Two notable vulnerabilities in Google Chrome should be patched asap, and an allegedly new ransomware-as-a-service group.

Thursday, September 28, 2023 14:09

Welcome to this week’s edition of the Threat Source newsletter.

Since Elon Musk first started talking about purchasing Twitter/X around this time last year, one of his main sticking points has been how many bot accounts are on the platform and how that potentially affects advertising revenue and user counts.

In the latest advancement in the alleged fight against bots, X recently launched a government ID-based authentication process available to its paid premium users. The social media platform is partnering with a third-party security company to provide advanced, faster support to make it more difficult for others to impersonate the user.

The setup process says it involves the user taking a picture with their computer’s camera with their government-issued ID. According to X’s Verification Policy, the third-party company only keeps the provided picture for as long as it takes to verify the provided information, and any ID images are only kept for 72 hours. The information derived from the submitted pictures is stored for 30 days by the third party in the name of providing users “an opportunity to appeal a verification decision and for X to review your appeal.”

Meta, Facebook and Instagram’s parent company, has been rolling out a similar program called Meta Verified that also asks users to submit photos of a government ID and pay a subscription fee to receive “account verification with impersonation protections and access to increased visibility and support.”

Taken at face value, X and Meta’s retention policies for these provided images of IDs seem fine. The main issue for me is I don’t really see what the concrete benefits here are.

On X, submitting the ID information and paying for the premium subscription only says it provides faster support, and an additional verification badge on a user’s account along with the now-infamous blue checkmark. The option is not available to business or organizational accounts, which seems like it’d be the space most ripe for impersonation — I’ve certainly observed my fair share of Talos-impersonated accounts on that platform where someone tried passing as our organization.

X is also saying it will only look into future benefits for this verification program, which “may explore additional measures, such as ensuring users have access to age-appropriate content and protecting against spam and malicious accounts.” The service still isn’t offered in the EU and U.K., either, presumably because of the stricter data privacy laws in those regions.

When these verification procedures are in place, there’s no guarantee they work, either. My sister-in-law had her Instagram/Meta account taken over by a cryptocurrency spammer last year, and even when she submitted a 360-degree selfie and images of her government-issued ID to Instagram, they denied her claim that her account was hacked, and to this day it’s still sending cryptocurrency spam to her family members even though she’s created a new account. Her appeal was not accepted by the company, either.

That’s one very specific case, I know, but if I’m going to start sending these companies with dubious security histories pictures of my driver’s license, I’m going to need a bit more than promises of future features and vague support promises before I’m sold on this method of multi-factor authentication.

**The one big thing**

Google Chrome users should update their browsers as soon as possible after the company disclosed multiple, serious vulnerabilities. Google initially disclosed CVE-2023-4863 as a heap buffer overflow in the WebP image format in Chrome. However, on Wednesday, it released a new advisory with CVE-2023-5129 identifying that the vulnerability actually existed in libwebp, meaning it affects multiple applications and not just Chrome. The updated advisory also elevated the severity score to a maximum 10 out of 10. This week, Talos also disclosed CVE-2023-3421, a use-after-free vulnerability that affects Chrome. An attacker could exploit this vulnerability by tricking the target into visiting a specially crafted HTML web page.

**Why do I care?**

Chrome is a very popular web browser, and its Chromium open-source version serves as the basis for many other browsing software. The fact that critical WebP vulnerability is particularly notable because WebP is the new default file format that most images use when  processed in Chrome. According to the advisory, “With a specially crafted WebP lossless file, libwebp may write data out of bounds to the heap,” if an attacker exploits CVE-2023-5129.

**So now what?**

The advice here is pretty simple — update your Google Chrome if you haven’t already!

**Top security headlines of the week**

**MGM casinos went back online last week after 10 days** due to a ransomware attack. The company’s casinos and hotels were able to fix all issues pertaining to guest services and the electronic slot machines that had been taken down due to the attack. One estimate suggests the outage may have cost the company upward of $80 million. The Scattered Spider threat actor is taking credit for the attack, partnering with known ransomware magnate ALPHV. Security researchers believe Scattered Spider is actually a hacking group that calls itself Star Fraud. New research presented at LABScon last week also stated that the group infiltrated MGM and Caesars, another casino manager, after gaining access to Okta authentication servers. (Washington Post, Associated Press)

**A hacking group claims to have breached “all of Sony \[SIC\] Systems”** and is reportedly selling stolen data on the dark web. A new group called Ransomed.vc is taking credit for the alleged attack and says it accessed more than 6,000 files from the tech giant known for producing the PlayStation video game console. Sony says it is still investigating the group’s claims. Despite the name, Ransomed.vc is actually an extortion group and does not have its own encryptor. Instead, it plans to sell the data on the dark web for $2.5 million. However, other threat actors have since stepped up to also take credit for the attack, leaving exact attribution in doubt. Another threat actor calling themselves MajorNelson says they “leaked for free" a 2.4 GB compressed archive that contains 3.14 GB of uncompressed data it claims belongs to Sony. (Bleeping Computer, Kotaku)

**A new ransomware-as-a-service syndicate ShadowSyndicate is reportedly operating a massive network of servers** that’s connected to other large ransomware families. Security researchers say the group has potential ties to the ALPHV ransomware group and other ransomware families like Clop, Play, Royal and Cactus. A new report outlines dozens of systems that ShadowSyndicate controls, including 52 containing the group’s secure shell (SSH) fingerprint it uses as Cobalt Strike beacons to manage and coordinate its various malware campaigns. It’s currently unclear if ShadowSyndicate is truly a ransomware-as-a-service group or more of an initial access broker. (DarkReading, SC Magazine)

**Can’t get enough Talos?**

*   Talos Takes Ep. #155: How Talos helped defend BlackHat's network in Vegas
*   Beers with Talos Ep. #139: Who is Jacques Wagon?
*   Decipher Security Podcast Source Code 9/22
*   ICS protocol coverage using Snort 3 service inspectors
*   10 new vulnerabilities disclosed by Talos, including use-after-free issue in Google Chrome

**Upcoming events where you can find Talos**

**Grace Hopper Celebration** **(Sept. 26 - 29)**

Orlando, Florida

> _Caitlin Huey, Susan Paskey and Alexis Merritt present a "Level Up Lab" titled "Don’t Fail Knowledge Checks: Accelerating Incident Response with Threat Intelligence." Participate in several fast-paced activities that emphasize the importance of threat intelligence in security incident investigations. Attendees will act as incident responders investigating a simulated incident that unfolds throughout this session. Periodic checkpoints will include discussions that highlight how incident response and threat intelligence complement each other during an active security investigation._

**ATT&CKcon 4.0** **(Oct. 24 - 25)**

McLean, Virginia

> _Nicole Hoffman and James Nutland discuss the MIRE ATT&CK framework in “One Leg to Stand on: Adventures in Adversary Tracking with ATT&CK.” Even though ATT&CK has become an industry standard for cyber threat intelligence reporting, all too often, techniques are thrown at the bottoms of reports and blogs without any context never to be seen again after dissemination. This is not useful for intelligence producers or consumers. In this presentation, Nicole and James will show analysts how to use ATT&CK as a guideline for creating a contextual knowledge base for adversary tracking._

**misecCON** **(Nov. 17)**

Lansing, Michigan

> _Terryn Valikodath from Talos Incident Response will deliver a talk providing advice on the best ways to conduct analysis, learning from his years of experience (and mishaps). He will speak about the everyday tasks he and his Talos IR teammates must go through to properly perform analysis. This talk covers topics such as planning, finding evil, recording findings, correlation and creating your own timelines._

**Most prevalent malware files from Talos telemetry over the past week**

**SHA 256:** e2cdf48bc6741afd7aba54d7c0b30401d2d6dd06138979ca73f3167915bf22b3  
**MD5:** eba4ad9540713d5956ab0b6a566c1487  
**Typical Filename:** webnavigatorbrowser.exe  
**Claimed Product:** WebNavigatorBrowser  
**Detection Name:** Win64:WebNav.26k0.rlsync.Talos

**SHA 256:** 0e2263d4f239a5c39960ffa6b6b688faa7fc3075e130fe0d4599d5b95ef20647  
**MD5:** bbcf7a68f4164a9f5f5cb2d9f30d9790  
**Typical Filename:** bbcf7a68f4164a9f5f5cb2d9f30d9790.vir  
**Claimed Product:** N/A  
**Detection Name:** Win.Dropper.Scar::1201

**SHA 256:** 7f66d4580871e3ee6a35c8fef6da7ab26a93ba36b80279625328aaf184435efa  
**MD5:** e9a6b1346d1a2447cabb980f3cc5dd27  
**Typical Filename:** профиль 10 класс.exe  
**Claimed Product:** N/A  
**Detection Name:** Application\_Blocker

**SHA 256:** a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91  
**MD5:** 7bdbd180c081fa63ca94f9c22c457376  
**Typical Filename:** c0dwjdi6a.dll  
**Claimed Product:** N/A  
**Detection Name:** Trojan.GenericKD.33515991

The security pitfalls of social media sites offering ID-based authentication

Talos disclosed 10 vulnerabilities over the past two weeks affecting a range of software, including the popular Google Chrome web browser.

