Thursday, March 18, 2021

Threat Source newsletter (March 18, 2021)


Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers.

Start spreading the word now, the Snort scholarship is back for 2021! This year, we’re giving away two $10,000 awards to two college students who are studying cybersecurity or another IT-related field. Applications open on April 1, but we want everyone to start getting their applications together now.  


Upcoming public engagements with Talos


Date: March 30 – April 1 
Speakers: Nick Biasini, more TBA 
Overview: Join us for the annual Cisco Live conference, this year held virtually, at the same time across the globe, for the first time. Cisco Live is your destination for year-round technical education and training. There will be many on-demand sessions to choose from throughout the conference. Nick Biasini of Talos Outreach will provide a broad overview of the past year’s threats and trends we’ve been seeing, with a specific focus on dual-use tools and supply chain attacks. Additional sessions will be announced in the coming weeks. 

Date: April 7 at 11 a.m. ET 
Speakers: Vitor Ventura 
Overview: In this free webinar, Vitor Ventura of Talos Outreach will discuss the most recent Android malware he’s seen in the wild. Vitor will reverse-engineer some of these malware samples and discuss what users can do to stay safe. We’ll cover everything from deobfuscating strings, to appropriate patching practices and searching for command and control beacons. 

Cybersecurity week in review

  • At least six APTs have exploited the zero-day vulnerabilities in Microsoft Exchange Server since they were first disclosed. While this could just be some amazing coincidence, it’s more than likely an unprecedented security event. 
  • Microsoft released a one-click PowerShell script to fix these vulnerabilities, aimed at helping smaller businesses and organizations that may not have dedicated security teams. The script checks whether the user’s server is affected and, if so, downloads and runs the Microsoft Safety Scanner to remove web shells and other malicious scripts linked to these attacks. 
  • A major Senate committee started another round of testimonies on Thursday focused on the SolarWinds supply chain attack. Lawmakers are specifically investigating what federal agencies are doing to prevent another similar attack in the future. 
  • Several American officials are pushing for major changes to American cybersecurity infrastructure after the SolarWinds and Microsoft Exchange incidents. Some plans under consideration involve greater participation by private security firms.  
  • Russian disinformation farms are reportedly trying to sow distrust in Western COVID-19 vaccines. Fake online news sites backed by these actors are publishing fake news articles making incorrect claims about the safety of the vaccines. 
  • A new declassified report states that Iranian and Russian actors attempted to sway the outcome of the 2020 presidential election by spreading fake and misleading information. However, the report states no foreign actors tried to alter voter registration files or vote counting. 
  • In response to the report, U.S. President Joe Biden said Russian President Vladimir Putin will “pay a price” for the election interference. New sanctions could come as early as next week. 
  • A fire at a large office building in Europe reportedly is affecting the operations of some well-known threat actors. Groups including Bahamut and OceanLotus may have lost physical infrastructure, including servers, in the fire. 
  • New iOS features suggest Apple may start releasing security updates for its products separately from feature changes. The iOS 14.5 beta has a new setting that allows users to select whether they want to install just security updates or the entirety of the release. 

Notable recent security issues


Title: F5 urges users to patch vulnerabilities that could open the door to complete control of systems 
Description: F5’s BIG-IP and BIG-IQ applications contain multiple critical vulnerabilities that could allow adversaries to completely compromise systems. The company urged users to patch as soon as possible. Several of the vulnerabilities disclosed last week could allow attackers to execute malicious code, disable services, and manipulate, delete and create files, among other malicious actions. In all, F5 Networks disclosed four critical vulnerabilities, seven high-severity bugs and 10 that are considered of “medium” severity. BIG-IP and BIG-IQ are usually deployed for application delivery services, such as load balancing, app security and access control. In a worst-case scenario, F5 said, an attacker could exploit a vulnerable BIG-IP appliance to break into the broader enterprise network.   
Snort SID: 57298 

Title: New detection, information available on Microsoft Exchange Server zero-day vulnerabilities 
Description: Since Microsoft's initial disclosure of multiple zero-day vulnerabilities in Microsoft Exchange Server, Cisco Talos has seen shifts in the tactics, techniques, and procedures (TTPs) associated with this malicious activity. Talos researchers have discovered other actors exploiting these vulnerabilities that appear to be separate from the initial "Hafnium" actor and include groups that are leveraging infrastructure previously attributed to cryptocurrency mining campaigns, groups creating or accessing web shells using notepad.exe or notepad++.exe and large amounts of scanning activity without successful exploitation. Talos has also identified organizations that may be involved in post-exploitation activity. The victimology shows that financial services have been disproportionately affected by exploitation, with a few other notable verticals following including health care, education and local/state governments.  
Snort SIDs: 57233 – 57246, 57251 – 57253 
ClamAV signatures: 
  • Win.Trojan.MSExchangeExploit-9838898-0 
  • Win.Trojan.MSExchangeExploit-9838899-0 
  • Win.Trojan.MSExchangeExploit-9838900-0 
  • Asp.Trojan.Webshell0321-9839392-0 
  • Asp.Trojan.Webshelljs0321-9839431-0 
  • Asp.Trojan.Webshell0321-9839771-0 
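The TTPs described above (web shells being created or accessed with notepad.exe or notepad++.exe on Exchange hosts) are the kind of thing host telemetry can surface cheaply. The Python below is an added example and is not Talos code or any Talos or ClamAV detection. It assumes a simple constructed event-line format, assumes that the Exchange web front end runs under the IIS worker process w3wp.exe (the newsletter itself does not name w3wp.exe), and uses constructed file paths and events throughout.

```python
"""Toy host-telemetry check for two of the Exchange post-exploitation TTPs in
the text: an IIS worker process spawning a text editor, and a script file being
written into a web-served directory. Event lines and paths are constructed."""
import re
from dataclasses import dataclass

# Assumption: Exchange's web front end runs inside the IIS worker process.
IIS_WORKER = "w3wp.exe"
# Editors the text says were used to create or access web shells.
EDITORS = {"notepad.exe", "notepad++.exe"}
# Extensions that IIS will execute as server-side script.
SCRIPT_EXTS = (".aspx", ".asp", ".ashx")
# Constructed web-served directory; real deployments differ (lower-case for matching).
WEB_DIRS = ("c:\\inetpub\\wwwroot\\",)

@dataclass
class Event:
    kind: str     # "process" (process creation) or "file" (file write)
    parent: str   # parent image path (process) or creating process (file)
    image: str    # created image path (process) or writing process (file)
    target: str   # command line (process) or written path (file)

# Constructed line format: kind parent="..." image="..." target="..."
LINE_RE = re.compile(
    r'^(?P<kind>process|file) parent="(?P<parent>[^"]*)" '
    r'image="(?P<image>[^"]*)" target="(?P<target>[^"]*)"$'
)

def basename(path):
    """Lower-cased final path component, so matching is case-insensitive."""
    return path.lower().rsplit("\\", 1)[-1]

def parse(line):
    """Parse one event line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    return Event(**m.groupdict()) if m else None

def classify(ev):
    """Return a finding label for a suspicious event, or None if it looks benign."""
    parent, image, target = basename(ev.parent), basename(ev.image), ev.target.lower()
    # Rule 1: the web server worker itself launching an interactive editor.
    if ev.kind == "process" and parent == IIS_WORKER and image in EDITORS:
        return "iis-worker-spawned-editor"
    # Rule 2: a server-side script file appearing under a web-served directory,
    # written by the worker or by an editor (consistent with web shell drops).
    if (ev.kind == "file" and target.endswith(SCRIPT_EXTS)
            and target.startswith(WEB_DIRS) and (image == IIS_WORKER or image in EDITORS)):
        return "script-file-written-to-web-dir"
    return None

def scan(lines):
    """Run the rules over event lines; return (label, target) pairs for hits."""
    findings = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        label = classify(ev)
        if label:
            findings.append((label, ev.target))
    return findings

# Constructed sample telemetry (not real logs): two hits, two benign, one junk line.
SAMPLE_LOG = [
    r'process parent="C:\Windows\System32\inetsrv\w3wp.exe" image="C:\Windows\System32\notepad.exe" target="C:\inetpub\wwwroot\example\shell.aspx"',
    r'file parent="C:\Windows\System32\inetsrv\w3wp.exe" image="C:\Windows\System32\notepad.exe" target="C:\inetpub\wwwroot\example\shell.aspx"',
    r'process parent="C:\Windows\explorer.exe" image="C:\Windows\System32\notepad.exe" target="C:\Users\admin\notes.txt"',
    r'file parent="C:\Windows\System32\svchost.exe" image="C:\Windows\System32\inetsrv\w3wp.exe" target="C:\inetpub\logs\LogFiles\W3SVC1\u_ex210318.log"',
    "# not an event line",
]

if __name__ == "__main__":
    for label, target in scan(SAMPLE_LOG):
        print(f"{label}: {target}")
```

Both rules are deliberately narrow: a legitimate administrator opening a file in Notepad from Explorer does not match, and the IIS worker writing its own logs does not match either, so the hits are worth a look rather than noise.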

Most prevalent malware files this week


MD5: 9a4b7b0849a274f6f7ac13c7577daad8 
Typical Filename: ww31.exe 
Claimed Product: N/A 
Detection Name: W32.GenericKD:Attribute.24ch.1201

MD5: 8c80dd97c37525927c1e549cb59bcbf3
Typical Filename: svchost.exe
Claimed Product: N/A 
Detection Name: Win.Exploit.Shadowbrokers::5A5226262.auto.talos

MD5: 34560233e751b7e95f155b6f61e7419a 
Typical Filename: SAntivirusService.exe 
Claimed Product: A n t i v i r u s S e r v i c e 
Detection Name: PUA.Win.Dropper.Segurazo::tpd 

MD5: b8a582da0ad22721a8f66db0a7845bed 
Typical Filename: flashhelperservice.exe 
Claimed Product: Flash Helper Service 
Detection Name: W32.Auto:5901ce0f36.in03.Talos 

MD5: f37167c1e62e78b0a222b8cc18c20ba7 
Typical Filename: flashhelperservice.exe 
Claimed Product: Flash Helper Service 
Detection Name: W32.4647F1A085.in12.Talos 

Keep up with all things Talos by following us on Twitter. Snort, ClamAV and Immunet also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast and Talos Takes (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter.  
