Good afternoon, Talos readers.
It's a bird, it's a plane, it's a rat!
We've been tracking a series of trojans targeting the aviation industry, and trying to lure victims in by sending them spam related to flight itineraries and other transportation news. In our latest blog post, we discuss how we've followed the actor behind these attacks, and what we can learn about tracking a threat actor in the future.
This week was also Patch Tuesday, so you'll want to update your Microsoft products as soon as possible if you haven't already. Most notably, there's an official update to patch the high-profile MSHTML vulnerability.
Upcoming Talos public engagements
Chats, Cheats, and Cracks: Abuse of Collaboration Platforms in Malware Campaigns at BSides Charlotte
Speaker: Edmund Brumaghin
Date: Sept. 25
Description: Join Edmund Brumaghin from Talos Outreach where he'll be discussing malware campaigns targeting collaboration apps such as Discord and Slack. Following up on Talos' blog post from earlier this year, the presentation will dive into campaigns we've spotted in the wild and discuss how users can stay safe while using these apps.
Workshop: Analysing Android malware at VirusBulletin localhost 2021
Speaker: Vitor Ventura
Date: Oct. 7 - 8
Description: Android malware has become prevalent across the landscape. In this workshop, Vitor Ventura will show you reverse engineering techniques for Android malware. This workshop is designed to provide the participants with different approaches to malware analysis so they can perform their own analysis without the use of automated tools. When everything else fails, we need to know what's under the hood. This workshop will cover malware unpacking, string deobfuscation, command and control protocol identification and feature identification.
National Cybersecurity Awareness Month with Cisco Talos Incident Response
Speaker: Brad Garnett
Date: Oct. 18 at 9:30 a.m. ET
Location: Livestream on all Talos social media accounts
Description: Join Cisco Talos Incident Response as we go live to celebrate National Cybersecurity Awareness Month. Brad Garnett, CTIR's general manager, will be live to answer your questions, talk about the trends he's seeing on the threat landscape, and discuss the growing threat of ransomware. Please use this page to drop us any questions ahead of time, or join us in the chat live. A recording will be made available shortly after on our YouTube page at cs.co/TalosTube.
Cybersecurity week in review
- Four vulnerabilities in Microsoft Azure are being called "OMIGOD," referring to the vulnerable Open Management Infrastructure (OMI) software agent. The most serious of the set could allow an attacker to gain root privileges on a remote machine with only a single packet.
- Microsoft warned that several ransomware groups are actively exploiting the high-profile MSHTML zero-day vulnerability. The company released an official patch this week as part of its monthly security update.
- A popular HP gaming driver used on many PCs is vulnerable to a privilege escalation attack, potentially allowing attackers to obtain kernel-mode access. HP Omen Gaming, which contains the vulnerability, comes pre-installed on many HP laptops and desktop computers.
- Microsoft will now allow users to go passwordless for their Office 365 and OneDrive accounts. Users who opt out of passwords can now log in through the Microsoft Authenticator app or biometric login options on Windows machines.
- Australia's top cybersecurity agency warned organizations and government agencies this week that cyber attacks on critical infrastructure are on the rise. In a new report, the agency stated that the number of cyber attacks reported rose 15 percent during the 2020-21 fiscal year, costing victims around $33 billion.
- With the rise in remote and hybrid learning, students' data is increasingly being leaked online. Unfortunately, there is little parents can do to protect their children's identities when the information is stolen from schools.
- Security researchers and law enforcement worked together to create a new decryptor for the REvil ransomware. The universal key should work for any victim who had their files locked up prior to the group's servers going dark in July.
- Apple unveiled the new iPhone 13 this week, announcing several new privacy features as part of iOS 15 that will be rolling out alongside it. These include on-device processing of voice commands and new options to disable tracking by third-party apps.
- The hacktivist group Anonymous leaked 180GB of data from users of some far-right social media apps and sites. The information seems to have come from the DNS hosting provider Epik, which has several clients including Parler and Gab.
Notable recent security issues
Title: MSHTML vulnerability exploited in the wild fixed as part of Microsoft security update
Description: Microsoft released its monthly security update Tuesday, disclosing 86 vulnerabilities across the company's firmware and software. This month's release is headlined by an official patch for the critical remote code execution vulnerability disclosed earlier this month in MSHTML. CVE-2021-40444 is being actively exploited in the wild, according to Microsoft, and proof-of-concept code is now available, widening the pool of attackers able to exploit this vulnerability. The most serious vulnerability is CVE-2021-36965, a remote code execution vulnerability in Windows WLAN. This vulnerability has a severity score of 8.8 out of a possible 10, the same score as CVE-2021-40444. Aside from the aforementioned MSHTML exploit, another critical vulnerability exists in the Windows scripting engine. CVE-2021-26435 could allow an attacker to corrupt memory on the victim machine by tricking the user into opening a specially crafted file or visiting a website containing an attacker-created file designed to exploit this vulnerability.
Snort SIDs: 58120 – 58135
Snort 3 SID: 300049
ClamAV signature: 9891528 (Doc.Exploit.CVE_2021_40444-9891528-0)
Cisco Secure OSQuery: CVE-2021-40444_vulnerability status
Title: Apple patches zero-click vulnerability that opens the door to spyware
Description: Apple released updates for its smartphones, iPads and smartwatches this week fixing a vulnerability in its devices that could allow attackers to install the Pegasus spyware. The company pushed the patch shortly after researchers discovered that a Saudi Arabian activist's phone had been infected with the spyware via the zero-click vulnerability. If installed, Pegasus can turn on a user's camera and microphone, record messages, texts, emails and calls, and send them back to the customers of NSO Group, the Israeli tech firm that created the spyware. The researchers found that up to 1.65 billion Apple products could have been vulnerable to the Pegasus spyware since March.
Most prevalent malware files this week
SHA 256: c1d5a585fce188423d31df3ea806272f3daa5eb989e18e9ecf3d94b97b965f8e
Typical Filename: ww31.exe
Claimed Product: N/A
Detection Name: W32.GenericKD:Attribute.24ch.1201
SHA 256: 6c62b768d8b22888724288af038bc0b6e55280ddbbe42a436cdf68889346df18
Typical Filename: smbscanlocal0902.exe
Claimed Product: N/A
Detection Name: MS17010::mURLin::W32.Auto:6c62b768d8.in03.Talos
SHA 256: 8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9
Typical Filename: SAntivirusService.exe
Claimed Product: A n t i v i r u s S e r v i c e
Detection Name: PUA.Win.Dropper.Segurazo::tpd
SHA 256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507
Typical Filename: VID.dat
Claimed Product: N/A
Detection Name: Win.Worm.Coinminer::1201
SHA 256: fad16599a866f466bdeff2a716b9aa79faa6677f2895f0b262cf9402deb4b66c
Typical Filename: zReXhNb
Claimed Product: N/A
Detection Name: Auto.FAD16599A8.241842.in07.Talos
Keep up with all things Talos by following us on Twitter. Snort, ClamAV and Immunet also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast here and Talos Takes here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.