Thursday, February 20, 2020

Threat Source newsletter (Feb. 20, 2020)

Newsletter compiled by Jon Munshaw.

Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.

We’ve got more ways than ever for you to get Talos content. We continue to grow our YouTube page with the second entry in the “Stories from the Field” series, this time with Matt Aubert discussing when to get lawyers involved in an incident.

Our podcast family also continues to grow, with new episodes this week of Talos Takes and Beers with Talos.

On the old-fashioned write-up end of things, we have the latest on our research into adversaries’ use of living-off-the-land binaries (also known as “LoLBins”). Recently, we’ve seen a wave of attacks utilizing the Microsoft Build Engine to conduct post-infection activities.

And, as always, we have the latest Threat Roundup where we go through the top threats we saw — and blocked — over the past week. 

Upcoming public engagements

Event: Cisco Live Australia 
Location: Melbourne Convention & Exhibition Centre, Melbourne, Australia
Date: March 3 - 6
Speakers: Nick Biasini
Synopsis: Cisco Talos specializes in early-warning intelligence and threat analysis necessary for maintaining a secure network. People responsible for defending networks realize that the security threat landscape is constantly in flux as attackers evolve their skills. Talos advances the overall efficacy of all Cisco security platforms by aggregating data, cooperating with teams of security experts, and applying the cutting-edge big data technology to security. In Nick's talk at Cisco Live, he will perform a deep analysis of recent threats and show how Talos leverages large datasets to deliver product improvements and mitigation strategies.

Event: “Everyone's Advanced Now: The evolution of actors on the threat landscape” at Interop Tokyo 2020
Location: Makuhari Messe, Tokyo, Japan
Date: April 13 - 15
Speakers: Nick Biasini
Synopsis: In the past, there were two clear classes of adversary an enterprise would face: sophisticated and basic. These basic threats were commodity infections that would require simple triage and remediation. Today, these commodity infections can quickly turn into enterprise-crippling ransomware attacks, costing organizations millions of dollars to recover. Now more than ever, organizations need every advantage they can get — and threat intelligence is a big part of it. Having visibility into your own environment and attacks around the globe are equally vital to success. This talk will cover these trends and show how the gap between the sophisticated and the basic adversary is quickly disappearing.

Cyber Security Week in Review

  • Several American law enforcement and cyber agencies teamed up to detail a massive campaign by North Korean state-sponsored actors. In all, the entities tracked six different malware samples, linking them to the infamous Lazarus Group. 
  • A new report from the Cyber Threat Alliance warns that state-sponsored actors from North Korea, Russia and China could all pose threats to the 2020 Olympics in Japan. Potential attacks include disinformation campaigns and the disruption of key services tied to the games. 
  • The U.S. continues to trade barbs with Chinese tech company Huawei. American leaders even went as far as to warn other countries they may end information-sharing agreements if they use Huawei’s 5G technology. 
  • A vulnerability in a popular WordPress plugin leaves more than 200,000 sites open to be totally wiped. Remote attackers could send specially crafted to these sites and trigger a wiping function in the plugin. 
  • Amazon’s Ring smart doorbell and camera system made two-factor authentication required for all users. The settings change came after months of negative stories in the press regarding hacks of the devices and Amazon’s information-sharing with Facebook and law enforcement agencies. 
  • UCLA canceled its plans to install a new facial recognition system after pushback from students. The college planned to integrate the technology with its campus’ security system. 
  • Government leaders from the U.S. and England jointly blamed Russia for a cyber attack on the country of Georgia in October. State-run and private websites were taken down in the attack, including one belonging to the Georgian prime minister. 
  • An American natural gas pipeline had to be shut down for two days after a ransomware attack. The U.S. Department of Homeland Security has yet to disclose the exact strain of ransomware and the location of the pipeline. 

Notable recent security issues

Title: Snake/Ekans malware adds new functionality to go after ICS
Description: The Snake ransomware (otherwise known as “Ekans”) has added new capabilities aimed at going after industrial industries. Ekans first emerged in December, but now has a relationship with the MEGACORTEX ransomware that could allow it to spread quickly on ICS systems and even force some services to revert to manual operations. The malware’s code now includes direct references to HMI processes and historian clients that are commonly linked to ICS.
Snort SIDs: 53106, 53107

Title: Carrotbat malware, Syscon backdoor team up to target federal government
Description: An American federal agency was targeted in late January with a series of phishing emails utilizing a variant of the Carrotbat malware and the Syscon backdoor. Attackers used six unique email attachments in the campaign, all relating to the ongoing strained relationship between the U.S. and North Korea. Security researchers say these attackers are still active, despite the majority of their activity taking place over the summer.
Snort SIDs: 53129 – 53145

Most prevalent malware files this week

SHA 256: 1460fd00cb6addf9806a341fee9c5ab0a793762d1d97dca05fa17467c8705af7 
MD5: 88cbadec77cf90357f46a3629b6737e6
Typical Filename: FlashHelperServices.exe
Claimed Product: Flash Helper Services
Detection Name: PUA.Win.File.2144flashplayer::tpd 

SHA 256: 85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5
MD5: 8c80dd97c37525927c1e549cb59bcbf3
Typical Filename: eternalblue-2.2.0.exe
Claimed Product: N/A
Detection Name:

SHA 256: 97d8ea6cee63296eaf0fa5d97a14898d7cec6fa49fee1bf77c015ca7117a2ba7 
MD5: be52a2a3074a014b163096055df127a0
Typical Filename: xme64-553.exe 
Claimed Product: N/A
Detection Name: Win.Trojan.Coinminer::tpd

SHA 256: 9e9d85d9e29d6a39f58f4db3617526b92a5200225d41d0ab679a90c0167321b4 
MD5: d45699f36a79b9d4ef91f5db1980d27b 
Typical Filename: profile-6.exe
Claimed Product:  N/A
Detection Name: Win.Dropper.Zbot::222561.in02

SHA 256: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b
MD5: 799b30f47060ca05d80ece53866e01cc
Typical Filename: mf2016341595.exe
Claimed Product: N/A
Detection Name: W32.Generic:Gen.22fz.1201

Keep up with all things Talos by following us on TwitterSnortClamAV and Immunet also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.  

No comments:

Post a Comment

Note: Only a member of this blog may post a comment.