Threat Source newsletter (June 16, 2022) — Three top takeaways from Cisco Live
By Jon Munshaw.
Welcome to this week’s edition of the Threat Source newsletter.
I’m still decompressing from Cisco Live and the most human interaction I’ve had in a year and a half.
But after spending a few days on the show floor and interacting with everyone, a few things stand out to me about the state of security and what people at Cisco Live are interested in. So, I wanted to take some time to highlight the things that stood out to me most at this year’s Cisco Live.
Editor’s note: The Threat Source newsletter will be on a summer break next week, so no new edition!
**Don’t think about the worst**
A lot of our lightning talks at the Cisco Secure Pub this week centered around some crazy days, many of which left us scrambling — the Colonial Pipeline ransomware attack, Log4J, Kaseya, you name it. The problem is no one wants to think about how awful these days are.
During these talks, I saw a lot of heads in the audience nodding about how we need to be prepared for the worst, but no one wants to talk about that. Who wants to be the one to predict the next Log4J? Unfortunately, it’s going to happen; we just don’t know when. That’s why things like incident response plans and playbooks are so important.
You may not want to talk about the toughest day of your professional career, but it’s going to come, so we may as well embrace it and be ready.
**A wink and a nod**
Speaking of these major incidents, it seems like a ton of major security events have happened since the last in-person Cisco Live. While they were happening, it was all anyone could talk about. But in person, words like “SolarWinds” and “Kaseya” were spoken in hushed tones or only vaguely referenced, as in “back then” or “the dark times.”
If we are going to truly learn from these events, I feel like we need to speak about them openly and honestly. I try to keep a judgment-free security zone because eventually, a breach is going to happen to everyone. So the point is not to shame someone when it happens; we should be discussing the lessons learned openly so we can do better next time, rather than trying to brush it under the rug.
During these stretches, we were all busy and stressed and it made for some late nights. That’s OK, and it should be OK to talk about that, even if you’re within earshot of someone who was involved.
**We can’t replicate everything over the internet**
The future is hybrid work, there’s no doubt about it. And I’d be the first person to tell you I prefer working from home versus commuting to the office today. But I must admit — it’s tough to replicate the connections at conferences and shows over Webex.
Meetings and 1:1 check-ins work great for virtual meeting platforms, but there’s something about just making a personal connection in-person to a stranger. I was working at the Talos booth this week and struck up a conversation with someone who worked in network operations for an NFL team. Being a huge NFL fan, I had all sorts of questions to ask about the ins and outs of his job and the organization, especially given Cisco Talos Incident Response’s recent work at the Super Bowl and NFL draft.
Unfortunately, this isn’t something we’ve been able to capture virtually. That operations person and I exchanged information on what we’re seeing in the field, what pain points exist and even got to talking about the NFL offseason. My wife, boss and parents would be shocked to hear me say this — but I actually missed talking to people in person.
**The one big thing**
Microsoft’s Patch Tuesday for this month included 40 high-severity vulnerabilities, including one critical issue. The most serious issue is CVE-2022-30136, a remote code execution vulnerability in the Windows Network File System (NFS) service, version NFSv4.1, with a near-maximum severity score of 9.8. An attacker can exploit the vulnerability over the network by making an unauthenticated, specially crafted call to an NFS service to execute remote code. To mitigate this vulnerability, users are advised to disable the vulnerable version, NFSv4.1, and restart the NFS server or reboot the machine.
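As an added illustration (this is not code from the newsletter or from Talos), the following PowerShell snippet performs the mitigation described above on a Windows Server host: it checks whether the Server for NFS role still has NFSv4 enabled, turns it off, and restarts the NFS server so the change takes effect. It assumes the Server for NFS role and its `NFS` PowerShell module are installed, that the script runs in an elevated session, and that the `EnableNFSV4` setting is the one that governs the NFSv4.1 listener on the host.

```powershell
# Added example, not part of the Threat Source newsletter.
# Assumes: Server for NFS role installed, NFS PowerShell module available,
# and an elevated (Administrator) session.
Import-Module NFS -ErrorAction Stop

$cfg = Get-NfsServerConfiguration
if ($cfg.EnableNFSV4) {
    Write-Host "NFSv4 is enabled on this host; disabling it as a mitigation."
    # Caveat: any clients that mount shares over NFSv4 will lose access once
    # this is applied; v2/v3 exports (if enabled) are not affected by this change.
    Set-NfsServerConfiguration -EnableNFSV4 $false
    # The setting only takes effect after the NFS server restarts (or a reboot).
    nfsadmin server stop
    nfsadmin server start
} else {
    Write-Host "NFSv4 is already disabled on this host."
}

# Confirm the resulting protocol configuration before moving on to the patch itself.
Get-NfsServerConfiguration | Select-Object EnableNFSV2, EnableNFSV3, EnableNFSV4
```

Disabling the protocol version is a stop-gap, not a substitute for installing the June update; the final `Get-NfsServerConfiguration` call is there so the change can be recorded as evidence in a change ticket and reverted deliberately once the host is patched.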
**Why do I care?** This month’s round of updates also includes a fix for the high-profile Follina vulnerability disclosed a few weeks ago. Attackers are actively exploiting this in the wild to deliver malware, so this is especially important to patch immediately. Also, this release marks the official end of Internet Explorer, the Microsoft browser that’s been around for more than 25 years. As of Tuesday, Microsoft stopped officially supporting most versions of Explorer and disabled the IE desktop application. All Explorer users are encouraged to switch over to Microsoft Edge (or another web browser).
**So now what?** Talos is releasing a new Snort rule set that detects attempts to exploit some of these vulnerabilities. Cisco Secure Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. And it goes without saying, but all Microsoft users should update their products as soon as possible.
**Other news of note**
U.S. defense contractor L3Harris is in talks to acquire the controversial Israeli tech company NSO Group, the creators of the Pegasus spyware. Pegasus is known to be used by threat actors to track unwilling targets, including activists, journalists and government leaders. This has set off alarm bells for privacy experts and those following national security, and some are even calling on the White House to preemptively block any sort of deal. NSO Group is currently on a U.S. blacklist for working “contrary to the foreign policy and national security interests of the U.S.” (The Guardian, Haaretz)
Apple unveiled the newest version of its iOS operating system for iPhones last week, including several new security features and improvements. Users will no longer have to download standalone versions of the operating system to implement security updates, and instead, the patches will be installed automatically. Another new feature is the ability to edit and unsend iMessages. However, security and privacy experts worry this ability could allow stalkers, harassers, and abusers to contact their victims and then hide any trace of their messages, leading some people to call on Apple to change the feature. (9To5Mac, Mac Rumors)
A newly discovered Linux malware is extremely difficult to detect while spreading silently across a network. Security researchers call this campaign “Symbiote,” and it’s already been spotted in the wild. Symbiote infects running Linux processes and steals user credentials, gains rootkit functionality and installs a backdoor for remote access. Once it infects the processes, it can become difficult to detect by the typical security software, and some researchers are wondering if it’s even possible to detect this attack. (ThreatPost, Ars Technica)
**Can’t get enough Talos?**
- Boosting Security Resilience and Defending the IT Ecosystem
- Businesses need to be more aggressive with their cyber security, Cisco warns
- Cisco unveils sweeping new cloud capabilities, SASE and WAN forecasting offerings
- Deepfake attacks expected to be next major threat to businesses
**Upcoming events where you can find Talos**
BlackHat U.S. (Aug. 6 - 11, 2022)
Las Vegas, Nevada
DEF CON U.S. (Aug. 11 - 14, 2022)
Las Vegas, Nevada
**Most prevalent malware files from Talos telemetry over the past week**
SHA 256: e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934
MD5: 93fefc3e88ffb78abb36365fa5cf857c
Typical Filename: Wextract
Claimed Product: Internet Explorer
Detection Name: PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg

SHA 256: 125e12c8045689bb2a5dcad6fa2644847156dec8b533ee8a3653b432f8fd5645
MD5: 2c8ea737a232fd03ab80db672d50a17a
Typical Filename: LwssPlayer.scr
Claimed Product: 梦想之巅幻灯播放器
Detection Name: Auto.125E12.241442.in02

SHA 256: b2ef49a10d07df6db483e86516d2dfaaaa2f30f4a93dd152fa85f09f891cd049
MD5: 067f9a24d630670f543d95a98cc199df
Typical Filename: RzxDivert32.sys
Claimed Product: WinDivert 1.4 driver
Detection Name: W32.B2EF49A10D-95.SBX.TG

SHA 256: c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0
MD5: 8c69830a50fb85d8a794fa46643493b2
Typical Filename: AAct.exe
Claimed Product: N/A
Detection Name: PUA.Win.Dropper.Generic::1201
**Related news**
Hello everyone! This will be an episode about the Microsoft vulnerabilities that were released on June Patch Tuesday and also between May and June Patch Tuesdays. Alternative video link (for Russia): https://vk.com/video-149273431_456239094 On June Patch Tuesday, June 14, 56 vulnerabilities were released. Between May and June Patch Tuesdays, 38 vulnerabilities were released. This gives us 94 […]
Windows Network File System Remote Code Execution Vulnerability.
Patch Tuesday for June 2022 brought a fix for Follina and many other security vulnerabilities. Time to figure out what needs to be prioritized. (Malwarebytes Labs, “Update now! Microsoft patches Follina, and many other security updates”)
Microsoft on Tuesday released software updates to fix 60 security vulnerabilities in its Windows operating systems and other software, including a zero-day flaw in all supported Microsoft Office versions on all flavors of Windows that's seen active exploitation for at least two months now. On a lighter note, Microsoft is officially retiring its Internet Explorer (IE) web browser, which turns 27 years old this year.
Microsoft officially released fixes to address an actively exploited Windows zero-day vulnerability known as Follina as part of its Patch Tuesday updates. Also addressed by the tech giant are 55 other flaws, three of which are rated Critical, 51 are rated Important, and one is rated Moderate in severity. Separately, five other shortcomings were resolved in the Microsoft Edge browser.
Here are which Microsoft patches to prioritize among the June Patch Tuesday batch.
By Chetan Raghuprasad. Microsoft released its monthly security update Tuesday, disclosing 55 vulnerabilities in the company’s firmware and software. One of these vulnerabilities is considered critical, 40 are listed as high severity, and the remainder is considered "moderate." The most...