Good afternoon, Talos readers.

No, that's not Ratatouille. It's ServHelper, who is much more dangerous (albeit just as cute) as the cartoon chef. We have a new blog post out today detailing this RAT, run by the threat actor Group TA505, that is stealing credit card data and other sensitive information. We've been tracking this actor for a while now, and recently saw a huge spike in their activity. Find out what this means for your organization in our blog post and accompanying one-page overview.

Obviously, there are plenty more scary things to worry about on the threat landscape. And for that, there's the Talos Incident Response Quarterly Threat Report, where we run down the top TTPs, malware families and actors our incident responders are seeing in the wild.

As if all of that wasn't scary enough, you also need to make sure to update your Microsoft products as soon as possible after Patch Tuesday. Microsoft disclosed 44 vulnerabilities as part of its monthly security updates, two of which have a 9.8 severity score out of a possible 10.

Upcoming Talos public engagements

CTIR on the Technado podcast

Speaker: Chris DiSalle

Date: Sept. 9

Location: Virtual

Description: Chris DiSalle from Talos Incident Response will join the Technado podcast to share the ins and outs of the IR industry. Chris will talk to host Don Pezet about how he got started in incident response, horror stories he's seen in the field, and much more.

Workshop: Analysing Android malware at VirusBulletin localhost 2021

Speaker: Vitor Ventura

Date: Oct. 7 - 8

Location: Virtual

Description: Android malware has become prevalent across the landscape. In this workshop, Vitor Ventura will show you reverse engineering techniques for Android malware. This workshop is designed to provide the participants with different approaches to malware analysis so they can perform their own analysis without the use of automated tools. When everything else fails, we need to know what's under the hood. This workshop will cover malware unpacking, string deobfuscation, command and control protocol identification and feature identification.

Cybersecurity week in review

  • International consulting company Accenture confirmed it was hit with a LockBit ransomware attack this week. Though the company recovered quickly using backups, the LockBit operators still claimed they were selling some stolen databases on its dark website.
  • Just days before the attack, Australia's government warned organizations that it was tracking an uptick in LockBit attacks. The Australian Cyber Security Centre released an advisory saying that LockBit was targeting, "a variety of sectors including professional services, construction, manufacturing, retail and food."
  • A massive infrastructure spending package passed in the U.S. Senate this week includes $1.9 billion for cybersecurity. The money includes a massive allotment for the federal government to provide to smaller governments looking to improve their cybersecurity defenses, mainly rural communities.
  • An affiliate with the Conti ransomware network leaked the malware group's playbook after the operator claimed they were underpaid. The playbook includes information on the group's Cobalt Strike beacons, and a group of commonly used tools.
  • A recently discovered vulnerability in Cobalt Strike could leave attacker-controlled botnets open to compromise. Although Cobalt Strike is a tool created for legitimate purposes, attackers commonly use it for malicious purposes.
  • As more employers, entertainment venues and colleges require a COVID-19 vaccination, the market for counterfeit vaccine cards is rising. Naturally, many of these services come riddled with additional scams.
  • Adobe patched 26 vulnerabilities in the Magneto e-commerce platform, most of which are considered critical. Many Magneto users are targeted with the Magecart card-skimming malware.
  • Apple announced a new initiative to scan iCloud accounts for potential images of child abuse. However, security advocates are raising concerns about the company's visibility into users' private photos and videos.
  • Attackers stole $600 million worth of virtual currency from the cryptocurrency platform Poly Network, which led to the company writing a "Dear hacker" note that went viral. Some individual victims also reached out directly to the attacker asking for some of their money back.

Notable recent security issues

Title: Microsoft discloses 44 vulnerabilities as part of Patch Tuesday, lowest in two years

Description: Microsoft released its monthly security update Tuesday, disclosing 44 vulnerabilities in the company’s firmware and software. This is the fewest amount of vulnerabilities Microsoft has patched in a month in more than two years. There are only nine critical vulnerabilities included in this release, and the remainder is “important.” The most serious of the issues is CVE-2021-26424 a remote code executing vulnerability that exists in the Windows TCP/IP protocol implementation. An attacker could remotely trigger this vulnerability from a Hyper-V guest by sending a specially crafted TCP/IP packet to a host utilizing the TCP/IP protocol stack. This raises the possibility of a malicious program running in a virtual machine compromising the host environment.

Snort SIDs: 57997 – 57999, 58003

Title: Multiple vulnerabilities in AT&T Labs’ Xmill utility

Description: Cisco Talos recently discovered multiple vulnerabilities in AT&T Labs’ Xmill utility. An attacker could take advantage of these issues to carry out a variety of malicious actions, including corrupting the application’s memory and gaining the ability to execute remote code. Xmill and Xdemill are utilities that are purpose-built for XML compression and decompression, respectively. These utilities claim to be roughly two times more efficient at compressing XML than other compression methods. As of publishing, AT&T Labs is no longer supporting this software and, therefore, will not be issuing any patches. The software, released in 1999, can still be found in modern software suites, such as Schneider Electric's EcoStruxure Control Expert. Schneider is working to fix issues directly affecting their products.

Snort SIDs: 57503 - 57508

Most prevalent malware files this week

SHA 256: c1d5a585fce188423d31df3ea806272f3daa5eb989e18e9ecf3d94b97b965f8e

MD5: 9a4b7b0849a274f6f7ac13c7577daad8

Typical Filename: ww31.exe

Claimed Product: N/A

Detection Name: W32.GenericKD:Attribute.24ch.1201

SHA 256: 9a74640ca638b274bc8e81f4561b4c48b0c5fbcb78f6350801746003ded565eb

MD5: 6be10a13c17391218704dc24b34cf736

Typical Filename: smbscanlocal0906.exe

Claimed Product: N/A

Detection Name: Win.Dropper.Ranumbot::in03.talos

SHA 256: 4d59e857c6923b6ead19109dbf591bbe93f3407153c992ad35fc6ed8969a34c3

MD5: 963aa12c1d0427cb154d519f21358ab4

Typical Filename: bld.exe

Claimed Product: cleaper.exe

Detection Name: W32.Auto:4d59e857c6.in03.Talos

SHA 256: f682bdbd612c0215192be6c52f08f10c01e7af9a3136c2f67ec3e7ba563f565d

MD5: 0b506c6dde8d07f9eeb82fd01a6f97d4

Typical Filename: ybcbqgo5z.dll

Claimed Product: N/A

Detection Name: Win.Dropper.Ecltys::1201

SHA 256: 5e46ecffcff9440e97bf4f0a85ad34132407f925b27a8759f5a01de5ea4da6af

MD5: 0a13d106fa3997a0c911edd5aa0e147a

Typical Filename: mg20201223-1.exe

Claimed Product: N/A

Detection Name: RanumBot::mURLin::W32.5E46ECFFCF.in12.Talos

Keep up with all things Talos by following us on Twitter. Snort, ClamAV and Immunet also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast here and Talos Takes here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.