Tuesday, August 31, 2021

Attracting flies with Honey(gain): Adversarial abuse of proxyware

By Edmund Brumaghin and Vitor Ventura.

  • With internet-sharing applications, or "proxyware," users download software that allows them to share a percentage of their bandwidth with other internet users for a fee, with the companies that created this software acting as a go-between.
  • As proxyware has grown in popularity, attackers have taken notice and are now attempting to exploit this interest to monetize their malware campaigns.
  • Malware is currently leveraging these platforms to monetize the internet bandwidth of victims, similar to how malicious cryptocurrency mining attempts to monetize the CPU cycles of infected systems.
  • In many cases, these applications are featured in multi-stage, multi-payload malware attacks that provide adversaries with multiple monetization methods.
  • Trojanized installers are some of the most common threats taking advantage of public interest in proxyware to infect victims.
  • These applications pose significant privacy and operational risks to organizations, as they may allow nefarious or abusive network traffic to appear as if it originates from corporate networks, resulting in reputational damage that may also lead to service disruption.

Friday, August 27, 2021

Threat Roundup for August 20 to August 27
Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Aug. 20 and Aug. 27. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Thursday, August 26, 2021

Talos Takes Ep. #65: How several RAT campaigns in Latin America are connected

By Jon Munshaw.

The latest episode of Talos Takes is available now. Download this episode and subscribe to Talos Takes using the buttons below, or visit the Talos Takes page.

As more people around the world start to get vaccinated against COVID-19, travel is becoming easier, especially during these summer months. But as much as you may be excited to travel, so are threat actors. Asheer Malhotra was part of a team that looked into a series of campaigns targeting users in Latin America, specifically using social engineering tactics centered around travel. Some of the lure documents, in this case, include fake travel itineraries, coupons for flights and hotel reservation confirmations. Asheer joins the show this week to discuss the throughline between all these attacks and their potential connections to the Aggah crimeware group.

Threat Source newsletter (Aug. 26, 2021)

Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers.  

We have RATs on RATs on RATs over the past few weeks. And last week, we found a few more heading to Latin America to target users and try to steal their login credentials.

The threat actor in this case has some compelling connections to the Aggah threat group we've written about in the past, but there doesn't appear to be any definitive link.

Friday, August 20, 2021

Threat Roundup for August 13 to August 20
Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Aug. 13 and Aug. 20. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Thursday, August 19, 2021

Threat Source newsletter (Aug. 19, 2021)

Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers.  

I'm writing this on Tuesday morning on account of vacation (again), so apologies if we miss any major stories. 

You certainly don't want to miss our latest blog post on the Neurevt remote access trojan that's targeting users in Mexico. This malware is mainly designed to steal login credentials to banking websites, and we don't really need to tell you why that would be bad.

Malicious Campaign Targets Latin America: The seller, The operator and a curious link
By Asheer Malhotra and Vitor Ventura, with contributions from Vanja Svajcer.

  • Cisco Talos has observed a new malware campaign delivering commodity RATs, including njRAT and AsyncRAT.
  • The campaign targets travel and hospitality organizations in Latin America.
  • Techniques utilized in this campaign bear a resemblance to those of the Aggah group, but the campaign is operated by a distinct threat actor based out of Brazil.
  • We've also discovered a builder/crypter known as "Crypter 3losh rat" used to generate various stages of the highly modularized infection chain used by the campaign operators.
  • We've also seen instances where the crypter author has operated their own malicious campaigns abusing archive[.]org.


What's new?

Cisco Talos recently observed a new set of campaigns targeting Latin American countries. These campaigns use a multitude of infection components to deliver two widely popular commodity malware families and remote access trojans (RATs): njRAT and AsyncRAT.

We also discovered a .NET-based infection chain builder/crypter binary used to generate the malicious infection artifacts used in recent campaigns, including the ones targeting Latin America. Such builders indicate the author's intent to bundle malware generation functionalities for easy distribution and use by operators, customers and affiliates.

