Friday, October 22, 2021

Threat Roundup for October 15 to October 22

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Oct. 15 and Oct. 22. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Thursday, October 21, 2021

Threat Source newsletter (Oct. 21, 2021)

Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers.  

We're writing this on Wednesday for PTO reasons, so apologies if we miss any major news that happens after Wednesday afternoon. 

Above, you can watch our awesome live stream from Monday with Brad Garnett from Cisco Talos Incident Response. Brad sat down for a long discussion about the basics of engaging with an incident response team, provided some tips for hybrid work and answered questions live from the audience. 

On the written front, we just published new research on the recent wave of cyber attacks against users on the Indian Subcontinent. We recently spotted another set of threat actors trying to spread RATs to India and Afghanistan. Our blog has the latest information on why that matters, and what defenders can do to stay protected.

Tuesday, October 19, 2021

Malicious campaign uses a barrage of commodity RATs to target Afghanistan and India

  • Cisco Talos recently discovered a threat actor using political and government-themed malicious domains to target entities in India and Afghanistan.
  • These attacks use dcRAT and QuasarRAT for Windows delivered via malicious documents exploiting CVE-2017-11882 — a memory corruption vulnerability in Microsoft Office — and AndroidRAT to target mobile devices.
  • The actor also uses a custom file enumerator and infector in their initial reconnaissance phase of the attack.
  • The actor appears to be a lone wolf using a front company to run a crimeware campaign, possibly to establish initial footholds into high-value targets for future operations or monetary gain.


What's new?

Cisco Talos has observed a new campaign targeting Afghanistan and India that uses malicious RTF documents to deliver a variety of commodity malware to victims. The campaign consists of two phases: a reconnaissance phase that deploys a custom file enumerator and infector to the victims, and an attack phase that deploys a variety of commodity RATs, such as DcRAT and QuasarRAT.


How did it work?

The threat actor registered multiple domains with political and government themes. These domains hosted malware payloads that were distributed to their victims. Their malicious lures also contained themes related to Afghan entities, specifically diplomatic and humanitarian efforts. We assess with high confidence that the threat actor behind these attacks is an individual operating under the guise of a Pakistani IT firm called "Bunse Technologies."

The infection chains consist of malicious RTF documents and PowerShell scripts that distribute malware to victims. We've also observed the usage of C#-based downloader binaries to deploy malware while displaying decoy images to victims to appear legitimate.


So what?

This campaign is a classic example of an individual threat actor employing political, humanitarian and diplomatic themes in a campaign to deliver commodity malware to victims. Commodity RAT families are increasingly being used by both crimeware and APT groups to infect their targets. These RATs are packed with multiple functionalities to achieve complete control over the victim's endpoint - from preliminary reconnaissance capabilities to arbitrary command execution and data exfiltration. These families also act as excellent launch pads for deploying additional malware against their victims. Furthermore, these out-of-the-box features mean the attackers need only make minimal configuration changes to the RATs, removing the need for a full-fledged development cycle of custom malware by the actor.

The use of a custom file enumerator and infector module by the attackers indicates their intent to proliferate by infecting benign, trusted documents to achieve an even greater degree of infection.


Beers with Talos, Ep. #110: The 10 most-exploited vulnerabilities this year (You won't believe No. 6!)

Beers with Talos (BWT) Podcast episode No. 110 is now available. Download this episode and subscribe to Beers with Talos:

If iTunes and Google Play aren't your thing, click here.

We mainly spend this episode doing some catching up because it's been a while since we recorded. But on the actually helpful front, we discuss a recently released list of the vulnerabilities that are most often exploited in the wild, according to the U.S. Cybersecurity and Infrastructure Security Agency.

It's particularly interesting to compare the lists from 2020 and 2021 to see how threat actors have changed up their tactics and parse through all the information to tell you what you need to know. It's also important to question these types of reports and how helpful they are to defenders.

This is also a great episode for any Snort fans out there who are interested in the old days of writing rules for some Y2K-era malware.

Monday, October 18, 2021

Vulnerability Spotlight: Multiple vulnerabilities in ZTE MF971R LTE router

Marcin “Icewall” Noga of Cisco Talos discovered this vulnerability. Blog by Jon Munshaw. 

Cisco Talos recently discovered multiple vulnerabilities in the ZTE MF971R LTE portable router. 

