Good afternoon, Talos readers.
No, that's not Ratatouille. It's ServHelper, which is much more dangerous than (albeit just as cute as) the cartoon chef. We have a new blog post out today detailing this RAT, run by the threat actor group TA505, that is stealing credit card data and other sensitive information. We've been tracking this actor for a while now, and recently saw a huge spike in their activity. Find out what this means for your organization in our blog post and accompanying one-page overview.
Obviously, there are plenty more scary things to worry about on the threat landscape. And for that, there's the Talos Incident Response Quarterly Threat Report, where we run down the top TTPs, malware families and actors our incident responders are seeing in the wild.
As if all of that wasn't scary enough, you also need to make sure to update your Microsoft products as soon as possible after Patch Tuesday. Microsoft disclosed 44 vulnerabilities as part of its monthly security updates, two of which have a 9.8 severity score out of a possible 10.
Upcoming Talos public engagements
Speaker: Chris DiSalle
Date: Sept. 9
Description: Chris DiSalle from Talos Incident Response will join the Technado podcast to share the ins and outs of the IR industry. Chris will talk to host Don Pezet about how he got started in incident response, horror stories he's seen in the field, and much more.
Speaker: Vitor Ventura
Date: Oct. 7 - 8
Description: Android malware has become prevalent across the landscape. In this workshop, Vitor Ventura will show you reverse engineering techniques for Android malware. This workshop is designed to provide the participants with different approaches to malware analysis so they can perform their own analysis without the use of automated tools. When everything else fails, we need to know what's under the hood. This workshop will cover malware unpacking, string deobfuscation, command and control protocol identification and feature identification.
Cybersecurity week in review
- International consulting company Accenture confirmed it was hit with a LockBit ransomware attack this week. Though the company recovered quickly using backups, the LockBit operators still claimed they were selling some stolen databases on its dark website.
- Just days before the attack, Australia's government warned organizations that it was tracking an uptick in LockBit attacks. The Australian Cyber Security Centre released an advisory saying that LockBit was targeting "a variety of sectors including professional services, construction, manufacturing, retail and food."
- A massive infrastructure spending package passed in the U.S. Senate this week includes $1.9 billion for cybersecurity. The money includes a large allotment for the federal government to provide to smaller governments looking to improve their cybersecurity defenses, mainly rural communities.
- An affiliate with the Conti ransomware network leaked the malware group's playbook after the operator claimed they were underpaid. The playbook includes information on the group's Cobalt Strike beacons, and a group of commonly used tools.
- A recently discovered vulnerability in Cobalt Strike could leave attacker-controlled botnets open to compromise. Although Cobalt Strike was created as a legitimate red-team tool, attackers commonly abuse it for malicious purposes.
- As more employers, entertainment venues and colleges require a COVID-19 vaccination, the market for counterfeit vaccine cards is rising. Naturally, many of these services come riddled with additional scams.
- Adobe patched 26 vulnerabilities in the Magento e-commerce platform, most of which are considered critical. Many Magento users are targeted with the Magecart card-skimming malware.
- Apple announced a new initiative to scan iCloud accounts for potential images of child abuse. However, security advocates are raising concerns about the company's visibility into users' private photos and videos.
- Attackers stole $600 million worth of virtual currency from the cryptocurrency platform Poly Network, which led to the company writing a "Dear hacker" note that went viral. Some individual victims also reached out directly to the attacker asking for some of their money back.
Notable recent security issues
Description: Microsoft released its monthly security update Tuesday, disclosing 44 vulnerabilities in the company’s firmware and software. This is the fewest vulnerabilities Microsoft has patched in a month in more than two years. There are only nine critical vulnerabilities included in this release, and the remainder are rated “important.” The most serious of the issues is CVE-2021-26424, a remote code execution vulnerability in the Windows TCP/IP protocol implementation. An attacker could remotely trigger this vulnerability from a Hyper-V guest by sending a specially crafted TCP/IP packet to a host utilizing the TCP/IP protocol stack. This raises the possibility of a malicious program running in a virtual machine compromising the host environment.
Snort SIDs: 57997 – 57999, 58003
Description: Cisco Talos recently discovered multiple vulnerabilities in AT&T Labs’ Xmill utility. An attacker could take advantage of these issues to carry out a variety of malicious actions, including corrupting the application’s memory and gaining the ability to execute remote code. Xmill and Xdemill are utilities that are purpose-built for XML compression and decompression, respectively. These utilities claim to be roughly two times more efficient at compressing XML than other compression methods. As of publishing, AT&T Labs is no longer supporting this software and, therefore, will not be issuing any patches. The software, released in 1999, can still be found in modern software suites, such as Schneider Electric's EcoStruxure Control Expert. Schneider is working to fix issues directly affecting their products.
Snort SIDs: 57503 - 57508
Most prevalent malware files this week
Typical Filename: ww31.exe
Claimed Product: N/A
Detection Name: W32.GenericKD:Attribute.24ch.1201
Typical Filename: smbscanlocal0906.exe
Claimed Product: N/A
Detection Name: Win.Dropper.Ranumbot::in03.talos
Typical Filename: bld.exe
Claimed Product: cleaper.exe
Detection Name: W32.Auto:4d59e857c6.in03.Talos
Typical Filename: ybcbqgo5z.dll
Claimed Product: N/A
Detection Name: Win.Dropper.Ecltys::1201
Typical Filename: mg20201223-1.exe
Claimed Product: N/A
Detection Name: RanumBot::mURLin::W32.5E46ECFFCF.in12.Talos
Keep up with all things Talos by following us on Twitter. Snort, ClamAV and Immunet also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast here and Talos Takes here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.