Welcome to this week’s edition of the Threat Source newsletter.

I’m at the point in the calendar year where I’m a sponge for NFL content. I couldn’t be happier to escape from my six-month American football-free slumber and am ready to watch games three days a week and listen to NFL podcasts or read power rankings the other four.

So of course, I wasn’t going to miss this feature in Dark Reading from the NFL’s chief information security officer, which just happens to include several shoutouts to Talos and Cisco. Talos is a valuable security partner with the NFL, helping secure their major events like the NFL Draft and Super Bowl, the most-watched entertainment event in the U.S. every year.

One of the things that Tomás Maldonado said in the Dark Reading interview really stood out to me — that he’s worried about deepfakes of NFL players being used in scams. Deepfakes have been making the rounds for years in scams of celebrities and politicians seeming to ask for various things (often money), and Maldonado said he’s worried that attackers could start using the likenesses of popular NFL players for scams and spam.

I actually hadn’t realized that deepfakes had already been around in the NFL sphere for a while, though.

In an ESPN “30 for 30” documentary in 2021, the creators used deepfake AI voices for former Raiders owner Al Davis and former commissioner Pete Rozelle, who both died many years before the documentary was made. Public reception was mixed, at best.

The league’s Dallas Cowboys are also jumping on the AI train and created an AI-powered hologram version of team owner Jerry Jones. Fans can pay $55 to take a tour of the Cowboys’ AT&T Stadium and ask the AI version of Jones questions (as a Browns fan, I mainly would just like to thank him for only asking for a fifth-round pick in exchange for receiver Amari Cooper).

Bad actors have shown they will literally use any and all forms of deepfakes to try and trick users. So it’s not hard to see where Maldonado is coming from with his concerns.

With the popularity of pay-for-shoutout services like Cameo, it’d be fairly easy for someone to develop a convincing enough deepfake of a player and try to steal someone’s money by saying they could prank their fantasy football league for $50. This just isn’t a particular attack vector I had considered before — I always assumed deepfakes were reserved for political leaders or some of the highest-profile people in the world.

And while I couldn’t find any current examples of where this is actively happening in the wild, it’s not a crazy jump to think that if ESPN can create a convincing AI version of Al Davis, someone else can make an AI voice that sounds just like Aaron Rodgers asking for money or a fake Russell Wilson pushing season ticket “deals.”

The one big thing

Microsoft disclosed two zero-day vulnerabilities as part of its monthly security update on Tuesday, one of which already has proof-of-concept code floating around in the wild. There are five other critical vulnerabilities included in September’s Patch Tuesday, which is relatively low for a traditional Microsoft security release, and 56 vulnerabilities the company considers “important.”

Why do I care?

One of the vulnerabilities adversaries are already exploiting in the wild is CVE-2023-36802, an elevation of privilege vulnerability in Microsoft Streaming Service, a corporate video sharing platform integrated into SharePoint and Office 365. An adversary who successfully exploits this vulnerability can gain SYSTEM privileges. Additionally, CVE-2023-36761 has already been exploited in the wild and proof-of-concept code is publicly available. Although it is not clear how exactly an attacker could exploit this vulnerability in Microsoft Word, Microsoft states that the Preview Pane is also a potential attack vector in this case. If successful, an adversary could view NTLM hashes. Microsoft’s warnings about these vulnerabilities indicate attackers were already exploiting these issues in the wild prior to Tuesday’s patch, so all users should be sure to patch these ASAP.

So now what?

Microsoft’s security update guide has all the patches users need to install, which everyone should do now if they haven’t already. Talos’ Patch Tuesday blog also outlines several Snort rules we released to detect the exploitation of some of these vulnerabilities.

Top security headlines of the week

Apple released a series of security updates over the past week that users of all the company’s mobile devices are encouraged to install as soon as possible. A security update on Sept. 7 warned that users needed to update to iOS 16.6.1 or iPadOS 16.6.1 right away to fix security vulnerabilities that attackers were actively exploiting in the wild. In some cases, these exploits led to the installation of spyware on targeted devices. Apple said in an advisory that, “Processing a maliciously crafted image may lead to arbitrary code execution.” The company followed that up with another security update on Monday for older models of iPhones, iPads, Macs and other Apple devices that “provides important security fixes,” likely for the same vulnerabilities. Apple was scheduled to announce its newest iPhone and Apple Watch at an event Wednesday. (USA Today, CNET)

