Good afternoon, Talos readers.
The biggest security news this week is no doubt another Microsoft zero-day. On the heels of PrintNightmare and multiple Exchange Server vulnerabilities comes a code execution vulnerability in MSHTML, the rendering engine in Internet Explorer.
We have new Snort rules out today that protect users against the exploitation of this vulnerability, which could allow an attacker to take complete control of a victim machine.
Upcoming Talos public engagements
Speaker: Chris DiSalle
Date: Sept. 9
Description: Chris DiSalle from Talos Incident Response will join the Technado podcast to share the ins and outs of the IR industry. Chris will talk to host Don Pezet about how he got started in incident response, horror stories he's seen in the field, and much more.
Chats, Cheats, and Cracks: Abuse of Collaboration Platforms in Malware Campaigns at BSides Charlotte
Speaker: Edmund Brumaghin
Date: Sept. 25
Description: Join Edmund Brumaghin from Talos Outreach where he'll be discussing malware campaigns targeting collaboration apps such as Discord and Slack. Following up on Talos' blog post from earlier this year, the presentation will dive into campaigns we've spotted in the wild and discuss how users can stay safe while using these apps.
Workshop: Analysing Android malware at VirusBulletin localhost 2021
Speaker: Vitor Ventura
Date: Oct. 7 - 8
Description: Android malware has become prevalent across the landscape. In this workshop, Vitor Ventura will show you reverse engineering techniques for Android malware. This workshop is designed to provide the participants with different approaches to malware analysis so they can perform their own analysis without the use of automated tools. When everything else fails, we need to know what's under the hood. This workshop will cover malware unpacking, string deobfuscation, command and control protocol identification and feature identification.
Cybersecurity week in review
- The White House released new guidelines this week pointing federal agencies toward a new zero-trust approach to cybersecurity. The documents form a roadmap for agencies to put the appropriate architecture and policies in place to reach a zero-trust model by 2024.
- Germany formally protested to Russia regarding a series of cyber attacks and disinformation campaigns ahead of the country's upcoming parliamentary elections. German officials charged a hacking group known as Ghostwriter with trying to steal federal and state lawmakers' personal information via phishing campaigns.
- Ireland's national health care system is still recovering months after a ransomware attack. Some patients still cannot access the online scheduling system, and others have seen their plan-of-care interrupted.
- The U.S. government warned consumers of a series of scams and phishing campaigns centered around Hurricane Ida. States in the Southeast and Northeast U.S. are still recovering from major flooding and high winds from the storm, leading many people to look for financial assistance and insurance payouts.
- Banks and post offices in New Zealand briefly went offline this week as they dealt with a cyber attack. Officials stated they believed the outages were the result of a distributed denial-of-service attack.
- Howard University in Washington, D.C. had to cancel classes Tuesday after a ransomware attack over Labor Day weekend. While in-person classes resumed Wednesday, as of Thursday morning, hybrid and online classes were still suspended.
- Security researchers have already found ways to spoof virtual vaccine passports on apps and websites. However, these apps have been slow to provide updates.
- Attackers are increasingly targeting the food supply chain, launching multiple ransomware attacks against the industry this year. A notice from the FBI stated that the sector's growing use of automation has increased the number of potential weak points that attackers could exploit.
Notable recent security issues
Title: Attackers actively target Atlassian Confluence vulnerability
Description: U.S. Cyber Command warned American organizations prior to Labor Day weekend that a vulnerability in Atlassian Confluence was under active exploitation. Atlassian disclosed the vulnerability in the popular project management software in August as CVE-2021-26084; it could allow an attacker to remotely execute arbitrary code. Although a patch had been available for about a week, the Cyber Command warning reminded users to patch immediately, advising them not to wait until after the holiday to update. Atlassian described the issue as “an OGNL injection vulnerability” in the Atlassian Confluence Server and Confluence Data Center products, both of which are vulnerable to unauthenticated remote attackers. CVE-2021-26084 has a severity rating of 9.8 out of a possible 10.
Snort SIDs: 58093, 58094
Title: Cisco discloses vulnerability that could allow attackers to authenticate as admins
Description: Cisco patched a critical vulnerability in its Cisco Enterprise Network Function Virtualization Infrastructure Software (NFVIS) last week that could allow an attacker to gain admin privileges on an affected system. The U.S. Cybersecurity and Infrastructure Security Agency followed up with a warning to all users to patch immediately. Cisco stated in its security advisory that there is no workaround to protect against exploitation of the vulnerability outside of downloading the latest patch. "This vulnerability is due to incomplete validation of user-supplied input that is passed to an authentication script. An attacker could exploit this vulnerability by injecting parameters into an authentication request. A successful exploit could allow the attacker to bypass authentication and login as an administrator to the affected device," the advisory reads.
Snort SIDs: 58097 - 58099
Most prevalent malware files this week
SHA 256: c1d5a585fce188423d31df3ea806272f3daa5eb989e18e9ecf3d94b97b965f8e
Typical Filename: ww31.exe
Claimed Product: N/A
Detection Name: W32.GenericKD:Attribute.24ch.1201
SHA 256: 6c62b768d8b22888724288af038bc0b6e55280ddbbe42a436cdf68889346df18
Typical Filename: smbscanlocal0902.exe
Claimed Product: N/A
Detection Name: MS17010::mURLin::W32.Auto:6c62b768d8.in03.Talos
SHA 256: e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd
Typical Filename: SAService.exe
Claimed Product: SAService
Detection Name: PUA.Win.Dropper.Segurazo::95.sbx.tg
SHA 256: 5e46ecffcff9440e97bf4f0a85ad34132407f925b27a8759f5a01de5ea4da6af
Typical Filename: mg20201223-1.exe
Claimed Product: N/A
Detection Name: RanumBot::mURLin::W32.5E46ECFFCF.in12.Talos
SHA 256: a10acc24581855565579bdf17d23989e67ef15343fdd2d9b6736c10be137c06c
Typical Filename: Quote request.exe
Claimed Product: N/A
Detection Name: W32.A10ACC2458-95.SBX.TG