Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers.

We’ve got a couple of vulnerabilities you should know about. On Monday, we disclosed a bug in Google Chrome’s PDFium component that could allow an adversary to execute code on a victim’s machine.

Our researchers also discovered several vulnerabilities in the Nitro Pro PDF Reader. An adversary could exploit them in multiple ways, each ultimately leading to code execution on the victim’s machine.


Event: Attribution: A puzzle
Location: Virtual VirusBulletin conference 2020
Date: Sept. 30
Speakers: Paul Rascagneres and Vitor Ventura
Synopsis: The attribution of cyber attacks is hard. It requires collecting diverse intelligence, analyzing it and deciding who is responsible. Given this, it is interesting to examine the evidence available to us as a threat intelligence and security research group to support these conclusions. In this presentation, we will present our research in attributing WellMess. We will also describe additional elements linked to the attribution process such as false flags and code sharing by using additional use cases such as OlympicDestroyer and ACIDBox.

Event: A double-edged sword: The threat of dual-use tools
Location: Cisco Webex webinar
Date: Oct. 8 at 11 a.m. ET
Speakers: Edmund Brumaghin
Synopsis: It's difficult to read any information security news lately without hearing about large corporations being extorted by cyber criminals. In today's threat landscape, enterprises increasingly rely on red teams to identify risks and mitigate vulnerabilities in their infrastructure, so much so that an entire industry exists around tools that help them do this as effectively and efficiently as possible.

Dual-use tools are developed to assist administrators in managing their systems or assist during security testing or red-teaming activities. Unfortunately, many of these same tools are often co-opted by threat actors attempting to compromise systems, attack organizational networks, or otherwise adversely affect companies around the world. This webinar will discuss the topic of dual-use tools and how they have historically been used in various attacks. It will also provide case studies that walk through how native system functionality and dual-use tools are often used in real-world attacks to evade detection at various stages of the attack lifecycle. Finally, we will discuss ways that organizations can defend against malicious abuse of otherwise legitimate technologies and toolsets.

Cyber Security Week in Review

  • New filings from the Federal Communications Commission show off GrayKey, an infamous tool that law enforcement agencies sometimes use to unlock iPhones. Photos of the device are extremely rare.
  • A group of high-profile security researchers pushed back against a recent brief a virtual voting company filed with the Supreme Court. The back-and-forth continues as America’s highest court considers a case that could completely overhaul how security researchers find vulnerabilities.
  • A bug in the Biden/Harris 2020 campaign’s official app could have allowed anyone to look up information on millions of voters. The vulnerability existed in the way the app worked with TargetSmart, a political marketing service.
  • In the continued TikTok saga, tech giant Oracle plans to partner with the popular social media app in the U.S. to appease the Trump administration. But that plan has come under fire over the past few days from Republican lawmakers.
  • Microsoft says state-sponsored threat actors are targeting both the Biden and Trump campaigns with cyber attacks. The actors have gone after the candidates themselves, campaign staffers and other third parties that the campaigns consult.
  • Apple’s new iOS 14 is scheduled to be released Thursday. But Cisco is warning users that a new privacy feature that randomizes the device’s Wi-Fi MAC address per network could disrupt some organizations’ network setups, since MAC-based access controls, DHCP reservations and device inventories may no longer recognize those devices.
  • The U.S. Department of Justice formally charged seven Chinese nationals for a string of cyber attacks on several software makers and popular online games. The indictments state the attackers used their intrusion into these services for money laundering, identity theft, wire and access device fraud.
  • The Maze ransomware has a new virtual machine technique it seems to have adopted from Ragnar Locker. Security researchers discovered the threat delivering a malicious .msi file for the VirtualBox software.
  • Attackers are spreading a new cryptocurrency-mining malware by infecting Microsoft SQL Servers. Researchers discovered Linux, ARM and Windows variants of the Monero miner.
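
Following up on the iOS 14 item above: a randomized ("private") Wi-Fi address is distinguishable from a vendor-assigned one because it sets the IEEE locally administered bit (0x02) in the first octet. The Python below is an added example, not code from Cisco or Apple; it parses a constructed DHCP lease list (the addresses and hostnames are made up) and separates devices whose MAC can be matched against a static inventory or MAC filter from those whose randomized address will not match.

```python
"""Distinguish randomised (locally administered) MAC addresses from
vendor-assigned ones in a DHCP lease list (added example)."""
import re

OCTET_RE = re.compile(r"[0-9A-Fa-f]{2}")

# Constructed DHCP lease lines ("<ip> <mac> <hostname>"); the addresses and
# hostnames are made up for this example.
SAMPLE_LEASES = """\
192.168.1.20 3c:22:fb:1a:2b:3c printer-lobby
192.168.1.31 da:91:4f:77:10:aa iPhone
192.168.1.32 00-11-22-33-44-55 badge-reader
192.168.1.40 6e:00:a1:b2:c3:d4 iPad
"""


def parse_mac(mac):
    """Return the six octets of a MAC written as aa:bb:cc:dd:ee:ff or
    aa-bb-cc-dd-ee-ff; anything else raises ValueError."""
    parts = re.split(r"[:-]", mac.strip())
    if len(parts) != 6 or not all(OCTET_RE.fullmatch(p) for p in parts):
        raise ValueError(f"not a MAC address: {mac!r}")
    return bytes(int(p, 16) for p in parts)


def is_locally_administered(mac):
    """Bit 0x02 of the first octet is the IEEE 'locally administered' (U/L)
    flag. Burned-in vendor addresses clear it; randomised private addresses
    such as iOS 14's per-network Wi-Fi address set it."""
    return bool(parse_mac(mac)[0] & 0x02)


def is_multicast(mac):
    """Bit 0x01 of the first octet is the individual/group (I/G) flag; a set
    bit means a multicast address, which should never appear as a DHCP client."""
    return bool(parse_mac(mac)[0] & 0x01)


def triage_leases(text):
    """Split lease entries into (stable, randomised) lists of (hostname, mac).
    Stable addresses can be matched against a MAC allow-list or inventory;
    randomised ones will not match a vendor-based inventory and may change
    if the device forgets the network."""
    stable, randomised = [], []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        _ip, mac, host = fields[:3]
        if is_multicast(mac):
            raise ValueError(f"multicast address in lease table: {mac}")
        (randomised if is_locally_administered(mac) else stable).append((host, mac))
    return stable, randomised


if __name__ == "__main__":
    stable, randomised = triage_leases(SAMPLE_LEASES)
    print("stable:", stable)
    print("randomised:", randomised)
```

Run it against an export of your DHCP server's lease table; every device that lands in the randomised list is one whose MAC reservation or filter entry will silently stop matching once it upgrades.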

Notable recent security issues

Title: U.S. warns of exploitation of well-known vulnerabilities

Description: The U.S. Cybersecurity and Infrastructure Security Agency released a warning this week that state-sponsored actors are targeting several well-known vulnerabilities disclosed over the past year. Among them are vulnerabilities in Pulse Secure and Citrix VPN appliances that could allow an attacker to carry out directory-traversal attacks and use the VPN as an entry point into a victim’s network. The same actors are also spreading several malware families through spear-phishing campaigns. Organizations in both the public and private sectors should patch the affected products as soon as possible, including F5 BIG-IP, Pulse Secure VPN, Citrix VPN and Microsoft Exchange servers.

Snort SIDs: 55637 - 55640
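
The directory-traversal technique in the CISA warning above leaves a recognizable trace in access logs once request paths are normalized. The Python below is an added example for triaging such logs; it is not code from Cisco Talos, CISA or any vendor, and it runs over constructed log lines (the hosts, paths and timestamps are made up and do not correspond to any particular product’s exploit path). It percent-decodes repeatedly so double-encoded “..” sequences are unwrapped, treats backslashes as separators, and reports whether the resolved path climbs above the document root.

```python
"""Flag directory-traversal attempts in HTTP access logs (added example)."""
import re
from urllib.parse import unquote

# Request line inside a common/combined log format entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample log lines: hosts, paths and timestamps are made up for
# this example and are not taken from any real product or incident.
SAMPLE_LOG = """\
10.0.0.5 - - [18/Sep/2020:10:01:02 +0000] "GET /portal/css/main.css HTTP/1.1" 200 512
10.0.0.9 - - [18/Sep/2020:10:01:07 +0000] "GET /portal/../../../etc/passwd HTTP/1.1" 200 1450
10.0.0.9 - - [18/Sep/2020:10:01:09 +0000] "GET /portal/%2e%2e/%2e%2e/etc/shadow?x=1 HTTP/1.1" 200 870
10.0.0.9 - - [18/Sep/2020:10:01:11 +0000] "GET /cgi/%252e%252e%252fconfig HTTP/1.1" 404 221
10.0.0.7 - - [18/Sep/2020:10:02:00 +0000] "GET /files/report..2020.pdf HTTP/1.1" 200 90311
10.0.0.9 - - [18/Sep/2020:10:02:30 +0000] "GET /static/..%5c..%5cwin.ini HTTP/1.1" 403 110
"""


def normalise_target(target, max_decode_rounds=3):
    """Drop the query string, percent-decode repeatedly so that
    double-encoded sequences (%252e -> %2e -> .) are unwrapped, and treat
    backslashes as path separators the way Windows-hosted servers do."""
    path = target.split("?", 1)[0]
    for _ in range(max_decode_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")


def root_escapes(path):
    """Walk the segments of a normalised path and count how many '..'
    steps would climb above the root. Zero means the path stays inside
    the document root even though it contains '..'."""
    depth = 0
    escapes = 0
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if depth == 0:
                escapes += 1
            else:
                depth -= 1
        else:
            depth += 1
    return escapes


def scan_log(lines):
    """Return one finding per request whose normalised path contains a
    '..' segment. Legitimate clients almost never send these, so every hit
    is worth a look; 'escapes_root' marks the ones that actually reach
    outside the web root and 'encoded' the ones that tried to hide it."""
    findings = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        raw = match.group("target")
        path = normalise_target(raw)
        if ".." not in [seg for seg in path.split("/") if seg]:
            continue
        findings.append({
            "target": raw,
            "normalised": path,
            "escapes_root": root_escapes(path) > 0,
            "encoded": "%" in raw,
        })
    return findings


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG.splitlines()):
        print(hit)
```

Note that the file name `report..2020.pdf` is not flagged: the check is on whole path segments equal to `..`, not on the substring, which keeps the false-positive rate low. A 200 response on a request that escapes the root is the line to escalate; a 403 or 404 still tells you who is probing.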

Title: Google Chrome PDFium memory corruption could lead to code execution

Description: Google Chrome's PDFium component could be exploited by an adversary to corrupt memory and potentially execute arbitrary code. PDFium allows users to open PDFs inside Chrome. Cisco Talos researchers recently discovered a bug that an adversary could trigger to cause an out-of-bounds memory access; to do so, the victim must visit a malicious web page or open a malicious PDF document.

Snort SIDs: 54282, 54283

Most prevalent malware files this week

SHA 256: 85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5

MD5: 8c80dd97c37525927c1e549cb59bcbf3

Typical Filename: Eter.exe

Claimed Product: N/A

Detection Name:

SHA 256: 32155b070c7e1b9d6bdc021778c5129edfb9cf7e330b8f07bb140dedb5c9aae7

MD5: 73d1de319c7d61e0333471c82f2fc104

Typical Filename: SAntivirusService.exe

Claimed Product: A n t i v i r u s S e r v i c e

Detection Name: Win.Dropper.Segurazo::tpd

SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f

MD5: e2ea315d9a83e7577053f52c974f6a5a

Typical Filename: Tempmf582901854.exe

Claimed Product: N/A

Detection Name: Win.Dropper.Agentwdcr::1201

SHA 256: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b

MD5: 799b30f47060ca05d80ece53866e01cc

Typical Filename: mf2016341595.exe

Claimed Product: N/A

Detection Name: Win.Downloader.Generic::1201

SHA 256: 7bd78114e61ae332e9e9d67b66cdab4a4db4e0c74dc43a0582ab1aecb13d7f0f

MD5: 6423f6d49466f739d4eaa2a30759c46a

Typical Filename: Xerox_Device_060214.exe

Claimed Product: N/A

Detection Name: Win.Dropper.Upatre::1201

Keep up with all things Talos by following us on Twitter. Snort, ClamAV and Immunet also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.