Thursday, December 10, 2020

Threat Source newsletter (Dec. 10, 2020)


Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers.

Cyber security firm FireEye recently disclosed an incident that was reported to have resulted in the inadvertent disclosure of various internally developed offensive security tools (OSTs) that were used across FireEye red-team engagements. We know this is going to be top of mind for many users, so check out all our coverage of these vulnerabilities here. We also have new Snort rules out, which you can read about here.

Patch Tuesday was also this week, albeit a quieter one compared to the other months this year. Microsoft disclosed just under 60 vulnerabilities, though there are still a few critical ones we wanted to point out.

Lastly, we have our latest Cisco Talos Incident Response Quarterly Trends report out. Our incident response team is seeing just as much ransomware in the wild as ever. For more insights into what we’re seeing in the field, check out the full report here.

Cyber security week in review

  • Former U.S. election security head Chris Krebs spoke out in an interview against President Donald Trump’s continued spread of election disinformation. Krebs was removed from the Trump administration after his agency called the November election “the safest in history.” 
  • The U.S. Cybersecurity and Infrastructure Security Agency released an advisory warning against Russian state-sponsored actors targeting virtual machines. The attackers are installing web shells on the victim machines and then carrying out additional malicious activities. 
  • Critical vulnerabilities in an open-source internet protocol leave many internet-of-things products open to attack. And security researchers say they may never be patched. 
  • Hackers have reportedly accessed COVID-19 vaccine data in the European Union. The European Medicines Agency says it suffered a data breach, affecting the vaccines from Pfizer and BioNTech. 
  • The FBI is reportedly investigating the theft of voter data in Maricopa County, Arizona. Agents reportedly seized evidence of a cyber attack on an unnamed organization. 
  • The TrickBot botnet is regaining strength after a major takedown of its servers earlier this year. Security researchers also say it’s gained the ability to scan for vulnerable firmware and read, write or erase it on devices. 
  • The operators behind njRAT have switched up their tactics, now using Pastebin as their central command server. Researchers say this new feature helps the malware evade detection and increases its odds of operating unnoticed. 
  • Google and Apple have barred location data company X-Mode from their respective app stores. The company had its technology embedded in many popular apps, and then sold the data it collected to the U.S. military and defense contractors. 
  • Adobe released updates to fix critical vulnerabilities in Lightroom, Prelude and Experience Manager. One of the vulnerabilities involves the attacker triggering an uncontrolled search path and then eventually gaining the ability to execute arbitrary code. 

Notable recent security issues

Description: Microsoft released its monthly security update Tuesday, disclosing 58 vulnerabilities across its suite of products, the lowest number of vulnerabilities in any Patch Tuesday since January. Only 10 of the vulnerabilities in this release are rated critical, two are rated moderate, and the remainder are considered “important.” Users of all Microsoft and Windows products are urged to update their software as soon as possible to avoid possible exploitation of these bugs. The security updates cover several different products and services, including the SharePoint file-sharing service, the Windows Backup Engine and the Exchange mail server.
Snort SIDs: 56554, 56557, 56558, 56560 - 56562 and 56564

Description: Cisco Talos recently released new protection against the recently discovered RegretLocker ransomware. The malware was discovered last month targeting Windows virtual machines. The malware encrypts virtual hard drives and can also close open files in order to encrypt them. Once all of the victim’s files are encrypted, the victim is presented with a text file that asks them to pay a ransom by emailing the actors. While RegretLocker is not particularly flashy, security researchers have found the malware uses several techniques that make it very problematic for virtual machine users.
Snort SIDs: 56555, 56556

Most prevalent malware files this week

MD5: fb8e3acde54227e3571f5341fafecf31
Typical Filename: kmmsauto-Downlading.zip
Claimed Product: N/A
Detection Name: Win.Tool.Autokms::in01

MD5: 920823d1c5cb5ce57a7c69c42b60959c
Typical Filename: FlashHelperService.exe
Claimed Product: Flash Helper Service
Detection Name: W32.Variant.23mj.1201

MD5: d5b40faa134ee1e73233e521ac476cdd
Typical Filename: 12072020_130241_7399559.xlsm
Claimed Product: N/A
Detection Name: W32.F4C15B1EEE-90.SBX.TG

MD5: 8c80dd97c37525927c1e549cb59bcbf3
Typical Filename: Eternalblue-2.2.0.exe
Claimed Product: N/A
Detection Name: Win.Exploit.Shadowbrokers::5A5226262.auto.talos

MD5: 2915b3f8b703eb744fc54c81f4a9c67f
Typical Filename: vid001.exe
Claimed Product: N/A
Detection Name: Win.Worm.Coinminer::1201

Keep up with all things Talos by following us on Twitter. Snort, ClamAV and Immunet also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.
