Many organizations are curious about the idea of threat hunting, but what does this really entail? In this video, four experienced security professionals from across Cisco recently sat down to discuss the basics of threat hunting, and how to go about searching for the unknown.

Tuesday, November 28, 2023 08:00

Many organizations are curious about the idea of threat hunting, but what does this really entail?  

What should you be hunting for? And what do you need to put in place to threat hunt properly? 

Four experienced security professionals from across Cisco recently sat down to discuss the basics of threat hunting, and how to go about “searching for the unknown.” In this video, we cover: 

*   The core principles of threat hunting. 
*   What are attackers looking for? And therefore, what should defenders be putting in place? 
*   Stories and experiences of threat hunting. 
*   How to approach failure.  

Talos Incident Response can help organizations review specific areas of your network and its systems for indicators of potential compromise. Threat hunting is hypothesis-driven and backed by the most current threat intelligence available from Talos. 

If you are interested in how Talos Incident Response can help you with your threat hunting goals, or even help you plan a compromise assessment, take a look at the various services our team can help you with.

What is threat hunting?

Adobe recently patched two use-after-free vulnerabilities in its Acrobat PDF reader that Talos discovered, both of which could lead to arbitrary code execution.

Wednesday, November 22, 2023 12:00

Cisco Talos’ Vulnerability Research team recently worked with Adobe and Microsoft to patch multiple vulnerabilities in the Acrobat and Excel software, respectively, that could lead to arbitrary code execution. 

Talos also disclosed six vulnerabilities in the Weston Embedded µC-HTTP HTTP server implementation, some of which could also lead to code execution. 

For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website.  

**Adobe Acrobat Reader use-after-free vulnerabilities **

_Discovered by Jaewon Min and Aleksandar Nikolic of Cisco Talos._ 

Adobe recently patched two use-after-free vulnerabilities in its Acrobat PDF reader that Talos discovered, both of which could lead to arbitrary code execution. Acrobat is one of the most popular PDF readers currently available, especially in the U.S., and many browsers utilize an Acrobat plugin. This means an attacker could trick a user into opening a specially crafted, malicious file in the browser as a file or tricking them into opening it in the desktop application. 

a TALOS-2023-1794 (CVE-2023-44336) exists in the Thermometer JavaScript object in Acrobat Reader. An attacker who exploits this vulnerability could use specially crafted JavaScript code to cause a use-after-free vulnerability, which can lead to memory corruption and arbitrary code execution. 

TALOS-2023-1842 (CVE-2023-44372) works in the same way, but in this case, the vulnerability affects the page event processing in Acrobat Reader. 

**Arbitrary code execution vulnerability in Microsoft Excel **

_Discovered by Marcin “Icewall” Noga of Cisco Talos._ 

Talos discovered a vulnerability in Microsoft Office Professional Plus 2019 (specifically the spreadsheet creation software Excel) that could lead to arbitrary code execution. 

Microsoft patched this vulnerability, CVE-2023-36041 (TALOS-2023-1835), as part of its monthly security update earlier this month. 

This use-after-free vulnerability exists in the ElementType attribute parsing in Microsoft Office Professional Plus 2019 Excel and could allow an attacker to execute remote code on the targeted machine. An adversary would need to trick the targeted user into opening a specially crafted Excel spreadsheet to exploit this vulnerability. 

**6 vulnerabilities in open-source embedded operating system **

_Discovered by Kelly Patterson of Cisco Talos._ 

Cisco Talos recently discovered multiple vulnerabilities in Weston Embedded µC-HTTP, the open-source embedded HTTP server and client module for µC/TCP-IP. µC/TCP-IP is an embedded operating system first developed by Micrium, and is now maintained by Weston Embedded Solutions. 

TALOS-2023-1732 (CVE-2023-28391), TALOS-2023-1738 (CVE-2023-28379) and TALOS-2023-1746 (CVE-2023-31247) are memory corruption vulnerabilities that could lead to arbitrary code execution on the targeted device. An adversary could exploit these vulnerabilities by sending a specially crafted packet. There are various mitigation options for these issues, as outlined in Talos’ advisories, that can prevent the exploitation of these vulnerabilities. 

TALOS-2023-1726 (CVE-2023-25181) and TALOS-2023-1733 (CVE-2023-27882) both also lead to code execution, but in these cases, are caused by buffer overflows in the operating system triggered by a specially crafted packet. 

There is also TALOS-2023-1725 (CVE-2023-24585), an out-of-bounds write vulnerability that could lead to memory corruption. This vulnerability occurs when parsing the method of an HTTP request and could lead to heap corruption.

Vulnerabilities in Adobe Acrobat, Microsoft Excel could lead to arbitrary code execution

Cisco Talos has recently observed an increase in activity conducted by 8Base, a ransomware group that uses a variant of the Phobos ransomware and other publicly available tools to facilitate their operations.

A deep dive into Phobos ransomware, recently deployed by 8Base group

Cisco Talos identified the most prolific Phobos variants, TTPs and affiliate structure, based on their activity and analysis of over 1,000 samples from VirusTotal dating back to 2019. We assess with moderate confidence Eking, Eight, Elbie, Devos and Faust are the most common variants

Friday, November 17, 2023 08:01

*   Cisco Talos recently identified the most prolific Phobos variants, common affiliate tactics, techniques and procedures (TTPs), and characteristics of the Phobos affiliate structure, based on observed Phobos activity and analysis of over 1,000 Phobos samples from VirusTotal dating back to 2019.
*   We assess with moderate confidence Eking, Eight, Elbie, Devos and Faust are the most common Phobos variants, as they appeared most frequently across the samples we analyzed. 
*   The affiliates use similar TTPs to deploy Phobos and commonly target high-value servers, likely to pressure victims into paying the ransom. 
*   We assess with moderate confidence that the Phobos ransomware is closely managed by a central authority, as there is only one private key capable of decryption for all campaigns we observed.
*   There are also indications that Phobos may be sold as a ransomware-as-a-service (RaaS). We discovered hundreds of contact emails and IDs associated with Phobos campaigns, indicating the malware has a dispersed affiliate base, which is commonly seen among RaaS affiliates.

**Identifying the most prolific Phobos variants**

Phobos ransomware is an evolution of the Dharma/Crysis ransomware and, since it was first observed in 2019, has undergone only minimal developments despite its popularity among cybercriminal groups. This is a continuation of our analysis on Phobos ransomware, previously addressed in a blog on the ransomware group 8Base.

Talos identified five of the most prolific variants of the Phobos ransomware family, based on the volume of samples in VirusTotal. We examined several variations in the malware builder’s configuration settings, as this was the only distinguishing feature among the samples analyzed. The samples all contained the same source code and were configured to avoid encrypting files that other Phobos affiliated already locked, but the configuration changed slightly depending on the variant being deployed. 

