Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers.

Cyber security firm FireEye recently disclosed an incident that reportedly resulted in the exposure of a number of internally developed offensive security tools (OSTs) used across FireEye red-team engagements. We know this is going to be top-of-mind for many users, so check out our coverage of the incident and the vulnerabilities those tools target here. We also have new Snort rules out, which you can read about here.

Patch Tuesday was also this week, albeit a quieter one than the other months this year. Microsoft disclosed just under 60 vulnerabilities, though there are still a few critical ones we wanted to point out.

Lastly, we have our latest Cisco Talos Incident Response Quarterly Trends report out. Our incident response team is seeing just as much ransomware in the wild as ever. For more insights into what we’re seeing in the field, check out the full report here.

Cyber security week in review

  • Former U.S. election security head Chris Krebs spoke out in an interview against President Donald Trump’s continued spread of election disinformation. Krebs was removed from the Trump administration after his agency called the November election “the most secure in American history.”
  • The U.S. Cybersecurity and Infrastructure Security Agency released an advisory warning that Russian state-sponsored actors are targeting vulnerable VMware products. The attackers install web shells on the compromised systems and then carry out additional malicious activity.
  • Critical vulnerabilities in several open-source TCP/IP stacks leave many internet-of-things products open to attack, and security researchers say many of the affected devices may never be patched.
  • Hackers have reportedly accessed COVID-19 vaccine data in the European Union. The European Medicines Agency says it suffered a data breach in which documents related to the Pfizer and BioNTech vaccine were accessed.
  • The FBI is reportedly investigating the theft of voter data in Maricopa County, Arizona. Agents reportedly seized evidence of a cyber attack on an unnamed organization.
  • The TrickBot botnet is regaining strength after a major takedown of its servers earlier this year. Security researchers also say it has gained the ability to scan for vulnerable UEFI firmware and to read, write or erase it on infected devices.
  • The operators behind njRAT have switched up their tactics, now using Pastebin as their command and control server. Researchers say this change helps the malware evade detection by blending its traffic in with a legitimate service.
  • Google and Apple have barred location data company X-Mode from their respective app stores. The company had its technology embedded in many popular apps and then sold the data it collected to the U.S. military and defense contractors.
  • Adobe released updates to fix critical vulnerabilities in Lightroom, Prelude and Experience Manager. One of them is an uncontrolled search path element that an attacker could abuse to eventually execute arbitrary code.

Notable recent security issues

Title: Microsoft discloses fewest vulnerabilities in a month since January

Description: Microsoft released its monthly security update Tuesday, disclosing 58 vulnerabilities across its suite of products, the lowest number of vulnerabilities in any Patch Tuesday since January. There are only 10 critical vulnerabilities as part of this release, two are rated moderate severity, and the remainder are considered “important.” Users of all Microsoft and Windows products are urged to update their software as soon as possible to avoid possible exploitation of these bugs. The security updates cover several different products and services, including the SharePoint file-sharing service, the Windows Backup Engine and the Exchange mail server.

Snort SIDs: 56554, 56557, 56558, 56560 - 56562 and 56564

Title: RegretLocker targets Windows virtual machines

Description: Cisco Talos recently released new protection against the recently discovered RegretLocker ransomware. The malware was discovered last month targeting Windows virtual machines. It encrypts virtual hard disk files and can also force open files closed so that it can encrypt them. Once all the victim’s files are encrypted, they are presented with a ransom note in a text file instructing them to contact the actors by email to arrange payment. While RegretLocker is not particularly flashy, security researchers have found the malware uses several techniques that make it very problematic for virtual machine users.

Snort SIDs: 56555, 56556

Most prevalent malware files this week

SHA 256: c814e977d6451eeefacce58c0e0ffd395bc8725853a40c67aa7a326d6b39cfe1

MD5: fb8e3acde54227e3571f5341fafecf31

Typical Filename: kmmsauto-Downlading.zip

Claimed Product: N/A

Detection Name: Win.Tool.Autokms::in01

SHA 256: 100318042c011363a98f82516b48c09bbcdd016aec557b009c3dd9c17eed0584

MD5: 920823d1c5cb5ce57a7c69c42b60959c

Typical Filename: FlashHelperService.exe

Claimed Product: Flash Helper Service

Detection Name: W32.Variant.23mj.1201

SHA 256: f4c15b1eee06d45fa6115ddcfeb24bdacf54570352e0cb713e1c5895089dae1d

MD5: d5b40faa134ee1e73233e521ac476cdd

Typical Filename: 12072020_130241_7399559.xlsm

Claimed Product: N/A

Detection Name: W32.F4C15B1EEE-90.SBX.TG

SHA 256: 85B936960FBE5100C170B777E1647CE9F0F01E3AB9742DFC23F37CB0825B30B5

MD5: 8c80dd97c37525927c1e549cb59bcbf3

Typical Filename: Eternalblue-2.2.0.exe

Claimed Product: N/A

Detection Name: Win.Exploit.Shadowbrokers::5A5226262.auto.talos

SHA 256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507

MD5: 2915b3f8b703eb744fc54c81f4a9c67f

Typical Filename: vid001.exe

Claimed Product: N/A

Detection Name: Win.Worm.Coinminer::1201
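The hashes above are only useful if you actually sweep for them. The following is an added example, not part of the Talos newsletter or any Talos tooling: a small Python script that walks a directory tree, computes SHA-256 and MD5 for every regular file in one pass, and reports any file whose digest appears in the IOC list above. Digest comparison is case-insensitive, because one SHA-256 in the list is printed in upper case and a naive string match would silently miss it. The directory and sample file used in `demo()` are constructed here for illustration; the sample content is harmless and only borrows a filename from the list.

```python
"""Hash-based IOC sweep against the 'Most prevalent malware files' list.

Added example, not code from the newsletter. Assumes nothing beyond the
Python standard library; all paths and sample data are constructed here.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# SHA-256 and MD5 values copied verbatim from the list above, including the
# one SHA-256 that the newsletter prints in upper case.
NEWSLETTER_IOCS = {
    "c814e977d6451eeefacce58c0e0ffd395bc8725853a40c67aa7a326d6b39cfe1",
    "fb8e3acde54227e3571f5341fafecf31",
    "100318042c011363a98f82516b48c09bbcdd016aec557b009c3dd9c17eed0584",
    "920823d1c5cb5ce57a7c69c42b60959c",
    "f4c15b1eee06d45fa6115ddcfeb24bdacf54570352e0cb713e1c5895089dae1d",
    "d5b40faa134ee1e73233e521ac476cdd",
    "85B936960FBE5100C170B777E1647CE9F0F01E3AB9742DFC23F37CB0825B30B5",
    "8c80dd97c37525927c1e549cb59bcbf3",
    "9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507",
    "2915b3f8b703eb744fc54c81f4a9c67f",
}


def normalize(digest):
    """Lower-case and strip a hex digest so comparisons ignore case."""
    return digest.strip().lower()


def digests_of_bytes(data):
    """Return (sha256, md5) hex digests of an in-memory blob."""
    return hashlib.sha256(data).hexdigest(), hashlib.md5(data).hexdigest()


def hash_file(path, chunk_size=1 << 20):
    """Return (sha256, md5) of a file, streaming so large files fit in memory."""
    sha256 = hashlib.sha256()
    md5 = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            sha256.update(chunk)
            md5.update(chunk)
    return sha256.hexdigest(), md5.hexdigest()


def classify(sha256, md5, iocs):
    """Return 'sha256' or 'md5' for the algorithm that matched, else None.

    SHA-256 is checked first; an MD5-only hit is still reported, but a
    practitioner should treat it as weaker evidence than a SHA-256 hit.
    """
    wanted = {normalize(d) for d in iocs}
    if normalize(sha256) in wanted:
        return "sha256"
    if normalize(md5) in wanted:
        return "md5"
    return None


def sweep(root, iocs):
    """Walk root and return [(path, algorithm, digest)] for every IOC hit."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            # Skip symlinks and anything that is not a regular file.
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            try:
                sha256, md5 = hash_file(path)
            except OSError:
                continue  # unreadable file: skip it, do not abort the sweep
            algorithm = classify(sha256, md5, iocs)
            if algorithm is not None:
                hits.append((path, algorithm, sha256 if algorithm == "sha256" else md5))
    return hits


def demo():
    """Sweep a constructed directory holding one benign file whose SHA-256 is
    added (in upper case) to the IOC set, and return the hits found."""
    with tempfile.TemporaryDirectory() as tmp:
        sample = Path(tmp) / "vid001.exe"  # filename from the list; content is harmless
        sample.write_bytes(b"constructed sample, not malware\n")
        sha256, _md5 = hash_file(sample)
        iocs = NEWSLETTER_IOCS | {sha256.upper()}
        return [(os.path.basename(p), alg) for p, alg, _ in sweep(tmp, iocs)]


if __name__ == "__main__":
    for name, algorithm in demo():
        print(f"IOC hit: {name} (matched by {algorithm})")
```

In practice you would point `sweep()` at a path such as a user profile or a mounted disk image and feed it the IOC set from the newsletter (or from a larger feed). Hashing both algorithms in one pass costs one read of each file rather than two, and the case normalization is worth keeping even when your feed looks clean, since mixed-case digests like the one above do show up in published lists.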

Keep up with all things Talos by following us on Twitter. Snort, ClamAV and Immunet also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.