Good afternoon, Talos readers.
I'm writing this on Tuesday morning on account of vacation (again), so apologies if we miss any major stories.
You certainly don't want to miss our latest blog post on the Neurevt remote access trojan that's targeting users in Mexico. This malware is mainly designed to steal login credentials to banking websites, and we don't really need to tell you why that would be bad.
Upcoming Talos public engagements
Speaker: Chris DiSalle
Date: Sept. 9
Location: Virtual
Description: Chris DiSalle from Talos Incident Response will join the Technado podcast to share the ins and outs of the IR industry. Chris will talk to host Don Pezet about how he got started in incident response, horror stories he's seen in the field, and much more.
Workshop: Analysing Android malware at VirusBulletin localhost 2021
Speaker: Vitor Ventura
Date: Oct. 7 - 8
Location: Virtual
Description: Android malware has become prevalent across the landscape. In this workshop, Vitor Ventura will show you reverse engineering techniques for Android malware. This workshop is designed to provide the participants with different approaches to malware analysis so they can perform their own analysis without the use of automated tools. When everything else fails, we need to know what's under the hood. This workshop will cover malware unpacking, string deobfuscation, command and control protocol identification and feature identification.
Cybersecurity week in review
- The Taliban's takeover of Afghanistan's government is obviously the most important story this week. And while there are several national security issues at play here, we should also be considering the possible cybersecurity implications here. With U.S. officials and the military leaving the country, they could be leaving behind sensitive national intelligence completely unguarded.
- Nearly 6,000 people had their personal information stolen as part of the recent ransomware attack on the Colonial Pipeline. The company said it is sending out breach notifications to those affected, which mainly include current and former employees and their families.
- Jen Easterly, the recently confirmed director of the Cybersecurity and Infrastructure Security Agency, said in a recent interview that she wants the agency to remain non-partisan. Easterly added that she wants to develop a bi-partisan solution to combating disinformation ahead of the 2022 and 2024 election cycles.
- Security researchers found an unpatched vulnerability in the gym management platform Wodify. The software, used by thousands of gyms across the U.S., could be exploited to manipulate and view users' financial transactions.
- T-Mobile says it is investigating a possible data breach and/or cyber attack after adversaries claimed to be selling the personal information of 100 million customers. A dark web seller claims to want the equivalent of $270,000 for a subset of the data containing 30 million social security numbers and driver licenses.
- A vulnerability in Ford's website could allow an attacker to view customer and employee records from internal systems. Researchers found the data was exposed via a misconfigured instance of Pega Infinity running on Ford's servers.
- A ransomware attack hit a hospital systemserving parts of Ohio and West Virginia, locking employees out from accessing internal IT systems. The hospitals had to turn away many patients and cancel surgeries as a result.
- Consulting company Accenture said there were no effects to the company's operations or clients from a reported ransomware attack last week. The operators behind the Lockbit ransomware claim to be selling a huge trove of data stolen from the company via an "insider."
- Attackers are hiding phishing links and malware inside reCAPTCHA and other CAPTCHA-like software. The CAPTCHAs are useful in making phishing sites appear legitimate, and can also stop malware scanners from detecting the sites.
Notable recent security issues
Title:Vice Society group exploiting PrintNightmare in recent ransomware attacks
Description: Another threat actor is actively exploiting the so-called PrintNightmare vulnerability (CVE-2021-1675 / CVE-2021-34527) in Windows' print spooler service to spread laterally across a victim's network as part of a recent ransomware attack, according to Cisco Talos Incident Response research. While previous research found that other threat actors had been exploiting this vulnerability, this appears to be new for the threat actor Vice Society. Talos Incident Response's research demonstrates that multiple, distinct threat actors view this vulnerability as attractive to use during their attacks and may indicate that this vulnerability will continue to see more widespread adoption and incorporation by various adversaries moving forward. For defenders, it is important to understand the attack lifecycle leading up to the deployment of ransomware. If users have not already, they should download the latest patch for PrintNightmare from Microsoft.
Snort SIDs: 57876, 57877
Title: Signed MSI files, Raccoon and Amadey are used for installing ServHelper RAT
Description: Group TA505 has been active for at least seven years, making wide-ranging connections with other threat actors involved in ransomware, stealing credit card numbers and exfiltrating data. One of the common tools in TA505's arsenal is ServHelper. In mid-June, Cisco Talos detected an increase in ServHelper's activity. We investigated the activity and discovered a set of intertwined malware families and TTPs. Although ServHelper has existed since at least early 2019, we detected the use of other malware families to install it. The installation comes as a GoLang dropper, .NET dropper or PowerShell script. Its activity is generally linked to Group TA505, but we cannot be certain that they are the exclusive users of this RAT.
Snort SID: 57975
ClamAV signatures: Win.Downloader.Powershell-9883640, Win.Trojan.Powershell-9883642, Win.Downloader.Powershell-9883641, Win.Downloader.ServHelper-9883708, Win.Downloader.Powershell-9883847, Win.Trojan.ServHelper-9883848, Win.Trojan.ServHelper-9883866, Win.Trojan.ServHelper-9883867
Most prevalent malware files this week
SHA 256: c1d5a585fce188423d31df3ea806272f3daa5eb989e18e9ecf3d94b97b965f8e
MD5: 9a4b7b0849a274f6f7ac13c7577daad8
Typical Filename: ww31.exe
Claimed Product: N/A
Detection Name: W32.GenericKD:Attribute.24ch.1201
SHA 256: 9a74640ca638b274bc8e81f4561b4c48b0c5fbcb78f6350801746003ded565eb
MD5: 6be10a13c17391218704dc24b34cf736
Typical Filename: smbscanlocal0906.exe
Claimed Product: N/A
Detection Name: Win.Dropper.Ranumbot::in03.talos
SHA 256: 5e46ecffcff9440e97bf4f0a85ad34132407f925b27a8759f5a01de5ea4da6af
MD5: 0a13d106fa3997a0c911edd5aa0e147a
Typical Filename: mg20201223-1.exe
Claimed Product: N/A
Detection Name: RanumBot::mURLin::W32.5E46ECFFCF.in12.Talos
SHA 256: 8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9
MD5: 34560233e751b7e95f155b6f61e7419a
Typical Filename: SAntivirusService.exe
Claimed Product: A n t i v i r u s S e r v i c e
Detection Name: PUA.Win.Dropper.Segurazo::tpd
SHA 256: 5191548b8edf4b98e623f055f5205e2db17aa220c28928b1da1c3a9ba1a75ee0
MD5: d54ade674cb0c3e6d322ed7380e8adf6
Typical Filename: ml20201223.exe
Claimed Product: N/A
Detection Name: RanumBot::mURLin::GenericRXMW:Win32-tpd
Keep up with all things Talos by following us on Twitter. Snort, ClamAV and Immunet also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast here and Talos Takes here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.