Friday, June 24, 2022

Threat Roundup for June 17 to June 24


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between June 17 and June 24. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Tuesday, June 21, 2022

Avos ransomware group expands with new attack arsenal



By Flavio Costa, Chris Neal and Guilherme Venere.

  • In a recent customer engagement, we observed a month-long AvosLocker campaign.
  • The attackers utilized several different tools, including Cobalt Strike, Sliver and multiple commercial network scanners.
  • The initial ingress point in this incident was a pair of VMware Horizon Unified Access Gateways that were vulnerable to Log4Shell. While Cisco products were deployed on the network, the appliances were never configured, allowing the attacker to gain access to internal servers and maintain a foothold.
  • During the time the attacker was active in the network, several security events were detected by the security products but were not reviewed by the security team, which could have prevented the ransomware activity.


Threat Actor Profile: Avos


Avos is a ransomware group first identified in 2021 initially targeting Windows machines. More recently, a new ransomware variant of AvosLocker, named after the group, is also targeting Linux environments. Well-funded and financially motivated, Avos has been active since June 2021 and follows the ransomware-as-a-service (RaaS) model, an affiliate program to recruit potential partners. The announcement of the program includes information about the features of the ransomware and lets affiliates know that AvosLocker operators will handle negotiation and extortion practices. The user "Avos" has also been observed trying to recruit individuals on the Russian forum XSS.


Friday, June 17, 2022

Threat Roundup for June 10 to June 17


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between June 10 and June 17. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Thursday, June 16, 2022

Threat Source newsletter (June 16, 2022) — Three top takeaways from Cisco Live

By Jon Munshaw. 

Welcome to this week’s edition of the Threat Source newsletter. 

I’m still decompressing from Cisco Live and the most human interaction I’ve had in a year and a half.  

But after spending a few days on the show floor and interacting with everyone, there are a few things that stand out to me about the state of security and what people are interested in at Cisco Live. So, I wanted to take some time to highlight a few things that stood out to me at this year’s Cisco Live. Editor's note: The Threat Source newsletter will be on a summer break next week, so no new edition! 

Don’t think about the worst 


A lot of our lightning talks at the Cisco Secure Pub this week centered around some crazy days, many of which left us scrambling — the Colonial Pipeline ransomware attack, Log4J, Kaseya, you name it. The problem is no one wants to think about how awful these days are. 

During these talks, I saw a lot of heads in the audience nodding around how we need to be prepared for the worst, but no one wants to talk about that. Who wants to be the one to predict the next Log4J? Unfortunately, it’s going to happen, we just don’t know when. That’s why things like Incident Response plans and playbooks are so important. 

You may not want to talk about the toughest day of your professional career, but it’s going to come, so we may as well embrace it and be ready. 


A wink and a nod 


Speaking of these major incidents, it seems like a ton of major security events have happened since the last Cisco Live in person. While they were happening, it was all anyone could talk about. But in person, words like “SolarWinds” and “Kaseya” were all spoken in hushed tones or were just vaguely referenced in person as “back then” or “the dark times.”

If we are going to truly learn from these events, I feel like we need to speak about them openly and honestly. I try to have a judgment-free security zone because, eventually, a breach is going to happen to everyone. So the point is not to shame someone when it happens; we should be discussing the lessons learned openly so we can do better next time, rather than trying to brush it under the rug.

During these stretches, we were all busy and stressed and it made for some late nights. That’s OK, and it should be OK to talk about that, even if you’re within earshot of someone who was involved.


We can’t replicate everything over the internet 


The future is hybrid work, there’s no doubt about it. And I’d be the first person to tell you I prefer working from home versus commuting to the office today. But I must admit — it’s tough to replicate the connections at conferences and shows over Webex. 

Meetings and 1:1 check-ins work great for virtual meeting platforms, but there’s something about just making a personal connection in-person to a stranger. I was working at the Talos booth this week and struck up a conversation with someone who worked in network operations for an NFL team. Being a huge NFL fan, I had all sorts of questions to ask about the ins and outs of his job and the organization, especially given Cisco Talos Incident Response’s recent work at the Super Bowl and NFL draft. 

Unfortunately, this isn’t something we’ve been able to capture virtually. That operations person and I exchanged information on what we’re seeing in the field, what pain points exist and even got to talking about the NFL offseason. My wife, boss and parents would be shocked to hear me say this — but I actually missed talking to people in person.    

  

The one big thing 


Microsoft’s Patch Tuesday for this month included 40 high-severity vulnerabilities, including one critical issue. The most serious issue is CVE-2022-30136, a remote code execution vulnerability in the Windows Network File System (NFS) service, version NFSv4.1, with a near-maximum severity score of 9.8. An attacker can exploit the vulnerability over the network by making an unauthenticated, specially crafted call to an NFS service to execute remote code. To mitigate this vulnerability, users are advised to disable the vulnerable version, NFSv4.1, and restart the NFS server or reboot the machine.

Why do I care? 

