Threat Source newsletter (July 25, 2019)

Newsletter compiled by Jonathan Munshaw.

Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.

No one really likes talking about election security. It’s a sticky subject, costs lots of money and doesn’t come with an easy fix. But that doesn’t mean the conversation shouldn’t happen.

With another presidential election just around the corner, we decided to take up the topic and examine the approach a potential attacker may take to disrupting a democratic election. Matt Olney took a deep dive into their psyche here, and wrote about what may happen in a real-life attack scenario.

He and the rest of the Beers with Talos crew broke down these scenarios more in this week’s Beers with Talos episode, too.

We also have our weekly Threat Roundup, which you can find on the blog every Friday afternoon. There, we go over the most prominent threats we’ve seen (and blocked) over the past week.

Upcoming public engagements with Talos

Event: “DNS on Fire” at Black Hat USA
Location: Mandalay Bay, Las Vegs, Nevada
Date: Aug. 7
Speaker: Warren Mercer
Synopsis: In this talk, Warren will go over two recent malicious threat actors targeting DNS protocol along with the methodology used to target victims, timeline, and technical details. The first is a piece of malware, “DNSpionage,” targeting government agencies in the Middle East and an airline. The second actor, more advanced and aggressive than the previous one, is behind the campaign we named “Sea Turtle.”

Event: “It’s never DNS…It was DNS: How adversaries are abusing network blind spots” at SecTor
Location: Metro Toronto Convention Center, Toronto, Canada
Date: Oct. 7 - 10
Speaker: Edmund Brumaghin and Earl Carter
Synopsis: While DNS is one of the most commonly used network protocols in most corporate networks, many organizations don’t give it the same level of scrutiny as other network protocols present in their environments. DNS has become increasingly attractive to both red teams and malicious attackers alike to easily subvert otherwise solid security architectures. This presentation will provide several technical breakdowns of real-world attacks that have been seen leveraging DNS for a variety of purposes such as DNSMessenger, DNSpionage, and more.

Cyber Security Week in Review

  • Facebook confirmed in its latest earnings report that it reached a $5 billion settlement with the U.S. Federal Trade Commission over data privacy violations, the largest fine in the history of the U.S. over online privacy. The social media network also said it would create “a comprehensive new framework for protecting people’s privacy.” 
  • Attackers are using file-sharing network WeTransfer to bypass email security. Security researchers have discovered multiple attacks where malicious actors are sending emails to users with a WeTransfer link that leads to an HTM or HTML file redirecting to a phishing landing page. 
  • Former FBI special counsel Robert Mueller warned that Russia made multiple attempts to disrupt the 2016 presidential election. During Congressional testimony, Mueller said “They’re doing it as we sit here, and they expect to do it during the next campaign.” 
  • Certain LG and Samsung phones are open to an attack that could allow a malicious user to listen in on conversations. The attacks exploit the devices’ accelerometer to eavesdrop on any audio played through the speaker. 
  • The U.S. Federal Trade Commission fined Equifax up to $700 million over a 2016 data breach. However, privacy advocates and some lawmakers say the punishment doesn’t go far enough. 
  • The latest round of security updates from Apple fixes a critical flaw in the Apple Watch’s walkie talkie app that could allow an attacker to listen in on conversations. There were also fixes to vulnerabilities in the iOS operating system. 
  • U.S. Attorney General William Barr stepped up his fight against encryption, saying tech firms “can and must” put backdoors on their devices to bypass encryption. Barr argued that encryption allows criminals to operate unnoticed and can stall law enforcement agencies’ investigations. 
  • The National Security Agency says it is working on a cybersecurity directorate that aims to align America’s offensive and defense cyber capabilities. The directorate will begin operating on Oct. 1 under the direction of Anne Neuberger, who helped establish U.S. Cyber Command. 

Notable recent security issues

Title: Attackers spread AZORult trojan, attempts to steal passwords
Description: Attackers recently began spreading the AZORult trojan AZORult through a series of phony cheat codes for video games, such as "CounterStrike: Go and Player Unknown’s Battlegrounds. The attackers embedded links to the supposed cheats in YouTube videos and other social media sites. Once installed, the trojan attempts to steal users’ passwords. This Snort rule fires when AZORult attempts to make an outbound connection to its command and control server.
Snort SIDs: 50771 (Written by Tim Muniz)

Title: New protection rolled out for Microsoft vulnerability exploited in the wild
Description: Attackers continue to exploit a previously disclosed vulnerability in Windows’ win32k.sys component. The escalation of privilege bug, identified as CVE‑2019‑1132, was exploited in a series of targeted attacks in Eastern Europe. An APT installed espionage malware on victim machines through this bug. Two new Snort rules activate when a user attempts to corrupt a machine’s memory using this vulnerability.
Snort SIDs: 50734 – 50737 (Written by Joanne Kim)

Most prevalent malware files this week

SHA 256: 6dfaacd6f16cb86923f21217ca436b09348ee72b34849921fed2a17bddd59310
MD5: 7054c32d4a21ae2d893a1c1994039050
Typical Filename:
Claimed Product: N/A
Detection Name: PUA.Osx.Adware.Advancedmaccleaner::tpd

SHA 256: e062f35810260a1406895acff447e412a8133380807ef3ddc91c70c01bd34b50
MD5: 5a315fdaa14ae98226de43940630b147
Typical Filename: FYDUpdate.exe
Claimed Product: Minama
Detection Name: W32.E062F35810-95.SBX.TG

MD5: 47b97de62ae8b2b927542aa5d7f3c858  
Typical Filename: qmreportupload.exe  
Claimed Product: qmreportupload  

Detection Name: Win.Trojan.Generic::in10.talos  

MD5: 4a50780ddb3db16ebab57b0ca42da0fb  
Typical Filename: xme64-2141.exe  
Claimed Product: N/A  

Detection Name: W32.7ACF71AFA8-95.SBX.TG  

MD5: db69eaaea4d49703f161c81e6fdd036f  
Typical Filename: xme32-2141-gcc.exe  
Claimed Product: N/A  

Detection Name: W32.46B241E3D3-95.SBX.TG  

Article Link: