Newsletter compiled by Jon Munshaw.
Thursday, September 30, 2021
Threat Source newsletter (Sept. 30, 2021)
A wolf in sheep's clothing: Actors spread malware by leveraging trust in Amnesty International and fear of Pegasus
By Vitor Ventura and Arnaud Zobec.
Threat actors are impersonating the group Amnesty International and promising to protect against the Pegasus spyware as part of a scheme to deliver malware.
Amnesty International recently made international headlines when it released a groundbreaking report on the widespread use of Pegasus to target international journalists and activists.
Adversaries have set up a phony website that looks like Amnesty International's — a human rights-focused non-governmental organization — and points to a promised anti-virus tool to protect against the NSO Group's Pegasus tool. However, the download actually installs the little-known Sarwent malware.
Sarwent contains the usual abilities of a remote access tool (RAT) — mainly serving as a backdoor on the victim machine — and can also activate the remote desktop protocol on the victim machine, potentially allowing the adversary to access the desktop directly. We believe this campaign has the potential to infect many users given the recent spotlight on the Pegasus spyware. In addition to Amnesty International's report, Apple also had to recently release a security update for iOS that patched a vulnerability attackers were exploiting to install Pegasus. Many users may be searching for protection against this threat at this time.
The malicious software being deployed is not a standard information stealer that, once executed, steals credentials and exfiltrates them immediately. In this case, Sarwent has a look and feel that could easily be recognized as a regular anti-virus program. It provides the attacker with the means to upload and execute any other malicious tools. Likewise, it can exfiltrate any kind of data from the victim's computer.
The campaign targets people who might be concerned that they are targeted by the Pegasus spyware. This targeting raises issues of possible state involvement, but there is insufficient information available to Talos to make any determination on which state or nation. It is possible that this is simply a financially motivated actor looking to leverage headlines to gain new access.
Friday, September 24, 2021
Threat Roundup for September 17 to September 24
Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Sept. 17 and Sept. 24. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.
As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.
Talos Takes Ep. #69: Our armadillo in shining armor
By Jon Munshaw.
The latest episode of Talos Takes is available now. Download this episode and subscribe to Talos Takes using the buttons below, or visit the Talos Takes page.
We also preach the importance of multi-factor authentication. But what happens when the bad guys start going after those apps?
Asheer Maholtra and his colleagues have recently been tracking Operation: Armor Piercer, a new campaign targeted at military contractors and government agencies on the Indian subcontinent. The campaigns are themed around trying to pretend like the lure documents are associated with a popular MFA app used in the region.
Asheer joins Talos Takes this week to discuss this campaign and provide some advice to MFA users to make sure they're accessing the right apps, notifications and messages. He also discusses the similarities Armor Piercer has to other threat actors in the region like SideCopy and Transparent Tribe.
Thursday, September 23, 2021
Threat Source newsletter (Sept. 23, 2021)
Newsletter compiled by Jon Munshaw.
Vulnerability Spotlight: Information disclosure vulnerability in D-LINK DIR-3040 mesh router
Dave McDaniel of Cisco Talos discovered this vulnerability. Blog by Jon Munshaw.
Cisco Talos recently discovered an exploitable information disclosure vulnerability in the D-LINK DIR-3040 smart WiFi mesh router that could allow an adversary to eventually turn off the device or remove other connected devices from the mesh network.
The DIR-3040 is an AC3000-based wireless internet router that creates a mesh network for the user, allowing them to connect multiple devices in their environment, oftentimes at home.
Operation “Armor Piercer:” Targeted attacks in the Indian subcontinent using commercial RATs

- Cisco Talos is tracking a campaign targeting government personnel in India using themes and tactics similar to APT36 (aka Mythic Leopard and Transparent Tribe).
- This campaign distributes malicious documents and archives to deliver the Netwire and Warzone (AveMaria) RATs.
- The lures used in this campaign are predominantly themed around operational documents and guides such as those pertaining to the "Kavach" (hindi for "armor") two-factor authentication (2FA) application operated by India's National Informatics Centre (NIC).
- This campaign utilizes compromised websites and fake domains to host malicious payloads, another tactic similar to Transparent Tribe.
What's new?
Apart from artifacts involved in the infection chains, we've also discovered the use of server-side scripts to carry out operational tasks such as sending out malicious emails and maintaining presence on compromised sites via web shells. This provides additional insight into the attacker's operational TTPs.
Some of these lures and tactics utilized by the attackers bear a strong resemblance to the Transparent Tribe and SideCopy APT groups, including the use of compromised websites and fake domains.
How did it work?
So what?
Tuesday, September 21, 2021
TinyTurla - Turla deploys new malware to keep a secret backdoor on victim machines
News summary
- Cisco Talos recently discovered a new backdoor used by the Russian Turla APT group.
- We have seen infections in the U.S., Germany and, more recently, in Afghanistan.
