Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers.

In the latest entry in our election security series, we turn our attention to the professionals responsible for securing our elections. After months of research, we’ve compiled a series of recommendations for local, state and national officials to combat disinformation and preserve Americans’ faith in the election system.

Patch Tuesday was also this week, which, as usual, brought a big Snort rule release and our breakdown of the important Microsoft vulnerabilities you need to know about.


Event: Bug hunting in cloud-connected ICS devices: Getting root from the cloud

Location: CS3STHLM Virtual

Date: Oct. 22

Speakers: Kelly Leaschner

Synopsis: As more devices become cloud-connected, it is important to understand how this attack surface differs from that of traditional, socket-based server applications. A cloud-connected application has no open port listening, so additional work is required just to get the application to accept attacker-controlled data. This talk will walk through the initial steps necessary to begin vulnerability research on such an application. Cloud-based control of physical devices has some security benefits compared to traditional socket programming, but, at the end of the day, the software responsible for handling cloud messages can still contain bugs and vulnerabilities. This talk will describe the changes in research methodology needed to perform vulnerability research on a cloud-connected application. Kelly will also walk through some vulnerabilities she’s discovered — live — by impersonating the industrial vendor’s cloud application, resulting in root privileges on the device.

Event: A double-edged sword: The threat of dual-use tools
Location: SecureWV virtual
Date: Nov. 7
Speakers: Edmund Brumaghin
Synopsis: It's difficult to read any information security news lately without hearing about large corporations being extorted by cyber criminals. In today's threat landscape, enterprises increasingly rely on red teams to identify risks and mitigate vulnerabilities in their infrastructure, so much so that an entire industry exists around tools to help facilitate this as effectively and efficiently as possible.

Dual-use tools are developed to assist administrators in managing their systems or assist during security testing or red-teaming activities. Unfortunately, many of these same tools are often co-opted by threat actors attempting to compromise systems, attack organizational networks, or otherwise adversely affect companies around the world. This webinar will discuss the topic of dual-use tools and how they have historically been used in various attacks. It will also provide case studies that walk through how native system functionality and dual-use tools are often used in real-world attacks to evade detection at various stages of the attack lifecycle. Finally, we will discuss ways that organizations can defend against malicious abuse of otherwise legitimate technologies and toolsets.

Cyber Security Week in Review

  • Trickbot appeared to survive a takedown attempt by U.S. Cyber Command and private security companies, although its capabilities are currently limited. The campaign nonetheless shows how America’s offensive cyber capabilities have grown.
  • Some Robinhood users say their accounts have been hacked and then drained, leading to thousands of dollars of investments disappearing. The app says these events do not have anything to do with a breach of their systems.
  • The U.S. Cybersecurity and Infrastructure Security Agency warned that several APTs are chaining a Windows Netlogon vulnerability with other flaws to target state and local government networks. The advisory states attackers are also using critical vulnerabilities in F5 BIG-IP and Citrix NetScaler to gain an initial foothold.
  • Norway’s parliament officially charged Russian state-sponsored actors with a cyber attack on their network earlier this year. The breach resulted in several politicians having their email addresses compromised.
  • Video chat and meeting service Zoom is rolling out end-to-end encrypted calls to users starting next week. Users will be able to generate encryption keys that are never seen by Zoom’s servers.
  • Several scams have popped up online around the newly announced iPhone 12. Attackers are creating fake sites that claim to offer preorders for the device but actually steal users’ Apple ID login information.
  • Amazon Prime Day also presented a new attack vector for scammers. Adversaries sent out malicious emails and links claiming to be related to the two-day megasale on Amazon this week that regularly draws in American consumers.
  • Book retailer Barnes & Noble alerted customers that it suffered a data breach on Oct. 10. This may have exposed customers’ phone numbers, email addresses and postal addresses.
  • Pennsylvania has become a battleground state for election security, mail-in voting and ballot counting. The state is a key swing state in the upcoming presidential election, and the challenges many local officials face there are emblematic of what the U.S. faces as a whole.

Notable recent security issues

Title: Microsoft Patch Tuesday for Oct. 2020

Description: Microsoft released its monthly security update Tuesday, disclosing just under 100 vulnerabilities across its array of products. Fourteen of the vulnerabilities are rated “critical,” while the vast majority of the rest are rated “important.” Users of all Microsoft and Windows products are urged to update their software as soon as possible to avoid possible exploitation of these bugs. The security updates cover several different products, including the SharePoint document management system, Azure Sphere and the Windows camera codec, which allows users to view a variety of media files on their machines.

Snort SIDs: 53689 - 53691

Title: Lemon Duck brings cryptocurrency miners back into the spotlight

Description: Cisco Talos recently discovered a complex campaign employing a multi-modular botnet with multiple ways to spread. This threat, known as "Lemon Duck," carries a cryptocurrency mining payload that steals computer resources to mine the Monero virtual currency. The actor employs various methods to spread across the network: sending infected RTF files by email, PsExec, WMI and SMB exploits, including the infamous EternalBlue and SMBGhost exploits (the latter affecting Windows 10 machines). Some variants also support RDP brute-forcing, although this functionality was omitted in the recent attacks we observed. The adversary also uses tools such as Mimikatz, which help the botnet increase the number of systems participating in its mining pool.

Snort SIDs: 55926 - 55928
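The spreading methods listed above (PsExec, WMI and RDP brute-forcing) each leave a recognizable trace in Windows host telemetry. The following is an added example, not Talos code and not a detection shipped with Snort or ClamAV, that runs simple detection logic over constructed sample log lines. The log format (timestamp, host, event ID, key=value fields), the host names, IP addresses and thresholds are all assumptions for illustration; the event IDs follow the usual Windows conventions (7045 service install, Sysmon 1 process creation, 4625 failed logon).

```python
"""Host-side detection of three Lemon Duck lateral-movement techniques:
PsExec service installs, shells spawned by WMI, and RDP brute-forcing.
Added example with a constructed log format; not Talos telemetry."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry: "<timestamp> <host> <event_id> key=value ...".
# Event IDs assumed: 7045 = service installed, 1 = Sysmon process creation,
# 4625 = failed logon (LogonType 10 = RemoteInteractive, i.e. RDP).
SAMPLE_LOG = """\
2020-10-15T10:00:01 WS01 7045 ServiceName=PSEXESVC ImagePath=%SystemRoot%\\PSEXESVC.exe
2020-10-15T10:00:05 WS01 1 Image=C:\\Windows\\System32\\cmd.exe ParentImage=C:\\Windows\\System32\\wbem\\WmiPrvSE.exe CommandLine="cmd /c powershell -NoP -w hidden -c $x=1"
2020-10-15T10:01:00 WS02 4625 LogonType=10 IpAddress=10.0.0.9 TargetUserName=admin
2020-10-15T10:01:02 WS02 4625 LogonType=10 IpAddress=10.0.0.9 TargetUserName=administrator
2020-10-15T10:01:04 WS02 4625 LogonType=10 IpAddress=10.0.0.9 TargetUserName=test
2020-10-15T10:01:06 WS02 4625 LogonType=10 IpAddress=10.0.0.9 TargetUserName=guest
2020-10-15T10:01:08 WS02 4625 LogonType=10 IpAddress=10.0.0.9 TargetUserName=user
2020-10-15T10:01:10 WS02 4625 LogonType=10 IpAddress=10.0.0.9 TargetUserName=backup
2020-10-15T10:02:00 WS03 4625 LogonType=10 IpAddress=10.0.0.22 TargetUserName=jdoe
2020-10-15T10:05:00 WS03 1 Image=C:\\Windows\\System32\\notepad.exe ParentImage=C:\\Windows\\explorer.exe CommandLine=notepad.exe
2020-10-15T10:06:00 WS03 7045 ServiceName=Spooler ImagePath=%SystemRoot%\\System32\\spoolsv.exe
"""

# key=value pairs; values may be double-quoted to allow spaces (command lines).
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')

def parse_line(line):
    """Turn one constructed log line into a dict of fields."""
    ts, host, eid, rest = line.split(" ", 3)
    fields = {m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
              for m in KV_RE.finditer(rest)}
    return {"ts": datetime.fromisoformat(ts), "host": host, "eid": int(eid), **fields}

def basename(path):
    """Case-insensitive file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def detect_psexec(ev):
    """PsExec installs a temporary service named PSEXESVC on the target."""
    return ev["eid"] == 7045 and (
        ev.get("ServiceName", "").upper() == "PSEXESVC"
        or basename(ev.get("ImagePath", "")) == "psexesvc.exe")

SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

def detect_wmi_spawn(ev):
    """Remote WMI execution shows up as a shell whose parent is WmiPrvSE.exe."""
    return (ev["eid"] == 1
            and basename(ev.get("ParentImage", "")) == "wmiprvse.exe"
            and basename(ev.get("Image", "")) in SHELLS)

def detect_rdp_bruteforce(events, threshold=5, window=timedelta(seconds=60)):
    """Return (host, source IP) pairs with >= threshold failed RDP logons
    inside any sliding window of the given length."""
    fails = defaultdict(list)
    for ev in events:
        if ev["eid"] == 4625 and ev.get("LogonType") == "10" and "IpAddress" in ev:
            fails[(ev["host"], ev["IpAddress"])].append(ev["ts"])
    hits = []
    for key, times in fails.items():
        times.sort()
        for i in range(len(times)):
            j = i + threshold - 1
            if j < len(times) and times[j] - times[i] <= window:
                hits.append(key)
                break
    return hits

def run_detections(log_text):
    """Apply all three rules and return (rule, host, detail) alerts."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    alerts = []
    for ev in events:
        if detect_psexec(ev):
            alerts.append(("psexec_service_install", ev["host"], ev.get("ServiceName")))
        if detect_wmi_spawn(ev):
            alerts.append(("wmi_spawned_shell", ev["host"], basename(ev["Image"])))
    for host, ip in detect_rdp_bruteforce(events):
        alerts.append(("rdp_bruteforce", host, ip))
    return alerts

if __name__ == "__main__":
    for alert in run_detections(SAMPLE_LOG):
        print(*alert)
```

The PsExec and WMI rules fire on single events; the RDP rule needs the sliding window because a lone 4625 from an admin mistyping a password (WS03 above) is not brute-forcing, while six failures in ten seconds from one source (WS02) is. Legitimate administrators use PsExec and WMI too, which is exactly the dual-use problem discussed in the SecureWV talk above, so in practice these alerts are best correlated with a subsequent miner or Mimikatz execution rather than acted on alone.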

Most prevalent malware files this week

SHA 256: 7f16b5e291ccba6411c95bafc3fe7eeb5c4a57df8ba32cfd173e75cc8826c921

MD5: 0b422df6c3d71d2147350d11c256724e

Typical Filename: wupxarch.exe

Claimed Product: N/A

Detection Name: W32.Auto:7f16b5.in03.Talos

SHA 256: 85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5

MD5: 8c80dd97c37525927c1e549cb59bcbf3

Typical Filename: Eter.exe

Claimed Product: N/A

Detection Name:

SHA 256: e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd

MD5: 8193b63313019b614d5be721c538486b

Typical Filename: SAService.exe

Claimed Product: SAService

Detection Name:

SHA 256: 8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9

MD5: 8193b63313019b614d5be721c538486b

Typical Filename: SAService.exe

Claimed Product: SAService

Detection Name: PUA.Win.Dropper.Segurazo::tpd

SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f

MD5: e2ea315d9a83e7577053f52c974f6a5a

Typical Filename: Tempmf582901854.exe

Claimed Product: N/A

Detection Name: Win.Dropper.Agentwdcr::1201

Keep up with all things Talos by following us on Twitter. Snort, ClamAV and Immunet also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.