Thursday, September 16, 2021

Threat Source newsletter (Sept. 16, 2021)

Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers.  

It's a bird, it's a plane, it's a RAT!

We've been tracking a series of trojans targeting the aviation industry that lure victims with spam about flight itineraries and other transportation news. In our latest blog post, we discuss how we followed the actor behind these attacks, and what that process teaches us about tracking a threat actor in the future.

This week was also Patch Tuesday, so you'll want to update your Microsoft products as soon as possible if you haven't already. Most notably, there's an official update to patch the high-profile MSHTML vulnerability (CVE-2021-40444).

Operation Layover: How we tracked an attack on the aviation industry to five years of compromise

By Tiago Pereira and Vitor Ventura.

  • Cisco Talos linked the recent aviation targeting campaigns to an actor who has been targeting the aviation industry for two years.
  • The same actor has been running successful malware campaigns for more than five years.
  • Although the actor has always used commodity malware, the crypters it buys to wrap that malware make its campaigns more effective.
  • This shows that a small operation can run for years under the radar, while still causing serious problems for its targets.


Cisco Talos and other security researchers have recently reported on a series of malicious campaigns targeting the aviation industry. These reports mainly center around the crypter that hides the usage of commodity malicious remote access tools.

We decided this would be a good starting point to demonstrate how a researcher can pivot from the initial discovery of a RAT and eventually profile a threat actor. This post will show how we discovered previous campaigns targeting the aviation industry, which links back to an actor that's been active for approximately six years.

We believe with a high degree of confidence that the actor is based out of Nigeria. It doesn't seem to be technically sophisticated: it has used off-the-shelf malware since the beginning of its activities without developing its own. The actor also buys the crypters that let that malware run without being detected, and over the years it has used several different crypters, mostly bought on online forums.

We also believe with a high degree of confidence that the actor has been active for at least five years. For the last two, they've been targeting the aviation industry, while conducting other campaigns at the same time. Pivoting from an initial discovery is not an exact science — in this process, a researcher must assign a level of confidence to each of these associations.

In this post, we will show how our research uncovered information about the attackers spreading AsyncRAT and njRAT using specific lure documents centered around the aviation industry. If infected with these threats, organizations could fall victim to data theft, financial fraud or future cyber attacks with much worse consequences.

In the end, our research shows that actors that perform smaller attacks can keep doing them for a long period of time under the radar. However, their activities can lead to major incidents at large organizations. These are the actors that feed the underground market of credentials and cookies, which can then be used by larger groups on activities like "big game hunting."

Tuesday, September 14, 2021

Microsoft Patch Tuesday for Sept. 2021 — Snort rules and prominent vulnerabilities

By Jon Munshaw, with contributions from Holger Unterbrink. 

Microsoft released its monthly security update Tuesday, disclosing 85 vulnerabilities across the company’s firmware and software. This month’s release is headlined by an official patch for the critical remote code execution vulnerability disclosed earlier this month in MSHTML.  

CVE-2021-40444 is being actively exploited in the wild, according to Microsoft, and proof-of-concept code is now publicly available, which widens the pool of attackers able to exploit this vulnerability. This is the first official Microsoft update to address this issue. Talos has additional protection available here.

Users should install this patch immediately. As an additional stopgap, they can disable the installation of all ActiveX controls in Internet Explorer to mitigate this attack.
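The ActiveX workaround above is applied through Internet Explorer's per-zone URL-action policy. The following PowerShell script is an added example (not Talos or Microsoft code) that sets the two relevant URL actions, 1001 (download signed ActiveX controls) and 1004 (download unsigned ActiveX controls), to 3 (Disable) for zones 0 through 3 under the machine-wide policy key, and then verifies the result. It assumes an elevated shell; the function names are this example's own. Previously installed controls keep running, a reboot is needed for the change to take effect, and the keys should be removed again once the September update is installed.

```powershell
# Added example: machine-wide policy that disables ActiveX control installation in
# all Internet Explorer zones (0 = Local Machine, 1 = Intranet, 2 = Trusted, 3 = Internet).
# Run from an elevated PowerShell prompt. Function names are this example's own.

$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'

# URL actions 1001 (signed ActiveX download) and 1004 (unsigned ActiveX download); 3 = Disable.
$UrlActions = @{ '1001' = 3; '1004' = 3 }

function Set-ActiveXInstallDisabled {
    foreach ($zone in 0..3) {
        $key = Join-Path $PolicyRoot $zone
        if (-not (Test-Path $key)) {
            New-Item -Path $key -Force | Out-Null
        }
        foreach ($action in $UrlActions.Keys) {
            New-ItemProperty -Path $key -Name $action -PropertyType DWord `
                -Value $UrlActions[$action] -Force | Out-Null
        }
    }
}

function Test-ActiveXInstallDisabled {
    # Returns $true only when every zone has both URL actions set to 3 under the policy key.
    foreach ($zone in 0..3) {
        $key = Join-Path $PolicyRoot $zone
        if (-not (Test-Path $key)) { return $false }
        $props = Get-ItemProperty -Path $key
        foreach ($action in $UrlActions.Keys) {
            if ($props.$action -ne 3) { return $false }
        }
    }
    return $true
}

function Remove-ActiveXInstallPolicy {
    # Roll back once the official patch is installed; removes only the four zone keys set above.
    foreach ($zone in 0..3) {
        $key = Join-Path $PolicyRoot $zone
        if (Test-Path $key) { Remove-Item -Path $key -Recurse -Force }
    }
}

Set-ActiveXInstallDisabled
if (Test-ActiveXInstallDisabled) {
    Write-Output 'ActiveX installation disabled for IE zones 0-3 via policy. Reboot to apply.'
} else {
    Write-Warning 'Policy values were not fully applied; confirm the shell is elevated.'
}
```

Because the values live under HKLM\SOFTWARE\Policies, they override any per-user zone settings, which is why Test-ActiveXInstallDisabled checks the policy key rather than HKCU. This is a mitigation, not a fix: it does not change how MSHTML parses the malicious document, so the patch still has to be installed.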

Monday, September 13, 2021

Downtime on Talos Intelligence

Talos Intelligence will be down for a short time on Sept. 17 around 10 a.m. ET while we perform some routine maintenance on the site. 

We apologize for any inconvenience this may cause. We expect the interruption will only last for about 30 minutes.  

Vulnerability Spotlight: Code execution vulnerability in Nitro Pro PDF

A Cisco Talos team member discovered this vulnerability. Blog by Jon Munshaw. 

Cisco Talos recently discovered a vulnerability in the Nitro Pro PDF reader that could allow an attacker to execute code in the context of the application. 

Nitro Pro PDF is part of Nitro Software’s Productivity Suite. Nitro Pro allows users to create and modify PDFs and other digital documents. Several of its capabilities rely on third-party libraries to parse PDFs.  

TALOS-2021-1267 (CVE-2021-21798) is a use-after-free vulnerability that can be triggered if a target opens a specially crafted, malicious PDF. 

Friday, September 10, 2021

Threat Roundup for September 3 to September 10

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Sept. 3 and Sept. 10. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center.

Talos Takes Ep. #67: What a leaked playbook tells us about the Conti ransomware group

By Jon Munshaw.

The latest episode of Talos Takes is available now. Download this episode and subscribe to Talos Takes using the buttons below, or visit the Talos Takes page.

There's a lot to take apart in the recently leaked Conti ransomware playbook. After a disgruntled member of the ransomware-as-a-service group leaked it in August, people immediately started combing through it to gain insight into this threat actor. 

But few people spent more time with it than David Liebenberg and Azim Khodjibaev, who were part of a Cisco Talos team that translated the entire document, by hand, into English. Azim and Dave join Talos Takes this week to discuss what they learned from the project, and how attackers' human sides are starting to show.

Thursday, September 9, 2021

Threat Source newsletter (Sept. 9, 2021)

Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers.  

The biggest security news this week is no doubt another Microsoft zero-day. On the heels of PrintNightmare and multiple Exchange Server vulnerabilities comes a code execution vulnerability in MSHTML, the rendering engine in Internet Explorer. 

We have new Snort rules out today that protect users against the exploitation of this vulnerability, which could allow an attacker to take complete control of a victim machine.

Talos releases protection against zero-day vulnerability (CVE-2021-40444) in Microsoft MSHTML

Cisco Talos released new SNORT® rules Thursday to protect against the exploitation of a zero-day vulnerability in Microsoft MSHTML that the company warns is being actively exploited in the wild. 

Users are encouraged to deploy SIDs 58120 – 58129, Snort 3 SID 300049 and ClamAV signature ID 9891528 (Doc.Exploit.CVE_2021_40444-9891528-0) to detect and prevent the exploitation of CVE-2021-40444. Cisco Secure Endpoint users can use Orbital Advanced Search to run osquery queries to see if their endpoints are vulnerable to this specific threat. A query (CVE-2021-40444_vulnerability status) has been added for this threat. 

If an adversary were to successfully exploit this vulnerability, they could remotely execute code on the victim machine or gain complete control. The Microsoft advisory also stated that proof-of-concept code for this vulnerability is available in the wild.

Tuesday, September 7, 2021

Vulnerability Spotlight: Heap buffer overflow vulnerability in Ribbonsoft dxflib library

Lilith >_> of Cisco Talos discovered this vulnerability. Blog by Jon Munshaw. 

Cisco Talos recently discovered an exploitable heap-based buffer overflow vulnerability in Ribbonsoft’s dxflib library that could lead to code execution. 

The dxflib library is a C++ library used by digital design software such as QCAD and KiCad to read and write DXF files.