For example, a Phobos sample deployed by the 8Base ransomware group contained a list of other Phobos variants that should not be encrypted, as seen below. A common trend for this configuration entry among all samples is that the group behind that specific sample had their name added to the beginning of the list.

__List of file extensions to be ignored by the encryption loop with names of previous campaigns.__

Once we extracted the samples’ configuration settings and identified the Phobos variant, Talos determined the most active Phobos affiliates by matching the most commonly observed variants with the unique IDs associated with each Phobos ransomware campaign. 

*   Eking: Active since at least 2019, usually targets users in the Asia-Pacific region.
*   Eight: Believed to be an older campaign run by the same group running 8Base now.
*   Elbie: Also seen targeting users in the APAC region and active since 2022.
*   Devos: Although this group has been active since 2019, not much has been written about it in terms of victimology or TTPs.
*   Faust: Another variant active since 2022 that does not target specific industries or regions.

The only differences between the samples of each variant are generally the contact email addresses used in the file extension for encrypted files, and the ransom note embedded in one of the settings, with all other settings being the same. The file extension used in all Phobos variants we analyzed follows the same template as the example shown below, where <<ID>> is replaced by the victim’s machine drive serial number. The next number is an identifier for the current campaign, then an email used to contact the ransomware actors is listed, and finally, the extension representing the variant is appended.

.id[<>-3253].[musonn@airmail[.]cc].eking

We defanged the email address for readers’ security, but the remaining square brackets are part of the actual extension used in all variants.

These variants have used hundreds of different contact emails over the past few years, as we can see in the graph below:

__Count of contact emails in use by each Phobos variant over the period of this research.__

These emails are generally created using free or secure email providers, shown below:

__Most common email providers in use for Phobos ransomware.__

In some cases, we have also seen affiliates using instant messaging services such as ICQ, Jabber and QQ to support their operations. The graph below illustrates the different providers chosen by the actors for each variant:

Devos

Eight

Elbie

Eking

Faust

email\[.\]tg

gmx\[.\]com

tutanota\[.\]com

tutanota\[.\]com

gmx\[.\]com

cock\[.\]li

aol\[.\]com

onionmail\[.\]org

airmail\[.\]cc

tutanota\[.\]com

protonmail\[.\]com

protonmail\[.\]com

tuta\[.\]io

aol\[.\]com

onionmail\[.\]org

libertymail\[.\]net

tutanota\[.\]com

techmail\[.\]info

firemail\[.\]cc

waifu\[.\]club

qq\[.\]com

onionmail\[.\]org

cock\[.\]li

tuta\[.\]io

tuta\[.\]io

pressmail\[.\]ch

cock\[.\]li

privatemail\[.\]com

protonmail\[.\]com

gmail\[.\]com

medmail\[.\]ch

keemail\[.\]me

gmail\[.\]com

cock\[.\]li

airmail\[.\]cc

tutanota\[.\]com

mailfence\[.\]com

yandex\[.\]ru

criptext\[.\]com

mailfence\[.\]com

cumallover\[.\]me

zohomail\[.\]eu

msgsafe\[.\]io

ctemplar\[.\]com

xmpp\[.\]jp

airmail\[.\]cc

zohomail\[.\]com

cyberfear\[.\]com

gmx\[.\]com

zohomail\[.\]eu

countermail\[.\]com

ICQ@HONESTHORSE

aol\[.\]com

techmail\[.\]info

cock\[.\]li

mailfence\[.\]com

ICQ@VIRTUALHORSE

  

msgsafe\[.\]io

zohomail\[.\]com

mail\[.\]fr

  

  

  

lenta\[.\]ru

  

  

  

  

proton\[.\]me

  

  

  

  

privatemail\[.\]com

We observed Devos affiliates using QQ\[.\]com, a Chinese instant message application, and eight affiliates using ICQ, an instant message service currently owned by a Russian company. We also saw the use of service providers that are considered to be more secure than others, like Proton Mail. This diversity of providers further supports our assessment that Phobos has a dispersed affiliate base and may be operating as a RaaS. 

Because of the varied use of the email service providers listed above, and the sheer number of different contact emails in use for each variant, Talos assesses with moderate confidence that multiple threat actors are behind each of these variants instead of a single threat actor moving to different providers to avoid being banned.

**Observed tactics, techniques and procedures in Phobos intrusions**

In early 2023, Talos observed an intrusion associated with the “Elbie” variant of Phobos. In this attack, the threat actor targeted the organization’s exchange server and then moved laterally, attempting to compromise additional server-side infrastructure including backup servers, database servers and hypervisor hosts. Rather than attempting to deploy the ransomware to a large number of systems concurrently, the attackers appeared to focus on specific infrastructure and attempted to deploy the ransomware on each system individually. We believe this is because Phobos affiliates usually go after high-value servers in the victim’s network as a way to increase the damage and chance of a payout.

After gaining initial access to the organization’s exchange server, the attackers created a working directory in the compromised user’s Desktop directory and attempted to drop various tools including, but not limited to:

*   Process Hacker: A process visualization tool which also contains a kernel mode driver used by malicious actors sometimes to delete files, services and kill processes.
*   Automim: This toolkit enables automated credential collection on compromised hosts and includes the LaZagne and Mimikatz utilities.
*   IObit File Unlocker: A tool used to remove a lock on files open by other applications, used by malicious actors to increase the chance of encrypting files like databases, open documents and similar files that are usually kept open.
*   Nirsoft Password Recovery Toolkit: A toolkit used to extract passwords for common applications like browsers and email clients.
*   Network Scanner (NS.exe): An executable used to scan the network for open services and move laterally over the network.
*   Angry IP Scanner: A tool used to scan the network for open services and identify network information for the machines found.

The attacker also dropped a variety of batch files responsible for various post-compromise activities.

One batch file clears Windows event logs on compromised systems to minimize forensic artifacts and make detection more difficult:

FOR /F "delims=" %%I IN ('WEVTUTIL EL') DO (WEVTUTIL CL "%%I")

Another was responsible for deleting Volume shadow copies, likely to make recovery following Phobos deployment more difficult:

vssadmin delete shadows /all /quiet  
wmic shadowcopy delete  
bcdedit /set {default} bootstatuspolicy ignoreallfailures  
bcdedit /set {default} recoveryenabled no  
wbadmin delete catalog -quiet  
exit

The script above is included in the Phobos configuration as we noted in our previous blog, which is extracted and saved as a temporary .BAT file before the encryption process starts.

Additionally, a batch file was created to configure the Windows Registry keys that enable the accessibility features present on the Windows logon screen to spawn a SYSTEM-level command prompt without requiring previous authentication. This may have been used as a persistence mechanism, allowing the attacker to regain full control of systems via RDP later in the attack. 

First, the script disables User Account Control (UAC) on the system by setting the following Registry entry:

REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f

Next, the script sets the Image File Execution Options debugger entry for various accessibility features to the Windows Command Processor. This allows an attacker to execute an elevated command shell on the system by invoking the accessibility features from the Windows logon screen. Any time one of these applications is launched, the debugging application specified is launched with elevated permissions instead, which in this case, is the Windows command processor. 

REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /f /v Debugger /t REG_SZ /d "%windir%\system32\cmd.exe"

REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Magnify.exe" /f /v Debugger /t REG_SZ /d "%windir%\system32\cmd.exe"

REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HelpPane.exe" /f /v Debugger /t REG_SZ /d "%windir%\system32\cmd.exe"

REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe" /f /v Debugger /t REG_SZ /d "%windir%\system32\cmd.exe"

Finally, the script configures various Registry entries responsible for enabling RDP and disabling network-level authentication. 

REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /f /v fDenyTSConnections /t REG_DWORD /d "00000000"

REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /f /v fAllowUnsolicited /t REG_DWORD /d "00000001"

REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /f /v UserAuthentication /t REG_DWORD /d "00000000"

REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /f /v SecurityLayer /t REG_DWORD /d "00000001"

An additional script dropped by the threat actor was responsible for making the following service configuration changes on compromised systems:

sc config Dnscache start= auto  
net start Dnscache  
sc config SSDPSRV start= auto  
net start SSDPSRV  
sc config FDResPub start= auto  
net start FDResPub  
sc config upnphost start= auto  
net start upnphost

File-sharing was enabled on compromised hosts via the following command execution:

dism /online /enable-feature /featurename:File-Services /NoRestart

The attacker also attempted to uninstall endpoint protection software on compromised hosts to minimize detection of various components used throughout the attack and prevent alerting security staff. 

Once the defenses were disabled and the persistence mechanisms enabled, the threat actor deployed the Phobos ransomware, encrypting the files in the server. In this case, the variant we observed during the infection was part of the “Elbie” campaign and displayed the same behavior we described in our previous blog. At the end of the process, the ransom note “_info.hta_” was dropped to the user’s Desktop with details on how to contact the attacker:

__Example of Phobos info.hta displaying the contact address.__

**Unveiling the developers and affiliates behind Phobos**

Through our analysis of Phobos campaigns and malware samples, we made several discoveries that helped shed light on mysteries surrounding the ransomware’s little-known affiliate structure and developers.

There is some indication that Phobos may be a RaaS, due to the variation in email addresses we observed. Each Phobos variant from VirusTotal was associated with at least a dozen emails that were provided to victims to maintain contact, and some had close to 200 unique email addresses with various domains. In some instances, ICQ and Jabber were used as the main contact address. While it’s possible that there is a single group behind Phobos, it would be uncommon to have a threat actor change their contact email address so often. This would take extra time and effort while many ransomware campaigns very successfully use just a few contact addresses. For example, when we observed the ransomware group 8base using Phobos as described in our other blog, they only used a single contact email, “_support@rexsdata\[.\]pro_”.

We also assess that Phobos is likely closely managed by a central authority that controls the ransomware’s private decryptor key. For each file Phobos decides to encrypt, it generates a random AES key to use in the encryption, then encrypts this key along with some metadata with an RSA key present in the configuration data, and saves this data at the end of the encrypted file. That means in order to decrypt the file, one needs the private key corresponding to that public RSA key.

Every Phobos sample we analyzed contains the same public RSA key in its configuration data, implying there is only one private key capable of decryption. We assess that a single threat actor controls the private key as every single sample we analyzed contains the same public key. It’s possible the Phobos developer offers the decryption service to their affiliates for a cut of their proceedings. 

During our research, we did find variants of these decryptors in the wild, like this sample found in VirusTotal which promises to decrypt samples for the “**_Elbie_**” variant. However, the decryptor needs two pieces of information that are not available in the file itself, so using it to decrypt samples is not possible. 

__Phobos decryption tool screen asks for base64-encoded data.__

The first piece needed seems to be a file with a base64-encoded encrypted blob of data which seems to be the RSA private key used to decrypt the samples. The second piece of information needed is a password which is used to decrypt the content of this blob. So, it may be possible for the RSA private key to be recovered if these two pieces of data are found, shared by a victim who paid for the decryption or leaked it in the wild. 

Further supporting our assessment that Phobos is run by a central authority, is how meticulously the ransomware’s extension block lists are updated. As we stated previously, Phobos avoids encrypting files that were previously locked by other Phobos affiliates. This is based on a file extension block list in the ransomware’s configuration settings. The extension blocklists appear to tell a story of which groups used that same base sample over time. When a malware builder tool usually generates a binary for a campaign, it does so based on a fixed and clean “stub” binary, which is then populated with whatever payload of configuration is necessary for that current build. This is not what happens with Phobos.

The extension block lists found in the many Phobos samples Talos analyzed are continually updated with new files that have been locked in previous Phobos campaigns. This may support the idea that there is a central authority behind the builder who keeps track of who used Phobos in the past. The intent could be to prevent Phobos affiliates from interfering with one another's operations.

**Coverage**

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.

Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.

ClamAV detections are available for this threat:

**Win.Packed.Zusy  
Win.Ransomware.8base  
Win.Downloader.Generic  
Win.Ransomware.Ulise**

**IOCs**

Indicators of Compromise associated with this threat can be found here.

Understanding the Phobos affiliate structure and activity

YouTube’s new rules may not be around for long anyway, because they might run afoul of European Union regulations

Thursday, November 16, 2023 14:00

I don’t think this is a particularly bold take — but I’m not afraid to say that ad blockers are good! 

Ever since I started using one sometime in 2016, my experience of using the internet has improved exponentially. I can finally easily find a recipe for dinner on a random influencer’s blog, get a faster answer to “how to replace my car’s headlights” and likely avoid hundreds of pieces of malvertising. 

But their use has increasingly come into question with YouTube’s new policies on preventing users from using ad blockers on its site, with new warnings saying the user has a certain number of videos they can watch before they must allowlist youtube.com in their ad blocker, thus allowing the site to display ads before YouTube videos. 

The second this popped up for me two weeks ago, I immediately started researching workarounds and quickly found a secure solution that works for my browsing habits. The easy explanation for why Google (YouTube’s parent company) wants to get rid of ad blockers is, simply, money. They run the Google Ads service that provides the stereotypical ads everyone has been used to seeing on websites since the early aughts. Unfortunately, bad actors will often use enticing headlines, fake images or sales pitches to trick people into clicking on links that lead to malicious sites, attacker-run scams or downloads that are malware. 

Ad blockers are a major tool users can deploy to block this type of threat, so the explanation for why everyone should be using one is also clear. 

Google isn’t the only major company looking to bypass ad blockers, either. Spotify’s terms of service explicitly outlaws “circumventing or blocking advertisements or creating or distributing tools designed to block advertisements” on its platforms, and many news websites like CNBC have warnings about turning off your ad blocker before you can proceed to read an article. 

