Thursday, January 27, 2022

Beers with Talos, Ep. #115: Everybody's measured by quarters — even threat actors

Beers with Talos (BWT) Podcast episode No. 115 is now available. Download this episode and subscribe to Beers with Talos:

      

Recorded Jan. 14, 2022.

If iTunes and Google Play aren't your thing, click here.

We wanted to start off the new year by reflecting on 2021 with Talos Incident Response. The one thing many cyber attacks had in common? People. 

There are issues that arise any time humans are involved, whether it's being tempted by a phish or someone making simple human errors. So, Matt, Mitch and Liz discuss how logs are crucial during the worst-case scenario and look at how to remove human error as much as possible from the equation. 

Outside of initial infection vectors, there are plenty of other lessons learned from 2021 that we can take into incident response this year.

Wednesday, January 26, 2022

Vulnerability Spotlight: WiFi-connected security camera could be manipulated to spy on communications, among other malicious actions



Francesco Benvenuto of Cisco Talos discovered these vulnerabilities. Blog by Jon Munshaw. 

Cisco Talos recently discovered several vulnerabilities in the Reolink RLC-410W security camera that could allow an attacker to perform several malicious actions, including performing man-in-the-middle attacks, stealing user login credentials and more.  

The Reolink RLC-410W is a WiFi-connected security camera. The camera includes motion detection functionalities and multiple ways to save and view the recordings. The vulnerabilities Talos discovered exist in various functions and features of the camera. Some of these exploits could be combined, as well, to reboot the camera without authentication or run certain APIs.

Tuesday, January 25, 2022

Vulnerability Spotlight: Vulnerability in Apple iOS, iPad OS and MacOS could lead to disclosure of sensitive memory data



Jaewon Min of Cisco Talos discovered these vulnerabilities. Blog by Jon Munshaw. 

Cisco Talos recently discovered an out-of-bounds read vulnerability in Apple’s macOS and iOS operating systems that could lead to the disclosure of sensitive memory content. An attacker could capitalize on that information to aid in the exploitation of other vulnerabilities 

This vulnerability specifically exists in the DDS image parsing functionality of Apple’s ImageIO library that exists in its desktop and mobile operating systems.

Saturday, January 22, 2022

Talos Incident Response year-in-review for 2021


Cisco Talos Incident Response (CTIR), as with everyone else in the cybersecurity world, dealt with a bevy of threats last year, as responders dealt with an expanding set of ransomware adversaries and several major cybersecurity incidents affecting organizations worldwide, all under the backdrop of the global pandemic, which brought its own set of cybersecurity challenges. In lieu of the regular incident response quarterly trends blog this quarter, this report will look at trends that emerged throughout 2021. Our findings reveal that: 

Friday, January 21, 2022

Ukraine Campaign Delivers Defacement and Wipers, in Continued Escalation


Authored by Nick Biasini, Michael Chen, Chris Neal, and Matt Olney with Contributions from Dmytro Korzhevin.

Several cyber attacks against Ukrainian government websites — including website defacements and destructive wiper malware — have made headlines over the past few weeks as military tensions along the Russian/Ukrainian border have escalated. As a longtime intelligence partner and ally, Cisco Talos quickly responded to provide support, working with the State Special Communications Service of Ukraine (SSSCIP), the Cyberpolice Department of the National Police of Ukraine and the National Coordination Center for Cybersecurity (NCCC at the NSDC of Ukraine).

Based on our analysis of the wiper malware, dubbed WhisperGate, we identified the following key points:

  • While WhisperGate has some strategic similarities to the notorious NotPetya wiper that attacked Ukranian entities in 2017, including masquerading as ransomware and targeting and destroying the master boot record (MBR) instead of encrypting it, it notably has more components designed to inflict additional damage.
  • We assess that attackers used stolen credentials in the campaign and they likely had access to the victim network for months before the attack, a typical characteristic of sophisticated advanced persistent threat (APT) operations.
  • The multi-stage infection chain downloads a payload that wipes the MBR, then downloads a malicious DLL file hosted on a Discord server, which drops and executes another wiper payload that destroys files on the infected machines.

Threat Roundup for January 14 to January 21


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Jan. 14 and Jan. 21. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Thursday, January 20, 2022

Threat Source Newsletter (Jan. 20, 2022)

Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers.  

Even though we're nearly a month into 2022, we're still not quite ready to move on from 2021. That's why next week, we'll be going live on social media to talk about some of the top cybersecurity stories from the past year.

Liz Waddell from Talos Incident Response and Matt Olney from our threat intelligence team will be joining Hazel Burton from Cisco Secure to talk about everything from Log4j to supply chain attacks. You can find this stream live on any of Cisco Secure's social media platforms or the Talos YouTube page.

Friday, January 14, 2022

Threat Roundup for January 7 to January 14


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Jan. 7 and Jan. 14. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Talos Takes Ep. #82: Log4j followed us in 2022

By Jon Munshaw.

The latest episode of Talos Takes is available now. Download this episode and subscribe to Talos Takes using the buttons below, or visit the Talos Takes page.

Thursday, January 13, 2022

Threat Source Newsletter (Jan. 13, 2022)



Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers.  

Move out of the way, Log4j! Traditional malware is back with a bang in 2022. While Log4j is likely still occupying many defenders' minds, the bad guys are still out there doing not-Log4j things. We have new research out on a campaign spreading three different remote access tools (RATs) using public internet infrastructures like Amazon Web Services and Microsoft Azure Sphere.

If you're looking to unwind after all the Log4j madness, we also have a new Beers with Talos episode that's one of our more laid-back productions. We, unfortunately, said goodbye to Joel, but it was not without tequila and discussions about "Rent."