Good afternoon, Talos readers.

Even though we're nearly a month into 2022, we're still not quite ready to move on from 2021. That's why next week, we'll be going live on social media to talk about some of the top cybersecurity stories from the past year.

Liz Waddell from Talos Incident Response and Matt Olney from our threat intelligence team will be joining Hazel Burton from Cisco Secure to talk about everything from Log4j to supply chain attacks. You can find this stream live on any of Cisco Secure's social media platforms or the Talos YouTube page.

Cybersecurity week in review

  • In the latest round of cyber incidents in Ukraine, attackers hijacked many government-run websites and some agencies even lost important data. Microsoft was the first security research team to discover the attack, who dubbed it "WhisperGate."
  • Security experts and government leaders are struggling with how to address these cyber attacks. Given the sensitivity around Ukraine and Russia currently, it's unclear if these could be constituted as an act of war or anything that could lead to kinetic warfare.
  • Russian authorities arrested several alleged members of the REvil ransomware group at the request of U.S. authorities. It also seized multiple millions of dollars in international currencies that likely came from cyber attacks.
  • UniCC, one of the largest darknet forums for selling stolen credit card information, shut down last week when its founder retired. The creator of the forum claims to have made $358 million during the site's lifespan.
  • U.S. Cyber Command formally attributed the MuddyWater threat actor as an Iranian state-sponsored actor. The government also released an outline of the group's tactics, techniques and procedures (TTPs) and likely entry points into victims' networks.
  • North Korean state-sponsored actors stole nearly $400 million worth of cryptocurrency in 2021. There were a reported seven different intrusions against different virtual currency wallets and trading sites from these groups.
  • Two high-profile women's rights activists recently came forward saying they were being tracked by the Pegasus spyware. This particular case highlights how much more detrimental this type of tracking can be to female targets.
  • Microsoft released fixes for a Patch Tuesday update that interrupted some types of VPN connections. The original updates earlier this month were meant to fix vulnerabilities in Microsoft Server.
  • Attackers cloned a U.S. Department of Labor website to look like its hosting official government contracts. However, the phony website instead points to malicious links that harvest the credentials of any users who try to log in.

Notable recent security issues

Attackers use AWS, Azure, to spread group of RATs

Cisco Talos discovered a malicious campaign in October 2021 delivering variants of Nanocore, Netwire and AsyncRATs targeting user's information. According to Cisco Secure product telemetry, the victims of this campaign are primarily distributed across the United States, Italy and Singapore. The actor used complex obfuscation techniques in the downloader script. Each stage of the deobfuscation process results with the decryption methods for the subsequent stages to finally arrive at the actual malicious downloader method. The campaign is the latest example of threat actors abusing cloud services like Microsoft Azure and Amazon Web Services and are actively misusing them to achieve their malicious objectives.

Snort SIDs: 58758 – 58773

ClamAV signatures:

  • Ps1.Dropper.HCrypt-9913873-0
  • Txt.Trojan.BatchDownloader-9913886-0
  • Win.Trojan.AsyncRAT-9914220-0
  • Txt.Downloader.Agent-9914217-0
  • Js.Trojan.Agent-9914218-0
  • Js.Downloader.Agent-9914219-0
  • Win.Packed.Samas-7998113-0
  • Win.Trojan.NanoCore-9852758-0
  • Win.Dropper.NetWire-8025706-0
  • Win.Malware.Generickdz-9865912-0
  • Win.Dropper.Joiner-6

Security researchers recently discovered a critical vulnerability in the H2 open-source Java SQL database that’s like the widespread Log4shell exploit. However, the issue in H2 is considered to be less serious, as it's harder to exploit and gives potential attackers less of an attack surface. The flaw, identified as CVE-2021-42392, could allow an adversary to execute remote code on vulnerable systems. H2 is widely used by developers in web and internet-of-things platforms. This issue specifically lies in JNDI remote class loading, making it similar to Log4Shell, in that it allows several code paths in the H2 database framework to pass unfiltered attacker-controlled URLs to the javax.naming.Context.lookup function.

Snort SIDs: 58876 and 58877

Most prevalent malware files this week

SHA 256: 1b259d8ca9bb4579feb56748082a32239a433cea619c09f827fd6df805707f37

MD5: a5e345518e6817f72c9b409915741689 Typical Filename: swupdater.exe Claimed Product: Wavesor SWUpdater Detection Name: W32.1B259D8CA9.Wavesor.SSO.Talos

SHA 256: d339e195ca0b74746b02a4ee1a5820fa3074f43bec2988737005d2562a90cd34 MD5: 3f75eb823cd1a73e4c89185fca77cb38 Typical Filename: signup.png Claimed Product: N/A Detection Name: Win.Dropper.Generic::231945.in02

SHA 256: e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd MD5: 8193b63313019b614d5be721c538486b Typical Filename: SAService.exe Claimed Product: SAService Detection Name:

SHA 256: bda6b6c45eabfad23b72c1982820202fa35a73211680c90e2e9d04e98fe91dae MD5: 7c5eaac8c756691c422027f7b3458759 Typical Filename: santivirusservice.exe Claimed Product: SA_Service Detection Name: W32.Auto:bda6b6c45e.in03.Talos

SHA 256: 8639fd3ef8d55c45808f2fa8a5b398b0de18e5dd57af00265e42c822fb6938e2 MD5: fe3659119e683e1aa07b2346c1f215af Typical Filename: SqlServerWorks.Runner.exe Claimed Product: SqlServerWorks.Runner Detection Name: W32.8639FD3EF8-95.SBX.TG

Keep up with all things Talos by following us on Twitter. Snort, and ClamAV also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast here and Talos Takes here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.