Good afternoon, Talos readers.

This is our last newsletter before Thanksgiving in the U.S. next week, so now's as good of a time as any to remind you: If a deal seems too good to be true, it probably is.

To prep online shoppers for the upcoming Cyber Monday and Black Friday sales, we have this handy guide with past Talos podcasts, blog posts and television appearances to keep you safe. Attackers are especially likely to try and capitalize on supply chain fears this year, and keep pushing phony deals around the XBOX Series X and PlayStation 5.

Bookmark that page, too, because we'll update it as new content becomes available.

Upcoming Talos public engagements

AvengerCon VI Panel - Ransomware Cyber Kill Chain

Speaker: Azim Khodjibaev

Date: Nov. 30 at 1:10 p.m. ET

Location: Virtual

Description: "It’s clear that addressing ransomware will require an innovative and collaborative approach, and that businesses, governments, and information security professionals will have a part to play. But what approaches should be considered? What weaknesses or single points of failure exist in the ransomware ecosystem? How might we expect ransomware actors to respond to actions taken against them? And how might US adversaries take advantage of the situation?" Azim Khodjibaev will be a part of this panel discussion with other leading security researchers.

Cybersecurity week in review

  • Hackers used the FBI's email and domain to send phony emails regarding a cybercrime investigation. The actor behind the emails told reporters they wanted to point out a vulnerability in the FBI's website.
  • Cisco Talos discovered a malicious campaign using an obfuscated Meterpreter stager to deploy Cobalt Strike beacons in September 2021. The attackers redirected a Myanmar government-controlled domain to their servers, which deployed Cobalt Strike on victim machines.
  • U.S. President Joe Biden formally signed a massive infrastructure bill that includes $2 billion in new investments in cybersecurity. Local and state governments will now be able to apply for large grants to better secure their critical infrastructure.
  • The U.S. Department of Homeland Security launched a new initiative to recruit new cybersecurity talent by cutting some bureaucratic hurdles and increasing pay. One-hundred and fifty new "priority" jobs were also opened Monday.
  • The U.K.'s top cybersecurity defense agency said it's dealt with a record amount of cyber attacks this year. A new report found that ransomware attacks emanating from Russia made up the bulk of the attacks.
  • Security researchers at Google discovered attackers using a previously unknown Mac vulnerability to target users in Hong Kong. As of last week, there was not enough information to attribute the attack, though researchers said it was "likely state-backed."
  • New Zealand's government said cyber attacks against what it classifies as "nationally significant" organizations rose by 15 percent year-over-year. About 35 percent of those attacks reached the "post-compromise" phase, nearly double the rate from 2020.
  • Microsoft released an out-of-band security update for Windows Serverover the weekend. The company fixed a vulnerability that caused some servers to improperly authenticate users that relied on single sign-on tokens, or Active Directory and SQL Server services.
  • New "botnet schools" are popping up across the web that teach users how to operate and grow large botnets. Researchers are worried this will increase botnet activity heading into 2022.

Notable recent security issues

Attackers redirect government-controlled website to spread Cobalt Strike

Cisco Talos discovered a new malicious campaign using a leaked version of Cobalt Strike in September 2021. This shows that Cobalt Strike, although it was originally created as a legitimate tool, continues to be something defenders need to monitor, as attackers are using it to set up attacks. The malware is typically a loader that runs on a victim machine, decodes and executes the Cobalt Strike beacon DLL via reflective injection. It loads several libraries during the runtime and generates the beacon traffic according to the embedded configuration file. The configuration file contains the information related to the command and control (C2) server which instructs the victim's machine to send the initial DNS request attempting to connect to the host of the Myanmar government-owned domain www[.]mdn[.]gov[.]mm. The site is hosted behind the Cloudflare content delivery network and the actual C2 traffic is redirected to an attacker-controlled server test[.]softlemon[.]net based on the HTTP host header information specified in the beacon's configuration data.

ClamAV signature: Win.Backdoor.CobaltStrike-9909816-0

North Korean attackers use malicious blogs to deliver malware to high-profile South Korean targets

Cisco Talos has observed a new malware campaign operated by the Kimsuky APT group since June 2021. Kimsuky, also known as Thallium and Black Banshee, is a North Korean state-sponsored advanced persistent threat (APT) group active since 2012. This campaign utilizes malicious blogs hosted on Blogspot to deliver three types of preliminary malicious content: beacons, file exfiltrators and implant deployment scripts. The implant deployment scripts, in turn, can infect the endpoint with additional implants such as system information-stealers, keyloggers and credential stealers. These implants are derivatives of the Gold Dragon/Brave Prince family of malware operated by Kimsuky since at least 2017 — now forked into three separate modules. This campaign targets South Korea-based think tanks whose research focuses on political, diplomatic and military topics pertaining to North Korea, China, Russia and the U.S.

Snort SID: 58496 and 58497

Most prevalent malware files this week

SHA 256: 1b259d8ca9bb4579feb56748082a32239a433cea619c09f827fd6df805707f37

MD5: a5e345518e6817f72c9b409915741689

Typical Filename: swupdater.exe

Claimed Product: Wavesor SWUpdater

Detection Name: W32.1B259D8CA9.Wavesor.SSO.Talos

SHA 256: 5bab2ae1cada90f37b821e4803912c5b351fda417bbf0a9c768b715c6d492e13

MD5: a6a7eb61172f8d988e47322ebf27bf6d

Typical Filename: wx.exe

Claimed Product: N/A

Detection Name: Win.Dropper.Wingo::in07.talos

SHA 256: e5044d5ac2f8ea3090c2460a5f7d92a5a49e7fa040bf26659ec2f7c442dda762

MD5: 6ea750c9d69b7db6532d90ac0960e212


Typical Filename:

Claimed Product: N/A

Detection Name: Auto.E5044D5AC2.242358.in07.Talos

SHA 256: 8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9

MD5: 34560233e751b7e95f155b6f61e7419a

Typical Filename: SAntivirusService.exe

Claimed Product: A n t i v i r u s S e r v i c e

Detection Name: PUA.Win.Dropper.Segurazo::tpd

SHA 256: 1487f122c92f3bade35e03b6b0554a80b1563f2c167d9064263845653d912ec6

MD5: ee62e8f42ed70e717b2571c372e9de9a

Typical Filename: lHe

Claimed Product: N/A

Detection Name: W32.Gen:MinerDM.24ls.1201

Keep up with all things Talos by following us on Twitter. Snort, and ClamAV also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast here and Talos Takes here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.