Thursday, April 2, 2020

Threat Source newsletter (April 2, 2020)


Newsletter compiled by Jon Munshaw.

Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.

As long as COVID-19 is in the headlines (which is going to be a long time) actors are going to try and capitalize. We fully expect to see a rise in spam that’s now related to the economic assistance package passed by the U.S. government.

In non-virus-related news, we also have a new overview of the Trickbot banking trojan. This family has been around for a while, but we’ve recently seen a spike in distribution related to the aforementioned COVID-19 campaigns. What does Trickbot look like? And what are some best practices to defend against it? We run through all that here.

And, as always, we have the latest Threat Roundup where we go through the top threats we saw — and blocked — over the past week.

Upcoming public engagements

Event: “Everyone's Advanced Now: The evolution of actors on the threat landscape” at Interop Tokyo 2020
Location: Makuhari Messe, Tokyo, Japan
Date: June 10 - 12
Speakers: Nick Biasini
Synopsis: In the past, there were two clear classes of adversary an enterprise would face: sophisticated and basic. These basic threats were commodity infections that would require simple triage and remediation. Today, these commodity infections can quickly turn into enterprise-crippling ransomware attacks, costing organizations millions of dollars to recover. Now more than ever, organizations need every advantage they can get — and threat intelligence is a big part of it. Having visibility into your own environment and attacks around the globe are equally vital to success. This talk will cover these trends and show how the gap between the sophisticated and the basic adversary is quickly disappearing.

Cyber Security Week in Review

  • U.S. Congressional leaders are pushing for more states to go to a vote-by-mail system during the ongoing COVID-19 pandemic. Some states and local governments may even dip into cyber security grant funds to establish these services.
  • Major tech companies have been gearing up to defend the upcoming General Election in the U.S. But over the past four years, as defenders have been on the lookout for misinformation campaigns, attackers have been changing just as quickly.
  • A new phishing campaign attempts to lure victims in by lying to them that they’ve been exposed to COVID-19. The emails contain a document that asks the user to enable macros, and if they do, the macros will download malware.
  • Cyber security incidents are up across the board. Representatives with the World Health Organization and the U.S. Department of Health and Human Services say hospitals, non-governmental organizations and testing labs have all been targeted with various attacks.
  • So-called “Zoombombers” are taking advantage of the rising popularity of video conferencing app Zoom. These attacks see malicious users hop onto random calls, then share their screen or microphone to shout racial slurs and display other harmful and inappropriate content.
  • Meanwhile, Zoom says it will put a 90-day freeze on developing new features so that it can focus solely on fixing security bugs. The service has gone up from 10 million users in December to 200 million currently.
  • Forty-two million users of a third-party version of the popular Telegram messaging app had their information exposed. Security researchers discovered an unprotected server containing phone numbers and Telegram usernames.
  • Several popular online gambling sites went down for several days this week after a cyber attack on the SBTech platform. The cyber intrusion came just as SBTech was preparing to merge with popular Daily Fantasy Sports site DraftKings.
  • Several tech companies around the globe are developing apps that would help track the spread of COVID-19. However, many of them present security and privacy risks
  • More than 4,000 apps on the Google Play store silently track a list of all the apps a user has installed on their device. A new report states these companies then turn around and build a profile for the user to sell to advertisers.  

Notable recent security issues

Title: Zyxel devices exploited by critical vulnerability, now patched
Description: A variant of the Mirai botnet, known as Mukashi, targeted vulnerable Zyxel network-attached storage devices. CVE-2020-9054 was assigned a critical rating of 9.8 out of 10 and has since been patched. Attackers can exploit this vulnerability to compromise a device and then launch additional distributed denial-of-service attacks and attach the malware to specific TCP ports.
Snort SIDs: 53495, 53496, 53507 – 53510

Title: Ransomware families launch new sites to publish stolen data
Description: Attackers behind several different ransomware families are creating websites where they say they will publish information stolen in attacks if the victims do not pay the requested extortion payment. Malware like Sodinokibi, Nemty and DoppelPaymer are following the lead of the actors behind the Maze ransomware, who launched a similar site in early March. Cisco Talos released new Snort rules this week to prevent the Sodinokibi ransomware from being downloaded onto targeted machines.
Snort SIDs: 53511, 53512

Most prevalent malware files this week

SHA 256: a545df34334b39522b9cc8cc0c11a1591e016539b209ca1d4ab8626d70a54776
MD5: 5d34464531ddbdc7b0a4dba5b4c1cfea
Typical Filename: FlashHelperServices.exe
Claimed Product: Flash Helper Service
Detection Name: PUA.Win.Adware.Flashserv::in03.talos

SHA 256: 8e0aea169927ae791dbafe063a567485d33154198cd539ee7efcd81a734ea325
MD5: 5fb477098fc975fd1b314c8fb0e4ec06
Typical Filename: upxarch.exe
Claimed Product: N/A 
Detection Name: Win.Dropper.Ranumbot::in07.talos

SHA 256: 
c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f
MD5: e2ea315d9a83e7577053f52c974f6a5a
Typical Filename: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f.bin
Claimed Product: N/A
Detection Name: W32.AgentWDCR:Gen.21gn.1201

SHA 256: 85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5
MD5: 8c80dd97c37525927c1e549cb59bcbf3
Typical Filename: eternalblue-2.2.0.exe
Claimed Product: N/A
Detection Name: W32.85B936960F.5A5226262.auto.Talos

SHA 256: 64f3633e009650708c070751bd7c7c28cd127b7a65d4ab4907dbe8
MD5: 42143a53581e0304b08f61c2ef8032d7
Typical Filename: myfile.exe
Claimed Product: N/A 
Detection Name: Pdf.Phishing.Phishing::malicious.tht.talos

Keep up with all things Talos by following us on TwitterSnortClamAV and Immunet also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.  

No comments:

Post a Comment