Thursday, June 4, 2020

Threat Source newsletter for June 4, 2020

Newsletter compiled by Jon Munshaw.

Our social media content and promotion are on pause this week as there are more important issues being discussed and other voices that need to be heard. However, we still wanted to provide users with the latest IOCs and threats we’re seeing. 

Upcoming public engagements

Event: “Everyone's Advanced Now: The evolution of actors on the threat landscape” at Interop Tokyo 2020
Location: Streaming on the conference's website
Date: June 10 - 12
Speakers: Nick Biasini
Synopsis: In the past, there were two clear classes of adversary an enterprise would face: sophisticated and basic. These basic threats were commodity infections that would require simple triage and remediation. Today, these commodity infections can quickly turn into enterprise-crippling ransomware attacks, costing organizations millions of dollars to recover. Now more than ever, organizations need every advantage they can get — and threat intelligence is a big part of it. Having visibility into your own environment and attacks around the globe are equally vital to success. This talk will cover these trends and show how the gap between the sophisticated and the basic adversary is quickly disappearing.

Event: Cisco Live U.S.
Location: Streaming online
Date: June 15 - 17
Speakers: Craig Williams and Sean Mason
Synopsis: Join the free, virtual Cisco Live U.S. conference. There will be many talks spread across two days. Specific to Talos, Craig Williams of the Outreach team will give an overview of recent threats and provide viewers with an update on Talos’ latest research efforts. Sean Mason, the head of Cisco Talos Incident Response, will also give a separate talk on IR’s advancements over the past year and go over how CTIR can help you prepare for the worst.

Cyber Security Week in Review

  • Hackers targeted the city of Minneapolis’ government over the weekend in response to the death of George Floyd in police custody. Twitter accounts claiming to be related to the Anonymous hacking group were quick to take credit. 
  • Some groups even leaked the email addresses of many police officers in the Minneapolis department. But there’s reason to doubt the attribution to Anonymous
  • Some far-right groups have also used cyber attacks to try and silence Black Lives Matter activists. Many community organizations had their websites targeted by denial-of-service attacks as there’s been an increase in charitable giving and education. 
  • Many leaders in cyber security pledged this week to improve diversity in their organizations. Other prominent researchers also promised to help activists using their tech knowledge. 
  • Congress is working on new legislation to regulate COVID-19-tracing apps. Lawmakers have concerns about what data the apps would collect and how that information is stored. 
  • As more workers return to their offices, companies are using tracking apps to monitor employees’ health and location. Many of the apps ask employees to enter any COVID-19 symptoms they may have and alerts them if they’ve been around someone else who’s tested positive.  
  • A new version of the Strandhogg malware could silently steal information off Android devices. The malware only affects version 9 of Android and earlier. 
  • GitHub warned users that a malware strain is spreading through Java projects on the site. At least 26 projects on GitHub have been infected with the so-called “Octopus Scanner.” 
  • Google disclosed dozens of vulnerabilities in the Android operating system. Among the fixes were patches for two remote code execution vulnerabilities that the company considered critical.  
  • Attackers are increasingly using fake resumes to lure victims into downloading trojans and information stealers. The new infection vector comes as more people across the globe are looking for work due to the COVID-19 pandemic.  

Notable recent security issues

Title: Fake certificate expiration notices used to plant Mokes malware 
Description: Attackers are infecting websites and displaying fake notifications that the site’s certificate is expired. The URL bar still displays the legitimate URL, but a fake image is displayed in the entire window stating that “Security Certificate is out of date.” If the user clicks on a button to download the updated certificate, they are infected with the Buerak downloader and Mokes malware. 
Snort SIDs: 54097 - 54106

Title: Variant of ZeuS malware available for sale online
Description: Attackers are selling a new fork of the infamous ZeuS banking trojan. Known as “Silent Night,” security researchers discovered the malware that appears to date back to November. Silent Night is for sale currently on a Russian dark web forum. It fetches the core malicious module and injects it into other running processes, showing very similar techniques and code to ZeuS. 
Snort SIDs: 54093, 54094

Most prevalent malware files this week

SHA 256: 094d4da0ae3ded8b936428bb7393c77aaedd5efb5957116afd4263bd7edc2188 
MD5: a10a6d9dfc0328a391a3fdb1a9fb18db
Typical Filename: FlashHelperServices.exe
Claimed Product: Flash Helper Service
Detection Name: PUA.Win.Adware.Flashserv::100.sbx.vioc

SHA 256: 85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5
MD5: 8c80dd97c37525927c1e549cb59bcbf3
Typical Filename: eternalblue-2.2.0.exe
Claimed Product: N/A
Detection Name:

SHA 256: 3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3
MD5: 47b97de62ae8b2b927542aa5d7f3c858
Typical Filename: qmreportupload.exe
Claimed Product: qmreportupload
Detection Name: Win.Trojan.Generic::in10.talos

SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f
MD5: e2ea315d9a83e7577053f52c974f6a5a
Typical Filename: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f.bin
Claimed Product: N/A
Detection Name: Win.Dropper.Agentwdcr::1201

SHA 256: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b
MD5: 799b30f47060ca05d80ece53866e01cc
Typical Filename: mf2016341595.exe
Claimed Product: N/A 
Detection Name: Win.Downloader.Generic::1201

Keep up with all things Talos by following us on TwitterSnortClamAV and Immunet also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.  

No comments:

Post a Comment

Note: Only a member of this blog may post a comment.