Thursday, September 16, 2021

Threat Source newsletter (Sept. 16, 2021)

Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers.  

It's a bird, it's a plane, it's a rat!

We've been tracking a series of trojans targeting the aviation industry, and trying to lure victims in by sending them spam related to flight itineraries and other transportation news. In our latest blog post, we discuss how we've followed the actor behind these attacks, and what we can learn about tracking a threat actor in the future.

This week was also Patch Tuesday, so you'll want to update your Microsoft products as soon as possible if you haven't already. Most notably, there's an official update to patch the high-profile MSHTML vulnerability


Upcoming Talos public engagements

Chats, Cheats, and Cracks: Abuse of Collaboration Platforms in Malware Campaigns at BSides Charlotte
Speaker: Edmund Brumaghin
Date: Sept. 25
Location: Virtual
Description: Join Edmund Brumaghin from Talos Outreach where he'll be discussing malware campaigns targeting collaboration apps such as Discord and Slack. Following up on Talos' blog post from earlier this year, the presentation will dive into campaigns we've spotted in the wild and discuss how users can stay safe while using these apps. 

Speaker: Vitor Ventura
Date: Oct. 7 - 8
Location: Virtual
Description: Android malware has become prevalent across the landscape. In this workshop, Vitor Ventura will show you reverse engineering techniques for Android malware. This workshop is designed to provide the participants with different approaches to malware analysis so they can perform their own analysis without the use of automated tools. When everything else fails, we need to know what's under the hood. This workshop will cover malware unpacking, string deobfuscation, command and control protocol identification and feature identification.

Speaker: Brad Garnett
Date: Oct. 18 at 9:30 a.m. ET
Location: Livestream on all Talos social media accounts
Description: Join Cisco Talos Incident Response as we go live to celebrate National Cybersecurity Awareness Month. Brad Garnett, CTIR's general management, will be live to answer your questions, talk about the trends he's seeing on the threat landscape, and the growing threat of ransomware. Please use this page to drop us any questions ahead of time, or join us in the chat live. A recording will be made available shortly after on our YouTube page at cs.co/TalosTube.

Cybersecurity week in review

  • Four vulnerabilities in Microsoft Azure are being called "OMIGOD," referring to the vulnerable Open Management Infrastructure (OMI) software agent. The most serious of the set could allow an attacker to gain root privileges on a remote machine with only a single packet.
  • Microsoft warned that several ransomware groups are actively exploiting the high-profile MSHTML zero-day vulnerability. The company released an official patch this week as part of its monthly security update.
  • A popular HP gaming driver used on many PCs is vulnerable to a privilege escalation attack, potentially allowing attackers to obtain kernel-mode access. HP Omen Gaming, which contains the vulnerability, comes pre-installed on many HP laptops and desktop computers.
  • Microsoft will now allow users to go passwordless for their Office 365 and OneDrive accounts. Users who opt out of passwords can now log in through the Microsoft Authenticator app or biometric login options on Windows machines.
  • Australia's top cybersecurity agency warned organizations and government agencies this week that cyber attacks on critical infrastructure are on the rise. In a new report, the agency stated that the number of cyber attacks reported rose 15 percent during the 2020-21 fiscal year, costing victims around $33 billion.
  • With the rise in remote and hybrid learning, students' data is increasingly being leaked online. Unfortunately, there are little parents can do to protect their children's identity when the information is stolen from schools.
  • Security researchers and law enforcement worked together to create a new decryptor for the REvil ransomware. The universal key should work for any victim who had their files locked up prior to the group's servers going dark in July. 
  • Apple unveiled the new iPhone 13 this week, announcing several new privacy features as part of iOS 15 that will be rolling out alongside it. These include on-device processing of voice commands and new options to disable tracking by third-party apps.
  • The hacktivist group Anonymous leaked 180GB of data from users of some far-right social media apps and sites. The information seems to have come from the DNS hosting provider Epik, which has several clients including Parler and Gab. 

Notable recent security issues

Description: Microsoft released its monthly security update Tuesday, disclosing 86 vulnerabilities across the company’s firmware and software. This month’s release is headlined by an official patch for the critical remote code execution vulnerability disclosed earlier this month in MSHTML. CVE-2021-40444 is being actively exploited in the wild, according to Microsoft, and proof-of-concept code is now available, potentially widening the potential for attacks exploiting this vulnerability. The most serious vulnerability is CVE-2021-36965, a remote code execution vulnerability in Windows WLAN. This vulnerability has a severity score of 8.8 out of a possible 10, the same score as CVE-2021-40444. Aside from the aforementioned MSHTML exploit, another critical vulnerability exists in the Windows scripting engine. CVE-2021-26435 could allow an attacker to corrupt memory on the victim machine by tricking the user into opening a specially crafted file or visiting a website containing an attacker-create file designed to exploit this vulnerability. 
Snort SIDs: 58120 – 58135 
Snort 3 SID: 300049  
ClamAV signature: 9891528 (Doc.Exploit.CVE_2021_40444-9891528-0) 
Cisco Secure OSQuery: CVE-2021-40444_vulnerability status 

Description: Apple released updates for its smartphones, iPads and smartwatches this week fixing a vulnerability in its devices that could allow attackers to install the Pegasus spyware. The company pushed the patch shortly after researchers discovered a Saudi Arabian activists’ phone was infected with the spyware via the zero-click vulnerability. If installed, Pegasus can turn on a user’s camera and microphone, record messages, texts, emails and calls and send them back to the NSO Group’s — the Israeli tech firm that created the app — customers. The researchers found that up to 1.65 billion Apple products could have been vulnerable to the Pegasus spyware since March.  

Most prevalent malware files this week

MD5: 9a4b7b0849a274f6f7ac13c7577daad8 
Typical Filename: ww31.exe 
Claimed Product: N/A 
Detection Name: W32.GenericKD:Attribute.24ch.1201

MD5: 830ffb393ba8cca073a1c0b66af78de5 
Typical Filename: smbscanlocal0902.exe 
Claimed Product: N/A 
Detection Name: MS17010::mURLin::W32.Auto:6c62b768d8.in03.Talos 

MD5: 34560233e751b7e95f155b6f61e7419a  
Typical Filename: SAntivirusService.exe  
Claimed Product: A n t i v i r u s S e r v i c e  
Detection Name: PUA.Win.Dropper.Segurazo::tpd 

MD5: 2915b3f8b703eb744fc54c81f4a9c67f 
Typical Filename: VID[1].dat 
Claimed Product: N/A 
Detection Name: Win.Worm.Coinminer::1201 

MD5: 04c1f4395f80a3890aa8b12ebc2b4855 
Typical Filename: zReXhNb 
Claimed Product: N/A 
Detection Name: Auto.FAD16599A8.241842.in07.Talos 

Keep up with all things Talos by following us on TwitterSnortClamAV and Immunet also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast here and Talos Takes here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.  

No comments:

Post a Comment

Note: Only a member of this blog may post a comment.