Thursday, May 28, 2020

Threat Source newsletter for May 28, 2020

Newsletter compiled by Jon Munshaw.

Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.

We need to start things off by wishing a Happy Birthday to Beers with Talos! The first episode was released on May 12, 2017. To celebrate, we have a new episode out this week and are working on another “In Between” for next week.

Send in your questions on Twitter to @TalosSecurity to have them answered on the show. 

Upcoming public engagements

Event: Cisco Live U.S.
Location: Streaming online
Date: June 2 - 3
Speakers: Craig Williams and Sean Mason
Synopsis: Join the free, virtual Cisco Live U.S. conference. There will be many talks spread across two days. Specific to Talos, Craig Williams of the Outreach team will give an overview of recent threats and provide viewers with an update on Talos’ latest research efforts. Sean Mason, the head of Cisco Talos Incident Response, will also give a separate talk on IR’s advancements over the past year and go over how CTIR can help you prepare for the worst. 

Event: “Everyone's Advanced Now: The evolution of actors on the threat landscape” at Interop Tokyo 2020
Location: Streaming on the conference's website
Date: June 10 - 12
Speakers: Nick Biasini
Synopsis: In the past, there were two clear classes of adversary an enterprise would face: sophisticated and basic. These basic threats were commodity infections that would require simple triage and remediation. Today, these commodity infections can quickly turn into enterprise-crippling ransomware attacks, costing organizations millions of dollars to recover. Now more than ever, organizations need every advantage they can get — and threat intelligence is a big part of it. Having visibility into your own environment and attacks around the globe are equally vital to success. This talk will cover these trends and show how the gap between the sophisticated and the basic adversary is quickly disappearing.

Cyber Security Week in Review

  • New research indicates military personnel can be tracked through their check-ins on the popular beer-rating app Untappd. One example showed a list of users who visited the Pentagon. 
  • German Chancellor Angela Merkel confirmed she was the target of a spying attempt from a Russian actor. A group reportedly stole emails from her office in 2015. 
  • Facial recognition technology is already trying to adapt to the age of coronavirus. Privacy experts believe these pieces of software are using pictures of individuals’ in face coverings to train their algorithms as people across the globe are required to wear them in public. 
  • A group of hackers released a jailbreak for iPhones they say works on every version of iOS since 10. A phone case manufacturer has already purchased advertising inside the jailbreak. 
  • A bill set to renew several surveillance powers for the federal government is in limbo. The U.S. president asked all Republicans in Congress to vote against the bill, citing an unknown political scandal during the Obama era.  
  • Germany and Taiwan have seen the most COVID-19-related spam campaigns of anywhere in the world, according to new research. However, experts indicate that every country is still at risk while more employees are forced to work from home. 
  • Qatar’s COVID-19 contact-tracing app leaked the personal details of more than a million users. The government there is threatening jail time to anyone who does not download the app. 
  • A Chinese tech company says it's taken steps to eliminate one of the largest botnets in the country. The DoubleGuns trojan reportedly infected millions of victims over the past several years. 
  • The infamous Hacking Team IT group is officially dead, according to its founder. Hacking Team was one of the first companies anywhere to develop tools to spy on computers and mobile devices. 
  • A newly discovered vulnerability that affects nearly every version of Android could allow adversaries to disguise malicious apps. Researchers are calling Strandhog 2.0 “nearly undetectable.” 

Notable recent security issues

Title: Threat actors keep updating the EVILNUM malware to carry out various attacks across the financial sector
Description: The EVILNUM malware family is continuously adding anti-detection techniques as its owners target various organizations in the financial sector. The actors use EVILNUM in conjunction with Cardinal RAT to infect systems. In the past, the actors have targeted organizations in Israel, but researchers say there are no clues to where they may strike next. As of earlier this month, only eight anti-virus detection engines on VirusTotal were detecting this malware.
Snort SIDs: 54040 - 54045

Title: Adversaries use SaltStack vulnerabilities to go after data centers
Description: Attackers are using two recently disclosed vulnerabilities in the SaltStack automation software to target data centers. Adversaries quickly reverse-engineered the exploits after SaltStack disclosed the bugs. So far, victims have only been hit with cryptocurrency mining malware, but users are still urged to patch SaltStack, an open-source, Python-based software, as soon as possible.
Snort SIDs: 54030 - 54033

Most prevalent malware files this week

SHA 256: 094d4da0ae3ded8b936428bb7393c77aaedd5efb5957116afd4263bd7edc2188 
MD5: a10a6d9dfc0328a391a3fdb1a9fb18db
Typical Filename: FlashHelperServices.exe
Claimed Product: Flash Helper Service
Detection Name: PUA.Win.Adware.Flashserv::100.sbx.vioc

SHA 256: 85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5
MD5: 8c80dd97c37525927c1e549cb59bcbf3
Typical Filename: eternalblue-2.2.0.exe
Claimed Product: N/A
Detection Name:

SHA 256: 682f1025b4c410ae78b1c5bdc4de7ad315f2eff292c66947c13969930028c98d 
MD5: bd3b9dac9198c57238d236435bf391ca
Typical Filename: nssm.exe 
Claimed Product: NSSM 32-bit
Detection Name:

SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f
MD5: e2ea315d9a83e7577053f52c974f6a5a
Typical Filename: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f.bin
Claimed Product: N/A
Detection Name: Win.Dropper.Agentwdcr::1201 

SHA 256: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b
MD5: 799b30f47060ca05d80ece53866e01cc
Typical Filename: mf2016341595.exe
Claimed Product: N/A 
Detection Name: Win.Downloader.Generic::1201

Keep up with all things Talos by following us on TwitterSnortClamAV and Immunet also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.  

No comments:

Post a Comment

Note: Only a member of this blog may post a comment.