Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers.

Microsoft released its monthly security update this week, disclosing 83 vulnerabilities across its suite of products to kick off 2021. Our blog post has the most important vulnerabilities you need to know about, along with our released Snort rules to keep your network protected.

TalosIntelligence.com users will also want to check out the list of our new Content and Threat Categories that will provide you with sufficient intelligence details to allow you to make informed decisions to protect your network without disrupting your organization’s productivity.

Upcoming public engagements with Talos

Title: “The Crimeware Arms Race: Modern Techniques in Malware Armoring and Evasion”

Event: CactusCon

Date: Feb. 6 - 7

Speakers: Edmund Brumaghin and Nick Biasini

Overview: As the volume of malware samples in the wild has continued to explode in recent years, a lot of effort has been put into the development of automated analysis platforms. These platforms typically execute files in controlled environments to observe their behavior and determine if the file is benign or malicious. As the use of these technologies has increased, adversaries have invested significant resources in developing techniques to circumvent automated analysis and evade detection. Malware developers are also implementing various techniques to make analysis more difficult. Modern botnets have begun leveraging new technologies to make their infrastructure more resilient to disruption by security organizations and law enforcement. This presentation will describe the latest techniques employed by adversaries to evade analysis and detection. It will also cover the new technologies being leveraged to establish C2 communications channels that are resilient against intervention by the security industry and law enforcement. We will discuss specific examples and walk through detailed case studies where these techniques are being employed, as well as how to defend against them more effectively.

Cybersecurity week in review

  • Parler, a controversial right-leaning app, was removed from major app stores and dropped by Amazon Web Services over its role in a mob on the U.S. Capitol building last week. In the wake of the bans, a security researcher scraped 70 TBs of data from the app, showing anyone could access users’ driver's license photos and more.
  • The data leak also included full posts users made. For many users, these included threats of violence, which could follow many users for years to come.
  • There are many cybersecurity questions left unanswered after the mob on the Capitol last week. Participants in the riot had physical access to many Congressional devices and some laptops are still unaccounted for.
  • Facebook says it took down a Russian-linked disinformation campaign running out of Ukraine. The social media site said the malicious users created fake profiles and groups posing as legitimate news organizations to spread intentionally misleading or false information.
  • A postcard sent to the CEO of cybersecurity company FireEye could be another look into the SolarWinds campaign. The note referenced knowledge of the wide-ranging attack, which wasn’t publicly disclosed until last month.
  • President-elect Joe Biden plans to elevate two cybersecurity-related positions to senior White House posts. The roles were given a lower priority during the Trump administration.
  • The U.S. Department of Defense paused a $2 billion cybersecurity program at the Pentagon, citing new information discovered after the SolarWinds campaign. The effort is supposed to consist of consolidating networks and detecting network intrusions.
  • Apple removed a controversial feature from its apps that allowed some of them to bypass third-party firewalls and VPNs. This included many popular apps like Apple Maps and iCloud.
  • Attackers used four different zero-days in Windows and Google Chrome to infect Android and Microsoft users’ devices. Google’s Project Zero says the attackers are using “well-engineered, complex code” and appear to be sophisticated actors.

Notable recent security issues

Title: Microsoft disclosed 83 vulnerabilities, 10 critical, in monthly security update

Description: Microsoft released its monthly security update Tuesday, disclosing 83 vulnerabilities across its suite of products to kick off 2021. Only 10 of the vulnerabilities in this release are critical, two are of moderate severity, and the remainder are considered “important.” Users of all Microsoft and Windows products are urged to update their software as soon as possible to avoid possible exploitation of these bugs. The security updates cover several different products and services, including the Microsoft Defender antivirus software, the Microsoft Remote Procedure Call tools and Bluetooth communication with Windows devices. One of the most serious vulnerabilities exists in Microsoft Defender. CVE-2021-1647 affects some versions of Windows dating back to Windows 2008. An attacker could exploit this vulnerability to execute arbitrary code on the victim machine. No action is required to install this update and protect against this vulnerability, according to Microsoft, as the fix is part of Microsoft’s regular updates to its anti-malware products.

Snort SIDs: 56849 – 56860, 56865

Title: Lokibot adds new dropper to its arsenal

Description: Lokibot is one of the most well-known information stealers on the malware landscape. The actors behind Lokibot can usually steal multiple types of credentials and other sensitive information. This new campaign utilizes a complex, multi-stage, multi-layered dropper to execute Lokibot on the victim machine. The attack starts with a malicious XLS attachment, sent in a phishing email, containing an obfuscated macro that downloads a heavily packed second-stage downloader. The second stage fetches the encrypted third stage, which contains Lokibot wrapped in three layers of encryption. After a privilege escalation, the third stage deploys Lokibot. The image below shows the infection chain.

Snort SIDs: 56577, 56578

Most prevalent malware files this week

SHA 256: 20f0ce6ae08d954767bdd8445017453475d53fe1e448c07da7a8a6a1194374c6

MD5: 6902aa6dd0fbd0d1b647e8d529c7ad3f

Typical Filename: FlashHelperService.exe

Claimed Product: Flash Helper Service

Detection Name: W32.Variant.23nh.1201

SHA 256: a463f9a8842a5c947abaa2bff1b621835ff35f65f9d3272bf1fa5197df9f07d0

MD5: 9b7c2b0abf5478ef9a23d9a9e87c7835

Typical Filename: INV1458863388-20210111852384.xlsm

Claimed Product: N/A

Detection Name: W32.A463F9A884-90.SBX.TG

SHA 256: 85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5

MD5: 8c80dd97c37525927c1e549cb59bcbf3

Typical Filename: svchost.exe

Claimed Product: N/A

Detection Name: Win.Exploit.Shadowbrokers::5A5226262.auto.talos

SHA 256: 8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9

MD5: 34560233e751b7e95f155b6f61e7419a

Typical Filename: santivirusservice.exe

Claimed Product: A n t i v i r u s S e r v i c e

Detection Name: PUA.Win.Dropper.Segurazo::tpd

SHA 256: 6fdfcd051075383b28f5e7833fde1bb7371192f54e381c8bdfa8e68269e3dc30

MD5: 0083bc511149ebc16109025b8b3714d7

Typical Filename: webnavigatorbrowser.exe

Claimed Product: WebNavigatorBrowser

Detection Name: W32.6FDFCD0510-100.SBX.VIOC

Keep up with all things Talos by following us on Twitter. Snort, ClamAV and Immunet also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.