I am all for publishers charging for their content or putting it behind a paywall, or even “premium” subscriptions to disable ads from podcasts or videos. But we all need to universally agree that ad blockers (at least legitimate ones) are good for the internet at large and keep users safer. The FBI and CIA agree with me on this and have both advised that users enable ad blockers in web browsers before.

The argument that ads benefit the creators, and therefore we’re robbing them of money, is largely off-base from these corporations. 

Creators who are part of the YouTube Partner program, which means they have filled out an application and meet a minimum standard for views and subscribers, make between $1.61 and $29.30 for every 1,000 views on their videos through YouTube’s ads. So Mr. Beast might make a decent payday out of that every month, but I’m sure Mr. Beast would also be doing just fine without the extra few thousand dollars in his pocket currently. 

The people who are just trying to be helpful by showing me how to fix my washing machine or install a car seat properly are likely not missing my singular ad view when I use an ad blocker.  

Thankfully, YouTube’s new rules may not be around for long anyway, because they might run afoul of European Union regulations, and privacy advocates have already filed a formal challenge to the EU’s independent data regulator.  

**The one big thing **

Microsoft disclosed three zero-day vulnerabilities as part of its monthly security update this week, and all three have already been added to CISA’s Known Exploited Vulnerabilities catalog. However, Patch Tuesday only included three critical vulnerabilities, an unusually small number based on previous months’ Patch Tuesdays. CVE-2023-36033 is an elevation of privilege vulnerability in the Windows DWM Core Library that could allow an attacker to gain SYSTEM-level privileges. According to Microsoft, this vulnerability has already been exploited in the wild and there is proof-of-concept code available. Another zero-day elevation of privilege vulnerability, CVE-2023-36036, exists in the Windows Cloud Files mini-filter driver that could also allow an attacker to gain SYSTEM privileges. 

**Why do I care? **

Unfortunately, zero-days have become commonplace for Patch Tuesdays this year, and it seems like a few more pop up each month. In these cases, attackers were able to discover the exploits before Microsoft had a chance to patch them, and CISA already acknowledged that attackers are exploiting these vulnerabilities in the wild.  

**So now what? **

All Microsoft users should ensure their updates are installed correctly if you have auto-update on, or make sure to manually download the patches as soon as possible otherwise. The Talos blog also has a rundown of Snort rules that can detect the exploitation of many of the vulnerabilities Microsoft disclosed this week. 

**Top security headlines of the week **

**U.S. intelligence agencies are warning that the Royal ransomware group could soon be headed for a rebrand and may already be operating under the name “BlackSuit.”** Government sanctions have previously limited Royal’s ability to make money off their ransomware attacks, but new research from private firms and government agencies indicate that Royal may be connected to BlackSuit, another threat actor that uses similar open-source tools. Royal is a prolific ransomware group that the FBI says is responsible for infecting more than 350 companies, generating revenue in excess of $275 million. Security researchers are also speculating that Royal may have formed from the splintering of the former Conti ransomware gang, which was also the victim of sanctions and government takedown efforts. The U.S. and U.K. announced sanctions against 11 individuals believed to be a part of Conti in September. (TechCrunch, The Register) 

**Fighting election misinformation has only gotten more difficult since the 2020 presidential election.** New reporting and testimony indicate that many key programs and partnerships dedicated to fighting fake news and disinformation online have eroded over the past few years after political attacks from right-wing leaders and organizations. FBI Director Chris Wray told a Senate committee last week that an alliance of federal agencies, tech companies, election officials and security researchers dedicated to fighting foreign propaganda has fallen apart recently, with little to no communication between the various parties involved. Other officials in charge of fighting election disinformation say its been months since they heard from the FBI after once connecting with the agency regularly about fighting fake news on social media platforms. Additionally, many poll workers and election officials are afraid to discuss the topic after years of online pushback from right-wing voters who view the word “misinformation” as a synonym for censorship. (NBC News, NPR) 

**Chip makers Intel and AMD disclosed new vulnerabilities this week that could lead to privilege escalation.** Some Intel CPUs are vulnerable to the newly discovered “Reptar” vulnerability (CVE-2023-23583) that was disclosed on Tuesday. Adversaries can exploit this high-severity flaw if they already have access to the targeted system, eventually causing a crash on the machine leading to privilege escalation or the disclosure of sensitive system information. Another attack on AMD CPUs called “CacheWarp” could allow an attacker to infiltrate encrypted virtual machines and perform privilege escalation. This vulnerability, identified as CVE-2023-20592, affects AMD's Secure Encrypted Virtualization (SEV) technology. Users do not need to take any additional actions to address these vulnerabilities other than ensuring drivers and operating systems are up-to-date and patched. (SecurityWeek, The Hacker News) 

**Can’t get enough Talos? **

Rather than putting a bunch of links here this week, I instead encourage you to watch this whole segment from Fox 11 in Los Angeles, featuring Nick Biasini from Talos Outreach. The story covers online scams, but features Nick discussing Talos’ recent research into various scams in the online video game “Roblox.” 

**Upcoming events where you can find Talos **

**misecCON** **(Nov. 17)** 

_Lansing, Michigan_ 

> _Terryn Valikodath from Talos Incident Response will deliver a talk providing advice on the best ways to conduct analysis, learning from his years of experience (and mishaps). He will speak about the everyday tasks he and his Talos IR teammates must go through to properly perform analysis. This talk covers topics such as planning, finding evil, recording findings, correlation and creating your own timelines._ 

**"Power of the Platform” by Cisco** **(Dec. 5 & 7)** 

_Virtual (Please note: This presentation will only be given in German)_ 

> _The annual IT event at the end of the year where Cisco experts, including Gergana Karadzhova-Dangela from Cisco Talos Incident Response, discuss the future-oriented topics in the implementation of digitalization together with you._  

**Most prevalent malware files from Talos telemetry over the past week  **

**SHA 256:** 0e2263d4f239a5c39960ffa6b6b688faa7fc3075e130fe0d4599d5b95ef20647   
**MD5:** bbcf7a68f4164a9f5f5cb2d9f30d9790   
**Typical Filename:** bbcf7a68f4164a9f5f5cb2d9f30d9790.vir   
**Claimed Product:** N/A   
**Detection Name:** Win.Dropper.Scar::1201 

**SHA 256:** b9ddbd1a4cec61e6b022a275d66312b5b676f9a0a9537a7708de9aa8ce34de59   
**MD5:** 3b100bdcd61bb1da816cd7eaf9ef13ba   
**Typical Filename:** vt-upload-C6In1   
**Claimed Product:** N/A    
**Detection Name:** Backdoor:KillAV-tpd 

**SHA 256:** 1fa0222e5ae2b891fa9c2dad1f63a9b26901d825dc6d6b9dcc6258a985f4f9ab   
**MD5:** 4c648967aeac81b18b53a3cb357120f4   
**Typical Filename:** yypnexwqivdpvdeakbmmd.exe   
**Claimed Product:** N/A    
**Detection Name:** Win.Dropper.Scar::1201 

**SHA 256:** a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91    
**MD5:** 7bdbd180c081fa63ca94f9c22c457376   
**Typical Filename:** c0dwjdi6a.dll   
**Claimed Product:** N/A    
**Detection Name:** Trojan.GenericKD.33515991 

**SHA 256:** bea312ccbc8a912d4322b45ea64d69bb3add4d818fd1eb7723260b11d76a138a   
**MD5:** 200206279107f4a2bb1832e3fcd7d64c   
**Typical Filename:** lsgkozfm.bat   
**Claimed Product:** N/A   
**Detection Name:** Win.Dropper.Scar::tpd

We all just need to agree that ad blockers are good

Avoiding some of these common mistakes ensures your organization’s plan will be updated faster and is more thorough, so you are ready to act when, not if, an incident happens.

