Wednesday, November 24, 2021

Talos Takes Ep. #78: Attackers would love to buy you a non-existent PS5 this holiday season

By Jon Munshaw.

The latest episode of Talos Takes is available now. Download this episode and subscribe to Talos Takes using the buttons below, or visit the Talos Takes page.

We know this episode comes around every year, but people keep falling for scams, so we have to remind people how to avoid them.

Tuesday, November 23, 2021

Attackers exploiting zero-day vulnerability in Windows Installer — Here’s what you need to know and Talos’ coverage

Cisco Talos is releasing new SNORTⓇ rules to protect against the exploitation of a zero-day elevation of privilege vulnerability in Microsoft Windows Installer. This vulnerability allows an attacker with a limited user account to elevate their privileges to become an administrator. This vulnerability affects every version of Microsoft Windows, including fully patched Windows 11 and Server 2022. Talos has already detected malware samples in the wild that are attempting to take advantage of this vulnerability.

Monday, November 22, 2021

A review of Azure Sphere vulnerabilities: Unsigned code execs, kernel bugs, escalation chains and firmware downgrades



Summary of all the vulnerabilities reported by Cisco Talos in Microsoft Azure Sphere

By Claudio Bozzato and Lilith [>_>].

In May 2020, Microsoft kicked off the Azure Sphere Security Research Challenge, a three-month initiative aimed at finding bugs in Azure Sphere. In the first three months, Cisco Talos reported 16 vulnerabilities. Our analysis continued intermittently, and eventually, we discovered and reported a total of 31 published vulnerabilities, two of which were present in the Linux kernel itself.

We already released several blog posts about Azure Sphere (see blog posts 1, 2, 3, 4, 5). Today, we’re putting a bow on our research by summarizing what we’ve found and how attackers could exploit them, and what that would mean for the user. We also have another blog post coming next week that will detail how we exploited a chain of two vulnerabilities to gain arbitrary kernel code execution.

Vulnerability Spotlight: Multiple vulnerabilities in Advantech R-SeeNet

Yuri Kramarz discovered these vulnerabilities. Blog by Jon Munshaw. 

Cisco Talos recently discovered multiple vulnerabilities in the Advantech R-SeeNet monitoring software. 

R-SeeNet is the software system used for monitoring Advantech routers. It continuously collects information from individual routers in the network and records the data into a SQL database. The vulnerabilities Talos discovered exist in various scripts inside of R-SeeNet's web applications. 

TALOS-2021-1366 (several CVEs, please refer to advisory for more information), TALOS-2021-1365 (CVE-2021-21920, CVE-2021-21921, CVE-2021-21922, CVE-2021-21923), TALOS-2021-1363 (CVE-2021-21915, CVE-2021-21916, CVE-2021-21917) and TALOS-2021-1364 (CVE-2021-21918, CVE-2021-21919) are SQL injection vulnerabilities that exist in various R-SeeNet pages.

Back from the dead: Emotet re-emerges, begins rebuilding to wrap up 2021



Executive summary


Emotet has been one of the most widely distributed threats over the past several years. It has typically been observed being distributed via malicious spam email campaigns, and often leads to additional malware infections as it provides threat actors with an initial foothold in an environment. These email campaigns exhibit characteristics previously described here. International police announced a takedown campaign to disrupt Emotet in early 2021, effectively removing the botnet from the threat landscape. But as of last week, Emotet has re-emerged and has been observed establishing the infrastructure and distribution required to rebuild the botnets. While the current distribution campaigns are not at the same volumes as those previously observed when Emotet was at full strength, this is likely the beginning of a resurgence in Emotet activity that will continue to amplify as more systems become infected and are leveraged for spam distribution.


Vulnerability Spotlight: PHP deserialization vulnerability in CloudLinux Imunify360 could lead to arbitrary code execution



Marcin “Icewall” Noga of Cisco Talos discovered this vulnerability. Blog by Jon Munshaw.

Cisco Talos recently discovered a vulnerability in the Ai-Bolit functionality of CloudLinux Inc Imunify360 that could lead to arbitrary code execution. 

Imunify360 is a security platform for web-hosting servers that allows users to configure various settings for real-time website protection and web server security.