- It is likely used as a stealth second-chance backdoor to keep access to infected devices
- It can be used to download, upload and/or execute files.
-
The backdoor code is quite simple but is efficient enough that it will usually fly under the radar.
What's new?
Friday, September 17, 2021
Threat Roundup for September 10 to September 17
Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Sept. 10 and Sept. 17. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.
As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.
Talos Takes Ep. #68: The various pivots and pitfalls in a malware investigation
By Jon Munshaw.
The latest episode of Talos Takes is available now. Download this episode and subscribe to Talos Takes using the buttons below, or visit the Talos Takes page.
On this week's episode, Vitor Ventura from our research team walks through his recent work on connecting several malware campaigns leveraging the aviation industry. These attacks commonly use lure documents that pertain to fake flight itineraries, bills and more, and could possibly be targeting airlines themselves.
This is a perfect example of the various pitfalls, pivots and waves that come as part of a malware investigation, so we felt it was a great time to have Vitor on. He discusses what he learned about the threat actor in this case, what threw him off, and what he can learn for the next time he goes to look into a threat actor.
Thursday, September 16, 2021
Threat Source newsletter (Sept. 16, 2021)
Newsletter compiled by Jon Munshaw.
Operation Layover: How we tracked an attack on the aviation industry to five years of compromise
- Cisco Talos linked the recent aviation targeting campaigns to an actor who has been targeting the aviation industry for two years.
- The same actor has been running successful malware campaigns for more than five years.
- Although always using commodity malware, the acquisition of crypters to wrap the malware makes them more effective.
- This shows that a small operation can run for years under the radar, while still causing serious problems for its targets.
Summary
Cisco Talos and other security researchers have recently reported on a series of malicious campaigns targeting the aviation industry. These reports mainly center around the crypter that hides the usage of commodity malicious remote access tools.
We decided this would be a good starting point to demonstrate how a researcher can pivot from the initial discovery of a RAT and eventually profile a threat actor. This post will show how we discovered previous campaigns targeting the aviation industry, which links back to an actor that's been active for approximately six years.
We believe the actor is based out of Nigeria with a high degree of confidence and doesn't seem to be technically sophisticated, using off-the-shelf malware since the beginning of its activities without developing its own malware. The actor also buys the crypters that allow the usage of such malware without being detected, throughout the years it has used several different cryptors, mostly bought on online forums.
We also believe with a high degree of confidence that the actor has been active for at least five years. For the last two, they've been targeting the aviation industry, while conducting other campaigns at the same time. Pivoting from an initial discovery is not an exact science — in this process, a researcher must assert a certain level of confidence in these associations.
In this post, we will show how our research uncovered information about the attackers spreading AsyncRAT and njRAT using specific lure documents centered around the aviation industry. If infected with these threats, organizations could fall victim to data theft, financial fraud or future cyber attacks with much worse consequences.
In the end, our research shows that actors that perform smaller attacks can keep doing them for a long period of time under the radar. However, their activities can lead to major incidents at large organizations. These are the actors that feed the underground market of credentials and cookies, which can then be used by larger groups on activities like "big game hunting."
Tuesday, September 14, 2021
Microsoft Patch Tuesday for Sept. 2021 — Snort rules and prominent vulnerabilities
By Jon Munshaw, with contributions from Holger Unterbrink.
Microsoft released its monthly security update Tuesday, disclosing 85 vulnerabilities across the company’s firmware and software. This month’s release is headlined by an official patch for the critical remote code execution vulnerability disclosed earlier this month in MSHTML.
CVE-2021-40444 is being actively exploited in the wild, according to Microsoft, and proof-of-concept code is now available, potentially widening the potential for attacks exploiting this vulnerability. This is the first official Microsoft update to address this issue. Talos has additional protection available here.
Users should download this patch immediately. Additionally, they can disable the installation of all ActiveX controls in Internet Explorer to mitigate this attack.
Monday, September 13, 2021
Downtime on Talos Intelligence
TalosIntelligence.com will be down for a short time on Sept. 17 around 10 a.m. ET while we perform some routine maintenance on the site.
We apologize for any inconvenience this may cause. We expect the interruption will only last for about 30 minutes.
Vulnerability Spotlight: Code execution vulnerability in Nitro Pro PDF
A Cisco Talos team member discovered these vulnerabilities. Blog by Jon Munshaw.
Cisco Talos recently discovered a vulnerability in the Nitro Pro PDF reader that could allow an attacker to execute code in the context of the application.
Nitro Pro PDF is part of Nitro Software’s Productivity Suite. Pro PDF allows users to create and modify PDFs and other digital documents. It includes support for several capabilities via third-party libraries to parse the PDFs.
TALOS-2021-1267 (CVE-2021-21798) is a use-after-free vulnerability that can be triggered if a target opens a specially crafted, malicious PDF.
