Good afternoon, Talos readers.
We seriously can't escape from ransomware. It's in the headlines constantly and has now drawn the full attention of the federal government. But we at Talos recognize that it is going to take far more than just words to address this global threat. In the opinion piece we published this week along with the Cyber Threat Alliance, we outlined the steps we feel the government and private sector need to take to protect lives, property, critical infrastructure and the economy from ransomware.
While you're on our blog, you should also head over to the new Cisco Talos Incident Response web page. We have updated CTIR's list of offerings and given the page a visual overhaul that we think you'll love.
Back in the security space, we also had Microsoft Patch Tuesday this week. The company disclosed several vulnerabilities that it has seen actively exploited in the wild, so if you haven't already, patch your Microsoft products now rather than waiting for the next maintenance window.
Cybersecurity week in review
- The U.S. Department of Justice recovered roughly $2.3 million worth of Bitcoin paid to the attackers in the Colonial Pipeline ransomware incident. The pipeline operator had paid more than $4 million to the actors who compromised its network in hopes of restoring operations as quickly as possible.
- The CEO of Colonial Pipeline said in testimony to Congress that the company paid the ransom to avoid a worst-case scenario. After the compromise was first detected, the company focused solely on making sure the adversaries couldn't seize physical control of the pipeline, he said.
- Global meat supplier JBS paid $11 million to attackers who recently targeted the company with ransomware. The company had to shut down some of its operations for several days in the U.S. and Australia due to the attack.
- Adobe disclosed 41 vulnerabilities across its suite of products this week as part of its monthly security update. The fixes include patches for five critical vulnerabilities in Adobe Acrobat and Reader.
- Google's upcoming Android 12 release will include a new feature that lets users opt out of tracking by apps downloaded from the Google Play store. This follows similar options Apple recently rolled out on its iOS platform.
- The second beta of Android 12 also includes indicators that show users when an app is accessing their camera, microphone or clipboard. These features are all part of a new "privacy dashboard."
- New court documents outline how the FBI used a purportedly encrypted messaging app to spy on criminals. The honeypot app, called "An0m," was marketed as letting its users communicate secretly, but the FBI was actually tracking everything they did.
- American law enforcement officials arrested a suspected operator of the Trickbot banking trojan. The woman allegedly was one of the malware's main coders and developed ransomware-related functionality, including control, deployment and payments.
- A new APT group has reportedly been targeting African and Middle Eastern diplomatic organizations since 2017. BackdoorDiplomacy uses a custom backdoor called "Turian" that's derived from the Quarian backdoor.
Notable recent security issues
Description: VMware issued a warning Friday alerting users to protect against exploitation of a severe vulnerability in its vSphere Client's Virtual SAN Health Check plug-in, which is enabled by default in vCenter Server. The vulnerability, tracked as CVE-2021-21985, exists in the software that allows users to manage virtualization in large data centers. An attacker with network access to the vCenter Server (port 443) can exploit it to gain remote code execution on the vCenter Server itself, without needing valid credentials. VMware warned users in an advisory earlier this month that vCenter machines running the default configuration are affected, so the presence of the plug-in, not its use, is what matters. The risk is greatest for the many vCenter instances that are reachable from the internet; patching is the fix, and vCenter should in any case never be exposed directly to untrusted networks. The vulnerability has a CVSS severity rating of 9.8 out of 10.
Snort SIDs: 57720
Description: Microsoft released its monthly security update Tuesday, disclosing 49 vulnerabilities across its suite of products, the fewest in a single month in more than 16 months and a new low after the record set last month. Only four of the vulnerabilities patched this month are rated critical, while all the others are considered "important." However, several of them are, by Microsoft's own account, being actively exploited in the wild, so the low count should not be read as a light month. One of the critical vulnerabilities this month exists in the Windows Defender anti-malware software. CVE-2021-31985 could allow an attacker to execute arbitrary code remotely on the targeted machine. Microsoft stated that this vulnerability, along with others identified in Windows Defender this month, is fixed through the Malware Protection Engine, which updates automatically rather than through Windows Update. Users can verify the updated engine was downloaded and installed by following the steps Microsoft outlined in its advisory.
Snort SIDs: 49388, 49389, 57722 - 57727, 57730 - 57733, 57735 and 57736
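Because the Defender fix ships through the engine's own update channel, an admin's check is the engine version, not the Patch Tuesday KB. The script below is an added example (not Talos or Microsoft code) showing that check with the built-in Defender cmdlets; it assumes the minimum fixed engine version is supplied as a parameter, read from the Microsoft advisory for the CVE, since that value is not reproduced on this page.

```powershell
# Added example: confirm the Microsoft Malware Protection Engine is at or above the
# version in which a given CVE is fixed. -MinimumEngineVersion is an assumption: take the
# value from the Microsoft advisory for the CVE you are checking.
param(
    [Parameter(Mandatory = $true)]
    [version]$MinimumEngineVersion
)

$status = Get-MpComputerStatus

# AMEngineVersion is the Malware Protection Engine, which is where engine CVEs are fixed.
# AntivirusSignatureVersion is the definition set; it updates far more often and is not
# the thing to check for this class of fix.
$engine = [version]$status.AMEngineVersion

[pscustomobject]@{
    Host                 = $env:COMPUTERNAME
    EngineVersion        = $engine
    MinimumRequired      = $MinimumEngineVersion
    Platform             = $status.AMProductVersion
    SignatureVersion     = $status.AntivirusSignatureVersion
    SignatureLastUpdated = $status.AntivirusSignatureLastUpdated
    Patched              = ($engine -ge $MinimumEngineVersion)
}

if ($engine -lt $MinimumEngineVersion) {
    # Force a check-in for engine/definition updates instead of waiting on the schedule,
    # then tell the operator to re-run so the new version is actually confirmed.
    Update-MpSignature
    Write-Warning "Engine $engine is below $MinimumEngineVersion; triggered Update-MpSignature. Re-run this script to confirm."
}
```

Run it as a script with the engine version from the advisory, for example `.\Check-DefenderEngine.ps1 -MinimumEngineVersion <version from advisory>`. On hosts that are managed by a third-party AV with Defender in passive mode the engine still updates and the check still applies; on hosts where Update-MpSignature is blocked by a proxy or WSUS policy, a persistently old engine version is the signal to chase.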
Most prevalent malware files this week
Typical Filename: ww31.exe
Claimed Product: N/A
Detection Name: W32.GenericKD:Attribute.24ch.1201
Typical Filename: smbscanlocal2705.exe
Claimed Product: N/A
Detection Name: W32.Auto:583418f8f4.in03.Talos
Typical Filename: SAntivirusService.exe
Claimed Product: A n t i v i r u s S e r v i c e
Detection Name: PUA.Win.Dropper.Segurazo::tpd
Typical Filename: hd8vct.exe
Claimed Product: N/A
Detection Name: W32.Auto:d8ccc7b34c.in03.Talos
Typical Filename: SAService.exe
Claimed Product: SAService
Detection Name: PUA.Win.Dropper.Segurazo::95.sbx.tg
Keep up with all things Talos by following us on Twitter. Snort, ClamAV and Immunet also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast here and Talos Takes here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.