Threat Source newsletter (Oct. 13, 2022) — Cybersecurity Awareness Month is all fun and memes until someone gets hurt
By Jon Munshaw.
Welcome to this week’s edition of the Threat Source newsletter.
October is National Cybersecurity Awareness Month, which, if you’ve been on social media at all the past 13 days or read any cybersecurity news website, you surely know already.
As it does every year, I saw Cybersecurity Awareness Month kick off with a lot of snark and memes of people joking about what it even means to be “aware” of cybersecurity and why we even have this month at all. And I get why it’s easy to poke fun at: it is, at its core, a marketing-driven campaign, and hardcore security experts and researchers have notoriously pushed back against this being a marketing-driven field.
I’m not saying there should be Cybersecurity Awareness Month mascots brought to life on the floor of Black Hat, but it is probably time to pump the brakes on the skepticism and snark. After all, this week should be about broadening the security community, not trying to exclude others from it. I came to Talos almost five years ago at this point knowing little to nothing about security. I had written about everything from ballet dancing to local government ordinances and zoning laws in my previous field, but the second someone mentioned a “container” in relation to computers I could only picture the big metal ones on the decks of freighter boats. The only reason I’ve made it to this point in my career is the support of my employer and co-workers, and their openness to these kinds of conversations.
And even five years into the field, I still have so much more to learn. But an easy way for me to digest security is through these high-level conversations, memes, “awareness” stories and “explain like I’m five” questions.
My sister-in-law recently had her Instagram account hacked by some bitcoin-mining operation to the point she just had to cut her losses and create a new account. Before that, she didn’t know that enabling multi-factor authentication in Instagram was even an option. Or that, because her one password had been compromised on one site, an attacker might try that same password on another site with an easy-to-guess email address.
My wife never thought to check the “To” field of her emails if she thinks the Post Office is actually holding a package for her, before realizing the link is from “ussps.zone” or something. In those cases, they quite literally are not aware of the security risks; it’s not that they were willingly ignoring them.
That’s why I think National Cybersecurity Awareness Month is still important. It’s not for the security practitioners who have been following the same group of 100 people for the past 10 years, it’s for the public who does need to become more aware of the current cybersecurity risks that are out there. It’s probably worth putting the jokes aside for a week or two just to take the time to tell someone about why they shouldn’t just click on any link that’s texted to them from a number with the same area code as them.
That’s how I learned, and that’s how a lot of my colleagues have learned — just asking questions (some of them that may seem dumb at first). If you want to make it easier to start a conversation with any of your friends and family this October about security, any of the resources on Cisco’s NCSAM page are a great place to start.
The one big thing
Microsoft released its monthly security update Tuesday, disclosing 83 vulnerabilities across the company’s hardware and software line, including seven critical issues in Windows’ point-to-point tunneling protocol. October’s security update features 11 critical vulnerabilities, with the remainder being “important.”
Why do I care?
Many of the critical vulnerabilities included in this month’s security release could lead to remote code execution, which is usually the worst of the worst when it comes to vulnerabilities. One of the most notable vulnerabilities Microsoft fixed this month is CVE-2022-41038, a remote code execution issue in Microsoft SharePoint. There are several other SharePoint vulnerabilities included in this month’s Patch Tuesday, though this seems the most severe, as Microsoft considers it “more likely” to be exploited.
So now what?
Patch all your Microsoft hardware and software as soon as possible in accordance with the guidance the company provides on its update page. Talos has also released several Snort rules to protect against the exploitation of many of these vulnerabilities.
