Newsletter compiled by Jon Munshaw.
Good afternoon, Talos readers.
We spend a lot of time talking about what you should do to keep your data safe, and how other organizations should be prepared for the worst. But what happens if the worst happens to you?
In the latest Beers with Talos episode, we walk you through what to do if you’re the one who gets owned — even if it’s not your fault at all.
We also have the details out on several vulnerabilities in Microsoft Azure Sphere. Our researchers will even receive an award later this year for their work on these. We also have a new Threat Roundup to give you insight into the IOCs you should be on the lookout for.
Cyber Security Week in Review
- Police arrested a 17-year-old in connection with the massive Twitter hack last month. The breach saw many high-profile accounts taken over and used to promote a bitcoin scam, including those belonging to Barack Obama and Elon Musk.
- When the man was set to appear in court, hackers interrupted the virtual hearing over Zoom. The local court publicly released information on the meeting ahead of time, essentially allowing anyone to join the hearing. One user sent a pornographic clip that led to the end of the hearing.
- Researchers discovered a vulnerability in the PC booting process that could allow malware to remain on a victim machine even after a safe boot. Billions of devices could be affected, which means it would take years to fix or phase out.
- The European Union used its powers to sanction nation-states over cyber attacks for the first time. Individuals connected to Russia, China and North Korea all received punishments this week, some connected to the infamous Not Petya attack in 2017.
- Security analysts found several vulnerabilities and security flaws in automation technology used in the manufacturing industry. The programming environments manage the robotics used to speed up production.
- The U.S. is offering bounties of up to $10 million to anyone who provides information on state-sponsored actors that interfere in the 2020 general election. The state department said it is looking for "any person who works with or for a foreign government for the purpose of interfering with US elections through certain illegal cyber activities."
- Cisco disclosed multiple high-severity vulnerabilities in its AnyConnect VPN client and DNA Center software. There are also potential exploits in small business switches that could allow an adversary to carry out a denial-of-service.
- The National Security Agency released a new warning to its employees that they should turn off find-my-phone, Bluetooth and WiFi whenever possible on their mobile devices. The advisory also asks employees to use a VPN to obscure their location.
- TikTok’s status in the U.S. is still in limbo as President Donald Trump, Microsoft and the Chinese government continue a back-and-forth over the future of the social media app. Reports suggest Microsoft could buy TikTok’s
Notable recent security issues
Title: WastedLocker adding new techniques, makes headlines
Description: The WastedLocker ransomware is now using the Windows memory management feature to evade detection. This malware has made headlines recently for its expanded use and has even potentially been linked to a recent cyber attack on GPS service provider Garmin. WastedLocker now can disguise its actions and bypass any ransomware protections that are already deployed on a victim machine.
Snort SIDs: 54685 - 54692
Title: Microsoft fixes vulnerabilities in Azure Sphere
Description: Cisco Talos researchers recently discovered seven vulnerabilities in Microsoft’s Azure Sphere, a cloud-connected SoC platform designed specifically with IoT application security in mind. The infrastructure around the Azure Sphere platform is Microsoft’s Azure Sphere cloud, which takes care of secure updates, app deployment, and periodically verifying the device integrity. Internally, the SoC is made up of a set of several ARM cores that have different roles. The researchers discovered two chainable vulnerabilities within Azure Sphere that, assuming an attacker could flash a malicious application, would allow for arbitrary writing to anywhere in the /mnt/config partition, resulting in further privilege escalation.
Snort SIDs: 54501 - 53504
Most prevalent malware files this week
SHA 256: 32155b070c7e1b9d6bdc021778c5129edfb9cf7e330b8f07bb140dedb5c9aae7
MD5: 73d1de319c7d61e0333471c82f2fc104
Typical Filename: SAntivirusService.exe
Claimed Product: SAService
Detection Name: Win.Dropper.Segurazo::tpd
SHA 256: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b
MD5: 799b30f47060ca05d80ece53866e01cc
Typical Filename: mf2016341595.exe
Claimed Product: N/A
Detection Name: Win.Downloader.Generic::1201
Keep up with all things Talos by following us on Twitter. Snort, ClamAV and Immunet also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.