Researcher Spotlight: Globetrotting with Yuri Kramarz

From the World Cup in Qatar to robotics manufacturing in east Asia, this incident responder combines experience from multiple arenas 

By Jon Munshaw. 

Yuri “Jerzy” Kramarz helped secure everything from the businesses supporting the upcoming World Cup in Qatar to the Black Hat security conference and critical national infrastructure. 

He’s no stranger to cybersecurity on the big stage, but he still enjoys working with companies and organizations of all sizes in all parts of the world. 

“What really excites me is making companies more secure,” he said in a recent interview. “That comes down to a couple things, but it’s really about putting a few solutions together at first and then hearing the customer’s feedback and building from there.” 

Yuri is a senior incident response consultant with Cisco Talos Incident Response (CTIR) currently based in Qatar. He walks customers through various exercises, incident response plan creation, recovery in the event of a cyber attack and much more under the suite of offerings CTIR has. Since moving from the UK to Qatar, he is mainly focused on preparing various local entities in Qatar for the World Cup slated to begin in November. Qatar estimates more than 1.7 million people will visit the country for the international soccer tournament, averaging 500,000 per day at various stadiums and event venues. For reference, the World Bank estimates that 2.9 million people currently live in Qatar.

Threat Advisory: Microsoft warns of actively exploited vulnerabilities in Exchange Server

Cisco Talos has released new coverage to detect and prevent the exploitation of two recently disclosed vulnerabilities collectively referred to as "ProxyNotShell," affecting Microsoft Exchange Servers 2013, 2016 and 2019. One of these vulnerabilities could allow an attacker to execute remote code on the targeted server. Limited exploitation of these vulnerabilities in the wild has been reported. CVE-2022-41040 is a Server Side Request Forgery (SSRF) vulnerability, while CVE-2022-41082 enables Remote Code Execution (RCE) when PowerShell is accessible to the attackers.

While no fixes or patches are available yet, Microsoft has provided mitigations for on-premises Microsoft Exchange users on Sept. 29, 2022. Even organizations that use Exchange Online may still be affected if they run a hybrid server. Cisco Talos is closely monitoring the recent reports of exploitation attempts against these vulnerabilities and strongly recommends users implement mitigation steps while waiting for security patches for these vulnerabilities. Exchange vulnerabilities have become increasingly popular with threat actors, as they can provide initial access to network environments and are often used to facilitate more effective phishing and malspam campaigns. The Hafnium threat actor exploited several zero-day vulnerabilities in Exchange Server in 2021 to deliver ransomware, and Cisco Talos Incident Response reported that the exploitation of Exchange Server issues was one of the four attacks they saw most often last year.

Threat Roundup for September 23 to September 30

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Sept. 23 and Sept. 30. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Threat Source newsletter (Sept. 29, 2022) — Personal health apps are currently under a spotlight, but their warning signs have always been there

By Jon Munshaw. 

Welcome to this week’s edition of the Threat Source newsletter. 

I’ve spent the past few months with my colleague Ashlee Benge looking at personal health apps’ privacy policies. We found several instances of apps that carry sensitive information stating they would share certain information with third-party advertisers and even law enforcement agencies, if necessary. 

One of the most popular period-tracking apps on the Google Play store, Period Calendar Period Tracker, has a privacy policy that states it will "share information with law enforcement agencies, public authorities, or other organizations if We’re [sic] required by law to do so or if such use is reasonably necessary. We will carefully review all such requests to ensure that they have a legitimate basis and are limited to data that law enforcement is authorized to access for specific investigative purposes only." 

A report from the Washington Post also released last week found that this app, as well as popular health sites like WebMD, “gave advertisers the information they’d need to market to people, or groups of consumers based on their health concerns.” 

To me — these were all things I had never considered before. I’m sure I’m not alone in just going to Google to type in “pain in left flank” or something along those lines to see if I’m dying or not. The research Ashlee and I did really make me rethink the type of information I’m inputting into apps on my phone, especially around my health.

New campaign uses government, union-themed lures to deliver Cobalt Strike beacons

By Chetan Raghuprasad and Vanja Svajcer.

• Cisco Talos discovered a malicious campaign in August 2022 delivering Cobalt Strike beacons that could be used in later, follow-on attacks.
• Lure themes in the phishing documents in this campaign are related to the job details of a government organization in the United States and a trade union in New Zealand.
• The attack involves a multistage and modular infection chain with fileless, malicious scripts.

Cisco Talos recently discovered a malicious campaign with a modularised attack technique to deliver Cobalt Strike beacons on infected endpoints.

The initial vector of this attack is a phishing email with a malicious Microsoft Word document attachment containing an exploit that attempts to exploit the vulnerability CVE-2017-0199, a remote code execution issue in Microsoft Office. If a victim opens the maldoc, it downloads a malicious Word document template hosted on an attacker-controlled Bitbucket repository.

Talos discovered two attack methodologies employed by the attacker in this campaign: One in which the downloaded DOTM template executes an embedded malicious Visual Basic script, which leads to the generation and execution of other obfuscated VB and PowerShell scripts and another that involves the malicious VB downloading and running a Windows executable that executes malicious PowerShell commands to download and implant the payload.

