Good afternoon, Talos readers.
In the latest example of attackers trying to capitalize on current headlines, we've spotted a group using the recent fervor around the Pegasus spyware to spread malware.
We've detailed a campaign in which the attackers have copied (nearly perfectly) Amnesty International's website and are advertising a tool that supposedly detects and removes the spyware. The problem is, no such software exists; the download instead installs a RAT on your device.
Do you have a particular threat, IOC, malware family or actor you want us to be covering in the Threat Source newsletter? Let us know at email@example.com.
Upcoming Talos public engagements
Date: Oct. 5, 11 a.m. ET
Description: In the latest entry into the Snort 3 and Me webinar series, Talos analysts will join us to discuss the ins and outs of Snort rules.
Speaker: Vitor Ventura
Date: Oct. 7 - 8
Description: Android malware has become prevalent across the landscape. In this workshop, Vitor Ventura will show you reverse engineering techniques for Android malware. This workshop is designed to provide the participants with different approaches to malware analysis so they can perform their own analysis without the use of automated tools. When everything else fails, we need to know what's under the hood. This workshop will cover malware unpacking, string deobfuscation, command and control protocol identification and feature identification.
Speaker: Brad Garnett
Date: Oct. 18 at 9:30 a.m. ET
Location: Livestream on all Talos social media accounts
Description: Join Cisco Talos Incident Response as we go live to celebrate National Cybersecurity Awareness Month. Brad Garnett, CTIR's general manager, will be live to answer your questions, talk about the trends he's seeing in the threat landscape, and discuss the growing threat of ransomware. Please use this page to drop us any questions ahead of time, or join us in the chat live. A recording will be made available shortly after on our YouTube page at cs.co/TalosTube.
Cybersecurity week in review
- Microsoft added new features to Exchange Server that mitigate several high-profile vulnerabilities disclosed earlier this year. Attackers may have exploited a set of ProxyLogon vulnerabilities for months, and these mitigations should protect users until admins are able to apply a formal patch.
- Google released an emergency update for its Chrome web browser after researchers discovered the 11th zero-day vulnerability in the software this year. Details of the use-after-free vulnerability, identified as CVE-2021-37973, are still being withheld so as not to tip off attackers while users patch.
- A new letter to Congress revealed that the U.S. National Security Agency and other federal agencies urge their employees to use ad blockers on web browsers. The NSA stated that “seemingly innocuous online advertisements” can infect users with malware that can “steal, modify or wipe sensitive government data, or record conversations by remotely enabling a computer’s built-in microphone.”
- A British payroll company was forced offline last week after a cyber attack, leaving some contractors unpaid. The company had to disable its network, integrated IT infrastructure, phone and email systems.
- The U.S. Senate is considering legislation that would require critical infrastructure to report any cyber attacks to the federal government. The bill would also create a new Cyber-Incident Review Office within the Cybersecurity and Infrastructure Security Agency.
- The Port of Houston, one of the largest shipping hubs in the U.S., fought off a cyber attack last month. State-sponsored actors reportedly tried to exploit ManageEngine ADSelfService Plus, a password management program.
- Proof-of-concept code for a brute-force vulnerability in Microsoft Azure Active Directory is now available in the wild. Microsoft has called the mechanism that contains the vulnerability a design choice, though it lets anyone enumerate usernames and brute-force passwords.
- YouTube is cracking down on vaccine disinformation, banning several high-profile accounts this week. The site says it will remove any videos that claim vaccines do not reduce transmission rates or contain content that includes false information on the actual makeup of vaccines.
Notable recent security issues
Cisco Talos recently discovered a malicious campaign we’re calling “Operation: ArmorPiercer” targeting government employees and military personnel in the Indian subcontinent with two commercial and commodity RAT families known as NetwireRAT (aka NetwireRC) and WarzoneRAT (aka Ave Maria). The attackers delivered a variety of lures to their targets, predominantly posing as guides to Indian government infrastructure and operations (such as Kavach) and as I.T.-related guides, in the form of malicious Microsoft Office documents and archives (RARs, ZIPs) containing loaders for the RATs. This campaign illustrates another instance of a highly motivated threat actor using a set of commercial and commodity RAT families to infect its victims. These RATs come packed with many features out of the box to achieve comprehensive control over infected systems. It is also highly likely that these malware families are used to establish footholds in the victims' networks and deploy additional plugins and modules.
Snort SIDs: 58115 - 58119
Exploit code for a remote code execution vulnerability in VMware vCenter Server is circulating on the internet, and the flaw is being actively exploited in the wild. CVE-2021-22005 can allow an attacker to open a reverse shell on a vulnerable server and remotely execute arbitrary code. vCenter Server is a virtualization management platform that allows users to manage VMs and containers. Working proof-of-concept code became available online Tuesday, Sept. 28. VMware disclosed and patched this vulnerability last week. It is rated critical, with a CVSS severity score of 9.8 out of a possible 10.
Snort SIDs: 58217 - 58219
Most prevalent malware files this week
Typical Filename: ww31.exe
Claimed Product: N/A
Detection Name: W32.GenericKD:Attribute.24ch.1201
Typical Filename: smbscanlocal0902.exe
Claimed Product: N/A
Detection Name: MS17010::mURLin::W32.Auto:6c62b768d8.in03.Talos
Typical Filename: SAntivirusService.exe
Claimed Product: A n t i v i r u s S e r v i c e
Detection Name: PUA.Win.Dropper.Segurazo::tpd
Typical Filename: zReXhNb
Claimed Product: N/A
Detection Name: Auto.FAD16599A8.241842.in07.Talos
SHA 256: 8639fd3ef8d55c45808f2fa8a5b398b0de18e5dd57af00265e42c822fb6938e2
Typical Filename: SqlBase.exe
Claimed Product: SqlServerWorks.Runner
Detection Name: W32.8639FD3EF8-95.SBX.TG
Keep up with all things Talos by following us on Twitter. Snort and ClamAV also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast here and Talos Takes here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.