Thursday, July 16, 2020

Threat Source newsletter for July 16, 2020



Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers.

If you haven’t already, we highly recommend you read our in-depth research paper on election security. This paper represents four years of hands-on research, interviews and insight into how things have changed since 2016, and what hurdles remain to secure American elections. 

This is just the first release in a series of papers, blog posts and more that we’ll be releasing in the leadup to the November general election. Stay tuned for more.

Microsoft dominated the headlines otherwise this week, disclosing a critical vulnerability in DNS for Windows servers. We also had a hand in discovering six critical vulnerabilities in the Hyper-V engine. Check out our blog post for the full breakdown and Snort rules.

Upcoming public engagements

Event: "High-speed fingerprint cloning: Myth or reality?” at BSides Portugal
Location: Streaming online
Date: July 23
Speakers: Paul Rascagneres and Vitor Ventura
Synopsis: Users often rely on devices’ fingerprint scanners to unlock their devices, including smartphones, laptops and tablets. But how safe are these features, really? Talos researchers set out to see if they could trick this technology into accepting artificially replicated fingerprints — an attack method that adversaries would not shy away from using. In this talk, Paul and Vitor will cover their findings in this experiment. 

Cyber Security Week in Review

  • Officials from the U.S., U.K. and Canada jointly blamed a Russian state-sponsored actor for allegedly trying to steal information related to the development of COVID-19 vaccines. APT29 is accused of targeting academic institutions and medical research organizations in cyber attacks. 
  • Several high-profile Twitter accounts belonging to major American figures such as Elon Musk, Joe Biden and Bill Gates were hacked this week and used to promote a Bitcoin scan. This led Twitter to temporarily prevent all verified accounts from posting updates. 
  • After the fact, Twitter stated it believed the hacks were part of a “coordinated social engineering attack.” The company added that it believes adversaries targeted Twitter employees who had access to internal tools. 
  • A 17-year-old vulnerability in Windows DNS headlined this month’s Microsoft Patch Tuesday. Microsoft and security researchers jointly warned users on Tuesday to update immediately, as the bug could be used to quickly spread malware. 
  • The U.K. ordered Chinese company Huawei to remove its technology from the country’s 5G network. This was a major reversal for British Prime Minister Boris Johnson, who previously greenlit the company’s involvement.  
  • The CIA recently received broader powers to carry out cyber espionage campaigns, according to a new report. These new powers give the agency the ability to carry out its own cyber operations without first needing approval from the White House. 
  • The U.S. is looking into restrictions or a ban on the popular social media app TikTok. One White House official even said a new set of rules could come within weeks, citing security concerns of the app, which is developed by a Chinese company.  
  • A new Android malware known as “BlackRock” can infect devices and steal login information and credit card data from 337 other apps. Security researchers say the malware is based off the leaked source code for the Xerxes malware. 
  • The latest update to iOS and iPadOS allows users to use a virtual car key to open some BMW cars. Apple says the feature will eventually work with more car manufacturers. 

Notable recent security issues

Title: Patch Tuesday highlighted by DNS bug, critical vulns affecting Intel and AMD
Description: Microsoft released its monthly security update Tuesday, disclosing more than 120 vulnerabilities across its array of products. While only a few vulnerabilities are considered critical, users of all Microsoft and Windows products are urged to update their software as soon as possible to avoid possible exploitation. The security updates cover several different products including the Hyper-V engine, Microsoft Word and the rest of the Microsoft Office suite of products. Six of the critical vulnerabilities that Microsoft fixed this month could allow an adversary to execute remote code by exploiting the RemoteFX feature in the Windows Hyper-V engine. These bugs affect some Intel and AMD drivers.
References: https://blog.talosintelligence.com/2020/07/vuln-spotlight-intel-amd-microsoft-july-2020.html

https://blog.talosintelligence.com/2020/07/microsoft-patch-tuesday-for-july-2020.html
Snort SIDs: 54509 - 54511, 54516 - 54518, 54521 - 54525, 54534, 54535

Title: NetSupport RAT among biggest threats to government agencies
Description: The U.S. Department of Homeland Security recently released a report outlining the three most popular malware families its intrusion prevention system detects. The NetSupport remote access tool leads the group, followed by the Kovter trojan and the XMRig cryptocurrency miner. The NetSupport Manager RAT leverages legitimate administration software to infect victim machines and then remotely take control of them.
Snort SIDs: 54496

Most prevalent malware files this week

SHA 256: 449f4a4524c06e798193c1d3ba21c2d9338936375227277898c583780392d4d8
MD5: 179c09b866c9063254083216b55693e6 
Typical Filename: SAService.exe
Claimed Product: SAService
Detection Name: PUA.Win.File.Segurazo::95.sbx.tg

SHA 256: 8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9
MD5: 34560233e751b7e95f155b6f61e7419a
Typical Filename: SAService.exe
Claimed Product: SAService
Detection Name: PUA.Win.Dropper.Segurazo::tpd

SHA 256: 85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5
MD5: 8c80dd97c37525927c1e549cb59bcbf3
Typical Filename: eternalblue-2.2.0.exe
Claimed Product: N/A
Detection Name: W32.85B936960F.5A5226262.auto.Talos

SHA 256: 094d4da0ae3ded8b936428bb7393c77aaedd5efb5957116afd4263bd7edc2188 
MD5: a10a6d9dfc0328a391a3fdb1a9fb18db
Typical Filename: FlashHelperServices.exe
Claimed Product: Flash Helper Service
Detection Name: PUA.Win.Adware.Flashserv::100.sbx.vioc

SHA 256: e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd
MD5: 8193b63313019b614d5be721c538486b
Typical Filename: SAntivirusService.exe
Claimed Product: SAService
Detection Name: PUA.Win.Dropper.Segurazo::95.sbx.tg

Keep up with all things Talos by following us on TwitterSnortClamAV and Immunet also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.  

No comments:

Post a Comment