Good afternoon, Talos readers.

If you haven't seen already, our blog has a lot of cool and new stuff this week.

We first dove into the world of proxyware on Tuesday (aka internet-sharing applications). Attackers are hiding in this newly popular software to steal users' bandwidth and money, while spreading malware along the way. This is a perfect case to show how willing users are to trade away some of their privacy and security for literally a few cents a day.

In another first, we got our hands on the leaked Conti ransomware playbook and translated it to English. Read our blog post and the full translation for some awesome insight into how this ransomware-as-a-service group operates.

Upcoming Talos public engagements

CTIR on the Technado podcast

Speaker: Chris DiSalle

Date: Sept. 9

Location: Virtual

Description: Chris DiSalle from Talos Incident Response will join the Technado podcast to share the ins and outs of the IR industry. Chris will talk to host Don Pezet about how he got started in incident response, horror stories he's seen in the field, and much more.

Chats, Cheats, and Cracks: Abuse of Collaboration Platforms in Malware Campaigns at BSides Charlotte

Speaker: Edmund Brumaghin

Date: Sept. 25

Location: Virtual

Description: Join Edmund Brumaghin from Talos Outreach where he'll be discussing malware campaigns targeting collaboration apps such as Discord and Slack. Following up on Talos' blog post from earlier this year, the presentation will dive into campaigns we've spotted in the wild and discuss how users can stay safe while using these apps.

Workshop: Analysing Android malware at VirusBulletin localhost 2021

Speaker: Vitor Ventura

Date: Oct. 7 - 8

Location: Virtual

Description: Android malware has become prevalent across the landscape. In this workshop, Vitor Ventura will show you reverse engineering techniques for Android malware. This workshop is designed to provide the participants with different approaches to malware analysis so they can perform their own analysis without the use of automated tools. When everything else fails, we need to know what's under the hood. This workshop will cover malware unpacking, string deobfuscation, command and control protocol identification and feature identification.

Cybersecurity week in review

  • Several major tech CEOs pledged to invest billions of dollars into the nation's cybersecurity in the coming years. U.S. President Joe Biden met with business leaders and cybersecurity companies last week to discuss recent attacks on critical infrastructure.
  • A 21-year-old is allegedly behind the recent cyber attack on T-Mobile. The person who claims to be the attacker who stole millions of customer records spoke to the Wall Street Journal anonymously, criticizing T-Mobile's security.
  • Security researchers discovered a major vulnerability in Microsoft Azure's cloud platform that could allow attackers to read, write and change database records. Although it was just disclosed, the vulnerability could have existed for months or even years.
  • Microsoft and the U.S. Department of Homeland Security both warned Azure users to update as soon as possible to protect against this attack. After Microsoft first sent the notice to a chunk of users, it eventually told all users to reset their security keys.
  • A new survey found that 61 percent of companies admit to not providing their remote employees with appropriate cybersecurity tools. And half of the respondents said they have relaxed security policies since the beginning of the COVID-19 pandemic or are not enforcing them as much.
  • American government agencies warned organizations they could see a spike in cyber attacks over the long Labor Day weekend. Threat actors have traditionally used holidays while many employees are on vacation or not as engaged in work to spread malware.
  • Apple announced that Arizona and Georgia will be the first two states to test users being able to store their driver's license and other government-issued IDs in their Apple Wallet. The Transportation Security Administration will also open new airport checkpoints and security lanes to accept this form of ID.
  • Despite the recent arrest of its creator, the Mozi botnet is expected to live on. Although its size will shrink in the coming weeks, security experts say its already infected so many devices that its effects will be felt for a long time.
  • The U.S. Security and Exchange Commission fined several brokerage firms for cybersecurity failings that led to hacks on their email systems. Because of security failures, the SEC says attackers gained unauthorized access to cloud-based email accounts, exposing the personal information of thousands of customers and clients at each firm.

Notable recent security issues

Title: How attackers are hiding in proxyware

Description: Adversaries are finding new ways to monetize their attacks by abusing internet-sharing, or "proxyware" platforms like Honeygain, Nanowire, and others. This poses new challenges to organizations, especially to those whose internet access is rated as residential. But any organization could be at risk, as there are platforms that also allow data center-based internet sharing. Malicious actors are taking multiple avenues to monetize these new platforms in their favor. The most obvious one is the silent installation of the platform client to "sell" the victim's bandwidth without their knowledge. In some cases, the adversaries patch the client to stop any alerts that would warn the victim. As these platforms became more popular, the adversaries started to leverage trojanized installers, which install the legitimate platform client as well as digital currency miners and information stealers. Given the nature of proxyware services, the users expect that their performance will suffer, making it a perfect disguise for coin miners.

Snort SIDs: 45549, 46237, 58030 – 58033

Cisco Secure Endpoint OSQueries: malware_honeygain_trojanized_installer, malware_honeygain_loader, malware_honeygain_bot

Title: Botnet starting to scan for routers vulnerable to Realtek exploits

Description: A botnet similar to Mirai is actively scanning for wireless routers affected by a recently disclosed denial-of-service vulnerability affecting SDKs for Realtek chipsets. An attacker could exploit the vulnerability by sending specially crafted inputs, eventually crashing the HTTP server running the management interface and eventually the router. Security researchers are calling the botnet in question “Dark.IoT.” The botnet reportedly waits for researchers and organizations to publish proof-of-concepts for newly discovered vulnerabilities, and only takes days to eventually incorporate them. Other Realtek vulnerabilities were disclosed two weeks ago that affect dozens of internet-of-things devices, including internet-connected cameras and WiFi repeaters.

Snort SIDs: 58052 - 58059

Most prevalent malware files this week

SHA 256: c1d5a585fce188423d31df3ea806272f3daa5eb989e18e9ecf3d94b97b965f8e

MD5: 9a4b7b0849a274f6f7ac13c7577daad8

Typical Filename: ww31.exe

Claimed Product: N/A

Detection Name: W32.GenericKD:Attribute.24ch.1201

SHA 256: 9a74640ca638b274bc8e81f4561b4c48b0c5fbcb78f6350801746003ded565eb

MD5: 6be10a13c17391218704dc24b34cf736

Typical Filename: smbscanlocal0906.exe

Claimed Product: N/A

Detection Name: Win.Dropper.Ranumbot::in03.talos

SHA 256: 85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5

MD5: 8c80dd97c37525927c1e549cb59bcbf3

Typical Filename: Eter.exe

Claimed Product: N/A

Detection Name:

SHA 256: e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd

MD5: 8193b63313019b614d5be721c538486b

Typical Filename: SAService.exe

Claimed Product: SAService

Detection Name:

SHA 256: 5e46ecffcff9440e97bf4f0a85ad34132407f925b27a8759f5a01de5ea4da6af

MD5: 0a13d106fa3997a0c911edd5aa0e147a

Typical Filename: mg20201223-1.exe

Claimed Product: N/A

Detection Name: RanumBot::mURLin::W32.5E46ECFFCF.in12.Talos

Keep up with all things Talos by following us on Twitter. Snort, ClamAV and Immunet also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast here and Talos Takes here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.