Newsletter compiled by Jon Munshaw.
Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.
Sure, all anyone wants to talk about is coronavirus. But what about cyber security? We’ve still got cool stuff, like this huge write-up on the Bisonal malware and how it’s changed over the past 10 years. While its victimology has always stayed the same, we walk through how its creators have added on new features over time to avoid detection.
There’s also another entry in our Incident Response “Stories from the Field” video series. This time, Matt Aubert discusses ransomware infections he’s seen in the wild and passes on some lessons to you.
And, as always, we have the latest Threat Roundup where we go through the top threats we saw — and blocked — over the past week.
Upcoming public engagements
Location: Makuhari Messe, Tokyo, Japan
Date: April 13 - 15
Speakers: Nick Biasini
Synopsis: In the past, there were two clear classes of adversary an enterprise would face: sophisticated and basic. These basic threats were commodity infections that would require simple triage and remediation. Today, these commodity infections can quickly turn into enterprise-crippling ransomware attacks, costing organizations millions of dollars to recover. Now more than ever, organizations need every advantage they can get — and threat intelligence is a big part of it. Having visibility into your own environment and attacks around the globe are equally vital to success. This talk will cover these trends and show how the gap between the sophisticated and the basic adversary is quickly disappearing.
Cyber Security Week in Review
- The U.S. Federal Communications Commission proposed new fines against wireless carriers that sell customers’ location information $200 million. T-Mobile faces the highest fine at $91 million.
- Two Chinese nationals face new charges of helping a North Korean state-sponsored actor steal millions of dollars of cryptocurrency. The U.S. Justice Department said it believes the two men funneled money stolen in cryptocurrency mining campaigns and then sent the money back to North Korea to help pay in part for additional malicious cyber capabilities.
- The Super Tuesday round of presidential primaries in the U.S. went off without a publicly disclosed cyber attack, though several questions remain before November’s general election. Election officials are still being encouraged to use paper ballots, and state-sponsored actors may still be saving their best efforts.
- Facebook’s new “Off Facebook Activity” tracking feature allows users to see what apps are receiving their personal information, even when they’re not using Facebook. One reporter discovered that more than 60 health apps were sharing her information with the social media site, including prescriptions and menstrual cycles.
- T-Mobile is warning customers that it recently suffered a data breach, and that some users’ information may be affected. Individualized text messages are telling customers if their financial information was accessed, and if so, T-Mobile is offering a free two years of identity theft protection.
- American intelligence officials warned members of the Senate of potential security concerns with the popular social media app TikTok. One FBI official even went as far to say that the app is “basically controlled by a state-sponsored actor.”
- Netgear disclosed a critical bug in its popular Nighthawk line of wireless routers that could allow a remote attacker to take complete control of the device. The company also released fixes for 21 medium-severity vulnerabilities and two of high severity.
- The U.S. pledged to send $8 million to Ukraine to help bolster its cyber defenses. The two countries met this week to discuss security, after which the Americans agreed to invest a total of $38 million over the coming years.
- A Chinese cyber security company accused the CIA for an 11-year hacking campaign against the country. Qihoo 360 says Americans targeted the Chinese aviation and oil industries, as well as some government agencies.
Notable recent security issues
Description: A new malware family known as “Mozart” uses DNS to communicate with a command and control seemingly belonging to its creators. It also evades detection by disguising itself and executing specialized JSScript files. Once infected, Mozart can download other types of malware onto the victim machine, including ransomware and cryptocurrency miners. This malware is typically spread through spam campaigns with malicious PDF attachments. If a victim opens the PDF, it displays a message saying that the PDF reader doesn’t support a specific font, and asks the user to download a font, which actually points to a malicious ZIP file.
Snort SIDs: 53364 - 53373
Title: Ryuk ransomware strikes across the globe
Description: Several reports surfaced over the past week of the Ryuk ransomware being used in attacks over the course of the past year. Notable recent infections include an attack on a Fortune 500 company that specializes in mechanical and electrical construction, a local library system and police department in Florida and a school district in New Mexico. Ryuk primarily spreads through phishing emails and contains a number of capabilities, including credential theft and the downloading of a cryptocurrency miner.
Snort SIDs: 53333, 53334, 53336, 53337
Most prevalent malware files this week
Typical Filename: wup.exe
Claimed Product: N/A
Detection Name: PUA.Win.File.Coinminer::1201
SHA 256: 3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3
Typical Filename: qmreportupload.exe
Claimed Product: qmreportupload
Detection Name: Win.Trojan.Generic::in10.talos
SHA 256: 85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5
Typical Filename: eternalblue-2.2.0.exe
Claimed Product: N/A
Detection Name: W32.85B936960F.5A5226262.auto.Talos
SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f
Typical Filename: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f.bin
Claimed Product: N/A
Detection Name: W32.AgentWDCR:Gen.21gn.1201
SHA 256: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b
Typical Filename: mf2016341595.exe
Claimed Product: N/A
Detection Name: W32.Generic:Gen.22fz.1201
Keep up with all things Talos by following us on Twitter. Snort, ClamAV and Immunet also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.