Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers.

We’ve been writing and talking about election security a ton lately. And as the U.S. presidential election draws closer, we decided it was time to summarize some things. So, we released this blog post with our formal recommendations for voters and how they can avoid disinformation and other bad actors trying to influence the election.

Our researchers are also following the development of the PoetRAT malware. This remote access trojan is still targeting public and private entities in Azerbaijan, and we’ve seen the actor behind the threat make several tweaks over time to make it more agile and difficult to detect.

If vulnerability research is more your thing, we also have a deep dive into our work discovering bugs in Microsoft Azure Sphere as part of a challenge from Microsoft. In all, we disclosed 16 vulnerabilities. Here’s what you need to know about them and how to stay protected.


Event: Bug hunting in cloud-connected ICS devices: Getting root from the cloud

Location: CS3STHLM Virtual

Date: Oct. 22

Speakers: Kelly Leaschner

Synopsis: As more devices are becoming cloud-connected, it is important to understand how this attack surface is different from traditional, socket-based server applications. There is no open port listening with a cloud-connected application, so there is additional work required in order to just get the application to accept attacker-controlled data. This talk will walk through the initial steps necessary to begin vulnerability research on this application. Cloud-based control of physical devices has some security benefits compared to traditional socket programming but, at the end of the day, there is an opportunity for bugs and vulnerabilities in the software responsible for handling cloud messages. This talk will describe changes in research methodology that are necessary for performing vulnerability research on a cloud-connected application. Kelly will also walk through some vulnerabilities she’s discovered — live — by impersonating the industrial vendor cloud application, resulting in root privileges.

Event: A double-edged sword: The threat of dual-use tools
Location: SecureWV virtual
Date: Nov. 6 - 7
Speakers: Edmund Brumaghin
Synopsis: It's difficult to read any information security news lately without hearing about large corporations being extorted by cyber criminals. In today's threat landscape, enterprises increasingly rely on red teams to identify risks and mitigate vulnerabilities in their infrastructure, so much so that an entire industry exists around tools to help facilitate this effectively and efficiently as possible.

Dual-use tools are developed to assist administrators in managing their systems or assist during security testing or red-teaming activities. Unfortunately, many of these same tools are often co-opted by threat actors attempting to compromise systems, attack organizational networks, or otherwise adversely affect companies around the world. This webinar will discuss the topic of dual-use tools and how they have historically been used in various attacks. It will also provide case studies that walk through how native system functionality and dual-use tools are often used in real-world attacks to evade detection at various stages of the attack lifecycle. Finally, we will discuss ways that organizations can defend against malicious abuse of otherwise legitimate technologies and toolsets.

Cyber Security Week in Review

  • Two North American health care payment processors were infected with card-skimming malware in two separate attacks in May and June. Credit card company Visa disclosed the attacks at two of their clients, reporting that an attacker used three different malware strains in one of the infections.
  • Facebook shut down numerous hijacked accounts a threat group was using to put fake ads. The advertisements, some of which pointed to malicious sites, pushed fake designer handbags and diet pills.
  • GitHub released a new vulnerability-scanning tool to allow users to check for vulnerabilities in their code before uploading their products to the site. The tool transforms code into a queryable format and then identifies vulnerabilities and errors in code changes to the developer.
  • Several Russian disinformation actors have reportedly shifted their sights to popular far-right American sites. The groups post misleading or false information about Democratic lawmakers, with the goal of deepening the political divide in the U.S.
  • The U.S. Treasury Department says ransomware victims who pay extortion payments in exchange for the return of their data could be punished. American officials say the exchange of funds with some international actors could violate sanctions.
  • Some clinical trials of a potential COVID-19 vaccine were interrupted by cyber attacks, according to a new report. No patients were affected, but the researchers had to switch to tracking the patients via pen-and-paper methods.
  • Popular dating app Grindr recently fixed a vulnerability that could have allowed anyone to hijack other users’ accounts. The app leaked password reset tokens in the browser, meaning anyone could reset another user’s password if they knew their email address.
  • Universal Health Services says it fully recovered all its data after a ransomware attack last week. The hospital chain said electronic health care records were not affected, and it successfully reestablished connections with those systems.
  • Facebook deleted a post from the American president relaying false information about COVID-19 and the flu, which could set them up from removing high-profile disinformation in the future. However, the social media giant has yet to say who authorized the removal of the post and under what rules they did so.

Notable recent security issues

Title: Attackers using Zerologon vulnerability at higher rate

Description: Cisco Talos researchers report seeing a spike in exploitation attempts against the Microsoft vulnerability CVE-2020-1472, an elevation of privilege bug in Netlogon, outlined in the August Microsoft Patch Tuesday report. The vulnerability stems from a flaw in a cryptographic authentication scheme used by the Netlogon Remote Protocol which — among other things — can be used to update computer passwords by forging an authentication token for specific Netlogon functionality. This flaw allows attackers to impersonate any computer, including the domain controller itself and gain access to domain admin credentials.

Snort SIDs: 55703, 55704

Title: Cisco warns of vulnerabilities in IOS operating system

Description: Cisco patched several vulnerabilities — many of them considered severe — in its IOS operating system. The updates address denial-of-service, file overwrite and input validation attacks that affect many of Cisco’s products. Two of the vulnerabilities — CVE-2020-3421 and CVE-2020-3480 — exist in Cisco’s Zone-Based Firewall. An attacker could exploit these bugs to cause the affected device to reload or make it stop forwarding traffic through the firewall.

Snort SIDs: 55815 – 55819, 55830 - 55832

Most prevalent malware files this week

SHA 256: 85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5

MD5: 8c80dd97c37525927c1e549cb59bcbf3

Typical Filename: Eter.exe

Claimed Product: N/A

Detection Name:

SHA 256: be29d4902d72abbc293376b42005d954807b3e6794b13fe628faff9bc94f6063

MD5: 29f47c2f15d6421bdd813be27a2e3b25

Typical Filename: FlashHelperServices.exe

Claimed Product: N/A

Detection Name: Flash Helper Service

SHA 256: 1eef72aa566ba6c76b33f9d430d7233e358392382bfb3db81ca4f28d74f415a5

MD5: 01a607b4d69c549629e6f0dfd3983956

Typical Filename: wupxarch.exe

Claimed Product: N/A

Detection Name: W32.Auto:1eef72aa56.in03.Talos

SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f

MD5: e2ea315d9a83e7577053f52c974f6a5a

Typical Filename: Tempmf582901854.exe

Claimed Product: N/A

Detection Name: Win.Dropper.Agentwdcr::1201

SHA 256: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b

MD5: 799b30f47060ca05d80ece53866e01cc

Typical Filename: mf2016341595.exe

Claimed Product: N/A

Detection Name: Win.Downloader.Generic::1201

Keep up with all things Talos by following us on Twitter. Snort, ClamAV and Immunet also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.