Thursday, March 4, 2021

Threat Source newsletter (March 4, 2021)

Newsletter compiled by Jon Munshaw.

Of course, we will start things off talking about the Microsoft Exchange Server zero-day vulnerabilities disclosed earlier this week. Microsoft said in a statement that a threat actor is exploiting these vulnerabilities in the wild to steal users’ emails, understandably causing a lot of panic in the security community. 

Thankfully, patches are already available for the product, so update as soon as possible. We also have a ton of coverage across Cisco Secure products to keep users protected, including SNORT® rules, additions to Talos’ blocklist and Cisco Secure Endpoint.

Elsewhere in the malware space, we also have a new breakdown of ObliqueRAT, which is a threat we’ve been following for a while. This new campaign utilizes updated macro code to download and deploy its payload. The attackers have also updated the infection chain to deliver ObliqueRAT via adversary-controlled websites.

There are also several other vulnerabilities we disclosed this week that you should know about. Check out our Vulnerability Spotlights for WebKit, Epignosis eFront and Accusoft ImageGear.


Upcoming public engagements with Talos

Date: March 30 – April 1 
Speakers: Nick Biasini, more TBA 
Overview: Join us for the annual Cisco Live conference, which this year is held virtually, across all regions at the same time, for the first time. Cisco Live is your destination for year-round technical education and training. There will be many on-demand sessions to choose from throughout the conference. Nick Biasini of Talos Outreach will provide a broad overview of the past year’s threats and trends we’ve been seeing, with a specific focus on dual-use tools and supply chain attacks. Additional sessions will be announced in the coming weeks.

Cybersecurity week in review

  • The Exchange vulnerabilities caused the U.S. Cybersecurity and Infrastructure Security Agency to issue an emergency advisory, asking all government agencies to address the vulnerabilities immediately. The alert calls on agencies to triage their network activity, system memory, logs, Windows event logs and registry records to find any suspicious behavior. 
  • Rumors swirled last week that the SolarWinds security incident may have begun with the leak of a very basic password. However, company officials have clarified that the password incident had nothing to do with the wide-ranging breach. 
  • Several government entities are launching their own independent investigations into the SolarWinds breach, including the Securities and Exchange Commission, the Department of Justice and several state attorneys general. 
  • The FBI is renewing a push against encryption, warning Congress that law enforcement should have access to secure data. FBI Director Christopher Wray said this is especially important in the wake of the mob attack on the U.S. Capitol in January and additional calls for violence against lawmakers.
  • An Oxford University biology lab says it was the victim of a security breach, including attackers obtaining access to machines that prepare biochemical samples. The lab is one of the leading centers in the world for COVID-19 vaccines and treatments. 
  • The fast-growing social media app Clubhouse could have several underlying security concerns. Some security researchers say unauthorized adversaries could record rooms’ voice chats, and other vulnerabilities may expose users’ personal information.
  • The rate of ransomware attacks against school systems and hospitals is down in the first part of 2021. This comes after a historic rate of campaigns against these highly vulnerable targets during the COVID-19 pandemic last year.
  • Right-leaning chat app Gab was the victim of a data breach, with more than 15,000 accounts having some of their chat history posted online. The founder of the service says that one of the accounts affected belongs to former U.S. President Donald Trump. 
  • Google announced this week it’s done selling ads based on a user’s individual browsing data. Instead, the company will track consumers in large anonymized groups and serve ads based on that information. 

Notable recent security issues

Description: Cisco Talos recently discovered another new campaign distributing the malicious remote access trojan (RAT) ObliqueRAT. In the past, Talos connected ObliqueRAT and another campaign from December 2019 distributing CrimsonRAT. These two malware families share similar maldocs and macros. This new campaign, however, utilizes completely different macro code to download and deploy the ObliqueRAT payload. The attackers have also updated the infection chain to deliver ObliqueRAT via adversary-controlled websites. This new campaign is a typical example of how adversaries react to attack disclosures and evolve their infection chains to evade detections. Modifications in the ObliqueRAT payloads also highlight the usage of obfuscation techniques that can be used to evade traditional signature-based detection mechanisms. 
Snort SIDs: 57168 - 57175 
ClamAV signature: Doc.Downloader.ObliqueRAT-9835361-0 
 
Description: Cisco patched three critical vulnerabilities in some of the company’s high-end software systems last week: two that affect the Application Services Engine and one that exists in the NX-OS operating system. The most severe of the vulnerabilities is rated a 10 out of 10 on the CVSS scale. Cisco’s advisory states an attacker could exploit this vulnerability to bypass authentication on a targeted device by receiving a token with administrator-level privileges. They could then authenticate to the targeted device’s API.
Snort SIDs: 57222, 57223 

Most prevalent malware files this week

MD5: 9a4b7b0849a274f6f7ac13c7577daad8 
Typical Filename: ww31.exe 
Claimed Product: N/A 
Detection Name: W32.GenericKD:Attribute.24ch.1201 

MD5: 8c80dd97c37525927c1e549cb59bcbf3
Typical Filename: svchost.exe
Claimed Product: N/A 
Detection Name: Win.Exploit.Shadowbrokers::5A5226262.auto.talos

MD5: 8193b63313019b614d5be721c538486b 
Typical Filename: SAntivirusService.exe 
Claimed Product: SAService 
Detection Name: PUA.Win.Dropper.Segurazo::95.sbx.tg 

MD5: f37167c1e62e78b0a222b8cc18c20ba7 
Typical Filename: flashhelperservice.exe 
Claimed Product: Flash Helper Service 
Detection Name: W32.4647F1A085.in12.Talos 

MD5: 34560233e751b7e95f155b6f61e7419a 
Typical Filename: SAntivirusService.exe 
Claimed Product: A n t i v i r u s S e r v i c e 
Detection Name: PUA.Win.Dropper.Segurazo::tpd 
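The MD5 hashes above are the kind of indicators readers typically pull into a quick sweep of a suspect host or a file share. The following is an added example, not Talos code: it walks a directory tree, hashes every file in chunks so large binaries do not have to be read into memory, and reports any file whose MD5 appears in the newsletter's list. The IOC table is copied from the entries above; the directory path and the `iocs` override are assumptions for illustration. MD5 is used only because that is what the newsletter publishes, so treat a hit as a lead to pivot on (file name, location, signer) rather than a final verdict, and expect trivially modified samples to miss.

```python
import hashlib
import os

# Indicators copied from this week's "Most prevalent malware files" list:
# MD5 -> typical filename reported with it.
IOC_MD5 = {
    "9a4b7b0849a274f6f7ac13c7577daad8": "ww31.exe",
    "8c80dd97c37525927c1e549cb59bcbf3": "svchost.exe",
    "8193b63313019b614d5be721c538486b": "SAntivirusService.exe",
    "f37167c1e62e78b0a222b8cc18c20ba7": "flashhelperservice.exe",
    "34560233e751b7e95f155b6f61e7419a": "SAntivirusService.exe",
}


def md5_file(path, chunk_size=1 << 20):
    """Return the hex MD5 of a file, reading it in 1 MiB chunks."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root, iocs=None):
    """Walk `root` and return (path, md5, reported_filename) for every
    file whose digest is in `iocs` (defaults to the newsletter list).
    Unreadable files (permissions, transient locks) are skipped rather
    than aborting the sweep."""
    if iocs is None:
        iocs = IOC_MD5
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                digest = md5_file(path)
            except OSError:
                continue
            if digest in iocs:
                hits.append((path, digest, iocs[digest]))
    return hits


if __name__ == "__main__":
    # Assumed scan root for illustration; point it at the directory under review.
    for path, digest, typical in scan_tree("."):
        print(f"HIT {path} md5={digest} (reported as {typical})")
```

A hit where the on-disk name differs from the reported "typical filename" is still a hit: the hash is the indicator, the name is context. Running this on a live Windows host should be done from a read-only perspective (mounted image or forensic copy) so the sweep itself does not alter timestamps on evidence.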

Keep up with all things Talos by following us on Twitter. Snort, ClamAV and Immunet also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.
