Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers.

We hope everyone is enjoying BlackHat and/or DEFCON this week, whether you're attending virtually or in person. In case you missed any of our talks from BlackHat, you can check them out here, along with some other Cisco Secure offerings.

And if you didn't hear enough of our voices after that, there's a new Beers with Talos episode out this week. The guys got together for a retrospective on the Kaseya supply chain incident and follow-on ransomware attacks.

Upcoming Talos public engagements

CTIR on the Technado podcast

Speaker: Chris DiSalle

Date: Sept. 9

Location: Virtual

Description: Chris DiSalle from Talos Incident Response will join the Technado podcast to share the ins and outs of the IR industry. Chris will talk to host Don Pezet about how he got started in incident response, horror stories he's seen in the field, and much more.

Workshop: Analysing Android malware at VirusBulletin localhost 2021

Speaker: Vitor Ventura

Date: Oct. 7 - 8

Location: Virtual

Description: Android malware has become prevalent across the landscape. In this workshop, Vitor Ventura will show you reverse engineering techniques for Android malware. This workshop is designed to provide the participants with different approaches to malware analysis so they can perform their own analysis without the use of automated tools. When everything else fails, we need to know what's under the hood. This workshop will cover malware unpacking, string deobfuscation, command and control protocol identification and feature identification.

Cybersecurity week in review

  • A cyber attack briefly disrupted Italy's most popular registration website for the COVID-19 vaccine. Government officials in the country called it the most serious attack ever on an Italian government administration.
  • The U.S. federal government is seizing millions of dollars worth of cryptocurrency to disrupt threat actors and catch tax evaders. It is even enlisting the help of private companies to manage the storage and sales of the virtual currency.
  • Although the exploitation of Microsoft Exchange Server made headlines earlier this year, attackers have been targeting the platform for longer than a few months. Security researchers recently uncovered a large trove of stolen data attackers obtained by attacking Exchange Server that likely was a precursor to larger attacks this year.
  • Multiple American federal agencies received poor grades for cybersecurity in a recent Senate report. Four of the agencies investigated as part of the report earned "D's," while only one of the eight included received a "B."
  • TikTok is now a part of the first-ever U.S. Cyber Games. The year-round competition involves security researchers looking for security vulnerabilities, who then eventually face off against researchers from other countries at the inaugural International Cybersecurity Challenge (ICC) in December.
  • The investigation into the widespread use of the Pegasus spyware continues. French investigators recently found that three journalists from the country, including one person who worked for the international television station, had the software secretly installed on their phones.
  • The same attackers behind the massive SolarWinds campaign recently infected the email accounts of many high-profile U.S. prosecutors. The emails likely contained "very sensitive, very confidential and often very secret information."
  • The controversial PunkSpider tool made its return at the BlackHat conference this week. When used legitimately, the software allows companies to scan their websites for vulnerabilities and fix them before they can be exploited.
  • A security researcher showed they could control smart devices through a large hotel as part of a BlackHat presentation this week. This particular case highlights the dangers of keeping smart devices all connected to the same network.

Notable recent security issues

Title: SolarMarker tries to take victims around the galaxy

Description: Cisco Talos has observed new activity from SolarMarker, a highly modular .NET-based information stealer and keylogger. A previous staging module, "d.m," used with this malware has been replaced by a new module dubbed "Mars." Another previously unreported module named "Uranus" has been identified. Organizations should be particularly concerned about the modular nature and information-stealing capabilities of this malware family. Using its staging DLL, the malware can execute whichever payload module the attackers choose, some of which may be previously undiscovered. The modules already observed make potential victims vulnerable to having sensitive information stolen, including employees' browser activity, such as credit card numbers or other personal information entered into web forms. These attackers may also look to steal login credentials, which could then be used for lateral movement into other systems or to access and steal even more enticing data, such as a customer or patient medical information database.

Snort SIDs: 57973, 57974

Title: Microsoft warns of NTLM relay attacks

Description: Microsoft released an advisory last week with a workaround for recently discovered NTLM relay attacks. A tool, called PetitPotam, works against servers that enable NTLM authentication and Active Directory Certificate Services. An attacker could use this tool to abuse the Microsoft Encrypting File System Remote Protocol to coerce a server into authenticating to another server. An adversary could carry out this attack without any prior authentication. Microsoft and other security researchers advise disabling NTLM authentication on domain controllers. Administrators could also disable NTLM on any AD CS servers and disable NTLM for IIS on AD CS servers.

References: https://duo.com/decipher/microsoft-issue-guidance-for-mitigating-petitpotam-ntlm-relay-attack

https://support.microsoft.com/en-us/topic/kb5005413-mitigating-ntlm-relay-attacks-on-active-directory-certificate-services-ad-cs-3612b773-4043-4aa9-b23d-b87910cd3429

Snort SIDs: 57965, 57966
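The advisory above boils down to a handful of server-side settings (Extended Protection for Authentication and TLS on the AD CS web enrollment endpoints, NTLM removed from the IIS authentication providers, and incoming NTLM restricted via the LSA policy). The following read-only audit script is an added example, not code from Talos or from Microsoft's KB article. It assumes it is run elevated on an AD CS server that hosts the IIS web enrollment role, that the web enrollment application sits at the AD CS default path 'Default Web Site/CertSrv', and that the WebAdministration module is available; the application list, the output shape and the helper names are my own.

```powershell
# Added example: audit the NTLM relay mitigations on an AD CS web enrollment server.
# Read-only: reports the current state of each setting and whether it matches the
# hardened value; it does not change any configuration.
# Assumption: web enrollment lives at 'Default Web Site/CertSrv' (AD CS default).
Import-Module WebAdministration -ErrorAction Stop

$site = 'Default Web Site'
$apps = @('CertSrv')   # add the CES application name if Certificate Enrollment Web Service is installed

# Helper (hypothetical name): Get-WebConfigurationProperty returns a ConfigurationAttribute
# object for most attributes; unwrap it to a plain value for comparison and display.
function Get-AttrValue($attr) {
    if ($null -eq $attr) { return $null }
    if ($attr.PSObject.Properties['Value']) { return $attr.Value }
    return $attr
}

$findings = @()
$apphost  = 'MACHINE/WEBROOT/APPHOST'
$winAuth  = 'system.webServer/security/authentication/windowsAuthentication'

foreach ($app in $apps) {
    $location = "$site/$app"

    # 1. Extended Protection for Authentication: 'Require' forces the channel-binding
    #    token, so an NTLM exchange relayed from another TLS channel is rejected.
    $epa = Get-AttrValue (Get-WebConfigurationProperty -PSPath $apphost -Location $location `
        -Filter "$winAuth/extendedProtection" -Name 'tokenChecking')
    $findings += [pscustomobject]@{
        Location = $location; Setting = 'Extended Protection (tokenChecking)'
        Current  = "$epa";    Expected = 'Require'; Compliant = ("$epa" -eq 'Require')
    }

    # 2. Require SSL on the endpoint; EPA channel binding only makes sense over TLS.
    $ssl = Get-AttrValue (Get-WebConfigurationProperty -PSPath $apphost -Location $location `
        -Filter 'system.webServer/security/access' -Name 'sslFlags')
    $findings += [pscustomobject]@{
        Location = $location; Setting = 'Require SSL (sslFlags)'
        Current  = "$ssl";    Expected = 'contains Ssl'; Compliant = ("$ssl" -match '\bSsl\b')
    }

    # 3. Windows authentication providers: NTLM should be absent, leaving Negotiate (Kerberos).
    $providers = @(Get-WebConfiguration -PSPath $apphost -Location $location `
        -Filter "$winAuth/providers/add" | ForEach-Object { $_.value })
    $hasNtlm = $providers -contains 'NTLM'
    $findings += [pscustomobject]@{
        Location = $location; Setting = 'Windows auth providers'
        Current  = ($providers -join ', '); Expected = 'no NTLM'; Compliant = (-not $hasNtlm)
    }
}

# 4. Host-wide LSA policy "Network security: Restrict NTLM: Incoming NTLM traffic".
#    RestrictReceivingNTLMTraffic: 0 = allow all, 1 = deny domain accounts, 2 = deny all accounts.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0' `
    -Name 'RestrictReceivingNTLMTraffic' -ErrorAction SilentlyContinue
$restrict = if ($null -ne $lsa) { $lsa.RestrictReceivingNTLMTraffic } else { 0 }
$findings += [pscustomobject]@{
    Location = 'HKLM\...\Lsa\MSV1_0'; Setting = 'RestrictReceivingNTLMTraffic'
    Current  = "$restrict";            Expected = '2 (deny all)'; Compliant = ($restrict -eq 2)
}

$findings | Format-Table -AutoSize

# Non-zero exit code when anything is still in the relay-friendly state, so the script
# can be dropped into a scheduled compliance check.
if ($findings | Where-Object { -not $_.Compliant }) { exit 1 } else { exit 0 }
```

Run it once before and once after applying the KB5005413 steps; a fully hardened host prints every row as Compliant and exits 0. The provider check (step 3) is the one most worth re-verifying by hand, since an empty providers list in applicationHost.config means IIS falls back to its defaults, which include NTLM.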

Most prevalent malware files this week

SHA 256: c1d5a585fce188423d31df3ea806272f3daa5eb989e18e9ecf3d94b97b965f8e

MD5: 9a4b7b0849a274f6f7ac13c7577daad8

Typical Filename: ww31.exe

Claimed Product: N/A

Detection Name: W32.GenericKD:Attribute.24ch.1201

SHA 256: 9a74640ca638b274bc8e81f4561b4c48b0c5fbcb78f6350801746003ded565eb

MD5: 6be10a13c17391218704dc24b34cf736

Typical Filename: smbscanlocal0906.exe

Claimed Product: N/A

Detection Name: Win.Dropper.Ranumbot::in03.talos

SHA 256: 8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9

MD5: 34560233e751b7e95f155b6f61e7419a

Typical Filename: SAntivirusService.exe

Claimed Product: A n t i v i r u s S e r v i c e

Detection Name: PUA.Win.Dropper.Segurazo::tpd

SHA 256: e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd

MD5: 8193b63313019b614d5be721c538486b

Typical Filename: SAService.exe

Claimed Product: SAService

Detection Name: PUA.Win.Dropper.Segurazo::95.sbx.tg

SHA 256: 7820c5e3fbad356d9a8333ff731b04a4a3dd6e41cfc37be90b4e638fa1a6551e

MD5: 4891c7b054453b3e1b0950bb8e645b9c

Typical Filename: FlashHelperService.exe

Claimed Product: Flash Helper Service

Detection Name: PUA:2144FlashPlayer-tpd

Keep up with all things Talos by following us on Twitter. Snort, ClamAV and Immunet also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast here and Talos Takes here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.