Threat Source newsletter (June 9, 2022) — Get ready for Cisco Live

By Jon Munshaw. 

Welcome to this week’s edition of the Threat Source newsletter. 

Another week, another conference. We’re heading a few miles southeast from San Francisco to Las Vegas for Cisco Live. I hope everyone had a safe, healthy and enjoyable RSA, but the fun isn’t over just yet. 

We’ve got another week chock full of talks, meet-and-greets, podcasts and much more at Cisco Live this week. Come find us at the center of the Cisco Secure booth where we have something awesome planned (it’s a surprise!). I’ve also got a few other highlights from Talos at Cisco Live to know about this week.  

I’ll personally be giving my first-ever talk at the Cisco Secure Pub on Wednesday, so come by and say hi and tell me how much you love the newsletter.  

Cisco Secure Pub 

The best place to find us is at the Cisco Secure Pub on the show floor. The Pub will be serving coffee in the morning and alcoholic drinks in the afternoon. Every day, we’ll be represented in lightning talks at the booth on a wide variety of topics, including Talos’ work in Ukraine, securing industrial control systems and a look back at Log4j. 

And since this is my newsletter, I’m also going to plug my talk on Wednesday at 2:30 p.m. local time when I’ll be discussing disinformation and propaganda campaigns in the age of social media, especially as it relates to Russia’s invasion of Ukraine. 

Talos Insights: The State of Cybersecurity 

This is our annual overview of the threat landscape, this year delivered by Nick Biasini from our Outreach team. In this talk on the 15th, Nick will talk about the threats and trends Talos has uncovered in the past 12 months and provide the technical details on how they operate. Use the Cisco Live Session Catalog for more details on location. 

Interactive sessions 

Talos and Cisco Talos Incident Responses are hosting several interactive sessions throughout the conference where attendees will get a chance to work face-to-face with our researchers and work hands-on with Cisco Secure products. 

I’ve created a personal filter here in the Session Catalog so you can easily find all our interactive sessions throughout the week.    

  

The one big thing 

Attackers are actively exploiting a zero-day vulnerability in Atlassian Confluence Data Center and Server to execute remote code on targeted machines. The attacks delivered several payloads, including the in-memory BEHINDER implant as well as web shells, including China Chopper. In addition to the initial attacks outlined in the report, researchers confirmed additional, continued exploitation is ongoing. There is now a Proof of Concept (PoC) available so exploitation could increase in the near term.  

Why do I care? 

If an attacker exploited this vulnerability, they could completely take over the targeted host and execute remote code on the targeted machine. And although a patch is available for this vulnerability, many instances remain unpatched, and reports continue to pour in that attackers are using exploit code available in the wild. This is all a bad recipe for a vulnerability that I relatively easy for attackers to exploit and we know they’re scanning for. Attackers are also exploiting this issue to spread China Chopper, a longstanding malware that can act as a backdoor on targeted machines and essentially be a backup plan for threat actors to retain access.  

So now what? 

Atlassian has released a set of patches to mitigate the vulnerability. Enterprises are encouraged to test and apply the patch immediately to mitigate the ongoing attacks, patched versions include: 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4 and 7.18.1. Additionally, they have provided a series of steps to be performed to help mitigate the risk if the patches cannot be applied for any reason. Talos has also released several Snort rules that will detect attempts to exploit this vulnerability.  

 

Other news of note

Attackers are still exploiting the Follina vulnerability in the Microsoft Support Diagnostic Tool (MSDT) to deliver Qbot, AsyncRAT and other malware families. Attackers have used these malware families for many years and are not tied to one particular threat actor. If delivered successfully, Qbot can steal sensitive information from the targeted machine. Although no official patch is available still, Microsoft has provided several workarounds for users to disable MSDT. Office Pro Plus, Office 2013, Office 2016, Office 2019 and Office 2021 have been confirmed to be affected. (SecurityWeek, Security Boulevard)

Two million people could be affected by a data breach at a large Massachusets-based health care company. Shields Health Care, which provides management and imaging services, said it "became aware of suspicious activity" on its network on March 28 and immediately began investigating the incident. The company has not discovered any evidence that any information from the data breach has been used to commit identity theft or fraud. Potential at-risk information includes addresses, Social Security numbers, billing information, insurance information and other medical treatment information. (NBC 10 Boston, ABC News)

A new form of Linux malware known as "Symbiote" is "almost impossible" to detect, according to new research. Linux malware normally tries to compromise processes running on the machines, but Symbiote instead acts as a shared object library that gets loaded onto all running processes via LD_PRELOAD. That library then acts as a parasite to compromise the target machine by embedding itself in the system, eventually providing attackers with rootkit functionality. (ZDNet, CSO Online)

Can’t get enough Talos? 

• Researcher Spotlight: Martin Lee, EMEAR lead, Talos Strategic Communications
• Talos EMEA monthly update: Business email compromise
• Threat Roundup for May 27 - June 3
  

Upcoming events where you can find Talos 

Cisco Live U.S. (June 12 – 16, 2022)
Las Vegas, Nevada 

BlackHat U.S. (Aug. 6 - 11, 2022)
Las Vegas, Nevada 

Most prevalent malware files from Talos telemetry over the past week  

SHA 256: e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934  
MD5: 93fefc3e88ffb78abb36365fa5cf857c  
Typical Filename: Wextract  
Claimed Product: Internet Explorer  
Detection Name: PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg  

SHA 256: e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c  
MD5: a087b2e6ec57b08c0d0750c60f96a74c  
Typical Filename: AAct.exe  
Claimed Product: N/A    
Detection Name: PUA.Win.Tool.Kmsauto::1201 

SHA 256: 125e12c8045689bb2a5dcad6fa2644847156dec8b533ee8a3653b432f8fd5645    
MD5: 2c8ea737a232fd03ab80db672d50a17a    
Typical Filename: LwssPlayer.scr    
Claimed Product: 梦想之巅幻灯播放器    
Detection Name: Auto.125E12.241442.in02    

SHA 256: b2ef49a10d07df6db483e86516d2dfaaaa2f30f4a93dd152fa85f09f891cd049 
MD5: 067f9a24d630670f543d95a98cc199df 
Typical Filename: RzxDivert32.sys 
Claimed Product: WinDivert 1.4 driver 
Detection Name: W32.B2EF49A10D-95.SBX.TG 

SHA 256: c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0 
MD5: 8c69830a50fb85d8a794fa46643493b2 
Typical Filename: AAct.exe 
Claimed Product: N/A  
Detection Name: PUA.Win.Dropper.Generic::1201