Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers.

We have a special edition of the Threat Source newsletter to bring you this week, because we’re premiering a new video for you right now!

Below, you’ll find a full roundtable we put together discussing the SolarWinds supply chain attack. We brought together Talos researchers from several parts of our organization, including incident responders, global threat intelligence researchers and our Outreach team. We discussed everything we know about the SolarWinds attack, and what’s still yet to be uncovered. View the video below or check it out over on our YouTube page.

If you prefer the written word, we also have full coverage of the Microsoft Exchange zero-day vulnerabilities disclosed last week, including all the coverage you need to keep your network safe.

Upcoming public engagements with Talos

Title: Cisco Live 2021

Date: March 30 – April 1

Speakers: Nick Biasini, more TBA

Overview: Join us for the annual Cisco Live conference, this year taking place across the globe at the same time virtually for the first time. Cisco Live is your destination for year-round technical education and training. There will be many on-demand sessions to choose from throughout the conference. Nick Biasini of Talos Outreach will provide a broad overview of the past year’s threats and trends we’ve been seeing, with a specific focus on dual-use tools and supply chain attacks. Additional sessions will be announced in the coming weeks.

Cybersecurity week in review

  • Early reports indicate more than 30,000 organizations could be affected by the Microsoft Exchange zero-day vulnerabilities. The threat actor behind the attacks even stepped up their efforts to scan for unpatched servers after the vulnerabilities were disclosed and patched.
  • Chinese threat actors may have also targeted SolarWinds products the same time as Russian groups targeted the same vulnerabilities. The new discoveries show that there’s never a shortage of APTs looking to target American government agencies and large companies.
  • The U.S. is expected to retaliate against Russia for the SolarWinds breach in the next few weeks. Actions could include cyber attacks and economic sanctions.
  • A data breach at far-right social media app Gab uncovered many sensitive messages and gives a deeper look into the site. Among them are direct messages between the service’s CEO and a high-profile figure in the QAnon conspiracy theory.
  • While SolarWinds stole headlines in December and January, another significant cyber attack flew under the radar. A very different set of coordinated intrusions targeted New Zealand’s central bank and grocery store chain Kroger, among other high-profile organizations.
  • Students who are still learning remotely are finding ways to bypass schools’ test-proctoring systems that claim to be foolproof. Some methods involve downloading third-party apps, while other methods are as simple as using video chatting.
  • The FBI released a warning this week that state-sponsored actors are likely to deploy deepfake videos to expand their influence in cybersecurity. The alert states that common ways to spot these types of manipulated videos include looking for any warping, distortions or synching issues.
  • The recently passed COVID-19 relief bill includes millions of dollars in funding for American government cybersecurity efforts. Among the various provisions in the bill is $650 million earmarked for the Cybersecurity and Infrastructure Security Agency’s cybersecurity risk management programs.
  • The U.S. Senate introduced a bipartisan bill that would provide additional funding to train government officials on election security. The proposed legislation would establish a $1 million grant to cover many of the costs of tuition for cybersecurity training for state and local election officials and their employees.
  • F5 disclosed four remote code execution vulnerabilities that affect its BIG-IP and BIG-IQ software. All the vulnerabilities have a CVSS severity score of 9.0 or higher (out of 10).

Notable recent security issues

Title: Microsoft discloses 89 vulnerabilities, 14 critical, as part of monthly security update

Description: Microsoft released its monthly security update Tuesday, disclosing 89 vulnerabilities across its suite of products, the most in any month so far this year. There are 14 critical vulnerabilities as part of this release, and one considered of “low” severity. The remainder are all “important.” Three of the critical vulnerabilities are the ones Microsoft disclosed last week in Exchange Server that the company said state-sponsored actors exploited in the wild to steal emails. Microsoft also announced Monday they were releasing patches for older versions of Exchange Server. All organizations using the affected software should prevent external access to port 443 on Exchange Servers or set up a VPN to provide external access to port 443. This will ensure that only authenticated and authorized users can connect to this service. However, this action will only protect against the initial step of the attack. Administrators should also immediately apply the published patches to vulnerable Exchange Servers. Outside of Exchange Server, this month’s security update provides patches for several other pieces of software, including Azure Sphere, the SharePoint file-sharing service and the .hevc video file extension.

Snort SIDs: 54518, 57233, 57234, 57241 - 57246, 57252, 57253, 57259 - 57268, 57269 and 57274 - 57276

Title: Microsoft Exchange Server vulnerabilities highlights HAFNIUM threat actor

Description: Microsoft disclosed several critical vulnerabilities in Exchange Server last week, stating that a state-sponsored actor known as “HAFNIUM” was behind the attacks. This threat actor exploited four vulnerabilities to steal emails, the most severe of one is a zero-day server-side request forgery (SSRF) vulnerability. HAFNIUM is a newly identified threat actor. According to Microsoft, the group usually targets industries such as military contractors, infections disease research, legal, education and think tanks. Microsoft stated that the group is likely based out of China, but relies on leased virtual private servers in the U.S. While HAFNIUM was first known for exploiting these Exchange Server vulnerabilities, it is likely they will switch their tactics now that the vulnerabilities are public.

Snort SIDs: 57235 - 57240

Most prevalent malware files this week

SHA 256: c1d5a585fce188423d31df3ea806272f3daa5eb989e18e9ecf3d94b97b965f8e

MD5: 9a4b7b0849a274f6f7ac13c7577daad8

Typical Filename: ww31.exe

Claimed Product: N/A

Detection Name: W32.GenericKD:Attribute.24ch.1201

SHA 256: 4647f1a0850a961e341a863194e921c102578a9c4ef898fa5e4b54d9fb65e57b

MD5: f37167c1e62e78b0a222b8cc18c20ba7

Typical Filename: flashhelperservice.exe

Claimed Product: Flash Helper Service

Detection Name: W32.4647F1A085.in12.Talos

SHA 256: 17c4a85cdc339f525196d7f5da3a02e43c97513ff50b6bc17db4470ae3b182e2

MD5: 96f8e4e2d643568cf242ff40d537cd85

Typical Filename: SAntivirusService.exe

Claimed Product: SAService

Detection Name: PUA.Win.File.Segurazo::95.sbx.tg

SHA 256: 8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9

MD5: 34560233e751b7e95f155b6f61e7419a

Typical Filename: SAntivirusService.exe

Claimed Product: A n t i v i r u s S e r v i c e

Detection Name: PUA.Win.Dropper.Segurazo::tpd

SHA 256: 85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5

MD5: 8c80dd97c37525927c1e549cb59bcbf3

Typical Filename: svchost.exe

Claimed Product: N/A

Detection Name: Win.Exploit.Shadowbrokers::5A5226262.auto.talos

Keep up with all things Talos by following us on Twitter. Snort, ClamAV and Immunet also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.