Thursday, November 16, 2023 08:00

Cisco Talos recently covered the basics of NIS2, a new set of requirements for cybersecurity and security incident disclosures set to take effect next year in the European Union.

As part of these new guidelines, organizations with operations in the EU must have up-to-date “incident handling” procedures and “policies on risk analysis and information system security”

To comply, Talos IR recommends creating or updating your organization’s incident response (IR) plan, along with the Information Security Policy, Business Continuity and Crisis Management Plan. The IR plan is a crucial document for each organization’s cybersecurity practice and should be among the first documents to be updated to comply with NIS2.

Below, we’ll outline seven common pitfalls that organizations make when creating or updating an incident response plan. Avoiding some of these common mistakes ensures your organization’s plan will be updated faster and is more thorough, so you are ready to act when, not if, an incident happens.

**Part II: Pitfalls to avoid when creating an incident response plan**

**Failing to define a document hierarchy**

A common mistake when starting to work on a new or updated IR plan is to look at the plan in isolation, without consideration for all the cybersecurity documents that exist in your organization.

The term “document hierarchy" might sound complicated and foreign, but it describes exactly this simple concept: All documents within an organization should have a specific scope, purpose and intended audience — A bit like LEGO blocks that build upon each other.

Document B can deepen the information presented in Document A by providing more details on a specific part of the process without the need to repeat what was already presented in Document A. Having a clear overview on how the individual documents fit within the overall document hierarchy helps avoid duplication of information, thus keeping documents only as long as they really need to be. A shorter document with a clear focus is more likely to be read and effectively used by its intended audience.

In the context of cybersecurity, Talos IR recommends a document hierarchy consisting of the following building blocks:

The incident response plan focuses on the incident handling process. It is a second- or third-level document that builds on the higher-level information in the security policy or the security principal statement. In the plan, which has a narrower audience than the previous two documents, one can find details on the formation and operations of the incident response team, actions and available resources in each phase of the incident response process, escalation procedures and communication flows. The information in the incident response plan is applicable to all cybersecurity incidents and serves as a basis for the development of the next level of documentation, which is more procedural and scenario-based.

By failing to define and adhere to a clear document hierarchy you run the risk of overloading the IR plan with specific checklist type of information, which would be more fitting for a playbook. Playbooks usually build upon the incident response plan to provide step-by-step guidance for responding to a specific incident type, such as ransomware, suspicious emails, and unusual network traffic. Another risk is the plan is too broad, borrowing content from the policy and listing general cyber hygiene advice and end-user training topics. This makes it hard for the responders, who are the main audience of the plan, to find the vital information for their needs.

**Being too general**

An Incident Response Plan should at the very least answer the “Who, What, When and How?” of a cybersecurity incident.

If you break it down:

*   **Who** – What are the roles that are part of the IR process, what skillsets or capabilities are required for the members of the role (technical and in terms of crisis management and coordination), and what other supporting roles are involved during the different IR phases.
*   **What** – What activities are performed at each stage of the incident response process? Remember, an IRP is not a playbook, so you do not need to describe the details of, for example, investigating suspicious executable files on a host. Instead, the plan should have a description of the general triage process, available data sources within the organization and possible playbooks to follow once the incident has been narrowed down.
*   **When** – Time is precious during an incident, so it is good to have an order of actions that is pre-determined to take place whenever an incident occurs. For example, based on the priority classification of the incident (which is something that should also be in the plan) an escalation process might be started. Would a high-priority event occurring on the weekend necessitate calling immediately the manager immediately? Is such an escalation point available outside of normal working hours? Each action should also have a role owner identified.
*   **How** – An incident response plan should contain high-level information about the tools that would typically be used during an incident for the technical response (including data capturing, detection capabilities and analysis tools) and the incident communication (e.g., what alternative infrastructure can be used if the network is suspected to be compromised). Yet, the plan should offer only an overview of the capabilities of the tools, the toolkit at the team’s disposal, rather than procedural details on using them. The latter should be added to the organization’s playbooks.

**Being too specific**

An IRP is not a playbook. The information in the plan is the foundation that doesn’t need to be repeated in the other playbooks. For example, ensure that the plan does not include procedural information that is only applicable to one type of attack, such as ransomware or distributed denial-of-service (DDoS), because this will water down the scope of the document.

**Writing in isolation**

In all fairness, few technical personnel are truly enthusiastic about writing process documentation. This makes it even more important to ensure that whoever works on the IR plan is supported by the broader team.

One of the most successful ways to create a meaningful IR plan is to involve the company stakeholders, such as the primary business application owners, so they can have an understanding and make sure their needs and expectations are being met with the plan.

The initial plan draft should be reviewed by at least two team members who have process knowledge and will be responsible for the IR process implementation. Then, the next level of review should be done by teams outside of the core IR team, such as Networking and Storage Management, which play a key role during recovery. Supporting non-technical teams such as legal, communications and HR, should be provided with a final draft for review. The input of the latter is just as valuable as the technical ones, because some regulations, such as NIS2, will require incident notification within 24 hours. For example, it would be up to the legal team to confirm if, and who will be available on the weekend to contact law enforcement for an incident that started on a Friday afternoon and by Sunday needs to be reported.

**Not testing the IR plan**

We all know that testing processes are essential, but not all processes are created equal. How often do you test your backup recovery procedure? And how often do you test your incident response process?

An Incident Response Plan typically contains several sub-process descriptions, such as an escalation process, triage process, alternative communication channels activation process, etc. The plan is only as good as its use during a real incident, and the best way to identify any gaps in any of those sub-processes is to put them to a test.

How can you test the IR Plan? Start by breaking it down into key processes which are part of the overall incident handling. Then rank those processes according to their criticality for the overall response and their level of effort to test. Start with the sub-processes on top and work your way down.  

