Thursday, June 18, 2020

Threat Source newsletter for June 18, 2020


Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers.

Now that Cisco Live is over, you can access both of Talos’ talks on-demand here if you registered for the online event. 

The latest Beers with Talos episode covers how to push your career in cyber security forward when you feel like you’re stuck in a rut. Surprisingly, the hosts actually had some helpful insights to offer.

We also have our latest quarterly insights from Cisco Talos Incident Response, which recaps the most prevalent malware our responders have seen in the field so far this summer.

Cyber Security Week in Review

  • Many dark web forums have become more popular during the COVID-19 pandemic. Many notorious sites have recently posted new positions for moderators and community managers in recent weeks, specifically citing the pandemic creating more need. 
  • Discord deactivated several servers dedicated to spreading pirated adult movies. A recent report found many pages where users were trading and selling pirated images and videos stolen from their original creators, along with tools for additional scraping. 
  • Amazon Web Services says it fought off the largest ever recorded distributed denial-of-service attack. A newly released report says AWS’ Shield protection service discovered a 2.3 Tbps attack in mid-February this year. 
  • Concerns of a global DDoS attack spread quickly this week as wireless carriers experienced service interruptions. However, it’s believed the issues came from a misconfiguration on the part of T-Mobile. 
  • Many of the largest American tech companies are now pushing for a national law regulating facial recognition technology. The wave of support came after law enforcement agencies used the technology to identified pro-Black Lives Matter protestors and the topic was featured on the popular HBO show “Last Week Tonight.” 
  • Activists in New York City are using a network of traffic cameras to track police violence against protestors. A group is archiving hundreds of gigabytes of data to hold police accountable as they respond to pro-Black Lives Matter marches and demonstrations. 
  • Fake COVID-19-tracing apps are spreading on third-party stores for Android devices that actually spread malware. Once infected, the apps steal the user’s personal information and track their location. 
  • Cisco Talos has identified a resurgence of activity by Tor2Mine, a cryptocurrency mining group that was likely last active in 2018. Tor2Mine is deploying additional malware to harvest credentials and steal more money, including AZORult, an information-stealing malware; the remote access tool Remcos; the DarkVNC backdoor trojan; and a clipboard cryptocurrency stealer. 
  • Beta builds of Google Chrome hint that the web browser may change its settings so that users see less of the full URL of the site they’re visiting. Security experts believe this could make it easier for users to be tricked into visiting malicious pages. 
  • Facebook says it will allow all users to opt-out of seeing political ads leading up to the November general election. The new feature is part of the social network’s broader push to stop the spread of misinformation. 

Notable recent security issues

Title: Indian human rights advocates targeted by NetWire malware
Description: Attackers targeted several human rights activists in India between January and October of 2019 with the NetWire malware, attempting to intercept their communications. Researchers say the victims opened spear-phishing emails, which eventually led to the infection. NetWire can steal users’ audio recordings, steal credentials and log keystrokes. All the targets are advocating for the release of protestors who were jailed after demonstrations in 2018.
Snort SIDs: 54284, 54285

Title: Remote code execution vulnerability in Firefox’s SharedWorkerService function
Description: The Mozilla Firefox web browser contains a vulnerability in its SharedWorkerService function that could allow an attacker to gain the ability to remotely execute code on a target’s machine. This vulnerability can be triggered if the user visits a malicious web page. The attacker can design this page in a way that it would cause a race condition, eventually leading to a use-after-free vulnerability and remote code execution.
Snort SIDs: 53759, 53760

Most prevalent malware files this week

SHA 256: 85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5
MD5: 8c80dd97c37525927c1e549cb59bcbf3
Typical Filename: eternalblue-2.2.0.exe
Claimed Product: N/A
Detection Name: W32.85B936960F.5A5226262.auto.Talos

SHA 256: e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd 
MD5: 8193b63313019b614d5be721c538486b
Typical Filename: SAntivirusService.exe
Claimed Product: SAService
Detection Name: PUA.Win.Dropper.Segurazo::95.sbx.tg

SHA 256: 094d4da0ae3ded8b936428bb7393c77aaedd5efb5957116afd4263bd7edc2188
MD5: a10a6d9dfc0328a391a3fdb1a9fb18db 
Typical Filename: FlashHelperServices.exe 
Claimed Product: Flash Helper Service 
Detection Name: PUA.Win.Adware.Flashserv::100.sbx.vioc

SHA 256: 32155b070c7e1b9d6bdc021778c5129edfb9cf7e330b8f07bb140dedb5c9aae7
MD5: 73d1de319c7d61e0333471c82f2fc104
Typical Filename: SAntivirusService.exe
Claimed Product: A n t i v i r u s S e r v i c e 
Detection Name: Win.Dropper.Zudochka::in03.talos  

SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f
MD5: e2ea315d9a83e7577053f52c974f6a5a
Typical Filename: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f.bin
Claimed Product: N/A
Detection Name: Win.Dropper.Agentwdcr::1201

Keep up with all things Talos by following us on TwitterSnortClamAV and Immunet also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.  

No comments:

Post a Comment