Wednesday, September 27, 2023 12:09

Cisco Talos disclosed 10 vulnerabilities over the past two weeks affecting a range of software, including the popular Google Chrome web browser.

Attackers could exploit these vulnerabilities to carry out a variety of attacks, in some cases gaining the ability to execute remote code on the targeted machine.

Four of the vulnerabilities included in today’s Vulnerability Roundup that affect the Accusoft ImageGear development toolkit have a CVSS severity score of 9.8 out of a possible 10.

For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website.

**Use-after-free vulnerability in Google Chrome web browser**

TALOS-2023-1751 (CVE-2023-3421) is a use-after-free vulnerability that affects the Google Chrome web browser. An attacker could exploit this vulnerability by tricking the target into visiting a specially crafted HTML web page.

The vulnerability arises when an adversary manipulates a specific function in Chrome to cause an out-of-bounds heap memory access, which could lead to a heap use-after-free or heap overflow.

**Multiple vulnerabilities in Accusoft ImageGear**

Talos researchers recently discovered eight vulnerabilities in Accusoft ImageGear, a document-imaging developer toolkit that allows users to convert, edit and create images.

Three of the vulnerabilities — TALOS-2023-1802 (CVE-2023-32653), TALOS-2023-1830 (CVE-2023-39453) and TALOS-2023-1760 (CVE-2023-35002) are heap-based buffer overflow vulnerabilities that could allow an attacker to execute arbitrary code on the targeted machine. Another issue, TALOS-2023-1836 (CVE-2023-40163), also has a critical severity score of 9.8 out of 10, but in this case, a specially crafted file could lead to memory corruption.

TALOS-2023-1729 (CVE-2023-23567) can also lead to arbitrary code execution, though this vulnerability is considered less severe. An attacker could also exploit this vulnerability by supplying the target with a malformed file.

There are three other vulnerabilities Talos discovered in this software that could cause a heap-based buffer overflow condition or memory corruption if the attacker sends a specially crafted file to the target.

*   TALOS-2023-1750 (CVE-2023-32284)
*   TALOS-2023-1742 (CVE-2023-28393)
*   TALOS-2023-1749 (CVE-2023-32614)

Hancom Office is one of the most popular software packages in South Korea, offering word processing and other services similar to Microsoft Office 365.

Talos discovered a use-after-free vulnerability in HWord, the package’s word processing software. TALOS-2023-1759 (CVE-2023-32541) can be manipulated in a way that will eventually allow the attacker to execute arbitrary code if they trick the target into opening a specially crafted, malicious .doc file.

10 new vulnerabilities disclosed by Talos, including use-after-free issue in Google Chrome

Service inspectors are an evolution of Snort 2's preprocessors, providing access to additional built-in rules that look for protocol-level abnormalities.

ICS protocol coverage using Snort 3 service inspectors

It reads as if ALPHV really wants to come across as the “good guys” in this case, but I’m not sure who outside of dark web circles would be willing to feel sorry for them.

Thursday, September 21, 2023 14:09

Welcome to this week’s edition of the Threat Source newsletter.

As a former reporter, I’ve seen my fair share of press releases. But one from a threat actor was definitely a new one for me last week.

ALPHV (aka BlackCat) publicly took credit for a massive cyber attack against MGM, a resort, gambling and sports betting company best known for its massive casinos. The attack took down slot machines, guest reservation systems, and more belonging to MGM, and the company is still feeling the effects as of Tuesday.

And despite every major news outlet reporting on the incident, the actor wanted to take messaging into its own hands and “clarify” what happened exactly. Attackers have occasionally posted updates and pseudo-press releases in the past, but this particular press release on ALPHV’s leak site (don’t worry I didn’t actually link to their site) was peak unintentional comedy to me.

For starters, the actor blamed MGM for not using their official communication channels to contact them to start negotiating a ransom payment:

“As they were not responding to our emails with the special link provided (In order to prevent other IT Personnel from reading the chats) we could not actively identify if the user in the victim chat was authorized by MGM Leadership to be present,” the statement reads.

They also said that, hypothetically, if personally identifiable information \*had\* been stolen, they would allow the website Have I Been Pwned? to responsibly disclose this information, even though they stopped short of saying they stole PII.

Lastly, they took a victory lap by saying several news outlets had reported false information, claimed attribution too early, or made ALPHV seem too basic of a threat actor because the tactics, techniques and procedures “used by the people they blame for the attacks are known to the public and are relatively easy for anyone to imitate.”

The entire statement reads as someone who thinks they’ve done nothing wrong, and certainly written to intimate that the situation could have gone much more smoothly had MGM just reached out to the threat actor early on through what is deemed as the appropriate channels and negotiated early.

So, it makes me wonder what ALPHV thinks they’re gaining from all this? Part of me wonders if they were upset that public reporting had connected the attack to a group called “'Scattered Spider” and they wanted to make sure everyone knew who deserved the credit. Or it could have been that they wanted to turn up the heat on MGM representatives and apply public pressure to hopefully get them to communicate and settle on a ransom payment.

It reads as if ALPHV really wants to come across as the “good guys” in this case, but I’m not sure who outside of dark web circles would be willing to feel sorry for them.

**The one big thing**

Talos researchers recently discovered a new malware family we’re calling “HTTPSnoop” being deployed against telecommunications providers in the Middle East. HTTPSnoop is a simple, yet effective, backdoor that consists of novel techniques to interface with Windows HTTP kernel drivers and devices to listen to incoming requests for specific HTTP(S) URLs and execute that content on the infected endpoint. We also discovered a sister implant to “HTTPSnoop” we’re naming “PipeSnoop,” which can accept arbitrary shellcode from a named pipe and execute it on the infected endpoint. All these new tools are linked to a group we’re calling “ShroudedSnooper.”

**Why do I care?**

This activity is a continuation of a trend we have been monitoring over the last several years in which sophisticated actors are frequently targeting the telecommunications sector. This sector was consistently a top-targeted industry vertical in 2022, according to Cisco Talos Incident Response data. However, since this is a new, relatively unknown group, we can’t be certain that they’ll only stick to targeting this particular field. The various malware at their disposal can leave a backdoor on infected machines for future attacks and malware installations and execute arbitrary shellcode on the infected endpoint.

**So now what?**

We found specific URL patterns that make it look like the infected system being contacted is a server hosting Microsoft’s Exchange Web Services (EWS) API. The URLs consisted of “ews” and “autodiscover” keywords over Ports 443 and 444. The blog post has a list of these patterns so potentially affected targets can scan to see if they're infected. There is also a host of detection content available for Cisco Secure products.