We've also observed some resemblance to the tactics and techniques used by a known crimeware actor "Aggah," especially the final payload delivery stages. Aggah has traditionally utilized highly modular infection chains with a focus on hosting malicious payloads on public repositories such as Pastebin, Web Archive and Blogger.

How did it work?

The campaigns targeting Latin American countries consist of macro-enabled Office documents that act as the entry points into the infection. What follows is a modular chain of PowerShell and VB scripts, all working towards disabling anti-virus protection features such as AMSI and eventually delivering the RAT payloads.

We've also observed some Aggah campaigns using similar infection chains including scripts and similar commodity malware. However, unlike Aggah, the operators working the Latin American campaigns tend to use either compromised or attacker-controlled websites to host their components and payloads instead of using public hosting services such as Blogger, Pastebin and Web Archive.

The infection chains used in these campaigns are built using a .NET-based crypter called "3losh crypter rat" [sic]. This crypter has been actively advertised on social media by the authors and used to generate infection chains for campaigns operated by the crypter's authors themselves.

So what?

It is important for defenders to identify distinct adversaries and their tactics. The usage of crypters makes it difficult to do so, since completely unrelated actors can now generate identical infection chains for unrelated campaigns. Our research uncovers one such scenario, in which three distinct campaigns were identified using the 3losh crypter: the Latin American campaigns, the Aggah campaigns and those operated by the crypter authors.

All these campaigns, however, aim to distribute commodity RAT families. Commodity malware families are increasingly being used by both crimeware and APT groups to infect their targets. RATs in particular are extremely popular, since they provide their operators with a wide range of functionalities to take advantage of the infected systems. These functionalities can be used for malicious activities such as:

  • Performing preliminary reconnaissance to scope out victim networks and infrastructure.
  • Deploying more malware such as ransomware and wipers to disrupt enterprise operations.
  • Executing arbitrary commands.
  • Exfiltrating confidential and proprietary information from enterprises.
  • Stealing credentials, opening up more systems and services to unauthorized access.
Tuesday, August 17, 2021

Neurevt trojan takes aim at Mexican users

By Chetan Raghuprasad, with contributions from Vanja Svajcer.

News summary

What's new?

Although Neurevt has been around for a while, recent samples in Cisco Secure Endpoint show that the actors combined this trojan with backdoors and information stealers. This trojan appears to target Mexican organizations. Talos is tracking campaigns whose associated droppers embed URLs belonging to many major banks in Mexico.

Friday, August 13, 2021

Vulnerability Spotlight: Memory corruption vulnerability in Daemon Tools Pro

Piotr Bania of Cisco Talos discovered this vulnerability. Blog by Jon Munshaw. 

Cisco Talos recently discovered a memory corruption vulnerability in Disc Soft Ltd.'s Daemon Tools Pro. 

Daemon Tools Pro is a professional emulation software that works with disc images and virtual drives. It allows the user to mount ISO images on Windows systems.

TALOS-2021-1295 (CVE-2021-21832) can cause memory corruption in the application if the user opens an adversary-created ISO file that causes an integer overflow. This vulnerability exists in the way the application parses ISOs.

Threat Roundup for August 6 to August 13
Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Aug. 6 and Aug. 13. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Vulnerability Spotlight: Multiple integer overflow vulnerabilities in GPAC Project on Advanced Content

A Cisco Talos team member discovered these vulnerabilities. Blog by Jon Munshaw. 

Cisco Talos recently discovered multiple integer overflow vulnerabilities in the GPAC Project on Advanced Content that could lead to memory corruption.

The GPAC Project on Advanced Content is an open-source cross-platform library that implements the MPEG-4 system standard and provides tools for media playback, vector graphics, and 3-D rendering. The project comes with the MP4Box tool, which allows the user to encode or decode media containers in multiple supported formats.

TALOS-2021-1297 (CVE-2021-21834 - CVE-2021-21852), TALOS-2021-1298 (CVE-2021-21859 - CVE-2021-21862) and TALOS-2021-1299 (CVE-2021-21853 - CVE-2021-21858) could all allow an adversary to corrupt the memory of the application. An adversary could exploit these vulnerabilities by sending the target a specially crafted MPEG-4 input. This could cause an integer overflow due to unchecked addition arithmetic, eventually resulting in a heap-based buffer overflow that causes memory corruption.

