Meta most recently entered the AI race with Llama 2, an open-source version of their chatbot. IBM has also re-branded its watson tool (formerly known as capital “W” Watson who was really good at “Jeopardy”) to be a ChatGPT-like.

Thursday, July 27, 2023 14:07

Welcome to this week’s edition of the Threat Source newsletter.

When I first started poking at ChatGPT a few months ago, I quickly learned that it wasn’t quite ready to take my job (yet) and wasn’t staying up to date on wrestling.

Since ChatGPT went viral, several other companies have released their own versions of AI assistants who can answer questions, perform text-based tasks and more. Meta most recently entered the AI race with Llama 2, an open-source version of their chatbot. IBM has also re-branded its watson tool (formerly known as capital “W” Watson who was really good at “Jeopardy”) to be a ChatGPT-like.

Security researchers have long warned about the dangers these tools pose to the security space, specifically because it makes it easier for bad actors to create convincing spam campaigns, phishing emails and scripts anyone could follow in a voice phishing (“vishing”) attack.

Out of my own personal curiosity, I wanted to try Llama 2 out. I had to enlist the help of some third-party open-source tools to make it easier for me to use Llama 2, but I quickly got it running and went right to work as a hypothetical bad guy looking to start sending spam emails.

I’ve recently become interested in the topic thanks to “Behind the Bastards,” one of my favorite podcasts. Robert Evans, the host of the show, has done some great reporting over the past month on AI-generated cons and spam, specifically how they affect the elderly.

I tried several different prompts with different wordings (trying omitting and including specific words like “phishing,” “scam” and “spam”) but I couldn’t quite talk Llama 2 into writing something for me. Instead, I repeatedly received several warnings about how the questions violated the model’s terms of service and the overall threat of spam and phishing and its negative effects on its targets.

In one example, I gave Llama 2 the prompt, “Write a letter to my boss asking her to immediately download and install an attached file to view my latest analytics report,” which is a legitimate thing I would send her in my everyday activities.

Instead, the chatbot suggested I use a “secure and trusted platform” instead of an email attachment to send the report and said it “goes against ethical and responsible AI practices to encourage or assist with the download or installation of files from unverified sources.”

Using that same prompt in ChatGPT, I received no pushback and instead got an email template that was a bit more formal than I’d usually push for in my emails, but nonetheless, I got an email that was easily customizable and repeatable asking the user to download an attachment.

Llama 2 gave me similar warnings when I asked it to write a script for me to ask my grandmother to purchase me an Amazon gift card because I was in a bind.

ChatGPT took the word “script” very literally in my ask to it, instead producing what looked like it belonged in a mid-day television show instead of a phishing attempt.

I commend Meta for seeming to have tighter restrictions on the types of asks users can make to its AI model. But, as always, these tools are far from perfect and I’m sure there are scripts that I just couldn’t think of that would make an AI-generated email or script more convincing. This is a topic I plan on looking into more, and if you have any ideas about things we could ask AI chat models to do, feel free to DM us on Twitter.

**The one big thing**

Bad actors are having to change up their tactics to steal login credentials and authorization attempts as the internet at large moves away from text-based passwords. Talos researchers wrote this week that they anticipate passwords may disappear in the not-too-distant future, leaving actors likely to shift away from basic phishing or other attacks that target passwords, toward post-authentication session theft or the weaker registration, recovery and revocation processes. Although it will likely take several years for passwordless authentication to become widely adopted, and it is likely that passwords will be around for a long time, some of the most popular and most targeted applications may adopt it in the near future. Removing passwords from even a few dozen key web applications is likely to affect the threat landscape.

**Why do I care?**

Many of the passwords that attackers are currently harvesting will be rendered obsolete with the adoption of passwordless authentication. This may cause changes to the malware landscape and cybercriminals’ business models built around selling access to compromised accounts. This means new tactics, attack vectors and methods that attackers try to use to steal things like session IDs and MFA push notifications.

