Newsletter compiled by Jon Munshaw.

Of course, we will start things off talking about the Microsoft Exchange Server zero-day vulnerabilities disclosed earlier this week. Microsoft said in a statement that a threat actor is exploiting these vulnerabilities in the wild to steal users’ emails, understandably causing a lot of panic in the security community.

Thankfully, patches are already available for the product, so updated asap. We also have a ton of coverage across Cisco Secure products to keep users protected, including SNORT® rules, additions to Talos’ blocklist and Cisco Secure Endpoint.

Elsewhere in the malware space, we also have a new breakdown of ObliqueRAT, which is a threat we’ve been following for a while. This new campaign utilizes updated macro code to download and deploy its payload. The attackers have also updated the infection chain to deliver ObliqueRAT via adversary-controlled websites.

There are also several other vulnerabilities we disclosed this week that you should know about. Check out our Vulnerability Spotlights for WebKit, Epignosis eFront and Accusoft ImageGear.

Upcoming public engagements with Talos

Title: Cisco Live 2021

Date: March 30 – April 1

Speakers: Nick Biasini, more TBA

Overview: Join us for the annual Cisco Live conference, this year taking place across the globe at the same time virtually for the first time. Cisco Live is your destination for year-round technical education and training. There will be many on-demand sessions to choose from throughout the conference. Nick Biasini of Talos Outreach will provide a broad overview of the past year’s threats and trends we’ve been seeing, with a specific focus on dual-use tools and supply chain attacks. Additional sessions will be announced in the coming weeks.

Cybersecurity week in review

  • The Exchange vulnerabilities caused the U.S. Cybersecurity and Infrastructure Security Agency to issue an emergency advisory, asking all government agencies to address the vulnerabilities immediately. The alert calls on agencies to triage their network activity, system memory, logs, Windows event logs and registry records to find any suspicious behavior.
  • Rumors swirled last week that the SolarWinds security incident may have begun with the leak of a very basic password. However, company officials have clarified that the password incident had nothing to do with the wide-ranging breach.
  • Several government entities are launching their own independent investigationsinto the SolarWinds breach, including the Securities and Exchange Commission, the Department of Justice and several state attorneys general.
  • The FBI is renewing a push against encryption, warning Congress that law enforcement should have access to secure data. FBI Directory Christopher Wray said this is specially important in the wake of the mob on the U.S. Capitol in January and additional calls for violence against lawmakers.
  • An Oxford University biology lab says it was the victim of a security breach, including attackers obtaining access to machines that prepare biochemical samples. The lab is one of the leading centers in the world for COVID-19 vaccines and treatments.
  • The fast-growing social media app Clubhouse could have several underlying security concerns. Some security researchers say some unauthorized adversaries could record rooms’ voice chats, and other vulnerabilities may expose users’ personal information.
  • The rate of ransomware attacks against school systems and hospitals are down in the first part of 2021. This comes after a historic rate of campaigns against these highly vulnerable targets during the COVID-19 pandemic last year.
  • Right-leaning chat app Gab was the victim of a data breach, with more than 15,000 accounts having some of their chat history posted online. The founder of the service says that one of the accounts affected belongs to former U.S. President Donald Trump.
  • Google announced this week it’s done selling ads based on a user’s individual browsing data. Instead, the company will track consumers in large anonymized groups and serve ads based on that information.

Notable recent security issues

Title: Long-running trojan spotted in the wild using another campaign to target users in South Asia

Description: Cisco Talos recently discovered another new campaign distributing the malicious remote access trojan (RAT) ObliqueRAT. In the past, Talos connected ObliqueRAT and another campaign from December 2019 distributing CrimsonRAT. These two malware families share similar maldocs and macros. This new campaign, however, utilizes completely different macro code to download and deploy the ObliqueRAT payload. The attackers have also updated the infection chain to deliver ObliqueRAT via adversary-controlled websites. This new campaign is a typical example of how adversaries react to attack disclosures and evolve their infection chains to evade detections. Modifications in the ObliqueRAT payloads also highlight the usage of obfuscation techniques that can be used to evade traditional signature-based detection mechanisms.

Snort SIDs: 57168 - 57175

ClamAV signature: Doc.Downloader.ObliqueRAT-9835361-0

Title: Cisco discloses three critical vulnerabilities

Description: Cisco patched three critical vulnerabilities for some of the company’s high-end software systems last week — two that effect the Application Services Engine and one that exists in the NX-OS operating system. The most severe of the vulnerabilities is rated a 10 out of 10 on the CVSS scale. Cisco’s advisory states an attacker could exploit this vulnerability to bypass authentication on a targeted device by receiving a token with administrator-level privileges. They could then authenticate to the targeted devices’ API.

Snort SIDs: 57222, 57223

Most prevalent malware files this week

SHA 256: c1d5a585fce188423d31df3ea806272f3daa5eb989e18e9ecf3d94b97b965f8e

MD5: 9a4b7b0849a274f6f7ac13c7577daad8

Typical Filename: ww31.exe

Claimed Product: N/A

Detection Name: W32.GenericKD:Attribute.24ch.1201

SHA 256: 85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5

MD5: 8c80dd97c37525927c1e549cb59bcbf3

Typical Filename: svchost.exe

Claimed Product: N/A

Detection Name:

SHA 256: e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd

MD5: 8193b63313019b614d5be721c538486b

Typical Filename: SAntivirusService.exe

Claimed Product: SAService

Detection Name:

SHA 256: 4647f1a0850a961e341a863194e921c102578a9c4ef898fa5e4b54d9fb65e57b

MD5: f37167c1e62e78b0a222b8cc18c20ba7

Typical Filename: flashhelperservice.exe

Claimed Product: Flash Helper Service

Detection Name: W32.4647F1A085.in12.Talos

SHA 256: 8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9

MD5: 34560233e751b7e95f155b6f61e7419a

Typical Filename: SAntivirusService.exe

Claimed Product: A n t i v i r u s S e r v i c e

Detection Name: PUA.Win.Dropper.Segurazo::tpd

Keep up with all things Talos by following us on Twitter. Snort, ClamAV and Immunet also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.