Thursday, May 6, 2021

Threat Source Newsletter (May 6, 2021)

 

Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers.  

COVID-19 has changed everything about our lives — no surprise there. So it also shouldn't be shocking that it's changing the way Americans view Tax Day this year.

The deadline to file taxes is about a month later than usual and is now only 11 days away. Attackers have jumped on this opportunity to create new malware campaigns centered around taxes and COVID-19. You don't want to miss the latest Talos Takes episode where we talk about scams around supposed rewards for receiving your COVID vaccine, promises of better tax returns, and everything else you could think of with "taxes" in the subject line of a spam email.


Upcoming public engagements with Talos


Date: May 17 - 20
Overview: Come visit Cisco's booth virtually at the RSA Conference 2021. We'll have on-demand talks with Talos researchers and Incident Responders available all week long, and even after the conference for those who have the appropriate virtual badge.

Date: May 25 at 11 a.m. ET
Overview: Join us as we once again provide a base-level overview of Snort 3 — the next generation of IPS. Alex Tatistcheff returns to discuss Cisco IPS' internal operations. This is the perfect place to jump on if you haven't upgraded to Snort 3 yet. For more on Snort 3, head to Snort.org.

Cybersecurity week in review

  • International law enforcement recently removed the infamous Emotet botnet from infected machines. At least nine countries joined up to deal what they hope is the death blow to the threat.
  • Afterward, the FBI released the emails of affected users. Anyone looking to see if their email was compromised as part of Emotet can check via the popular website Have I Been Pwned.
  • Apple released updates to all its major operating systems this week to fix a vulnerability in its Webkit service. The company says one of the vulnerabilities may have been exploited in the wild.
  • Several top American lawmakers are pushing for the U.S. Cybersecurity and Infrastructure Security agency to have greater control over disclosing and patching vulnerabilities in ICS systems. New legislation, they say, is needed to better protect U.S. water and power supplies. 
  • Software development tool Codecov started informing customers this week if they were affected by a recent supply chain attack. Codecov released several IP addresses as IOCs that they say threat actors used to collect sensitive information from users who downloaded a malicious update.
  • Attackers breached sensitive information belonging to a popular therapy service in Finland late last year. Some users received ransom notes from the attackers warning that their information would be leaked, including therapists' notes, if they did not pay a fee in Bitcoin.
  • A set of websites are offering to pay users for handing over their login credentials for services at their employer. For example, one site promises they'll tell the user how much they earn compared to their peers if they hand over their payroll site credentials.
  • A new malware known as PortDoor is targeting Russian defense contractors. Security researchers say the threat could be linked to a Chinese APT known for using the RoyalRoad weaponizer in the past.
  • The actors behind the Buer malware have completely rewritten the threat in the Rust programming language. It is believed this is primarily to avoid detection already written for Buer.


Notable recent security issues


Description: Cisco Talos recently discovered an information disclosure vulnerability in the Linux Kernel. The Linux Kernel is the free and open-source core of Unix-like operating systems. This vulnerability specifically exists in the /proc/pid/syscall functionality of 32-bit ARM devices running Linux. CVE-2020-28588 is an information disclosure vulnerability that could allow an attacker to view Kernel stack memory. Talos researchers first discovered this issue on an Azure Sphere device (version 20.10), a 32-bit ARM device that runs a patched Linux kernel. An attacker could exploit this vulnerability by reading /proc/<pid>/syscall, a legitimate Linux operating system file — making it impossible to detect on a network remotely. If utilized correctly, an attacker could leverage this information leak to successfully exploit additional unpatched Linux vulnerabilities. 

Title: Cisco discloses multiple vulnerabilities in Adaptive Security Appliance 
Description: Cisco disclosed multiple vulnerabilities in its Adaptive Security Appliance software and Cisco Firepower Threat Defense. One high-severity vulnerability, CVE-2021-1493, could allow an attacker to cause a buffer overflow condition. An attacker could exploit this vulnerability by sending a malicious HTTP request.  A successful exploit could allow the attacker to cause a buffer overflow condition on the affected system, which could disclose data fragments or cause the device to reload, resulting in a denial of service (DoS) condition. Another medium-risk vulnerability could allow an adversary to inject commands that could be executed with root privileges on the underlying operating system. 
References: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asa-cmdinj-TKyQfDcU 

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-memc-dos-fncTyYKG 
Snort SIDs: 57486, 57488, 57489 

Most prevalent malware files this week


MD5: 9a4b7b0849a274f6f7ac13c7577daad8 
Typical Filename: ww31.exe 
Claimed Product: N/A 
Detection Name: W32.GenericKD:Attribute.24ch.1201

MD5: ec26aef08313a27cfa06bfa897972fc1 
Typical Filename: 01fd0f9a83cb940bca23fbeea3ecaffcfb4df2ef.vbs 
Claimed Product: N/A 
Detection Name: Win.Worm.Dunihi::tpd 

MD5: f2c1aa209e185ed50bf9ae8161914954 
Typical Filename: webnavigatorbrowser_exe 
Claimed Product: WebNavigatorBrowser 
Detection Name: W32.5524FEE1BB.5A6DF6a61.auto.Talos 

MD5: 8193b63313019b614d5be721c538486b 
Typical Filename: SAService.exe 
Claimed Product: SAService 
Detection Name: PUA.Win.Dropper.Segurazo::95.sbx.tg 
MD5: 8c80dd97c37525927c1e549cb59bcbf3
Typical Filename: svchost.exe
Claimed Product: N/A 
Detection Name: Win.Exploit.Shadowbrokers::5A5226262.auto.talos

Keep up with all things Talos by following us on TwitterSnortClamAV and Immunet also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast here and Talos Takes here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.  

No comments:

Post a Comment

Note: Only a member of this blog may post a comment.