Thursday, September 10, 2020

Threat Source newsletter for Sept. 10, 2020


Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers. 

In our continued research on election security, we have a new video roundtable discussion up on our YouTube page. In this Q&A-style format, I ask our researchers questions about the work they’ve done researching disinformation (aka “fake news”) and how to combat the spread of it. 

Microsoft Patch Tuesday was also this week. For our recap of all 120-something vulnerabilities Microsoft disclosed, click here. You can also take a deep dive into one of the bugs our researchers specifically discovered in the Windows 10 Common Log File System.

Cyber Security Week in Review

  • A specially crafted message in WhatsApp can cause the app to completely crash and sometimes delete users’ entire message history. So far, only a workaround on the desktop version of WhatsApp has been discovered. 
  • Tech companies like Amazon, Apple and Google are working together to release a new standard for internet-of-things devices’ connectivity. Project Connected Home over IP says its open-source product will be available sometime next year. 
  • As school districts start the school year remotely, teachers and students are having to learn new online classroom systems and fend off cyber attacks. Miami, Florida is the best example of this, where officials there say the area’s school system fought off 12 attacks in one day. 
  • The city of Hartford, Connecticut had to postpone its first day of school after a cyber attack. City officials say adversaries compromised 200 servers critical to schooling. 
  • Adobe fixed several vulnerabilities in its Experience Manager, InDesign and Framemaker software. Seven of the most serious could allow an adversary to execute JavaScript at-will in the user’s web browser. 
  • The White House released a new set of guidelines aimed at hardening American satellites against cyber attacks. While nothing in it is enforceable, the hope is that it will encourage operators to update and better protect systems both in space and on the ground. 
  • A new report outlines a massive effort by the American government to protect COVID-19 vaccine research. Known as the Security and Assurance portion of Operation Warp Speed, the goal is to provide cyber security expertise, advice and software to pharmaceutical companies developing vaccines for the virus. 
  • One of Chile’s largest banks had to close all its branches this week due to a cyber attack. Initial reports indicate that the attack originated from a malicious Microsoft Office document an employee opened. 
  • Amazon allegedly created a secret group to spy on its own employees, specifically trying to infiltrate Facebook groups used by the company’s delivery drivers. The effort reportedly aims to identify any potential strikes or attempts to unionize.  

Notable recent security issues

Description: Microsoft released its monthly security update Tuesday, disclosing more than 120 vulnerabilities across its array of products. Twenty-three of the vulnerabilities are considered “critical” while the vast remainder are ranked as “important.” Users of all Microsoft and Windows products are urged to update their software as soon as possible to avoid possible exploitation of these bugs. The security updates cover several different products including the Microsoft Office suite of products, Windows Media Audio Decoder and the Hyper-V virtual machine software. One of the most severe vulnerabilities exists in Microsoft COM. CVE-2020-0922 received a CVSS severity score of 8.8 out of a possible 10. An adversary could exploit this bug to gain the ability to remotely execute code on the victim machine after a user opens an attacker-controlled web page that contains specially crafted JavaScript.
Snort SIDs: 55139 - 55146, 55161, 55162, 55187, 55188, 55206  

Description: Cisco Talos recently uncovered a series of email campaigns utilizing links to malicious documents hosted on legitimate file-sharing platforms to spread malware. The campaigns distributed various malware payloads including Gozi ISFB, ZLoader, SmokeLoader and AveMaria, among others. Ongoing campaigns are distributing various malware families using the same crypter. While effective, this crypting mechanism contains an easy-to-detect flaw: the presence of a specific string value, "Salfram", makes it easy to track over time. The obfuscated binaries used by Salfram are completely different, from both a binary and execution flow graph perspective. The techniques used by this crypter can confuse weak API behavior-based systems and static analysis tools, and it appears to be undergoing active development and improvement over time.
Snort SIDs: 54920, 54921 

Most prevalent malware files this week

MD5: adad179db8c67696ac24e9e11da2d075  
Typical Filename: FlashHelperServices.exe  
Claimed Product: Flash Helper Service  
Detection Name: W32.7F9446709F-100.SBX.VIOC

MD5: 73d1de319c7d61e0333471c82f2fc104  
Typical Filename: SAntivirusService.exe  
Claimed Product: A n t i v i r u s S e r v i c e  
Detection Name: Win.Dropper.Segurazo::tpd 

MD5: e2ea315d9a83e7577053f52c974f6a5a  
Typical Filename: Tempmf582901854.exe  
Claimed Product: N/A  
Detection Name: Win.Dropper.Agentwdcr::1201 

MD5: 799b30f47060ca05d80ece53866e01cc  
Typical Filename: mf2016341595.exe  
Claimed Product: N/A  
Detection Name: Win.Downloader.Generic::1201 

MD5: 8193b63313019b614d5be721c538486b  
Typical Filename: SAService.exe  
Claimed Product: SAService  
Detection Name: PUA.Win.Dropper.Segurazo::95.sbx.tg  
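The two indicators this issue hands a defender are the MD5 list above and the "Salfram" marker string from the crypter write-up. The script below is an added example (not Talos code) that sweeps a directory and applies both checks to every file: a streaming MD5 match against the list, and a byte search for the marker that also catches the string when it straddles a read-chunk boundary. The sample files it scans (a clean file, an empty file and a padded file with the marker across a chunk boundary) are constructed inline, so it runs offline; all file names are hypothetical.

```python
"""IoC sweep for this newsletter's indicators (added example, not Talos code)."""
import hashlib
import os
import tempfile

# MD5 -> detection name, copied from the "most prevalent malware files" list.
IOC_MD5 = {
    "adad179db8c67696ac24e9e11da2d075": "W32.7F9446709F-100.SBX.VIOC",
    "73d1de319c7d61e0333471c82f2fc104": "Win.Dropper.Segurazo::tpd",
    "e2ea315d9a83e7577053f52c974f6a5a": "Win.Dropper.Agentwdcr::1201",
    "799b30f47060ca05d80ece53866e01cc": "Win.Downloader.Generic::1201",
    "8193b63313019b614d5be721c538486b": "PUA.Win.Dropper.Segurazo::95.sbx.tg",
}

SALFRAM_MARKER = b"Salfram"  # string called out in the Salfram write-up
CHUNK = 1 << 16              # read files in 64 KiB pieces


def md5_of_file(path):
    """Stream the file through MD5 so large files need not fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def contains_marker(path, marker=SALFRAM_MARKER):
    """True if the raw bytes of the file contain the marker.

    Each read is prefixed with the last len(marker)-1 bytes of the previous
    one, so a marker split across two chunks is still matched.
    """
    carry = b""
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            window = carry + block
            if marker in window:
                return True
            carry = window[-(len(marker) - 1):]
    return False


def classify_file(path):
    """Return a reason string if the file matches an indicator, else None."""
    digest = md5_of_file(path)
    if digest in IOC_MD5:
        return "md5:" + IOC_MD5[digest]
    if contains_marker(path):
        return "string:Salfram"
    return None


def scan_tree(root):
    """Map every file under root (path relative to root) to its classification."""
    results = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            results[os.path.relpath(path, root)] = classify_file(path)
    return results


def demo():
    """Build the constructed sample set in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "clean.bin"), "wb") as f:
            f.write(b"just some bytes")          # constructed benign file
        open(os.path.join(root, "empty.bin"), "wb").close()
        # Pad so "Sal" ends the first 64 KiB chunk and "fram" starts the next.
        with open(os.path.join(root, "packed.bin"), "wb") as f:
            f.write(b"\x00" * (CHUNK - 3) + SALFRAM_MARKER + b"\x00" * 100)
        return scan_tree(root)


if __name__ == "__main__":
    for name, reason in sorted(demo().items()):
        print(f"{name:12} {reason or 'no match'}")
```

Point it at a real directory with `scan_tree(path)`; a hash hit names the detection from the list, while a string hit only says the crypter marker is present and should be triaged rather than treated as a verdict on its own.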

Keep up with all things Talos by following us on Twitter. Snort, ClamAV and Immunet also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.
