Friday, April 30, 2021

Threat Roundup for April 23 to April 30


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between April 23 and April 30. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Talos Takes Ep. #51: COVID and Tax Day have perfectly aligned for spammers

By Jon Munshaw.

The latest episode of Talos Takes is available now. Download this episode and subscribe to Talos Takes using the buttons below, or visit the Talos Takes page.

We see tax scams every year: people offering to do your taxes for you, promising to find you a larger refund, and so on.

But this year is a little different because of the COVID-19 pandemic. Like everything else COVID has changed, Tax Day comes later this year, May 17 rather than the usual April 15, and that has opened up a whole new layer of scam campaigns.

Thursday, April 29, 2021

Threat Source Newsletter (April 29, 2021)


Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers.  

Ransomware is not just financial extortion. It is crime that transcends business, academic and geographic boundaries. Talos was proud to assist with a newly released report from the international Ransomware Task Force that provides a path forward to mitigate this criminal enterprise. This was a large undertaking by Talos researchers and our cybersecurity partners from across the globe that everyone should read.

And if you're in the mood to watch rather than read, we uploaded a recording of a LinkedIn Live video from earlier this week to our YouTube page. Martin Lee from Talos Outreach joined security blogger Graham Cluley to discuss cybersecurity threats during our current (and likely permanent) work from home situation.

Tuesday, April 27, 2021

Vulnerability Spotlight: Information disclosure vulnerability in the Linux Kernel



Lilith >_> and Claudio Bozzato of Cisco Talos discovered this vulnerability. Blog by Jon Munshaw. 

Cisco Talos recently discovered an information disclosure vulnerability in the Linux Kernel.  

The Linux Kernel is the free and open-source core of Unix-like operating systems. This vulnerability specifically exists in the /proc/pid/syscall functionality of 32-bit ARM devices running Linux. 

TALOS-2020-1211 (CVE-2020-28588) is an information disclosure vulnerability that could allow an attacker to view kernel stack memory. We first discovered this issue on an Azure Sphere device (version 20.10), a 32-bit ARM device that runs a patched Linux kernel.

Friday, April 23, 2021

Threat Roundup for April 16 to April 23


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between April 16 and April 23. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Talos Takes Ep. #50: Just like us, attackers are using Slack and Discord now more than ever


By Jon Munshaw.

The latest episode of Talos Takes is available now. Download this episode and subscribe to Talos Takes using the buttons below, or visit the Talos Takes page.

With more workers than ever going remote due to the COVID-19 pandemic, the popularity of collaboration apps like Discord and Slack has spiked. It didn't take long for the bad guys to notice, as they soon started finding ways to spread malicious links, images and files through rooms that are usually limited to a close circle of trusted friends and co-workers. On this week's episode, Nick Biasini discusses how collaboration apps have become a popular vector for malware distribution, and even command and control, and why that poses a problem for defenders.

Thursday, April 22, 2021

Threat Source Newsletter (April 22, 2021)

Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers.  

We went viral this week! Everyone seemed to love to joke about these vulnerabilities we discovered in a WiFi-connected air fryer. An attacker, if they had physical access to the device, could exploit these vulnerabilities to change cook times and temperatures, or even turn the device on by themselves.

There's also a new Beers with Talos episode out this week. The guys have a special guest on this week to talk about the world of SCADA and IoT as it relates to security — we promise the conversation is way more interesting than all of those acronyms.

On the malware front, we have new research out highlighting an actor we're calling "Fajan." These groups send out spam emails to primarily Middle Eastern targets claiming to be from Bloomberg BNA — a news aggregation and business resource. 

Threat Advisory: Pulse Secure Connect Coverage

Pulse Secure announced in a recent security advisory that a critical vulnerability (CVE-2021-22893) was discovered in its VPN product, Pulse Connect Secure.

The advisory states that, "a vulnerability was discovered under Pulse Connect Secure (PCS). This includes an authentication by-pass vulnerability that can allow an unauthenticated user to perform remote arbitrary file execution on the Pulse Connect Secure gateway. This vulnerability has a critical CVSS score and poses a significant risk to your deployment."

The company released a blog post alongside this advisory disclosing that the vulnerability has been exploited in the wild. According to the blog post, several other previously known vulnerabilities were exploited during these incidents:

Beers with Talos Ep. #103: ICS/SCADA Security — The permanence and people problems


Beers with Talos (BWT) Podcast episode No. 103 is now available. Download this episode and subscribe to Beers with Talos:

If iTunes and Google Play aren't your thing, click here.

By Mitch Neff.

Recorded March 2021

ICS and SCADA systems are deeply embedded all around us in critical infrastructure. Today, we talk about some of the inherent issues in infrastructure security and take a wide-ranging look at the ICS- and SCADA-specific issues found there. Joe Marshall from the Talos Outreach group joins to share his insights on the space and how donuts are the ultimate career track switching tool. Oh — and Matt's cat discovers jerky...

Wednesday, April 21, 2021

Vulnerability Spotlight: Code execution vulnerabilities in PrusaSlicer



Lilith >_> of Cisco Talos discovered these vulnerabilities. Blog by Jon Munshaw.

Cisco Talos recently discovered two out-of-bounds write vulnerabilities in Prusa Research's PrusaSlicer. PrusaSlicer is an open-source 3-D printer slicing program forked from Slic3r that can convert various 3-D model file formats and output the corresponding printer-readable G-code. Two functions in the software can be triggered with specially crafted OBJ files to cause out-of-bounds write and buffer overflow conditions, which an attacker could use to execute code on the victim machine.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Prusa Research to disclose these vulnerabilities and ensure that an update is available.

A year of Fajan evolution and Bloomberg themed campaigns


News summary

  • Some malware campaigns are designed to spread malware to as many people as possible, while others carefully choose their targets. Cisco Talos recently discovered a malware campaign that fits neither category. This actor has a relatively low volume of recovered samples, which makes it difficult to decide whether the campaigns are carefully targeted or mass-spammed.
  • Cisco Talos recently discovered a series of low volume email campaigns we're calling "Fajan," targeting users with Bloomberg BNA-based email messages since at least March 2020.
  • These threats demonstrate several techniques of the MITRE ATT&CK framework, most notably Scripting - T1064, PowerShell - T1059.001, Process Injection - T1055, Non Standard Port - T1571, Remote Access Software - T1219, Input Capture - T1056, Obfuscated Files or Information - T1027 and Registry Run Keys / Startup Folder - T1547.001


The actor employs various methods to install and run a variant of either JavaScript- or VBScript-based remote access trojans (RATs). The command and control (C2) IP addresses of the script-based RATs are also shared with some other popular families such as Netwire RC and Revenge RAT.

In one instance, we also observed Nanocore RAT as the final payload with a C2 server IP address shared with other RAT families such as XpertRAT.

The campaigns are likely the work of a single actor who keeps experimenting with various TTPs to make the campaigns more difficult to detect and more successful.

What's new?


We believe this is the first time anyone's documented Fajan's operations. The actor is actively maintaining the tools and has been active since March 2020. Based on the observed IOCs and TTPs, we have a moderate confidence that the actor is an Arabic-speaking person or group.

How did it work?


The infection starts with an email containing a message which pretends to come from Bloomberg's BNA division — a site dedicated to providing legal and regulatory information to professionals. The email contains an Excel spreadsheet as an attachment, containing macro code to either download the next infection stage or drop and run the final payload.

The payload is always a RAT that allows the attacker to take control over the infected system using HTTP over a non-standard TCP port.

The main payload is a JavaScript file, a VBScript file or a standard Windows PE binary.

So what?


The actors behind the Fajan campaigns are actively maintaining and developing functionality to make the attacks more successful. The campaigns use email messages, which remain the most commonly used vector in a successful compromise. The inclusion of remote access trojans as the campaign's payloads indicates the actors may want to carry out surveillance operations or steal user data. The C2 servers were not responsive at the time of analysis, so we could not determine the final objective of the campaigns.

Tuesday, April 20, 2021

Vulnerability Spotlight: Multiple vulnerabilities in Synology DiskStation Manager



Claudio Bozzato of Cisco Talos discovered these vulnerabilities. Blog by Jon Munshaw. 

Cisco Talos recently discovered multiple vulnerabilities in Synology DiskStation Manager.  

DSM is the Linux-based operating system for every Synology network-attached storage device (NAS). The vulnerabilities exist in various features inside the operating system, including AppArmor and QuickConnect.

Monday, April 19, 2021

Vulnerability Spotlight: Remote code execution vulnerabilities in Cosori smart air fryer



Dave McDaniel of Cisco Talos discovered this vulnerability. Blog by Jon Munshaw. 

Update (April 27, 2021): Cosori has released an update for this product that fixes these two vulnerabilities.

Cisco Talos recently discovered two code execution vulnerabilities in the Cosori smart air fryer.  

The Cosori Smart Air Fryer is a WiFi-enabled kitchen appliance that cooks food with a variety of methods and settings. Users can also use the device’s Wi-Fi features to start and stop cooking, look up recipe guides and monitor cooking status.

Friday, April 16, 2021

Threat Roundup for April 9 to April 16


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between April 9 and April 16. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Talos Takes Ep. #49: LodaRAT keeps growing....and growing

By Jon Munshaw.

The latest episode of Talos Takes is available now. Download this episode and subscribe to Talos Takes using the buttons below, or visit the Talos Takes page.

Chris Neal from Talos Outreach has followed LodaRAT for years now. It has grown from a fairly small threat into a fully featured piece of malware with several capabilities that target all sorts of Android devices. Chris joins the show this week to discuss his history of researching LodaRAT and updates us on its latest TTPs. Find out how this trojan tries to trick users into downloading it on their phones and how it hunts for your banking information.

Thursday, April 15, 2021

Threat Source Newsletter (April 15, 2021)

Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers.  

If you missed our webinar last week, we've got you covered. We've uploaded an extended version to our YouTube page that includes the scripts used in the presentation. This video will show you how to reverse-engineer and detect Android malware.

We also had Patch Tuesday this week, which featured some more vulnerabilities in Microsoft Exchange Server. Here is a full breakdown of the issues you should know about and Snort rules to keep users protected from exploitation. Cisco Talos researchers specifically discovered multiple vulnerabilities in Azure Sphere that were patched this month. For more on those specifically, check out the full Vulnerability Spotlight.

Threat Advisory: NSA SVR Advisory Coverage

The U.S. National Security Agency released an advisory outlining several vulnerabilities that the Russian Foreign Intelligence Service (SVR) is exploiting in the wild. In this advisory, the U.S. formally attributed the recent SolarWinds supply chain attack to the SVR and detailed more of the group's tactics, techniques and procedures.

The advisory lists five CVEs affecting VPN solutions, collaboration suite software and virtualization technologies. All five have been patched, and Cisco Talos encourages everyone running the affected software to update immediately. Some of these vulnerabilities also have working Metasploit modules and are being widely exploited. Note that several of the affected applications are reached over SSL/TLS, so users should enable SSL decryption in Cisco Secure Firewall and Snort to detect exploitation of these vulnerabilities. For an example of how this is done, see our coverage of the exploits used by the Hafnium threat actor here.

Below, we'll outline the vulnerabilities the NSA highlighted, along with Snort rules that will keep users protected from exploitation. Open Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

Wednesday, April 14, 2021

Vulnerability Spotlight: Multiple remote code execution vulnerabilities in Microsoft Azure Sphere



Claudio Bozzato and Lilith >_> of Cisco Talos discovered these vulnerabilities. Blog by Jon Munshaw.

Cisco Talos researchers recently discovered multiple vulnerabilities in Microsoft’s Azure Sphere, a cloud-connected and custom SoC platform designed specifically with IoT application security in mind. Internally, the SoC is made up of a set of several ARM cores that have different roles (e.g. running different types of applications, enforcing security, and managing encryption), and externally the Azure Sphere platform is supported by Microsoft’s Azure Sphere cloud, which handles secure updates, app deployment, and periodically verifying the device integrity to determine whether or not it should be allowed cloud access.

Talos discovered four vulnerabilities in Azure Sphere that could lead to unsigned code execution and kernel privilege escalation. The discovery of these vulnerabilities continues our research into Azure Sphere and follows the multiple vulnerabilities we disclosed in 2020. Microsoft patched these vulnerabilities as part of their Patch Tuesday releases in March and April. For more on the rest of the issues disclosed as part of April’s update, check out our post here.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Microsoft to ensure that these issues are resolved and that an update is available for affected customers.

Tuesday, April 13, 2021

Microsoft Patch Tuesday for April 2021 — Snort rules and prominent vulnerabilities



By Jon Munshaw, with contributions from Vanja Svajcer. 

Microsoft released its monthly security update Tuesday, disclosing 108 vulnerabilities across its suite of products, the most in any month so far this year.

Four new remote code execution vulnerabilities in Microsoft Exchange Server are included in today's security update. Microsoft disclosed multiple zero-day vulnerabilities in Exchange Server earlier this year that attackers were exploiting in the wild. Talos encourages everyone with an affected product to update as soon as possible if they have not already and put other mitigation strategies into place in the meantime. Users can also detect the exploitation of the previously disclosed vulnerabilities with Cisco Secure IPS.

The new vulnerabilities Microsoft disclosed today are identified as CVE-2021-28480, CVE-2021-28481, CVE-2021-28482 and CVE-2021-28483 — all of which are critical, and the highest of which has a CVSS severity score of 9.8 out of 10.

In all, this release contains 20 critical vulnerabilities and one rated "moderate." The rest are rated "important."

Twelve of the critical vulnerabilities exist in the remote procedure call runtime — all of which require no user interaction and could allow an attacker to execute remote code on the victim machine. For a full rundown of these CVEs, head to Microsoft’s security update page.

Vulnerability Spotlight: Multiple vulnerabilities in OpenClinic’s GA web portal



Yuri Kramarz of Cisco Talos discovered these vulnerabilities. Blog by Jon Munshaw.

Cisco Talos recently discovered multiple vulnerabilities in OpenClinic's GA web portal. OpenClinic GA is an open-source, fully integrated hospital management solution. The web portal allows users to manage administrative, financial, clinical, lab, X-ray and pharmacy data for health care facilities, and the software includes extensive statistical and reporting capabilities. OpenClinic GA contains several vulnerabilities that could allow an adversary to carry out a wide range of malicious actions, including injecting SQL code into the targeted server or elevating their privileges.

In accordance with our coordinated disclosure policy, Cisco Talos worked with OpenClinic to disclose these vulnerabilities and ensure that updates are available.

Monday, April 12, 2021

Recording: Analyzing Android Malware — From triage to reverse-engineering

It's easy to get wrapped up worrying about large-scale ransomware attacks on the threat landscape. These are the types of attacks that make headlines and strike fear into the hearts of CISOs everywhere. But if you want to defend against the truly prolific and widespread threats that target the devices closest to us, you need to be on the lookout for mobile malware.

Many actors are deploying malware that targets Android devices, most of which fit in our pockets. Attackers are always targeting Android, given that it is the most popular mobile operating system in the world.

If you want to stay up to date on the latest Android malware, you don't want to miss our latest webinar. You can watch the full recording of "Analyzing Android Malware — From triage to reverse-engineering" above or over on our YouTube page.

Friday, April 9, 2021

Threat Roundup for April 2 to April 9


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between April 2 and April 9. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Talos Takes Ep. #48: The complete history of ObliqueRAT

By Jon Munshaw.

The latest episode of Talos Takes is available now. Download this episode and subscribe to Talos Takes using the buttons below, or visit the Talos Takes page.

After researching and writing about ObliqueRAT for several months now, Asheer Malhotra joins Talos Takes for the first time to discuss this trojan. We’ve seen this malware evolve over the past year or so to add new evasion techniques and find ways to avoid email filters and usual antivirus protections. Asheer talks about his history researching this malware and provides some advice on how to avoid email spam and the other maldocs these actors try to spread.

Thursday, April 8, 2021

Threat Source Newsletter (April 8, 2021)

Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers.  

We've all heard about spam coming through your email or those robocalls we all hate. But during the COVID-19 pandemic, attackers are turning to chat rooms and gaming servers to spread spam. Talos researchers this week unveiled multiple malware campaigns spreading through platforms like Discord and Slack, which have become increasingly popular as more and more people work from home.

Beers with Talos is also back this week after going quiet for a few weeks. The show's back with a mailbag episode, where the guys answer your Twitter questions. And they don't waste any time getting to Craig's robot problems.

Wednesday, April 7, 2021

Beers with Talos Ep. #102: Twitter has questions for us


Beers with Talos (BWT) Podcast episode No. 102 is now available. Download this episode and subscribe to Beers with Talos:

If iTunes and Google Play aren't your thing, click here.

By Mitch Neff.

Recorded Feb. 23, 2021

We’ve been quiet for a minute, but we have a few new episodes in the bank now, starting with some of your questions from Twitter. And yes, one of the first questions concerns Craig and the robots. Do you have a question you’d like to ask us for the next listener questions episode? Send us a tweet (links below). Ask us anything security-related or something else entirely. It’s your question, I’m not going to tell you what to ask.

Sowing Discord: Reaping the benefits of collaboration app abuse

By Nick Biasini, Edmund Brumaghin, and Chris Neal with contributions from Paul Eubanks.

  • As telework has become the norm throughout the COVID-19 pandemic, attackers are modifying their tactics to take advantage of the changes to employee workflows.
  • Attackers are leveraging collaboration platforms, such as Discord and Slack, to stay under the radar and evade organizational defenses.
  • Collaboration platforms enable adversaries to conduct campaigns using legitimate infrastructure that may not be blocked in many network environments.
  • RATs, information stealers, internet-of-things malware and other threats are leveraging collaboration platforms for delivery, component retrieval and command and control communications.

Executive summary


Abuse of collaboration applications is not a new phenomenon and dates back to the early days of the internet. As new platforms and applications gain in popularity, attackers often develop ways to use them to achieve their mission objectives. Communications platforms like Telegram, Signal, WhatsApp and others have been abused over the past several years to spread malware, used for command and control communications, and otherwise leveraged for nefarious purposes.

As the COVID-19 pandemic spread across the globe in 2020, organizations made significant changes to their work routines across virtually every industry. One major shift was the move to remote working arrangements which coincided with increased reliance on new interactive communications platforms like Discord and Slack. While both of these platforms have existed for some time, recent changes to employee workflows have led to an increased reliance upon them for conducting business. In many cases, these platforms provide rich environments that can be used for communication and collaboration professionally and personally. As the pandemic continued, we observed several threat actors changing their tactics, techniques and procedures to compensate for these new enterprise workflows. We previously described how many threat actors began taking advantage of public interest in COVID-19 related information here and here. Over the past year, we have also observed a significant increase in the abuse of many of these collaboration platforms to facilitate malware attacks against various organizations. Attackers are looking to spread ransomware via these rooms and use the platforms to spread traditional malspam lures used to infect victims.
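Two of the posts on this page describe behaviours that show up in the same HTTP records: the Fajan campaigns' script-based RATs speak HTTP over a non-standard TCP port (T1571), and the campaigns described here fetch payloads from collaboration-platform file hosts that most networks never block. The following is an added example and not code from either Talos post: a small Python hunt that parses constructed Zeek http.log-style records and surfaces both patterns. The expected-port list, the file hosts (cdn.discordapp.com, media.discordapp.net, files.slack.com) and the risky extension and MIME lists are assumptions to tune for your environment.

```python
from dataclasses import dataclass
from posixpath import splitext

# Constructed sample, not from the Talos posts: one HTTP request per line in a
# Zeek http.log-like shape (orig_h, resp_h, resp_p, host, uri, method, mime).
SAMPLE_HTTP_LOG = """\
10.0.0.12\t203.0.113.7\t80\twww.example.com\t/index.html\tGET\ttext/html
10.0.0.12\t203.0.113.9\t4432\t203.0.113.9\t/vre\tPOST\ttext/plain
10.0.0.15\t198.51.100.4\t443\tcdn.discordapp.com\t/attachments/1/2/invoice.exe\tGET\tapplication/x-dosexec
10.0.0.15\t198.51.100.4\t443\tcdn.discordapp.com\t/attachments/1/3/logo.png\tGET\timage/png
10.0.0.20\t203.0.113.11\t8080\tproxy.example.net\t/status\tGET\tapplication/json
"""

# Ports on which HTTP is expected in this (assumed) environment; tune per site.
EXPECTED_HTTP_PORTS = {80, 443, 8080, 8443}

# Collaboration-platform file hosts (assumption: Discord attachments are served
# from cdn.discordapp.com / media.discordapp.net, Slack files from files.slack.com).
COLLAB_FILE_HOSTS = {"cdn.discordapp.com", "media.discordapp.net", "files.slack.com"}

# Extensions and MIME types that mean "code or archive", not "chat attachment".
RISKY_EXTENSIONS = {".exe", ".dll", ".js", ".vbs", ".ps1", ".hta", ".scr", ".zip", ".rar", ".iso"}
RISKY_MIME_TYPES = {
    "application/x-dosexec", "application/x-msdownload", "application/javascript",
    "application/zip", "application/x-rar-compressed",
}


@dataclass(frozen=True)
class HttpRecord:
    src: str
    dst: str
    dst_port: int
    host: str
    uri: str
    method: str
    mime: str


def parse_http_log(text: str) -> list[HttpRecord]:
    """Parse tab-separated records, skipping blank and comment lines."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        src, dst, port, host, uri, method, mime = line.split("\t")
        records.append(HttpRecord(src, dst, int(port), host, uri, method, mime))
    return records


def http_on_nonstandard_port(rec: HttpRecord) -> bool:
    """T1571: HTTP spoken on a port where this environment does not expect it.
    Every record in the log is already an HTTP transaction, so the port is the
    only thing to check here."""
    return rec.dst_port not in EXPECTED_HTTP_PORTS


def executable_from_collab_cdn(rec: HttpRecord) -> bool:
    """A code-like file fetched from a collaboration platform's file host."""
    if rec.host.lower() not in COLLAB_FILE_HOSTS:
        return False
    ext = splitext(rec.uri.split("?", 1)[0])[1].lower()  # drop any query string first
    return ext in RISKY_EXTENSIONS or rec.mime in RISKY_MIME_TYPES


RULES = {
    "http_nonstandard_port": http_on_nonstandard_port,
    "collab_cdn_executable": executable_from_collab_cdn,
}


def hunt(records: list[HttpRecord]) -> list[tuple[str, HttpRecord]]:
    """Return (rule name, record) pairs. Each hit is a lead to triage, not a verdict."""
    hits = []
    for rec in records:
        for name, rule in RULES.items():
            if rule(rec):
                hits.append((name, rec))
    return hits


if __name__ == "__main__":
    for name, rec in hunt(parse_http_log(SAMPLE_HTTP_LOG)):
        print(f"{name}: {rec.src} -> {rec.host}:{rec.dst_port}{rec.uri}")
```

On the constructed sample this flags the POST to a bare IP on port 4432 and the invoice.exe fetched from the Discord CDN, and stays quiet on the PNG attachment and on port 8080. As the roundups above note, a single hit is a starting point for a hunt, not proof of compromise: pair the port rule with the remainder of the session (a direct-to-IP Host header, beacon-like timing) and the CDN rule with what the endpoint did with the file before escalating.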

Friday, April 2, 2021

Threat Roundup for March 26 to April 2


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between March 26 and April 2. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Talos Takes Ep. #47: Looking back at the Masslogger trojan

By Jon Munshaw.

The latest episode of Talos Takes is available now. Download this episode and subscribe to Talos Takes using the buttons below, or visit the Talos Takes page.

We return to our usual formatting this week to discuss the Masslogger trojan. We covered this threat earlier this year in a full blog post, where we outlined how these adversaries were looking to steal users' login credentials to Microsoft Outlook and Google Chrome. Nick Biasini comes on to discuss the ins and outs of Masslogger, and why you shouldn't look past this threat despite it not making massive headlines.

Thursday, April 1, 2021

Threat Source Newsletter (April 1, 2021)

Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers.  

We hope you’re enjoying Cisco Live this week and only reading this after you’ve caught up on your sessions for the day. 

No April Fool's jokes here (thankfully). We are just excited to tell you that applications are now open for the Snort scholarship. Find out how to apply here and read the complete rules here.

And speaking of things that aren't funny, who likes to be tricked into downloading malware when they're just trying to turn on some Thomas the Train mods in "Skyrim?" We are tracking a malware campaign that hides inside video game cheat engines and other "mods." Our blog post includes a complete reverse-engineering of the cryptor used in this case that should be useful for all defenders.