Iranian APT MuddyWater targets Turkish users via malicious PDFs, executables

By Asheer Malhotra and Vitor Ventura.

• Cisco Talos has observed a new campaign targeting Turkish private organizations alongside governmental institutions.
• Talos attributes this campaign with high confidence to MuddyWater — an APT group recently attributed to Iran's Ministry of Intelligence and Security (MOIS) by the U.S. Cyber Command.
• This campaign utilizes malicious PDFs, XLS files and Windows executables to deploy malicious PowerShell-based downloaders acting as initial footholds into the target's enterprise. MuddyWater's use of script based components such as obfuscated PowerShell based downloaders is also a tactic described in the advisory from January 2021 by the U.S. Cyber Command.
• This campaign also utilizes canary tokens to track successful infection of targets, a new addition to this group's arsenal of tactics, techniques and procedures (TTPs).
• This specific method of taking advantage of canary tokens in this campaign may also be a measure to evade sandbox based detection systems.
• A highly motivated threat actor such as MuddyWater can use unauthorized access to conduct espionage, intellectual property theft and deploy ransomware and destructive malware in an enterprise.

Executive summary

MuddyWater has conducted various campaigns against entities spread throughout the U.S.A, Europe, Middle East and South Asia.

A typical TTP employed by the group is the heavy use of scripting in their infection chains using languages like PowerShell and Visual Basic coupled with the frequent use of living-off-the-land binaries (LoLBins).

Cisco Talos recently observed a campaign operated by MuddyWater targeting users in Turkey. This campaign consists of the use of malicious PDFs and Microsoft Office documents (maldocs) to serve as the initial infection vector. These maldocs were named in such a way as to masquerade as legitimate documents from the Turkish Health and Interior Ministries.

Next, the malware executes a series of scripts deployed on the infected endpoint to serve as downloaders and instrumentors for additional payloads.

We've also discovered the use of flags or tokens in attacks conducted by this threat actor in this campaign. These tokens are meant to signal a successful infection of a target by the group's malicious artifacts.

Vulnerability Spotlight: Memory corruption and use-after-free vulnerabilities in Foxit PDF Reader

Aleksandar Nikolic of Cisco Talos discovered these vulnerabilities. Blog by Jon Munshaw. 

Cisco Talos recently discovered a memory corruption and use-after-free vulnerability in the Foxit PDF Reader.  

Foxit PDF Reader is one of the most popular PDF document readers currently available. As a complete and feature-rich PDF reader, it supports JavaScript for interactive documents and dynamic forms. These vulnerabilities could be triggered if an attacker tricks a user into opening a specially crafted, malicious PDF file, or open the file in a browser that has a PDF reader plugin installed.

TALOS-2021-1429 (CVE-2021-40420) exists in the JavaScript engine of Foxit PDF Reader and could trigger the reuse of previously freed memory, which can lead to arbitrary code execution. TALOS-2022-1439 (CVE-2022-22150) is a similar vulnerability, though instead of a use-after-free condition, it leads to memory corruption and arbitrary code execution.

Threat Roundup for January 21 to January 28

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Jan. 21 and Jan. 28. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Threat Source Newsletter (Jan. 27, 2022)

Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers.  

It's great to have New Year's resolutions and all. But we don't want you taking the wrong lessons away from 2021, either. Like just because Log4j happened doesn't mean you should stop logging or stop using open-source software.

The latest Beers with Talos episode dropped this morning, and it's a great reflection on lessons we can learn from the major cyber attacks last year, from SolarWinds to Log4j. It's the perfect audio pairing to the latest Talos Incident Response Threat Assessment Report, which also looks at the trends IR saw in the field last year.

We also disclosed some notable vulnerabilities this week, including one that affects iOS and macOS, as well as a string of issues that could be exploited to completely wipe and reformat a video card on a popular WiFi-enabled camera. 

Beers with Talos, Ep. #115: Everybody's measured by quarters — even threat actors

Beers with Talos (BWT) Podcast episode No. 115 is now available. Download this episode and subscribe to Beers with Talos:

      

Recorded Jan. 14, 2022.

If iTunes and Google Play aren't your thing, click here.

We wanted to start off the new year by reflecting on 2021 with Talos Incident Response. The one thing many cyber attacks had in common? People. 

