Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers.

COVID-19 has changed everything about our lives — no surprise there. So it also shouldn't be shocking that it's changing the way Americans view Tax Day this year.

The deadline to file taxes is about a month later than usual and is now only 11 days away. Attackers have jumped on this opportunity to create new malware campaigns centered around taxes and COVID-19. You don't want to miss the latest Talos Takes episode where we talk about scams around supposed rewards for receiving your COVID vaccine, promises of better tax returns, and everything else you could think of with "taxes" in the subject line of a spam email.

Upcoming public engagements with Talos

Title: Cisco Secure at RSA 2021

Date: May 17 - 20

Overview: Come visit Cisco's booth virtually at the RSA Conference 2021. We'll have on-demand talks with Talos researchers and Incident Responders available all week long, and even after the conference for those who have the appropriate virtual badge.

Title: Snort 3 and me (Part 2)

Date: May 25 at 11 a.m. ET

Overview: Join us as we once again provide a base-level overview of Snort 3 — the next generation of IPS. Alex Tatistcheff returns to discuss Cisco IPS' internal operations. This is the perfect place to jump on if you haven't upgraded to Snort 3 yet. For more on Snort 3, head to Snort.org.

Cybersecurity week in review

  • International law enforcement recently removed the infamous Emotet botnet from infected machines. At least nine countries joined up to deal what they hope is the death blow to the threat.
  • Afterward, the FBI released the emails of affected users. Anyone looking to see if their email was compromised as part of Emotet can check via the popular website Have I Been Pwned.
  • Apple released updates to all its major operating systems this week to fix vulnerabilities in its WebKit browser engine. The company says one of the vulnerabilities may have been exploited in the wild.
  • Several top American lawmakers are pushing for the U.S. Cybersecurity and Infrastructure Security Agency to have greater control over disclosing and patching vulnerabilities in ICS systems. New legislation, they say, is needed to better protect U.S. water and power supplies.
  • Software development tool Codecov started informing customers this week if they were affected by a recent supply chain attack. Codecov released several IP addresses as IOCs that they say threat actors used to collect sensitive information from users who downloaded a malicious update.
  • Attackers breached sensitive information belonging to a popular therapy service in Finland late last year. Some users received ransom notes from the attackers warning that their information would be leaked, including therapists' notes, if they did not pay a fee in Bitcoin.
  • A set of websites are offering to pay users for handing over their login credentials for services at their employer. For example, one site promises they'll tell the user how much they earn compared to their peers if they hand over their payroll site credentials.
  • A new malware known as PortDoor is targeting Russian defense contractors. Security researchers say the threat could be linked to a Chinese APT known for using the RoyalRoad weaponizer in the past.
  • The actors behind the Buer malware have completely rewritten the threat in the Rust programming language. It is believed this is primarily to avoid detection already written for Buer.

Notable recent security issues

Title: Information disclosure vulnerability in Linux Kernel

Description: Cisco Talos recently discovered an information disclosure vulnerability in the Linux Kernel. The Linux Kernel is the free and open-source core of Unix-like operating systems. This vulnerability specifically exists in the /proc/pid/syscall functionality of 32-bit ARM devices running Linux. CVE-2020-28588 is an information disclosure vulnerability that could allow an attacker to view Kernel stack memory. Talos researchers first discovered this issue on an Azure Sphere device (version 20.10), a 32-bit ARM device that runs a patched Linux kernel. An attacker could exploit this vulnerability by reading /proc/<pid>/syscall, a legitimate Linux operating system file — making it impossible to detect on a network remotely. If utilized correctly, an attacker could leverage this information leak to successfully exploit additional unpatched Linux vulnerabilities.

Title: Cisco discloses multiple vulnerabilities in Adaptive Security Appliance

Description: Cisco disclosed multiple vulnerabilities in its Adaptive Security Appliance software and Cisco Firepower Threat Defense. One high-severity vulnerability, CVE-2021-1493, could allow an attacker to cause a buffer overflow condition. An attacker could exploit this vulnerability by sending a malicious HTTP request. A successful exploit could allow the attacker to cause a buffer overflow condition on the affected system, which could disclose data fragments or cause the device to reload, resulting in a denial of service (DoS) condition. Another medium-risk vulnerability could allow an adversary to inject commands that could be executed with root privileges on the underlying operating system.

References: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asa-cmdinj-TKyQfDcU

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-memc-dos-fncTyYKG

Snort SIDs: 57486, 57488, 57489

Most prevalent malware files this week

SHA 256: c1d5a585fce188423d31df3ea806272f3daa5eb989e18e9ecf3d94b97b965f8e

MD5: 9a4b7b0849a274f6f7ac13c7577daad8

Typical Filename: ww31.exe

Claimed Product: N/A

Detection Name: W32.GenericKD:Attribute.24ch.1201

SHA 256: cda7eb57321e133ca126aa8237a8432e8c539830656d64976bc953a70c0fa587

MD5: ec26aef08313a27cfa06bfa897972fc1

Typical Filename: 01fd0f9a83cb940bca23fbeea3ecaffcfb4df2ef.vbs

Claimed Product: N/A

Detection Name: Win.Worm.Dunihi::tpd

SHA 256: 5524fee1bb95b3778857b414586611584794867c5fce1952d22dcba93c5cd243

MD5: f2c1aa209e185ed50bf9ae8161914954

Typical Filename: webnavigatorbrowser_exe

Claimed Product: WebNavigatorBrowser

Detection Name: W32.5524FEE1BB.5A6DF6a61.auto.Talos

SHA 256: e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd

MD5: 8193b63313019b614d5be721c538486b

Typical Filename: SAService.exe

Claimed Product: SAService

Detection Name: PUA.Win.Dropper.Segurazo::95.sbx.tg

SHA 256: 85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5

MD5: 8c80dd97c37525927c1e549cb59bcbf3

Typical Filename: svchost.exe

Claimed Product: N/A

Detection Name: Win.Exploit.Shadowbrokers::5A5226262.auto.talos
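The hash list above is meant to be consumed by tooling, not read by eye. The script below is an added example, not Talos code: it loads the five SHA 256 and MD5 pairs from this newsletter into a lookup table, hashes every regular file under a directory in one pass, and reports any file whose digest matches. The sample files it scans are constructed in a temporary directory for the demonstration; the constructed hash it appends to a copy of the IOC table is there only so that the match path can be exercised without touching real malware.

```python
import hashlib
import tempfile
from pathlib import Path

# IOC values copied from the newsletter's "Most prevalent malware files this week" list,
# mapped to the detection name Talos lists for each sample.
TALOS_IOCS = {
    "sha256": {
        "c1d5a585fce188423d31df3ea806272f3daa5eb989e18e9ecf3d94b97b965f8e": "W32.GenericKD:Attribute.24ch.1201",
        "cda7eb57321e133ca126aa8237a8432e8c539830656d64976bc953a70c0fa587": "Win.Worm.Dunihi::tpd",
        "5524fee1bb95b3778857b414586611584794867c5fce1952d22dcba93c5cd243": "W32.5524FEE1BB.5A6DF6a61.auto.Talos",
        "e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd": "PUA.Win.Dropper.Segurazo::95.sbx.tg",
        "85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5": "Win.Exploit.Shadowbrokers::5A5226262.auto.talos",
    },
    "md5": {
        "9a4b7b0849a274f6f7ac13c7577daad8": "W32.GenericKD:Attribute.24ch.1201",
        "ec26aef08313a27cfa06bfa897972fc1": "Win.Worm.Dunihi::tpd",
        "f2c1aa209e185ed50bf9ae8161914954": "W32.5524FEE1BB.5A6DF6a61.auto.Talos",
        "8193b63313019b614d5be721c538486b": "PUA.Win.Dropper.Segurazo::95.sbx.tg",
        "8c80dd97c37525927c1e549cb59bcbf3": "Win.Exploit.Shadowbrokers::5A5226262.auto.talos",
    },
}


def hash_file(path, algorithms=("sha256", "md5"), chunk_size=1 << 20):
    """Compute every requested digest of a file in a single read pass."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for hasher in hashers.values():
                hasher.update(chunk)
    return {name: hasher.hexdigest() for name, hasher in hashers.items()}


def match_iocs(digests, iocs=TALOS_IOCS):
    """Return (algorithm, digest, detection name) for each digest found in the IOC table."""
    hits = []
    for algorithm, digest in digests.items():
        name = iocs.get(algorithm, {}).get(digest.lower())
        if name:
            hits.append((algorithm, digest.lower(), name))
    return hits


def scan_directory(root, iocs=TALOS_IOCS):
    """Hash every regular file under root and map each matching path to its IOC hits."""
    findings = {}
    for path in Path(root).rglob("*"):
        # Skip directories and symlinks so the same file is not hashed twice via a link.
        if path.is_symlink() or not path.is_file():
            continue
        try:
            digests = hash_file(path)
        except OSError:
            continue  # unreadable file: leave it for a privileged rescan
        hits = match_iocs(digests, iocs)
        if hits:
            findings[str(path)] = hits
    return findings


def demo():
    """Scan a constructed directory: one benign file and one file whose hash is added to a copy of the IOC table."""
    with tempfile.TemporaryDirectory() as tmp:
        benign = Path(tmp) / "notes.txt"
        benign.write_bytes(b"quarterly tax reminder\n")
        sample = Path(tmp) / "sample.bin"
        sample.write_bytes(b"constructed sample, not real malware\n")  # constructed content
        iocs = {algo: dict(table) for algo, table in TALOS_IOCS.items()}
        iocs["sha256"][hash_file(sample)["sha256"]] = "Constructed.Test.Sample"  # constructed IOC
        return scan_directory(tmp, iocs)


if __name__ == "__main__":
    for path, hits in demo().items():
        for algorithm, digest, name in hits:
            print(f"{path}: {algorithm}={digest} -> {name}")
```

Both digests are computed in one pass so large binaries are read once, and a hit on either algorithm is reported; for a real sweep, replace `demo()` with `scan_directory("/path/to/check")` and feed the findings to whatever ticketing or EDR workflow the team uses.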

Keep up with all things Talos by following us on Twitter. Snort, ClamAV and Immunet also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast here and Talos Takes here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.