Thursday, August 6, 2020

Threat Source newsletter for Aug. 6, 2020



Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers. 

We spend a lot of time talking about what you should do to keep your data safe, and how other organizations should be prepared for the worst. But what happens if the worst happens to you? 

In the latest Beers with Talos episode, we walk you through what to do if you’re the one who gets owned — even if it’s not your fault at all. 

We also have the details out on several vulnerabilities in Microsoft Azure Sphere. Our researchers will even receive an award later this year for their work on these. We also have a new Threat Roundup to give you insight into the IOCs you should be on the lookout for.   

Cyber Security Week in Review

  • Police arrested a 17-year-old in connection with the massive Twitter hack last month. The breach saw many high-profile accounts taken over and used to promote a bitcoin scam, including those belonging to Barack Obama and Elon Musk. 
  • When the man was set to appear in court, hackers interrupted the virtual hearing over Zoom. The local court publicly released information on the meeting ahead of time, essentially allowing anyone to join the hearing. One user sent a pornographic clip that led to the end of the hearing. 
  • Researchers discovered a vulnerability in the PC booting process that could allow malware to remain on a victim machine even after a safe boot. Billions of devices could be affected, which means it would take years to fix or phase out. 
  • The European Union used its powers to sanction nation-states over cyber attacks for the first time. Individuals connected to Russia, China and North Korea all received punishments this week, some connected to the infamous Not Petya attack in 2017. 
  • Security analysts found several vulnerabilities and security flaws in automation technology used in the manufacturing industry. The programming environments manage the robotics used to speed up production. 
  • The U.S. is offering bounties of up to $10 million to anyone who provides information on state-sponsored actors that interfere in the 2020 general election. The state department said it is looking for "any person who works with or for a foreign government for the purpose of interfering with US elections through certain illegal cyber activities." 
  • Cisco disclosed multiple high-severity vulnerabilities in its AnyConnect VPN client and DNA Center software. There are also potential exploits in small business switches that could allow an adversary to carry out a denial-of-service. 
  • The National Security Agency released a new warning to its employees that they should turn off find-my-phone, Bluetooth and WiFi whenever possible on their mobile devices. The advisory also asks employees to use a VPN to obscure their location. 
  • TikTok’s status in the U.S. is still in limbo as President Donald Trump, Microsoft and the Chinese government continue a back-and-forth over the future of the social media app. Reports suggest Microsoft could buy TikTok’s

Notable recent security issues

Description: The WastedLocker ransomware is now using the Windows memory management feature to evade detection. This malware has made headlines recently for its expanded use and has even potentially been linked to a recent cyber attack on GPS service provider Garmin. WastedLocker now can disguise its actions and bypass any ransomware protections that are already deployed on a victim machine. 
Snort SIDs: 54685 - 54692 

Description: Cisco Talos researchers recently discovered seven vulnerabilities in Microsoft’s Azure Sphere, a cloud-connected SoC platform designed specifically with IoT application security in mind. The infrastructure around the Azure Sphere platform is Microsoft’s Azure Sphere cloud, which takes care of secure updates, app deployment, and periodically verifying the device integrity. Internally, the SoC is made up of a set of several ARM cores that have different roles. The researchers discovered two chainable vulnerabilities within Azure Sphere that, assuming an attacker could flash a malicious application, would allow for arbitrary writing to anywhere in the /mnt/config partition, resulting in further privilege escalation. 
Snort SIDs: 54501 - 53504 

Most prevalent malware files this week

SHA 256: e66d6d13096ec9a62f5c5489d73c0d1dd113ea4668502021075303495fd9ff82
MD5: f0fdc17674950a4eaa4bbaafce5007f6
Typical Filename: FlashHelperServices.exe
Claimed Product: Flash Helper Service
Detection Name: W32.Auto:e66d6d1309.in03.Talos

SHA 256: 8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9
MD5: 34560233e751b7e95f155b6f61e7419a
Typical Filename: SAService.exe
Claimed Product: SAService
Detection Name: PUA.Win.Dropper.Segurazo::tpd

MD5: 73d1de319c7d61e0333471c82f2fc104 
Typical Filename: SAntivirusService.exe 
Claimed Product: SAService 
Detection Name: Win.Dropper.Segurazo::tpd 

SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f
MD5: e2ea315d9a83e7577053f52c974f6a5a
Typical Filename: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f.bin
Claimed Product: N/A
Detection Name: Win.Dropper.Agentwdcr::1201

MD5: 799b30f47060ca05d80ece53866e01cc 
Typical Filename: mf2016341595.exe 
Claimed Product: N/A 
Detection Name: Win.Downloader.Generic::1201 

Keep up with all things Talos by following us on TwitterSnortClamAV and Immunet also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.  

No comments:

Post a Comment