Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers.

We have an update on LodaRAT, a trojan we’ve been following for years. This threat has a new version targeting Android devices, looking to infect devices, steal users’ credentials and monitor things like their phone calls and messages.

Patch Tuesday was also this week, which was relatively quiet in terms of the volume of vulnerabilities. We have our full Microsoft blog post as usual, and also a Snort rule update to keep users protected.

Upcoming public engagements with Talos

Title: Cisco Live 2021

Date: March 30 – April 1

Speakers: Nick Biasini, more TBA

Overview: Join us for the annual Cisco Live conference, this year taking place across the globe at the same time virtually for the first time. Cisco Live is your destination for year-round technical education and training. There will be many on-demand sessions to choose from throughout the conference. Nick Biasini of Talos Outreach will provide a broad overview of the past year’s threats and trends we’ve been seeing, with a specific focus on dual-use tools and supply chain attacks. Additional sessions will be announced in the coming weeks.

Cybersecurity week in review

  • An adversary tried to poison the water supply of a small town in Florida through a cyber attack. Government representatives say they watched a remote attacker breach their systems and try to increase the amount of lye in the water, which could have been deadly.
  • Google removed a popular extension from the Chrome browser after it was discovered injecting malicious code. The original creator of the open-source project recently sold the code to an unknown group.
  • Minneapolis police used a Google geofence warrant to track protestors after George Floyd’s death at the hands of an officer. The sweep led to many innocent bystanders being included in the wave of arrests.
  • Adversaries posted thousands of patients’ medical forms online after a ransomware attack on 11 American hospitals. The information included patients’ names, addresses, birthdays, medical diagnoses and letters to insurers.
  • Polish video game developer CD Projekt Red was the victim of a ransomware attack this week. The attackers behind it are warning they will post the source code of three of the studio’s games including the recently released “Cyberpunk 2077.”
  • A United Nations panel says North Korean state-sponsored actors are still relying on cyber attacks to fund the country’s nuclear weapons program. The threat actors commonly target financial institutions and virtual currency exchange houses.
  • Microsoft warns that defenders should still be on the lookout for Emotet, despite a recent takedown. It is currently unclear if the infamous botnet will return after a major international law enforcement campaign to shut it down.
  • The U.S. Election Assistance Commission adopted new standards for the first time in 16 years. Electronic voting machines must now undergo basic cybersecurity testing, and the standards take several steps toward paper ballots.
  • Popular messaging app Signal released a workaround for a recent ban in Iran. Users can now use a TLS proxy to bypass the network block.

Notable recent security issues

Title: Microsoft discloses fewest vulnerabilities in a month since Jan. 2020

Description: Microsoft released its monthly security update Tuesday, disclosing 56 vulnerabilities across its suite of products. This is the smallest number of vulnerabilities Microsoft has disclosed in a month since January 2020. Only 11 of the vulnerabilities in this release are rated critical, three are rated moderate severity, and the remainder are considered “important.” Users of all Microsoft and Windows products are urged to update their software as soon as possible to avoid possible exploitation of these bugs. The security updates cover several different products and services, including the Microsoft Office suite of products, the Windows DNS server and the SharePoint file-sharing service.

Snort SIDs: 57103, 57104, 57106 - 57108, 57123, 57128

Title: Cisco VPN routers open to remote attacks

Description: Cisco disclosed multiple vulnerabilities in some of its RV series routers designed for use as small business VPNs. An adversary could exploit any of these flaws to view or manipulate data on the targeted device and perform other unauthorized actions. These routers have a VPN function built into them and are purpose-built for small and medium-sized businesses or as a way for users to access their office’s network remotely. The vulnerabilities exist in the way the routers validate HTTP requests in their web-based management interface. An attacker could exploit these vulnerabilities by sending a specially crafted HTTP request to the targeted device and then gain the ability to execute arbitrary code as the root user.

Snort SIDs: 57065, 57068 - 57070, 57072 - 57095

Most prevalent malware files this week

SHA 256: 85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5

MD5: 8c80dd97c37525927c1e549cb59bcbf3

Typical Filename: svchost.exe

Claimed Product: N/A

Detection Name:

SHA 256: 8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9

MD5: 34560233e751b7e95f155b6f61e7419a

Typical Filename: santivirusservice.exe

Claimed Product: A n t i v i r u s S e r v i c e

Detection Name: PUA.Win.Dropper.Segurazo::tpd

SHA 256: c1d5a585fce188423d31df3ea806272f3daa5eb989e18e9ecf3d94b97b965f8e

MD5: 9a4b7b0849a274f6f7ac13c7577daad8

Typical Filename: ww31.exe

Claimed Product: N/A

Detection Name: W32.GenericKD:Attribute.24ch.1201

SHA 256: 4647f1a0850a961e341a863194e921c102578a9c4ef898fa5e4b54d9fb65e57b

MD5: f37167c1e62e78b0a222b8cc18c20ba7

Typical Filename: flashhelperservice.exe

Claimed Product: Flash Helper Service

Detection Name: W32.4647F1A085.in12.Talos

SHA 256: 1a8a17b615799f504d1e801b7b7f15476ee94d242affc103a4359c4eb5d9ad7f

MD5: 88781be104a4dcb13846189a2b1ea055

Typical Filename: ActivityElement.dp

Claimed Product: N/A

Detection Name: Win.Trojan.Generic::sso.talos

Keep up with all things Talos by following us on Twitter. Snort, ClamAV and Immunet also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.