Newsletter compiled by Jon Munshaw.
Good afternoon, Talos readers.
As part of our continued look at election security ahead of the November election, we have another research paper out this week. This time, we’re taking a closer look at disinformation campaigns, popularly known as “fake news.”
This paper builds on the first “What to expect when you’re electing” report by focusing on the infrastructure supporting these complex campaigns.
On the vulnerability side of things, we also have another blog out detailing some vulnerabilities in Microsoft Azure Sphere. It builds on the ones we disclosed last month, which our researchers found as part of the Azure Sphere Security Research Challenge.
Cyber Security Week in Review
- American federal agents say they’ve discovered multiple fake websites disguised as providing legitimate information about the upcoming election. The sites existed on typo-squatted domains, meaning the URLs were similar to legitimate political sites.
- Companies are still struggling to protect their important data and documents as there’s no end in sight to the work from home trend. Some concerns include employees taking pictures of sensitive information or employees who easily fall for common scams.
- Multiple federal agencies issued a warning regarding a new series of attacks that utilize stolen VPN credentials. After logging in with the stolen credentials, adversaries send push alerts to users’ two-factor authentication apps in hopes that the user will inadvertently accept one of them.
- North Korean state-sponsored actors are accused of leading an ATM-cashout campaign across the globe. In these attacks, malware run on the targeted ATMs forces them to dispense all the cash inside.
- American intelligence officials say they so far have found no evidence of vote-by-mail fraud. Prominent politicians have questioned the efficacy of this voting method as more voters opt to stay home due to the COVID-19 pandemic.
- Spying technology commonly used by the Chinese government is starting to creep into Hong Kong. The government there is increasingly relying on cameras and other surveillance tools after it passed groundbreaking law enforcement legislation earlier this year.
- The final volume from the Senate Intelligence Committee’s report on the 2016 election found that a prominent Trump campaign official passed information to a Russian intelligence officer. The report said the information included "counterintelligence threats and vulnerabilities."
- New Zealand’s stock exchange was taken offline on back-to-back days this week due to a cyber attack. All signs so far point to it being a distributed denial-of-service attack.
- A Russian citizen is accused of traveling to the U.S. to recruit an American employee hoping to convince them to install malware on their employer’s network. No details have been released on the alleged target outside of it being a company in Nevada.
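The two-factor push attack described in the VPN credential item above is usually called push fatigue: the attacker already has the password, so the only remaining signal is a burst of push prompts that the user denies or ignores until one is approved. The following detection is an added example written for this newsletter, not code from Talos, the agencies that issued the warning, or any MFA vendor. It runs over a constructed log sample in an assumed format (timestamp, user, push result, source IP; real products log more fields and different names) and flags users who received several non-approved prompts within a short window, rating the alert high if an approval followed the spam.

```python
"""Flag MFA push-fatigue patterns in authentication logs (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <user> <push result> <source IP>".
# The field layout is an assumption for this example, not a vendor format.
SAMPLE_LOG = """\
2020-08-25T02:11:04Z alice.w denied 203.0.113.7
2020-08-25T02:11:41Z alice.w denied 203.0.113.7
2020-08-25T02:12:19Z alice.w timeout 203.0.113.7
2020-08-25T02:12:58Z alice.w denied 203.0.113.7
2020-08-25T02:13:37Z alice.w approved 203.0.113.7
2020-08-25T09:02:10Z bob.k approved 198.51.100.20
2020-08-25T09:40:55Z bob.k denied 198.51.100.20
2020-08-25T14:15:00Z carol.m denied 192.0.2.9
2020-08-25T14:15:30Z carol.m denied 192.0.2.9
2020-08-25T14:16:00Z carol.m denied 192.0.2.9
2020-08-25T14:16:30Z carol.m denied 192.0.2.9
"""

SEVERITY_RANK = {"medium": 1, "high": 2}


def parse_log(text):
    """Parse the whitespace-separated sample format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, result, src = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user,
            "result": result,   # approved | denied | timeout
            "src": src,
        })
    return events


def detect_push_spam(events, window=timedelta(minutes=5), threshold=3):
    """Return {user: alert} for users who saw `threshold` or more
    non-approved push prompts inside any `window`-sized span.

    Severity is "high" when the prompt that closes the window was approved,
    i.e. the user gave in after denying or ignoring the earlier prompts;
    otherwise "medium" (an ongoing attempt that has not succeeded yet).
    """
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user[e["user"]].append(e)

    alerts = {}
    for user, evs in by_user.items():
        start = 0  # left edge of the sliding window
        for i, current in enumerate(evs):
            while current["ts"] - evs[start]["ts"] > window:
                start += 1
            span = evs[start:i + 1]
            rejected = [x for x in span if x["result"] != "approved"]
            if len(rejected) < threshold:
                continue
            approved_after = current["result"] == "approved"
            severity = "high" if approved_after else "medium"
            prev = alerts.get(user)
            # Keep the most severe alert; on equal severity keep the newest,
            # which also carries the larger prompt count.
            if prev is None or SEVERITY_RANK[severity] >= SEVERITY_RANK[prev["severity"]]:
                alerts[user] = {
                    "user": user,
                    "severity": severity,
                    "prompts": len(span),
                    "rejected": len(rejected),
                    "sources": sorted({x["src"] for x in span}),
                    "approved_after_spam": approved_after,
                    "first_prompt": span[0]["ts"].isoformat(),
                    "last_prompt": current["ts"].isoformat(),
                }
    return alerts


if __name__ == "__main__":
    for alert in detect_push_spam(parse_log(SAMPLE_LOG)).values():
        print(alert)
```

On the sample, alice.w is rated high (four denials or timeouts followed by an approval from the same source within three minutes), carol.m is rated medium (four denials, no approval yet), and bob.k is not flagged because his single denial is not a burst. In a real deployment the high-severity case is the one to act on immediately: the stolen password and the approved push mean the attacker now holds a valid VPN session, so the response is to terminate that session and reset the credential, not just to notify the user.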
Notable recent security issues
Title: Microsoft issues security update fixing vulnerabilities in Azure Sphere
Description: Cisco Talos researchers recently discovered multiple vulnerabilities in Microsoft’s Azure Sphere, a cloud-connected platform built on a custom SoC and designed specifically with IoT application security in mind. Internally, the SoC is made up of several ARM cores that have different roles (e.g. running different types of applications, enforcing security, and managing encryption), and externally the platform is supported by Microsoft’s Azure Sphere cloud, which handles secure updates and app deployment and periodically verifies device integrity to determine whether the device should be allowed cloud access. Talos discovered four vulnerabilities in Azure Sphere: two could lead to unsigned code execution, and the other two to privilege escalation.
Snort SIDs: 54645, 54646, 54729, 54730
Title: Cross-site scripting bug affects open-source rich-text editor used by many WordPress sites
Description: TinyMCE recently disclosed a vulnerability that could have allowed attackers to completely take over some websites. The project, an open-source rich-text editor embedded in WordPress and many other content management systems, fixed a high-severity cross-site scripting vulnerability. An attacker could submit specially crafted HTML through a form on an affected website to exploit this vulnerability, allowing them to take control of the site. Security researchers suggest thousands of sites could be affected.
Snort SIDs: 54815, 54816
Most prevalent malware files this week
SHA 256: 85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5
MD5: 8c80dd97c37525927c1e549cb59bcbf3
Typical Filename: Eter.exe
Claimed Product: N/A
Detection Name: Win.Exploit.Shadowbrokers::5A5226262.auto.talos
SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f
MD5: e2ea315d9a83e7577053f52c974f6a5a
Typical Filename: Tempmf582901854.exe
Claimed Product: N/A
Detection Name: Win.Dropper.Agentwdcr::1201
SHA 256: 7f9446709fbd77a21a806d17cf163ba00ce1a70f8b6af197990aa9924356fd36
MD5: adad179db8c67696ac24e9e11da2d075
Typical Filename: FlashHelperServices.exe
Claimed Product: Flash Helper Service
Detection Name: W32.7F9446709F-100.SBX.VIOC
SHA 256: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b
MD5: 799b30f47060ca05d80ece53866e01cc
Typical Filename: mf2016341595.exe
Claimed Product: N/A
Detection Name: Win.Downloader.Generic::1201
SHA 256: 3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3
MD5: 47b97de62ae8b2b927542aa5d7f3c858
Typical Filename: qmreportupload.exe
Claimed Product: qmreportupload
Detection Name: Win.Trojan.Generic::in10.talos
Keep up with all things Talos by following us on Twitter. Snort, ClamAV and Immunet also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.