Thursday, October 1, 2020

Threat Source newsletter for Oct. 1, 2020

Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers. 

In the past, we’ve covered what disinformation (otherwise known as “fake news”) is and who spreads it. Now, we’re diving into why it works, and why it’s so easy for people to spread. Check out our full paper here to gain a lot of insight into the psychology of social media. 

On the malware front, we also have an update on LodaRAT. We've seen several new variants of this threat in the wild. Here’s what to look out for and how to protect your network. 

UPCOMING PUBLIC ENGAGEMENTS 

Event: A double-edged sword: The threat of dual-use tools 
Location: Cisco Webex webinar 
Date: Oct. 8 at 11 a.m. ET 
Speakers: Edmund Brumaghin 
Synopsis: It's difficult to read any information security news lately without hearing about large corporations being extorted by cyber criminals. In today's threat landscape, enterprises increasingly rely on red teams to identify risks and mitigate vulnerabilities in their infrastructure, so much so that an entire industry exists around tools to help facilitate this effectively and efficiently as possible. 
  
Dual-use tools are developed to assist administrators in managing their systems or assist during security testing or red-teaming activities. Unfortunately, many of these same tools are often co-opted by threat actors attempting to compromise systems, attack organizational networks, or otherwise adversely affect companies around the world. This webinar will discuss the topic of dual-use tools and how they have historically been used in various attacks. It will also provide case studies that walk through how native system functionality and dual-use tools are often used in real-world attacks to evade detection at various stages of the attack lifecycle. Finally, we will discuss ways that organizations can defend against malicious abuse of otherwise legitimate technologies and toolsets. 

Location: CS3STHLM Virtual 
Date: Oct. 22 
Speakers: Kelly Leaschner 
Synopsis: As more devices are becoming cloud-connected, it is important to understand how this attack surface is different from traditional, socket-based server applications. There is no open port listening with a cloud-connected application, so there is additional work required in order to just get the application to accept attacker-controlled data. This talk will walk through the initial steps necessary to begin vulnerability research on this application. Cloud-based control of physical devices has some security benefits compared to traditional socket programming but, at the end of the day, there is an opportunity for bugs and vulnerabilities in the software responsible for handling cloud messages. This talk will describe changes in research methodology that are necessary for performing vulnerability research on a cloud-connected application. Kelly will also walk through some vulnerabilities she’s discovered — live — by impersonating the industrial vendor cloud application, resulting in root privileges.  

Cyber Security Week in Review

  • A major general in the U.K. confirmed that England has serious cyber warfare capabilities. The head of the U.K.’s strategic command said the country has the cyber weapons to “degrade, disrupt and destroy” critical infrastructure should it ever be needed in war. 
  • Google removed 17 apps from its Play store that was spreading the Joker (aka Bread) malware. Once installed on the device, the malware steals the user’s information and unknowingly enrolls them in wireless services that come with a monthly charge. 
  • A major American hospital chain had its services interrupted this week by a suspected cyber attack. Universal Health Services had to switch to paper backups though it said no patient or employee data was accessed. 
  • Twitter banned more than 130 accounts it says are linked to Iranian state-sponsored actors hoping to disrupt the U.S. presidential election. The FBI reportedly first flagged the accounts. 
  • Signs point to the infamous APT28 being behind an intrusion on an unnamed U.S. federal agency. The Cybersecurity and Infrastructure Security Agency released an alert last week regarding the attack, but did not identify the agency affected nor the perpetrators. 
  • A new report from Microsoft details how attackers’ tactics are maturing. The company highlighted Russian state-sponsored actors as a particular hotspot of activity and stated that attacks increased as more individuals started working from home during the COVID-19 pandemic. 
  • Cisco purchased container management company PortShift to grow its DevOps security platform. The Israeli startup is known for creating a Kubernetes-native security platform. 
  • U.S. authorities charged two individuals for hacking social media accounts belonging to several NFL and NBA athletes. The hacks led to the victims’ nude photos being leaked onto their accounts. 
  • American security officials say distributed denial-of-service attacks are not a threat to November’s election. The FBI and CISA released a joint statement saying that they could slow down access to public-facing websites that post election results but would not affect actual voting. 

Notable recent security issues

Description: Cisco Talos researchers report seeing a spike in exploitation attempts against the Microsoft vulnerability CVE-2020-1472, an elevation of privilege bug in Netlogon, outlined in the August Microsoft Patch Tuesday report. The vulnerability stems from a flaw in a cryptographic authentication scheme used by the Netlogon Remote Protocol which — among other things — can be used to update computer passwords by forging an authentication token for specific Netlogon functionality. This flaw allows attackers to impersonate any computer, including the domain controller itself and gain access to domain admin credentials. 
Snort SIDs: 55703, 55704 

Description: Cisco patched several vulnerabilities — many of them considered severe — in its IOS operating system. The updates address denial-of-service, file overwrite and input validation attacks that affect many of Cisco’s products. Two of the vulnerabilities — CVE-2020-3421 and CVE-2020-3480 — exist in Cisco’s Zone-Based Firewall. An attacker could exploit these bugs to cause the affected device to reload or make it stop forwarding traffic through the firewall. 
Snort SIDs: 55815 – 55819, 55830 - 55832 

Most prevalent malware files this week

MD5: 8c80dd97c37525927c1e549cb59bcbf3  
Typical Filename: Eter.exe  
Claimed Product: N/A  
Detection Name: Win.Exploit.Shadowbrokers::5A5226262.auto.talos 

MD5: 29f47c2f15d6421bdd813be27a2e3b25 
Typical Filename: FlashHelperServices.exe 
Claimed Product: N/A 
Detection Name: Flash Helper Service 
 
MD5: 01a607b4d69c549629e6f0dfd3983956 
Typical Filename: wupxarch.exe 
Claimed Product: N/A 
Detection Name: W32.Auto:1eef72aa56.in03.Talos 

MD5: e2ea315d9a83e7577053f52c974f6a5a  
Typical Filename: Tempmf582901854.exe  
Claimed Product: N/A  
Detection Name: Win.Dropper.Agentwdcr::1201 

MD5: 799b30f47060ca05d80ece53866e01cc  
Typical Filename: mf2016341595.exe  
Claimed Product: N/A  
Detection Name: Win.Downloader.Generic::1201 

Keep up with all things Talos by following us on TwitterSnortClamAV and Immunet also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.  

No comments:

Post a Comment

Note: Only a member of this blog may post a comment.