**Top security headlines of the week**

**Apple released long-awaited updates to its “Lockdown Mode” with iOS 17 this week, its answer to a recent global uptick in spyware attacks.** Lockdown Mode now also works on Apple Watches, in addition to iPhones and iPads, which is notable because threat actors have increasingly started targeting Apple Watches with spyware. New features also remove geolocation information from photos when Lockdown Mode is enabled and automatically block insecure Wi-Fi networks. Apple and other cellphone manufacturers are working on addressing the use of cell site simulators, also known as “stingrays.” These fake cell base stations track phone locations and spy on calls and messages after a device connects to it. Google also announced new features earlier this year that ensure their devices’ communications are always encrypted when connecting to cell towers. (TechCrunch, Electronic Frontier Foundation)

**The U.S. Cybersecurity and Infrastructure Security Agency announced a new program offering free security scans to public water utilities and other critical infrastructure.** CISA is offering to run specialized scanners to identify a facility’s vulnerabilities and any weak configurations on internet-exposed endpoints. Then, they generate a report of any flaws or vulnerabilities found and send the plant a list of recommendations and offers for further scans to determine if the potential target has taken the appropriate steps to solve the issues. A brochure for the new program promises a “significant reduction in identified vulnerabilities in the first few months of scanning for newly enrolled water utilities.” (StateScoop, CISA)

**China’s government has accused the U.S. of a campaign to infiltrate servers belonging to tech company Huawei to conduct cyber attacks and steal information,** potentially as far back as 2009. China's Ministry of State Security on Wednesday outlined the accusations in a post on its WeChat account Wednesday. "In 2009, the Office of Tailored Access Operations started to infiltrate servers at Huawei's headquarters and continued conducting such surveillance operations," the post reads. China and the U.S. have continually launched accusations of spying on one another this year as tensions between the two nations rise. China also accused the U.S. National Security Agency of installing a backdoor tool that "runs secretly on thousands of network devices in many countries around the world” meant to steal data from other governments, including China and Russia. (Nikkei Asia, The Register)

**Can’t get enough Talos?**

*   New threat actor targets Middle Eastern telcos
*   How Cisco Talos IR helped a healthcare company quickly resolve a Qakbot attack
*   Middle East telcos targeted by new malware with suspected nation-state backing
*   APJC Monthly Talos Update

**Upcoming events where you can find Talos**

**LABScon** **(Sept. 20 - 23)**

Scottsdale, Arizona

> _Vitor Ventura gives a presentation that’s a detailed account and timeline of one such mercenary organization, from almost bankrupt to having a fully working spyware targeting iOS and Android with one-click zero-day exploit._

**Grace Hopper Celebration** **(Sept. 26 - 29)**

Orlando, Florida

> _Caitlin Huey, Susan Paskey and Alexis Merritt present a "Level Up Lab" titled "Don’t Fail Knowledge Checks: Accelerating Incident Response with Threat Intelligence." Participate in several fast-paced activities that emphasize the importance of threat intelligence in security incident investigations. Attendees will act as incident responders investigating a simulated incident that unfolds throughout this session. Periodic checkpoints will include discussions that highlight how incident response and threat intelligence complement each other during an active security investigation._

**ATT&CKcon 4.0** **(Oct. 24 - 25)**

McLean, Virginia

> _Nicole Hoffman and James Nutland discuss the MIRE ATT&CK framework in “One Leg to Stand on: Adventures in Adversary Tracking with ATT&CK.” Even though ATT&CK has become an industry standard for cyber threat intelligence reporting, all too often, techniques are thrown at the bottoms of reports and blogs without any context never to be seen again after dissemination. This is not useful for intelligence producers or consumers. In this presentation, Nicole and James will show analysts how to use ATT&CK as a guideline for creating a contextual knowledge base for adversary tracking._

**Most prevalent malware files from Talos telemetry over the past week**

**SHA 256:** 7f66d4580871e3ee6a35c8fef6da7ab26a93ba36b80279625328aaf184435efa  
**MD5:** e9a6b1346d1a2447cabb980f3cc5dd27  
**Typical Filename:** профиль 10 класс.exe  
**Claimed Product:** N/A  
**Detection Name:** Application\_Blocker

**SHA 256:** e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934  
**MD5:** 93fefc3e88ffb78abb36365fa5cf857c  
**Typical Filename:** Wextract  
**Claimed Product:** Internet Explorer  
**Detection Name:** PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg

**SHA 256:** bea312ccbc8a912d4322b45ea64d69bb3add4d818fd1eb7723260b11d76a138a  
**MD5:** 200206279107f4a2bb1832e3fcd7d64c  
**Typical Filename:** lsgkozfm.bat  
**Claimed Product:** N/A  
**Detection Name:** Win.Dropper.Scar::tpd

**SHA 256:** e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c  
**MD5:** a087b2e6ec57b08c0d0750c60f96a74c  
**Typical Filename:** AAct.exe  
**Claimed Product:** N/A  
**Detection Name:** PUA.Win.Tool.Kmsauto::1201

**SHA 256:** 0e2263d4f239a5c39960ffa6b6b688faa7fc3075e130fe0d4599d5b95ef20647  
**MD5:** bbcf7a68f4164a9f5f5cb2d9f30d9790  
**Typical Filename:** bbcf7a68f4164a9f5f5cb2d9f30d9790.vir  
**Claimed Product:** N/A  
**Detection Name:** Win.Dropper.Scar::1201

What’s the point of press releases from threat actors?

Cisco Talos has discovered a new intrusion set we're calling "ShroudedSnooper" consisting of two new implants "HTTPSnoop" and "PipeSnoop" targeting telecommunications firms in the middle-east.

Tuesday, September 19, 2023 08:09

*   Cisco Talos recently discovered a new malware family we’re calling “HTTPSnoop” being deployed against telecommunications providers in the Middle East.
*   HTTPSnoop is a simple, yet effective, backdoor that consists of novel techniques to interface with Windows HTTP kernel drivers and devices to listen to incoming requests for specific HTTP(S) URLs and execute that content on the infected endpoint.
*   We also discovered a sister implant to “HTTPSnoop” we’re naming “PipeSnoop,” which can accept arbitrary shellcode from a named pipe and execute it on the infected endpoint.
*   We identified DLL- and EXE-based versions of the implants that masquerade as legitimate security software components, specifically extended detection and response (XDR) agents, making them difficult to detect.
*   We assess with high confidence that both implants belong to a new intrusion set we’re calling “ShroudedSnooper.” Based on the HTTP URL patterns used in the implants, such as those mimicking Microsoft’s Exchange Web Services (EWS) platform, we assess that this threat actor likely exploits internet-facing servers and deploys HTTPSnoop to gain initial access.
*   This activity is a continuation of a trend we have been monitoring over the last several years in which sophisticated actors are frequently targeting telecoms. This sector was consistently a top-targeted industry vertical in 2022, according to Cisco Talos Incident Response data.

**ShroudedSnooper activity highlights latest threat to telecommunications entities**

This specific cluster of implants involving HTTPSnoop and PipeSnoop and associated tactics, techniques, and procedures (TTPs) do not match a known group that Talos tracks. We are therefore attributing this activity to a distinct intrusion set we’re calling “ShroudedSnooper.”

In recent years, there have been many instances of state-sponsored actors and sophisticated adversaries targeting telecommunications organizations around the world. In 2022, this sector was consistently a top-targeted vertical in Talos IR engagements. Telecommunications companies typically control a vast number of critical infrastructure assets, making them high-priority targets for adversaries looking to cause significant impact. These entities often form the backbone of national satellite, internet and telephone networks upon which most private and government services rely. Furthermore, telecommunications companies can serve as a gateway for adversaries to access other businesses, subscribers or third-party providers.

Our IR findings are consistent with reports from other cybersecurity firms outlining various attack campaigns targeting telecommunications companies globally. In 2021, CrowdStrike disclosed a years-long campaign by the LightBasin (UNC1945) advanced persistent threat (APT) targeting 13 telecommunications companies globally using Linux-based implants to maintain long-term access in compromised networks. That same year, McAfee discovered activity targeting telecommunication firms in Europe, the U.S. and Asia dubbed “Operation Diànxùn” linked to the Chinese APT group MustangPanada (RedDelta). This campaign heavily relied on the PlugX malware implant. Also in 2021, Recorded Future reported that four distinct Chinese state-sponsored APT groups were targeting the email servers of a telecommunications firm in Afghanistan, again using the PlugX implant.

The targeting of telecommunications firms in middle-east Asia is also quite prevalent. In January 2021, Clearsky disclosed the “Lebanese Cedar” APT leveraging web shells and the “Explosive” RAT malware family to target telecommunication firms in the U.S., U.K. and middle-east Asia. In a separate campaign, Symantec noted the MuddyWater APT targeting telecommunication organizations in the Middle East, deploying web shells on Exchange Servers to instrument script-based malware and dual-use tools to carry out hands-on-keyboard activity.

**Masquerading as a security component**

We also discovered both HTTPSnoop and PipeSnoop masquerading as components of Palo Alto Networks’ Cortex XDR application. The malware executable is named “CyveraConsole.exe,” which is the application that contains the Cortex XDR agent for Windows. The variants of both HTTPSnoop and PipeSnoop we discovered had their compile timestamps tampered with but masqueraded as XDR agent from version 7.8.0.64264. Cortex XDR v7.8 was released on Aug. 7, 2022, and decommissioned on April 24, 2023. Therefore, it is likely that the threat actors operated this cluster of implants during the aforementioned timeframe. For example, one of the “CyveraConsole.exe” implants was compiled on Nov. 16, 2022, falling approximately in the middle of this time window of the life of Cortex XDR v7.8.

