Welcome to this week’s edition of the Threat Source newsletter. 

I continue to be saddened by all the conflict in Israel and Gaza that’s still ongoing. I’ll be back with a “normal” newsletter next week, as unfortunately, there doesn’t seem to be a peaceful solution coming any time soon.  

In the meantime, I just wanted to use this space again to provide a roundup of the best resources I found this week for Cybersecurity Awareness Month. Taking a “Security Action” of any kind — whether it be simply enabling multi-factor authentication for your online banking login or marking that weird email as spam — can go a long way toward making you, and any organizations you’re a part of, more security resilient. 

The one big thing 

Cisco has identified active exploitation of a previously unknown, zero-day vulnerability in the Web User Interface (Web UI) feature of Cisco IOS XE software (CVE-2023-20198) when exposed to the internet or untrusted networks. This affects physical and virtual devices running Cisco IOS XE software that also have the HTTP or HTTPS Server feature enabled. Successful exploitation of this vulnerability allows an attacker to create an account on the affected device with privilege level 15 access, effectively granting them full control of the compromised device and allowing possible subsequent unauthorized activity.   

Why do I care? 

Security researchers have already confirmed that threat actors have installed implants on targeted devices by exploiting this vulnerability. Up to 10,000 devices could already be affected, according to some estimates. In a worst-case scenario, the attacker could execute arbitrary code on the targeted devices. 

So now what? 

Cisco recommends in its security advisory disabling the HTTP server feature on internet-facing systems. This is consistent not only with best practices, but also with guidance the U.S. government has provided in the past on mitigating risk from internet-exposed management interfaces. As this is a critical vulnerability, Talos strongly recommends affected entities immediately implement the steps outlined in Cisco’s PSIRT advisory. As soon as a patch is available, Talos and Cisco will inform users, who should then patch as soon as possible.  
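As an added illustration of the mitigation above (example code written for this newsletter, not a Cisco or Talos tool), the script below scans a running-config excerpt for the IOS XE HTTP/HTTPS server lines and for local accounts at privilege level 15, the level the advisory says an attacker-created account receives. The config text, hostnames and usernames are constructed samples; the `ip http server` / `ip http secure-server` keywords are standard IOS XE configuration syntax, and negating them is the disable step the advisory describes.

```python
import re

# Constructed sample running-config excerpt (not captured from any real device).
SAMPLE_CONFIG = """\
hostname edge-rtr-01
!
username admin privilege 15 secret 9 $9$placeholder
username tmpadm privilege 15 secret 9 $9$placeholder
username netops privilege 5 secret 9 $9$placeholder
!
ip http server
ip http secure-server
ip http authentication local
!
line vty 0 4
 transport input ssh
"""

# Matches "ip http server" and "ip http secure-server" but not other "ip http ..." lines.
HTTP_SERVER_RE = re.compile(r"^\s*ip http (secure-)?server\s*$", re.M)
# Captures the username of any local account configured at privilege level 15.
PRIV15_USER_RE = re.compile(r"^\s*username (\S+) privilege 15\b", re.M)


def audit_config(config: str, known_admins: set) -> dict:
    """Return findings relevant to the Web UI exposure: exposed HTTP server lines,
    privilege-15 accounts, which of those are not on the allowlist, and the
    'no ...' lines that disable the HTTP server feature."""
    http_enabled = [m.group(0).strip() for m in HTTP_SERVER_RE.finditer(config)]
    priv15 = [m.group(1) for m in PRIV15_USER_RE.finditer(config)]
    unexpected = [u for u in priv15 if u not in known_admins]
    return {
        "http_server_enabled": http_enabled,
        "privilege15_accounts": priv15,
        "unexpected_privilege15": unexpected,
        "remediation": ["no " + line for line in http_enabled],
    }


if __name__ == "__main__":
    # 'admin' is the only privilege-15 account we expect on this sample device.
    for key, value in audit_config(SAMPLE_CONFIG, {"admin"}).items():
        print(f"{key}: {value}")
```

Any account listed under unexpected_privilege15 warrants investigation against change records; an empty http_server_enabled list on an internet-facing device is the state the advisory asks for.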

Top security headlines of the week 

Government officials are starting to disclose the true breadth of Russia’s cyber attacks at the outset of its invasion of Ukraine. The head of the cyber division of Ukraine’s intelligence service said in a recent interview with Recorded Future that Ukraine worked with the U.S. to thwart multiple attempts to disrupt Ukraine’s critical infrastructure in February 2022, right as Russia was launching a ground invasion of Ukraine. Sandra Joyce, the executive vice president of global intelligence at Mandiant, also said in a separate interview this week that protecting Ukraine in the initial weeks and months of the invasion was like “hand-to-hand combat.” Joyce also said that her company saw more wiper malware deployed against Ukraine in the first few weeks of the invasion than it had in all of the past eight years it had partnered with Ukraine. Another top Ukrainian cybersecurity official called these attacks from Russia “nothing but a war crime.” (The Record, Yahoo! News) 

Internet giant Amazon is slowly rolling out passkeys as a login method for its users. Amazon quietly added the feature under users’ account management portal to opt into setting up a passkey. This means users can log in using biometric authentication on their device, such as their fingerprint or face scan. This conceivably makes it more difficult for bad actors to access their accounts without their knowledge, as they’d need physical access to the device. However, this login option still does not work on Amazon’s native apps, like Prime Video or Amazon shopping, on mobile devices. And the passkey login still requires a multi-factor authentication code to be entered, which would conceivably be redundant with a passkey. A spokesperson for Amazon told news outlet TechCrunch that the company is “in the early stages of adding Passkey support for Amazon.com to give customers another secure way to access their accounts. We will have more to share soon.” (TechCrunch, Dark Reading) 

Threat actors in Vietnam attempted to infiltrate U.S. government officials’ devices with spyware earlier this year, according to a new report, as well as devices belonging to a high-profile CNN anchor. The spyware was embedded in links placed in messages on the social media platform formerly known as Twitter. While the attempts appear to have been unsuccessful, they do highlight the continued threat that spyware poses, specifically the Predator software, which Talos has written about previously. An Italian cybersecurity research group also recently found that bad actors were trying to spread spyware through fake national alerts in Italy. The actors set up a fake site posing as Italy’s recently released IT Alert program for natural disasters, urging users to download an app to receive critical alerts. (Washington Post, Cyber Security Hub) 

Can’t get enough Talos? 

Upcoming events where you can find Talos 

ATT&CKcon 4.0 (Oct. 24 - 25) 

McLean, Virginia 

Nicole Hoffman and James Nutland discuss the MITRE ATT&CK framework in “One Leg to Stand on: Adventures in Adversary Tracking with ATT&CK.” Even though ATT&CK has become an industry standard for cyber threat intelligence reporting, all too often techniques are thrown at the bottom of reports and blogs without any context, never to be seen again after dissemination. This is not useful for intelligence producers or consumers. In this presentation, Nicole and James will show analysts how to use ATT&CK as a guideline for creating a contextual knowledge base for adversary tracking. 

misecCON (Nov. 17) 

Lansing, Michigan 

Terryn Valikodath from Talos Incident Response will deliver a talk providing advice on the best ways to conduct analysis, learning from his years of experience (and mishaps). He will speak about the everyday tasks he and his Talos IR teammates must go through to properly perform analysis. This talk covers topics such as planning, finding evil, recording findings, correlation and creating your own timelines. 

Most prevalent malware files from Talos telemetry over the past week 
