Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers.

We went viral this week! Everyone seemed to love to joke about these vulnerabilities we discovered in a WiFi-connected air fryer. An attacker, if they had physical access to the device, could exploit these vulnerabilities to change cook times and temperatures, or even turn the device on by themselves.

There's also a new Beers with Talos episode out this week. The guys have a special guest on this week to talk about the world of SCADA and IoT as it relates to security — we promise the conversation is way more interesting than all of those acronyms.

On the malware front, we have new research out highlighting an actor we're calling "Fajan." This group sends out spam emails to primarily Middle Eastern targets claiming to be from Bloomberg BNA — a news aggregation and business resource.

Cybersecurity week in review

Notable recent security issues

Title: U.S. blames Russian state-sponsored actors for exploiting vulnerabilities

Description: The U.S. National Security Agency released an advisory outlining several vulnerabilities that the Russian Foreign Intelligence Service (SVR) is exploiting in the wild. In this advisory, the U.S. formally attributed the recent SolarWinds supply chain attack to the SVR group and detailed more of the group's tactics, techniques and procedures. The exploits cover five CVEs affecting VPN solutions, collaboration suite software and virtualization technologies. All five CVEs have been patched — Cisco Talos encourages everyone running the affected software to update immediately. Some of these vulnerabilities also have working Metasploit modules and are currently being widely exploited. Please note that some of these vulnerabilities affect applications that use SSL.

Snort SIDs: 49898, 52512, 52513, 52603, 52620, 52662, 51370 - 51372, 51288 - 51390

Title: Google Chrome V8 engine exploited in the wild

Description: Google issued multiple updates to its Chrome web browser last week after researchers discovered several zero-day vulnerabilities in its V8 engine. The company stated in an update that exploits for vulnerabilities in V8 and in Chrome's rendering engine, Blink, exist in the wild. According to proof-of-concept code posted by a security researcher, an attacker could use an HTML and JavaScript file to launch the calculator app on Windows 10 when it is loaded into a Chromium-based browser. However, the implications are wider, including other types of code execution.

Snort SIDs: 57420 - 57424

Most prevalent malware files this week


Keep up with all things Talos by following us on Twitter. Snort, ClamAV and Immunet also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast here and Talos Takes here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.