Version information of HTTPSnoop sample with fake Cortex XDR information.

**A primer on HTTPSnoop**

HTTPSnoop is a simple, yet effective, new backdoor that uses low-level Windows APIs to interact directly with the HTTP device on the system. It leverages this capability to bind to specific HTTP(S) URL patterns to the endpoint to listen for incoming requests. Any incoming requests for the specified URLs are picked up by the implant, which then proceeds to decode the data accompanying the HTTP request. The decoded HTTP data is, in fact, shellcode that is then executed on the infected endpoint.

HTTPSnoop consists of the same code across all observed variants, with the key difference in samples being the URL patterns that it listens for. So far, we have discovered three variations in the configuration:

*   Generic HTTP URL-based: Listens for generic HTTP URLs specified by the implant.
*   EWS-related URLs listener: Listen for URLs that mimic Microsoft’s Exchange Web Services (EWS) API.
*   OfficeCore’s Location Based Services (LBS)-related URL listener: Listens for URLs that mimic OfficeCore’s LBS/OfficeTrack and telephony applications.

**HTTPSnoop variants**

The DLL-based variants of HTTPSnoop usually rely on DLL hijacking in benign applications and services to get activated on the infected system. The attackers initially crafted the first variant of the implant on April 17, 2023, so that it could bind to specific HTTP URLs on the endpoint to listen for incoming shellcode payloads that are then executed on the infected endpoint. These HTTP URLs resemble those of Microsoft’s Exchange Web Services (EWS) API, a product that enables applications to access mailbox items.

A second variant, generated on April 19, 2023, is nearly identical to the initial version of HTTPSnoop from April 17. The only difference is that this second variant is configured to listen to a different set of HTTP URLs on Ports 80 and 443 exclusively, indicating that the attackers may have intended to focus on a separate non-EWS internet-exposed web server.

The attackers then built a third variant that consisted of a killswitch URL and one other URL that the implant listens to. This implant was crafted on April 29, 2023. This version of the implant was likely an effort to minimize the number of URLs that the implant listens to, to reduce the likelihood of detection.

**HTTPSnoop analysis**

The DLL analyzed simply consists of two key components:

*   Encoded Stage 2 shellcode.
*   Encoded Stage 2 configuration.

The malicious DLL on activation will XOR decode the Stage 2 configuration and shellcode and run it.

Single byte XOR routine to decode Stage components.

**Stage 2 analysis**

Stage 2 is a single-byte XOR’ed backdoor shellcode that uses the accompanying configuration data to listen for incoming shellcode to execute on the infected endpoint. As part of Stage 2, the sample proceeds to make numerous calls to kernel devices in order to set up a web server endpoint for its backdoor. The implant opens a handle to “\\Device\\Http\\Communication” and calls the HTTP driver API “http.sys!UlCreateServerSession” with IOCTL code 0x1280000to initialize the connection to the HTTP server. The sample continues by creating a new URL group using http.sys!UlCreateUrlGroup with IOCTL code 0x128010 opens a request queue device “\\Device\\Http\\ReqQueue” and sets the new URL group for the session using http.sys!UlSetUrlGroupwith IOCTL code 0x12801d.  

Using the decrypted configuration the sample begins to feed the URLs to the HTTP server via http.sys!UlAddUrlToUrlGroup with IOCTL code l 0x128020. This binds the specified  URL patterns to a listenable endpoint for the malware to communicate. The implant takes care to _not_ overwrite already existing URL patterns being serviced by the HTTP server, to coexist with previous configurations on the server, such as EWS and prevent URL listener collisions.

With the URLs bound to listen on the kernel’s web server, the malware proceeds to listen in a loop for incoming HTTP requests, carried out via http.sys!UlReceiveHttpRequest. If the headers from the HTTP request contain a configured keyword, in this particular sample’s case, “api\_delete”, the listening loop for the infection will terminate. Once a request comes in, it creates a new thread and calls http.sys!UlReceiveEntityBody with IOCTL codes 0x12403b, or 0x12403a when running Windows Server 2022 version 21H2, to receive the full message body from the implant operator. If the request has valid data, the sample proceeds to process the request or else returns an HTTP 302 Found redirect response to the requester.

Valid data comes in the form of a base64-encoded request body. Upon decoding, it proceeds to use the first byte of data to single-byte XOR-decode the rest of the data. Once decrypted, a simple data structure is unveiled. The payload received from the operator is an arbitrary shellcode payload. The execution metadata consists of an uninitialized pointer and size, plus the size of the metadata structure, which is a constant 0x18. These uninitialized pointers are initialized by the execution of the shellcode, used to pass back data to the implant to eventually send back to the operator as a response to the HTTP request.

Payload structure from C2.

The ultimate result of the execution of the arbitrary shellcode is returned to the requester (operator) in the form of a base64-encoded XOR-encoded blob. The first byte of the response is a random letter from the ASCII table, which is used to XOR the rest of the response. With this, the malware sends back a 200 OK response with the encoded execution result in its body via http.sys!UlSendHttpResponsewith IOCTL code  0x12403f.

**Introducing PipeSnoop**

The PipeSnoop implant, created in May 2023, is a simple implant that can run arbitrary shellcode payloads on the infected endpoint by reading from an IPC pipe. Although semantically similar, the PipeSnoop implant should not be considered an upgrade of HTTPSnoop. Both implants are likely designed to work under different environments. The HTTP URLs used by HTTPSnoop along with the binding to the built-in Windows web server indicate that it was likely designed to work on internet-exposed web and EWS servers. PipeSnoop, however, as the name may imply, reads and writes to and from a Windows IPC pipe for its input/output (I/O) capabilities This suggests the implant is likely designed to function further within a compromised enterprise--instead of public-facing servers like HTTPSnoop — and probably is intended for use against endpoints the malware operators deem more valuable or high-priority. PipeSnoop is likely used in conjunction with another component that is capable of feeding it the required shellcode. (This second component is currently unknown.)

**PipeSnoop analysis**

PipeSnoop is a simple backdoor that, much like HTTPSnoop, aims to act as a backdoor executing arbitrary shellcode on the infected endpoint. In contrast to HTTPSnoop however, PipeSnoop does not rely on initiating and listening for incoming connections via an HTTP server. As indicated by the name, PipeSnoop will simply attempt to connect to a pre-existing named pipe on the system. Named pipes are a common means of Inter-Process Communication (IPC) on the Windows operating system. The key requirement here is that the named pipe that PipeSnoop connects to should have been already created/established - PipeSnoop does not attempt to create the pipe, it simply tries to connect to it. This capability indicates that PipeSnoop cannot function as a standalone implant (unlike HTTPSnoop) on the endpoint. It needs a second component, that acts as a server that will obtain arbitrary shellcode via some methods and will then feed the shellcode to PipeSnoop via the named pipe.

Implant connecting to a named pipe to obtain arbitrary shellcode.

**Masquerading as benign traffic on the wire**

We’ve observed HTTPSnoop listening for URL patterns that make it look like the infected system being contacted is a server hosting Microsoft’s Exchange Web Services (EWS) API. The URLs consisted of “ews” and “autodiscover” keywords over Ports 443 and 444:

Some of the HTTPSnoop implants use HTTP URLs that masquerade as those belonging to OfficeTrack, an application developed by software company OfficeCore that helps users manage different administrative tasks. In several instances, we see URLs ending in “lbs” and “LbsAdmin,” references to the application’s earlier name (OfficeCore’s LBS System) before it was later rebranded as OfficeTrack. OfficeTrack is currently marketed as a workforce management solution geared toward providing coverage for logistics, order orchestration and equipment control. OfficeTrack is especially marketed towards telecommunication firms_._ Some of the LBS URLs used by HTTPSnoop are:

The HTTP URLs also consist of patterns mimicking provisioning services from an Israeli telecommunications company. This telco may have used OfficeTrack in the past and/or currently uses this application, based on open-source findings.

Some of the URLs in the HTTPSnoop implant are also related to those of systems from the telecommunications firm:

**Coverage**

Ways our customers can detect and block this threat are listed below.

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.

Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.

_**Note**: We have shared our findings with both Microsoft and Palo Alto Networks for this threat and intrusion set._

ClamAV detections are available for this threat:  
Win.Trojan.WCFBackdoor

**Indicators of Compromise (IOCs)**

Indicators of Compromise associated with this threat can be found here.

