
Cisco Talos Intelligence Group – Comprehensive Threat Intelligence: Threat Source Newsletter (April 1, 2021)

Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers.  

We hope you’re enjoying Cisco Live this week and only reading this after you’ve caught up on your sessions for the day. 

No April Fool’s jokes here (thankfully). We are just excited to tell you that applications are now open for the Snort scholarship. Find out how to apply here and read the complete rules here.
And speaking of things that aren’t funny, who likes to be tricked into downloading malware when they’re just trying to turn on some Thomas the Train mods in “Skyrim?” We are tracking a malware campaign that hides inside video game cheat engine and other “mods.” Our blog post has a complete reverse-engineering of the cryptor used in this case that’s going to be useful for all defenders. 

Upcoming public engagements with Talos

Date: March 30 – April 1 

Speakers: Nick Biasini, more TBA 

Overview: Join us for the annual Cisco Live conference, this year taking place across the globe at the same time virtually for the first time. Cisco Live is your destination for year-round technical education and training. There will be many on-demand sessions to choose from throughout the conference. Nick Biasini of Talos Outreach will provide a broad overview of the past year’s threats and trends we’ve been seeing, with a specific focus on dual-use tools and supply chain attacks. Additional sessions will be announced in the coming weeks. 

Date: April 7 at 11 a.m. ET 

Speakers: Vitor Ventura 

Overview: In this free webinar, Vitor Ventura of Talos Outreach will discuss the most recent Android malware he’s seen in the wild. Vitor will reverse-engineer some of these malware samples and discuss what users can do to stay safe. We’ll cover everything from deobfuscating strings, to appropriate patching practices and searching for command and control beacons. 

Cybersecurity week in review

  • American intelligence agencies are expected to publish the most in-depth findings yet on the SolarWinds breach. The report allegedly includes new information on the tools the attackers used in the supply chain attack. 
  • Attackers breached the PHP library and attempted to install a backdoor that would have allowed them to inject remote code into affected websites. The maintainers behind PHP said they will now move the repository over to GitHub rather than their own git instance. 
  • A new Android malware is disguising itself as a system update that must be installed outside the Google Play store. If infected, a user’s device could be completely taken over. 
  • A major television network in Australia had to go offline after a cyber attack. The initial report came on the same day the country’s parliament also reported an attempted cyber intrusion. 
  • Non-fungible tokens are taking the internet by storm. But their increased popularity has also led to uninformed consumers falling for scams, or malicious actors finding ways to make the NFTs disappear. 
  • U.S. President Joe Biden’s administration is having to respond to multiple state-sponsored cyber threats, all while still trying to fill several key cybersecurity positions. Congressional leaders are pushing Biden to fill the role of national cyber director as soon as possible. 
  • The U.K. launched a new, independent Cyber Security Council tasked with formalizing standards across the security industry in the country. This group will now be tasked with creating new tools and resources for cybersecurity experts or those hoping to enter the industry. 
  • The North Korean state-sponsored threat group targeting security researchers set up a fake security firm to lure potential targets. They also created fake recruiter profiles on LinkedIn for the phony company. 
  • The Cybersecurity and Infrastructure Security Agency (CISA) is asking all government agencies running on-premises Microsoft Exchange servers to run Microsoft malware scanners and report their results by April 5. Microsoft’s recently released tool should find any undetected compromises. 

Notable recent security issues

Description: OpenSSL disclosed and patched a denial-of-service vulnerability last week that could allow adversaries to completely crash servers. An attacker could cause a null pointer dereference, and then send a specially crafted, malicious request to crash the targeted server. OpenSSL is one of the most popular software libraries on the internet. It is a toolkit for TLS or SSL and serves as a general cryptographic library. The maintainers behind the toolkit also fixed a separate vulnerability that could prevent apps from detecting and rejecting unsigned TLS certificates.  

Snort SIDs: 56942 – 56944, 56957 – 56963 

Description: Cisco fixed multiple vulnerabilities in the Jabber messaging software, affecting versions for mobile devices, macOS and Windows. An attacker could exploit any of these bugs to execute arbitrary programs on the underlying operating system with elevated privileges. They could also potentially access sensitive information, intercept protected network traffic or cause a denial of service. Adversaries only need to exploit one of the vulnerabilities disclosed this week to carry out these malicious actions. They also must be able to authenticate to an Extensible Messaging and Presence Protocol (XMPP) server that the affected software uses and be able to send XMPP messages to a targeted system. 

Snort SIDs: 55016 – 55018, 56572, 56573, 56575, 56576, 56588 – 56591, 57351 – 57354, 57359 

Most prevalent malware files this week

MD5: 9a4b7b0849a274f6f7ac13c7577daad8 

Typical Filename: ww31.exe 

Claimed Product: N/A 

Detection Name: W32.GenericKD:Attribute.24ch.1201

MD5: 8193b63313019b614d5be721c538486b 

Typical Filename: SAService.exe 

Claimed Product: SAService 

Detection Name: PUA.Win.Dropper.Segurazo::95.sbx.tg 

MD5: 34560233e751b7e95f155b6f61e7419a 

Typical Filename: SAntivirusService.exe 

Claimed Product: A n t i v i r u s S e r v i c e 

Detection Name: PUA.Win.Dropper.Segurazo::tpd 

MD5: 8c80dd97c37525927c1e549cb59bcbf3

Typical Filename: svchost.exe

Claimed Product: N/A 

Detection Name: Win.Exploit.Shadowbrokers::5A5226262.auto.talos

MD5: 96f8e4e2d643568cf242ff40d537cd85 

Typical Filename: SAService.exe  

Claimed Product: SAService  

Detection Name: PUA.Win.File.Segurazo::95.sbx.tg 
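The list above is a set of content indicators: the MD5 is what identifies each sample, while the "Typical Filename" (svchost.exe in particular) is just the name the file usually carries and on its own proves nothing. As an added example, not code from Talos or from this newsletter, the script below loads the five hashes listed above into a lookup table, streams every file under a directory through MD5 and reports only exact hash matches. The directory walk, the temporary-directory demo and the sample bytes are constructed for demonstration; the hashes and detection names are copied from the list.

```python
"""Match files on disk against the MD5 indicators listed in the newsletter.

Added example, not Talos code. The hashes come from the "Most prevalent
malware files this week" list; the directory walk and the constructed
sample files in demo() are assumptions for demonstration only.
"""
import hashlib
import tempfile
from pathlib import Path

# MD5 -> (typical filename, detection name), copied from the list above.
TALOS_IOC_MD5 = {
    "9a4b7b0849a274f6f7ac13c7577daad8": ("ww31.exe", "W32.GenericKD:Attribute.24ch.1201"),
    "8193b63313019b614d5be721c538486b": ("SAService.exe", "PUA.Win.Dropper.Segurazo::95.sbx.tg"),
    "34560233e751b7e95f155b6f61e7419a": ("SAntivirusService.exe", "PUA.Win.Dropper.Segurazo::tpd"),
    "8c80dd97c37525927c1e549cb59bcbf3": ("svchost.exe", "Win.Exploit.Shadowbrokers::5A5226262.auto.talos"),
    "96f8e4e2d643568cf242ff40d537cd85": ("SAService.exe", "PUA.Win.File.Segurazo::95.sbx.tg"),
}


def md5_of_file(path, chunk_size=1 << 20):
    """Stream a file through MD5 so large binaries never have to fit in memory."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_directory(root, iocs=TALOS_IOC_MD5):
    """Walk `root` recursively and return (path, md5, typical_name, detection)
    for every regular file whose MD5 is in the indicator set.

    Only the content hash is compared: a file named like an indicator
    (e.g. svchost.exe) but with a different hash is not reported, because
    the filename column is descriptive, not an indicator.
    """
    root = Path(root)
    hits = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        try:
            digest = md5_of_file(path)
        except OSError:
            continue  # unreadable file (permissions, vanished): skip, don't abort the sweep
        if digest in iocs:
            name, detection = iocs[digest]
            hits.append((str(path), digest, name, detection))
    return hits


def demo():
    """Constructed offline demonstration: one benign file plus one file whose
    hash is added to a copy of the indicator set, so the match path runs
    without any real sample on disk."""
    with tempfile.TemporaryDirectory() as tmp:
        benign = Path(tmp) / "notes.txt"
        benign.write_bytes(b"constructed benign content")
        sample = Path(tmp) / "svchost.exe"  # the name alone must not trigger a hit
        sample.write_bytes(b"constructed sample bytes, not real malware")
        iocs = dict(TALOS_IOC_MD5)  # real indicators plus the constructed one
        iocs[md5_of_file(sample)] = ("svchost.exe", "Constructed.Test.Detection")
        return scan_directory(tmp, iocs)


if __name__ == "__main__":
    for hit in demo():
        print("MATCH %s md5=%s (%s, %s)" % hit)
```

Run as a script it prints the single constructed match; pointing scan_directory at a real path gives a quick triage sweep for the listed samples. Hash matching only confirms the exact binaries in the list, so a negative result does not clear a host: the Detection Name column is what the AV engine reports for variants, and the Snort SIDs earlier in the newsletter cover the network side.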

Keep up with all things Talos by following us on Twitter. Snort, ClamAV and Immunet also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast here and Talos Takes here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.  