Talos Takes Ep. #64: Back 2 Skool edition
By Jon Munshaw.

The latest episode of Talos Takes is available now. Download this episode and subscribe to Talos Takes using the buttons below, or visit the Talos Takes page.

There's no shortage of complications leading into this new school year. Students, parents, teachers and admins alike are adapting to the "new normal," and each county and state seems to have its own set of restrictions, challenges and plans to address those challenges.

This can be a cybersecurity nightmare for everyone involved. We hope we can provide a bit of help heading into the start of the new school year with this week's Talos Takes episode, where we talk about students bringing computers to and from school, the dangers of hybrid learning and the best steps for education networks' admins. 

We also address Talos' research into online homework scams and associated, follow-on malware. For more on that, check out our original post here and Forbes' recent article on our work here.

Thursday, August 12, 2021

Vice Society leverages PrintNightmare in ransomware attacks

By Edmund Brumaghin, Joe Marshall, and Arnaud Zobec.

Executive Summary
Another threat actor is actively exploiting the so-called PrintNightmare vulnerability (CVE-2021-1675 / CVE-2021-34527) in Windows' print spooler service to spread laterally across a victim's network as part of a recent ransomware attack, according to Cisco Talos Incident Response research. While previous research found that other threat actors had been exploiting this vulnerability, this appears to be new for the threat actor Vice Society.

Talos Incident Response's research demonstrates that multiple, distinct threat actors view this vulnerability as attractive to use during their attacks and may indicate that this vulnerability will continue to see more widespread adoption and incorporation by various adversaries moving forward. For defenders, it is important to understand the attack lifecycle leading up to the deployment of ransomware. If users have not already, they should download the latest patch for PrintNightmare from Microsoft.

In this post, we'll analyze the various TTPs used in a recent ransomware attack from Vice Society that leveraged this vulnerability. Many of these same TTPs are commonly observed in other ransomware attacks, such as a previously published analysis of a WastedLocker attack.

Threat Source newsletter (Aug. 12, 2021)
Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers.  

No, that's not Ratatouille. It's ServHelper, which is much more dangerous (albeit just as cute) than the cartoon chef. We have a new blog post out today detailing this RAT, run by the threat actor Group TA505, that is stealing credit card data and other sensitive information. We've been tracking this actor for a while now, and recently saw a huge spike in their activity. Find out what this means for your organization in our blog post and accompanying one-page overview.

Obviously, there are plenty more scary things to worry about on the threat landscape. And for that, there's the Talos Incident Response Quarterly Threat Report, where we run down the top TTPs, malware families and actors our incident responders are seeing in the wild.

As if all of that wasn't scary enough, you also need to make sure to update your Microsoft products as soon as possible after Patch Tuesday. Microsoft disclosed 44 vulnerabilities as part of its monthly security updates, two of which have a 9.8 severity score out of a possible 10.

Signed MSI files, Raccoon and Amadey are used for installing ServHelper RAT
By Vanja Svajcer.

News summary

  • Group TA505 has been active for at least seven years, making wide-ranging connections with other threat actors involved in ransomware, stealing credit card numbers and exfiltrating data. One of the common tools in TA505's arsenal is ServHelper. In mid-June, Cisco Talos detected an increase in ServHelper's activity. We investigated the activity and discovered a set of intertwined malware families and TTPs.
  • We found that ServHelper is being installed onto the targeted systems using several different mechanisms, ranging from fake installers for popular software to using other malware families such as Raccoon and Amadey as the installation proxies.
  • This threat demonstrates several techniques of the MITRE ATT&CK framework, most notably Scripting - T1064, PowerShell - T1059.001, Process Injection - T1055, Non-Standard Port - T1571, Remote Access Software - T1219, Input Capture - T1056, Obfuscated Files or Information - T1027, Ingress Tool Transfer - T1105, and Registry Run Keys/Startup Folder - T1547.001.