Friday, November 19, 2021

Threat Roundup for November 12 to November 19


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Nov. 12 and Nov. 19. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Beers with Talos, Ep. #111: We say goodbye to Craig and his killer robots

Beers with Talos (BWT) Podcast episode No. 111 is now available. Download this episode and subscribe to Beers with Talos:


If iTunes and Google Play aren't your thing, click here.

We apologize for holding onto this for so long, but we wanted to formally bid farewell to Craig once we were ready to move on to the next act for Beers with Talos. So the good news is, we'll have a new host come the next episode! The bad news is, we have to say goodbye to Craig for now.

We spent a good chunk of this episode reminiscing with Craig, but also touched on new internet-sharing applications that are suddenly the next hot thing in malware. 

Talos Takes Ep. #77: How to connect to (and safely use) public WiFi


By Jon Munshaw.

The latest episode of Talos Takes is available now. Download this episode and subscribe to Talos Takes using the buttons below, or visit the Talos Takes page.

Whenever we walk into a bar or restaurant, it's almost a given that we're going to ask the bartender or server: "What's the WiFi password?"

Thursday, November 18, 2021

Threat Source Newsletter (Nov. 18, 2021)

Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers.  

This is our last newsletter before Thanksgiving in the U.S. next week, so now's as good of a time as any to remind you: If a deal seems too good to be true, it probably is. 

To prep online shoppers for the upcoming Cyber Monday and Black Friday sales, we have this handy guide with past Talos podcasts, blog posts and television appearances to keep you safe. Attackers are especially likely to try and capitalize on supply chain fears this year, and keep pushing phony deals around the XBOX Series X and PlayStation 5. 

Bookmark that page, too, because we'll update it as new content becomes available. 

Wednesday, November 17, 2021

Vulnerability Spotlight: Multiple code execution vulnerabilities in LibreCAD



Lilith >_> of Cisco Talos discovered these vulnerabilities. Blog by Jon Munshaw.

Cisco Talos recently discovered three vulnerabilities in LibreCAD’s libdxfrw open-source library.

This library reads and writes .dxf and .dwg files, the primary file formats for vector graphics in CAD software. LibreCAD, a free computer-aided design application for 2-D models, uses libdxfrw.

TALOS-2021-1349 (CVE-2021-21898) and TALOS-2021-1350 (CVE-2021-21899) can trigger buffer overflows if an attacker tricks the user into opening a specially crafted DWG file, eventually allowing the attacker to execute code on the victim machine. TALOS-2021-1351 (CVE-2021-21900) works in a similar manner, but with a DXF file instead.

Vulnerability Spotlight: Use-after-free vulnerability in Google Chrome could lead to code execution


Marcin Towalski of Cisco Talos discovered this vulnerability. Blog by Jon Munshaw. 

Cisco Talos recently discovered an exploitable use-after-free vulnerability in Google Chrome.  

Google Chrome is a cross-platform web browser — and Chromium is the open-source version of the browser that other software developers use to build their browsers, as well.

Talos’ tips for staying safe while shopping online this holiday season



By Jon Munshaw. 

Attackers will resort to all tactics to trick users into downloading malware, handing over credit card data or completely compromising their machines.

No topic is off-limits, and threat actors have resorted to using everything from PlayStation 5 sales, to COVID-19 cures and news on nuclear weapons as part of their lures over the past year. And these spam attacks will only ramp up over the next month as consumers across the globe shop online for the holidays. 

Adobe Insight’s recent “Holiday Shopping Forecast” predicts that spending for e-commerce will top $200 billion during the holiday season for the first time ever. The report also specifically warned that there will be supply chain shortages this year due to the pandemic, which is likely to force online shoppers into long virtual queues or push them to shop even earlier than usual.

Tuesday, November 16, 2021

Attackers use domain fronting technique to target Myanmar with Cobalt Strike

By Chetan Raghuprasad, Vanja Svajcer and Asheer Malhotra.

