Thursday, October 7, 2021

Threat Source newsletter (Oct. 7, 2021)

Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers.  

Every day, we see mountains and mountains of data. So how do we comb through all of it to find out what's important to customers and users? Well, there are many ways, but we wanted to give readers and researchers a look into at least one option using Apache Spark.

Our new walkthrough will show how we use machine learning, software and good old-fashioned intuition to work through a huge dataset.

October is the start of National Cybersecurity Awareness Month. To celebrate, we'll be releasing special episodes of the Talos Takes podcast each week centered around a specific theme. First up, we have Chris Marshall from Talos discussing how to avoid burnout. Cybersecurity is a stressful industry even when we're not in a global pandemic. So how have we adapted to our new hybrid work style at Talos? Listen to find out.

Do you have a particular threat, IOC, malware family or actor you want us to be covering in the Threat Source newsletter? Let us know at threatsource@cisco.com.


Upcoming Talos public engagements


Speaker: Brad Garnett
Date: Oct. 18 at 9:30 a.m. ET
Location: Livestream on all Talos social media accounts
Description: Join Cisco Talos Incident Response as we go live to celebrate National Cybersecurity Awareness Month. Brad Garnett, CTIR's general manager, will be live to answer your questions and talk about the trends he's seeing on the threat landscape, including the growing threat of ransomware. Please use this page to drop us any questions ahead of time, or join us in the chat live. A recording will be made available shortly after on our YouTube page at cs.co/TalosTube.


Cybersecurity week in review

  • An anonymous hacker leaked what amounts to essentially the entirety of Twitch. The popular streaming service's source code was posted online, along with a massive trove of data that includes information on the highest-paid streamers.
  • Twitch followed up the leak by changing all stream keys. The company attributed the leak to a server configuration change error that left the data exposed.
  • A new lawsuit addresses what is believed to be the first death ever attributed to a ransomware attack. The family filing the suit says their baby died in a hospital after it did not receive adequate care while hospital staff tried to recover from a cyber attack.
  • The White House is organizing a meeting of cybersecurity experts from 30 countries to address cybercrime and ransomware. U.S. President Joe Biden said in a statement the group would also discuss "improving law enforcement collaboration" around illegal cryptocurrency transactions.
  • Facebook, Instagram and WhatsApp were down for several hours Monday due to a BGP error. While speculation immediately swirled on social media about a potential cyber attack, Facebook says it was simply a command issued during maintenance that caused the outage.
  • A recent report found that cyber attacks targeting the maritime transportation system rose by 400 percent over the course of a few months in 2020. These types of attacks threaten to disrupt international trade, transportation companies and more.
  • Recent data shows many users in Europe and the U.K. use their favorite soccer team's name in their passwords, leading to easy-to-guess login information. Researchers found more than 800 million leaked passwords out of a group of 2.5 billion that used teams' nicknames. 
  • The U.S. Transportation Security Agency plans to enact new cybersecurity guidelines for the railroad and airline industries. After the announcement, leaders from the rail industry immediately pushed back on the new mandates. 
  • The U.S. Department of Justice created a new task force specifically focused on investigating the illegal use of cryptocurrency. Among its several duties, the group will track down and attempt to recover any payments made as a result of ransomware attacks.


Notable recent security issues


Attackers spread malware disguised as solution for Pegasus spyware 

Threat actors are impersonating the group Amnesty International and promising to protect against the Pegasus spyware as part of a scheme to deliver malware. Amnesty International recently made international headlines when it released a groundbreaking report on the widespread use of Pegasus to target international journalists and activists. Adversaries have set up a phony website that looks like Amnesty International's — a human rights-focused non-governmental organization — and points to a promised anti-virus tool to protect against the NSO Group's Pegasus tool. However, the download actually installs the little-known Sarwent malware. Sarwent contains the usual abilities of a remote access tool (RAT) — mainly serving as a backdoor on the victim machine — and can also activate the remote desktop protocol on the victim machine, potentially allowing the adversary to access the desktop directly.  
Snort SIDs: 54357, 57901 
 

SonicWall patches critical vulnerability in remote connect device 

Description: SonicWall released a security update for its Secure Mobile Access (SMA) 100 line of devices. The company disclosed a critical vulnerability that could allow unauthenticated attackers to remotely gain admin access on targeted devices. CVE-2021-20034 has a severity score of 9.1 out of a possible 10. The SMA 100 allows remote workers to securely connect to their office’s network and devices. The product recently came under additional scrutiny after SonicWall warned users that attackers were specifically targeting end-of-life versions of the device to spread ransomware attacks.  
Snort SIDs: 58224 - 58226


Most prevalent malware files this week


MD5: 9a4b7b0849a274f6f7ac13c7577daad8 
Typical Filename: ww31.exe 
Claimed Product: N/A 
Detection Name: W32.GenericKD:Attribute.24ch.1201

MD5: 830ffb393ba8cca073a1c0b66af78de5 
Typical Filename: smbscanlocal0902.exe 
Claimed Product: N/A 
Detection Name: MS17010::mURLin::W32.Auto:6c62b768d8.in03.Talos 

MD5: 04c1f4395f80a3890aa8b12ebc2b4855 
Typical Filename: zReXhNb 
Claimed Product: N/A 
Detection Name: Auto.FAD16599A8.241842.in07.Talos 

MD5: 34560233e751b7e95f155b6f61e7419a  
Typical Filename: SAntivirusService.exe  
Claimed Product: A n t i v i r u s S e r v i c e  
Detection Name: PUA.Win.Dropper.Segurazo::tpd 

MD5: fe3659119e683e1aa07b2346c1f215af
Typical Filename: SqlBase.exe
Claimed Product: SqlServerWorks.Runner
Detection Name: W32.8639FD3EF8-95.SBX.TG

Keep up with all things Talos by following us on Twitter. Snort and ClamAV also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast here and Talos Takes here (as well as on your favorite podcast app). And, if you're not already, you can also subscribe to the weekly Threat Source newsletter here.
