Thursday, September 16, 2021

Threat Source newsletter (Sept. 16, 2021)

Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers.  

It's a bird, it's a plane, it's a rat!

We've been tracking a series of trojans targeting the aviation industry, and trying to lure victims in by sending them spam related to flight itineraries and other transportation news. In our latest blog post, we discuss how we've followed the actor behind these attacks, and what we can learn about tracking a threat actor in the future.

This week was also Patch Tuesday, so you'll want to update your Microsoft products as soon as possible if you haven't already. Most notably, there's an official update to patch the high-profile MSHTML vulnerability.

Operation Layover: How we tracked an attack on the aviation industry to five years of compromise
By Tiago Pereira and Vitor Ventura.

  • Cisco Talos linked the recent aviation targeting campaigns to an actor who has been targeting the aviation industry for two years.
  • The same actor has been running successful malware campaigns for more than five years.
  • Although the actor has always used commodity malware, acquiring crypters to wrap that malware makes the campaigns more effective.
  • This shows that a small operation can run for years under the radar, while still causing serious problems for its targets.

Summary

Cisco Talos and other security researchers have recently reported on a series of malicious campaigns targeting the aviation industry. These reports mainly center around the crypter that hides the usage of commodity malicious remote access tools.

We decided this would be a good starting point to demonstrate how a researcher can pivot from the initial discovery of a RAT and eventually profile a threat actor. This post will show how we discovered previous campaigns targeting the aviation industry, which links back to an actor that's been active for approximately six years.

We believe with a high degree of confidence that the actor is based out of Nigeria. The actor doesn't seem to be technically sophisticated, having used off-the-shelf malware since the beginning of its activities without developing its own. The actor also buys the crypters that allow such malware to be used without being detected; throughout the years it has used several different crypters, mostly bought on online forums.

We also believe with a high degree of confidence that the actor has been active for at least five years. For the last two, they've been targeting the aviation industry, while conducting other campaigns at the same time. Pivoting from an initial discovery is not an exact science — in this process, a researcher must assert a certain level of confidence in these associations.

In this post, we will show how our research uncovered information about the attackers spreading AsyncRAT and njRAT using specific lure documents centered around the aviation industry. If infected with these threats, organizations could fall victim to data theft, financial fraud or future cyber attacks with much worse consequences.

In the end, our research shows that actors that perform smaller attacks can keep doing them for a long period of time under the radar. However, their activities can lead to major incidents at large organizations. These are the actors that feed the underground market of credentials and cookies, which can then be used by larger groups on activities like "big game hunting."

Tuesday, September 14, 2021

Microsoft Patch Tuesday for Sept. 2021 — Snort rules and prominent vulnerabilities
By Jon Munshaw, with contributions from Holger Unterbrink. 

Microsoft released its monthly security update Tuesday, disclosing 85 vulnerabilities across the company’s firmware and software. This month’s release is headlined by an official patch for the critical remote code execution vulnerability disclosed earlier this month in MSHTML.  

CVE-2021-40444 is being actively exploited in the wild, according to Microsoft, and proof-of-concept code is now available, potentially widening the pool of attackers able to exploit this vulnerability. This is the first official Microsoft update to address this issue. Talos has additional protection available here.

Users should download this patch immediately. Additionally, they can disable the installation of all ActiveX controls in Internet Explorer to mitigate this attack.

Monday, September 13, 2021

Downtime on Talos Intelligence

TalosIntelligence.com will be down for a short time on Sept. 17 around 10 a.m. ET while we perform some routine maintenance on the site. 

We apologize for any inconvenience this may cause. We expect the interruption will only last for about 30 minutes.  

Vulnerability Spotlight: Code execution vulnerability in Nitro Pro PDF
A Cisco Talos team member discovered these vulnerabilities. Blog by Jon Munshaw. 

Cisco Talos recently discovered a vulnerability in the Nitro Pro PDF reader that could allow an attacker to execute code in the context of the application. 

Nitro Pro PDF is part of Nitro Software’s Productivity Suite. Pro PDF allows users to create and modify PDFs and other digital documents. It includes support for several capabilities via third-party libraries to parse the PDFs.  

TALOS-2021-1267 (CVE-2021-21798) is a use-after-free vulnerability that can be triggered if a target opens a specially crafted, malicious PDF. 

Friday, September 10, 2021

Threat Roundup for September 3 to September 10
Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Sept. 3 and Sept. 10. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Talos Takes Ep. #67: What a leaked playbook tells us about the Conti ransomware group

By Jon Munshaw.

The latest episode of Talos Takes is available now. Download this episode and subscribe to Talos Takes using the buttons below, or visit the Talos Takes page.

There's a lot to take apart in the recently leaked Conti ransomware playbook. After a disgruntled member of the ransomware-as-a-service group leaked it in August, people immediately started combing through it to gain insight into this threat actor. 

But few people spent more time with it than David Liebenberg and Azim Khodjibaev, who were part of a Cisco Talos team that translated the entire paper, by hand, to English. Azim and Dave join Talos Takes this week to discuss what they learned from the project, and how attackers' human sides are starting to show.

Thursday, September 9, 2021

Threat Source newsletter (Sept. 9, 2021)

Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers.  

