Good afternoon, Talos readers.
We seriously can't escape from ransomware. It's in the headlines constantly and has now drawn the full attention of the federal government. But we at Talos recognize that it is going to take far more than just words to address this global threat. In this opinion piece we published this week along with the Cyber Threat Alliance, we outlined some steps we feel the government and private sector need to take to ensure physical life and property, critical infrastructure and the economy are all protected from ransomware.
While you're on our blog, you should also head over to the new Cisco Talos Incident Response web page. We have updated CTIR's list of offerings and given it a few visual overhauls that we think you'll love.
Back in the security space, we also had Microsoft Patch Tuesday this week. The company disclosed several vulnerabilities that they've seen actively exploited in the wild, so you should patch all of your Microsoft products if you haven't already.
Cybersecurity week in review
- The U.S. Department of Justice recovered roughly $2.3 million worth of Bitcoin paid to attackers in the Colonial Pipeline ransomware incident. The pipeline paid more than $4 million to the actors who compromised its network in hopes of restoring operations as quickly as possible.
- The CEO of Colonial Pipeline said in testimony to Congress that the company paid the ransom to avoid a worst-case scenario. After the compromise was first detected, the company focused solely on making sure the adversaries couldn't seize physical control of the pipeline, he said.
- Global meat supplier JBS paid $11 million to attackers who recently targeted the company with ransomware. The company had to shut down some of its operations for several days in the U.S. and Australia due to the attack.
- Adobe disclosed 41 vulnerabilities across its suite of products this week as part of its monthly security update. The fixes include patches for five critical vulnerabilities in Adobe Acrobat and Reader.
- Google's upcoming Android 12 release will include a new feature for users to opt-out of tracking from apps downloaded from the Google Play store. This follows similar options Apple recently rolled out to its iOS platform.
- The second beta for Android 12 also includes icons to show users when an app is accessing their camera, microphone or clipboard. These features are all part of a new "privacy dashboard."
- New court documents outline how the FBI used a supposed encrypted messaging app to spy on criminals. The honeypot, called "An0m," supposedly allowed users to communicate secretly, but the FBI was actually tracking criminals' actions.
- American law enforcement officials arrested a supposed operator of the Trickbot remote access trojan. The woman allegedly was one of the malware's main coders and developed ransomware-related functionality, including control, deployment and payments.
- A new APT group has reportedly been targeting African and Middle Eastern diplomatic organizations since 2017. BackdoorDiplomacy uses a custom backdoor called "Turian" that's derived from the Quarian backdoor.
Notable recent security issues
Title: Vulnerability with 9.8 severity score under attack on VMware products
Description: VMware issued a warning Friday alerting users to protect against exploitation of a severe vulnerability in its vSphere Client’s Virtual SAN Health Check plug-in, which is enabled by default in vCenter Server. An attacker with network access to this service can exploit this vulnerability to gain remote code execution on the affected vCenter Server. The vulnerability, tracked as CVE-2021-21985, exists in the software that allows users to manage virtualization in large data centers. VMware warned users in an advisory earlier this month that vCenter machines using the default configurations contained the vulnerability. An attacker could exploit this vulnerability to execute malicious code on machines that are connected to vCenter and exposed to the internet. The vulnerability has a CVSS severity rating of 9.8 out of 10.
Snort SIDs: 57720
Title: Microsoft patches 49 vulnerabilities as part of monthly security update
Description: Microsoft released its monthly security update Tuesday, disclosing 49 vulnerabilities across its suite of products, breaking last month’s 16-month record of the fewest vulnerabilities disclosed in a month by the company. Only four of the vulnerabilities patched this month are rated critical, while all the others are considered “important.” However, there are several vulnerabilities that Microsoft states are being actively exploited in the wild. One of the critical vulnerabilities this month exists in the Windows Defender anti-malware software. CVE-2021-31985 could allow an attacker to execute remote code on the targeted machine. However, Microsoft stated the vulnerability, along with others identified in Windows Defender this month, will be updated automatically. Users can verify the update was downloaded and installed by following the steps Microsoft outlined in its advisory.
Snort SIDs: 49388, 49389, 57722 - 57727, 57730 - 57733, 57735 and 57736
Most prevalent malware files this week
SHA 256: c1d5a585fce188423d31df3ea806272f3daa5eb989e18e9ecf3d94b97b965f8e
Typical Filename: ww31.exe
Claimed Product: N/A
Detection Name: W32.GenericKD:Attribute.24ch.1201
SHA 256: 583418f8f4c156be56ae65b932ca1d8e431e8f845806d0fc814f40562241fbc4
Typical Filename: smbscanlocal2705.exe
Claimed Product: N/A
Detection Name: W32.Auto:583418f8f4.in03.Talos
SHA 256: 8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9
Typical Filename: SAntivirusService.exe
Claimed Product: A n t i v i r u s S e r v i c e
Detection Name: PUA.Win.Dropper.Segurazo::tpd
SHA 256: d8ccc7b34c875d9bbbde99de2338b76aab46a87b777e3f010f205028d7bf9156
Typical Filename: hd8vct.exe
Claimed Product: N/A
Detection Name: W32.Auto:d8ccc7b34c.in03.Talos
SHA 256: e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd
Typical Filename: SAService.exe
Claimed Product: SAService
Detection Name: PUA.Win.Dropper.Segurazo::95.sbx.tg
Keep up with all things Talos by following us on Twitter. Snort, ClamAV and Immunet also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast here and Talos Takes here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.