I know I’m a little late to the party to hit the prime SEO for Black Friday, Cyber Monday and holiday shopping. But if I know the readers of this newsletter, after just a few days everyone is still far from done with their holiday shopping.

I also know I’m far from the only person to warn consumers about scams during this season, so I’m trying to split the difference and highlight a few specific scams and spam campaigns that are already circulating in the wild, some of which popped up right on Black Friday, so you don’t get caught in the remaining days leading up to the winter holidays. 

Fake Facebook ads seem to be the flavor of the month for scammers. This is completely anecdotal, but my mom almost got “got” with a fake Facebook post in a group she belongs to claiming to have some great deals on Nintendo Switch games on Amazon that were not actually real (thankfully she hadn’t clicked the link before she asked me if “Mario Odyssey” was a good deal at $15).  

Still, several other reports have shown that scammers are using Facebook ads to advertise a deal for a $19 Stanley cup — these are the water bottles all the influencers are using nowadays and, even when they are on sale, don’t go for any less than about $35. In this case, it looks like the actors are just looking to take your money or credit card information with a fake ordering process and no plans to send you anything. 

Adversaries have also set up fake Facebook pages and web pages disguising themselves as the retailer Big Lots. These fake ads and posts offer vague deals and sales on various products but instead point to typo-squatted Big Lots websites (or URLs that vaguely seem like they could be connected to Big Lots).  

Scammers are also sending mass emails to subscribers of various streaming services like Amazon Prime, Paramount+ and Peacock claiming that their subscription has lapsed, but they can resubscribe for a deeply discounted price, or even free, as part of a Black Friday special.  

Amazon also issued a warning recently that attackers have been sending emails with malicious attachments asking for users' personal information in exchange for having their “accounts” unlocked. 

This is just a sampling of the likely hundreds of different scams and spam campaigns attackers are deploying right now, so in general, when shopping online, here are a few tips: 

  • Only download apps from trusted and official app stores like the Google Play store and iOS App Store. 
  • Look out for apps that ask for suspicious permissions, such as access to your text messages, contacts, stored passwords and administrative features. 
  • Some malicious apps will try to masquerade as a legitimate version of the one you could be searching for. Signs of these apps include poor spelling and grammar in app descriptions and interfaces, lack of high-quality performance and a developer contact that uses a free email service (such as @gmail.com). 
  • Avoid clicking on unsolicited emails. Make sure you purposefully subscribed to any marketing emails you receive from retailers before opening them.
  • Use an ad blocker locally on your browser. These will often block any malvertising campaigns that aim to capitalize on shoppers looking for deals. 
  • Try to use payment services such as Google Pay, Samsung Pay and Apple Pay. These services use tokenization instead of the “Primary Account Number” (your credit card number), making your transaction more secure. 
  • Use a unique, complex password for each site. Attackers commonly reuse passwords to compromise multiple accounts with the same username. Use a password locker if you have a hard time creating and remembering secure passwords.
  • Manually type in URLs to sites you want to visit rather than clicking on links. 
  • Use multi-factor authentication, such as Cisco Duo, to log into your email account to avoid unauthorized access. 

Next week, Talos will have a holiday special of our own! On Dec. 5, we’ll be launching our second-ever Year in Review report, complete with all new data and insights about the attacks and malware we’ve seen in 2023. Stay tuned to our social media channels or blog for that release.  

The one big thing 

Cisco Talos recently discovered a malicious campaign that likely started as early as August 2023, delivering a new remote access trojan (RAT) we dubbed “SugarGh0st.” Based on the similarity of the command structure and the strings used in the code, we assess with high confidence that SugarGh0st is a new customized variant of Gh0st RAT, an infamous trojan that has been active for more than a decade. It adds customized commands to facilitate the remote administration tasks directed by the C2 and uses a modified communication protocol.

Why do I care? 

If infected, SugarGh0st serves as a fully functional backdoor for the adversary that can execute most remote-control functionalities. It can launch a reverse shell and run arbitrary commands sent from the C2 as strings using the command shell. SugarGh0st can collect the victim machine’s hostname, filesystem, logical drive and operating system information. It can access the running process information of the victim’s machine and control the environment by inspecting and terminating processes as directed by the C2 server. It can also manage the machine’s service manager by accessing the configuration of the running services and can start, terminate or delete them.

So now what? 

Since this seems to be an offshoot of Gh0st RAT, we certainly can’t rule out other variants that may be floating around out there. Talos also has new ClamAV signatures, Snort rules and other Cisco Secure protections to specifically detect and stop SugarGh0st.

