Cisco Talos Intelligence Group - Comprehensive Threat Intelligence: April 2022

Friday, April 29, 2022

Threat Roundup for April 22 to April 29

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between April 22 and April 29. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Threat Source newsletter (April 28, 2022) — The 2022 Cybersecurity Mock Draft

By Jon Munshaw.

Welcome to this week’s edition of the Threat Source newsletter that’s going to be a little different, but bear with me.

In honor of the NFL Draft starting this evening — an event that Cisco is helping to secure — I thought it’d be appropriate to look at building a cybersecurity team from the ground up. As an avid NFL fan (go Browns!) I’m always thinking about what I would do if I was a general manager in a draft room. This year, if I was building a football team, I’d be steering clear of Aidan Hutchinson and Travon Walker early on and trying to trade back and take receivers like Chris Olave or Garrett Wilson.

But cybersecurity is also a team sport. You need a layered model to ensure your organization stays safe from everyday vulnerabilities, state-sponsored actors and everything in between. To build that team, we need to go through seven rounds of selections to build out the ultimate roster of security tools and skills that everyone needs to keep their organization secure (obviously, some of these are a bit tongue-in-cheek, if you want honest to goodness security advice, reach out to Cisco Talos Incident Response today). Email me at threatsource@cisco.com with what — or who — you would select in the first round of your Cybersecurity Draft.

Quarterly Report: Incident Response trends in Q1 2022

Ransomware continues as the top threat, while a novel increase in APT activity emerges

By Caitlin Huey.

Ransomware was still the top threat Cisco Talos Incident Response (CTIR) saw in active engagements this quarter, continuing a trend that started in 2020. As mentioned in the 2021 year-in-review report, CTIR continues to deal with an expanding set of ransomware adversaries and major cybersecurity incidents affecting organizations worldwide.

The first quarter of 2022 also featured an increase in engagements involving advanced persistent threat (APT) activity. This included Iranian state-sponsored MuddyWater APT activity, China-based Mustang Panda activity leveraging USB drives to deliver the PlugX remote access trojan (RAT), and a suspected Chinese adversary dubbed “Deep Panda” exploiting Log4j.

Researcher Spotlight: Liz Waddell, CTIR practice lead

How this Talos team member’s love of true crime led to a life in cybersecurity

By Jon Munshaw.

Liz Waddell is usually there on someone’s worst day of their professional lives.

Chief technology officers and chief information security officers can hope all they want that the day they get hit with a ransomware attack will never come. Unfortunately, for many organizations, they’re nearly impossible to avoid nowadays.

Waddell, the IR practice leader for Cisco Talos Incident Response, is then called in by the time the attacks already happened. While CTIR offers many proactive services to protect against cyber attacks, they also serve as boots-on-the-ground helpers to assist companies remediate attacks as soon as they happen and limit the potential damage.

“When you watch an active ransomware encryption happen, and there is nothing you can do to stop it, it’s the worst feeling in the world,” Waddell said in a recent sit-down interview. “When I lose that ability to control the situation, that's when it gets really hard for me."

Threat Roundup for April 15 to April 22

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between April 15 and April 22. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

Threat Source newsletter (April 21, 2022) — Sideloading apps is as safe as you make it

By Jon Munshaw.

Welcome to this week’s edition of the Threat Source newsletter.

If you pay attention to the video game community as much as I do, you’ve been closely following the ongoing legal battle between Apple and Epic over the sale of “Fortnite” on the Apple App Store. (I promise I won’t keep bringing up “Fortnite each week.”)

That lawsuit has now expanded into a larger debate about sideloading apps and allowing more than one app store on a mobile device. In this particular example, Epic believes the Epic Games Store should be allowed to run on Apple’s iOS where users can pay to download games and conduct other microtransactions.

And the European Union is considering a new law that would force smartphone producers to open the door for any app store on their devices. This would come with a few security red flags — we’ve noted several times where attackers have leveraged sideloading apps to deliver malware to users’ devices, sometimes malware that essentially tracks their every move on their device.

Apple CEO Tim Cook recently pushed back against the proposed EU law and other similar pushes in the U.S., and he’s right, bad actors would likely waste little time setting up their own seemingly legitimate app stores to instead spread malware or trojanized apps. They’re already able to circumvent current major app stores to do this all the time.

