Good afternoon, Talos readers.
While ransomware attacks continue to hog all the headlines, cryptocurrency miners are still running the background, sapping computing power from unsuspecting victims. We have what we believe is the first documentation of a new botnet we're calling "Prometei" that mines for Monero. Here's why you need to be on the lookout for this botnet and why it could be a sign of worse things to come if you're infected.
If you didn't get enough election security news last week with our research paper, the guys on Beers With Talos dug even deeper into the topic in the latest episode.
Cyber Security Week in Review
- More information continues to come out regarding the massive Twitter hack last week that led to several high-profile accounts being taken over and sending out information on a Bitcoin scam. A new report from the New York Times found that the group behind the hack is a group of younger people who don’t have any ties to state-sponsored actors.
- Adding another layer onto the intrusion, Twitter now says that the hackers accessed the private direct messages belonging to 36 of the accounts that were breached. This raises the possibility that the victims could be extorted in the future.
- This incident highlights that humans can sometimes be an organization's largest security weakness. Some employees have enough personal information out on social media accounts that adversaries can leverage to carry out social engineering attacks, while others may not be properly trained to spot phishing emails.
- Israel says it fended off another cyber attack against its public water system. The intrusions in June came after a different attack on Israeli infrastructure in April that the country blamed on Iranian state-sponsored actors.
- A new report from the British government states that the country did not do enough to fend off foreign interference in its elections. The U.K.'s Intelligence and Security Committee added that Russian actors are the country's greatest threats, and says Britain is "playing catch-up."
- The Trump administration continues to mull over whether to ban the popular social media app TikTok. While the American government is locked in a battle with Chinese tech companies across the board, security experts say the issues surrounding TikTok are not so black and white.
- New York state announced plans to formally charge mortgage title insurance company First American Financial Corp. for a massive data leak last year. The penalties are set to be the first of their type under new regulations in the state.
- A new Android malware that appears to be a spinoff of LokiBot aims to steal users' information off their devices in the background. The BlackRock trojan is going after some of the most popular apps in the world, too, including Netflix and Tinder.
Notable recent security issues
Title: SAP systems vulnerability could allow adversaries to create new user accounts, execute code
Description: The U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) released a warning last week urging SAP admins to update their systems as soon as possible to fix a critical vulnerability. CVE-2020-6287 affects the SAP NetWeaver Application Server's Java component LM Configuration Wizard. An attacker could exploit this bug to obtain unrestricted access to SAP systems, allowing them to create their own user accounts and executing arbitrary system commands.
Snort SIDs: 54571 - 54574
Title: Cisco discloses 33 vulnerabilities in small business routers, firewalls
Description: Cisco disclosed 33 vulnerabilities in their RV series of routers and firewalls earlier this month. The products mainly service small business environments. One of the bugs, CVE-2020-3330, could allow an adversary to completely take over a device if the user hadn’t reset the default admin credentials that came pre-installed on the device. There is also a critical privilege escalation vulnerability in Prime License Manager.
References: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-rv110w-static-cred-BMTWBWTy
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-rv-rce-AQKREqp
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-code-exec-wH3BNFb
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cisco-prime-priv-esc-HyhwdzBA
Snort SIDs: 54538 - 54567
Most prevalent malware files this week
Keep up with all things Talos by following us on Twitter. Snort, ClamAV and Immunet also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.