Friday, September 30, 2022

Threat Advisory: Microsoft warns of actively exploited vulnerabilities in Exchange Server


Cisco Talos has released new coverage to detect and prevent the exploitation of two recently disclosed vulnerabilities collectively referred to as "ProxyNotShell," affecting Microsoft Exchange Servers 2013, 2016 and 2019. One of these vulnerabilities could allow an attacker to execute remote code on the targeted server. Limited exploitation of these vulnerabilities in the wild has been reported. CVE-2022-41040 is a Server Side Request Forgery (SSRF) vulnerability, while CVE-2022-41082 enables Remote Code Execution (RCE) when PowerShell is accessible to the attackers.

While no fixes or patches are available yet, Microsoft has provided mitigations for on-premises Microsoft Exchange users on Sept. 29, 2022. Even organizations that use Exchange Online may still be affected if they run a hybrid server. Cisco Talos is closely monitoring the recent reports of exploitation attempts against these vulnerabilities and strongly recommends users implement mitigation steps while waiting for security patches for these vulnerabilities. Exchange vulnerabilities have become increasingly popular with threat actors, as they can provide initial access to network environments and are often used to facilitate more effective phishing and malspam campaigns. The Hafnium threat actor exploited several zero-day vulnerabilities in Exchange Server in 2021 to deliver ransomware, and Cisco Talos Incident Response reported that the exploitation of Exchange Server issues was one of the four attacks they saw most often last year.

Threat Roundup for September 23 to September 30


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Sept. 23 and Sept. 30. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Thursday, September 29, 2022

Threat Source newsletter (Sept. 29, 2022) — Personal health apps are currently under a spotlight, but their warning signs have always been there


By Jon Munshaw. 

Welcome to this week’s edition of the Threat Source newsletter. 

I’ve spent the past few months with my colleague Ashlee Benge looking at personal health apps’ privacy policies. We found several instances of apps that carry sensitive information stating they would share certain information with third-party advertisers and even law enforcement agencies, if necessary. 

One of the most popular period-tracking apps on the Google Play store, Period Calendar Period Tracker, has a privacy policy that states it will "share information with law enforcement agencies, public authorities, or other organizations if We’re [sic] required by law to do so or if such use is reasonably necessary. We will carefully review all such requests to ensure that they have a legitimate basis and are limited to data that law enforcement is authorized to access for specific investigative purposes only." 

A report from the Washington Post also released last week found that this app, as well as popular health sites like WebMD, “gave advertisers the information they’d need to market to people, or groups of consumers based on their health concerns.” 

To me — these were all things I had never considered before. I’m sure I’m not alone in just going to Google to type in “pain in left flank” or something along those lines to see if I’m dying or not. The research Ashlee and I did really made me rethink the type of information I’m inputting into apps on my phone, especially around my health.

Wednesday, September 28, 2022

New campaign uses government, union-themed lures to deliver Cobalt Strike beacons

By Chetan Raghuprasad and Vanja Svajcer.
  • Cisco Talos discovered a malicious campaign in August 2022 delivering Cobalt Strike beacons that could be used in later, follow-on attacks.
  • Lure themes in the phishing documents in this campaign are related to the job details of a government organization in the United States and a trade union in New Zealand.
  • The attack involves a multistage and modular infection chain with fileless, malicious scripts.

Cisco Talos recently discovered a malicious campaign with a modularised attack technique to deliver Cobalt Strike beacons on infected endpoints.

The initial vector of this attack is a phishing email with a malicious Microsoft Word document attachment that attempts to exploit CVE-2017-0199, a remote code execution issue in Microsoft Office. If a victim opens the maldoc, it downloads a malicious Word document template hosted on an attacker-controlled Bitbucket repository.

Talos discovered two attack methodologies employed by the attacker in this campaign: one in which the downloaded DOTM template executes an embedded malicious Visual Basic script, which leads to the generation and execution of other obfuscated VB and PowerShell scripts, and another in which the malicious VB script downloads and runs a Windows executable that executes malicious PowerShell commands to download and implant the payload.

