Good afternoon, Talos readers.
The value of cryptocurrency is all over the place. Elon Musk's tweets can send Dogecoin rising and falling. And Monero, the most popular currency for cryptominers, has gone all over the place this year. So does that have any effect on the rate of attackers deploying miners?
Also, if you haven't already, be sure to update your Microsoft products. The company disclosed three vulnerabilities this month that attackers are exploiting in the wild (four if you count PrintNightmare from earlier this month).
Upcoming Talos public engagements
Date: July 31 - Aug. 5
Location: Virtual and Mandalay Bay hotel and resort, Las Vegas, Nevada
Description: Join Talos and Cisco Secure for a series of sponsored talks, mock debates and incident response lessons at this year's hybrid BlackHat conference.
Speaker: Vitor Ventura
Date: Oct. 7 - 8
Description: Android malware has become prevalent across the landscape. In this workshop, Vitor Ventura will show you reverse engineering techniques for Android malware. This workshop is designed to provide the participants with different approaches to malware analysis so they can perform their own analysis without the use of automated tools. When everything else fails, we need to know what's under the hood. This workshop will cover malware unpacking, string deobfuscation, command and control protocol identification and feature identification.
Cybersecurity week in review
- REvil, the threat actor thought to be behind the massive Kaseya supply chain attack, has disappeared from the internet. The group's website and presence on the dark web went quiet sometime Tuesday, including pages used to negotiate with the group.
- The U.S. Senate finally confirmed Jen Easterly as the new head of the Cybersecurity and Infrastructure Security Agency this week. The position had been vacant since President Joe Biden was sworn in. Easterly will obviously enter at a very tumultuous time as the country, and world, addresses ransomware.
- After a ransomware attack in 2019, the Norwegian company Norsk Hydro refused to pay the requested extortion payment. And their long road to recovery shows what can happen if ransomware victims choose to completely rebuild and re-focus on security after such an event.
- Iran's public rail system and associated transportation websites were hit with a cyber attack over the weekend. Reportedly, the electronic system that tracks trains' arrivals and departures failed.
- Networking device manufacturer SonicWall warned users of an imminent ransomware attack using compromised credentials against their devices. Some users were even encouraged to just unplug their devices entirely.
- It's worth noting that some of the devices under attack are considered at their end-of-life, so users shouldn't expect an immediate patch. One of the devices even went end-of-life in 2016, though they still may be able to update to a newer version of the firmware that is not vulnerable to this attack.
- The White House announced a new initiative Thursday to cut off threat actors from cryptocurrency. Officials say they are forming new partnerships with virtual currency exchanges to track the flow of cryptocurrency and put new anti-money laundering rules in place.
- Clothing retailer Guess revealed that customers' personal information was stolen after a DarkSide ransomware attack. The data includes Social Security numbers, passport numbers and driver's license information, though no payment information appears to be affected.
Notable recent security issues
Title: Microsoft patches PrintNightmare as part of Patch Tuesday
Description: Microsoft released its monthly security update Tuesday, disclosing 117 vulnerabilities across its suite of products, by far the most in a month this year. Most notably, Microsoft released the update to patch the so-called “PrintNightmare” vulnerability in its print spooler function that could allow an attacker to execute remote code. This vulnerability was first disclosed in April, though security researchers later discovered it could be exploited in a more serious way than initially thought. Microsoft attempted to fix the vulnerability with an out-of-band release earlier this month, though the vulnerability could still be exploited. Besides the print spooler vulnerability, there is one other issue attackers have exploited in the wild, according to Microsoft. CVE-2021-34448 is a memory corruption vulnerability in the Scripting Engine that is triggered when the user opens a specially crafted file, either attached to an email or a compromised website.
Snort SIDs: 57890, 57891, 57894 - 57897 and 57906 - 57910
Title:Kaseya rolls out patches for vulnerabilities exploited by ransomware attackers
Description: The supply chain attack on Kaseya VSA continues to dominate the security landscape as hundreds of organizations deal with the ramifications, including ransomware attacks. Kaseya released a patch for its remote monitoring software that could be exploited to bypass authentication and execute remote code. REvil, the ransomware group behind the attack, is demanding a $70 million ransom for a universal decryption key. The current patch only applies to on-premise customers. Users who have the software-as-a-service version of VSA are still advised to shut down their affected servers while Kaseya works with users to fix the issues.
Cisco Secure Endpoint signatures: Gen:Variant.Graftor.952042, W32.D55F983C99-100.SBX.TG, W32.File.MalParent, W32.RetroDetected
ClamAV signatures: Win.Dropper.REvil-9875493-0, Win.Ransomware.REvil-9875494-0
Cloud IOCs: W32.PingPredicatedDel.ioc, W32.DisableRealtimeMonitoring.ioc, W32.CertutilDecodedExecutableFile.ioc, W32.CertUtilCopy.ioc
Snort SID: 57879
Most prevalent malware files this week
Typical Filename: ww31.exe
Claimed Product: N/A
Detection Name: W32.GenericKD:Attribute.24ch.1201
Typical Filename: smbscanlocal0906.exe
Claimed Product: N/A
Detection Name: Win.Dropper.Ranumbot::in03.talos
Typical Filename: VID001.exe
Claimed Product: N/A
Detection Name: Win.Worm.Coinminer::1201
Typical Filename: SAntivirusService.exe
Claimed Product: A n t i v i r u s S e r v i c e
Detection Name: PUA.Win.Dropper.Segurazo::tpd
Typical Filename: SAService.exe
Claimed Product: SAService
Detection Name: PUA.Win.Dropper.Segurazo::95.sbx.tg
Keep up with all things Talos by following us on Twitter. Snort, ClamAV and Immunet also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast here and Talos Takes here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.