Thursday, July 29, 2021

Threat Source newsletter (July 29, 2021)

Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers.  

Thanks to everyone who joined us live yesterday for our talk on business email compromise. If you missed us live, the recording is up on our YouTube page now. Nick Biasini from Talos Outreach provided some great advice on avoiding business email compromise and detecting these malicious campaigns.

If you want a shorter version of Nick's talk, you can also listen to last week's episode of Talos Takes.

We also have new research out on the Solarmarker information stealer and keylogger. Find out how this threat is growing and how you can defend against it using Cisco Secure products.


Upcoming Talos public engagements


Date: July 31 - Aug. 5
Location: Virtual and Mandalay Bay hotel and resort, Las Vegas, Nevada
Description: Join Talos and Cisco Secure for a series of sponsored talks, mock debates and incident response lessons at this year's hybrid BlackHat conference.

Speaker: Vitor Ventura
Date: Oct. 7 - 8
Location: Virtual
Description: Android malware has become prevalent across the landscape. In this workshop, Vitor Ventura will show you reverse engineering techniques for Android malware. This workshop is designed to provide the participants with different approaches to malware analysis so they can perform their own analysis without the use of automated tools. When everything else fails, we need to know what's under the hood. This workshop will cover malware unpacking, string deobfuscation, command and control protocol identification and feature identification.

Cybersecurity week in review

  • Security researchers and privacy advocates uncovered a massive effort by international governments to acquire the NSO Group's Pegasus spyware. These regimes reportedly used the software to spy on journalists, activists and other politicians.
  • In the wake of this report, Mexico's government stated two previous administrations spent a combined $61 million on Pegasus. The contracts also included excess payments that may have been used to send kickbacks to government officials.
  • The Pegasus report has many users worried they may be affected. There are many ways to avoid spyware, including avoiding obvious social engineering messages, testing for man-in-the-middle attacks, and using newly released open-source software that checks for spyware.
  • U.S. President Joe Biden signed a new executive order directing federal agencies to create voluntary cybersecurity goals for companies that operate critical infrastructure. The order asks preliminary goals to be put in place by late September, and another set of cross-sector standards by the end of the year.
  • The Death Kitty ransomware is linked to an attack on several South African ports. A string of attacks late last week forced the company operating the ports to declare a force majeure at container terminals and start manually processing cargo.
  • Apple released updates to macOS, iPadOS and iOS this week to fix multiple vulnerabilities, including one that attackers were actively exploiting in the wild. The most serious vulnerability could allow an attacker to execute arbitrary code with kernel privileges.
  • Kaseya obtained a decryptor for the recent REvil ransomware attack carried out against many of its users. The company says the key, which it obtained from a "trusted third-party" will allow users to retrieve missing files without paying the ransom.
  • A joint advisory from the U.S. and some of its allies outlined the most-exploited vulnerabilities in 2020 and 2021. So far this year, adversaries are most often targeting vulnerable Microsoft Exchange Servers. 

Notable recent security issues


Description: After an attempted takedown, security researchers are seeing increased command and control (C2) traffic around the Trickbot malware. The botnet also has a new version of its “vncDll” module, which is used for monitoring and intelligence gathering. This module appears to be actively updated with bug fixes and additional functionality. Currently, it creates a virtual desktop that mirrors the target’s desktop and steals information by monitoring the screen. Trickbot traditionally downloads new payloads to carry out additional attacks, opens the target’s documents and email and uploads data to the C2.
Snort SIDs: 57948 - 57950  

Description: Even though Adobe has discontinued support for Flash Player, attackers are still capitalizing on it. Operators behind the Shlayer malware send macOS users fake Flash Player update notifications, hoping to trick users into clicking on malicious links. The malware completes its install when the user downloads the malicious file. Shlayer is a well-known malware that’s been targeting macOS users for at least three years. Once installed, Shlayer deploys adware on the affected machine and eventually fetches additional payloads, usually also adware.
Snort SIDs: 57919, 57920 

Most prevalent malware files this week


MD5: 9a4b7b0849a274f6f7ac13c7577daad8 
Typical Filename: ww31.exe 
Claimed Product: N/A 
Detection Name: W32.GenericKD:Attribute.24ch.1201

MD5: 6be10a13c17391218704dc24b34cf736 
Typical Filename: smbscanlocal0906.exe 
Claimed Product: N/A 
Detection Name: Win.Dropper.Ranumbot::in03.talos 

MD5: 84452e3633c40030e72c9375c8a3cacb  
Typical Filename: sqhost.exe 
Claimed Product: N/A 
Detection Name: W32.Auto:f0a5b257f1.in03.Talos 

MD5: 34560233e751b7e95f155b6f61e7419a  
Typical Filename: SAntivirusService.exe  
Claimed Product: A n t i v i r u s S e r v i c e  
Detection Name: PUA.Win.Dropper.Segurazo::tpd 

MD5: 39e14b83d48ab362c9a5e03f885f5669 
Typical Filename: SqlServerWorks.Runner.exe 
Claimed Product: SqlServerWorks.Runner 
Detection Name: W32.302F58DA59-95.SBX.TG 

Keep up with all things Talos by following us on Twitter. Snort, ClamAV and Immunet also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast here and Talos Takes here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.