The payload discovered is a leaked version of a Cobalt Strike beacon. The beacon configuration contains commands to perform targeted process injection of arbitrary binaries and has a high reputation domain configured, exhibiting the redirection technique to masquerade the beacon's traffic.

Although the payload discovered in this campaign is a Cobalt Strike beacon, Talos also observed usage of the Redline information-stealer and Amadey botnet executables as payloads.

This campaign is a typical example of a threat actor using the technique of generating and executing malicious scripts in the victim's system memory. Defenders should implement behavioral protection capabilities in the organization's defense to effectively protect them against fileless threats.

Organizations should be constantly vigilant on the Cobalt Strike beacons and implement layered defense capabilities to thwart the attacker's attempts in the earlier stage of the attack's infection chain.

Threat Roundup for September 16 to September 23

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Sept. 16 and Sept. 23. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, orokibot ClamAV.net.

Threat Source newsletter (Sept. 22, 2022) — Attackers are already using student loan relief for scams

By Jon Munshaw. 

Welcome to this week’s edition of the Threat Source newsletter. 

We’ve seen attackers capitalize on the news time and again, from COVID-19 to U.S.-North Korea relationships and, of course, holiday shopping sales every November. 

So, I was far from surprised to see that attackers are already using U.S. President Joe Biden’s student loan forgiveness plan as a basis for scams and phishing emails.  

The Better Business Bureau and the U.S. Federal Trade Commission both released warnings over the past few weeks around fake offers, scams and website links related to the debt forgiveness plan, with which some borrowers will have up to $20,000 worth of loans forgiven. 

Many of these scams, coming via phone calls, text messages and emails, are promising to provide guaranteed access to the forgiveness program or early applications for a fee. (Hint: This will not work.)

Insider Threats: Your employees are being used against you

By Nick Biasini.

• Insider threats are becoming an increasingly common part of the attack chain, with malicious insiders and unwitting assets playing key roles in incidents over the past year.
• Social engineering should be part of any organization’s policies and procedures and a key area for user education in 2023 and beyond.
• Mitigating these types of risks include education, user/access control, and ensuring proper processes and procedures are in place when and if employees leave the organization.

Traditionally, attackers try to leverage vulnerabilities to deliver malicious payloads via exploitation. But more recently, that activity has shifted away from exploitation and consistently moved closer and closer to the user. Initially, threat actors loved to trick users into enabling malicious macros in Microsoft Office documents, but as Microsoft moves to blunt the effectiveness of macros, adversaries are always going to move to the next avenue to generate malicious revenue. This is where insider threats come into play. There are two broad categories of insider threats: the malicious insider and the unwitting asset. Both present unique challenges in detection and prevention for defenders and organizations’ IT admins. 

Malicious Insiders

There are a variety of reasons a user may choose to become a malicious insider, and unfortunately, many of them are occurring today. Let’s start with the most obvious: financial distress. When a user has a lot of debt, selling the ability to infect their employer can be a tempting avenue. We’ve seen examples of users trying to sell access into their employers’ networks for more than a decade, having spotted them on dark web forums. The current climate is, unfortunately, ripe for this type of abuse. The economy is on the brink of a recession, inflation continues to spike, and the cryptocurrency markets have lost as much as 70% of their peak value from late 2021. Combined, these factors can create an environment where employees are susceptible to coercion, putting the enterprise at risk.

Vulnerability Spotlight: Vulnerabilities in popular library affect Unix-based devices

Lilith >_> of Cisco Talos discovered these vulnerabilities. 

Cisco Talos recently discovered a memory corruption vulnerability in the uClibC library that could affect any Unix-based devices that use this library. uClibC and uClibC-ng are lightweight replacements for the popular gLibc library, which is the GNU Project's implementation of the C standard library. 

TALOS-2022-1517 (CVE-2022-29503 - CVE-2022-29504) is a memory corruption vulnerability in uClibC and uClibc-ng that can occur if a malicious user repeatedly creates threads. 

Many embedded devices utilize this library, but Talos specifically confirmed that the Anker Eufy Homebase 2, version 2.1.8.8h, is affected by this vulnerability. Anker confirmed that they’ve patched for this issue. However, uClibC has not issued an official fix, though we are disclosing this vulnerability in accordance with Cisco’s 90-day vulnerability disclosure policy. Talos tested and confirmed the following software is affected by these vulnerabilities: uClibC, version 0.9.33.2 and uClibC-ng, version 1.0.40. 

Our current world, health care apps and your personal data

What does your autonomy mean to you?

By Ashlee Benge and Jonathan Munshaw.

• After the recent Supreme Court ruling in Dobbs v. Jackson Women's Health Organization, the use of third-party apps to track health care has recently come under additional scrutiny for privacy implications.
• Many of these apps have privacy policies that state they are authorized to share data with law enforcement investigations, though the exact application of those policies is unclear.
• The use of health-tracking apps and wearable tech is rising, raising questions around the application of the 14th Amendment’s equal protection clause and HIPAA rules as to who can and cannot collect and share health care information. 

