Newsletter compiled by Jon Munshaw.
Good afternoon, Talos readers.
We have an update on LodaRAT, a trojan we’ve been following for years. This threat has a new version targeting Android devices, looking to infect them, steal users’ credentials and monitor things like their phone calls and messages.
Patch Tuesday was also this week, which was relatively quiet in terms of the volume of vulnerabilities. We have our full Microsoft blog post as usual, and also a Snort rule update to keep users protected.
Upcoming public engagements with Talos
Title: Cisco Live 2021
Date: March 30 – April 1
Speakers: Nick Biasini, more TBA
Overview: Join us for the annual Cisco Live conference, this year taking place across the globe at the same time virtually for the first time. Cisco Live is your destination for year-round technical education and training. There will be many on-demand sessions to choose from throughout the conference. Nick Biasini of Talos Outreach will provide a broad overview of the past year’s threats and trends we’ve been seeing, with a specific focus on dual-use tools and supply chain attacks. Additional sessions will be announced in the coming weeks.
Cybersecurity week in review
- An adversary tried to poison the water supply of a small town in Florida through a cyber attack. Government representatives say they watched a remote attacker breach their systems and try to increase the amount of lye in the water, which could have been deadly.
- Google removed a popular extension from the Chrome browser after it was discovered injecting malicious code. The original creator of the open-source project recently sold the code to an unknown group.
- Minneapolis police used a Google geofence warrant to track protestors after George Floyd’s death at the hands of an officer. The sweep led to many innocent bystanders being included in the wave of arrests.
- Adversaries posted thousands of patients’ medical forms online after a ransomware attack on 11 American hospitals. The information included patients’ names, addresses, birthdays, medical diagnoses and letters to insurers.
- Polish video game developer CD Projekt Red was the victim of a ransomware attack this week. The attackers behind it are warning they will post the source code of three of the studio’s games, including the recently released “Cyberpunk 2077.”
- A United Nations panel says North Korean state-sponsored actors are still relying on cyber attacks to fund the country’s nuclear weapons program. The threat actors commonly target financial institutions and virtual currency exchange houses.
- Microsoft warns that defenders should still be on the lookout for Emotet, despite a recent takedown. It is currently unclear if the infamous botnet will return after a major international law enforcement campaign to shut it down.
- The U.S. Election Assistance Commission adopted new standards for the first time in 16 years. Electronic voting machines must now submit to basic cybersecurity testing, and the standards take several steps toward paper ballots.
- Popular messaging app Signal released a workaround for a recent ban in Iran. Users can now use a TLS proxy to bypass the network block.
Notable recent security issues
Title: Microsoft discloses fewest vulnerabilities in a month since Jan. 2020
Description: Microsoft released its monthly security update Tuesday, disclosing 56 vulnerabilities across its suite of products. This is the smallest number of vulnerabilities Microsoft has disclosed in a month since January 2020. Only 11 of the vulnerabilities in this release are rated critical, three are rated moderate, and the remainder are considered “important.” Users of all Microsoft and Windows products are urged to update their software as soon as possible to avoid possible exploitation of these bugs. The security updates cover several different products and services, including the Microsoft Office suite of products, the Windows DNS server and the SharePoint file-sharing service.
Snort SIDs: 57103, 57104, 57106-57108, 57123, 57128
Title: Cisco VPN routers open to remote attacks
Description: Cisco disclosed multiple vulnerabilities in some of its RV series routers designed for use as small business VPNs. An adversary could exploit any of these flaws to view or manipulate data on the targeted device and perform other unauthorized actions. These routers have a VPN function built into them and are purpose-built for small and medium-sized businesses or as a way for users to access their office’s network remotely. The vulnerabilities exist in the way the routers validate HTTP requests in their management interface. An attacker could exploit these vulnerabilities by sending a specially crafted HTTP request to the targeted device and then gain the ability to execute arbitrary code as the root user.
Snort SIDs: 57065, 57068-57070, 57072-57095
Most prevalent malware files this week
SHA 256: 85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5
Typical Filename: svchost.exe
Claimed Product: N/A
Detection Name: Win.Exploit.Shadowbrokers::5A5226262.auto.talos
SHA 256: 8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9
Typical Filename: santivirusservice.exe
Claimed Product: A n t i v i r u s S e r v i c e
Detection Name: PUA.Win.Dropper.Segurazo::tpd
SHA 256: c1d5a585fce188423d31df3ea806272f3daa5eb989e18e9ecf3d94b97b965f8e
Typical Filename: ww31.exe
Claimed Product: N/A
Detection Name: W32.GenericKD:Attribute.24ch.1201
SHA 256: 4647f1a0850a961e341a863194e921c102578a9c4ef898fa5e4b54d9fb65e57b
Typical Filename: flashhelperservice.exe
Claimed Product: Flash Helper Service
Detection Name: W32.4647F1A085.in12.Talos
SHA 256: 1a8a17b615799f504d1e801b7b7f15476ee94d242affc103a4359c4eb5d9ad7f
Typical Filename: ActivityElement.dp
Claimed Product: N/A
Detection Name: Win.Trojan.Generic::sso.talos
Keep up with all things Talos by following us on Twitter. Snort, ClamAV and Immunet also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.