Welcome to 2024! 

The Threat Source newsletter is back after our winter break. 

When I wasn’t spending my downtime chasing around my toddler, one of my main projects was to upgrade the internet connection at my house. My ISP started offering Gigabit speeds and a 60 GHz connection, which was appealing to me as someone who is always on a quest to find the best way to stream PS5 games to my Steam Deck. 

This sent me down a path of reconfiguring my home network and re-adding a bunch of devices to a new network. And even though this sounds like a totally basic skill for anyone who works in cybersecurity, it was a big deal for me to set up a separate IoT-only network. 

Many readers may have even gotten a new IoT device for a holiday gift. This mobile projector was featured on several “Top Gifts of 2023” lists I was looking at in December, and there are always the slam dunk gifts of a new home AI assistant like Google Home or the Amazon Echo Show to control all things “smart” in your home. 

And we all know that, by being connected to the internet, many of these IoT devices are going to be vulnerable to adversaries. Last week, researchers found a network-connected torque wrench used in many industrial environments could be infected with ransomware.  

There are many examples of WiFi-enabled home cameras, assistants and doorbells vulnerable to a wide range of security issues, so I don’t think I need to run down those dangers in this newsletter. I wanted to take this space to share a few reminders and best practices of how to best set up these devices and manage them. This is a topic I covered previously in video format a few years ago, but I’m sure much of the UI/UX in this tutorial has changed since then, and I feel like I learned quite a bit from “YouTube University” over the past week or so in my own journey. 

• Use network mapping software to track which devices connect to your network using what communication methods. NetworkMaps is a free, open-source option that I used when I was taking cybersecurity courses online.  
• Create an IoT-specific network. This was super easy for me to do with the Gigabit-enabled router my ISP sent me, but I set up a network specifically for these devices to connect to (like my baby monitor, smart TVs, etc.) with a completely different network name and password from my “main” network. This keeps these devices segmented so that, if a bad guy is lurking, they stay on that IoT-specific network that doesn’t talk to your more sensitive devices like a work laptop. 
• Make sure your router’s firewall is enabled, disable WPS and enable the WPA2 or WPA3 security protocol. 
• Immediately change the default usernames and passwords that come with any new WiFi-connected device you’re setting up. 
• Any home routers or IoT devices could point to OpenDNS servers for an additional (and free!) layer of security.
• Disable any additional features or data-sharing you feel like you don’t need. The prime example of this for me is Amazon Sidewalk, the community network that allows Amazon devices to talk to one another and send alerts to users about various goings-on in their respective communities. The main drawback for me is that it allows your neighbors to pull off just a little of your internet bandwidth for their connected devices, too, and opens a whole slew of privacy concerns. 

The one big thing 

Cisco Talos recently worked with fellow security company Avast to release a new version of the decryptor for the Babuk ransomware. Our researchers obtained executable code capable of decrypting files affected by the Babuk Tortilla ransomware variant, allowing Talos to extract and share the private decryption key used by the threat actor in its latest variant. 

Why do I care? 

Babuk is one of the most prevalent ransomware families in the wild right now, so any additional resources for victims to potentially recover faster, and for free, is good news. And Dutch Police, acting on threat intelligence supplied by Talos, identified, apprehended and the Dutch Prosecution Office prosecuted the threat actor behind Babuk Toa bad guy is lurkingtilla operations, demonstrating the power of cooperation between law enforcement agencies and commercial security organizations such as Talos and Avast.  

So now what? 

The newest version of the decryptor is now available through No More Ransom, or directly on Avast’s website. Continued action from law enforcement to track down, apprehend and charge the operators behind ransomware is one of the many important steps we can take as a society and security community to reduce the prevalence of ransomware. 