It’s become second nature for many users to blindly click on the “Accept” button on an app or website’s privacy policy and terms of service. But in the wake of the U.S. Supreme Court’s ruling in Dobbs v. Jackson Women’s Health Organization that reversed previous interpretations of the 14th amendment on privacy from Roe v. Wade, users of sensitive health apps need to be mindful of the kinds of data these apps keep, sell and share. It is a privacy ruling at its core, with the decision raising concerns about the government’s ability to access our personal and private information. Today’s digital surveillance infrastructures, coupled with new and existing laws, digital health histories are nearly impossible to protect.

Threat Roundup for September 9 to September 16

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Sept. 9 and Sept. 16. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Threat Source newsletter (Sept. 15, 2022) — Teachers have to be IT admins now, too

By Jon Munshaw. 

Welcome to this week’s edition of the Threat Source newsletter. 

Public schools in the United States already rely on our teachers for so much — they have to be educators, occasional parental figures, nurses, safety officers, law enforcement and much more. Slowly, they’re having to add “IT admin” to their list of roles. 

Educational institutions have increasingly become a target for ransomware attacks, an issue already highlighted this year by a major cyber attack on the combined Los Angeles school district in California that schools are still recovering from. 

Teachers there reported that during the week of the attack, they couldn’t enter attendance, lost lesson plans and presentations, and had to scrap homework plans. Technology has become ever-present in classrooms, so any minimal disruption in a school’s network or software can throw pretty much everything off. 

The last thing teachers need to worry about now is defending against a well-funded threat actor who may live thousands of miles away — but we’re not making it easy on them. 

I asked my mom about this, who is a paraeducator for kindergarten students, and she told me each of her students (keep in mind these are mostly 5- and 6-year-olds) has their own Chromebooks that they bring to and from home and use for homework assignments. The elementary school she works at has more than 500 students enrolled across six grades, and yet there’s only one person for the whole school who acts as their overall IT and network administrator. That’s one person to manage 500-plus laptops and even more devices like iPads and smartboards as you get into the older grades. 

Gamaredon APT targets Ukrainian government agencies in new campaign

By Asheer Malhotra and Guilherme Venere.

• Cisco Talos recently identified a new, ongoing campaign attributed to the Russia-linked Gamaredon APT that infects Ukrainian users with information-stealing malware.
• The adversary is using phishing documents containing lures related to the Russian invasion of Ukraine.
• LNK files, PowerShell and VBScript enable initial access, while malicious binaries are deployed in the post-infection phase.
• We discovered the use of a custom-made information stealer implant that can exfiltrate victim files of interest and deploy additional payloads as directed by the attackers.

Cisco Talos discovered Gamaredon APT activity targeting users in Ukraine with malicious LNK files distributed in RAR archives. The campaign, part of an ongoing espionage operation observed as recently as August 2022, aims to deliver information-stealing malware to Ukrainian victim machines and makes heavy use of multiple modular PowerShell and VBScript (VBS) scripts as part of the infection chain. The infostealer is a dual-purpose malware that includes capabilities for exfiltrating specific file types and deploying additional binary and script-based payloads on an infected endpoint.

Microsoft Patch Tuesday for September 2022 — Snort rules and prominent vulnerabilities

By Jon Munshaw and Asheer Malhotra. 

Microsoft released its monthly security update Tuesday, disclosing 64 vulnerabilities across the company’s hardware and software line, a sharp decline from the record number of issues Microsoft disclosed last month. 

September's security update features five critical vulnerabilities, 10 fewer than were included in last month’s Patch Tuesday. There are two moderate-severity vulnerabilities in this release and a low-security issue that’s already been patched as a part of a recent Google Chromium update. The remainder is considered “important.” 

The most serious vulnerability exists in several versions of Windows Server and Windows 10 that could allow an attacker to gain the ability to execute remote code (RCE) by sending a singular, specially crafted IPv6 packet to a Windows node where IPSec is enabled. CVE-2022-34718 only affects instances that have IPSec enabled. This vulnerability has a severity score of 9.8 out of 10 and is considered “more likely” to be exploited by Microsoft.

Threat Source newsletter (Sept. 8, 2022) — Why there is no one-stop-shop solution for protecting passwords

By Jon Munshaw. 

Welcome to this week’s edition of the Threat Source newsletter. 

It seems like there’s at least one major password breach every month — if not more. Most recently, there was an incident at Plex where all users had to reset their passwords.  

Many users pay for a password management service — which is something I’ve talked about a ton for Talos. But even those aren’t a one-size-fits-all solution. LastPass, one of the most popular password management services, recently suffered a breach of their own internal development environment, though as of right now, it doesn’t appear like any users’ primary passwords were compromised. 

This got me curious about how people prefer to manage their passwords, so I threw up a poll on our Twitter asking our readers how they managed their passwords. Paid password management services like LastPass and 1Password were the most popular response, followed by web browser-based managers like the ones Chrome and Safari offer.

