Threat Source newsletter (May 19, 2022) — Why I'm missing the days of iPods and LimeWire

By Jon Munshaw. 

Welcome to this week’s edition of the Threat Source newsletter. 

I will openly admit that I still own a “classic” iPod — the giant brick that weighed down my skinny jeans in high school and did nothing except play music. There are dozens of hours of music on there that I always tell myself I’m going to back up somewhere and never do. The iPod doesn’t have any charge at the moment, and I still need to hop on eBay to buy one of those flat chargers for it to even start the backup process. So no, I’m sure I’ll never get around to backing it up and recycling the device. 

But that doesn’t make it any less painful to hear that Apple is going to stop making iPods altogether. I’m a longtime iPod user and have owned everything from the original “stick of gum” iPod shuffle, to the tiny, square iPod nano that clipped to my backpack and made me think I was really cool, along with pretty much every other iteration of the nano. 

The news of the iPod’s end got me thinking about how far the threat landscape has come. We all have a supped-up iPod in our pockets now that connects to the internet at a moment’s notice and is one risky click away from someone stealing your banking app password. It used to be that when I wanted new music, I would have to plug the iPod into my parents’ Mac at home and connect to the internet, and then pray that whatever perilous download I was grabbing from uTorrent or LimeWire wasn’t going to download a virus. Most of the time, I thankfully landed on a somewhat legitimate version of a Slayer album. 

Nowadays, attackers have even come up with ways to install malware on your iPhone even when it’s powered down — that was never an issue in the heyday of the iPod! 

Though in my walk down memory lane, I did learn that some classic iPods shipped in 2006 contained Windows malware known as “RavMonE.exe,” an early example of why everyone should have at least a base anti-virus enabled.  

I’ll miss the days of the iPod, when I didn’t have to worry about malware following me in my backpack or briefcase. But I don’t miss having to illegitimately listen to Slayer, I’ll gladly pay the $10 a month for Spotify to avoid having to hope a file from “xX_metalhead420Xx_” doesn’t have malware in it.  

The one big thing 

A critical vulnerability in F5’s BIG-IP software continues to dominate security headlines and haunt defenders. Though we released coverage for this vulnerability last week, attackers are still exploiting it in the wild. Security researchers at the SANS Institute recently discovered adversaries exploiting the vulnerability to try and completely wipe some Linux systems. The U.S. Cybersecurity and Infrastructure Security Agency also added CVE-2022-1388 to its list of known vulnerabilities and gave federal agencies until May 30 to patch for the issue.   

Why do I care? 

The continuous warnings around this vulnerability show how truly widespread and potentially dangerous it is. Due to the nature of this vulnerability, and adversary could exploit it and obtain root privileges in the Linux operating systems powering BIG-IP devices. While most attackers seem to be using it to gain an initial foothold on a system, this also opens the door to an attacker running specific commands to delete files on the system, including ones that are required for the operating system to function correctly.  

So now what? 

Cisco Secure products have several ways of detecting exploitation of this vulnerability and defending against it. F5 also has a patch available for the vulnerability, which should be implemented immediately. If users are not able to patch for some reason, Talos, CISA and F5 all recommend blocking iControl REST access through the self IP address and management interface. 

 

Other news of note

The quantum computing race is on. This week, U.S. officials said they believe America will be the first country to harness the power of quantum computing, outpacing rivals like China. It’s widely believed that quantum computers will break current encryption technologies. This means the U.S. also has to develop new encryption standards, which has interested privacy experts. Though the National Security Agency has had backdoors into encryption methods in the past, the agency says that will not be the case for whatever standard the U.S. develops to combat quantum computing. (CyberScoop, Bloomberg) 

U.S. officials released a warning this week that North Koreans are posing as remote workers and hiding their true identities to apply for jobs with cryptocurrency-related companies. These individuals eventually aim to get onto corporate networks and steal currency for the North Korean government. While many of the adversaries are based in North Korea, others are operating out of China, Russia, Africa and South East Asia. North Korean state-sponsored actors have been finding different ways to steal virtual currency for years, mainly in the name of funding the country’s weapons program. (BBC, U.S. Department of Treasury) 

Western governments and security experts continue to sound warnings about potential cyber attacks from Russian state-sponsored groups. Although there have not been any major public attacks as expected when Russia invaded Ukraine, there has been a sustained effort to improve Russia’s standing in the war. Finland and Sweden’s application to join the NATO military alliance also raised the possibility that Russia could respond with a cyber attack. Albeit more low-stakes, Russian actors also tried to disrupt the semifinals and finals of the Eurovision Song Contest in Italy last week, a contest that Ukraine eventually won. (Reuters, The Hill, BBC) 

Can’t get enough Talos? 

• Talos Takes Ep. #96: Takeaways from victim chats with two ransomware groups
• Vulnerability Spotlight: Multiple memory corruption vulnerabilities in NVIDIA GPU driver
• Ransomware: How executives should prepare given the current threat landscape
• Threat Roundup for May 6 - 13

Upcoming events where you can find Talos 

NorthSec 2022 (May 19 – 20, 2022)
Montreal, Canada 

REcon (June 3 – 5, 2022)
Montreal, Canada 

RSA 2022 (June 6 – 9, 2022)
San Francisco, California 

Cisco Live U.S. (June 12 – 16, 2022)
Las Vegas, Nevada 

Most prevalent malware files from Talos telemetry over the past week  

SHA 256: e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934  
MD5: 93fefc3e88ffb78abb36365fa5cf857c  
Typical Filename: Wextract  
Claimed Product: Internet Explorer  
Detection Name: PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg  

SHA 256: 1b94aaa71618d4ecba665130ae54ef38b17794157123675b24641dc85a379426  
MD5: a841c3d335907ba5ec4c2e070be1df53  
Typical Filename: chip 1-click installer.exe  
Claimed Product: chip 1-click installer   
Detection Name: Win.Trojan.Generic::ptp.cam  

SHA 256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91   
MD5: 7bdbd180c081fa63ca94f9c22c457376  
Typical Filename: c0dwjdi6a.dll  
Claimed Product: N/A   
Detection Name: Trojan.GenericKD.33515991  

SHA 256: 59f1e69b68de4839c65b6e6d39ac7a272e2611ec1ed1bf73a4f455e2ca20eeaa   
MD5: df11b3105df8d7c70e7b501e210e3cc3   
Typical Filename: DOC001.exe   
Claimed Product: N/A   
Detection Name: Win.Worm.Coinminer::1201  

SHA 256: e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c  
MD5: a087b2e6ec57b08c0d0750c60f96a74c  
Typical Filename: AAct.exe  
Claimed Product: N/A    
Detection Name: PUA.Win.Tool.Kmsauto::1201