Top security headlines of the week 

Security researchers are warning of actively exploited vulnerabilities in the Ivanti Connect Secure VPN that, as of Wednesday, still did not have a patch available. The vulnerabilities are an authentication bypass flaw (CVE-2023-46805) and a command injection issue (CVE-2024-21887). An adversary could chain these vulnerabilities to execute arbitrary commands on the targeted appliance. Incident response firm Volexity said earlier this week that government agencies and military branches across the globe, as well as several Fortune 500 private companies. Chinese state-sponsored actor UTA0178 is suspected to be behind the exploitation of these vulnerabilities, some dating back to December. Ivanti says it is still developing patches for these issues, one of which may not be available until mid-February. In the meantime, users should follow the mitigation steps outlined by Ivanti, and implement a new scanner that can detect exploitation attempts. (DarkReading, SecurityWeek) 

Britain’s national library is working to restore its online services 11 weeks after a cyber attack, though a full recovery may take until the end of the year. The British Library started restoring read-only versions of its online catalog last week, including records of printed and rare books, maps, journals and music scores. The Rhysida ransomware group initially took credit for the attack in October 2023, claiming it was offering personal information for sale on the dark web. The library eventually confirmed that some employee data had been stolen in the attack, and it had to temporarily take its entire catalog offline. The attack also held up the payment system for which the library rewards authors and creators each time one of their works is checked out. (The Guardian, The New York Times) 

Chinese government officials have apparently found a way to de-anonymize Apple AirDrop users to track anyone sharing content that’s outlawed by the country. AirDrop is normally encrypted, and has been used previously to share messages, content and art with other iPhone users in public that is against the ruling Communist Party in China. But the Beijing municipal government's justice bureau says China-backed experts have found a way to carry out a complex encryption attack to reveal the original sender of the messages and prosecute them. In November 2022, Apple updated AirDrop settings so users in China could only opt-in to receive files from unknown contacts during a 10-minute window before it automatically shut off. The feature did not previously have a time limit. Translations of government statements indicate that the method involves what are known as “rainbow tables” to defeat the measures AirDrop has in place to obfuscate users' phone numbers and email addresses. (Ars Technica, CBS) 

Can’t get enough Talos? 

• Beers with Talos Ep. #142: Talos Speed Dating (the episode we never set out to make but did anyway) 
• Intellexa and Cytrox: From fixer-upper to Intel Agency-grade spyware 
• Microsoft starts off new year with relatively light Patch Tuesday, no zero-days 
• Video series discussing the major threat actor trends from 2023 
• Year in Malware 2023: Recapping the major cybersecurity stories of the past year 

Most prevalent malware files from Talos telemetry over the past week  

SHA 256: b8aec57f7e9c193fcd9796cf22997605624b8b5f9bf5f0c6190e1090d426ee31 
MD5: 2fb86be791b4bb4389e55df0fec04eb7 
Typical Filename: KMSAuto Net.exe 
Claimed Product: KMSAuto Net 
Detection Name: W32.File.MalParent 

SHA 256: 36efad0617db0d45de00cc4f3cf49af7c2d6b5b15ca456d13703b5d366c58431 
MD5: 147c7241371d840787f388e202f4fdc1 
Typical Filename: EKSPLORASI.EXE 
Claimed Product: N/A  
Detection Name: Win32.Generic.497796 

SHA 256: 1fa0222e5ae2b891fa9c2dad1f63a9b26901d825dc6d6b9dcc6258a985f4f9ab 
MD5: 4c648967aeac81b18b53a3cb357120f4 
Typical Filename: yypnexwqivdpvdeakbmmd.exe 
Claimed Product: N/A  
Detection Name: Win.Dropper.Scar::1201 

SHA 256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91  
MD5: 7bdbd180c081fa63ca94f9c22c457376 
Typical Filename: c0dwjdi6a.dll 
Claimed Product: N/A  
Detection Name: Trojan.GenericKD.33515991 

SHA 256: 39b0d4bad98713924775595834f1e07598a12c2622977578739222e09766066c 
MD5: a543017b4fa809e9f6b7251e7c14a5b0 
Typical Filename: a543017b4fa809e9f6b7251e7c14a5b0 
Claimed Product: N/A   
Detection Name: Auto.39B0D4BAD9.232061.in07.Talos