Thursday, April 22, 2021

Threat Source Newsletter (April 22, 2021)

Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers.  

We went viral this week! Everyone seemed to love to joke about these vulnerabilities we discovered in a WiFi-connected air fryer. An attacker, if they had physical access to the device, could exploit these vulnerabilities to change cook times and temperatures, or even turn the device on by themselves.

There's also a new Beers with Talos episode out this week. The guys have a special guest on this week to talk about the world of SCADA and IoT as it relates to security — we promise the conversation is way more interesting than all of those acronyms.

On the malware front, we have new research out highlighting an actor we're calling "Fajan." These groups send out spam emails to primarily Middle Eastern targets claiming to be from Bloomberg BNA — a news aggregation and business resource. 

Cybersecurity week in review

Notable recent security issues

Description: The U.S. National Security Agency released an advisory outlining several vulnerabilities that the Russian Foreign Intelligence Services (SVR) is exploiting in the wild. The U.S. formally attributed the recent SolarWinds supply chain attack to the SVR group in this advisory and detailed more of the group's tactics, techniques and procedures. The exploits included a series of five CVEs that affect VPN solutions, collaboration suite software and virtualization technologies. All five of the CVEs have been patched — Cisco Talos encourages everyone with the affected software update immediately. Some of these vulnerabilities also have working metasploit modules and are currently being widely exploited. Please note that some of these vulnerabilities exploit applications leveraging SSL. 
Snort SIDs: 49898, 52512, 52513, 52603, 52620, 52662, 51370 – 51372, 51288 - 51390 

Description: Google issued multiple updates to its Chrome web browser last week after researchers discovered multiple zero-day vulnerabilities in its V8 engine. The company stated in an update that exploits for vulnerabilities in V8 and Chrome's rendering engine Blink exist in the wild. According to proof-of-concept code posted by a security researcher, an attacker could use an HTML and JavaScript file to launch the calculator app on Windows 10 when loaded into a Chromium-based browser. However, it has larger wide-range implications, including other types of code execution.  
Snort SIDs: 57420 - 57424 

Most prevalent malware files this week

MD5: 9a4b7b0849a274f6f7ac13c7577daad8 
Typical Filename: ww31.exe 
Claimed Product: N/A 
Detection Name: W32.GenericKD:Attribute.24ch.1201

MD5: 34560233e751b7e95f155b6f61e7419a 
Typical Filename: SAntivirusService.exe 
Claimed Product: A n t i v i r u s S e r v i c e 
Detection Name: PUA.Win.Dropper.Segurazo::tpd 

MD5: 84291afce6e5cfd615b1351178d51738 
Typical Filename: webnavigatorbrowser.exe 
Claimed Product: WebNavigatorBrowser 
Detection Name: W32.BFBE7022A4.5A6DF6a61.auto.Talos 
MD5: 8c80dd97c37525927c1e549cb59bcbf3
Typical Filename: svchost.exe
Claimed Product: N/A 
Detection Name: Win.Exploit.Shadowbrokers::5A5226262.auto.talos

MD5: 96f8e4e2d643568cf242ff40d537cd85 
Typical Filename: SAService.exe  
Claimed Product: SAService  
Detection Name: PUA.Win.File.Segurazo::95.sbx.tg 

Keep up with all things Talos by following us on TwitterSnortClamAV and Immunet also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast here and Talos Takes here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.  

No comments:

Post a Comment

Note: Only a member of this blog may post a comment.