This month’s round of updates also includes a fix for the high-profile Follina vulnerability disclosed a few weeks ago. Attackers are actively exploiting this in the wild to deliver malware, so it is especially important to patch immediately. Also, this release marks the official end of Internet Explorer, the Microsoft browser that’s been around for more than 25 years. As of Tuesday, Microsoft stopped officially supporting most versions of Explorer and disabled the IE desktop application. All Explorer users are encouraged to switch over to Microsoft Edge (or another web browser).

Wednesday, June 15, 2022

Vulnerability Spotlight: Vulnerabilities in Anker Eufy Homebase could lead to code execution, authentication bypass



Lilith >_> of Cisco Talos discovered these vulnerabilities. Blog by Jon Munshaw. 

Cisco Talos recently discovered three vulnerabilities in the Anker Eufy Homebase 2. 

The Eufy Homebase 2 is the video storage and networking gateway that works with Anker’s Eufy Smarthome ecosystem. All Eufy devices connect to this cloud-connected device and allow users to adjust the settings on other Eufy Smarthome devices.

Tuesday, June 14, 2022

Microsoft Patch Tuesday for June 2022 — Snort rules and prominent vulnerabilities


By Chetan Raghuprasad.

Microsoft released its monthly security update Tuesday, disclosing 55 vulnerabilities in the company’s firmware and software. One of these vulnerabilities is considered critical, 40 are listed as high severity, and the remainder is considered "moderate." 

The most serious issue is CVE-2022-30136, a remote code execution vulnerability in the Windows Network File System (NFS) service, version NFSv4.1, with a near-maximum severity score of 9.8. An attacker can exploit the vulnerability over the network by making an unauthenticated, specially crafted call to a Network File System (NFS) service to execute remote code. To mitigate this vulnerability, users are advised to disable the vulnerable version, NFSv4.1, and restart the NFS server or reboot the machine.

Thursday, June 9, 2022

Threat Source newsletter (June 9, 2022) — Get ready for Cisco Live

By Jon Munshaw. 

Welcome to this week’s edition of the Threat Source newsletter. 

Another week, another conference. We’re heading a few miles southeast from San Francisco to Las Vegas for Cisco Live. I hope everyone had a safe, healthy and enjoyable RSA, but the fun isn’t over just yet. 

We’ve got another week chock full of talks, meet-and-greets, podcasts and much more at Cisco Live this week. Come find us at the center of the Cisco Secure booth where we have something awesome planned (it’s a surprise!). I’ve also got a few other highlights from Talos at Cisco Live to know about this week.  

I’ll personally be giving my first-ever talk at the Cisco Secure Pub on Wednesday, so come by and say hi and tell me how much you love the newsletter.  

Cisco Secure Pub 

The best place to find us is at the Cisco Secure Pub on the show floor. The Pub will be serving coffee in the morning and alcoholic drinks in the afternoon. Every day, we’ll be represented in lightning talks at the booth on a wide variety of topics, including Talos’ work in Ukraine, securing industrial control systems and a look back at Log4j. 

And since this is my newsletter, I’m also going to plug my talk on Wednesday at 2:30 p.m. local time when I’ll be discussing disinformation and propaganda campaigns in the age of social media, especially as it relates to Russia’s invasion of Ukraine. 

Talos Insights: The State of Cybersecurity 

This is our annual overview of the threat landscape, this year delivered by Nick Biasini from our Outreach team. In this talk on the 15th, Nick will talk about the threats and trends Talos has uncovered in the past 12 months and provide the technical details on how they operate. Use the Cisco Live Session Catalog for more details on location. 

Interactive sessions 

Talos and Cisco Talos Incident Response are hosting several interactive sessions throughout the conference where attendees will get a chance to work face-to-face with our researchers and work hands-on with Cisco Secure products.

I’ve created a personal filter here in the Session Catalog so you can easily find all our interactive sessions throughout the week.    
  

The one big thing 


Attackers are actively exploiting a zero-day vulnerability in Atlassian Confluence Data Center and Server to execute remote code on targeted machines. The attacks delivered several payloads, including the in-memory BEHINDER implant as well as web shells, including China Chopper. In addition to the initial attacks outlined in the report, researchers confirmed additional, continued exploitation is ongoing. There is now a Proof of Concept (PoC) available so exploitation could increase in the near term.  

Why do I care? 

If an attacker exploited this vulnerability, they could completely take over the targeted host and execute remote code on the targeted machine. And although a patch is available for this vulnerability, many instances remain unpatched, and reports continue to pour in that attackers are using exploit code available in the wild. This is all a bad recipe for a vulnerability that is relatively easy for attackers to exploit and that we know they’re scanning for. Attackers are also exploiting this issue to spread China Chopper, a longstanding malware that can act as a backdoor on targeted machines and essentially be a backup plan for threat actors to retain access.

Talos EMEA monthly update: Business email compromise

The latest edition of the Talos EMEA Monthly Update is available now on Cisco.com and Cisco's YouTube page. You can also view the episode in its entirety above.

