Welcome to this week’s edition of the Threat Source newsletter.
Tuesday was an absolute hammer for the infosec community. Not only did we have the US elections, but we had Emotet returning and a regular Microsoft Patch Tuesday release. That release always leads me to think about the bug hunting ecosystem and the importance and value of vulnerability research. I admit that the phrase "bug hunting ecosystem" does lead you to think of the magical days in school: a TV rolled into the classroom on the big AV cart to show a documentary, the salad days. We were masters of our domain. Enough old-guy rambling; vulnerability research is absolutely vital to the security of the internet. Researchers dig into software and operating systems to find vulnerabilities before malicious threat actors do. A discovered and responsibly disclosed vulnerability can nullify possibly disastrous public exploitation before the attackers ever get their campaigns off the ground, and often before the threat actors have found the vulnerability at all. Ensuring that the vendor can create patches or remediation before attackers can leverage the vulnerability in the wild is a massive win for defenders, but it's often not discussed widely. So this is me saying "thank you so much" to those researchers who are undertaking the arduous process of identifying vulnerabilities and coordinating disclosure with the vendors.
The one big thing
Emotet is back. Did it ever truly go away? Emotet has been disrupted by law enforcement only to return over and over again. Tracking Emotet as it evolved from a banking trojan into a modular botnet has been interesting. To me it's not unlike the Whac-A-Mole adventure that was Talos v. Angler, as the operators developed and implemented new techniques not only to exploit end users but to avoid detection.
Why do I care?
Emotet has been very successful for a very long time, and it's likely that if you are reading this you are already aware of Emotet and may have had to deal with it firsthand. History shows us that its operators aren't going away, so being aware of the active research from Talos is vital in attempting to stay secure.
So now what?
Same as it ever was. Ensure that end users are educated as much as possible, but understand that they will click the link. Verify that all security devices are up to date with the latest coverage releases, and follow the Talos blog, where you will always find IOCs in clear text or appended via the Talos GitHub. Make sure you have implemented a strong patch management program that keeps systems up to date, and perform general system hardening that includes removing services or protocols that are unnecessary.
Top security headlines from the week
More than two dozen Lenovo notebook models are vulnerable to exploitation that disables the UEFI Secure Boot process. Once exploited, unsigned UEFI apps or bootloaders can be loaded that permanently backdoor the device. Researchers from ESET disclosed the vulnerabilities as Lenovo released security updates for 25 vulnerable models. Vulnerabilities that undermine UEFI Secure Boot make it possible for attackers to install malicious firmware that survives multiple operating system re-installations and avoids detection. (Ars Technica)
Zimperium zLabs recently identified a malicious extension that lets attackers control Google Chrome remotely. Cloud9, a malicious browser extension, is not only capable of stealing information from a browser session, it can also install malware on a user's device and subsequently assume control of the entire device, effectively acting as a remote access trojan (RAT) for Chromium-based web browsers (Google Chrome and Microsoft Edge, for example). The extension was not available on the official Chrome Web Store but was instead delivered via websites pushing fake Adobe Flash Player updates. (BleepingComputer)
Can’t get enough Talos?
- Emotet coming in hot
- Threat Spotlight: Cyber Criminal Adoption of IPFS for Phishing, Malware Campaigns
- Microsoft Patch Tuesday for November 2022 — Snort rules and prominent vulnerabilities
- The Company You Keep – Preparing for supply chain attacks with Talos IR
Upcoming events where you can find Talos
BSides Lisbon (Nov. 10 - 11)
Cidade Universitária, Lisboa, Portugal
SIS (Security Intelligence Summit) 2022.ON (Nov. 29)
Josun Palace, Seoul
CactusCon (Jan 27-28)
Most prevalent malware files from Talos telemetry over the past week
Typical Filename: VID001.exe
Detection Name: Simple_Custom_Detection

Typical Filename: Iris QuickLinks.exe
Detection Name: W32.DFC.MalParent

SHA 256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91
Typical Filename: IMG001.exe
Detection Name: Simple_Custom_Detection

Typical Filename: Wextract
Claimed Product: Internet Explorer
Detection Name: PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg