TALOS-2022-1680 (CVE-2022-41985) could allow an attacker to bypass the authentication protocol on the operating system, or cause a denial-of-service, by sending the targeted machine a specially crafted set of network packets.

Wednesday, May 10, 2023 11:05

_Kelly Leuschner of Cisco Talos discovered these vulnerabilities._

Cisco Talos recently discovered two vulnerabilities in a library for µC/OS, an open-source operating system developed by Micrium.

µC/OS is an embedded operating system that supports TCP/IP, USB, CAN bus and Modbus. The two vulnerabilities Talos discovered specifically exist in the operating system’s FTP server.

TALOS-2022-1680 (CVE-2022-41985) could allow an attacker to bypass the authentication protocol on the operating system, or cause a denial-of-service, by sending the targeted machine a specially crafted set of network packets.

Similarly, TALOS-2022-1681 (CVE-2022-46377 - CVE-2022-46378) is also triggered by a set of network packets, though in this case, it can cause a denial-of-service and a use-after-free condition.

Cisco Talos worked with Weston Embedded, who maintains this software, to ensure these vulnerabilities are resolved and an update is available for affected customers, all in adherence to Cisco’s vulnerability disclosure policy.

Users are encouraged to update these affected products as soon as possible: Weston Embedded uC-FTPs, version 1.98.00. Talos tested and confirmed this version of the OS could be exploited by these vulnerabilities.

The following Snort rules will detect exploitation attempts against these vulnerabilities: 125:4. Additional rules may be released in the future and current rules are subject to change, pending additional vulnerability information. For the most current rule information, please refer to your Cisco Secure Firewall Management Center or Snort.org.

Vulnerability Spotlight: Authentication bypass, use-after-free vulnerabilities found in a library for the µC/OS open-source operating system

Greatness incorporates features seen in some of the most advanced PaaS offerings, such as multi-factor authentication (MFA) bypass, IP filtering and integration with Telegram bots.

Wednesday, May 10, 2023 08:05

*   A previously unreported phishing-as-a-service (PaaS) offering named “Greatness” has been used in several phishing campaigns since at least mid-2022. Greatness incorporates features seen in some of the most advanced PaaS offerings, such as multi-factor authentication (MFA) bypass, IP filtering and integration with Telegram bots.
*   Greatness, for now, is only focused on Microsoft 365 phishing pages, providing its affiliates with an attachment and link builder that creates highly convincing decoy and login pages. It contains features such as having the victim’s email address pre-filled and displaying their appropriate company logo and background image, extracted from the target organization’s real Microsoft 365 login page. This makes Greatness particularly well-suited for phishing business users.
*   An analysis of the domains targeted in several ongoing and past campaigns revealed the victims were almost exclusively companies in the U.S., U.K., Australia, South Africa, and Canada, and the most commonly targeted sectors were manufacturing, health care and technology. The exact distribution of victims in each country and sector varies slightly between campaigns.
*   To use Greatness, affiliates must deploy and configure a provided phishing kit with an API key that allows even unskilled threat actors to easily take advantage of the service’s more advanced features. The phishing kit and API work as a proxy to the Microsoft 365 authentication system, performing a “man-in-the-middle” attack and stealing the victim’s authentication credentials or cookies.

**Activity and victimology**

Greatness seems to have started operating in mid-2022 and, based on the number of attachment samples available on VirusTotal, there were spikes in activity in December 2022 and March 2023.

Number of attachment samples found on VirusTotal

Although each campaign had a slightly different geographic focus, collectively, over 50 percent of all targets were based in the U.S. The next most-targeted countries are the U.K., Australia, South Africa and Canada.

Geographical distribution of targeted organizations

Greatness is designed to compromise Microsoft 365 users and can make phishing pages especially convincing and effective against businesses. Based on the data Cisco Talos obtained, Greatness affiliates target almost exclusively businesses. An analysis of the targeted organizations across several campaigns shows that manufacturing was the most targeted sector, followed by health care, technology and real estate.

Distribution of targeted organizations by sector

**The attack flow**

The attack starts when the victim receives a malicious email, which typically contains an HTML file as an attachment and, under the pretext of a shared document, leads the victim to open the HTML page.

Once the victim opens the attached HTML file, the web browser executes a short piece of obfuscated JavaScript code that establishes a connection to the attacker's server to obtain the phishing page HTML code and display it to the user in the same browser window. This code contains a blurred image that shows a spinning wheel, pretending to load the document.

_Blurred attached document decoy._

The page then redirects the victim to a Microsoft 365 login page, usually pre-filled with the victim’s email address, and the custom background and logo used by their company. In the following example, for privacy reasons, we manually replaced the real victim’s email address, background image and company logo on an actual phishing sample with fake Talos data, to show what it looks like.  

_Example of a screen asking the targeted victim for a password._

Once the victim submits their password, the PaaS will connect to Microsoft 365, impersonate the victim and attempt to log in. If MFA is used, the service will prompt the victim to authenticate using the MFA method requested by the real Microsoft 365 page (e.g., SMS code, voice call code, push notification).

__Example of a page asking the victim to enter an MFA code.__

Once the service receives the MFA, it will continue to impersonate the victim behind the scenes and complete the login process to collect the authenticated session cookies. These will then be delivered to the service affiliate on their Telegram channel or directly through the web panel.

**The phishing service**

The service consists of three components: a phishing kit (which contains the admin panel), the service API and a Telegram bot or email address.

