2021: Looking back on the year in malware and cyber attacks, from SolarWinds to Log4j

By Jon Munshaw.

It seems like we were just recovering from the aftermath of the massive SolarWinds campaign a month or two ago. And now suddenly, it’s been a year since one of the largest cyber attacks in history and moving onto another threat that could last for years. 

That just seemed to be how 2021 went — one hit after another for the cybersecurity community. We had everything from massive oil pipelines go offline, to state-sponsored actors raising the stakes, and (albeit on the less serious end of things) even saw the entirety of the Twitch streaming platform leaked. 

There’s really no way to predict where threat actors will head in 2022, but we expect to still see big game hunting and ransomware to be on the rise. It’s worth looking back at some of the major security moments from 2021, though, to be prepared for what could come in the New Year. 

Vulnerability Spotlight: Vulnerabilities in metal detector peripheral could allow attackers to manipulate security devices

Matt Wiseman of Cisco Talos discovered these vulnerabilities. Blog by Jon Munshaw. 

Cisco Talos recently discovered multiple vulnerabilities in a device from Garrett Metal Detectors that could allow remote attackers to bypass authentication requirements, manipulate metal detector configurations, and even execute arbitrary code on the device.  

The vulnerabilities specifically exist in the Garrett iC module, which provides network connectivity to the Garrett PD 6500i or Garrett MZ 6100 walk-through metal detectors commonly used at security checkpoints. An attacker could manipulate this module to remotely monitor statistics on the metal detector, such as whether the alarm has been triggered or how many visitors have walked through. They could also make configuration changes, such as altering the sensitivity level of a device, which potentially poses a security risk to users who rely on these metal detectors.

Vulnerability Spotlight: Vulnerabilities in DaVinci Resolve video editing software could lead to code execution

A Cisco Talos team member discovered these vulnerabilities. Blog by Jon Munshaw. 

Cisco Talos recently discovered two vulnerabilities in the DaVinci Resolve video editing software that could allow an adversary to execute code in the context of the application. 

DaVinci Resolve is a non-linear video editing application from Blackmagic Software that is available on multiple operating systems. Both these vulnerabilities exist in the DPDecoder service inside DaVinci Resolve.

Threat Advisory: Critical Apache Log4j vulnerability being exploited in the wild

Update History

Date	Description of Updates
Dec. 20, 2021	Additional coverage and IOCs; additional detection capabilities for customers via Cisco Global Threat Alerts.
Dec. 18, 2021	Additional mitigation guidance; updated coverage information.
Dec. 17, 2021	Added additional vulnerability and mitigation information; added section on guidance for developers; timeline.
Dec. 16, 2021	Added additional vulnerability and mitigation information; added event timeline; relevant advisory information.
Dec. 15, 2021	Added observations on exploitation activity; updated coverage information. Additional IOCs.
Dec. 14, 2021	Added new CVE details; updated coverage information; additional mitigation guidance; additional threat vectors; Additional IOCs.
Dec. 13, 2021	Added additional vulnerability information; updated coverage information; additional attack vectors identified; emerging obfuscations; Additional IOCs.
Dec. 12, 2021	Added additional vulnerability information; additional details on earliest observed activity; additional mitigation recommendations; additional IOCs.
Dec. 11, 2021	Added additional information on observed exploitation activity; updated coverage information; additional IOCs.
Dec. 10, 2021	Added additional vulnerability information; updated coverage information; additional IOCs.
Dec. 10, 2021	Initial publication date.

---

Update Dec. 21, 2021

Cisco Talos is releasing updates to Snort SIDs: 58722-58744, 58751, 58784-58790, 58795, 58801, 58811-58814 to address CVE-2021-44228/CVE-2021-45046/CVE-2021-45105, an RCE vulnerability in the Apache Log4j API.

Cisco Talos has also released an update for ClamAV signature: Java.Malware.CVE_2021_44228-9915816-1 and a new signature: PUA.Java.Tool.CVE_2021_44228-9916978-0 for threats exploiting these vulnerabilities. Please refer to the “Coverage” section for a comprehensive list of protections and signatures.

---

Talos Takes Ep. #80: I'll have a blue Christmas without a CTIR retainer

By Jon Munshaw.

The latest episode of Talos Takes is available now. Download this episode and subscribe to Talos Takes using the buttons below, or visit the Talos Takes page.

Threat Roundup for December 3 to December 10

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Dec. 3 and Dec. 10. As with previous roundups, this post isn't meant tobifj be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Threat Source Newsletter (Dec. 16, 2021)

Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers.  

