Thursday, August 13, 2020

Threat Source newsletter for Aug. 13, 2020

Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers. 

It’s really tough to attribute cyber attacks. We know it. You know it. But why is that, exactly? And why do we want to attribute attacks so badly anyway? In our latest blog post, we look at why attribution is challenging, and what pitfalls private researchers and government agencies alike face.  

If you haven’t already, you need to update your Microsoft products. Patch Tuesday was this week, and with it came more than 100 vulnerabilities that you should know about. Here’s a rundown of the most notable bugs and what Snort rules can help. 

Cyber Security Week in Review

  • COVID-19 creates another level of challenge to securing America’s 2020 presidential election. Several speakers at Blackhat and DEFCON last week highlighted the pitfalls that come along with vote by mail and fake news around the pandemic. 
  • States are also pushing to do away with all-electronic voting machines ahead of the election. Paperless mechanisms pose a bevy of challenges, but that change has been inconsistent, at best. 
  • A confidential White House document reportedly states that Russia wants to influence the election in a way that gets Donald Trump re-elected. Past reports came to the same conclusion during the 2016 election. 
  • Security researchers discovered a vulnerability in Windows machines that dates back to the Windows 2000 operating system. If exploited, an attacker could stop the spooler service that sends information to printers. 
  • TikTok’s status in the U.S. is still up in the air. While President Donald Trump still wants to ban the Chinese-made app, the company also says it will sue the administration to keep its status on app stores. 
  • Some Qualcomm chips spanning multiple generations contain a combined 400-some vulnerabilities, the most severe of which could allow attackers to spy on users’ personal information contained on smartphones made by the likes of Google and Samsung. 
  • Israel says it fought off an attack from a North Korean state-sponsored threat actor. Israeli officials say the attackers were trying to steal information from defense contractors. 
  • Threat actors can eavesdrop on cell phone calls with about $7,000 in equipment. Researchers say there are limitations to this attack method in the wild, but proof of concept tests have so far been successful. 

Notable recent security issues

Description: Microsoft released its monthly security update Tuesday, disclosing 120 vulnerabilities across its array of products. Sixteen of the vulnerabilities are considered “critical,” including one that Microsoft says is currently being exploited in the wild. Users of all Microsoft and Windows products are urged to update their software as soon as possible to avoid possible exploitation of all these bugs. Microsoft Media Foundation contains the largest number of these critical vulnerabilities. The bugs (CVE-2020-1379, CVE-2020-1477, CVE-2020-1492, CVE-2020-1525 and CVE-2020-1554) could all allow an adversary to corrupt memory in a way that would allow them to execute code remotely on the victim machine. Any of these vulnerabilities could be triggered if the target opens a specially crafted document or web page. 
Snort SIDs: 54733 - 54746, 54753, 54754 

Description: Cisco warned users last week to update multiple lines of switches and routers, as well as the company’s VPN service. Some of the affected products could be force-rebooted and knocked offline. The AnyConnect VPN client for Windows also has a bug that could allow an adversary to perform a dynamic link library (DLL) hijacking attack. If a malicious user was to obtain credentials for the targeted Windows system, they could then execute malicious code with system-level privileges. 
Snort SIDs: 54698 - 59702 

Most prevalent malware files this week

MD5: 8c80dd97c37525927c1e549cb59bcbf3 
Typical Filename: Eter.exe 
Claimed Product: N/A 
Detection Name: Win.Exploit.Shadowbrokers::5A5226262.auto.talos 

MD5: 47b97de62ae8b2b927542aa5d7f3c858 
Typical Filename: qmreportupload.exe 
Claimed Product: qmreportupload 
Detection Name: Win.Trojan.Generic::in10.talos 

SHA 256: 8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9
MD5: 34560233e751b7e95f155b6f61e7419a
Typical Filename: SAService.exe
Claimed Product: SAService
Detection Name: PUA.Win.Dropper.Segurazo::tpd

SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f
MD5: e2ea315d9a83e7577053f52c974f6a5a
Typical Filename: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f.bin
Claimed Product: N/A
Detection Name: Win.Dropper.Agentwdcr::1201

MD5: 799b30f47060ca05d80ece53866e01cc 
Typical Filename: mf2016341595.exe 
Claimed Product: N/A 
Detection Name: Win.Downloader.Generic::1201 
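The block above is published in a fixed layout (one stanza per file, labelled `MD5:`, `SHA 256:`, `Typical Filename:`, `Claimed Product:`, `Detection Name:`). As an added example, not part of the newsletter or of any Talos tooling, the Python script below parses that layout into records and hashes the files under a directory against them, so the list can be turned into a quick host sweep. The hashes are copied from the list above; the files it sweeps, and the extra `Test.Constructed::demo` record, are constructed for the demonstration.

```python
"""Parse the newsletter's "Most prevalent malware files" block into IoC
records and sweep a directory for files whose MD5 or SHA-256 matches.
Added example; not Talos code. Hashes are copied from the newsletter,
the swept files are constructed below."""
import hashlib
import os
import tempfile

# Verbatim copy of the newsletter's IoC block (page data, not constructed).
IOC_TEXT = """
MD5: 8c80dd97c37525927c1e549cb59bcbf3
Typical Filename: Eter.exe
Claimed Product: N/A
Detection Name: Win.Exploit.Shadowbrokers::5A5226262.auto.talos

MD5: 47b97de62ae8b2b927542aa5d7f3c858
Typical Filename: qmreportupload.exe
Claimed Product: qmreportupload
Detection Name: Win.Trojan.Generic::in10.talos

SHA 256: 8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9
MD5: 34560233e751b7e95f155b6f61e7419a
Typical Filename: SAService.exe
Claimed Product: SAService
Detection Name: PUA.Win.Dropper.Segurazo::tpd

SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f
MD5: e2ea315d9a83e7577053f52c974f6a5a
Typical Filename: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f.bin
Claimed Product: N/A
Detection Name: Win.Dropper.Agentwdcr::1201

MD5: 799b30f47060ca05d80ece53866e01cc
Typical Filename: mf2016341595.exe
Claimed Product: N/A
Detection Name: Win.Downloader.Generic::1201
"""

# Newsletter field labels -> record keys.
FIELDS = {"MD5": "md5", "SHA 256": "sha256", "Typical Filename": "filename",
          "Claimed Product": "product", "Detection Name": "detection"}


def parse_iocs(text):
    """Split the block on blank lines; each stanza becomes one dict."""
    records = []
    for stanza in text.strip().split("\n\n"):
        rec = {}
        for line in stanza.splitlines():
            label, _, value = line.partition(":")
            key = FIELDS.get(label.strip())
            if key:  # hashes are normalised to lowercase for comparison
                rec[key] = value.strip().lower() if key in ("md5", "sha256") else value.strip()
        if rec:
            records.append(rec)
    return records


def hash_file(path):
    """Return (md5, sha256) hex digests, streamed so large files are fine."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            md5.update(chunk)
            sha.update(chunk)
    return md5.hexdigest(), sha.hexdigest()


def sweep(directory, records):
    """Walk `directory`; return [(path, detection)] for every hash match."""
    by_hash = {rec[k]: rec["detection"] for rec in records
               for k in ("md5", "sha256") if k in rec}
    hits = []
    for root, _, files in os.walk(directory):
        for name in files:
            path = os.path.join(root, name)
            md5, sha = hash_file(path)
            det = by_hash.get(sha) or by_hash.get(md5)
            if det:
                hits.append((path, det))
    return hits


def demo():
    """Constructed check: one benign temp file and one whose SHA-256 is added
    to the list under a placeholder name, so the sweep flags exactly that file."""
    records = parse_iocs(IOC_TEXT)
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in (("notes.txt", b"constructed benign content\n"),
                           ("sample.bin", b"constructed sample content\n")):
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(data)
        sample_sha = hash_file(os.path.join(tmp, "sample.bin"))[1]
        records.append({"sha256": sample_sha, "detection": "Test.Constructed::demo"})
        hits = sweep(tmp, records)
    return len(records), [det for _, det in hits]


if __name__ == "__main__":
    print(demo())
```

Matching on both digests matters because the newsletter gives only an MD5 for three of the five entries; the lookup prefers SHA-256 when one is present and falls back to MD5 otherwise.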

Keep up with all things Talos by following us on Twitter. Snort, ClamAV and Immunet also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.
