Good afternoon, Talos readers.
If you haven’t already, we highly recommend you read our in-depth research paper on election security. This paper represents four years of hands-on research, interviews and insight into how things have changed since 2016, and what hurdles remain to secure American elections.
This is just the first release in a series of papers, blog posts and more that we’ll be releasing in the leadup to the November general election. Stay tuned for more.
Microsoft dominated the headlines otherwise this week, disclosing a critical vulnerability in DNS for Windows servers. We also had a hand in discovering six critical vulnerabilities in the Hyper-V engine. Check out our blog post for the full breakdown and Snort rules.
Upcoming public engagements
Event: "High-speed fingerprint cloning: Myth or reality?” at BSides Portugal
Location: Streaming online
Date: July 23
Speakers: Paul Rascagneres and Vitor Ventura
Synopsis: Users often rely on devices’ fingerprint scanners to unlock their devices, including smartphones, laptops and tablets. But how safe are these features, really? Talos researchers set out to see if they could trick this technology into accepting artificially replicated fingerprints — an attack method that adversaries would not shy away from using. In this talk, Paul and Vitor will cover their findings in this experiment.
Cyber Security Week in Review
- Officials from the U.S., U.K. and Canada jointly blamed a Russian state-sponsored actor for allegedly trying to steal information related to the development of COVID-19 vaccines. APT29 is accused of targeting academic institutions and medical research organizations in cyber attacks.
- Several high-profile Twitter accounts belonging to major American figures such as Elon Musk, Joe Biden and Bill Gates were hacked this week and used to promote a Bitcoin scan. This led Twitter to temporarily prevent all verified accounts from posting updates.
- After the fact, Twitter stated it believed the hacks were part of a “coordinated social engineering attack.” The company added that it believes adversaries targeted Twitter employees who had access to internal tools.
- A 17-year-old vulnerability in Windows DNS headlined this month’s Microsoft Patch Tuesday. Microsoft and security researchers jointly warned users on Tuesday to update immediately, as the bug could be used to quickly spread malware.
- The U.K. ordered Chinese company Huawei to remove its technology from the country’s 5G network. This was a major reversal for British Prime Minister Boris Johnson, who previously greenlit the company’s involvement.
- The CIA recently received broader powers to carry out cyber espionage campaigns, according to a new report. These new powers give the agency the ability to carry out its own cyber operations without first needing approval from the White House.
- The U.S. is looking into restrictions or a ban on the popular social media app TikTok. One White House official even said a new set of rules could come within weeks, citing security concerns of the app, which is developed by a Chinese company.
- A new Android malware known as “BlackRock” can infect devices and steal login information and credit card data from 337 other apps. Security researchers say the malware is based off the leaked source code for the Xerxes malware.
- The latest update to iOS and iPadOS allows users to use a virtual car keyto open some BMW cars. Apple says the feature will eventually work with more car manufacturers.
Notable recent security issues
Title: Patch Tuesday highlighted by DNS bug, critical vulns affecting Intel and AMD
Description: Microsoft released its monthly security update Tuesday, disclosing more than 120 vulnerabilities across its array of products. While only a few vulnerabilities are considered critical, users of all Microsoft and Windows products are urged to update their software as soon as possible to avoid possible exploitation. The security updates cover several different products including the Hyper-V engine, Microsoft Word and the rest of the Microsoft Office suite of products. Six of the critical vulnerabilities that Microsoft fixed this month could allow an adversary to execute remote code by exploiting the RemoteFX feature in the Windows Hyper-V engine. These bugs affect some Intel and AMD drivers.
Snort SIDs: 54509 - 54511, 54516 - 54518, 54521 - 54525, 54534, 54535
Title: NetSupport RAT among biggest threats to government agencies
Description: The U.S. Department of Homeland Security recently released a report outlining the three most popular malware families its intrusion prevention system detects. The NetSupport remote access tool leads the group, followed by the Kovter trojan and the XMRig cryptocurrency miner. The NetSupport Manager RAT leverages legitimate administration software to infect victim machines and then remotely take control of them.
Snort SIDs: 54496
Most prevalent malware files this week
Keep up with all things Talos by following us on Twitter. Snort, ClamAV and Immunet also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.