Good afternoon, Talos readers.
There's been a lot of talk recently around how to address America's infrastructure cybersecurity. After attacks like Colonial Pipeline and JBS, everyone across the public and private sectors are wondering what they should be doing to avoid becoming the next major ransomware victim that disrupts their given industry.
While we don't have all the answers, our critical infrastructure experts recently suggested what some security partnerships could look like in the U.S. One of the authors of that post, Joe Marshall, joined the Talos Takes podcast last week with yours truly to discuss CI security and how operational technology can so often intersect with information technology.
Upcoming Talos public engagements
Speaker: Edmund Brumaghin
Date: July 10, 2021
Location: Miami Valley Research Park in Dayton, Ohio or virtual
Description: As telework has become the norm throughout the COVID-19 pandemic, attackers are modifying their tactics to take advantage of the changes to employee workflows. Attackers are leveraging collaboration platforms, such as Discord and Slack, to stay under the radar and evade organizational defenses. In this talk, Edmund will go over the recent campaigns we've seen in the wild targeting these types of collaboration apps.
Workshop: Analysing Android malware at VirusBulletin localhost 2021
Speaker: Vitor Ventura
Date: Oct. 7 - 8
Location: Virtual
Description: Android malware has become prevalent across the landscape. In this workshop, Vitor Ventura will show you reverse engineering techniques for Android malware. This workshop is designed to provide the participants with different approaches to malware analysis so they can perform their own analysis without the use of automated tools. When everything else fails, we need to know what's under the hood. This workshop will cover malware unpacking, string deobfuscation, command and control protocol identification and feature identification.
Cybersecurity week in review
- A vulnerability called "PrintNightmare" could allow an attacker to execute remote code by exploiting Microsoft's print spooler function. Microsoft originally patched the vulnerability last month, but it was discovered this week that it was more serious than expected after proof-of-concept code made it into the wild. Snort rules 57876 and 57877 will protect against this vulnerability.
- The same attackers behind the SolarWinds supply chain attack compromised Microsoft's support system. The company said Nobelium gained access to "basic account information for a small number of our customers."
- Nobelium also is accused of infiltrating the network of Denmark's central bank and lurking for nearly seven months. The group reportedly used the widespread SolarWinds vulnerability as an initial entry point.
- More than 700 million LinkedIn users' information is available for sale on a dark web forum. The company says its network was not breached, though, and was simply the victim of data-scraping.
- The U.S. Department of Energy is requesting $201 million in its 2022 budget to shore up critical infrastructure security, an increase of 15 percent from this year. The Secretary of Energy told a Senate committee that the recent cyber attack on Colonial Pipeline showed her department that "we do not have cyber standards on pipelines like we do on the electricity sector."
- Germany said it thwarted a cyber attack this week on a national data service provider, and also denied the attack targeted the country's critical infrastructure and banks. Officials say the attack was likely "criminally motivated," and defenders kept the potential damage to a minimum.
- European law enforcement shut down a popular VPN service used by many cybercriminals. DoubleVPN's domain was seized, as was information they kept on their users. Attackers commonly used DoubleVPN to obscure their identities during attacks.
- The U.S. Senate has still yet to confirm a new director for the Cybersecurity and Infrastructure Security Agency, five months into President Joe Biden's term and heading into a two-week vacation for Congress. Biden nominated Jen Easterly, a former U.S. National Security Agency official, for the post in April.
Notable recent security issues
Title: Cisco warns of active exploitation of cross-site scripting vulnerability
Description: Cisco warned users this week that a vulnerability in its Adaptive Security Appliance software is being exploited in the wild. The company first disclosed this vulnerability, identified as CVE-2020-3580, in October. However, a proof-of-concept recently became publicly available and used in the wild. ASA is a perimeter defense appliance that blocks threats from entering corporate networks. An attacker could exploit this cross-site scripting vulnerability (XSS) to execute arbitrary code in the context of ASA and view sensitive browser-based information on the victim’s network. An XSS attack occurs when an adversary injects malicious scripts into otherwise trusted websites. An affected user comes under attack if they visit that compromised website.
References: https://threatpost.com/cisco-asa-bug-exploited-poc/167274/
Snort SIDs: 57856, 57857
Title: Microsoft-signed DLL points to APT-controlled C2s
Description: Security researchers recently discovered Netfilter, a malicious rootkit disguised as a legitimate DLL. Microsoft confirmed this week that it signed the driver, commonly distributed among the video game players, saying that the developers behind the tool managed to acquire a Microsoft-signed binary in a legitimate manner, and the company is now investigating the manner. Once installed, Netfilter eventually connects to several China-based command and control sites, though the URLs do not appear to have any legitimate use.
Snort SIDs: 57864 - 57871
Most prevalent malware files this week
SHA 256: c1d5a585fce188423d31df3ea806272f3daa5eb989e18e9ecf3d94b97b965f8e
MD5: 9a4b7b0849a274f6f7ac13c7577daad8
Typical Filename: ww31.exe
Claimed Product: N/A
Detection Name: W32.GenericKD:Attribute.24ch.1201
SHA 256: 9a74640ca638b274bc8e81f4561b4c48b0c5fbcb78f6350801746003ded565eb
MD5: 6be10a13c17391218704dc24b34cf736
Typical Filename: smbscanlocal0906.exe
Claimed Product: N/A
Detection Name: Win.Dropper.Ranumbot::in03.talos
SHA 256: e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd
MD5: 8193b63313019b614d5be721c538486b
Typical Filename: SAService.exe
Claimed Product: SAService
Detection Name: PUA.Win.Dropper.Segurazo::95.sbx.tg
SHA 256: d0c3e85195fb2782cff3de09de5003f37d9bdd351e7094a22dbf205966cc8c43
MD5: 1971fc3783aa6fa3c0efb1276dd1143c
Typical Filename: iRiNpQaAxCcNxPdKyG
Claimed Product: Segurazo Antivirus
Detection Name: PUA.Win.File.Segurazo::222360.in02
SHA 256: 85B936960FBE5100C170B777E1647CE9F0F01E3AB9742DFC23F37CB0825B30B5
MD5: 8c80dd97c37525927c1e549cb59bcbf3
VirusTotal:
Typical Filename: Eternalblue-2.2.0.exe
Claimed Product: N/A
Detection Name: Win.Exploit.Shadowbrokers::5A5226262.auto.talos
Keep up with all things Talos by following us on Twitter. Snort, ClamAV and Immunet also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast here and Talos Takes here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.