News Summary

  • Cisco Talos discovered a new malicious campaign using a leaked version of Cobalt Strike in September 2021.
  • This shows that Cobalt Strike, although it was originally created as a legitimate tool, continues to be something defenders need to monitor, as attackers are using it to set up attacks.
  • The threat actor in this case uses domain fronting with the Cloudflare Content Delivery Network, redirecting a Myanmar government-owned domain to an attacker-controlled server.
  • The threat actor employed the tactic of re-registering reputable domains in their attack chains to evade detection.
  • This threat demonstrates several techniques of the MITRE ATT&CK framework, most notably T1202 - Indirect Command Execution, T1027 - Obfuscated Files or Information, T1105 - Ingress Tool Transfer and T1071.001 - Application Layer Protocol: Web Protocols.

What's New?

Cisco Talos discovered a malicious campaign using an obfuscated Meterpreter stager to deploy Cobalt Strike beacons in September 2021. The actor used a domain owned and operated by the Myanmar government, the Myanmar Digital News network, as a domain front for their beacons.

The evolution of this threat indicates that the attackers have been active since at least August 2021, using a combination of Meterpreter stagers and Cobalt Strike beacons to establish a presence on victims' endpoints.

Monday, November 15, 2021

Vulnerability Spotlight: Vulnerabilities in Lantronix PremierWave 2050 could lead to code execution, file deletion



Matt Wiseman discovered these vulnerabilities. Blog by Jon Munshaw. 

Cisco Talos recently discovered multiple vulnerabilities in Lantronix’s PremierWave 2050, an embedded Wi-Fi module. 

There are several vulnerabilities in PremierWave 2050’s Web Manager, a web-accessible application that allows users to configure settings for the 2050 gateway. An attacker could exploit some of these vulnerabilities to carry out a range of malicious actions, including executing arbitrary code and deleting or replacing files on the targeted device. 

Friday, November 12, 2021

Threat Roundup for November 5 to November 12


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Nov. 5 and Nov. 12. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Talos Takes Ep. #76: What is Kimsuky phishing around for?



By Jon Munshaw.

The latest episode of Talos Takes is available now. Download this episode and subscribe to Talos Takes using the buttons below, or visit the Talos Takes page.

Blog posts aren't just for sharing your darkest secrets from high school anymore. They're also used by attackers to spread malware and steal international secrets.

Thursday, November 11, 2021

Threat Source newsletter (Nov. 11, 2021)

Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers.  

It's important to be proactive, and not reactive, with your security. It's always better to see the worst coming and block it than have to scramble to deal with the worst-case scenario in the moment.

That's why it's so important to have a polished Incident Response Plan that's tested and proven. A solid IR plan will ensure your team has the appropriate protections in place, and if you are the target of a cyber attack, you'll be ready to act at a moment's notice to snuff out the threat before it becomes a full-on cybersecurity incident.

Whether you want to create an IR plan from scratch or just refine yours, you'll want to watch our live stream from last week with Martin Lee from Talos research and Paul Lee from Talos Incident Response. Watch the full recording above or check out the Talos Takes audio version here.

Wednesday, November 10, 2021

North Korean attackers use malicious blogs to deliver malware to high-profile South Korean targets



By Jung soo An and Asheer Malhotra, with contributions from Kendall McKay.

  • Cisco Talos has observed a new malware campaign operated by the Kimsuky APT group since June 2021.
  • Kimsuky, also known as Thallium and Black Banshee, is a North Korean state-sponsored advanced persistent threat (APT) group active since 2012.
  • This campaign utilizes malicious blogs hosted on Blogspot to deliver three types of preliminary malicious content: beacons, file exfiltrators and implant deployment scripts.
  • The implant deployment scripts, in turn, can infect the endpoint with additional implants such as system information-stealers, keyloggers and credential stealers.
  • These implants are derivatives of the Gold Dragon/Brave Prince family of malware operated by Kimsuky since at least 2017 — now forked into three separate modules.
  • This campaign targets South Korea-based think tanks whose research focuses on political, diplomatic and military topics pertaining to North Korea, China, Russia and the U.S.


What's new?


Cisco Talos recently discovered a campaign operated by the North Korean Kimsuky APT group delivering malware to high-value South Korean targets — namely geopolitical and aerospace research agencies. This campaign has been active since at least June 2021 deploying a constantly evolving set of implants derived from the Gold Dragon/Brave Prince family of implants.