New ShroudedSnooper actor targets telecommunications firms in the Middle East with Novel Implants

With the popularity of pay-for-shoutout services like Cameo, it’d be fairly easy for someone to develop a convincing enough deepfake of a player and try to steal someone’s money by saying they could prank their fantasy football league for $50.

Thursday, September 14, 2023 14:09

Welcome to this week’s edition of the Threat Source newsletter.

I’m at the point in the calendar year where I’m a sponge for NFL content. I couldn’t be happier to escape from my six-month American football-free slumber and am ready to watch games three days a week and listen to NFL podcasts or read power rankings the other four.

So of course, I wasn’t going to miss this feature in Dark Reading from the NFL’s chief information security officer, which just happens to include several shoutouts to Talos and Cisco. Talos is a valuable security partner with the NFL, helping secure their major events like the NFL Draft and Super Bowl, the most-watched entertainment event in the U.S. every year.

One of the things that Tomás Maldonado said in the Dark Reading interview really stood out to me — that he’s worried about deepfakes of NFL players being used in scams. Deepfakes have been making the rounds for years in scams of celebrities and politicians seeming to ask for various things (often money), and Maldonado said he’s worried that attackers could start using the likenesses of popular NFL players for scams and spam.

I actually hadn’t realized that deepfakes had already been around in the NFL sphere for a while, though.

In an ESPN “30 for 30” documentary in 2021, the creators used deepfake, AI voices for former Raiders owner Al Davis and former commissioner Pete Rozelle, who both died many years before the creation of this documentary. Public reception was mixed, at best.

The league’s Dallas Cowboys are also jumping on the AI train and created a hologram, AI-powered version of team owner Jerry Jones. Fans can pay $55 to take a tour of the Cowboys’ AT&T Stadium and ask the AI version of Jones questions (as a Browns fan, I mainly would just like to thank him for only asking for a fifth-round pick in exchange for receiver Amari Cooper).

Bad actors have shown they will literally use any and all forms of deepfakes to try and trick users. So it’s not hard to see where Maldonado is coming from with his concerns.

With the popularity of pay-for-shoutout services like Cameo, it’d be fairly easy for someone to develop a convincing enough deepfake of a player and try to steal someone’s money by saying they could prank their fantasy football league for $50. This just isn’t a particular attack vector I had considered before — I always assumed deepfakes were reserved for political leaders or some of the highest-profile people in the world.

And while I couldn’t find any current examples of where this is actively happening in the wild, it’s not a crazy jump to think that if ESPN can create a convincing AI version of Al Davis that someone else can’t make an AI voice that sounds just like Aaron Rodgers asking for money or a fake Russell Wilson pushing season ticket “deals.”

**The one big thing**

Microsoft disclosed two zero-day vulnerabilities as part of this monthly security update on Tuesday, one of which already has proof-of-concept code floating around in the wild. There are five other critical vulnerabilities included in September’s Patch Tuesday, which is relatively low for a traditional Microsoft security release, and 56 vulnerabilities the company considers “important.”

**Why do I care?**

One of the vulnerabilities adversaries are already exploiting in the wild is CVE-2023-36802, an elevation of privilege vulnerability in Microsoft Streaming Service, a corporate video sharing platform integrated into SharePoint and Office 365. An adversary who successfully exploits this vulnerability can gain SYSTEM privileges. Additionally, CVE-2023-36761 has already been exploited in the wild and proof of concept code is publicly available. Although it is not clear how exactly an attacker could exploit this vulnerability in Microsoft Word, Microsoft states that the Preview Pane is also a potential attack vector in this case. If successful, an adversary could view NTLM hashes. Microsoft’s warnings about these vulnerabilities indicate attackers are already exploiting these issues in the wild, even prior to Tuesday’s patch, so all users should be sure to patch these ASAP.

**So now what?**

Microsoft’s security update guide has all the patches users need to install, which everyone should do now if they haven’t already. Talos’ Patch Tuesday blog also outlines several Snort rules we released to detect the exploitation of some of these vulnerabilities.

**Top security headlines of the week**

**Apple released a series of security updates over the past week that users of all the companies’ mobile devices are encouraged to install as soon as possible.** A security update on Sept. 7 warned that users needed to update to iOS 16.6.1 or iPadOS 16.6.1 right away to fix security updates that attackers were actively exploiting in the wild. In some cases, these exploits led to the installation of spyware on targeted devices. Apple said in an advisory that, “Processing a maliciously crafted image may lead to arbitrary code execution.” The company followed that up with another security update on Monday for older models of iPhones, iPads, Macs and other Apple devices that "provides important security fixes,” likely the same vulnerabilities. Apple was scheduled to announce its newest iPhone and Apple Watch at an event Wednesday. (USA Today, CNET)

**The U.S. and U.K. have sanctioned more alleged members of the Trickbot cybercrime ring.** Law enforcement officials in both countries announced sanctions against 11 individuals they claim are “involved in management and procurement for the Trickbot group.” Trickbot is known for targeting large businesses and organizations with ransomware and has alleged ties to the Russian government. Seven of the people listed are also charged with working with the Conti ransomware group, which broke up at the end of 2022. These people are alleged "administrators, managers, developers, and coders” for Conti. The U.K.’s National Crime Agency reported that Trickbot attacks have generated an estimated $180 million from victims, $33.6 million of that coming from victims in the U.K. The group’s list of reported victims includes hospitals, schools and government agencies across the globe. (TechCrunch, Dark Reading)

**Security researchers are concerned that adversaries are starting to crack stolen passkeys taken during a data breach at LastPass.** More than 150 people recently affected by cryptocurrency wallet thefts were LastPass users, leading to the equivalent of $35 million in virtual currency being stolen. Many cryptocurrency consumers use security phrases to protect their wallets, and then store that phase in an encrypted folder inside a password manager like LastPass. If an attacker were able to learn that phrase, they could essentially access all the victims’ cryptocurrency holdings tied to that key. LastPass has yet to comment on the researchers’ findings because they said an active law enforcement investigation is still ongoing into the 2022 breach. (Krebs on Security, The Verge)

**Can’t get enough Talos?**

*   Talos Takes Ep. #154: SapphireStealer hits the open internet
*   Researcher Spotlight: You can try to hide your firmware from Kelly Patterson, but she’ll find it (and break it)
*   Eight vulnerabilities in Open Automation Software Platform could lead to information disclosure, improper authentication
*   Cyber-criminals Exploit GPUs in Graphic Design Software

**Upcoming events where you can find Talos**

**LABScon** **(Sept. 20 - 23)**

Scottsdale, Arizona

> _Vitor Ventura gives a presentation that’s a detailed account and timeline of one such mercenary organization, from almost bankrupt to having a fully working spyware targeting iOS and Android with one-click zero-day exploit._

**Grace Hopper Celebration** **(Sept. 26 - 29)**

Orlando, Florida

> _Caitlin Huey, Susan Paskey and Alexis Merritt present a "Level Up Lab" titled "Don’t Fail Knowledge Checks: Accelerating Incident Response with Threat Intelligence." Participate in several fast-paced activities that emphasize the importance of threat intelligence in security incident investigations. Attendees will act as incident responders investigating a simulated incident that unfolds throughout this session. Periodic checkpoints will include discussions that highlight how incident response and threat intelligence complement each other during an active security investigation._

**ATT&CKcon 4.0** **(Oct. 24 - 25)**

McLean, Virginia

> Nicole Hoffman and James Nutland discuss the MIRE ATT&CK framework in “One Leg to Stand on: Adventures in Adversary Tracking with ATT&CK.” Even though ATT&CK has become an industry standard for cyber threat intelligence reporting, all too often, techniques are thrown at the bottoms of reports and blogs without any context never to be seen again after dissemination. This is not useful for intelligence producers or consumers. In this presentation, Nicole and James will show analysts how to use ATT&CK as a guideline for creating a contextual knowledge base for adversary tracking.