Friday, September 10, 2021
Threat Roundup for September 3 to September 10
Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Sept. 3 and Sept. 10. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.
As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.
Talos Takes Ep. #67: What a leaked playbook tells us about the Conti ransomware group
By Jon Munshaw.
The latest episode of Talos Takes is available now. Download this episode and subscribe to Talos Takes using the buttons below, or visit the Talos Takes page.
There's a lot to take apart in the recently leaked Conti ransomware playbook. After a disgruntled member of the ransomware-as-a-service group leaked it in August, people immediately started combing through it to gain insight into this threat actor.
But few people spent more time with it than David Liebenberg and Azim Khodjibaev, who were part of a Cisco Talos team that translated the entire paper, by hand, to English. Azim and Dave join Talos Takes this week to discuss what they learned from the project, and how attackers' human sides are starting to show.
Thursday, September 9, 2021
Threat Source newsletter (Sept. 9, 2021)
Newsletter compiled by Jon Munshaw.
Talos release protection against zero-day vulnerability (CVE-2021-40444) in Microsoft MSHTML
Cisco Talos released new SNORT® rules Thursday to protect against the exploitation of a zero-day vulnerability in Microsoft MSHTML that the company warns is being actively exploited in the wild.
Users are encouraged to deploy SIDs 58120 – 58129, Snort 3 SID 300049 and ClamAV signature ID: 9891528 (Doc.Exploit.CVE_2021_40444-9891528-0) to detect and prevent the exploitation of CVE-2021-40444. Cisco Secure Endpoint users can use Orbital Advanced Search to run complex OSqueries to see if their endpoints are vulnerable to this specific threat. An OSquery (CVE-2021-40444_vulnerability status) has been added for this threat.
If an adversary were to successfully exploit this vulnerability, they could remotely execute code on the victim machine or gain complete control. The Microsoft advisory also stated that proof-of-concept code for this vulnerability is available in the wild.
Tuesday, September 7, 2021
Vulnerability Spotlight: Heap buffer overflow vulnerability in Ribbonsoft dxflib library
Lilith >_> of Cisco Talos discovered this vulnerability. Blog by Jon Munshaw.
Cisco Talos recently discovered an exploitable heap-based buffer overflow vulnerability in Ribbonsoft’s dxflib library that could lead to code execution.
The dxflib library is a C++ library utilized by digital design software such as QCAD and KiCad to parse DXF files for reading and writing.
Friday, September 3, 2021
Threat Roundup for August 27 to September 3
Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Aug. 27 and Sept. 3. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.
As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.
Talos Takes Ep. #66: Dude, where's my bandwidth?
By Jon Munshaw.
The latest episode of Talos Takes is available now. Download this episode and subscribe to Talos Takes using the buttons below, or visit the Talos Takes page.
“Proxyware” sounds like a complicated topic that you’re too afraid to ask about. But really, it’s just software that allows users to sell off a portion of their internet bandwidth for a small profit. Problem is, attackers are swooping in on this popular software to spread malware and steal users’ money.
Edmund Brumaghin joins the show this week to discuss his recent research into proxyware applications and how malware is hiding in plain sight. Edmund discusses why these types of apps are potentially unwanted applications, and what the threat is for enterprise users with remote workers, as well as personal PC users.
Thursday, September 2, 2021
Beers with Talos, Ep. #109: We have not secured our society — Or, working out a conference talk in realtime
Beers with Talos (BWT) Podcast episode No. 109 is now available. Download this episode and subscribe to Beers with Talos:
Find out inside!
Threat Source newsletter (Sept. 2, 2021)
Newsletter compiled by Jon Munshaw.
Translated: Talos' insights from the recently leaked Conti ransomware playbook
Executive summary
Cisco Talos recently became aware of a leaked playbook that has been attributed to the ransomware-as-a-service (RaaS) group Conti. Talos has a team of dedicated, native-level speakers that translated these documents in their entirety into English. We also translated a Cobalt Strike manual that the authors referenced while creating their playbook.
These documents, written mostly in Cyrillic, were allegedly released by an affiliate upset with Conti. We believe that this translation is an extremely important contribution to the community, as machine-translated efforts have missed some interesting insights and led to some garbled passages.
Notably, the LockBit operator we interviewed warned us that something like this would take place. They stated that in a ransomware cartel, "Someone will sell them out from the inside," which is allegedly what took place in this case. The LockBit operator also told us that ransomware actors use various channels on the messaging app Telegram to stay on top of the latest exploits and attack trends. A look into a list of Telegram channels deemed interesting by the playbook authors shows numerous channels that were potentially leveraged for this exact use.
Talos' main takeaway from this playbook is that operators of all skill levels are involved with Conti. Some adversaries who are very new to the malware scene could follow this playbook to compromise a major, enterprise network with relatively little experience. At the end of this post, we've attached a full English translation of the documents.