Threat Roundup for April 9 to April 16

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between April 9 and April 16. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Talos Takes Ep. #49: LodaRAT keeps growing....and growing

By Jon Munshaw.

The latest episode of Talos Takes is available now. Download this episode and subscribe to Talos Takes using the buttons below, or visit the Talos Takes page.

Chris Neal from Talos Outreach has followed LodaRAT for years now. It’s gone from a fairly small threat to a full-on malware with several features that target all sorts of Android devices. Chris joins the show this week to discuss his history of researching LodaRAT and updates us on its latest TTPs. Find out how this trojan tries to trick users into downloading it on their phones and how it hunts for your banking information.

Threat Source Newsletter (April 15, 2021)

Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers.  

If you missed our webinar last week, we've got you covered. We've uploaded an extended version to our YouTube page that includes the scripts used in the presentation. This video will show you how to reverse-engineer and detect Android malware.

We also had Patch Tuesday this week, which featured some more vulnerabilities in Microsoft Exchange Server. Here is a full breakdown of the issues you should know about and Snort rules to keep users protected from exploitation. Cisco Talos researchers specifically discovered multiple vulnerabilities in Azure Sphere that were patched this month. For more on those specifically, check out the full Vulnerability Spotlight.

Threat Advisory: NSA SVR Advisory Coverage

The U.S. National Security Agency released an advisory outlining several vulnerabilities that the Russian Foreign Intelligence Services (SVR) is exploiting in the wild. The U.S. formally attributed the recent SolarWinds supply chain attack to the SVR group in this advisory and detailed more of the group's tactics, techniques and procedures.

The exploits included a series of five CVEs that affect VPN solutions, collaboration suite software and virtualization technologies. All five of the CVEs have been patched — Cisco Talos encourages everyone with the affected software update immediately. Some of these vulnerabilities also have working metasploit modules and are currently being widely exploited. Please note that some of these vulnerabilities exploit applications leveraging SSL. This means that users should enable SSL decryption in Cisco Secure Firewall and Snort to detect exploitation of these vulnerabilities. For an example of this, see how it can be done to protect against exploits used by the Hafnium threat actor here.

Below, we'll outline the vulnerabilities the NSA highlighted, along with Snort rules that will keep users protected from exploitation. Open Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

Vulnerability Spotlight: Multiple remote code execution vulnerabilities in Microsoft Azure Sphere

Claudio Bozzato and Lilith >_> of Cisco Talos discovered these vulnerabilities. Blog by Jon Munshaw.

Cisco Talos researchers recently discovered multiple vulnerabilities in Microsoft’s Azure Sphere, a cloud-connected and custom SoC platform designed specifically with IoT application security in mind. Internally, the SoC is made up of a set of several ARM cores that have different roles (e.g. running different types of applications, enforcing security, and managing encryption), and externally the Azure Sphere platform is supported by Microsoft’s Azure Sphere cloud, which handles secure updates, app deployment, and periodically verifying the device integrity to determine whether or not it should be allowed cloud access.

Talos discovered four vulnerabilities in Azure Sphere that could lead to unsigned code execution and kernel privilege escalation. The discovery of these vulnerabilities continues our research into Azure Sphere and follows the multiple vulnerabilities we disclosed in 2020. Microsoft patched these vulnerabilities as part of their Patch Tuesday releases in March and April. For more on the rest of the issues disclosed as part of April’s update, check out our post here.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Microsoft to ensure that these issues are resolved and that an update is available for affected customers.

Microsoft Patch Tuesday for April 2021 — Snort rules and prominent vulnerabilities

By Jon Munshaw, with contributions from Vanja Svajcer. 

Microsoft released its monthly security update Tuesday, disclosing 108 vulnerabilities across its suite of products, the most in any month so far this year.

Four new remote code execution vulnerabilities in Microsoft Exchange Server are included in today's security update. Microsoft disclosed multiple zero-day vulnerabilities in Exchange Server earlier this year that attackers were exploiting in the wild. Talos encourages everyone with an affected product to update as soon as possible if they have not already and put other mitigation strategies into place in the meantime. Users can also detect the exploitation of the previously disclosed vulnerabilities with Cisco Secure IPS.

The new vulnerabilities Microsoft disclosed today are identified as CVE-2021-28480, CVE-2021-28481, CVE-2021-28482 and CVE-2021-28483 — all of which are critical, and the highest of which has a CVSS severity score of 9.8 out of 10.

In all, there are 20 critical vulnerabilities as part of this release and one considered of “moderate” severity. The remainder is all “important.” 

Twelve of the critical vulnerabilities exist in the remote procedure call runtime — all of which require no user interaction and could allow an attacker to execute remote code on the victim machine. For a full rundown of these CVEs, head to Microsoft’s security update page.

Vulnerability Spotlight: Multiple vulnerabilities in OpenClinic’s GA web portal

Yuri Kramarz of Cisco Talos discovered these vulnerabilities. Blog by Jon Munshaw.

Cisco Talos recently discovered multiple vulnerabilities in OpenClinic’s GA web portal. OpenClinic GA
is an open-source, fully integrated hospital management solution. The web portal allows users to manage administrative, financial, clinical, lab, x-ray and pharmacy data for health care facilities. The software contains extensive statistical and reporting capabilities. OpenClinic GA contains several vulnerabilities that could allow an adversary to carrot out a wide range of malicious actions, including injecting SQL code into the targeted server or elevating their privileges.

In accordance with our coordinated disclosure policy, Cisco Talos worked with OpenClinic to disclose these vulnerabilities and ensure that updates are available.

