Thursday, April 29, 2021

Threat Source Newsletter (April 29, 2021)


Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers.  

Ransomware is not just financial extortion. It is a crime that transcends business, academic and geographic boundaries. Talos was proud to assist with a newly released report from the international Ransomware Task Force that lays out a path forward to disrupt this criminal enterprise. The report was a large undertaking by Talos researchers and our cybersecurity partners from across the globe, and everyone should read it.

And if you're in the mood to watch rather than read, we uploaded a recording of a LinkedIn Live video from earlier this week to our YouTube page. Martin Lee from Talos Outreach joined security blogger Graham Cluley to discuss cybersecurity threats during our current (and likely permanent) work from home situation.

Cybersecurity week in review

  • U.S. President Joe Biden is shopping around a $2 trillion infrastructure package. But security experts say with all of this new infrastructure comes the challenge of securing it.
  • Biden is also working on a new executive order that would outline new cybersecurity standards companies must meet before taking on federal contracts. The effort is part of the administration's continued response to the SolarWinds supply chain attack.
  • Researchers discovered a vulnerability in Apple's AirDrop feature that could allow anyone in wireless range to learn a user's personally identifiable information. During an AirDrop exchange, the user's device sends a SHA-256 hash of the owner's phone number. A phone number has far less entropy than the hash that protects it, so an attacker who captures the hash can brute-force every plausible number until one matches.
  • Passwordstate, an Australian password manager, was the victim of a recent supply chain attack that potentially exposed users' stored passwords. The company warned its global customer base to reset every password stored in the product.
  • The latest version of Apple's iOS includes a long-awaited privacy feature. Users can now opt out of third-party apps tracking their use and selling that information to other third parties. The update also fixed several vulnerabilities.
  • Attackers seeking to extort the Washington, D.C. police department have leaked sensitive information about five current and former officers. The information includes arrest history, polygraph results and previous work history.
  • A recently discovered Linux backdoor has flown under the radar for years. RotaJakiro remains undetected by anti-virus engines and can allow adversaries to exfiltrate large amounts of data.
  • An APT group successfully exploited the SolarWinds Orion platform on a U.S. company's network by disguising themselves as legitimate teleworking employees. The actors planted a backdoor called "Supernova" to conduct reconnaissance, data theft and domain mapping.
  • Some cancer care in the U.S. was delayed after a medical systems company suffered a cyber attack. More than 40 health care sites across the country saw their radiation treatment services disrupted earlier this month.
  • Many cryptocurrency users want to turn to hardware wallets to store their virtual currencies. The Internal Revenue Service is actively seeking ways to break into these wallets in criminal investigations.
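The AirDrop item above rests on one point worth seeing in code: hashing a value does not hide it when an attacker can enumerate every value it could take. The block below is an added example, not code from the researchers or from Apple. It assumes the identifier is hashed as a plain E.164 string with SHA-256 (the exact normalization AirDrop applies is not stated on this page); the victim number is a constructed, fictional one.

```python
import hashlib
import math
from typing import Iterator, Optional

# Constructed sample: a phone number we pretend to have observed only as its
# SHA-256 digest. 555-01xx numbers are reserved for fiction, so it is not real.
VICTIM_NUMBER = "+14155550137"


def contact_hash(identifier: str) -> str:
    """SHA-256 over the identifier string.

    Assumption: the exact normalization AirDrop applies before hashing is not
    stated on the page; a plain E.164 string is used here. The attack only
    requires that the attacker knows the normalization, whatever it is.
    """
    return hashlib.sha256(identifier.encode("ascii")).hexdigest()


def candidate_numbers(country: str, area_code: str,
                      exchange: Optional[str] = None) -> Iterator[str]:
    """Enumerate E.164 numbers for a North American area code.

    With only the area code known there are 10**7 candidates; if the attacker
    also knows the three-digit exchange, 10**4. Either is trivial for SHA-256.
    """
    if exchange is None:
        for n in range(10 ** 7):
            yield f"+{country}{area_code}{n:07d}"
    else:
        for n in range(10 ** 4):
            yield f"+{country}{area_code}{exchange}{n:04d}"


def recover_number(target_hash: str, country: str, area_code: str,
                   exchange: Optional[str] = None) -> Optional[str]:
    """Brute-force the digest: hash every candidate until one matches.

    Returns the recovered number, or None if it lies outside the searched space.
    """
    for cand in candidate_numbers(country, area_code, exchange):
        if contact_hash(cand) == target_hash:
            return cand
    return None


def search_space_bits(candidates: int) -> float:
    """Effective entropy of the hashed input in bits: log2 of how many values
    it can take. A 10-digit number is about 33 bits, regardless of the fact
    that the digest itself is 256 bits wide."""
    return math.log2(candidates)


if __name__ == "__main__":
    observed = contact_hash(VICTIM_NUMBER)  # what the attacker captures
    print("observed digest:", observed)
    print("entropy of a 10-digit number: %.1f bits" % search_space_bits(10 ** 10))
    # The attacker guesses the region (area code 415, exchange 555) and
    # recovers the number from the digest alone.
    print("recovered:", recover_number(observed, "1", "415", "555"))
```

Running it recovers the constructed number from its digest in a fraction of a second. The lesson generalizes beyond AirDrop: a hash of a phone number, an email address or any other low-entropy identifier is a reversible encoding, not a secret, and a protocol that needs to compare such values privately must avoid handing the raw hash to an unauthenticated peer.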

Notable recent security issues

Description: Pulse Secure announced that a critical vulnerability (CVE-2021-22893) was discovered in its VPN product Pulse Connect Secure in a recent security advisory. The advisory states that, "a vulnerability was discovered under Pulse Connect Secure (PCS). This includes an authentication by-pass vulnerability that can allow an unauthenticated user to perform remote arbitrary file execution on the Pulse Connect Secure gateway. This vulnerability has a critical CVSS score and poses a significant risk to your deployment." The company released a blog post alongside this advisory disclosing that the vulnerability has been exploited in the wild. The U.S. Cybersecurity and Infrastructure Security Agency also released an alert warning of these vulnerabilities. In the alert, CISA notes that networks belonging to multiple government agencies, critical infrastructure entities and private sector organizations have been compromised going as far back as June 2020.
Snort SIDs: 51288, 51289, 51390, 57452 - 57459 and 57461 - 57468

Description: A new report indicates that the number of malware campaigns using COVID-19-themed lures continues to rise, even more than a year after the pandemic took hold in the U.S. New data shows that COVID-related cyber attack detections rose by 240 percent in the third quarter of 2020 and 114 percent in the fourth quarter. Many attackers relied on privilege escalation techniques to spread ransomware and other threats on the back of these campaigns. Some used PowerShell, while others relied on remote access trojans such as Remcos. Several state-sponsored actors have also been involved in these attacks.
Snort SIDs: 57431 

Most prevalent malware files this week

MD5: 9a4b7b0849a274f6f7ac13c7577daad8 
Typical Filename: ww31.exe 
Claimed Product: N/A 
Detection Name: W32.GenericKD:Attribute.24ch.1201

MD5: 8193b63313019b614d5be721c538486b 
Typical Filename: SAService.exe 
Claimed Product: SAService 
Detection Name: PUA.Win.Dropper.Segurazo::95.sbx.tg 

MD5: d709ea22945c98782dc69e996a98d643 
Typical Filename: FlashHelperService.exe 
Claimed Product: Flash Helper Service 
Detection Name: W32.Auto:3bc24c6181.in03.Talos

MD5: 8c80dd97c37525927c1e549cb59bcbf3
Typical Filename: svchost.exe
Claimed Product: N/A 
Detection Name: Win.Exploit.Shadowbrokers::5A5226262.auto.talos

MD5: 96f8e4e2d643568cf242ff40d537cd85 
Typical Filename: SAService.exe  
Claimed Product: SAService  
Detection Name: PUA.Win.File.Segurazo::95.sbx.tg 

Keep up with all things Talos by following us on Twitter. Snort, ClamAV and Immunet also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast here and Talos Takes here (as well as on your favorite podcast app). And, if you're not already, you can also subscribe to the weekly Threat Source newsletter here.
