Welcome to this week’s edition of the Threat Source newsletter.
There are plenty of jokes about whether we’re “aware” of cybersecurity during National Cybersecurity Awareness Month. But now I’m wondering if people are aware of supply chain attacks.
I thought we hit the pinnacle of supply chain attacks in 2020 with the SolarWinds attack, when these types of attacks dominated headlines and defenders started shouting from the mountaintops about how important it is to be ready for supply chain attacks.
And then Kaseya came along a few months later when attackers found a different way to deploy malicious updates that were disguised as legitimate patches.
And still today, we’re warning about the dangers of how prevalent supply chain attacks are and how everyone needs to be ready for this attacker technique. This leaves me wondering if Kaseya and SolarWinds weren’t the breaking point — what is?
It seems like no matter how many times we see major ransomware attacks, even coming to the point of making it impossible for people to get gas, attackers are back again with another ransomware attack a few weeks later.
We still have several hurdles to overcome to fix the supply chain attack problem, as Jaeson Schultz from our Outreach team outlined in this recent post. But it’s clear that these attacks aren’t going anywhere, and neither are defenders’ warnings.
As I wrote at the start of October, it can be easy to poke fun at Cybersecurity Awareness Month because it’s impossible to define what it even means to be “aware” of cybersecurity. Clearly, there’s still awareness to spread, though, and we keep needing to spread it in regard to supply chain attacks, ransomware and pretty much every other type of cyber attack.
The one big thing
For the first time since collecting such data, Cisco Talos Incident Response saw an equal number of ransomware and pre-ransomware engagements, making up nearly 40 percent of threats in the third quarter of 2022. It can be difficult to determine what constitutes a pre-ransomware attack if ransomware never executes and encryption does not take place. However, Talos IR assesses that the combination of Cobalt Strike and credential-harvesting tools like Mimikatz, paired with enumeration and discovery techniques, indicates a high likelihood that ransomware is the final objective.
Why do I care?
This data represents what Talos IR is actively seeing in the wild over the past few months and is likely representative of the broader threat landscape.
So now what?
A lack of MFA remains one of the biggest impediments to enterprise security. Nearly 18 percent of engagements either had no MFA or only had it enabled on a handful of accounts and critical services. Talos IR frequently observes ransomware and phishing incidents that could have been prevented if MFA had been properly enabled on critical services, such as endpoint detection and response (EDR) solutions. Talos IR recommends disabling VPN access for all accounts that are not using two-factor authentication.
Top security headlines of the week
The Biden administration is preparing to release updated guidelines and warnings around election security with a few days left before the midterm elections. A bulletin reportedly being drafted includes information on threats from Russia, China and other state-sponsored actors. Election workers and local officials are also having to deal with physical threats to polling workers and locations, all while the number of volunteers is dwindling. Earlier this month, the U.S. Cybersecurity and Infrastructure Security Agency released a PSA stating that malicious cyber activity is "unlikely to disrupt or prevent voting." (Politico, Axios, Voice of America)
Apple released security updates for its iOS and iPadOS operating systems this week, including fixes for a vulnerability that “may have been actively exploited.” There are 20 vulnerabilities fixed in these updates in all. CVE-2022-42827 is the most notable vulnerability, which could allow an attacker to execute code with Kernel privileges via an attacker-controlled app. This is the third Kernel-related out-of-bounds memory vulnerability that Apple has patched in each of its previous security updates: CVE-2022-32894 and CVE-2022-32917. CVE-2022-32917 was known to be used in attacks in the wild. (Forbes, The Hacker News)
Can't get enough Talos?
- Talos Takes Ep. #118: Threat Hunting 101
- Beers with Talos Ep. #127: I’m a skiddie, and you can too!
- A bug in Abode’s home security system could let hackers remotely switch off cameras
- Talos Incident Response Q3 2022 Quarterly Report
Upcoming events where you can find Talos
Click or Treat? How not to fall for a phishing attack this Halloween (Oct. 31)
BSides Lisbon (Nov. 10 - 11)
Cidade Universitária, Lisboa, Portugal
Most prevalent malware files from Talos telemetry over the past week
SHA 256: e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c
Typical Filename: AAct.exe
Claimed Product: N/A
Detection Name: PUA.Win.Tool.Kmsauto::1201
SHA 256: e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934
Typical Filename: Wextract
Claimed Product: Internet Explorer
Detection Name: PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg
SHA 256: c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0
Typical Filename: AAct.exe
Claimed Product: N/A
Detection Name: PUA.Win.Dropper.Generic::1201
SHA 256: 58d6fec4ba24c32d38c9a0c7c39df3cb0e91f500b323e841121d703c7b718681
Typical Filename: KMSAuto Net.exe
Claimed Product: KMSAuto Net
Detection Name: PUA.Win.Tool.Hackkms::1201
SHA 256: 125e12c8045689bb2a5dcad6fa2644847156dec8b533ee8a3653b432f8fd5645
Typical Filename: LwssPlayer.scr
Claimed Product: 梦想之巅幻灯播放器
Detection Name: Auto.125E12.241442.in02