Lazarus and the tale of three RATs

By Jung soo An, Asheer Malhotra and Vitor Ventura.

• Cisco Talos has been tracking a new campaign operated by the Lazarus APT group, attributed to North Korea by the United States government.
• This campaign involved the exploitation of vulnerabilities in VMWare Horizon to gain an initial foothold into targeted organizations.
• Targeted organizations include energy providers from around the world, including those headquartered in the United States, Canada and Japan.
• The campaign is meant to infiltrate organizations around the world for establishing long term access and subsequently exfiltrating data of interest to the adversary's nation-state.
• Talos has discovered the use of two known families of malware in these intrusions — VSingle and YamaBot.
• Talos has also discovered the use of a recently disclosed implant we're calling "MagicRAT" in this campaign.

Talos EMEA Monthly Threat Update: How do you know if cyber insurance is right for you?

On September's edition of the Monthly EMEA Threat Update, Hazel Burton and Martin Lee break down cyber insurance.

Although many businesses and organizations will think insurance will only help them in a worst-case scenario, that worst-case scenario comes for us all eventually.

Martin and Hazel discuss the benefits of having a cyber insurance policy and how it protects the policy holder when a cyber attacks strike. You can watch the full episode above or over on our YouTube page here.

Multiple ransomware data leak sites experience DDoS attacks, facing intermittent outages and connectivity issues

By Azim Khodjibaev, Colin Grady, Paul Eubanks.

• Since Aug. 20, 2022, Cisco Talos has been monitoring suspected distributed denial-of-service (DDoS) attacks resulting in intermittent downtime and outages affecting several ransomware-as-a-service (RaaS) data leak sites.
• While the source and origin of this activity remain unknown, this appears to be a concentrated effort against RaaS leak sites to disrupt their efforts to announce and post new victim information.
• Actors' responses have varied, with LockBit and ALPHV implementing new measures to counteract DDoS attacks against their sites while other groups like Quantum have simply resorted to redirecting web traffic elsewhere. LockBit also appears to have co-opted this technique by advertising that they are now adding DDoS as an extortion tactic in addition to encrypting and leaking data.

RaaS leak sites experience intermittent outages

In late August, Talos became aware of several prominent ransomware operations, such as ALPHV (also referred to as BlackCat) and LockBit, experiencing suspected DDoS attacks against their public data leak sites. These leak sites are typically hosted on Tor hidden services where, in a tactic known as double extortion, RaaS affiliates post victim information if the ransom demand is not met. On Aug. 26, we also observed at least seven more RaaS leak sites for LV, Hive, Everest, BianLian, Yanluowang, Snatch and Lorenz become inaccessible and go offline intermittently and/or experience slow traffic. Security researchers have also identified additional RaaS leak sites for Ragnar Locker and Vice Society which may have also been affected by this activity. However, we have only verified the Ragnar Locker claim at this time, as their leak site continues to experience outages. At the time of analysis, many of the aforementioned groups are still affected by connectivity issues and continue to face a variety of intermittent outages to their data leak sites, including frequent disconnects and unreachable hosts, suggesting that this is part of a sustained effort to thwart updates to those sites.

MagicRAT: Lazarus’ latest gateway into victim networks

By Jung soo An, Asheer Malhotra and Vitor Ventura.

• Cisco Talos has discovered a new remote access trojan (RAT) we're calling "MagicRAT," developed and operated by the Lazarus APT group, which the U.S. government believes is a North Korean state-sponsored actor.
• Lazarus deployed MagicRAT after the successful exploitation of vulnerabilities in VMWare Horizon platforms.
• We've also found links between MagicRAT and another RAT known as "TigerRAT," disclosed and attributed to Lazarus by the Korean Internet & Security Agency (KISA) recently.
• TigerRAT has evolved over the past year to include new functionalities that we illustrate in this blog.

Researcher Spotlight: How Asheer Malhotra looks for ‘instant gratification’ in threat hunting

The India native has transitioned from a reverse-engineer hobbyist to a public speaker in just a few years

 

By Jon Munshaw. 

Ninety percent of Asheer Malhotra’s work will never see the light of day. But it’s that 10 percent that keeps him motivated to keep looking for something new. 

The Talos Outreach researcher spends most of his days looking into potential new threats. Many times, that leads to dead ends of threats that have already been discovered and blocked or don’t have any additional threads to pull on. 

But eventually, the “lightbulb goes off,” as he puts it, which indicates something is a new threat the wider public needs to know about. During his time at Talos, Malhotra has spent much of his time looking into cyber attacks and state-sponsored threat actors in Asia, like the Transparent Tribe group he’s written about several times. 

“At some point, I say ‘Hey, I don’t think I’ve seen this before.’ I start analyzing public disclosures, and slowly start gaining confidence and being able to craft a narrative around the motivations and tactics around a specific threat actor or malware campaign,” he said.

Threat Roundup for August 26 to September 2

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Aug. 26 and Sept. 2. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Threat Source newsletter (Sept. 1, 2022) — Conversations about an unborn baby's privacy

By Jon Munshaw. 