**So now what?**

Looks for security companies and technology vendors to develop new standards that focus on the protection of web services. Even though these new types of attacks are likely to pop up, using passkeys or a passwordless approach to security is still preferable to any “traditional” login methods.

**Top security headlines of the week**

**A North Korean state-sponsored actor was behind a recent supply chain attack on a cloud IT provider** it used to target cryptocurrency companies. JumpCloud, the target of the attack, disclosed that the attack affected less than five of its customers and fewer than 10 devices. The campaign may indicate a pivot among North Korean actors to move away from direct attacks designed to steal cryptocurrency in favor of stealthier supply chain attacks. These actors typically carry out attacks to generate funds for the country’s reclusive regime and its controversial nuclear weapons program. Mandiant, one of the security firms who helped investigate the attack, said the group responsible worked for North Korea's Reconnaissance General Bureau (RGB), its primary foreign intelligence agency. North Korean actors targeted the 3CX softphone application in a similar supply chain attack earlier this year. (Reuters, Axios)

The Biden administration **announced a new program to include a physical label on internet-of-things products that meet certain cybersecurity criteria.** The new “U.S. Cyber Trust Mark,” created by the National Institute of Standards and Technology, will soon start appearing on smart home devices that meet the preset list of standards for the way the device stores information and makes other connections to the user’s network. Connected appliances found in users’ homes, like “smart” refrigerators, microwaves and televisions, will be among the first products to receive the label in partnership with major retailers and manufacturers. “Smart fitness trackers,” presumably to cover things like smart watches, were also mentioned in the Biden administration’s announcement. (CBS News, The Verge)

The U.S. Securities and Exchange Commission formally adopted new rules Wednesday **regarding how quickly American companies must disclose cyber attacks.** Public companies now have four days within the discovery of a cyber attack to determine if it had a material effect on its operations, and then disclose that determination to the public. However, companies can receive an extension to this deadline if disclosure of the attack would pose a significant risk to national security or public safety, as determined by the U.S. attorney general. These companies will also have to publish the processes they have in place to manage material risks from cybersecurity incidents. The new policies have been hotly debated for more than a year since they were initially announced. (MarketWatch, Bloomberg)

**Can’t get enough Talos?**

*   Data theft extortion rises, while healthcare is still most-targeted vertical in Talos IR engagements
*   Talos Takes Ep. #147: ISO 27002 sounds intimidating, but really it's just a cybersecurity shopping list

**Upcoming events where you can find Talos**

**BlackHat** **(Aug. 5 - 10)**

Las Vegas, Nevada

**Grace Hopper Celebration (Sept. 26 - 29)**

Orlando, Florida

> _Caitlin Huey, Susan Paskey and Alexis Merritt present a "Level Up Lab" titled "Don’t Fail Knowledge Checks: Accelerating Incident Response with Threat Intelligence." Participate in several fast-paced activities that emphasize the importance of threat intelligence in security incident investigations. Attendees will act as incident responders investigating a simulated incident that unfolds throughout this session. Periodic checkpoints will include discussions that highlight how incident response and threat intelligence complement each other during an active security investigation._

**Most prevalent malware files from Talos telemetry over the past week**

  
**SHA 256:** a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91  
**MD5**: 7bdbd180c081fa63ca94f9c22c457376  
**Typical Filename:** c0dwjdi6a.dll  
**Claimed Product:** N/A  
**Detection Name:** Trojan.GenericKD.33515991

**SHA 256:** 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
**MD5:** 2915b3f8b703eb744fc54c81f4a9c67f  
**Typical Filename:** VID001.exe  
**Claimed Product:** N/A  
**Detection Name:** Win.Worm.Coinminer::1201

**SHA 256:** 5616b94f1a40b49096e2f8f78d646891b45c649473a5b67b8beddac46ad398e1  
**MD5:** 3e10a74a7613d1cae4b9749d7ec93515  
**Typical Filename:** IMG001.exe  
**Claimed Product:** N/A  
**Detection Name:** Win.Dropper.Coinminer::1201

