Tuesday, June 15, 2021

What’s past is prologue – A new world of critical infrastructure security



By Caitlin Huey, Joe Marshall and Thomas Pope.

Attackers have targeted American critical infrastructure several times over the past few years, putting at risk U.S. electrical grids, oil pipelines and water supply systems. However, we collectively have not responded in a meaningful way to these attacks. This inaction has now led to a failure to protect our oil and natural gas (ONG) infrastructure, resulting in some fuel shortages in wide swaths of the U.S. earlier this year. This, in turn, has prompted federal executive action emphasizing protecting critical ONG infrastructure and responding to ransomware attacks in this space. ONG companies must take heed – proactive and holistic security can protect their enterprises and critical infrastructure.

Friday, June 11, 2021

Threat Roundup for June 4 to June 11


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between June 4 and June 11. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Talos Takes Ep. #56: The first security steps you should take when you return to the office

By Jon Munshaw.

The latest episode of Talos Takes is available now. Download this episode and subscribe to Talos Takes using the buttons below, or visit the Talos Takes page.

We started out the COVID-19 pandemic by thinking we'd be away from the office for a month — maybe two. More than 12 months later, we're still here, working from home (at least part-time).

But some businesses are starting to reopen now and welcoming workers back into the office. After so much time working out of the office, what should security professionals do once they get back? In this week's episode, Beers with Talos' own Craig Williams joins the show to talk about triple-checking for patches, changing passwords and more. Plus, how should you handle the new hybrid worker?

Thursday, June 10, 2021

Threat Source newsletter (June 10, 2021)

Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers.  

We seriously can't escape from ransomware. It's in the headlines constantly and has now drawn the full attention of the federal government. But we at Talos recognize that is going to take far more than just words to address this global threat. In this opinion piece we published this week along with the Cyber Threat Alliance, we outlined some steps we feel the government and private sector need to take to ensure physical life and property, critical infrastructure and the economy are all protected from ransomware. 

While you're on our blog, you should also head over to the new Cisco Talos Incident Response web page. We have updated CTIR's list of offerings and gave it a few visual overhauls that we think you'll love.

Back in the security space, we also had Microsoft Patch Tuesday this week. The company disclosed several vulnerabilities that they've seen actively exploited in the wild, so you should patch all of your Microsoft products if you haven't already.

Quarterly Report: Incident Response trends from Spring 2021



By David Liebenberg and Caitlin Huey

While the security community made a great effort to warn users of the exploitation of several Microsoft Exchange Server zero-day vulnerabilities, it was still the biggest threat Cisco Talos Incident Response (CTIR) saw this past quarter. These vulnerabilities, tracked as CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065, comprised around 35 percent of all incidents investigated.   

This shows that when a vulnerability is recently disclosed, severe, and widespread, CTIR will often see a corresponding rise in engagements in which the vulnerabilities in question are involved. Thankfully, the majority of these incidents involved scanning and not post-compromise behavior, such as file encryption or evidence of exfiltration.  

While CTIR’s focus was largely on the Microsoft Exchange Server vulnerabilities this quarter, ransomware continued to be a persistent and growing problem. This quarter featured several ransomware families that we have not previously encountered in CTIR engagements, including MountLocker, Zeppelin and Avaddon. These families fit the ransomware-as-a-service (RaaS) model and are typically deployed with Cobalt Strike and are delivered by an initial commodity trojan loader. These ransomware families also engage in double extortion, threatening to publish victim data if the ransom demand is not met. 

Tuesday, June 8, 2021

Vulnerability Spotlight: Code execution vulnerability in Google Web Audio API



Piotr Bania of Cisco Talos discovered these vulnerabilities. Blog by Jon Munshaw.

Cisco Talos recently discovered two use-after-free vulnerabilities in Google’s Web Audio API that an adversary could exploit to execute remote code on the victim machine. Web Audio API is a high-level JavaScript API for processing and synthesizing audio in web applications. These vulnerabilities specifically exist in the Google Chrome web browser’s instance of this API.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Google to ensure that these issues are resolved and an update is available for affected customers.

Microsoft Patch Tuesday for June 2021 — Snort rules and prominent vulnerabilities



By Jon Munshaw, with contributions from Edmund Brumaghin. 

Microsoft released its monthly security update Tuesday, disclosing 51 vulnerabilities across its suite of products, fewer than last month's 55, which had been the company's lowest monthly total since January 2020. 

There are only four critical vulnerabilities patched in this month, while all the other ones are considered “important.” However, there are several vulnerabilities that Microsoft states are being actively exploited in the wild. 

This month’s security update provides updates for several pieces of software and Windows functions, including SharePoint Server, the Windows kernel and Outlook. For a full rundown of these CVEs, head to Microsoft’s security update page.

Monday, June 7, 2021

Intelligence-driven disruption of ransomware campaigns

By Neil Jenkins and Matthew Olney.

Note: Our guest co-author, Neil Jenkins, is the Chief Analytic Officer at the Cyber Threat Alliance. He leads the CTA's analytic efforts, focusing on the development of threat profiles, adversary playbooks and other analysis using the threat intelligence in the CTA Platform. Previously, he served in various roles within the Department of Homeland Security, Department of Defense, and Center for Naval Analyses, where he spearheaded numerous initiatives tied to cybersecurity strategy, policy and operational planning for both the public and private sectors.

As the headlines show, ransomware has become a threat to national security, life safety and critical infrastructure. As a result, the U.S. Department of Justice recently announced it would be giving ransomware attacks priority similar to that of terrorism. None of this is a surprise to the more than 60 experts who came together this year under the umbrella of the Ransomware Task Force (RTF), an effort to produce a comprehensive set of recommendations to international governments and private-sector partners on how to address this threat. In fact, the report — issued just days before the Colonial Pipeline attack — begins by saying, "Ransomware attacks present an urgent national security risk around the world."

As contributors to the report, we'd like to drill into the second priority recommendation issued by the group, calling for "...a sustained, aggressive, whole of government, intelligence-driven anti-ransomware campaign…" To a large extent, we have left the private sector to deal with the ransomware threat by themselves, and when an incident has occurred, we have treated it as a law enforcement matter. Both of these approaches have failed. When the actor only needs to find any flaw in any company or organization's defenses, then they will continue to be successful. When the primary threat society puts forth to deter these activities is "you'll go to jail" and the actors are hiding in countries that have shown no interest in cooperating with law enforcement activities for these behaviors, there is no deterrence.

Friday, June 4, 2021

Threat Roundup for May 28 to June 4


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between May 28 and June 4. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Thursday, June 3, 2021

Threat Source newsletter (June 3, 2021)



Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers.  

If you didn't catch us live yesterday, we've uploaded the full version of our stream on Discord and Slack malware to our YouTube page. Chris Neal from Talos Outreach walked through his recent research into these campaigns targeting collaboration apps. Find out what Chris and his team discovered on these apps that have become crucial to work and communication in 2021.

Necro Python bot adds new exploits and Tezos mining to its bag of tricks


By Vanja Svajcer, with contributions from Caitlin Huey and Kendall McKay.

News summary

  • Some malware families stay static in terms of their functionality. But a newly discovered malware campaign utilizing the Necro Python bot shows this actor is adding new functionality and improving its chances of infecting vulnerable systems. The bot contains exploits for more than 10 different web applications and the SMB protocol.
  • Cisco Talos recently observed increased activity from the bot, first discovered in January 2021, in Cisco Secure Endpoint product telemetry, although the bot has been in development since 2015, according to its author.
  • This threat demonstrates several techniques of the MITRE ATT&CK framework, most notably Exploit Public-Facing Application T1190, Scripting - T1064, PowerShell - T1059.001, Process Injection - T1055, Non-Standard Port - T1571, Remote Access Software - T1219, Input Capture - T1056, Obfuscated Files or Information - T1027 and Registry Run Keys/Startup Folder - T1547.001.


What's new?

Although the bot was originally discovered earlier this year, the latest activity shows numerous changes to the bot, ranging from different command and control (C2) communications to the addition of new exploits for spreading, most notably vulnerabilities in VMware vSphere, SCO OpenServer, Vesta Control Panel and SMB-based exploits that were not present in the earlier iterations of the code.


How did it work?

The infection starts with successful exploitation of a vulnerability in one of the targeted applications or the operating systems. The bot targets Linux-based and Windows operating systems. A Java-based downloader is also used for the initial infection stage. The malware uses a combination of a standalone Python interpreter and a malicious script, as well as ELF executables created with pyinstaller.

The bot can connect to a C2 server using IRC and accepts commands related to exploitation, launching distributed denial-of-service attacks, configuration changes and RAT functionality to download and execute additional code or sniff network traffic to exfiltrate the captured data.

The bot hides its presence on the system by installing a user-mode rootkit designed to hide the malicious process and malicious registry entries created to ensure that the bot runs every time a user logs into the infected system.

A significant part of the code is dedicated to downloading and running a Monero miner XMRig program. The bot also injects the code to download and execute a JavaScript-based miner from an attacker-controlled server into HTML and PHP files on infected systems. If the user opens the infected application, a JavaScript-based Monero miner will run within their browser's process space.
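The HTML/PHP injection described above leaves a footprint defenders can hunt for: a web page that suddenly loads a script from a host the site never used. The following Python is an added example, not Talos code and not part of the Necro bot; it assumes the injected loader shows up as a `<script src=...>` tag pointing at a host outside the site's own domains (an assumption, since the exact form of the injected code is not shown above), and the allowlist of site hosts and the sample page are constructed for illustration.

```python
"""Hunt for externally sourced <script> loaders in a web root.

Added example for illustration; not Talos code and not part of the
Necro bot. Assumes the injected miner loader appears as a <script src=...>
tag pointing at a host outside the site's own domains (an assumption; the
exact form of the injection is not shown on the page).
"""
import os
import re
from urllib.parse import urlparse

# Matches the src attribute of a <script> tag; (?<![\w-]) keeps data-src out.
SCRIPT_SRC_RE = re.compile(
    r"<script\b[^>]*?(?<![\w-])src\s*=\s*['\"]([^'\"]+)['\"]",
    re.IGNORECASE | re.DOTALL,
)


def find_external_scripts(content, allowed_hosts):
    """Return [(host, src)] for script tags loaded from non-allowlisted hosts.

    Relative URLs are served from our own origin and are skipped; a
    protocol-relative "//host/x.js" is treated like an absolute URL.
    """
    allowed = {h.lower() for h in allowed_hosts}
    hits = []
    for src in SCRIPT_SRC_RE.findall(content):
        src = src.strip()
        if src.startswith("//"):
            src = "http:" + src
        host = urlparse(src).hostname
        if host is None:
            continue
        if host.lower() in allowed:
            continue
        hits.append((host.lower(), src))
    return hits


def scan_tree(root, allowed_hosts, exts=(".html", ".htm", ".php")):
    """Walk a web root and map each file path to its external script hits."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    hits = find_external_scripts(fh.read(), allowed_hosts)
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            if hits:
                findings[path] = hits
    return findings


# Constructed sample: a page with a local script, a known CDN, and an
# injected loader on a bare IP (198.51.100.0/24 is a documentation range).
SAMPLE_PAGE = """<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example.com/lib.js"></script>
<script type="text/javascript"
        src="http://198.51.100.23:8080/miner.js"></script>
</head><body>ok</body></html>"""

SITE_HOSTS = {"www.example.com", "cdn.example.com"}  # hypothetical allowlist

if __name__ == "__main__":
    for host, src in find_external_scripts(SAMPLE_PAGE, SITE_HOSTS):
        print(f"suspicious loader from {host}: {src}")
    # Real use: scan_tree("/var/www/html", SITE_HOSTS)
```

Run `scan_tree` against the document root of each web server in scope and review anything it returns; a hit is a lead, not proof of compromise, since legitimate third-party scripts will surface until the allowlist is complete. Pair it with file modification times, since the bot has to write to the file to inject its loader.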

So what?

Necro Python bot shows an actor that follows the latest development in remote command execution exploits on various web applications and includes the new exploits into the bot. This increases its chances of spreading and infecting systems. Users need to make sure to regularly apply the latest security updates to all of the applications, not just operating systems.

Here, we are dealing with a self-replicating, polymorphic bot that attempts to exploit server-side software for spreading. The bot is similar to others, like Mirai, in that it targets small and home office (SOHO) routers. However, this bot uses Python to support multiple platforms, rather than downloading a binary specifically compiled for the targeted system.

Wednesday, June 2, 2021

Vulnerability Spotlight: Use-after-free vulnerability in WebKit

Marcin Towalski of Cisco Talos discovered this vulnerability. Blog by Jon Munshaw.

The WebKit browser engine contains a use-after-free vulnerability in its GraphicsContext function. A malicious web page code could trigger a use-after-free error, which could lead to a potential information leak and memory corruption. An attacker could exploit this vulnerability by tricking the user into visiting a specially crafted, malicious web page to trigger this vulnerability.

In accordance with our coordinated disclosure policy, Cisco Talos worked with WebKit to ensure that this issue is resolved and that an update is available for affected customers.

Vulnerability Spotlight: A deep dive into macOS SMB server



By Aleksandar Nikolich.

Executive summary

Cisco Talos recently discovered multiple vulnerabilities in macOS’s implementation of SMB server. An adversary could exploit these vulnerabilities to carry out a variety of malicious actions, including revealing sensitive information on the server, bypassing certain cryptographic checks, causing a denial of service or executing remote code on the targeted server. Cisco Talos worked with Apple to ensure that these issues are resolved and an update is available for affected customers, all in adherence to Cisco’s vulnerability disclosure policy. Users are encouraged to update to the latest macOS version as soon as possible to patch these vulnerabilities.

Tuesday, June 1, 2021

Vulnerability Spotlight: Multiple vulnerabilities in Accusoft ImageGear



Emmanuel Tacheau of Cisco Talos discovered these vulnerabilities. Blog by Jon Munshaw. 

Cisco Talos recently discovered multiple vulnerabilities in Accusoft ImageGear.

The ImageGear library is a document-imaging developer toolkit that allows users to create, edit, annotate and convert various images. It supports more than 100 file formats, such as DICOM, PDF and Microsoft Office. The vulnerabilities Talos discovered could allow an attacker to carry out various malicious actions, including corrupting memory on the victim machine and executing remote code.

Friday, May 28, 2021

Threat Roundup for May 21 to May 28


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between May 21 and May 28. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Talos Takes Ep. #55: How Transparent Tribe could evolve in the future

By Jon Munshaw.

The latest episode of Talos Takes is available now. Download this episode and subscribe to Talos Takes using the buttons below, or visit the Talos Takes page.

We recently covered how the Transparent Tribe APT added another RAT to its arsenal. Where might they go from here? In this week's episode, Asheer Malhotra from Talos Outreach joins the show to talk about this group's tactics, techniques and procedures and how they use typo-squatted domains to lure in victims.

Thursday, May 27, 2021

Threat Source newsletter (May 27, 2021)

Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers.  

We're used to referring to attackers as either APTs or not APTs. And when something is an APT, it sounds a lot scarier and sexier. But it's our belief that that isn't going to cut it anymore.

Therefore, we propose in a new blog post that there be a new group of threat actors known as "privateers." These groups benefit from a nation-state but can't be directly connected to a government. Find out more about these groups here.

You also don't want to miss this Vulnerability Spotlight post on the Trend Micro Home Network Security Station. These vulnerabilities, which have been patched, could allow an attacker to manipulate this device which manages devices connected to a home network.

Wednesday, May 26, 2021

Elizabethan England has nothing on modern-day Russia

This post was authored by Warren Mercer and Vitor Ventura


The threat landscape is changing. Organizations need to defend against an ever-evolving tranche of threat actors. For a long time, the lines that distinguish state-sponsored and crimeware groups were well-defined. We believe this is no longer the case. In today's landscape, there are groups that, although their modus operandi (MO) is consistent with crimeware groups, act like state-sponsored groups. This poses new challenges to the defending organizations as these groups become more prevalent and dangerous which, depending on the organization's risk profile, may require more attention.

In light of recent events, we believe it's time to recognize that a new category can be defined, one where the ransomware syndicates enjoy some kind of protection from governments, even if not intentionally. Therefore, Talos proposes the term "privateers" to describe actors who benefit either from government decisions to turn a blind eye toward their activities or from more material support, but where the government doesn't necessarily exert direct control over their actions. This in itself does not diminish the responsibility these governments share with these groups by protecting them or simply allowing them to operate by turning a blind eye.

Monday, May 24, 2021

Vulnerability Spotlight: Multiple vulnerabilities in Trend Micro Home Network Security Station



Carl Hurd and Kelly Leuschner of Cisco Talos discovered these vulnerabilities. Blog by Jon Munshaw. 

Cisco Talos recently discovered multiple vulnerabilities in Trend Micro’s Home Network Security Station. 

The Home Network Security Station is a device that monitors and protects home networks from security threats and provides other network management features. The Security Station can scan for vulnerabilities, detect and prevent possible intrusions and allow the user to control access settings for all devices on the network.

Friday, May 21, 2021

Threat Roundup for May 14 to May 21


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between May 14 and May 21. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Talos Takes Ep. #54: Incident response is just as much about the relationships as anything else

By Jon Munshaw.

The latest episode of Talos Takes is available now. Download this episode and subscribe to Talos Takes using the buttons below, or visit the Talos Takes page.

Brad Garnett, Cisco Talos Incident Response's fearless leader, joins the show this week to expound more on his recent blog post regarding IR as a team sport. Brad discusses a recent engagement in which his team prevented a customer from being infected with ransomware (at what would have been the worst possible time). In this particular case, the relationships CTIR built up ahead of time were just as important as the actual technical side of the malware removal.

Thursday, May 20, 2021

Threat Source newsletter (May 20, 2021)

Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers.  

We know a lot of you may be tired of "content" after RSA week. But we have some more for you!

And specifically related to RSA, Cisco Talos Incident Response has new case studies out detailing a few recent engagements they helped resolve. These particular cases show how incident response is a "team sport" with customers and incident responders working hand-in-hand with an inherent level of trust to meet challenges.

For more, you can also watch one of our on-demand presentations at RSA from CTIR.

There's also a new Beers with Talos episode out now. Tune in and see how many of Matt's "hidden phrases" he can fit in 44-ish minutes. 

Vulnerability Spotlight: Heap-based buffer overflow in Google Chrome could lead to code execution



Marcin “Icewall” Noga of Cisco Talos discovered this vulnerability. Blog by Jon Munshaw. 

Cisco Talos recently discovered an exploitable heap-based buffer overflow vulnerability in Google Chrome.  

Google Chrome is a cross-platform web browser — and Chromium is the open-source version of the browser that other software developers use to build their browsers, as well.

Wednesday, May 19, 2021

Vulnerability Spotlight: Information disclosure vulnerability in macOS SMB server



Aleksandar Nikolic of Cisco Talos discovered this vulnerability. Blog by Jon Munshaw. 

Cisco Talos recently discovered an exploitable integer overflow vulnerability in Apple macOS’ SMB server that could lead to information disclosure.  

Server Message Block (SMB) is a network file-sharing protocol commonly seen in Windows network environments, but macOS contains its own proprietary implementation of the server and client components.

Talos is hiring for several positions — Join our world-class security organization

Cisco Talos continues to build an elite threat intelligence and research group, and we are looking for driven, innovative and diverse security enthusiasts to join us. 

We are currently hiring for several positions, including multiple security engineer roles and a senior vulnerability researcher. You can learn more about each of these positions over on our Careers page.

At Talos, we make it our mission to make the internet a safer place and fight the good fight for customers and users alike. If you think you have the expertise to help lead the world in cutting-edge security, apply to one of our open positions.

Tuesday, May 18, 2021

Beers with Talos Ep. #104: Supply chain has Matt hopping mad like a kangaroo
Beers with Talos (BWT) Podcast episode No. 104 is now available. Download this episode and subscribe to Beers with Talos:


By Mitch Neff.

Recorded March 30, 2020.

What better way to discuss supply chain attacks than to have Matt demonstrate how easily you can blend your payload into normal operations via Twitter shenanigans? (see the links) We’re talking about (surprise!) supply chain attacks and how their rise to prevalence is notable, albeit expected. The supply chain gets linked in with privacy concerns as we round out the episode discussing the Signal/Cellebrite situation. Listen to the episode before you read Matt’s tweet (link in the full show notes) and see if you can pick the words that were part of his little reindeer game. Your prize is the achievement of a job well done.

Monday, May 17, 2021

Case Study: Incident Response is a relationship-driven business

Proof that incident response is "the ultimate team sport" 



By Brad Garnett

Introduction 

As a seasoned incident responder, and now IR business leader here at Cisco Talos Incident Response (CTIR), I have always said that incident response is the ultimate team sport. People are building blocks for organizations — and an effective incident response is about people, relationships and leveraging those relationships into the incident response workflow (processes and security instrumentation). This all plays a part in effectively containing and eradicating a determined adversary from the organization’s network environment. 

To highlight this, I want to share a recent CTIR engagement that shows how we can work together with an organization’s IR and IT teams to quickly contain and remediate a threat. In this case, we dealt with an adversary that could critically affect a business by deploying ransomware and virtually completely shutting down their network.

Friday, May 14, 2021

Threat Roundup for May 7 to May 14


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between May 7 and May 14. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Talos Takes Ep. #53: The broader lesson of those air fryer vulnerabilities

By Jon Munshaw.

The latest episode of Talos Takes is available now. Download this episode and subscribe to Talos Takes using the buttons below, or visit the Talos Takes page.

It seemed like everyone on security Twitter had a joke when we disclosed a vulnerability in a WiFi-connected air fryer. The since-patched vulnerability could allow an attacker to change cooking times and temperatures if they had physical access to the device.

And while everyone had their own hot take on the situation, this Talos Takes episode aims to take a step back and look at the broader lesson here: Not everything needs to be connected to the internet.

Joe Marshall from Talos Outreach joins the show to talk smart washers, dryers and cooking appliances and how you can be prepared if you feel like you must have one of those in your home.

Thursday, May 13, 2021

Threat Source Newsletter (May 13, 2021)

  

Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers.  

In case you missed the Friday news drop last week, we have an update on the Lemon Duck cryptocurrency miner. It's not as eye-catching as the ransomware attacks that make the news, but Lemon Duck's exploitation of Microsoft Exchange servers shows that patching is still king, and a cryptocurrency attack shows there's room for additional attacks in the future.

Speaking of patching, it's time to update your Microsoft products if you haven't already. This month's Patch Tuesday included a wormable vulnerability in the HTTP protocol stack that has a severity score of 9.8 out of 10. Of course, it's important to always patch any and all vulnerabilities, but that's the one that most people came out of Tuesday talking about.

Transparent Tribe APT expands its Windows malware arsenal

By Asheer Malhotra, Justin Thattil and Kendall McKay.

Transparent Tribe, also known as APT36 and Mythic Leopard, continues to create fake domains mimicking legitimate military and defense organizations as a core component of their operations. Cisco Talos' previous research has mainly linked this group to CrimsonRAT, but new campaigns show they are expanding their Windows malware arsenal with ObliqueRAT.

While military and defense personnel continue to be the group's primary targets, Transparent Tribe is increasingly targeting diplomatic entities, defense contractors, research organizations and conference attendees, indicating that the group is expanding its targeting.

Our recent research into Transparent Tribe uncovered two types of domains the group uses in their various campaigns: fake domains masquerading as legitimate Indian defense and government-related websites, and malicious domains posing as content-hosting sites. These domains work in conjunction with each other to deliver maldocs distributing CrimsonRAT and ObliqueRAT.

Based on our findings, Transparent Tribe's tactics, techniques, and procedures (TTPs) have remained largely unchanged since 2020, but the group continues to implement new lures into its operational toolkit. The variety of maldoc lures Transparent Tribe employs indicates the group still relies on social engineering as a core component of its operations.


Tuesday, May 11, 2021

Microsoft Patch Tuesday for May 2021 — Snort rules and prominent vulnerabilities



By Jon Munshaw, with contributions from Chris Neal. 

Microsoft released its monthly security update Tuesday, disclosing 55 vulnerabilities across its suite of products, the fewest in any month since January 2020. 

There are only three critical vulnerabilities patched in this month, while two are of “moderate” severity and the rest are “important.” All three critical vulnerabilities, however, are considered "more likely” to be exploited, according to Microsoft. 

This month’s security update provides patches for several major pieces of software, including Microsoft Office, SharePoint and Windows’ wireless networking. For a full rundown of these CVEs, head to Microsoft’s security update page.

Talos also released a new set of SNORTⓇ rules that provide coverage for some of these vulnerabilities. For complete details, check out the latest Snort advisory here.

Vulnerability Spotlight: Code execution vulnerability in Adobe Acrobat Reader

Aleksandar Nikolic of Cisco Talos discovered this vulnerability. Blog by Jon Munshaw. 

Cisco Talos recently discovered an arbitrary code execution vulnerability in Adobe Acrobat Reader.  

Adobe Acrobat Reader is one of the most popular and feature-rich PDF readers on the market. The software supports JavaScript so it can process interactive forms. 

TALOS-2021-1233 (CVE-2021-28562) exists in the way the software processes queries through JavaScript, and could allow an attacker to execute code on the targeted machine. An attacker needs to trick a user into opening a specially crafted, malicious PDF to exploit this vulnerability.

Friday, May 7, 2021

Lemon Duck spreads its wings: Actors target Microsoft Exchange servers, incorporate new TTPs

By Caitlin Huey and Andrew Windsor with contributions from Edmund Brumaghin.

  • Lemon Duck continues to refine and improve upon their tactics, techniques and procedures as they attempt to maximize the effectiveness of their campaigns.
  • Lemon Duck remains relevant as the operators begin to target Microsoft Exchange servers, exploiting high-profile security vulnerabilities to drop web shells and carry out malicious activities.
  • Lemon Duck continues to incorporate new tools, such as Cobalt Strike, into their malware toolkit.
  • Additional obfuscation techniques are now being used to make the infrastructure associated with these campaigns more difficult to identify and analyze.
  • The use of fake domains on East Asian top-level domains (TLDs) masks connections to the actual command and control (C2) infrastructure used in these campaigns.

Executive summary


Since April 2021, Cisco Talos has observed updated infrastructure and new components associated with the Lemon Duck cryptocurrency mining botnet that target unpatched Microsoft Exchange Servers and attempt to download and execute payloads for Cobalt Strike DNS beacons. This activity reflects updated tactics, techniques, and procedures (TTPs) associated with this threat actor. After several zero-day Microsoft Exchange Server vulnerabilities were made public on March 2, Cisco Talos and several other security researchers began observing various threat actors, including Lemon Duck, leveraging these vulnerabilities for initial exploitation before security patches were made available. Microsoft released a report on March 25 highlighting Lemon Duck's targeting of Exchange Servers to install cryptocurrency-mining malware and a malware loader that was used to deliver secondary malware payloads, such as information stealers. We also discovered that Lemon Duck actors have been generating fake domains on East Asian top-level domains (TLDs) to mask connections to their legitimate C2 domain since at least February 2020, highlighting another attempt to make their operations more effective. Below, we'll outline changes to the TTPs used by Lemon Duck across recent campaigns as they relate to various stages of these attacks.