I'm just going to cut to the chase since I know all anyone wants to read about is Log4J. For the latest Talos research, continually check back on our blog post here. Above is the live stream we recorded Monday morning updating everyone on the situation, but of course, a lot has already changed since then. Which is why Beers with Talos will be returning for a live recording Friday at noon ET. You can join us on any of our social media platforms or over on our YouTube page. 

This will be the last Threat Source newsletter of 2021 as we head into the holiday break. We hope everyone is able to put Log4J behind them at least for a few days and enjoy some quality time with friends and family.

Beers with Talos, Ep. #112: A new host approaches!

Beers with Talos (BWT) Podcast episode No. 112 is now available. Download this episode and subscribe to Beers with Talos:

      

If iTunes and Google Play aren't your thing, click here.

We promised it wouldn't be long until we moved into the next phase of Beers with Talos! We are back with a new episode and a new host — meet Liz Waddell from Cisco Talos Incident Response. Liz joins the crew for the first time to discuss the latest drama on "Days of our Ransomware-as-a-Service Groups" and look at why so many actors' playbooks are making it out into the wild.

Please note, we recorded this episode before all the Log4J stuff dropped. For the latest information on that vulnerability, check out the Talos blog post here. We are working on recording an emergency episode of Beers with Talos addressing Log4J and will be releasing that later this week.

Threat Source Newsletter (Dec. 9, 2021)

Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers.  

The good news keeps rolling in for our Incident Response team, who received another accolade by being featured in Forrester's recent quarterly report on the incident readiness industry. This comes on the heels of the team also being named a leader in IR services in an IDC MarketScape report.

If you are looking for a great holiday gift for the IT lover in your life, you should make sure to get your free copy of the SNORTⓇ calendar now. All you have to do is fill out this quick survey to get your free copy. (Sorry, shipping in the U.S. only.)

Cisco recognized by Forrester as cybersecurity incident response services provider

By Brad Garnett. 

Cisco Talos Incident Response is proud to announce that Forrester has recognized us by including Cisco in the new Forrester report “Now Tech: Cybersecurity Incident Response Services, Q4 2021.”

The Forrester report provides an overview of 36 Cybersecurity Incident Response Services (CIRS) providers that offer critical incident response and digital forensic expertise during cybersecurity breaches based upon size, capabilities, industry vertical and geography. We are especially pleased to be recognized in this Forrester report as this news comes on the heels of us being named an industry leader in incident readiness as part of an IDC MarketScape report.

Threat Roundup for November 26 to December 3

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Nov. 26 and Dec. 3. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Talos Takes Ep. #79: Emotet's back with the worst type of holiday present

By Jon Munshaw.

The latest episode of Talos Takes is available now. Download this episode and subscribe to Talos Takes using the buttons below, or visit the Talos Takes page.

Emotet is back, and it brought the worst possible holiday present (just in time for peak spam season, too!). We recently chronicled how the long-known botnet could be coming back after an international law enforcement takedown effort earlier this year.

Threat Source Newsletter (Dec. 2, 2021)

Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers.  

The Thanksgiving holiday in the U.S. didn't slow us down at all, even though we were all still trying to sleep off the food coma from the long weekend. But we came back this week with lots of fun content.

Cisco received an early Christmas present when we were named a leader in incident response services by a recent IDC MarketScape report. We are incredibly proud of this honor, and you can find out what sets our incident response services apart by reading the blog here.  

We're also excited because Cisco Talos Incident Response recently grew with the addition of the CTIR Red Team, which can perform penetration tests (even physical pen tests where they try to access an organization's physical office). Our new case study shows how this team discovered a vulnerability in a customer's website and helped them fix it before the bad guys could exploit it. 

Magnat campaigns use malvertising to deliver information stealer, backdoor and malicious Chrome extension

By Tiago Pereira.

• Talos recently observed a malicious campaign offering fake installers of popular software as bait to get users to execute malware on their systems.
• This campaign includes a set of malware distribution campaigns that started in late 2018 and have targeted mainly Canada, along with the U.S., Australia and some EU countries.
• Two undocumented malware families (a backdoor and a Google Chrome extension) are consistently delivered together in these campaigns.
• An unknown actor with the alias "magnat" is the likely author of these new families and has been constantly developing and improving them.
• The attacker's motivations appear to be financial gain from selling stolen credentials, fraudulent transactions and Remote Desktop access to systems.

Vulnerability Spotlight: Use-after-free condition in Google Chrome could lead to code execution

Marcin Towalski of Cisco Talos discovered this vulnerability. Blog by Jon Munshaw. 

Cisco Talos recently discovered an exploitable use-after-free vulnerability in Google Chrome.  

Google Chrome is a cross-platform web browser — and Chromium is the open-source version of the browser that other software developers use to build their browsers, as well. This specific vulnerability exists in Blink, the main DOM parsing and rendering engine at the core of Chromium.