The payload discovered is a leaked version of a Cobalt Strike beacon. The beacon configuration contains commands to perform targeted process injection of arbitrary binaries and is configured with a high-reputation domain, a redirection technique used to disguise the beacon's traffic.

Although the payload discovered in this campaign is a Cobalt Strike beacon, Talos also observed usage of the Redline information-stealer and Amadey botnet executables as payloads.

This campaign is a typical example of a threat actor generating and executing malicious scripts in the victim's system memory. Defenders should implement behavioral protection capabilities in the organization's defenses to protect effectively against fileless threats.

Organizations should remain vigilant for Cobalt Strike beacons and implement layered defense capabilities to thwart the attacker's attempts at the earliest stage of the infection chain.

Friday, September 23, 2022

Threat Roundup for September 16 to September 23


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Sept. 16 and Sept. 23. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Thursday, September 22, 2022

Threat Source newsletter (Sept. 22, 2022) — Attackers are already using student loan relief for scams


By Jon Munshaw. 

Welcome to this week’s edition of the Threat Source newsletter. 

We’ve seen attackers capitalize on the news time and again, from COVID-19 to U.S.-North Korea relationships and, of course, holiday shopping sales every November. 

So, I was far from surprised to see that attackers are already using U.S. President Joe Biden’s student loan forgiveness plan as a basis for scams and phishing emails.  

The Better Business Bureau and the U.S. Federal Trade Commission both released warnings over the past few weeks around fake offers, scams and website links related to the debt forgiveness plan, with which some borrowers will have up to $20,000 worth of loans forgiven. 

Many of these scams, coming via phone calls, text messages and emails, are promising to provide guaranteed access to the forgiveness program or early applications for a fee. (Hint: This will not work.)

Insider Threats: Your employees are being used against you

By Nick Biasini.
  • Insider threats are becoming an increasingly common part of the attack chain, with malicious insiders and unwitting assets playing key roles in incidents over the past year.
  • Social engineering should be part of any organization’s policies and procedures and a key area for user education in 2023 and beyond.
  • Mitigating these types of risks includes education, user/access control, and ensuring proper processes and procedures are in place when and if employees leave the organization.

Traditionally, attackers try to leverage vulnerabilities to deliver malicious payloads via exploitation. But more recently, that activity has shifted away from exploitation and consistently moved closer and closer to the user. Initially, threat actors loved to trick users into enabling malicious macros in Microsoft Office documents, but as Microsoft moves to blunt the effectiveness of macros, adversaries are always going to move to the next avenue to generate malicious revenue. This is where insider threats come into play. There are two broad categories of insider threats: the malicious insider and the unwitting asset. Both present unique challenges in detection and prevention for defenders and organizations’ IT admins. 


Malicious Insiders

There are a variety of reasons a user may choose to become a malicious insider, and unfortunately, many of them are occurring today. Let’s start with the most obvious: financial distress. When a user has a lot of debt, selling the ability to infect their employer can be a tempting avenue. We’ve seen examples of users trying to sell access into their employers’ networks for more than a decade, having spotted them on dark web forums. The current climate is, unfortunately, ripe for this type of abuse. The economy is on the brink of a recession, inflation continues to spike, and the cryptocurrency markets have lost as much as 70% of their peak value from late 2021. Combined, these factors can create an environment where employees are susceptible to coercion, putting the enterprise at risk.

Vulnerability Spotlight: Vulnerabilities in popular library affect Unix-based devices


Lilith >_> of Cisco Talos discovered these vulnerabilities. 

Cisco Talos recently discovered a memory corruption vulnerability in the uClibc library that could affect any Unix-based devices that use this library. uClibc and uClibc-ng are lightweight replacements for the popular glibc library, which is the GNU Project's implementation of the C standard library. 

TALOS-2022-1517 (CVE-2022-29503 and CVE-2022-29504) is a memory corruption vulnerability in uClibc and uClibc-ng that can occur if a malicious user repeatedly creates threads. 

