Welcome to this week’s edition of the Threat Source newsletter. Cisco Talos continues to be heads-down working on the current Ukraine situation. This is incredibly difficult for everyone across the globe, especially for those directly affected. But that doesn’t mean those of us who are looking from the outside-in aren’t still feeling emotional effects.

As the Beers with Talos crew talked about in their newest episode this week, it’s a tough time for our researchers and everyone in the security community and beyond. Of course, the people of Ukraine who are seeing the worst of this — some of our Ukrainian-based employees have even opted to join the military there to defend their country. It is incredibly noble and moving to see.

This conflict can still take a mental toll on everyone who is involved and watching from the outside. Folks at Cisco and Talos are working unreal hours to help defend Ukrainian networks and keep critical infrastructure there online. Following the news is stressful for everyone, and it can sometimes be overwhelming, so it’s important to take a break from the news and social media every once and a while to recharge.

This can sometimes come across as “burying your head in the sand” or ignoring the outside world. But taking some time for yourself is not selfish. If anything, it’s recharging so that you can return and be your best self for everyone around you who needs you. We can all channel the anxiety, stress and heartbreak we’re suffering currently into something positive. Take Martin Lee from our strategic communications team, for example, who recently ran *50* miles in the U.K. to help raise money for Ukraine. Or Vitor Ventura from our threat intelligence and interdiction team who drove to Poland from Portugal to hand-deliver donations and even offered a Ukrainian family a ride back to Portugal where they were looking to relocate.

For me, personally, I’ve been making sure to play “Elden Ring” every night as a work cooldown. This recharges me to come back to work the next day so I feel I can give my all to Talos, supporting our strategic communication platforms and helping inform users, customers and the wider public about our work in Ukraine and making sure we are getting the important information out there quickly and accurately. I’ve also been able to research legitimate non-profits who are helping in Ukraine and donate to them after removing myself from the constant news stream and calls for action on Instagram.

These are all small acts of kindness we can be making right now. But if we choose to instead invest our team in doomscrolling, virtue-signaling on social media or just drowning in our own anxiety, that zaps us of our energy to do those things. So, take any stress or anxiety you’re feeling and channel it into some “productive worry” and know that we are all doing our part to address this injustice and help those in need.

The one big thing

We’ve been following the MuddyWater APT even before U.S. Cyber Command publicly outed the threat actor as being connected to Iranian state interests. This is a prolific threat actor who spreads spam, ransomware and other assorted scams.

Upon a closer look, it appears like MuddyWater is actually not one, large group but rather a bunch of smaller groups working together to accomplish a common goal. As we outlined in our latest research, these sub-groups seem to operate independently, motivated by the same factors that align with Iranian national security objectives, including espionage, intellectual theft, and destructive or disruptive operations based on the victims they target.

Why do I care? 

In addition to this new hypothesis, we also discovered the actor is still cranking out new malware campaigns and tools. This includes a new campaign targeting Turkey and the Arabian Peninsula with maldocs to deliver a Windows script file (WSF)-based RAT we're calling "SloughRAT.” 

The setup of these various sub-groups also gives MuddyWater a greater opportunity to refine their tactics. Every time they start a new campaign, the group seems to develop new TTPs that they use down the road. And since they first launched, they’ve expanded their attacks to include countries all over the Middle East. This group clearly is not shy about who they attack and how often they pick up their activities, so don’t expect them to go away any time soon.  

So now what? 

In-depth defense strategies based on a risk analysis approach can deliver the best results in protecting against such a highly motivated set of threat actors.  

However, this should always be complemented by a solid, tested incident response plan so that you’re ready for the worst-case scenario. It’ll be interesting to see how this group evolves, and whether their sub-groups start getting their own IDs and names from government agencies who track those sorts of things. This group is bold and should not be taken lightly.  

Other newsy nuggets

The Cyclops Blink malware, which we first wrote at the onset of the Russian invasion of Ukraine, is now targeting Asus routers. We first spotted this campaign targeting MikroTik routers, a popular brand of routers used in Europe. Cyclops Blink is likely a replacement framework for the VPNFilter attack Talos discovered in 2019 that had the ability to completely brick some routers. For anyone infected, the best move is to reset the router to its factory settings and start over in setting up their home network. (ZDNet, Talos)

A Linux vulnerability known as “Dirty Pipe” seems to be the most serious exploit affecting the operating system in years. The vulnerability affects Linux Kernel 5.8 and later versions in a similar way to the Dirty COW exploit discovered in 2016 and could result in an attacker obtaining root privileges. QNAP already warned users that most of its network-attached storage (NAS) appliances are affected by this vulnerability. Dirty Pipe even affects Android devices that utilize Linux, and security researchers have found a way to fully root a Google Pixel 6 smartphone and the Samsung S22. (Bleeping Computer, ThreatPost, Ars Technica)

Attackers are finding new ways to launch bigger distributed denial-of-service attacks. They are exploiting a group of misconfigured servers that block restricted content in some countries, known as middleboxes, to amplify junk data and send it to targeted sites to shut them down. Researchers and CDNs warn that adversaries have already used this technique to target banking, travel, gaming and media websites. The Israeli government was also the victim of a DDoS attack this week, with many state websites going offline earlier this week and some officials saying it could be the largest cyber attack the country has ever faced. (TechRadar, Wired, Talos)

Can’t get enough Talos?

Upcoming events where you can find Talos

RSA 2022 (June 6 – 9, 2022)
San Francisco, California

Cisco Live U.S. (June 12 – 16, 2022)
Las Vegas, Nevada

Most prevalent malware files from Talos telemetry over the past week

SHA 256: e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934
MD5: 93fefc3e88ffb78abb36365fa5cf857c
Typical Filename: Wextract
Claimed Product: Internet Explorer
Detection Name: PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg

SHA 256: 20a98a7e6e137bb1b9bd5ef6911a479cb8eac925b80d6db4e70b19f62a40cce2
MD5: c578d9653b22800c3eb6b6a51219bbb8
Typical Filename: invisible.vbs
Claimed Product: N/A
Detection Name: Win.Trojan.Pistacchietto.Talos

SHA 256: 59f1e69b68de4839c65b6e6d39ac7a272e2611ec1ed1bf73a4f455e2ca20eeaa
MD5: df11b3105df8d7c70e7b501e210e3cc3
Typical Filename: DOC001.exe
Claimed Product: N/A
Detection Name: Win.Worm.Coinminer::1201

SHA 256: 125e12c8045689bb2a5dcad6fa2644847156dec8b533ee8a3653b432f8fd5645
MD5: 2c8ea737a232fd03ab80db672d50a17a
Typical Filename: LwssPlayer.scr
Claimed Product: LwssPlayer
Detection Name: Auto.125E12.241442.in02

SHA 256: 5616b94f1a40b49096e2f8f78d646891b45c649473a5b67b8beddac46ad398e1
MD5: 3e10a74a7613d1cae4b9749d7ec93515
Typical Filename: IMG001.exe
Claimed Product: N/A
Detection Name: Win.Dropper.Coinminer::1201