Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers.

We’re back after a few-week hiatus! To celebrate, we just dropped new research on the CRAT trojan, which is bringing some ransomware friends along with it. The blog post has all the details of this threat, along with what you can do to stay protected.

We also had Microsoft Patch Tuesday this week. The company disclosed just over 110 vulnerabilities this month that all users should patch now. Our blog post has a rundown of the most prominent bugs, and you can check out the Snort rule update for defenses against the exploitation of these vulnerabilities.

And if you missed it last week, we recently put out an advisory alerting health care organizations to a recent spike in ransomware. If you have a customer that has been impacted by an attack, ransomware or otherwise, the first course of action is to engage Cisco Talos Incident Response Services (CTIR). Please head to this page and follow the instructions for contacting IR at the top right of the page.


Event: To obfuscate, or not to obfuscate: PoetRAT origins and evolution

Location: Cisco WebEx webinar

Date: Nov. 19

Speakers: Warren Mercer

Synopsis: In today's threat landscape, remote access trojans, or RATs, are being deployed at an alarming rate across both the crimeware and espionage landscapes. PoetRAT is one of the newer players in that space, first discovered by Cisco Talos earlier this year. This targeted, Python-based RAT is being actively deployed and developed: since its discovery we have seen multiple campaigns and continued evolution, including the addition of obfuscation as a sign of maturity and a continued focus on Azerbaijan. In this webinar, the researchers who found the threat discuss its Shakespearean origins, their key findings so far, how the threat is continuing to evolve, and the details of the campaigns we have been able to identify along the way.

Cyber Security Week in Review

  • Although there are many things to come out of what turned into Election Week in the U.S. last week, the good news is there were no major cyber attacks. So far, there’s been no evidence of threat actors successfully breaching American election operations last Tuesday.
  • With President-elect Joe Biden set to take office in January, there’s already talk about what his election could mean for security. Biden’s administration is expected to be tougher on state-sponsored actors and look to bolster election security.
  • Another change under the Biden administration could be the reinstatement of the so-called “cyber czar” position in the White House. This role was originally created by the Obama administration, where Biden served as vice president.
  • While the public and private sector teamed up to limit disinformation in the lead-up to the election, it seems posts written in Spanish largely went unnoticed. Many Spanish-speaking users were subjected to fake news and disinformation in the days leading up to the election, reporters found.
  • The developer behind the popular video game “Genshin Impact” mistakenly exposed players’ phone numbers on its site for weeks. MiHoYo’s website contained a bug in its “forgot password” feature that could allow anyone to brute-force their way to a user’s phone number.
  • Researchers recently uncovered a new wave of DNS cache poisoning attacks. The years-old tactic redirects users to malicious websites when they believe they are headed to a legitimate page.
  • Some ransomware actors are using fake Facebook accounts to pressure their victims into paying extortion demands. The ads push back on claims from private-sector victims regarding potentially stolen data.
  • Apple’s latest iOS update includes fixes for 24 security vulnerabilities. According to researchers, three of the bugs were being exploited in the wild at the time of the patch.
  • Taiwan’s efforts to combat disinformation may provide a blueprint to the Western world’s next steps in the fight against fake news. The country has taken an active stance against disinformation and misinformation online using a combination of government resources and help from the public.

Notable recent security issues

Title: Microsoft Patch Tuesday

Description: Microsoft released its monthly security update Tuesday, disclosing just over 110 vulnerabilities across its products. This is a slight jump from last month, when Microsoft disclosed one of its lowest vulnerability totals in months. Eighteen of the vulnerabilities are considered “critical,” while the vast remainder are ranked as “important,” with two considered of “low” importance. Users of all Microsoft and Windows products are urged to update their software as soon as possible to avoid possible exploitation of these bugs. The security updates cover several different products and services, including the HEVC video file extension, the Azure Sphere platform and Microsoft Exchange servers.

Snort SIDs: 56161 - 56264, 56230, 56231, 56254, 56255, 56286 - 56289, 56295, 56296, 56309, 56301 - 56305, 56310 and 56312

Title: Adobe issues security updates for Acrobat Reader

Description: Adobe recently disclosed multiple vulnerabilities in its Acrobat PDF Reader, covering both desktop and Android versions. Among them are a heap buffer overflow and a use-after-free vulnerability that Cisco Talos researchers discovered. Acrobat Reader integrates into web browsers as a plugin for rendering PDFs, so tricking a user into visiting a malicious web page or opening a specially crafted email attachment can be enough to trigger these vulnerabilities. There is also a bug considered “important” in all Android versions of Acrobat that could allow an adversary to disclose sensitive information on an affected device.

Snort SIDs: 53563, 53564, 55842, 55843

Most prevalent malware files this week

SHA 256: F059A5358C24CC362C2F74B362C75E02035FDF82F9FFAE8D553AFEE1A271AFD0

MD5: ce4395edbbf9869a5e276781af2e0fb5

Typical Filename: wupxarch635.exe

Claimed Product: N/A

Detection Name: W32.Auto:f059a5358c.in03.Talos

SHA 256: 432FC2E3580E818FD315583527AE43A729586AF5EE37F99F04B562D1EFF2A1FD

MD5: dd726d5e223ca762dc2772f40cb921d3

Typical Filename: ww24.exe

Claimed Product: N/A

Detection Name: W32.TR:Attribute.23ln.1201

SHA 256: 85B936960FBE5100C170B777E1647CE9F0F01E3AB9742DFC23F37CB0825B30B5

MD5: 8c80dd97c37525927c1e549cb59bcbf3

Typical Filename: Eternalblue-2.2.0.exe

Claimed Product: N/A

Detection Name:

SHA 256: 97511b671c29a6c04c9c80658428b4ce55010d9dfe6ee5d813595d37fbe5500a

MD5: 0cd267df5b55552a6589f4e67164fd3d

Typical Filename: FlashHelperService.exe

Claimed Product: Flash Helper Service

Detection Name: Auto.97511B.232354.in02

SHA 256: C3E530CC005583B47322B6649DDC0DAB1B64BCF22B124A492606763C52FB048F

MD5: e2ea315d9a83e7577053f52c974f6a5a

Typical Filename: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f.bin

Claimed Product: N/A

Detection Name: Win.Dropper.Agentwdcr::1201
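As an added example (this is not code from the Talos newsletter or any Talos tool), the script below turns the indicator list above into a hash-based triage check: it streams every file under a directory through SHA-256 and MD5 in a single pass and reports matches, preferring SHA-256 and consulting MD5 only as a fallback. The hash values and filenames are copied from the list; the sample file written by self_check() is constructed text, not malware.

```python
"""Added example: hash-based IOC triage against the "Most prevalent malware
files this week" list. Not Talos tooling; only the hash values and filenames
are taken from the newsletter, everything else is illustrative."""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List, NamedTuple, Tuple

# Indicators copied from the newsletter list (Typical Filename used as the label).
# SHA-256 values are normalised to lowercase because hashlib emits lowercase hex.
SHA256_IOCS: Dict[str, str] = {h.lower(): name for h, name in [
    ("F059A5358C24CC362C2F74B362C75E02035FDF82F9FFAE8D553AFEE1A271AFD0", "wupxarch635.exe"),
    ("432FC2E3580E818FD315583527AE43A729586AF5EE37F99F04B562D1EFF2A1FD", "ww24.exe"),
    ("85B936960FBE5100C170B777E1647CE9F0F01E3AB9742DFC23F37CB0825B30B5", "Eternalblue-2.2.0.exe"),
    ("97511b671c29a6c04c9c80658428b4ce55010d9dfe6ee5d813595d37fbe5500a", "FlashHelperService.exe"),
    ("C3E530CC005583B47322B6649DDC0DAB1B64BCF22B124A492606763C52FB048F",
     "c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f.bin"),
]}
MD5_IOCS: Dict[str, str] = {h.lower(): name for h, name in [
    ("ce4395edbbf9869a5e276781af2e0fb5", "wupxarch635.exe"),
    ("dd726d5e223ca762dc2772f40cb921d3", "ww24.exe"),
    ("8c80dd97c37525927c1e549cb59bcbf3", "Eternalblue-2.2.0.exe"),
    ("0cd267df5b55552a6589f4e67164fd3d", "FlashHelperService.exe"),
    ("e2ea315d9a83e7577053f52c974f6a5a",
     "c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f.bin"),
]}


class Hit(NamedTuple):
    path: str
    algorithm: str   # which indicator matched: "sha256" or "md5"
    label: str       # Typical Filename from the newsletter list


def hash_bytes(data: bytes) -> Tuple[str, str]:
    """Return (sha256_hex, md5_hex) of an in-memory buffer."""
    return hashlib.sha256(data).hexdigest(), hashlib.md5(data).hexdigest()


def hash_file(path: Path, chunk_size: int = 1 << 20) -> Tuple[str, str]:
    """Stream a file through SHA-256 and MD5 in one pass, without reading it whole."""
    sha256, md5 = hashlib.sha256(), hashlib.md5()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            sha256.update(block)
            md5.update(block)
    return sha256.hexdigest(), md5.hexdigest()


def scan_tree(root: str, sha256_iocs: Dict[str, str] = SHA256_IOCS,
              md5_iocs: Dict[str, str] = MD5_IOCS) -> List[Hit]:
    """Walk root recursively and report files whose digest matches an indicator.

    SHA-256 is checked first; MD5 is only a fallback, because MD5 collisions are
    practical and an MD5-only hit deserves confirmation before anyone acts on it."""
    hits: List[Hit] = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue   # skip links so the scan cannot be steered outside root
        try:
            sha256, md5 = hash_file(path)
        except OSError:
            continue   # unreadable, or removed between listing and hashing
        if sha256 in sha256_iocs:
            hits.append(Hit(str(path), "sha256", sha256_iocs[sha256]))
        elif md5 in md5_iocs:
            hits.append(Hit(str(path), "md5", md5_iocs[md5]))
    return hits


def self_check() -> Tuple[List[Hit], List[Hit]]:
    """Constructed demo: the sample file is harmless text, not malware.

    Scans a temp directory once against the real indicator list (no hit
    expected) and once against a list seeded with the sample's own SHA-256
    (exactly one hit expected)."""
    with tempfile.TemporaryDirectory() as tmp:
        sample = Path(tmp) / "sample.bin"
        sample.write_bytes(b"constructed sample for the IOC scanner demo\n")
        real_hits = scan_tree(tmp)
        seeded = {hash_file(sample)[0]: "constructed-sample"}
        seeded_hits = scan_tree(tmp, sha256_iocs=seeded, md5_iocs={})
    return real_hits, seeded_hits


if __name__ == "__main__":
    import sys
    for hit in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{hit.path}: matches {hit.label} ({hit.algorithm})")
```

Run it as `python ioc_scan.py /path/to/dir`. Two caveats a responder would want: these hashes identify the specific samples listed, so a miss says nothing about repacked or polymorphic variants of the same families, and an MD5-only hit should be confirmed against the SHA-256 value before it drives containment.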

Keep up with all things Talos by following us on Twitter. Snort, ClamAV and Immunet also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.