Welcome to this week’s edition of the Threat Source newsletter. 

This week marks about 90 days before my wife’s due date with our first child, a baby girl. We’re both incredibly excited and nervous at the same time, and we have much to discuss, like how to lay out the nursery, what times we’ll put her down for a nap and who must be the one to get up the first time she starts crying at 2 a.m. 

But the first true argument my wife and I have had about having a child is whether we should show the baby’s face on Instagram. 

This child isn’t even born yet, and social media companies are probably already building out a data profile on her. I signed up for the What to Expect app so I could follow along with my wife’s pregnancy progress and learn more about what she’s going through and how the baby is developing. Already I’m getting targeted ads on the app and my Instagram for specific brands of baby food, the stroller that we’ve listed on our registry and an automatic children’s toothbrush.

ModernLoader delivers multiple stealers, cryptominers and RATs

By Vanja Svajcer

• Cisco Talos recently observed three separate, but related, campaigns between March and June 2022 delivering a variety of threats, including the ModernLoader bot, RedLine information-stealer and cryptocurrency-mining malware to victims.

• The actors use PowerShell, .NET assemblies, and HTA and VBS files to spread across a targeted network, eventually dropping other pieces of malware, such as the SystemBC trojan and DCRAT, to enable various stages of their operations. The attackers' use of a variety of off-the-shelf tools makes it difficult to attribute this activity to a specific adversary.

• The final payload appears to be ModernLoader, which acts as a remote access trojan (RAT) by collecting system information and deploying various modules. In the earlier campaigns from March, we also observed the attackers delivering the cryptocurrency mining malware XMRig. The March campaigns appeared to be targeting Eastern European users, as the constructor utility we analyzed had predefined script templates written in Bulgarian, Polish, Hungarian and Russian.

• The actors are attempting to compromise vulnerable web applications to serve malware and deliver threats via files masquerading as fake Amazon gift cards.

Threat Roundup for August 19 to August 26

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Aug. 19 and Aug. 26. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Threat Source newsletter (Aug. 25, 2022) — We're still not talking about Ukraine enough

By Jon Munshaw. 

Welcome to this week’s edition of the Threat Source newsletter. 

Russia’s invasion of Ukraine was once the most talked about story in the world. Six months into the conflict, modern attention spans have moved on to other news stories. But Ukraine Independence Day yesterday should serve as a reminder to everyone that the threats to Ukraine have not gone anywhere. 

The country still faces a physical conflict with Russia every day that seemingly has no easy end, and the barrage of cyber attacks is suspected to continue.  

As discussed in our livestream yesterday, Talos continues to see evolving cybersecurity threats in the region, including the most recent GoMet backdoor. And as Joe Marshall highlighted in his blog post last week, Ukraine’s agriculture industry — which is vital to the global food supply chain — remains vulnerable to kinetic and virtual attacks.

Ukraine Independence Day: Talos update

On Independence Day for Ukraine, Aug. 24, 2022, Cisco Talos provided a live update on its continued support for the region.  

Six months since Russia's invasion of Ukraine, Dmytro Korzhevin, a senior threat intelligence researcher, JJ Cummings, Talos' national intelligence principal, and Ashlee Benge, a strategic intelligence lead, provided insights into their past few months of work in the region.

The discussion primarily focused on the resiliency of Ukrainians, who have worked tirelessly over the years to transform their cybersecurity capabilities.

Threat Roundup for August 12 to August 19

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Aug. 12 and Aug. 19. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Threat Source newsletter (Aug. 18, 2022) — Why aren't Lockdown modes the default setting on phones?

By Jon Munshaw. 

Welcome to this week’s edition of the Threat Source newsletter. 

As the data privacy landscape gets increasingly murky, app developers and device manufacturers are finding new ways to sure up users’ personal information. Of course, all users have to do is go out of their way to opt-in. 

Apple recently announced a new Lockdown Mode for the iOS operating system that powers the company’s iPhones. When enabled, it turns off many of the features that attackers will exploit when targeting a mobile device with spyware. Spyware is a growing concern across the world, especially the NSO Group’s Pegasus tool.  

With Lockdown Mode enabled, a hypothetical attacker would not have access to certain functions on the phone, and it blocks access to important APIs such as speech and facial recognition, which research has shown are relatively easy to bypass. 

In a review of Lockdown Mode, Zack Whittaker of TechCrunch said, “...we didn’t find using our iPhone in Lockdown Mode to be overly prohibitive or frustrating as thought when the feature was first announced.

Ukraine war spotlights agriculture sector's vulnerability to cyber attack

By Joe Marshall.

• The war in Ukraine has caused massive problems for global food supplies, underscoring the high impact of disruptive events to agriculture entities and related organizations.  
• The challenges to the Ukrainian agriculture sector imposed by the war--and global ripple effects--have been well-documented and garnered international attention. We judge that the current media spotlight on these issues will motivate cyber threat actors to conduct future attacks on this industry as they realize the consequences of prolonged disruption for related entities and potential leverage they would have over victims.  
• The agriculture sector is highly vulnerable to cyber-attacks given its low downtime tolerance, insufficient cyber defenses, and far-reaching ripple effects of disruption. We assess those future threats to the agriculture section will mainly include financially motivated ransomware actors and disruptive attacks carried out by state-sponsored APTs. 
• Network defenders and leaders should consider their business resiliency in agriculture or agriculture adjacent industries.