**Most prevalent malware files from Talos telemetry over the past week**

**SHA 256:** 0e2263d4f239a5c39960ffa6b6b688faa7fc3075e130fe0d4599d5b95ef20647  
**MD5:** bbcf7a68f4164a9f5f5cb2d9f30d9790  
**Typical Filename:** bbcf7a68f4164a9f5f5cb2d9f30d9790.vir  
**Claimed Product:** N/A  
**Detection Name:** Win.Dropper.Scar::1201

**SHA 256:** d5763a87ec22a583b9dd853e31a9d4cb187d81251ce51099ce3d0f749bbf405a  
**MD5:** 5cedec562076ac629453cc99dd0cdda6  
**Typical Filename:** nYzVlQyRnQmDcXk  
**Claimed Product:** N/A  
**Detection Name:** W32.Auto:d5763a.in03.Talos

**SHA 256:** 4c3c7be970a08dd59e87de24590b938045f14e693a43a83b81ce8531127eb440  
**MD5:** ef6ff172bf3e480f1d633a6c53f7a35e  
**Typical Filename:** iizbpyilb.bat  
**Claimed Product:** N/A  
**Detection Name:** Trojan.Agent.DDOH

**SHA 256:** d5219579eec1819d52761730a72ce7a95ee3f598fcfd9a4b86d1010ea103e827  
**MD5:** bf357485cf123a72a46cc896a5c4b62d  
**Typical Filename:** bf357485cf123a72a46cc896a5c4b62d.virus  
**Claimed Product:** N/A  
**Detection Name:** W32.Auto:d5219579ee.in03.Talos

**SHA 256:** a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91  
**MD5:** 7bdbd180c081fa63ca94f9c22c457376  
**Typical Filename:** c0dwjdi6a.dll  
**Claimed Product:** N/A  
**Detection Name:** Trojan.GenericKD.33515991

Turns out even the NFL is worried about deepfakes

A healthcare company recently detected a potential Qakbot infection early, and with the help of the Talos IR team, evicted the threat actor from their network quickly before any harm could come to the organization or its customers.

Thursday, September 14, 2023 08:09

**Partnership and proactive measures reduce resolution time from weeks to mere hours.**

Healthcare is one of the most popular targets for threat actors, as evidenced by the fact that it was the most-targeted sector in each of Cisco Talos Incident Response’s past two Quarterly Trends Reports.

But if these organizations are ready for when, not if, an incident occurs, they can avoid the worst-case scenario of potentially losing money, risking patient safety, or dealing with technology downtime.

Veradigm is a healthcare technology company that drives value through its unique combination of platforms, data, expertise, connectivity, and scale. The Veradigm Network features a dynamic community of solutions and partners providing advanced insights, technology, and data-driven solutions, all working together to transform healthcare insightfully. Veradigm recently detected an intrusion and potential information-stealing attack before bad actors could execute their plan.

Thanks to the Cisco Talos Incident Response Retainer service, Veradigm detected a potential Qakbot infection early, and with the help of the Cisco Talos Incident Response (Talos IR) team, evicted the threat actor from their network quickly before any harm could come to the organization or its customers.

Veradigm has partnered with Cisco for technology and services for years, with the ongoing goal of making Veradigm’s systems and network more resilient – the ability to protect every aspect of their business, withstand unpredictable threats or changes, and emerge stronger.

A few months ago, their team acted quickly when they noticed a potential security incident in a development environment and immediately reached out to Talos IR for assistance. The Talos IR team helped them swiftly deal with the attack which included attempts to deploy the modular information-stealer Qakbot.

Veradigm and the Talos IR team worked together to determine that adversaries had attempted to established command & control (C2) via DNS, and although Veradigm had the affected system isolated via Cisco Secure Endpoint with default settings, they found that the DNS traffic was not stopped by default. However, the traffic was blocked by Cisco Umbrella until the team could modify the isolation policy to stop the DNS beaconing.  Veradigm’s ability to prevent C2 highlights the value of their robust defense-in-depth strategy.  The adversary attempted to penetrate the network, but due to the security controls and quick response, could not successfully deploy Qakbot.

This incident was resolved in hours, not days or weeks, because of Talos IR’s established relationship with Veradigm. The Talos IR team shared remediation recommendations to Veradigm to implement in the event threat actors attempted another intrusion. The swift action of the Talos IR team, coupled with the proactive preparation of the Veradigm team, resulted in a faster and more efficient response to the incident.

Dr. Jeremy Maxwell, the CSO at Veradigm touted, “We avoided worst case scenario due to our experience, practices, and relationships … by having the ‘good guys’ from Cisco join with our ‘good guys,’ we can navigate each situation to success.”

This is one of many customer success stories in which Talos IR sees, responds, and helps organizations across the globe fortify their readiness and defense.

The recent Cisco Cybersecurity Readiness Index study found that a mere 15% of organizations globally are deemed to have a mature level of preparedness to handle security risks. Those in the sectors with the most to lose tend to have more companies in the mature state of readiness, including healthcare (18%) and financial services (19%).

Dr. Maxwell said that because of his company’s retainer with Talos IR, he was lucky enough to count his company among those organizations who were ready for a cyber-attack.

“Working in a highly regulated domain, it is important that we establish good relationships with all partners, but incident response in particular,” Maxwell said. “We have been partnering with Cisco Talos IR since 2017, and across that time we have established a solid relationship with the same cast of characters through both proactive and reactive incidents. This has built a special level of trust and efficiency in response when we have those knowledgeable about our unique environment on our side and ready to be there.”

Veradigm chose Cisco Secure solutions based on several factors: the ease of integration with their existing hosting and corporate environment tools, plus being known in the industry as a strong performer. It just made sense, then, to partner with Talos IR for their incident response needs.

> _“With the \[Talos IR\] retainer service we really appreciate established and met Service Level Agreements (SLAs). Plus, the knowledge of Cisco’s IR team on our unique environment, prior incidents, and their intelligence on the latest threats ensure we smoothly navigate, and balance preparation exercises and incidents based on our unique needs. Time to response in our SLA along with the unique knowledge, there isn’t a delay as one would expect. They are ready and we have ‘muscle memory’ from both tabletop scenarios and real-life situations. As a result of being in the highly regulated world of healthcare and with the constant need to consider patient safety, our circumstances can be tense from the start. They know how we need to react based on both exercises and incidents and can navigate smoothly in delicate situations/balances with our unique needs in mind,” Jeremy Maxwell, Veradigm CISO._

Having a trusted partner on Veradigm’s side who knows their environment, popular attacker tactics, techniques, and procedures (TTPs) and is familiar with regulatory obligations of the healthcare sector meant both sides could work together to achieve more. The strong connection is based on a solid foundational relationship grounded in expediency and knowledge, according to Maxwell.

“Cisco knows our structure, they know our IR plans, they know our privilege and information sharing practices, they know our regulatory obligations,” he said after the incident was resolved. “As a result of this unique relationship, we save precious minutes and hours in response time not having to bring them up to speed each time. They are already ready to go with our team side by side, step by step.”

Veradigm takes preparation seriously, not trying to formulate a plan during an active incident, but actively reviewing their IR plan and playbooks regularly. The company has also participated in multiple Talos IR tabletop exercises to stress test its processes and adjust as needed to respond and succeed more quickly.

“Preparation is crucial. During your IR, you cannot formulate a plan on how to respond and react,” Maxwell said. “When something does occur, we do what we planned, we have enabled ourselves to succeed with the IR plan in action. It’s not just theory — it’s practice.”

_In this episode of the Cisco Security Stories podcast, Jeremy Maxwell talks through the incident step by step, and how Veradigm has benefitted from a close relationship with Talos Incident Response over many years._

An additional benefit Veradigm has from the retainer is the sharing of knowledge and experiences to not only apply during an incident but leveraging to boost the expertise of their in-house IR team.

“Another bonus is that due to the size of Cisco, their team is not only our ally, but also a fountain of information with their global network of responses and knowledge across the spectrum. We can leverage that experience and skillset to our advantage,” Maxwell said. “Cisco also brings professional backing and confidence to further expand our team of expertise and process.”

Are you looking to build or further enhance your incident response readiness program? We can help with the Cisco Talos Incident Response Retainer service. Connect with us to learn more:

How Cisco Talos IR helped a healthcare company quickly resolve a Qakbot attack

Microsoft disclosed 65 vulnerabilities across its suite of products and software Tuesday, only five of which are considered critical, which is very low compared to Microsoft’s usual security updates.

Tuesday, September 12, 2023 16:09

Microsoft disclosed 65 vulnerabilities across its suite of products and software Tuesday, only five of which are considered critical, which is very low compared to Microsoft’s usual security updates.

However, there are two issues disclosed and patched this month that have already been exploited in the wild.

