Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers.

We all think of APTs as these wide-reaching, silent threat groups who are backed by a nation-state. But our recent research into Gamaredon shows that not all APTs are created equal.

We’ve spotted this actor carrying out several different attacks across the globe, many of which are mainly interested in stealing information. And what they do with that information is still up for debate.

Upcoming public engagements with Talos

Title: Cisco Live 2021

Date: March 30 – April 1

Speakers: Nick Biasini, more TBA

Overview: Join us for the annual Cisco Live conference, this year held virtually for the first time, with sessions running across the globe at the same time. Cisco Live is your destination for year-round technical education and training. There will be many on-demand sessions to choose from throughout the conference. Nick Biasini of Talos Outreach will provide a broad overview of the past year’s threats and trends we’ve been seeing, with a specific focus on dual-use tools and supply chain attacks. Additional sessions will be announced in the coming weeks.

Cybersecurity week in review

  • U.S. President Joe Biden’s administration is reportedly preparing to sanction Russia for its involvement in the recent SolarWinds breach that affected thousands of companies and government agencies. American defense agencies are also reportedly working on new defensive measures to protect against similar attacks in the future.
  • Several major tech companies testified in front of the U.S. Senate this week regarding the SolarWinds incident. Representatives from Amazon Web Services, which is also reportedly involved in the campaign, declined to attend.
  • Apple says it’s already addressed the “Silver Sparrow” attack that targets the company’s M1 chips. Cisco Talos also already has hash-based protection in place to prevent attacks.
  • A child-focused security camera company says it was recently the victim of a data breach. However, NurseryCam says the compromise did not allow any adversaries to spy on children or parents through their cameras, which are usually placed at daycares.
  • APT31 is reportedly using a repurposed zero-day exploit from fellow APT the Equation Group to target Microsoft products. Microsoft patched the vulnerability in 2017 with no CVE, though some software remains unpatched in the wild.
  • A new IBM report states the operators behind the Sodinokibi ransomware made at least $123 million in profits in 2020. The group (also known as REvil) also stole around 21.6 TB of data.
  • Attackers are targeting chatrooms in Clubhouse, an exclusive social media startup that’s focused on voice chat. Users have been warned that some voice chats and other data may have been vulnerable.
  • Ukrainian officials are blaming a Russian state-sponsored actor for an attack on the country’s government document management system. A statement from Ukraine said the goal of the attack was "the mass contamination of information resources of public authorities."
  • Video game developer CD Projekt Red is still suffering after a ransomware attack earlier this month. The company’s employees are partially locked out from their remote desktops, according to a new report, which has led to development delays.

Notable recent security issues

Title: Masslogger steals users’ credentials from Outlook, Chrome

Description: Cisco Talos recently discovered a campaign utilizing a variant of the Masslogger trojan designed to retrieve and exfiltrate user credentials from multiple sources such as Microsoft Outlook, Google Chrome and instant messengers. The actor employs a multi-modular approach that starts with the initial phishing email and carries through to the final payload. The adversaries behind this campaign likely do this to evade detection. But it can also be a weakness, as there are plenty of opportunities for defenders to break the kill chain. While most of the public attention seems to be focused on ransomware attacks, big game hunting and APTs, it is important to keep in mind that crimeware actors are still active and can inflict significant damage on organizations by stealing users' credentials. The credentials themselves have value on the dark web, and actors sell them for money or use them in other attacks.

Snort SIDs: 57141-57154

OSQueries: https://github.com/Cisco-Talos/osquery_queries/blob/master/win_forensics/potential_compiled_HTML_abuse.yaml

Title: Gamaredon APT spreads rapidly, looking to steal and sell information

Description: Gamaredon is a threat actor, active since at least 2013, that has long been associated with pro-Russian activities in several reports throughout the years. It is extremely aggressive and, while it is usually not associated with high-visibility campaigns, Cisco Talos sees it as incredibly active and believes the group is on par with some of the most prolific crimeware gangs. Gamaredon has been exposed several times in multiple threat intelligence reports, without any significant effect on its operations. Its information-gathering activities can almost be classified as those of a second-tier APT, whose main goal is to gather information and share it with other units, who will eventually use that information to achieve the end goal. Recently, Cisco Talos researchers discovered four different campaigns using different initial infection vectors and final payloads.

Snort SIDs: 57194-57196

ClamAV: Lnk.Malware.Gamaredon-7448135-3

Most prevalent malware files this week

SHA 256: c1d5a585fce188423d31df3ea806272f3daa5eb989e18e9ecf3d94b97b965f8e

MD5: 9a4b7b0849a274f6f7ac13c7577daad8

Typical Filename: ww31.exe

Claimed Product: N/A

Detection Name: W32.GenericKD:Attribute.24ch.1201

SHA 256: 4647f1a0850a961e341a863194e921c102578a9c4ef898fa5e4b54d9fb65e57b

MD5: f37167c1e62e78b0a222b8cc18c20ba7

Typical Filename: flashhelperservice.exe

Claimed Product: Flash Helper Service

Detection Name: W32.4647F1A085.in12.Talos

SHA 256: 85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5

MD5: 8c80dd97c37525927c1e549cb59bcbf3

Typical Filename: svchost.exe

Claimed Product: N/A

Detection Name: Win.Exploit.Shadowbrokers::5A5226262.auto.talos

SHA 256: 8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9

MD5: 34560233e751b7e95f155b6f61e7419a

Typical Filename: SAntivirusService.exe

Claimed Product: A n t i v i r u s S e r v i c e

Detection Name: PUA.Win.Dropper.Segurazo::tpd

SHA 256: 1a8a17b615799f504d1e801b7b7f15476ee94d242affc103a4359c4eb5d9ad7f

MD5: 88781be104a4dcb13846189a2b1ea055

Typical Filename: ActivityElement.dp

Claimed Product: N/A

Detection Name: Win.Trojan.Generic::sso.talos

Keep up with all things Talos by following us on Twitter. Snort, ClamAV and Immunet also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.