Good afternoon, Talos readers.

I'm compiling this Tuesday for vacation reasons, so apologies for any major stories I'm missing here.

This week's Beers with Talos podcast hits the seas again. And although we've covered sea shanties in the past, this week we're covering the bad guys trying to disrupt those glorious songs of old.

The guys talk about privateer groups in this episode, a new threat actor classification we believe the security community needs in order to better discuss the intricacies of state-sponsored threat actors.

Upcoming Talos public engagements

Talos at BlackHat USA 2021

Date: July 31 - Aug. 5

Location: Virtual and Mandalay Bay hotel and resort, Las Vegas, Nevada

Description: Join Talos and Cisco Secure for a series of sponsored talks, mock debates and incident response lessons at this year's hybrid BlackHat conference.

Workshop: Analysing Android malware at VirusBulletin localhost 2021

Speaker: Vitor Ventura

Date: Oct. 7 - 8

Location: Virtual

Description: Android malware has become prevalent across the landscape. In this workshop, Vitor Ventura will show you reverse engineering techniques for Android malware. This workshop is designed to provide the participants with different approaches to malware analysis so they can perform their own analysis without the use of automated tools. When everything else fails, we need to know what's under the hood. This workshop will cover malware unpacking, string deobfuscation, command and control protocol identification and feature identification.

Cybersecurity week in review

  • The U.S. and NATO allies formally blamed Chinese state-sponsored actors for exploiting zero-day vulnerabilities in Microsoft Exchange Server. The FBI, CISA and NSA released a joint advisory detailing 50 tactics, techniques and procedures (TTPs) the attackers are known to use.
  • Many victims of the Kaseya supply chain attack are struggling to recover encrypted files after the REvil group behind the attack went dark. Some companies paid the requested ransom to REvil, only to find out the decryption keys they received did not work.
  • Security researchers uncovered a massive spyware ring based out of Israel. The company that produces the software reportedly sells it to governments, allowing its customers to infect and monitor iPhones, Androids, Macs, PCs and cloud accounts.
  • Apple and other mobile phone makers are under pressure to respond to reports that the NSO Group has exploited phones to spy on journalists and activists. The head of WhatsApp even called the newly disclosed information a “wake-up call for security on the internet.”
  • Researchers are raising red flags about a new phone that right-leaning influencers are promoting as secure and censorship-proof. The handsets actually appear to be rebranded models from overseas manufacturers known for shipping vulnerability-riddled devices.
  • Apple recently patched a zero-day vulnerability in iOS' WiFi connectivity. At the time, the company said it was a denial-of-service issue, but researchers say it could also be used for remote code execution.
  • The U.S. State Department's Rewards for Justice program is offering up to a $10 million reward, which may be paid out in cryptocurrency, for information leading to the identification or location of state-sponsored threat actors targeting U.S. critical infrastructure. The program set up a new Tor-based reporting channel on the dark web so that tipsters can submit information securely and anonymously.
  • A new security directive from the U.S. Department of Homeland Security sets mandatory security standards for critical American pipelines, including a requirement that all pipeline operators have a cybersecurity contingency and recovery plan.
  • Popular messaging app WhatsApp is testing new encryption settings for cloud backups on Android devices. But users need to make sure they never forget their 64-character recovery key.

Notable recent security issues

Title: Cisco patches high-severity privilege escalation issues in WSA, BPA

Description: Multiple high-severity vulnerabilities in Cisco’s Web Security Appliance (WSA) and Business Process Automation (BPA) could allow an attacker to elevate their privileges to the level of an administrator. This opens the door for the attacker to access sensitive data or take over a targeted system. The issues both received a CVSS severity score of 8.8 out of 10, which falls in the CVSS v3 "High" band (Critical starts at 9.0). An adversary could exploit these vulnerabilities, identified as CVE-2021-1574 and CVE-2021-1576, by sending specially crafted HTTP messages to the targeted system. Administrators should apply the fixed releases from the Cisco advisories; there are no workarounds that address the issues.

Snort SIDs: 57882 – 57887

Title: Critical vulnerabilities in ForgeRock’s Access Management actively under attack

Description: The U.S. Cybersecurity and Infrastructure Security Agency (CISA), together with ForgeRock, warned users that attackers are actively exploiting critical remote code execution vulnerabilities in ForgeRock’s Access Management software, even though ForgeRock has already released a patch. Access Management serves as a front end for web apps and remote access setups in enterprise networks, so a compromised instance sits directly in the authentication path. An adversary could exploit these vulnerabilities to execute commands in the context of the user the Access Management service runs as, without needing valid credentials.

Snort SIDs: 57912, 57913

Most prevalent malware files this week

SHA 256: c1d5a585fce188423d31df3ea806272f3daa5eb989e18e9ecf3d94b97b965f8e

MD5: 9a4b7b0849a274f6f7ac13c7577daad8

Typical Filename: ww31.exe

Claimed Product: N/A

Detection Name: W32.GenericKD:Attribute.24ch.1201

SHA 256: 9a74640ca638b274bc8e81f4561b4c48b0c5fbcb78f6350801746003ded565eb

MD5: 6be10a13c17391218704dc24b34cf736

Typical Filename: smbscanlocal0906.exe

Claimed Product: N/A

Detection Name: Win.Dropper.Ranumbot::in03.talos

SHA 256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507

MD5: 2915b3f8b703eb744fc54c81f4a9c67f

Typical Filename: VID001.exe

Claimed Product: N/A

Detection Name: Win.Worm.Coinminer::1201

SHA 256: 8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9

MD5: 34560233e751b7e95f155b6f61e7419a

Typical Filename: SAntivirusService.exe

Claimed Product: A n t i v i r u s S e r v i c e

Detection Name: PUA.Win.Dropper.Segurazo::tpd

SHA 256: e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd

MD5: 8193b63313019b614d5be721c538486b

Typical Filename: SAService.exe

Claimed Product: SAService

Detection Name:
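
The hash list above is only useful once it is turned into something a responder can run. The script below is an added example (not Talos, Snort or ClamAV code): it parses the newsletter's "SHA 256 / MD5 / Typical Filename / Claimed Product / Detection Name" records verbatim, including the last entry whose detection name is empty, and then sweeps a directory tree for files whose content hash matches. Matching is on content only, never on the "Typical Filename", because the same sample ships under many names and a benign file may reuse a listed one. The sample file and decoy created in `demo()` are constructed for the demonstration and are not real malware.

```python
"""Sweep a directory for files whose SHA-256 or MD5 is on an IOC list.
Added example for the newsletter's 'Most prevalent malware files' list."""
import hashlib
import os
import re
import tempfile

# Verbatim copy of the newsletter's list (last record has an empty Detection Name).
IOC_TEXT = """
SHA 256: c1d5a585fce188423d31df3ea806272f3daa5eb989e18e9ecf3d94b97b965f8e
MD5: 9a4b7b0849a274f6f7ac13c7577daad8
Typical Filename: ww31.exe
Claimed Product: N/A
Detection Name: W32.GenericKD:Attribute.24ch.1201
SHA 256: 9a74640ca638b274bc8e81f4561b4c48b0c5fbcb78f6350801746003ded565eb
MD5: 6be10a13c17391218704dc24b34cf736
Typical Filename: smbscanlocal0906.exe
Claimed Product: N/A
Detection Name: Win.Dropper.Ranumbot::in03.talos
SHA 256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507
MD5: 2915b3f8b703eb744fc54c81f4a9c67f
Typical Filename: VID001.exe
Claimed Product: N/A
Detection Name: Win.Worm.Coinminer::1201
SHA 256: 8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9
MD5: 34560233e751b7e95f155b6f61e7419a
Typical Filename: SAntivirusService.exe
Claimed Product: A n t i v i r u s S e r v i c e
Detection Name: PUA.Win.Dropper.Segurazo::tpd
SHA 256: e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd
MD5: 8193b63313019b614d5be721c538486b
Typical Filename: SAService.exe
Claimed Product: SAService
Detection Name:
"""

FIELDS = {"SHA 256": "sha256", "MD5": "md5", "Typical Filename": "filename",
          "Claimed Product": "product", "Detection Name": "detection"}
FIELD_RE = re.compile(r"^(SHA 256|MD5|Typical Filename|Claimed Product|Detection Name):\s*(.*)$")


def parse_ioc_block(text):
    """Turn the newsletter's five-line records into dicts; a record starts at each
    'SHA 256:' line and fields left blank on the page stay ''."""
    records, current = [], None
    for line in text.splitlines():
        m = FIELD_RE.match(line.strip())
        if not m:
            continue
        key, value = FIELDS[m.group(1)], m.group(2).strip()
        if key == "sha256":
            current = {k: "" for k in FIELDS.values()}
            records.append(current)
        if current is not None:
            current[key] = value.lower() if key in ("sha256", "md5") else value
    return records


def build_index(records):
    """Lookup tables keyed on lowercase hex digest (hashlib emits lowercase)."""
    by_sha = {r["sha256"]: r for r in records if r["sha256"]}
    by_md5 = {r["md5"]: r for r in records if r["md5"]}
    return by_sha, by_md5


def hash_file(path, chunk=1 << 20):
    """Stream the file once, computing both digests, so large files stay cheap."""
    sha, md5 = hashlib.sha256(), hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            sha.update(block)
            md5.update(block)
    return sha.hexdigest(), md5.hexdigest()


def sweep(root, by_sha, by_md5):
    """Return (path, record, matched_on) for every file under root whose content
    hash is on the list. Filenames are deliberately not a match criterion."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                sha, md5 = hash_file(path)
            except OSError:
                continue  # unreadable or special file: skip, do not abort the sweep
            if sha in by_sha:
                hits.append((path, by_sha[sha], "sha256"))
            elif md5 in by_md5:
                hits.append((path, by_md5[md5], "md5"))  # weaker evidence: MD5 collisions are practical
    return hits


def demo():
    """Constructed scenario: one renamed sample whose hash we add to the list, plus a
    benign decoy that only borrows the listed name ww31.exe."""
    records = parse_ioc_block(IOC_TEXT)
    sample = b"constructed test content, not real malware\n"
    records.append({"sha256": hashlib.sha256(sample).hexdigest(),
                    "md5": hashlib.md5(sample).hexdigest(), "filename": "sample.bin",
                    "product": "N/A", "detection": "Test.Constructed"})
    by_sha, by_md5 = build_index(records)
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "renamed.dat"), "wb") as fh:
            fh.write(sample)
        with open(os.path.join(root, "ww31.exe"), "wb") as fh:
            fh.write(b"benign file that merely reuses a listed name\n")
        hits = sweep(root, by_sha, by_md5)
    return [(os.path.basename(p), r["detection"], how) for p, r, how in hits]


if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

Run it against a real tree by replacing the temporary directory in `demo()` with the path to sweep; an SHA-256 hit is strong evidence, an MD5-only hit is worth a second look but not a conviction on its own.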

Keep up with all things Talos by following us on Twitter. Snort, ClamAV and Immunet also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast here and Talos Takes here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.