Graph of PaaS communication flow

The phishing kit, the service component delivered to affiliates and deployed on a server controlled by them, is the only part of the service the victim connects to. The kit delivers the HTML/JavaScript code for each step of the attack. The kit communicates with the PaaS API service in the background, forwarding the credentials received from the victim and receiving information on what page it should deliver to the victim at each step of the attack. As the victim submits their credentials to the kit, it stores them locally so they can be accessed via the administrative panel and, if configured to do so, sends them to the affiliate’s Telegram channel.

The phishing kit contains an administration panel that allows the affiliate to configure the service API key and Telegram bot and keep track of stolen credentials. The following images show an example of the administration panel login page and dashboard.

Phishing kit administrative panel login page

Phishing kit administrative panel dashboard

The administration panel also builds malicious attachments or links that are submitted via email to the victims. The following image shows the form used to generate the attachments:

Phishing kit malicious attachment builder

The PaaS is designed to be used in a very standard way. The payload delivered to the victim must be a link or, more commonly, an HTML attachment. The attacker can use the builder form above to create a payload with a few options:

*   Autograb: This feature prefills the Microsoft 365 login page with the victim’s email, adding credibility to the attack.
*   Background: The attacker can select the fake attachment background image to be a blurred Microsoft Word, Excel, or PowerPoint online document.

The API is the core part of the service. Each affiliate must have a valid API key to use Greatness, or else the phishing page will not load and displays a message saying the API key is invalid. The following image shows the configuration options available in the panel, where the affiliates can insert their API key.

_Administrative panel configuration page_

The service API contains logic to validate the affiliate’s key, block unwanted IP addresses from viewing the phishing page, and most importantly, behind-the-scenes communication with the real Microsoft 365 login page, posing as the victim.

Working together, the phishing kit and the API perform a “man-in-the-middle” attack, requesting information from the victim that the API will then submit to the legitimate login page in real time. This allows the PaaS affiliate to steal usernames and passwords, along with the authenticated session cookies if the victim uses MFA. Authenticated sessions usually time out after a while, which is possibly one of the reasons the Telegram bot is used — it informs the attacker about valid cookies as soon as possible to ensure they can reach quickly if the target is interesting.

**Coverage**

Ways our customers can detect and block this threat are listed below.

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.

Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

The following Snort SIDs are applicable to this threat: 61708.

**Indicators of Compromise (IOCs)**

IOCs for this research can also be found at our GitHub repository here

New phishing-as-a-service tool “Greatness” already seen in the wild

One of the vulnerabilities is being actively exploited in the wild, according to Microsoft, the fourth month in a row in which this is the case.

Tuesday, May 9, 2023 13:05

Microsoft disclosed 40 vulnerabilities across its suite of products and software Tuesday, the fewest the company’s included in a Patch Tuesday since December 2019.

However, two of the vulnerabilities is being actively exploited in the wild, according to Microsoft, the fourth month in a row in which this is the case for the monthly roundup of security issues.

In all, this Patch Tuesday includes seven critical vulnerabilities and 33 that are considered “important.”

One of the zero-day vulnerabilities included this month is CVE-2023-29336, an elevation of privilege vulnerability in the Win32k kernel mode driver. An adversary could exploit this vulnerability to gain SYSTEM privileges.

The most serious vulnerability disclosed Tuesday is CVE-2023-24941, a remote code execution vulnerability in the Windows Network File System that has a severity rating of 9.8 out of 10. An adversary could exploit this vulnerability over a network by making an unauthenticated, specially crafted call to an NFS service to execute code on the targeted machine. In addition to today’s patch, Microsoft also outlines several mitigation steps affected users can deploy to prevent the execution of this vulnerability.

Another remote code execution vulnerability, CVE-2023-29325, exists in Windows OLE that is also critical. An attacker could trigger this issue by tricking a target into opening a specially crafted, malicious email. The vulnerability can even trigger if the user just opens the email in the Preview pane.

CVE-2023-24955 is another remote code execution vulnerability in Microsoft SharePoint Server that Microsoft considers “more likely” to be exploited.

MSHTML, a software component that renders web pages in Microsoft browsers, also contains a critical vulnerability that could allow an attacker to gain admin privileges on a targeted device. CVE-2023-29324, however, is more difficult for an attacker to trigger than the other vulnerabilities mentioned above because it requires “an attacker to take additional actions prior to exploitation to prepare the target environment,” according to Microsoft.

There are two other critical vulnerabilities in this month’s security update that Microsoft considers “less likely” to be exploited:

*   CVE-2023-24943: Windows PGM remote code execution vulnerability
*   CVE-2023-28283: Windows LDAP remote code execution vulnerability

There are also three important vulnerabilities considered to be “more likely” to be exploited, though are not considered as serious:

*   CVE-2023-24949: Windows Kernel elevation of privilege vulnerability
*   CVE-2023-24950: Microsoft SharePoint Server spoofing vulnerability
*   CVE-2023-24954: Microsoft SharePoint Server information disclosure vulnerability

A complete list of all the vulnerabilities Microsoft disclosed this month is available on its update page.

In response to these vulnerability disclosures, Talos is releasing a new Snort rule set that detects attempts to exploit some of them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Cisco Secure Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

The rules included in this release that protect against the exploitation of many of these vulnerabilities are 61705 - 61707,  61714 - 61720, 61722 and 61723.

Microsoft Patch Tuesday for May 2023 — Fewest vulnerabilities disclosed in a month in three-plus years

Today, Finn combs through Talos’ various intelligence sources, open-source research, partner resources, and Cisco product telemetry to track major attacker trends and emerging threats.