The attackers used Blogspot in this campaign to host their malicious artifacts. Talos coordinated with Google to alert them to these blog posts. Google removed these posts and related IOCs prior to publication of this blog post. We also shared this information with appropriate national security partners as well as our industry partners, including the Cyber Threat Alliance (CTA).


Tuesday, November 9, 2021

Microsoft Patch Tuesday for Nov. 2021 — Snort rules and prominent vulnerabilities



By Jon Munshaw and Tiago Pereira. 

Microsoft released its monthly security update Tuesday, disclosing 56 vulnerabilities in the company’s various software, hardware and firmware offerings, including one that’s actively being exploited in the wild.  

November’s security update features six critical vulnerabilities, up from last month’s two, which was far lower than average for Microsoft. The other 50 vulnerabilities fixed today are considered “important.” 

CVE-2021-42292 is one of those vulnerabilities considered “important” and not critical, though it is the only one included in this security update that Microsoft reports has been spotted being exploited in the wild. An attacker could exploit this vulnerability in Microsoft Excel to bypass certain security settings on targeted machines. 

In a time when email attachments are the major vector of system compromise, this vulnerability can be used to increase the efficiency of these attacks by avoiding a security prompt and consequently reducing the social engineering necessary to infect the victim.

Cisco Talos finds 10 vulnerabilities in Azure Sphere’s Linux kernel, Security Monitor and Pluton



By Claudio Bozzato and Lilith [-_-];.

Following our previous engagements (see blog posts 1, 2, 3 and 4) with Microsoft's Azure Sphere IoT platform, we decided to take another look at the device, without all the rush and commotion that a hacking challenge normally entails.

Today, we’re disclosing another 10 vulnerabilities in Azure Sphere — two of which are on the Linux side, seven that exist in Security Monitor and one in the Pluton security subsystem.

Friday, November 5, 2021

Threat Roundup for October 29 to November 5


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Oct. 29 and Nov. 5. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Thursday, November 4, 2021

Threat Source newsletter (Nov. 4, 2021)

Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers.  

A series of vulnerabilities in Microsoft Exchange Server made waves earlier this year for coming under attack. And while they've come and gone from the headlines since then, attackers are still very much paying attention.

Attackers spreading the Babuk ransomware are targeting these vulnerabilities to infect victims. Find out how, exactly, these Babuk attacks work, and if you haven't already, patch.

To prepare for a ransomware attack like this, it's always important to have an incident response plan at the ready. Whether you are looking to create an IR plan from scratch, or just looking to polish your current one, we have a new guide to get you started.

The features all Incident Response Plans need to have



Adversaries are always growing their capabilities and changing their tactics, leading to a greater number of incidents and data breaches. This is supported by organizations such as the ITRC, which reports that the number of data breaches in 2021 is already greater than that of 2020. This is why defenders must become proactive, not reactive. Many forms of traditional protection are reactive, like host-based antivirus, firewalls and secure web gateways. An overlooked aspect of cybersecurity is the proactive planning and policy that goes into defense.

Wednesday, November 3, 2021

Microsoft Exchange vulnerabilities exploited once again for ransomware, this time with Babuk

By Chetan Raghuprasad and Vanja Svajcer, with contributions from Caitlin Huey.

  • Cisco Talos recently discovered a malicious campaign deploying variants of the Babuk ransomware, predominantly affecting users in the U.S., with a smaller number of infections in the U.K., Germany, Ukraine, Finland, Brazil, Honduras and Thailand.
  • The actor of the campaign is sometimes referred to as Tortilla, based on the payload file names used in the campaign. This is a new actor operating since July 2021. Prior to this ransomware, Tortilla has been experimenting with other payloads, such as the PowerShell-based netcat clone Powercat, which is known to provide attackers with unauthorized access to Windows machines.
  • We assess with moderate confidence that the initial infection vector is exploitation of ProxyShell vulnerabilities in Microsoft Exchange Server through the deployment of China Chopper web shell.

What's new?

Cisco Talos discovered a malicious campaign using Cisco Secure product telemetry on Oct. 12, 2021 targeting vulnerable Microsoft Exchange servers and attempting to exploit the ProxyShell vulnerability to deploy the Babuk ransomware in the victim's environment. The actor is using a somewhat unusual infection chain technique where an intermediate unpacking module is hosted on a pastebin.com clone pastebin.pl. The intermediate unpacking stage is downloaded and decoded in memory before the final payload embedded within the original sample is decrypted and executed.