The MF971R is a portable router with Wi-Fi support and works as an LTE/GSM modem. An attacker could exploit all these vulnerabilities by sending a specially crafted HTTP request to the targeted device. 

TALOS-2021-1320 and TALOS-2021-1321 are stack-based buffer overflow vulnerabilities. An attacker could exploit these issues to execute arbitrary remote code on the targeted device. As part of these exploits, the attacker needs to complete a referrer bypass, which is outlined in TALOS-2021-1317.

Friday, October 15, 2021

Threat Roundup for October 8 to October 15

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Oct. 8 and Oct. 15. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Talos Takes Ep. #73 (NCSAM edition): Fight the phish from land, sea and air

By Jon Munshaw.

The latest episode of Talos Takes is available now. Download this episode and subscribe to Talos Takes using the buttons below, or visit the Talos Takes page.

Most people may think of spam as the classic email promising that you've won the lottery or some great prize, only for the badly photoshopped picture to take you to a malicious site. But attackers are getting more sophisticated, luring users with text messages, phone calls and several layers of communication.

Jaeson Schultz joins Talos Takes this week to discuss the basics of spam in 2021 for National Cybersecurity Awareness Month as we celebrate "Fight the phish" week. Jaeson discusses some recent campaigns he's seen asking victims to call a specific phone number and provides some basic spam advice we could all use — and could pass along to some of our less-than-technically savvy relatives and loved ones.

Thursday, October 14, 2021

Threat Source newsletter (Oct. 14, 2021)

Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers.  

It's still Cybersecurity Awareness Month, and what better way to celebrate than by patching and then patching some more?

This week was Microsoft Patch Tuesday, which only included two critical vulnerabilities, but still requires patching diligence. Here's our full breakdown of this month's security updates for Microsoft products, and some additional details on a code execution vulnerability we discovered in Excel.

If you're looking for other ways to celebrate this month of security awareness, you can also listen to our latest special edition of Talos Takes reflecting on ransomware in 2021. The Cisco newsroom also wrote up a profile on one of our researchers, Vanja Svajcer, if you want to find out what a day in the life of a threat researcher is like. 

Do you have a particular threat, IOC, malware family or actor you want us to be covering in the Threat Source newsletter? Let us know at threatsource@cisco.com.

Vulnerability Spotlight: Code execution vulnerabilities in Nitro Pro PDF

A Cisco Talos team member discovered these vulnerabilities. Blog by Jon Munshaw. 

Cisco Talos recently discovered multiple vulnerabilities in the Nitro Pro PDF reader that could allow an attacker to execute code in the context of the application. 

Nitro Pro PDF is part of Nitro Software’s Productivity Suite. Pro PDF allows users to create and modify PDFs and other digital documents. It includes support for several capabilities via third-party libraries to parse the PDFs.

Tuesday, October 12, 2021

Vulnerability Spotlight: Use-after-free vulnerability in Microsoft Excel could lead to code execution

Marcin “Icewall” Noga of Cisco Talos discovered this vulnerability. Blog by Jon Munshaw. 

Cisco Talos recently discovered a use-after-free vulnerability in the ConditionalFormatting functionality of Microsoft Office Excel 2019 that could allow an attacker to execute arbitrary code on the victim machine. 

Microsoft disclosed and patched this vulnerability in the popular spreadsheet creation and editing platform as part of its monthly security update. You can read more about Patch Tuesday here.

Microsoft Patch Tuesday for Oct. 2021 — Snort rules and prominent vulnerabilities

By Jon Munshaw, with contributions from Asheer Malhotra. 

Microsoft released its monthly security update Tuesday, disclosing 78 vulnerabilities in the company’s various software, hardware and firmware offerings.  

This month’s release is particularly notable because there are only two critical vulnerabilities included, with the rest being important. This is the fewest number of critical vulnerabilities disclosed as part of a Patch Tuesday in at least a year. 

CVE-2021-40461 is one of the critical vulnerabilities — a flaw in the Network Virtualization Service Provider that could allow an attacker to execute remote code on the target machine. This vulnerability has a severity rating of 9.9 out of a possible 10, virtually the highest severity rating seen in Patch Tuesdays. 

The other critical vulnerability, CVE-2021-38672, exists in Windows Hyper-V. This vulnerability could also lead to remote code execution and has the same severity score as CVE-2021-40461. 