Recording: Analyzing Android Malware — From triage to reverse-engineering

It's easy to get wrapped up worry about large-scale ransomware attacks on the threat landscape. These are the types of attacks that make headlines and strike fear into the hearts of CISOs everywhere. But if you want to defend the truly prolific and widespread threats that target some of the devices closest to us, you need to be on the lookout for mobile malware.

Many actors are deploying malware that targets Android devices — most of which can even fit in our pockets. Attackers are always targeting Android devices, given that it's the most popular mobile operating system in the world. 

If you want to stay up to date on the latest Android malware, you don't want to miss our latest webinar. You can watch the full recording of "Analyzing Android Malware — From triage to reverse-engineering" above or over on our YouTube page.

Threat Roundup for April 2 to April 9

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between April 2 and April 9. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Talos Takes Ep. #48: The complete history of ObliqueRAT

By Jon Munshaw.

The latest episode of Talos Takes is available now. Download this episode and subscribe to Talos Takes using the buttons below, or visit the Talos Takes page.

After researching and writing about ObliqueRAT for several months now, Asheer Malhotra joins Talos Takes for the first time to discuss this trojan. We’ve seen this malware evolve over the past year or so to add new evasion techniques and find ways to avoid email filters and usual antivirus protections. Asheer talks about his history researching this malware and provides some advice on how to avoid email spam and the other maldocs these actors try to spread.

Threat Source Newsletter (April 8, 2021)

Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers.  

We've all heard about spam coming through your email or those robocalls we all hate. But during the COVID-19 pandemic, attackers are now turning to chat rooms and gaming servers to spread spam. Talos researchers this week unveiled multiple malware campaigns spreading through sites like Discord and Slack, which have becoming increasingly popular while more and more people work from home.

Beers with Talos is also back this week after going quiet for a few weeks. The show's back with a mailbag episode, where the guys answer your Twitter questions. And they don't waste any time getting to Craig's robot problems.

Beers with Talos Ep. #102: Twitter has questions for us

Beers with Talos (BWT) Podcast episode No. 102 is now available. Download this episode and subscribe to Beers with Talos:

If iTunes and Google Play aren't your thing, click here.

By Mitch Neff.

Recorded Feb. 23, 2021

We’ve been quiet for a minute, but we have a few new episodes in the bank now, starting with some of your questions from Twitter. And yes, one of the first questions concerns Craig and the robots. Do you have a question you’d like to ask us for the next listener questions episode? Send us a tweet (links below). Ask us anything security-related or something else entirely. It’s your question, I’m not going to tell you what to ask.

Sowing Discord: Reaping the benefits of collaboration app abuse

By Nick Biasini, Edmund Brumaghin, and Chris Neal with contributions from Paul Eubanks.

• As telework has become the norm throughout the COVID-19 pandemic, attackers are modifying their tactics to take advantage of the changes to employee workflows.
• Attackers are leveraging collaboration platforms, such as Discord and Slack, to stay under the radar and evade organizational defenses.
• Collaboration platforms enable adversaries to conduct campaigns using legitimate infrastructure that may not be blocked in many network environments.
• RATs, information stealers, internet-of-things malware and other threats are leveraging collaboration platforms for delivery, component retrieval and command and control communications.

Executive summary

Abuse of collaboration applications is not a new phenomenon and dates back to the early days of the internet. As new platforms and applications gain in popularity, attackers often develop ways to use them to achieve their mission objectives. Communications platforms like Telegram, Signal, WhatsApp and others have been abused over the past several years to spread malware, used for command and control communications, and otherwise leveraged for nefarious purposes.

As the COVID-19 pandemic spread across the globe in 2020, organizations made significant changes to their work routines across virtually every industry. One major shift was the move to remote working arrangements which coincided with increased reliance on new interactive communications platforms like Discord and Slack. While both of these platforms have existed for some time, recent changes to employee workflows have led to an increased reliance upon them for conducting business. In many cases, these platforms provide rich environments that can be used for communication and collaboration professionally and personally. As the pandemic continued, we observed several threat actors changing their tactics, techniques and procedures to compensate for these new enterprise workflows. We previously described how many threat actors began taking advantage of public interest in COVID-19 related information here and here. Over the past year, we have also observed a significant increase in the abuse of many of these collaboration platforms to facilitate malware attacks against various organizations. Attackers are looking to spread ransomware via these rooms and use the platforms to spread traditional malspam lures used to infect victims.

Threat Roundup for March 26 to April 2

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between March 26 and April 2. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for theinyban following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Talos Takes Ep. #47: Looking back at the Masslogger trojan

By Jon Munshaw.

The latest episode of Talos Takes is available now. Download this episode and subscribe to Talos Takes using the buttons below, or visit the Talos Takes page.

We return to our usual formatting this week to discuss the Masslogger trojan. We covered this threat earlier this year in a full blog post, where we outlined how these adversaries were looking to steal users' login credentials to Microsoft Outlook and Google Chrome. Nick Biasini comes on to discuss the ins and outs of Masslogger, and why you shouldn't look past this threat despite it not making massive headlines.

Threat Source Newsletter (April 1, 2021)

Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers.  

We hope you’re enjoying Cisco Live this week and only reading this after you’ve caught up on your sessions for the day. 

No April Fool’s jokes here (thankfully) — we are just excited to tell you that applications are now open for the Snort scholarship. Find out how to apply here and complete rules here. 

And speaking of things that aren’t funny, who likes to be tricked into downloading malware when they’re just trying to turn on some Thomas the Train mods in “Skyrim?” We are tracking a malware campaign that hides inside video game cheat engine and other “mods.” Our blog post has a complete reverse-engineering of the cryptor used in this case that’s going to be useful for all defenders.