For June, Hazel and Martin got together to discuss business email compromise. BEC has quickly become the most lucrative attack vector for threat actors, even surpassing ransomware. This episode provides a quick explainer of what BEC is and how organizations can be prepared for when, not if, this type of spam campaign comes for them. 

Friday, June 3, 2022

Threat Advisory: Atlassian Confluence zero-day vulnerability under active exploitation


Cisco Talos is monitoring reports of an actively exploited zero-day vulnerability in Confluence Data Center and Server. Confluence is a Java-based corporate Wiki employed by numerous enterprises. At this time, it is confirmed that all supported versions of Confluence are affected by this vulnerability.

Vulnerability Details

The vulnerability, CVE-2022-26134, is reportedly associated with command injection. An attacker could exploit this vulnerability to execute remote code, and, per reports, it is being actively exploited in the wild. The attacks delivered several payloads, including the in-memory BEHINDER implant as well as web shells, including China Chopper. In addition to the initial attacks outlined in the report, researchers confirmed additional, continued exploitation is ongoing. There is now a Proof of Concept (PoC) available, so exploitation could increase in the near term.

The vulnerability itself appears to be an OGNL injection vulnerability specifically impacting the web server and can be exploited via an HTTP request. It appears that all HTTP methods are vulnerable as well. The exploitation appears to be relatively straightforward and should be resolved immediately either through patching or other mitigations.

Threat Roundup for May 27 to June 3


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between May 27 and June 3. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Thursday, June 2, 2022

Threat Source newsletter (June 2, 2022) — An RSA Conference primer

By Jon Munshaw. 

Welcome to this week’s edition of the Threat Source newsletter. 

Many of you readers may be gearing up for a West Coast swing over the next few weeks through San Francisco and Las Vegas for RSA and Cisco Live, respectively. And we’re right behind you!  

Talos will have plenty of representation at both conferences, including giving lightning talks at the Cisco Secure booth, several feature talks and spots, live podcast recordings, and more. To get you ready for RSA, I wanted to highlight a few special things we’re doing at the conference you should know about before you go.

As always, you can keep posted on our latest plans and talk schedule by following us on Twitter. 

Main booth 

Stop by the main Talos and Cisco Secure booth at Moscone North Hall to say hi, ask questions and get the latest information on what we’re up to. 

At the booth, we’ll be premiering a new video series and giving out some of our newest stickers created in the image of our favorite malware “mascots.” Everyone will be jealous if you have one of these on your laptop. 

Evolving Your Defense: Making Heads or Tails of Threat Actor Trends 

Nick Biasini and Pierre Cadieux are hosting our sponsored session on June 7 at 9:40 a.m. PT. In this talk, they’ll be breaking down the latest threat actor tactics, techniques and procedures and telling you which ones you should be worried about and what can be ignored. 

Beers with Talos/Security Stories 

We’re hosting two live podcasts back-to-back at the Marriott Marquis: Sierra C ballroom from 2 – 5 p.m. PT on June 7. Security Stories and Beers with Talos are getting together to play a game of “Would I lie to you?”  

Talos’ vice president, Matt Watchinski, will be on hand for both episodes, along with other special guests.  

The Beers with Talos episode will cover Talos’ work in Ukraine, and we’ll hear from the audience about their hottest security takes.  
  

The one big thing 


A recently discovered zero-day vulnerability in the Microsoft Windows Support Diagnostic Tool (MSDT) made headlines over the past few days. CVE-2022-30190, also known under the name "Follina," exists when MSDT is called using the URL protocol from an application, such as Microsoft Office, Microsoft Word or via an RTF file. An attacker could exploit this vulnerability to gain the ability to run arbitrary code on the targeted system. 

Why do I care? 

If an attacker were to successfully exploit this vulnerability, they could execute remote code on the targeted machine. Needless to say, that’s bad. This is just the latest in a string of Microsoft vulnerabilities to make headlines over the past 12 months, including PrintNightmare and multiple Exchange Server issues. If those cases have taught us anything, it’s that attackers aren’t afraid to look for vulnerable Microsoft products to try and gain a foothold on a targeted network or machine.  

Wednesday, June 1, 2022

Threat Advisory: Zero-day vulnerability in Microsoft diagnostic tool MSDT could lead to code execution



A recently discovered zero-day vulnerability in the Microsoft Windows Support Diagnostic Tool (MSDT) made headlines over the past few days. CVE-2022-30190, also known under the name "Follina," exists when MSDT is called using the URL protocol from an application, such as Microsoft Office, Microsoft Word or via an RTF file. An attacker could exploit this vulnerability to gain the ability to run arbitrary code on the targeted system.

Although a patch hasn't been released yet, Microsoft has provided workarounds and Windows Defender protections for the CVE and malware exploiting this vulnerability. Cisco Talos has also released coverage to protect against this vulnerability, the full details of which are available below.