Friday, February 26, 2021

Threat Roundup for February 19 to February 26


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Feb. 19 and Feb. 26. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Talos Takes Ep. #42: Seriously folks, save your logs

The latest episode of Talos Takes is available now. Download this episode and subscribe to Talos Takes using the buttons below, or visit the Talos Takes page.

When Pierre Cadieux steps into a Cisco Talos Incident Response engagement, the first thing he wants to do is check out the customer's logs. But if there are no logs to be found, he'll be pretty limited in the kinds of insights he can provide.

This has come up several times during the SolarWinds era, when customers want to know if they were targeted in the widespread supply chain attack. So in this episode of Talos Takes, Pierre joins the show to discuss why it's so important to keep logs for everything — log-ins, events, applications and more.

Thursday, February 25, 2021

Threat Source newsletter (Feb. 25, 2021)

Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers.  

We all think of APTs as these wide-reaching, silent threat groups who are backed by a nation-state. But our recent research into Gamaredon shows that not all APTs are created equal. 

We’ve spotted this actor carrying out several different attacks across the globe, many of which are mainly just interested in stealing information. And what they do with that information is still up for debate. 

Beers with Talos Ep. #101: Is security the career you really want?


Beers with Talos (BWT) Podcast episode No. 101 is now available. Download this episode and subscribe to Beers with Talos:

If iTunes and Google Play aren't your thing, click here.

By Mitch Neff.

Recorded Jan. 22, 2020 –

We get a lot of questions in Talos about HOW to get a job in security. In this episode, we take a look at figuring out IF Security is the right career choice for you — and if so, where? The industry is a big place with so many different skills in demand, so having a good idea of your strengths and weaknesses is a good place to start. One constant is that curiosity, constant learning, and certain base knowledge seem to be correlated with success across most skills in the industry. We wrap it all up by talking about mapping skill sets to transition careers.

Wednesday, February 24, 2021

Vulnerability Spotlight: Out-of-bounds read vulnerability in Slic3r could lead to information disclosure

Lilith >_> of Cisco Talos discovered this vulnerability. Blog by Jon Munshaw.

Cisco Talos recently discovered an out-of-bounds read vulnerability in Slic3r's library. Slic3r is an open-source 3-D printing toolbox, mainly used to translate assorted 3-D printing model file types into machine code for a specific printer. The software uses libslic3r to perform most of the non-GUI processes, such as reading various file formats, converting between formats and outputting the appropriate G-code for the selected 3-D printer settings. An adversary could send a target a specially crafted .obj file to trigger the out-of-bounds read.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Slic3r to disclose this vulnerability and ensure that an update is available.

Tuesday, February 23, 2021

Gamaredon - When nation states don’t pay all the bills


By Warren Mercer and Vitor Ventura.

Update 02/22: The IOC section has been updated

  • Gamaredon is a threat actor, active since at least 2013, that has long been associated with pro-Russian activities in several reports throughout the years. It is extremely aggressive. Although it is usually not associated with high-visibility campaigns, Cisco Talos sees it as incredibly active, and we believe the group is on par with some of the most prolific crimeware gangs.
  • It has been considered an APT for a long time; however, its characteristics don't match the common definition of an APT. We should consider the possibility that this is not an APT at all, but rather a group that provides services to other APTs while running its own attacks against other regions and victim sets.
  • Contradicting the usual APT method of operation, Gamaredon does not have a focused victimology and instead targets users all over the globe.
  • This group is targeting everyone, from banks in Africa to educational institutions in the U.S.
  • The actor is not as stealthy as other major APT actors, and instead acts more like a crimeware gang.


What's new?


Gamaredon has been exposed several times in multiple threat intelligence reports, without any significant effects on their operations. Their information-gathering activities can almost be classified as a second-tier APT, whose main goal is to gather information and share it with their units, who will eventually use that information to perform the end goal.

How did it work?


The actor uses common tactics from the crimeware world, such as trojanized application installers, self-extracting archives with common names and icons, and spam emails with malicious payloads, sometimes even using template injection. For an APT, this actor is extremely noisy, with an infrastructure of well over 600 active domains for the first-stage command and control (C2). This first-stage C2 is responsible for delivering the second stage and updating the first stage, which can in turn update the second stage if needed. By contrast, the second stage appears to be delivered according to detailed criteria rather than being sent to all targets.

So what?


Organizations need to understand the threat actors they are more likely to be targeted by. Classification of the threat actors becomes important to optimize the limited defensive resources available. APT groups are often associated with focused, high-impact activities with extremely small footprints leading to an extremely stealthy activity that's hard to detect. However, Gamaredon is the opposite of that — though it's still considered an APT actor. Our objective is to help organizations understand how Gamaredon fits into the larger cybersecurity landscape. Rather than doing a fully comprehensive report about Gamaredon, we focused our attention on four campaigns that started in 2020 and are still active today.

Overview


The APT group Gamaredon is one of the most active and undeterred actors in the threat landscape. Gamaredon breaks the APT mold — they use a fairly large footprint across their campaigns with a large number of domains used. This is similar to the TTPs normally associated with crimeware groups that don't often overlap with APTs. Their activity has been documented several times over the years, but the group relentlessly continued their activities without showing any signs of slowing down or covert operations. This group controls more than 600 domains, which they deploy at various points in the infection timeline. It's not often that we see an APT group with such a large infrastructure that's been active for this long. A similar, but smaller, example could be the Promethium group.

This level of activity is excessively noisy for an APT actor. Gamaredon lacks the fluency and eloquent techniques we see in some of the most advanced operations. There is also no indication the group profits off their victims' information, which differentiates them from the regular crimeware crews that monetize all information in different ways. This doesn't mean that Gamaredon, as an APT, should be considered a minor threat. This should be seen as an expansion of their activities to a broader victimology, increasing the likelihood of an organization being a target.

The activity of this group matches up with the activities of usual information-stealers on the crimeware scene who steal information and then sell it to other threat actors — second-tier APT actors that pass critical information to other top-tier teams within their operational unit. The other possibility is Gamaredon is a "service provider" that also performs some side jobs, which would explain why they've targeted a major national bank in West Africa.

This is a group that, although it's very active and noisy in some campaigns, does take special care to avoid certain victims. Some of their campaigns have a simple first stage, and second-stage delivery seems to be vetted based on the information received after first contact.

This is not a group that demonstrates a high level of technical expertise — their first stages seem to be designed to complete the job quickly without hiding their capabilities. This, however, should not be taken as a lack of capability. This group has a huge infrastructure, with more than 600 active domains linked to their activities. Gamaredon often uses Windows Batch language and/or Visual Basic Scripting (VBS) in their first stage. Sometimes, the first-stage files are created directly by the Visual Basic for Applications (VBA) macros embedded in the malicious documents used as an initial vector. Later in this post, we'll walk through the details of some campaigns from this actor over the past two years. Talos observed some new campaigns as of February 2021 that show this actor evolves in small ways, but very often. This, along with the size of the infrastructure, implies a dedicated development effort that allows the actor to continue operating while adding new capabilities and features, alongside managing the infrastructure that supports their campaigns.

Friday, February 19, 2021

Threat Roundup for February 12 to February 19


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Feb. 12 and Feb. 19. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Thursday, February 18, 2021

Threat Source newsletter (Feb. 18, 2021)

Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers. 

Whether you want to read Talos’ research or listen to it, we’ve got plenty of options for you this week.  

Beers with Talos hit its 100th episode last week. To celebrate, we brought Nigel back out of retirement to update us on the Mighty Reds and talk about SolarWinds. What’s your favorite Beers with Talos moment of the past 100 episodes? Tag us on Twitter @TalosSecurity.  

The latest Talos Takes episode is also special because it’s our celebration of Snort 3. Nick Mavis joins the show to talk about the benefits of upgrading to Snort 3 while he reflects on how far it’s come. 

If the written word is more your thing, we have a full writeup on some changes we’ve recently seen with the Masslogger malware. Once installed on a victim machine, it steals users’ login credentials from crucial places like Microsoft Outlook and Google Chrome. 

Wednesday, February 17, 2021

Masslogger campaigns exfiltrate user credentials


News summary


  • As protection techniques develop, attackers are finding it harder to successfully attack their targets and must find creative ways to succeed.
  • Cisco Talos recently discovered a campaign utilizing a variant of the Masslogger trojan designed to retrieve and exfiltrate user credentials from multiple sources such as Microsoft Outlook, Google Chrome and instant messengers.
  • Apart from the initial email attachment, all the stages of the attacks are fileless and they only occur in volatile memory.
  • These threats demonstrate several techniques of the MITRE ATT&CK framework, most notably T1566 — Phishing, T1059.001 and T1059.007 — Command and Scripting Interpreters, T1140 — Deobfuscate/Decode Files or Information, T1497 — Virtualization/Sandbox Evasion, T1555.003 — Credentials from Web Browsers, T1115 — Clipboard Data, T1056.001 — Keylogging and T1048.003 — Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol.


Attackers are constantly reinventing ways to monetize their tools. Cisco Talos recently discovered an interesting campaign affecting Windows systems and targeting users in Turkey, Latvia and Italy, although similar campaigns by the same actor have also been targeting users in Bulgaria, Lithuania, Hungary, Estonia, Romania and Spain in September, October and November 2020.

The actor employs a multi-modular approach that starts with the initial phishing email and carries through to the final payload. The adversaries behind this campaign likely do this to evade detection. But it can also be a weakness, as there are plenty of opportunities for defenders to break the killchain.

What's new?


Although operations of the Masslogger trojan have been previously documented, we found the new campaign notable for using the compiled HTML file format to start the infection chain. This file format is typically used for Windows Help files, but it can also contain active script components, in this case JavaScript, which launches the malware's processes.

How did it work?


The infection starts with an email message containing a legitimate-looking subject line that seems to relate to a business. The email contains a RAR attachment with a slightly unusual filename extension.

The usual filename extension for RAR files is .rar. However, RAR-compressed archives can also be split into multi-volume archives, whose parts carry the extensions .r00 and onwards. In this case, the attachment uses such a multi-volume extension, and the archive it creates contains a file with the .chm extension. This naming scheme is used by the Masslogger campaign, presumably to bypass any programs that would block the email attachment based on its file extension.

CHM is a compiled HTML file that contains an embedded HTML file with JavaScript code to start the active infection process. Every stage of the infection is obfuscated to avoid detection using simple signatures.

The second stage is a PowerShell script that eventually deobfuscates into a downloader, which fetches and loads the main PowerShell loader. The Masslogger loaders seem to be hosted on compromised legitimate hosts under a filename consisting of one letter and one number followed by the extension .jpg, for example "D9.jpg".

The main payload is a variant of the Masslogger trojan designed to retrieve and exfiltrate user credentials from a variety of sources, targeting home and business users. Masslogger can be configured as a keylogger, but in this case, the actor has disabled this functionality.
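The naming tricks described above (multi-volume RAR parts sent as standalone attachments, a .chm inside an archive with a misleading extension, and a PowerShell loader served under a .jpg name) are all cases where a file's declared extension disagrees with its contents or its role, and a mail gateway or sandbox can check for exactly that. The following Python helper is an added example written for this page, not code from Talos or from the Masslogger analysis. The filenames and byte strings it runs over are constructed; the RAR, CHM and JPEG signatures it matches are the standard magic bytes of those formats.

```python
"""Attachment triage: flag declared-extension/content mismatches and
RAR multi-volume parts delivered on their own.

Added example for this page (constructed inputs), not Talos code."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Standard leading bytes of the three formats the Masslogger chain abuses.
# RAR 4.x and RAR 5 signatures share the first six bytes "Rar!\x1a\x07".
MAGIC: Dict[str, bytes] = {
    "rar": b"Rar!\x1a\x07",
    "chm": b"ITSF",
    "jpg": b"\xff\xd8\xff",
}
EXT_ALIASES = {"jpeg": "jpg"}

# Legitimate RAR volume names: .rar, .r00 .. .r99, or .partNN.rar
RAR_VOLUME_RE = re.compile(r"\.(rar|r\d{2}|part\d+\.rar)$", re.IGNORECASE)
RAR_SPLIT_PART_RE = re.compile(r"\.r\d{2}$", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    filename: str
    reason: str


def sniff(data: bytes) -> Optional[str]:
    """Return the format whose magic bytes open `data`, or None."""
    for fmt, sig in MAGIC.items():
        if data.startswith(sig):
            return fmt
    return None


def declared_extension(name: str) -> str:
    """Lower-cased final extension, with .jpeg folded into .jpg."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    return EXT_ALIASES.get(ext, ext)


def triage(name: str, data: bytes) -> List[Finding]:
    """Apply three defender-side checks to one attachment or dropped file."""
    findings: List[Finding] = []
    ext = declared_extension(name)
    actual = sniff(data)

    # 1. Extension claims a format we can fingerprint, but the bytes disagree
    #    (covers a loader served as "D9.jpg" and a RAR delivered as .chm).
    if ext in MAGIC and actual != ext:
        findings.append(Finding(
            name, f"declared .{ext} but content looks like {actual or 'unknown'}"))

    # 2. Archive content hiding behind any non-RAR name.
    if actual == "rar" and not RAR_VOLUME_RE.search(name):
        findings.append(Finding(name, "RAR archive carrying a non-RAR extension"))

    # 3. A split-volume part (.rNN) arriving by itself, which is unusual for
    #    legitimate mail and matches the campaign's delivery pattern.
    if RAR_SPLIT_PART_RE.search(name):
        findings.append(Finding(
            name, "multi-volume RAR part (.rNN) delivered as a standalone attachment"))
    return findings


# Constructed samples: names and bytes are made up for this example.
SAMPLES: List[Tuple[str, bytes]] = [
    ("Dosya_2021.r00", b"Rar!\x1a\x07\x00" + b"\x00" * 16),       # real RAR4 bytes, part name
    ("help.chm", b"ITSF\x03\x00\x00\x00" + b"\x00" * 16),           # genuine CHM, no finding
    ("invoice.chm", b"Rar!\x1a\x07\x01\x00" + b"\x00" * 16),        # RAR5 bytes under .chm
    ("D9.jpg", b"# placeholder script text (constructed)\n"),       # text, not an image
    ("photo.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"),             # genuine JPEG, no finding
]


def run_samples() -> Dict[str, List[str]]:
    """Map each sample filename to the list of reasons it was flagged."""
    return {name: [f.reason for f in triage(name, data)] for name, data in SAMPLES}


if __name__ == "__main__":
    for fname, reasons in run_samples().items():
        print(f"{fname:16s} -> {reasons or ['clean']}")
```

Magic-byte checks only catch mismatches for formats the table knows, so in production the table would be extended with the container and image types the gateway sees most; the split-volume check is deliberately name-based because a standalone `.r00` is suspicious regardless of its bytes.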

So what?


While most of the public attention seems to be focused on ransomware attacks, big game hunting and APTs, it is important to keep in mind that crimeware actors are still active and can inflict significant damage to organizations by stealing users' credentials. The credentials themselves have value on the dark web and actors sell them for money or use them in other attacks.

Based on the IOCs we retrieved, we have moderate confidence that this actor has previously used other payloads such as AgentTesla, Formbook and AsyncRAT in campaigns starting as early as April 2020.

Tuesday, February 16, 2021

Vulnerability Spotlight: Two vulnerabilities in Advantech WebAccess/SCADA



Yuri Kramarz of Cisco Talos discovered these vulnerabilities. Blog by Jon Munshaw.

Cisco Talos recently discovered two vulnerabilities in the Advantech WebAccess/SCADA software package. An adversary could exploit these vulnerabilities to disclose sensitive information and to elevate their privileges on the targeted system, respectively. This HTML5-based software package allows users to perform data visualization and supervisory control over internet-of-things and operational technology devices.

In accordance with our coordinated disclosure policy, Cisco Talos is disclosing these vulnerabilities despite Advantech not confirming a fix. For more on this, refer to Cisco's 90-day vulnerability disclosure policy.

Friday, February 12, 2021

Threat Roundup for February 5 to February 12


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Feb. 5 and Feb. 12. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Talos Takes Ep. #41: The tl;dr of Snort 3

The latest episode of Talos Takes is available now. Download this episode and subscribe to Talos Takes using the buttons below, or visit the Talos Takes page.

This week's episode is for all our SNORTⓇ lovers out there. To celebrate last month's release of the Snort 3 GA, we have Nicholas Mavis on the show again to talk about working with Snort 3 and the benefits of upgrading to it. Nick, who writes Snort rules for Cisco Talos, talks about how rules are more powerful and versatile with Snort and some other new features he likes to show off. For more on Snort 3, visit our informational page over on Snort.org.

Thursday, February 11, 2021

Threat Source newsletter (Feb. 11, 2021)

Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers.  

We have an update on LodaRAT, a trojan we’ve been following for years. This threat has a new version targeting Android devices, looking to infect devices, steal users’ credentials and monitor things like their phone calls and messages.

Patch Tuesday was also this week, which was relatively quiet in terms of the volume of vulnerabilities. We have our full Microsoft blog post as usual, and also a Snort rule update to keep users protected. 

Beers with Talos Ep. #100: The supersized centennial episode


Beers with Talos (BWT) Podcast episode No. 100 is now available. Download this episode and subscribe to Beers with Talos:

If iTunes and Google Play aren't your thing, click here.

By Mitch Neff.

Recorded Jan. 8, 2020.

It’s hard to believe that we have made 100 episodes of BWT. It really feels like a lot more. This is a long-winded show, as we welcome back our buddy Nigel for this special milestone, complete with a Mighty Reds update. In an unintentional nod to our early episodes, the opening roundtable gets way off track. We basically host an “In-Between” episode in the middle of a regular show. Hopefully, our group therapy session on parenting through current events is beneficial listening to some. We also dig into supply chain attacks, in light of the recent SolarWinds incident, delving into defensive and IR strategies. Finally, we take a trip into the past remembering some of our favorite moments from the past 100 times I’ve written these show notes.

Tuesday, February 9, 2021

Kasablanka Group's LodaRAT improves espionage capabilities on Android and Windows




By Warren Mercer, Chris Neal and Vitor Ventura.
  • The developers of LodaRAT have added Android as a targeted platform.
  • A new iteration of LodaRAT for Windows has been identified with improved sound recording capabilities.
  • The operators behind LodaRAT are tied to a specific campaign targeting Bangladesh, although others have been seen.
  • Kasablanca, the group behind LodaRAT, seems to be motivated by information gathering and espionage rather than direct financial gain.
Threat actors attempt to evolve over time and the ones behind Loda are no different. Loda now has an Android version. Just like its Windows version, the Android version is also a remote access tool (RAT) with the features one would expect from this kind of malware. This Android RAT had previously been referred to as "Gaza007." However, Talos linked it to the Loda developers and uncovered a full campaign targeting Bangladeshi users. This shows a resourceful adversary evolving their toolkit onto other platforms. It is unclear if the campaign operators are the same as the developers, but there is no doubt they must work closely together. To protect against this actor, each individual in an organization must be careful with documents attached to emails and be vigilant before clicking on links. Organizations can protect themselves by monitoring domain resolutions using Umbrella, for instance, and protecting endpoints using Cisco AMP.

Microsoft Patch Tuesday for Feb. 2021 — Snort rules and prominent vulnerabilities



By Jon Munshaw, with contributions from Bill Largent. 

Microsoft released its monthly security update Tuesday, disclosing 56 vulnerabilities across its suite of products. This is the smallest amount of vulnerabilities Microsoft has disclosed in a month since January 2020. 

There are only 11 critical vulnerabilities as part of this release, while three are rated moderate severity and the remainder are considered “important.” Users of all Microsoft and Windows products are urged to update their software as soon as possible to avoid possible exploitation of these bugs.

Vulnerability Spotlight: Accusoft ImageGear vulnerabilities could lead to code execution



Marcin Towalski, Emmanuel Tacheau and another Cisco Talos team member discovered these vulnerabilities. Blog by Jon Munshaw.

Accusoft ImageGear contains two remote code execution vulnerabilities. ImageGear is a document-imaging developer toolkit from Accusoft that developers can use to build their applications; the library covers the entire document imaging lifecycle. An adversary could exploit either of these vulnerabilities to cause various conditions, including an out-of-bounds write, and eventually execute code.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Accusoft to ensure that these issues are resolved and that an update is available for affected customers.

Friday, February 5, 2021

Threat Roundup for January 29 to February 5


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Jan. 29 and Feb. 5. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Talos Takes Ep. #40: Takeaways from interviewing a ransomware operator

The latest episode of Talos Takes is available now. Download this episode and subscribe to Talos Takes using the buttons below, or visit the Talos Takes page.

This week, we have two guests on (a Talos Takes first!) to discuss our recent research paper on the LockBit ransomware. Two of the authors, who spoke to the actor directly, join the show to talk about their major takeaways. They talk about how the operator chooses their targets and what defenders should take away from the paper.

A ransomware primer



Ransomware defense

Cyber security is continually a relevant topic for Cisco customers and other stakeholders. Ransomware is quickly becoming one of the hottest topics in the technology space as these malware families target high-leverage companies and organizations. We at Cisco are often contacted for guidance and recommendations for ways organizations can prepare for, detect and prevent ransomware attacks. Some of Cisco’s vendors have also been affected by ransomware and have looked to Cisco for our expectations and expertise. As the leading technology security company, Cisco brings credibility to share with our guidance on proactive measures and reactive considerations. However, ransomware prevention and remediation are complex topics and there is no “one-size-fits-all” approach.

In this document, we’ll outline a collection of risk mitigation strategies. While none of these methods are new, when combined, these defensive techniques and methods allow resiliency against initial access, and the ability to contain the threat if an adversary successfully gains initial access.

Thursday, February 4, 2021

Threat Source newsletter (Feb. 4, 2021)

Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers.  

We are excited to finally share this LockBit research paper with you all after months of work. Some of our researchers spoke to a ransomware operator, which provided us insight into a threat actor’s day-to-day goals and tactics. 

The paper includes information on how the attacker chooses its targets and why it’s easier for the attacker to operate in some countries than others. 

Wednesday, February 3, 2021

Vulnerability Spotlight: Multiple vulnerabilities in SoftMaker Office PlanMaker


Discovered by a Cisco Talos researcher. Blog by Jon Munshaw.

SoftMaker's Office PlanMaker contains multiple vulnerabilities that could allow an adversary to cause a variety of malicious conditions in the software. SoftMaker's flagship product, SoftMaker Office, is supported on a variety of platforms and contains a handful of components that allow the user to write text documents, create spreadsheets, design presentations and more. The SoftMaker Office suite supports a variety of common office file formats, as well as other internal formats that the user may choose to use when performing their work. These vulnerabilities all exist in the PlanMaker component of the suite, which allows users to create and edit spreadsheets.

In accordance with our coordinated disclosure policy, Cisco Talos worked with SoftMaker to ensure that these issues are resolved and that an update is available for affected customers.

Vulnerability Spotlight: Allen-Bradley Flex I/O vulnerable to denial of service



Jared Rittle of Cisco Talos discovered this vulnerability. Blog by Jon Munshaw.

The Rockwell Automation Allen-Bradley Flex I/O input/output device contains a denial-of-service vulnerability. FLEX I/O provides a wide range of input/output operations while keeping a smaller form factor. Users can communicate with the device via EtherNet/IP (ENIP) and HTTP. An attacker could send a specially crafted, malicious packet to the affected device, causing a denial of service.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Rockwell Automation to ensure that these issues are resolved and that an update is available for affected customers.

Tuesday, February 2, 2021

Interview with a LockBit ransomware operator

By Azim Khodjibaev, Dmytro Korzhevin and Kendall McKay.

Ransomware is still highly prevalent in our current threat landscape — it's one of the top threats Cisco Talos Incident Response responds to. One such ransomware family we encounter is called LockBit, a ransomware-as-a-service (RaaS) platform that's known for its automation and the speed at which it attacks its victims.

At Cisco Talos, we strive to understand the malware utilized in ransomware, the infrastructure leveraged by operators to launch these attacks, and even the ransomware operators themselves. In September 2020, Cisco Talos established contact with a self-described LockBit operator and experienced threat actor. Over the course of several weeks, we conducted multiple interviews that gave us a rare, first-hand account of a ransomware operator’s cybercriminal activities. Through these exchanges, we gleaned several valuable takeaways for executives and the broader cybersecurity community.