Friday, May 20, 2022

Threat Roundup for May 13 to May 20

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between May 13 and May 20. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Thursday, May 19, 2022

Threat Source newsletter (May 19, 2022) — Why I'm missing the days of iPods and LimeWire

By Jon Munshaw. 

Welcome to this week’s edition of the Threat Source newsletter. 

I will openly admit that I still own a “classic” iPod — the giant brick that weighed down my skinny jeans in high school and did nothing except play music. There are dozens of hours of music on there that I always tell myself I’m going to back up somewhere and never do. The iPod doesn’t have any charge at the moment, and I still need to hop on eBay to buy one of those flat chargers for it to even start the backup process. So no, I’m sure I’ll never get around to backing it up and recycling the device. 

But that doesn’t make it any less painful to hear that Apple is going to stop making iPods altogether. I’m a longtime iPod user and have owned everything from the original “stick of gum” iPod shuffle, to the tiny, square iPod nano that clipped to my backpack and made me think I was really cool, along with pretty much every other iteration of the nano. 

The news of the iPod’s end got me thinking about how far the threat landscape has come. We all have a souped-up iPod in our pockets now that connects to the internet at a moment’s notice and is one risky click away from someone stealing your banking app password. It used to be that when I wanted new music, I would have to plug the iPod into my parents’ Mac at home and connect to the internet, and then pray that whatever perilous download I was grabbing from uTorrent or LimeWire wasn’t going to download a virus. Most of the time, I thankfully landed on a somewhat legitimate version of a Slayer album. 

Nowadays, attackers have come up with ways to install malware on your iPhone even when it’s powered down — that was never an issue in the heyday of the iPod! 

Though in my walk down memory lane, I did learn that some classic iPods shipped in 2006 contained Windows malware known as “RavMonE.exe,” an early example of why everyone should have at least a base anti-virus enabled.  

I’ll miss the days of the iPod, when I didn’t have to worry about malware following me in my backpack or briefcase. But I don’t miss having to illegitimately listen to Slayer. I’ll gladly pay the $10 a month for Spotify to avoid having to hope a file from “xX_metalhead420Xx_” doesn’t have malware in it.  

Wednesday, May 18, 2022

The BlackByte ransomware group is striking users all over the globe

News summary

  • Cisco Talos has been monitoring the BlackByte ransomware group for several months; it has been infecting victims all over the world, from North America to Colombia, the Netherlands, China, Mexico and Vietnam.
  • The FBI released a joint cybersecurity advisory in February 2022 warning about this group, stating that the group has targeted at least three critical infrastructure sectors in the U.S.
  • Talos has monitored ongoing BlackByte attacks dating back to March.
  • BlackByte updated its leak site with a new design and new victims and is still actively exploiting victims worldwide. 

Tuesday, May 17, 2022

Vulnerability Spotlight: Multiple memory corruption vulnerabilities in NVIDIA GPU driver

Piotr Bania of Cisco Talos discovered these vulnerabilities. Blog by Jon Munshaw. 

Cisco Talos recently discovered four vulnerabilities in the NVIDIA D3D10 driver for graphics cards that could allow an attacker to corrupt memory and write arbitrary memory on the card. 

NVIDIA graphics drivers are the software for NVIDIA GPU cards installed in PCs. The D3D10 driver communicates between the operating system and the GPU, and in most cases it is required for the PC to function properly. 

Monday, May 16, 2022

Ransomware: How executives should prepare given the current threat landscape


By Nate Pors.

Top executives are increasingly dreading the phone call from their fellow employees notifying them that their company has been hit by a cyber attack. Nearly every week in 2021 and early 2022, a prominent organization has been in the media spotlight as their public relations team struggles to explain how they were attacked and how they can regain consumer confidence. A recent survey showed that 37 percent of organizations surveyed had been affected by ransomware attacks in the last year.