There are issues that arise any time humans are involved, whether it's being tempted by a phish or someone making simple human errors. So, Matt, Mitch and Liz discuss how logs are crucial during the worst-case scenario and look at how to remove human error as much as possible from the equation. 

Outside of initial infection vectors, there are plenty of other lessons learned from 2021 that we can take into incident response this year.

Vulnerability Spotlight: WiFi-connected security camera could be manipulated to spy on communications, among other malicious actions

Francesco Benvenuto of Cisco Talos discovered these vulnerabilities. Blog by Jon Munshaw. 

Cisco Talos recently discovered several vulnerabilities in the Reolink RLC-410W security camera that could allow an attacker to perform several malicious actions, including performing man-in-the-middle attacks, stealing user login credentials and more.  

The Reolink RLC-410W is a WiFi-connected security camera. The camera includes motion detection functionalities and multiple ways to save and view the recordings. The vulnerabilities Talos discovered exist in various functions and features of the camera. Some of these exploits could be combined, as well, to reboot the camera without authentication or run certain APIs.

Vulnerability Spotlight: Vulnerability in Apple iOS, iPad OS and MacOS could lead to disclosure of sensitive memory data

Jaewon Min of Cisco Talos discovered these vulnerabilities. Blog by Jon Munshaw. 

Cisco Talos recently discovered an out-of-bounds read vulnerability in Apple’s macOS and iOS operating systems that could lead to the disclosure of sensitive memory content. An attacker could capitalize on that information to aid in the exploitation of other vulnerabilities 

This vulnerability specifically exists in the DDS image parsing functionality of Apple’s ImageIO library that exists in its desktop and mobile operating systems.

Talos Incident Response year-in-review for 2021

By David Liebenberg. 

Cisco Talos Incident Response (CTIR), as with everyone else in the cybersecurity world, dealt with a bevy of threats last year, as responders dealt with an expanding set of ransomware adversaries and several major cybersecurity incidents affecting organizations worldwide, all under the backdrop of the global pandemic, which brought its own set of cybersecurity challenges. In lieu of the regular incident response quarterly trends blog this quarter, this report will look at trends that emerged throughout 2021. Our findings reveal that: 

• Health care was the most targeted industry vertical for the vast majority of the year.  
• Ransomware was the clear top threat throughout 2021. 
• The most commonly observed initial vectors included exploitation of internet-facing applications and phishing attacks.  
• CTIR dealt with four major security incidents:  
• The SolarWinds supply chain attack. 
• Mass exploitation of Microsoft Exchange Server vulnerabilities. 
• REvil’s attack against IT solutions provider Kaseya. 
• The discovery of the Log4j vulnerability.  

Ukraine Campaign Delivers Defacement and Wipers, in Continued Escalation

By Nick Biasini, Michael Chen, Alex Karkins, Azim Khodjibaev, Chris Neal and Matt Olney, with contributions from Dmytro Korzhevin.

This post is also available in:

日本語 (Japanese)

Update Feb. 4, 2022

Since the initial publication of this blog, various organizations inside Ukraine have released advisories and other reports providing additional information about the January cyber attacks on Ukrainian entities. Based on these new details and Cisco Talos' continued investigatory work, we have discovered several previously unidentified connections that strongly support the notion that these attacks were part of a broader, ongoing disinformation campaign against Ukraine. This culminated in the addition of a section related to the ongoing disinformation campaigns associated with these incidents. Below are some of the high-level updates:

• Details of CERT-UA Advisory, including example bash commands.
• Details of SSSCIP advisory outlining a false flag operation, including additional analysis.
• Disinformation section added to outline various components of disinformation observed.
• Cisco Talos has determined with moderate confidence that there is an ongoing disinformation campaign attempting to attribute these attacks to Ukrainian groups that date back at least nine months.
• Cisco Talos has also found connections between actors in this campaign and FancyBear disinformation campaigns dating back to 2016-2017.

In late January, the Computer Emergency Response Team of Ukraine (CERT-UA) released an advisory detailing newly released information regarding the attacks.

Another advisory, published by the State Service of Special Communication and Information Protection of Ukraine (SSSCIP), states that the ransomware attack may be a false flag operation intentionally crafted to appear as the work of a pro-Ukrainian group. In this post, we have added a new section labeled "Role of disinformation in campaign" detailing the evidence provided by the advisory.

