Threat Source newsletter for Sept. 10, 2020

Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers.

In our continued research on election security, we have a new video roundtable discussion up on our YouTube page. In this Q&A-style format, I ask our researchers questions about the work they’ve done researching disinformation (aka “fake news”) and how to combat the spread of it.

Microsoft Patch Tuesday was also this week. For our recap of all 120-something vulnerabilities Microsoft discovered, click here. You can also take a deep dive into one of the bugs our researchers specifically discovered in the Windows 10 Common Log File System.

Cyber Security Week in Review

A specially crafted message in WhatsApp can cause the app to completely crash and sometimes delete users’ entire message history. So far, only a workaround on the desktop version of WhatsApp has been discovered.
Tech companies like Amazon, Apple and Google are working together to release a new standard for internet-of-things devices’ connectivity. Project Connected Home over IP says its open-source product will be available sometime next year.
As school districts start the school year remotely, teachers and students are having to learn new online classroom systems and fend off cyber attacks. Miami, Florida is the best example of this, where officials there say the area’s school system fought off 12 attacks in one day.
The city of Hartford, Connecticut had to postpone its first day of school after a cyber attack. City officials say adversaries compromised 200 servers critical to schooling.
Adobe fixed several vulnerabilities in its Experience Manager, InDesign and Framemaker software. Seven of the most serious could allow an adversary to execute JavaScript at-will in the user’s web browser.
The White House released a new set of guidelines aimed at hardening American satellites from cyber attacks. While there is nothing enforceable, the hope is that it will encourage systems in space and on the ground will be updated and better protected.
A new report outlines a massive effort by the American government to protect COVID-19 vaccine research. Known as the Security and Assurance portion of Operation Warp Speed, the goal is to provide cyber security expertise, advice and software to pharmaceutical companies developing vaccines for the virus.
One of Chile’s largest banks had to close all its branches this week due to a cyber attack. Initial reports indicate that the attack originated from a malicious Microsoft Office document an employee opened.
Amazon allegedly created a secret group to spy on its own employees, specifically trying to infiltrate Facebook groups used by the company’s delivery drivers. The effort reportedly aims to identify any potential strikes or attempts to unionize.

Notable recent security issues

Title: More than 120 vulnerabilities patched as part of Microsoft monthly security update

Description: Microsoft released its monthly security update Tuesday, disclosing more than 120 vulnerabilities across its array of products. Twenty-three of the vulnerabilities are considered “critical" while the vast remainder are ranked as “important.” Users of all Microsoft and Windows products are urged to update their software as soon as possible to avoid possible exploitation of all these bugs. The security updates cover several different products including the Microsoft Office suite of products, Windows Media Audo Decoder and the Hyper-V virtual machine software. One of the most sever vulnerabilities exists in Microsoft COM. CVE-2020-0922 received a CVSS severity score of 8.8 out of a possible 10. An adversary could exploit this bug to gain the ability to remotely execute code on the victim machine after a user opens an attacker-controlled web page that contains specially crafted JavaScript.

Snort SIDs: 55139 - 55146, 55161, 55162, 55187, 55188, 55206

Title: Salfram spam campaigns spread several malware families

Description: Cisco Talos recently uncovered a series of email campaigns utilizing links to malicious documents hosted on legitimate file-sharing platforms to spread malware. The campaigns distributed various malware payloads including Gozi ISFB, ZLoader, SmokeLoader and AveMaria, among others. Ongoing campaigns are distributing various malware families using the same crypter. While effective, this crypting mechanism contains an easy-to-detect flaw: The presence of a specific string value "Salfram" makes it easy to track over time. The obfuscated binaries used by Salfram are completely different, from both a binary and execution flow graph perspective. The techniques used by this crypter can confuse weak API behavior-based systems and static analysis tools and it appears to be undergoing active development and improvement over time.

Snort SIDs: 54920, 54921

Most prevalent malware files this week

SHA 256: 7f9446709fbd77a21a806d17cf163ba00ce1a70f8b6af197990aa9924356fd36

MD5: adad179db8c67696ac24e9e11da2d075

Typical Filename: FlashHelperServices.exe

Claimed Product: Flash Helper Service

Detection Name: W32.7F9446709F-100.SBX.VIOC

SHA 256: 32155b070c7e1b9d6bdc021778c5129edfb9cf7e330b8f07bb140dedb5c9aae7

MD5: 73d1de319c7d61e0333471c82f2fc104

Typical Filename: SAntivirusService.exe

Claimed Product: A n t i v i r u s S e r v i c e

Detection Name: Win.Dropper.Segurazo::tpd

SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f

MD5: e2ea315d9a83e7577053f52c974f6a5a

Typical Filename: Tempmf582901854.exe

Claimed Product: N/A

Detection Name: Win.Dropper.Agentwdcr::1201

SHA 256: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b

MD5: 799b30f47060ca05d80ece53866e01cc

Typical Filename: mf2016341595.exe

Claimed Product: N/A

Detection Name: Win.Downloader.Generic::1201

SHA 256: e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd

MD5: 8193b63313019b614d5be721c538486b

Typical Filename: SAService.exe

Claimed Product: SAService

Detection Name: PUA.Win.Dropper.Segurazo::95.sbx.tg

Keep up with all things Talos by following us on Twitter. Snort, ClamAV and Immunet also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.

Intelligence Center

Vulnerability Information

Security Resources

Media

Company

What I’ve learned in my first 7-ish years in cybersecurity

What NIST’s latest password standards mean, and why the old ones weren’t working

CISA is warning us (again) about the threat to critical infrastructure networks

Intelligence Center

Vulnerability Research

Incident Response