Monday, May 8, 2023 08:05

After working in government for several years, this Talos threat hunter is diving into the dark web

Growing up, Jacob Finn says he wanted to be a detective (or maybe a veterinarian, but there’s still plenty of time for that).

Today with Talos, he’s a detective. And while he’s still hunting for bad actors, instead of combing crime scenes for clues, he’s reading and analyzing dark web forums, leveraging open-source intelligence, and exploiting network telemetry for signs of where adversaries are headed next.

He works on Talos’ Threat Intelligence and Interdiction team as a strategic analyst, which in his words, “looks at the cyber threat landscape from a 30,000-foot view.” A huge part of Finn’s job is writing threat assessments and alerts for intelligence partners, customers, and cyber-attack victims. He’s also a major advocate of public-private partnerships across the cybersecurity ecosystem.

So, it’s fitting that Finn has always had one foot in the public sphere even while transitioning to work in the private sector.

Finn started his cybersecurity career as the Cybersecurity Policy Director for Los Angeles Mayor Eric Garcetti during Garcetti’s second term, working on new intelligence-sharing agreements between L.A. and other major cities with similar security concerns, helping the mayor write cybersecurity-related policies, and advocating for the government to improve its defensive capabilities.

Finn (center) speaking at a panel on behalf of Los Angeles Mayor Eric Garcetti in 2019.

But Finn says he “never expected cybersecurity to be in my long-term plan.”

After receiving his bachelor's degree from the University of California, Los Angeles (UCLA), he attended Reichman University in Herzliya, Israel to receive a master’s in homeland security and counterterrorism, the field he believed he’d make a career of. As part of the curriculum, Finn studied cyberterrorism, which drew him to research how global terrorist organizations use the Internet to advance their operations. He received the offer to advise the mayor in the L.A. Mayor’s Office of Public Safety upon returning home to California.

Finn worked for the Garcetti administration at a time when other major cities like Atlanta were dealing with massive, impactful ransomware attacks. One initiative he led involved working with two of L.A.’s sister cities — Auckland, New Zealand and Guangzhou, China — to establish a multilateral agreement regarding emerging security threats and natural disasters.

Finn (far left) at the signing of an information-sharing agreement between Los Angeles, Auckland, New Zealand and Guangzhou, China in 2019.

“Part of it was devising best practices to protect our communities from major emergencies, which included building mechanisms for information-sharing,” Finn said. “I think this just shows how important cities are in terms of leading the way in security policy and preparation… at the federal government, it’s all about funding and national-level policy, but you don’t actually see how that is implemented at the local level.”

Finn eventually took a job with the U.S. Department of Defense. After years of building expertise in intelligence and national security, he then decided to head into the private sector, applying for a job as a strategic intelligence analyst with Talos.

Today, Finn combs through Talos’ various intelligence sources, open-source research, partner resources, and Cisco product telemetry to track major attacker trends and emerging threats. He has mostly focused on state-sponsored actors and threats stemming from criminal groups.

This research eventually takes the form of public reports, customer alerts, and intelligence that’s shared with Talos’ detection teams to create defensive content for Cisco Secure products. Finn and his team were heavily involved in the creation of Talos’ first-ever Year in Review report, which recapped the major attacker trends in 2022.

Finn brings his public government experience to the role by knowing the importance of information-sharing and what types of security concerns are relevant to practitioners who are tasked with defending municipalities and important public services. But he also had to learn many of the technical skills on the job once he started at Talos — he jokes that he had never opened Terminal on Mac before his first day on the job.

“Everyone at Talos understands that each person comes from different backgrounds with different skills or contributions, and may not have the same level of technical knowledge,” he said. “And now I feel very comfortable using Talos’ different tools to look through datasets such and endpoint logs and other network telemetry.”

Finn still spends a lot of time thinking about the implications of security trends, though, and how that affects the American public.

He recently participated in a pitch competition (think “Shark Tank” but for national security policy) with the Center for the New American Security, a high-profile Washington, D.C. national security think tank. Finn’s idea that he shared with the panel involved a new cybersecurity certification program that private companies could apply for.

Finn’s idea involves a set of standards that private companies could adhere to regarding security measures, verification methods and other cybersecurity protocols they use to protect personal information.

“If a company which sells a service or product involving storage of sensitive data such as PII \[personally identifiable information\] or attorney-client privileged information, you as the consumer want to be satisfied that the company is meeting a certain level of standards so they’re less likely get breached,” Finn said. “This certification program is built on the underlying assumption that companies that are profit-driven, will seek to adopt stronger security standards if consumers are demanding it.”

You can watch Finn’s full pitch to the CNAS panel below.

It’s that type of broader thinking and thought leadership that makes Finn a perfect teammate for the Strategic Analysis team. Rather than diving into the nitty-gritty of a tactical malware campaign or a specific botnet, Finn is taking in information from all directions to try and figure out what’s going to be the next big threat or trend in the security landscape. This all goes to show that researchers with a variety of skillsets can still contribute to Cisco Talos’ defenses.

Researcher Spotlight: Jacob Finn creates his own public-private partnership at Talos

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between April 28 and May 5. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key

Threat Roundup for April 28 to May 5

Unsurprisingly, it seems like AI was brought up anywhere and everywhere.

Thursday, May 4, 2023 14:05

Welcome to this week’s edition of the Threat Source newsletter.

I didn’t attend the RSA Conference in person, and on top of that, I was at the NFL Draft while the conference was going on. I’m behind on the biggest talks, panels and presentations that came out during the annual security conference, so I’ve spent the past few days catching up on what seems like the major talking points last week in San Francisco.

