Thursday, September 30, 2021

Threat Source newsletter (Sept. 30, 2021)

Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers.  

In the latest example of attackers trying to capitalize on current headlines, we've spotted a group using the recent fervor around the Pegasus spyware to spread malware. 

We've detailed a campaign in which the attackers have copied (nearly perfectly) Amnesty International's website and are advertising a tool to sniff out the spyware and remove it. The problem is, there is no such software; instead, the download just installs a RAT on your device. 

Do you have a particular threat, IOC, malware family or actor you want us to be covering in the Threat Source newsletter? Let us know at threatsource@cisco.com.

A wolf in sheep's clothing: Actors spread malware by leveraging trust in Amnesty International and fear of Pegasus

By Vitor Ventura and Arnaud Zobec.

Threat actors are impersonating the group Amnesty International and promising to protect against the Pegasus spyware as part of a scheme to deliver malware.

Amnesty International recently made international headlines when it released a groundbreaking report on the widespread use of Pegasus to target international journalists and activists.

Adversaries have set up a phony website that looks like Amnesty International's — a human rights-focused non-governmental organization — and points to a promised anti-virus tool to protect against the NSO Group's Pegasus tool. However, the download actually installs the little-known Sarwent malware.

Sarwent contains the usual abilities of a remote access tool (RAT) — mainly serving as a backdoor on the victim machine — and can also activate the remote desktop protocol on the victim machine, potentially allowing the adversary to access the desktop directly. We believe this campaign has the potential to infect many users given the recent spotlight on the Pegasus spyware. In addition to Amnesty International's report, Apple also had to recently release a security update for iOS that patched a vulnerability attackers were exploiting to install Pegasus. Many users may be searching for protection against this threat at this time.

The malicious software being deployed is not a standard information stealer that, once executed, steals credentials and exfiltrates them immediately. In this case, Sarwent has a look and feel that could easily be recognized as a regular anti-virus program. It provides the attacker with the means to upload and execute any other malicious tools. Likewise, it can exfiltrate any kind of data from the victim's computer.

The campaign targets people who might be concerned that they are targeted by the Pegasus spyware. This targeting raises issues of possible state involvement, but there is insufficient information available to Talos to make any determination on which state or nation. It is possible that this is simply a financially motivated actor looking to leverage headlines to gain new access.

Friday, September 24, 2021

Threat Roundup for September 17 to September 24

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Sept. 17 and Sept. 24. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Talos Takes Ep. #69: Our armadillo in shining armor

By Jon Munshaw.

The latest episode of Talos Takes is available now. Download this episode and subscribe to Talos Takes using the buttons below, or visit the Talos Takes page.

We also preach the importance of multi-factor authentication. But what happens when the bad guys start going after those apps?

Asheer Malhotra and his colleagues have recently been tracking Operation: Armor Piercer, a new campaign targeting military contractors and government agencies on the Indian subcontinent. The campaign's lure documents are designed to look like they are associated with a popular MFA app used in the region.

Asheer joins Talos Takes this week to discuss this campaign and provide some advice to MFA users to make sure they're accessing the right apps, notifications and messages. He also discusses the similarities Armor Piercer has to other threat actors in the region like SideCopy and Transparent Tribe.

Thursday, September 23, 2021

Threat Source newsletter (Sept. 23, 2021)

Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers.  

The Russian APT Turla is one of the most notorious threat actors out there today. And they aren't stopping, recently adding a new backdoor to their arsenal that serves as a "last chance" to retain a foothold on victim machines, even after their other malware has been removed.

Elsewhere on the APT landscape, the U.S. Cybersecurity and Infrastructure Security Agency released an advisory warning users and organizations about a recent spike in Conti ransomware attacks. Their report even included a Talos shout-out! If you want to read our recent work on Conti, you can check out our major takeaways from their leaked playbook, and an episode of Talos Takes covering the matter.

Vulnerability Spotlight: Information disclosure vulnerability in D-LINK DIR-3040 mesh router

Dave McDaniel of Cisco Talos discovered this vulnerability. Blog by Jon Munshaw.

Cisco Talos recently discovered an exploitable information disclosure vulnerability in the D-LINK DIR-3040 smart WiFi mesh router that could allow an adversary to eventually turn off the device or remove other connected devices from the mesh network. 

The DIR-3040 is an AC3000-based wireless internet router that creates a mesh network for the user, allowing them to connect multiple devices in their environment, oftentimes at home.

Operation “Armor Piercer:” Targeted attacks in the Indian subcontinent using commercial RATs

By Asheer Malhotra, Vanja Svajcer and Justin Thattil.

