Welcome to this week’s edition of the Threat Source newsletter.

There are plenty of jokes about whether we’re “aware” of cybersecurity during National Cybersecurity Awareness Month. But now I’m wondering if people are aware of supply chain attacks.

I thought we hit the pinnacle of supply chain attacks in 2020 with the SolarWinds attack, when these types of attacks dominated headlines and defenders started shouting from the mountaintops about how important it is to be ready for supply chain attacks.

And then Kaseya came along a few months later when attackers found a different way to deploy malicious updates that were disguised as legitimate patches.

And still today, we’re warning about the dangers of how prevalent supply chain attacks are and how everyone needs to be ready for this attacker technique. This leaves me wondering if Kaseya and SolarWinds weren’t the breaking point — what is?

It seems like no matter how many times we see major ransomware attacks, even coming to the point of making it impossible for people to get gas, attackers are back again with another ransomware attack a few weeks later.

We still have several hurdles to overcome to fix the supply chain attack problem, as Jaeson Schultz from our Outreach team outlined in this recent post. But it’s clear that these attacks aren’t going anywhere, and neither are defenders’ warnings.

As I wrote at the start of October, it can be easy to poke fun at Cybersecurity Awareness Month because it’s impossible to define what it even means to be “aware” of cybersecurity. Clearly, there’s still awareness to spread, though, and we keep needing to spread it in regard to supply chain attacks, ransomware and pretty much every other type of cyber attack.

The one big thing

For the first time since collecting such data, Cisco Talos Incident Response saw an equal number of ransomware and pre-ransomware engagements, making up nearly 40 percent of threats in the third quarter of 2022. It can be difficult to determine what constitutes a pre-ransomware attack if ransomware never executes and encryption does not take place. However, Talos IR assesses that the combination of Cobalt Strike and credential-harvesting tools like Mimikatz, paired with enumeration and discovery techniques, indicates a high likelihood that ransomware is the final objective.

Why do I care?

This data represents what Talos IR is actively seeing in the wild over the past few months and is likely representative of the broader threat landscape.

So now what?

A lack of MFA remains one of the biggest impediments to enterprise security. Nearly 18 percent of engagements either had no MFA or only had it enabled on a handful of accounts and critical services. Talos IR frequently observes ransomware and phishing incidents that could have been prevented if MFA had been properly enabled on critical services, such as endpoint detection and response (EDR) solutions. Talos IR recommends disabling VPN access for all accounts that are not using two-factor authentication.

Top security headlines of the week

The Biden administration is preparing to release updated guidelines and warnings around election security with a few days left before the midterm elections. A bulletin reportedly being drafted includes information on threats from Russia, China and other state-sponsored actors. Election workers and local officials are also having to deal with physical threats to polling workers and locations, all while the number of volunteers is dwindling. Earlier this month, the U.S. Cybersecurity and Infrastructure Security Agency released a PSA stating that malicious cyber activity is "unlikely to disrupt or prevent voting." (Politico, Axios, Voice of America)

Apple released security updates for its iOS and iPadOS operating systems this week, including fixes for a vulnerability that “may have been actively exploited.” There are 20 vulnerabilities fixed in these updates in all. CVE-2022-42827 is the most notable vulnerability, which could allow an attacker to execute code with Kernel privileges via an attacker-controlled app. This is the third Kernel-related out-of-bounds memory vulnerability that Apple has patched in each of its previous security updates: CVE-2022-32894 and CVE-2022-32917. CVE-2022-32917 was known to be used in attacks in the wild. (Forbes, The Hacker News)

Two vulnerabilities in Microsoft's Mark of the Web (MoTW) security feature could allow an attacker to send JavaScript files that could bypass security blocks in place. Attackers are reportedly actively exploiting both issues, though Microsoft has yet to issue any formal fixes for the vulnerabilities, and there are no workarounds available. Mark of the Web protects users against files from untrusted sources, but the two vulnerabilities could allow the attackers to construct the files in a way that they are not appropriately marked by Windows. Attackers commonly use .js files as attachments or downloads that can run outside a web browser. (Dark Reading, Bleeping Computer)

Can't get enough Talos?

Upcoming events where you can find Talos

Click or Treat? How not to fall for a phishing attack this Halloween (Oct. 31)

BSides Lisbon (Nov. 10 - 11)
Cidade Universitária, Lisboa, Portugal

Most prevalent malware files from Talos telemetry over the past week

SHA 256: e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c
MD5: a087b2e6ec57b08c0d0750c60f96a74c
Typical Filename: AAct.exe
Claimed Product: N/A
Detection Name: PUA.Win.Tool.Kmsauto::1201

SHA 256: e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934
MD5: 93fefc3e88ffb78abb36365fa5cf857c
Typical Filename: Wextract
Claimed Product: Internet Explorer
Detection Name: PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg

SHA 256: c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0
MD5: 8c69830a50fb85d8a794fa46643493b2
Typical Filename: AAct.exe
Claimed Product: N/A
Detection Name: PUA.Win.Dropper.Generic::1201

SHA 256: 58d6fec4ba24c32d38c9a0c7c39df3cb0e91f500b323e841121d703c7b718681
MD5: f1fe671bcefd4630e5ed8b87c9283534
Typical Filename: KMSAuto Net.exe
Claimed Product: KMSAuto Net
Detection Name: PUA.Win.Tool.Hackkms::1201

SHA 256: 125e12c8045689bb2a5dcad6fa2644847156dec8b533ee8a3653b432f8fd5645
MD5: 2c8ea737a232fd03ab80db672d50a17a
Typical Filename: LwssPlayer.scr
Claimed Product: 梦想之巅幻灯播放器
Detection Name: Auto.125E12.241442.in02