Top security headlines from the week
Killnet, a Russian state-sponsored threat actor, took credit for several high-profile cyber attacks this week, including the disruption of websites belonging to major American airports and state governments. The group posted on Telegram that it was behind a distributed denial-of-service attack on several airports’ sites, including Los Angeles International, Chicago O’Hare and Hartsfield-Jackson International in Atlanta, some of the largest in the U.S. However, no flight operations were disrupted. Prior to that, the group also carried out DDoS attacks against state government-run websites in Colorado, Connecticut, Kentucky and Mississippi, including local election committees. Killnet also took responsibility for disrupting the bank JP Morgan’s infrastructure, though the bank denied it experienced any negative effects from the attack. (NPR, SC Magazine, StateScoop)
Microsoft updated its mitigations for the so-called “ProxyNotShell” zero-day vulnerabilities in Exchange Server after security researchers found the initial recommendations could be bypassed. However, there was no formal patch for the issues in this week’s Patch Tuesday as some had expected. An attacker could exploit the flaws to achieve remote code execution on the underlying server. Microsoft also says it’s investigating a possibly different vulnerability in Exchange Server that’s being exploited in the wild, though they aren’t ruling out that the new report could be connected to ProxyNotShell. (The Hacker News, The Register, The Record)
Facebook warned more than a million users that their login credentials could have been stolen if they downloaded one of 400 malicious apps on the Google Play and Apple app stores. The malicious apps disguised themselves as mobile games, photo editing or fitness tracking apps, among others, according to Facebook. Users who may have logged into Facebook through the malicious app could have had their information stolen. Facebook has already notified the users affected, warning them to enable two-factor authentication on their accounts and change their passwords. Forty-seven of the apps existed on the Apple store, while the remainder were Android-based. (CNET, Engadget)
Can’t get enough Talos?
- Talos Takes Ep. #116: The latest on Lockbit 3.0 drama and the rest of the ransomware landscape
- Threat Roundup for Sept. 30 to Oct. 7
- How ransomware turned into the stuff of nightmares for modern businesses
- VMware Patches Code Execution Vulnerability in vCenter Server
Upcoming events where you can find Talos
GovWare 2022 (Oct. 18 - 20) Sands Expo & Convention Centre, Singapore
Conference On Applied Machine Learning For Information Security (Oct. 20 - 21) Sands Capital Management, Arlington, Virginia
BSides Lisbon (Nov. 10 - 11) Cidade Universitária, Lisboa, Portugal
Most prevalent malware files from Talos telemetry over the past week
SHA 256: 125e12c8045689bb2a5dcad6fa2644847156dec8b533ee8a3653b432f8fd5645
MD5: 2c8ea737a232fd03ab80db672d50a17a
Typical Filename: LwssPlayer.scr
Claimed Product: 梦想之巅幻灯播放器
Detection Name: Auto.125E12.241442.in02
SHA 256: e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934
MD5: 93fefc3e88ffb78abb36365fa5cf857c
Typical Filename: Wextract
Claimed Product: Internet Explorer
Detection Name: PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg
SHA 256: 1a234656f81e870cdeb0e648a6b305a41452c405cca21124de26b54f79d55ad0
MD5: 10f1561457242973e0fed724eec92f8c
Typical Filename: ntuser.vbe
Claimed Product: N/A
Detection Name: Auto.1A234656F8.211848.in07.Talos
SHA 256: e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c
MD5: a087b2e6ec57b08c0d0750c60f96a74c
Typical Filename: AAct.exe
Claimed Product: N/A
Detection Name: PUA.Win.Tool.Kmsauto::1201
SHA 256: 63d543945e33b4b6088dc34d0550213dc73ea6acce248d8353c63039e8fa284f
MD5: a779d230c944ef200bce074407d2b8ff
Typical Filename: mediaget.exe
Claimed Product: MediaGet
Detection Name: W32.File.MalParent
Related news
Microsoft SharePoint Server Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2022-38053, CVE-2022-41036, CVE-2022-41037.
By Jon Munshaw and Vanja Svajcer. Microsoft released its monthly security update Tuesday, disclosing 83 vulnerabilities across the company’s hardware and software line, including seven critical issues in Windows’ point-to-point tunneling protocol. October's security update features 11 critical vulnerabilities, with the remainder being “important.” One of the most notable vulnerabilities Microsoft fixed this month is CVE-2022-41038, a remote code execution issue in Microsoft SharePoint. There are several other SharePoint vulnerabilities included in this month’s Patch Tuesday, though this seems the most severe, as Microsoft continues it to be “more likely” to be exploited. An attacker must be authenticated to the target site with the correct permissions to use manage lists in SharePoint to exploit this vulnerability, and eventually gain the ability to execute remote code on the SharePoint server. CVE-2022-37968, an elevation of privilege vulnerability in Azure Arc Connect, has th...