Newsletter compiled by Jon Munshaw.
Good afternoon, Talos readers.
In our continued research on election security, we have a new video roundtable discussion up on our YouTube page. In this Q&A-style format, I ask our researchers questions about the work they’ve done researching disinformation (aka “fake news”) and how to combat the spread of it.
Microsoft Patch Tuesday was also this week. For our recap of all 120-something vulnerabilities Microsoft discovered, click here. You can also take a deep dive into one of the bugs our researchers specifically discovered in the Windows 10 Common Log File System.
Cyber Security Week in Review
- A specially crafted message in WhatsApp can cause the app to completely crash and sometimes delete users’ entire message history. So far, only a workaround on the desktop version of WhatsApp has been discovered.
- Tech companies like Amazon, Apple and Google are working together to release a new standard for internet-of-things devices’ connectivity. Project Connected Home over IP says its open-source product will be available sometime next year.
- As school districts start the school year remotely, teachers and students are having to learn new online classroom systems and fend off cyber attacks. Miami, Florida is the best example of this, where officials there say the area’s school system fought off 12 attacks in one day.
- The city of Hartford, Connecticut had to postpone its first day of school after a cyber attack. City officials say adversaries compromised 200 servers critical to schooling.
- The White House released a new set of guidelines aimed at hardening American satellites against cyber attacks. While nothing in them is enforceable, the hope is that they will encourage operators to update and better protect systems both in space and on the ground.
- A new report outlines a massive effort by the American government to protect COVID-19 vaccine research. Known as the Security and Assurance portion of Operation Warp Speed, the goal is to provide cyber security expertise, advice and software to pharmaceutical companies developing vaccines for the virus.
- One of Chile’s largest banks had to close all its branches this week due to a cyber attack. Initial reports indicate that the attack originated from a malicious Microsoft Office document an employee opened.
- Amazon allegedly created a secret group to spy on its own employees, specifically trying to infiltrate Facebook groups used by the company’s delivery drivers. The effort reportedly aims to identify any potential strikes or attempts to unionize.
Notable recent security issues
Snort SIDs: 55139 - 55146, 55161, 55162, 55187, 55188, 55206
Description: Cisco Talos recently uncovered a series of email campaigns utilizing links to malicious documents hosted on legitimate file-sharing platforms to spread malware. The campaigns distributed various malware payloads including Gozi ISFB, ZLoader, SmokeLoader and AveMaria, among others. Ongoing campaigns are distributing various malware families using the same crypter. While effective, this crypting mechanism contains an easy-to-detect flaw: the presence of a specific string value, "Salfram", makes it easy to track over time. The obfuscated binaries used by Salfram are completely different from both a binary and an execution flow graph perspective. The techniques used by this crypter can confuse weak API behavior-based systems and static analysis tools, and it appears to be undergoing active development and improvement over time.
Snort SIDs: 54920, 54921
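As an added example (not Talos's own code or detection logic), a small Python triage helper that flags files carrying the string marker described above. It assumes the marker may appear either as plain ASCII or as UTF-16LE, a common string layout in Windows binaries; the sample buffers are constructed and are not real malware.

```python
import re

# Marker string the write-up above says the Salfram crypter leaves in its binaries.
MARKER = b"Salfram"

# Encodings to check. Matching the UTF-16LE form as well is an added assumption:
# Windows binaries frequently store strings as wide characters, and a check that
# only looks for the ASCII form would miss those.
ENCODINGS = {
    "ascii": MARKER,
    "utf-16le": MARKER.decode().encode("utf-16le"),
}


def find_marker(data: bytes):
    """Return every (offset, encoding) at which the marker occurs in data."""
    hits = []
    for name, needle in ENCODINGS.items():
        for match in re.finditer(re.escape(needle), data):
            hits.append((match.start(), name))
    return sorted(hits)


def triage(samples: dict):
    """Map each sample name to its marker hits; an empty list means no hit."""
    return {name: find_marker(blob) for name, blob in samples.items()}


# Constructed sample buffers (not real samples): a fake "MZ" header plus padding.
SAMPLES = {
    "plain.bin": b"MZ" + b"\x00" * 30 + b"Salfram" + b"\x00" * 16,
    "wide.bin": b"MZ" + b"\x00" * 10 + "Salfram".encode("utf-16le") + b"\x00" * 8,
    "clean.bin": b"MZ" + b"\x00" * 40 + b"unrelated string",
}

if __name__ == "__main__":
    for name, hits in triage(SAMPLES).items():
        verdict = "marker present" if hits else "no marker"
        print(f"{name}: {verdict} {hits}")
```

Because the crypter's output otherwise differs from sample to sample, a marker hit is a cheap first-pass signal for clustering, not a substitute for behavioral analysis.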
Most prevalent malware files this week
Typical Filename: FlashHelperServices.exe
Claimed Product: Flash Helper Service
Detection Name: W32.7F9446709F-100.SBX.VIOC

Typical Filename: SAntivirusService.exe
Claimed Product: A n t i v i r u s S e r v i c e
Detection Name: Win.Dropper.Segurazo::tpd

Typical Filename: Tempmf582901854.exe
Claimed Product: N/A
Detection Name: Win.Dropper.Agentwdcr::1201

Typical Filename: mf2016341595.exe
Claimed Product: N/A
Detection Name: Win.Downloader.Generic::1201

Typical Filename: SAService.exe
Claimed Product: SAService
Detection Name: PUA.Win.Dropper.Segurazo::95.sbx.tg
Keep up with all things Talos by following us on Twitter. Snort, ClamAV and Immunet also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.