Friday, October 29, 2021

Threat Roundup for October 22 to October 29


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Oct. 22 and Oct. 29. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Thursday, October 28, 2021

Threat Source newsletter (Oct. 28, 2021)

Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers.  

Most people know about chicken and waffles. But what about squirrel and waffles? They may not be the most appetizing brunch, but they are teaming up for one heck of a spam campaign. 

We have new research out detailing this threat and examining whether it could be the next big player in the spam space.

Also, everyone will be excited to know that the 2022 Snort Calendar has arrived! This year’s theme is “Hoofstock ‘22 — 12 epic months of music legends.” To get your copy of the 2022 Snort Calendar, fill out our short survey here. Calendars will begin shipping in November 2021. U.S. shipping only, available while supplies last.

Do you have a particular threat, IOC, malware family or actor you want us to be covering in the Threat Source newsletter? Let us know at threatsource@cisco.com.

Quarterly Report: Incident Response trends from Q3 2021

Ransomware again dominated the threat landscape, while BEC grew 



By David Liebenberg and Caitlin Huey

Once again, ransomware was the most dominant threat observed in Cisco Talos Incident Response (CTIR) engagements this quarter.  

CTIR helped resolve several significant ransomware events this quarter, including ones that involved the REvil ransomware leveraging a vulnerability in the Kaseya VSA software (CVE-2021-30116) against managed service providers (MSPs) and their downstream customers. REvil and Vice Society were the only ransomware groups observed more than once this quarter. This highlights the greater democratization of emerging ransomware variants. This is the first quarter in which we had no observations of the Ryuk ransomware, a variant that was frequently the most commonly observed in previous quarters. CTIR also engaged in several pre-ransomware incidents in which ransomware was never deployed.

The next most commonly observed threat between July and October 2021 was business email compromise (BEC). The dominance of BEC and ransomware incidents, which also frequently use phishing and malspam as a means of initial infection, illustrates the importance of properly implementing multi-factor authentication (MFA).

Other threats observed this quarter include the Solarmarker malware, which Talos has covered extensively, as well as the Redline information-stealer, with leaked information observed being sold in Russian dark web forums. 

Tuesday, October 26, 2021

SQUIRRELWAFFLE Leverages malspam to deliver Qakbot, Cobalt Strike

By Edmund Brumaghin, Mariano Graziano and Nick Mavis.

Executive summary


Recently, a new threat, referred to as "SQUIRRELWAFFLE" is being spread more widely via spam campaigns, infecting systems with a new malware loader. This is a malware family that's been spread with increasing regularity and could become the next big player in the spam space.

SQUIRRELWAFFLE provides threat actors with an initial foothold onto systems and their network environments that can then be used to facilitate further compromise or additional malware infections depending on how adversaries choose to attempt to monetize their access. In many cases, these infections are also being used to deliver and infect systems with other malware like Qakbot and the penetration-testing tool Cobalt Strike. Let's take a look at how this new threat operates and the volume and characteristics of the malicious email campaigns associated with it. Organizations should be aware of this threat, as it will likely persist across the threat landscape for the foreseeable future.

Friday, October 22, 2021

Threat Roundup for October 15 to October 22


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Oct. 15 and Oct. 22. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Thursday, October 21, 2021

Threat Source newsletter (Oct. 21, 2021)



Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers.  

We're writing this on Wednesday for PTO reasons, so apologies if we miss any major news that happens after Wednesday afternoon. 

Above, you can watch our awesome live stream from Monday with Brad Garnett from Cisco Talos Incident Response. Brad sat down for a long discussion about the basics of engaging with an incident response team, provided some tips for hybrid work and answered questions live from the audience. 

On the written front, we just published new research on the recent wave of cyber attacks against users on the Indian Subcontinent. We recently spotted another set of threat actors trying to spread RATs to India and Afghanistan. Our blog has the latest information on why that matters, and what defenders can do to stay protected.

