Friday, July 23, 2021

Threat Roundup for July 16 to July 23


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between July 16 and July 23. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Talos Takes Ep: #62: Don't sleep on business email compromise

By Jon Munshaw.

The latest episode of Talos Takes is available now. Download this episode and subscribe to Talos Takes using the buttons below, or visit the Talos Takes page.

Business email compromise may seem like last decade’s threat, but it’s still just as prevalent as ever. A recent FBI report found that it cost users more than $1 billion in 2020, and attackers are now capitalizing on everything from PlayStation 5 sales to the COVID-19 pandemic to keep scamming people. On this week’s Talos Takes, Nick Biasini recaps his recent research into BEC and discusses some of the reasons why this threat may never go away (hint: users).

Thursday, July 22, 2021

Threat Source newsletter (July 22, 2021)

Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers.  

I'm compiling this Tuesday for vacation reasons, so apologies for any major stories I'm missing here.

This week's Beers with Talos podcast hits the seas again. And although we've covered sea shanties in the past, this week we're covering the bad guys trying to disrupt those glorious songs of old. 

The guys talk about privateer groups in this episode, a new threat actor classification that we believe the security community needs in order to better discuss the intricacies of state-sponsored threat actors.

Security implications of misconfigurations

By Jaeson Schultz.


When defenders regularly monitor their organization's Domain Name System (DNS) queries, they can often snuff out potential attacks before they happen. At the very least, it's important to identify and fix configuration mistakes that could lead to nasty security breaches.

Most DNS queries in a network are created automatically by a user's applications. For example, when someone types "talosintelligence.com" into a web browser, the browser triggers a DNS query intended to map the friendly domain name to an internet IP address. DNS queries might fail to find an IP corresponding to a domain name for a variety of reasons — perhaps the user mistyped the domain name. However, when DNS lookup failures occur at regular intervals, or in large numbers, the cause may be a misconfiguration somewhere. These misconfigurations can leave a security flaw in an organization's network, opening it up to typo-squatting attacks or potential impersonation in phishing campaigns.

Cisco Talos regularly monitors networks and domain names that may have once formed a part of attacker infrastructure, or perhaps are victims currently targeted by attackers. This sometimes involves monitoring passive DNS and finding domain names that receive substantial internet traffic, despite the fact that the domain name is unregistered, and for all intents and purposes, does not exist.

Tuesday, July 20, 2021

Beers with Talos, Ep. #107: Sailing the high seas in search of privateer groups



Beers with Talos (BWT) Podcast episode No. 107 is now available. Download this episode and subscribe to Beers with Talos:


You're not going to believe this, but everyone actually agreed on something in this episode. And no, it's not regarding the best flavor of beef jerky. In this episode, we discuss a new category of threat actors that we're choosing to call "privateers." The guys discuss why this classification is much needed in the security community, the previous research on this topic, and the ways private security firms can partner with public intelligence agencies to protect against this type of threat.

Friday, July 16, 2021

Threat Roundup for July 9 to July 16


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between July 9 and July 16. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Talos Takes Ep: #61: SideCopy sounds so familiar, but I just can't put my finger on it...

By Jon Munshaw.

The latest episode of Talos Takes is available now. Download this episode and subscribe to Talos Takes using the buttons below, or visit the Talos Takes page.

Asheer Malhotra of Talos Outreach has spent the past few months tracking APTs that all follow the same line. APT 36, aka Transparent Tribe, was recently discovered adding new tools to attack Windows machines. Another similar group, called "Sidewinder," also went after targets on the Indian subcontinent.

Now, he's following the SideCopy APT, which takes the best of both worlds and borrows heavily from Transparent Tribe and Sidewinder. Asheer joins Talos Takes this week to discuss his research into SideWinder and break down the recent research paper he co-authored on the group.

We discuss SideCopy's "borrowing" of other groups' tactics, techniques and procedures (TTPs) and the active development of several trojans they use.

Thursday, July 15, 2021

Vulnerability Spotlight: Multiple vulnerabilities in D-LINK DIR-3040



Dave McDaniel discovered these vulnerabilities. Blog by Jon Munshaw. 

Cisco Talos recently discovered multiple vulnerabilities in the D-LINK DIR-3040 wireless router. 

The DIR-3040 is an AC3000-based wireless internet router. These vulnerabilities could allow an attacker to carry out a variety of malicious actions, including exposing sensitive information, causing a denial of service and gaining the ability to execute arbitrary code.  

Threat Source newsletter (July 15, 2021)

Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers.  

The value of cryptocurrency is all over the place. Elon Musk's tweets can send Dogecoin rising and falling. And Monero, the most popular currency for cryptominers, has gone all over the place this year. So does that have any effect on the rate of attackers deploying miners?

We looked at Talos telemetry and virtual currency value to find out.

Also, if you haven't already, be sure to update your Microsoft products. The company disclosed three vulnerabilities this month that attackers are exploiting in the wild (four if you count PrintNightmare from earlier this month).

Vulnerability Spotlight: Multiple vulnerabilities in Advantech R-SeeNet



The Talos vulnerability research team discovered these vulnerabilities. Blog by Jon Munshaw. 

Cisco Talos recently discovered multiple vulnerabilities in the Advantech R-SeeNet monitoring software. 

R-SeeNet is the software system used for monitoring Advantech routers. It continuously collects information from individual routers in the network and records the data into a SQL database. The vulnerabilities Talos discovered exist in various scripts inside of R-SeeNet's web applications. 

TALOS-2021-1270 (CVE-2021-21799), TALOS-2021-1271 (CVE-2021-21800) and TALOS-2021-1272 (CVE-2021-21801 - CVE-2021-21803) are all vulnerabilities that could allow an attacker to execute arbitrary JavaScript code in the context of the targeted user's browser. An adversary could exploit any of these vulnerabilities by sending the target a malicious URL and tricking the user into opening it.