Worse, the days when executive leadership teams could fully delegate responsibility to a CISO are over. Regardless of reality, surveys have shown that about 40 percent of the public perception of fault for a ransomware attack lands squarely on the CEO’s shoulders, and that 36 percent of attacks result in the loss of C-level talent. While executive involvement in the security program does not guarantee a successful defense, it does give the Executive Leadership Team (ELT) a degree of ownership of the final product, as well as the ability to speak confidently and knowledgeably to the public. 

Cisco Talos Incident Response (CTIR) has assisted hundreds of organizations through recent ransomware incidents and executive tabletop exercises and compiled the following observations for how top executives can best prepare and evaluate their teams.

Friday, May 13, 2022

Threat Roundup for May 6 to May 13


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between May 6 and May 13. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

EMEAR Monthly Talos Update: Wiper malware

Cisco Talos and Cisco Secure are launching a new video series to fill you in on the latest cybersecurity trends. We’re thrilled to launch our first video in the new Talos Threat Update series, which you can watch above or over at this link, where Martin Lee and Hazel Burton talk about wiper malware: what it is, why it is important and how you can prepare your organization against it. 

While this series is primarily focused on the European region, the advice and topics covered each month apply to users everywhere.  

In each video, Hazel Burton dives into important security topics with Cisco Secure researchers, asking the tough questions and giving straight answers. 

Thursday, May 12, 2022

Threat Source newsletter (May 12, 2022) — Mandatory MFA adoption is great, but is it too late?

By Jon Munshaw. 

Welcome to this week’s edition of the Threat Source newsletter. 

Mandatory multi-factor authentication is all the rage nowadays. GitHub just announced that all contributors would have to enroll in MFA by 2023 to log into their accounts. And Google announced as part of World Password Day that it would soon be making MFA compulsory for all users.  

But is it too little, too late? 

Don’t get me wrong, MFA is one of the best first lines of defense for preventing a cyber attack or any other type of network intrusion. It comes up in pretty much every Talos blog post and Talos Takes episode I record.  

However, if we keep pushing off the deadline for making this step mandatory, it only gives attackers more time to catch up to us. Adversaries have already figured out ways to intercept MFA codes that are sent via SMS message, as I talked about with Wendy Nather last year. 

And on the latest Beers with Talos episode, Nate Pors from Talos Incident Response talked about “prompt bombing” users, essentially annoying them to the point that they click “yes” on an MFA prompt and let a bad guy in.  

By the time MFA becomes mandatory on major sites and for some of our most important accounts on the internet, what other types of attacks will threat actors come up with to get around it? Already, one-time codes are starting to become out of fashion in favor of FIDO or certificate-based PKI authentication. Rather than adopting what should have been standard practice several years ago, is it time to start thinking about what the future of MFA is? 

It might be best for us to all look forward to zero-trust as our security future. It’s something the federal government is already looking at, but it goes without saying that things don’t happen quickly within the government at any level.  

In the meantime, everyone should work toward making MFA mandatory as quickly as possible. Yes, it can be a pain, but it will save many future headaches. If you do have MFA already, rely on app push notifications rather than SMS-based authentication. And, as always, user education is important. It should go without saying, but tell users that unless they know they initiated an MFA push, they should never click on it. Even if it’s 3 a.m. 

Vulnerability Spotlight: How an attacker could chain several vulnerabilities in an industrial wireless router to gain root access

Francesco Benvenuto of Cisco Talos discovered these vulnerabilities. Blog by Francesco Benvenuto and Jon Munshaw. 

Cisco Talos recently discovered several vulnerabilities in InHand Networks’ InRouter302 that could allow an attacker to escalate their privileges on the targeted device from a non-privileged user to a privileged one. There are also multiple vulnerabilities that could allow an adversary to reach unconstrained root privileges. The router has one privileged user and several non-privileged ones. 

The InRouter is an industrial LTE router that includes remote management functionalities and several security protection mechanisms, such as VPN connections and a firewall. 

