Thursday, April 23, 2020

Threat Source newsletter for April 23, 2020


Newsletter compiled by Jon Munshaw.

Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.

There’s a new Beers with Talos podcast out now. And guess what? They actually talk about security this time! The guys are looking for listener questions to answer on the next episode. If you have something you want to ask, just @ us on Twitter. 

Everyone is using some type of video chatting software at this point as we all work from home and look for new ways to communicate with one another. Zoom is one of the most popular options right now, but it hasn’t been without its security hiccups. To that end, we released details of a vulnerability in Zoom that could allow an adversary to silently acquire the emails of everyone in an organization who uses Zoom. For example, they could pull all emails with @cisco.com in the email address.

And, as always, we have the latest Threat Roundup where we go through the top threats we saw — and blocked — over the past week.

Upcoming public engagements

Event: “Hiding in Plain Sight: Analyzing recent evolutions in malware loaders” at Hack in the Box Security Conference Lockdown Livestream
Location: Streaming live on YouTube
Date: April 25 - 26
Speakers: Holger Unterbrink and Edmund Brumaghin
Synopsis: Over the past year, Talos observed a significant increase in the volume and variety of malware loaders being distributed worldwide. Rather than leveraging malvertising and extensive TDS infrastructure, adversaries are now distributing loaders and creating new botnets that can be monetized to perform the spread of malware payloads for criminals seeking to deploy RATs, stealers and banking trojans. This new generation of malware loaders features increased obfuscation, modularization, and maximum flexibility for the operators of these botnets. This talk will describe this recent shift in malware distribution, how these loaders are being leveraged, and how obfuscation and multi-stage delivery is being used to maximize efficiency and evade detection. We will also cover techniques for hunting these loaders in a corporate environment and ways to more easily analyze them.

Event: “Everyone's Advanced Now: The evolution of actors on the threat landscape” at Interop Tokyo 2020
Location: Makuhari Messe, Tokyo, Japan
Date: June 10 - 12
Speakers: Nick Biasini
Synopsis: In the past, there were two clear classes of adversary an enterprise would face: sophisticated and basic. These basic threats were commodity infections that would require simple triage and remediation. Today, these commodity infections can quickly turn into enterprise-crippling ransomware attacks, costing organizations millions of dollars to recover. Now more than ever, organizations need every advantage they can get — and threat intelligence is a big part of it. Having visibility into your own environment and attacks around the globe are equally vital to success. This talk will cover these trends and show how the gap between the sophisticated and the basic adversary is quickly disappearing.

Cyber Security Week in Review

  • Zoom released a series of security updates in its 5.0 release, including changing up its encryption methods. The video conferencing service also added new features that will make it easier for users to prevent "Zoombombing" attacks.
  • A new report from Google says state-sponsored cyber actors are looking to capitalize on coronavirus panic. The company says its seen at least 12 government-backed groups using COVID-19-themed malware and lure documents since February.
  • A Chinese state-sponsored threat actor targeted health care organizations, military branches and oil production facilities earlier this year. A new report states that the infamous APT41 carried out several different attacks in January, as China was working to combat the spread of COVID-19.
  • Apple is reportedly preparing to roll out 5G compatibility in its next iPhone. What is expected to be the iPhone 12 could release in September, though the COVID-19 pandemic could cause a delay due to supply chain and labor disruptions.
  • Apple fixed a longstanding vulnerability in its default Mail app for iPhones and iPads that could allow an adversary to steal victim's information. An attacker could send the victim a specially crafted email, which would overrun the device's memory and allow them to run malicious code.
  • Government cyber agencies in the U.S. and Australia released a joint warning this week, pointing out common vulnerabilities attackers use to install web shells. Attackers usually hide web shells' code inside other applications, allowing them to avoid detection.
  • IT services company Cognizant says it was recently hit with the Maze ransomware. The company says its caused some disruption and service to its customers but did not disclose how widespread the outage was.
  • A new phishing attack attempts to steal users' login credentials to the Skype video calling app. The malicious emails are disguised to look very similar to legitimate emails from Skype that ask users to review notifications on their account.
  • The health care system in Boston provides a window into what hospitals around the globe are dealing with during the coronavirus pandemic. While attackers attempt to capitalize COVID-19, hospitals simply do not have the time or resources to update their security systems in an efficient manner.

Notable recent security issues

Title: New RAT capitalizes on COVID-19 headlines
Description: A new remote access trojan known as “PoetRAT” uses coronavirus-themed documents and emails to lure victims in. This was a previously undiscovered RAT. It uses two components to avoid detection by a single component. The dropper uses an old trick in a new way: It appends the RAT to a Word document. Upon opening the document, a macro is executed that will extract the malware and execute it. The operation seems to be manual, but it's streamlined to deploy additional tools as needed and to avoid unnecessary steps.
Snort SIDs: 53689 - 53691

Title: Cisco discloses 17 critical vulnerabilities in UCS software
Description: Cisco patched 17 critical vulnerabilities last week in its Unified Computing system. The software allows users to build private cloud systems and optimize data-center resources. If successful, and adversary could use these flaws to remotely access systems or cause denial-of-service conditions. The majority of the exploits lie in UCS’ REST API.
Snort SIDs: 53667 – 53683

Most prevalent malware files this week

SHA 256: a545df34334b39522b9cc8cc0c11a1591e016539b209ca1d4ab8626d70a54776
MD5: 5d34464531ddbdc7b0a4dba5b4c1cfea
Typical Filename: FlashHelperServices.exe
Claimed Product: Flash Helper Service
Detection Name: PUA.Win.Adware.Flashserv::in03.talos

SHA 256: fb022bbec694d9b38e8a0e80dd0bfdfe0a462ac0d180965d314651a7bc0614f4 
MD5: c6dc7326766f3769575caa3ccab71f63 
Typical Filename: wupxarch.exe
Claimed Product: N/A 
Detection Name: Win.Dropper.Ranumbot::in03.talos

SHA 256: 9cc2b845bdee4774e45143e00dc82c673bf940c764b687c976f8d27d9f48b704 
MD5: 4202e589899ec68bc2d4fa6fb1218e2f
Typical Filename: app171.exe 
Claimed Product: N/A
Detection Name: Win.Dropper.Ranumbot::sbmt.talos

SHA 256: 85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5
MD5: 8c80dd97c37525927c1e549cb59bcbf3
Typical Filename: eternalblue-2.2.0.exe
Claimed Product: N/A
Detection Name: W32.85B936960F.5A5226262.auto.Talos

SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f 
MD5: e2ea315d9a83e7577053f52c974f6a5a
Typical Filename: Tempmf582901854.exe
Claimed Product: N/A
Detection Name: W32.AgentWDCR:Gen.21gn.1201

Keep up with all things Talos by following us on TwitterSnortClamAV and Immunet also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.  

No comments:

Post a Comment