Newsletter compiled by Jon Munshaw.
Good afternoon, Talos readers.
In our continued research on election security, we have a new video roundtable discussion up on our YouTube page. In this Q&A-style format, I ask our researchers questions about the work they’ve done researching disinformation (aka “fake news”) and how to combat the spread of it.
Microsoft Patch Tuesday was also this week. For our recap of all 120-something vulnerabilities Microsoft discovered, click here. You can also take a deep dive into one of the bugs our researchers specifically discovered in the Windows 10 Common Log File System.
Cyber Security Week in Review
- A specially crafted message in WhatsApp can cause the app to completely crash and sometimes delete users’ entire message history. So far, only a workaround on the desktop version of WhatsApp has been discovered.
- Tech companies like Amazon, Apple and Google are working together to release a new standard for internet-of-things devices’ connectivity. Project Connected Home over IP says its open-source product will be available sometime next year.
- As school districts start the school year remotely, teachers and students are having to learn new online classroom systems and fend off cyber attacks. Miami, Florida is the best example of this, where officials there say the area’s school system fought off 12 attacks in one day.
- The city of Hartford, Connecticut had to postpone its first day of school after a cyber attack. City officials say adversaries compromised 200 servers critical to schooling.
- Adobe fixed several vulnerabilities in its Experience Manager, InDesign and Framemaker software. Seven of the most serious could allow an adversary to execute JavaScript at-will in the user’s web browser.
- The White House released a new set of guidelines aimed at hardening American satellites against cyber attacks. While nothing in it is enforceable, the hope is that it will encourage operators to update and better protect systems both in space and on the ground.
- A new report outlines a massive effort by the American government to protect COVID-19 vaccine research. Known as the Security and Assurance portion of Operation Warp Speed, the goal is to provide cyber security expertise, advice and software to pharmaceutical companies developing vaccines for the virus.
- One of Chile’s largest banks had to close all its branches this week due to a cyber attack. Initial reports indicate that the attack originated from a malicious Microsoft Office document an employee opened.
- Amazon allegedly created a secret group to spy on its own employees, specifically trying to infiltrate Facebook groups used by the company’s delivery drivers. The effort reportedly aims to identify any potential strikes or attempts to unionize.
Notable recent security issues
Title: More than 120 vulnerabilities patched as part of Microsoft monthly security update
Description: Microsoft released its monthly security update Tuesday, disclosing more than 120 vulnerabilities across its array of products. Twenty-three of the vulnerabilities are considered “critical” while the vast remainder are ranked as “important.” Users of all Microsoft and Windows products are urged to update their software as soon as possible to avoid possible exploitation of these bugs. The security updates cover several different products including the Microsoft Office suite of products, Windows Media Audio Decoder and the Hyper-V virtual machine software. One of the most severe vulnerabilities exists in Microsoft COM. CVE-2020-0922 received a CVSS severity score of 8.8 out of a possible 10. An adversary could exploit this bug to gain the ability to remotely execute code on the victim machine after a user opens an attacker-controlled web page that contains specially crafted JavaScript.
Snort SIDs: 55139 - 55146, 55161, 55162, 55187, 55188, 55206
Title: Salfram spam campaigns spread several malware families
Description: Cisco Talos recently uncovered a series of email campaigns utilizing links to malicious documents hosted on legitimate file-sharing platforms to spread malware. The campaigns distributed various malware payloads including Gozi ISFB, ZLoader, SmokeLoader and AveMaria, among others. Ongoing campaigns are distributing various malware families using the same crypter. While effective, this crypting mechanism contains an easy-to-detect flaw: The presence of a specific string value "Salfram" makes it easy to track over time. The obfuscated binaries used by Salfram are completely different, from both a binary and execution flow graph perspective. The techniques used by this crypter can confuse weak API behavior-based systems and static analysis tools and it appears to be undergoing active development and improvement over time.
Snort SIDs: 54920, 54921
Most prevalent malware files this week
SHA 256: 7f9446709fbd77a21a806d17cf163ba00ce1a70f8b6af197990aa9924356fd36
MD5: adad179db8c67696ac24e9e11da2d075
Typical Filename: FlashHelperServices.exe
Claimed Product: Flash Helper Service
Detection Name: W32.7F9446709F-100.SBX.VIOC
SHA 256: 32155b070c7e1b9d6bdc021778c5129edfb9cf7e330b8f07bb140dedb5c9aae7
MD5: 73d1de319c7d61e0333471c82f2fc104
Typical Filename: SAntivirusService.exe
Claimed Product: A n t i v i r u s S e r v i c e
Detection Name: Win.Dropper.Segurazo::tpd
SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f
MD5: e2ea315d9a83e7577053f52c974f6a5a
Typical Filename: Tempmf582901854.exe
Claimed Product: N/A
Detection Name: Win.Dropper.Agentwdcr::1201
SHA 256: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b
MD5: 799b30f47060ca05d80ece53866e01cc
Typical Filename: mf2016341595.exe
Claimed Product: N/A
Detection Name: Win.Downloader.Generic::1201
SHA 256: e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd
MD5: 8193b63313019b614d5be721c538486b
Typical Filename: SAService.exe
Claimed Product: SAService
Detection Name: PUA.Win.Dropper.Segurazo::95.sbx.tg
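As an added example (not part of this newsletter and not Talos tooling), the script below turns the two detection handles in this issue into a simple local scanner: it matches files against the SHA-256 and MD5 values from the table above, and it looks for the "Salfram" string that the Salfram write-up describes as an easy-to-detect flaw in the crypter. The hashes and detection names are copied from the table; the UTF-16LE variant of the marker and the sample bytes in the demo are constructed assumptions of this example, not something the newsletter states.

```python
import hashlib
import os
import sys

# Hashes and detection names copied from this newsletter's
# "Most prevalent malware files this week" table.
KNOWN_SHA256 = {
    "7f9446709fbd77a21a806d17cf163ba00ce1a70f8b6af197990aa9924356fd36": "W32.7F9446709F-100.SBX.VIOC",
    "32155b070c7e1b9d6bdc021778c5129edfb9cf7e330b8f07bb140dedb5c9aae7": "Win.Dropper.Segurazo::tpd",
    "c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f": "Win.Dropper.Agentwdcr::1201",
    "15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b": "Win.Downloader.Generic::1201",
    "e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd": "PUA.Win.Dropper.Segurazo::95.sbx.tg",
}
KNOWN_MD5 = {
    "adad179db8c67696ac24e9e11da2d075": "W32.7F9446709F-100.SBX.VIOC",
    "73d1de319c7d61e0333471c82f2fc104": "Win.Dropper.Segurazo::tpd",
    "e2ea315d9a83e7577053f52c974f6a5a": "Win.Dropper.Agentwdcr::1201",
    "799b30f47060ca05d80ece53866e01cc": "Win.Downloader.Generic::1201",
    "8193b63313019b614d5be721c538486b": "PUA.Win.Dropper.Segurazo::95.sbx.tg",
}

# The crypter marker named in the Salfram write-up. Also checking the
# UTF-16LE form is an assumption of this example (Windows binaries often
# carry wide strings); the newsletter only names the string itself.
SALFRAM_MARKERS = (b"Salfram", "Salfram".encode("utf-16-le"))


def hash_bytes(data):
    """Return (sha256, md5) hex digests for a byte string."""
    return hashlib.sha256(data).hexdigest(), hashlib.md5(data).hexdigest()


def find_markers(data, markers=SALFRAM_MARKERS):
    """Return the marker byte strings that occur anywhere in data (exact, case-sensitive)."""
    return [m for m in markers if m in data]


def classify_bytes(data):
    """Return a list of (reason, detail) hits; an empty list means nothing matched."""
    sha256, md5 = hash_bytes(data)
    hits = []
    if sha256 in KNOWN_SHA256:
        hits.append(("sha256", KNOWN_SHA256[sha256]))
    if md5 in KNOWN_MD5:
        hits.append(("md5", KNOWN_MD5[md5]))
    for marker in find_markers(data):
        hits.append(("string", "Salfram crypter marker %r" % marker))
    return hits


def classify_file(path):
    """Read a file fully into memory and classify it (fine for samples, not huge files)."""
    with open(path, "rb") as fh:
        return classify_bytes(fh.read())


def scan_tree(root):
    """Walk a directory tree and yield (path, hits) for every file that matched."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                hits = classify_file(path)
            except OSError:
                continue  # unreadable file; skip rather than abort the scan
            if hits:
                yield path, hits


if __name__ == "__main__":
    # Constructed sample: a fake MZ header followed by the marker string.
    sample = b"MZ\x90\x00" + b"\x00" * 60 + b"Salfram" + b"\x00" * 8
    print(classify_bytes(sample))
    for path, hits in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(path, hits)
```

Run it with a directory as the argument to list every file that either hashes to one of the table's entries or contains the marker. A hash hit is an exact match on a known sample, while a string hit only says the file looks like it went through the same crypter, so the two should be triaged differently; the string check is also the one that survives when the payload changes but the crypter does not, which is the point the Salfram write-up makes.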
Keep up with all things Talos by following us on Twitter. Snort, ClamAV and Immunet also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.