The router can be managed mainly in two ways: through the web interface, and through a router console accessible by telnet or, if enabled, SSH. The router does not provide access in any way to the Linux system beneath the router functionalities. 

Wednesday, May 11, 2022

Bitter APT adds Bangladesh to their targets

  • Cisco Talos has observed an ongoing malicious campaign since August 2021 from the Bitter APT group that appears to target users in Bangladesh, a change from the attackers' usual victims.
  • As part of this, there's a new trojan, based on Apost, that Talos is calling "ZxxZ," which, among other features, includes remote file execution capability.
  • Based on the similarities between the C2 server in this campaign with that of Bitter's previous campaign, we assess with moderate confidence that this campaign is operated by the Bitter APT group.

Executive Summary

Cisco Talos discovered an ongoing campaign, active since August 2021, operated by what we believe is the Bitter APT group. This campaign is a typical example of the actor targeting South Asian government entities.

This campaign targets an elite unit of the Bangladeshi government with a themed lure document purporting to relate to the regular operational tasks in the victim's organization. The lure document is delivered by spear-phishing emails sent to high-ranking officers of the Rapid Action Battalion Unit of the Bangladesh police (RAB). The emails contain either a malicious RTF document or a Microsoft Excel spreadsheet weaponized to exploit known vulnerabilities. Once the victim opens the maldoc, the Equation Editor application is automatically launched to run the embedded objects containing the shellcode that exploits known vulnerabilities described by CVE-2017-11882, CVE-2018-0798 and CVE-2018-0802 — all in Microsoft Office — which then downloads the trojan from the hosting server and runs it on the victim's machine. The trojan masquerades as a Windows Security update service and allows the malicious actor to perform remote code execution, opening the door to other activities by installing other tools. In this campaign, the trojan runs itself, but the actor has other RATs and downloaders in their arsenal.

Such surveillance campaigns could allow the threat actors to access the organization's confidential information and give their handlers an advantage over their competitors, regardless of whether they're state-sponsored.

Tuesday, May 10, 2022

Threat Advisory: Critical F5 BIG-IP Vulnerability

Summary

A recently disclosed vulnerability in F5 Networks' BIG-IP could allow an unauthenticated attacker to access the BIG-IP system to execute arbitrary system commands, create and delete files, disable services and could lead to additional malicious activity.

This vulnerability, tracked as CVE-2022-1388, is an authentication bypass vulnerability in F5's BIG-IP modules affecting the iControl REST component. BIG-IP is F5's line of appliances that organizations use as load balancers, firewalls, and for inspection and encryption of data passing into and out of networks. The vulnerability has a CVSS score of 9.8 out of a possible 10 and is considered critical.

F5 discovered the vulnerability on May 4, 2022 and has subsequently released a security advisory and patches, along with a subsequent advisory from the U.S. Cybersecurity & Infrastructure Security Agency (CISA).

Cisco Talos is closely monitoring the recent reports of exploitation attempts against CVE-2022-1388 and strongly recommends users issue patches to affected systems as soon as possible.

Microsoft Patch Tuesday for May 2022 — Snort rules and prominent vulnerabilities

By Jon Munshaw, with contributions from Jaeson Schultz. 

Microsoft returned to its normal monthly patching volume in May, disclosing and fixing 74 vulnerabilities as part of the company’s latest security update. This month’s Patch Tuesday includes seven critical vulnerabilities, after Microsoft disclosed more than 140 security issues in April.

The point-to-point tunneling feature in Windows contains two of the most serious vulnerabilities that could allow an attacker to execute remote code on a targeted RAS server machine. While CVE-2022-21972 and CVE-2022-23270 are rated “critical,” Microsoft stated the attack complexity is high since an adversary needs to win a race condition, making it less likely an attacker could exploit these issues.  

CVE-2022-26931 and CVE-2022-26923 are elevation of privilege vulnerabilities in Windows Kerberos and Windows Active Directory, respectively. They both are considered critical, though CVE-2022-26931 is considered less likely to be exploited because it has a higher attack complexity. 