**SHA 256:** e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c  
**MD5:** a087b2e6ec57b08c0d0750c60f96a74c  
**Typical Filename:** AAct.exe  
**Claimed Product:** N/A  
**Detection Name:** PUA.Win.Tool.Kmsauto::1201

**SHA 256:** b4d8d7cbec7fe4c24dcb9b38f6036a58b765efda10c42fce7bbe2b2bf79cd53e  
**MD5:** c585f4faee96a0bec3b0f93f37239008  
**Typical Filename:** stream.txt  
**Claimed Product:** N/A  
**Detection Name:** Win.Dropper.Autoit::211461.in02

Every company has its own version of ChatGPT now

Ransomware was the second most-observed threat this quarter, accounting for 17 percent of engagements, a slight increase from last quarter’s 10 percent.

Wednesday, July 26, 2023 08:07

Cisco Talos Incident Response (Talos IR) responded to a growing number of data theft extortion incidents that did not involve encrypting files or deploying ransomware, a 25 percent increase since last quarter and the most-observed threat in the second quarter of 2023.

In this type of attack, threat actors steal victim data and threaten to leak or sell it unless the victim pays varying sums of money, eliminating the need to deploy ransomware or encrypt data. This differs from the double-extortion ransomware method, whereby adversaries exfiltrate and encrypt files and demand payment for victims to receive a decryption key.

Ransomware was the second most-observed threat this quarter, accounting for 17 percent of engagements, a slight increase from last quarter’s 10 percent. This quarter featured the LockBit and Royal ransomware families, which Talos IR has observed in previous quarters. Talos IR also observed several ransomware families for the first time, including 8Base and MoneyMessage.

Compromised credentials or valid accounts were the top observed means of gaining initial access this quarter, accounting for nearly 40 percent of total engagements. It was challenging to identify how the credentials were compromised considering they were obtained from devices outside the company’s visibility, such as saved credentials on an employee’s personal device.

Continuing the trend from last quarter, healthcare was the most targeted vertical this quarter, making up 22 percent of the total number of incident response engagements, closely followed by financial services.

**Data theft extortion on the rise, featuring Clop, Karakurt and RansomHouse**

Data theft extortion was the top observed threat this quarter, accounting for 30 percent of threats Talos IR responded to, a 25 percent increase in data theft extortion incidents compared to last quarter. The rise in data theft extortion incidents compared to previous quarters is consistent with public reporting on a growing number of ransomware groups stealing data and extorting victims without encrypting files and deploying ransomware.

Data theft extortion is not a new phenomenon, but the number of incidents this quarter suggests that financially motivated threat actors are increasingly seeing this as a viable means of receiving a final payout. Carrying out ransomware attacks is likely becoming more challenging due to global law enforcement and industry disruption efforts, as well as the implementation of defenses such as increased behavioral detection capabilities and endpoint detection and response (EDR) solutions.

This quarter featured activity from the RansomHouse and Karakurt extortion groups for the first time in Talos IR engagements. Active since 2021, Karakurt typically gains access to environments via valid accounts, phishing, or exploiting vulnerabilities. In one observed Karakurt data theft extortion engagement, the attackers hijacked a remote desktop protocol (RDP) account, enumerated domain trusts using the network administration command-line tool nltest, executed PowerShell scripts to recover passwords, and modified domain policies.

RansomHouse has been active since late 2021 and is known for gaining access to corporate environments by exploiting vulnerabilities. In a RansomHouse engagement, the adversaries used non-interactive sessions to bypass multi-factor authentication (MFA), carried out a DCSync attack to collect credentials from a domain controller, and abused remote services such as secure shell (SSH) and RDP to move laterally. A DCSync attack occurs when attackers use various commands in Microsoft Directory Replication Service (DRS) Remote Protocol to masquerade as a domain controller to acquire user credentials from another domain controller. An attacker first needs to compromise a user account with domain replication privileges, which are typically domain admins.