  • Cisco Talos is tracking a campaign targeting government personnel in India using themes and tactics similar to APT36 (aka Mythic Leopard and Transparent Tribe).
  • This campaign distributes malicious documents and archives to deliver the Netwire and Warzone (AveMaria) RATs.
  • The lures used in this campaign are predominantly themed around operational documents and guides such as those pertaining to the "Kavach" (Hindi for "armor") two-factor authentication (2FA) application operated by India's National Informatics Centre (NIC).
  • This campaign utilizes compromised websites and fake domains to host malicious payloads, another tactic similar to Transparent Tribe.

What's new?

Cisco Talos recently discovered a malicious campaign targeting government employees and military personnel in the Indian sub-continent with two commercial and commodity RAT families known as NetwireRAT (aka NetwireRC) and WarzoneRAT (aka Ave Maria). The attackers delivered a variety of lures to their targets, predominantly posing as guides related to Indian governmental infrastructure and operations such as Kavach and I.T.-related guides in the form of malicious Microsoft Office documents (maldocs) and archives (RARs, ZIPs) containing loaders for the RATs.

Apart from artifacts involved in the infection chains, we've also discovered the use of server-side scripts to carry out operational tasks such as sending out malicious emails and maintaining presence on compromised sites via web shells. This provides additional insight into the attacker's operational TTPs.

Some of these lures and tactics utilized by the attackers bear a strong resemblance to the Transparent Tribe and SideCopy APT groups, including the use of compromised websites and fake domains.

How did it work?

This campaign uses a few distinct, yet simple, infection chains. Most infections use a maldoc that downloads and instruments a loader. The loader is responsible for downloading or decrypting (if embedded) the final RAT payload and deploying it on the infected endpoint. In some cases, we've observed the use of malicious archives containing a combination of maldocs, loaders and decoy images. The RAT payloads are relatively unmodified, with the command and control (C2) IPs and domains being the most pivotal configuration information.

So what?

This campaign illustrates another instance of a highly motivated threat actor using a set of commercial and commodity RAT families to infect their victims. These RATs are packed with many features out-of-the-box to achieve comprehensive control over the infected systems. It is also highly likely that these malware families establish footholds into the victim's networks to deploy additional plugins and modules.

Tuesday, September 21, 2021

TinyTurla - Turla deploys new malware to keep a secret backdoor on victim machines

News summary

  • Cisco Talos recently discovered a new backdoor used by the Russian Turla APT group.
  • We have seen infections in the U.S., Germany and, more recently, in Afghanistan.
  • It is likely used as a stealth second-chance backdoor to keep access to infected devices.
  • It can be used to download, upload and/or execute files.
  • The backdoor code is quite simple but is efficient enough that it will usually fly under the radar.

What's new?

Cisco Talos found a previously undiscovered backdoor from the Turla APT that we are seeing in the wild. This simple backdoor is likely used as a second-chance backdoor to maintain access to the system, even if the primary malware is removed. It could also be used as a second-stage dropper to infect the system with additional malware.

Friday, September 17, 2021

Threat Roundup for September 10 to September 17

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Sept. 10 and Sept. 17. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Talos Takes Ep. #68: The various pivots and pitfalls in a malware investigation

By Jon Munshaw.

The latest episode of Talos Takes is available now. Download this episode and subscribe to Talos Takes using the buttons below, or visit the Talos Takes page.

On this week's episode, Vitor Ventura from our research team walks through his recent work on connecting several malware campaigns leveraging the aviation industry. These attacks commonly use lure documents that pertain to fake flight itineraries, bills and more, and could possibly be targeting airlines themselves.

This is a perfect example of the various pitfalls, pivots and waves that come as part of a malware investigation, so we felt it was a great time to have Vitor on. He discusses what he learned about the threat actor in this case, what threw him off, and what he can learn for the next time he goes to look into a threat actor. 

Thursday, September 16, 2021

Threat Source newsletter (Sept. 16, 2021)

Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers.  

It's a bird, it's a plane, it's a rat!

We've been tracking a series of trojans targeting the aviation industry, and trying to lure victims in by sending them spam related to flight itineraries and other transportation news. In our latest blog post, we discuss how we've followed the actor behind these attacks, and what we can learn about tracking a threat actor in the future.

This week was also Patch Tuesday, so you'll want to update your Microsoft products as soon as possible if you haven't already. Most notably, there's an official update to patch the high-profile MSHTML vulnerability.

Operation Layover: How we tracked an attack on the aviation industry to five years of compromise

By Tiago Pereira and Vitor Ventura.

  • Cisco Talos linked the recent aviation targeting campaigns to an actor who has been targeting the aviation industry for two years.
  • The same actor has been running successful malware campaigns for more than five years.
  • Although always using commodity malware, the acquisition of crypters to wrap the malware makes them more effective.
  • This shows that a small operation can run for years under the radar, while still causing serious problems for its targets.