Unsurprisingly, it seems like AI was brought up anywhere and everywhere. It’s all tech executives are asked about currently and shareholders seem to want to know what X Company is doing to keep up with AI tools like ChatGPT.

Former Cisco CEO John Chambers said that he believes AI will be bigger than the internet and cloud combined "in every aspect of defense.”

“If somebody could get AI and cybersecurity together uniquely, that gets exciting,” he said during an interview with theCUBE on the conference floor.

Longtime RSA panelist Adi Shamir, who said at least year’s conference that he wasn’t overly concerned about AI’s effects on cybersecurity, did a 180 and instead started sounding alarms.

"I now believe that the ability of ChatGPT to produce perfect English, to interact with people, is going to be misused on a massive scale,” Shamir said in a panel with other major cryptographers. He also said these tools will "have a major impact on social engineering."

This attitude matches how many people are feeling right now regarding AI. Several major tech executives are warning against unregulated AI tools and bots, and leaders from the G7 nations adopted a new agreement that their countries would take a “risk-based” approach to regulating AI.

Outside of AI, the other thing that stood out to me from RSA was a new level of transparency from the U.S. government regarding how it approaches fending off cyber attacks and cybercrime. At a joint panel at RSA, the U.S. Department of Homeland Security and Cybersecurity and Infrastructure Security Agency (CISA) disclosed a previously unknown defense of an Iranian state-sponsored actor infiltrating a local government elections’ page. The officials speaking at the conference said the U.S. government disrupted the attack before any votes were tallied or reported.

Several high-profile cybersecurity officials in the Biden administration appeared to show a united front against cybercrime, urging the importance of disrupting dark web forums and websites over trying to arrest the humans behind these sites.

**The one big thing**

The use of web shells is rising in cyber attacks, according to new data from Cisco Talos Incident Response. The latest Talos IR Quarterly Report found that web shells were the most-observed threat in the first quarter of 2023, comprising nearly a fourth of the incidents Talos IR engaged in. Ransomware made up a smaller portion of threats observed this quarter than in the past, from 20% to around 10%. However, Talos does not believe that data is reflective of the current threat landscape and is instead lower simply because several Talos IR ransomware engagements began in Q1 but did not close.

**Why do I care?**

These Talos IR reports are always a great way to see what tactics, techniques and procedures (TTPs) attackers are actively using in the wild. The types, and volume of, web shells Talos IR saw last quarter highlight the skills actors have in combining multiple means of access and tools and increase the likelihood that they will be able to deploy additional malware or obtain sensitive and private information.

**So now what?**

The lack of multi-factor authentication (MFA) remains one of the biggest impediments for enterprise security. Nearly 30 percent of engagements involved organizations that either had no MFA or only had it enabled on a handful of accounts and critical services. Talos IR frequently observes ransomware and phishing incidents that could have been prevented if MFA had been properly enabled on critical services, such as endpoint detection response (EDR) solutions or VPNs. To help minimize initial access vectors, Talos IR recommends disabling VPN access for all accounts that are not using MFA.

**Top security headlines of the week**

Meta says it flagged more than 1,000 domains since March **that were spreading ChatGPT-themed tools and offers actually containing malware.** A new quarterly security report from Facebook and Instagram’s parent company said it found at least 10 malware families on its platforms posing as ChatGPT and other similar tools to compromise user accounts. Many of these threats are fake browser extensions that claim to act like ChatGPT for users but instead steal sensitive information like login credentials, banking information and other user data. Meta Chief Information Security Officer Guy Rosen said at a press conference that "ChatGPT is the new crypto” for bad actors. (Axios, Reuters)

A federal judge this week **gave Google permission to take down current and future domains associated with the CryptBot information-stealer malware.** It's estimated that CryptBot has infected more than 670,000 users over the past year, stealing victims’ Google Chrome browser data and other sensitive information. With the court order, Google can identify the network providers whose services directly and indirectly make the malware’s distribution possible and allows the company to directly block traffic and disrupt other servers the malware’s actors could shift to. CryptBot is known for stealing login information and personally identifiable information (PII) that is then turned around and sold to other threat actors to carry out larger data breaches. (Decipher, SC Media)

**A critical vulnerability in the popular Illumina DNA sequencing devices could allow adversaries to modify or steal patients’ sensitive medical data.** A new warning from U.S. CISA states that the vulnerability, which has a maximum 10 out of 10 severity rating, allows attackers to remotely access an affected device over the internet without needing a password. “Successful exploitation of these vulnerabilities could allow an attacker to take any action at the operating system level,” according to CISA’s advisory. Illumina’s technology allows researchers and scientists to determine the order of certain DNA sequences, which is useful in researching disease and certain health conditions. (TechCrunch, CISA)

**Can’t get enough Talos?**

*   Talos IR On Air: Reviewing Q1's top threats
*   Video: State-sponsored campaigns target global network infrastructure
*   Talos Takes Ep. #136: Analyzing the recent takedown of popular dark web forums

**Upcoming events where you can find Talos**

**BSidesFortWayne** **(May 20)**

Fort Wayne, IN

**Cisco Live U.S.** **(June 4 - 8)**

Las Vegas, NV

**Most prevalent malware files from Talos telemetry over the past week**

  
**SHA 256:** 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
**MD5:** 2915b3f8b703eb744fc54c81f4a9c67f  
**Typical Filename:** VID001.exe  
**Claimed Product:** N/A  
**Detection Name:** Win.Worm.Coinminer::1201

**SHA 256:** e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c  
**MD5:** a087b2e6ec57b08c0d0750c60f96a74c  
**Typical Filename:** AAct.ex  
**Claimed Product:** N/A  
**Detection Name:** PUA.Win.Tool.Kmsauto::1201

