Good afternoon, Talos readers.
Although the Colonial Pipeline attack is largely behind us now, its potential repercussions are not. This was just the latest in a string of attacks against American critical infrastructure over the past few years, and we don't expect them to slow down any time soon.
Talos researchers have outlined a series of steps critical infrastructure organizations can take to secure their networks, and what the government needs to do to protect physical property and prevent potentially life-threatening attacks. If you are experiencing an emergency or in need of an incident response retainer, Cisco Talos Incident Response is available for proactive and emergency response.
Cybersecurity week in review
- NATO's Secretary General suggested that any cyber attacks on member nations should be considered just as serious as any kinetic warfare. This opens up the possibility that member nations could take defensive actions if one of their allies becomes the victim of a cyber attack.
- U.S. President Joe Biden held a long-anticipated summit with his Russian counterpart, Vladimir Putin, on Wednesday. The two leaders appeared to agree to future discussions around cybersecurity, though it will be a long time before we see what tangible actions those talks could turn into.
- Thousands of users have yet to patch critical VMware vulnerabilities that are being exploited in the wild. Another round of warnings came to patch the affected products a few weeks after the vulnerabilities were initially disclosed.
- Fitness company Peloton warned users that touchscreens on their exercise bikes could be exploited by attackers. Although the potential exploit requires a physical USB device, an adversary who carried it out could spy on users via the bikes' camera and microphone.
- An update to Microsoft Defender for Android and iOS adds several new security features, including the ability to detect jailbroken devices. The Android version can also scan for potential malware or unwanted apps.
- Attackers stole source code from video game company Electronic Arts, and the code is reportedly for sale online. The alleged attackers are claiming to sell source code for the game FIFA 21 and other private data.
- Ukrainian police have arrested multiple individuals they say are tied to the CLOP ransomware group. CLOP is known for exploiting four zero-day vulnerabilities in FTA and recently targeting major international companies such as the grocer Kroger.
- A recent report found that 80 percent of ransomware victims that pay the requested ransom are hit by a cyber attack again, often by the same actors. Sixty-six percent of the responders to the survey also reported significant revenue loss from the ransomware attack.
- Adversaries are tracking Iranian dissidents by spying on popular apps, including VPN services and Telegram. The attackers use fake images and videos claiming to be from prisoners in Iran, which trick victims into downloading malware.
Notable recent security issues
Title: New detection for wiper disguising itself as ransomware
Description: An APT with potential connections to Iran is spreading a new wiper malware that disguises itself as ransomware. The actor, known as Agrius, has been conducting cyber espionage dating back to November, and recently started focusing on the more destructive malware. It uses a backdoor known as IPsec Helper to spread wiper malware. It deletes users’ files completely, but still informs the victims that their data was stolen and encrypted in the hopes of still receiving a ransom payment. The adversary exploits a few different vulnerabilities, but a favorite is a long-fixed path traversal vulnerability in Fortinet’s FortiOS operating system — CVE-2018-13379.
Snort SIDs: 57780 - 57782
Title: BazarLoader spreads via fake video streaming site
Description: The actors behind the BazarLoader trojan are using a new, fake video streaming site to lure victims into downloading their malware. The attackers are sending emails to users advertising a new service called "BravoMovies" from a company called UrbanCinema. The site uses legitimate movie posters to disguise itself as a streaming service, but it ultimately points only to BazarLoader. BazarLoader is commonly used to download and execute other malicious files.
Snort SIDs: 57773
Most prevalent malware files this week
SHA 256: c1d5a585fce188423d31df3ea806272f3daa5eb989e18e9ecf3d94b97b965f8e
MD5: 9a4b7b0849a274f6f7ac13c7577daad8
Typical Filename: ww31.exe
Claimed Product: N/A
Detection Name: W32.GenericKD:Attribute.24ch.1201
SHA 256: 9a74640ca638b274bc8e81f4561b4c48b0c5fbcb78f6350801746003ded565eb
MD5: 6be10a13c17391218704dc24b34cf736
Typical Filename: smbscanlocal0906.exe
Claimed Product: N/A
Detection Name: Win.Dropper.Ranumbot::in03.talos
SHA 256: 8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9
MD5: 34560233e751b7e95f155b6f61e7419a
Typical Filename: SAntivirusService.exe
Claimed Product: A n t i v i r u s S e r v i c e
Detection Name: PUA.Win.Dropper.Segurazo::tpd
SHA 256: e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd
MD5: 8193b63313019b614d5be721c538486b
Typical Filename: SAService.exe
Claimed Product: SAService
Detection Name: PUA.Win.Dropper.Segurazo::95.sbx.tg
SHA 256: 5524fee1bb95b3778857b414586611584794867c5fce1952d22dcba93c5cd243
MD5: f2c1aa209e185ed50bf9ae8161914954
Typical Filename: webnavigatorbrowser.exe
Claimed Product: WebNavigatorBrowser
Detection Name: W32.5524FEE1BB.5A6DF6a61.auto.Talos
Keep up with all things Talos by following us on Twitter. Snort, ClamAV and Immunet also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast here and Talos Takes here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.