Thursday, February 11, 2021

Threat Source newsletter (Feb. 11, 2021)

Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers.  

We have an update on LodaRAT, a trojan we’ve been following for years. This threat has a new version targeting Android devices, looking to infect devices and steal user’s credentials and monitor things like their phone calls and messages.  

Patch Tuesday was also this week, which was relatively quiet in terms of the volume of vulnerabilities. We have our full Microsoft blog post as usual, and also a Snort rule update to keep users protected. 


Upcoming public engagements with Talos

Date: March 30 – April 1 
Speakers: Nick Biasini, more TBA 
Overview: Join us for the annual Cisco Live conference, this year taking place across the globe at the same time virtually for the first time. Cisco Live is your destination for year-round technical education and training. There will be many on-demand sessions to choose from throughout the conference. Nick Biasini of Talos Outreach will provide a broad overview of the past year’s threats and trends we’ve been seeing, with a specific focus on dual-use tools and supply chain attacks. Additional sessions will be announced in the coming weeks. 

Cybersecurity week in review

  • An adversary tried to poison the water supply of a small town in Florida through a cyber attack. Government representatives say they watched a remote attacker breach their systems and try to increase the amount of lye in the water, which could have been deadly. 
  • Google removed a popular extension from the Chrome browser after it was discovered injecting malicious code. The original creator of the open-source project recently sold the code to an unknown group. 
  • Minneapolis police used a Google geofence warrant to track protestors after George Floyd’s death at the hands of an officer. The sweep led to many innocent bystanders being included in the wave of arrests. 
  • Adversaries posted thousands of patients’ medical forms online after a ransomware attack on 11 American hospitals. The information included patients’ names, addresses, birthdays, medical diagnoses and letters to insurers. 
  • Polish video game developer CD Projekt Red was the victim of a ransomware attack this week. The attackers behind it are warning they will post the source code of three of the studio’s games including the recently released “Cyberpunk 2077.” 
  • A United Nations panel says North Korean state-sponsored actors are still relying on cyber attacks to fund the country’s nuclear weapons program. The threat actors commonly target financial institutions and virtual currency exchange houses. 
  • Microsoft warns that defenders should still be on the lookout for Emotet, despite a recent takedown. It is currently unclear if the infamous botnet will return after a major international law enforcement campaign to shut it down. 
  • The U.S. Election Assistance Commission adopted new standards for the first time in 16 years. Electronic voting machines must now submit to basic cybersecurity testing while making several steps to move toward paper ballots. 
  • Popular messaging app Signal released a workaround for a recent ban in Iran. Users can now use a TLS proxy to bypass the network block. 

Notable recent security issues


Description: Microsoft released its monthly security update Tuesday, disclosing 56 vulnerabilities across its suite of products. This is the smallest amount of vulnerabilities Microsoft has disclosed in a month since January 2020. There are only 11 critical vulnerabilities as part of this release, while there are three moderate-severity exploits, and the remainder are considered “important.” Users of all Microsoft and Windows products are urged to update their software as soon as possible to avoid possible exploitation of all these bugs. The security updates cover several different products and services, including the Microsoft Office suite of products, the Windows DNS server and the SharePoint file-sharing service.  
Snort SIDs: 57103, 57104, 57106 - 57108, 57123, 57128  

Description: Cisco disclosed multiple vulnerabilities in some of its RV series routers designed for use as small business VPNs. An adversary could exploit any of these flaws to view or manipulate data on the targeted device and perform other unauthorized actions. These routers have a VPN function built into them and are purpose-built for small and medium-sized businesses or as a way for users to access their office’s network remotely. The vulnerabilities exist in the way the routers validate HTTP requests in its management interface. An attacker could exploit these vulnerabilities by sending a specially crafted HTTP request to the targeted device and then gain the ability to execute arbitrary code as a root user.  
Snort SIDs: 57065, 57068 – 57070, 57072 - 57095 

Most prevalent malware files this week

MD5: 8c80dd97c37525927c1e549cb59bcbf3
Typical Filename: svchost.exe
Claimed Product: N/A 
Detection Name: Win.Exploit.Shadowbrokers::5A5226262.auto.talos

MD5: 34560233e751b7e95f155b6f61e7419a 
Typical Filename: santivirusservice.exe
Claimed Product: A n t i v i r u s S e r v i c e
Detection Name:  PUA.Win.Dropper.Segurazo::tpd

MD5: 9a4b7b0849a274f6f7ac13c7577daad8 
Typical Filename: ww31.exe 
Claimed Product: N/A 
Detection Name: W32.GenericKD:Attribute.24ch.1201 

MD5: f37167c1e62e78b0a222b8cc18c20ba7 
Typical Filename: flashhelperservice.exe 
Claimed Product: Flash Helper Service 
Detection Name: W32.4647F1A085.in12.Talos 

MD5: 88781be104a4dcb13846189a2b1ea055 
Typical Filename: ActivityElement.dp 
Claimed Product: N/A 
Detection Name: Win.Trojan.Generic::sso.talos  

Keep up with all things Talos by following us on TwitterSnortClamAV and Immunet also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.  

No comments:

Post a Comment

Note: Only a member of this blog may post a comment.