**SHA 256:** e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934  
**MD5:** 93fefc3e88ffb78abb36365fa5cf857c  
**Typical Filename:** Wextract  
**Claimed Product:** Internet Explorer  
**Detection Name:** PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg

**SHA 256:** 59f1e69b68de4839c65b6e6d39ac7a272e2611ec1ed1bf73a4f455e2ca20eeaa  
**MD5:** df11b3105df8d7c70e7b501e210e3cc3  
**Typical Filename:** DOC001.exe  
**Claimed Product:** N/A  
**Detection Name:** Win.Worm.Coinminer::1201

**SHA 256:** 00ab15b194cc1fc8e48e849ca9717c0700ef7ce2265511276f7015d7037d8725  
**MD5:** d47fa115154927113b05bd3c8a308201  
**Typical Filename:** mssqlsrv.exe  
**Claimed Product:** N/A  
**Detection Name:** Trojan.GenericKD.65065311

Threat Source newsletter (May 4, 2023) — Recapping the biggest headlines to come out of RSA

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between April 21 and April 28. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key

Threat Roundup for April 14 to April 21

AI-generated spam comments on Amazon, the latest on the 3CX supply chain attack and more security headlines from the past week.

Thursday, April 27, 2023 14:04

Welcome to this week’s edition of the Threat Source newsletter.

I’m writing this earlier in the week as I get ready for some personal travel (everyone is lucky I passed on writing another Cybersecurity Mock Draft), so apologies if I miss anything major that happens at RSA.

But Cisco beat everyone to the punch Monday morning anyway, making a slew of major announcements on RSA travel day. By the time you’re reading this, it’s still not too late to track down someone from our team if you want to learn more. (Read last week’s newsletter for more on that.)

Cisco Duo announced that all paid customers of its service can now use Trusted Endpoints to block access from unknown devices.

Duo is also re-introducing three editions of the product: Duo Essentials, Duo Advantage and Duo Premier. Even with the added security features announced Monday, the price-per-user is not rising, giving customers strong security at an unmatched value.

Cisco also announced its new extended detection and response (XDR) platform – Cisco XDR. This new offering combines users’ endpoint, network and application telemetry with customized detection based on their environment. This platform will detect threats in an environment that many other point products can’t see on their own.

Hazel Burton from Talos has a new episode of ThreatWise TV out this week discussing XDR, including an interview with a current enterprise XDR user. Nick Biasini, Talos’ head of outreach, is also on that episode to discuss how Cisco XDR is adapting to current attacker tactics, techniques and procedures.

**The one big thing**

More information and research is still coming out around the 3CX supply chain attack. A new report indicates that it was actually two supply chain attacks linked together. The adversaries involved in the 3CX compromise first backdoored another application, which it then used to infiltrate 3CX and send out a malicious, fake update there. Additional reporting indicates that these same state-sponsored actors also infiltrated several critical infrastructure networks with a backdoor during this same campaign.

**Why do I care?**

This news further highlights why it’s so important to plan for and defend against supply chain attacks. These are increasingly popular attacks that state-sponsored, well-funded adversaries are clearly using in the wild to target multiple sectors and industries.

**So now what?**

I already outlined several important steps to take that any organization can take to prepare for a supply chain attack. This recent Talos Takes episode with Craig Jackson of Cisco Talos Incident Response also provides valuable advice for organizations of all sizes.

**Top security headlines of the week**

**AI-generated spam is already hitting email inboxes, Amazon reviews and social media posts.** Security researchers and reporters have already spotted several instances where AI chat bots like ChatGPT are used to write fake reviews for popular Amazon products or even post tweets. Many of these reviews have a dead giveaway because they include the phrase “I cannot generate inappropriate content,” a message ChatGPT usually sends back when explicitly asked to generate spam or something with hateful content. Other AI models are learning to scan targets’ social media profiles to quickly learn and assume things such as political affiliation and employment status to create hyper-targeted spam and phishing. Experts warn this could lead to the further proliferation of fake news, misinformation and scams. (Vice, Gizmodo)

**Exploit code for a 9.8-severity vulnerability in the PaperCut printer management software went online this week,** potentially increasing the likelihood that attackers will try to exploit it in the wild. Although Cut disclosed this vulnerability and released a patch in March, many instances remain unpatched. CVE-2023-27350 is an improper access control issue in the SetupCompleted class of PaperCut MF/NG. An adversary could exploit this vulnerability to bypass authentication and execute arbitrary code with System-level privileges. Security researchers found attackers using this vulnerability to install two pieces of malicious remote management software. PaperCut users should ensure they are using PaperCut MF and NG versions 20.1.7, 21.2.11, and 22.0.9. (Ars Technica, SecurityWeek)

**U.S. law enforcement and intelligence agencies are increasingly prioritizing disrupting dark web networks** and forums versus arresting admins and users. U.S. Deputy Attorney General Lisa Monaco said during a talk at the RSA conference this week that prosecutors and investigators are being directed to have a “bias toward action to disrupt and prevent, to minimize that harm if it’s ongoing” and to “take that action to prevent that next victim.” That being said, the recent seizure of Genesis Market, a popular dark web forum, highlights how law enforcement is becoming better at unmasking many of these sites’ creators and making users’ activities less anonymous. (CyberScoop, SC Media)

