Thursday, June 25, 2020

Threat Source newsletter for June 25, 2020

Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers.

We recently decided to replace our use of the terms "blacklist" and "whitelist" with "block list" and "allow list.” Even though these terms are commonly in use in the security industry, we will not go along with casually assigning positive connotations to "white" while assigning negative connotations to "black.”

Elsewhere, we have new episodes of Beers with Talos and Talos Takes up. Check them out on our podcasts page or download them on your favorite podcast app.

Upcoming public engagements

Event: “Help! We need an adult! Engaging an external IR team” at DFIR Summit & Training 2020
Location: Streaming online
Date: July 16 - 25 
Speakers: Liz Waddell
Synopsis: Too often, the decision to bring in a third-party forensic team occurs when an incident has reached crisis level. As an Incident Commander for such a team, Liz has seen many people handle this crisis engagement well, and others – not so much. This presentation will prepare you for what happens when you need additional surge support. We will discuss what to expect during the engagement “how to properly scope and set objectives with your firm, how to prep for both remote and onsite forensics, tool deployment, what data/logs may be asked for and establishing command centers.

Cyber Security Week in Review

  • The BlueKai software, which tracks users' web usage to help serve targeted ads, left a server unprotected on the web. While the vulnerability has since been fixed, anyone could have exploited this server to gain access to millions of records. 
  • Adversaries are increasingly requiring users to interact with CAPTCHAs to eventually download their payloads. The goal is to bypass automated detection platforms security researchers use.  
  • The U.S. Internal Revenue Service used cell phone location data to try and track down criminal suspects. Investigators paid for access to a commercial database that stored millions of Americans’ mobile device locations.  
  • The FBI used Facebook and the online maker space Etsy to track down an arson suspect in the middle of peaceful protests in Minnesota earlier this month. A report later indicated that the FBI was scanning Facebook to look for “potential flashpoints for violence.” 
  • A recent survey from IBM uncovered the many security concerns with more Americans working from home during the COVID-19 pandemic. The company found 52 percent of respondents are using their personal computers to work remotely, and 48 percent have not received new security training from their employers. 
  • More than 1,600 Google employees wrote a letter to their management asking for the company to stop selling its technology to police departments. “Google is profiting off of these racist systems, and we believe this means Google is part of the problem,” the letter reads. 
  • Attackers who steal users’ login credentials to websites are now turning on multi-factor authentication to make it more difficult for the accounts to eventually be recovered. Users are encouraged, as always, to enable multi-factor authentication as soon as possible. 
  • A new collection of records called “BlueLeaks” claims to contain thousands of documents from law enforcement agencies. The hacking group Anonymous claims to be behind the leak, which includes memos and financial records of more than 200 state, local and federal police and law enforcement offices. 
  • China and Australia continue to trade barbs over accusations that state-sponsored Chinese actors were behind a cyber attack on Australian parliament. The U.S. also supported these claims, denouncing China’s actions.  

Notable recent security issues

Title: IndigoDrop spreads via military-themed lures to deliver Cobalt Strike 
Description: Cisco Talos has observed a malware campaign that utilizes military-themed malicious Microsoft Office documents (maldocs) to spread Cobalt Strike beacons containing full-fledged RAT capabilities. These maldocs use malicious macros to deliver a multistage and highly modular infection. This campaign appears to target military and government organizations in South Asia. Network-based detection, although important, should be combined with endpoint protections to combat this threat and provide multiple layers of security.
Snort SIDs: 54373 - 54376

Title: Qbot reemerges, goes after American banks
Description: The ever-changing Qbot information-stealing malware is back again and going after U.S.-based banks. Researchers say the malware family has a six-hour cycle that is uses to adapt and avoid detection. Attackers are spreading the malware via phishing emails, publicly reported exploits or malicious file shares. Qbot waits quietly on the victim machine until they visit a bank’s website, and then it activates to steal the users’ login credentials.
Snort SIDs: 54384 - 54387 

Most prevalent malware files this week

SHA 256: 85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5
MD5: 8c80dd97c37525927c1e549cb59bcbf3
Typical Filename: eternalblue-2.2.0.exe
Claimed Product: N/A
Detection Name:

SHA 256: 094d4da0ae3ded8b936428bb7393c77aaedd5efb5957116afd4263bd7edc2188 
MD5: a10a6d9dfc0328a391a3fdb1a9fb18db
Typical Filename: FlashHelperServices.exe
Claimed Product: Flash Helper Service
Detection Name: PUA.Win.Adware.Flashserv::100.sbx.vioc

SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f
MD5: e2ea315d9a83e7577053f52c974f6a5a
Typical Filename: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f.bin
Claimed Product: N/A
Detection Name: Win.Dropper.Agentwdcr::1201

SHA 256: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b
MD5: 799b30f47060ca05d80ece53866e01cc
Typical Filename: mf2016341595.exe
Claimed Product: N/A 
Detection Name: Win.Downloader.Generic::1201

SHA 256: 8e03f05ecd08cb78f37ccd92c48cd9d357c438112b85bd154e8261c19e38a56e 
MD5: 60ba2a4b8ea5982a3a671a9e84f9268c
Typical Filename: Diagnostics.txt
Claimed Product: N/A
Detection Name: Win.Dropper.Shadowbrokers::222044.in02

Keep up with all things Talos by following us on TwitterSnortClamAV and Immunet also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.  

No comments:

Post a Comment

Note: Only a member of this blog may post a comment.