Thursday, July 23, 2020

Threat Source newsletter for July 23, 2020



Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers.

While ransomware attacks continue to hog all the headlines, cryptocurrency miners are still running the background, sapping computing power from unsuspecting victims. We have what we believe is the first documentation of a new botnet we're calling "Prometei" that mines for Monero. Here's why you need to be on the lookout for this botnet and why it could be a sign of worse things to come if you're infected.

If you didn't get enough election security news last week with our research paper, the guys on Beers With Talos dug even deeper into the topic in the latest episode.

Cyber Security Week in Review

  • More information continues to come out regarding the massive Twitter hack last week that led to several high-profile accounts being taken over and sending out information on a Bitcoin scam. A new report from the New York Times found that the group behind the hack is a group of younger people who don’t have any ties to state-sponsored actors. 
  • Adding another layer onto the intrusion, Twitter now says that the hackers accessed the private direct messages belonging to 36 of the accounts that were breached. This raises the possibility that the victims could be extorted in the future.
  • This incident highlights that humans can sometimes be an organization's largest security weakness. Some employees have enough personal information out on social media accounts that adversaries can leverage to carry out social engineering attacks, while others may not be properly trained to spot phishing emails. 
  • Israel says it fended off another cyber attack against its public water system. The intrusions in June came after a different attack on Israeli infrastructure in April that the country blamed on Iranian state-sponsored actors.
  • A new report from the British government states that the country did not do enough to fend off foreign interference in its elections. The U.K.'s Intelligence and Security Committee added that Russian actors are the country's greatest threats, and says Britain is "playing catch-up."
  • The Trump administration continues to mull over whether to ban the popular social media app TikTok. While the American government is locked in a battle with Chinese tech companies across the board, security experts say the issues surrounding TikTok are not so black and white.
  • New York state announced plans to formally charge mortgage title insurance company First American Financial Corp. for a massive data leak last year. The penalties are set to be the first of their type under new regulations in the state.
  • A new Android malware that appears to be a spinoff of LokiBot aims to steal users' information off their devices in the background. The BlackRock trojan is going after some of the most popular apps in the world, too, including Netflix and Tinder.

Notable recent security issues

Title: SAP systems vulnerability could allow adversaries to create new user accounts, execute code 
Description: The U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) released a warning last week urging SAP admins to update their systems as soon as possible to fix a critical vulnerability. CVE-2020-6287 affects the SAP NetWeaver Application Server's Java component LM Configuration Wizard. An attacker could exploit this bug to obtain unrestricted access to SAP systems, allowing them to create their own user accounts and executing arbitrary system commands.
Snort SIDs: 54571 - 54574

Title: Cisco discloses 33 vulnerabilities in small business routers, firewalls 
Description: Cisco disclosed 33 vulnerabilities in their RV series of routers and firewalls earlier this month. The products mainly service small business environments. One of the bugs, CVE-2020-3330, could allow an adversary to completely take over a device if the user hadn’t reset the default admin credentials that came pre-installed on the device. There is also a critical privilege escalation vulnerability in Prime License Manager.
References: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-rv110w-static-cred-BMTWBWTy

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-rv-rce-AQKREqp

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-code-exec-wH3BNFb

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cisco-prime-priv-esc-HyhwdzBA
Snort SIDs: 54538 - 54567

Most prevalent malware files this week

SHA 256: 8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9
MD5: 34560233e751b7e95f155b6f61e7419a
Typical Filename: SAService.exe
Claimed Product: SAService
Detection Name: PUA.Win.Dropper.Segurazo::tpd

SHA 256: 449f4a4524c06e798193c1d3ba21c2d9338936375227277898c583780392d4d8
MD5: 179c09b866c9063254083216b55693e6
Typical Filename: SAService.exe
Claimed Product: SAService
Detection Name: PUA.Win.File.Segurazo::95.sbx.tg

SHA 256: 094d4da0ae3ded8b936428bb7393c77aaedd5efb5957116afd4263bd7edc2188 
MD5: a10a6d9dfc0328a391a3fdb1a9fb18db
Typical Filename: FlashHelperServices.exe
Claimed Product: Flash Helper Service
Detection Name: PUA.Win.Adware.Flashserv::100.sbx.vioc

SHA 256: e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd
MD5: 8193b63313019b614d5be721c538486b
Typical Filename: SAntivirusService.exe
Claimed Product: SAService
Detection Name: PUA.Win.Dropper.Segurazo::95.sbx.tg

SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f
MD5: e2ea315d9a83e7577053f52c974f6a5a
Typical Filename: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f.bin
Claimed Product: N/A
Detection Name: Win.Dropper.Agentwdcr::1201

Keep up with all things Talos by following us on TwitterSnortClamAV and Immunet also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.  

No comments:

Post a Comment