Thursday, March 31, 2022

Threat Advisory: Spring4Shell

UPDATE, APRIL 4, 2022:

The Kenna Risk Score for CVE-2022-22965 is currently at the maximum of 100. This is an exceptionally rare score that only 415 of roughly 184,000 CVEs (0.22 percent) have reached, reflecting the severity and potential effects of this vulnerability. A score this high means the affected technology is widely deployed, a public exploit is available, and we have seen evidence of ongoing, active exploitation of the vulnerability against internet-facing systems.

Kenna Risk Scores are continually reevaluated and may shift over time. An outline of the current risk score is below:

Cisco Talos is releasing coverage to protect users against the exploitation of two remote code execution vulnerabilities in the Spring ecosystem: CVE-2022-22963, a medium-severity bug that affects Spring Cloud Function, and CVE-2022-22965, a high-severity bug that affects Spring Framework (Spring Core). Spring is a widely used Java application framework. There are already reports of the vulnerabilities being exploited in the wild, and patched releases are available from the Spring project.

CVE-2022-22963

CVE-2022-22963 is a vulnerability in the routing functionality of Spring Cloud Function versions 3.1.6, 3.2.2 and older, unsupported versions. When routing is in use, an attacker can supply a specially crafted Spring Expression Language (SpEL) string as the routing expression; because that expression is evaluated on the server, the result can be remote code execution. Upgrading to Spring Cloud Function 3.1.7 or 3.2.3 resolves this issue.
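
The following is an added example written for this advisory; it is not code from Spring Cloud Function or from the Talos post. It shows why an attacker-controlled SpEL string amounts to remote code execution when evaluated in Spring's full-featured context, and what the restricted alternative looks like. The Message class, the method names and the sample header value are constructed for the demonstration; the header name spring.cloud.function.routing-expression is the property Spring Cloud Function reads the routing expression from.

```java
import java.util.Map;

import org.springframework.expression.Expression;
import org.springframework.expression.ExpressionParser;
import org.springframework.expression.spel.SpelEvaluationException;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.SimpleEvaluationContext;
import org.springframework.expression.spel.support.StandardEvaluationContext;

/*
 * Added example, not code from the Talos advisory or from Spring Cloud Function.
 * It places the vulnerable pattern behind CVE-2022-22963 (evaluating a
 * caller-supplied SpEL string in a fully privileged context) next to the
 * restricted-context pattern that removes the code-execution capability.
 * The Message class and the header handling are assumptions made for the demo.
 */
public class RoutingExpressionDemo {

    /** Minimal stand-in for a Spring message: a payload plus headers. */
    public static class Message {
        private final String payload;
        private final Map<String, String> headers;

        public Message(String payload, Map<String, String> headers) {
            this.payload = payload;
            this.headers = headers;
        }

        public String getPayload() { return payload; }
        public Map<String, String> getHeaders() { return headers; }
    }

    private static final ExpressionParser PARSER = new SpelExpressionParser();

    /*
     * Vulnerable: StandardEvaluationContext enables the whole SpEL feature set,
     * including type references T(...), constructors and static method calls.
     * If routingExpression comes from a request header, an expression such as
     *   T(java.lang.Runtime).getRuntime().exec('id')
     * runs a process on the server. Never feed untrusted input to this method.
     */
    static Object routeUnsafe(String routingExpression, Message msg) {
        Expression expr = PARSER.parseExpression(routingExpression);
        return expr.getValue(new StandardEvaluationContext(msg));
    }

    /*
     * Hardened: SimpleEvaluationContext.forReadOnlyDataBinding() permits only
     * property and index access on the root object. It has no type locator, so
     * T(...) fails with SpelEvaluationException before anything executes, and
     * it registers no method resolvers, constructors or bean references.
     */
    static Object routeSafe(String routingExpression, Message msg) {
        Expression expr = PARSER.parseExpression(routingExpression);
        return expr.getValue(SimpleEvaluationContext.forReadOnlyDataBinding().build(), msg);
    }

    public static void main(String[] args) {
        Message msg = new Message("order-42", Map.of("type", "invoice"));

        // Legitimate routing decision: pick a route from a header value.
        System.out.println("route -> " + routeSafe("headers['type']", msg)); // invoice

        // Constructed attacker input, as it would arrive in the
        // spring.cloud.function.routing-expression header. Only routeSafe sees it.
        String hostile = "T(java.lang.Runtime).getRuntime().exec('id')";
        try {
            routeSafe(hostile, msg);
            System.out.println("unexpected: hostile expression evaluated");
        } catch (SpelEvaluationException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Upgrading to a fixed release is the remedy; the example only shows the property that makes the header dangerous. Anything a remote caller can influence must be evaluated in a context without type references and reflection, and configuration-supplied expressions should be kept on a separate code path from header-supplied ones.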

On the Radar: Is 2022 the year encryption is doomed?

By Martin Lee. 

Quantum technology in development by the world’s superpowers will render many of today’s public-key encryption algorithms obsolete overnight. When it becomes available, whoever controls this technology will be able to read data protected by those algorithms, including traffic recorded today and stored for decryption later.

Organizations need to take note that this technology is likely to be developed within the coming years. Senior managers responsible for information security should take stock of the encryption algorithms in use within their systems and plan their move to quantum-secure algorithms. 

The AES-256 encryption algorithm is predicted to be quantum secure, as are the SHA-384 and SHA-512 hashing algorithms. As an interim measure, organizations should increase the key lengths of public-key algorithms such as RSA and Diffie-Hellman to a minimum of 3,072 bits. This protects against improving classical attacks while the migration is planned; it does not defeat a large quantum computer, which is why the move to quantum-secure algorithms is still required. 

Systems under development should be designed to use AES-256 and to be cryptographically agile: able to swap out encryption algorithms if weaknesses are discovered or more secure algorithms become available, without redesigning the system.
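
The following is an added example, not code from this post, of what the "swap out the algorithm" requirement looks like in practice using Java's standard javax.crypto API. Each ciphertext is prefixed with a one-byte suite identifier, decryption looks that identifier up in a registry, and the identifier is fed into the AEAD as associated data so an attacker cannot rewrite it to force a weaker suite once one is retired. The envelope layout, the registry, the class and method names, and the single registered suite (AES-256-GCM) are this example's own assumptions; a key-size check for the 3,072-bit interim RSA floor is included as a helper.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.security.interfaces.RSAKey;
import java.util.Map;

import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

/*
 * Added example, not code from the Talos post. Every ciphertext carries an
 * algorithm identifier, decryption dispatches on that identifier through a
 * registry, and the identifier is authenticated so it cannot be rewritten to
 * force a weaker suite. Layout, registry and names are this example's choices,
 * not a standard format.
 */
public final class AgileEnvelope {

    /** A cipher suite as the registry sees it. */
    public record Suite(byte id, String transformation, int keyBits, int nonceBytes, int tagBits) {}

    /** Suite 1: AES-256-GCM, the symmetric choice the post recommends. */
    public static final Suite AES_256_GCM = new Suite((byte) 1, "AES/GCM/NoPadding", 256, 12, 128);

    /* New suites are added here; old ciphertexts keep decrypting under their own id. */
    private static final Map<Byte, Suite> SUITES = Map.of(AES_256_GCM.id(), AES_256_GCM);

    /** Interim floor for RSA moduli from the post. */
    public static final int MIN_RSA_BITS = 3072;

    private static final SecureRandom RNG = new SecureRandom();

    /** Envelope layout: suite id (1 byte) || nonce || ciphertext+tag. */
    public static byte[] seal(Suite suite, SecretKey key, byte[] plaintext) throws GeneralSecurityException {
        if (key.getEncoded().length * 8 != suite.keyBits()) {
            throw new GeneralSecurityException("key length does not match suite " + suite.id());
        }
        byte[] nonce = new byte[suite.nonceBytes()];
        RNG.nextBytes(nonce); // fresh random nonce per message; never reuse one under the same key
        Cipher cipher = Cipher.getInstance(suite.transformation());
        cipher.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(suite.tagBits(), nonce));
        cipher.updateAAD(new byte[] { suite.id() }); // bind the suite id to the authentication tag
        byte[] ct = cipher.doFinal(plaintext);
        return ByteBuffer.allocate(1 + nonce.length + ct.length).put(suite.id()).put(nonce).put(ct).array();
    }

    public static byte[] open(SecretKey key, byte[] envelope) throws GeneralSecurityException {
        ByteBuffer buf = ByteBuffer.wrap(envelope);
        if (buf.remaining() < 1) {
            throw new GeneralSecurityException("empty envelope");
        }
        byte id = buf.get();
        Suite suite = SUITES.get(id);
        if (suite == null) {
            throw new GeneralSecurityException("unknown suite id " + id); // refuse, never guess
        }
        if (buf.remaining() < suite.nonceBytes() + suite.tagBits() / 8) {
            throw new GeneralSecurityException("envelope too short for suite " + id);
        }
        byte[] nonce = new byte[suite.nonceBytes()];
        buf.get(nonce);
        byte[] ct = new byte[buf.remaining()];
        buf.get(ct);
        Cipher cipher = Cipher.getInstance(suite.transformation());
        cipher.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(suite.tagBits(), nonce));
        cipher.updateAAD(new byte[] { id });
        return cipher.doFinal(ct); // AEADBadTagException if id, nonce or ciphertext were altered
    }

    /** Key-inventory check for the interim public-key guidance. */
    public static boolean meetsInterimRsaMinimum(RSAKey key) {
        return key.getModulus().bitLength() >= MIN_RSA_BITS;
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(AES_256_GCM.keyBits());
        SecretKey key = kg.generateKey();

        // Constructed sample record; round-trips through the envelope.
        byte[] envelope = seal(AES_256_GCM, key, "constructed sample record".getBytes(StandardCharsets.UTF_8));
        System.out.println(new String(open(key, envelope), StandardCharsets.UTF_8));

        // A rewritten suite id is rejected by the registry before any cipher runs.
        byte[] downgraded = envelope.clone();
        downgraded[0] = (byte) 99;
        try {
            open(key, downgraded);
        } catch (GeneralSecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

In a real deployment the registry would also map a key identifier to the suite that key belongs to, so that moving to a new suite means issuing a new key rather than reusing an old one under a different algorithm, and retired suites would remain registered for decryption only.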

Quantum computers already exist as proof-of-concept systems. For the moment, none are powerful enough to crack current encryption, but the private and public sectors are investing billions of dollars globally to create these powerful systems that will revolutionize computing.

Although nobody knows when a powerful quantum computer will be available, we can predict the effects on security and prepare our defenses in advance.

Threat Source newsletter (March 31, 2022) — Is "Fortnite" a Metaverse?

By Jon Munshaw. 

Welcome to this week’s edition of the Threat Source newsletter. 

By now, anyone on the internet has pondered the question: “Is a hot dog a sandwich?” (My two cents: Yes, absolutely.) 

Now as we move into the new internet age and onto Web 3.0 and NFTs instead of classic memes, I’ve had another question stuck in my head: “Is Fortnite the Metaverse?” 

This came up again for me last week as we published new research into Web 3.0 and the Metaverse, examining what potential security pitfalls lie ahead, and how attackers are already using the Metaverse to spread spam and malware.  

My first introduction to the Metaverse was actually through video games and my dad asking me if he should mint his original artwork as an NFT without getting sued by Disney. I first started hearing about NFTs on various video game podcasts that I listen to, because every video game company was putting out some vague statement about how they were “looking into” getting into NFTs and the Metaverse because that’s what investors wanted to hear at the time.  

“Fortnite” was way ahead of EA and Ubisoft, though. The third-person shooter-turned-free-to-play-battle-royale became its own Metaverse a few years ago already by hosting virtual concerts, becoming a platform for presidential campaigns and bringing together pretty much any IP you could think of into the same game. 

Other video game developers and publishers have wanted to get in on the action now, too, as Jaeson Schultz and I talked about in last week’s Talos Takes episode. And it only took a few weeks for them to start backpedaling as consumers expressed concerns over the potential for scams on the metaverse and the environmental concerns associated with NFTs.  

Fortnite’s push into the metaverse has slowed slightly recently. With the return of in-person concerts and friendly hangouts, players don’t necessarily need a virtual environment anymore to visit with their friends or see Ariana Grande perform. And at the end of the day, Fortnite’s focus is still on being a video game.  

This trend around video game companies in the Metaverse reminds me of the fervor around virtual reality in 2012-13 when the first consumer VR headsets were released. At the time, there was speculation that everything would become VR in a few years, and it’d be the best way to play video games. Yet these headsets only ended up being adopted by a small portion of the population, and VR is only used in highly specific cases, such as training for surgeons. 

So even though games like Fortnite and Roblox may have their own Metaverses, I’m not sure that means good news for the broader “Metaverse.” Just because it’s worked for Fortnite doesn’t mean “Assassin’s Creed” fans want to bid against one another for a one-of-a-kind sword they can also bring into “Far Cry 10” come 2026. Let’s just hope the bad guys don’t start disguising malicious cryptominers as Fortnite cheats. 

Tuesday, March 29, 2022

Transparent Tribe campaign uses new bespoke malware to target Indian government officials

By Asheer Malhotra and Justin Thattil with contributions from Kendall McKay.

  • Cisco Talos has observed a new Transparent Tribe campaign targeting Indian government and military entities. While the actors are infecting victims with CrimsonRAT, their well-known malware of choice, they are also using new stagers and implants.
  • This campaign, which has been ongoing since at least June 2021, uses fake domains mimicking legitimate government and related organizations to deliver malicious payloads, a common Transparent Tribe tactic.
  • Based on our analysis of Transparent Tribe operations over the last year, the group has continued to change its initial entry mechanisms and incorporate new bespoke malware, indicating the actors are actively diversifying their portfolio to compromise even more victims.
  • Notably, the adversary has moved towards deploying small, bespoke stagers and downloaders that can be easily modified, likely to enable quick and agile operations.


Transparent Tribe deploys new implants


Transparent Tribe, also known as APT36 and Mythic Leopard, continues to create fake domains mimicking legitimate military and defense organizations as a core component of their operations. In the latest campaign conducted by the threat actor, Cisco Talos observed multiple delivery methods, such as executables masquerading as installers of legitimate applications, archive files and maldocs to target Indian entities and individuals. These infection chains led to the deployment of three different types of implants, two of which we had not previously observed:

  • CrimsonRAT: A remote access trojan (RAT) family that Transparent Tribe frequently uses to conduct espionage operations against their targets.
  • A previously unknown Python-based stager that leads to the deployment of .NET-based reconnaissance tools and RATs.
  • A lightweight .NET-based implant to run arbitrary code on the infected system.


This campaign also uses fake domains mimicking legitimate government and pseudo-government organizations to deliver malicious payloads, a typical Transparent Tribe tactic.

Friday, March 25, 2022

Threat Roundup for March 18 to March 25


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between March 18 and March 25. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Thursday, March 24, 2022

Threat Source newsletter (March 24, 2022) — Of course the deepfake videos are here

By Jon Munshaw. 

Welcome to this week’s edition of the Threat Source newsletter. 

The war in Ukraine has involved misinformation since before Russia’s ground forces invaded the country. So, it’s not really a shock that we’ve reached the stage of information warfare where deepfake videos are involved.  

Last week, a video made its rounds on social media appearing to show Ukrainian President Volodymyr Zelensky telling Ukrainian soldiers to lay down their arms against Russian forces. It was, thankfully, quickly debunked as being fake and manipulated. On its face, that’s good news, but the bad news is pretty much anyone would have noticed the video was fake. 

On first watch, I could clearly see that the video was overly pixelated, his voice sounded deeper than what I was used to hearing in other news coverage, and his head just seemed...off. It didn’t take long for the internet at large to catch on and for Zelensky himself to debunk the video. The problem is, this was the best-case scenario for a deepfake video because it was so obvious. 

The next time there’s a deepfake video used in the information warfare portion of this invasion, it may not be as clearly fake. Even just days after that Zelensky video hit Twitter, another one appeared of Russian leader Vladimir Putin appearing to declare peace. This one was immediately much harder for me to notice as fake, but thankfully, Twitter sleuths and the media had already done some digging for me to flag it before I saw it.  

That Putin video, and other infamous deepfakes like this one of Jordan Peele pretending to be Barack Obama, show that bad actors have gotten incredibly good at creating deepfake videos and photos, as we’ve outlined in previous posts.  

The Zelensky video made for a great opportunity for social media companies to take a victory lap that they quickly blocked and banned the video. But what happens when more talented actors spread the next, inevitable deepfake? Will it take social media companies more than a few hours to see it? Will even the most seasoned internet users be fooled? The next time you see a video, I encourage you to check it against this list of steps MIT created to spot a deepfake. Things are too high-risk in Ukraine right now to risk sharing any misinformation, even if it’s just to a few of your friends or followers. 

Threat Advisory: DoubleZero


This post is also available in:

Українська (Ukrainian)

Overview


The Computer Emergency Response Team of Ukraine released an advisory on March 22, 2022 disclosing another wiper, dubbed "DoubleZero," targeting Ukrainian enterprises during Russia's invasion of the country. This wiper was detected as early as March 17, 2022. DoubleZero is yet another wiper discovered in addition to the previously disclosed attacks we've seen in Ukraine over the past two months, such as "CaddyWiper," "HermeticWiper" and "WhisperGate."

DoubleZero is a .NET-based implant that destroys files, registry keys and trees on the infected endpoint.

Cisco Talos is actively conducting analysis to confirm the details included in these reports.

Wednesday, March 23, 2022

Vulnerability Spotlight: Heap overflow in Sound Exchange libsox library

Lilith >_> of Cisco Talos discovered these vulnerabilities. Blog by Jon Munshaw. 

Cisco Talos recently discovered an exploitable heap-based buffer overflow vulnerability in the sphere.c start_read() functionality of Sound Exchange libsox.

The libsox library is a library of sound sample file format readers/writers and sound effects processors. It's been in development for several years, and now supports several file formats including .wav, .flac, and .mp3 (with the aid of an external library).

Tuesday, March 22, 2022

On the Radar: Securing Web 3.0, the Metaverse and beyond

By Jaeson Schultz.

Internet technology evolves rapidly, and the World Wide Web (WWW or Web) is currently experiencing a transition into what many are calling "Web 3.0". Web 3.0 is a nebulous term. If you spend enough time Googling it, you'll find many interpretations regarding what Web 3.0 actually is. However, most people tend to agree that Web 3.0 is being driven by cryptocurrency, blockchain technology, decentralized applications and decentralized file storage. 

Web 3.0 innovations include the immersive 3-D experience known as the "Metaverse," a virtual reality environment where people can explore, shop, play games, spend time with distant friends, attend a concert, or even hold a business meeting. The Metaverse is the next iteration of social media, and identity in the Metaverse is directly tied to the cryptocurrency wallet that is used to connect. A user's cryptocurrency wallet holds all of their digital assets (collectibles, cryptocurrency, etc.) and in-world progress. Since cryptocurrency already has over 300 million users globally, and a market capitalization well into the trillions, it's no wonder that cybercriminals are gravitating toward the Web 3.0 space.


Web 3.0 brings with it a host of unique challenges and security risks. Some Web 3.0 threats are simply fresh twists on old attacks — new ways of phishing, or social engineering designed to separate users from the contents of their cryptocurrency wallets. Other security problems are unique to the specific technology that powers Web 3.0, such as playing clever tricks with how data on the blockchain is stored and perceived.


Friday, March 18, 2022

Threat Roundup for March 11 to March 18


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between March 11 and March 18. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Thursday, March 17, 2022

Threat Source newsletter (March 17, 2022) — Channelling productive worry to help Ukraine

By Jon Munshaw. 

Welcome to this week’s edition of the Threat Source newsletter. Cisco Talos continues to be heads-down working on the current Ukraine situation. This is incredibly difficult for everyone across the globe, especially for those directly affected. But that doesn’t mean those of us who are looking from the outside-in aren’t still feeling emotional effects. 

As the Beers with Talos crew talked about in their newest episode this week, it’s a tough time for our researchers and everyone in the security community and beyond. Of course, the people of Ukraine are seeing the worst of this. Some of our Ukraine-based employees have even opted to join the military there to defend their country. It is incredibly noble and moving to see.  

This conflict can still take a mental toll on everyone who is involved and watching from the outside. Folks at Cisco and Talos are working unreal hours to help defend Ukrainian networks and keep critical infrastructure there online. Following the news is stressful for everyone, and it can sometimes be overwhelming, so it’s important to take a break from the news and social media every once in a while to recharge.  

This can sometimes come across as “burying your head in the sand” or ignoring the outside world. But taking some time for yourself is not selfish. If anything, it’s recharging so that you can return and be your best self for everyone around you who needs you. We can all channel the anxiety, stress and heartbreak we’re suffering currently into something positive. Take Martin Lee from our strategic communications team, for example, who recently ran *50* miles in the U.K. to help raise money for Ukraine. Or Vitor Ventura from our threat intelligence and interdiction team who drove to Poland from Portugal to hand-deliver donations and even offered a Ukrainian family a ride back to Portugal where they were looking to relocate. 

For me, personally, I’ve been making sure to play “Elden Ring” every night as a work cooldown. This recharges me to come back to work the next day so I feel I can give my all to Talos, supporting our strategic communication platforms and helping inform users, customers and the wider public about our work in Ukraine and making sure we are getting the important information out there quickly and accurately. I’ve also been able to research legitimate non-profits who are helping in Ukraine and donate to them after removing myself from the constant news stream and calls for action on Instagram. 

These are all small acts of kindness we can be making right now. But if we choose to instead invest our time in doomscrolling, virtue-signaling on social media or just drowning in our own anxiety, that saps us of our energy to do those things. So, take any stress or anxiety you’re feeling and channel it into some “productive worry” and know that we are all doing our part to address this injustice and help those in need. 

From BlackMatter to BlackCat: Analyzing two attacks from one affiliate


By Tiago Pereira with contributions from Caitlin Huey.

  • BlackCat is a recent and growing ransomware-as-a-service (RaaS) group that targeted several organizations worldwide over the past few months. 
  • There are rumors of a relationship between BlackCat and the BlackMatter/DarkSide ransomware groups, infamous for attacking the Colonial Pipeline last year. According to a BlackCat representative, BlackCat is not a rebranding of BlackMatter, but its team is made up of affiliates of other RaaS groups (including BlackMatter).
  • Talos has observed that at least one attacker who used BlackMatter was likely one of the early adopters of BlackCat. In this post, we'll describe these attacks and the relationship between them.
  • Understanding the techniques and tools used by RaaS affiliates helps organizations detect and prevent attacks before the ransomware itself is executed, at which point, every second means lost data.

Wednesday, March 16, 2022

Preparing for denial-of-service attacks with Talos Incident Response

By Yuri Kramarz. 

Over the years, extortion-style and politically motivated denial-of-service attacks have increased, and they still pose a threat to businesses and organizations of any size that find themselves in the crosshairs of malicious campaigns.  

A detailed preparation plan is needed to handle attacks that might come in various formats and over different protocols aiming at grinding existing infrastructure to a halt. 

Understanding potential effects ahead of an attack can lead to reduced response times, which in turn would benefit business operations. 

Tuesday, March 15, 2022

Threat Advisory: CaddyWiper


This post is also available in:

日本語 (Japanese)

Українська (Ukrainian)

Overview


Cybersecurity company ESET disclosed another Ukraine-focused wiper, dubbed "CaddyWiper," on March 14. This wiper is considerably smaller than previous wipers we've seen in Ukraine, such as "HermeticWiper" and "WhisperGate," with a compiled size of just 9KB.

The sample's compilation timestamp falls on the same day it was discovered (March 14), and initial reports suggest that it was deployed via Group Policy Objects (GPO).

Cisco Talos is actively conducting analysis to confirm the details included in these reports.

Monday, March 14, 2022

Beers with Talos, Ep. #118: Reflecting on the current situation in Ukraine

Beers with Talos (BWT) Podcast episode No. 118 is now available for download on the usual podcast platforms.

Recorded March 7, 2022.

This was admittedly a tough one to record. In the middle of us trying to respond to the situation in Ukraine, we felt it was important to let our listeners in a bit. Matt, JJ and Liz discuss the work they and their teams are doing in Ukraine to protect critical systems there and keep users online. We also talk about the human side of things, and why it’s important for folks in cybersecurity to think about self-care during this time.

If you want to stay up to date on Talos’ work in Ukraine and our ongoing research about cybersecurity concerns in the region, continually check cs.co/TalosUA.

Threat Advisory: Opportunistic cyber criminals take advantage of Ukraine invasion

By Edmund Brumaghin, with contributions from Jonathan Byrne, Perceo Lemos and Vasileios Koutsoumpogeras.

This post is also available in:

日本語 (Japanese)

Українська (Ukrainian) 

Executive Summary


  • Since the beginning of the war in Ukraine, we have observed threat actors using email lures with themes related to the conflict, including humanitarian assistance and various types of fundraising. This activity has been increasing since the end of February.
  • These emails are primarily related to scam activity but have also delivered a variety of threats, including remote access trojans (RATs). This is in addition to the malicious activity we've recently seen related to the crowd-sourced attacks in the region.
  • This pattern is consistent with what we typically see following global events or crises, such as the COVID-19 pandemic, when opportunistic cybercriminals attempt to exploit high public interest for their own gain.

Friday, March 11, 2022

Threat Roundup for March 4 to March 11


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between March 4 and March 11. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Thursday, March 10, 2022

Talos Threat Source newsletter (March 10, 2022) — Fake social media posts spread in wake of Ukraine invasion

By Jon Munshaw. 

Welcome to this week’s edition of the Threat Source newsletter — complete with a new format and feel.  

First off, it goes without saying, but we’re all heartbroken by the crisis happening in Ukraine. Our hearts are with the people of Ukraine, our employees and their families, as well as everyone affected. 

There’s been a lot of talk around disinformation and fake news in the wake of the conflict in Ukraine. As we’ve written about many times before, this can take many forms — fake news articles, deepfake videos, misleading social media posts, etc. But another form of disinformation I’ve seen over the past few weeks is social media sharing from the average person. 

This isn’t some giant troll farm somewhere backed by millions of dollars — it’s regular users just sharing what they think is interesting without checking the origins of the post. There are a host of examples from Twitter and Instagram this week, including viral photos of alleged Ukrainian “Army Cats” who are trained to spot sniper lasers, a piece of art that people thought was the latest “Time” magazine cover and miscaptioned videos claiming to show Ukrainian and Russian soldiers dancing together.

Iranian-linked conglomerate MuddyWater comprised of regionally focused subgroups


By Asheer Malhotra, Vitor Ventura and Arnaud Zobec.

  • Cisco Talos has observed new cyber attacks targeting Turkey and other Asian countries that we assess with high confidence are from groups operating under the MuddyWater umbrella of APT groups. U.S. Cyber Command recently connected MuddyWater to Iran's Ministry of Intelligence and Security (MOIS).
  • These campaigns primarily utilize malicious documents (maldocs) to deploy downloaders and RATs implemented in a variety of languages, such as PowerShell, Visual Basic and JavaScript.
  • Another new campaign targeting the Arabian peninsula deploys a WSF-based RAT we're calling "SloughRAT", identified as an implant called "canopy" by CISA in their advisory released in late February.
  • Based on a review of multiple MuddyWater campaigns, we assess that the Iranian APT is a conglomerate of multiple teams operating independently rather than a single threat actor group.
  • The MuddyWater supergroup is highly motivated and can use unauthorized access to conduct espionage, intellectual property theft and deploy ransomware and destructive malware in an enterprise.


Executive summary


Cisco Talos has identified multiple campaigns and tools being perpetrated by the MuddyWater APT group, widely considered to be affiliated with Iranian interests. These threat actors are considered extremely motivated and persistent when it comes to targeting victims across the globe.

Talos disclosed a MuddyWater campaign in January targeting Turkish entities that leveraged maldocs and executable-based infection chains to deliver multistage, PowerShell-based downloader malware. This group previously used the same tactics to target other countries in Asia, such as Armenia and Pakistan.

In our latest findings, we discovered a new campaign targeting Turkey and the Arabian peninsula with maldocs to deliver a Windows script file (WSF)-based remote access trojan (RAT) we're calling "SloughRAT," an implant known as "canopy" in CISA's most recent alert about MuddyWater from February 2022.

This trojan, although obfuscated, is relatively simple and attempts to execute arbitrary code and commands received from its command and control (C2) servers.

Our investigation also led to the discovery of the use of two additional script-based implants: one written in Visual Basic (VB) (late 2021 - 2022) and one in JavaScript (2019 - 2020), which also downloads and runs arbitrary commands on the victim's system.

MuddyWater's variety of lures and payloads — along with the targeting of several different geographic regions — strengthens our growing hypothesis that MuddyWater is a conglomerate of sub-groups rather than a single actor. These sub-groups have conducted campaigns against a variety of industries such as national and local governments and ministries, universities and private entities such as telecommunication providers. While these teams seem to operate independently, they are all motivated by the same factors that align with Iranian national security objectives, including espionage, intellectual property theft, and destructive or disruptive operations based on the victims they target.

A variety of campaigns analyzed are marked by the development and use of distinct infection vectors and tools to gain entry, establish long-term access, siphon valuable information and monitor their targets. The MuddyWater teams appear to share TTPs, as evidenced by the incremental adoption of various techniques over time in different MuddyWater campaigns. We represent this progression in a detailed graphic in the first main section of this blog.

Wednesday, March 9, 2022

Threat advisory: Cybercriminals compromise users with malware disguised as pro-Ukraine cyber tools

This post is also available in:


Українська (Ukrainian)


Update March 17, 2022: Cisco Talos has updated the IOC section with additional hashes and ClamAV coverage.

Executive summary


  • Opportunistic cybercriminals are attempting to exploit Ukrainian sympathizers by offering malware purporting to be offensive cyber tools to target Russian entities. Once downloaded, these files infect unwitting users rather than delivering the tools originally advertised.
  • In one such instance, we observed a threat actor offering a distributed denial-of-service (DDoS) tool on Telegram intended to be used against Russian websites. The downloaded file is actually an information stealer that infects the unwitting victim with malware designed to dump credentials and cryptocurrency-related information.
  • These observations serve as reminders that users must be on heightened alert to increased cyber threat activity as threat actors look for new ways to incorporate the Russia-Ukraine conflict into their operations.
  • Such activity could take the form of themed email lures on news topics or donation solicitations, malicious links purporting to host relief funds or refugee support sites, malware masquerading as defensive or offensive security tools, and more. We remind users to carefully inspect suspicious emails before opening them and to validate software or other files before downloading them.

Tuesday, March 8, 2022

Microsoft Patch Tuesday for March 2022 — Snort rules and prominent vulnerabilities

By Jon Munshaw and Edmund Brumaghin. 

Microsoft released another relatively light security update Tuesday, disclosing 71 vulnerabilities, including fixes for issues in Azure and the Office suite of products. March’s Patch Tuesday only included two critical vulnerabilities, which is notable considering there weren’t any critical issues in February’s security update.

This month’s patch batch does not include any threats that Microsoft says have been exploited in the wild, and none of the vulnerabilities disclosed has a severity score higher than 8.8 out of 10. 

The most serious issue is CVE-2022-23277, a remote code execution vulnerability in Microsoft Exchange Server. According to Microsoft, an authenticated adversary could exploit this vulnerability through a network call to trigger malicious code in the context of the Exchange Server account.

Monday, March 7, 2022

Deep dive: Vulnerabilities in ZTE router could lead to complete attacker control of the device

Cisco Talos’ vulnerability research team disclosed multiple vulnerabilities in the ZTE MF971R wireless hotspot and router in October. Several months removed from that disclosure and ZTE’s patch, we decided to take an even closer look at two of these vulnerabilities — CVE-2021-21748 and CVE-2021-21745 — to show how they could be chained together by an attacker to completely take over a device.  

In our latest research paper, Marcin Noga, the researcher who discovered these vulnerabilities, walks through the process of how he discovered these vulnerabilities and shows the worst-case scenario for a user should an attacker choose to exploit these issues. You can read the full paper by clicking on the button to the right, and watch the video above to see a snippet of this attack vector. 

Thursday, March 3, 2022

Cisco stands on guard with our customers in Ukraine






  • As the Russia-led invasion intensifies, Ukraine is being attacked by bombs and bytes. Cisco is working around the clock on a global, company-wide effort to protect our customers there and ensure that nothing goes dark.
  • Cisco Talos has taken the extraordinary step of directly operating security products 24/7 for critical customers in Ukraine while over 500 employees at Cisco have joined them to assist in collecting open-source (public) intelligence.
  • In critical Ukrainian networks, we are taking advantage of advanced product features to create Ukraine-specific protections based on intelligence we have received.
  • We are closely monitoring telemetry and aggressively convicting threats to protect both our Ukrainian and global customers.
  • Customers with a mature security model should design their intelligence programs to drive changes in the organization's defensive posture based on their findings.
  • We have been successful in our work in Ukraine up to this point and will continue to support our partners there until the crisis ends.

Introduction


You may not have noticed, but Cisco has been a different place in the past month. The unjust invasion of Ukraine, and the sense of helplessness we all have felt, has created a motivated collection of Cisco employees working to make life just a little safer and easier in a part of the world many have never been to. Some teams have set aside their normal tasks and now watch over Ukrainian networks, others have focused on caring for and protecting refugees, and still others have turned their obsession with social media into a critical component of our open-source intelligence work. The plans have been creative and, while many would have been unthinkable just a week ago, approvals have come fast and everyone has been stretching far beyond their normal workload.

In today's situation in Ukraine, lives and livelihoods depend on the up-time of systems. Trains need to run, people need to buy gas and groceries, the government needs to get messages out to civilians for morale and for safety. Cybersecurity can be invisible behind all of this. In this blog we talk about a small part of Cisco's response to this crisis. It is just one of many stories about how the people that make Cisco what it is have responded to an unprecedented crisis. There are lessons here for the defender as well, on what a world-class intelligence team can do when handed a network to defend and a capable set of security tools. But mostly this is a story about the people – from the cubicle to the C Suite – who would do what little they could.



Current executive guidance for ongoing cyberattacks in Ukraine


This post is also available in:

日本語 (Japanese)

Українська (Ukrainian)


Cyber threat activity against Ukraine, and around the world, has long been a central focus of our work. We continue to monitor the Ukraine-Russia situation by enacting a comprehensive, Talos-wide effort to provide support to our partners and customers. These actions include issuing new Cisco protections based on research findings and malware analysis, enacting an internal crisis management system to formalize components of our investigation, and sharing information with domestic and international intelligence partners.

Guidance


Our current guidance continues to echo the recommendations from the U.S. Cybersecurity and Infrastructure Security Agency (CISA) that global organizations with ties to Ukraine should carefully consider how to isolate and monitor those connections to protect themselves from potential collateral damage.

CISA released additional steps organizations could take to protect themselves. We recommend organizations, especially those in critical infrastructure and government, review CISA's advisory, enable and carefully examine their logs, patch, develop a crisis plan, and implement multi-factor authentication where possible. We also recommend following CISA guidance for safeguarding against foreign influence operations, which Russia previously used against U.S. entities to disrupt critical infrastructure functions.

The important thing to understand is, regardless of the current situation, our fundamental guidance remains the same. Tech debt, poor cybersecurity hygiene, and out-of-date systems and software will have catastrophic impacts on your organization. On the flip side, network segmentation, visibility, asset inventories, prioritized patching and intelligence programs that actively drive changes in your defenses are key to successfully weathering attacks.

Wednesday, March 2, 2022

Threat Roundup for February 25 to March 4


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Feb. 25 and March 4. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Tuesday, March 1, 2022

Crowd-sourced attacks present new risk of crisis escalation







By Matt Olney.


This post is also available in:

日本語 (Japanese)

  • An unpredictable and largely unknown set of actors present a threat to organizations, despite their sometimes unsophisticated techniques. Customers who are typically focused on top-tier, state-sponsored attacks should remain aware of these highly motivated threat actors, as well. 
  • Misattribution of these actors carries the risk of nations escalating an already dangerous conflict in Ukraine. 
  • Based on data from our fellow researchers at Cisco Kenna, customers should be most concerned about threat actors exploiting several recently disclosed vulnerabilities, highlighting the importance of consistently updating software and related systems.  
  • With this rising and diverse threat, we recommend defenders continue to employ security fundamentals, patch aggressively, and leverage finished intelligence reports or other sources to enhance their understanding of the threat landscape.