Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers.

After months (years?) in beta, an official release candidate is out now for Snort 3. Stay tuned for an officially official release in about a month.

In other Snort news, we also have a deep dive into our detection and prevention of Cobalt Strike. One of our researchers, Nicholas Mavis, did an amazing job breaking down what goes into writing Snort rules and ClamAV signatures, for those of you who really want to nerd out.

We also have new research out on fraudulent sites that claim to complete students' homework for them. Cheating this way is easier for students now that many of them are learning from home, but these sites sometimes also come bundled with malware.


Event: Attribution: A puzzle  
Location: Virtual VirusBulletin conference 2020
Date: Sept. 30
Speakers: Paul Rascagneres and Vitor Ventura
Synopsis: The attribution of cyber attacks is hard. It requires collecting diverse intelligence, analyzing it and deciding who is responsible. Given this, it is interesting to examine the evidence available to us as a threat intelligence and security research group to support these conclusions. In this presentation, we will present our research in attributing WellMess. We will also describe additional elements linked to the attribution process such as false flags and code sharing by using additional use cases such as OlympicDestroyer and ACIDBox.

Event: A double-edged sword: The threat of dual-use tools
Location: Cisco Webex webinar
Date: Oct. 8 at 11 a.m. ET
Speakers: Edmund Brumaghin
Synopsis: It's difficult to read any information security news lately without hearing about large corporations being extorted by cyber criminals. In today's threat landscape, enterprises increasingly rely on red teams to identify risks and mitigate vulnerabilities in their infrastructure, so much so that an entire industry exists around tools to help facilitate this as effectively and efficiently as possible.

Dual-use tools are developed to assist administrators in managing their systems or assist during security testing or red-teaming activities. Unfortunately, many of these same tools are often co-opted by threat actors attempting to compromise systems, attack organizational networks, or otherwise adversely affect companies around the world. This webinar will discuss the topic of dual-use tools and how they have historically been used in various attacks. It will also provide case studies that walk through how native system functionality and dual-use tools are often used in real-world attacks to evade detection at various stages of the attack lifecycle. Finally, we will discuss ways that organizations can defend against malicious abuse of otherwise legitimate technologies and toolsets.

Cyber Security Week in Review

  • Apple’s iOS 14 is out now, and it may be one of the most secure mobile operating systems ever. New security features include more granular control over stored photos and notifications when an app is accessing users’ cameras and microphones.
  • Police in Germany launched a homicide investigation in what could be one of the first deaths ever related to a ransomware attack. A German woman died recently after the hospital she was being treated in suffered a cyber attack that brought some of its critical systems down.
  • American lawmakers are increasingly relying on big tech companies to keep them updated on election security. Increased briefings from companies like Facebook come as the Trump administration has limited its information-sharing with Congress.
  • Billions of internet-connected devices are vulnerable to a newly discovered attack called "BLESA." The flaw lies in how Bluetooth Low Energy devices handle reconnection and could allow an attacker to spoof a previously paired internet-of-things device.
  • Online video games were the targets of more than 10 billion cyber attacks over the past two years, according to a new report. The threats range from credential-stuffing to take over accounts, to distributed denial-of-service attacks to shut services down.
  • President Donald Trump's presidential re-election campaign recently paid $4 million to a data broker to obtain personal information on American voters. But it's impossible to know which apps or sites may be involved.
  • The curious case of TikTok is now in U.S. courts. A judge recently asked the Trump administration to postpone their deadline for removing TikTok from American app stores so he could rule on the case as TikTok looks to make a deal for its American operations.
  • While Iran has taken a toned-down approach to this year's presidential elections, it has still been active online. New intelligence suggests state-sponsored actors have been given the go-ahead to disrupt the election process in multiple ways.
  • Polish police say they've broken up a massive criminal cyber group responsible for fake bomb threats and the distribution of Android and Windows malware. Investigators said the group's main source of income was ransom payments made after the group sent bomb threats.

Notable recent security issues

Title: Exploit code for Microsoft Netlogon vulnerability goes public

Description: Security researchers and government agencies alerted users that exploit code for a critical vulnerability is circulating in the wild. Known as “Zerologon” (CVE-2020-1472), the vulnerability in the Netlogon Remote Protocol could allow an adversary with network access to a domain controller to run a specially crafted application and elevate privileges in the domain. Microsoft disclosed the bug back in August as part of its Patch Tuesday update, when it received the maximum CVSS score of 10.0. Microsoft is rolling out the fix in two phases; the second phase has not yet shipped, while proof-of-concept exploits have already started to surface on GitHub, so the August update should be treated as urgent rather than waiting for the second phase.

Snort SIDs: 55703, 55704

Title: Trickbot and Emotet team up for spam campaign

Description: After going quiet for a few months, the infamous Emotet botnet is back again with another surge. Security researchers found Emotet teaming up with Trickbot for a phishing campaign earlier this month. Attackers are using Microsoft Word lures that blur out what is supposed to be important text and tell the user they can only read it if they enable macros. If the user enables them, a malicious macro downloads the Trickbot loader, and the attacker can carry out further malicious actions from there.

Snort SIDs: 55787, 55788

Most prevalent malware files this week

SHA 256: 52c8cff981e5d541e4b2930a4a5e0b0a495d62c8237e91538d94c03a048dd51d

MD5: bd4b03e6127a34ecab890f6eb1546634
Typical Filename: wupxarch.exe

Claimed Product: N/A

Detection Name:

SHA 256: 85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5

MD5: 8c80dd97c37525927c1e549cb59bcbf3

Typical Filename: Eter.exe

Claimed Product: N/A

Detection Name:

SHA 256: 32155b070c7e1b9d6bdc021778c5129edfb9cf7e330b8f07bb140dedb5c9aae7

MD5: 73d1de319c7d61e0333471c82f2fc104

Typical Filename: SAntivirusService.exe

Claimed Product: A n t i v i r u s S e r v i c e

Detection Name: Win.Dropper.Segurazo::tpd

SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f

MD5: e2ea315d9a83e7577053f52c974f6a5a

Typical Filename: Tempmf582901854.exe

Claimed Product: N/A

Detection Name: Win.Dropper.Agentwdcr::1201

SHA 256: 60b6d7664598e6a988d9389e6359838be966dfa54859d5cb1453cbc9b126ed7d

MD5: bc26fd7a0b7fe005e116f5ff2227ea4d

Typical Filename: svchost.exe

Claimed Product: N/A

Detection Name: Win.Dropper.Python::1201

Keep up with all things Talos by following us on Twitter. Snort, ClamAV and Immunet also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.