Thursday, May 21, 2020

Threat Source newsletter for May 21, 2020


Newsletter compiled by Jon Munshaw.

Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.

Beers with Talos chugs on during quarantine with the latest episode of “The In-Between.” Once again, the hosts talk about everything but security, answering listener questions from Twitter.

The most pressing threat we have this week is WolfRAT, a variant of the DenDroid Android malware. WolfRAT is attempting to exploit users on different messaging apps like Facebook Messenger, WhatsApp and Line — specifically, users in Thailand.

And if you’re really ready to get into security nitty-gritty, we have a deep dive on a vulnerability some Cisco researchers recently discovered that leave cars with on-board computers open to attack.  

Upcoming public engagements

Event: Cisco Live U.S.
Location: Streaming online
Date: June 2 - 3
Speakers: Craig Williams and Sean Mason
Synopsis: Join the free, virtual Cisco Live U.S. conference. There will be many talks spread across two days. Specific to Talos, Craig Williams of the Outreach team will give an overview of recent threats and provide viewers with an update on Talos’ latest research efforts. Sean Mason, the head of Cisco Talos Incident Response, will also give a separate talk on IR’s advancements over the past year and go over how CTIR can help you prepare for the worst. 

Event: “Everyone's Advanced Now: The evolution of actors on the threat landscape” at Interop Tokyo 2020
Location: Streaming on the conference's website
Date: June 10 - 12
Speakers: Nick Biasini
Synopsis: In the past, there were two clear classes of adversary an enterprise would face: sophisticated and basic. These basic threats were commodity infections that would require simple triage and remediation. Today, these commodity infections can quickly turn into enterprise-crippling ransomware attacks, costing organizations millions of dollars to recover. Now more than ever, organizations need every advantage they can get — and threat intelligence is a big part of it. Having visibility into your own environment and attacks around the globe are equally vital to success. This talk will cover these trends and show how the gap between the sophisticated and the basic adversary is quickly disappearing.

Cyber Security Week in Review

  • Hackers used a never-before-seen backdoor to infect several online multiplayer video games. In one case, the adversaries stole in-game virtual currency, and another led to victims being infected with additional malware.
  • A group of malicious actors may be overwhelming states' unemployment websites with fraudulent claims. There have been reports of adversaries brute-forcing these sites with stolen data to attempt to claim unemployment benefits during the COVID-19 pandemic.
  • A Swiss airline recently suffered a data breach, exposing 9 million customers' information. The company says it has no evidence that this information has been used maliciously yet.
  • Ukrainian officials arrested the actor behind a major data leak in 2019. The "Collection#1" data dump disclosed 773 million email addresses. 
  • Several so-called "malware testing services" offer malicious actors quality assurance for their campaigns. These groups attempt to eliminate vulnerabilities that security researchers may use to reverse-engineering the malware or develop detection.
  • A group of U.S. senators are pushing for all calls between all members of Congress to be encrypted. As more lawmakers work and vote remotely, the group is asking for the Senate to develop an encryption plan by June 12.
  • Hundreds of Israeli websites were hit with the same cyber attack this week, with adversaries posting anti-Israel materials. The sites were defaced with videos of many major Israeli cities burning, along with an additional warning. 
  • An existing Android malware has changed its tactics to be themed around COVID-19. Once infected, the malware can steal users' contacts and SMS messages.
  • France is defending its government-developed COVID-tracing app, saying that all the data it keeps will be centralized and protected. Countries across Europe are struggling balancing privacy with tracking the pandemic as private companies and governments develop their own solution.
  • An online cyber security school is gaining traction in the U.K., with free classes encouraging teenagers to enter the field. And interest is expected to rise as summer camps and other in-person activities are being canceled due to the pandemic.

Notable recent security issues

Title: Researchers believe Gh0st RAT played large role in Asian spying campaign
Description: A joint analysis from two security firms found that malicious actors in Asia are using the Gh0st RAT backdoor to conduct espionage campaigns across Asia. The targets allegedly include a government agency, a telecommunications company and a gas company. The RAT allows the adversaries to take screenshots, execute console commands and exfiltrate data to a command and control (C2) server. 
Snort SIDs: 53961, 53962

Title: DenDroid variant goes after Android users in Thailand
Description: Thai Android devices and users are being targeted by a modified version of DenDroid researchers at Cisco Talos are calling "WolfRAT," that is looking to exploit messaging apps like WhatsApp, Facebook Messenger and Line. Talos assesses with high confidence that this modified version is operated by the infamous Wolf Research. This actor has shown a surprising level of amateur actions, including code overlaps, open-source project copy/paste, classes never being instanced, unstable packages and unsecured panels.
Snort SIDs: 54004

Most prevalent malware files this week

SHA 256: 64f3633e009650708c070751bd7c7c28cd127b7a65d4ab4907dbe8ddaa01ec8b 
MD5: 42143a53581e0304b08f61c2ef8032d7
Typical Filename: JPMorganChase Instructions SMG 82749206.pdf
Claimed Product: N/A
Detection Name: Pdf.Phishing.Phishing::malicious.tht.talos 

SHA 256: dddbfa95401a3f2d9999055b976a0b4ae963e128f7f0d5b043efae29e4306c4a
MD5: 3409ff801cb177f6df26cfec8f4528ae
Typical Filename: FlashHelperServices.exe
Claimed Product: Flash Helper Services
Detection Name: PUA.Win.Adware.Flashserv::100.sbx.vioc

SHA 256: 85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5
MD5: 8c80dd97c37525927c1e549cb59bcbf3
Typical Filename: eternalblue-2.2.0.exe
Claimed Product: N/A
Detection Name: W32.85B936960F.5A5226262.auto.Talos

SHA 256: 28c33a9676f04274b2868c1a2c092503a57d38833f0f8b964d55458623b82b6e
MD5: b065af93b5fd551526705b5968d0ca10
Typical Filename: vscekgp.exe
Claimed Product: NTLM Shared Functionality
Detection Name: W32.28C33A9676-100.SBX.TG

SHA 256: a545df34334b39522b9cc8cc0c11a1591e016539b209ca1d4ab8626d70a54776
MD5: 5d34464531ddbdc7b0a4dba5b4c1cfea
Typical Filename: FlashHelperServices.exe
Claimed Product: Flash Helper Services
Detection Name: PUA.Win.Adware.Flashserv::in03.talos

Keep up with all things Talos by following us on TwitterSnortClamAV and Immunet also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.  

No comments:

Post a Comment

Note: Only a member of this blog may post a comment.