Fifty-six of the vulnerabilities included in this month’s Patch Tuesday are considered “important,” according to Microsoft, while two are of “moderate” severity. One remote code execution vulnerability in Microsoft Exchange Server, CVE-2023-36756, was meant to be included in August’s security update but was mistakenly excluded. Users should ensure the August 2023 security update for Exchange is already downloaded to remediate this issue.

One of the vulnerabilities adversaries are already exploiting in the wild is CVE-2023-36802, an elevation of privilege vulnerability in Microsoft Streaming Service, a corporate video sharing platform integrated into SharePoint and Office 365. An adversary who successfully exploits this vulnerability can gain SYSTEM privileges.

Additionally, CVE-2023-36761 has already been exploited in the wild and proof of concept code is publicly available. Although it is not clear how, exactly, an attacker could exploit this vulnerability in Microsoft Word, Microsoft states that the Preview Pane is also a potential attack vector in this case. If successful, an adversary could view NTLM hashes.

Another Word vulnerability included in Tuesday’s security update is CVE-2023-36762, which could lead to arbitrary code execution. An adversary could exploit this issue by tricking a user into opening a specially crafted Word document. It’s common for attackers to use this method and try to trick users into opening the document as an email attachment.

There are also four remote code execution vulnerabilities in Microsoft Visual Studio — CVE-2023-36794, CVE-2023-36796, CVE-2023-36792 and CVE-2023-36793 — that could be triggered if a user opens a specially crafted, weaponized file. This type of attack is particularly notable, as Google’s Threat Analysis Group reported that the high-profile Lazarus Group APT is using this method to target security developers and researchers on social media.

Lastly, we also believe CVE-2023-36745, CVE-2023-36756 and CVE-2023-36744 are worth highlighting. These are remote code execution vulnerabilities in Microsoft Exchange Server, which attackers are known to target as part of a variety of attacks.

A complete list of all the vulnerabilities Microsoft disclosed this month is available on its update page.

In response to these vulnerability disclosures, Talos is releasing a new Snort rule set that detects attempts to exploit some of them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Cisco Secure Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

The rules included in this release that protect against the exploitation of many of these vulnerabilities are 57193, 62385-62388, 62394-62396, 62401, 300687-300688.

Microsoft Patch Tuesday for September 2023 — Unusually low 5 critical vulnerabilities included in Microsoft Patch Tuesday, along with two zero-days

Patterson and her teammates are responsible for helping to disclose and patch more than 200 security vulnerabilities a year, some of which affect devices used in thousands of households around the world.

Monday, September 11, 2023 08:09

**How her work illustrates the difference Talos’ vulnerability research team makes**

When Kelly Patterson first learned how to code by making small programs in her high school class, she preferred breaking her creations to building them.

She’d make a game and then spend double the time debugging that same code, looking for holes in her work.

Today, she’s always looking for what’s wrong with other people’s code, whether that be in a wireless router, IoT speaker, or an open-source software stack that dates back to 1991.

Patterson (né Leuschner) is one of the researchers that make up Talos’ Vulnerability Discovery team, a group of reverse-engineers, penetration testers and general expert coders who look for vulnerabilities in firmware, software and hardware and help the creators fix those issues.

Patterson and her teammates are responsible for helping to disclose and patch more than 200 security vulnerabilities a year, some of which affect devices used in thousands of households around the world, and others that support everything from industrial control systems to critical infrastructure.

Specifically for Patterson, she enjoys looking at hardware and its accompanying firmware. She began her IT career as a systems engineer but quickly found that she was more interested in debugging what she was working on, so she started pursuing projects outside of the office that allowed her to reverse-engineer code and talk about it publicly. This eventually led her to Talos, which was specifically attractive because it allowed her to be a researcher full-time.

“I like to spread the word that these bugs are still out there and we’re finding them, proving that we haven’t ‘solved’ security completely,” Patterson said.

One of her first and most memorable projects at Talos was looking at a series of programmable logic controllers (PLCs) made by WAGO, a German company specializing in automation solutions. She teamed up with other researchers to approach these devices from different angles, trying to dissect what attack surface existed, exactly. By the time their research was public, they had found several critical vulnerabilities in two WAGO PLCs that could allow a remote, unauthenticated attacker to execute arbitrary code on the devices or cause a denial of service by sending specially crafted packets.

Patterson performing with her improv troupe. 

Patterson specifically focused on the cloud-connected portion of the software, which opened her eyes to the attack surface that cloud storage and communication presents.

“That was fun research for me. It helped open my eyes to the fact that the cloud is an attack vector for embedded devices,” she said. “Myself, Carl \[Hurd\] and Patrick \[DeSantis\] split it up and came at it from different angles — it was a great device to research because it was so customizable and had a huge attack surface.”

That research led her to look at more industrial control systems and internet-of-things devices that are virtually always on and talking to the network. Right now she’s examining various open-source software stacks that ICS environments typically use and has multiple fuzzers running to search for potential code vulnerabilities.

As Patterson puts it, not all code bugs are vulnerabilities, but all vulnerabilities are bugs — it’s up to her to determine if a bug could allow a bad actor to carry out any undesirable action. Once she confirms a vulnerability exists, her team reports it to the vendor (all adhering to Cisco’s third-party vulnerability disclosure policy) and works with them to create a patch. Then, she also has to confirm that that patch works and fixes the issue, which isn’t always the case.

“I think a lot of times vendors patch the bugs we find, but I think it provides a way for other developers to look into what kind of bugs they’re hiding and accidentally actually designing and creating into their products. Hopefully, this information helps them so other vendors’ bugs don’t end up in the wild,” she said.

When she starts any research into a particular product, her endgame is usually to gain access to the firmware. Many times, vendors will do everything they can to hide the firmware, so she’ll develop a method to intercept a firmware update or look for ways she can physically access the device’s inner workings to exploit any vulnerabilities that exist there.

“I try to think of things that I know are commonly used and would have a large impact if they were compromised. In the past, that’s been a lot of ICS,” Patterson said. “Or maybe it’s a new architecture or framework that I haven’t worked with before.”

All this research has made Patterson slightly more paranoid than the average user — she always opts for the “dumb” version of any appliance or electronic she brings into her home to limit the number of devices connected to her home network. But she doesn’t balk at using certain IoT devices like home assistants or smart speakers, either, because she trusts certain manufacturers’ internal testing teams who look for vulnerabilities before a product is released.

Though she’s now four-plus years into her career as a vulnerability researcher, Patterson was not always sure she was going to stay on this path.

During the COVID-19 pandemic, she elected to leave her role at Talos to be a stay-at-home mom while her children couldn’t attend school in person.

“I was scared — it was a really tough time,” Patterson said. “And I hadn’t ever been solely responsible for caring for my children all the time. But it ended up being a really good experience.”

Patterson spent about 21 months away from work, during which she questioned whether she wanted to keep at her vulnerability research or look down another IT-related career path. After taking on some personal projects and home and mulling it over, she decided to re-apply for an opening at Talos and re-joined the vulnerability research team in September 2022 part-time.

She currently works a half-time schedule to balance her duties as a mom and her work.

“That was a lot of personal growth for me to figure out a work-life balance, which I never was forced to do before until \[crap\] hit the fan,” Patterson said.

Patterson has several interests outside of work, including rock climbing.

Patterson said her current goals are built around writing and creating new tools she can use to examine firmware and software, she says she often learns more from the process of building those tools than examining the vulnerabilities themselves.

And while she does enjoy breaking apart routers every now and then, she said she views her work creating fuzzers and other tools for examining code as part of the larger vulnerability puzzles her team works on.

"That’s the major benefit of working on a team is that we all have our own specialties,” she said.  “It can feel challenging because you can feel like you get stuck, but that’s where other people come in to make suggestions or push you over the hump.”

You can try to hide your firmware from Kelly Patterson, but she’ll find it (and break it)

Cybercriminals are abusing Advanced Installer, a legitimate Windows tool used for creating software packages, to drop cryptocurrency-mining malware on infected machines, new Cisco Talos research shows.

Thursday, September 7, 2023 14:09

Welcome to this week’s edition of the Threat Source newsletter.

Up until last week, I had never considered the timing of a scam to be important. I’m so used to just swiping away emails or text messages at random times during the day that I’d never considered what would happen if an adversary happened to get me at _just_ the right time.

That’s what happened to my wife last week.

We were on vacation, and I was away for a few hours at lunch with my friends while she and the other spouses stayed back with our children to hang out at the pool for a bit.

