
Threat Source newsletter (Oct. 6, 2022) — Continuing down the Privacy Policy rabbit hole

Oct. 6, 2022, 6:00 p.m.
Jon Munshaw
blog.talosintelligence.com

CVSS3 8.8 High: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (Attack Vector NETWORK, Attack Complexity LOW, Privileges Required LOW, User Interaction NONE, Scope UNCHANGED, Confidentiality/Integrity/Availability Impact HIGH)

_By Jon Munshaw._

Welcome to this week’s edition of the Threat Source newsletter.

As I wrote about last week, I’ve been diving a lot into apps’ privacy policies recently. And I was recently made aware of a new type of app I never knew existed — family trackers.

There are countless mobile apps for parents to track their children or other family members based on their location, phone usage, and even driving speed. As an anxious soon-to-be-parent, this sounds intriguing to me — it’d be a souped-up version of Find My Friends on Apple devices so I’d never have to ask my teenager (granted, I’m many years away from being at that stage of my life) when they were coming home or where they were.

Just as with all other types of mobile apps, there are pitfalls, though.

Life360, one of the most popular apps of this type, which even tells users what their maximum driving speed was on a given trip, was found in December 2021 to be selling precise location data on its users, potentially affecting millions of people. Once that precise location data is out there, there is no telling who could eventually get hold of it. Even if Life360 doesn’t intend to let adversaries see this information, it has no direct control over how those third parties handle the information once it’s sold.

The app’s current and updated privacy policy states that it “may also share location information with our partners, such as Cuebiq and its Partners, for tailored advertising, attribution, analytics, research and other purposes.” However, users do have the ability to opt out of this inside the app.

There is hardware that offers this same type of tracking. Jealous, angry or paranoid spouses and parents have used Apple’s AirTags in the past to track people without their knowledge, eventually to the point that Apple had to address the issue directly and ship several updates to AirTags’ security and precise-location alerts to make it easier for users to find potentially unwanted AirTags on their cars or personal belongings.

This is truthfully just an area of concern I had never considered before. Many parents would do anything for their children’s safety, which is certainly understandable. But just like personal health apps, we need to consider the security trade-offs here, too. As we’ve said before, no one truly has “nothing to hide,” especially when it comes to minors or vulnerable populations. I’m not saying using any of these apps is inherently wrong, or that AirTags do not have their legitimate purposes. But any time we welcome this software and hardware into our homes and on our devices, it’s worth considering what sacrifices we might be making elsewhere.

The one big thing

Microsoft warned last week of the exploitation of two recently disclosed vulnerabilities, collectively referred to as “ProxyNotShell,” affecting Microsoft Exchange Server 2013, 2016 and 2019. Limited exploitation of these vulnerabilities in the wild has been reported. CVE-2022-41040 is a server-side request forgery (SSRF) vulnerability that an authenticated attacker can use to reach CVE-2022-41082, a remote code execution (RCE) vulnerability that is exploitable when PowerShell is accessible to the attacker. Chained together, the two allow an attacker to execute code remotely on the targeted server.

> ### Why do I care?
>
> Exchange vulnerabilities have become increasingly popular with threat actors, as they can provide initial access to network environments and are often used to facilitate more effective phishing and malspam campaigns. The Hafnium threat actor exploited several zero-day vulnerabilities in Exchange Server in 2021, and the same flaws were subsequently used by other groups to deliver ransomware. Cisco Talos Incident Response reported that exploitation of Exchange Server issues was one of the four attacks it saw most often last year.
>
> ### So now what?
>
> No fixes or patches are available yet, but Microsoft published mitigations for on-premises Exchange Server on Sept. 29, 2022. Even organizations that use Exchange Online may still be affected if they run a hybrid server. Microsoft has continued to update its mitigations after security researchers showed that earlier versions of the URL Rewrite blocking rule could be bypassed. Talos has released several Snort rules to detect exploitation of these vulnerabilities and the malware families used in these attacks.

Top security headlines from the week

More than 2 million Australians’ personal information is at risk after a data breach at telecommunications giant Optus. More than 1.2 million customers had at least one ID number from a current and valid form of identification exposed, along with other personal data, according to an update from the company’s CEO. Adding to the confusion, the company told many residents of New South Wales that it would need to replace their driver’s licenses, only to later backtrack and say that would not be the case for everyone affected. Optus says it has enlisted a third party to complete a thorough review of the compromise to identify security gaps and any other potential fallout. (ABC News, Nine News)

The Vice Society ransomware group leaked more than 500 GB worth of data on employees and students at the Los Angeles Unified School District after the district refused to pay an extortion demand following a ransomware attack several weeks ago. Officials said the leak was less extensive than originally feared and limited to attendance and academic records from 2013 - 2016. The district declined to pay the ransom because there was no guarantee that the actors would not leak the information anyway. Threat actors have commonly targeted the education sector with ransomware as the school year starts, when school networks are particularly vulnerable. (Axios, Los Angeles Times)

The infamous Lazarus Group threat actor continues to ramp up its activity, recently weaponizing open-source software and abusing a Dell driver to target organizations around the globe. A recent report from Microsoft found that the group was distributing trojanized builds of legitimate open-source tools to its targets. In a separate campaign, the APT exploited a vulnerability in a Dell firmware driver (CVE-2021-21551) to deliver a Windows rootkit, targeting an aerospace company in the Netherlands and a journalist in Belgium. Lazarus Group is known for operating in North Korean state interests, often stealing cryptocurrency or finding other ways to earn money. (Bleeping Computer, Security Affairs)

Upcoming events where you can find Talos

Cisco Security Solution Expert Sessions (Oct. 11 & 13)

Virtual

GovWare 2022 (Oct. 18 - 20)

Sands Expo & Convention Centre, Singapore

Conference On Applied Machine Learning For Information Security (Oct. 20 - 21)

Sands Capital Management, Arlington, Virginia

Most prevalent malware files from Talos telemetry over the past week


**SHA 256:** c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0
**MD5:** 8c69830a50fb85d8a794fa46643493b2
**Typical Filename:** AAct.exe
**Claimed Product:** N/A
**Detection Name:** PUA.Win.Dropper.Generic::1201

**SHA 256:** e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934
**MD5:** 93fefc3e88ffb78abb36365fa5cf857c
**Typical Filename:** Wextract
**Claimed Product:** Internet Explorer
**Detection Name:** PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg

**SHA 256:** 58d6fec4ba24c32d38c9a0c7c39df3cb0e91f500b323e841121d703c7b718681
**MD5:** f1fe671bcefd4630e5ed8b87c9283534
**Typical Filename:** KMSAuto Net.exe
**Claimed Product:** KMSAuto Net
**Detection Name:** PUA.Win.Tool.Hackkms::1201

**SHA 256:** e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c
**MD5:** a087b2e6ec57b08c0d0750c60f96a74c
**Typical Filename:** AAct.exe
**Claimed Product:** N/A
**Detection Name:** PUA.Win.Tool.Kmsauto::1201

**SHA 256:** 63d543945e33b4b6088dc34d0550213dc73ea6acce248d8353c63039e8fa284f
**MD5:** a779d230c944ef200bce074407d2b8ff
**Typical Filename:** mediaget.exe
**Claimed Product:** MediaGet
**Detection Name:** W32.File.MalParent