Many embedded devices utilize this library, but Talos specifically confirmed that the Anker Eufy Homebase 2, version 2.1.8.8h, is affected by this vulnerability. Anker confirmed that they’ve patched this issue. However, uClibc has not issued an official fix, though we are disclosing this vulnerability in accordance with Cisco’s 90-day vulnerability disclosure policy. Talos tested and confirmed the following software is affected by these vulnerabilities: uClibc, version 0.9.33.2 and uClibc-ng, version 1.0.40. 

Tuesday, September 20, 2022

Our current world, health care apps and your personal data

What does your autonomy mean to you?

By Ashlee Benge and Jonathan Munshaw.

  • After the recent Supreme Court ruling in Dobbs v. Jackson Women's Health Organization, the use of third-party apps to track health care has recently come under additional scrutiny for privacy implications.
  • Many of these apps have privacy policies that state they are authorized to share data with law enforcement investigations, though the exact application of those policies is unclear.
  • The use of health-tracking apps and wearable tech is rising, raising questions around the application of the 14th Amendment’s equal protection clause and HIPAA rules as to who can and cannot collect and share health care information. 

It’s become second nature for many users to blindly click on the “Accept” button on an app or website’s privacy policy and terms of service. But in the wake of the U.S. Supreme Court’s ruling in Dobbs v. Jackson Women’s Health Organization, which reversed previous interpretations of the 14th Amendment on privacy from Roe v. Wade, users of sensitive health apps need to be mindful of the kinds of data these apps keep, sell and share. It is a privacy ruling at its core, with the decision raising concerns about the government’s ability to access our personal and private information. Given today’s digital surveillance infrastructures, coupled with new and existing laws, digital health histories are nearly impossible to protect.

Friday, September 16, 2022

Threat Roundup for September 9 to September 16


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Sept. 9 and Sept. 16. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Thursday, September 15, 2022

Threat Source newsletter (Sept. 15, 2022) — Teachers have to be IT admins now, too


By Jon Munshaw. 

Welcome to this week’s edition of the Threat Source newsletter. 

Public schools in the United States already rely on our teachers for so much — they have to be educators, occasional parental figures, nurses, safety officers, law enforcement and much more. Slowly, they’re having to add “IT admin” to their list of roles. 

Educational institutions have increasingly become a target for ransomware attacks, an issue already highlighted this year by a major cyber attack on the combined Los Angeles school district in California that schools are still recovering from. 

Teachers there reported that during the week of the attack, they couldn’t enter attendance, lost lesson plans and presentations, and had to scrap homework plans. Technology has become ever-present in classrooms, so any minimal disruption in a school’s network or software can throw pretty much everything off. 

The last thing teachers need to worry about now is defending against a well-funded threat actor who may live thousands of miles away — but we’re not making it easy on them. 

I asked my mom about this, who is a paraeducator for kindergarten students, and she told me each of her students (keep in mind these are mostly 5- and 6-year-olds) has their own Chromebooks that they bring to and from home and use for homework assignments. The elementary school she works at has more than 500 students enrolled across six grades, and yet there’s only one person for the whole school who acts as their overall IT and network administrator. That’s one person to manage 500-plus laptops and even more devices like iPads and smartboards as you get into the older grades. 

Gamaredon APT targets Ukrainian government agencies in new campaign


By Asheer Malhotra and Guilherme Venere.

  • Cisco Talos recently identified a new, ongoing campaign attributed to the Russia-linked Gamaredon APT that infects Ukrainian users with information-stealing malware.
  • The adversary is using phishing documents containing lures related to the Russian invasion of Ukraine.
  • LNK files, PowerShell and VBScript enable initial access, while malicious binaries are deployed in the post-infection phase.
  • We discovered the use of a custom-made information stealer implant that can exfiltrate victim files of interest and deploy additional payloads as directed by the attackers.

Cisco Talos discovered Gamaredon APT activity targeting users in Ukraine with malicious LNK files distributed in RAR archives. The campaign, part of an ongoing espionage operation observed as recently as August 2022, aims to deliver information-stealing malware to Ukrainian victim machines and makes heavy use of multiple modular PowerShell and VBScript (VBS) scripts as part of the infection chain. The infostealer is a dual-purpose malware that includes capabilities for exfiltrating specific file types and deploying additional binary and script-based payloads on an infected endpoint.