The Windows Network File System contains the highest-rated vulnerability of the month: CVE-2022-26937, which has a severity score of 9.8 out of a possible 10. An attacker could exploit this vulnerability by making an unauthenticated, specially crafted call to an NFS service to eventually gain the ability to execute remote code. 

May’s Patch Tuesday also features a vulnerability in the Magnitude Simba Amazon Redshift ODBC Driver that affects the Windows self-hosted integration runtime service. An attacker could exploit CVE-2022-29972 to execute remote code, though they would need to first have the same level of privilege as a Synapse Administrator, Synapse Contributor or Synapse Computer Operator. 

Talos would also like to highlight six important vulnerabilities that Microsoft considers to be “more likely” to be exploited: 

A complete list of all the vulnerabilities Microsoft disclosed this month is available on its update page. 

In response to these vulnerability disclosures, Talos is releasing a new SNORTⓇ rule set that detects attempts to exploit some of them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Cisco Secure Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. 

The rules included in this release that protect against the exploitation of many of these vulnerabilities are 59726 - 59728, 59730, 59731, 59733, 59734, 59737 and 59738. For Snort 3, the following rules are also available to protect against these vulnerabilities: 300125, 300126, 300128, 300129, 300130, 300133 and 300134 - 300137.

Vulnerability Spotlight: Vulnerability in Alyac antivirus program could stop virus scanning, cause denial of service

Jaewon Min of Cisco Talos discovered these vulnerabilities. Blog by Jon Munshaw. 

Cisco Talos recently discovered an out-of-bounds read vulnerability in ESTsecurity Corp.’s Alyac antivirus software that could cause a denial-of-service condition.  

If successful, an attacker could trigger this vulnerability to stop the program from scanning for malware, which would be crucial in a potential attack scenario. Alyac is an antivirus software developed for Microsoft Windows machines. 

Talos Incident Response added to German BSI Advanced Persistent Threat response list

Cisco Talos Incident Response is now listed as an approved vendor on the Bundesamt für Sicherheit in der Informationstechnik (BSI) Advanced Persistent Threat (APT) response service providers list. Talos Incident Response successfully demonstrated to the BSI, through a review of our processes and a technical panel interview, that we can respond to cybersecurity incidents involving APT actors throughout Germany. Additionally, Cisco was recognized as a Leader by IDC MarketScape for our Worldwide Incident Readiness services. We look forward to continuing to provide our wide range of market-leading, globally delivered incident response services to Cisco’s German Federal, Public and Private business customers.

Friday, May 6, 2022

Threat Roundup for April 29 to May 6

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between April 29 and May 6. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Thursday, May 5, 2022

Threat Source newsletter (May 5, 2022) — Emotet is using up all of its nine lives

By Jon Munshaw. 

Welcome to this week’s edition of the Threat Source newsletter. 

Emotet made headlines last week for being “back” after a major international law enforcement takedown last year. But I’m here to argue that Emotet never left, and honestly, I’m not sure it ever will.  

As Nick Biasini and I covered in a December episode of Talos Takes, these takedowns are always incredibly helpful and a show of strength among the international community. But it doesn’t mean they’re a final nail in the coffin.  

Nick pointed out to me in that Talos Takes that there weren’t any arrests associated with the takedown, so the operators were always still out there ready to come back. And we started seeing Emotet send spam again as soon as nine-ish months after the takedown announcement.  

“In this particular case, we saw a botnet disruption, more than anything else,” Nick said. 

So it really shouldn’t be a surprise to anyone that Emotet is re-loading again. It’s known to go on months-long breaks, usually picking up around major holidays or international events like Black Friday and Cyber Monday. 

I admittedly don’t know enough about the ins and outs of taking down a botnet to say if something like this could ever be permanent or if there ever really is a way to truly end it for good. But if Emotet goes quiet for another few months and then magically pops up again in September, no one should be surprised. 

