Newsletter compiled by Jon Munshaw.
Good afternoon, Talos readers.
This will be our last Threat Source newsletter of the year. We’ll be on a few-week break for the holidays until Jan. 7.
Of course, all anyone wants to talk about this week is the SolarWinds supply chain attack. There are still many outstanding questions yet to be answered, but everything Cisco Talos knows about this incident, along with our coverage, can be found here. Our pre-existing coverage also keeps users protected from exploitation of any of the vulnerabilities targeted by the FireEye tools stolen in this attack.
While we’re away for the holidays, why not do some reverse-engineering and threat hunting of your own with some of our open-source tools? We just released new versions of GhIDA and Dynamic Data Resolver as an early holiday present.
Cyber security week in review
- Security researchers, defenders, IT professionals and government officials around the U.S. are scrambling this week to respond to the SolarWinds incident. Here’s why it’s such a big deal.
- Several security industry organizations came together in a massive response to this attack. On Wednesday, security researchers seized control of and sinkholed a key domain used in the SolarWinds incident.
- The U.S. Treasury and Commerce departments were also victims of this attack, though it's currently unclear how, or if, the attackers used the backdoor established on their networks. Many Fortune 500 companies also use SolarWinds products, according to the company's website.
- House Intelligence Committee Chairman Adam Schiff said the U.S. government needs to take on “urgent work” to defend its critical networks in the wake of this attack. Schiff asked that any private companies that were affected reach out to U.S. intelligence agencies to coordinate a response.
- Apple started adding new labels to the apps on its iOS and Mac stores that identify what type of personal information they collect. The labels group that information under three categories: "Data used to track you," "Data linked to you," and "Data not linked to you."
- A new adware campaign Microsoft is calling “Adrozek” injects malicious ads into search results on numerous browsers. The actors behind the campaign generate money by tricking the users into clicking on the fake ads, which send them to affiliate-linked pages.
- Government agencies in Poland and Lithuania were both subjects of disinformation attacks this week. Attackers took control of several state-controlled websites and posted intentionally misleading information looking to disrupt ties between the two countries.
- Thousands of medical images such as X-rays and MRIs are sitting on unprotected servers, accessible to anyone on the internet. A security firm found many of them were connected to a massive health care system in Russia.
- A security firm found 28 malicious browser plugins for Microsoft Edge and Google Chrome that steal users’ personal data. More than 3 million people are estimated to have downloaded these extensions.
Notable recent security issues
Title: State-sponsored actors behind massive SolarWinds attacks, full breadth yet to be discovered
Description: In a sophisticated supply-chain attack, adversaries compromised updates to the widely used SolarWinds Orion IT monitoring and management software. The digitally signed, trojanized updates were posted on the SolarWinds website from March to May 2020. The backdoor is loaded by the legitimate SolarWinds executable before the legitimate code runs, so as not to alert the victim that anything is amiss. Reports indicate that some of the largest companies in the world use this software, and it is still unclear whether the backdoor has led to any major cyber attacks or data breaches. At least two American government agencies are also affected: the Treasury and Commerce departments. The U.S. Department of Homeland Security (DHS) and CISA issued an emergency alert calling on all U.S. federal civilian agencies to review their networks for indicators of compromise (IOCs) and advising them to disconnect SolarWinds Orion products immediately.
Snort SIDs: 56660 - 56668
Title: Red-teaming security tools stolen as part of broad attack
Description: In an attack related to the compromise of SolarWinds products, security vendor FireEye had some of its red-teaming tools stolen by a state-sponsored actor. Some of these tools appear to be based on well-known offensive frameworks such as Cobalt Strike. It has been reported that none of the tools target zero-day vulnerabilities. It's currently unknown why a state-sponsored actor would want to target these tools; typically, these types of actors go after high-value data possessed by victims. As part of its disclosure, FireEye also released a repository of signatures and rules designed to detect the use of these tools across a variety of detection technologies.
Snort SIDs: 8068, 8422, 38491, 38492, 48359, 49100, 49171, 49861, 50137, 50168 - 50170, 50275 - 50278, 51288 - 51289, 51368, 51370 - 51372, 51390, 51966, 52512, 52513, 52603, 52620, 53433, 53435, 53346 - 53351, 53380 - 53383, 55703, 55704, 55802, 55862, 56290, 56436, 56586
ClamAV signature: W32.FindstrSearchForKeyWords
Most prevalent malware files this week
Typical Filename: Eternalblue-2.2.0.exe
Claimed Product: N/A
Detection Name: Win.Exploit.Shadowbrokers::5A5226262.auto.talos

Typical Filename: 1 Total New Invoices-Monday December 14 2020.xlsm
Claimed Product: N/A
Detection Name: W32.2C36CB4E17-90.SBX.TG

Typical Filename: SAService.exe
Claimed Product: SAService
Detection Name: PUA.Win.Dropper.Segurazo::95.sbx.tg

Typical Filename: Click HERE to start the File Launcher by WebNavigator Installer_ryymehv3_.exe
Claimed Product: WebNavigator Browser
Detection Name: W32.48C6324412-95.SBX.TG

Typical Filename: webnavigatorbrowser.exe
Claimed Product: WebNavigator Browser
Keep up with all things Talos by following us on Twitter. Snort, ClamAV and Immunet also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.