Tuesday, September 13, 2022

Microsoft Patch Tuesday for September 2022 — Snort rules and prominent vulnerabilities

By Jon Munshaw and Asheer Malhotra. 

Microsoft released its monthly security update Tuesday, disclosing 64 vulnerabilities across the company’s hardware and software line, a sharp decline from the record number of issues Microsoft disclosed last month. 

September's security update features five critical vulnerabilities, 10 fewer than were included in last month’s Patch Tuesday. There are two moderate-severity vulnerabilities in this release and a low-severity issue that’s already been patched as a part of a recent Google Chromium update. The remainder is considered “important.” 

The most serious vulnerability exists in several versions of Windows Server and Windows 10 and could allow an attacker to achieve remote code execution (RCE) by sending a single, specially crafted IPv6 packet to a Windows node where IPSec is enabled. CVE-2022-34718 only affects instances that have IPSec enabled. This vulnerability has a severity score of 9.8 out of 10, and Microsoft considers it “more likely” to be exploited.

Thursday, September 8, 2022

Threat Source newsletter (Sept. 8, 2022) — Why there is no one-stop-shop solution for protecting passwords


By Jon Munshaw. 

Welcome to this week’s edition of the Threat Source newsletter. 

It seems like there’s at least one major password breach every month — if not more. Most recently, there was an incident at Plex where all users had to reset their passwords.  

Many users pay for a password management service — which is something I’ve talked about a ton for Talos. But even those aren’t a one-size-fits-all solution. LastPass, one of the most popular password management services, recently suffered a breach of their own internal development environment, though as of right now, it doesn’t appear that any users’ primary passwords were compromised. 

This got me curious about how people prefer to manage their passwords, so I threw up a poll on our Twitter asking our readers how they managed their passwords. Paid password management services like LastPass and 1Password were the most popular response, followed by web browser-based managers like the ones Chrome and Safari offer.

Lazarus and the tale of three RATs

By Jung soo An, Asheer Malhotra and Vitor Ventura.

  • Cisco Talos has been tracking a new campaign operated by the Lazarus APT group, attributed to North Korea by the United States government.
  • This campaign involved the exploitation of vulnerabilities in VMware Horizon to gain an initial foothold into targeted organizations.
  • Targeted organizations include energy providers from around the world, including those headquartered in the United States, Canada and Japan.
  • The campaign is meant to infiltrate organizations around the world to establish long-term access and subsequently exfiltrate data of interest to the adversary's nation-state.
  • Talos has discovered the use of two known families of malware in these intrusions — VSingle and YamaBot.
  • Talos has also discovered the use of a recently disclosed implant we're calling "MagicRAT" in this campaign.


Talos EMEA Monthly Threat Update: How do you know if cyber insurance is right for you?

On September's edition of the Monthly EMEA Threat Update, Hazel Burton and Martin Lee break down cyber insurance.

Although many businesses and organizations will think insurance will only help them in a worst-case scenario, that worst-case scenario comes for us all eventually.

Martin and Hazel discuss the benefits of having a cyber insurance policy and how it protects the policy holder when a cyber attack strikes. You can watch the full episode above or over on our YouTube page here.

Wednesday, September 7, 2022

Multiple ransomware data leak sites experience DDoS attacks, facing intermittent outages and connectivity issues

By Azim Khodjibaev, Colin Grady and Paul Eubanks.

  • Since Aug. 20, 2022, Cisco Talos has been monitoring suspected distributed denial-of-service (DDoS) attacks resulting in intermittent downtime and outages affecting several ransomware-as-a-service (RaaS) data leak sites.
  • While the source and origin of this activity remain unknown, this appears to be a concentrated effort against RaaS leak sites to disrupt their efforts to announce and post new victim information.
  • Actors' responses have varied, with LockBit and ALPHV implementing new measures to counteract DDoS attacks against their sites while other groups like Quantum have simply resorted to redirecting web traffic elsewhere. LockBit also appears to have co-opted this technique by advertising that they are now adding DDoS as an extortion tactic in addition to encrypting and leaking data.

