Thursday, September 3, 2020

Threat Source newsletter for Sept. 3, 2020


Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers. 

We recently uncovered a series of email campaigns using links to malicious documents hosted on legitimate file-sharing platforms to spread malware. The campaigns distributed various malware payloads including Gozi ISFB, ZLoader, SmokeLoader and AveMaria, among others. Check out our complete details of the threat and our protections here.

We are also excited to show off our fancy new Talos Email Status Portal. Here, you can see any ham or spam you’ve submitted to us for review. 

And, lastly, there’s a new Beers with Talos episode that’s all about FUD. 

Cyber Security Week in Review

  • Tesla CEO Elon Musk confirmed that his company was the target of an alleged scheme to install malware on the company’s network. A Russian tourist was arrested last week for allegedly recruiting a Tesla employee to carry out the hack. 
  • Several states’ Departments of Motor Vehicles may be overreaching in how freely they make drivers’ information available. Several private investigators indicated to Vice’s Motherboard that they were able to easily buy information under several little-known policies. 
  • Norwegian parliament says it was the victim of a cyber attack. Several government officials’ emails were breached, though the country is still investigating the full extent of the damage. 
  • Facebook shut down a swath of groups it says are tied to Russian threat actors who were attempting to spread disinformation. The social media giant says that, thanks to partnerships with American intelligence agencies, it is catching these groups earlier in their lifecycle. 
  • New updates are on their way to iOS and Android that officially implement COVID-19 contact-tracing alerts. The features, which will need to be manually enabled by users, will track users’ potential exposure to COVID-19 using Bluetooth. 
  • New Zealand’s government told private companies in the country to brace for a wave of cyber attacks. The warning came after a fifth attack in two weeks on the country’s stock exchange. 
  • Cisco disclosed two serious vulnerabilities in some of its carrier-grade routers. The company said hackers are actively exploiting the bugs in the wild, which could potentially allow adversaries to completely disrupt service. 
  • Top American election security officials say they’ll no longer deliver regular briefings to Congress. The Office of the Director of National Intelligence will instead provide written statements on a somewhat regular basis, which Democrats say is insufficient.  
  • The well-known Evilnum threat actor is now using a Python-scripted trojan as part of its major payloads. The new “PyVil RAT” steals information, keylogs and deploys additional tools to steal login credentials. 

Notable recent security issues

Description: Cisco Talos Incident Response (CTIR) observed ransomware dominating the threat landscape over the past quarter, according to a new report. Infections involved a wide variety of malware families including LockBit and Maze, among others. Sixty-six percent of all ransomware attacks this quarter involved the red-teaming framework Cobalt Strike, suggesting that ransomware actors are increasingly relying on the tool as they abandon commodity trojans. CTIR reports a rise in ransomware actors engaging in data exfiltration and even observed the new cartel formed by Maze and other ransomware operations in action.
Snort SIDs: 54910 – 54917 (Protect against the LockBit ransomware)  

Description: The Emotet botnet continues to evolve, and now uses a Microsoft Word template to spread its malware. Known as “Red Dawn,” the new infection method involves the user downloading a Word file, and then the file prompts them to enable macros to read the document. If enabled, the macros then download Emotet onto the victim’s machine. Emotet spam emails try to entice users with information on COVID-19, financial documents or package tracking.   
Snort SIDs: 54900, 54901 

Most prevalent malware files this week

MD5: e2ea315d9a83e7577053f52c974f6a5a  
Typical Filename: Tempmf582901854.exe  
Claimed Product: N/A  
Detection Name: Win.Dropper.Agentwdcr::1201 

MD5: 8193b63313019b614d5be721c538486b  
Typical Filename: SAService.exe  
Claimed Product: SAService  
Detection Name: PUA.Win.Dropper.Segurazo::95.sbx.tg  

MD5: 799b30f47060ca05d80ece53866e01cc  
Typical Filename: mf2016341595.exe  
Claimed Product: N/A  
Detection Name: Win.Downloader.Generic::1201 

MD5: adad179db8c67696ac24e9e11da2d075  
Typical Filename: FlashHelperServices.exe  
Claimed Product: Flash Helper Service  
Detection Name: W32.7F9446709F-100.SBX.VIOC  

MD5: 47b97de62ae8b2b927542aa5d7f3c858 
Typical Filename: qmreportupload.exe 
Claimed Product: qmreportupload 
Detection Name: Win.Trojan.Generic::in10.talos 

Keep up with all things Talos by following us on Twitter. Snort, ClamAV and Immunet also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.
