Newsletter compiled by Jon Munshaw.
Good afternoon, Talos readers.
We're used to referring to attackers as either APTs or not APTs. And when something is an APT, it sounds a lot scarier and sexier. But it's our belief that that isn't going to cut it anymore.
Therefore, we propose in a new blog post that there be a new group of threat actors known as "privateers." These groups benefit from a nation-state but can't be directly connected to a government. Find out more about these groups here.
You also don't want to miss this Vulnerability Spotlight post on the Trend Micro Home Network Security Station. These vulnerabilities, which have been patched, could allow an attacker to manipulate this device which manages devices connected to a home network.
Upcoming public engagements with Talos
Title: Sowing Discord livestream
Date: June 2 at 11 a.m. ET
Overview: Join Cisco Talos for a livestream presentation to discuss malware campaigns targeting collaboration apps like Discord and Slack. Following up on Talos' blog post from earlier this year, the presentation will dive into campaigns we've spotted in the wild and discuss how users can stay safe while using these apps. You can watch along with us, and participate in a live Q&A, live on LinkedIn and the Talos YouTube channel.
Cybersecurity week in review
- The latest macOS update provided a fix for a recently discovered malware that could take screenshots on victim machines. Attackers developed the malware to bypass certain permissions in a way that could allow them to access the target's microphone, webcam or keystrokes.
- Apple also released an important update for iOS that fixes several security vulnerabilities. Some of the fixes affect Apple devices dating back to the iPhone 6.
- Ireland's health care system is still recovering from a recent ransomware attack. But they were handed some unexpected help from the attackers, who reportedly provided them with a key to decrypt their files despite not paying the requested ransom.
- Several Japanese government agencies are the victims of a recent cyber attack and some information may have been leaked. The attack stems from an attack against a widely used information-sharing software.
- Researchers at the National Cybersecurity Agency of France discovered a new way to impersonate devices during the Bluetooth pairing process. The recently discovered vulnerabilities build on an attack method discovered last year that exists in core Bluetooth specifications.
- Millions of Air India users had their information leaked in a data breach earlier this year. Details compromised included passport and ticket information, and some credit card information.
- Security experts are still dissecting U.S. President Joe Biden's recent Executive Order on cybersecurity, aimed at improving America's infrastructure security. The order places a greater focus on zero trust and the potential implications this has for federal agencies and their contractors.
- The U.S. Department of Homeland Security is preparing new directives for the oil pipeline industry. There will likely be new rules in place that will require pipelines to disclose security breaches in a timely manner and designate a 24-7 cybersecurity contact with a direct line to the DHS and CISA.
Notable recent security issues
Title: Researchers find POC for wormable vulnerability in Microsoft Windows HTTP protocol stack
Description: A recently discovered wormable vulnerability in the Windows HTTP protocol stack could also be used to target unpatched Windows 10 and Server systems publicly exposing the Windows Remote Management service. A security researcher released POC code for the vulnerability, patched in this month’s Microsoft security update, last week. The vulnerability only affects WinRM if a user manually enables it on their Windows 10 systems, though enterprise Windows Server endpoints have it toggled on by default. This potentially increases the attack surface for any adversaries that uses the vulnerability to spread a ransomware attack, as they could move quickly across the targeted environment. Microsoft has urged users to update their affected products as soon as possible.
Snort SIDs: 57605
Title: Heap-based buffer overflow in Google Chrome could lead to code execution
Description: Cisco Talos recently discovered an exploitable heap-based buffer overflow vulnerability in Google Chrome. CVE-2021-21160 is a buffer overflow vulnerability in Chrome’s AudioDelay function that could allow an adversary to execute remote code. An attacker could exploit this vulnerability by tricking a user into visiting a specially crafted HTML page in Chrome. Proper heap grooming can give the attacker full control of this heap overflow vulnerability, and as a result, could allow it to be turned into arbitrary code execution.
Snort SIDs: 57057, 57058
Most prevalent malware files this week
SHA 256: 7263ec6afa49dcb11ab9e3ee7e453e26b9ba91c3f8a440bcab3b92048175eb33
Typical Filename: 29C8BA0D89A9265C270985B02572E693.mlw
Claimed Product: N/A
Detection Name: W32.7263EC6AFA.smokeloader.in11.Talos
SHA 256: c1d5a585fce188423d31df3ea806272f3daa5eb989e18e9ecf3d94b97b965f8e
Typical Filename: ww31.exe
Claimed Product: N/A
Detection Name: W32.GenericKD:Attribute.24ch.1201
SHA 256: e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd
Typical Filename: SAService.exe
Claimed Product: SAService
Detection Name: PUA.Win.Dropper.Segurazo::95.sbx.tg
SHA 256: d88b26b3699c3b02f8be712552185533d77d7866f1a9a723c1fbc40cdfc2287d
Typical Filename: smbscanlocal1805.exe
Claimed Product: N/A
Detection Name: Auto.D88B26B369.241855.in07.Talos
SHA 256: 8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9
Typical Filename: SAntivirusService.exe
Claimed Product: A n t i v i r u s S e r v i c e
Detection Name: PUA.Win.Dropper.Segurazo::tpd
Keep up with all things Talos by following us on Twitter. Snort, ClamAV and Immunet also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast here and Talos Takes here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.