Welcome to this week’s edition of the Threat Source newsletter.

I am back after more than three months away from Talos on parental leave. Having a baby really resets your expectations for “keeping up” with the world. From November through mid-January or so I had no idea what was going on with the outside world, I only cared about my daughter’s feeding schedule and tried to squeeze in 30-minute naps where I could.

I’ve slowly started to re-introduce myself to social media and the news world at large over the past few weeks so my return to work wasn’t so abrupt, and I missed quite a bit. There was a stretch there where I was only getting the latest headlines from Weekend Update on “Saturday Night Live.”

My teammates Madison Burns and Bill Largent did a fantastic job filling in for me on the newsletter while I was out, but I figured it was worth taking the time to recap some major stories it seemed like I missed since Nov. 1.

Maybe our readers were also distracted during this period, it was the holidays after all and it’s easy for stories to slip through the cracks while we all have so much going on. Here are a few major trends and storylines that stood out to me while I caught up on the top security stories of late 2022 and early 2023.

  • The Russia-Ukraine war continues to evolve on all fronts, and the cyber attacks certainly haven’t slowed. Ukraine reported several state-sponsored attacks in early 2023, including against the country's national news agency. The infamous WhisperGate malware came back, too, looking to wipe data and steal sensitive information from high-profile Ukrainian targets. And the Gamaredon APT continues to do its thing. Thankfully, defenders made some headway in combatting Russian state-sponsored groups, as I’ll cover below.
  • The spyware industry boomed in 2022 and I suspect we’ll be hearing a lot about it going forward. This type of borderline-illegal software installed on users’ phones can track their every move and message and is often used to target high-profile users like politicians, activists and journalists. Spyware is proliferating all over the world and is now being used by many countries’ governments, including the U.S. But President Joe Biden’s administration has several moves in the works to try and combat foreign company’s spyware from making onto Americans’ phones.
  • The Lapsus$ ransomware group is still one of the most prolific threat actors out there. Cisco Talos researchers have extensively covered Lapsus$ throughout 2022, but it struck several times in late 2022 and early 2023, including threatening to leak “League of Legends’” source code and breaching authentication company Okta. That’s on top of other major attacks from earlier in ‘22 against T-Mobile, Uber and more.
  • AI is all over the place, from art, to voice acting and now full-on search engines. One of the most controversial tools, ChatGPT, has already entered the malware space. The chatbot, released in November, has already shown it can write "polymorphic" malware that can repeatedly mutate to avoid traditional detection methods. Scammers and threat actors are also using  ChatGPT to generate convincing spear-phishing emails quickly and impersonate people the targeted user may personally know.

The one big thing

This month’s Microsoft Patch Tuesday updates included three zero-day vulnerabilities that the company says are being actively used in attacks in the wild. CVE-2023-23376, CVE-2023-21715 and CVE-2023-21823 have all already been spotted in active attacks, according to Microsoft’s monthly patch release. In all, Microsoft disclosed 73 vulnerabilities. Of these vulnerabilities, eight are classified as “critical,” 64 are classified as “important” and one vulnerability is classified as “moderate.”

Why do I care?

The most severe of the issues disclosed Tuesday is CVE-2023-21823, a Windows graphics component remote code execution vulnerability. An attacker could exploit this vulnerability to gain System-level privileges. Outside of that, it’s always important to update all Microsoft products anyway after a Patch Tuesday.

So now what?

Users of any Microsoft products should apply these updates as soon as possible. Additionally, Talos released new Snort rules that detect attempts to exploit some of these vulnerabilities. Cisco Secure Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

Top security headlines of the week

Several Russian nationals are facing new sanctions and have been unmasked as members of the Trickbot and Conti ransomware gangs. The actors are involved in various activities with these groups, ranging from developing ransomware code, to money laundering and managing command and control servers. The U.S. and U.K. governments also made a renewed push to unmask and name many of these actors, removing their anonymity and making it more difficult for them to operate in secrecy. Recent studies have shown that these types of sanctions are working to slow Russian state-sponsored ransomware attacks. (Wired, CPO Magazine)

While much of the headlines recently have centered around the infamous Chinese spy balloon and other unknown objects the U.S. military keeps shooting out of the sky, global government officials are warning that China’s cyber attack capabilities are still the most pressing threat. Taiwan’s government has already been the target of several high-profile defacement attacks in recent years, and the country recently established an entirely new government bureau to bolster its cyber security capabilities. The FBI’s Director is also offering new services and olive branches to private security companies who are looking to combat China’s growing surveillance and cyber capabilities. (Bloomberg, Wall Street Journal)

Social media site Reddit says it was the recent target of a “sophisticated and highly targeted phishing attack.” The adversaries gained access to “documents, code and some internal business systems,” though the company said no usernames or passwords are affected. Attackers duped a Reddit employee into approving a multi-factor authentication push notification, though the employee acted quickly and notified Reddit’s security team immediately upon realizing their mistake. (Dark Reading, Reddit)

Can’t get enough Talos?

Upcoming events where you can find Talos

WiCyS (March 16 - 18)

Denver, CO

RSA (April 24 - 27)

San Francisco, CA

Most prevalent malware files from Talos telemetry over the past week

SHA 256: e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934
MD5: 93fefc3e88ffb78abb36365fa5cf857c
Typical Filename: Wextract
Claimed Product: Internet Explorer
Detection Name: PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg

SHA 256: e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c
MD5: a087b2e6ec57b08c0d0750c60f96a74c
Typical Filename: AAct.exe
Claimed Product: N/A
Detection Name: PUA.Win.Tool.Kmsauto::1201

SHA 256: 59f1e69b68de4839c65b6e6d39ac7a272e2611ec1ed1bf73a4f455e2ca20eeaa
MD5: df11b3105df8d7c70e7b501e210e3cc3
Typical Filename: DOC001.exe
Claimed Product: N/A
Detection Name: Win.Worm.Coinminer::1201

SHA 256: 36efad0617db0d45de00cc4f3cf49af7c2d6b5b15ca456d13703b5d366c58431
MD5: 147c7241371d840787f388e202f4fdc1
Typical Filename: EKSPLORASI.EXE
Claimed Product: N/A
Detection Name: Win32.Generic.497796

SHA 256: 125e12c8045689bb2a5dcad6fa2644847156dec8b533ee8a3653b432f8fd5645
MD5: 2c8ea737a232fd03ab80db672d50a17a
Typical Filename: LwssPlayer.scr
Claimed Product: 梦想之巅幻灯播放器
Detection Name: Auto.125E12.241442.in02