Thursday, June 11, 2020

Threat Source newsletter for June 11, 2020


Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers.

We are back this week with new content, mainly around Microsoft Patch Tuesday. We have our complete breakdown of all the vulns here, as well as in-depth information on two remote code execution vulnerabilities one of our researchers discovered in Excel. 

We also have new dates for Cisco Live, which will take place on June 15 - 17. You can see the full signup details below, and after the 17th, you can access Talos’ two talks on-demand. 

Upcoming public engagements

Event: “Everyone's Advanced Now: The evolution of actors on the threat landscape” at Interop Tokyo 2020
Location: Streaming on the conference's website
Date: June 10 - 12
Speakers: Nick Biasini
Synopsis: In the past, there were two clear classes of adversary an enterprise would face: sophisticated and basic. These basic threats were commodity infections that would require simple triage and remediation. Today, these commodity infections can quickly turn into enterprise-crippling ransomware attacks, costing organizations millions of dollars to recover. Now more than ever, organizations need every advantage they can get — and threat intelligence is a big part of it. Having visibility into your own environment and attacks around the globe are equally vital to success. This talk will cover these trends and show how the gap between the sophisticated and the basic adversary is quickly disappearing.

Event: Cisco Live U.S.
Location: Streaming online
Date: June 15 - 17
Speakers: Craig Williams and Sean Mason
Synopsis: Join the free, virtual Cisco Live U.S. conference. There will be many talks spread across two days. Specific to Talos, Craig Williams of the Outreach team will give an overview of recent threats and provide viewers with an update on Talos’ latest research efforts. Sean Mason, the head of Cisco Talos Incident Response, will also give a separate talk on IR’s advancements over the past year and go over how CTIR can help you prepare for the worst.

Cyber Security Week in Review

  • Given the recent wave of Black Lives Matter demonstrations and protests across the U.S., foreign actors are likely to try and play off America’s racial divide. Experts say that as the nation edges closer to the November General Election, fake social media accounts will attempt to capitalize on disagreements over the protests. 
  • Human rights groups who have seen an uptick in donations and interest during the demonstrations have also become popular targets of cyber attacks. Specifically, there’s been an increase in attempted distributed denial-of-service attacks against these organizations.  
  • The U.S. Department of Homeland Security issued a warning regarding a newly discovered wormable bug in Windows 10. Microsoft patched the vulnerability as part of this month’s Patch Tuesday. 
  • A ransomware attack took down some of Honda’s international production this week. However, the car maker says no personal information is in jeopardy. 
  • Federal and state law enforcement agencies are investing in new cell phone tracking tech known as “Crossbow.” The device is an improved version of the Stringray, which is used among many local police departments. 
  • Online voting software used in five U.S. states contains inadequate security protections. Researchers from MIT pointed out the flaws in the software, which was recently used in three primary elections. 
  • An Alabama city agreed to pay a quarter-million-dollar ransom payment to a group that infected its systems and encrypted many files. The town’s government seemed to be infected with the DopplePaymer ransomware. 
  • The Defense Advanced Research Projects Agency (DARPA) launched a new bug bounty program this year, asking researchers to look for hardware vulnerabilities. The devices are designed to defend against cyber attacks. 
  • Amazon is putting a one-year hold on police departments being able to use its facial-recognition software. The company says it hopes to give the federal government time to develop new regulations. 
  • A cyber security firm set up a honeypot disguised as fake critical infrastructure systems — and it took a very short amount of time for attackers to swarm to it. 

Notable recent security issues

Title: Remote code execution bugs in Word, SMB disclosed as part of Patch Tuesday
Description: Microsoft released its monthly security update Tuesday, disclosing more than 120 vulnerabilities across its array of products. While none of the vulnerabilities disclosed have been exploited in the wild, users of all Microsoft and Windows products are urged to update their software as soon as possible to avoid possible exploitation. The security updates cover several different products including the VBScript engine, SharePoint file-sharing service and GDI+.
Snort SIDs: 52213 - 52217, 54191 - 54194, 54219, 54220, 54230 - 54240, 54245 - 54250, 54270 and 54271

Title: Cisco patches vulnerabilities in IOS XE, affecting some industrial routers 
Description: Cisco disclosed three critical vulnerabilities in its IOS and IOS XE software and industrial router group. Many of the alerts concern a command injection vulnerability that would allow an adversary to execute arbitrary code on the affected operating system. One of the most severe bugs could allow a remote attacker to obtain an authorization token on the affected system and execute their choice of IOx API commands on the device.
Snort SIDs: 53497 – 53504, 54155, 54159 - 54164

Most prevalent malware files this week

SHA 256: 85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5
MD5: 8c80dd97c37525927c1e549cb59bcbf3
Typical Filename: eternalblue-2.2.0.exe
Claimed Product: N/A
Detection Name: W32.85B936960F.5A5226262.auto.Talos

SHA 256: 094d4da0ae3ded8b936428bb7393c77aaedd5efb5957116afd4263bd7edc2188 
MD5: a10a6d9dfc0328a391a3fdb1a9fb18db
Typical Filename: FlashHelperServices.exe
Claimed Product: Flash Helper Service
Detection Name: PUA.Win.Adware.Flashserv::100.sbx.vioc

SHA 256: 8bf5d91950033ef6f40ffbd2340d8b0add0ffdcbbb4cfd309218d6d0810d85be
MD5: 4709a871ba0c0a3598eb78dadfe90aec
Typical Filename: tapout.exe
Claimed Product: N/A
Detection Name: Win.Dropper.Zudochka::in03.talos

SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f
MD5: e2ea315d9a83e7577053f52c974f6a5a
Typical Filename: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f.bin
Claimed Product: N/A
Detection Name: Win.Dropper.Agentwdcr::1201

SHA 256: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b
MD5: 799b30f47060ca05d80ece53866e01cc
Typical Filename: mf2016341595.exe
Claimed Product: N/A 
Detection Name: Win.Downloader.Generic::1201

Keep up with all things Talos by following us on TwitterSnortClamAV and Immunet also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.  

No comments:

Post a Comment