Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers.

In case you hadn’t already realized, Snort somehow became a meme this week, so that was fun.

As 2020 (finally...or already...I can’t decide which) comes to an end, we’re going to start looking back at the year that was in malware. And although Emotet has been around since long before this year, 2020 was particularly peculiar for the botnet because it went virtually dormant over the summer before coming back over the past few months. After we obtained ownership of several C2 domains that are part of Emotet, we looked at this threat’s trends and recent changes.

We also released a new decryptor tool for the Nibiru ransomware. Any victims can use this to safely recover any files locked up as part of an infection.

Cyber security week in review

  • U.S. President Donald Trump fired the top U.S. cyber security official, Chris Krebs, this week. Trump became critical of Krebs after Krebs refuted claims of widespread voter fraud during this month’s presidential election.
  • Schools around the world are already struggling to stay open for hybrid learning given the ongoing pandemic. But now more of them are also having to fend off cyber attacks that disrupt online learning.
  • State-sponsored threat actors continue to target COVID-19 vaccine research. Microsoft researchers say they’ve recently seen attacks going after vaccine producers in Canada, France, India, South Korea and the U.S.
  • As more local, state and national governments roll out their own COVID-19 contact-tracing apps, researchers are finding large variations in what data is kept and shared among them. Many of the apps do not follow the privacy guidelines for exposure notification systems that Apple and Google outlined at the start of the pandemic.
  • President Trump used video from the DEFCON hacking village at the popular security conference to try to support his claims of voter fraud. The video showed security researchers demonstrating a vulnerability in one specific voting machine, but there is no evidence that this type of attack was actually used during the election.
  • The National Security Agency released the newest version of its Ghidra reverse-engineering tool.
  • Some apps on macOS are now bypassing detection from some VPNs and firewalls with the Big Sur update. The apps appear to be avoiding Apple’s own NEFilterDataProvider.
  • A new list of 2020’s most popular passwords contains the same classic mistakes users always make. Easy-to-guess passwords like “123456” and “password” are still popping up everywhere.
  • Microsoft is working with major chip makers to create a new product that would protect against attacks like the Meltdown and Spectre exploits. The new chip would stop adversaries from stealing critical data from computers and now has the buy-in of Qualcomm, AMD and Intel.

Notable recent security issues

Title: Cisco Security Manager contains vulnerabilities that could allow attackers to execute remote code

Description: Cisco disclosed three significant vulnerabilities in its Security Manager software that the company urged users to patch immediately. An attacker could leverage these vulnerabilities to execute arbitrary code and download files on the victim’s targeted device, even without credentials. One of the bugs is considered critical while the others are high-severity. These vulnerabilities affect Cisco Security Manager releases 4.22 and earlier.

Snort SIDs: 56408 - 56423

Title: Vulnerabilities in Pixar OpenUSD affect some versions of macOS

Description: Pixar OpenUSD contains multiple vulnerabilities that attackers could exploit to carry out a variety of malicious actions. Pixar uses this software for several types of animation tasks, including swapping arbitrary 3-D scenes that are composed of many different elements. Aimed at professional animation studios, the software is designed for scalability and speed as a pipeline connecting various aspects of the digital animation process. It is expected to process trusted inputs in most use cases. By default, on macOS, both a thumbnail and a preview handler are registered for USD file formats through QuickLook, and the default application to open USD files is the Preview application. On iOS, the AR application is the default handler. A USD file can be embedded in a web page or sent in a message, and an AR application is opened when the file is clicked, which therefore leaves some macOS systems exposed to these bugs.

Snort SIDs: 54415, 54416, 54467 - 54472, 54488 - 54493, 54922, 54923

Most prevalent malware files this week


Keep up with all things Talos by following us on Twitter. Snort, ClamAV and Immunet also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.