Newsletter compiled by Jon Munshaw.
Good afternoon, Talos readers.
If you missed our webinar last week, we've got you covered. We've uploaded an extended version to our YouTube page that includes the scripts used in the presentation. This video will show you how to reverse-engineer and detect Android malware.
We also had Patch Tuesday this week, which featured some more vulnerabilities in Microsoft Exchange Server. Here is a full breakdown of the issues you should know about and Snort rules to keep users protected from exploitation. Cisco Talos researchers specifically discovered multiple vulnerabilities in Azure Sphere that were patched this month. For more on those specifically, check out the full Vulnerability Spotlight.
Upcoming public engagements with Talos
Title: Snort 3 and me
Date: April 20
Speakers: Alex Tatistcheff
Overview: Have you upgraded to Snort 3 yet? Want to learn how to transition? With Snort 3, rules are faster and more efficient, users have more control over their Snort experience, and it runs on multiple environments and operating systems. To help you make the switch, we're launching a new series of webinars with the help of the Snort product team and our friends across Cisco. To kick things off, Alex Tatistcheff, a technical marketing manager for Cisco, will be holding a presentation on Snort 3 on April 20 at 11 a.m. ET. Alex will address specific questions anyone has about Snort 3 and walk you through how to have a successful migration to Snort 3.
Cybersecurity week in review
- The U.S. formally attributed the SolarWinds supply chain attack to Russia in a new report. In retaliation for the attack, as well as interference in the 2020 presidential election, the Biden administration levied new sanctions against Russia.
- A cyber attack caused damage over the weekend at one of Iran's nuclear facilities where it enriches uranium. While the official cause is still being investigated, it appears someone caused a blackout at the plant.
- Researchers at IBM warned that the COVID vaccine supply chain continues to be under attack by online threat actors. A recent phishing campaign targeted 44 different companies involved in the distribution of the vaccine.
- The NBA's Houston Rockets team was the recent target of a ransomware attack on the team's company network. It is currently unclear if attackers encrypted or stole any information.
- The FBI launched a brief campaign this week to "copy and remove" backdoors from affected Microsoft Exchange Servers that were still vulnerable to recently disclosed zero-day vulnerabilities. A federal court in Texas approved the operation, which involved the FBI issuing a command through the web shell to the server.
- A new report indicates that the FBI partnered with an Australian security firm to break into an iPhone belonging to a mass murderer. Until now it was not known how the agency gained access to the device, which belonged to a man who took part in a terrorist attack in San Bernardino, California in 2015.
- Google released the latest version of its Chrome web browser that forces all traffic through HTTPS rather than HTTP by default. The update also patched 37 security vulnerabilities in the software.
- A set of vulnerabilities affecting multiple TCP/IP stacks puts many internet-of-things devices at risk. The "Name:Wreck" vulnerabilities could allow attackers to disable devices remotely or gain the ability to execute code on them.
- A ransomware group known as "Cl0p" is recruiting customers of breached companies to help the group extort its targets. Individuals whose data the actor acquired through cyber attacks are contacted and told to reach out to the targeted organization and urge it to pay the requested ransom.
Notable recent security issues
Title: Exchange Server critical vulnerabilities included in Patch Tuesday
Description: Microsoft released its monthly security update Tuesday, disclosing 108 vulnerabilities across its suite of products, the most in any month so far this year. Four new remote code execution vulnerabilities in Microsoft Exchange Server are included in Tuesday’s security update. Microsoft disclosed multiple zero-day vulnerabilities in Exchange Server earlier this year that attackers were exploiting in the wild. The new vulnerabilities Microsoft disclosed are identified as CVE-2021-28480, CVE-2021-28481, CVE-2021-28482 and CVE-2021-28483 — all of which are critical, and the highest of which has a CVSS severity score of 9.8 out of 10. There are 20 critical vulnerabilities as part of this release and one considered of “moderate” severity. The remainder are all “important.” Twelve of the critical vulnerabilities exist in the remote procedure call runtime.
Snort SIDs: 57403, 57404, 57411, 57414
Title: Attackers infiltrate collaboration app servers to spread spam, malware
Description: As telework has become the norm throughout the COVID-19 pandemic, attackers are modifying their tactics to take advantage of the changes to employee workflows. Attackers are leveraging collaboration platforms, such as Discord and Slack, to stay under the radar and evade organizational defenses. Collaboration platforms enable adversaries to conduct campaigns using legitimate infrastructure that may not be blocked in many network environments. RATs, information stealers, internet-of-things malware and other threats are leveraging collaboration platforms for delivery, component retrieval and command and control communications.
ClamAV signatures: Win.Trojan.AgentTesla-9846789-0, Js.Trojan.Downloader-9846867-0, Win.Dropper.Agent-9847178-0, Win.Trojan.Vebzenpak-9847193-0, Win.Trojan.Bulz-9847194-1, Win.Malware.Predator-9850360-1, Win.Trojan.Taskun-9850631-0, Win.Packed.Trojanx-9850692-0
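One defender-side check for the delivery technique described above: flag successful downloads of executable content from collaboration-platform file hosts in proxy logs. This is an added example, not code from Talos or the referenced blog post; the host names, log line format and sample lines are assumptions constructed for illustration.

```python
import re
from collections import namedtuple

# File-delivery hostnames for the platforms named in the text (Discord, Slack).
# Assumed here for illustration; adjust to what your own proxy/DNS telemetry shows.
COLLAB_FILE_HOSTS = {
    "cdn.discordapp.com": "Discord",
    "media.discordapp.net": "Discord",
    "files.slack.com": "Slack",
}
EXEC_EXTENSIONS = (".exe", ".dll", ".scr", ".js", ".jse", ".vbs", ".ps1", ".bat", ".msi")
EXEC_MIME = {"application/x-dosexec", "application/x-msdownload", "application/octet-stream"}

# Constructed proxy log lines (not real telemetry): ts client host path status mime bytes
SAMPLE_PROXY_LOG = """\
2021-04-14T13:02:11Z 10.1.4.22 cdn.discordapp.com /attachments/111/222/invoice_scan.exe 200 application/x-dosexec 487424
2021-04-14T13:02:15Z 10.1.4.22 cdn.discordapp.com /attachments/111/223/team_photo.png 200 image/png 91234
2021-04-14T13:05:40Z 10.1.7.9 files.slack.com /files-pri/T01/F02/report.js 200 text/javascript 4012
2021-04-14T13:06:02Z 10.1.7.9 www.example.com /index.html 200 text/html 5120
"""

Hit = namedtuple("Hit", "ts client platform path reason")

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\S+) (\d+)$")

def find_collab_executable_downloads(log_text):
    """Return Hit records for successful downloads of executable content from collab file hosts."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        ts, client, host, path, status, mime, _size = m.groups()
        platform = COLLAB_FILE_HOSTS.get(host.lower())
        if platform is None or status != "200":
            continue  # only completed downloads from the watched hosts matter
        reasons = []
        if path.lower().endswith(EXEC_EXTENSIONS):
            reasons.append("executable extension")
        if mime.lower() in EXEC_MIME:
            reasons.append("executable content-type")
        if reasons:
            hits.append(Hit(ts, client, platform, path, "; ".join(reasons)))
    return hits

if __name__ == "__main__":
    for h in find_collab_executable_downloads(SAMPLE_PROXY_LOG):
        print(f"{h.ts} {h.client} -> {h.platform} {h.path} [{h.reason}]")
```

Flagged hits are triage leads, not verdicts; pair them with the file hash and ClamAV detection before acting.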
Most prevalent malware files this week
SHA 256: e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd
MD5: 8193b63313019b614d5be721c538486b
Typical Filename: SAService.exe
Claimed Product: SAService
Detection Name: PUA.Win.Dropper.Segurazo::95.sbx.tg
SHA 256: c1d5a585fce188423d31df3ea806272f3daa5eb989e18e9ecf3d94b97b965f8e
MD5: 9a4b7b0849a274f6f7ac13c7577daad8
Typical Filename: ww31.exe
Claimed Product: N/A
Detection Name: W32.GenericKD:Attribute.24ch.1201
SHA 256: 17c4a85cdc339f525196d7f5da3a02e43c97513ff50b6bc17db4470ae3b182e2
MD5: 96f8e4e2d643568cf242ff40d537cd85
Typical Filename: SAService.exe
Claimed Product: SAService
Detection Name: PUA.Win.File.Segurazo::95.sbx.tg
SHA 256: 8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9
MD5: 34560233e751b7e95f155b6f61e7419a
Typical Filename: SAntivirusService.exe
Claimed Product: A n t i v i r u s S e r v i c e
Detection Name: PUA.Win.Dropper.Segurazo::tpd
SHA 256: 85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5
MD5: 8c80dd97c37525927c1e549cb59bcbf3
Typical Filename: svchost.exe
Claimed Product: N/A
Detection Name: Win.Exploit.Shadowbrokers::5A5226262.auto.talos
Keep up with all things Talos by following us on Twitter. Snort, ClamAV and Immunet also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast here and Talos Takes here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.