Newsletter compiled by Jon Munshaw.
Good afternoon, Talos readers.
Adversaries love to use headlines as part of their spam campaigns. From COVID-19, to Black Lives Matter and even Black Friday every year, the bad guys are wanting to capitalize on current events. Why is this the case, and when do they decide to jump on headlines?
In our latest blog post, we look at this technique and examine the advantages and disadvantages of trying to leverage the biggest news.
Cyber Security Week in Review
- Garmin services are back online after a ransomware attack on the GPS company’s cloud platform. Most users follow Garmin for their exercise trackers and navigation, but perhaps more seriously, the company’s flight-tracking service that amateur pilots use also went dark.
- Security researchers are blaming the Evil Corp APT for the attack. The group is known for using the WastedLocker ransomware and Dridex credential-stealer.
- Cosmetics giant Avon left one of their Microsoft Azure servers open to the internet without encryption or a password. Security researchers say an adversary could have accessed the server and obtained OAuth other security tokens.
- Many consumers assume that the adoption of chip readers on credit cards make their transactions more secure. But the reality is the security measures in place vary between banks.
- North Korean state-sponsored attackers are reportedly targeting American defense and aerospace agencies and private companies. Some of the infection vectors are classic phishing emails that claim to include job offers to potential victims.
- Zoom recently disclosed a vulnerability discovered and fixed in April that could allow attackers to join anyone’s meetings by brute-forcing their passwords. The video conferencing platform has skyrocketed in popularity during the COVID-19 pandemic and has become a popular target for malicious actors.
- The FBI issued a warning to U.S. and international government agencies about a recent spike in NetWalker ransomware attacks. Victims are urged to not pay any ransom payments and report infections to the FBI immediately.
- A hacker infiltrated the Emotet botnet recently and replaced its malicious payload with humorous GIFs. Emotet is known to spread a large amount of the world’s spam emails.
Notable recent security issues
Title: New botnet supports cryptocurrency mining for Monero
Description: Cisco Talos recently discovered a complex campaign employing a multi-modular botnet with multiple ways to spread and a payload focused on providing financial benefits for the attacker by mining the Monero online currency. Prometei employs various methods to spread across the network, like SMB with stolen credentials, psexec, WMI and SMB exploits. The adversary also uses several crafted tools that helps the botnet increase the amount of systems participating in its Monero-mining pool. Apart from a large focus on spreading across the environment, Prometei also tries to recover administrator passwords. The discovered passwords are sent to the C2 and then reused by other modules that attempt to verify the validity of the passwords on other systems using SMB and RDP protocols.
Snort SIDs: 54610 - 54612
Title: Attackers exploit high-severity vulnerability in Cisco Adaptive Security Appliance
Description: Cisco warned users that attackers are actively exploiting a vulnerability in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct directory traversal attacks and read sensitive files on a targeted system. The vulnerability exists in the software due to improper input validation for URLs in HTTP requests. An adversary could use this exploit to carry out directory traversal attacks.
Snort SIDs: 54598 - 54601
Most prevalent malware files this week
Keep up with all things Talos by following us on Twitter. Snort, ClamAV and Immunet also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.