Tuesday, September 21, 2021

TinyTurla - Turla deploys new malware to keep a secret backdoor on victim machines


News summary

  • Cisco Talos recently discovered a new backdoor used by the Russian Turla APT group.
  • We have seen infections in the U.S., Germany and, more recently, in Afghanistan.
  • It is likely used as a stealthy second-chance backdoor to keep access to infected devices.
  • It can be used to download, upload and/or execute files.
  • The backdoor code is quite simple but is efficient enough that it will usually fly under the radar.

What's new?

Cisco Talos found a previously undiscovered backdoor from the Turla APT that we are seeing in the wild. This simple backdoor is likely used as a second-chance backdoor to maintain access to the system, even if the primary malware is removed. It could also be used as a second-stage dropper to infect the system with additional malware.

 

Friday, September 17, 2021

Threat Roundup for September 10 to September 17


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Sept. 10 and Sept. 17. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Talos Takes Ep. #68: The various pivots and pitfalls in a malware investigation

By Jon Munshaw.

The latest episode of Talos Takes is available now. Download this episode and subscribe to Talos Takes using the buttons below, or visit the Talos Takes page.

On this week's episode, Vitor Ventura from our research team walks through his recent work on connecting several malware campaigns leveraging the aviation industry. These attacks commonly use lure documents that pertain to fake flight itineraries, bills and more, and could possibly be targeting airlines themselves.

This is a perfect example of the various pitfalls, pivots and waves that come as part of a malware investigation, so we felt it was a great time to have Vitor on. He discusses what he learned about the threat actor in this case, what threw him off, and what he can learn for the next time he goes to look into a threat actor. 

Thursday, September 16, 2021

Threat Source newsletter (Sept. 16, 2021)

Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers.  

It's a bird, it's a plane, it's a rat!

We've been tracking a series of trojans targeting the aviation industry, and trying to lure victims in by sending them spam related to flight itineraries and other transportation news. In our latest blog post, we discuss how we've followed the actor behind these attacks, and what we can learn about tracking a threat actor in the future.

This week was also Patch Tuesday, so you'll want to update your Microsoft products as soon as possible if you haven't already. Most notably, there's an official update to patch the high-profile MSHTML vulnerability.

Operation Layover: How we tracked an attack on the aviation industry to five years of compromise

By Tiago Pereira and Vitor Ventura.

  • Cisco Talos linked the recent aviation-targeting campaigns to an actor who has been targeting the aviation industry for two years.
  • The same actor has been running successful malware campaigns for more than five years.
  • Although the actor has always used commodity malware, buying crypters to wrap that malware makes the campaigns more effective.
  • This shows that a small operation can run for years under the radar, while still causing serious problems for its targets.


Summary


Cisco Talos and other security researchers have recently reported on a series of malicious campaigns targeting the aviation industry. These reports mainly center around the crypter that hides the usage of commodity malicious remote access tools.

We decided this would be a good starting point to demonstrate how a researcher can pivot from the initial discovery of a RAT and eventually profile a threat actor. This post will show how we discovered previous campaigns targeting the aviation industry, which links back to an actor that's been active for approximately six years.

We believe with a high degree of confidence that the actor is based in Nigeria. The actor does not appear to be technically sophisticated: it has used off-the-shelf malware since the beginning of its activities without developing its own, and it buys the crypters that let that malware run without being detected. Over the years it has used several different crypters, mostly bought on online forums.

We also believe with a high degree of confidence that the actor has been active for at least five years. For the last two, they've been targeting the aviation industry, while conducting other campaigns at the same time. Pivoting from an initial discovery is not an exact science — in this process, a researcher must assert a certain level of confidence in these associations.

In this post, we will show how our research uncovered information about the attackers spreading AsyncRAT and njRAT using specific lure documents centered around the aviation industry. If infected with these threats, organizations could fall victim to data theft, financial fraud or future cyber attacks with much worse consequences.

In the end, our research shows that actors that perform smaller attacks can keep doing them for a long period of time under the radar. However, their activities can lead to major incidents at large organizations. These are the actors that feed the underground market of credentials and cookies, which can then be used by larger groups on activities like "big game hunting."

Tuesday, September 14, 2021

Microsoft Patch Tuesday for Sept. 2021 — Snort rules and prominent vulnerabilities

By Jon Munshaw, with contributions from Holger Unterbrink. 

Microsoft released its monthly security update Tuesday, disclosing 85 vulnerabilities across the company’s firmware and software. This month’s release is headlined by an official patch for the critical remote code execution vulnerability disclosed earlier this month in MSHTML.  

CVE-2021-40444 is being actively exploited in the wild, according to Microsoft, and proof-of-concept code is now publicly available, which widens the pool of attackers able to exploit this vulnerability. This is the first official Microsoft update to address the issue. Talos has additional protection available here.

Users should download this patch immediately. Additionally, they can disable the installation of all ActiveX controls in Internet Explorer to mitigate this attack.

Monday, September 13, 2021

Downtime on Talos Intelligence

TalosIntelligence.com will be down for a short time on Sept. 17 around 10 a.m. ET while we perform some routine maintenance on the site. 

We apologize for any inconvenience this may cause. We expect the interruption will only last for about 30 minutes.  

Vulnerability Spotlight: Code execution vulnerability in Nitro Pro PDF

A Cisco Talos team member discovered these vulnerabilities. Blog by Jon Munshaw. 

Cisco Talos recently discovered a vulnerability in the Nitro Pro PDF reader that could allow an attacker to execute code in the context of the application. 

Nitro Pro PDF is part of Nitro Software’s Productivity Suite. Pro PDF allows users to create and modify PDFs and other digital documents. It relies on several third-party libraries to parse PDFs.  

TALOS-2021-1267 (CVE-2021-21798) is a use-after-free vulnerability that can be triggered if a target opens a specially crafted, malicious PDF. 

Friday, September 10, 2021

Threat Roundup for September 3 to September 10


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Sept. 3 and Sept. 10. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Talos Takes Ep. #67: What a leaked playbook tells us about the Conti ransomware group

By Jon Munshaw.

The latest episode of Talos Takes is available now. Download this episode and subscribe to Talos Takes using the buttons below, or visit the Talos Takes page.

There's a lot to take apart in the recently leaked Conti ransomware playbook. After a disgruntled member of the ransomware-as-a-service group leaked it in August, people immediately started combing through it to gain insight into this threat actor. 

But few people spent more time with it than David Liebenberg and Azim Khodjibaev, who were part of a Cisco Talos team that translated the entire paper, by hand, to English. Azim and Dave join Talos Takes this week to discuss what they learned from the project, and how attackers' human sides are starting to show.

Thursday, September 9, 2021

Threat Source newsletter (Sept. 9, 2021)

Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers.  

The biggest security news this week is no doubt another Microsoft zero-day. On the heels of PrintNightmare and multiple Exchange Server vulnerabilities comes a code execution vulnerability in MSHTML, the rendering engine in Internet Explorer. 

We have new Snort rules out today that protect users against the exploitation of this vulnerability, which could allow an attacker to take complete control of a victim machine.

Talos releases protection against zero-day vulnerability (CVE-2021-40444) in Microsoft MSHTML

Cisco Talos released new SNORT® rules Thursday to protect against the exploitation of a zero-day vulnerability in Microsoft MSHTML that the company warns is being actively exploited in the wild. 

Users are encouraged to deploy SIDs 58120 – 58129, Snort 3 SID 300049 and ClamAV signature ID: 9891528 (Doc.Exploit.CVE_2021_40444-9891528-0) to detect and prevent the exploitation of CVE-2021-40444. Cisco Secure Endpoint users can use Orbital Advanced Search to run complex OSqueries to see if their endpoints are vulnerable to this specific threat. An OSquery (CVE-2021-40444_vulnerability status) has been added for this threat. 

If an adversary were to successfully exploit this vulnerability, they could remotely execute code on the victim machine or gain complete control. The Microsoft advisory also stated that proof-of-concept code for this vulnerability is available in the wild.

Tuesday, September 7, 2021

Vulnerability Spotlight: Heap buffer overflow vulnerability in Ribbonsoft dxflib library

Lilith >_> of Cisco Talos discovered this vulnerability. Blog by Jon Munshaw. 

Cisco Talos recently discovered an exploitable heap-based buffer overflow vulnerability in Ribbonsoft’s dxflib library that could lead to code execution. 

The dxflib library is a C++ library utilized by digital design software such as QCAD and KiCad to parse DXF files for reading and writing. 

Friday, September 3, 2021

Threat Roundup for August 27 to September 3


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Aug. 27 and Sept. 3. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Talos Takes Ep. #66: Dude, where's my bandwidth?

By Jon Munshaw.

The latest episode of Talos Takes is available now. Download this episode and subscribe to Talos Takes using the buttons below, or visit the Talos Takes page.

“Proxyware” sounds like a complicated topic that you’re too afraid to ask about. But really, it’s just software that allows users to sell off a portion of their internet bandwidth for a small profit. Problem is, attackers are swooping in on this popular software to spread malware and steal users’ money. 

Edmund Brumaghin joins the show this week to discuss his recent research into proxyware applications and how malware is hiding in plain sight. Edmund discusses why these types of apps are potentially unwanted applications, and what the threat is for enterprise users with remote workers, as well as personal PC users.

Thursday, September 2, 2021

Beers with Talos, Ep. #109: We have not secured our society — Or, working out a conference talk in realtime

Beers with Talos (BWT) Podcast episode No. 109 is now available. Download this episode and subscribe to Beers with Talos:

If iTunes and Google Play aren't your thing, click here.

Most of the Beers with Talos guys got a chance to take a summer vacation after the last episode, so they're rejuvenated and equally unprepared for this recording. 

We recorded this before BlackHat, so you'll get a live look into Matt's preparation for the talk he co-hosted with Wendy Nather as the hosts discuss cyber warfare. How far is too far? Have we done enough as a society to secure ourselves? And is this just going to be an existential dread we live with forever?

Find out inside!

Threat Source newsletter (Sept. 2, 2021)

Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers.  

If you haven't seen already, our blog has a lot of cool and new stuff this week.

We first dove into the world of proxyware on Tuesday (aka internet-sharing applications). Attackers are hiding in this newly popular software to steal users' bandwidth and money, while spreading malware along the way. This is a perfect case to show how willing users are to trade away some of their privacy and security for literally a few cents a day.

In another first, we got our hands on the leaked Conti ransomware playbook and translated it to English. Read our blog post and the full translation for some awesome insight into how this ransomware-as-a-service group operates.

Translated: Talos' insights from the recently leaked Conti ransomware playbook

By Caitlin Huey, David Liebenberg, Azim Khodjibaev, and Dmytro Korzhevin.

Executive summary


Cisco Talos recently became aware of a leaked playbook that has been attributed to the ransomware-as-a-service (RaaS) group Conti. Talos has a team of dedicated, native-level speakers that translated these documents in their entirety into English. We also translated a Cobalt Strike manual that the authors referenced while creating their playbook.

These documents, written mostly in Cyrillic, were allegedly released by an affiliate upset with Conti. We believe that this translation is an extremely important contribution to the community, as machine-translated efforts have missed some interesting insights and led to some garbled passages.

Notably, the LockBit operator we interviewed warned us that something like this would take place. They stated that in a ransomware cartel, "Someone will sell them out from the inside," which is allegedly what took place in this case. The LockBit operator also told us that ransomware actors use various channels on the messaging app Telegram to stay on top of the latest exploits and attack trends. A look into a list of Telegram channels deemed interesting by the playbook authors shows numerous channels that were potentially leveraged for this exact use.

Talos' main takeaway from this playbook is that operators of all skill levels are involved with Conti. Adversaries who are very new to the malware scene could follow this playbook to compromise a major enterprise network with relatively little experience. At the end of this post, we've attached a full English translation of the documents.

Tuesday, August 31, 2021

Attracting flies with Honey(gain): Adversarial abuse of proxyware

By Edmund Brumaghin and Vitor Ventura.

  • With internet-sharing applications, or "proxyware," users download software that allows them to share a percentage of their bandwidth with other internet users for a fee, with the companies that created this software acting as a go-between.
  • As proxyware has grown in popularity, attackers have taken notice and are now attempting to exploit this interest to monetize their malware campaigns.
  • Malware is currently leveraging these platforms to monetize the internet bandwidth of victims, similar to how malicious cryptocurrency mining attempts to monetize the CPU cycles of infected systems.
  • In many cases, these applications are featured in multi-stage, multi-payload malware attacks that provide adversaries with multiple monetization methods.
  • Trojanized installers are some of the most common threats taking advantage of public interest in proxyware to infect victims.
  • These applications pose significant privacy and operational risks to organizations: they can make nefarious or abusive network traffic appear to originate from the corporate network, causing reputational damage that may also lead to service disruption.

Friday, August 27, 2021

Threat Roundup for August 20 to August 27


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Aug. 20 and Aug. 27. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Thursday, August 26, 2021

Talos Takes Ep. #65: How several RAT campaigns in Latin America are connected

By Jon Munshaw.

The latest episode of Talos Takes is available now. Download this episode and subscribe to Talos Takes using the buttons below, or visit the Talos Takes page.

As more people around the world start to get vaccinated against COVID-19, travel is becoming easier, especially during these summer months. But as much as you may be excited to travel, so are threat actors. Asheer Malhotra was part of a team that looked into a series of campaigns targeting users in Latin America, specifically using social engineering tactics centered around travel. Some of the lure documents, in this case, include fake travel itineraries, coupons for flights and hotel reservation confirmations. Asheer joins the show this week to discuss the throughline between all these attacks and their potential connections to the Aggah crimeware group.

Threat Source newsletter (Aug. 26, 2021)

Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers.  

We have RATs on RATs on RATs over the past few weeks. And last week, we found a few more heading to Latin America to target users and try to steal their login credentials.

The threat actor in this case has some compelling connections to the Aggah threat group we've written about in the past, but there doesn't appear to be any definitive link.

Friday, August 20, 2021

Threat Roundup for August 13 to August 20


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Aug. 13 and Aug. 20. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Thursday, August 19, 2021

Threat Source newsletter (Aug. 19, 2021)

Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers.  

I'm writing this on Tuesday morning on account of vacation (again), so apologies if we miss any major stories. 

You certainly don't want to miss our latest blog post on the Neurevt remote access trojan that's targeting users in Mexico. This malware is mainly designed to steal login credentials to banking websites, and we don't really need to tell you why that would be bad.

Malicious Campaign Targets Latin America: The seller, The operator and a curious link

By Asheer Malhotra and Vitor Ventura, with contributions from Vanja Svajcer.

  • Cisco Talos has observed a new malware campaign delivering commodity RATs, including njRAT and AsyncRAT.
  • The campaign targets travel and hospitality organizations in Latin America.
  • Techniques utilized in this campaign bear a resemblance to those of the Aggah group but are operated by a distinct threat actor based out of Brazil.
  • We've also discovered a builder/crypter known as "Crypter 3losh rat" used to generate various stages of the highly modularized infection chain used by the campaign operators.
  • We've also seen instances where the crypter author has operated their own malicious campaigns abusing archive[.]org.


What's new?


Cisco Talos recently observed a new set of campaigns targeting Latin American countries. These campaigns use a multitude of infection components to deliver two widely used commodity remote access trojans (RATs): njRAT and AsyncRAT.

We also discovered a .NET-based infection chain builder/crypter binary used to generate the malicious infection artifacts used in recent campaigns, including the ones targeting Latin America. Such builders indicate the author's intent to bundle malware generation functionalities for easy distribution and use by operators, customers and affiliates.

We've also observed some resemblance to the tactics and techniques used by a known crimeware actor "Aggah," especially the final payload delivery stages. Aggah has traditionally utilized highly modular infection chains with a focus on hosting malicious payloads on public repositories such as Pastebin, Web Archive and Blogger.


How did it work?


The campaigns targeting Latin American countries consist of macro-enabled Office documents that act as the entry points into the infection. What follows is a modular chain of PowerShell and VB scripts, all working towards disabling anti-virus protection features such as AMSI and eventually delivering the RAT payloads.

We've also observed some Aggah campaigns using similar infection chains including scripts and similar commodity malware. However, unlike Aggah, the operators working the Latin American campaigns tend to use either compromised or attacker-controlled websites to host their components and payloads instead of using public hosting services such as Blogger, Pastebin and Web Archive.

The infection chains used in these campaigns are built using a .NET-based crypter called "3losh crypter rat" [SIC]. This crypter has been actively advertised on social media by the authors and used to generate infection chains for campaigns operated by the crypter's authors themselves.
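The chain described above (macro-enabled document, then PowerShell and VB stages that tamper with AMSI before the RAT lands) leaves traces in PowerShell script block logging. The detection logic below is an added example written for this page, not code from the Talos post: it scans constructed records shaped like Windows Event ID 4104 (Microsoft-Windows-PowerShell/Operational) with the ScriptBlockText already extracted, normalizes cheap obfuscation (backtick escapes, string concatenation, -EncodedCommand payloads), and flags the AMSI-tampering and Defender-disabling patterns such stages rely on. The field names, the sample records and the pattern list are assumptions for illustration, not Talos' detection content.

```python
"""Hunt PowerShell script block logs for AMSI tampering and AV-disabling commands.

Added example; not code from the Talos post. Records mimic Windows Event ID 4104
(Microsoft-Windows-PowerShell/Operational) with ScriptBlockText already extracted;
the field names and the sample records are constructed for this illustration.
"""
import base64
import re
from dataclasses import dataclass
from typing import Dict, List

# Illustrative indicator set (an assumption, not Talos' detection content). Each
# pattern targets a concrete tampering step rather than the bare word "AMSI".
TAMPER_PATTERNS: Dict[str, "re.Pattern"] = {
    "amsiutils_reflection": re.compile(r"system\.management\.automation\.amsiutils", re.I),
    "amsiinitfailed_flip": re.compile(r"amsiinitfailed", re.I),
    "amsicontext_field": re.compile(r"amsicontext", re.I),
    "amsiscanbuffer_patch": re.compile(r"amsiscanbuffer", re.I),
    "amsi_dll_reference": re.compile(r"\bamsi\.dll\b", re.I),
    "reflection_nonpublic": re.compile(r"getfield\([^)]*nonpublic", re.I),
    "defender_preference_tamper": re.compile(r"set-mppreference\s+-disable", re.I),
}

# powershell -e / -ec / -enc / -EncodedCommand <base64 of a UTF-16LE script>
ENCODED_CMD_RX = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)


def normalize(script: str) -> str:
    """Strip cheap obfuscation so the patterns see the intended string.

    Removes backtick escapes (am`si), joins concatenated literals ('Am'+'si'),
    and appends the decoded text of any -EncodedCommand payload in the line.
    """
    text = script.replace("`", "")
    # 'Am' + 'si' -> 'Amsi'  (same quote character on both sides of the +)
    text = re.sub(r"""(['"])\s*\+\s*\1""", "", text)
    decoded: List[str] = []
    for match in ENCODED_CMD_RX.finditer(text):
        try:
            raw = base64.b64decode(match.group(1), validate=True)
        except ValueError:
            continue  # not actually base64; the raw text is still matched
        decoded.append(raw.decode("utf-16-le", errors="ignore"))
    return "\n".join([text, *decoded])


@dataclass
class Hit:
    record_id: str
    computer: str
    techniques: List[str]


def scan_events(events: List[Dict[str, str]]) -> List[Hit]:
    """Return one Hit per record whose normalized ScriptBlockText matches a pattern."""
    hits: List[Hit] = []
    for event in events:
        text = normalize(event["ScriptBlockText"])
        matched = sorted(name for name, rx in TAMPER_PATTERNS.items() if rx.search(text))
        if matched:
            hits.append(Hit(event["RecordId"], event["Computer"], matched))
    return hits


# --- constructed sample records (not real telemetry) -----------------------
CLASSIC_BYPASS = (
    "[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils')"
    ".GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)"
)
OBFUSCATED_BYPASS = (
    "[Ref].Assembly.GetType('System.Management.Automation.Am'+'siUt'+'ils')"
    ".GetField('am`siInit`Failed','NonPublic,Static').SetValue($null,$true)"
)
ENCODED_BYPASS = "powershell.exe -nop -w hidden -enc " + base64.b64encode(
    CLASSIC_BYPASS.encode("utf-16-le")).decode("ascii")

SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"RecordId": "1", "Computer": "WS01", "ScriptBlockText": "Get-ChildItem C:\\Users -Recurse | Where-Object Length -gt 1MB"},
    {"RecordId": "2", "Computer": "WS02", "ScriptBlockText": CLASSIC_BYPASS},
    {"RecordId": "3", "Computer": "WS03", "ScriptBlockText": OBFUSCATED_BYPASS},
    {"RecordId": "4", "Computer": "WS04", "ScriptBlockText": ENCODED_BYPASS},
    {"RecordId": "5", "Computer": "WS05", "ScriptBlockText": "Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"RecordId": "6", "Computer": "WS06", "ScriptBlockText": "Write-Output 'AMSI status check complete'"},
]

if __name__ == "__main__":
    for hit in scan_events(SAMPLE_EVENTS):
        print(f"{hit.computer} record {hit.record_id}: {', '.join(hit.techniques)}")
```

The normalization step is the point: crypter-generated stages routinely split the type and field names or push the whole stage through -EncodedCommand, so a plain substring match on "AmsiUtils" catches record 2 but misses records 3 and 4. Records 1 and 6 show why the patterns target specific tampering steps rather than the word "AMSI", which appears legitimately in administrative scripts.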


So what?


It is important for defenders to identify distinct adversaries and their tactics. The usage of crypters makes it difficult to do so since completely disjointed actors can now generate identical infection chains for unrelated campaigns. Our research uncovers one such scenario where there are three distinct campaigns identified using the 3losh crypter: the Latin American campaigns, the Aggah campaigns and those operated by the crypter authors.

All these campaigns, however, aim to distribute commodity RAT families. Commodity malware families are increasingly being used by both crimeware and APT groups to infect their targets. RATs in particular are extremely popular since they provide a wide range of functionalities to their operators to take advantage of the infected systems. These functionalities can be used for malicious activities such as:

  • Performing preliminary reconnaissance to scope out victim networks and infrastructure.
  • Deploying more malware such as ransomware and wipers to disrupt enterprise operations.
  • Executing arbitrary commands.
  • Exfiltrating confidential and proprietary information from enterprises.
  • Stealing credentials, opening up more systems and services to unauthorized access.


Tuesday, August 17, 2021

Neurevt trojan takes aim at Mexican users

By Chetan Raghuprasad, with contributions from Vanja Svajcer.

What's new?

Although Neurevt has been around for a while, recent samples in Cisco Secure Endpoint show that the actors combined this trojan with backdoors and information stealers. This trojan appears to target Mexican organizations. Talos is tracking these campaigns; the associated droppers embed URLs belonging to many major banks in Mexico.

Friday, August 13, 2021

Vulnerability Spotlight: Memory corruption vulnerability in Daemon Tools Pro

Piotr Bania of Cisco Talos discovered this vulnerability. Blog by Jon Munshaw. 

Cisco Talos recently discovered a memory corruption vulnerability in Disc Soft Ltd.'s Daemon Tools Pro. 

Daemon Tools Pro is professional disc-emulation software that works with disc images and virtual drives. It allows the user to mount ISO images on Windows systems.

TALOS-2021-1295 (CVE-2021-21832) can cause memory corruption in the application if the user opens an adversary-created ISO file that causes an integer overflow. This vulnerability exists in the way the application parses ISOs.

Threat Roundup for August 6 to August 13


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Aug. 6 and Aug. 13. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Vulnerability Spotlight: Multiple integer overflow vulnerabilities in GPAC Project on Advanced Content

A Cisco Talos team member discovered these vulnerabilities. Blog by Jon Munshaw. 

Cisco Talos recently discovered multiple integer overflow vulnerabilities in the GPAC Project on Advanced Content that could lead to memory corruption.

The GPAC Project on Advanced Content is an open-source cross-platform library that implements the MPEG-4 system standard and provides tools for media playback, vector graphics, and 3-D rendering. The project comes with the MP4Box tool, which allows the user to encode or decode media containers in multiple supported formats.

TALOS-2021-1297 (CVE-2021-21834 - CVE-2021-21852), TALOS-2021-1298 (CVE-2021-21859 - CVE-2021-21862) and TALOS-2021-1299 (CVE-2021-21853 - CVE-2021-21858) could all allow an adversary to corrupt the memory of the application. An adversary could exploit these vulnerabilities by sending the target a specially crafted MPEG-4 input. This could cause an integer overflow due to unchecked addition arithmetic, eventually resulting in a heap-based buffer overflow that causes memory corruption.

Talos Takes Ep. #64: Back 2 Skool edition

By Jon Munshaw.

The latest episode of Talos Takes is available now. Download this episode and subscribe to Talos Takes using the buttons below, or visit the Talos Takes page.

There's no shortage of complications leading into this new school year. Students, parents, teachers and admins alike are adapting to the "new normal," and each county and state seem to have their own set of restrictions, challenges and plans to address those challenges.

This can be a cybersecurity nightmare for everyone involved. We hope we can provide a bit of help heading into the start of the new school year with this week's Talos Takes episode, where we talk about students bringing computers to and from school, the dangers of hybrid learning and the best steps for education networks' admins. 

We also address Talos' research into online homework scams and associated, follow-on malware. For more on that, check out our original post here and Forbes' recent article on our work here.

Thursday, August 12, 2021

Vice Society leverages PrintNightmare in ransomware attacks

By Edmund Brumaghin, Joe Marshall, and Arnaud Zobec.

Executive Summary


Another threat actor is actively exploiting the so-called PrintNightmare vulnerability (CVE-2021-1675 / CVE-2021-34527) in Windows' print spooler service to spread laterally across a victim's network as part of a recent ransomware attack, according to Cisco Talos Incident Response research. While previous research found that other threat actors had been exploiting this vulnerability, this appears to be new for the threat actor Vice Society.

Talos Incident Response's research demonstrates that multiple, distinct threat actors view this vulnerability as attractive to use during their attacks, which may indicate that it will see more widespread adoption by various adversaries moving forward. For defenders, it is important to understand the attack lifecycle leading up to the deployment of ransomware. If users have not already, they should download the latest patch for PrintNightmare from Microsoft.

In this post, we'll analyze the various TTPs used in a recent ransomware attack from Vice Society that leveraged this vulnerability. Many of these same TTPs are commonly observed in other ransomware attacks, such as a previously published analysis of a WastedLocker attack.

Threat Source newsletter (Aug. 12, 2021)

 

Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers.  

No, that's not Ratatouille. It's ServHelper, which is much more dangerous (albeit just as cute) than the cartoon chef. We have a new blog post out today detailing this RAT, run by the threat actor TA505, that is stealing credit card data and other sensitive information. We've been tracking this actor for a while now, and recently saw a huge spike in their activity. Find out what this means for your organization in our blog post and accompanying one-page overview.

Obviously, there are plenty more scary things to worry about on the threat landscape. And for that, there's the Talos Incident Response Quarterly Threat Report, where we run down the top TTPs, malware families and actors our incident responders are seeing in the wild.

As if all of that wasn't scary enough, you also need to make sure to update your Microsoft products as soon as possible after Patch Tuesday. Microsoft disclosed 44 vulnerabilities as part of its monthly security updates, two of which have a 9.8 severity score out of a possible 10.