Newsletter compiled by Jon Munshaw.
Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.
This wasn’t your average Patch Tuesday. Microsoft’s monthly security update was notable for a few reasons. For starters, it’s really time to give up Windows 7, since this is the last free update Microsoft will issue for the operating system.
There was also a vulnerability that made headlines for leaving Windows open to cryptographic spoofing, which could allow an attacker to sign a malicious file as if it came from a trusted source. The bug was so severe that Microsoft even reached out to the U.S. military ahead of time to issue them an early patch. For more on Patch Tuesday, you can check out our roundup here and our Snort rule release here.
Elsewhere in the vulnerability department, we also released new Snort rules to protect users against some notable Citrix bugs that have been used in the wild.
And, as always, we have the latest Threat Roundup where we go through the top threats we saw — and blocked — over the past week.
Upcoming public engagements
Location: Fira Barcelona, Barcelona, Spain
Date: Jan. 27 - 31
Speakers: Warren Mercer
Synopsis: Cisco Talos specializes in early-warning intelligence and threat analysis necessary for maintaining a secure network. We are responsible for defending networks realize that the security threat landscape is constantly in flux as attackers evolve their skills. Talos advances the overall efficacy of all Cisco security platforms by aggregating data, cooperating with teams of security experts, and applying the cutting-edge big data technology to security. In this talk, we will perform a deep analysis of recent threats and see how Talos leverages large datasets to deliver product improvements and mitigation strategies.
Cyber Security Week in Review
- Apple once again denied the FBI’s request for the company to unlock an iPhone belonging to someone involved in a criminal investigation. The agency is attempting to access a device belonging to a man who shot and killed multiple people at a naval base last year.
- This caused U.S. President Donald Trump to enter the fold. Trump tweeted that he was unhappy with Apple denying law enforcement access to devices "used by killers, drug dealers and other violent criminal elements.”
- More than two weeks after a ransomware attack, foreign currency exchange service Travelex is finally resuming normal operations. The company recently said it was making “good progress” on recovery and was expecting customer-facing systems to return soon.
- The Travelex attack prompted the U.S. government to release a new warning that users need to update their VPN services as soon as possible. Vulnerabilities disclosed last year in Pulse Secure VPN leave users open to cyber attacks similar to the ransomware infection on Travelex, according to the U.S. Cybersecurity and Infrastructure Security Agency.
- The Democratic party in Iowa says it will still use a mobile app to report primary election results, despite warnings that it is a security risk. Election judges will use the apps to count polling results during the presidential primaries and report those results on their mobile devices, though officials say there will be paper backups to verify the results.
- The estimated cost of a recent cyber attack on the city of New Orleans is above $7 million, $3 million of which the city says it will recoup from its cyber insurance policy. Officials say it will still take months to rebuild their internal network, and departments are still digging out from having to manually carry out many functions for weeks.
- The U.S. election security czar warned that attempts to interfere in the U.S.’ upcoming presidential election will be more sophisticated than ever. Shelby Pierson said at a recent presentation America is tracking several hacking groups, including a recent effort uncovered to breach a Ukrainian company at the center of President Donald Trump’s impeachment trial.
- A critical vulnerability in a popular WordPress plugin leaves more than 300,000 sites open to attack. An attacker could exploit a bug in InfiniteWP to log in as an administrator on any affected site.
- Android devices infected with the Faketoken malware began sending offensive SMS messages last week. It sends these messages to foreign numbers, potentially costing the victim money based on their carrier’s policies.
- The U.S. may invest more than $1 billion into researching alternatives for 5G to avoid working with Chinese tech companies Huawei and ZTE. Legislation submitted in the Senate urged America to counter the Chinese government’s investment in the telecom space.
Notable recent security issues
Description: Microsoft released its monthly security update today, disclosing vulnerabilities across many of its products and releasing corresponding updates. Patch Tuesday covers 49 vulnerabilities, eight of which are considered critical. This month’s security update is particularly important for its disclosure of two vulnerabilities related to a core cryptographic component in all versions of Windows. CVE-2020-0601 could allow an attacker to use cryptography to sign a malicious executable, making the file appear as if it was from a trusted source. The victim would have no way of knowing if the file was malicious. Cyber security reporter Brian Krebs says the vulnerability is so serious, Microsoft secretly deployed a patch to branches of the U.S. military prior to today.
Snort SIDs: 52593 - 51596, 52604, 52605
Title: ZeroCleare wiper malware deployed on oil refinery
Description: ZeroCleare, a wiper malware connected to an Iranian hacker group, was recently deployed against a national oil refinery in Bahrain. An upgraded version has been spotted in the wild, according to security researchers, which can delete files off infected machines. The latest attacks match previous attacks using this malware family, which have gone after other targets connected to Saudi Arabia. Concerns over Iranian cyber attacks have spiked since the U.S. killed a high-profile Iranian general in a drone strike.
Snort SIDs: 52572 – 52581
Most prevalent malware files this week
Typical Filename: SegurazoIC.exe
Claimed Product: Digital Communications Inc.
Detection Name: PUA.Win.Adware.Ursu::95.sbx.tg
SHA 256: d73ea76f6f07f96b337335213418b58e3fbc7e4b519fec0ef3fbd19c1d335d81
Typical Filename: FlashHelperServices.exe
Claimed Product: Flash Helper Service
Detection Name: PUA.Win.Adware.Flashserv::1201
SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f
Typical Filename: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f.bin
Claimed Product: N/A
Detection Name: W32.AgentWDCR:Gen.21gn.1201
SHA 256: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b
Typical Filename: mf2016341595.exe
Claimed Product: N/A
Detection Name: W32.Generic:Gen.22fz.1201
SHA 256: da231330efd623bc7d116ed233828be88951b9df7cc889e747d31279bdf2c2a0
Typical Filename: 4a4ee4ce27fa4525be327967b8969e13.exe
Claimed Product: N/A
Detection Name: PUA.Win.File.Coinminer::tpd
Keep up with all things Talos by following us on Twitter. Snort, ClamAV and Immunet also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.