Newsletter compiled by Jon Munshaw.
Good afternoon, Talos readers.
While ransomware has made all the headlines this year, that doesn’t mean cryptocurrency miners are going anywhere. We recently discovered a new actor we’re calling “Xanthe” that’s mining Monero on targets’ machines. The main payload, in this case, is a variant of the XMRig Monero-mining program that is protected with a shared object developed to hide the presence of the miner's process from various tools for process enumeration.
We’ll also have a string of Beers with Talos episodes to round out the year (hopefully one new one a week). This week, the guys discuss QR codes and whether we should still care about them, and how they could potentially aid in the robots’ uprising against Craig.
Cyber security week in review
- The FBI released a warning this week that attackers are taking advantage of email forwarding rules to skirt by email sensors and send spam emails. Adversaries hope by inserting themselves in legitimate email threads, they’re more likely to be successful.
- Home Depot settled with more than 40 states over a 2014 data breach. The company will pay out $17.5 million and agreed to implement several new security measures.
- The Aspen Cybersecurity Group released a report outlining several key areas in which the incoming Biden administration can improve the U.S.’ cyber security posture. The report recommends specific actions President-elect Joe Biden could take along with Congress.
- The Supreme Court is hearing arguments in a case that could change the U.S.’ broadest anti-hacking law. Some cyber security researchers say the law could be used to punish them for conducting basic internet research.
- State-sponsored actors from North Korea have targeted at least six pharmaceutical companies across the globe this year. A new report indicates that organizations in the U.S., the U.K. and South Korea working on COVID-19 vaccines have been the targets of cyber attacks recently.
- Adversaries have also started to target companies in charge of distributing future COVID-19 vaccines. IBM’s cyber security division says it’s unclear whether the actors are motivated by stealing technology or disrupting delivery operations.
- Schools in Baltimore County, Maryland shut down remote learning for several days after a ransomware attack. Government officials there said no school-issued laptops to students were affected.
- A Google security researcher recently discovered a major exploit that could take over iPhones by sending a massive Wi-Fi packet. The exploit, which Apple has patched, could also quickly spread to other nearby devices.
- A new campaign utilizes phony Google Drive links to attempt to get users to open malicious web pages. Attackers have found a way to generate the messages in a way that they appear to be directly from Google.
Notable recent security issues
Description: Cisco Talos recently discovered a cryptocurrency-mining botnet attack we're calling "Xanthe," which attempted to compromise one of Cisco's security honeypots for tracking Docker-related threats. The infection starts with the downloader module, which downloads the main installer module, which is also tasked with spreading to other systems on the local and remote networks. The main module attempts to spread to other known hosts by stealing the client-side certificates and connecting to them without the requirement for a password. Two additional bash scripts terminate security services, removing competitor's botnets and ensuring persistence by creating scheduled cron jobs and modifying one of the system startup scripts. The main payload is a variant of the XMRig Monero mining program that is protected with a shared object developed to hide the presence of the miner's process from various tools for process enumeration.
ClamAV: Unix.Coinminer.Xanthe-9791859-0, Unix.Coinminer.Xanthe-9791860-0, Unix.Coinminer.Xanthe-9791861-0
Description: The WebKit browser engine contains multiple vulnerabilities in various functions of the software. A malicious web page code could trigger multiple use-after-free errors, which could lead to remote and arbitrary code execution. An attacker could exploit these vulnerabilities by tricking the user into visiting a specially crafted, malicious web page on a browser utilizing WebKit. WebKit is utilized mainly in Apple’s Safari web browser, but is also utilized by some PlayStation consoles and all iOS web browsers.
Snort SIDs: 55844, 55845, 56126, 56127, 56379 - 56382
Most prevalent malware files this week
Typical Filename: vid001.exe
Claimed Product: N/A
Detection Name: Win.Worm.Coinminer::1201
Typical Filename: dfsvc.exe
Claimed Product: N/A
Detection Name: Auto.586D6B.232349.in02
Typical Filename: FlashHelperService.exe
Claimed Product: Flash Helper Service
Detection Name: W32.Variant.23mj.1201
Typical Filename: SAntivirusService.exe
Claimed Product: A n t i v i r u s S e r v i c e
Detection Name: PUA.Win.Dropper.Segurazo::tpd
Typical Filename: Eternalblue-2.2.0.exe
Claimed Product: N/A
Detection Name: Win.Exploit.Shadowbrokers::5A5226262.auto.talos
Keep up with all things Talos by following us on Twitter. Snort, ClamAV and Immunet also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.