Good afternoon, Talos readers.
Now that Cisco Live is over, you can access both of Talos’ talks on-demand here if you registered for the online event.
The latest Beers with Talos episode covers how to push your career in cyber security forward when you feel like you’re stuck in a rut. Surprisingly, the hosts actually had some helpful insights to offer.
We also have our latest quarterly insights from Cisco Talos Incident Response, which recaps the most prevalent malware our responders have seen in the field so far this summer.
Cyber Security Week in Review
- Many dark web forums have become more popular during the COVID-19 pandemic. Many notorious sites have recently posted new positions for moderators and community managers in recent weeks, specifically citing the pandemic creating more need.
- Discord deactivated several servers dedicated to spreading pirated adult movies. A recent report found many pages where users were trading and selling pirated images and videos stolen from their original creators, along with tools for additional scraping.
- Amazon Web Services says it fought off the largest ever recorded distributed denial-of-service attack. A newly released report says AWS’ Shield protection service discovered a 2.3 Tbps attack in mid-February this year.
- Concerns of a global DDoS attack spread quickly this week as wireless carriers experienced service interruptions. However, it’s believed the issues came from a misconfiguration on the part of T-Mobile.
- Many of the largest American tech companies are now pushing for a national law regulating facial recognition technology. The wave of support came after law enforcement agencies used the technology to identified pro-Black Lives Matter protestors and the topic was featured on the popular HBO show “Last Week Tonight.”
- Activists in New York City are using a network of traffic cameras to track police violence against protestors. A group is archiving hundreds of gigabytes of data to hold police accountable as they respond to pro-Black Lives Matter marches and demonstrations.
- Fake COVID-19-tracing apps are spreading on third-party stores for Android devices that actually spread malware. Once infected, the apps steal the user’s personal information and track their location.
- Cisco Talos has identified a resurgence of activity by Tor2Mine, a cryptocurrency mining group that was likely last active in 2018. Tor2Mine is deploying additional malware to harvest credentials and steal more money, including AZORult, an information-stealing malware; the remote access tool Remcos; the DarkVNC backdoor trojan; and a clipboard cryptocurrency stealer.
- Beta builds of Google Chrome hint that the web browser may change its settings so that users see less of the full URL of the site they’re visiting. Security experts believe this could make it easier for users to be tricked into visiting malicious pages.
- Facebook says it will allow all users to opt-out of seeing political ads leading up to the November general election. The new feature is part of the social network’s broader push to stop the spread of misinformation.
Notable recent security issues
Title: Indian human rights advocates targeted by NetWire malware
Description: Attackers targeted several human rights activists in India between January and October of 2019 with the NetWire malware, attempting to intercept their communications. Researchers say the victims opened spear-phishing emails, which eventually led to the infection. NetWire can steal users’ audio recordings, steal credentials and log keystrokes. All the targets are advocating for the release of protestors who were jailed after demonstrations in 2018.
Snort SIDs: 54284, 54285
Title: Remote code execution vulnerability in Firefox’s SharedWorkerService function
Description: The Mozilla Firefox web browser contains a vulnerability in its SharedWorkerService function that could allow an attacker to gain the ability to remotely execute code on a target’s machine. This vulnerability can be triggered if the user visits a malicious web page. The attacker can design this page in a way that it would cause a race condition, eventually leading to a use-after-free vulnerability and remote code execution.
Snort SIDs: 53759, 53760
Most prevalent malware files this week
SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f
MD5: e2ea315d9a83e7577053f52c974f6a5a
Typical Filename: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f.bin
Claimed Product: N/A
Detection Name: Win.Dropper.Agentwdcr::1201
Keep up with all things Talos by following us on Twitter. Snort, ClamAV and Immunet also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.