Thursday, August 27, 2020

Threat Source newsletter for Aug. 27, 2020

Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers. 

As part of our continued look at election security ahead of the November election, we have another research paper out this week. This time, we’re taking a closer look at disinformation campaigns, popularly known as “fake news.”

This paper builds on the first “What to expect when you’re electing” report by focusing on the infrastructure supporting these complex campaigns. 

On the vulnerability side of things, we also have another blog post out detailing several vulnerabilities in Microsoft Azure Sphere. This builds on the ones we disclosed last month, which our researchers found as part of the Azure Sphere Security Research Challenge. 

Cyber Security Week in Review

  • American federal agents say they’ve discovered multiple fake websites disguised as providing legitimate information about the upcoming election. The sites existed on typo-squatted domains, meaning the URLs were similar to legitimate political sites. 
  • Companies are still struggling to protect their important data and documents as there’s no end in sight to the work from home trend. Some concerns include employees taking pictures of sensitive information or employees who easily fall for common scams. 
  • Multiple federal agencies issued a warning regarding a new series of attacks that utilize stolen VPN credentials. Adversaries are sending push alerts to users’ two-factor authentication apps in hopes that they’ll inadvertently accept them. 
  • North Korean state-sponsored actors are accused of leading an ATM-cashout campaign across the globe. These attacks execute specific code on ATMs, forcing them to dispense all the cash inside. 
  • American intelligence officials say they so far have found no evidence of vote-by-mail fraud. Prominent politicians have questioned the efficacy of this voting method as more voters opt to stay home due to the COVID-19 pandemic.  
  • Spying technology commonly used by the Chinese government is starting to creep into Hong Kong. The government there is increasingly relying on cameras and other hacks after it passed groundbreaking law enforcement legislation earlier this year. 
  • The final volume from the Senate Intelligence Committee’s report on the 2016 election found that a prominent Trump campaign official passed information to a Russian intelligence officer. The report said the information included "counterintelligence threats and vulnerabilities." 
  • New Zealand’s stock exchange was taken offline on back-to-back days this week due to a cyber attack. All signs so far point to it being a distributed denial-of-service attack. 
  • A Russian citizen is accused of traveling to the U.S. to recruit an American employee hoping to convince them to install malware on their employer’s network. No details have been released on the alleged target outside of it being a company in Nevada.  

Notable recent security issues

Description: Cisco Talos researchers recently discovered multiple vulnerabilities in Microsoft’s Azure Sphere, a cloud-connected and custom SoC platform designed specifically with IoT application security in mind. Internally, the SoC is made up of several ARM cores that have different roles (e.g. running different types of applications, enforcing security, and managing encryption). Externally, the Azure Sphere platform is supported by Microsoft’s Azure Sphere cloud, which handles secure updates and app deployment and periodically verifies device integrity to determine whether or not the device should be allowed cloud access. Talos discovered four vulnerabilities in Azure Sphere, two of which could lead to unsigned code execution and the other two to privilege escalation.  
Snort SIDs: 54645, 54646, 54729, 54730  

Description: TinyMCE recently disclosed a vulnerability that could have allowed attackers to completely take over some websites. The open-source content management system and text editor fixed a high-severity cross-site scripting vulnerability. An attacker could input specific HTML code into a forum on an affected website to exploit this vulnerability, allowing them to take control of the websites. Security researchers suggest thousands of sites could be affected.  
Snort SIDs: 54815, 54816 

Most prevalent malware files this week

MD5: 8c80dd97c37525927c1e549cb59bcbf3 
Typical Filename: Eter.exe 
Claimed Product: N/A 
Detection Name: Win.Exploit.Shadowbrokers::5A5226262.auto.talos 

MD5: e2ea315d9a83e7577053f52c974f6a5a  
Typical Filename: Tempmf582901854.exe  
Claimed Product: N/A  
Detection Name: Win.Dropper.Agentwdcr::1201 

MD5: adad179db8c67696ac24e9e11da2d075  
Typical Filename: FlashHelperServices.exe  
Claimed Product: Flash Helper Service  
Detection Name: W32.7F9446709F-100.SBX.VIOC  

MD5: 799b30f47060ca05d80ece53866e01cc  
Typical Filename: mf2016341595.exe  
Claimed Product: N/A  
Detection Name: Win.Downloader.Generic::1201 

MD5: 47b97de62ae8b2b927542aa5d7f3c858 
Typical Filename: qmreportupload.exe 
Claimed Product: qmreportupload 
Detection Name: Win.Trojan.Generic::in10.talos 

Keep up with all things Talos by following us on Twitter. Snort, ClamAV and Immunet also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.  
