Thursday, July 2, 2020

Threat Source newsletter for July 2, 2020



Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers.

Our latest research you should catch up on is the Valak malware. This information-stealer sneaks its way onto victim machines by hijacking legitimate email threads. The threat actors send their phishing emails and attachments in email threads, hoping to trick users into thinking they’re legitimate.

We also have two vulnerability spotlights that alert users to patches you should make now. One is an information leak in Mozilla Firefox, and the other is a remote code execution bug in the LEADTOOLS kit

Upcoming public engagements

Event: “Help! We need an adult! Engaging an external IR team” at DFIR Summit & Training 2020
Location: Streaming online
Date: July 16 - 25 
Speakers: Liz Waddell
Synopsis: Too often, the decision to bring in a third-party forensic team occurs when an incident has reached crisis level. As an Incident Commander for such a team, Liz has seen many people handle this crisis engagement well, and others – not so much. This presentation will prepare you for what happens when you need additional surge support. We will discuss what to expect during the engagement “how to properly scope and set objectives with your firm, how to prep for both remote and onsite forensics, tool deployment, what data/logs may be asked for and establishing command centers.

Cyber Security Week in Review

  • A study of Amazon’s facial recognition technology found its often inaccurate, especially with non-white individuals. The security researchers behind the test also found that it misidentified more than 100 well-known politicians as criminals. 
  • Apple’s iOS 14 will give users the option to opt out of advertisement tracking. The company also said its new mobile operating system will also allow users to give apps their approximate location rather than a specific point. 
  • Twitter swiftly banned the group behind a leak of a massive trove of data from police departments across the U.S. The so-called “BlueLeaks” included things like email addresses, budgets and details on crime victims.  
  • Republicans in Congress introduced a new bill that would roll back end-to-end encryption. The bill would also force software and hardware makers to include “lawful access” mechanisms. 
  • Coca-Cola, Ford, Nike and Starbucks are just a few of the global brands pausing advertisements on social media. The companies are calling on sites like Twitter and Facebook to take greater steps to block hate speech.  
  • Rice University is working with a non-profit to develop open-source technology aimed at helping states and local municipalities process mail-in ballots. The system would allow elections offices to use off-the-shelf printers and scanners while still keeping voters’ information secure.  
  • The University of California, San Francisco says it paid a $1.14 million ransom to attackers who compromised some of their servers. UCSF is deeply involved in COVID-19 research. 
  • Older versions of G Suite products like Google Docs and Gmail will stop working in August. Google warned users this week they need to update prior to Aug. 12.  
  • School districts across the United States already struggled with keeping students’ data secure prior to COVID-19. And now with more classes moving online, there is a whole new level of complexity with no new funding coming down the pipeline.  
  • Australia’s federal government plans to spend $1 billion over the next 10 years to improve its defensive cyber security capabilities. The announcement came weeks after the country accused state-sponsored actors of targeting government services. 

Notable recent security issues

Title: Evil Corp rolls out new ransomware, variant of Zeus trojan
Description: Evil Corp, known for the creation of the infamous Zeus trojan, is actively attacking large corporations using fake documents disguised as job applications and resumes. The phishing emails claim to be someone looking for employment after losing their job due to the COVID-19 pandemic. The adversaries also recently released a new ransomware called “WastedLocker,” which is believed to be a replacement for the BitPaymer ransomware strain the group used previously.
References: https://www.computerweekly.com/news/252485331/Evil-Corps-latest-ransomware-project-spreading-fast

https://www.techrepublic.com/article/cybercriminals-now-spoofing-job-hunters-to-deploy-password-stealing-malware/
Snort SIDs: 54407, 54408

Title: Valak plugin goes after Microsoft Exchange users
Description: The Valak information-stealing malware now has new capabilities to specifically target Microsoft Exchange servers and steal users’ email logins. Researchers have discovered at least 30 variants of Valak over the past six months, showing the adversaries are quickly adapting. The newest strain uses what’s known as “reply-chain attacks,” where the malware injects a malicious phishing email into an otherwise harmless email chain the user previously replied to. 
Snort SIDs: 54401 - 54404

Most prevalent malware files this week

SHA 256: e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd
MD5: 8193b63313019b614d5be721c538486b
Typical Filename: SAntivirusService.exe
Claimed Product: SAService
Detection Name: PUA.Win.Dropper.Segurazo::95.sbx.tg

SHA 256: 094d4da0ae3ded8b936428bb7393c77aaedd5efb5957116afd4263bd7edc2188 
MD5: a10a6d9dfc0328a391a3fdb1a9fb18db
Typical Filename: FlashHelperServices.exe
Claimed Product: Flash Helper Service
Detection Name: PUA.Win.Adware.Flashserv::100.sbx.vioc

SHA 256: 85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5
MD5: 8c80dd97c37525927c1e549cb59bcbf3
Typical Filename: eternalblue-2.2.0.exe
Claimed Product: N/A
Detection Name: W32.85B936960F.5A5226262.auto.Talos

SHA 256: 3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3 
MD5: 47b97de62ae8b2b927542aa5d7f3c858
Typical Filename: qmreportupload.exe
Claimed Product: qmreportupload
Detection Name: Win.Trojan.Generic::95.sbx.tg 

SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f
MD5: e2ea315d9a83e7577053f52c974f6a5a
Typical Filename: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f.bin
Claimed Product: N/A
Detection Name: Win.Dropper.Agentwdcr::1201

Keep up with all things Talos by following us on TwitterSnortClamAV and Immunet also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.  

No comments:

Post a Comment