For the past six years, Cisco Talos has been actively involved in assisting public and private institutions in Ukraine to defend themselves against state-sponsored actors. Our involvement ranges from commercial and critical infrastructure to election security. Our presence has afforded us unique opportunities and observations about cybersecurity in a macro and micro way.  

Ukraine has been a frequent victim of state-sponsored cyber-attacks aimed at critical infrastructures like power and transportation. Russia’s invasion of Ukraine not only increased the risk to these sectors but also effectively sparked a global food crisis, with the war driving rising prices and scarcity of many essential foods desperately needed by consumers around the world. The exposed fragility of the global food supply chain will also likely have implications for future cyber threats, as adversaries are notorious for targeting vulnerable sectors with low downtime tolerance and insufficient cyber defenses. This was most recently seen in the wave of ransomware attacks against health care entities during the COVID-19 pandemic. 

To truly grasp the implications of the war in Ukraine, we must examine how vital Ukrainian agriculture feeds the world, the current situation, and what this means for the global cybersecurity posture to protect agricultural assets.  

Vulnerability Spotlight: Vulnerabilities in WWBN AVideo web app could lead to command injection, authentication bypass

Claudio Bozzato of Cisco Talos discovered these vulnerabilities. Blog by Jon Munshaw. 

Cisco Talos recently discovered multiple vulnerabilities in the WWBN AVideo web application that could allow an attacker to carry out a wide range of malicious actions, including command injection and authentication bypass. 

AVideo is an open-source web application that allows users to build a video streaming and sharing platform. Anyone who joins the community can host videos on-demand, launch a live stream or encode different video formats. 

Vulnerability Spotlight: Three vulnerabilities in HDF5 file format could lead to remote code execution

Dave McDaniel of Cisco Talos discovered these vulnerabilities. Blog by Jon Munshaw. 

Cisco Talos recently discovered three vulnerabilities in a library that works with the HDF5 file format that could allow an attacker to execute remote code on a targeted device. 

These issues arise in the libhdf5 gif2h5 tool that’s normally used to convert a GIF file to the HDF5 format, commonly used to store large amounts of numerical data. An attacker could exploit these vulnerabilities by tricking a user into opening a specially crafted, malicious file.

Threat Roundup for August 5 to August 12

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Aug. 5 and Aug. 12. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Threat Source newsletter (Aug. 11, 2022) — All of the things-as-a-service

By Jon Munshaw. 

Welcome to this week’s edition of the Threat Source newsletter. 

Everyone seems to want to create the next “Netflix” of something. Xbox’s Game Pass is the “Netflix of video games.” Rent the Runway is a “Netflix of fashion” where customers subscribe to a rotation of fancy clothes. 

And now threat actors are looking to be the “Netflix of malware.” All categories of malware have some sort of "as-a-service" twist now. Some of the largest ransomware groups in the world operate “as a service,” allowing smaller groups to pay a fee in exchange for using the larger group’s tools.  

Our latest report on information-stealers points out that “infostealers as-a-service" are growing in popularity, and our researchers also discovered a new “C2 as-a-service" platform where attackers can pay to have this third-party site act as their command and control. And like Netflix, this Dark Utilities site offers several other layers of tools and malware to choose from.

Cisco Talos shares insights related to recent cyber attack on Cisco

THIS POST IS ALSO AVAILABLE IN:

日本語 (Japanese)

Update History

Date	Description of Updates
Sept. 11th 2022	Update related to data posted online added.
Aug. 10th 2022	Adding clarifying details on activity involving active directory.
Aug. 10th 2022	Update made to the Cisco Response and Recommendations section related to MFA.

Update Sept. 11, 2022

On September 11, 2022, the bad actors who previously published a list of file names from this security incident to the dark web, posted the actual contents of the same files to the same location on the dark web. The content of these files match what we already identified and disclosed. 

Our previous analysis of this incident remains unchanged-we continue to see no impact to our business, including Cisco products or services, sensitive customer data or sensitive employee information, intellectual property, or supply chain operations.

Executive summary

• On May 24, 2022, Cisco became aware of a potential compromise. Since that point, Cisco Security Incident Response (CSIRT) and Cisco Talos have been working to remediate. 
• During the investigation, it was determined that a Cisco employee’s credentials were compromised after an attacker gained control of a personal Google account where credentials saved in the victim’s browser were being synchronized. 
• The attacker conducted a series of sophisticated voice phishing attacks under the guise of various trusted organizations attempting to convince the victim to accept multi-factor authentication (MFA) push notifications initiated by the attacker. The attacker ultimately succeeded in achieving an MFA push acceptance, granting them access to VPN in the context of the targeted user. 
• CSIRT and Talos are responding to the event and we have not identified any evidence suggesting that the attacker gained access to critical internal systems, such as those related to product development, code signing, etc. 
• After obtaining initial access, the threat actor conducted a variety of activities to maintain access, minimize forensic artifacts, and increase their level of access to systems within the environment. 
• The threat actor was successfully removed from the environment and displayed persistence, repeatedly attempting to regain access in the weeks following the attack; however, these attempts were unsuccessful. 
• We assess with moderate to high confidence that this attack was conducted by an adversary that has been previously identified as an initial access broker (IAB) with ties to the UNC2447 cybercrime gang, Lapsus$ threat actor group, and Yanluowang ransomware operators. 
• For further information see the Cisco Response page here.