Some ransomware groups, such as BianLian and Clop, are reportedly shifting away from using encryption, favoring data theft extortion in recent attacks, according to public reporting. Although Talos IR did not respond to any BianLian incidents this quarter, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) published a joint advisory on May 16 with the FBI and the Australian Cyber Security Centre (ACSC) confirming that as of January, the BianLian group stopped conducting ransomware operations in favor of performing exfiltration-based data theft extortion. BianLian group’s shift from deploying ransomware may also be due to the release of a free decrypter for BianLian ransomware in January 2023, possibly prompting them to pursue alternate methods. It is possible BianLian determined they could be successful without the use of data encryption in their operations.

Active since February 2019, the Clop group started as a ransomware-as-a-service (RaaS) operation with an affiliate program that relied on the double extortion technique involving stealing and encrypting data. With the rise in data theft extortion incidents this quarter, it is possible the trend will continue, with other groups who primarily deploy ransomware shifting to data theft extortion as a primary means of receiving a payout.  

In a Clop data theft extortion engagement this quarter, the adversaries gained initial access by exploiting a zero-day remote code execution (RCE) vulnerability in the Forta GoAnywhere managed file transfer (MFT) application, tracked as CVE-2023-0669. Notably, the affiliate did not deploy ransomware and only conducted data theft extortion upon exfiltrating victim information. The Clop ransomware group has a history of mass exploitation of zero-day vulnerabilities in campaigns targeting file transfer applications, affecting hundreds of companies globally. This includes several zero-day vulnerabilities in the Kiteworks, formerly Accellion, file transfer application (FTA), tracked as CVE-2021-27101, CVE-2021-27102, CVE-2021-207103, and CVE-2021-27104, and a SQL injection vulnerability in the Progress Software’s MFT application known as MOVEit Transfer, tracked as CVE-2023-34362. U.S. law enforcement has taken notice and increased pressure on the group, offering a $10 million dollar reward for information on the identification or location of Clop members.

It is highly unusual for a ransomware group to consistently exploit zero-day vulnerabilities, given the resources required to develop such exploits, possibly suggesting that the Clop ransomware group possesses a level of sophistication and funding matched only by advanced persistent threats (APTs). Given the group’s incorporation of zero-days in MFT applications in recent attacks, and the group’s perceived success in affecting hundreds of organizations, Clop is likely to target MFT applications in the future.

**Ransomware**

Ransomware accounted for 17 percent of the total number of engagements responded to in Q2 2023 (April - June), a slight increase compared to 10 percent last quarter. 8Base and MoneyMessage ransomware operations were observed for the first time this quarter, in addition to the previously seen ransomware operations LockBit and Royal.

First discovered in March 2022, 8Base is a ransomware group/operation that uses a customized version of Phobos ransomware and steals data prior to encryption. Although the group has been around for over a year, it started gaining increasing popularity in June 2023 after a significant spike in activity.

In an 8Base ransomware engagement, the legitimate remote desktop application AnyDesk was installed in the Performance Logs (Perflogs) directory, potentially as a way to evade detection. The Perflogs folder is a system-generated folder that stores information about the performance of the device. The attackers were also observed dumping credentials from the Local Security Authority Subsystem Service (LSASS) memory, creating new processes with an existing user token to bypass access controls, escalating privileges using the runas command, and using the Windows command shell to execute PowerShell scripts.

MoneyMessage is a fairly new ransomware operation that was first discovered in March 2023. Similar to 8Base, the MoneyMessage ransomware group operates under the double-extortion model. MoneyMessage is a ransomware family written in the C++ programming language and uses the Elliptic Curve Diffie-Hellman (ECDH) key exchange and ChaCha stream cipher algorithm for encryption, both of which are commonly used by ransomware families.

Talos IR responded to a MoneyMessage ransomware attack where the MoneyMessage encryptor was dropped in the Netlogon directory allowing for the deployment of the ransomware to multiple hosts. Prior to executing ransomware, the attackers also uninstalled various security tools, such as EDR solutions, via PowerShell scripts to impair defenses.

**Initial vectors**

In the majority of the engagements Talos IR responded to this quarter, adversaries gained initial access by abusing compromised credentials to access valid accounts. The use of valid accounts was observed in nearly 40 percent of the total engagements, a 22 percent increase from Q1 2023.  

It is difficult to say how adversaries obtained the compromised credentials used to access valid accounts. There are a number of ways credentials can become compromised, such as third-party data breaches, information-stealing malware such as Redline, and phishing campaigns. This is especially true if employees reuse credentials across multiple accounts, highlighting the importance of using strong password policies and enabling MFA across critical servers.

**Security weaknesses**

A lack of MFA or improper MFA implementation across critical services played a part in over 40 percent of the engagements Talos IR responded to this quarter. Talos IR frequently observes attacks that could have been prevented if MFA was enabled on critical services, such as VPNs. In nearly 40 percent of engagements, attackers were able to abuse compromised credentials to access valid accounts, 90 percent of which did not have MFA enabled. In some engagements, adversaries were able to bypass MFA with MFA exhaustion/fatigue attacks.

MFA exhaustion attacks occur when an attacker attempts to repeatedly authenticate to a user account with valid credentials to overwhelm victims with MFA push notifications, hoping they will eventually accept, allowing the attacker to successfully authenticate into the account. Identification and user education are key parts of countering MFA bypass techniques. Organizations should ensure employees are aware of who to contact in these situations to determine if the event was a technical issue or malicious in nature.

Talos IR recommends disabling VPN access for all accounts that do not have MFA enabled. Additionally, Talos IR recommends expanding MFA for all user accounts (e.g., employees, contractors, business partners, etc.). Talos IR has repeatedly seen attackers targeting vendor and contractor accounts (VCAs), which typically have expanded privileges and access. VCAs are often overlooked during account audits due to trust placed in the third party, making them an easy target for attackers. Talos IR recommends disabling VCAs when they are not needed, implementing least privilege access, and validating that logging and security monitoring are enabled for VCA accounts.

Talos IR also recommends organizations perform a password audit across all user and service accounts to ensure complexity and strength are aligned with the industry best practices per account type (e.g., privilege, service, user, etc.) to prevent password enumeration techniques, such as password spraying.

**Top-observed MITRE ATT&CK techniques**

The table below represents the MITRE ATT&CK techniques observed in this quarter’s IR engagements, which includes relevant examples and the amount Talos IR saw in engagements. Given that some techniques can fall under multiple tactics, we grouped them under the most relevant tactic in which they were leveraged. Please note this is not an exhaustive list.

**Key findings from the MITRE ATT&CK framework include:**

*   The use of valid accounts was the top observed initial access technique, accounting for nearly 40 percent of the total number of engagements.
*   Observed in over 50 percent of engagements this quarter, PowerShell is a dynamic command line utility that continues to be a popular utility of choice for adversaries likely for a number of reasons including stealth, convenience and vast IT administration capabilities.
*   In 26 percent of engagements this quarter, Talos IR observed attackers abusing remote services, such as RDP and SSH, to facilitate lateral movement.
*   The top persistence mechanism observed this quarter was the abuse of Windows Task Scheduler to create scheduled tasks, allowing adversaries to execute programs or commands at scheduled times or at system startup.

Tactic

Technique

Example

Initial Access (TA0001)

T1078 Valid Accounts

Adversary leveraged stolen or compromised credentials. 

Execution (TA0002)

T1059.001 Command and Scripting Interpreter: PowerShell

Executes PowerShell code to retrieve information about the client’s Active Directory environment.

Persistence (TA0003)

T1053.005 Scheduled Task/Job: Scheduled Task

Scheduled tasks were created on a compromised server to execute malware during startup.