But at the end of the day, sideloading is going to be just as secure as you make it, just like current app stores. Every app store like the Epic Games Store will have its own data privacy policy rules and review processes for apps, and in this hypothetical sideloading scenario, it would be up to those stores to enforce those new rules. Sideloading an app is not inherently malicious or risky, but it can be if you don’t know where the app you’re trying to download is coming from, exactly, or if you don’t do enough digging into that store’s policies or history.

If these laws were to go into effect, it wouldn’t be security Armageddon, but it would force users to pay extra close attention to the apps they’re downloading. Keep these things in mind any time you go to download a new app, regardless of whether it’s from the Apple App Store, Google Play, or anywhere else.

Make sure the app is verified. On Android phones, you’ll see a small badge that says, “Verified by Play Protect.”
Check if any contact information listed in the app’s description is legitimate.
It’s never a good idea to click on pop-up ads in apps just to “make them go away.”
Use your phone’s settings to see if the app is using unusual amounts of data.
Customize each app’s privacy settings on your phone, restricting location access and other sensitive information to only those apps you truly trust or are needed to make the app function properly.

Beers with Talos (BWT) Podcast episode No. 120 is now available. Download this episode and subscribe to Beers with Talos:

Recorded April 6, 2022

If iTunes and Google Play aren't your thing, click here.

The trend of special guests continues, this time with Nate Pors from Cisco Talos Incident Response. Nate joins the crew to talk about multi-factor authentication and how attackers are finding new ways to "prompt bomb" users to trick them into letting bad guys in the door, and other ways bad guys are finding ways to get around MFA.

Also, Matt has to eat some humble pie regarding the FBI's takedown of the Cyclops Blink wireless router malware, which leads the crew to reflect on VPNFilter.

By Darin Smith.

TeamTNT is actively modifying its scripts after they were made public by security researchers.
These scripts primarily target Amazon Web Services, but can also run in on-premise, container, or other forms of Linux instances.
The group's payloads include credential stealers, cryptocurrency miners, persistence and lateral movement.
TeamTNT scripts are also capable of disabling cloud security tools, such as Alibaba's aegis cloud security agent.

Summary

Cisco Talos has recently received modified versions of the TeamTNT cyber crime group's malicious shell scripts, an earlier version of which was detailed by Trend Micro, from an intelligence partner. According to our intelligence partner, the malware author modified these tools after they became aware that security researchers published the previous version of their scripts. These scripts are primarily designed to target Amazon Web Services (AWS) but could also run in on-premise, container or other forms of Linux instances.

Besides the primary credential stealer scripts, there are several TeamTNT payloads focused on cryptocurrency mining, persistence and lateral movement using techniques such as discovering and deploying onto all Kubernetes pods in a local network. There is also a script with login credentials for the primary distribution server, and another with an API key that might provide remote access to a tmate shared terminal session. Some of the TeamTNT scripts even contain defense evasion functions focused on disabling Alibaba cloud security tools. The focus on compromising modern cloud environments sets TeamTNT apart from many of the other cybercriminals encountered by Cisco Talos.

This post describes the functionality of the various scripts provided, serving as a "field guide" of sorts for further analysis and provides centralized documentation for all indicators of compromise and other atomic intelligence attributes. Any alerts that may be triggered by the malware are described as well, though unfortunately, there are no AWS or cloud API calls made. The Secure Cloud Analytics (SCA) alert AWS Temporary Token Persistence should detect the use of temporary credentials generated by users of the credentials exfiltrated from the Instance Metadata Service, while a confirmed threat watchlist may catch traffic to the TeamTNT servers and cryptocurrency mining pools. Additionally, while most of the mining scripts are configured to use 70% of available CPU power, rather than 100%, this would still be apparent through the SCA Cloud Security Posture Management dashboard if that is monitored.

Threat Roundup for April 8 to April 15

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between April 8 and April 15. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

Threat Source newsletter (April 14, 2022) — It's Tax Day, and you know what that means

By Jon Munshaw.

Welcome to this week’s edition of the Threat Source newsletter.

The deadline to file taxes in the United States is Monday. That means a few things: everyone should probably make sure their liquor cabinet is fully stocked, your spam filters are all turned on in your email and the bad guys are going to crawl out of the woodwork from every crevasse of the internet.

