Friday, July 29, 2022

Threat Roundup for July 22 - 29



Talos is publishing a glimpse into the most prevalent threats we've observed from July 22 - 29. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Thursday, July 28, 2022

Threat Source newsletter (July 28, 2022) — What constitutes an "entry-level" job in cybersecurity?

By Jon Munshaw. 

Welcome to this week’s edition of the Threat Source newsletter. 

Between the White House’s recent meeting, countless conference talks and report after report warning of cybersecurity burnout, there’s been a ton of talk recently around the cybersecurity skills gap and hiring. 

Everyone wants to know the magic ticket to figure out how to increase hiring at their cybersecurity practice without hiring somehow with under-developed skills that could leave clients open to attack. This is not a problem exclusive to cybersecurity, but I do find it interesting that there’s been so much talk about the problems the cybersecurity workforce faces and not much about actual solutions. 

I think a good place to start would change the meaning of what an “entry-level” position truly is in security. I came into this field with zero security experience from the domain of journalism. My family considered me to be “a computer guy” just because I was good at searching the internet for public information as a journalist.

Wednesday, July 27, 2022

Vulnerability Spotlight: How a code re-use issue led to vulnerabilities across multiple products



By Francesco Benvenuto. 

Recently, I was performing some research on a wireless router and noticed the following piece of code: 

This unescape function will revert the URL encoded bytes to its original form. But something specifically caught my attention: There was no size check for the performed operations and the function assumes that after a ‘%’ there are always two bytes. So, what would happen if after ‘%’, only one character existed? The answer is that the s+3, in the strcpy, will access after the end of the string. So, it could lead to memory corruption.

What Talos Incident Response learned from a recent Qakbot attack hijacking old email threads



By Nate Pors and Terryn Valikodath.  

Executive summary 

  • In a recent malspam campaign delivering the Qakbot banking trojan, Cisco Talos Incident Response (CTIR) observed the adversary using aggregated, old email threads from multiple organizations that we assess were likely harvested during the 2021 ProxyLogon-related compromises targeting vulnerable Microsoft Exchange servers. 
  • This campaign relies on external thread hijacking, whereby the adversary is likely using a bulk aggregation of multiple organizations’ harvested emails to launch focused phishing campaigns against previously uncompromised organizations. This differs from the more common approach to thread hijacking, in which attackers use a single compromised organization’s emails to deliver their threat. 
  • This many-to-one approach is unique from what we have generally observed in the past and is likely an indirect effect of the widespread compromises and exfiltration of large volumes of email from 2020 and 2021. 
  • Understanding the difference between external and single-victim thread hijacking is essential for detecting these threats. Below, we have several tips for defenders on how to identify key indicators of this activity. 

Tuesday, July 26, 2022

Quarterly Report: Incident Response Trends in Q2 2022

Commodity malware usage surpasses ransomware by narrow margin 




For the first time in more than a year, ransomware was not the top threat Cisco Talos Incident Response (CTIR) responded to this quarter, as commodity malware surpassed ransomware by a narrow margin. This is likely due to several factors, including the closure of several ransomware groups, whether it be of their own volition or the actions of global law enforcement agencies and governments. 

Commodity malware was the top observed threat this quarter, a notable development given the general decrease in observations of attacks leveraging commodity trojans in CTIR engagements since 2020. These developments coincide with a general resurgence of certain email-based trojans in recent months, as law enforcement and technology companies have continued to attempt to disrupt and affect email-based malware threats like Emotet and Trickbot. This quarter featured malware such as the Remcos remote access trojan (RAT), Vidar infostealer, Redline Stealer and Qakbot (Qbot), a well-known banking trojan that in recent weeks, has been observed in new clusters of activity delivering a variety of payloads. 

Friday, July 22, 2022

Threat Roundup for July 15 to July 22


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between July 15 and July 22. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Thursday, July 21, 2022

Threat Source newsletter (July 21, 2022) — No topic is safe from being targeted by fake news and disinformation

By Jon Munshaw. 

Welcome to this week’s edition of the Threat Source newsletter. 

I could spend time in this newsletter every week talking about fake news. There are always so many ridiculous memes, headlines, misleading stories, viral Facebook posts and manipulated media that I see come across my Instagram feed or via my wife when she shows me TikToks she favorited. 

One recent event, though, was so crushing to me that I had to call it out specifically. Former Japanese Prime Minister Shinzo Abe was assassinated earlier this month while making a campaign speech in public. This was a horrible tragedy marking the death of a powerful politician in one of the world’s most influential countries. It was the top story in the world for several days and was even more shocking given Japan’s strict gun laws and the relative infrequency of any global leaders being the target of violence. 

It took no time for the internet at large to take this tragedy and immediately try to spin it to their whims to spread false narratives, disinformation and downright harmful fake stories that mar Abe’s death and make a mockery of the 24/7 news cycle and the need for everyone to immediately have their own “take” on social media. 

Shortly after Abe’s murder, a far-right French politician took a false claim from the infamous online forum 4chan that video game developer Hideo Kojima was the suspect who killed Abe and shared it on Twitter. The politician, Damien Rieu, even went as far to connect Kojima to the “far left,” linking to pictures of the “Metal Gear Solid” creator wearing a shirt depicting the Joker and a bag with Che Guevara’s face on it.