Newsletter compiled by Jon Munshaw.
Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.
What’s old is new again.
Our research this week centers around a series of long-lasting threat actors and malware that have been given new life.
China Chopper, a 9-year-old web shell, is more prevalent than ever now that the source code is out there, so any threat actor could conceivably use it. We recently discovered three distinct campaigns using it for a variety of malicious activities.
We’ve also discovered threat actors using two of the most popular RATs — Orcus RAT and RevengeRAT — to target government entities, financial services organizations, information technology service providers and consultancies.
We also have our weekly Threat Roundup, which you can find on the blog every Friday afternoon. There, we go over the most prominent threats we’ve seen (and blocked) over the past week.
Upcoming public engagements with Talos Event: “DNS on Fire” at Virus Bulletin 2019
Location: Novotel London West hotel, London, U.K.
Date: Oct. 2 - 4
Speaker: Warren Mercer and Paul Rascagneres
Synopsis: In this talk, Paul and Warren will walk through two campaigns Talos discovered targeted DNS. The first actor developed a piece of malware, named “DNSpionage,” targeting several government agencies in the Middle East, as well as an airline. During the research process for DNSpionage, we also discovered an effort to redirect DNSs from the targets and discovered some registered SSL certificates for them. The talk will go through the two actors’ tactics, techniques and procedures and the makeup of their targets.
Event: “It’s never DNS...It was DNS: How adversaries are abusing network blind spots” at SecTor
Location: Metro Toronto Convention Center, Toronto, Canada
Date: Oct. 7 - 10
Speaker: Edmund Brumaghin and Earl Carter
Synopsis: While DNS is one of the most commonly used network protocols in most corporate networks, many organizations don’t give it the same level of scrutiny as other network protocols present in their environments. DNS has become increasingly attractive to both red teams and malicious attackers alike to easily subvert otherwise solid security architectures. This presentation will provide several technical breakdowns of real-world attacks that have been seen leveraging DNS for a variety of purposes such as DNSMessenger, DNSpionage, and more.
Cyber Security Week in Review
- Apple released a patch to fix a jailbreak vulnerability in iPhones. The update came weeks after the company mistakenly unpatched a previous fix for the bug, which was eventually discovered by a security researcher.
- The U.S. government is close to releasing a plan focused on protecting the 2020 U.S. presidential election from a ransomware attack. Officials are concerned with protecting voter registration databases from theft, manipulation or total takeover.
- Spammers have started using Google Calendar invites as their latest attack vector. These invites usually contain malicious links, and clicking on these links will signal to the attacker to send additional invites in the future.
- Courts in Georgia are still recovering from a ransomware attack earlier this year. Their systems are still down, forcing many to keep track of criminal cases and traffic citations with paper records.
- U.S. officials say a cyber attack earlier this summer against Iran has hindered the country’s ability to target American oil tankers. Iran is reportedly still recovering data from the attack and has had to totally restart some systems, including military communications networks.
- Security researchers discovered two malicious apps on the Google Play store that ran ads in the background on users’ devices, draining battery power and increasing mobile data usage. The apps were downloaded a combined 1.5 million times.
- Home security company Ring says it has partnerships with more than 400 police departments across the country. This collaboration can take several forms, including information-sharing, access to Ring’s online community and rebates to customers.
- French police and a security firm teamed up to remove a wormable cryptocurrency miner from 850,000 machines in the country. The botnet’s C2 server contained a vulnerability that allowed the team of researchers to make it possible for the victims to remove the miner without executing any additional code.
- NATO’s secretary general said the military alliance would collectively respond to a major cyber attack on one of its 29 member countries. Jens Stoltenberg used the 2017 Wannacry attack as an example of something that could trigger the “Article 5” clause in NATO’s charter.
- Apple says it will no longer retain recordings of users’ conversations with Siri and released an apology for allowing humans to listen to the recordings in the past. The company now says users can choose to opt in to the program, which is designed to improve Siri’s capabilities.
Notable recent security issues Title: Critical vulnerabilities found in some Cisco smart switches
Description: Two vulnerabilities in Cisco's 220 series of smart switches for small businesses could allow an attacker to leak sensitive information or inject malicious code. CVE-2019-1912 could allow an attacker to bypass security checks on the switch and upload arbitrary files. And CVE-2019-1913 opens the switches to a buffer overflow attack, which could be used to gain the ability to remotely execute code on the machine with root privileges.
Snort SIDs: 51293 – 51295 (Written by John Levy), 51298 – 51300 (Written by Amit Raut), 51306 - 51307 (Written by Tim Muniz)
Title: Popular VPN services open to attack, data leaks
Description: Attackers are actively exploiting vulnerabilities in the Fortigate and Pulse VPN services to steal encryption keys, passwords and other sensitive data. These campaigns, which started last week, target the Webmin utility for managing Linux and *NIX systems. These are devices in enterprise networks, and the vulnerabilities involved could allow an attacker to take complete control of a system.
Snort SIDs: 51240 – 51243 (Written by John Levy), 51288, 51289 (Written by Joanne Kim)
Most prevalent malware files this week
SHA 256: 3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3
Typical Filename: qmreportupload.exe
Claimed Product: qmreportupload
Detection Name: Win.Trojan.Generic::in10.talos
SHA 256: 7acf71afa895df5358b0ede2d71128634bfbbc0e2d9deccff5c5eaa25e6f5510
Typical Filename: xme64-2141.exe
Claimed Product: N/A
Detection Name: W32.7ACF71AFA8-95.SBX.TG
SHA 256: 1755c179f08a648a618043a5af2314d6a679d6bdf77d4d9fca5117ebd9f3ea7c
Typical Filename: cslast.gif
Claimed Product: N/A
Detection Name: W32.1755C179F0-100.SBX.TG
SHA 256: 46b241e3d33811f7364294ea99170b35462b4b5b85f71ac69d75daa487f7cf08
Typical Filename: invoice.exe
Claimed Product: N/A
Detection Name: W32.46B241E3D3-95.SBX.TG
SHA 256: 093cc39350b9dd2630a1b48372abc827251a3d37bd88c35cea2e784359b457d7
Typical Filename: sayext.gif
Claimed Product: N/A
Detection Name: W32.093CC39350-100.SBX.TG