Thursday, July 30, 2020

Threat Source newsletter for July 30, 2020

Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers.

Adversaries love to use headlines as part of their spam campaigns. From COVID-19, to Black Lives Matter and even Black Friday every year, the bad guys are wanting to capitalize on current events. Why is this the case, and when do they decide to jump on headlines? 

In our latest blog post, we look at this technique and examine the advantages and disadvantages of trying to leverage the biggest news.  

Cyber Security Week in Review

  • Garmin services are back online after a ransomware attack on the GPS company’s cloud platform. Most users follow Garmin for their exercise trackers and navigation, but perhaps more seriously, the company’s flight-tracking service that amateur pilots use also went dark. 
  • Security researchers are blaming the Evil Corp APT for the attack. The group is known for using the WastedLocker ransomware and Dridex credential-stealer. 
  • Cosmetics giant Avon left one of their Microsoft Azure servers open to the internet without encryption or a password. Security researchers say an adversary could have accessed the server and obtained OAuth other security tokens. 
  • Many consumers assume that the adoption of chip readers on credit cards make their transactions more secure. But the reality is the security measures in place vary between banks
  • North Korean state-sponsored attackers are reportedly targeting American defense and aerospace agencies and private companies. Some of the infection vectors are classic phishing emails that claim to include job offers to potential victims.  
  • Zoom recently disclosed a vulnerability discovered and fixed in April that could allow attackers to join anyone’s meetings by brute-forcing their passwords. The video conferencing platform has skyrocketed in popularity during the COVID-19 pandemic and has become a popular target for malicious actors. 
  • The FBI issued a warning to U.S. and international government agencies about a recent spike in NetWalker ransomware attacks. Victims are urged to not pay any ransom payments and report infections to the FBI immediately. 
  • A hacker infiltrated the Emotet botnet recently and replaced its malicious payload with humorous GIFs. Emotet is known to spread a large amount of the world’s spam emails. 

Notable recent security issues

Title: New botnet supports cryptocurrency mining for Monero
Description: Cisco Talos recently discovered a complex campaign employing a multi-modular botnet with multiple ways to spread and a payload focused on providing financial benefits for the attacker by mining the Monero online currency. Prometei employs various methods to spread across the network, like SMB with stolen credentials, psexec, WMI and SMB exploits. The adversary also uses several crafted tools that helps the botnet increase the amount of systems participating in its Monero-mining pool. Apart from a large focus on spreading across the environment, Prometei also tries to recover administrator passwords. The discovered passwords are sent to the C2 and then reused by other modules that attempt to verify the validity of the passwords on other systems using SMB and RDP protocols.
Snort SIDs: 54610 - 54612

Title: Attackers exploit high-severity vulnerability in Cisco Adaptive Security Appliance
Description: Cisco warned users that attackers are actively exploiting a vulnerability in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct directory traversal attacks and read sensitive files on a targeted system. The vulnerability exists in the software due to improper input validation for URLs in HTTP requests. An adversary could use this exploit to carry out directory traversal attacks.
Snort SIDs: 54598 - 54601

Most prevalent malware files this week

SHA 256: e66d6d13096ec9a62f5c5489d73c0d1dd113ea4668502021075303495fd9ff82
MD5: f0fdc17674950a4eaa4bbaafce5007f6
Typical Filename: FlashHelperServices.exe
Claimed Product: Flash Helper Service
Detection Name: W32.Auto:e66d6d1309.in03.Talos

SHA 256: 8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9
MD5: 34560233e751b7e95f155b6f61e7419a
Typical Filename: SAService.exe
Claimed Product: SAService
Detection Name: PUA.Win.Dropper.Segurazo::tpd

SHA 256: e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd
MD5: 8193b63313019b614d5be721c538486b
Typical Filename: SAntivirusService.exe
Claimed Product: SAService
Detection Name:

SHA 256: 3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3
MD5: 47b97de62ae8b2b927542aa5d7f3c858
Typical Filename: qmreportupload.exe
Claimed Product: qmreportupload
Detection Name: Win.Trojan.Generic::in10.talos

SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f
MD5: e2ea315d9a83e7577053f52c974f6a5a
Typical Filename: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f.bin
Claimed Product: N/A
Detection Name: Win.Dropper.Agentwdcr::1201

Keep up with all things Talos by following us on TwitterSnortClamAV and Immunet also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.  

No comments:

Post a Comment

Note: Only a member of this blog may post a comment.