**Can’t get enough Talos?**

*   Beers with Talos Ep. #133: The one where they talk a lot about wireless routers
*   Talos Takes Ep. #135: What does the future of MFA look like?
*   Cisco urges users to keep its network hardware up-to-date
*   Threat Roundup for April 14 - 21
*   Vulnerability Spotlight: Vulnerabilities in IBM AIX could lead to command injection with elevated privileges

**Upcoming events where you can find Talos**

**Cisco Live U.S.** **(June 4 - 8)**

Las Vegas, NV

**Most prevalent malware files from Talos telemetry over the past week**

  
**SHA 256:** 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
**MD5:** 2915b3f8b703eb744fc54c81f4a9c67f  
**Typical Filename:** VID001.exe  
**Claimed Product:** N/A  
**Detection Name:** Win.Worm.Coinminer::1201

**SHA 256:** e248b01e3ccde76b4d8e8077d4fcb4d0b70e5200bf4e738b45a0bd28fbc2cae6  
**MD5:** 1e2a99ae43d6365148d412b5dfee0e1c  
**Typical Filename:** PDFpower.exe  
**Claimed Product:** PdfPower  
**Detection Name:** Win32.Adware.Generic.SSO.TALOS

**SHA 256:** e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934  
**MD5:** 93fefc3e88ffb78abb36365fa5cf857c  
**Typical Filename:** Wextract  
**Claimed Product:** Internet Explorer  
**Detection Name:** PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg

**SHA 256:** 00ab15b194cc1fc8e48e849ca9717c0700ef7ce2265511276f7015d7037d8725  
**MD5:** d47fa115154927113b05bd3c8a308201  
**Typical Filename:** mssqlsrv.exe  
**Claimed Product:** N/A  
**Detection Name:** Trojan.GenericKD.65065311

**SHA 256:** 4ad8893f8c7cab6396e187a5d5156f04d80220dd386b0b6941251188104b2e53  
**MD5:** cdd331078279960a1073b03e0bb6fce4  
**Typical Filename:** mediaget.exe  
**Claimed Product:** MediaGet  
**Detection Name:** W32.DFC.MalParent

Threat Source newsletter (April 27, 2023) — New Cisco Secure offerings and extra security from Duo

In 45 percent of engagements, attackers exploited public-facing applications to establish initial access, a significant increase from 15 percent the previous quarter.

Wednesday, April 26, 2023 08:04

**Web shell usage spikes in Q1 compared to previous quarters, correlating with higher instances of exploitation of public-facing applications.**

In a novel increase compared to previous quarters, Cisco Talos Incident Response (Talos IR) reports that web shells were the most-observed threat in the first quarter of 2023, comprising nearly a fourth of the incidents Talos IR engaged in. The functionality of these web shells and the specific vulnerabilities and weaknesses in the platforms they targeted varied. Although each web shell had its own sets of basic functions, when there were multiple web shells present in a single engagement, threat actors chained them together to provide a more flexible toolkit for spreading access across the network. This demonstrates the skills actors have in combining multiple means of accesses and tools and increases the liklihood that they will be able to deploy additional malware or obtain sensitive and private information.

Ransomware made up a smaller portion of threats observed this quarter than in the past, from 20% to around 10%. Given that Talos IR observed a recent surge of ransomware incidents at the end of the quarter that did not close off, this decrease does not necessarily signify a decline in general ransomware activity as much as it is a reflection of activity seen against Talos IR’s customer base. However, ransomware and pre-ransomware incidents combined made up more than 20 percent of threats observed. While it can be difficult to determine what constitutes a pre-ransomware attack if ransomware never executes and encryption does not take place, many of the pre-ransomware engagements featured activity associated with prominent ransomware groups, such as Vice Society. We note that in this quarter, particularly in an aforementioned Vice Society engagement, swift action from defenders at victim organizations as well as Talos IR helped mitigate malicious activity before encryption could occur.

This quarter also featured previously seen commodity loaders, such as Qakbot. In engagements this quarter, Qakbot leveraged malicious OneNote documents, consistent with an uptick in various malware distributing weaponized Microsoft Office OneNote attachments. This is evidence of an ongoing trend of threat actors experimenting with file types that do not rely on macros to deliver malicious payloads following Microsoft’s move to start disabling macros by default in its applications in July 2022.

In 45 percent of engagements, attackers exploited public-facing applications to establish initial access, a significant increase from 15 percent the previous quarter. In many of these engagements, web shell usage contributed to this uptick where adversaries were attempting to compromise web-based servers exposed to the internet.

**Targeting**

Health care and public health was the most targeted vertical this quarter, closely followed by the retail and trade, real estate and food services/accommodation sectors, including hospitality.

**Web shell usage spike, featuring activity from FIN13**

Since January 2023, Talos IR observed an increase in web shell usage from 6% of all threats last quarter to now comprising nearly 25% of all threats. Web shells are malicious scripts that enable threat actors to compromise web-based servers exposed to the internet. This quarter, Talos observed threat actors using publicly available or modified web shells coded in various languages, including PHP, ASP.NET and Perl. After leveraging web shells to establish a foothold and gain persistent access to a system, adversaries remotely executed arbitrary code or commands, moved laterally within the network, or delivered additional malicious payloads. In many of these web shell incidents, adversaries relied heavily on web shell code sourced from publicly available GitHub repositories. This finding is also in line with a trend observed from Talos IR engagements from July to September 2022 (Q3 2022), where adversaries used a variety of open-source tools and scripts hosted on GitHub repositories to support operations across multiple stages of the attack lifecycle.

