Good afternoon, Talos readers.

The good news keeps rolling in for our Incident Response team, who received another accolade by being featured in Forrester's recent quarterly report on the incident readiness industry. This comes on the heels of the team also being named a leader in IR services in an IDC MarketScape report.

If you are looking for a great holiday gift for the IT lover in your life, you should make sure to get your free copy of the SNORTⓇ calendar now. All you have to do is fill out this quick survey to get your free copy. (Sorry, shipping in the U.S. only.)

Cybersecurity week in review

  • Multiple U.S. State Department employees had their iPhones infected with the Pegasus spyware, according to a recent report. Apple recently sued the NSO Group, the creator of Pegasus, for targeting their devices with the spyware.
  • Someone sent anti-work messages to businesses across the U.S. last week by hijacking receipt printers. The printers produced a long message encouraging employees to talk about their pay with co-workers and to quit if they are unhappy with their jobs.
  • Many large tech companies, including Google, are making multi-factor authentication mandatory for their employees. But attackers are already developing workarounds.
  • Several important Maryland Department of Health services were disrupted after a cyber attack. As of Wednesday afternoon, the department had not updated its COVID-19 tracking information as hospitalizations rose in the state. However, officials say no private data has been compromised.
  • A network access broker named "Babam" has become increasingly popular over the past two years, selling stolen VPN credentials to threat actors so they can enter targeted networks and spread malware. Here's what researchers know so far about Babam.
  • Employees in all industries are experiencing serious burnout almost two full years into the COVID-19 pandemic and a new work-from-home reality. That's leading many organizations and individuals to make poor security decisions.
  • Microsoft seized more than 10,000 Chinese websites the company says were used by "highly sophisticated" threat actors. The group allegedly targeted government agencies, think tanks, and human rights organizations in the U.S. and 28 other countries since at least 2016.
  • Google says it's successfully disrupted the Glupteba botnet. The company disabled more than 100 Google accounts used by the threat actor, filed a lawsuit against its alleged operators and shut down servers the botnet used.
  • Israel recently led a 10-country exercise that simulated a comprehensive cyber attack on the global financial system. The exercise involved a series of hypothetical attacks against global foreign exchange and bond markets, and transactions between importers and exporters.

Notable recent security issues

Magnat campaigns use malvertising to deliver information stealer, backdoor and malicious Chrome extension

Talos recently observed a malicious campaign offering fake installers of popular software as bait to get users to execute malware on their systems. This activity comprises a set of malware distribution campaigns that started in late 2018 and have targeted mainly Canada, along with the U.S., Australia and some EU countries. Two undocumented malware families (a backdoor and a Google Chrome extension) are consistently delivered together in these campaigns. An unknown actor with the alias "Magnat" is the likely author of these new families and has been constantly developing and improving them. The attacker's motivations appear to be financial gain from selling stolen credentials, fraudulent transactions and Remote Desktop access to systems.

SNORTⓇ SIDs: 58650 and 58651

ClamAV signature: Win.Dropper.MagnatExtension-9911899-0

Software company Zoho warned users that they should update their Desktop Central and Desktop Central MSP services as soon as possible. Attackers are actively exploiting a vulnerability in the products, tracked as CVE-2021-44515, that could allow them to bypass authentication and execute arbitrary code on affected ManageEngine Desktop Central servers. Zoho also released an exploit detection tool for organizations to see if they had been targeted by attackers using this vulnerability.


Most prevalent malware files this week

SHA 256: 0ab024b0da0436fddc99679a74a26fdcd9851eb00e88ff2998f001ccd0c9016f

MD5: ee30d6928c9de84049aa055417cc767e

Typical Filename: app.exe

Claimed Product: N/A

Detection Name: Glupteba::gravity::W32.Auto:0ab024b0da.in03.Talos

SHA 256: 5bab2ae1cada90f37b821e4803912c5b351fda417bbf0a9c768b715c6d492e13

MD5: a6a7eb61172f8d988e47322ebf27bf6d

Typical Filename: wx.exe

Claimed Product: N/A

Detection Name: Win.Dropper.Wingo::in07.talos

SHA 256: 1b259d8ca9bb4579feb56748082a32239a433cea619c09f827fd6df805707f37

MD5: a5e345518e6817f72c9b409915741689

Typical Filename: swupdater.exe

Claimed Product: Wavesor SWUpdater

Detection Name: W32.1B259D8CA9.Wavesor.SSO.Talos

SHA 256: e5044d5ac2f8ea3090c2460a5f7d92a5a49e7fa040bf26659ec2f7c442dda762

MD5: 6ea750c9d69b7db6532d90ac0960e212


Typical Filename:

Claimed Product: N/A

Detection Name: Auto.E5044D5AC2.242358.in07.Talos

SHA 256: 1487f122c92f3bade35e03b6b0554a80b1563f2c167d9064263845653d912ec6

MD5: ee62e8f42ed70e717b2571c372e9de9a

Typical Filename: lHe

Claimed Product: N/A

Detection Name: W32.Gen:MinerDM.24ls.1201

Keep up with all things Talos by following us on Twitter. Snort and ClamAV also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast here and Talos Takes here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.