Good afternoon, Talos readers.
Even though spam emails asking for gift cards may seem like the oldest trick in the book, they're still effective in 2021. The FBI estimates that business email compromise (BEC) cost victims around $1.8 billion in 2020, and recent campaigns we've seen show that the damage can only get worse.
Attackers are taking over businesses' emails and then sending employees and customers messages themed around everything from COVID-19 to PlayStation 5 sales. So while BEC may not seem like the most exciting threat out there, it's still one that can't be ignored.
Upcoming Talos public engagements
Speaker: Vitor Ventura
Date: Oct. 7 - 8
Description: Android malware has become prevalent across the landscape. In this workshop, Vitor Ventura will show you reverse engineering techniques for Android malware. This workshop is designed to provide the participants with different approaches to malware analysis so they can perform their own analysis without the use of automated tools. When everything else fails, we need to know what's under the hood. This workshop will cover malware unpacking, string deobfuscation, command and control protocol identification and feature identification.
Cybersecurity week in review
- Just days after police made several arrests related to the CLOP ransomware group, the operators posted data they claim came from a new victim. This indicates the group is still active in some form, though possibly not at full strength.
- Multiple Russian intelligence officials have recently pledged to help the U.S. track down cybercriminals. The comments from the FSB and the country's deputy foreign minister come after U.S. President Joe Biden and Vladimir Putin, his Russian counterpart, met at a rare summit last week.
- A new proposal circulating in Congress would label certain entities as being potential targets for cyber attacks, then offer them special access to government resources in exchange for improving their security standards. This idea is known as "systemically important critical infrastructure."
- The U.S. and European Union created a new joint working group to combat ransomware. A joint statement said the group will address the threat "through law enforcement action, raising public awareness on how to protect networks as well as the risk of paying the criminals responsible, and to encourage those states that turn a blind eye to this crime to arrest and extradite or effectively prosecute criminals on their territory."
- The EU also created a separate Joint Cyber Unit to address emergency, large-scale cyber attacks. A dedicated team of security experts will now be deployed to European countries in the event of a major ransomware attack to assist with response and recovery.
- A new ransomware called "LV" appears to have copied large swaths of REvil ransomware code. The two families also share similar TTPs, as LV also steals victims' information and then posts the information on leak sites to shame the victim into paying the ransom.
- The firmware update mechanism in more than 30 million Dell computers could leave the devices open to attack. Security researchers recently discovered four vulnerabilities affecting desktops, laptops and tablets, and Dell plans to release a patch Thursday.
- John McAfee, the creator of the McAfee anti-virus software and a viral personality, was found dead in a Spanish prison this week. McAfee left the security space many years ago and has since run into a bevy of criminal charges and legal troubles.
- The Monero cryptocurrency is quickly becoming the virtual currency of choice for threat actors. Monero is harder to trace than bitcoin and obscures the amount of money exchanged during a transaction between sender and receiver.
Notable recent security issues
Description: The Agent Tesla remote access trojan (RAT) is back again, this time using COVID-19-related phishing documents as its initial infection vector. Attackers are sending emails claiming to have a COVID-19 vaccine schedule attached as an RTF document. The malicious attachment exploits a known Microsoft Office remote code execution vulnerability, CVE-2017-11882, to infect the victim with Agent Tesla. This version of the RAT appears to be the most recent, with updated anti-detection capabilities and data theft tools. Although many countries, including the U.S., are starting to loosen pandemic restrictions as vaccination rates increase, this campaign shows that attackers will continue using COVID-19 as a popular spam topic.
Snort SIDs: 57787
Title: Attackers may be relying on one another to access corporate networks
Description: A new report indicates that APTs may be exchanging information and money as part of a vast network of cyber criminals distributing ransomware. Some of these groups buy access from other, independent adversaries who infiltrate major targets and eventually receive part of the proceeds from a successful ransomware infection. As part of this, security researchers at Proofpoint uncovered several new actors. One of these groups, which it named TA577, has been active since mid-2020. It’s used several ransomware payloads including SmokeLoader, IcedID, Ursnif and Cobalt Strike.
Snort SIDs: 57786, 57791
Most prevalent malware files this week
Typical Filename: ww31.exe
Claimed Product: N/A
Detection Name: W32.GenericKD:Attribute.24ch.1201
Typical Filename: smbscanlocal0906.exe
Claimed Product: N/A
Detection Name: Win.Dropper.Ranumbot::in03.talos
Typical Filename: VID.dat
Claimed Product: N/A
Detection Name: Win.Worm.Coinminer::1201
Typical Filename: SAntivirusService.exe
Claimed Product: A n t i v i r u s S e r v i c e
Detection Name: PUA.Win.Dropper.Segurazo::tpd
Typical Filename: SAService.exe
Claimed Product: SAService
Detection Name: PUA.Win.Dropper.Segurazo::95.sbx.tg
Keep up with all things Talos by following us on Twitter. Snort, ClamAV and Immunet also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast here and Talos Takes here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.