Friday, July 23, 2021

Threat Roundup for July 16 to July 23

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between July 16 and July 23. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Talos Takes Ep: #62: Don't sleep on business email compromise

By Jon Munshaw.

The latest episode of Talos Takes is available now. Download this episode and subscribe to Talos Takes using the buttons below, or visit the Talos Takes page.

Business email compromise may seem like last decade’s threat, but it’s still just as prevalent as ever. A recent FBI report found that it cost users more than $1 billion in 2020, and attackers are now capitalizing on everything from PlayStation 5 sales to the COVID-19 pandemic to keep scamming people. On this week’s Talos Takes, Nick Biasini recaps his recent research into BEC and discusses some of the reasons this threat may never go away (hint: users).

Thursday, July 22, 2021

Threat Source newsletter (July 22, 2021)

Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers.  

I'm compiling this Tuesday for vacation reasons, so apologies for any major stories I'm missing here.

This week's Beers with Talos podcast hits the seas again. And although we've covered sea shanties in the past, this week we're covering the bad guys trying to disrupt those glorious songs of old. 

The guys talk about privateer groups in this episode, a new type of threat actor classification that we believe the security community needs in order to better discuss the intricacies of state-sponsored threat actors.

Security implications of misconfigurations

By Jaeson Schultz.

When defenders regularly monitor their organization's Domain Name System (DNS) queries, they can often snuff out potential attacks before they happen. At the very least, it's important to identify and fix configuration mistakes that could lead to nasty security breaches.

Most DNS queries in a network are created automatically by a user's applications. For example, when someone types "talosintelligence.com" into a web browser, the browser triggers a DNS query intended to map the friendly domain name to an internet IP address. DNS queries might fail to find an IP corresponding to a domain name for a variety of reasons — perhaps the user mistyped the domain name. However, when DNS lookup failures occur at regular intervals, or in large numbers, the cause may be a misconfiguration somewhere. These misconfigurations can leave a security flaw in an organization's network, opening it up to typo-squatting attacks or potential impersonation in phishing campaigns.

Cisco Talos regularly monitors networks and domain names that may have once formed a part of attacker infrastructure, or perhaps are victims currently targeted by attackers. This sometimes involves monitoring passive DNS and finding domain names that receive substantial internet traffic, despite the fact that the domain name is unregistered, and for all intents and purposes, does not exist.
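To make the "regular intervals, or in large numbers" heuristic concrete, here is an added example (not code from the Talos post) that scans resolver log lines for names that repeatedly return NXDOMAIN and checks whether the failures arrive on a fixed cadence, which points at an automated client with a misconfigured hostname rather than a human typo. The log format, the `.example` hostnames and the thresholds are all constructed assumptions.

```python
"""Flag repeated DNS lookup failures that suggest a misconfiguration.

Added example, not from the Talos post. Assumes a constructed log
format: "<epoch> <client_ip> <qname> <rcode>", one query per line.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample: one host retrying a misspelled internal name every
# 60 seconds, plus one-off user typos that should not be flagged.
SAMPLE_LOG = """\
1626480000 10.0.0.5 mailsrv.corp.exmaple NXDOMAIN
1626480060 10.0.0.5 mailsrv.corp.exmaple NXDOMAIN
1626480120 10.0.0.5 mailsrv.corp.exmaple NXDOMAIN
1626480180 10.0.0.5 mailsrv.corp.exmaple NXDOMAIN
1626480240 10.0.0.5 mailsrv.corp.exmaple NXDOMAIN
1626480005 10.0.0.7 talosintelligence.com NOERROR
1626480011 10.0.0.9 intranet.corp.exampel NXDOMAIN
1626481900 10.0.0.12 printer.corp.exmple NXDOMAIN
"""


def parse_log(text):
    """Parse log lines into (timestamp, client, qname, rcode) tuples."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines instead of aborting the scan
        ts, client, qname, rcode = parts
        records.append((int(ts), client, qname.lower().rstrip("."), rcode))
    return records


def find_suspect_names(records, min_failures=3, max_jitter=0.25):
    """Return {qname: info} for names that failed at least min_failures times.

    'periodic' is True when the gaps between failures are nearly constant
    (relative standard deviation <= max_jitter), the signature of a scheduled
    job or service pointed at a hostname that does not exist.
    """
    failures = defaultdict(list)  # qname -> [(ts, client), ...]
    for ts, client, qname, rcode in records:
        if rcode == "NXDOMAIN":
            failures[qname].append((ts, client))

    suspects = {}
    for qname, hits in failures.items():
        if len(hits) < min_failures:
            continue
        times = sorted(ts for ts, _ in hits)
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        periodic = (len(gaps) >= 2 and mean(gaps) > 0
                    and pstdev(gaps) / mean(gaps) <= max_jitter)
        suspects[qname] = {
            "failures": len(hits),
            "clients": sorted({client for _, client in hits}),
            "periodic": periodic,
        }
    return suspects


if __name__ == "__main__":
    for name, info in find_suspect_names(parse_log(SAMPLE_LOG)).items():
        print(name, info)
```

Names that are flagged as periodic deserve a look at the client host's configuration; names with many failures from many clients are candidates for the unregistered-domain check the post describes, since anyone who registers them inherits that traffic.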

Tuesday, July 20, 2021

Beers with Talos, Ep. #107: Sailing the high seas in search of privateer groups

Beers with Talos (BWT) Podcast episode No. 107 is now available. Download this episode and subscribe to Beers with Talos:


If iTunes and Google Play aren't your thing, click here.

You're not going to believe this, but everyone actually agreed on something in this episode. And no, it's not regarding the best flavor of beef jerky. In this episode, we discuss a new category of threat actors that we're choosing to call "privateers." The guys discuss why this classification is much needed in the security community, the previous research on this topic, and the ways private security firms can partner with public intelligence agencies to protect against this type of threat.

Friday, July 16, 2021

Threat Roundup for July 9 to July 16

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between July 9 and July 16. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Talos Takes Ep: #61: SideCopy sounds so familiar, but I just can't put my finger on it...

By Jon Munshaw.

The latest episode of Talos Takes is available now. Download this episode and subscribe to Talos Takes using the buttons below, or visit the Talos Takes page.

Asheer Malhotra of Talos Outreach has spent the past few months tracking APTs all along the same line. APT 36, aka Transparent Tribe, was recently discovered adding new tools to attack Windows machines. Another, similar group called "Sidewinder," also went after targets on the Indian subcontinent.

Now, he's following the SideCopy APT, which takes the best of both worlds and borrows heavily from Transparent Tribe and Sidewinder. Asheer joins Talos Takes this week to discuss his research into SideWinder and break down the recent research paper he co-authored on the group.

We discuss SideCopy's "borrowing" of other groups' tactics, techniques and procedures (TTPs) and the active development of several trojans they use.

Thursday, July 15, 2021

Vulnerability Spotlight: Multiple vulnerabilities in D-LINK DIR-3040

Dave McDaniel discovered these vulnerabilities. Blog by Jon Munshaw. 

Cisco Talos recently discovered multiple vulnerabilities in the D-LINK DIR-3040 wireless router. 

The DIR-3040 is an AC3000-based wireless internet router. These vulnerabilities could allow an attacker to carry out a variety of malicious actions, including exposing sensitive information, causing a denial of service and gaining the ability to execute arbitrary code.  

Threat Source newsletter (July 15, 2021)

Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers.  

The value of cryptocurrency is all over the place. Elon Musk's tweets can send Dogecoin rising and falling. And Monero, the most popular currency for cryptominers, has gone all over the place this year. So does that have any effect on the rate of attackers deploying miners?

We looked at Talos telemetry and virtual currency value to find out.

Also, if you haven't already, be sure to update your Microsoft products. The company disclosed three vulnerabilities this month that attackers are exploiting in the wild (four if you count PrintNightmare from earlier this month).

Vulnerability Spotlight: Multiple vulnerabilities in Advantech R-SeeNet

The Talos vulnerability research team discovered these vulnerabilities. Blog by Jon Munshaw. 

Cisco Talos recently discovered multiple vulnerabilities in the Advantech R-SeeNet monitoring software. 

R-SeeNet is the software system used for monitoring Advantech routers. It continuously collects information from individual routers in the network and records the data into a SQL database. The vulnerabilities Talos discovered exist in various scripts inside of R-SeeNet's web applications. 

TALOS-2021-1270 (CVE-2021-21799), TALOS-2021-1271 (CVE-2021-21800) and TALOS-2021-1272 (CVE-2021-21801 - CVE-2021-21803) are all vulnerabilities that could allow an attacker to execute arbitrary JavaScript code in the context of the targeted user's browser. An adversary could exploit any of these vulnerabilities by sending the target a malicious URL and tricking the user into opening it.

Wednesday, July 14, 2021

Following the Money: Comparing cryptocurrency value to illicit mining activity

By Nick Biasini

In the age of meme stocks, Robinhood and Elon Musk's tweets influencing the global economy, cryptocurrency mining has not seemed as fringe as it once did. Mining has been around as long as these cryptocurrencies have, but only really started to gather the attention of criminals in late 2017. At the time, cryptocurrency value was surging, hitting previously unattainable values. At a time when the pre-big game hunting version of ransomware was starting to wane, malicious cryptomining was there to take up the slack, but researchers wondered if it had staying power.

The value of cryptocurrencies is extremely volatile. Bitcoin, the pseudo godfather of cryptocurrencies, experienced a 30 percent drop in its value over the course of 24 hours in May. But it also hit an all-time high value a month prior. Online adversaries are always looking for ways to make money, and cryptocurrency miners are one of the quickest ways attackers can infect a targeted machine and sap users' computing power to mine for these virtual currencies to generate income.

So this led us to wonder: Does the volatility of cryptocurrencies influence the volume of cryptocurrency miners in the wild? It stands to reason that the more a cryptocurrency is worth, the more likely an attacker would be to want to mine for it. As we've seen the value of these currencies skyrocket recently, we began to dig into the data.

The biggest facilitator of this research is the value of the currencies themselves. With more traditional payloads like RATs or banking trojans, it's tough to assign a monetary value to the payload, as a lot depends on the victim and the attacker's capabilities. Illicit cryptomining is one of the few payloads where the monetary gain is directly tied to tangible value. With this in mind, we set out to see whether the value of virtual coins changes actors' behavior.

Tuesday, July 13, 2021

Microsoft Patch Tuesday for July 2021 — Snort rules and prominent vulnerabilities

By Jon Munshaw, with contributions from Jaeson Schultz. 

Microsoft released its monthly security update Tuesday, disclosing 117 vulnerabilities across its suite of products, by far the most in a month this year. Today’s Patch Tuesday includes three vulnerabilities that Microsoft states are being exploited in the wild, which we will cover in more detail. 

Microsoft patched 13 critical vulnerabilities this month, along with one low-severity and one moderate-severity vulnerability. The remainder are considered “important.”

Most notably, Microsoft has released an update to patch the “PrintNightmare” vulnerability in its print spooler function that could allow an attacker to execute remote code. This vulnerability was first disclosed in April, though security researchers later discovered it could be exploited in a more serious way than initially thought.

Friday, July 9, 2021

Threat Roundup for July 2 to July 9

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between July 2 and July 9. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Talos Takes Ep. #60: Everything you need to know about the Kaseya situation

By Jon Munshaw.

The latest episode of Talos Takes is available now. Download this episode and subscribe to Talos Takes using the buttons below, or visit the Talos Takes page.

In this special "XL edition" of Talos Takes, we're bringing you the audio version of our live stream this week discussing the Kaseya supply chain attack. Nick Biasini from Talos Outreach went live with Hazel Burton, a Cisco product marketing manager, to discuss what transpired over the long Fourth of July weekend. 

Nick discussed the Kaseya exploit leveraged in this campaign, plus the follow-on ransomware attacks. This is the best place to get the tl;dr on what happened, what you need to be doing now, and what Cisco Secure solutions can keep you protected.

Thursday, July 8, 2021

PrintNightmare: Here’s what you need to know and Talos’ coverage

Over the past several weeks, there's been a lot of discussion about a particular privilege escalation vulnerability in Windows affecting the print spooler, dubbed PrintNightmare. The vulnerability (CVE-2021-1675/CVE-2021-34527) has now been patched multiple times but is believed to still be exploitable.

The vulnerability itself is a privilege escalation bug found in the print spooler service on Windows platforms. It was believed to allow authenticated users to achieve escalated privileges, including admin rights. The vulnerability's severity was complicated by the fact that, if triggered, the vulnerability could affect domain controllers in enterprise networks. To make matters worse, this privilege escalation vulnerability can be used to achieve remote code execution. This can be done by using the print spooler to load drivers which, until the most recent patch, included both signed and unsigned drivers.

The most recent patch released by Microsoft included some additional protections. These protections include restricting the ability of non-administrative users to install unsigned drivers using the print spooler. Going forward, any attempt to install an unsigned driver will require administrative credentials. Administrators are encouraged to install the patch, despite it being incomplete, to ensure they have as much protection as possible and can implement the mitigations described above.

Threat Source newsletter (July 8, 2021)

Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers.  

Just like everyone else in the security world, our week's been dominated by the Kaseya supply chain attack. We went live on pretty much every social media platform we could think of yesterday to update everyone on the current situation and provide some recommendations for how users can stay protected.

You can also stay up to date on all of our coverage around this attack, and associated ransomware campaigns, by reading our blog post, which we will update as more information becomes available.

Wednesday, July 7, 2021

Vulnerability Spotlight: Information disclosure, privilege escalation vulnerabilities in IOBit Advanced SystemCare Ultimate

Cory Duplantis of Cisco Talos discovered this vulnerability. Blog by Jon Munshaw. 

Cisco Talos recently discovered multiple vulnerabilities in IOBit Advanced SystemCare Ultimate. 

IOBit Advanced SystemCare Ultimate is a system optimizer that promises to remove unwanted files and applications from PCs to improve performance. The software allows users to view services running on their computer, processes that are using a large amount of memory and updates for other software. These vulnerabilities all exist in a monitoring driver in the software.

InSideCopy: How this APT continues to evolve its arsenal

By Asheer Malhotra and Justin Thattil.

  • Cisco Talos is tracking an increase in SideCopy's activities targeting government personnel in India using themes and tactics similar to APT36 (aka Mythic Leopard and Transparent Tribe).
  • SideCopy is an APT group that mimics the Sidewinder APT's infection chains to deliver its own set of malware.
  • We've discovered multiple infection chains delivering bespoke and commodity remote access trojans (RATs) such as CetaRAT, Allakore and njRAT.
  • Apart from the three known malware families utilized by SideCopy, Talos also discovered the usage of four new custom RAT families and two other commodity RATs known as "Lilith" and "Epicenter."
  • Post-infection activities by SideCopy consist of deploying a variety of plugins, ranging from file enumerators to credential-stealers and keyloggers.
  • Talos is releasing a new, detailed paper on SideCopy's operations today, which you can read here.

What's new?

Cisco Talos has observed an expansion in the activity of SideCopy malware campaigns, targeting entities in India. In the past, the attackers have used malicious LNK files and documents to distribute their staple C#-based RAT. We are calling this malware "CetaRAT." SideCopy also relies heavily on the use of Allakore RAT, a publicly available Delphi-based RAT.

Recent activity from the group, however, signals a boost in their development operations. Talos has discovered multiple new RAT families and plugins currently used in SideCopy infection chains.

Targeting tactics and themes observed in SideCopy campaigns indicate a high degree of similarity to the Transparent Tribe APT (aka APT36), which also targets India. These include decoys posing as operational documents belonging to the military and think tanks, as well as honeytrap-based infections.

How did it work?

SideCopy's infection chains have remained relatively consistent with minor variations — using malicious LNK files as entry points, followed by a convoluted infection chain involving multiple HTAs and loader DLLs to deliver the final payloads.

Talos also discovered the usage of other new RATs and plugins. These include DetaRAT, ReverseRAT, MargulasRAT and ActionRAT. We've also discovered the use of commodity RATs such as njRAT, Lilith and Epicenter by this group since as early as 2019.

Successful infection of a victim results in the installation of independent plugins to serve specific purposes such as file enumeration, browser password stealing and keylogging.

So what?

These campaigns provide insights into the adversary's operations:

  • Their preliminary infection chains involve delivering their staple RATs.
  • Successful infection of a victim leads to the introduction of a variety of modular plugins.
  • The development of new RATs indicates that this group of attackers has been rapidly evolving its malware arsenal and post-infection tools since 2019.
  • The group's current infrastructure setup indicates a special interest in victims in Pakistan and India.

Friday, July 2, 2021

REvil ransomware actors attack Kaseya in supply chain attack

Updated on July 6, 2021:

As analysis of the ransomware attack affecting organizations using Kaseya VSA has continued, we are sharing an update containing additional information. As new details are identified, this information may be updated as needed. 

  • This event consisted of two separate, but related incidents. The initial compromise was the result of a zero-day attack against MSSPs that enabled adversaries to conduct a service supply chain attack on additional victims.
  • The initial compromise of Kaseya VSA servers appears to have been the result of the successful exploitation of an unpatched software vulnerability (CVE-2021-30116) which allowed attackers to obtain privileged access to vulnerable Kaseya VSA servers for the purposes of ransomware deployment. 
  • Ransom demands varied across victim organizations. This indicates that once attackers obtained access to VSA servers, the server configuration was analyzed to identify victims prior to the activation of malicious ransomware payloads.
  • The absence of data exfiltration activity, deletion of shadow copies on infected systems, and the advertisement of a campaign-wide decryption key is a notable divergence from the TTPs typically observed during REvil ransomware attacks.
  • The REvil ransomware samples identified as being associated with this attack were configured to disable communication with C2 infrastructure that is normally used to send encryption information and statistics.
  • During the infection process, the current system time is compared to July 2, 2021 at 12:30 ET. At this time, the ping function is executed, which causes a delay between the initial infection and when additional malicious activity may be detected on systems.

Threat Roundup for June 25 to July 2

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between June 25 and July 2. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Talos Takes Ep. #59: How to secure the devices that secure your home network

By Jon Munshaw.

As consumers start having more “smart” devices connected to their home network, they may want an easy solution to keeping those devices safe. But what if that device gets owned?

Carl Hurd of our vulnerability research team recently discovered several vulnerabilities in Trend Micro’s Home Network Security Station. He joins the show for the first time to talk about his research, the pros and cons of these all-in-one home network security devices, and how an attacker could exploit these issues to spy on your devices.

We hope this discussion spurs users to think about protecting the devices that are meant to protect their other devices, and the trade-offs of privacy when you deploy these devices on your network.

Thursday, July 1, 2021

Threat Source newsletter (July 1, 2021)


Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers.  

There's been a lot of talk recently around how to address America's infrastructure cybersecurity. After attacks like those on Colonial Pipeline and JBS, everyone across the public and private sectors is wondering what they should be doing to avoid becoming the next major ransomware victim that disrupts their given industry.

While we don't have all the answers, our critical infrastructure experts recently suggested what some security partnerships could look like in the U.S. One of the authors of that post, Joe Marshall, joined the Talos Takes podcast last week with yours truly to discuss CI security and how operational technology can so often intersect with information technology.