Thursday, January 20, 2022

Threat Source Newsletter (Jan. 20, 2022)

Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers.  

Even though we're nearly a month into 2022, we're still not quite ready to move on from 2021. That's why next week, we'll be going live on social media to talk about some of the top cybersecurity stories from the past year.

Liz Waddell from Talos Incident Response and Matt Olney from our threat intelligence team will be joining Hazel Burton from Cisco Secure to talk about everything from Log4j to supply chain attacks. You can find this stream live on any of Cisco Secure's social media platforms or the Talos YouTube page.


Cybersecurity week in review


  • In the latest round of cyber incidents in Ukraine, attackers hijacked many government-run websites and some agencies even lost important data. Microsoft's security research team was the first to discover the attack, and dubbed it "WhisperGate."
  • Security experts and government leaders are struggling with how to address these cyber attacks. Given the current sensitivity around Ukraine and Russia, it's unclear whether these could constitute an act of war or anything that could lead to kinetic warfare.
  • Russian authorities arrested several alleged members of the REvil ransomware group at the request of U.S. authorities. They also seized multiple millions of dollars in international currencies that likely came from cyber attacks.
  • UniCC, one of the largest darknet forums for selling stolen credit card information, shut down last week when its founder retired. The creator of the forum claims to have made $358 million during the site's lifespan.
  • U.S. Cyber Command formally attributed the MuddyWater threat actor as an Iranian state-sponsored actor. The government also released an outline of the group's tactics, techniques and procedures (TTPs) and likely entry points into victims' networks.
  • North Korean state-sponsored actors stole nearly $400 million worth of cryptocurrency in 2021. Seven separate intrusions against different virtual currency wallets and trading sites were reported from these groups.
  • Two high-profile women's rights activists recently came forward saying they were being tracked by the Pegasus spyware. This particular case highlights how much more detrimental this type of tracking can be to female targets.
  • Microsoft released fixes for a Patch Tuesday update that interrupted some types of VPN connections. The original updates earlier this month were meant to fix vulnerabilities in Microsoft Server.
  • Attackers cloned a U.S. Department of Labor website to make it look like it's hosting official government contracts. However, the phony website instead points to malicious links that harvest the credentials of any users who try to log in.


Notable recent security issues


Attackers use AWS, Azure, to spread group of RATs 

Cisco Talos discovered a malicious campaign in October 2021 delivering variants of Nanocore, Netwire and AsyncRATs targeting users' information. According to Cisco Secure product telemetry, the victims of this campaign are primarily distributed across the United States, Italy and Singapore. The actor used complex obfuscation techniques in the downloader script. Each stage of the deobfuscation process yields the decryption methods for the subsequent stages, finally arriving at the actual malicious downloader method. The campaign is the latest example of threat actors abusing cloud services like Microsoft Azure and Amazon Web Services to achieve their malicious objectives. 
Snort SIDs: 58758 – 58773 

ClamAV signatures:  

  • Ps1.Dropper.HCrypt-9913873-0 
  • Txt.Trojan.BatchDownloader-9913886-0 
  • Win.Trojan.AsyncRAT-9914220-0 
  • Txt.Downloader.Agent-9914217-0 
  • Js.Trojan.Agent-9914218-0 
  • Js.Downloader.Agent-9914219-0 
  • Win.Packed.Samas-7998113-0 
  • Win.Trojan.NanoCore-9852758-0 
  • Win.Dropper.NetWire-8025706-0 
  • Win.Malware.Generickdz-9865912-0 
  • Win.Dropper.Joiner-6 

Log4j-related Java flaw found in H2 

Security researchers recently discovered a critical vulnerability in the H2 open-source Java SQL database that is similar to the widespread Log4shell exploit. However, the issue in H2 is considered to be less serious, as it's harder to exploit and gives potential attackers less of an attack surface. The flaw, identified as CVE-2021-42392, could allow an adversary to execute remote code on vulnerable systems. H2 is widely used by developers in web and internet-of-things platforms. The issue specifically lies in JNDI remote class loading, making it similar to Log4Shell: several code paths in the H2 database framework pass unfiltered attacker-controlled URLs to the javax.naming.Context.lookup function. 
Snort SIDs: 58876 and 58877
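The root cause described above is an untrusted string reaching Context.lookup unchecked. The following is an added illustration, not code from H2 or Talos: it places the vulnerable pattern beside a hardened one that refuses any JNDI name selecting a remote naming provider. The class name JndiGuard, the scheme allowlist and the sample names are all assumptions constructed for this example.

```java
import javax.naming.Context;
import javax.naming.NamingException;
import java.util.Locale;
import java.util.Set;

public final class JndiGuard {
    // Schemes that select a remote naming provider; a lookup against any of
    // these can trigger remote class loading, which is the Log4Shell/H2 risk.
    private static final Set<String> REMOTE_SCHEMES =
            Set.of("ldap", "ldaps", "rmi", "iiop", "iiopname", "corbaname", "dns");

    /** Returns true only for local, container-managed JNDI names. */
    public static boolean isSafeJndiName(String name) {
        if (name == null || name.isBlank()) return false;
        String lower = name.trim().toLowerCase(Locale.ROOT);
        int colon = lower.indexOf(':');
        if (colon < 0) return true;               // relative name, no provider selected
        String scheme = lower.substring(0, colon);
        if (REMOTE_SCHEMES.contains(scheme)) return false;
        if (lower.contains("://")) return false;  // any other URL form picks a provider
        return scheme.equals("java");             // java:comp/env/... is the local namespace
    }

    /** Vulnerable pattern: attacker-controlled input goes straight to lookup. */
    public static Object lookupUnfiltered(Context ctx, String untrusted) throws NamingException {
        return ctx.lookup(untrusted);
    }

    /** Hardened pattern: validate the name before it reaches the naming layer. */
    public static Object lookupFiltered(Context ctx, String untrusted) throws NamingException {
        if (!isSafeJndiName(untrusted)) {
            throw new SecurityException("Rejected JNDI name: " + untrusted);
        }
        return ctx.lookup(untrusted);
    }

    public static void main(String[] args) {
        // Constructed sample names: a legitimate container resource, a relative
        // name, and two remote-provider URLs of the kind the guard must block.
        String[] samples = {
            "java:comp/env/jdbc/appDb", "jdbc/appDb",
            "ldap://naming.example.invalid/x", "rmi://127.0.0.1:1099/x"
        };
        for (String s : samples) {
            System.out.println(s + " -> " + (isSafeJndiName(s) ? "allowed" : "blocked"));
        }
    }
}
```

The guard is an input-layer mitigation only; the actual fix for CVE-2021-42392 is updating H2, and on the JVM side disabling remote codebase trust remains the defense of record.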


Most prevalent malware files this week


MD5: a5e345518e6817f72c9b409915741689 
Typical Filename: swupdater.exe 
Claimed Product: Wavesor SWUpdater 
Detection Name: W32.1B259D8CA9.Wavesor.SSO.Talos 

MD5: 3f75eb823cd1a73e4c89185fca77cb38 
Typical Filename: signup.png 
Claimed Product: N/A 
Detection Name: Win.Dropper.Generic::231945.in02 

MD5: 8193b63313019b614d5be721c538486b 
Typical Filename: SAService.exe 
Claimed Product: SAService 
Detection Name: PUA.Win.Dropper.Segurazo::95.sbx.tg 

MD5: 7c5eaac8c756691c422027f7b3458759 
Typical Filename: santivirusservice.exe 
Claimed Product: SA_Service 
Detection Name: W32.Auto:bda6b6c45e.in03.Talos 

MD5: fe3659119e683e1aa07b2346c1f215af 
Typical Filename: SqlServerWorks.Runner.exe 
Claimed Product: SqlServerWorks.Runner 
Detection Name: W32.8639FD3EF8-95.SBX.TG 

Keep up with all things Talos by following us on Twitter. Snort and ClamAV also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast here and Talos Takes here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.  
