Thursday, July 1, 2021

Threat Source newsletter (July 1, 2021)

 

Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers.  

There's been a lot of talk recently around how to address America's infrastructure cybersecurity. After attacks like Colonial Pipeline and JBS, everyone across the public and private sectors are wondering what they should be doing to avoid becoming the next major ransomware victim that disrupts their given industry.

While we don't have all the answers, our critical infrastructure experts recently suggested what some security partnerships could look like in the U.S. One of the authors of that post, Joe Marshall, joined the Talos Takes podcast last week with yours truly to discuss CI security and how operational technology can so often intersect with information technology.


Upcoming Talos public engagements


Speaker: Edmund Brumaghin
Date: July 10, 2021
Location: Miami Valley Research Park in Dayton, Ohio or virtual
Description: As telework has become the norm throughout the COVID-19 pandemic, attackers are modifying their tactics to take advantage of the changes to employee workflows. Attackers are leveraging collaboration platforms, such as Discord and Slack, to stay under the radar and evade organizational defenses. In this talk, Edmund will go over the recent campaigns we've seen in the wild targeting these types of collaboration apps.

Speaker: Vitor Ventura
Date: Oct. 7 - 8
Location: Virtual
Description: Android malware has become prevalent across the landscape. In this workshop, Vitor Ventura will show you reverse engineering techniques for Android malware. This workshop is designed to provide the participants with different approaches to malware analysis so they can perform their own analysis without the use of automated tools. When everything else fails, we need to know what's under the hood. This workshop will cover malware unpacking, string deobfuscation, command and control protocol identification and feature identification.

Cybersecurity week in review


Notable recent security issues


Title: Cisco warns of active exploitation of cross-site scripting vulnerability 
Description: Cisco warned users this week that a vulnerability in its Adaptive Security Appliance software is being exploited in the wild. The company first disclosed this vulnerability, identified as CVE-2020-3580, in October. However, a proof-of-concept recently became publicly available and used in the wild. ASA is a perimeter defense appliance that blocks threats from entering corporate networks. An attacker could exploit this cross-site scripting vulnerability (XSS) to execute arbitrary code in the context of ASA and view sensitive browser-based information on the victim’s network. An XSS attack occurs when an adversary injects malicious scripts into otherwise trusted websites. An affected user comes under attack if they visit that compromised website. 

Snort SIDs: 57856, 57857 

Description: Security researchers recently discovered Netfilter, a malicious rootkit disguised as a legitimate DLL. Microsoft confirmed this week that it signed the driver, commonly distributed among the video game players, saying that the developers behind the tool managed to acquire a Microsoft-signed binary in a legitimate manner, and the company is now investigating the manner. Once installed, Netfilter eventually connects to several China-based command and control sites, though the URLs do not appear to have any legitimate use. 
Snort SIDs: 57864 - 57871 

Most prevalent malware files this week


MD5: 9a4b7b0849a274f6f7ac13c7577daad8 
Typical Filename: ww31.exe 
Claimed Product: N/A 
Detection Name: W32.GenericKD:Attribute.24ch.1201

MD5: 6be10a13c17391218704dc24b34cf736 
Typical Filename: smbscanlocal0906.exe 
Claimed Product: N/A 
Detection Name: Win.Dropper.Ranumbot::in03.talos 

MD5: 8193b63313019b614d5be721c538486b 
Typical Filename: SAService.exe 
Claimed Product: SAService 
Detection Name: PUA.Win.Dropper.Segurazo::95.sbx.tg 

MD5: 1971fc3783aa6fa3c0efb1276dd1143c 
Typical Filename: iRiNpQaAxCcNxPdKyG 
Claimed Product: Segurazo Antivirus 
Detection Name: PUA.Win.File.Segurazo::222360.in02 

MD5: 8c80dd97c37525927c1e549cb59bcbf3 
VirusTotal: 
Typical Filename: Eternalblue-2.2.0.exe 
Claimed Product: N/A 
Detection Name: Win.Exploit.Shadowbrokers::5A5226262.auto.talos 

Keep up with all things Talos by following us on TwitterSnortClamAV and Immunet also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast here and Talos Takes here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.  

No comments:

Post a Comment

Note: Only a member of this blog may post a comment.