Good afternoon, Talos readers.

We're writing this on Wednesday for PTO reasons, so apologies if we miss any major news that happens after Wednesday afternoon.

Above, you can watch our awesome live stream from Monday with Brad Garnett from Cisco Talos Incident Response. Brad sat down for a long discussion about the basics of engaging with an incident response team, provided some tips for hybrid work and answered questions live from the audience.

On the written front, we just published new research on the recent wave of cyber attacks against users on the Indian Subcontinent. We recently spotted another set of threat actors trying to spread RATs to India and Afghanistan. Our blog has the latest information on why that matters and what defenders can do to stay protected.

Upcoming Talos public engagements

Resilient Incident Response: Effective strategies for blocking ransomware attacks at SANS Cyber Solutions Fest

Speaker: Brad Garnett

Date: Oct. 22 at 8:30 a.m. ET

Location: Virtual

Description: In this session, Brad Garnett, the general manager of Cisco Talos Incident Response, will discuss practical incident response strategies for the challenges every CISO and business leader faces with a hybrid workforce. Brad will share his insights from the front lines in the fight against ransomware, explain why organizations need to re-evaluate existing incident response plans, and describe how Talos is fighting the good fight against evolving adversaries.

Cybersecurity week in review

  • The REvil ransomware group is going dark once again after its payment portal and data leak websites were breached. This threat actor already went quiet for a few months earlier this year after the U.S. government blamed it for the Kaseya supply chain attack.
  • Many local TV stations across the U.S. experienced disruptions this week after Sinclair Broadcast Group was hit with a ransomware attack. As of Monday afternoon, the company told employees the full extent of the attack was still unknown.
  • Twitter suspended two accounts believed to be connected with North Korean state-sponsored actors. The accounts allegedly tried to lure security researchers into clicking on malicious links.
  • The U.S. government released a warning last week that attackers are increasingly targeting the country’s water and wastewater systems sector. The report highlights three major campaigns targeting these critical infrastructure organizations since 2020.
  • The Biden Administration took several steps over the past week to crack down on illegal cryptocurrency transactions, especially those linked to cyber attacks. This included a warning to private companies that they could face the consequences of sanctions if they deal with virtual currencies that facilitate ransomware payment.
  • Rural communities in the U.S. are particularly susceptible to ransomware attacks. As a new profile shows, an attack can sometimes shut down key resident services for weeks because the community's IT departments are so under-prepared.
  • The number of ransomware victims who have paid extortion payments has already risen 30 percent this year from 2020. A new report from the U.S. Department of Treasury found ransomware attacks cost victims $590 million in the first six months of 2021.
  • Electronics company Acer announced it was hit with a second cyber attack in less than a week. The attackers behind both campaigns said they wanted to prove a point that the company is behind on its data security practices.
  • Hackers reportedly hailing from Turkey compromised a portion of former President Donald Trump's website. A portion of the site briefly displayed positive messages regarding Turkish President Recep Tayyip Erdoğan.

Notable recent security issues

Predecessor to DarkSide ransomware gang could make waves in coming weeks

Major U.S. government agencies released a warning this week that the BlackMatter ransomware could strike major organizations or public sector targets. An advisory from the U.S. Cybersecurity and Infrastructure Security Agency, the FBI and the National Security Agency stated that BlackMatter is likely a predecessor to DarkSide, the ransomware group known for attacking the Colonial Pipeline earlier this year. The advisory warns businesses that they should implement multi-factor authentication and enact stronger credential rules to prepare for potential BlackMatter attacks. According to the report, the ransomware has already targeted two large food cooperatives in the U.S.

Snort SIDs: 58237, 58238

Multiple vulnerabilities in ZTE MF971R LTE router

Cisco Talos recently discovered multiple vulnerabilities in the ZTE MF971R LTE portable router. The MF971R is a portable router with Wi-Fi support that also works as an LTE/GSM modem. An attacker could exploit all of these vulnerabilities by sending a specially crafted HTTP request to the targeted device. TALOS-2021-1320 and TALOS-2021-1321 are stack-based buffer overflow vulnerabilities that an attacker could exploit to execute arbitrary code remotely on the targeted device. As part of these exploits, the attacker needs to complete a referrer bypass, which is outlined in TALOS-2021-1317. TALOS-2021-1318 and TALOS-2021-1319 are cross-site scripting vulnerabilities that an attacker could use to execute arbitrary JavaScript in the victim’s browser. In this case, an attacker would need to trick the user into opening an attacker-controlled URL that hosts the malicious HTTP request.

Snort SIDs: 57749-57752, 57798, 57799, 57802, 57803, 57829

Most prevalent malware files this week

SHA 256: f0a5b257f16c4ccff520365ebc143f09ccf233e642bf540b5b90a2bbdb43d5b4
MD5: 84452e3633c40030e72c9375c8a3cacb
Typical Filename: sqhost.exe
Claimed Product: sqhost.exe
Detection Name: W32.Auto:f0a5b257f1.in03.Talos

SHA 256: 8639fd3ef8d55c45808f2fa8a5b398b0de18e5dd57af00265e42c822fb6938e2
MD5: fe3659119e683e1aa07b2346c1f215af
Typical Filename: SqlBase.exe
Claimed Product: SqlServerWorks.Runner
Detection Name: W32.8639FD3EF8-95.SBX.TG

SHA 256: 8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9
MD5: 34560233e751b7e95f155b6f61e7419a
Typical Filename: SAntivirusService.exe
Claimed Product: A n t i v i r u s S e r v i c e
Detection Name: PUA.Win.Dropper.Segurazo::tpd

SHA 256: 0e043149a1970990d0098bf986585bf2f224e4be7407348ff91efe89f8c5999c
MD5: 7b7e4f2878799268e9dd0a515420a88e
Typical Filename: S A Service.exe
Claimed Product: S_A_Service
Detection Name: W32.Auto:0e043149a1.in03.Talos

SHA 256: 33677846134841aa2541b5707102646aeedb1fc32a717a58e89a6ff69f0ef7bb
MD5: bdd455b064413ee7e1997bd10daa4904
Typical Filename: 461502.exe
Claimed Product: N/A
Detection Name: W32.3367784613-100.SBX.TG

Keep up with all things Talos by following us on Twitter. Snort and ClamAV also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast here and Talos Takes here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.