Newsletter compiled by Jon Munshaw.
Good afternoon, Talos readers.
We've all heard about spam coming through your email or those robocalls we all hate. But during the COVID-19 pandemic, attackers are also turning to chat rooms and gaming servers to spread spam and malware. Talos researchers this week detailed multiple malware campaigns spreading through platforms like Discord and Slack, which have become increasingly popular as more and more people work from home.
Beers with Talos is also back this week after going quiet for a few weeks. The show's back with a mailbag episode, where the guys answer your Twitter questions. And they don't waste any time getting to Craig's robot problems.
Cybersecurity week in review
- The Biden Administration has reportedly finished a thorough report on foreign meddling in the 2020 presidential election and the SolarWinds breach. This likely sets the stage for Biden to announce retaliatory actions soon.
- The actors behind the SolarWinds campaign targeted security experts and researchers prior to the disclosure of the hack. This was likely an attempt to slow down discovery of the supply chain attack and response.
- Federal authorities charged a 22-year-old man with allegedly breaching the computer network of a Kansas town's water utility. The man, a former employee of the utility, allegedly attempted to shut down the facility's cleaning and disinfecting processes "with the intention of harming" people.
- Several different European Union agencies were the targets of cyber attacks last week. Officials say it's too early to tell the extent of the campaigns, as they're still conducting forensic analysis.
- Malicious actors hid dropper malware in cheat engines for the popular video game "Call of Duty: Warzone." Activision, the game's publisher, released a full report on the campaign, stating the dropper "can be customized to install other, more destructive, malware onto the targets' machines."
- A new hacking tool recently started appearing on cybercrime forums that can imitate the DocuSign software. DocuSign is often used to electronically sign important documents.
- Adversaries are reportedly exploiting critical vulnerabilities in SAP applications in the wild. Security researchers say an APT is using brute-force password attacks to log in to targeted systems and then exploiting multiple known, already-patched vulnerabilities, some of which could give the attacker full control of the applications.
- More than 530 million Facebook users had their personal information leaked online, including phone numbers, names and emails. The social media site said attackers were able to scrape the data by exploiting a vulnerability it disclosed and patched in 2019.
- Meanwhile, Facebook announced another push in its moderation efforts. The site said it recently exiled several troll farms, deepfake creators and spreaders of misinformation.
- Several European manufacturing firms were recent targets of the Cring ransomware. Attackers reportedly exploited vulnerabilities in FortiGate VPN appliances to gain initial access and deliver the malware.
Notable recent security issues
Title: Video game cheats, mods, used to hide malware
Description: Cisco Talos recently discovered a new campaign targeting video game players and other PC modders. Players may opt to download cheats or modifications (aka "mods") that change how a game behaves or is presented, and the adversaries use these gaming and OS modding tools as carriers for hidden malware. Talos detected a new cryptor, used across several different malware campaigns, embedded in seemingly legitimate files of the kind users would normally download to install cheats or mods. The cryptor is written in Visual Basic 6 and relies on shellcode and process injection techniques. It uses several obfuscation techniques that make it difficult to dissect and could pose a challenge for security analysts not familiar with Visual Basic 6.
ClamAV signatures: Win.Trojan.VB6Crypt-9839935-0, Win.Trojan.Elzob-9839938-0, Win.Malware.Amyl6tnk-9839937-0, Win.Packed.Cerbu-9839936-0
Title: Accusoft ImageGear vulnerabilities could lead to code execution
Description: Cisco Talos recently discovered multiple out-of-bounds write vulnerabilities in Accusoft ImageGear that an adversary could exploit to corrupt memory on the targeted machine. The ImageGear library is a document-imaging developer toolkit that offers image conversion, creation, editing, annotation and more. It supports more than 100 formats such as DICOM, PDF and Microsoft Office. A user could trigger these vulnerabilities by opening an attacker-created, malicious file.
Snort SIDs: 57011 - 57018, 57052, 57053, 57124, 57125
Most prevalent malware files this week
SHA 256: c1d5a585fce188423d31df3ea806272f3daa5eb989e18e9ecf3d94b97b965f8e
MD5: 9a4b7b0849a274f6f7ac13c7577daad8
Typical Filename: ww31.exe
Claimed Product: N/A
Detection Name: W32.GenericKD:Attribute.24ch.1201
SHA 256: 85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5
MD5: 8c80dd97c37525927c1e549cb59bcbf3
Typical Filename: svchost.exe
Claimed Product: N/A
Detection Name: Win.Exploit.Shadowbrokers::5A5226262.auto.talos
SHA 256: e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd
MD5: 8193b63313019b614d5be721c538486b
Typical Filename: SAService.exe
Claimed Product: SAService
Detection Name: PUA.Win.Dropper.Segurazo::95.sbx.tg
SHA 256: 17c4a85cdc339f525196d7f5da3a02e43c97513ff50b6bc17db4470ae3b182e2
MD5: 96f8e4e2d643568cf242ff40d537cd85
Typical Filename: SAService.exe
Claimed Product: SAService
Detection Name: PUA.Win.File.Segurazo::95.sbx.tg
SHA 256: bfbe7022a48c6bbcddfcbf906ef9fddc02d447848579d7e5ce96c7c64fe34208
MD5: 84291afce6e5cfd615b1351178d51738
Typical Filename: webnavigatorbrowser.exe
Claimed Product: WebNavigatorBrowser
Detection Name: W32.BFBE7022A4.5A6DF6a61.auto.Talos
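The hash list above is published as flat text, so a quick way to act on it is a small sweep script. The following is an added example written for this newsletter, not Talos tooling: it parses the "SHA 256 / MD5 / Typical Filename / Claimed Product / Detection Name" block (including a line where the space after "SHA 256:" was dropped) into records, then hashes every file under a directory and reports hash matches separately from filename-only matches, since a name like svchost.exe on its own is not evidence of anything. The IOC block embedded in the code is copied from the list above; the scratch directory, the filler file contents and the extra "Demo.ConstructedSample" IOC in demo() are constructed for the run and are not real malware.

```python
from __future__ import annotations

import hashlib
import os
import re
import tempfile
from dataclasses import dataclass

# Three of the five entries from the list above, copied verbatim, including the
# "SHA 256:<hash>" line where the extraction dropped the space after the colon.
NEWSLETTER_IOCS = """\
SHA 256: c1d5a585fce188423d31df3ea806272f3daa5eb989e18e9ecf3d94b97b965f8e
MD5: 9a4b7b0849a274f6f7ac13c7577daad8
Typical Filename: ww31.exe
Claimed Product: N/A
Detection Name: W32.GenericKD:Attribute.24ch.1201
SHA 256: 85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5
MD5: 8c80dd97c37525927c1e549cb59bcbf3
Typical Filename: svchost.exe
Claimed Product: N/A
Detection Name: Win.Exploit.Shadowbrokers::5A5226262.auto.talos
SHA 256:bfbe7022a48c6bbcddfcbf906ef9fddc02d447848579d7e5ce96c7c64fe34208
MD5: 84291afce6e5cfd615b1351178d51738
Typical Filename: webnavigatorbrowser.exe
Claimed Product: WebNavigatorBrowser
Detection Name: W32.BFBE7022A4.5A6DF6a61.auto.Talos
"""

FIELD_RE = re.compile(r"^(SHA 256|MD5|Typical Filename|Claimed Product|Detection Name):\s*(.*?)\s*$")
HEX_RE = re.compile(r"^[0-9a-f]+$")


@dataclass
class Ioc:
    sha256: str
    md5: str = ""
    filename: str = ""
    product: str = ""
    detection: str = ""


def _digest(value: str, length: int, label: str) -> str:
    value = value.lower()
    if len(value) != length or not HEX_RE.match(value):
        raise ValueError(f"malformed {label} in IOC block: {value!r}")
    return value


def parse_iocs(text: str) -> list[Ioc]:
    """A record starts at each 'SHA 256:' line; later fields attach to the open record."""
    iocs: list[Ioc] = []
    for raw in text.splitlines():
        m = FIELD_RE.match(raw.strip())
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        if key == "SHA 256":
            iocs.append(Ioc(sha256=_digest(value, 64, "SHA-256")))
        elif not iocs:
            continue  # a field before any SHA 256 line has no record to attach to
        elif key == "MD5":
            iocs[-1].md5 = _digest(value, 32, "MD5")
        elif key == "Typical Filename":
            iocs[-1].filename = value.lower()
        elif key == "Claimed Product":
            iocs[-1].product = value
        else:
            iocs[-1].detection = value
    return iocs


def hash_file(path: str, chunk: int = 1 << 20) -> tuple[str, str]:
    """Stream SHA-256 and MD5 in a single pass so large files are read only once."""
    sha, md5 = hashlib.sha256(), hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            sha.update(block)
            md5.update(block)
    return sha.hexdigest(), md5.hexdigest()


def sweep(root: str, iocs: list[Ioc]) -> tuple[list[tuple[str, str]], list[str]]:
    """Return (hash_hits, name_only): (path, detection) pairs, and paths whose only match is the name."""
    by_sha = {i.sha256: i for i in iocs}
    by_md5 = {i.md5: i for i in iocs if i.md5}
    names = {i.filename for i in iocs if i.filename}
    hash_hits: list[tuple[str, str]] = []
    name_only: list[str] = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                sha, md5 = hash_file(path)
            except OSError:
                continue  # unreadable (locked, permissions): skip rather than abort the sweep
            ioc = by_sha.get(sha) or by_md5.get(md5)
            if ioc:
                hash_hits.append((path, ioc.detection))
            elif name.lower() in names:
                name_only.append(path)
    return hash_hits, name_only


def demo() -> tuple[list[tuple[str, str]], list[str]]:
    """Constructed scratch directory: only labelled filler bytes are written, no real samples."""
    iocs = parse_iocs(NEWSLETTER_IOCS)
    sample = b"constructed sample bytes, not the real ww31.exe\n"
    # Hypothetical extra IOC whose hash is that of the constructed sample, so the hash path fires.
    iocs.append(Ioc(sha256=hashlib.sha256(sample).hexdigest(), detection="Demo.ConstructedSample"))
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "ww31.exe"), "wb") as fh:
            fh.write(sample)
        with open(os.path.join(root, "svchost.exe"), "wb") as fh:
            fh.write(b"benign filler bytes that only share a listed file name\n")
        return sweep(root, iocs)


if __name__ == "__main__":
    hits, weak = demo()
    for path, detection in hits:
        print(f"HASH MATCH  {path}  ->  {detection}")
    for path in weak:
        print(f"NAME ONLY   {path}  (hash did not match; inspect, do not alert on this alone)")
```

Point sweep() at a real tree with the full list parsed from the newsletter; the MD5 lookup is there only because some feeds publish MD5 alone, and a SHA-256 match should be what you act on.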
Keep up with all things Talos by following us on Twitter. Snort, ClamAV and Immunet also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast here and Talos Takes here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.