Good afternoon, Talos readers.
I'm compiling this Tuesday for vacation reasons, so apologies for any major stories I'm missing here.
The guys talk about privateer groups in this episode, a new type of threat actor classification we believe the security community needs in order to better discuss the intricacies of state-sponsored threat actors.
Upcoming Talos public engagements
Date: July 31 - Aug. 5
Location: Virtual and Mandalay Bay hotel and resort, Las Vegas, Nevada
Description: Join Talos and Cisco Secure for a series of sponsored talks, mock debates and incident response lessons at this year's hybrid BlackHat conference.
Speaker: Vitor Ventura
Date: Oct. 7 - 8
Description: Android malware has become prevalent across the landscape. In this workshop, Vitor Ventura will show you reverse engineering techniques for Android malware. This workshop is designed to provide the participants with different approaches to malware analysis so they can perform their own analysis without the use of automated tools. When everything else fails, we need to know what's under the hood. This workshop will cover malware unpacking, string deobfuscation, command and control protocol identification and feature identification.
Cybersecurity week in review
- The U.S. and NATO allies formally blamed Chinese state-sponsored actors for exploiting zero-day vulnerabilities in Microsoft Exchange Server. The FBI released a joint announcement detailing 50 tactics, techniques and procedures (TTPs) the attackers are known to use.
- Many victims of the Kaseya supply chain attack are struggling to recover encrypted files after the REvil group behind the attack went dark. Some companies paid the requested ransom to REvil, only to find out the decryption keys they received did not work.
- Security researchers uncovered a massive spyware ring based out of Israel. A company there produces the software and reportedly sells it to governments, allowing its users to infect and monitor iPhones, Android devices, Macs, PCs and cloud accounts.
- Apple and other mobile phone makers are under pressure to respond to reports that the NSO Group has exploited phones to spy on journalists and activists. The head of WhatsApp even called the newly disclosed information a “wake-up call for security on the internet.”
- Researchers are raising red flags about a new phone that right-leaning influencers are promoting as secure and censorship-proof. The phones actually appear to be repurposed hardware from overseas manufacturers known for producing vulnerability-riddled devices.
- Apple recently patched a zero-day vulnerability in iOS' Wi-Fi connectivity. At the time, the company said it was a denial-of-service issue, but researchers say it could also be used for remote code execution.
- The U.S. Department of Justice is offering up to a $10 million reward, paid out in cryptocurrency, for any information leading to the identification of state-sponsored threat actors. The department set up a new reporting channel on the dark web for researchers to submit information securely and anonymously.
- New guidelines from the U.S. Department of Homeland Security have created new security standards for critical American pipelines. Among the new rules, all pipeline operators must have a cybersecurity contingency and recovery plan.
- Popular messaging app WhatsApp is testing new encryption settings for cloud backups on Android devices. But users need to make sure they never forget their 64-character recovery key.
Notable recent security issues
Title: Cisco patches critical issues in WSA, BPA
Description: Multiple critical vulnerabilities in Cisco’s Web Security Appliance (WSA) and Business Process Automation (BPA) could allow an attacker to elevate their privileges to the level of an administrator. This opens the door for the attacker to access sensitive data or take over a targeted system. Both issues received a CVSS severity score of 8.8 out of 10. An adversary could exploit these vulnerabilities, identified as CVE-2021-1574 and CVE-2021-1576, by sending specially crafted HTTP messages to the targeted system.
Snort SIDs: 57882 – 57887
Description: The U.S. Cybersecurity and Infrastructure Security Agency warned users that attackers are actively exploiting critical remote code execution vulnerabilities in ForgeRock’s Access Management software. Access Management serves as a front end for web apps and remote access setups in enterprise networks. CISA, along with ForgeRock, warned users that the vulnerabilities are actively under exploitation in the wild, although ForgeRock has already released a patch. An adversary could exploit these vulnerabilities to execute commands in the context of the current user.
Snort SIDs: 57912, 57913
Most prevalent malware files this week
Typical Filename: ww31.exe
Claimed Product: N/A
Detection Name: W32.GenericKD:Attribute.24ch.1201
Typical Filename: smbscanlocal0906.exe
Claimed Product: N/A
Detection Name: Win.Dropper.Ranumbot::in03.talos
Typical Filename: VID001.exe
Claimed Product: N/A
Detection Name: Win.Worm.Coinminer::1201
Typical Filename: SAntivirusService.exe
Claimed Product: A n t i v i r u s S e r v i c e
Detection Name: PUA.Win.Dropper.Segurazo::tpd
Typical Filename: SAService.exe
Claimed Product: SAService
Detection Name: PUA.Win.Dropper.Segurazo::95.sbx.tg
Keep up with all things Talos by following us on Twitter. Snort, ClamAV and Immunet also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast here and Talos Takes here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.