Internet Storm Center Spotlight


SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


Title: SolarMarker tries to take victims around the galaxy

Description: Cisco Talos has observed new activity from Solarmarker, a highly modular .NET-based information stealer and keylogger. A previous staging module, “d.m,” used with this malware has been replaced by a new module dubbed “Mars.” Another previously unreported module named “Uranus” has been identified. Organizations should be particularly concerned about the modular nature and information-stealing capabilities of this malware family. Using its staging DLL, the attackers can execute whichever payload module they choose, some of which may be previously undiscovered.

The modules already observed make potential victims vulnerable to having sensitive information stolen, including employees' browser usage, such as when they enter their credit card number or other personal information. These attackers may also look to steal login credentials, which could then be used for lateral movement into other systems or to access and steal even more enticing data, such as a customer or patient medical information database.

Reference: https://blog.talosintelligence.com/2021/07/threat-spotlight-solarmarker.html


Title: Microsoft warns of NTLM relay attacks

Description: Microsoft released an advisory last week with a workaround for recently discovered NTLM relay attacks. A tool, called PetitPotam, works against servers that enable NTLM authentication and Active Directory Certificate Services. An attacker could use this tool to abuse the Microsoft Encrypting File System Remote Protocol to authenticate to another server. An adversary could carry out this attack without any prior authentication. Microsoft and other security researchers advise disabling NTLM authentication on domain controllers. Users could also disable NTLM on any AD CS servers and NTLM for IIS AD CS servers.

References:

- https://duo.com/decipher/microsoft-issue-guidance-for-mitigating-petitpotam-ntlm-relay-attack

- https://support.microsoft.com/en-us/topic/kb5005413-mitigating-ntlm-relay-attacks-on-active-directory-certificate-services-ad-cs-3612b773-4043-4aa9-b23d-b87910cd3429

Internet Storm Center Entries


The U.S. Department of Justice says the threat actors behind the SolarWinds supply chain attack broke into federal prosecutors’ email accounts.

https://www.npr.org/2021/07/31/1023162095/russians-hacked-federal-prosecutors-doj-solarwinds


Attackers blocked an Italian booking site for the COVID-19 vaccine.

https://www.cnn.com/2021/08/02/business/italy-hackers-covid-vaccine-intl/index.html


The U.S. government has hired a company to help it store seized bitcoin.

https://www.vox.com/recode/2021/7/30/22600574/cryptocurrency-bitcoin-ethereum-asset-seizure-crimes-bank-storage-password-department-of-justice


The U.S. Cybersecurity and Infrastructure Security Agency launched a new internal vulnerability reporting platform for federal agencies.

https://www.cisa.gov/blog/2021/07/29/cisa-announces-new-vulnerability-disclosure-policy-vdp-platform


An updated version of PunkSpider will be introduced at the Defcon conference next week. The tool crawls the web to catalog vulnerabilities in websites.

https://www.wired.com/story/punkspider-web-site-vulnerabilities/


Apple released patches for iOS, iPadOS, and macOS last week to fix a zero-day vulnerability.

https://therecord.media/apple-releases-fix-for-ios-and-macos-zero-day-13th-this-year/


A week after releasing iOS 14.7.1, Apple stopped signing iOS version 14.7, preventing users from downgrading to that version.

https://9to5mac.com/2021/08/02/apple-stops-signing-ios-14-7-blocking-downgrades-from-ios-14-7-1/


In September, Google will add a resource key to the end of shared Google Drive links to prevent people from guessing secret URLs.

https://arstechnica.com/gadgets/2021/07/heres-what-that-google-drive-security-update-message-means/

Recent CVEs


COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM 

This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help prioritize their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.

Prevalent Malware Files


COMPILED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


SHA 256: c1d5a585fce188423d31df3ea806272f3daa5eb989e18e9ecf3d94b97b965f8e

MD5: 9a4b7b0849a274f6f7ac13c7577daad8

VirusTotal: https://www.virustotal.com/gui/file/c1d5a585fce188423d31df3ea806272f3daa5eb989e18e9ecf3d94b97b965f8e/details

Typical Filename: ww31.exe

Claimed Product: N/A

Detection Name: W32.GenericKD:Attribute.24ch.1201


SHA 256: 9a74640ca638b274bc8e81f4561b4c48b0c5fbcb78f6350801746003ded565eb

MD5: 6be10a13c17391218704dc24b34cf736

VirusTotal: https://www.virustotal.com/gui/file/9a74640ca638b274bc8e81f4561b4c48b0c5fbcb78f6350801746003ded565eb/details

Typical Filename: smbscanlocal0906.exe

Claimed Product: N/A

Detection Name: Win.Dropper.Ranumbot::in03.talos


SHA 256: 8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9

MD5: 34560233e751b7e95f155b6f61e7419a

VirusTotal: https://www.virustotal.com/gui/file/8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9/details

Typical Filename: SAntivirusService.exe

Claimed Product: A n t i v i r u s S e r v i c e

Detection Name: PUA.Win.Dropper.Segurazo::tpd


SHA 256: e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd

MD5: 8193b63313019b614d5be721c538486b

VirusTotal: https://www.virustotal.com/gui/file/e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd/details

Typical Filename: SAService.exe

Claimed Product: SAService

Detection Name: PUA.Win.Dropper.Segurazo::95.sbx.tg


SHA 256: 7820c5e3fbad356d9a8333ff731b04a4a3dd6e41cfc37be90b4e638fa1a6551e

MD5: 4891c7b054453b3e1b0950bb8e645b9c

VirusTotal: https://www.virustotal.com/gui/file/7820c5e3fbad356d9a8333ff731b04a4a3dd6e41cfc37be90b4e638fa1a6551e/details

Typical Filename: FlashHelperService.exe

Claimed Product: Flash Helper Service

Detection Name: PUA:2144FlashPlayer-tpd