Newsletter compiled by Jon Munshaw.
Of course, we will start things off talking about the Microsoft Exchange Server zero-day vulnerabilities disclosed earlier this week. Microsoft said in a statement that a threat actor is exploiting these vulnerabilities in the wild to steal users’ emails, understandably causing a lot of panic in the security community.
Thankfully, patches are already available for the product, so update as soon as possible. We also have a ton of coverage across Cisco Secure products to keep users protected, including SNORT® rules, additions to Talos’ blocklist and Cisco Secure Endpoint.
Elsewhere in the malware space, we also have a new breakdown of ObliqueRAT, which is a threat we’ve been following for a while. This new campaign utilizes updated macro code to download and deploy its payload. The attackers have also updated the infection chain to deliver ObliqueRAT via adversary-controlled websites.
Upcoming public engagements with Talos
Title: Cisco Live 2021
Date: March 30 – April 1
Speakers: Nick Biasini, more TBA
Overview: Join us for the annual Cisco Live conference, held virtually for the first time this year, with attendees across the globe taking part at the same time. Cisco Live is your destination for year-round technical education and training. There will be many on-demand sessions to choose from throughout the conference. Nick Biasini of Talos Outreach will provide a broad overview of the past year’s threats and trends we’ve been seeing, with a specific focus on dual-use tools and supply chain attacks. Additional sessions will be announced in the coming weeks.
Cybersecurity week in review
- The Exchange vulnerabilities caused the U.S. Cybersecurity and Infrastructure Security Agency to issue an emergency advisory, asking all government agencies to address the vulnerabilities immediately. The alert calls on agencies to triage their network activity, system memory, logs, Windows event logs and registry records to find any suspicious behavior.
- Rumors swirled last week that the SolarWinds security incident may have begun with the leak of a very basic password. However, company officials have clarified that the password incident had nothing to do with the wide-ranging breach.
- Several government entities are launching their own independent investigations into the SolarWinds breach, including the Securities and Exchange Commission, the Department of Justice and several state attorneys general.
- The FBI is renewing a push against encryption, warning Congress that law enforcement should have access to secure data. FBI Director Christopher Wray said this is especially important in the wake of the mob attack on the U.S. Capitol in January and additional calls for violence against lawmakers.
- An Oxford University biology lab says it was the victim of a security breach, including attackers obtaining access to machines that prepare biochemical samples. The lab is one of the leading centers in the world for COVID-19 vaccines and treatments.
- The fast-growing social media app Clubhouse could have several underlying security concerns. Some security researchers say some unauthorized adversaries could record rooms’ voice chats, and other vulnerabilities may expose users’ personal information.
- The rate of ransomware attacks against school systems and hospitals is down in the first part of 2021. This comes after a historic rate of campaigns against these highly vulnerable targets during the COVID-19 pandemic last year.
- Right-leaning chat app Gab was the victim of a data breach, with more than 15,000 accounts having some of their chat history posted online. The founder of the service says that one of the accounts affected belongs to former U.S. President Donald Trump.
- Google announced this week it’s done selling ads based on a user’s individual browsing data. Instead, the company will track consumers in large anonymized groups and serve ads based on that information.
Notable recent security issues
Description: Cisco Talos recently discovered another new campaign distributing the malicious remote access trojan (RAT) ObliqueRAT. In the past, Talos connected ObliqueRAT and another campaign from December 2019 distributing CrimsonRAT. These two malware families share similar maldocs and macros. This new campaign, however, utilizes completely different macro code to download and deploy the ObliqueRAT payload. The attackers have also updated the infection chain to deliver ObliqueRAT via adversary-controlled websites. This new campaign is a typical example of how adversaries react to attack disclosures and evolve their infection chains to evade detections. Modifications in the ObliqueRAT payloads also highlight the usage of obfuscation techniques that can be used to evade traditional signature-based detection mechanisms.
Snort SIDs: 57168 - 57175
ClamAV signature: Doc.Downloader.ObliqueRAT-9835361-0
Description: Cisco patched three critical vulnerabilities for some of the company’s high-end software systems last week — two that affect the Application Services Engine and one that exists in the NX-OS operating system. The most severe of the vulnerabilities is rated a 10 out of 10 on the CVSS scale. Cisco’s advisory states an attacker could exploit this vulnerability to bypass authentication on a targeted device by receiving a token with administrator-level privileges. They could then authenticate to the targeted device’s API.
Snort SIDs: 57222, 57223
Most prevalent malware files this week
Typical Filename: ww31.exe
Claimed Product: N/A
Detection Name: W32.GenericKD:Attribute.24ch.1201
Typical Filename: svchost.exe
Claimed Product: N/A
Detection Name: Win.Exploit.Shadowbrokers::5A5226262.auto.talos
Typical Filename: SAntivirusService.exe
Claimed Product: SAService
Detection Name: PUA.Win.Dropper.Segurazo::95.sbx.tg
Typical Filename: flashhelperservice.exe
Claimed Product: Flash Helper Service
Detection Name: W32.4647F1A085.in12.Talos
Typical Filename: SAntivirusService.exe
Claimed Product: A n t i v i r u s S e r v i c e
Detection Name: PUA.Win.Dropper.Segurazo::tpd
Keep up with all things Talos by following us on Twitter. Snort, ClamAV and Immunet also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.