Thursday, October 21, 2021

Threat Source newsletter (Oct. 21, 2021)

 Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers.  

We're writing this on Wednesday for PTO reasons, so apologies if we miss any major news that happens after Wednesday afternoon. 

Above, you can watch our awesome live stream from Monday with Brad Garnett from Cisco Talos Incident Response. Brad sat down for a long discussion about the basics of engaging with an incident response team, provided some tips for hybrid work and answered questions live from the audience. 

On the written front, we just published new research on the recent wave of cyber attacks against users on the Indian Subcontinent. We recently spotted another set of threat actors trying to spread RATs to India and Afghanistan. Our blog has the latest information on why that matters, and what defenders can do to stay protected.

Upcoming Talos public engagements

Speaker: Brad Garnett
Date: Oct. 22 at 8:30 a.m. ET
Location: Virtual
Description: In this session, Brad Garnett, the general manager of Cisco Talos Incident Response, will discuss practical incident response strategies that every CISO and business leader faces with a hybrid workforce. Brad will share his insights from the front lines in the fight against ransomware and why organizations need to re-evaluate existing incident response plans and share how Talos is fighting the good fight against evolving adversaries.

Cybersecurity week in review

  • The REvil ransomware group is going dark once again after their payment portal and data leak websites were breached. This threat actor already went quiet for a few months earlier this year after the U.S. government blamed it for the Kaseya supply chain attack.
  • Many local TV stations across the U.S. experienced disruptions this week after Sinclair Broadcast Group was hit with a ransomware attack. As of Monday afternoon, the company told employees the full extent of the attack was still unknown.
  • Twitter suspended two accounts believed to be connected with North Korean state-sponsored actors. The accounts allegedly tried to lure security researchers into clicking on malicious links. 
  • The U.S. government released a warning last week that attackers are increasingly targeting the country’s water and wastewater systems sector. The report highlights three major campaigns targeting these critical infrastructure organizations since 2020. 
  • The Biden Administration took several steps over the past week to crack down on illegal cryptocurrency transactions, especially those linked to cyber attacks. This included a warning to private companies that they could face the consequences of sanctions if they deal with virtual currencies that facilitate ransomware payment.
  • Rural communities in the U.S. are particularly susceptible to ransomware attacks. As a new profile shows, it can sometimes shut down key resident services for weeks because the community's IT departments are so under-prepared. 
  • The number of ransomware victims who have paid extortion payments has already risen 30 percent this year from 2020. A new report from the U.S. Department of Treasury found ransomware attacks cost victims $590 million in the first six months of 2021. 
  • Electronics company Acer announced it was hit with a second cyber attack in less than a week. The attackers behind both campaigns said they wanted to prove a point that the company is behind on its data security practices.
  • Hackers reportedly hailing from Turkey compromised a portion of former President Donald Trump's website. A portion of the site briefly displayed positive messages regarding Turkish President Recep Tayyip Erdoğan.

Notable recent security issues

Predecessor to DarkSide ransomware gang could make waves in coming weeks

Major U.S. government agencies released a warning this week that the BlackMatter ransomware could strike major organizations or public sector targets. An advisory from the U.S. Cybersecurity and Infrastructure Security Agency, the FBI and the National Security Agency stated that BlackMatter is likely a predecessor to DarkSide, the ransomware group known for attacking the Colonial Pipeline earlier this year. The advisory warns businesses that they should implement multi-factor authentication and enact stronger credential rules to prepare for potential BlackMatter attacks. According to the report, the ransomware has already targeted two large food cooperatives in the U.S. 
Snort SIDs: 58237, 58238

Multiple vulnerabilities in ZTE MF971R LTE router

Cisco Talos recently discovered multiple vulnerabilities in the ZTE MF971R LTE portable router. The MF971R is a portable router with Wi-Fi support and works as an LTE/GSM modem. An attacker could exploit all these vulnerabilities by sending a specially crafted HTTP request to the targeted device. TALOS-2021-1320 and TALOS-2021-1321 are stack-based buffer overflow vulnerabilities. An attacker could exploit these issues to execute arbitrary remote code on the targeted device. As part of these exploits, the attacker needs to complete a referrer bypass, which is outlined in TALOS-2021-1317. TALOS-2021-1318 and TALOS-2021-1319 are cross-site scripting vulnerabilities that an attacker could use to execute arbitrary JavaScript in the victim’s browser. In this case, an attacker would need to trick the user into opening an attacker-controlled URL that hosts the malicious HTTP request.
Snort SIDs: 57749 - 57752, 57798, 57799, 57802, 57803, 57829

Most prevalent malware files this week

MD5: 84452e3633c40030e72c9375c8a3cacb 
Typical Filename: sqhost.exe 
Claimed Product: sqhost.exe 
Detection Name: W32.Auto:f0a5b257f1.in03.Talos 

MD5: fe3659119e683e1aa07b2346c1f215af
Typical Filename: SqlBase.exe
Claimed Product:  SqlServerWorks.Runner
Detection Name: W32.8639FD3EF8-95.SBX.TG

MD5: 34560233e751b7e95f155b6f61e7419a  
Typical Filename: SAntivirusService.exe  
Claimed Product: A n t i v i r u s S e r v i c e  
Detection Name: PUA.Win.Dropper.Segurazo::tpd 

MD5: 7b7e4f2878799268e9dd0a515420a88e 
Typical Filename: S A Service.exe 
Claimed Product: S_A_Service 
Detection Name: W32.Auto:0e043149a1.in03.Talos 

MD5: bdd455b064413ee7e1997bd10daa4904 
Typical Filename: 461502.exe 
Claimed Product: N/A 
Detection Name: W32.3367784613-100.SBX.TG 

Keep up with all things Talos by following us on Twitter. Snort and ClamAV also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast here and Talos Takes here (as well as on your favorite podcast app). And, if you're not already, you can also subscribe to the weekly Threat Source newsletter here.
