Newsletter compiled by Jon Munshaw.
Good afternoon, Talos readers.
If you didn't catch us live yesterday, we've uploaded the full version of our stream on Discord and Slack malware to our YouTube page. Chris Neal from Talos Outreach walked through his recent research into these campaigns targeting collaboration apps. Find out what Chris and his team discovered on these apps that have become crucial to work and communication in 2021.
Cybersecurity week in review
- Microsoft discovered the Nobelium threat actor continuing to target high-profile companies and think tanks in intelligence-gathering efforts. The group reportedly gained access to a Constant Contact email marketing account belonging to USAID.
- The campaigns attempted to lure victims in by sending them themed documents invoking former President Donald Trump. The malicious documents would eventually download a DLL that gave Nobelium a backdoor to the victim machine.
- JBS, one of the world's largest producers of meat, had to shut down operations at some of its plants for several days after a cyber attack. As of Thursday, the company restored most of its services.
- The FBI blamed the attack on the infamous REvil ransomware group. A representative from the group said in October the group was likely to target the agricultural sector next.
- Multiple notable transportation systems revealed they were the victims of cyber attacks earlier this year. The ferry in Martha's Vineyard was compromised this week, while New York City's MTA revealed an attack back in April that did not result in any compromised data belonging to riders.
- The White House released a memo warning private companies' executives of the recent increase in cyber attacks. The letter outlined immediate steps companies can take to protect themselves from ransomware attacks.
- The Biden administration's proposed budget would commit about $10 billion to civilian government cybersecurity in 2022, an increase of 14 percent from this year. Included in the budget is $750 million specifically earmarked to "respond to lessons learned" from the SolarWinds supply chain attack.
- Amazon devices will soon be automatically opted in to its new Sidewalk program, in which users' wireless internet is shared with other Amazon devices. Sidewalk will also provide users with a slice of others' WiFi if they do not have a current connection.
Notable recent security issues
Title: Vulnerabilities in Trend Micro Home Network Security Station could lead to device takeover
Description: Trend Micro recently patched multiple security vulnerabilities in its Home Network Security systems. Attackers could exploit the vulnerabilities to cause a denial of service on connected devices, escalate privileges or execute code. The Home Network Security Station is an all-in-one device that protects users’ home networks by scanning connected devices for vulnerabilities and serving as an intrusion prevention system. Using these vulnerabilities, an attacker could manipulate the device in a way that allows them to execute code remotely on the device or take over PCs that are connected to the targeted home network.
Snort SIDs: 51719 - 57122
Title: Multiple vulnerabilities in Accusoft ImageGear
Description: Cisco Talos researchers recently discovered multiple vulnerabilities in Accusoft ImageGear. The ImageGear library is a document-imaging developer toolkit that allows users to create, edit, annotate and convert various images. It supports more than 100 file formats, such as DICOM, PDF and Microsoft Office formats. The vulnerabilities Talos discovered could allow an attacker to carry out various malicious actions, including corrupting memory on the victim machine and gaining the ability to execute code remotely. CVE-2021-21793, CVE-2021-21794 and CVE-2021-21824 are all out-of-bounds write vulnerabilities that exist in various functions of the software. An attacker could trigger these vulnerabilities by tricking a user into opening a specially crafted, malicious file.
Snort SIDs: 54411 - 54414, 57249 - 57252, 57270 - 57273, 57301, 57302, 57378, 57379
Most prevalent malware files this week
Keep up with all things Talos by following us on Twitter. Snort, ClamAV and Immunet also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast here and Talos Takes here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.