Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers.

We went viral this week! Everyone seemed to love to joke about these vulnerabilities we discovered in a WiFi-connected air fryer. An attacker, if they had physical access to the device, could exploit these vulnerabilities to change cook times and temperatures, or even turn the device on by themselves.

There's also a new Beers with Talos episode out this week. The guys have a special guest on this week to talk about the world of SCADA and IoT as it relates to security — we promise the conversation is way more interesting than all of those acronyms.

On the malware front, we have new research out highlighting an actor we're calling "Fajan." These groups send out spam emails to primarily Middle Eastern targets claiming to be from Bloomberg BNA — a news aggregation and business resource.

Cybersecurity week in review

Notable recent security issues

Title: U.S. blames Russian state-sponsored actors for exploiting vulnerabilties

Description: The U.S. National Security Agency released an advisory outlining several vulnerabilities that the Russian Foreign Intelligence Services (SVR) is exploiting in the wild. The U.S. formally attributed the recent SolarWinds supply chain attack to the SVR group in this advisory and detailed more of the group's tactics, techniques and procedures. The exploits included a series of five CVEs that affect VPN solutions, collaboration suite software and virtualization technologies. All five of the CVEs have been patched — Cisco Talos encourages everyone with the affected software update immediately. Some of these vulnerabilities also have working metasploit modules and are currently being widely exploited. Please note that some of these vulnerabilities exploit applications leveraging SSL.

Snort SIDs: 49898, 52512, 52513, 52603, 52620, 52662, 51370 – 51372, 51288 - 51390

Title: Google Chrome V8 engine exploited in the wild

Description: Google issued multiple updates to its Chrome web browser last week after researchers discovered multiple zero-day vulnerabilities in its V8 engine. The company stated in an update that exploits for vulnerabilities in V8 and Chrome's rendering engine Blink exist in the wild. According to proof-of-concept code posted by a security researcher, an attacker could use an HTML and JavaScript file to launch the calculator app on Windows 10 when loaded into a Chromium-based browser. However, it has larger wide-range implications, including other types of code execution.

Snort SIDs: 57420 - 57424

Most prevalent malware files this week

SHA 256: c1d5a585fce188423d31df3ea806272f3daa5eb989e18e9ecf3d94b97b965f8e

MD5: 9a4b7b0849a274f6f7ac13c7577daad8

Typical Filename: ww31.exe

Claimed Product: N/A

Detection Name: W32.GenericKD:Attribute.24ch.1201

SHA 256: 8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9

MD5: 34560233e751b7e95f155b6f61e7419a

Typical Filename: SAntivirusService.exe

Claimed Product: A n t i v i r u s S e r v i c e

Detection Name: PUA.Win.Dropper.Segurazo::tpd

SHA 256: bfbe7022a48c6bbcddfcbf906ef9fddc02d447848579d7e5ce96c7c64fe34208

MD5: 84291afce6e5cfd615b1351178d51738

Typical Filename: webnavigatorbrowser.exe

Claimed Product: WebNavigatorBrowser

Detection Name:

SHA 256: 85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5

MD5: 8c80dd97c37525927c1e549cb59bcbf3

Typical Filename: svchost.exe

Claimed Product: N/A

Detection Name:

SHA 256: 17c4a85cdc339f525196d7f5da3a02e43c97513ff50b6bc17db4470ae3b182e2

MD5: 96f8e4e2d643568cf242ff40d537cd85

Typical Filename: SAService.exe

Claimed Product: SAService

Detection Name:

Keep up with all things Talos by following us on Twitter. Snort, ClamAV and Immunet also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast here and Talos Takes here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.