For example, look at the recovery action, “the incident lead contacts the backup management team to get the status of the backups.” Here are some of the questions that you might need to check:

*   How does the incident commander contact the backup management team? Is that communication channel available offline if the company’s communications tools are down or compromised?
*   Will the backup management team be available at this time of the day? What if the incident happens on the weekend or during a public holiday?
*   Where will the backup management team find the latest test date of the backups? Does the backup management team have a procedure to follow during the verification of the backup’s integrity? How quickly such an overview be created?
*   If backups have been isolated, could they be checked for integrity?
*   In case of a suspicion of compromise, does the backup management team have a list of all accounts that have access to the backups?
*   How will the incident commander keep track of all information sent to them during the incident and make them available to the larger team?

To test the tools, people and processes involved in this situation, Talos IR recommends conducting tabletop exercises at least once a year.  A tabletop is a dry run through a scenario customized to your organization, the attack being only on paper without environmental impact, to see how responsible teams will react. It might seem harmless but if done properly, the tabletop can empower teams to see their IR plan with new eyes, discovering both the power of a well-written document with up-to-date information and the areas that need improvement.

**Letting it get stale**

An IRP should be renewed and updated at least once a year, and additionally, whenever you have major software or hardware changes in your environment. Changes in the organization's legal structure, such as mergers and acquisitions, also necessitate a review. At the conclusion of any major incidents, it is also recommended to review the IR Plan and adjust based on the incident. Regular reviews also help ensure that in case of personnel changes — e.g., members rotating outside the team or the organization, or IT landscape changes — the plan is still effective.

**Being too IT-focused**

An IR plan should be created in consultation with other non-technical teams, starting with legal, compliance, HR and communications. Specific examples of when you will need to work closely with those teams are cases when the personal data of employees has been affected, when you have regulatory requirements to notify authorities about an incident, or when you need to publish a public statement about a major incident.

Another team that is often overlooked but should be part of the IR plan development is the service desk team. Are agents able to route a cybersecurity incident properly and get it quickly escalated to the IR team? Have they been trained to recognize, even with fewer affected users, high-confidence signs of common attacks such as ransomware, wipers and social engineering?

If you remain too focused on the technical aspects of handling an incident, you run the risk of creating an incomplete document. Supporting teams should be part of the development process, the distribution list of the final document, and the testing and training exercises. Raising a child takes a village, and so does protecting an organization.

Talos IR can support customers in preparing to meet the requirements of NIS2. The following services address one or more of the requirements of the directive:

*   **Preparing:** IR Plan, IR Playbooks, IR Readiness Assessment, Log Architecture Assessment
*   **Simulating:** Purple Team
*   **Training:** Tabletop , Cyber Range
*   **Hunting:** Compromise Assessment, Threat Hunting
*   **Core:** Emergency Response, Intel on Demand

The implementation of technical and procedural measures, which would support you in achieving compliance with NIS2, is a process that might require creating new processes and updating your technology stack. Time flies when you are having fun so we recommend that you start by reviewing the requirements you will need to comply with and putting together an actionable plan for how to achieve this in the course of the upcoming year.

7 common mistakes companies make when creating an incident response plan and how to avoid them

In all, this set of vulnerabilities Microsoft patched includes 57 vulnerabilities, 54 of which are considered “important.”

Tuesday, November 14, 2023 14:11

Microsoft’s monthly security update released Tuesday only includes three critical vulnerabilities, an unusually small number based on previous months’ Patch Tuesdays.  

In all, this set of vulnerabilities Microsoft patched includes 57 vulnerabilities, 54 of which are considered “important.” This is the fewest number of vulnerabilities Microsoft disclosed in a month since May.  

However, there are three zero-day vulnerabilities included in November’s Patch Tuesday, and another three that have already been publicly disclosed. 

CVE-2023-36033 is an elevation of privilege vulnerability in the Windows DWM Core Library that could allow an attacker to gain SYSTEM-level privileges. According to Microsoft, this vulnerability has already been exploited in the wild and there is proof-of-concept code available. 

Another zero-day elevation of privilege vulnerability, CVE-2023-36036, exists in the Windows Cloud Files mini-filter driver that could also allow an attacker to gain SYSTEM privileges. 

The other vulnerability that’s being exploited in the wild is CVE-2023-36025, which could allow an adversary to bypass Windows Defender SmartScreen checks and other associated prompts. An attacker could exploit this vulnerability by tricking the targeted user into clicking on a specially crafted internet shortcut or hyperlink pointing to an attacker-controlled website. 

CVE-2023-36397 has one of the highest possible severity scores among the vulnerabilities disclosed Tuesday, a 9.8 out of a possible 10 CVSS score. However, Microsoft considers it “less likely” to be exploited. An attacker could exploit this vulnerability in the Windows Pragmatic General Multicast (PGM) by sending a specially crafted file over the network, potentially allowing them to execute remote malicious code on the targeted machine. 

One of the vulnerabilities Microsoft patched today, CVE-2023-36041 (TALOS-2023-1835), was discovered by Marcin “Icewall” Noga of Cisco Talos’ vulnerability research team.  

This use-after-free vulnerability exists in the ElementType attribute parsing in Microsoft Office Professional Plus 2019 Excel, and could allow an attacker to execute remote code on the targeted machine. An adversary would need to trick the targeted user into opening a specially crafted Excel spreadsheet to exploit this vulnerability. 

A complete list of all the other vulnerabilities Microsoft disclosed this month is available on its update page.  

In response to these vulnerability disclosures, Talos is releasing a new Snort rule set that detects attempts to exploit some of them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Cisco Secure Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. 

The rules included in this release that protect against the exploitation of many of these vulnerabilities are 62627, 62628, 62630 - 62633 and 62641 - 62644. There are also Snort 3 rules 300751 - 300753, 300757 and 300758.

Microsoft discloses only three critical vulnerabilities in November’s Patch Tuesday update, three other zero-days

It can be easy to get caught up in the “big” questions in cybersecurity, like how to stop ransomware globally or keep hospitals up and running when they’re targeted by data theft extortion.

Thursday, November 9, 2023 14:11

I found the juxtaposition of stories on the Talos blog over the past week-plus kind of funny. 

On one hand, we had a massive story about Arid Viper, a Middle Eastern threat actor spreading spyware, one of the most dangerous types of malware out there right now, operating out of Gaza no less. 

Then, we had “Roblox,” a children’s video game (which I’ve written about multiple times and I maintain was the OG metaverse).  

The scale of these attacks is obviously vastly different. Spyware is being used across the globe to monitor some of the most vulnerable activists, journalists and government officials to track their physical movement.  

Meanwhile, “Roblox” players are losing money in a game where the characters look like vague LEGO minifigure knockoffs.  

And the blog homepage is just a perfect encapsulation of how cybersecurity means more than just blocking malware. It can mean teaching your children how to stay safe when they go online, how to properly lock down your login credentials and just being smart at spotting scams. 

But it can also have global implications in areas where there is a global military conflict, just like we’ve written about countless times in Ukraine. 

