Threat Source Newsletter (Jan. 13, 2022)

Good afternoon, Talos readers.

Move out of the way, Log4j! Traditional malware is back with a bang in 2022. While Log4j is likely still occupying many defenders' minds, the bad guys are still out there doing not-Log4j things. We have new research out on a campaign spreading three different remote access tools (RATs) using public internet infrastructures like Amazon Web Services and Microsoft Azure Sphere.

If you're looking to unwind after all the Log4j madness, we also have a new Beers with Talos episode that's one of our more laid-back productions. We, unfortunately, said goodbye to Joel, but it was not without tequila and discussions about "Rent."

Cybersecurity week in review

A well-known Iranian state-sponsored actor is exploiting the widespread Log4j vulnerability to deliver a new PowerShell backdoor. The group, APT35, use the backdoor to set up C2 communications, perform system enumeration, and decrypt and load additional modules.
The White Hosue is hosting a meeting with major tech companies to discuss the security of open-source software in the wake of the Log4j vulnerability. Invitees include representatives from Apache — the makers of Log4j, Google, Microsoft and VMware.
The H2 database engine contains a vulnerability similar to Log4shell, though it doesn't appear to be as serious. Attackers could exploit the vulnerability to take over a targeted server, though it would be more difficult to spread across the network than it is using Log4shell.
The European Union launched a simulated cyber attack against multiple member nations' critical infrastructure. The exercise comes as leaders in the region grow concerned about Russia's potential military intervention in Ukraine.
A hacker claims to be selling access to a high-profile search database commonly used by private investigators. The user says they can provide credentials to use TransUnion, which allows users to look up individuals' Social Security numbers and physical addresses, among other sensitive pieces of information.
More than 5,000 schools' websites across the globe were affected by a ransomware attack against a Connecticut-based software company. The attack briefly disrupted communication between the schools and students, notably those who are holding classes virtually.
An extradited Russian national the U.S. recently charged with several high-profile cyber attacks may have access to sensitive documents related to Russia's interference in the 2016 U.S. presidential election. It's well known that Russian state-sponsored actors spread many misinformation campaigns to influence the outcome of the election.
Apple's latest iOS operating system offers users the ability to download privacy reports on the apps on their phones. Users can now see, in plain text, what information certain apps are collecting on them and how often they run in the background.
The U.S. Cybersecurity and Infrastructure Security Agency released new details on a series of campaigns from Russian state-sponsored actors. An advisory states that the groups are exploiting many well-known vulnerabilities, including ones in Microsoft Exchange Server and F5 BIG-IP.

Notable recent security issues

Microsoft Patch Tuesday for Jan. 2021 — Snort rules and prominent vulnerabilities

Microsoft released its monthly security update Tuesday, disclosing 102 vulnerabilities across its large collection of hardware and software. This is the largest amount of vulnerabilities Microsoft has disclosed in a monthly security update in eight months, however, none of the issues have been exploited in the wild, according to Microsoft. 2022’s first security update features nine critical vulnerabilities, with all but one of the remaining being considered “important.” CVE-2022-21840 is one of the critical vulnerabilities, an issue in Microsoft Office that could allow an attacker to execute remote code on the targeted machine. CVE-2022-21841, CVE-2022-21837 and CVE-2022-21842 are also remote code execution vulnerabilities in the Office suite of products, though they are only rated as “important.” These four vulnerabilities are particularly of note, though, because they can be triggered by the target opening a specially crafted document, a favorite tactic of attackers.

Snort SIDs: 40689, 40690, 58859, 58860, 58866 - 58869 and 58870 - 58875

Two vulnerabilities in Adobe Acrobat DC could lead to arbitrary code execution

Cisco Talos recently discovered multiple vulnerabilities in a device from Garrett Metal Detectors that could allow remote attackers to bypass authentication requirements, manipulate metal detector configurations, and even execute arbitrary code on the device. The vulnerabilities specifically exist in the Garrett iC module, which provides network connectivity to the Garrett PD 6500i or Garrett MZ 6100 walk-through metal detectors commonly used at security checkpoints. An attacker could manipulate this module to remotely monitor statistics on the metal detector, such as whether the alarm has been triggered or how many visitors have walked through. They could also make configuration changes, such as altering the sensitivity level of a device, which potentially poses a security risk to users who rely on these metal detectors.

References: https://blog.talosintelligence.com/2022/01/adobe-acrobat-vuln-spotlight-.html

https://helpx.adobe.com/security/security-bulletin.html

Snort SIDs: 58013 - 58017

Most prevalent malware files this week

SHA 256: 1b259d8ca9bb4579feb56748082a32239a433cea619c09f827fd6df805707f37

MD5: a5e345518e6817f72c9b409915741689 Typical Filename: swupdater.exe Claimed Product: Wavesor SWUpdater Detection Name: W32.1B259D8CA9.Wavesor.SSO.Talos SHA 256: 8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9 MD5: 34560233e751b7e95f155b6f61e7419a Typical Filename: SAntivirusService.exe Claimed Product: A n t i v i r u s S e r v i c e Detection Name: PUA.Win.Dropper.Segurazo::tpd SHA 256: 0fa5cf65905b79ede6fe39e9ee8a8a8b2d04b71b859fe6e7a0ee583a7b832f43 MD5: cbd421ed5799f498e42ec6c598dc0aef Typical Filename: N/A Claimed Product: N/A Detection Name: W32.Auto:0fa5cf6590.in03.Talos

SHA 256: e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd MD5: 8193b63313019b614d5be721c538486b Typical Filename: SAService.exe Claimed Product: SAService Detection Name: PUA.Win.Dropper.Segurazo::95.sbx.tg

SHA 256: 8639fd3ef8d55c45808f2fa8a5b398b0de18e5dd57af00265e42c822fb6938e2 MD5: fe3659119e683e1aa07b2346c1f215af Typical Filename: SqlServerWorks.Runner.exe Claimed Product: SqlServerWorks.Runner Detection Name: W32.8639FD3EF8-95.SBX.TG

Keep up with all things Talos by following us on Twitter. Snort, and ClamAV also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast here and Talos Takes here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.

Intelligence Center

Vulnerability Information

Security Resources

Media

Company

Could the Brazilian Supreme Court finally hold people accountable for sharing disinformation?

The internet is already scary enough without April Fool’s jokes

There are plenty of ways to improve cybersecurity that don’t involve making workers return to a physical office

Intelligence Center

Vulnerability Research

Incident Response