Newsletter compiled by Jon Munshaw.
Good afternoon, Talos readers.
We have a special edition of the Threat Source newsletter to bring you this week, because we’re premiering a new video for you right now!
Below, you’ll find a full roundtable we put together discussing the SolarWinds supply chain attack. We brought together Talos researchers from several parts of our organization, including incident responders, global threat intelligence researchers and our Outreach team. We discussed everything we know about the SolarWinds attack, and what’s still yet to be uncovered. View the video below or check it out over on our YouTube page.
Upcoming public engagements with Talos
Title: Cisco Live 2021
Date: March 30 – April 1
Speakers: Nick Biasini, more TBA
Overview: Join us for the annual Cisco Live conference, this year taking place across the globe at the same time virtually for the first time. Cisco Live is your destination for year-round technical education and training. There will be many on-demand sessions to choose from throughout the conference. Nick Biasini of Talos Outreach will provide a broad overview of the past year’s threats and trends we’ve been seeing, with a specific focus on dual-use tools and supply chain attacks. Additional sessions will be announced in the coming weeks.
Cybersecurity week in review
- Early reports indicate more than 30,000 organizations could be affected by the Microsoft Exchange zero-day vulnerabilities. The threat actor behind the attacks even stepped up their efforts to scan for unpatched servers after the vulnerabilities were disclosed and patched.
- Chinese threat actors may have also targeted SolarWinds products the same time as Russian groups targeted the same vulnerabilities. The new discoveries show that there’s never a shortage of APTs looking to target American government agencies and large companies.
- The U.S. is expected to retaliate against Russia for the SolarWinds breach in the next few weeks. Actions could include cyber attacks and economic sanctions.
- A data breach at far-right social media app Gab uncovered many sensitive messages and gives a deeper look into the site. Among them are direct messages between the service’s CEO and a high-profile figure in the QAnon conspiracy theory.
- While SolarWinds stole headlines in December and January, another significant cyber attack flew under the radar. A very different set of coordinated intrusions targeted New Zealand’s central bank and grocery store chain Kroger, among other high-profile organizations.
- Students who are still learning remotely are finding ways to bypass schools’ test-proctoring systems that claim to be foolproof. Some methods involve downloading third-party apps, while other methods are as simple as using video chatting.
- The FBI released a warning this week that state-sponsored actors are likely to deploy deepfake videos to expand their influence in cybersecurity. The alert states that common ways to spot these types of manipulated videos include looking for any warping, distortions or synching issues.
- The recently passed COVID-19 relief bill includes millions of dollars in funding for American government cybersecurity efforts. Among the various provisions in the bill is $650 million earmarked for the Cybersecurity and Infrastructure Security Agency’s cybersecurity risk management programs.
- The U.S. Senate introduced a bipartisan bill that would provide additional funding to train government officials on election security. The proposed legislation would establish a $1 million grant to cover many of the costs of tuition for cybersecurity training for state and local election officials and their employees.
- F5 disclosed four remote code execution vulnerabilities that affect its BIG-IP and BIG-IQ software. All the vulnerabilities have a CVSS severity score of 9.0 or higher (out of 10).
Notable recent security issues
Description: Microsoft released its monthly security update Tuesday, disclosing 89 vulnerabilities across its suite of products, the most in any month so far this year. There are 14 critical vulnerabilities as part of this release, and one considered of “low” severity. The remainder are all “important.” Three of the critical vulnerabilities are the ones Microsoft disclosed last week in Exchange Server that the company said state-sponsored actors exploited in the wild to steal emails. Microsoft also announced Monday they were releasing patches for older versions of Exchange Server. All organizations using the affected software should prevent external access to port 443 on Exchange Servers or set up a VPN to provide external access to port 443. This will ensure that only authenticated and authorized users can connect to this service. However, this action will only protect against the initial step of the attack. Administrators should also immediately apply the published patches to vulnerable Exchange Servers. Outside of Exchange Server, this month’s security update provides patches for several other pieces of software, including Azure Sphere, the SharePoint file-sharing service and the .hevc video file extension.
Snort SIDs: 54518, 57233, 57234, 57241 - 57246, 57252, 57253, 57259 - 57268, 57269 and 57274 - 57276
Description: Microsoft disclosed several critical vulnerabilities in Exchange Server last week, stating that a state-sponsored actor known as “HAFNIUM” was behind the attacks. This threat actor exploited four vulnerabilities to steal emails, the most severe of one is a zero-day server-side request forgery (SSRF) vulnerability. HAFNIUM is a newly identified threat actor. According to Microsoft, the group usually targets industries such as military contractors, infections disease research, legal, education and think tanks. Microsoft stated that the group is likely based out of China, but relies on leased virtual private servers in the U.S. While HAFNIUM was first known for exploiting these Exchange Server vulnerabilities, it is likely they will switch their tactics now that the vulnerabilities are public.
Snort SIDs: 57235 - 57240
Most prevalent malware files this week
Typical Filename: ww31.exe
Claimed Product: N/A
Detection Name: W32.GenericKD:Attribute.24ch.1201
Typical Filename: flashhelperservice.exe
Claimed Product: Flash Helper Service
Detection Name: W32.4647F1A085.in12.Talos
Typical Filename: SAntivirusService.exe
Claimed Product: SAService
Detection Name: PUA.Win.File.Segurazo::95.sbx.tg
Typical Filename: SAntivirusService.exe
Claimed Product: A n t i v i r u s S e r v i c e
Detection Name: PUA.Win.Dropper.Segurazo::tpd
Typical Filename: svchost.exe
Claimed Product: N/A
Detection Name: Win.Exploit.Shadowbrokers::5A5226262.auto.talos
Keep up with all things Talos by following us on Twitter. Snort, ClamAV and Immunet also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.