Newsletter compiled by Jon Munshaw.
Good afternoon, Talos readers.
We’ve got a couple of vulnerabilities you should know about. Monday, we disclosed a bug in Google Chrome’s PDFium feature that opens the door for an adversary to execute remote code.
Our researchers also discovered several vulnerabilities in the Nitro Pro PDF Reader. The software contains vulnerabilities that could allow adversaries to exploit a victim machine in multiple ways that would eventually allow them to execute code.
UPCOMING PUBLIC ENGAGEMENTS
Event: Attribution: A puzzle
Location: Virtual VirusBulletin conference 2020
Date: Sept. 30
Speakers: Paul Rascagneres and Vitor Ventura
Synopsis: The attribution of cyber attacks is hard. It requires collecting diverse intelligence, analyzing it and deciding who is responsible. Given this, it is interesting to examine the evidence available to us as a threat intelligence and security research group to support these conclusions. In this presentation, we will present our research in attributing WellMess. We will also describe additional elements linked to the attribution process such as false flags and code sharing by using additional use cases such as OlympicDestroyer and ACIDBox.
Event: A double-edged sword: The threat of dual-use tools
Location: Cisco Webex webinar
Date: Oct. 8 at 11 a.m. ET
Speakers: Edmund Brumaghin
Synopsis: It's difficult to read any information security news lately without hearing about large corporations being extorted by cyber criminals. In today's threat landscape, enterprises increasingly rely on red teams to identify risks and mitigate vulnerabilities in their infrastructure, so much so that an entire industry exists around tools to help facilitate this effectively and efficiently as possible.
Dual-use tools are developed to assist administrators in managing their systems or assist during security testing or red-teaming activities. Unfortunately, many of these same tools are often co-opted by threat actors attempting to compromise systems, attack organizational networks, or otherwise adversely affect companies around the world. This webinar will discuss the topic of dual-use tools and how they have historically been used in various attacks. It will also provide case studies that walk through how native system functionality and dual-use tools are often used in real-world attacks to evade detection at various stages of the attack lifecycle. Finally, we will discuss ways that organizations can defend against malicious abuse of otherwise legitimate technologies and toolsets.
Cyber Security Week in Review
- New filings from the Federal Communications Commission show off GrayKey, an infamous tool that law enforcement agencies sometimes use to unlock iPhones. Photos of the device are extremely rare.
- A group of high-profile security researchers pushed back against a recent brief a virtual voting company filed to the Supreme Court. The back-and-forth continues as America’s highest court considers a case that could completely overhaul how security researchers find vulnerabilities.
- A bug in the Biden/Harris 2020 campaign’s official app could have allowed anyone to look up information on millions of voters. The vulnerability existed in the way the app worked with TargetSmart, a political marketing service.
- In the continued TikTok saga, tech giant Oracle has a plan to be a partner with the popular social media app in the U.S. to appease the Trump administration. But that plan has come under fire over the past few days from Republican lawmakers.
- Microsoft says state-sponsored threat actors are targeting both the Biden and Trump campaigns with cyber attacks. The actors have gone after the candidates themselves, campaign staffers and other third parties that the campaigns consult.
- Apple’s new iOS 14 is scheduled to be released Thursday. But Cisco is warning users that a new privacy feature that randomized MAC addresses could interrupt some organizations’ network setups.
- The U.S. Department of Justice formally charged seven Chinese nationals for a string of cyber attacks on several software makers and popular online games. The indictments state the attackers used their intrusion into these services for money laundering, identity theft, wire and access device fraud.
- The Maze ransomware has a new virtual machine technique it seems to have adopted from Ragnar Locker. Security researchers discovered the threat delivering a malicious .msi file for the VirtualBox software.
- Attackers are spreading a new cryptocurrency-mining malware by infecting Microsoft SQL Servers. Researchers discovered Linux, ARM and Microsoft variants of the Monero miner.
Notable recent security issues
Description: The U.S. Cybersecurity and Infrastructure Security Agency released a warning this week that state-sponsored actors are targeting several well-known vulnerabilities disclosed over the past year. Among them are vulnerabilities in the Pulse and Citrix VPN services that could allow an attacker to carry out directory-traversal attacks and infiltrate a victim’s network via the VPN. These same actors are also spreading several malware families through spear-phishing campaigns. Users in the public and private sectors are asked to update these affected products as soon as possible, including F5 BIG-IP, Pulse Secure VPN, Citrix VPN and Microsoft Exchange servers.
Snort SIDs: 55637 - 55640
Description: Google Chrome's PDFium feature could be exploited by an adversary to corrupt memory and potentially execute remote code. PDFium allows users to open PDFs inside Chrome. Cisco Talos researchers recently discovered a bug that would allow an adversary to send a malicious web page to a user, and then cause out-of-bounds memory access. To trigger this vulnerability, the victim must visit a malicious webpage or open a malicious PDF document.
Snort SIDs: 54282, 54283
Most prevalent malware files this week
Typical Filename: Eter.exe
Claimed Product: N/A
Detection Name: Win.Exploit.Shadowbrokers::5A5226262.auto.talos
Typical Filename: SAntivirusService.exe
Claimed Product: A n t i v i r u s S e r v i c e
Detection Name: Win.Dropper.Segurazo::tpd
Typical Filename: Tempmf582901854.exe
Claimed Product: N/A
Detection Name: Win.Dropper.Agentwdcr::1201
Typical Filename: mf2016341595.exe
Claimed Product: N/A
Detection Name: Win.Downloader.Generic::1201
Typical Filename: Xerox_Device_060214.exe
Claimed Product: N/A
Detection Name: Win.Dropper.Upatre::1201
Keep up with all things Talos by following us on Twitter. Snort, ClamAV and Immunet also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.