute arbitrary code on the victim machine. 
Snort SIDs: 52331, 52332

Most prevalent malware files this week

SHA 256: 1460fd00cb6addf9806a341fee9c5ab0a793762d1d97dca05fa17467c8705af7 
MD5: 88cbadec77cf90357f46a3629b6737e6
Typical Filename: FlashHelperServices.exe
Claimed Product: Flash Helper Services
Detection Name: PUA.Win.File.2144flashplayer::tpd 

SHA 256: 85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5
MD5: 8c80dd97c37525927c1e549cb59bcbf3
Typical Filename: eternalblue-2.2.0.exe
Claimed Product: N/A
Detection Name: W32.85B936960F.5A5226262.auto.Talos

SHA 256: 97d8ea6cee63296eaf0fa5d97a14898d7cec6fa49fee1bf77c015ca7117a2ba7 
MD5: be52a2a3074a014b163096055df127a0
Typical Filename: xme64-553.exe 
Claimed Product: N/A
Detection Name: Win.Trojan.Coinminer::tpd

SHA 256: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b
MD5: 799b30f47060ca05d80ece53866e01cc
Typical Filename: mf2016341595.exe
Claimed Product: N/A
Detection Name: W32.Generic:Gen.22fz.1201

SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f
MD5: e2ea315d9a83e7577053f52c974f6a5a
Typical Filename: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f
Claimed Product: N/A
Detection Name: W32.AgentWDCR:Gen.21gn.1201

Keep up with all things Talos by following us on TwitterSnortClamAV and Immunet also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.  

No comments:

Post a Comment

Note: Only a member of this blog may post a comment.