Thursday, April 9, 2020

Threat Source newsletter for April 9, 2020


Newsletter compiled by Jon Munshaw.

Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.

Nearly all devices have some sort of fingerprint scanner now, used to log users in. But these scanners prevent their own unique attack vector. Two of our researchers discovered that they could trick many devices into unlocking with a replicated fingerprint from a 3-D printer or resin model. For the average user, this may not be a big deal, but it does have consequences for more high-profile targets.

As weeks of working from home turn to months, the Beers with Talos crew is still talking about security while working remotely. And this episode, a new guest talks about what it’s like to be an extremely extroverted person during the work-from-home times.

And, as always, we have the latest Threat Roundup where we go through the top threats we saw — and blocked — over the past week.

Upcoming public engagements

Event: “Hiding in Plain Sight: Analyzing recent evolutions in malware loaders” at Hack in the Box Security Conference Lockdown Livestream
Location: Streaming live on YouTube
Date: April 25 - 26
Speakers: Holger Unterbrink and Edmund Brumaghin
Synopsis: Over the past year, Talos observed a significant increase in the volume and variety of malware loaders being distributed worldwide. Rather than leveraging malvertising and extensive TDS infrastructure, adversaries are now distributing loaders and creating new botnets that can be monetized to perform the spread of malware payloads for criminals seeking to deploy RATs, stealers and banking trojans. This new generation of malware loaders features increased obfuscation, modularization, and maximum flexibility for the operators of these botnets. This talk will describe this recent shift in malware distribution, how these loaders are being leveraged, and how obfuscation and multi-stage delivery is being used to maximize efficiency and evade detection. We will also cover techniques for hunting these loaders in a corporate environment and ways to more easily analyze them.

Event: “Everyone's Advanced Now: The evolution of actors on the threat landscape” at Interop Tokyo 2020
Location: Makuhari Messe, Tokyo, Japan
Date: June 10 - 12
Speakers: Nick Biasini
Synopsis: In the past, there were two clear classes of adversary an enterprise would face: sophisticated and basic. These basic threats were commodity infections that would require simple triage and remediation. Today, these commodity infections can quickly turn into enterprise-crippling ransomware attacks, costing organizations millions of dollars to recover. Now more than ever, organizations need every advantage they can get — and threat intelligence is a big part of it. Having visibility into your own environment and attacks around the globe are equally vital to success. This talk will cover these trends and show how the gap between the sophisticated and the basic adversary is quickly disappearing.

Cyber Security Week in Review


  • A Zoom shareholder is suing the video-chatting service for allegedly failing to properly disclose its security features and not telling users that their calls are not end-to-end encrypted. Zoom has climbed in popularity as social distancing measures took hold across the globe.
  • Meanwhile, Google banned the use of Zoom by its employees, citing security concerns. Google sent an email to employees saying the app would be deactivated on company-owned devices over "security vulnerabilities."
  • Microsoft recently purchased the controversial domain corp[.]com, keeping it out of the hands of malicious actors. Previous research indicated that whoever owned the domain potentially had access to sensitive data from hundreds of thousands of users across the internet, including many Microsoft services.
  • A new family of malware themed around COVID-19 can completely wipe a victim's machine. Researchers have also discovered it rewriting MBR. 
  • More people than ever are accessing the internet every day and for longer periods of time as social distancing measures and work from home policies take hold across the globe. This changes the threat landscape, as users are using their mobile devices less often and instead spending more time on streaming services like Netflix and YouTube.
  • A new report indicates cyber attacks are up 37 percent over the past four weeks as more attackers attempt to capitalize on the COVID-19 pandemic. As with other major events and yearly milestones, many campaigns try to lure victims in with promises of new information or services related to recent news headlines.
  • More states are weighing the option of switching to mobile voting for their elections this year as the COVID crisis continues on. However, many states have already shot the idea down, citing security concerns.
  • Small business owners who are applying for economic relief through the U.S. Small Business Administration may have had their personal information exposed. The agency already contacted the individuals who were affected and offered one year free of credit monitoring.
  • Google is rolling back its plan to enforce new cookie rules in its Chrome browser. The company said some government and health care sites do not have the appropriate amount of time to prepare for the new "SameSite" cookies features as they focus on the COVID-19 pandemic.
  • The new dark_nexus botnet may be the most effective internet-of-things threats we've seen. The malware has the ability to disguise malicious traffic as legitimate, maintain persistence and infect devices such as home routers, home security cameras and other IoT devices.

Notable recent security issues

Title: Mozilla releases fixes for two use-after-free vulnerabilities in Firefox
Description: Mozilla released patches for two use-after-free vulnerabilities in its Firefox web browser. The company said it saw attackers actively exploiting bugs in the wild, which caused them to release the emergency updates. In both cases, a race condition in the browser can cause a use-after-free condition, though Mozilla has not provided information on how, exactly, these vulnerabilities were used in attacks.
Snort SIDs: 53580, 53581

Title: AZORult brings friends to the party
Description: Cisco Talos recently discovered a complex campaign with several different executable payloads, all focused on providing financial benefits for the attacker in a slightly different way. The first payload is a Monero cryptocurrency miner based on XMRigCC, and the second is a trojan that monitors the clipboard and replaces its content. There's also a variant of the infamous AZORult information-stealing malware, a variant of Remcos remote access tool and, finally, the DarkVNC backdoor trojan.
Coverage: Malware AZORult Registry in OSQuery

Most prevalent malware files this week

SHA 256: 3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3
MD5: 47b97de62ae8b2b927542aa5d7f3c858
Typical Filename: qmreportupload.exe
Claimed Product: qmreportupload
Detection Name: Win.Trojan.Generic::in10.talos

SHA 256: a545df34334b39522b9cc8cc0c11a1591e016539b209ca1d4ab8626d70a54776
MD5: 5d34464531ddbdc7b0a4dba5b4c1cfea
Typical Filename: FlashHelperServices.exe
Claimed Product: Flash Helper Service
Detection Name: PUA.Win.Adware.Flashserv::in03.talos

SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f
MD5: e2ea315d9a83e7577053f52c974f6a5a
Typical Filename: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f.bin
Claimed Product: N/A
Detection Name: W32.AgentWDCR:Gen.21gn.1201

SHA 256: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b 
MD5: 799b30f47060ca05d80ece53866e01cc
Typical Filename: f2016341595.exe
Claimed Product: N/A
Detection Name: W32.Generic:Gen.22fz.1201

SHA 256: 85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5
MD5: 8c80dd97c37525927c1e549cb59bcbf3
Typical Filename: eternalblue-2.2.0.exe
Claimed Product: N/A
Detection Name: W32.85B936960F.5A5226262.auto.Talos

Keep up with all things Talos by following us on TwitterSnortClamAV and Immunet also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.  

No comments:

Post a Comment

Note: Only a member of this blog may post a comment.