SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
Title: Attackers spread malware disguised as solution for Pegasus spyware
Description: Threat actors are impersonating the group Amnesty International and promising to protect against the Pegasus spyware as part of a scheme to deliver malware. Amnesty International recently made international headlines when it released a groundbreaking report on the widespread use of Pegasus to target international journalists and activists. Adversaries have set up a phony website that looks like Amnesty International's — a human rights-focused non-governmental organization — and points to a promised anti-virus tool to protect against the NSO Group's Pegasus tool. However, the download actually installs the little-known Sarwent malware. Sarwent contains the usual abilities of a remote access tool (RAT) — mainly serving as a backdoor on the victim machine — and can also activate the remote desktop protocol on the victim machine, potentially allowing the adversary to access the desktop directly.
Reference: https://blog.talosintelligence.com/2021/09/fakeantipegasusamnesty.html
Snort SIDs: 54357, 57901
Title: SonicWall patches critical vulnerability in remote connect device
Description: SonicWall released a security update for its Secure Mobile Access (SMA) 100 line of devices. The company disclosed a critical vulnerability that could allow unauthenticated attackers to remotely gain admin access on targeted devices. CVE-2021-20034 has a severity score of 9.1 out of a possible 10. The SMA 100 allows remote workers to securely connect to their office’s network and devices. The product recently came under additional scrutiny after SonicWall warned users that attackers were specifically targeting end-of-life versions of the device to deploy ransomware.
Snort SIDs: 58224 - 58226