Newsletter compiled by Jon Munshaw.
Good afternoon, Talos readers.
We spend a lot of time talking about what you should do to keep your data safe, and how other organizations should be prepared for the worst. But what happens if the worst happens to you?
In the latest Beers with Talos episode, we walk you through what to do if you’re the one who gets owned — even if it’s not your fault at all.
We also have the details out on several vulnerabilities in Microsoft Azure Sphere. Our researchers will even receive an award later this year for their work on these. We also have a new Threat Roundup to give you insight into the IOCs you should be on the lookout for.
Cyber Security Week in Review
- Police arrested a 17-year-old in connection with the massive Twitter hack last month. The breach saw many high-profile accounts taken over and used to promote a bitcoin scam, including those belonging to Barack Obama and Elon Musk.
- When the man was set to appear in court, hackers interrupted the virtual hearing over Zoom. The local court publicly released information on the meeting ahead of time, essentially allowing anyone to join the hearing. One user sent a pornographic clip that led to the end of the hearing.
- Researchers discovered a vulnerability in the PC booting process that could allow malware to remain on a victim machine even after a safe boot. Billions of devices could be affected, which means it would take years to fix or phase out.
- The European Union used its powers to sanction nation-states over cyber attacks for the first time. Individuals connected to Russia, China and North Korea all received punishments this week, some connected to the infamous NotPetya attack in 2017.
- Security analysts found several vulnerabilities and security flaws in automation technology used in the manufacturing industry. The programming environments manage the robotics used to speed up production.
- The U.S. is offering bounties of up to $10 million to anyone who provides information on state-sponsored actors that interfere in the 2020 general election. The State Department said it is looking for "any person who works with or for a foreign government for the purpose of interfering with US elections through certain illegal cyber activities."
- Cisco disclosed multiple high-severity vulnerabilities in its AnyConnect VPN client and DNA Center software. There are also potential exploits in small business switches that could allow an adversary to carry out a denial-of-service attack.
- The National Security Agency released a new warning to its employees that they should turn off find-my-phone, Bluetooth and WiFi whenever possible on their mobile devices. The advisory also asks employees to use a VPN to obscure their location.
- TikTok’s status in the U.S. is still in limbo as President Donald Trump, Microsoft and the Chinese government continue a back-and-forth over the future of the social media app. Reports suggest Microsoft could buy TikTok’s
Notable recent security issues
Description: The WastedLocker ransomware is now using the Windows memory management feature to evade detection. This malware has made headlines recently for its expanded use and has even potentially been linked to a recent cyber attack on GPS service provider Garmin. WastedLocker can now disguise its actions and bypass any ransomware protections that are already deployed on a victim machine.
Snort SIDs: 54685 - 54692
Description: Cisco Talos researchers recently discovered seven vulnerabilities in Microsoft’s Azure Sphere, a cloud-connected SoC platform designed specifically with IoT application security in mind. The infrastructure around the Azure Sphere platform is Microsoft’s Azure Sphere cloud, which takes care of secure updates, app deployment, and periodically verifying the device integrity. Internally, the SoC is made up of several ARM cores that have different roles. The researchers discovered two chainable vulnerabilities within Azure Sphere that, assuming an attacker could flash a malicious application, would allow arbitrary writes anywhere in the /mnt/config partition, resulting in further privilege escalation.
Snort SIDs: 54501 - 53504
Most prevalent malware files this week
Typical Filename: SAntivirusService.exe
Claimed Product: SAService
Detection Name: Win.Dropper.Segurazo::tpd
Typical Filename: mf2016341595.exe
Claimed Product: N/A
Detection Name: Win.Downloader.Generic::1201
Keep up with all things Talos by following us on Twitter. Snort, ClamAV and Immunet also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.