Thursday, September 23, 2021

Threat Source newsletter (Sept. 23, 2021)

Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers.  

The Russian APT Turla is one of the most notorious threat actors out there today. And they aren't stopping, recently adding a new backdoor to their arsenal that serves as a "last chance" to retain a foothold on victim machines, even after their other malware has been removed.

Elsewhere on the APT landscape, the U.S. Cybersecurity and Infrastructure Security Agency released an advisory warning users and organizations about a recent spike in Conti ransomware attacks. Their report even included a Talos shout-out! If you want to read our recent work on Conti, you can check out our major takeaways from their leaked playbook, and an episode of Talos Takes covering the matter.



Upcoming Talos public engagements


Chats, Cheats, and Cracks: Abuse of Collaboration Platforms in Malware Campaigns at BSides Charlotte
Speaker: Edmund Brumaghin
Date: Sept. 25 at 1:30 p.m. ET
Location: Virtual
Description: Join Edmund Brumaghin from Talos Outreach as he discusses malware campaigns targeting collaboration apps such as Discord and Slack. Following up on Talos' blog post from earlier this year, the presentation will dive into campaigns we've spotted in the wild and discuss how users can stay safe while using these apps.

Speaker: Vitor Ventura
Date: Oct. 7 - 8
Location: Virtual
Description: Android malware has become prevalent across the landscape. In this workshop, Vitor Ventura will show you reverse engineering techniques for Android malware. This workshop is designed to provide the participants with different approaches to malware analysis so they can perform their own analysis without the use of automated tools. When everything else fails, we need to know what's under the hood. This workshop will cover malware unpacking, string deobfuscation, command and control protocol identification and feature identification.

Speaker: Brad Garnett
Date: Oct. 18 at 9:30 a.m. ET
Location: Livestream on all Talos social media accounts
Description: Join Cisco Talos Incident Response as we go live to celebrate National Cybersecurity Awareness Month. Brad Garnett, CTIR's general manager, will be live to answer your questions, talk about the trends he's seeing on the threat landscape, and the growing threat of ransomware. Please use this page to drop us any questions ahead of time, or join us in the chat live. A recording will be made available shortly after on our YouTube page at cs.co/TalosTube.


Cybersecurity week in review

  • Walgreens mistakenly left customers' COVID-19 testing information exposed online. Until some recent security additions, it was relatively easy for a malicious actor to view a person's name, appointment information, test results and other personal information through the pharmacy chain's website.
  • Apple released iOS 15 this week, which includes several new security features. The company also quietly patched a vulnerability that could allow an attacker to unlock a device using its facial ID features with a 3-D printed version of the user's face. 
  • Customer service company TTEC fully recovered from a ransomware attack. The company had to take some of its services offline, affecting customers like Verizon, after the attack on Sept. 12.
  • The U.S. government announced new sanctions against a popular cryptocurrency exchange that officials say attackers used to launder money made in ransomware attacks. The sanctions ban U.S. citizens and companies from transacting with the group.
  • A Russian threat actor demanded a $5.9 million ransom payment from an Iowa grain cooperative after a cyber attack this week. The company was able to recover and develop a workaround so that none of its shipments or operations were disrupted. 
  • European police arrested more than 100 individuals charged with carrying out various cybercrimes for the Italian mafia. The suspects are charged with SIM swapping and carrying out phishing attacks.
  • A popular voice-over-IP service is experiencing disruptions as of Thursday afternoon due to a distributed denial-of-service attack. The company serves 80,000 customers across more than 100 countries.
  • Alaska's state health department is still recovering two months after a ransomware attack. An unknown number of citizens may have had their personal information compromised, including full names and social security numbers.
  • Lithuanian cybersecurity researchers warned their government to stop using Chinese-produced mobile devices after they discovered several privacy concerns and security holes in the products. Some banned phrases on the phones include "Free Tibet" and "Voice of America."

Notable recent security issues


Description: Cisco Talos found a previously undiscovered backdoor from the Turla APT that we are seeing in the wild. This simple backdoor is likely used as a second-chance backdoor to maintain access to the system, even if the primary malware is removed. It could also be used as a second-stage dropper to infect the system with additional malware. The adversaries installed the backdoor as a service on the infected machine. They attempted to operate under the radar by naming the service "Windows Time Service," like the existing Windows service. The backdoor can upload and execute files or exfiltrate files from the infected system. In our review of this malware, the backdoor contacted the command and control (C2) server via an HTTPS encrypted channel every five seconds to check if there were new commands from the operator. 
ClamAV signature: Win.Trojan.Turla-9891506-1 
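
The five-second check-in described above is a fixed-interval pattern that can be hunted for in proxy or flow logs. The following is an added example, not Talos code: the log format (`ISO-time host destination`), the thresholds and the sample data are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

def parse(lines):
    """Group request times by (source host, destination) from 'ISO-time host dest' lines."""
    seen = defaultdict(list)
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue  # skip lines with an unparseable timestamp
        seen[(parts[1], parts[2])].append(ts)
    return seen

def find_beacons(lines, period=5.0, tolerance=1.0, max_cv=0.2, min_events=6):
    """Return (host, dest, mean_gap) for pairs polling at a steady ~period seconds."""
    hits = []
    for (host, dest), times in parse(lines).items():
        if len(times) < min_events:
            continue  # too few requests to judge regularity
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        # Mean gap near the expected period AND low relative jitter (coefficient of variation).
        if abs(avg - period) <= tolerance and pstdev(gaps) / avg <= max_cv:
            hits.append((host, dest, round(avg, 2)))
    return sorted(hits)

def sample_log():
    """Constructed sample data (not real telemetry); addresses are documentation ranges."""
    t0 = datetime(2021, 9, 23, 10, 0, 0)
    traffic = {
        ("ws-014", "203.0.113.10:443"): [0, 5, 10, 15, 21, 25, 30, 35],  # steady ~5 s polling
        ("ws-022", "198.51.100.7:443"): [0, 2, 3, 40, 41, 90, 95],       # bursty browsing
        ("ws-030", "192.0.2.44:443"): [0, 60, 120, 180, 240, 300],       # regular, but 60 s
    }
    return [f"{(t0 + timedelta(seconds=s)).isoformat()} {h} {d}"
            for (h, d), offs in traffic.items() for s in offs]

if __name__ == "__main__":
    for hit in find_beacons(sample_log()):
        print(hit)
```

Only the host polling at roughly five-second intervals is flagged; the bursty and the 60-second traffic are not.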

Description: Microsoft updated its patches for the so-called “OMIGOD” vulnerabilities in Open Management Infrastructure. The most severe vulnerability, CVE-2021-38647, could allow an attacker to remotely execute code. The three others (CVE-2021-38648, CVE-2021-38645 and CVE-2021-38649) could allow an adversary to obtain higher-level privileges on the targeted machine. Microsoft first disclosed these vulnerabilities last week as part of its monthly Patch Tuesday. However, security researchers found that some Linux machines could still be attacked using these exploits, prompting Microsoft to release updated guidance.  
Snort SID: 58169 


Most prevalent malware files this week


MD5: 9a4b7b0849a274f6f7ac13c7577daad8 
Typical Filename: ww31.exe 
Claimed Product: N/A 
Detection Name: W32.GenericKD:Attribute.24ch.1201

MD5: 830ffb393ba8cca073a1c0b66af78de5 
Typical Filename: smbscanlocal0902.exe 
Claimed Product: N/A 
Detection Name: MS17010::mURLin::W32.Auto:6c62b768d8.in03.Talos 

MD5: 34560233e751b7e95f155b6f61e7419a  
Typical Filename: SAntivirusService.exe  
Claimed Product: A n t i v i r u s S e r v i c e  
Detection Name: PUA.Win.Dropper.Segurazo::tpd 

MD5: 2915b3f8b703eb744fc54c81f4a9c67f 
Typical Filename: VID[1].dat 
Claimed Product: N/A 
Detection Name: Win.Worm.Coinminer::1201 

MD5: 04c1f4395f80a3890aa8b12ebc2b4855 
Typical Filename: zReXhNb 
Claimed Product: N/A 
Detection Name: Auto.FAD16599A8.241842.in07.Talos 

Keep up with all things Talos by following us on Twitter. Snort, ClamAV and Immunet also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast here and Talos Takes here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.