In one cluster of web shell activity, Talos observed targeting patterns and tactics, techniques and procedures (TTPs) potentially associated with the FIN13 cybercriminal threat actor, a significant finding in Talos IR engagements given FIN13’s targeted behavior. The web shells with known FIN13 TTPs have varying levels of functionality which include allowing queries to Microsoft SQL (MS-SQL) instances, creating reverse shell connection(s) to external IP addresses, and executing PHP scripts which can be used as a proxy to connect to other services. Consistent with public reporting on FIN13, Talos IR observed a PHP-based web shell (“404.php”) that took an IP or DNS entry and a port and attempted to create a proxy connection. The second web shell (“ms3.aspx”) was Windows-based and allowed SQL connections to an internal server and, if successful, results would be rendered in the browser. The third was another PHP-based web shell (“re.php”) that conducted port scans and created an outbound socket to respond/exfiltrate data to the attacker. This specific web shell contained a hardcoded IP address which resolved to cloud service provider DigitalOcean. The final web shell (“tx.asp”) was a Windows-based web shell that used “wscript.shell” and exec() to run commands rendered to the screen via an HTML document. While each web shell on its own had basic functionality, by chaining them together, the actor created a flexible toolkit for spreading their access across the network, while providing a proxy for exfiltrating sensitive data.

While the exact reason for this quarter’s increased appearance of web shells is unknown, their recent increased popularity may potentially be related to the ease of obtaining their code through open-source repositories. The availability of and easy access to open-source web shell code, paired with systems that may be publicly exposed or have poorly managed patching, make the use of web shells a lucrative option.

**Ransomware**

Ransomware made up a much smaller portion of threats this quarter, from 20% of threats to 10%. Looking ahead, there was a recent spike in ransomware engagements which we expect to level out again next quarter. Combined, ransomware and pre-ransomware incidents made up over 20 percent of threats observed.

In a Phobos ransomware engagement, a threat that Talos IR has responded to since 2020, the initial access likely involved remote desktop protocol (RDP). The adversary deployed a file named “mimidrv.sys," which is a signed Windows kernel mode software driver meant to be used with the Mimikatz executable. Talos IR also identified seven startup items that included downloading the ransomware executable, “Fast.exe.” This is a common persistence technique that followed activity where the adversary made modifications to the registry on the customer’s Amazon Relational Database Service (RDS) server. Upon encryption, attackers encrypted the files, appending them with the “.faust” extension and dropped a ransom note on the targeted systems.

This quarter also featured the Daixin ransomware, a newer ransomware-as-a-service (RaaS) family that Talos IR had never seen before in an engagement. Daixin, which first emerged in June 2022, typically involves affiliates gaining access to victim systems through virtual private networks (VPN) servers or by exploiting unpatched vulnerabilities, according to the U.S. Cybersecurity and Infrastructure Security Agency (CISA). In a Daixin ransomware engagement, the affiliate modified registry values, mapped network shares, and ran randomly named BAT files as services on the system. Talos IR also identified the Impacket toolset, a collection of Python classes for working with different network protocols, and a PowerShell script loading a Cobalt Strike payload which subsequently launched a Cobalt Strike shellcode listening on port 4444.

We assess that the recent law enforcement efforts to disrupt ransomware actors will create space for new groups to emerge, consistent with a pattern that has been ongoing for years. In January 2023, the U.S. Department of Justice announced a months-long disruption campaign against the Hive ransomware group. The FBI, along with foreign law enforcement partners, seized Hive servers after entering its networks and capturing keys to decrypt its software, effectively disrupting operations. We have not observed Hive ransomware in Talos IR engagements since August 2022, a likely indication that Hive operations have ceased while former members possibly look to join other groups or rebrand under new names.

**Malicious OneNote documents continue to be leveraged in engagements this quarter**

The Qakbot commodity loader was observed across engagements this quarter leveraging ZIP files containing malicious OneNote documents, consistent with endpoint telemetry and public reporting on threats leveraging OneNote documents in phishing emails starting at the end of 2022 and early 2023. In one Qakbot engagement, a ZIP file ("Inv\_02\_02\_#3.zip") was detected as Qakbot and contained a malicious OneNote document which attempted to lure a user to click “open” containing a malicious embedded URL.

While Talos IR did not respond to any Emotet incidents this quarter, Emotet reemerged in March 2023, resuming its spam operations after a months-long hiatus. In a relatively short period, Emotet modified its infection chain several times to maximize the likelihood of successfully infecting victims. By mid-March, Emotet had switched to distributing malicious OneNote documents, highlighting the ways in which threat actors will continue to identify and quickly implement updated delivery methods to infect victims.

**Initial vectors**

This quarter featured 45 percent of engagements where attackers exploited public-facing applications to establish initial access, a significant increase from 15 percent the previous quarter. In many of these engagements, web shell usage contributed to this uptick where adversaries were attempting to compromise web-based servers exposed to the internet. Valid accounts and/or accounts with weak passwords or single-factor authentication also helped facilitate initial access where an adversary was leveraging compromised credentials.

Several known vulnerabilities contributed to adversaries gaining initial access via exploiting public-facing applications. In one incident, Talos IR identified activity consistent with exploitation of the WordPress vulnerability, tracked as CVE-2021-24867, in AccessPress Plugin and Theme. As a result, Talos IR identified approximately 20 different web shells and/or website defacements, likely from multiple threat actors identifying and exploiting this older flaw.

In another web shell engagement, Talos IR identified a vulnerable version of Magento (Adobe Commerce) version 2.4.2 that was operating in the Kubernetes deployment at the time of exploitation. Talos IR identified a total of nine known vulnerabilities for this version of the software, not including extensions. Talos IR recommends upgrading all instances of Magento to the latest available version, and routinely checking for vulnerable outdated extension versions that need patching or removed completely to reduce the available attack surface.