As Nick Biasini and I talked about on the latest Talos Takes episode, attackers always use Tax Day as a jumping-off point to launch a barrage of run-of-the-mill scam campaigns. These can range anywhere from bogus emails asking for personal information, fake tax forms sent in the mail and phone calls warning that the “IRS” will come to your home if you don’t pay the person on the other end of the phone line immediately.

The COVID-19 pandemic adds another wrinkle to this, because attackers are now also leveraging topics like stimulus payments and unemployment benefits to try and steal users’ money or personal information.

At the end of the day, there is no skeleton key approach to avoiding these scams, because they’re going to come through text messages, phone calls, letters, emails and more. No antivirus program is going to stop your grandmother from believing a man who “sounds so nice” on the other end of a phone call. So it’s all about user education around this time of year. With that said, here are a few things I felt it was important to remind people of this time of year that can help you avoid becoming a victim of these tax scams:

The IRS will never use email to initiate contact with taxpayers.
The IRS cannot, and will not, threaten taxpayers with potential arrest or deportation over alleged unpaid tax bills.
If you do have a bill from the IRS, they will likely contact you via physical mail, informing you of your right to contest said bill. They will never demand immediate payment upon first contact with the taxpayer.
The IRS does not demand taxpayers pay their bills with a specific method (I.e., if someone says you have to give a credit card number over the phone) without first mailing out a physical bill.
The IRS very rarely calls a taxpayer over the phone or visits your home or workplace (relax, you’re not Bernie Madoff).
If you are deaf or hard of hearing, do not inherently trust any calls that come through a video relay service (VRS). VRS services do not screen calls for validity.
When in doubt, reach out to the IRS directly via any of the phone numbers listed here. Do not call a number back directly who leaves a voicemail or text message claiming to be from the IRS.

Update (04/14/22): Following the initial publication of this blog, we observed a new post in the Haskers Gang Telegram channel announcing that ownership of the ZingoStealer project is being transferred to a new threat actor.

We also observed the malware author offering to sell the source code for ZingoStealer for $500 (negotiable).

By Edmund Brumaghin and Vanja Svajcer, with contributions from Michael Chen.

Cisco Talos recently observed a new information stealer, called "ZingoStealer" that has been released for free by a threat actor known as "Haskers Gang."
This information stealer, first introduced to the wild in March 2022, is currently undergoing active development and multiple releases of new versions have been observed recently.
The malware leverages Telegram chat features to facilitate malware executable build delivery and data exfiltration.
The malware can exfiltrate sensitive information such as credentials, steal cryptocurrency wallet information, and mine cryptocurrency on victims' systems.
While this stealer is freely available and can be used by multiple threat actors, we have observed a focus on infecting Russian speaking victims under the guise of game cheats, key generators and pirated software, which likely indicates a current focus on home users.
The threat actor "Haskers Gang" uses collaborative platforms such as Telegram and Discord to distribute updates, share tooling and otherwise coordinate activities.
In many cases, ZingoStealer also delivers additional malware such as RedLine Stealer and the XMRig cryptocurrency mining malware to victims.

Microsoft Patch Tuesday includes most vulnerabilities since Sept. 2020

By Jon Munshaw and Nick Biasini.

Microsoft released its latest security update Tuesday, disclosing more than 140 vulnerabilities across its array of products. This is a departure from past Patch Tuesdays this year, which have only featured a few dozen vulnerabilities, and is the largest amount of issues in a single Patch Tuesday since September 2020.

Ten of these vulnerabilities are considered to be “critical,” while three others are listed as being of “moderate” severity and the remainder are considered “important.” There are also nine vulnerabilities that were first found in the Chromium web browser but affect Microsoft Edge, since it’s a Chromium-based browser. Edge users do not need to take any action to patch for these issues.

Threat Roundup for April 1 to April 8

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between April 1 and April 8. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

Threat Source newsletter (April 7, 2022) — More money for cybersecurity still doesn't solve the skills gap problem

By Jon Munshaw.

Welcome to this week’s edition of the Threat Source newsletter.

U.S. President Joe Biden’s proposed budget would include an 11 percent increase in the federal government’s IT budget, including a total of $10.9 billion for cybersecurity. On the surface — this is all great (we can save a discussion about the national debt and spending gap for a later time).

