Thursday, February 25, 2021

Threat Source newsletter (Feb. 25, 2021)

Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers.  

We tend to think of APTs as wide-reaching, silent threat groups backed by a nation-state. But our recent research into Gamaredon shows that not all APTs are created equal.

We've spotted this actor carrying out several different attacks across the globe, most of which appear to be mainly interested in stealing information. What they do with that information is still up for debate.


Upcoming public engagements with Talos

Date: March 30 – April 1 
Speakers: Nick Biasini, more TBA 
Overview: Join us for the annual Cisco Live conference, held virtually as a single global event for the first time this year. Cisco Live is your destination for year-round technical education and training. There will be many on-demand sessions to choose from throughout the conference. Nick Biasini of Talos Outreach will provide a broad overview of the past year's threats and trends we've been seeing, with a specific focus on dual-use tools and supply chain attacks. Additional sessions will be announced in the coming weeks.

Cybersecurity week in review

  • U.S. President Joe Biden’s administration is reportedly preparing to sanction Russia for its involvement in the recent SolarWinds breach that affected thousands of companies and government agencies. American defense agencies are also reportedly working on new defensive measures to protect against similar attacks in the future. 
  • Several major tech companies testified in front of the U.S. Senate this week regarding the SolarWinds incident. Representatives from Amazon Web Services, whose infrastructure was reportedly used by the attackers during the campaign, declined to attend.
  • Apple says it's already addressed the "Silver Sparrow" malware, which ships a binary built natively for the company's M1 chips. Cisco Talos also already has hash-based detection in place for the known samples.
  • A child-focused security camera company says it was recently the victim of a data breach. However, NurseryCam says the compromise did not allow any adversaries to spy on children or parents through their cameras, which are usually placed at daycares. 
  • APT31 is reportedly using a repurposed zero-day exploit from fellow APT the Equation Group to target Microsoft Windows. Microsoft patched the vulnerability (CVE-2017-0005) in 2017, though some software remains unpatched in the wild.
  • A new IBM report states the operators behind the Sodinokibi ransomware made at least $123 million in profits in 2020. The group (also known as REvil) also stole around 21.6 TB of data. 
  • Attackers are targeting chatrooms in Clubhouse, an exclusive social media startup that’s focused on voice chat. Users have been warned that some voice chats and other data may have been vulnerable. 
  • Ukrainian officials are blaming a Russian state-sponsored actor for an attack on the country’s government document management system. A statement from Ukraine said the goal of the attack was "the mass contamination of information resources of public authorities." 
  • Video game developer CD Projekt Red is still suffering after a ransomware attack earlier this month. The company’s employees are partially locked out from their remote desktops, according to a new report, which has led to development delays.  

Notable recent security issues

Description: Cisco Talos recently discovered a campaign utilizing a variant of the Masslogger trojan designed to retrieve and exfiltrate user credentials from multiple sources such as Microsoft Outlook, Google Chrome and instant messengers. The actor employs a multi-modular approach that starts with the initial phishing email and carries through to the final payload. The adversaries behind this campaign likely do this to evade detection, but it is also a weakness: every additional stage is another opportunity for defenders to break the kill chain. While most of the public attention is focused on ransomware attacks, big-game hunting and APTs, it is important to keep in mind that crimeware actors are still active and can inflict significant damage on organizations by stealing users' credentials. The credentials themselves have value on the dark web, and actors sell them for money or use them in other attacks.
Snort SIDs: 57141-57154 
OSQueries: https://github.com/Cisco-Talos/osquery_queries/blob/master/win_forensics/potential_compiled_HTML_abuse.yaml 
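The osquery pack above looks for abuse of compiled HTML (CHM) help files. As an added example that is not part of the newsletter or the Talos repository, the following Python snippet applies the same idea to process-creation telemetry: it walks each process's ancestry and flags script interpreters and LOLBins that descend from hh.exe, the Windows CHM viewer, which has no legitimate reason to spawn them. The event records, the list of suspect child processes and the walk depth are all assumptions chosen for illustration; the sample events are constructed, not taken from the campaign.

```python
"""Flag script interpreters spawned, directly or indirectly, by hh.exe.

Added example, not code from the newsletter or the Talos osquery pack.
The event format and the sample data below are constructed for illustration.
"""
from dataclasses import dataclass

# Assumed list: interpreters/LOLBins a CHM viewer should never launch.
SUSPECT_CHILDREN = {
    "powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe",
    "wscript.exe", "cscript.exe", "rundll32.exe", "regsvr32.exe",
}
CHM_VIEWER = "hh.exe"
MAX_DEPTH = 4  # how many ancestors to inspect before giving up


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (simplified; real telemetry should key
    on a process GUID rather than a reusable PID)."""
    pid: int
    ppid: int
    name: str
    cmdline: str


def chm_spawn_chain(events, max_depth=MAX_DEPTH):
    """Return [(event, path)] for each suspect process that has hh.exe within
    max_depth ancestors. path lists image names from the process up to and
    including hh.exe, e.g. ['powershell.exe', 'cmd.exe', 'hh.exe']."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if e.name.lower() not in SUSPECT_CHILDREN:
            continue
        path = [e.name.lower()]
        cur = e
        for _ in range(max_depth):
            parent = by_pid.get(cur.ppid)
            if parent is None:          # root of the tree or missing record
                break
            path.append(parent.name.lower())
            if parent.name.lower() == CHM_VIEWER:
                hits.append((e, path))
                break
            cur = parent
    return hits


# Constructed sample: a CHM opened from Downloads launches cmd.exe, which
# launches a hidden, encoded PowerShell. Two benign branches are included
# (a CHM with no children, PowerShell started directly from explorer.exe).
SAMPLE_EVENTS = [
    ProcEvent(100, 1, "explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, "hh.exe", r"hh.exe C:\Users\u\Downloads\invoice.chm"),
    ProcEvent(300, 200, "cmd.exe", "cmd.exe /c powershell -w hidden -enc ..."),
    ProcEvent(400, 300, "powershell.exe", "powershell -w hidden -enc ..."),
    ProcEvent(500, 100, "hh.exe", r"hh.exe C:\Windows\Help\mui\0409\dvd.chm"),
    ProcEvent(600, 100, "powershell.exe", "powershell.exe"),
    ProcEvent(700, 100, "chrome.exe", "chrome.exe"),
]


def summarize(events):
    """Human-readable lines for each hit, for a console or SIEM note."""
    return [f"pid {e.pid}: {' <- '.join(path)} | {e.cmdline}"
            for e, path in chm_spawn_chain(events)]


if __name__ == "__main__":
    for line in summarize(SAMPLE_EVENTS):
        print(line)
```

Only the two processes under the malicious hh.exe are reported; the standalone CHM and the PowerShell started from explorer.exe are not, which keeps the rule quiet on ordinary help-file use and admin activity. Extending the ancestor walk beyond one level matters because the campaign described above chains several stages between the initial file and the final payload.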

Description: Gamaredon is a threat actor, active since at least 2013, that has long been associated with pro-Russian activities in numerous reports over the years. Although it is usually not associated with high-visibility campaigns, it is extremely aggressive: Cisco Talos sees it as incredibly active, and we believe the group is on par with some of the most prolific crimeware gangs. Gamaredon has been exposed several times in multiple threat intelligence reports, without any significant effect on its operations. Its information-gathering activities place it close to a second-tier APT, whose main goal is to collect information and pass it to other units, who eventually use that information to achieve the end goal. Recently, Cisco Talos researchers discovered four different campaigns using different initial infection vectors and final payloads.
Snort SIDs: 57194-57196
ClamAV: Lnk.Malware.Gamaredon-7448135-3 

Most prevalent malware files this week

MD5: 9a4b7b0849a274f6f7ac13c7577daad8 
Typical Filename: ww31.exe 
Claimed Product: N/A 
Detection Name: W32.GenericKD:Attribute.24ch.1201 

MD5: f37167c1e62e78b0a222b8cc18c20ba7 
Typical Filename: flashhelperservice.exe 
Claimed Product: Flash Helper Service 
Detection Name: W32.4647F1A085.in12.Talos 

MD5: 8c80dd97c37525927c1e549cb59bcbf3
Typical Filename: svchost.exe
Claimed Product: N/A 
Detection Name: Win.Exploit.Shadowbrokers::5A5226262.auto.talos

MD5: 34560233e751b7e95f155b6f61e7419a 
Typical Filename: SAntivirusService.exe 
Claimed Product: A n t i v i r u s S e r v i c e 
Detection Name: PUA.Win.Dropper.Segurazo::tpd 

MD5: 88781be104a4dcb13846189a2b1ea055 
Typical Filename: ActivityElement.dp 
Claimed Product: N/A 
Detection Name: Win.Trojan.Generic::sso.talos  

Keep up with all things Talos by following us on Twitter. Snort, ClamAV and Immunet also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast (as well as on your favorite podcast app). And, if you're not already, you can also subscribe to the weekly Threat Source newsletter.