What's new?

Although ServHelper has existed since at least early 2019, we detected the use of other malware families to install it. The installation comes as a GoLang dropper, .NET dropper or PowerShell script. Its activity is generally linked to Group TA505, but we cannot be certain that they are the exclusive users of this RAT.

ServHelper will also sometimes install a module that includes either Monero or Ethereum cryptocurrency mining tools.
How did it work?

One path for infection starts with the compromise of a legitimate site that hosts cryptographically signed MSI installers. These install popular software such as Discord. However, they also launch a variant of the Raccoon stealer, which downloads and installs a ServHelper RAT if instructed by the command and control (C2) server.

Attackers also deploy the ServHelper RAT with a variant of the Amadey malware which gets a full command line from the server to install an initial PowerShell downloader component for ServHelper.

ServHelper includes the functionality to remotely control the infected system, log keystrokes, exfiltrate users' confidential data, launch RDP sessions, install cryptomining software and install the NetSupport remote access tool.
So what?

Although many threat actors, such as TA505 or its associated groups — to which we attribute these campaigns with moderate confidence — have been affected by the arrests of several CLOP members in Ukraine, they continued to operate using a different set of tools. These attacks are geared toward taking control over the infected systems and stealing confidential data which the group will likely leverage for financial gain later on.

Users need to make sure they install software only from trusted sources. Even if installers are signed with a valid certificate, that does not mean that the functionality is legitimate.
Wednesday, August 11, 2021

Talos Incident Response quarterly threat report — The top malware families and TTPs used in Q2 2021
By David Liebenberg and Caitlin Huey. 

Last quarter, ransomware was not the most dominant threat for the first time since we began compiling these reports. We theorized that this was due to a huge uptick in Microsoft Exchange exploitation, which temporarily became a primary focus for Cisco Talos Incident Response (CTIR). We believed that ransomware would soon return to its position as the most observed threat. This proved correct, as ransomware cases exploded this quarter, comprising nearly half of all incidents, underscoring that it remains one of the top threats targeting enterprises.   

Although ransomware was the top threat, there were very few observations of commodity trojan use this quarter. Ransomware actors continued to use commercial tools such as Cobalt Strike, open-source tools such as Rubeus, and tools native to the victim’s machine (living-off-the-land binaries, aka “LoLBINs”) such as PowerShell.

Tuesday, August 10, 2021

Microsoft Patch Tuesday for August 2021 — Snort rules and prominent vulnerabilities
By Jon Munshaw, with contributions from Martin Lee. 

Microsoft released its monthly security update Tuesday, disclosing 44 vulnerabilities in the company’s firmware and software. This is the fewest vulnerabilities Microsoft has patched in a month in more than two years.

There are only nine critical vulnerabilities included in this release, and the remainder are rated “important.”

The most serious of the issues is CVE-2021-26424, a remote code execution vulnerability in the Windows TCP/IP protocol implementation. An attacker could remotely trigger this vulnerability from a Hyper-V guest by sending a specially crafted TCP/IP packet to a host utilizing the TCP/IP protocol stack. This raises the possibility of a malicious program running in a virtual machine compromising the host environment.

Other products included in this month’s Patch Tuesday include the Windows Graphic Component, print spooler and Microsoft Office. For a full rundown of these CVEs, head to Microsoft’s security update page.

Vulnerability Spotlight: Multiple vulnerabilities in AT&T Labs’ Xmill utility
Carl Hurd of Cisco Talos discovered these vulnerabilities. Blog by Jon Munshaw. 

Cisco Talos recently discovered multiple vulnerabilities in AT&T Labs’ Xmill utility. An attacker could take advantage of these issues to carry out a variety of malicious actions, including corrupting the application’s memory and gaining the ability to execute remote code. 

