Threat Source newsletter (Dec. 17, 2020)

Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers.

This will be our last Threat Source newsletter of the year. We’ll be on a few-week break for the holidays until Jan. 7.

Of course, all anyone wants to talk about this week is the SolarWinds supply chain attack. There are still many outstanding questions yet to be answered. But everything Cisco Talos knows about this incident and our coverage can be found here. And our pre-existing coverage keeps users protected from the exploitation of any of the FireEye vulnerabilities that arose out of this attack.

While we’re away for the holidays, why not do some reverse-engineering and threat hunting of your own with some of our open-source tools? We just released new versions of GhIDA and Dynamic Data Resolver as an early holiday present.

Cyber security week in review

Security researchers, defenders, IT professionals and government officials around the U.S. are scrambling this week to respond to the SolarWinds incident. Here’s why it’s such a big deal.
Several security industry organizations came together in a massive response to this attack. On Wednesday, security researchers seized control of and sinkholed a key domain used in the SolarWinds incident.
The U.S. Treasury and Commerce departments were also victims of this attack, though its currently unclear how or if attackers used the backdoor established on their networks. Many Fortune 500 companies also used SolarWinds products, according to the company’s website.
House Intelligence Committee Chairman Adam Schiff said the U.S. government needs to take on “urgent work” to defend its critical networks in the wake of this attack. Schiff asked that any private companies that were affected reach out to U.S. intelligence agencies to coordinate a response.
Apple started adding new labels to the apps on its iOS and Mac stores that identify what type of personal information they collect. The labels include information under three different categories “Data used to track you,” “Data linked to you,” and “Data not linked to you.”
A new adware campaign Microsoft is calling “Adrozek” injects malicious ads into search results on numerous browsers. The actors behind the campaign generate money by tricking the users into clicking on the fake ads, which send them to affiliate-linked pages.
Government agencies in Poland and Lithuania were both subjects of disinformation attacks this week. Attackers took control of several state-controlled websites and posted intentionally misleading information looking to disrupt ties between the two countries.
Thousands of medical images like X-Rays and MRIs are available on unprotected servers, accessible to anyone on the internet. A security firm found many of them were connected to a massive health care system in Russia.
A security firm found 28 malicious browser plugins for Microsoft Edge and Google Chrome that steal users’ personal data. More than 3 million people are estimated to have downloaded these extensions.

Notable recent security issues

Title: State-sponsored actors behind massive SolarWinds attacks, full breadth yet to be discovered

Description: In a sophisticated supply-chain attack, adversaries compromised updates to the widely used SolarWinds Orion IT monitoring and management software. The digitally signed updates were posted on the SolarWinds website from March to May 2020. This backdoor is loaded by the actual SolarWinds executable before the legitimate code, as not to alert the victim that anything is amiss. Reports indicate that some of the largest companies in the world use this software, so it is still unclear if the backdoor has led to any major cyber attacks or data breaches. At least two American government agencies are also affected: the Treasury and Commerce departments. The U.S. Department of Homeland Security (DHS) and CISA issued an emergency alert calling on all U.S. federal civilian agencies to review their networks for indicators of compromise (IOCs) and advising them to disconnect SolarWinds Orion products immediately.

References: /solarwinds-supplychain-coverage

https://krebsonsecurity.com/2020/12/u-s-treasury-commerce-depts-hacked-through-solarwinds-compromise/

Snort SIDs: 56660 - 56668

Title: Red-teaming security tools stolen as part of broad attack

Description: In an attack related to the vulnerabilities in SolarWindws products, security vendor FireEye had some red-teaming tools stolen by a state-sponsored actor. Some of these tools appear to be based on well-known offensive frameworks like Cobalt Strike. It has been reported that none of the tools target zero-day vulnerabilities. It’s currently unknown why a state-sponsored actor would want to target these tools. Typically, these types of actors target high-value data possessed by victims. As part of this disclosure, FireEye also released a repository of signatures/rules designed to detect the use of these tools across a variety of detection technologies.

References: https://github.com/fireeye/red_team_tool_countermeasures

/fireeye-breach-guidance

https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html

Snort SIDs: 8068, 8422, 38491, 38492, 48359, 49100, 49171, 49861, 50137, 50168 – 50170, 50275 – 50278, 51288 – 51289, 51368, 51370 – 51372, 51390, 51966, 52512, 52513, 52603, 52620, 53433, 53435, 53346 – 53351, 53380 – 53383, 55703, 55704, 55802, 55862, 56290, 56436, 56586

ClamAV signature: W32.FindstrSearchForKeyWords

Most prevalent malware files this week

SHA 256: 85B936960FBE5100C170B777E1647CE9F0F01E3AB9742DFC23F37CB0825B30B5

MD5: 8c80dd97c37525927c1e549cb59bcbf3

Typical Filename: Eternalblue-2.2.0.exe

Claimed Product: N/A

Detection Name: Win.Exploit.Shadowbrokers::5A5226262.auto.talos

SHA 256: 2c36cb4e1771a04e728d75eb65b05f6875d4eb56df6eb5810af09d0d5e419cd5

MD5: eb20ca63dc3badc1a48072d33bd6428b

VirusTotal:

Typical Filename: 1 Total New Invoices-Monday December 14 2020.xlsm

Claimed Product: N/A

Detection Name: W32.2C36CB4E17-90.SBX.TG

SHA 256: e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd

MD5: 8193b63313019b

Typical Filename: SAService.exe

Claimed Product: SAService

Detection Name: PUA.Win.Dropper.Segurazo::95.sbx.tg

SHA 256: 4b8aef15c75ab675acdd9588bbcbd45dcc11a270513badfb21cfdfd92f723b01

MD5: 7e36752d274e61b9f2b0ee43200fe36d

Typical Filename: Click HERE to start the File Launcher by WebNavigator Installer_ryymehv3_.exe

Claimed Product: WebNavigator Browser

Detection Name: W32.48C6324412-95.SBX.TG

SHA 256: 763d0f405ca4a762ce5d27077f3092f295b6504a743f61b88a1de520bcdb3d8a

MD5: 552299482ffa389321df9b05740c1b92

Typical Filename: webnavigatorbrowser.exe

Claimed Product: WebNavigator Browser

Detection Name:W32.763D0F405C-100.SBX.VIOC

Keep up with all things Talos by following us on Twitter. Snort, ClamAV and Immunet also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.

Intelligence Center

Vulnerability Information

Security Resources

Media

Company

Badgerboard: A PLC backplane network visibility module

Exploring malicious Windows drivers (Part 1): Introduction to the kernel and drivers

Year in Malware 2023: Recapping the major cybersecurity stories of the past year

Intelligence Center

Vulnerability Research

Incident Response