Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers.

We know a lot of you may be tired of "content" after RSA week. But we have some more for you!

And specifically related to RSA, Cisco Talos Incident Response has new case studies out detailing a few recent engagements they helped resolve. These particular cases show how incident response is a "team sport" with customers and incident responders working hand-in-hand with an inherent level of trust to meet challenges.

Upcoming public engagements with Talos

Title: Snort 3 and me (Part 2)

Date: May 25 at 11 a.m. ET

Overview: Join us as we once again provide a base-level overview of Snort 3 — the next generation of IPS. Alex Tatistcheff returns to discuss Cisco IPS' internal operations. This is the perfect place to jump on if you haven't upgraded to Snort 3 yet. For more on Snort 3, head to

Title: Sowing Discord livestream

Date: June 2 at 11 a.m. ET

Overview: Join Cisco Talos for a livestream presentation to discuss malware campaigns targeting collaboration apps like Discord and Slack. Following up on Talos' blog post from earlier this year, the presentation will dive into campaigns we've spotted in the wild and discuss how users can stay safe while using these apps. You can watch along with us, and participate in a live Q&A, live on LinkedIn and the Talos YouTube channel.

Cybersecurity week in review

  • Colonial Pipeline confirmed it paid a $4.4 million ransom to the attackers behind the shutdown of the massive oil pipeline. The CEO of the company said he believed it was in the U.S.'s best interests to get the pipeline operational again as quickly as possible.
  • The DarkSide ransomware group behind the attack shut down last week after making more than $90 million in its career. DarkSide operated on a ransomware-as-a-service model, taking in payments in the form of bitcoin to their wallet.
  • American officials said the country did not have a role in DarkSide shutting down. However, some security researchers say DarkSide's disappearance could be a ploy.
  • U.S. President Joe Biden's 2022 budget proposal includes millions of dollars of new investment into the nation's cybersecurity. The spending package would be part of a larger infrastructure overhaul in the U.S.
  • Health systems in Ireland are still relying on paper records after a "catastrophic" cyber attack. The head of the country's health service said officials are still in the assessment phase of recovery and looking at all possibly affected systems and servers.
  • The upcoming Android 12 mobile operating system will include new privacy and security features to inform users when apps are using certain features, including their camera and microphone. Users will also have the option to share their approximate location with apps rather than their precise coordinates.
  • Google warned users that four vulnerabilities in Qualcomm and Arm Mail chips are being exploited actively in the wild. The exploits range in severity from medium- to high-risk.
  • An ongoing lawsuit between Apple and video game producer Epic has revealed information about Apple's approach to Mac security. A high-ranking Apple official said during testimony the company has discovered 130 types of Mac malware since May 2020, and one of them alone infected 300,000 systems.
  • An online hacking group allegedly stole people's identities and used that information to create fake ride-sharing and food delivery profiles. The U.S. Department of Justice announced charges against 14 Brazilian natives who allegedly sold or rented those accounts to people who would otherwise not be eligible to work in the U.S.

Notable recent security issues

Title: Transparent Tribe APT expands its Windows malware arsenal

Description: Transparent Tribe, also known as APT36 and Mythic Leopard, continues to create fake domains mimicking legitimate military and defense organizations as a core component of their operations. While military and defense personnel continue to be the group's primary targets, Transparent Tribe is increasingly targeting diplomatic entities, defense contractors, research organizations and conference attendees, indicating that the group is expanding its targeting. Transparent Tribe uses a two-pronged approach for registering malicious domains: Fake domains masquerading as legitimate sites belonging to government, defense, or research entities, and malicious domains that resemble file-sharing websites.

Snort SIDs: 57551 - 57562

Title: Lemon Duck cryptocurrency miner targeting vulnerable Microsoft Exchange Servers

Description: Cisco Talos has recently observed updated infrastructure and new components associated with the Lemon Duck cryptocurrency mining botnet that target unpatched Microsoft Exchange Servers and attempts to download and execute payloads for Cobalt Strike DNS beacons. This activity reflects updated tactics, techniques and procedures (TTPs) associated with this threat actor. After several zero-day Microsoft Exchange Server vulnerabilities were made public on March 2, Cisco Talos and several other security researchers began observing various threat actors, including Lemon Duck, leveraging these vulnerabilities for initial exploitation before security patches were made available. Microsoft released a report on March 25 highlighting Lemon Duck's targeting of Exchange Servers to install cryptocurrency-mining malware and a malware loader that was used to deliver secondary malware payloads, such as information stealers. Talos also discovered that Lemon Duck actors have been generating fake domains on East Asian top-level domains (TLDs) to mask connections to their legitimate C2 domain since at least February 2020, highlighting another attempt to make their operations more effective.

Snort SIDs: 45549:4, 46237, 50795, 55926, 57469 – 57474

ClamAV signatures: Ps1.Trojan.Lemonduck-9856143, Ps1.Trojan.Lemonduck-9856144, Win.Trojan.CobaltStrike-7917400, Win.Trojan.CobaltStrike-8091534

Cisco Secure Endpoint Cloud IOCs: W32.LemonDuckCryptoMiner.ioc, Clam.Ps1.Dropper.LemonDuck-9775016-1, Win.Miner.LemonDuck.tii.Talos, Ps1.Dropper.LemonDuck, Clam.Js.Malware.LemonDuck-9775029-1

Most prevalent malware files this week

SHA 256: c1d5a585fce188423d31df3ea806272f3daa5eb989e18e9ecf3d94b97b965f8e

MD5: 9a4b7b0849a274f6f7ac13c7577daad8

Typical Filename: ww31.exe

Claimed Product: N/A

Detection Name: W32.GenericKD:Attribute.24ch.1201

SHA 256: e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd

MD5: 8193b63313019b614d5be721c538486b

Typical Filename: SAService.exe

Claimed Product: SAService

Detection Name:

SHA 256: 5524fee1bb95b3778857b414586611584794867c5fce1952d22dcba93c5cd243

MD5: f2c1aa209e185ed50bf9ae8161914954

Typical Filename: webnavigatorbrowser.exe

Claimed Product: WebNavigatorBrowser

Detection Name:

SHA 256: 3bc24c618151b74ebffb9fbdaf89569fadcce6682584088fde222685079f7bb9

MD5: d709ea22945c98782dc69e996a98d643

Typical Filename: FlashHelperService.exe

Claimed Product: Flash Helper Service

Detection Name: W32.Auto:d0442520e2.in03.Talos

SHA 256: 85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5

MD5: 8c80dd97c37525927c1e549cb59bcbf3

Typical Filename: svchost.exe

Claimed Product: N/A

Detection Name:

Keep up with all things Talos by following us on Twitter. Snort, ClamAV and Immunet also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast here and Talos Takes here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.