Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers.

Start spreading the word now: the Snort scholarship is back for 2021! This year, we’re giving away two $10,000 awards to two college students who are studying cybersecurity or another IT-related field. Applications open on April 1, but we want everyone to start getting their applications together now.

Upcoming public engagements with Talos

Title: Cisco Live 2021

Date: March 30 – April 1

Speakers: Nick Biasini, more TBA

Overview: Join us for the annual Cisco Live conference, which this year takes place virtually, across the globe at the same time, for the first time. Cisco Live is your destination for year-round technical education and training. There will be many on-demand sessions to choose from throughout the conference. Nick Biasini of Talos Outreach will provide a broad overview of the past year’s threats and the trends we’ve been seeing, with a specific focus on dual-use tools and supply chain attacks. Additional sessions will be announced in the coming weeks.

Title: Analyzing Android Malware: From triage to reverse-engineering

Date: April 7 at 11 a.m. ET

Speakers: Vitor Ventura

Overview: In this free webinar, Vitor Ventura of Talos Outreach will discuss the most recent Android malware he’s seen in the wild. Vitor will reverse-engineer some of these malware samples and discuss what users can do to stay safe. We’ll cover everything from deobfuscating strings, to appropriate patching practices and searching for command and control beacons.

Cybersecurity week in review

  • At least six APTs have exploited the zero-day vulnerabilities in Microsoft Exchange Server since they were first disclosed. While this could just be some amazing coincidence, it’s more than likely an unprecedented security event.
  • Microsoft released a one-click PowerShell script to fix these vulnerabilities, aimed at helping smaller businesses and organizations that may not have dedicated security teams. The script checks whether the user’s server is affected and, if so, downloads and runs the Microsoft Safety Scanner to remove web shells and other malicious scripts linked to these attacks.
  • A major Senate committee started another round of testimonies on Thursday focused on the SolarWinds supply chain attack. Lawmakers are specifically investigating what federal agencies are doing to prevent another similar attack in the future.
  • Several American officials are pushing for major changes to American cybersecurity infrastructure after the SolarWinds and Microsoft Exchange incidents. Some of the plans under consideration call for greater participation from private security firms.
  • Russian disinformation farms are reportedly trying to sow distrust in Western COVID-19 vaccines. Fake online news sites backed by these actors are publishing fake news articles making incorrect claims about the safety of the vaccines.
  • A new declassified report states that Iranian and Russian actors attempted to sway the outcome of the 2020 presidential election by spreading fake and misleading information. However, the report states no foreign actors tried to alter voter registration files or vote counting.
  • In response to the report, U.S. President Joe Biden said Russian President Vladimir Putin will “pay a price” for the election interference. New sanctions could come as early as next week.
  • A fire at a large office building in Europe reportedly is affecting the operations of some well-known threat actors. Groups including Bahamut and OceanLotus may have lost physical infrastructure, including servers, in the fire.
  • New iOS features suggest Apple may start releasing security updates for its products separately from feature changes. The iOS 14.5 beta has a new setting that allows users to select whether they want to install just security updates or the entirety of the release.

Notable recent security issues

Title: F5 urges users to patch exploits that could open the door to take complete control of systems

Description: F5’s BIG-IP and BIG-IQ applications contain multiple critical vulnerabilities that could allow adversaries to completely compromise systems. The company urged users to patch as soon as possible. Several of the vulnerabilities disclosed last week could allow attackers to execute malicious code, disable services, and manipulate, delete and create files, among other malicious actions. In all, F5 Networks disclosed four critical vulnerabilities, seven high-severity bugs and 10 that are considered of “medium” severity. BIG-IP and BIG-IQ are usually deployed for application delivery services, such as load balancing, app security and access control. In a worst-case scenario, F5 said, an attacker could exploit a vulnerable BIG-IP appliance to break into the broader enterprise network.

Snort SID: 57298

Title: New detection, information available on Microsoft Exchange Server zero-day vulnerabilities

Description: Since Microsoft's initial disclosure of multiple zero-day vulnerabilities in Microsoft Exchange Server, Cisco Talos has seen shifts in the tactics, techniques, and procedures (TTPs) associated with this malicious activity. Talos researchers have discovered other actors exploiting these vulnerabilities that appear to be separate from the initial "Hafnium" actor and include groups that are leveraging infrastructure previously attributed to cryptocurrency mining campaigns, groups creating or accessing web shells using notepad.exe or notepad++.exe and large amounts of scanning activity without successful exploitation. Talos has also identified organizations that may be involved in post-exploitation activity. The victimology shows that financial services have been disproportionately affected by exploitation, with a few other notable verticals following including health care, education and local/state governments.

Snort SIDs: 57233 – 57246, 57251 – 57253

ClamAV signatures:

  • Win.Trojan.MSExchangeExploit-9838898-0
  • Win.Trojan.MSExchangeExploit-9838899-0
  • Win.Trojan.MSExchangeExploit-9838900-0
  • Asp.Trojan.Webshell0321-9839392-0
  • Asp.Trojan.Webshelljs0321-9839431-0
  • Asp.Trojan.Webshell0321-9839771-0

Most prevalent malware files this week

SHA 256: c1d5a585fce188423d31df3ea806272f3daa5eb989e18e9ecf3d94b97b965f8e

MD5: 9a4b7b0849a274f6f7ac13c7577daad8

Typical Filename: ww31.exe

Claimed Product: N/A

Detection Name: W32.GenericKD:Attribute.24ch.1201

SHA 256: 85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5

MD5: 8c80dd97c37525927c1e549cb59bcbf3

Typical Filename: svchost.exe

Claimed Product: N/A

Detection Name:

SHA 256: 8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9

MD5: 34560233e751b7e95f155b6f61e7419a

Typical Filename: SAntivirusService.exe

Claimed Product: A n t i v i r u s S e r v i c e

Detection Name: PUA.Win.Dropper.Segurazo::tpd

SHA 256: 5901ce0f36a875e03e4d5e13e728a2724b8eff3c61cc24eb810be3df7508997f

MD5: b8a582da0ad22721a8f66db0a7845bed

Typical Filename: flashhelperservice.exe

Claimed Product: Flash Helper Service

Detection Name: W32.Auto:5901ce0f36.in03.Talos

SHA 256: 4647f1a0850a961e341a863194e921c102578a9c4ef898fa5e4b54d9fb65e57b

MD5: f37167c1e62e78b0a222b8cc18c20ba7

Typical Filename: flashhelperservice.exe

Claimed Product: Flash Helper Service

Detection Name: W32.4647F1A085.in12.Talos
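The hashes above are only useful once they are checked against files on disk. The following is an added example, not part of the newsletter or any Talos tool: a small Python scanner that carries this week's published SHA-256 and MD5 values, hashes each file in one streaming pass, and reports a SHA-256 hit as a strong match and an MD5-only hit as a weak one that should be confirmed by its SHA-256 (MD5 is collision-prone, so an MD5 match alone is not proof). The function names and the "strong"/"weak" labels are this example's own choices; the second entry's detection name is left blank exactly as the newsletter lists it.

```python
"""Match local files against the file hashes published in this newsletter.

Added example, not part of the Talos newsletter or any Talos tool.
"""
import hashlib
from pathlib import Path
from typing import Dict, Iterator, Optional

# SHA-256 values exactly as published above, keyed to the listed detection name.
# The second entry has no detection name in the newsletter, so it stays blank.
IOC_SHA256: Dict[str, str] = {
    "c1d5a585fce188423d31df3ea806272f3daa5eb989e18e9ecf3d94b97b965f8e": "W32.GenericKD:Attribute.24ch.1201",
    "85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5": "",
    "8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9": "PUA.Win.Dropper.Segurazo::tpd",
    "5901ce0f36a875e03e4d5e13e728a2724b8eff3c61cc24eb810be3df7508997f": "W32.Auto:5901ce0f36.in03.Talos",
    "4647f1a0850a961e341a863194e921c102578a9c4ef898fa5e4b54d9fb65e57b": "W32.4647F1A085.in12.Talos",
}

# MD5 values exactly as published above, keyed to the listed typical filename.
IOC_MD5: Dict[str, str] = {
    "9a4b7b0849a274f6f7ac13c7577daad8": "ww31.exe",
    "8c80dd97c37525927c1e549cb59bcbf3": "svchost.exe",
    "34560233e751b7e95f155b6f61e7419a": "SAntivirusService.exe",
    "b8a582da0ad22721a8f66db0a7845bed": "flashhelperservice.exe",
    "f37167c1e62e78b0a222b8cc18c20ba7": "flashhelperservice.exe",
}


def hash_file(path: Path, chunk_size: int = 1 << 20) -> Dict[str, str]:
    """Compute SHA-256 and MD5 of a file in a single streaming pass."""
    sha256 = hashlib.sha256()
    md5 = hashlib.md5()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            sha256.update(chunk)
            md5.update(chunk)
    return {"sha256": sha256.hexdigest(), "md5": md5.hexdigest()}


def match_file(
    path: Path,
    sha256_iocs: Dict[str, str] = IOC_SHA256,
    md5_iocs: Dict[str, str] = IOC_MD5,
) -> Optional[Dict[str, str]]:
    """Return a match record if the file's hash is in the IoC lists, else None.

    A SHA-256 hit is labelled "strong". An MD5-only hit is labelled "weak":
    MD5 is collision-prone, so such a hit should be confirmed by its SHA-256.
    """
    digests = hash_file(path)
    if digests["sha256"] in sha256_iocs:
        return {
            "path": str(path),
            "sha256": digests["sha256"],
            "confidence": "strong",
            "detection": sha256_iocs[digests["sha256"]],
        }
    if digests["md5"] in md5_iocs:
        return {
            "path": str(path),
            "md5": digests["md5"],
            "confidence": "weak",
            "typical_filename": md5_iocs[digests["md5"]],
        }
    return None


def scan_tree(
    root: Path,
    sha256_iocs: Dict[str, str] = IOC_SHA256,
    md5_iocs: Dict[str, str] = IOC_MD5,
) -> Iterator[Dict[str, str]]:
    """Walk a directory tree and yield one match record per matching file."""
    for candidate in root.rglob("*"):
        if candidate.is_file():
            hit = match_file(candidate, sha256_iocs, md5_iocs)
            if hit is not None:
                yield hit


if __name__ == "__main__":
    import sys

    start = Path(sys.argv[1]) if len(sys.argv) > 1 else Path(".")
    for record in scan_tree(start):
        print(record)
```

Run it as `python scan.py /path/to/check`; each line printed is one match record. Treat a "weak" record as a lead to verify, not a verdict, and re-run with the next newsletter's hashes as they are published.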

Keep up with all things Talos by following us on Twitter. Snort, ClamAV and Immunet also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast here and Talos Takes here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.