Thursday, February 27, 2020

Threat Source newsletter (Feb. 27, 2020)


Newsletter compiled by Jon Munshaw.

Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.

We know we’ve kept you waiting for a while, but the new Snort Resources page is finally here. We’ve got new and improved documentation, but our most exciting feature is the new Snort 101 video series. In these short tutorials, you’ll learn everything you need to know about configuring Snort 2 and 3, and even dives a little bit into rule writing. Head over to the Snort blog for more.

If you’re hanging out at RSA, what better way to escape the crowds for a few minutes than slinking off to listen to the new Beers with Talos episode. It’s shorter than usual, but we’ve still got plenty of talk of vulnerability research and software licenses.

And, as always, we have the latest Threat Roundup where we go through the top threats we saw — and blocked — over the past week.

Upcoming public engagements

Event: Cisco Live Australia 
Location: Melbourne Convention & Exhibition Centre, Melbourne, Australia
Date: March 3 - 6
Speakers: Nick Biasini
Synopsis: Cisco Talos specializes in early-warning intelligence and threat analysis necessary for maintaining a secure network. People responsible for defending networks realize that the security threat landscape is constantly in flux as attackers evolve their skills. Talos advances the overall efficacy of all Cisco security platforms by aggregating data, cooperating with teams of security experts, and applying the cutting-edge big data technology to security. In Nick's talk at Cisco Live, he will perform a deep analysis of recent threats and show how Talos leverages large datasets to deliver product improvements and mitigation strategies.

Event: “Everyone's Advanced Now: The evolution of actors on the threat landscape” at Interop Tokyo 2020
Location: Makuhari Messe, Tokyo, Japan
Date: April 13 - 15
Speakers: Nick Biasini
Synopsis: In the past, there were two clear classes of adversary an enterprise would face: sophisticated and basic. These basic threats were commodity infections that would require simple triage and remediation. Today, these commodity infections can quickly turn into enterprise-crippling ransomware attacks, costing organizations millions of dollars to recover. Now more than ever, organizations need every advantage they can get — and threat intelligence is a big part of it. Having visibility into your own environment and attacks around the globe are equally vital to success. This talk will cover these trends and show how the gap between the sophisticated and the basic adversary is quickly disappearing.

Cyber Security Week in Review


  • Cisco announced the new SecureX security platform at the RSA conference earlier this week. The new product aims to simplify the patching process by bringing multiple products under one interface. 
  • The actors behind the DoppelPaymer ransomware launched a new site that they say will be used to post the information of victims who do not pay the requested extortion payment. There are already vague references to four different victims along with the information the actors stole. 
  • Verizon became the latest company to pull out of the RSA conference right before the conference was slated to begin earlier this week. Several security vendors have cited concerns over travel and coronavirus fears.  
  • Several security experts at RSA urged American election officials to switch to paper ballots for voting. Members of a panel suggested that technology be used as a check to audit voting results rather than the first line of defense.  
  • More than 120 million employees and customers of French sporting goods company Decathlon had their information leaked. An unsecured server contained information including email addresses and employee contracts. 
  • An attacker stole the information of more than 200,000 people connected to the Defense Information Systems Agency. The agency is responsible for overseeing communications between the White House and other defense agencies.  
  • Huawei says it is still open to licensing its 5G technology to an American company. Huawei, a large Chinese tech company, is still locked in a battle with the American government over cyber security concerns. 
  • Google released a patch for its Chrome web browser that fixes a type confusion vulnerability in its V8 engine that was being used in the wild. This is the third zero-day discovered in Chrome in the past year. 
  • The U.S. Department of Justice is hoping to pass legislation to force tech companies to help them decrypt users’ devices if they are involved in a criminal case. Companies like Apple have rebuked multiple asks from the U.S. Attorney General’s office to unlock iPhones in the past. 

Notable recent security issues

Title: ObliqueRAT spreads via malicious documents
Description: Cisco Talos has observed a malware campaign that utilizes malicious Microsoft Office documents (maldocs) to spread a remote access trojan (RAT) we're calling "ObliqueRAT." These maldocs use malicious macros to deliver the second-stage RAT payload. Network-based detection, although important, should be combined with endpoint protections to combat this threat and provide multiple layers of security. According to Talos researchers, ObliqueRAT has connections to the adversaries behind the CrimsonRAT discovered last year.
Snort SIDs: 53152 - 53163

Title: Multiple vulnerabilities in Cisco Data Center Network Manager 
Description: Cisco Data Center Network Manager contains a privilege escalation vulnerability and a cross-site request forgery vulnerability. Cisco disclosed the high-severity vulnerabilities late last week. In the casea of the privilege escalation vulnerability, an attacker could exploit the Network Manager in a way that would allow them to interact with the API with administrator-level privileges. A successful exploit could allow the attacker to interact with the API with administrative privileges.
References: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200219-dcnm-priv-esc

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200219-dcnm-csrf
Snort SIDs: 53171 - 53176

Most prevalent malware files this week

SHA 256: 3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3
MD5: 47b97de62ae8b2b927542aa5d7f3c858
Typical Filename: qmreportupload.exe
Claimed Product: qmreportupload
Detection Name: Win.Trojan.Generic::in10.talos

SHA 256: 85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5
MD5: 8c80dd97c37525927c1e549cb59bcbf3
Typical Filename: eternalblue-2.2.0.exe
Claimed Product: N/A
Detection Name: W32.85B936960F.5A5226262.auto.Talos

SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f 
MD5: e2ea315d9a83e7577053f52c974f6a5a
Typical Filename: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f.bin
Claimed Product: N/A
Detection Name: W32.AgentWDCR:Gen.21gn.1201

SHA 256: 1460fd00cb6addf9806a341fee9c5ab0a793762d1d97dca05fa17467c8705af7 
MD5: 88cbadec77cf90357f46a3629b6737e6
Typical Filename: FlashHelperServices.exe
Claimed Product: Flash Helper Services
Detection Name: PUA.Win.File.2144flashplayer::tpd 

SHA 256: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b
MD5: 799b30f47060ca05d80ece53866e01cc
Typical Filename: mf2016341595.exe
Claimed Product: N/A
Detection Name: W32.Generic:Gen.22fz.1201

Keep up with all things Talos by following us on TwitterSnortClamAV and Immunet also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.  

No comments:

Post a Comment