Newsletter compiled by Jon Munshaw.
Good afternoon, Talos readers.
Unfortunately, I don’t have any stock tips to give you to help you get rich overnight. But I do have two Vulnerability Spotlights you should read so your network can stay safer. We disclosed multiple vulnerabilities in phpGACL and Micrium uc-HTTP. There are patches available for both products and Snort rules for extra coverage.
The biggest news in the security community this week is the recent disclosure that a state-sponsored actor is targeting security researchers across the globe. Multiple Talos researchers were targeted in this attack, but there are no security risks at this time and our researchers were not compromised in any way.
Upcoming public engagements with Talos
Date: Feb. 6 - 7
Speakers: Edmund Brumaghin and Nick Biasini
Overview: As the volume of malware samples in the wild has continued to explode in recent years, a lot of effort has been put into the development of automated analysis platforms. These platforms typically execute files in controlled environments to observe their behavior and determine if the file is benign or malicious. As the use of these technologies has increased, adversaries have invested significant resources in developing techniques to circumvent automated analysis and evade detection. Malware developers are also implementing various techniques to make analysis more difficult. Modern botnets have begun leveraging new technologies to make their infrastructure more resilient to disruption by security organizations and law enforcement. This presentation will describe the latest techniques employed by adversaries to evade analysis and detection. It will also cover the new technologies being leveraged to establish C2 communications channels that are resilient against intervention by the security industry and law enforcement. We will discuss specific examples and walk through detailed case studies where these techniques are being employed, as well as how to defend against them more effectively.
Cybersecurity week in review
- Email security firm Mimecast disclosed this week that it was a victim of the recent SolarWinds breach. The company said adversaries compromised one of its security certificates and exfiltrated encrypted credentials, though there is no evidence to suggest those stolen credentials have been abused.
- SolarWinds is already shaping U.S. President Joe Biden’s cybersecurity plan. His administration is still unpacking how widespread the attack is and how it could shape cyber espionage campaigns in the future.
- As the COVID-19 vaccination effort ramps up around the world, cyber actors are — unsurprisingly — trying to capitalize. Adversaries have already started campaigns looking to spread disinformation regarding the vaccine and other researchers say distribution disruptions could follow.
- Vulnerabilities in Amazon’s Kindle devices could allow an attacker to steal users’ credit card information using a malformed eBook. An adversary could string together three exploits to take control of a victim's Kindle, use their credit card on the device’s store and access personal information stored on the device.
- U.S. intelligence agencies reportedly purchased commercial cell phone location data from third parties to track individuals without a warrant. The Defense Intelligence Agency has received permission to query that data five times in the last two-and-a-half years.
- Ransomware groups are now also using distributed denial-of-service attacks to coerce their victims into paying. Researchers have so far confirmed SunCrypt and RagnarLocker as the two ransomware families using this tactic.
- A home security technician admitted to hacking into home security cameras to spy on women. The former ADT employee added his personal email to accounts belonging to targeted customers, allowing him to remotely check on their security cameras.
- Apple urged users to update their iPhones as soon as possible to fix multiple vulnerabilities being exploited in the wild. iOS 14.4 included fixes for exploits whose details Apple could not yet disclose.
Notable recent security issues
Description: A recently discovered trojan known as ElectroRAT is pulling out all the stops to infect cryptocurrency wallets. The actors behind this campaign have so far created three cryptocurrency-related apps that are disguised as legitimate software. They’ve also invested in a full-fledged marketing campaign to encourage users to download the apps. If a victim downloads one of the trojanized apps, they are infected with malware that then takes over their cryptocurrency wallet.
Snort SIDs: 56991 - 56993
Description: Cisco disclosed multiple vulnerabilities last week that could allow attackers to execute malicious code remotely on affected devices. Three of these vulnerabilities collectively have a severity score of 9.9 out of 10. An adversary could cause a variety of conditions on the affected products that could eventually lead to remote code execution. These issues affect several Cisco products, including SD-WAN vBond Orchestrator Software, SD-WAN vEdge Cloud Routers, SD-WAN vEdge Routers, SD-WAN vManage Software and SD-WAN vSmart Controller Software.
Snort SIDs: 56942 - 56944, 56957 - 56963
Most prevalent malware files this week
Typical Filename: SAService.exe
Claimed Product: SAService
Detection Name: PUA.Win.Dropper.Segurazo::95.sbx.tg
Typical Filename: santivirusservice.exe
Claimed Product: A n t i v i r u s S e r v i c e
Detection Name: PUA.Win.Dropper.Segurazo::tpd
Typical Filename: pmropn.exe
Claimed Product: PremierOpinion
Detection Name: PUA.Win.Adware.Relevantknowledge::231753.in02
Typical Filename: svchost.exe
Claimed Product: N/A
Detection Name: Win.Exploit.Shadowbrokers::5A5226262.auto.talos
Typical Filename: webnavigatorbrowser.exe
Claimed Product: WebNavigatorBrowser
Detection Name: W32.6FDFCD0510-100.SBX.VIOC
Keep up with all things Talos by following us on Twitter. Snort, ClamAV and Immunet also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.