Vulnerability Spotlight: Vulnerabilities in Anker Eufy Homebase could lead to code execution, buffer overflows

Lilith >_> of Cisco Talos discovered this vulnerability. Blog by Jon Munshaw. 

Cisco Talos recently discovered two vulnerabilities in the Anker Eufy Homebase. 

The Eufy Homebase 2 is the video storage and networking gateway that works with Anker’s Eufy Smarthome ecosystem. All Eufy devices connect to this cloud-connected device and allow users to adjust the settings on other Eufy Smarthome devices.

Friday, October 8, 2021

Threat Roundup for October 1 to October 8

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Oct. 1 and Oct. 8. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Talos Takes Ep. #71 (NCSAM edition): Reflecting on ransomware in 2021

By Jon Munshaw.

The latest episode of Talos Takes is available now. Download this episode and subscribe to Talos Takes using the buttons below, or visit the Talos Takes page.

We are far from the first (or last) people to say this, but 2021 is the year of ransomware. It's by far the biggest story on the security landscape right now. Everything from oil pipelines to grain co-ops, to hospitals and schools has been targeted by ransomware this year. Azim Khodjibaev joins the show for National Cybersecurity Awareness Month to wrap up everything we've seen on the ransomware landscape this year. Azim reflects on his interview with a LockBit operator, the pros and cons of "double extortion campaigns," and discusses the lessons defenders can learn from the past 10 months.

Thursday, October 7, 2021

Threat Advisory: Apache HTTP Server zero-day vulnerability opens door for attackers

A recently discovered vulnerability in Apache HTTP Server (CVE-2021-41733) is being actively exploited in the wild.

This vulnerability is a path traversal and file disclosure vulnerability that could allow an attacker to map URLs outside of the document root. It could also result in the exposure of the source of interpreted files like CGI scripts. The exploitation of this vulnerability is of very low complexity and poses a critical threat to all users of this open-source software.

This particular vulnerability was introduced in a recent version of Apache (2.4.49). Users running older versions of Apache are not currently affected. The fix for CVE-2021-41733 in 2.4.50 was found to be insufficient, leading to a second, new vulnerability (CVE-2021-42013) that Apache is now reporting. As a result, version 2.4.51 was released to fully address the issue. Users are recommended to upgrade to 2.4.51 as soon as possible.

Threat Source newsletter (Oct. 7, 2021)

Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers.  

Every day, we see mountains and mountains of data. So how do we comb through all of it to find out what's important to customers and users? Well, there are many ways, but we wanted to give readers and researchers a look into at least one option using Apache Spark.

Our new walkthrough will show how we use machine learning, software and good old-fashioned intuition to work through a huge dataset.

October is the start of National Cybersecurity Awareness Month. To celebrate, we'll be releasing special episodes of the Talos Takes podcast each week centered around a specific theme. First up, we have Chris Marshall from Talos discussing how to avoid burnout. Cybersecurity is a stressful industry even when we're not in a global pandemic. So how have we adapted to our new hybrid work style at Talos? Listen to find out.

Do you have a particular threat, IOC, malware family or actor you want us to be covering in the Threat Source newsletter? Let us know at threatsource@cisco.com.

Monday, October 4, 2021

Threat hunting in large datasets by clustering security events

By Tiago Pereira.

  • Security tools can produce very large amounts of data that even the most sophisticated organizations may struggle to manage.
  • Big data processing tools, such as Spark, can be powerful additions to the arsenal of security teams.
  • This post walks through threat hunting on large datasets by clustering similar events to reduce search space and provide additional context.

Friday, October 1, 2021

Threat Roundup for September 24 to October 1

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Sept. 24 and Oct. 1. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Talos Takes Ep. #70: Let's put a positive spin on this whole working from home thing for once

By Jon Munshaw.

The latest episode of Talos Takes is available now. Download this episode and subscribe to Talos Takes using the buttons below, or visit the Talos Takes page.

As part of National Cybersecurity Awareness Month, we're releasing a special series of Talos Takes episodes focused on broader security topics. Send these to your parents, grandparents or anyone who will listen! 

This week, we kick things off with Christopher Marshall, the leader of Talos' detection and response team. He wears many hats within Talos, though, so he's the perfect person to have on to discuss company culture and avoiding burnout.

Chris talks about what he's done to avoid burnout on his team (regardless of what's happening in our world outside of security), what we're most looking forward to when we can get back in the office, and the positives that have actually sprung up during this hybrid work period.