Good afternoon, Talos readers.

The Thanksgiving holiday in the U.S. didn't slow us down at all, even though we were all still trying to sleep off the food coma from the long weekend. But we came back this week with lots of fun content.

Cisco received an early Christmas present when we were named a leader in incident response services by a recent IDC MarketScape report. We are incredibly proud of this honor, and you can find out what sets our incident response services apart by reading the blog here.

We're also excited because Cisco Talos Incident Response recently grew with the addition of the CTIR Red Team, which can perform penetration tests (even physical pen tests where they try to access an organization's physical office). Our new case study shows how this team discovered a vulnerability in a customer's website and helped them fix it before the bad guys could exploit it.

Cybersecurity week in review

  • A set of apps on the Google Play store downloaded more than a combined 300,000 times were stealing banking credentials from users. The apps posed as QR code and PDF scanners, and cryptocurrency wallets.
  • Apple is suing the NSO Group, the creator of the Pegasus spyware. The company claims the NSO Group specifically discussed spyware attacks with clients and created around 100 fake Apple IDs to facilitate those attacks.
  • Android 12 is now available to most users, and it comes with several new privacy features. Users now can be more hands-on with customizing privacy settings for certain apps and it's easier to opt-out of personalized ad tracking.
  • Retail chain IKEA is the target of an email-based cyber attack in which adversaries hijack internal email chains. The spam messages "reply all" to existing threads and spread malware links.
  • A vulnerability in a startup blockchain company's network allowed adversaries to steal more than $30 million worth of cryptocurrency tokens. The company says it's attempting to contact the attackers to have the money returned.
  • Thousands of AT&T customers may be infected with data-stealing malware due to years-old vulnerabilities in networking products. The specific vulnerability targeted in this case was first discovered in 2017.
  • Meta, the new Facebook parent company, says it took down a large disinformation campaign on Facebook centered around COVID-19. The group in question spread false claims allegedly from a Swiss scientist who did not actually exist. The company added that Chinese state employees were involved in the campaign.

Notable recent security issues

Windows Installer vulnerability could allow attacker to become admin on systems

Security researchers recently discovered a vulnerability in Windows Installer that could allow a limited user account to elevate its privileges to administrator. This vulnerability affects every supported version of Microsoft Windows, including fully patched Windows 11 and Server 2022. Cisco Talos has already detected malware samples in the wild that are attempting to take advantage of this vulnerability. Microsoft released an update that was intended to fix CVE-2021-41379 on Nov. 9 as part of its monthly security update. Security researcher Abdelhamid Naceri initially discovered this elevation of privilege vulnerability and worked with Microsoft to address it. However, the patch released by Microsoft was not sufficient to remediate the vulnerability, and Naceri published proof-of-concept exploit code on GitHub on Nov. 22 that works despite the fixes implemented by Microsoft. The code Naceri released leverages the discretionary access control list (DACL) of the Microsoft Edge Elevation Service to replace any executable file on the system with an MSI file, allowing an attacker to run code as an administrator.

SNORTⓇ SIDs: 58635 and 58636
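Because the public PoC works by rewriting the DACL on the Edge Elevation Service binary, a quick post-exploitation check is whether low-privilege principals can now write to that file. The script below is an added example for this newsletter, not Talos or Microsoft code. It assumes the service is registered as MicrosoftEdgeElevationService and that its Win32_Service PathName carries the quoted image path; both are assumptions about the environment. A clean DACL does not mean the host is patched, it only means this particular PoC has not been run against that file.

```powershell
# Added example, not Talos or Microsoft code. Flags non-admin principals that hold
# write/modify/full-control rights on the Edge Elevation Service binary, which a
# healthy install does not grant and which is consistent with the DACL abuse the
# PoC performs. Service name and quoted PathName format are assumptions.

$lowPrivPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

function Test-ElevationServiceDacl {
    param([string]$ServiceName = 'MicrosoftEdgeElevationService')   # assumed service name

    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
    if (-not $svc) {
        Write-Warning "Service $ServiceName not found; nothing to check."
        return $null
    }

    # PathName is normally the quoted image path followed by arguments; keep the path only.
    $exe = if ($svc.PathName -match '^"([^"]+)"') { $Matches[1] } else { ($svc.PathName -split ' ')[0] }

    $acl = Get-Acl -LiteralPath $exe
    # Any of these rights lets a caller replace or re-permission the binary.
    $writeMask = [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl, TakeOwnership, ChangePermissions'

    $findings = foreach ($rule in $acl.Access) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        if ($lowPrivPrincipals -notcontains $rule.IdentityReference.Value) { continue }
        if (($rule.FileSystemRights -band $writeMask) -ne 0) {
            [pscustomobject]@{
                File      = $exe
                Principal = $rule.IdentityReference.Value
                Rights    = $rule.FileSystemRights
                Inherited = $rule.IsInherited
            }
        }
    }

    [pscustomobject]@{
        File     = $exe
        Owner    = $acl.Owner      # an owner other than TrustedInstaller/Administrators is also worth a look
        Findings = @($findings)
    }
}

$result = Test-ElevationServiceDacl
if ($result) {
    if ($result.Findings.Count -eq 0) {
        Write-Host "OK: no low-privilege write access on $($result.File) (owner: $($result.Owner))"
    } else {
        Write-Warning "Low-privilege principals can modify $($result.File):"
        $result.Findings | Format-Table -AutoSize
    }
}
```

Run it from an elevated prompt so Get-Acl can read the full descriptor. A hit (for example BUILTIN\Users with FullControl, non-inherited) is a reason to pull Windows Installer and rollback events from the host and to check whether the binary still matches the one Microsoft shipped; the Snort rules listed above cover the network side of the same activity.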

Emotet re-emerges, begins rebuilding to wrap up 2021

Emotet has been one of the most widely distributed threats over the past several years. It has typically been observed being distributed via malicious spam email campaigns, and often leads to additional malware infections as it provides threat actors with an initial foothold in an environment. These email campaigns exhibit characteristics previously described here. International police announced a takedown campaign to disrupt Emotet in early 2021, effectively removing the botnet from the threat landscape. But as of last week, Emotet has re-emerged and has been observed establishing the infrastructure and distribution required to rebuild the botnets. While the current distribution campaigns are not at the same volumes as those previously observed when Emotet was at full strength, this is likely the beginning of a resurgence in Emotet activity that will continue to amplify as more systems become infected and are leveraged for spam distribution.

SNORTⓇ SIDs: 548402, 43890, 51971, 55931 and 57901

ClamAV signatures: Xls.Downloader.EmotetExcel112100-9910690-0, Doc.Downloader.EmotetRed112100-9910732-0, Win.Trojan.Emotet11210-9911407-0

Most prevalent malware files this week

SHA 256: 0ab024b0da0436fddc99679a74a26fdcd9851eb00e88ff2998f001ccd0c9016f

MD5: ee30d6928c9de84049aa055417cc767e

Typical Filename: app.exe

Claimed Product: N/A

Detection Name: Glupteba::gravity::W32.Auto:0ab024b0da.in03.Talos

SHA 256: 5bab2ae1cada90f37b821e4803912c5b351fda417bbf0a9c768b715c6d492e13

MD5: a6a7eb61172f8d988e47322ebf27bf6d

Typical Filename: wx.exe

Claimed Product: N/A

Detection Name: Win.Dropper.Wingo::in07.talos

SHA 256: 1b259d8ca9bb4579feb56748082a32239a433cea619c09f827fd6df805707f37

MD5: a5e345518e6817f72c9b409915741689

Typical Filename: swupdater.exe

Claimed Product: Wavesor SWUpdater

Detection Name: W32.1B259D8CA9.Wavesor.SSO.Talos

SHA 256: e5044d5ac2f8ea3090c2460a5f7d92a5a49e7fa040bf26659ec2f7c442dda762

MD5: 6ea750c9d69b7db6532d90ac0960e212

Typical Filename:

Claimed Product: N/A

Detection Name: Auto.E5044D5AC2.242358.in07.Talos

SHA 256: 1487f122c92f3bade35e03b6b0554a80b1563f2c167d9064263845653d912ec6

MD5: ee62e8f42ed70e717b2571c372e9de9a

Typical Filename: lHe

Claimed Product: N/A

Detection Name: W32.Gen:MinerDM.24ls.1201

Keep up with all things Talos by following us on Twitter. Snort and ClamAV also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast here and Talos Takes here (as well as on your favorite podcast app). And, if you're not already, you can also subscribe to the weekly Threat Source newsletter here.