Newsletter compiled by Jon Munshaw.
Good afternoon, Talos readers.
We know a lot of you may be tired of "content" after RSA week. But we have some more for you!
And specifically related to RSA, Cisco Talos Incident Response has new case studies out detailing a few recent engagements they helped resolve. These particular cases show how incident response is a "team sport" with customers and incident responders working hand-in-hand with an inherent level of trust to meet challenges.
Upcoming public engagements with Talos
Title: Snort 3 and me (Part 2)
Date: May 25 at 11 a.m. ET
Overview: Join us as we once again provide a base-level overview of Snort 3 — the next generation of IPS. Alex Tatistcheff returns to discuss Cisco IPS' internal operations. This is the perfect place to jump on if you haven't upgraded to Snort 3 yet. For more on Snort 3, head to Snort.org.
Title: Sowing Discord livestream
Date: June 2 at 11 a.m. ET
Overview: Join Cisco Talos for a livestream presentation to discuss malware campaigns targeting collaboration apps like Discord and Slack. Following up on Talos' blog post from earlier this year, the presentation will dive into campaigns we've spotted in the wild and discuss how users can stay safe while using these apps. You can watch along with us, and participate in a live Q&A, live on LinkedIn and the Talos YouTube channel.
Cybersecurity week in review
- Colonial Pipeline confirmed it paid a $4.4 million ransom to the attackers behind the shutdown of the massive oil pipeline. The CEO of the company said he believed it was in the U.S.'s best interests to get the pipeline operational again as quickly as possible.
- The DarkSide ransomware group behind the attack shut down last week after making more than $90 million in its career. DarkSide operated on a ransomware-as-a-service model, taking in payments in the form of bitcoin to their wallet.
- American officials said the country did not have a role in DarkSide shutting down. However, some security researchers say DarkSide's disappearance could be a ploy.
- U.S. President Joe Biden's 2022 budget proposal includes millions of dollars of new investment into the nation's cybersecurity. The spending package would be part of a larger infrastructure overhaul in the U.S.
- Health systems in Ireland are still relying on paper records after a "catastrophic" cyber attack. The head of the country's health service said officials are still in the assessment phase of recovery and looking at all possibly affected systems and servers.
- The upcoming Android 12 mobile operating system will include new privacy and security features to inform users when apps are using certain features, including their camera and microphone. Users will also have the option to share their approximate location with apps rather than their precise coordinates.
- Google warned users that four vulnerabilities in Qualcomm and Arm Mali chips are being actively exploited in the wild. The exploits range in severity from medium- to high-risk.
- An ongoing lawsuit between Apple and video game producer Epic has revealed information about Apple's approach to Mac security. A high-ranking Apple official said during testimony the company has discovered 130 types of Mac malware since May 2020, and one of them alone infected 300,000 systems.
- An online hacking group allegedly stole people's identities and used that information to create fake ride-sharing and food delivery profiles. The U.S. Department of Justice announced charges against 14 Brazilian natives who allegedly sold or rented those accounts to people who would otherwise not be eligible to work in the U.S.
Notable recent security issues
Description: Transparent Tribe, also known as APT36 and Mythic Leopard, continues to create fake domains mimicking legitimate military and defense organizations as a core component of their operations. While military and defense personnel continue to be the group's primary targets, Transparent Tribe is increasingly targeting diplomatic entities, defense contractors, research organizations and conference attendees, indicating that the group is expanding its targeting. Transparent Tribe uses a two-pronged approach for registering malicious domains: Fake domains masquerading as legitimate sites belonging to government, defense, or research entities, and malicious domains that resemble file-sharing websites.
Snort SIDs: 57551 - 57562
Description: Cisco Talos has recently observed updated infrastructure and new components associated with the Lemon Duck cryptocurrency mining botnet that target unpatched Microsoft Exchange Servers and attempt to download and execute payloads for Cobalt Strike DNS beacons. This activity reflects updated tactics, techniques and procedures (TTPs) associated with this threat actor. After several zero-day Microsoft Exchange Server vulnerabilities were made public on March 2, Cisco Talos and several other security researchers began observing various threat actors, including Lemon Duck, leveraging these vulnerabilities for initial exploitation before security patches were made available. Microsoft released a report on March 25 highlighting Lemon Duck's targeting of Exchange Servers to install cryptocurrency-mining malware and a malware loader that was used to deliver secondary malware payloads, such as information stealers. Talos also discovered that Lemon Duck actors have been generating fake domains on East Asian top-level domains (TLDs) to mask connections to their legitimate C2 domain since at least February 2020, highlighting another attempt to make their operations more effective.
Snort SIDs: 45549:4, 46237, 50795, 55926, 57469 - 57474
ClamAV signatures: Ps1.Trojan.Lemonduck-9856143, Ps1.Trojan.Lemonduck-9856144, Win.Trojan.CobaltStrike-7917400, Win.Trojan.CobaltStrike-8091534
Cisco Secure Endpoint Cloud IOCs: W32.LemonDuckCryptoMiner.ioc, Clam.Ps1.Dropper.LemonDuck-9775016-1, Win.Miner.LemonDuck.tii.Talos, Ps1.Dropper.LemonDuck, Clam.Js.Malware.LemonDuck-9775029-1
Most prevalent malware files this week
Typical Filename: ww31.exe
Claimed Product: N/A
Detection Name: W32.GenericKD:Attribute.24ch.1201
Typical Filename: SAService.exe
Claimed Product: SAService
Detection Name: PUA.Win.Dropper.Segurazo::95.sbx.tg
Typical Filename: webnavigatorbrowser.exe
Claimed Product: WebNavigatorBrowser
Detection Name: W32.5524FEE1BB.5A6DF6a61.auto.Talos
Typical Filename: FlashHelperService.exe
Claimed Product: Flash Helper Service
Detection Name: W32.Auto:d0442520e2.in03.Talos
Typical Filename: svchost.exe
Claimed Product: N/A
Detection Name: Win.Exploit.Shadowbrokers::5A5226262.auto.talos
Keep up with all things Talos by following us on Twitter. Snort, ClamAV and Immunet also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast here and Talos Takes here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.