Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers.

In case you missed the Friday news drop last week, we have an update on the Lemon Duck cryptocurrency miner. It's not as eye-catching as the ransomware attacks that make the news, but Lemon Duck's exploitation of Microsoft Exchange servers shows that patching is still king, and a cryptocurrency attack shows there's room for additional attacks in the future.

Speaking of patching, it's time to update your Microsoft products if you haven't already. This month's Patch Tuesday included a wormable vulnerability in the HTTP protocol stack that has a severity score of 9.8 out of 10. Of course, it's important to always patch any and all vulnerabilities, but that's the one that most people came out of Tuesday talking about.

Upcoming public engagements with Talos

Title: Cisco Secure at RSA 2021

Date: May 17 - 20

Overview: Come visit Cisco's booth virtually at the RSA Conference 2021. We'll have on-demand talks with Talos researchers and Incident Responders available all week long, and even after the conference for those who have the appropriate virtual badge.

Title: Snort 3 and me (Part 2)

Date: May 25 at 11 a.m. ET

Overview: Join us as we once again provide a base-level overview of Snort 3 — the next generation of IPS. Alex Tatistcheff returns to discuss Cisco IPS' internal operations. This is the perfect place to jump on if you haven't upgraded to Snort 3 yet. For more on Snort 3, head to Snort.org.

Cybersecurity week in review

  • The Colonial Pipeline, responsible for much of the petroleum products in the Eastern U.S., slowly came back online this week after suffering a ransomware attack. The company behind the pipeline said it could take "several days for the product delivery supply chain to return to normal."
  • The FBI quickly identified the DarkSide ransomware group as being behind the attack. DarkSide's operators claimed in a statement that they are apolitical and their motivations are strictly financially driven.
  • A new executive order from the U.S. president aims to improve the nation's cybersecurity by reducing barriers to information sharing and creating new standards. The order also establishes a new Cybersecurity Safety Review Board.
  • The U.K.'s National Health Service was one of the largest targets of the WannaCry attack in 2017 that disrupted health care systems across the world. The NHS is now taking lessons learned from that incident to help other hospitals prepare for cyber attacks.
  • Attackers leaked the information of 22 Washington, D.C. police officers in the continuation of an attempted extortion attempt. A recent cyber attack compromised sensitive files belonging to the law enforcement agency and released an initial round of files two weeks ago.
  • MSI, a manufacturer of GPUs, warned users that attackers are using fake overclocking software to spread malware. The adversaries impersonating MSI's website and offer downloads disguised as downloads for MSI’s Afterburner software.
  • A new study from MIT found that social media users correcting other users for spreading disinformation actually leads to the spread of additional fake news. The researchers instead found it was more effective to have users take an "accuracy nudge" quiz and judge the accuracy of random headlines.
  • Microsoft's CISO recently touted the successes of the company's switch to passwordless security. Bret Arsenault said in an interview that 90 percent of Microsoft employees can access the company's corporate network without a password.
  • Adobe patched a vulnerability it says was actively being exploited in the wild. The vulnerability in Adobe Acrobat Reader could lead to arbitrary code execution.

Notable recent security issues

Title: Microsoft fixes wormable remote code execution vulnerability in HTTP protocol stack

Description: Microsoft released its monthly security update Tuesday, disclosing 55 vulnerabilities across its suite of products, the fewest in any month since January 2020. There are only three critical vulnerabilities patched in this month, while two are of “moderate” severity and the rest are “important.” All three critical vulnerabilities, however, are considered "more likely” to be exploited, according to Microsoft.  This month’s security update provides patches for several major pieces of software, including Microsoft Office, SharePoint and Windows’ wireless networking. The most serious vulnerability exists in the HTTP protocol stack. An unauthenticated attacker could exploit CVE-2021-31166 by sending a specially crafted packet to a targeted server utilizing the stack. If successful, the adversary could gain the ability to execute remote code on the targeted server. According to Microsoft, the vulnerability is wormable and the company “recommends prioritizing the patching of affected servers.” It has a CVSS severity score of 9.8 out of 10.

Snort SIDs: 57539, 57540, 57542 – 57545, 57548 - 57550

Title: Cisco discloses critical vulnerabilities that expose corporate networks

Description: Cisco recently patched three critical security vulnerabilities between the SD-WAN vManage software and the HyperFlex HX platform. These vulnerabilities, if left unpatched, could allow an attacker to completely take over corporate networks that are using this software. vManage is a network management system that allows users to monitor and configure any devices and links they have in the broader SD-WAN. The most serious vulnerability in this group is CVE-2021-1468, which has a CVSS severity score of 9.8 out of 10. An attacker could exploit this vulnerability by submitting a specially crafted input to the service, eventually allowing them to call privileged actions on the affected systems. The adversary could then also create new administrative-level accounts.

Snort SIDs: 57527 – 57530, 57535 - 57538

Most prevalent malware files this week

SHA 256: c1d5a585fce188423d31df3ea806272f3daa5eb989e18e9ecf3d94b97b965f8e

MD5: 9a4b7b0849a274f6f7ac13c7577daad8

Typical Filename: ww31.exe

Claimed Product: N/A

Detection Name: W32.GenericKD:Attribute.24ch.1201

SHA 256: e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd

MD5: 8193b63313019b614d5be721c538486b

Typical Filename: SAService.exe

Claimed Product: SAService

Detection Name: PUA.Win.Dropper.Segurazo::95.sbx.tg

SHA 256: 8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9

MD5: 34560233e751b7e95f155b6f61e7419a

Typical Filename: SAntivirusService.exe

Claimed Product: A n t i v i r u s S e r v i c e

Detection Name: PUA.Win.Dropper.Segurazo::tpd

SHA 256: 85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5

MD5: 8c80dd97c37525927c1e549cb59bcbf3

Typical Filename: svchost.exe

Claimed Product: N/A

Detection Name: Win.Exploit.Shadowbrokers::5A5226262.auto.talos

SHA 256: 5e46ecffcff9440e97bf4f0a85ad34132407f925b27a8759f5a01de5ea4da6af

MD5: 0a13d106fa3997a0c911edd5aa0e147a

Typical Filename: mg20201223-1.exe

Claimed Product: N/A

Detection Name: RanumBot::mURLin::W32.5E46ECFFCF.in12.Talos

Keep up with all things Talos by following us on Twitter. Snort, ClamAV and Immunet also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast here and Talos Takes here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.