**Security weaknesses**

The lack of multi-factor authentication (MFA) remains one of the biggest impediments for enterprise security. Nearly 30 percent of engagements involved organizations that either had no MFA or only had it enabled on a handful of accounts and critical services. Talos IR frequently observes ransomware and phishing incidents that could have been prevented if MFA had been properly enabled on critical services, such as endpoint detection response (EDR) solutions or VPNs. To help minimize initial access vectors, Talos IR recommends disabling VPN access for all accounts that are not using MFA.

The increase in web shell engagements highlights the need for more vigilance in helping to prevent web shells. Talos provides the following recommendations:

*   Routinely update and patch all software and operating systems to identify and remediate vulnerabilities or misconfigurations in web applications and web servers.
*   In addition to patching, perform general system hardening, including removing services or protocols where they are unnecessary and being aware of all systems exposed directly to the internet.
*   Disable unnecessary php functions in your “php.ini”, such as eval(), exec(), peopen(), proc\_open() and passthru().
*   Frequently audit and review logs from web servers for unusual or anomalous activity.

**Top-observed MITRE ATT&CK techniques**

The table below represents the MITRE ATT&CK techniques observed in this quarter’s Talos IR engagements. Given that some techniques can fall under multiple tactics, we grouped them under the most relevant tactic in which they were leveraged. Please note, this is not an exhaustive list.

Key findings from the MITRE ATT&CK framework include:

*   Exploitation of public-facing applications was the top observed initial access technique, with the increased web shell activity likely contributing to this significant observation.
*   PowerShell is routinely used by adversaries to support a multitude of threats. We continued to observe high usage of PowerShell, in addition to a number of other scripting languages, including Python, Unix shell, and Windows command shell, which enabled web shell execution.
*   The open source red-teaming security toolkit Mimikatz was used to support nearly 60 percent of ransomware and pre-ransomware engagements this quarter. Consistently observed across previous quarters, Mimikatz is a widely used post-exploitation tool used to steal login IDs, passwords, and authentication tokens from compromised Windows systems.

Tactic 

Technique 

Example 

Initial Access (TA0001) 

T1190 Exploit Public-Facing Application  

Attackers successfully exploited a vulnerable application that was publicly exposed to the internet 

Reconnaissance (TA0043) 

T1592 Gather Victim Host Information 

Text file contains details about host 

Persistence (TA0003) 

T1505.003 Server Software Component: Web Shell  

Adversaries deployed web shells against web-based servers 

Execution (TA0002) 

T1059.001 Command and Scripting Interpreter: PowerShell  

Executes PowerShell code to retrieve information about the client's Active Directory environment 

Discovery (TA0007) 

T1046 Network Service Scanning   

Use a network or port scanner utility  

Credential Access (TA0006) 

T1003 OS Credential Dumping 

Deploy Mimikatz and publicly available password lookup utilities 

Privilege Escalation (TA0004)  

1484 Domain Policy Modification

Modify GPOs to execute malicious files  

Lateral Movement (TA0008) 

T1021.001 Remote Desktop Protocol  

Adversary made attempts to move laterally using Windows Remote Desktop 

Defense Evasion (TA0005) 

T1027 Obfuscated Files or Information 

Use base64-encoded PowerShell scripts 

Command and Control (TA0011) 

T1105 Ingress Tool Transfer  

Adversaries transfer/download tools from an external system 

Impact (TA0040) 

T1486 Data Encrypted for Impact  

Deploy Hive ransomware and encrypt critical systems 

Exfiltration (TA0010) 

T1567 Exfiltration Over Web Service 

Use legitimate external web service to  system information  

Collection (TA0009) 

T1560.001 Archive Collected Data 

Adversary leveraged xcopy on Windows to copy files  

Software/Tool 

S0002 Mimikatz 

Use Mimikatz to obtain account logins and passwords

Quarterly Report: Incident Response Trends in Q1 2023

Video explanation of the Jaguar Tooth vulnerabilities with Matt Olney, J.J. Cummings and Hazel Burton.

Tuesday, April 25, 2023 13:04

Cisco and Talos are continuing to track and research a series of ongoing cyber attacks and espionage targeting out-of-date and unpatched network hardware.

In this video, Hazel Burton interviews Matt Olney and J.J. Cummings from Talos to discuss the “Jaguar Tooth” campaign the U.K. government and other global intelligence agencies recently disclosed. J.J. and Matt were at the forefront of Talos’ research into these campaigns and have spent years providing advice to customers and users about the importance of network hygiene and resilience on the perimeter.

Jaguar Tooth is an example of a much broader trend of sophisticated adversaries targeting networking infrastructure to advance espionage objectives or pre-position for future destructive activity.

“What happened in this case, is that we had a series of incidents that we worked...and put some pieces together. What we were seeing multiple threat actors in sustained campaigns going after router infrastructure in a similar way,” Olney says in the video. “They were targeting different devices, but they were most successful in out-of-date hardware and end-of-life software.”

Watch the video above to learn more about Talos’ research into these campaigns, advice on steps to take if you believe you could be the target of one of these attacks, and a broader overview of the importance of network hygiene.

Organizations that fail to update their hardware and software will both be more likely to be a victim of unpatched security vulnerabilities but also will have fewer tools to combat adversaries. Cisco customers can check their version of software to see if any known vulnerabilities exist in it here. You can learn more about Cisco Trustworthy Technologies here. Several related resources, tools, and services can be found at The Trust Center here.