Top security headlines of the week 

Cisco Talos and other teams across Cisco recently worked with multiple government partners to help protect the Ukrainian power grid and ensure it runs appropriately. The effort, spearheaded by Talos’ Joe Marshall, involved creating bespoke hardware for Ukraine’s energy supplier, Ukrenergo, to operate in place of the traditional GPS devices that the Ukrainian power grid relies on to keep running on time. GPS satellites and Ukrainian substations have constantly been the target of kinetic and cyber threats during Russia’s invasion of Ukraine. Officials from multiple U.S. government agencies assisted in the project. The Pentagon set up flights to physically deliver the manipulated switches, the Department of Energy helped coordinate the equipment’s delivery, and, as Ukrenergo told CNN, the Department of Commerce was a part of critical meetings that first outlined this project. Taras Vasyliv, who oversees power dispatching for Ukrenergo, told CNN that the custom-built switches were the equivalent of a “flashlight” for a surgeon who is trying to operate in the dark. (CNN, Business Insider)

Leaked government documents show that some local, federal and state law enforcement officers have been able to view the phone records of millions of Americans, even those who have not been accused or suspected of a crime. The little-known Pentagon program was partially uncovered because of a letter sent from U.S. Sen. Ron Wyden of Oregon to U.S. Attorney General Merrick Garland, in which Wyden’s office requested more information on the project and encouraged the federal government to publicly disclose this knowledge. The letter states the White House pays wireless company AT&T to give all federal, state, local and Tribal law enforcement agencies “the ability to request often-warrantless searches.” Known as the “Hemisphere Project,” this program has apparently been around since 2007 and was reported on by the New York Times in 2013, but it has largely gone unnoticed since. Wyden is attempting to challenge the legality of the Hemisphere Project. (Wired)

Security researchers have found a way to bypass the Microsoft Hello login authentication system used in many fingerprint readers and face ID scanners on devices from Dell, Lenovo and Microsoft. Researchers hired by Microsoft to test the security of the readers have since informed the company of these vulnerabilities. The attack the researchers outlined could provide access to a stolen laptop or enable what’s called an “evil maid” attack on an unattended device. Microsoft introduced Hello with its Windows 10 operating system, and since then has included fingerprint scanners on all its devices (though in some cases, Microsoft’s own hardware like the Surface tablet did not use Hello). Though the manufacturers are now aware of these vulnerabilities, the variety of attacks means it can be difficult to patch for these issues. However, all the attacks ultimately required physical access to a device. (Ars Technica, The Verge)

Can’t get enough Talos? 

Upcoming events where you can find Talos 

“Power of the Platform” by Cisco (Dec. 5 & 7)

Virtual (Please note: This presentation will only be given in German) 

The annual end-of-year IT event where Cisco experts, including Gergana Karadzhova-Dangela from Cisco Talos Incident Response, discuss forward-looking topics in the implementation of digitalization together with you.

What Threats Kept Us Up in 2023: A Year in Review and a Look Ahead (Dec. 13, 11 a.m. PT) 

Virtual 

Each year brings new threats that take advantage of increasingly complex security environments. Whether it’s Volt Typhoon targeting critical infrastructure organizations across the United States or ALPHV launching an attack against casino giant MGM, threat actors are becoming bolder and more evasive. That’s why it’s never been more important to leverage broad telemetry sources, deep network insights and threat intelligence to respond effectively and recover faster from sophisticated attacks. Join Amy Henderson, Director of Strategic Planning and Communications at Cisco Talos and Briana Farro, Director of XDR Product Management at Cisco, as they discuss some of the top threat trends and threats we have seen this past year and how to leverage security technology like XDR and network insights to fight against them. 

NIS2 Directive: Why Organizations Must Act Now to Ensure Compliance and Security (Jan. 11, 2024, 10 a.m. GMT) 

Virtual 

The NIS2 Directive is a crucial step toward securing Europe’s critical infrastructure and essential services in an increasingly interconnected world. Organizations must act now to prepare for the new requirements, safeguard their operations, and maintain a robust cybersecurity posture. Gergana Karadzhova-Dangela from Cisco Talos Incident Response and other Cisco experts will talk about how organizations can best prepare for the coming regulations.  

Most prevalent malware files from Talos telemetry over the past week 

SHA 256: 8664e2f59077c58ac12e747da09d2810fd5ca611f56c0c900578bf750cab56b7  
MD5: 0e4c49327e3be816022a233f844a5731  
Typical Filename: aact.exe  
Claimed Product: AAct x86  
Detection Name: PUA.Win.Tool.Kmsauto::in03.talos 

SHA 256: 77c2372364b6dd56bc787fda46e6f4240aaa0353ead1e3071224d454038a545e 
MD5: 040cd888e971f2872d6d5dafd52e6194 
Typical Filename: streamer.exe 
Claimed Product: Ultra Virus Killer 
Detection Name: PUA.Win.Virus.Ultra::95.sbx.tg 

SHA 256: abaa1b89dca9655410f61d64de25990972db95d28738fc93bb7a8a69b347a6a6 
MD5: 22ae85259273bc4ea419584293eda886 
Typical Filename: KMSAuto++ x64.exe 
Claimed Product: KMSAuto++ 
Detection Name: Hacktool:PUP.26ld.in14.Talos 

SHA 256: 77c2372364b6dd56bc787fda46e6f4240aaa0353ead1e3071224d454038a545e 
MD5: 040cd888e971f2872d6d5dafd52e6194 
Typical Filename: tmp000c3787 
Claimed Product: Ultra Virus Killer 
Detection Name: PUA.Win.Virus.Ultra::95.sbx.tg 

SHA 256: 975517668a3fe020f1dbb1caafde7180fd9216dcbf0ea147675ec287287f86aa 
MD5: 9403425a34e0c78a919681a09e5c16da 
Typical Filename: vincpsarzh.exe 
Claimed Product: N/A 
Detection Name: Win.Dropper.Scar::tpd