Friday, May 7, 2021

Lemon Duck spreads its wings: Actors target Microsoft Exchange servers, incorporate new TTPs

By Caitlin Huey and Andrew Windsor with contributions from Edmund Brumaghin.

  • Lemon Duck continues to refine and improve upon their tactics, techniques and procedures as they attempt to maximize the effectiveness of their campaigns.
  • Lemon Duck remains relevant as the operators begin to target Microsoft Exchange servers, exploiting high-profile security vulnerabilities to drop web shells and carry out malicious activities.
  • Lemon Duck continues to incorporate new tools, such as Cobalt Strike, into their malware toolkit.
  • Additional obfuscation techniques are now being used to make the infrastructure associated with these campaigns more difficult to identify and analyze.
  • The use of fake domains on East Asian top-level domains (TLDs) masks connections to the actual command and control (C2) infrastructure used in these campaigns.

Executive summary

Since April 2021, Cisco Talos has observed updated infrastructure and new components associated with the Lemon Duck cryptocurrency mining botnet that target unpatched Microsoft Exchange Servers and attempt to download and execute payloads for Cobalt Strike DNS beacons. This activity reflects updated tactics, techniques, and procedures (TTPs) associated with this threat actor. After several zero-day Microsoft Exchange Server vulnerabilities were made public on March 2, Cisco Talos and several other security researchers began observing various threat actors, including Lemon Duck, leveraging these vulnerabilities for initial exploitation before security patches were made available. Microsoft released a report on March 25 highlighting Lemon Duck's targeting of Exchange Servers to install cryptocurrency-mining malware and a malware loader that was used to deliver secondary malware payloads, such as information stealers. We also discovered that Lemon Duck actors have been generating fake domains on East Asian top-level domains (TLDs) to mask connections to their legitimate C2 domain since at least February 2020, highlighting another attempt to make their operations more effective. Below, we'll outline changes to the TTPs used by Lemon Duck across recent campaigns as they relate to various stages of these attacks.


Talos Takes Ep. #52: Celebrating World Password Day by talking about getting rid of passwords

By Jon Munshaw.

The latest episode of Talos Takes is available now. Download this episode and subscribe to Talos Takes using the buttons below, or visit the Talos Takes page.

The internet celebrated World Password Day on Thursday. To celebrate, we had Dave Lewis on the latest episode of Talos Takes to discuss getting rid of passwords altogether. Lewis, who is a global advisory CISO for Cisco Secure, discusses Cisco and Duo's latest push for everyone to go passwordless.

Find out the benefits of going passwordless, the dangers of keeping passwords around and the specific security details that go into things like multi-factor authentication and biometrics.

Threat Roundup for April 30 to May 7

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between April 30 and May 7. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Thursday, May 6, 2021

Threat Source Newsletter (May 6, 2021)

Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers.

COVID-19 has changed everything about our lives — no surprise there. So it also shouldn't be shocking that it's changing the way Americans view Tax Day this year.

The deadline to file taxes is about a month later than usual and is now only 11 days away. Attackers have jumped on this opportunity to create new malware campaigns centered around taxes and COVID-19. You don't want to miss the latest Talos Takes episode where we talk about scams around supposed rewards for receiving your COVID vaccine, promises of better tax returns, and everything else you could think of with "taxes" in the subject line of a spam email.

Vulnerability Spotlight: Use-after-free vulnerability in Foxit PDF Reader

Aleksandar Nikolic of Cisco Talos discovered this vulnerability. Blog by Jon Munshaw.

Cisco Talos recently discovered a use-after-free vulnerability in the Foxit PDF Reader.

Foxit PDF Reader is one of the most popular PDF document readers currently available. As a complete and feature-rich PDF reader, it supports JavaScript for interactive documents and dynamic forms.

TALOS-2021-1287 (CVE-2020-28588) is a use-after-free vulnerability that exists in the PDF Reader that could lead to an adversary gaining the ability to execute arbitrary code on the victim machine. An attacker needs to trick a user into opening a specially crafted, malicious PDF to exploit this vulnerability.

Friday, April 30, 2021

Threat Roundup for April 23 to April 30

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between April 23 and April 30. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Talos Takes Ep. #51: COVID and Tax Day have perfectly aligned for spammers

By Jon Munshaw.

The latest episode of Talos Takes is available now. Download this episode and subscribe to Talos Takes using the buttons below, or visit the Talos Takes page.

We see tax scams every year — people offering to do your taxes for you, finding a larger return, etc.

But this year is a little different from the COVID-19 pandemic. Like everything else in our lives that COVID’s changed, tax day is later this year — May 17 rather than the usual April 15. And that’s led to a whole new layer of scam campaigns.

Thursday, April 29, 2021

Threat Source Newsletter (April 29, 2021)

Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers.

Ransomware is not just financial extortion. It is crime that transcends business, academic and geographic boundaries. Talos was proud to assist with a newly released report from the international Ransomware Task Force that provides a path forward to mitigate this criminal enterprise. This was a large undertaking by Talos researchers and our cybersecurity partners from across the globe that everyone should read.

And if you're in the mood to watch rather than read, we uploaded a recording of a LinkedIn Live video from earlier this week to our YouTube page. Martin Lee from Talos Outreach joined security blogger Graham Cluley to discuss cybersecurity threats during our current (and likely permanent) work from home situation.

Tuesday, April 27, 2021

Vulnerability Spotlight: Information disclosure vulnerability in the Linux Kernel

Lilith >_> and Claudio Bozzato of Cisco Talos discovered this vulnerability. Blog by Jon Munshaw.

Cisco Talos recently discovered an information disclosure vulnerability in the Linux Kernel.

The Linux Kernel is the free and open-source core of Unix-like operating systems. This vulnerability specifically exists in the /proc/pid/syscall functionality of 32-bit ARM devices running Linux.

TALOS-2020-1211 (CVE-2020-28588) is an information disclosure vulnerability that could allow an attacker to view Kernel stack memory. We first discovered this issue on an Azure Sphere device (version 20.10), a 32-bit ARM device that runs a patched Linux kernel.

Friday, April 23, 2021

Threat Roundup for April 16 to April 23

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between April 16 and April 23. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.