Xmill and Xdemill are utilities that are purpose-built for XML compression and decompression, respectively. These utilities claim to be roughly two times more efficient at compressing XML than other compression methods. As of publishing, AT&T Labs is no longer supporting this software and, therefore, will not be issuing any patches. The software, released in 1999, can still be found in modern software suites, such as Schneider Electric's EcoStruxure Control Expert.

Vulnerability Spotlight: Code execution vulnerability in Mozilla Firefox
Marcin “Icewall” Noga of Cisco Talos discovered this vulnerability. Blog by Jon Munshaw. 

Cisco Talos recently discovered a use-after-free vulnerability in Mozilla Firefox that could lead to code execution. 

Firefox is a widely used web browser available on many operating systems. This specific vulnerability exists in the software’s nsBufferedStream component, which is part of the Stream buffering functionality. 

TALOS-2021-1345 (CVE-2021-29985) can be triggered if an attacker tricks a user into visiting a specially crafted, malicious web page. This could cause a race condition, which can lead to a use-after-free and potential remote code execution.

Friday, August 6, 2021

Talos Takes Ep. #63: Shield your eyes from the Solarmarker

By Jon Munshaw.

The latest episode of Talos Takes is available now. Download this episode and subscribe to Talos Takes using the buttons below, or visit the Talos Takes page.

Andrew Windsor has been following the Solarmarker threat for months. But it really started to catch his eye when he spotted a surge in credential-harvesting activity.

Andrew recently wrote about the new modules this threat is adding as part of a blog post. And this week, he joins Talos Takes to dive further into his research on this threat and break down each of the new modules and explain why they're dangerous to users. He discusses how this threat has been able to fly under the radar while still ramping up its activities.

Threat Roundup for July 30 to August 6
Today, Talos is publishing a glimpse into the most prevalent threats we've observed between July 30 and Aug. 6. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Thursday, August 5, 2021

Threat Source newsletter (Aug. 5, 2021)
Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers.  

We hope everyone is enjoying BlackHat and/or DEFCON this week, regardless of whether you're attending virtually or in person. In case you missed any of our talks from BlackHat, you can check them out here, along with some other Cisco Secure offerings.

And if you didn't hear enough of our voices after that, there's a new Beers with Talos episode out this week. The guys got together for a retrospective on the Kaseya supply chain incident and follow-on ransomware attacks.

Wednesday, August 4, 2021

Beers with Talos, Ep. #108: Kaseya it ain't so
Beers with Talos (BWT) Podcast episode No. 108 is now available. Download this episode and subscribe to Beers with Talos:

If iTunes and Google Play aren't your thing, click here.

Who needed a summer vacation anyway? The whole Beers with Talos family was trying to take some time off or just go fishing for a few hours, but the bad guys have had other ideas. In the latest episode, we're dissecting the Kaseya incident and associated ransomware campaigns.

We give some unsolicited advice to Kaseya's leadership, discuss best patching practices and cover other lessons learned from this event.

Also, we have an exciting announcement: Cisco is letting us take over their Twitter account! Join the BWT guys live tomorrow, Thursday, Aug. 5, as they recap some of the year's top threats and respond to your hottest security takes. There may or may not be an episode No. 109 after this – who can say?

Vulnerability Spotlight: Use-after-free vulnerability in tinyobjloader
Lilith >_> of Cisco Talos discovered this vulnerability. Blog by Jon Munshaw.

Cisco Talos recently discovered that a specific function of tinyobjloader does not properly validate array indexes. An adversary could trick a user into opening a specially crafted file, causing an index out-of-bounds condition, potentially leading to code execution. Tinyobjloader is an open-source .obj loader designed to be embedded into graphics-rendering projects.

In accordance with our coordinated disclosure policy, Cisco Talos worked with tinyobjloader to ensure that this issue is resolved and that an update is available for affected customers.

Tuesday, August 3, 2021

Updates to the Cisco Talos Email Status Portal

Cisco Talos is rolling out several changes to the Email Status Portal that add new features and make the Portal even easier to use.

The Talos Email Status Portal allows users to view mail samples submitted and their statuses, analyze graphical displays of submission metrics, administer domains and user access and generate reports of this data.