Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers.

The Cisco Talos Incident Response team has several new, valuable insights into the threat landscape in the latest Quarterly Trends report. This post highlights the malware families our researchers are seeing most often in the field, and what tactics adversaries are using to infect victims.

We also have a new walkthrough available on the Talos blog of how to use Cisco Secure IPS to detect and protect against the Hafnium zero-day vulnerabilities in Microsoft Exchange Server.

On the Snort end of things, we have a new roundtable video up on our YouTube page talking about the history of Snort 3. We even managed to get Marty Roesch, the creator of Snort, to join us. Watch the full discussion on YouTube to find out how Snort 3 came to be in the first place and why you should upgrade today.

Upcoming public engagements with Talos

Title: Cisco Live 2021

Date: March 30 – April 1

Speakers: Nick Biasini, more TBA

Overview: Join us for the annual Cisco Live conference, which this year is held virtually, worldwide and at the same time, for the first time. Cisco Live is your destination for year-round technical education and training. There will be many on-demand sessions to choose from throughout the conference. Nick Biasini of Talos Outreach will provide a broad overview of the past year's threats and trends we've been seeing, with a specific focus on dual-use tools and supply chain attacks. Additional sessions will be announced in the coming weeks.

Title: Analyzing Android Malware: From triage to reverse-engineering

Date: April 7 at 11 a.m. ET

Speakers: Vitor Ventura

Overview: In this free webinar, Vitor Ventura of Talos Outreach will discuss the most recent Android malware he’s seen in the wild. Vitor will reverse-engineer some of these malware samples and discuss what users can do to stay safe. We’ll cover everything from deobfuscating strings, to appropriate patching practices and searching for command and control beacons.

Cybersecurity week in review

  • Cybersecurity officials across the U.S. are worried that an attack on a Florida town’s public water system in February could be the tip of the iceberg for cyber attacks on utilities. Many water systems across the country still don’t have appropriate firewalls in place, use outdated software and have shared, easy-to-guess passwords.
  • The CEOs of Google, Facebook and Twitter are scheduled to testify in front of the U.S. House on Thursday regarding disinformation. The trip to Capitol Hill comes as lawmakers ponder making changes to laws that protect technology companies from being held liable for the content on their platforms.
  • CNA, one of the largest providers of cybersecurity insurance, had to disconnect many of its computers from its network after a cyber attack. As of Thursday afternoon, the company's website stated, "The attack caused a network disruption and impacted certain CNA systems, including corporate email."
  • The U.K.’s top cybersecurity office warned education facilities that they are at high risk for a ransomware attack as students return to in-person instruction. A bulletin specifically highlights attacks carried out through the exploitation of Remote Desktop Protocol (RDP).
  • Security researchers are warning that attackers are trying to exploit recently disclosed vulnerabilities in Microsoft Exchange Server multiple times every single day. Despite Microsoft issuing a fix for these zero-days disclosed earlier this month, many affected products remain unpatched.
  • The group behind the REvil ransomware recently targeted laptop maker Acer, demanding a $50 million ransom. Attackers leaked images that are alleged to be financial spreadsheets, bank balances and communications with financial institutions as proof.
  • Facebook says it shut down a group that was using the social media platform to spread iOS and Android malware. The group was trying to spy on the oppressed Uyghur people in China.
  • An internal security research team at Facebook has spent the past two years looking for vulnerabilities in the products the company uses. One such study included installing 30,000 cryptocurrency miners on Facebook production servers as a proof of concept.
  • Millions of Israeli citizens had their voter registration and personal details leaked online this week, the same time as the country holds elections for its parliament. Information includes full names, phone numbers, addresses, age and more.

Notable recent security issues

Title: Vulnerabilities in line of NETGEAR switches could lead to remote code execution

Description: NETGEAR disclosed multiple vulnerabilities, some of them rated critical, in two of its ProSAFE Plus networking switches. An adversary could exploit these vulnerabilities to execute code on the affected devices without authenticating. NETGEAR could not fix five high-risk vulnerabilities due to "system-on-chip CPU and memory limitations of the switches." However, an attacker can only exploit these vulnerabilities if the switches have the Plus Utility feature enabled, which has been disabled by default since 2019, so confirming that setting is the first check to make on any deployed unit. One of the most serious vulnerabilities, CVE-2020-35231, allows an attacker to bypass NSDP authentication, potentially allowing them to execute management actions on the device or wipe its configuration via a factory reset.

Snort SIDs: 57332 - 57334

Title: Attacks spike against F5 BIG-IP and BIG-IQ vulnerabilities

Description: Attackers are actively exploiting a critical vulnerability in F5 devices that could lead to remote code execution. F5 disclosed and patched the flaw earlier this month, but many devices remain unpatched. The unauthenticated remote command execution vulnerability exists in F5 BIG-IP and BIG-IQ enterprise networking infrastructure. An attacker could exploit this flaw to fully take over a vulnerable system. Proof-of-concept exploit code made its way onto GitHub shortly after the vulnerability was disclosed, and security researchers say attackers are scanning for unpatched targets. The U.S. Cybersecurity and Infrastructure Security Agency also released a warning over the weekend urging users to patch as soon as possible.

Snort SIDs: 57336, 57337

Most prevalent malware files this week

SHA 256: c1d5a585fce188423d31df3ea806272f3daa5eb989e18e9ecf3d94b97b965f8e

MD5: 9a4b7b0849a274f6f7ac13c7577daad8

Typical Filename: ww31.exe

Claimed Product: N/A

Detection Name: W32.GenericKD:Attribute.24ch.1201

SHA 256: e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd

MD5: 8193b63313019b614d5be721c538486b

Typical Filename: SAService.exe

Claimed Product: SAService

Detection Name: PUA.Win.Dropper.Segurazo::95.sbx.tg

SHA 256: 8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9

MD5: 34560233e751b7e95f155b6f61e7419a

Typical Filename: SAntivirusService.exe

Claimed Product: A n t i v i r u s S e r v i c e

Detection Name: PUA.Win.Dropper.Segurazo::tpd

SHA 256: 85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5

MD5: 8c80dd97c37525927c1e549cb59bcbf3

Typical Filename: svchost.exe

Claimed Product: N/A

Detection Name: Win.Exploit.Shadowbrokers::5A5226262.auto.talos

SHA 256: 5901ce0f36a875e03e4d5e13e728a2724b8eff3c61cc24eb810be3df7508997f

MD5: b8a582da0ad22721a8f66db0a7845bed

Typical Filename: flashhelperservice.exe

Claimed Product: Flash Helper Service

Detection Name: W32.Auto:5901ce0f36.in03.Talos
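The hashes above are useful as indicators of compromise only if you actually compare them against files on disk. The following script is an added example written for this newsletter, not Talos tooling: it transcribes the five SHA-256/MD5 pairs listed above into a lookup table, hashes every file under a directory in one pass, and reports matches. It matches on SHA-256 first and treats an MD5-only hit as lower confidence, since MD5 collisions are cheap to produce; it deliberately ignores the "Typical Filename" column, because names such as svchost.exe are shared with legitimate binaries. The directory path and the sample byte strings used in the test are constructed here and are not from the page.

```python
"""IOC hash sweep for the file hashes listed in this newsletter.

Added example, not Talos tooling. The hash table is transcribed from the
entries above; any paths or sample contents are constructed for illustration.
"""
import hashlib
import os
from typing import Dict, List, Optional, Tuple

# SHA-256 -> details, exactly as listed in the newsletter. Typical filenames are
# recorded for reporting only and are never used for matching.
IOCS: Dict[str, Dict[str, str]] = {
    "c1d5a585fce188423d31df3ea806272f3daa5eb989e18e9ecf3d94b97b965f8e": {
        "md5": "9a4b7b0849a274f6f7ac13c7577daad8",
        "filename": "ww31.exe",
        "detection": "W32.GenericKD:Attribute.24ch.1201",
    },
    "e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd": {
        "md5": "8193b63313019b614d5be721c538486b",
        "filename": "SAService.exe",
        "detection": "PUA.Win.Dropper.Segurazo::95.sbx.tg",
    },
    "8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9": {
        "md5": "34560233e751b7e95f155b6f61e7419a",
        "filename": "SAntivirusService.exe",
        "detection": "PUA.Win.Dropper.Segurazo::tpd",
    },
    "85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5": {
        "md5": "8c80dd97c37525927c1e549cb59bcbf3",
        "filename": "svchost.exe",
        "detection": "Win.Exploit.Shadowbrokers::5A5226262.auto.talos",
    },
    "5901ce0f36a875e03e4d5e13e728a2724b8eff3c61cc24eb810be3df7508997f": {
        "md5": "b8a582da0ad22721a8f66db0a7845bed",
        "filename": "flashhelperservice.exe",
        "detection": "W32.Auto:5901ce0f36.in03.Talos",
    },
}

# Reverse index so an MD5-only hit can still be reported (at lower confidence).
MD5_INDEX: Dict[str, str] = {v["md5"]: sha for sha, v in IOCS.items()}


def hash_bytes(data: bytes) -> Tuple[str, str]:
    """Return (md5, sha256) hex digests of an in-memory buffer."""
    return hashlib.md5(data).hexdigest(), hashlib.sha256(data).hexdigest()


def hash_file(path: str, chunk: int = 1 << 20) -> Tuple[str, str]:
    """Return (md5, sha256) of a file, computed in a single streaming pass."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            md5.update(block)
            sha.update(block)
    return md5.hexdigest(), sha.hexdigest()


def match_hashes(md5: str, sha256: str) -> Optional[Dict[str, str]]:
    """Look up a hash pair in the IOC table.

    SHA-256 is authoritative. An MD5 match without a SHA-256 match is still
    returned, flagged "md5-only", so an analyst can decide whether it is a
    transcription error in the list or something worth a closer look.
    """
    md5, sha256 = md5.lower(), sha256.lower()
    entry = IOCS.get(sha256)
    if entry is not None:
        return dict(entry, sha256=sha256, confidence="sha256")
    sha_from_md5 = MD5_INDEX.get(md5)
    if sha_from_md5 is not None:
        return dict(IOCS[sha_from_md5], sha256=sha_from_md5, confidence="md5-only")
    return None


def sweep(root: str) -> List[Tuple[str, Dict[str, str]]]:
    """Walk `root` and return (path, match) for every file whose hash is an IOC."""
    hits: List[Tuple[str, Dict[str, str]]] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                md5, sha256 = hash_file(path)
            except OSError:
                continue  # unreadable or vanished; skip rather than abort the sweep
            hit = match_hashes(md5, sha256)
            if hit is not None:
                hits.append((path, hit))
    return hits


if __name__ == "__main__":
    import sys

    # Hypothetical usage: python ioc_sweep.py /path/to/scan
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, hit in sweep(target):
        print(f"{path}\t{hit['detection']}\t({hit['confidence']})")
```

Run it against a mounted image or a suspect host's download and temp directories; a clean sweep is expected on most machines, and any "sha256" hit should be handled as a confirmed match while an "md5-only" hit warrants re-checking the listed hashes before escalation.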

Keep up with all things Talos by following us on Twitter. Snort, ClamAV and Immunet also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast here and Talos Takes here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.