Microsoft Patch Tuesday for August 2022 — Snort rules and prominent vulnerabilities

By Jon Munshaw and Vanja Svajcer.

Microsoft released its monthly security update Tuesday, disclosing more than 120 vulnerabilities across its line of products and software, the most in a single Patch Tuesday in four months.  

This batch of updates also includes a fix for a new vulnerability in the Microsoft Windows Support Diagnostic Tool (MSDT) that’s actively being exploited in the wild, according to Microsoft. MSDT was already the target of the so-called “Follina” zero-day vulnerability in June.  

In all, August’s Patch Tuesday includes 15 critical vulnerabilities and a single low- and moderate-severity issue. The remainder is classified as “important.” 

Two of the important vulnerabilities CVE-2022-35743 and CVE-2022-34713 are remote code execution vulnerabilities in MSDT. However, only CVE-2022-34713 has been exploited in the wild and Microsoft considers it “more likely” to be exploited.

Small-time cybercrime is about to explode — We aren't ready

By Nick Biasini.

The cybersecurity industry tends to focus on extremely large-scale or sophisticated, state-sponsored attacks. Rightfully so, as it can be the most interesting, technically speaking.

When most people think of cybercrime they think of large-scale breaches because that's what dominates the headlines. However, the problem is much bigger. In 2021, the Internet Crime Complaint Center (IC3) received a staggering 847,376 complaints, with each victim losing a little more than $8,000 on average. Once you account for the high-value breaches, the true impact is even lower. The average person is far more likely to have their identity stolen or fall victim to some other sort of scam than be directly affected by a large-scale breach — and business is booming.

A deeper look at the data from IC3 shows that the amount of complaints and revenue being generated from cybercrime continues to rise. Interestingly there is a huge jump in cybercrime during the pandemic with a staggering increase of more than 60% in complaints between 2019 and 2020, with it increasing further in 2021. It's clear that cybercrime is on the rise, but what's driving it?

Threat Roundup for July 29 to August 5

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between July 29 and Aug. 5. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

New SDR feature released for Cisco Secure Email

Cisco Talos today announced the release of a new mechanism that allows Cisco Secure Email customers the option to submit Sender Domain Reputation (SDR) disputes through TalosIntelligence.com.

Customers now have the option of receiving self-service support through TalosIntelligence.com or may continue engaging with TAC. This new feature improves efficiency for Secure Email customers by streamlining the SDR dispute ticket process.

Users can submit email sender domains and email addresses for investigation if they believe a domain or address should be marked as malicious or has been wrongfully marked as malicious. Please provide as much data as possible to assist our investigation team.

Threat Source newsletter (Aug. 4, 2022) — BlackHat 2022 preview

By Jon Munshaw. 

Welcome to this week’s edition of the Threat Source newsletter. 

After what seems like forever and honestly has been a really long time, we’re heading back to BlackHat in-person this year. We’re excited to see a lot of old friends again to commiserate, hang out, trade stories and generally talk about security.  

Throughout the two days of the main conference, we’ll have a full suite of flash talks at the Cisco Secure booth and several sponsored talks. Since this is the last edition of the newsletter before BlackHat starts, it’s probably worthwhile running through all the cool stuff we’ll have going on at Hacker Summer Camp. 

Our booth should be easy enough to find — it’s right by the main entrance to Bayside B. If you get to the Trellix Lounge, you’ve gone too far north. Our researchers will be there to answer any questions you have and present on a wide variety of security topics, from research into Adobe vulnerabilities to the privacy effects of the overturn of Roe vs. Wade.

Attackers leveraging Dark Utilities "C2aaS" platform in malware campaigns

By Edmund Brumaghin, Azim Khodjibaev and Matt Thaxton, with contributions from Arnaud Zobec.

Executive Summary

• Dark Utilities, released in early 2022, is a platform that provides full-featured C2 capabilities to adversaries.
• It is marketed as a means to enable remote access, command execution, distributed denial-of-service (DDoS) attacks and cryptocurrency mining operations on infected systems.
• Payloads provided by the platform support Windows, Linux and Python-based implementations and are hosted within the Interplanetary File System (IPFS), making them resilient to content moderation or law enforcement intervention.
• Since its initial release, we've observed malware samples in the wild leveraging it to facilitate remote access and cryptocurrency mining.

