Thursday, January 21, 2021

Threat Source newsletter (Jan. 21, 2021)

Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers.  

We know it’s hard to focus on anything happening outside of Washington, D.C. this week. But we would be remiss if we didn’t mention the exciting news that the Snort 3 GA is officially out now! This update has been literally years in the making and is a major upgrade to Snort’s performance and its level of customization. Here’s our announcement post from Tuesday, and for the official downloads and even more resources, check out the Snort 3 hub page.

Talos is also hiring for multiple positions. Please bookmark our Careers page and check back every so often for new listings, but we already have several openings now for security experts who want to join our team. 


Upcoming public engagements with Talos

Event: CactusCon 
Date: Feb. 6 - 7 
Speakers: Edmund Brumaghin and Nick Biasini 
Overview: As the volume of malware samples in the wild has continued to explode in recent years, a lot of effort has been put into the development of automated analysis platforms. These platforms typically execute files in controlled environments to observe their behavior and determine if the file is benign or malicious. As the use of these technologies has increased, adversaries have invested significant resources in developing techniques to circumvent automated analysis and evade detection. Malware developers are also implementing various techniques to make analysis more difficult. Modern botnets have begun leveraging new technologies to make their infrastructure more resilient to disruption by security organizations and law enforcement. This presentation will describe the latest techniques employed by adversaries to evade analysis and detection. It will also cover the new technologies being leveraged to establish C2 communications channels that are resilient against intervention by the security industry and law enforcement. We will discuss specific examples and walk through detailed case studies where these techniques are being employed, as well as how to defend against them more effectively. 

Cybersecurity week in review

  • Security researchers discovered a fourth malware strain that was used in the SolarWinds breach. While it isn’t believed the malware was widely deployed, it does show how there is still much to learn about this campaign. 
  • The techniques used in the SolarWinds attack are likely to show up again, too. Researchers are expecting other threat actors to copy much of what the adversaries did in the wide-ranging effort. 
  • The SolarWinds incident will also likely influence the new Congress’ agenda. In what will be a quick-moving first 100 days in office for new President Joe Biden, the Democratic-controlled legislature will likely take up several cybersecurity-related bills. 
  • Controversial app Parler appears to be coming back online with the help of a Russian company. Web-hosting service Epik is known for supporting other sites that fuel conspiracy theories and far-right users. 
  • A woman who was part of the mob that stormed the U.S. Capitol recently was arrested for stealing House Speaker Nancy Pelosi’s laptop. The woman reportedly wanted to try and send the device to a Russian intelligence agency. 
  • India’s government is asking WhatsApp to withdraw its proposed new privacy policy that would change the way the messaging app shares data with Facebook. India is one of WhatsApp’s largest markets. 
  • The U.S. National Security Agency appointed longtime cybersecurity official Rob Joyce as its new cyber director. Joyce was a special security adviser to former President Donald Trump before Trump eliminated the position. 
  • An error in attackers' code left stolen credentials exposed on the internet. Anyone could use a Google search to find the password associated with stolen email addresses.

Notable recent security issues

Description: Researchers recently discovered a webshell called “BumbleBee” being used in an espionage campaign against Microsoft Exchange servers. The affected organizations thus far are located in Kuwait. BumbleBee was observed being used to upload and download files on a targeted Exchange server back in September. The operators behind this campaign, which researchers indicate is the xHunt group, used BumbleBee to execute commands and upload and download files. This is the latest tool xHunt’s added to its arsenal. The group dates back to at least 2018 and has targeted Kuwaiti organizations and government agencies in the past, specifically going after the shipping and trading sectors.  
Snort SIDs: 56887 – 56890  

Description: Cisco disclosed 74 vulnerabilities in some of its RV series of wireless routers last week, urging users to purchase new hardware rather than waiting for patches. The vulnerabilities all exist in products that have already reached their end-of-life. The affected devices include the Cisco Small Business RV110W, RV130, RV130W and RV215W systems, which could all be used as firewalls, VPNs or standard routers. All of the vulnerabilities require that an attacker has login credentials for the targeted device, and therefore are not easily exploitable. This should give users a small runway to upgrade to new gear.  
Snort SIDs: 56839 – 56845, 56866 – 56876, 56893, 56894 

Most prevalent malware files this week

MD5: 176e303bd1072273689db542a7379ea9  
Typical Filename: FlashHelperService.exe  
Claimed Product: Flash Helper Service  
Detection Name: W32.Variant.24cl.1201 

MD5: 34560233e751b7e95f155b6f61e7419a 
Typical Filename: santivirusservice.exe
Claimed Product: A n t i v i r u s S e r v i c e
Detection Name: PUA.Win.Dropper.Segurazo::tpd

MD5: 8c80dd97c37525927c1e549cb59bcbf3
Typical Filename: svchost.exe
Claimed Product: N/A 
Detection Name: Win.Exploit.Shadowbrokers::5A5226262.auto.talos

MD5: 8193b63313019b614d5be721c538486b  
Typical Filename: SAService.exe  
Claimed Product: SAService  
Detection Name: PUA.Win.Dropper.Segurazo::95.sbx.tg 
 
MD5: 0083bc511149ebc16109025b8b3714d7
Typical Filename: webnavigatorbrowser.exe 
Claimed Product: WebNavigatorBrowser
Detection Name: W32.6FDFCD0510-100.SBX.VIOC

Keep up with all things Talos by following us on Twitter. Snort, ClamAV and Immunet also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.  