I would never call one security researcher’s work more “important” than another's — everyone in the security community works extremely hard to keep the internet safe, no matter what company you work for or what your area of expertise is. Tiago from our Outreach team who wrote about the “Roblox” scams has certainly done way more malware research beyond this. But it’s clear that the real-world implications of both these threats are very different. 

For me, the takeaway is just to leave room for all of this. It can be easy to get caught up in the “big” questions in cybersecurity, like how to stop ransomware globally or keep hospitals up and running when they’re targeted by data theft extortion. But that doesn’t mean we can ignore the “small stuff” either because those problems are more likely to end up on our virtual front door. 

If I may continue to plug Talos’ work, we have a new video series launching today, too, under our Threat Spotlight banner. Each month, Decipher reporters and Talos researchers will team up to recap the top stories, malware and threats in the headlines. We’re excited about this new partnership with Decipher.

 **The one big thing **

Attackers are using a new tactic to get spam through their email inbox filters via Google Forms. Google Forms has a “quiz” option for their fields, and adversaries have found a workaround to send the “answers” to a quiz to targets, which are actually spam messages that appear to the user like they’re legitimate messages coming from Google. In one case, we found a deep cryptocurrency-related scam using this method, and other actors are just hoping to get the user to click on a malicious link that could lead to other scams or malware.  

**Why do I care? **

The average user is going to see a message from Google Forms, especially after they just filled out a Form, and assume it’s legitimate, so attackers are more likely to be successful using this method of delivering their spam compared to traditional email methods. Google Forms abuse has been present in spam attacks for several years, though our investigation showed that this particular feature of Google Forms quizzes was not very heavily abused to send spam until relatively recently. 

**So now what? **

As with all types of spam, follow the basic rule, “If it seems too good to be true, it probably is.” While there is no concrete method of blocking these comments and quiz results from coming through, if you’re using Google Forms, be weary of illegitimate messages making their way through. Look for things like misspellings, typos, or URLs that you don’t recognize.  

**Top security headlines of the week **

**A coalition of more than 40 international governments, including the European Union and Interpol, have agreed to not pay ransomware attackers’ extortion payments.** The commitment came from last week's U.S.-led Counter Ransomware Initiative meeting and applies to those countries’ government agencies. Private companies who operate in these nations are most often the targets of ransomware, however, but leaders hope the pledge will influence them to take the same stance. Whether to pay the ransom is often a tough decision for the private sector, which needs to balance the cost of keeping their network operations offline during recovery versus having their files returned as quickly as possible. However, there is never a guarantee that the ransomware actor will provide a decryption key as promised. Government officials hope that cutting off the flow of income to the threat actors will dry up their resources and discourage future attacks. (Axios, Reuters) 

**Atlassian elevated a recently disclosed vulnerability to the maximum severity rating after threat actors started exploiting it to deliver the Cerber ransomware.** CVE-2023-22518 is an improper authorization vulnerability in Confluence Data Center and Server, which first received a patch on Oct. 31. Adversaries can exploit this vulnerability on internet-facing Confluence servers by sending specially devised requests to setup-restore endpoints. Confluence accounts hosted in Atlassian’s cloud environment are not affected, according to the company. In its initial disclosure of CVE-2023-22518, Atlassian warned of “significant data loss if exploited” and said, “customers must take immediate action to protect their instances.” (SC Media, Ars Technica) 

**The Mozi botnet mysteriously has gone offline, and experts are unsure if the original creators are responsible.** Mozi was once a massive network that attackers used to carry out distributed denial-of-service (DDoS) attacks, data exfiltration and payload execution against internet-of-things (IoT) devices. Once one of the largest botnets in the world, it’s now essentially offline, according to security researchers. A kill switch seems to be the root cause, though it’s unclear if the operators did this on their own volition if they had their hand forced by law enforcement, or if another third party was involved. The kill switch code shares some code snippets with the original botnet, and whoever deployed it used the correct private keys to sign the payload. Botnets tend to still come back to life after reported takedowns, so there is no guarantee that Mozi is gone forever. (Dark Reading, The Register) 

**Can’t get enough Talos? **

*   Threat Roundup for Oct. 27 - Nov. 3 
*   Talos Takes Ep. #161 (XL Edition): The top incident response trends of Q3 
*   Cisco Talos researcher Nick Biasini on chasing APTs, mercenary hackers 
*   Cyber attackers are increasingly targeting web applications 

**Upcoming events where you can find Talos **

**Black Hat Middle East and Africa** **(Nov. 16)** 

_Riyadh, Saudi Arabia_ 

> _Rami Atalhi from Talos Incident Response will discuss how generative AI affects red and blue teams in cybersecurity. Discover how generative AI creates a bridge between these teams, fostering teamwork and innovative strategies. Real-world cases will demonstrate how generative AI drives success, providing insights for building resilient cybersecurity plans._ 

**misecCON** **(Nov. 17)** 

_Lansing, Michigan_ 

> _Terryn Valikodath from Talos Incident Response will deliver a talk providing advice on the best ways to conduct analysis, learning from his years of experience (and mishaps). He will speak about the everyday tasks he and his Talos IR teammates must go through to properly perform analysis. This talk covers topics such as planning, finding evil, recording findings, correlation and creating your own timelines._ 

**"Power of the Platform” by Cisco** **(Dec. 5 & 7)** 

_Virtual (Please note: This presentation will only be given in German)_ 

> _The annual IT event at the end of the year where Cisco experts, including Gergana Karadzhova-Dangela from Cisco Talos Incident Response, discuss the future-oriented topics in the implementation of digitalization together with you._  

**Most prevalent malware files from Talos telemetry over the past week **

**SHA 256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91**    
**MD5:** 7bdbd180c081fa63ca94f9c22c457376   
**Typical Filename:** c0dwjdi6a.dll   
**Claimed Product:** N/A    
**Detection Name:** Trojan.GenericKD.33515991 

**SHA 256:** bea312ccbc8a912d4322b45ea64d69bb3add4d818fd1eb7723260b11d76a138a   
**MD5:** 200206279107f4a2bb1832e3fcd7d64c   
**Typical Filename:** lsgkozfm.bat   
**Claimed Product:** N/A   
**Detection Name:** Win.Dropper.Scar::tpd 

**SHA 256:** 8664e2f59077c58ac12e747da09d2810fd5ca611f56c0c900578bf750cab56b7    
**MD5:** 0e4c49327e3be816022a233f844a5731    
**Typical Filename:** aact.exe    
**Claimed Product:** AAct x86    
**Detection Name:** PUA.Win.Tool.Kmsauto::in03.talos 

**SHA 256: 5e537dee6d7478cba56ebbcc7a695cae2609010a897d766ff578a4260c2ac9cf**   
**MD5:** 2cfc15cb15acc1ff2b2da65c790d7551   
**Typical Filename:** rcx4d83.tmp   
**Claimed Product:** N/A     
**Detection Name:** Win.Dropper.Pykspa::tpd 

**SHA 256:** 975517668a3fe020f1dbb1caafde7180fd9216dcbf0ea147675ec287287f86aa   
**MD5:** 9403425a34e0c78a919681a09e5c16da   
**Typical Filename:** vincpsarzh.exe   
**Claimed Product:** N/A   
**Detection Name:** Win.Dropper.Scar::tpd

A new video series, Google Forms spam and the various gray areas of cyber attacks

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Nov. 3 and Nov. 10. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key

Threat Roundup for November 3 to November 10

Cisco Talos has recently observed an increase in spam messages abusing a feature of quizzes created within Google Forms.

