Good afternoon, Talos readers.

It's important to be proactive, and not reactive, with your security. It's always better to see the worst coming and block it than have to scramble to deal with the worst-case scenario in the moment.

That's why it's so important to have a polished Incident Response Plan that's tested and proven. A solid IR plan will ensure your team has the appropriate protections in place, and if you are the target of a cyber attack, you'll be ready to act at a moment's notice to snuff out the threat before it becomes a full-on cybersecurity incident.

Whether you want to create an IR plan from scratch or just refine yours, you'll want to watch our live stream from last week with Martin Lee from Talos research and Paul Lee from Talos Incident Response. Watch the full recording above or check out the Talos Takes audio version here.

Cybersecurity week in review

  • U.S. Congress passed sweeping legislation to improve the country's infrastructure, including allocating nearly $2 billion for cybersecurity. States and local governments are hailing the additional funds as their critical infrastructure faces cyber attacks with increasing frequency.
  • The bill also includes new rules regarding cryptocurrency transactions in the hopes of slowing down bad actors who use virtual currencies to conduct criminal operations. Now, anyone who transfers more than $10,000 worth of cryptocurrencies must report them on their taxes and they will be treated like cash.
  • Popular stock trading app Robinhood disclosed a massive data breach affecting 7 million accounts. In particular, 310 users were hit the hardest, with attackers accessing their personal information, including full names, dates of birth and ZIP codes.
  • The attackers in the Robinhood breach also accessed an internal platform that could have allowed them to change certain users' security settings, including disabling multi-factor authentication. However, Robinhood says no account settings were changed.
  • A new Android malware infected nearly 1,000 devices, gaining the ability to record their screen and audio in real-time. The app disguises itself as a variety of legitimate applications, including apps to learn yoga, stream television or view and upload their pictures.
  • The Pegasus spyware, a far more well-known mobile device malware that can track users' location and activities, was found on six Palestinian activists' phones. Pegasus is commonly used by state-sponsored actors to track journalists, government opponents and other high-profile figures.
  • U.S. law enforcement made several major charges and arrests against two people for their involvement with the REvil ransomware gang. The Department of Justice also announced rewards of up to $10 million for any information on the threat actor's leaders.
  • Many American federal government agencies were expected to miss a deadline for them to require multi-factor authentication on their networks. The directive was part of broader cybersecurity guidelines the Biden administration released earlier this year.
  • Major VoIP provider reported a distributed denial-of-service attack in September cost the company between $9 million and $12 million. Multiple similar companies have also reported these types of attacks in the past few months.

Notable recent security issues

Microsoft discloses 56 vulnerabilities, including one Excel issue exploited in the wild

Microsoft released its monthly security update Tuesday, disclosing 56 vulnerabilities in the company’s various software, hardware and firmware offerings, including one that’s actively being exploited in the wild. November’s security update features six critical vulnerabilities, up from last month’s two, which was far lower than average for Microsoft. The other 49 vulnerabilities fixed today are considered “important.” CVE-2021-42292 is one of those vulnerabilities considered “important” and not critical, though it is the only one included in this security update that Microsoft reports has been actively exploited in the wild. An attacker could exploit this vulnerability in Microsoft Excel to bypass certain security settings on targeted machines. In a time when email attachments are the major vector of system compromise, this vulnerability can be used to increase the efficiency of these attacks by avoiding a security prompt and consequently reducing the social engineering necessary to infect the victim.

Snort SIDs: 58519, 58520, 58539 – 58541

Snort 3 SID: 300054

Microsoft Exchange vulnerabilities exploited once again for ransomware, this time with Babuk

Cisco Talos recently discovered a malicious campaign deploying variants of the Babuk ransomware predominantly affecting users in the U.S. with smaller number of infections in U.K., Germany, Ukraine, Finland, Brazil, Honduras and Thailand. The actor of the campaign is sometimes referred to as Tortilla, based on the payload file names used in the campaign. This is a new actor operating since July 2021. Prior to this ransomware, Tortilla has been experimenting with other payloads, such as the PowerShell-based netcat clone Powercat, which is known to provide attackers with unauthorized access to Windows machines. We assess with moderate confidence that the initial infection vector is exploitation of ProxyShell vulnerabilities in Microsoft Exchange Server through the deployment of China Chopper web shell.

Snort SID: 58430 - 58433

Most prevalent malware files this week

SHA 256: 5bab2ae1cada90f37b821e4803912c5b351fda417bbf0a9c768b715c6d492e13

MD5: a6a7eb61172f8d988e47322ebf27bf6d

Typical Filename: wx.exe

Claimed Product: N/A

Detection Name: Win.Dropper.Wingo::in07.talos

SHA 256: e5044d5ac2f8ea3090c2460a5f7d92a5a49e7fa040bf26659ec2f7c442dda762

MD5: 6ea750c9d69b7db6532d90ac0960e212


Typical Filename:

Claimed Product: N/A

Detection Name: Auto.E5044D5AC2.242358.in07.Talos

SHA 256: 4d47791970c9e4b829ef0cc0049eecdfae3655f87a1e79620bbcc39eb8c21c8b

MD5: fdcdb2db7d4f9cb8b463ea2e8272d175

Typical Filename: javarx2.dat

Claimed Product: N/A

Detection Name: Auto.4D47791970.232152.in07.Talos

SHA 256: 8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9

MD5: 34560233e751b7e95f155b6f61e7419a

Typical Filename: SAntivirusService.exe

Claimed Product: A n t i v i r u s S e r v i c e

Detection Name: PUA.Win.Dropper.Segurazo::tpd

SHA 256: 1487f122c92f3bade35e03b6b0554a80b1563f2c167d9064263845653d912ec6

MD5: ee62e8f42ed70e717b2571c372e9de9a

Typical Filename: lHe

Claimed Product: N/A

Detection Name: W32.Gen:MinerDM.24ls.1201

Keep up with all things Talos by following us on Twitter. Snort, and ClamAV also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast here and Talos Takes here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.