Summary


Cisco Talos and other security researchers have recently reported on a series of malicious campaigns targeting the aviation industry. These reports mainly center around the crypter that hides the usage of commodity malicious remote access tools.

We decided this would be a good starting point to demonstrate how a researcher can pivot from the initial discovery of a RAT and eventually profile a threat actor. This post will show how we discovered previous campaigns targeting the aviation industry, which links back to an actor that's been active for approximately six years.

We believe with a high degree of confidence that the actor is based out of Nigeria. It does not seem to be technically sophisticated: it has used off-the-shelf malware since the beginning of its activities without developing its own. The actor also buys the crypters that allow such malware to be used without being detected; throughout the years it has used several different crypters, mostly bought on online forums.

We also believe with a high degree of confidence that the actor has been active for at least five years. For the last two, they've been targeting the aviation industry, while conducting other campaigns at the same time. Pivoting from an initial discovery is not an exact science — in this process, a researcher must assert a certain level of confidence in these associations.

In this post, we will show how our research uncovered information about the attackers spreading AsyncRAT and njRAT using specific lure documents centered around the aviation industry. If infected with these threats, organizations could fall victim to data theft, financial fraud or future cyber attacks with much worse consequences.

In the end, our research shows that actors that perform smaller attacks can keep doing them for a long period of time under the radar. However, their activities can lead to major incidents at large organizations. These are the actors that feed the underground market of credentials and cookies, which can then be used by larger groups on activities like "big game hunting."

Tuesday, September 14, 2021

Microsoft Patch Tuesday for Sept. 2021 — Snort rules and prominent vulnerabilities

By Jon Munshaw, with contributions from Holger Unterbrink. 

Microsoft released its monthly security update Tuesday, disclosing 85 vulnerabilities across the company’s firmware and software. This month’s release is headlined by an official patch for the critical remote code execution vulnerability disclosed earlier this month in MSHTML.  

CVE-2021-40444 is being actively exploited in the wild, according to Microsoft, and proof-of-concept code is now available, potentially widening the scope for attacks exploiting this vulnerability. This is the first official Microsoft update to address this issue. Talos has additional protection available here.

Users should download this patch immediately. Additionally, they can disable the installation of all ActiveX controls in Internet Explorer to mitigate this attack.

Monday, September 13, 2021

Downtime on Talos Intelligence

TalosIntelligence.com will be down for a short time on Sept. 17 around 10 a.m. ET while we perform some routine maintenance on the site. 

We apologize for any inconvenience this may cause. We expect the interruption will only last for about 30 minutes.  

Vulnerability Spotlight: Code execution vulnerability in Nitro Pro PDF

A Cisco Talos team member discovered these vulnerabilities. Blog by Jon Munshaw. 

Cisco Talos recently discovered a vulnerability in the Nitro Pro PDF reader that could allow an attacker to execute code in the context of the application. 

Nitro Pro PDF is part of Nitro Software’s Productivity Suite. Pro PDF allows users to create and modify PDFs and other digital documents. It includes support for several capabilities via third-party libraries to parse the PDFs.  

TALOS-2021-1267 (CVE-2021-21798) is a use-after-free vulnerability that can be triggered if a target opens a specially crafted, malicious PDF. 

Friday, September 10, 2021

Threat Roundup for September 3 to September 10

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Sept. 3 and Sept. 10. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Talos Takes Ep. #67: What a leaked playbook tells us about the Conti ransomware group

By Jon Munshaw.

The latest episode of Talos Takes is available now. Download this episode and subscribe to Talos Takes using the buttons below, or visit the Talos Takes page.

There's a lot to take apart in the recently leaked Conti ransomware playbook. After a disgruntled member of the ransomware-as-a-service group leaked it in August, people immediately started combing through it to gain insight into this threat actor. 

But few people spent more time with it than David Liebenberg and Azim Khodjibaev, who were part of a Cisco Talos team that translated the entire paper, by hand, to English. Azim and Dave join Talos Takes this week to discuss what they learned from the project, and how attackers' human sides are starting to show.

Thursday, September 9, 2021

Threat Source newsletter (Sept. 9, 2021)

Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers.  

The biggest security news this week is no doubt another Microsoft zero-day. On the heels of PrintNightmare and multiple Exchange Server vulnerabilities comes a code execution vulnerability in MSHTML, the rendering engine in Internet Explorer. 

We have new Snort rules out today that protect users against the exploitation of this vulnerability, which could allow an attacker to take complete control of a victim machine.

Talos releases protection against zero-day vulnerability (CVE-2021-40444) in Microsoft MSHTML

Cisco Talos released new SNORT® rules Thursday to protect against the exploitation of a zero-day vulnerability in Microsoft MSHTML that the company warns is being actively exploited in the wild. 

