Headline
Threat Source newsletter (April 6, 2023) — Another friendly reminder about supply chain attacks
Be prepared to discuss difficult topics with potential new third-party software vendors, such as incident notification requirements, access to logs during a security incident and who the important emergency contacts are.
Thursday, April 6, 2023 14:04
Welcome to this week’s edition of the Threat Source newsletter.
It seems like we can’t go a full calendar year without a major supply chain attack. In late 2020 we had the SolarWinds incident (which, doesn’t that somehow seem like five years ago but also yesterday?), then the REvil ransomware group infiltrating the Kaseya VSA software in the summer of 2021 and last week we had another attack targeting the 3CX Desktop Softphone application.
For now, the adversaries behind the 3CX supply chain attack seem mainly focused on infiltrating cryptocurrency-related companies and exchanges to steal money. But we’ve still yet to see the full scale of this attack — the 3CX website claims to have over 600,000 customers and 12 million daily users. In the company’s latest update on the security incident, 3CX said the “incident was carried out by a highly experienced and knowledgeable hacker.”
So even though we’ve been talking about the importance of defending against supply chain attacks for three years now, I felt like this was a good place to round up all the information Talos has available on preparing for and preventing supply chain attacks. Here are a few tips with some handy links:
- If your organization is specifically affected by the 3CX supply chain attack, Cisco Secure and Talos have a range of detection available across the Cisco portfolio. 3CX also has instructions for uninstalling the affected desktop application on its website.
- Be prepared to discuss difficult topics with potential new third-party software vendors, such as incident notification requirements, access to logs during a security incident and who the important emergency contacts are. Talos Incident Response has a full list of these questions in this blog.
- Take an inventory of the SaaS applications your organization uses and document their business use case and relevant access authorizations. Nick Biasini and I talk about the importance of asset management in this episode of Talos Takes right after the SolarWinds incident.
- Implement a zero-trust approach to security so that your organization verifies every access attempt. This also means only assigning the appropriate rights to each user on a network that they need to do their job.
- Create an incident response plan and/or playbook so your organization is ready to respond in the event of a supply chain attack. Cisco Talos Incident Response can help with that.
The one big thing
The developer of the Typhon Reborn information stealer recently released an updated version (V2) that includes significant updates to its codebase and improved capabilities. Most notably, the new version features additional anti-analysis and anti-virtual machine (VM) capabilities to evade detection and make analysis more difficult.
Why do I care?
Once on an infected machine, the stealer can harvest and exfiltrate sensitive information and uses the Telegram API to send stolen data to attackers. This can include highly sensitive data, such as login information to cryptocurrency wallets and exchanges, VPN clients and email and messaging clients. The latest version of the stealer is available on dark web forums for a relatively low price in comparison to other information stealers, so Talos researchers suspect this malware will pop up in cyber attacks going forward.
So now what?
The Talos blog has a full rundown of the Cisco Secure detection capabilities in place to prevent the execution of this malware and alert users if it’s on their network.
Top security headlines of the week
While the proposed “RESTRICT Act” in U.S. Congress is widely known as the “TikTok ban,” it would actually do much more than restrict the popular social media app in the U.S. Critics of the bill say, if passed, it would give the Executive Branch greater control over the online marketplace and potentially restrict the sale of other software that could be viewed as potentially dangerous like VPNs that consumers use to encrypt and route their traffic. The White House is in favor of the bill, saying that it would protect American national security by restricting data collection from foreign governments. However, the language of the bill only says it would restrict software from countries identified as a “foreign adversary,” which currently includes China, Cuba, Iran, North Korea, Russia and Venezuela. (Vice, The Electronic Frontier Foundation)
International law enforcement agencies seized several domain names tied to Genesis Market, a popular cybercrime store, on Wednesday, while also arresting some of its alleged administrators. Genesis Market was known to sell access to stolen passwords and other data. Customers who purchased this information could load the victim’s authentication cookies into their web browser to access their online accounts without needing a password and sometimes bypass multi-factor authentication. Arrest warrants were reportedly out for several individuals involved in the marketplace in the U.S., Canada and Europe. During a series of raids this week, the UK’s National Crime Agency (NCA) arrested 24 people who are suspected users of the site. (BBC News, Krebs on Security)
Online alcohol recovery startups Monument and Tempest were mistakenly sharing users’ health information and data with third-party advertisers for years without their consent, according to a data breach notification filed with California’s attorney general. Monument, which acquired Tempest last year, assists customers in dealing with and recovering from alcohol abuse, including offering online counseling, an anonymous forum and the ability to prescribe medication. The company said in the filing that they were mistakenly sharing information through third-party ad tracking systems such as those from Google and Meta. The data shared with advertisers included patients’ photos, the answers to online questionnaires about their health and alcohol use, personally identifiable information (PII) and their insurance providers. (TechCrunch, The Verge)
Can’t get enough Talos?
- Talos Takes Ep. #133: The defensive and offensive implications of ChatGPT and AI
- Vulnerability Spotlight: Buffer overflow vulnerability in ADMesh library
- Threat Roundup for March 24 - 31
- Vulnerability Spotlight: Vulnerability in ManageEngine OpManager could lead to XXE attack
- Typhon Reborn Stealer Malware Resurfaces with Advanced Evasion Techniques
Upcoming events where you can find Talos
RSA (April 24 - 27)
San Francisco, CA
Cisco Live U.S. (June 4 - 8)
Las Vegas, NV
Most prevalent malware files from Talos telemetry over the past week
SHA 256: e248b01e3ccde76b4d8e8077d4fcb4d0b70e5200bf4e738b45a0bd28fbc2cae6
MD5: 1e2a99ae43d6365148d412b5dfee0e1c
Typical Filename: PDFpower.exe
Claimed Product: PdfPower
Detection Name: Win32.Adware.Generic.SSO.TALOS
SHA 256: 00ab15b194cc1fc8e48e849ca9717c0700ef7ce2265511276f7015d7037d8725
MD5: d47fa115154927113b05bd3c8a308201
Typical Filename: mssqlsrv.exe
Claimed Product: N/A
Detection Name: Trojan.GenericKD.65065311
SHA 256: e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934
MD5: 93fefc3e88ffb78abb36365fa5cf857c
Typical Filename: Wextract
Claimed Product: Internet Explorer
Detection Name: PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg
SHA 256: de3908adc431d1e66656199063acbb83f2b2bfc4d21f02076fe381bb97afc423
MD5: 954a5fc664c23a7a97e09850accdfe8e
Typical Filename: teams15.exe
Claimed Product: teams15
Detection Name: Gen:Variant.MSILHeracles.59885
SHA 256: c74e7421f2021b46ee256e5f02d94c1bce15da107c8c997c611055412de1ac1
MD5: 2d16d0af6183803a79d9ef5c744286c4
Typical Filename: nano_download.php
Claimed Product: Web Companion Installer
Detection Name: W32.1C74E7421F-100.SBX.VIOC