She received a text message from an unknown number asking her to confirm a Zelle payment to someone she had never heard of for a not-insignificant amount of money. Not even a minute later, she received a call from the same number from someone claiming to represent our bank asking if the transaction was fraudulent and if could she provide some personal information to verify the transaction or cancel it.

In most cases, she probably would have put them on hold and Googled the number to see if it was legitimate or logged into her online account to view her recent transactions. The problem was this scammer had hit her at the worst possible time. It was right in the middle of a diaper change for our 10-month-old daughter, and she was trying to change our daughter out of a wet bathing suit and stop her from crying because they were just a few minutes away from naptime.

Already in a panic (and not to mention exhausted from the heat at the beach), she answered the phone call and listened to the person on the other line, growing increasingly frustrated and just wanting to end the phone call as quickly as possible so she could return her attention to our daughter while trying to make sure we weren’t legitimately about to be scammed out of money.

Our friends thankfully intervened after she put the phone on speaker, and they all noticed some similar red flags and she ended the conversation before giving away any significant information the scammer didn’t already seem to have.

But it did get me thinking about how the timing and urgency of these scams can make such a difference. I can’t say the same thing wouldn’t have happened to me had I been in the middle of a diaper change and having to worry about something as stressful as money. Or what if they had caught my wife while she was in the car and didn’t have the internet or friends at her disposal?

This timing was purely blind luck on the attacker’s part, but it nonetheless almost worked out for them. I’m not trying to throw my wife under the bus or anything, I just wanted to use this story to illustrate that anyone can be a target of these types of scams at any time, and the scammers don’t care if you have to change a dirty diaper or not.

**The one big thing**

Cybercriminals are abusing Advanced Installer, a legitimate Windows tool used for creating software packages, to drop cryptocurrency-mining malware on infected machines, new Cisco Talos research shows. The campaign, active since late last year, appears to primarily target graphic designers or any other engineers who may rely on 3-D modeling software who speak French. Cybercriminals are likely targeting these users because this type of software requires large GPUs, which also happen to be extremely useful when mining cryptocurrency.

**Why do I care?**

This campaign specifically targets business verticals such as architecture, engineering, construction, manufacturing and entertainment, though anyone using a computer of any type could be a target of a cryptocurrency mining malware. The attackers’ use of Advanced Installer also allows the backdoors used in this campaign to often slip by undetected.

**So now what?**

Cisco Secure Endpoint users can use Orbital Advanced Search to run complex OSqueries to see if their endpoints are infected with this specific threat. And if you’re ever curious about what your GPU is up to, use Task Manager on Windows or Activity Monitor on Mac to check out what your machine’s computing power is going toward. There are also specific Cisco Secure protections available that we outlined in Talos’ blog on this campaign.

**Top security headlines of the week**

With students around the globe going back to school over the past few weeks, **cyber attacks against the education sector are back in the spotlight.** This time of year is often a popular time for attackers to strike against schools, colleges and universities because their systems are under the most stress at the start of a new school year. Private security companies in the U.K. issued public warnings to school leaders that their systems are likely not prepared for a sophisticated threat actor, days after a school in northern London had to delay its start date by six days due to a cyber attack. More than 100,000 people may have also had their personal information stolen as the result of a data breach against Minneapolis’ school district, with the Medusa ransomware group claiming it was behind the attack. Although the intrusion took place in February, the district last week sent home letters to students and parents describing the results of an investigation into the breach. (The Record by Recorded Future, Yahoo! News, BBC)

The FBI announced last week that it **successfully dismantled the infamous Qakbot botnet.** Known as “Operation: Duck Hunt,” the takedown involved the FBI deploying an in-house uninstaller tool to Qakbot-infected devices. International law enforcement also seized Qakbot infrastructure located in the U.S. and across Europe. In the announcement of the takedown, U.S. officials blamed Qakbot for more than 40 ransomware attacks over the past 18 months, generating $58 million in ransom payments. Authorities also seized millions of dollars’ worth of cryptocurrency from Qakbot, which they are working to return to the original owners. However, security researchers are warning that the operation likely won’t be gone forever, as the operators and creators of Qakbot apparently still remain at large, and these types of botnets typically find ways to be reborn after takedowns. (BankInfoSecurity, TechCrunch)

**Researchers and reporters at “Wired” have unmasked one of the leaders of the Trickbot threat actor.** A 41-year-old is allegedly behind the online monikers “Bentley” and “Manuel” who are known as being the creators of Trickbot. The investigation also uncovered potential connections between Trickbot and the Russian government and other cybercriminal games. Thousands of messages in a Trickbot group message were leaked last year, which included sensitive information researchers have been able to use to unmask some of the group’s operations. A single CEO-like figure also appears to be at the helm of Trickbot and the Conti ransomware gang, receiving daily updates on the groups’ operations, the messages show. (Wired, NISOS)

**Can’t get enough Talos?**

*   Talos Takes Ep. #153: You're never going to believe this, but Lazarus Group is back again
*   Vulnerability Roundup: Eight vulnerabilities in Open Automation Software Platform could lead to information disclosure, improper authentication
*   Hackers modify open-source ‘SapphireStealer’ malware, leading to multiple variants
*   Cisco Talos Research: New Lazarus Group Attack Malware Campaign Hits UK & US Businesses
*   Healthcare remains the top target of hackers, reports Cisco

**Upcoming events where you can find Talos**

**LABScon** **(Sept. 20 - 23)**

Scottsdale, Arizona

> Vitor Ventura gives a presentation that’s a detailed account and timeline of one such mercenary organization, from almost bankrupt to having a fully working spyware targeting iOS and Android with one-click zero-day exploit.

**Grace Hopper Celebration** **(Sept. 26 - 29)**

Orlando, Florida

> Caitlin Huey, Susan Paskey and Alexis Merritt present a "Level Up Lab" titled "Don’t Fail Knowledge Checks: Accelerating Incident Response with Threat Intelligence." Participate in several fast-paced activities that emphasize the importance of threat intelligence in security incident investigations. Attendees will act as incident responders investigating a simulated incident that unfolds throughout this session. Periodic checkpoints will include discussions that highlight how incident response and threat intelligence complement each other during an active security investigation.

**ATT&CKcon 4.0** **(Oct. 24 - 25)**

McLean, Virginia

> Nicole Hoffman and James Nutland discuss the MIRE ATT&CK framework in “One Leg to Stand on: Adventures in Adversary Tracking with ATT&CK.” Even though ATT&CK has become an industry standard for cyber threat intelligence reporting, all too often, techniques are thrown at the bottoms of reports and blogs without any context never to be seen again after dissemination. This is not useful for intelligence producers or consumers. In this presentation, Nicole and James will show analysts how to use ATT&CK as a guideline for creating a contextual knowledge base for adversary tracking.

**Most prevalent malware files from Talos telemetry over the past week**

**SHA 256:** d5219579eec1819d52761730a72ce7a95ee3f598fcfd9a4b86d1010ea103e827  
**MD5:** bf357485cf123a72a46cc896a5c4b62d  
**Typical Filename:** bf357485cf123a72a46cc896a5c4b62d.virus  
**Claimed Product:** N/A  
**Detection Name:** W32.Auto:d5219579ee.in03.Talos

**SHA 256:** 1fa0222e5ae2b891fa9c2dad1f63a9b26901d825dc6d6b9dcc6258a985f4f9ab  
**MD5:** 4c648967aeac81b18b53a3cb357120f4  
**Typical Filename:** iptjqbjtb.exe  
**Claimed Product:** N/A  
**Detection Name:** Win.Dropper.Scar::1201

**SHA 256:** 975517668a3fe020f1dbb1caafde7180fd9216dcbf0ea147675ec287287f86aa  
**MD5:** 9403425a34e0c78a919681a09e5c16da  
**Typical Filename:** vincpsarzh.exe  
**Claimed Product:** N/A  
**Detection Name:** Win.Dropper.Scar::tpd

**SHA 256:** a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91  
**MD5:** 7bdbd180c081fa63ca94f9c22c457376  
**Typical Filename:** c0dwjdi6a.dll  
**Claimed Product:** N/A  
**Detection Name:** Trojan.GenericKD.33515991

**SHA 256:** 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
**MD5:** 2915b3f8b703eb744fc54c81f4a9c67f  
**Typical Filename:** VID001.exe  
**Claimed Product:** N/A  
**Detection Name:** Win.Worm.Coinminer::1201