Users are encouraged to deploy SIDs 58120 – 58129, Snort 3 SID 300049 and ClamAV signature ID: 9891528 (Doc.Exploit.CVE_2021_40444-9891528-0) to detect and prevent the exploitation of CVE-2021-40444. Cisco Secure Endpoint users can use Orbital Advanced Search to run complex OSqueries to see if their endpoints are vulnerable to this specific threat. An OSquery (CVE-2021-40444_vulnerability status) has been added for this threat. 

If an adversary were to successfully exploit this vulnerability, they could remotely execute code on the victim machine or gain complete control. The Microsoft advisory also stated that proof-of-concept code for this vulnerability is available in the wild.

Tuesday, September 7, 2021

Vulnerability Spotlight: Heap buffer overflow vulnerability in Ribbonsoft dxflib library

Lilith >_> of Cisco Talos discovered this vulnerability. Blog by Jon Munshaw. 

Cisco Talos recently discovered an exploitable heap-based buffer overflow vulnerability in Ribbonsoft’s dxflib library that could lead to code execution. 

The dxflib library is a C++ library utilized by digital design software such as QCAD and KiCad to parse DXF files for reading and writing. 

Friday, September 3, 2021

Threat Roundup for August 27 to September 3

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Aug. 27 and Sept. 3. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Talos Takes Ep. #66: Dude, where's my bandwidth?

By Jon Munshaw.

The latest episode of Talos Takes is available now. Download this episode and subscribe to Talos Takes using the buttons below, or visit the Talos Takes page.

“Proxyware” sounds like a complicated topic that you’re too afraid to ask about. But really, it’s just software that allows users to sell off a portion of their internet bandwidth for a small profit. Problem is, attackers are swooping in on this popular software to spread malware and steal users’ money. 

Edmund Brumaghin joins the show this week to discuss his recent research into proxyware applications and how malware is hiding in plain sight. Edmund discusses why these types of apps are potentially unwanted applications, and what the threat is for enterprise users with remote workers, as well as personal PC users.

Thursday, September 2, 2021

Beers with Talos, Ep. #109: We have not secured our society — Or, working out a conference talk in realtime

Beers with Talos (BWT) Podcast episode No. 109 is now available. Download this episode and subscribe to Beers with Talos:

If iTunes and Google Play aren't your thing, click here.

Most of the Beers with Talos guys got a chance to take a summer vacation after the last episode, so they're rejuvenated and equally unprepared for this recording. 

We recorded this before BlackHat, so you'll get a live look into Matt's preparation for the talk he co-hosted with Wendy Nather as the hosts discuss cyber warfare. How far is too far? Have we done enough as a society to secure ourselves? And is this just going to be an existential dread we live with forever?

Find out inside!

Threat Source newsletter (Sept. 2, 2021)

Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers.  

If you haven't seen already, our blog has a lot of cool and new stuff this week.

We first dove into the world of proxyware on Tuesday (aka internet-sharing applications). Attackers are hiding in this newly popular software to steal users' bandwidth and money, while spreading malware along the way. This is a perfect case to show how willing users are to trade away some of their privacy and security for literally a few cents a day.

In another first, we got our hands on the leaked Conti ransomware playbook and translated it to English. Read our blog post and the full translation for some awesome insight into how this ransomware-as-a-service group operates.

Translated: Talos' insights from the recently leaked Conti ransomware playbook

By Caitlin Huey, David Liebenberg, Azim Khodjibaev, and Dmytro Korzhevin.

Executive summary


Cisco Talos recently became aware of a leaked playbook that has been attributed to the ransomware-as-a-service (RaaS) group Conti. Talos has a team of dedicated, native-level speakers that translated these documents in their entirety into English. We also translated a Cobalt Strike manual that the authors referenced while creating their playbook.

These documents, written mostly in Cyrillic, were allegedly released by an affiliate upset with Conti. We believe that this translation is an extremely important contribution to the community, as machine-translated efforts have missed some interesting insights and led to some garbled passages.

Notably, the LockBit operator we interviewed warned us that something like this would take place. They stated that in a ransomware cartel, "Someone will sell them out from the inside," which is allegedly what took place in this case. The LockBit operator also told us that ransomware actors use various channels on the messaging app Telegram to stay on top of the latest exploits and attack trends. A look into a list of Telegram channels deemed interesting by the playbook authors shows numerous channels that were potentially leveraged for this exact use.

Talos' main takeaway from this playbook is that operators of all skill levels are involved with Conti. Some adversaries who are very new to the malware scene could follow this playbook to compromise a major enterprise network with relatively little experience. At the end of this post, we've attached a full English translation of the documents.