Newsletter compiled by Jon Munshaw.
Good afternoon, Talos readers.
We went viral this week! Everyone seemed to love joking about the vulnerabilities we discovered in a WiFi-connected air fryer. An attacker with physical access to the device could exploit them to change cook times and temperatures, or even turn the device on themselves.
There's also a new Beers with Talos episode out this week. The guys have a special guest on this week to talk about the world of SCADA and IoT as it relates to security — we promise the conversation is way more interesting than all of those acronyms.
On the malware front, we have new research out highlighting an actor we're calling "Fajan." This group sends spam emails, primarily to Middle Eastern targets, claiming to be from Bloomberg BNA, a news aggregation and business resource.
Cybersecurity week in review
- Attackers stole the data of more than 21 million ParkMobile users. The app, which is used to pay for parking in many major American cities, had information stolen including users' license plate numbers, names and emails.
- Def Con and Black Hat, two of the most popular security conferences in the world, plan to have some in-person events this summer. The events went fully online last year due to the COVID-19 pandemic.
- China is becoming one of the largest data collectors in the world. But this has opened the door to actors inside the country who want to steal that information on Chinese citizens and sell it.
- Ransomware attackers tried to extort Apple hours prior to a major company presentation. The REvil group threatened to publish product schematics and designs that were set to be announced later in the day Tuesday.
- Quanta, one of Apple's major suppliers, came forward Wednesday and disclosed it was the victim of the attack. The Taiwanese company said it suffered "cyber attacks on a small number of Quanta servers."
- The White House announced a new initiative this week designed to improve the security of the nation's electricity infrastructure. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is also starting a corresponding "60-day sprint."
- Japan accused Chinese state-sponsored actors of carrying out more than 200 separate cyber attacks. Investigators say the campaigns were conducted by a group known as "Tick" at the behest of China's People's Liberation Army.
- The Prometei botnet has shifted its focus to searching for unpatched Microsoft Exchange Servers that are vulnerable to recently disclosed vulnerabilities. Prometei is primarily known for spreading cryptocurrency mining malware.
- A newly proposed bill in Congress would prevent federal agencies from collecting individuals' data without a court order.
- The U.S. Department of Justice is launching a new task force to reduce the proliferation of ransomware. An internal memo called 2020 the "worst year ever" for ransomware attacks.
Notable recent security issues
Description: The U.S. National Security Agency released an advisory outlining several vulnerabilities that the Russian Foreign Intelligence Service (SVR) is exploiting in the wild. In the same advisory, the U.S. formally attributed the recent SolarWinds supply chain attack to the SVR and detailed more of the group's tactics, techniques and procedures. The exploited flaws are five CVEs affecting VPN appliances, collaboration suite software and virtualization products. Patches are available for all five, and Cisco Talos encourages everyone running the affected software to update immediately. Several of these vulnerabilities have working Metasploit modules and are being widely exploited. Note that some of the affected applications are reached over SSL/TLS, so network-based detection for them only works where the traffic is decrypted for inspection.
Snort SIDs: 49898, 52512, 52513, 52603, 52620, 52662, 51370 - 51372, 51288 - 51390
Snort SIDs: 57420 - 57424
Most prevalent malware files this week
Typical Filename: ww31.exe
Claimed Product: N/A
Detection Name: W32.GenericKD:Attribute.24ch.1201
Typical Filename: SAntivirusService.exe
Claimed Product: A n t i v i r u s S e r v i c e
Detection Name: PUA.Win.Dropper.Segurazo::tpd
Typical Filename: webnavigatorbrowser.exe
Claimed Product: WebNavigatorBrowser
Detection Name: W32.BFBE7022A4.5A6DF6a61.auto.Talos
Typical Filename: svchost.exe
Claimed Product: N/A
Detection Name: Win.Exploit.Shadowbrokers::5A5226262.auto.talos
Typical Filename: SAService.exe
Claimed Product: SAService
Detection Name: PUA.Win.File.Segurazo::95.sbx.tg
Keep up with all things Talos by following us on Twitter. Snort, ClamAV and Immunet also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast here and Talos Takes here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.