Take Silk Road, an infamous dark web site for the drug trade: it needed three international takedown efforts over two years to truly shut down the site and stop any successors from popping up, even after its initial founder was arrested. 

As all these threats have shown us, as defenders we can never let our guard down and assume a threat is truly gone, no matter how impressive a press release sounds.  

Mustang Panda deploys a new wave of malware targeting Europe

By Jung soo An, Asheer Malhotra and Justin Thattil, with contributions from Aliza Berk and Kendall McKay.

  • In February 2022, corresponding roughly with the start of the Russian invasion of Ukraine, Cisco Talos began observing the China-based threat actor Mustang Panda conducting phishing campaigns against European entities, including Russian organizations. Some phishing messages contain malicious lures masquerading as official European Union reports on the conflict in Ukraine and its effects on NATO countries. Other phishing emails deliver fake "official" Ukrainian government reports; both kinds of lure download malware onto compromised machines.
  • Mustang Panda has been known to use themed lures relating to various current-day events and issues, including the COVID-19 pandemic, international summits and various political topics.
  • While the Ukraine-related Mustang Panda developments have been reported by at least one other security firm, we identified additional samples that have not been cited in open-source reporting.
  • Apart from targeting European countries, Mustang Panda has also targeted organizations in the U.S. and Asia.
  • In these campaigns, we've observed the deployment of Mustang Panda's PlugX implant, custom stagers and reverse shells and meterpreter-based shellcode, all used to establish long-term persistence on infected endpoints with the intention of conducting espionage.

Threat actor profile

Mustang Panda, also known as "RedDelta" or "Bronze President," is a China-based threat actor that has targeted entities all over the world since at least 2012, including American and European entities such as government organizations, think tanks, NGOs, and even Catholic organizations at the Vatican.

We've also observed extensive targeting of Asian countries, such as the Taiwanese government, activists in Hong Kong, NGOs in Mongolia and Tibet, Myanmar and even Afghan and Indian telecommunication firms.

The threat actor heavily relies on sending lures via phishing emails to achieve initial infection. These lures often masquerade as legitimate documents of national and organizational interest to the targets. These infection vectors deploy malware predominantly consisting of the PlugX remote access trojan (RAT) along with custom stagers, reverse shells, meterpreter and Cobalt Strike, which act as additional mechanisms for achieving long-term access into their targets. One thing remains consistent across all these campaigns — Mustang Panda is clearly looking to conduct espionage campaigns.

Tuesday, May 3, 2022

Conti and Hive ransomware operations: What we learned from these groups' victim chats

As part of Cisco Talos’ continuous efforts to learn more about the current ransomware landscape, we recently examined a trove of chat logs between the Conti and Hive ransomware gangs and their victims.

Ransomware-as-a-service groups have exploded in popularity over the past few years, with these groups continually adding new affiliates and tools. In the past, we’ve learned more about these groups by speaking directly with operators and examining these groups’ changing tactics, techniques and procedures (TTPs).  

Talos researchers recently spent weeks combing through chat logs and other information we obtained from Hive and Conti operators' conversations with victims. These conversations had not previously been made public. The research paper we’re releasing today contains new insights into how Conti and Hive choose their targets, negotiate with victims, operate internally, and much more.  

Monday, May 2, 2022

Vulnerability Spotlight: Two vulnerabilities in Accusoft ImageGear could lead to DoS, arbitrary free

Emmanuel Tacheau of Cisco Talos discovered these vulnerabilities. Blog by Jon Munshaw. 

Cisco Talos recently discovered two new vulnerabilities in Accusoft ImageGear. 

The ImageGear library is a document-imaging developer toolkit that allows users to create, edit, annotate and convert various images. It supports more than 100 file formats such as DICOM, PDF and Microsoft Office. 

One vulnerability, TALOS-2022-1465 (CVE-2022-23400), could allow an attacker to cause a denial-of-service condition inside the application by overflowing a stack buffer. In a very specific scenario, this buffer overflow could also lead to a memory leak of one byte.