0xCC'd

We spend a lot of time preparing for Blackhat, and as part of putting together content for the show, one of our best, Lurene Grenier, submitted an unexpected piece of content: a poem. Now this poem isn't our regular security research or a shiny piece of corporate correspondence (which we would never do anyways) — but it is raw, and it is painful and it is brilliant. And it raises a number of issues that Cisco takes very seriously, including work-life balance and mental health. In particular, by my interpretation, it speaks about early-in-career work-life balance. I know at that point in my career I felt grateful just to be in the industry while at the same time I felt powerless to advocate for myself in the face of the overwhelming demands of the workplace. This poem hit me hard, and in truth I wouldn't want it published anywhere other than on the Talos blog. So we are presenting Lurene's words here, in hopes that they trigger important conversations and also to remind everyone to just take care of each other. If you'd like to chat with Lurene or myself or another Cisco manager about these issues, we'll be at the Cisco booth (#1932) at Blackhat.  Please come by, say hi, and share your thoughts.

-- Matthew Olney

-- Director, Threat Intelligence & Interdiction

Vulnerability Spotlight: Vulnerabilities in Alyac antivirus program could stop virus scanning, cause code execution

Jaewon Min of Cisco Talos discovered these vulnerabilities. Blog by Jon Munshaw. 

Update (Aug. 3, 2022): Talos disclosed two new vulnerabilities in the Alyac antivirus software and added their details to this post.

Cisco Talos recently discovered out-of-bounds read and buffer overflow vulnerabilities in ESTsecurity Corp.’s Alyac antivirus software that could cause a denial-of-service condition or arbitrary code execution. Alyac is an antivirus software developed for Microsoft Windows machines. 

TALOS-2022-1452 (CVE-2022-21147) is a vulnerability that exists in a specific Alyac module that, eventually, leads to a crash of Alyac’s scanning process, which effectively neutralizes the antivirus scan. If successful, an attacker could trigger this vulnerability to stop the program from scanning for malware, which would be crucial in a potential attack scenario. 

Manjusaka: A Chinese sibling of Sliver and Cobalt Strike

By Asheer Malhotra and Vitor Ventura.

• Cisco Talos recently discovered a new attack framework called "Manjusaka" being used in the wild that has the potential to become prevalent across the threat landscape. This framework is advertised as an imitation of the Cobalt Strike framework.

• The implants for the new malware family are written in the Rust language for Windows and Linux.
• A fully functional version of the command and control (C2), written in GoLang with a User Interface in Simplified Chinese, is freely available and can generate new implants with custom configurations with ease, increasing the likelihood of wider adoption of this framework by malicious actors.
• We recently discovered a campaign in the wild using lure documents themed around COVID-19 and the Haixi Mongol and Tibetan Autonomous Prefecture, Qinghai Province. These maldocs ultimately led to the delivery of Cobalt Strike beacons on infected endpoints.
• We have observed the same threat actor using the Cobalt Strike beacon and implants from the Manjusaka framework.

Introduction

Cisco Talos has discovered a relatively new attack framework called "Manjusaka" (which can be translated to "cow flower" from the Simplified Chinese writing) by their authors, being used in the wild.

As defenders, it is important to keep track of offensive frameworks such as Cobalt Strike and Sliver so that enterprises can effectively defend against attacks employing these tools. Although we haven't observed widespread usage of this framework in the wild, it has the potential to be adopted by threat actors all over the world. This disclosure from Talos intends to provide early notification of the usage of Manjusaka. We also detail the framework's capabilities and the campaign that led to the discovery of this attack framework in the wild.

The research started with a malicious Microsoft Word document (maldoc) that contained a Cobalt Strike (CS) beacon. The lure on this document mentioned a COVID-19 outbreak in Golmud City, one of the largest cities in the Haixi Mongol and Tibetan Autonomous Prefecture, Qinghai Province. During the investigation, Cisco Talos found no direct link between the campaign and the framework developers, aside from the usage of the framework (which is freely available on GitHub). However, we could not find any data that could support victimology definition. This is justifiable considering there's a low number of victims, indicating the early stages of the campaign, further supported by the maldoc metadata that indicates it was created in the second half of June 2022.

While investigating the maldoc infection chain, we found an implant used to instrument Manjusaka infections, contacting the same IP address as the CS beacon. This implant is written in the Rust programming language and we found samples for Windows and Linux operating systems. The Windows implant included test samples, which had non-internet-routable IP addresses as command and control (C2). Talos also discovered the Manjusaka C2 executable — a fully functional C2 ELF binary written in GoLang with a User Interface in Simplified Chinese — on GitHub. While analyzing the C2, we generated implants by specifying our configurations. The developer advertises it has an adversary implant framework similar to Cobalt Strike or Sliver.

The developers have provided a design diagram of the Manjusaka framework illustrating the communications between the various components. A lot of these components haven't been implemented in the C2 binary available for free. Therefore, it is likely that either:

• The framework is actively under development with these capabilities coming soon OR
• The developer intends to or is already providing these capabilities via a service/tool to purchase - and the C2 available for free is just a demo copy for evaluation.

Manjusaka design diagram.