Tuesday, October 19, 2021

Malicious campaign uses a barrage of commodity RATs to target Afghanistan and India


  • Cisco Talos recently discovered a threat actor using political and government-themed malicious domains to target entities in India and Afghanistan.
  • These attacks use dcRAT and QuasarRAT for Windows delivered via malicious documents exploiting CVE-2017-11882 — a memory corruption vulnerability in Microsoft Office — and AndroidRAT to target mobile devices.
  • The actor also uses a custom file enumerator and infector in their initial reconnaissance phase of the attack.
  • The actor appears to be a lone wolf using a front company to run a crimeware campaign, possibly to establish initial footholds into high-value targets for future operations or monetary gain.


What's new?


Cisco Talos has observed a new campaign targeting Afghanistan and India utilizing malicious RTF documents to deliver a variety of commodity malware to victims. The campaign consists of two phases: a reconnaissance phase that delivers a custom file enumerator and infector to the victims, and an attack phase that deploys a variety of commodity RATs, such as DcRAT and QuasarRAT.


How did it work?


The threat actor registered multiple domains with political and government themes. These domains hosted malware payloads that were distributed to their victims. Their malicious lures also contained themes related to Afghan entities, specifically diplomatic and humanitarian efforts. We assess with high confidence that the threat actor behind these attacks is an individual operating under the guise of a Pakistani IT firm called "Bunse Technologies."

The infection chains consist of malicious RTF documents and PowerShell scripts that distribute malware to victims. We've also observed the usage of C#-based downloader binaries to deploy malware while displaying decoy images to victims to appear legitimate.


So what?


This campaign is a classic example of an individual threat actor employing political, humanitarian and diplomatic themes in a campaign to deliver commodity malware to victims. Commodity RAT families are increasingly being used by both crimeware and APT groups to infect their targets. These RATs are packed with multiple functionalities to achieve complete control over the victim's endpoint, from preliminary reconnaissance capabilities to arbitrary command execution and data exfiltration. These families also act as excellent launch pads for deploying additional malware against their victims. Furthermore, these out-of-the-box features mean the attackers need only make minimal configuration changes to the RATs, removing the need for a full-fledged development cycle of custom malware.

The use of a custom file enumerator and infector module by the attackers indicates their intent to proliferate by infecting benign, trusted documents to achieve an even greater degree of infection.


Beers with Talos, Ep. #110: The 10 most-exploited vulnerabilities this year (You won't believe No. 6!)

Beers with Talos (BWT) Podcast episode No. 110 is now available. Download this episode and subscribe to Beers with Talos:


If iTunes and Google Play aren't your thing, click here.

We mainly spend this episode doing some catching up because it's been a while since we recorded. But on the actual, helpful, front, we discuss a recently released list of the vulnerabilities that are most often exploited in the wild, according to the U.S. Cybersecurity and Infrastructure Security Agency. 

It's particularly interesting to compare the lists from 2020 and 2021 to see how threat actors have changed their tactics, and to parse through all the information to tell you what you need to know. It's also important to question these types of reports and how helpful they really are to defenders.

This is also a great episode for any Snort fans out there who are interested in the old days of writing rules for some Y2K-era malware.

Monday, October 18, 2021

Vulnerability Spotlight: Multiple vulnerabilities in ZTE MF971R LTE router

Marcin “Icewall” Noga of Cisco Talos discovered these vulnerabilities. Blog by Jon Munshaw.

Cisco Talos recently discovered multiple vulnerabilities in the ZTE MF971R LTE portable router.

The MF971R is a portable router with Wi-Fi support that also works as an LTE/GSM modem. An attacker could exploit all of these vulnerabilities by sending a specially crafted HTTP request to the targeted device.

TALOS-2021-1320 and TALOS-2021-1321 are stack-based buffer overflow vulnerabilities. An attacker could exploit these issues to remotely execute arbitrary code on the targeted device. As part of these exploits, the attacker needs to complete a referrer bypass, which is outlined in TALOS-2021-1317.

TALOS-2021-1318 and TALOS-2021-1319 are pre-authentication cross-site scripting vulnerabilities that an attacker could use to execute arbitrary JavaScript in the victim’s browser in the context of the router's web panel. In this case, an attacker would need to trick the user into opening an attacker-controlled URL that hosts the malicious HTTP request.

