Thursday, November 19, 2020

Threat Source newsletter (Nov. 19, 2020)

Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers. 

In case you hadn’t already realized, Snort somehow became a meme this week, so that was fun. 

As 2020 (finally...or already...I can’t decide which) comes to an end, we’re going to start looking back at the year that was in malware. And although Emotet had been around long before this year, 2020 was particularly peculiar for the botnet because it went virtually dormant over the summer before coming back over the past few months. After we obtained ownership of several C2 domains that are part of Emotet, we looked at this threat’s trends and recent changes. 

We also released a new decryptor tool for the Nibiru ransomware. Any victims can use this to safely recover any files locked up as part of an infection. 

Cyber security week in review

  • U.S. President Donald Trump fired the U.S.’s top cyber security official, Chris Krebs, this week. Trump became critical of Krebs after he refuted claims of widespread voter fraud during this month’s presidential election. 
  • Schools around the world are already struggling to stay open for hybrid learning given the ongoing pandemic. But now more of them are also having to fend off cyber attacks that disrupt online learning. 
  • State-sponsored threat actors continue to target COVID-19 vaccine research. Microsoft researchers say they’ve recently seen attacks going after vaccine producers in Canada, France, India, South Korea and the U.S. 
  • As more local, state and national governments roll out their own COVID-19 contact-tracing apps, researchers are finding large variations in what data is kept and shared among them. Many of the apps do not follow the privacy guidelines for exposure notification systems that Apple and Google outlined at the start of the pandemic. 
  • President Trump used video from the DEFCON hacking village at the popular security conference to try and support his claims of voter fraud. The video showed security researchers demonstrating a vulnerability in one specific voting machine but there is no evidence that that type of attack was actually used during the election. 
  • The National Security Agency released the newest version of its Ghidra reverse-engineering tool.  
  • Some apps on macOS are now bypassing detection from some VPNs and firewalls with the Big Sur update. The apps appear to be avoiding Apple’s own NEFilterDataProvider. 
  • A new list of 2020’s most popular passwords contains the same classic mistakes users always make. Easy-to-guess passwords like “123456” and “password” are still popping up everywhere.
  • Microsoft is working with major chip makers to create a new product that would protect against attacks like the Meltdown and Spectre exploits. The new chip would stop adversaries from stealing critical data from computers and now has the buy-in of Qualcomm, AMD and Intel. 

Notable recent security issues

Title: Cisco Security Manager contains vulnerabilities that could allow attackers to execute remote code 
Description: Cisco disclosed three significant vulnerabilities in its Security Manager software that the company urged users to patch immediately. An attacker could leverage these vulnerabilities to execute arbitrary code and download files on the victim’s targeted device — even without credentials. One of the bugs is considered to be critical while the others are high-severity. These vulnerabilities affect Cisco Security Manager releases 4.22 and earlier. 
References: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-csm-path-trav-NgeRnqgR 
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-csm-java-rce-mWJEedcD 
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-csm-rce-8gjUz9fW 
Snort SIDs: 56408 - 56423 

Description: Pixar OpenUSD contains multiple vulnerabilities that attackers could exploit to carry out a variety of malicious actions. Pixar uses this software for several types of animation tasks, including swapping arbitrary 3-D scenes that are composed of many different elements. Aimed at professional animation studios, the software is designed for scalability and speed as a pipeline connecting various aspects of the digital animation process. In most use cases it is expected to process trusted inputs. By default, on macOS, both a thumbnail and a preview handler are registered for USD file formats through QuickLook, and the default application to open USD files is the Preview application. On iOS, the AR application is the default handler. A USD file can be embedded in a web page or sent in a message, and an AR application is opened when the file is clicked, which means these bugs can be reached from untrusted input on some Mac and iOS systems. 
Snort SIDs: 54415, 54416, 54467 - 54472, 54488 - 54493, 54922, 54923 

Most prevalent malware files this week

MD5: dd726d5e223ca762dc2772f40cb921d3 
Typical Filename: ww24.exe 
Claimed Product: N/A 
Detection Name: W32.TR:Attribute.23ln.1201 

MD5: ce4395edbbf9869a5e276781af2e0fb5 
Typical Filename: wupxarch635.exe 
Claimed Product: N/A 
Detection Name: W32.Auto:f059a5358c.in03.Talos 

MD5: 8c80dd97c37525927c1e549cb59bcbf3 
Typical Filename: Eternalblue-2.2.0.exe 
Claimed Product: N/A 
Detection Name: Win.Exploit.Shadowbrokers::5A5226262.auto.talos 

MD5: 920823d1c5cb5ce57a7c69c42b60959c  
Typical Filename: FlashHelperService.exe  
Claimed Product: Flash Helper Service  
Detection Name: W32.Variant.23mj.1201 

MD5: e2ea315d9a83e7577053f52c974f6a5a  
Typical Filename: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f.bin 
Claimed Product: N/A 
Detection Name: Win.Dropper.Agentwdcr::1201 

Keep up with all things Talos by following us on Twitter. Snort, ClamAV and Immunet also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.  
