Thursday, August 19, 2021

Threat Source newsletter (Aug. 19, 2021)

Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers.  

I'm writing this on Tuesday morning on account of vacation (again), so apologies if we miss any major stories. 

You certainly don't want to miss our latest blog post on the Neurevt remote access trojan that's targeting users in Mexico. This malware is mainly designed to steal login credentials to banking websites, and we don't really need to tell you why that would be bad.


Upcoming Talos public engagements

Speaker: Chris DiSalle
Date: Sept. 9
Location: Virtual
Description: Chris DiSalle from Talos Incident Response will join the Technado podcast to share the ins and outs of the IR industry. Chris will talk to host Don Pezet about how he got started in incident response, horror stories he's seen in the field, and much more. 


Speaker: Vitor Ventura
Date: Oct. 7 - 8
Location: Virtual
Description: Android malware has become prevalent across the landscape. In this workshop, Vitor Ventura will show you reverse engineering techniques for Android malware. This workshop is designed to provide the participants with different approaches to malware analysis so they can perform their own analysis without the use of automated tools. When everything else fails, we need to know what's under the hood. This workshop will cover malware unpacking, string deobfuscation, command and control protocol identification and feature identification.

Cybersecurity week in review

  • The Taliban's takeover of Afghanistan's government is obviously the most important story this week. And while there are several national security issues at play, we should also be considering the possible cybersecurity implications. With U.S. officials and the military leaving the country, they could be leaving behind sensitive national intelligence completely unguarded. 
  • Nearly 6,000 people had their personal information stolen as part of the recent ransomware attack on the Colonial Pipeline. The company said it is sending out breach notifications to those affected, which mainly include current and former employees and their families.
  • Jen Easterly, the recently confirmed director of the Cybersecurity and Infrastructure Security Agency, said in a recent interview that she wants the agency to remain non-partisan. Easterly added that she wants to develop a bi-partisan solution to combating disinformation ahead of the 2022 and 2024 election cycles.
  • Security researchers found an unpatched vulnerability in the gym management platform Wodify. The software, used by thousands of gyms across the U.S., could be exploited to manipulate and view users' financial transactions.
  • T-Mobile says it is investigating a possible data breach and/or cyber attack after adversaries claimed to be selling the personal information of 100 million customers. A dark web seller claims to want the equivalent of $270,000 for a subset of the data containing 30 million social security numbers and driver's licenses.
  • A vulnerability in Ford's website could allow an attacker to view customer and employee records from internal systems. Researchers found the data was exposed via a misconfigured instance of Pega Infinity running on Ford's servers.
  • A ransomware attack hit a hospital system serving parts of Ohio and West Virginia, locking employees out from accessing internal IT systems. The hospitals had to turn away many patients and cancel surgeries as a result.
  • Consulting company Accenture said there were no effects to the company's operations or clients from a reported ransomware attack last week. The operators behind the Lockbit ransomware claim to be selling a huge trove of data stolen from the company via an "insider."
  • Attackers are hiding phishing links and malware inside reCAPTCHA and other CAPTCHA-like software. The CAPTCHAs are useful in making phishing sites appear legitimate, and can also stop malware scanners from detecting the sites.

Notable recent security issues


Description: Another threat actor is actively exploiting the so-called PrintNightmare vulnerability (CVE-2021-1675 / CVE-2021-34527) in Windows' print spooler service to spread laterally across a victim's network as part of a recent ransomware attack, according to Cisco Talos Incident Response research. While previous research found that other threat actors had been exploiting this vulnerability, this appears to be new for the threat actor Vice Society. Talos Incident Response's research demonstrates that multiple, distinct threat actors view this vulnerability as attractive to use during their attacks, and this may indicate that the vulnerability will continue to see more widespread adoption and incorporation by various adversaries moving forward. For defenders, it is important to understand the attack lifecycle leading up to the deployment of ransomware. If users have not already, they should download the latest patch for PrintNightmare from Microsoft. 
Snort SIDs: 57876, 57877 
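As an added defender-side example (not from the Talos post or its research), the following PowerShell audit reports whether the Print Spooler service is running on the local host and whether the Point and Print policy values named in Microsoft's CVE-2021-34527 mitigation guidance are in a hardened state; the "hardened" interpretation and the finding messages are this script's own assumptions.

```powershell
# Added example: audit Print Spooler exposure and Point and Print policy on the local host.
# Registry path and value names follow Microsoft's CVE-2021-34527 mitigation guidance;
# what counts as "hardened" here is this script's own assumption, not Talos guidance.
$PointAndPrint = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'

function Get-PointAndPrintValue {
    param([string]$Name)
    # Returns $null when the value is absent, meaning Windows applies its default
    try { (Get-ItemProperty -Path $PointAndPrint -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Test-PrintSpoolerHardening {
    $spooler  = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $status   = if ($spooler) { $spooler.Status } else { 'NotInstalled' }
    $findings = @()

    if ($status -eq 'Running') {
        $findings += 'Spooler service is running (disable it on hosts that never print, such as domain controllers)'
    }

    # 1 = only administrators may install printer drivers; 0 re-opens driver installation to standard users
    $restrict = Get-PointAndPrintValue 'RestrictDriverInstallationToAdministrators'
    if ($restrict -eq 0) {
        $findings += 'RestrictDriverInstallationToAdministrators is 0: non-admins can install print drivers'
    }

    # Either value set to 1 suppresses the Point and Print warning/elevation prompt
    foreach ($name in 'NoWarningNoElevationOnInstall', 'UpdatePromptSettings') {
        $value = Get-PointAndPrintValue $name
        if ($null -ne $value -and $value -ge 1) {
            $findings += "$name is $value: Point and Print prompts are suppressed"
        }
    }

    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        SpoolerStatus = $status
        Hardened      = ($findings.Count -eq 0)
        Findings      = $findings
    }
}

Test-PrintSpoolerHardening | Format-List
```

Run it with Invoke-Command against a list of hosts to get one object per machine; a host with Hardened = False is one to patch and review before the next incident, not proof of compromise.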

Description: Group TA505 has been active for at least seven years, making wide-ranging connections with other threat actors involved in ransomware, stealing credit card numbers and exfiltrating data. One of the common tools in TA505's arsenal is ServHelper. In mid-June, Cisco Talos detected an increase in ServHelper's activity. We investigated the activity and discovered a set of intertwined malware families and TTPs. Although ServHelper has existed since at least early 2019, we detected the use of other malware families to install it. The installation comes as a GoLang dropper, .NET dropper or PowerShell script. Its activity is generally linked to Group TA505, but we cannot be certain that they are the exclusive users of this RAT. 
Snort SID: 57975 
ClamAV signatures: Win.Downloader.Powershell-9883640, Win.Trojan.Powershell-9883642, Win.Downloader.Powershell-9883641, Win.Downloader.ServHelper-9883708, Win.Downloader.Powershell-9883847, Win.Trojan.ServHelper-9883848, Win.Trojan.ServHelper-9883866, Win.Trojan.ServHelper-9883867 

Most prevalent malware files this week

MD5: 9a4b7b0849a274f6f7ac13c7577daad8 
Typical Filename: ww31.exe 
Claimed Product: N/A 
Detection Name: W32.GenericKD:Attribute.24ch.1201

MD5: 6be10a13c17391218704dc24b34cf736 
Typical Filename: smbscanlocal0906.exe 
Claimed Product: N/A 
Detection Name: Win.Dropper.Ranumbot::in03.talos

MD5: 0a13d106fa3997a0c911edd5aa0e147a 
Typical Filename: mg20201223-1.exe 
Claimed Product: N/A 
Detection Name: RanumBot::mURLin::W32.5E46ECFFCF.in12.Talos 

MD5: 34560233e751b7e95f155b6f61e7419a  
Typical Filename: SAntivirusService.exe  
Claimed Product: A n t i v i r u s S e r v i c e  
Detection Name: PUA.Win.Dropper.Segurazo::tpd  

MD5: d54ade674cb0c3e6d322ed7380e8adf6 
Typical Filename: ml20201223.exe 
Claimed Product: N/A 
Detection Name: RanumBot::mURLin::GenericRXMW:Win32-tpd 

Keep up with all things Talos by following us on Twitter. Snort, ClamAV and Immunet also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast here and Talos Takes here (as well as on your favorite podcast app). And, if you're not already, you can also subscribe to the weekly Threat Source newsletter here.