Cisco Talos has also done additional analysis on the connection between WhisperKill and WhiteBlackCrypt. The details of the findings, including the ties into ongoing disinformation campaigns are included in this update.

Threat Roundup for January 14 to January 21

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Jan. 14 and Jan. 21. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Threat Source Newsletter (Jan. 20, 2022)

Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers.  

Even though we're nearly a month into 2022, we're still not quite ready to move on from 2021. That's why next week, we'll be going live on social media to talk about some of the top cybersecurity stories from the past year.

Liz Waddell from Talos Incident Response and Matt Olney from our threat intelligence team will be joining Hazel Burton from Cisco Secure to talk about everything from Log4j to supply chain attacks. You can find this stream live on any of Cisco Secure's social media platforms or the Talos YouTube page.

Threat Roundup for January 7 to January 14

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Jan. 7 and Jan. 14. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Talos Takes Ep. #82: Log4j followed us in 2022

By Jon Munshaw.

The latest episode of Talos Takes is available now. Download this episode and subscribe to Talos Takes using the buttons below, or visit the Talos Takes page.

Threat Source Newsletter (Jan. 13, 2022)

Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers.  

Move out of the way, Log4j! Traditional malware is back with a bang in 2022. While Log4j is likely still occupying many defenders' minds, the bad guys are still out there doing not-Log4j things. We have new research out on a campaign spreading three different remote access tools (RATs) using public internet infrastructures like Amazon Web Services and Microsoft Azure Sphere.

If you're looking to unwind after all the Log4j madness, we also have a new Beers with Talos episode that's one of our more laid-back productions. We, unfortunately, said goodbye to Joel, but it was not without tequila and discussions about "Rent."

Beers with Talos, Ep. #114: And then there were two...

Beers with Talos (BWT) Podcast episode No. 114 is now available. Download this episode and subscribe to Beers with Talos:

      

Recorded Dec. 9, 2021.

If iTunes and Google Play aren't your thing, click here.

We joked when recording this episode that it wouldn't come out until Groundhog Day, so technically we're a few weeks early! Unfortunately, it comes with a shred of bad news — Joel is leaving us. We're now only down to two OG Beers with Talos hosts, but we still have exciting times ahead with Mitch, Matt, Liz and future guests. 

Don't expect any real cybersecurity discussion in this one. We gotta be honest, it went pretty off the rails. 

Nanocore, Netwire and AsyncRAT spreading campaign uses public cloud infrastructure

By Chetan Raghuprasad and Vanja Svajcer.

• Cisco Talos discovered a malicious campaign in October 2021 delivering variants of Nanocore, Netwire and AsyncRATs targeting user's information.
• According to Cisco Secure product telemetry, the victims of this campaign are primarily distributed across the United States, Italy and Singapore.
• The actor used complex obfuscation techniques in the downloader script. Each stage of the deobfuscation process results with the decryption methods for the subsequent stages to finally arrive at the actual malicious downloader method.
• The campaign is the latest example of threat actors abusing cloud services like Microsoft Azure and Amazon Web Services and are actively misusing them to achieve their malicious objectives.
• The actor is using the DuckDNS dynamic DNS service to change domain names of the C2 hosts.

Executive Summary

Threat actors are increasingly using cloud technologies to achieve their objectives without having to resort to hosting their own infrastructure. These types of cloud services like Azure and AWS allow attackers to set up their infrastructure and connect to the internet with minimal time or monetary commitments. It also makes it more difficult for defenders to track down the attackers' operations.

The threat actor in this case used cloud services to deploy and deliver variants of commodity RATs with the information stealing capability starting around Oct. 26, 2021. These variants of Remote Administration Tools (RATs) are packed with multiple features to take control over the victim's environment to execute arbitrary commands remotely and steal the victim's information.

The initial infection vector is a phishing email with a malicious ZIP attachment. These ZIP archive files contain an ISO image with a malicious loader in the form of JavaScript, a Windows batch file or Visual Basic script. When the initial script is executed on the victim's machine, it connects to a download server to download the next stage, which can be hosted on an Azure Cloud-based Windows server or an AWS EC2 instance.