The U.S. and U.K. have sanctioned more alleged members of the Trickbot cybercrime ring. Law enforcement officials in both countries announced sanctions against 11 individuals they claim are “involved in management and procurement for the Trickbot group.” Trickbot is known for targeting large businesses and organizations with ransomware and has alleged ties to the Russian government. Seven of the people listed are also charged with working with the Conti ransomware group, which broke up at the end of 2022. These people are alleged "administrators, managers, developers, and coders” for Conti. The U.K.’s National Crime Agency reported that Trickbot attacks have generated an estimated $180 million from victims, $33.6 million of that coming from victims in the U.K. The group’s list of reported victims includes hospitals, schools and government agencies across the globe. (TechCrunch, Dark Reading)

Security researchers are concerned that adversaries are starting to crack stolen passkeys taken during a data breach at LastPass. More than 150 people recently affected by cryptocurrency wallet thefts were LastPass users, leading to the equivalent of $35 million in virtual currency being stolen. Many cryptocurrency consumers use security phrases to protect their wallets, and then store that phrase in an encrypted folder inside a password manager like LastPass. If an attacker were able to learn that phrase, they could essentially access all the victim’s cryptocurrency holdings tied to that key. LastPass has yet to comment on the researchers’ findings because, it said, an active law enforcement investigation into the 2022 breach is still ongoing. (Krebs on Security, The Verge)

Can’t get enough Talos?

Upcoming events where you can find Talos

LABScon (Sept. 20 - 23)

Scottsdale, Arizona

Vitor Ventura gives a presentation that is a detailed account and timeline of a mercenary spyware organization, from almost bankrupt to having fully working spyware targeting iOS and Android with a one-click zero-day exploit.

Grace Hopper Celebration (Sept. 26 - 29)

Orlando, Florida

Caitlin Huey, Susan Paskey and Alexis Merritt present a "Level Up Lab" titled "Don’t Fail Knowledge Checks: Accelerating Incident Response with Threat Intelligence." Participate in several fast-paced activities that emphasize the importance of threat intelligence in security incident investigations. Attendees will act as incident responders investigating a simulated incident that unfolds throughout this session. Periodic checkpoints will include discussions that highlight how incident response and threat intelligence complement each other during an active security investigation.

ATT&CKcon 4.0 (Oct. 24 - 25)

McLean, Virginia

Nicole Hoffman and James Nutland discuss the MITRE ATT&CK framework in “One Leg to Stand on: Adventures in Adversary Tracking with ATT&CK.” Even though ATT&CK has become an industry standard for cyber threat intelligence reporting, all too often, techniques are thrown at the bottom of reports and blogs without any context, never to be seen again after dissemination. This is not useful for intelligence producers or consumers. In this presentation, Nicole and James will show analysts how to use ATT&CK as a guideline for creating a contextual knowledge base for adversary tracking.

Most prevalent malware files from Talos telemetry over the past week

SHA 256: 0e2263d4f239a5c39960ffa6b6b688faa7fc3075e130fe0d4599d5b95ef20647
MD5: bbcf7a68f4164a9f5f5cb2d9f30d9790
Typical Filename: bbcf7a68f4164a9f5f5cb2d9f30d9790.vir
Claimed Product: N/A
Detection Name: Win.Dropper.Scar::1201

SHA 256: d5763a87ec22a583b9dd853e31a9d4cb187d81251ce51099ce3d0f749bbf405a
MD5: 5cedec562076ac629453cc99dd0cdda6
Typical Filename: nYzVlQyRnQmDcXk
Claimed Product: N/A
Detection Name: W32.Auto:d5763a.in03.Talos

SHA 256: 4c3c7be970a08dd59e87de24590b938045f14e693a43a83b81ce8531127eb440
MD5: ef6ff172bf3e480f1d633a6c53f7a35e
Typical Filename: iizbpyilb.bat
Claimed Product: N/A
Detection Name: Trojan.Agent.DDOH

SHA 256: d5219579eec1819d52761730a72ce7a95ee3f598fcfd9a4b86d1010ea103e827
MD5: bf357485cf123a72a46cc896a5c4b62d
Typical Filename: bf357485cf123a72a46cc896a5c4b62d.virus
Claimed Product: N/A
Detection Name: W32.Auto:d5219579ee.in03.Talos

SHA 256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91
MD5: 7bdbd180c081fa63ca94f9c22c457376
Typical Filename: c0dwjdi6a.dll
Claimed Product: N/A
Detection Name: Trojan.GenericKD.33515991