The biggest security news this week is no doubt another Microsoft zero-day. On the heels of PrintNightmare and multiple Exchange Server vulnerabilities comes a code execution vulnerability in MSHTML, the rendering engine in Internet Explorer. 

We have new Snort rules out today that protect users against the exploitation of this vulnerability, which could allow an attacker to take complete control of a victim machine.

Talos releases protection against zero-day vulnerability (CVE-2021-40444) in Microsoft MSHTML

Cisco Talos released new SNORT® rules Thursday to protect against the exploitation of a zero-day vulnerability in Microsoft MSHTML that the company warns is being actively exploited in the wild. 

Users are encouraged to deploy SIDs 58120 – 58129, Snort 3 SID 300049 and ClamAV signature ID: 9891528 (Doc.Exploit.CVE_2021_40444-9891528-0) to detect and prevent the exploitation of CVE-2021-40444. Cisco Secure Endpoint users can use Orbital Advanced Search to run complex OSqueries to see if their endpoints are vulnerable to this specific threat. An OSquery (CVE-2021-40444_vulnerability status) has been added for this threat. 

If an adversary were to successfully exploit this vulnerability, they could remotely execute code on the victim machine or gain complete control. The Microsoft advisory also stated that proof-of-concept code for this vulnerability is available in the wild.

Tuesday, September 7, 2021

Vulnerability Spotlight: Heap buffer overflow vulnerability in Ribbonsoft dxflib library
Lilith >_> of Cisco Talos discovered this vulnerability. Blog by Jon Munshaw. 

Cisco Talos recently discovered an exploitable heap-based buffer overflow vulnerability in Ribbonsoft’s dxflib library that could lead to code execution. 

The dxflib library is a C++ library utilized by digital design software such as QCAD and KiCad to parse DXF files for reading and writing. 

Friday, September 3, 2021

Threat Roundup for August 27 to September 3
Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Aug. 27 and Sept. 3. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Talos Takes Ep. #66: Dude, where's my bandwidth?

By Jon Munshaw.

The latest episode of Talos Takes is available now. Download this episode and subscribe to Talos Takes using the buttons below, or visit the Talos Takes page.

“Proxyware” sounds like a complicated topic that you’re too afraid to ask about. But really, it’s just software that allows users to sell off a portion of their internet bandwidth for a small profit. Problem is, attackers are swooping in on this popular software to spread malware and steal users’ money. 

Edmund Brumaghin joins the show this week to discuss his recent research into proxyware applications and how malware is hiding in plain sight. Edmund discusses why these types of apps are potentially unwanted applications, and what the threat is for enterprise users with remote workers, as well as personal PC users.

Thursday, September 2, 2021

Beers with Talos, Ep. #109: We have not secured our society — Or, working out a conference talk in realtime

Beers with Talos (BWT) Podcast episode No. 109 is now available. Download this episode and subscribe to Beers with Talos:


Most of the Beers with Talos guys got a chance to take a summer vacation after the last episode, so they're rejuvenated and equally unprepared for this recording. 

We recorded this before BlackHat, so you'll get a live look into Matt's preparation for the talk he co-hosted with Wendy Nather as the hosts discuss cyber warfare. How far is too far? Have we done enough as a society to secure ourselves? And is this just going to be an existential dread we live with forever?

Find out inside!

Threat Source newsletter (Sept. 2, 2021)

Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers.  

If you haven't seen already, our blog has a lot of cool and new stuff this week.

We first dove into the world of proxyware (aka internet-sharing applications) on Tuesday. Attackers are hiding in this newly popular software to steal users' bandwidth and money, while spreading malware along the way. This is a perfect case to show how willing users are to trade away some of their privacy and security for literally a few cents a day.

In another first, we got our hands on the leaked Conti ransomware playbook and translated it to English. Read our blog post and the full translation for some awesome insight into how this ransomware-as-a-service group operates.

Translated: Talos' insights from the recently leaked Conti ransomware playbook
By Caitlin Huey, David Liebenberg, Azim Khodjibaev, and Dmytro Korzhevin.

Executive summary
Cisco Talos recently became aware of a leaked playbook that has been attributed to the ransomware-as-a-service (RaaS) group Conti. Talos has a team of dedicated, native-level speakers that translated these documents in their entirety into English. We also translated a Cobalt Strike manual that the authors referenced while creating their playbook.

These documents, written mostly in Cyrillic, were allegedly released by an affiliate upset with Conti. We believe that this translation is an extremely important contribution to the community, as machine-translated efforts have missed some interesting insights and led to some garbled passages.

Notably, the LockBit operator we interviewed warned us that something like this would take place. They stated that in a ransomware cartel, "Someone will sell them out from the inside," which is allegedly what took place in this case. The LockBit operator also told us that ransomware actors use various channels on the messaging app Telegram to stay on top of the latest exploits and attack trends. A look into a list of Telegram channels deemed interesting by the playbook authors shows numerous channels that were potentially leveraged for this exact use.

Talos' main takeaway from this playbook is that operators of all skill levels are involved with Conti. Some adversaries who are very new to the malware scene could follow this playbook to compromise a major enterprise network with relatively little experience. At the end of this post, we've attached a full English translation of the documents.