Thursday, November 9, 2023 08:11

*   Spammers are exploiting the "Release scores" feature of Google Forms quizzes to deliver email.
*   The emails originate from Google's own servers and consequently may have an easier time bypassing anti-spam protections and finding the victim's inbox.
*   Volumes of these messages hovered near noise levels but have recently spiked into the hundreds.

Cisco Talos has recently observed an increase in spam messages abusing a feature of quizzes created within Google Forms. In particular, spammers have discovered that they can create a new quiz in Google Forms, use the victim’s email address to respond to the quiz, and then abuse the “Release Scores” feature of the Google Form to deliver their spam to the victim. Because the spam messages emanate from Google itself, the messages have a good chance of landing in the victim’s inbox.

A histogram showing the volume of “Score released:” emails for the past two years.

Cisco Talos examined a recent spam campaign in which the Subject headers all contained the text, “Score released:”. During our investigation, we quickly realized these messages were being generated through a feature of Google Forms’ quizzes. Google Forms abuse has been present in spam attacks for several years, though our investigation showed that this particular feature of Google Forms quizzes was not very heavily abused to send spam until relatively recently.

**Google Forms’ quizzes**

In Google Forms, when creating a new form, an author can choose to “Make this a quiz.” Choosing to release grades “Later, after manual review,” enforces the collection of email addresses in the quiz.

An example Google Forms quiz is configured to release grades after manual review.

Elsewhere, under the settings for Responses, choosing “Responder input” allows a spammer to fill in their form using any victim’s email address.

An example form configured to allow responder-controlled values for email addresses.

Once the form is configured in this way, a link to the form can be obtained and accessed by the spammer. The spammer then fills out the form using the victim’s email address and submits it. Whether the question in the quiz is answered does not matter. Afterward, the fake quiz responses generated by the attacker can be viewed.

Quiz responses as seen by the Google Forms quiz owner.

Clicking the “Release scores” dialog in the upper right will prompt the form owner to “Send emails and release” the scores. The message delivered as part of the email can be customized to include any text or URL, and the message will then be delivered by Google using the “From:” address of the Google account that created the quiz. Because the email messages generated using this technique emanate from Google’s servers, they stand a good chance of being delivered to the victim’s inbox. 

**Google Forms quiz spam used in an elaborate cryptocurrency scam**

A recent example of one of these Google Forms quiz score release spam attacks appears below. 

An example of a recent spam campaign utilizing the “Release scores” feature of Google Forms quizzes.

When the victim clicks the “View” button in this email, they are directed to the fake form response generated by the spammer.

Clicking “View” on a “Scores released:” spam directs the victim to the spammer-generated form response.

In this particular form response, the spammer has provided a link “>>> GO TO THE SITE” which points to another Google Form that asks the victim to confirm their email address. At this stage of the attack, when an email address is entered into the second form, the victim is provided a form response containing a link to an external website: go-procoinwhu\[.\]top. 

After the victim “confirms” their email address they are presented with a link to a third party website.

The go-procoinwhu\[.\]top domain was created only just created on October 28, 2023, but it is already seeing a large uptick in the number of DNS queries requesting it.

Clicking the go-procoinwhu\[.\]top link in the Google Form response results in a 302 redirect from Cloudflare, which directs the victim to https://hdlgr\[.\]dudicyqehama\[.\]top/, which is also hosted by Cloudflare. This domain was also recently created (October 25, 2023), and exhibits a very similar DNS traffic pattern in Umbrella Investigate.

When the victim navigates to the dudicyqehama.top website, they are presented with an elaborate scam website that claims that the victim possesses more than 1.3 Bitcoin in their account as a result of “automatic cloud Bitcoin mining,” which the site claims is worth more than $46,000 USD. 

A malicious cryptocurrency-related website claims the victim has over 1.3 BTC. 

Once the victim clicks “Continue,” they are brought into the main website “login page.” The username and password are pre-filled into the login form, so the victim only needs to click the “Sign in” button. 

A fake login form for the scammer's website. The username/password are pre-filled into the form.

Once logged in, it is readily apparent that the website goes to great lengths to appear legitimate. The site even includes a group chat feature near the bottom where you can see various other users discussing cryptocurrency-related topics. As a logged-in user, the victim can even comment. Watching the text scroll by in the chat, it becomes apparent that they are recycling the same comments over and over, and these are not real users.

The scammer's website tries very hard to look legitimate. They even include a fake group chat.

When the victim attempts to claim their Bitcoin from the main site, they are redirected to what looks like a live chat with an agent named “Sophia.”

When the victim tries to claim their BTC they are directed to a “live” chat with an agent named “Sophia.”

Sophia chats with us for a moment before sending a form to fill out to collect the Bitcoin.

Sophia sends the victim a form to fill out to collect their BTC. 

The form asks the victim to fill in their name, email address and the cashout method the user prefers. 

The victim must fill out a form indicating how they wish to receive the money from the BTC they exchanged for USD.

Once the form has been filled out and submitted, the victim is again redirected back to the chat with Sophia, who proceeds to give us a button to kick off the currency exchange of BTC into USD.

Sophia finishes chatting with the victim and provides a button to facilitate the Currency Exchange.

Now, we can begin to see the end game for this particular scam. The victim is instructed that to claim the almost $48,000 USD, the victim must pay an “exchange fee” of 0.25%, or $64 USD.

To receive the USD from the converted BTC, the victim must pay an exchange fee of 0.25%.

When the victim clicks “Exchange Bitcoin,” they are presented with one last form where the victim is prompted to enter their name, email and phone number. 

A payment form from the scammers. They are asking for $64.

Clicking “Pay” brings up a QR code for the BTC wallet of the spammers. Fortunately, nobody has fallen for this scam and paid the attackers, as the connected Bitcoin wallet was empty as of November 6, 2023.

The BTC wallet the attackers are using to receive the “exchange fee.”

The amount of setup work necessary to conduct a spam attack such as this, combined with the extraordinary attention to detail put into the social engineering for the subsequent cryptocurrency scam, demonstrates just how far cybercriminals will go when it comes to separating victims from even a small amount of money. As is usually the case with scams such as this, when something sounds too good to be true, it often is.

**IOCs**

IOCs for this research can also be found in our GitHub repository here.

Source

TALOS