RaaS leak sites experience intermittent outages


In late August, Talos became aware of several prominent ransomware operations, such as ALPHV (also referred to as BlackCat) and LockBit, experiencing suspected DDoS attacks against their public data leak sites. These leak sites are typically hosted on Tor hidden services where, in a tactic known as double extortion, RaaS affiliates post victim information if the ransom demand is not met. On Aug. 26, we also observed at least seven more RaaS leak sites for LV, Hive, Everest, BianLian, Yanluowang, Snatch and Lorenz become inaccessible and go offline intermittently and/or experience slow traffic. Security researchers have also identified additional RaaS leak sites for Ragnar Locker and Vice Society which may have also been affected by this activity. However, we have only verified the Ragnar Locker claim at this time, as their leak site continues to experience outages. At the time of analysis, many of the aforementioned groups are still affected by connectivity issues and continue to face a variety of intermittent outages to their data leak sites, including frequent disconnects and unreachable hosts, suggesting that this is part of a sustained effort to thwart updates to those sites.

MagicRAT: Lazarus’ latest gateway into victim networks

By Jung soo An, Asheer Malhotra and Vitor Ventura.

  • Cisco Talos has discovered a new remote access trojan (RAT) we're calling "MagicRAT," developed and operated by the Lazarus APT group, which the U.S. government believes is a North Korean state-sponsored actor.
  • Lazarus deployed MagicRAT after the successful exploitation of vulnerabilities in VMware Horizon platforms.
  • We've also found links between MagicRAT and another RAT known as "TigerRAT," disclosed and attributed to Lazarus by the Korean Internet & Security Agency (KISA) recently.
  • TigerRAT has evolved over the past year to include new functionalities that we illustrate in this blog.

Tuesday, September 6, 2022

Researcher Spotlight: How Asheer Malhotra looks for ‘instant gratification’ in threat hunting

The India native has transitioned from a reverse-engineer hobbyist to a public speaker in just a few years

By Jon Munshaw. 

Ninety percent of Asheer Malhotra’s work will never see the light of day. But it’s that 10 percent that keeps him motivated to keep looking for something new. 

The Talos Outreach researcher spends most of his days looking into potential new threats. Many times, that leads to dead ends of threats that have already been discovered and blocked or don’t have any additional threads to pull on. 

But eventually, the “lightbulb goes off,” as he puts it, which indicates something is a new threat the wider public needs to know about. During his time at Talos, Malhotra has spent much of his time looking into cyber attacks and state-sponsored threat actors in Asia, like the Transparent Tribe group he’s written about several times. 

“At some point, I say ‘Hey, I don’t think I’ve seen this before.’ I start analyzing public disclosures, and slowly start gaining confidence and being able to craft a narrative around the motivations and tactics around a specific threat actor or malware campaign,” he said.

Friday, September 2, 2022

Threat Roundup for August 26 to September 2


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Aug. 26 and Sept. 2. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Thursday, September 1, 2022

Threat Source newsletter (Sept. 1, 2022) — Conversations about an unborn baby's privacy


By Jon Munshaw. 

Welcome to this week’s edition of the Threat Source newsletter. 

This week marks about 90 days before my wife’s due date with our first child, a baby girl. We’re both incredibly excited and nervous at the same time, and we have much to discuss, like how to lay out the nursery, what times we’ll put her down for a nap and who must be the one to get up the first time she starts crying at 2 a.m. 

But the first true argument my wife and I have had about having a child is whether we should show the baby’s face on Instagram. 

This child isn’t even born yet, and social media companies are probably already building out a data profile on her. I signed up for the What to Expect app so I could follow along with my wife’s pregnancy progress and learn more about what she’s going through and how the baby is developing. Already I’m getting targeted ads on the app and my Instagram for specific brands of baby food, the stroller that we’ve listed on our registry and an automatic children’s toothbrush.