Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers.

In the past, we’ve covered what disinformation (otherwise known as “fake news”) is and who spreads it. Now, we’re diving into why it works, and why it’s so easy for people to spread. Check out our full paper here to gain a lot of insight into the psychology of social media.

On the malware front, we also have an update on LodaRAT. We've seen several new variants of this threat in the wild. Here’s what to look out for and how to protect your network.


Event: A double-edged sword: The threat of dual-use tools
Location: Cisco Webex webinar
Date: Oct. 8 at 11 a.m. ET
Speakers: Edmund Brumaghin
Synopsis: It's difficult to read any information security news lately without hearing about large corporations being extorted by cyber criminals. In today's threat landscape, enterprises increasingly rely on red teams to identify risks and mitigate vulnerabilities in their infrastructure, so much so that an entire industry exists around tools that help them do this as effectively and efficiently as possible.

Dual-use tools are developed to assist administrators in managing their systems or assist during security testing or red-teaming activities. Unfortunately, many of these same tools are often co-opted by threat actors attempting to compromise systems, attack organizational networks, or otherwise adversely affect companies around the world. This webinar will discuss the topic of dual-use tools and how they have historically been used in various attacks. It will also provide case studies that walk through how native system functionality and dual-use tools are often used in real-world attacks to evade detection at various stages of the attack lifecycle. Finally, we will discuss ways that organizations can defend against malicious abuse of otherwise legitimate technologies and toolsets.

Event: Bug hunting in cloud-connected ICS devices: Getting root from the cloud

Location: CS3STHLM Virtual

Date: Oct. 22

Speakers: Kelly Leaschner

Synopsis: As more devices are becoming cloud-connected, it is important to understand how this attack surface is different from traditional, socket-based server applications. There is no open port listening with a cloud-connected application, so there is additional work required in order to just get the application to accept attacker-controlled data. This talk will walk through the initial steps necessary to begin vulnerability research on this application. Cloud-based control of physical devices has some security benefits compared to traditional socket programming but, at the end of the day, there is an opportunity for bugs and vulnerabilities in the software responsible for handling cloud messages. This talk will describe changes in research methodology that are necessary for performing vulnerability research on a cloud-connected application. Kelly will also walk through some vulnerabilities she’s discovered — live — by impersonating the industrial vendor cloud application, resulting in root privileges.

Cyber Security Week in Review

  • A major general in the U.K. confirmed that England has serious cyber warfare capabilities. The head of the U.K.’s strategic command said the country has the cyber weapons to “degrade, disrupt and destroy” critical infrastructure should it ever be needed in war.
  • Google removed 17 apps from its Play store that were spreading the Joker (aka Bread) malware. Once installed on the device, the malware steals the user’s information and enrolls them, without their knowledge, in wireless services that come with a monthly charge.
  • A major American hospital chain had its services interrupted this week by a suspected cyber attack. Universal Health Services had to switch to paper backups, though it said no patient or employee data was accessed.
  • Twitter banned more than 130 accounts it says are linked to Iranian state-sponsored actors hoping to disrupt the U.S. presidential election. The FBI reportedly first flagged the accounts.
  • Signs point to the infamous APT28 being behind an intrusion on an unnamed U.S. federal agency. The Cybersecurity and Infrastructure Security Agency released an alert last week regarding the attack, but did not identify the agency affected nor the perpetrators.
  • A new report from Microsoft details how attackers’ tactics are maturing. The company highlighted Russian state-sponsored actors as a particular hotspot of activity and stated that attacks increased as more individuals started working from home during the COVID-19 pandemic.
  • Cisco purchased container management company PortShift to grow its DevOps security platform. The Israeli startup is known for creating a Kubernetes-native security platform.
  • U.S. authorities charged two individuals for hacking social media accounts belonging to several NFL and NBA athletes. The hacks led to the victims’ nude photos being leaked onto their accounts.
  • American security officials say distributed denial-of-service attacks are not a threat to November’s election. The FBI and CISA released a joint statement saying that such attacks could slow down access to public-facing websites that post election results but would not affect actual voting.

Notable recent security issues

Title: Attackers using Zerologon vulnerability at higher rate

Description: Cisco Talos researchers report seeing a spike in exploitation attempts against the Microsoft vulnerability CVE-2020-1472, an elevation of privilege bug in Netlogon, outlined in the August Microsoft Patch Tuesday report. The vulnerability stems from a flaw in a cryptographic authentication scheme used by the Netlogon Remote Protocol which — among other things — can be used to update computer passwords by forging an authentication token for specific Netlogon functionality. This flaw allows attackers to impersonate any computer, including the domain controller itself, and gain access to domain admin credentials.

Snort SIDs: 55703, 55704

Title: Cisco warns of vulnerabilities in IOS operating system

Description: Cisco patched several vulnerabilities — many of them considered severe — in its IOS operating system. The updates address denial-of-service, file overwrite and input validation attacks that affect many of Cisco’s products. Two of the vulnerabilities — CVE-2020-3421 and CVE-2020-3480 — exist in Cisco’s Zone-Based Firewall. An attacker could exploit these bugs to cause the affected device to reload or make it stop forwarding traffic through the firewall.

Snort SIDs: 55815 - 55819, 55830 - 55832

Most prevalent malware files this week


Keep up with all things Talos by following us on Twitter. Snort, ClamAV and Immunet also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.