Threat Source newsletter (Aug. 4, 2022) — BlackHat 2022 preview

By Jon Munshaw.

Welcome to this week’s edition of the Threat Source newsletter.

After what seems like forever and honestly has been a really long time, we’re heading back to BlackHat in-person this year. We’re excited to see a lot of old friends again to commiserate, hang out, trade stories and generally talk about security.

Throughout the two days of the main conference, we’ll have a full suite of flash talks at the Cisco Secure booth and several sponsored talks. Since this is the last edition of the newsletter before BlackHat starts, it’s probably worthwhile running through all the cool stuff we’ll have going on at Hacker Summer Camp.

Our booth should be easy enough to find — it’s right by the main entrance to Bayside B. If you get to the Trellix Lounge, you’ve gone too far north. Our researchers will be there to answer any questions you have and present on a wide variety of security topics, from research into Adobe vulnerabilities to the privacy effects of the overturn of Roe vs. Wade. Attendees who watch a lightning talk can grab a never-before-seen Snort 3-themed Snorty and our malware mascot stickers, which were a big hit at Cisco Live this year.

We’ll also be over at the Career Center if you want to come work with us. Or even if you don’t, word on the street is there’ll be silver and gold Snortys there. And on Thursday the 11th between 10 a.m. and noon local time a Talos hiring manager will be on site reviewing resumes and taking questions.

If you want more in-depth talks, we’ll have five sponsored sessions between the 10th and 11th. If you want the latest schedule and location on those talks, be sure to follow us on Twitter or check out Cisco’s BlackHat event page here. Our sponsored talks cover Talos’ latest work in Ukraine, the growing threat of business email compromise and current trends from state-sponsored actors. Make sure to catch all five of them.

And if you liked our speakeasy at Cisco Live, you’ll love the next secret we have in store at the BlackHat booth. Swing by and ask us about it.

For anyone sticking around for DEF CON, we’ll also have a presence there with Blue Team Village. Drop any questions in the Blue Team Village Discord for us, and be sure to attend the BTV Pool Party on Aug. 12 from 8 – 11 p.m. local time.

To stay up to date on all things Talos at both conferences, be sure to follow us on social media.

The one big thing

Cisco Talos recently discovered a new attack framework called “Manjusaka” being used in the wild that could be the next evolution of Cobalt Strike, and is even advertised as an imitation of it. Although we haven’t observed widespread usage of this framework in the wild, it has the potential to be adopted by threat actors all over the world.

Why do I care? Our researchers discovered a fully functional version of the command and control (C2) server, written in Go with a user interface in Simplified Chinese, that’s freely available and can easily generate new implants with custom configurations. This increases the likelihood of wider adoption of this framework by malicious actors. If you’re a defender of any kind, you want to stay up on the latest tools attackers are likely to use. And since Cobalt Strike is already one of the most widely used tools out there, it’s safe to assume any evolution of it is going to draw some interest.

So now what? Organizations must be diligent against such easily available tools and frameworks that can be misused by a variety of threat actors. Defense-in-depth strategies based on a risk analysis approach deliver the best results in preventing this framework from taking hold. Talos also released Snort rule 60275 and ClamAV signature Win.Trojan.Manjusaka-9956281-1 to detect the use of Manjusaka.

Other news of note

Everything from convenience stores to government websites in Taiwan saw an uptick in cyber attacks this week after U.S. House Speaker Nancy Pelosi visited the country. She was the highest-ranking U.S. official to visit there in more than 20 years. However, many of the attacks appeared to come from low-skilled attackers, and some could even be attributed to a normal uptick in traffic from a busy news day. China could still retaliate for the visit with a cyber attack against Taiwan or the U.S., as the Chinese government has voiced its displeasure over Pelosi’s actions and launched several kinetic warfare exercises. (Reuters, Washington Post)

The U.S. Cybersecurity and Infrastructure Security Agency is warning that attackers are actively exploiting a critical vulnerability in Atlassian Confluence disclosed last week. CISA added CVE-2022-26138, a hardcoded password vulnerability in the Questions for Confluence app, to its list of Known Exploited Vulnerabilities on Friday. Adversaries can exploit this vulnerability to gain total access to data in on-premises Confluence Server and Confluence Data Center platforms. U.S. federal agencies have three weeks to patch the issue under CISA’s new guidance. (Dark Reading, Bleeping Computer)

North Korean state-sponsored actors continue to be active, recently adding a new Gmail attack to their arsenal. The infamous SharpTongue group uses the SHARPEXT malware to target organizations in the U.S., Europe and South Korea that work on nuclear weapons and other topics North Korea sees as relevant to its national security. SHARPEXT installs a Google Chrome extension that allows the attackers to bypass users’ Gmail multi-factor authentication and passwords, eventually entering the inbox and reading and downloading email and attachments. Other North Korean actors continue to use fake LinkedIn applications to apply for remote jobs, hoping to eventually steal cryptocurrency and fund the country’s weapons program. (Ars Technica, Bloomberg)

Can’t get enough Talos?

  • Talos Takes Ep. #106: The top attacker trends from the past quarter
  • Beers with Talos Ep. #124: There’s no such thing as “I have nothing to hide”
  • BlackHat — A poem
  • Vulnerability Spotlight: Vulnerabilities in Alyac antivirus program could stop virus scanning, cause code execution
  • Vulnerability Spotlight: How misusing properly serialized data opened TCL LinkHub Mesh Wi-Fi system to 17 vulnerabilities
  • Researcher Spotlight: You should have been listening to Lurene Grenier years ago
  • Manjusaka, a new attack tool similar to Sliver and Cobalt Strike

Upcoming events where you can find Talos

BlackHat U.S.A 2022 (Aug. 6 - 11, 2022) Las Vegas, Nevada

USENIX Security '22 (Aug. 10 - 12, 2022) Las Vegas, Nevada

DEF CON U.S. (Aug. 11 - 14, 2022) Las Vegas, Nevada

Security Insights 101 Knowledge Series (Aug. 25, 2022) Virtual

Most prevalent malware files from Talos telemetry over the past week

SHA 256: e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934
MD5: 93fefc3e88ffb78abb36365fa5cf857c
Typical Filename: Wextract
Claimed Product: Internet Explorer
Detection Name: PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg

SHA 256: 125e12c8045689bb2a5dcad6fa2644847156dec8b533ee8a3653b432f8fd5645
MD5: 2c8ea737a232fd03ab80db672d50a17a
Typical Filename: LwssPlayer.scr
Claimed Product: 梦想之巅幻灯播放器
Detection Name: Auto.125E12.241442.in02

SHA 256: f21b040f7c47d8d3d9c1f0ef00f09e69f2c3f0e19d91988efc0ddd4833ced121
MD5: 9066dff68c1d66a6d5f9f2904359876c
Typical Filename: dota-15_id3622928ids1s.exe
Claimed Product: N/A
Detection Name: W32.F21B040F7C.in12.Talos

SHA 256: e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c
MD5: a087b2e6ec57b08c0d0750c60f96a74c
Typical Filename: AAct.exe
Claimed Product: N/A
Detection Name: PUA.Win.Tool.Kmsauto::1201

SHA 256: 168e625c7eb51720f5ce1922aec6ad316b3aaca838bd864ee2bcdbd9b66171d0
MD5: 311d64e4892f75019ee257b8377c723e
Typical Filename: ultrasurf-21-32.exe
Claimed Product: N/A
Detection Name: W32.DFC.MalParent

Related news

Vulnerability Management news and publications #2

Hello everyone! This is the second episode of Vulnerability Management news and publications. In fact, this is a collection of my posts from the avleonovcom and avleonovrus telegram channels. Therefore, if you want to read them earlier, subscribe to these channels. Alternative video link (for Russia): https://vk.com/video-149273431_456239097 What’s in this episode: Microsoft released a propaganda […]

CISA Warns of Atlassian Confluence Hard-Coded Credential Bug Exploited in Attacks

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday added the recently disclosed Atlassian security flaw to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. The vulnerability, tracked as CVE-2022-26138, concerns the use of hard-coded credentials when the Questions For Confluence app is enabled in Confluence Server and Data Center

Latest Critical Atlassian Confluence Vulnerability Under Active Exploitation

A week after Atlassian rolled out patches to contain a critical flaw in its Questions For Confluence app for Confluence Server and Confluence Data Center, the shortcoming has now come under active exploitation in the wild. The bug in question is CVE-2022-26138, which concerns the use of a hard-coded password in the app that could be exploited by a remote, unauthenticated attacker to gain

Patch Now: Atlassian Confluence Bug Under Active Exploit

Attackers almost immediately leapt on a just-disclosed bug, CVE-2022-26138, affecting Atlassian Confluence, which allows remote, unauthenticated actors unfettered access to Confluence data.

Critical Bugs Threaten to Crack Atlassian Confluence Workspaces Wide Open

A hardcoded password associated with the Questions for Confluence app has been publicly released, which will likely lead to exploit attempts that give cyberattackers access to all Confluence content.

Atlassian patches batch of critical vulnerabilities across multiple products

Jira, Bamboo, Bitbucket, Confluence, Fisheye/Crucible, and Questions for Confluence affected

Atlassian Rolls Out Security Patch for Critical Confluence Vulnerability

Atlassian has rolled out fixes to remediate a critical security vulnerability pertaining to the use of hard-coded credentials affecting the Questions For Confluence app for Confluence Server and Confluence Data Center. The flaw, tracked as CVE-2022-26138, arises when the app in question is enabled on either of two services, causing it to create a Confluence user account with the username "

CVE-2022-26138: Questions For Confluence Security Advisory 2022-07-20 | Confluence Data Center and Server 7.18

The Atlassian Questions For Confluence app for Confluence Server and Data Center creates a Confluence user account in the confluence-users group with the username disabledsystemuser and a hardcoded password. A remote, unauthenticated attacker with knowledge of the hardcoded password could exploit this to log into Confluence and access all content accessible to users in the confluence-users group. This user account is created when installing versions 2.7.34, 2.7.35, and 3.0.2 of the app.
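As an added example, not part of the newsletter and not Atlassian's own tooling, the following Python script runs the three checks a defender would want for the advisory above: whether the installed Questions for Confluence version is one of the three that create the account, whether a `disabledsystemuser` account exists in the `confluence-users` group, and whether any sign-in attempts with that username appear in the login log. The username, group and version numbers come from the advisory; the user-export JSON shape, the log line format and the sample data are constructed for this example and are not Confluence's real export or log formats.

```python
from __future__ import annotations

import json
import re
from dataclasses import dataclass

# Facts taken from the advisory text above.
VULNERABLE_QFC_VERSIONS = {"2.7.34", "2.7.35", "3.0.2"}
SUSPECT_USERNAME = "disabledsystemuser"
SUSPECT_GROUP = "confluence-users"

# Constructed sample user export. The JSON shape is hypothetical (chosen for
# this example), not the Confluence REST API's; substitute your own export.
SAMPLE_USER_EXPORT = json.dumps([
    {"username": "alice", "groups": ["confluence-users"], "active": True},
    {"username": "disabledsystemuser", "groups": ["confluence-users"], "active": True},
    {"username": "bob", "groups": ["confluence-administrators", "confluence-users"], "active": True},
])

# Constructed sample login log. The line format is hypothetical as well.
SAMPLE_LOGIN_LOG = """\
2022-07-28 09:12:04 INFO  login user=alice result=success ip=10.0.0.12
2022-07-29 23:41:10 INFO  login user=disabledsystemuser result=failure ip=203.0.113.7
2022-07-29 23:41:15 INFO  login user=disabledsystemuser result=success ip=203.0.113.7
2022-07-30 08:00:00 INFO  login user=bob result=success ip=10.0.0.33
"""

LOGIN_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \S+\s+login user=(?P<user>\S+) result=(?P<result>\S+) ip=(?P<ip>\S+)$"
)


@dataclass(frozen=True)
class Finding:
    kind: str            # "account", "login-success" or "login-failure"
    detail: str
    active: bool = False  # only meaningful for kind == "account"


def is_vulnerable_app_version(version: str) -> bool:
    """True if this Questions for Confluence version is one that creates the account."""
    return version.strip() in VULNERABLE_QFC_VERSIONS


def find_suspect_account(user_export_json: str) -> Finding | None:
    """Return a finding if the advisory's account exists in the user directory."""
    for user in json.loads(user_export_json):
        if user.get("username") == SUSPECT_USERNAME:
            in_group = SUSPECT_GROUP in user.get("groups", [])
            active = bool(user.get("active"))
            state = "active" if active else "disabled"
            return Finding("account", f"{SUSPECT_USERNAME} is {state}; in {SUSPECT_GROUP}: {in_group}", active)
    return None


def find_suspect_logins(log_text: str) -> list[Finding]:
    """Return every login attempt (success or failure) recorded for the account."""
    findings = []
    for line in log_text.splitlines():
        m = LOGIN_RE.match(line)
        if m and m["user"] == SUSPECT_USERNAME:
            findings.append(Finding(f"login-{m['result']}", f"{m['ts']} from {m['ip']}"))
    return findings


def assess(app_version: str, user_export_json: str, log_text: str) -> dict:
    """Combine the three checks into one verdict a responder can act on."""
    account = find_suspect_account(user_export_json)
    logins = find_suspect_logins(log_text)
    successes = [f for f in logins if f.kind == "login-success"]
    if successes:
        action = "treat as compromised: disable the account, invalidate its sessions, review content access"
    elif account and account.active:
        action = "disable or delete the account before it is used"
    elif account:
        action = "account already disabled; confirm it stays disabled after app updates"
    else:
        action = "account not present; no action beyond keeping the app updated"
    return {
        "vulnerable_version": is_vulnerable_app_version(app_version),
        "account_present": account is not None,
        "successful_logins": len(successes),
        "failed_logins": len(logins) - len(successes),
        "action": action,
    }


if __name__ == "__main__":
    for finding in find_suspect_logins(SAMPLE_LOGIN_LOG):
        print(finding)
    print(assess("2.7.35", SAMPLE_USER_EXPORT, SAMPLE_LOGIN_LOG))
```

The verdict is driven by the user directory and the login log rather than by whether the app is installed, because the account the advisory describes is an ordinary Confluence user: it has to be found and disabled as such, and any successful sign-in with that username is evidence of the exploitation the newsletter reports, not just exposure.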