An adversary could also exploit TALOS-2021-1316, a pre-authentication vulnerability, to overwrite a configuration file entry, which in certain cases could allow the attacker to fully lock down the device.

Friday, October 15, 2021

Threat Roundup for October 8 to October 15

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Oct. 8 and Oct. 15. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post summarizes the threats we've observed by highlighting key behavioral characteristics and indicators of compromise, and discusses how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats are subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Talos Takes Ep. #73 (NCSAM edition): Fight the phish from land, sea and air

By Jon Munshaw.

The latest episode of Talos Takes is available now. Download this episode and subscribe to Talos Takes using the buttons below, or visit the Talos Takes page.

Most people may think of spam as the classic email promising that you've won the lottery or some great prize, only for the badly photoshopped picture to take you to a malicious site. But attackers are getting more sophisticated, targeting users with text messages, phone calls and several layers of communication.

Jaeson Schultz joins Talos Takes this week to discuss the basics of spam in 2021 for National Cybersecurity Awareness Month as we celebrate "Fight the phish" week. Jaeson discusses some recent campaigns he's seen asking victims to call a specific phone number and provides some basic spam advice we could all use — and could pass along to some of our less-than-technically savvy relatives and loved ones.

Thursday, October 14, 2021

Threat Source newsletter (Oct. 14, 2021)

Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers.

It's still Cybersecurity Awareness Month, and what better way to celebrate than by patching and then patching some more?

This week was Microsoft Patch Tuesday, which only included two critical vulnerabilities, but still requires patching diligence. Here's our full breakdown of this month's security updates for Microsoft products, and some additional details on a code execution vulnerability we discovered in Excel.

If you're looking for other ways to celebrate this month of security awareness, you can also listen to our latest special edition of Talos Takes reflecting on ransomware in 2021. The Cisco newsroom also wrote up a profile on one of our researchers, Vanja Svajcer, if you want to find out what a day in the life of a threat researcher is like.

Do you have a particular threat, IOC, malware family or actor you want us to be covering in the Threat Source newsletter? Let us know at threatsource@cisco.com.

Vulnerability Spotlight: Code execution vulnerabilities in Nitro Pro PDF

A Cisco Talos team member discovered these vulnerabilities. Blog by Jon Munshaw.

Cisco Talos recently discovered multiple vulnerabilities in the Nitro Pro PDF reader that could allow an attacker to execute code in the context of the application.

Nitro Pro PDF is part of Nitro Software’s Productivity Suite. Pro PDF allows users to create and modify PDFs and other digital documents. It relies on several third-party libraries to parse PDFs and provide some of its capabilities.

Tuesday, October 12, 2021

Vulnerability Spotlight: Use-after-free vulnerability in Microsoft Excel could lead to code execution

Marcin “Icewall” Noga of Cisco Talos discovered this vulnerability. Blog by Jon Munshaw.

Cisco Talos recently discovered a use-after-free vulnerability in the ConditionalFormatting functionality of Microsoft Office Excel 2019 that could allow an attacker to execute arbitrary code on the victim machine.

Microsoft disclosed and patched this vulnerability in the popular spreadsheet creation and editing platform as part of its monthly security update. You can read more about Patch Tuesday here.

Microsoft Patch Tuesday for Oct. 2021 — Snort rules and prominent vulnerabilities

By Jon Munshaw, with contributions from Asheer Malhotra.

Microsoft released its monthly security update Tuesday, disclosing 78 vulnerabilities in the company’s various software, hardware and firmware offerings.

This month’s release is particularly notable because only two critical vulnerabilities are included, with the rest rated important. This is the fewest critical vulnerabilities disclosed as part of a Patch Tuesday in at least a year.

CVE-2021-40461 is one of the critical vulnerabilities — a flaw in the Network Virtualization Service Provider that could allow an attacker to execute remote code on the target machine. This vulnerability has a severity rating of 9.9 out of a possible 10, virtually the highest severity rating seen in Patch Tuesdays.

The other critical vulnerability, CVE-2021-38672, exists in Windows Hyper-V. This vulnerability could also lead to remote code execution and has the same severity score as CVE-2021-40461.