To deliver the malware payload, the actor registered several malicious subdomains using DuckDNS, a free dynamic DNS service. The malware families associated with this campaign are variants of the Netwire, Nanocore and AsyncRAT remote access trojans.

Organizations should be inspecting outgoing connections to cloud computing services for malicious traffic. The campaigns described in this post demonstrate increasing usage of popular cloud platforms for hosting malicious infrastructure.

Microsoft Patch Tuesday for Jan. 2022 — Snort rules and prominent vulnerabilities

By Jon Munshaw and Vitor Ventura. 

Microsoft released its monthly security update Tuesday, disclosing 102 vulnerabilities across its large collection of hardware and software. This is the largest amount of vulnerabilities Microsoft has disclosed in a monthly security update in eight months, however, none of the issues have been exploited in the wild, according to Microsoft. 

2022’s first security update features nine critical vulnerabilities, with all but one of the remaining being considered “important.”

Vulnerability Spotlight: Two vulnerabilities in Adobe Acrobat DC could lead to arbitrary code execution

Aleksandar Nikolic of Cisco Talos discovered these vulnerabilities. Blog by Jon Munshaw. 

Cisco Talos recently discovered two vulnerabilities in Adobe Acrobat Reader DC that could allow an attacker to eventually gain the ability to execute arbitrary code.  

Acrobat is one of the most popular PDF reader software options available currently. It includes the ability to read and process JavaScript to give PDFs greater interactivity and customization options for users. Both vulnerabilities exist in the way Acrobat Reader processes JavaScript.  

TALOS-2021-1387 (CVE-2021-44710) is a use-after-free vulnerability that is triggered if the user opens a PDF with specially crafted, malicious JavaScript. The code could give attackers control over reused memory, which can lead to arbitrary code execution.

Vulnerability Spotlight: Heap buffer overflow condition in Google Chrome could lead to code execution

Marcin Towalski of Cisco Talos discovered this vulnerability. Blog by Jon Munshaw. 

Cisco Talos recently discovered an exploitable heap-based buffer overflow vulnerability in Google Chrome.  

Google Chrome is a cross-platform web browser — and Chromium is the open-source version of the browser that other software developers use to build their browsers, as well. This specific vulnerability exists in WebRTC, a technology that enables websites to capture and stream audio or video and other data between browsers. 

TALOS-2021-1372 (CVE-2021-37979) is a heap-based buffer overflow vulnerability that triggers if the user opens a specially crafted web page in Chrome. That page could trigger a heap buffer overflow and memory corruption error in the application and buffer overflow, which could lead to code execution.

Vulnerability Spotlight: Buffer overflow vulnerability in AnyCubic Chitubox plugin

Carl Hurd of Cisco Talos discovered this vulnerability. Blog by Jon Munshaw. 

Cisco Talos recently discovered an exploitable heap-based buffer overflow vulnerability in the Chitubox AnyCubic plugin. 

Chitubox is 3-D printing software for users to download and process models and send them to a 3-D printer. The specific AnyCubic plugin allows the software to convert the output of the Chitubox slicer (general format files) into the format expected by AnyCubic's series of printers. These converted files are then used directly for all functionality provided by the printers. 

TALOS-2021-1376 (CVE-2021-21948) is a heap-based buffer overflow vulnerability that triggers if the user opens a specially crafted .gf file.

Threat Roundup for December 31 to January 7

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Dec. 31 and Jan. 7. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Threat Source Newsletter (Jan. 6, 2022)

Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers.  

We hope everyone had some well-deserved, relaxing time off over the holidays. Unfortunately, we are all back now and Log4j is still an issue.

And even though it seems like Log4j has already been in the news for a year, it's actually only been a few weeks. There were several other stories worth taking a look back in 2021, from the fallout of SolarWinds to the Kaseya supply chain attack. Take a look back with us to see what we can learn from the past year with our Year in Review.

We also released a new video walkthrough, which you can watch above, that covers how to safely and securely set up a new IoT assistant. Many of you may have received a new Google Home or Alexa smart device. And while these devices certainly come with inherent cybersecurity risks, there are many ways to set them up with privacy settings to keep you secure. Follow along with me and leave any feedback in the comments you have about what settings you use with your IoT devices.