There‘s still a way to go before any of that money becomes real — a president’s proposed budget rarely gets passed as-is after layers of negotiation and Congressional votes. But this is a promising sign that the administration is ready and willing to invest more in cybersecurity to address holes in federal networks that are constantly being targeted. The FBI is already preparing to put that money to use to track down ransomware actors.

But I think it’s important to remember that money can’t solve all our security problems. It’s great to have the cash to invest in new technology, better equipment and more experts to be in the field. Those people still need the proper training, and the end users need to be continuously educated on the latest threats and scams that are likely to come their way. Regardless of how many millions are invested in a zero-trust framework, if the people implementing and overseeing that framework aren’t properly trained and educated, how likely is it that the zero-trust model will be effective?

A study released in the summer from the Information Systems Security Association (ISSA) found that the skills gap in cybersecurity worsened for the fifth year in a row in 2021. This means there continues to be a growing disparity between the skills cybersecurity teams have versus the resources they actually have on hand. Respondents to the survey noted a heavier workload, unfilled positions and worker burnout as the three main contributors to this gap.

An increase in federal funding can help resolve the issue of unfilled positions by, hopefully, increasing pay and benefits for prospective employees, possibly luring them into the cybersecurity space or encouraging them to stay in their roles. But it can’t solve burnout and heavy workloads overnight. That falls down to those workers’ managers and companies, nor does it help set up the appropriate training and education these cybersecurity teams need to use the new, shiny tools their companies are procuring for them.

So while we can celebrate this potential new financial windfall to the industry, I would hesitate to take a victory lap too soon before we address the soft skill issues that still face the security industry and end-users.

Threat Spotlight: AsyncRAT campaigns feature new version of 3LOSH crypter

By Edmund Brumaghin, with contributions from Alex Karkins.

Ongoing malware distribution campaigns are using ISO disk images to deliver AsyncRAT, LimeRAT and other commodity malware to victims.
The infections leverage process injection to evade detection by endpoint security software.
These campaigns appear to be linked to a new version of the 3LOSH crypter, previously covered here.

Malware distributors often leverage tools to obfuscate their binary payloads and make detection and analysis more difficult. These tools often combine functionality normally associated with packers and crypters and, in many cases, are not directly tied to the malware payload itself. Over the past several months we have observed a series of campaigns that leverage a new version of one of these tools, referred to as 3LOSH crypter. The threat actor(s) behind these campaigns have been using 3LOSH to generate the obfuscated code responsible for the initial infection process. Based on analysis of the embedded configuration stored within the samples associated with these campaigns, we have identified that the same operator is likely distributing a variety of commodity RATs, such as AsyncRAT and LimeRAT. These RATs feature various functionality that enables them to be used to gain access to systems and exfiltrate sensitive information from victims.

Threat Roundup for March 25 to April 1

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between March 25 and April 1. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

Beers with Talos (BWT) Podcast episode No. 119 is now available. Download this episode and subscribe to Beers with Talos:

Recorded March 25, 2022.

If iTunes and Google Play aren't your thing, click here.

We're still dealing with everything going on with Ukraine, and there's more going on there than we could possibly cover in a podcast episode. But we still wanted to check back in and update our listeners on the malware we're seeing in the wild in Ukraine and discuss President Biden's recent warning that state-sponsored actors could soon target U.S. critical infrastructure.

On the non-Ukraine front, we also are joined by special guest Nick Biasini from the Talos Outreach team to talk about the BlackCat ransomware group. BlackCat seemingly has some ties to BlackMatter/DarkSide (infamous for the Colonial Pipeline attack) but is there any formal connection?

Turns out, ransomware groups work more like a real business than you'd think.

Friday, April 29, 2022

Thursday, April 28, 2022

Tuesday, April 26, 2022

Ransomware continues as the top threat, while a novel increase in APT activity emerges

Monday, April 25, 2022

How this Talos team member’s love of true crime led to a life in cybersecurity

Friday, April 22, 2022

Thursday, April 21, 2022

Summary

Friday, April 15, 2022

Thursday, April 14, 2022

Tuesday, April 12, 2022

Friday, April 8, 2022

Thursday, April 7, 2022

Tuesday, April 5, 2022

Friday, April 1, 2022

categories

Subscribe To Our Feed

Blog Archive

Recommended Blogs