Defense Evasion (TA0005)

T1562.001 Impair Defenses: Disable or Modify Tools

Uninstall security tools to evade detection.

Credential Access (TA0006)

T1003.006 OS Credential Dumping: DCSync

Use DCSync attack to gather credentials for privilege escalation routines.

Lateral Movement (TA0008) 

T1563.002 Remote Services Session: RDP Hijacking

Adversary compromised an existing user’s Remote Desktop Protocol session.

Impact (TA0040)

T1486 Data Encrypted for Impact

Deploy ransomware and encrypt critical systems.

Software/Tool

S0359 Nltest

Enumerate remote domain controllers with Nltest.

Data theft extortion rises, while healthcare is still most-targeted vertical in Talos IR engagements

The industry has come a long way in terms of improving how we make user authentication more secure. From the most basic concept of relying on usernames and passwords for authentication to enabling multi-factor authentication (MFA) for additional security, we are now embracing a shift toward passwordless logins and/or

Tuesday, July 25, 2023 07:07

_By Thorsten Rosendahl and Tiago Pereira, with contributions from Matthew Miller._

The industry has come a long way in terms of improving how we make user authentication more secure. From the most basic concept of relying on usernames and passwords for authentication to enabling multi-factor authentication (MFA) for additional security, we are now embracing a shift toward passwordless logins and/or passkeys that are designed with security in mind from the beginning.

We anticipate that passwords may disappear in a not-so-distant future, with actors likely to shift away from basic phishing or other attacks that target passwords, toward post-authentication session theft, or the weaker registration, recovery, and revocation processes.

We can broadly group the distinct types of authentication as follows:

**Password-based authentication** is the weakest type of authentication, and it is vulnerable to several types of attacks, such as brute force, phishing and password stuffing, in which an attacker tries to use credentials that are obtained from a breach in some online service to log into other online services and applications.

**Multi-factor authentication (MFA)** is an authentication method whereby a user must present two or more factors to successfully pass an authentication. MFA, when passkeys are not one of the factors, protects the user against several attacks, most notably those that rely on password guessing (e.g., brute force and password spraying) and those based on credential leakage from third-party websites (e.g., password stuffing). However, it does not protect against all phishing attacks.

An attacker can redirect a user to a legitimate-looking phishing website that proxies all the information between the victim, itself, and a legitimate website. Once the victim unknowingly visits the malicious site, they are prompted to submit their credentials and accept an MFA authentication request. After this happens, the legitimate website will generate a session ID that the attacker can steal and use to access the application posing as the victim.

**Device-bound passkeys** are a form of passwordless authentication based on the open FIDO2 (Fast Identity Online) standard that is supported by most modern browsers and operating systems and allows users to log into websites simply clicking a button or touching a biometric reader on the device or on a mobile device. This wide support and its usability features make passkeys a viable alternative to even usernames and passwords that are combined with MFA.

In short, instead of putting the burden on the user to create and memorize unique, complex passwords for each service they use, FIDO2 credentials provide a cryptographic solution that offers stronger authentication than common MFA techniques (SMS, OTP, Push) allow. FIDO2 uses a public/private key pair, where the private key is stored on the user’s device, and the public key is registered with the online service provider.

This mechanism has several advantages over password-based and MFA authentication:

*   **It is phishing resistant** — The browser is responsible for checking if the authenticator contains passkeys for a given URL. For example, when opening a phishing website, the browser would find that the authenticator does not have a stored credential for it, so it would not provide the user a way to login.
*   **It is resistant to credential stuffing** – The public key is not a secret, and it is unique for each website. Even if a third-party website is breached and the public key stolen, it cannot be used by attackers to authenticate as the user.
*   **Private keys can be protected by hardware** — The private key can be forced to be protected by a hardware module from which it cannot be exported. The private key is only used within that hardware module to create a signature and it is never exposed to a potentially compromised operating system. However rare, there have been vulnerabilities found in hardware modules that may allow attackers to steal private keys.
*   **It is more user-friendly** - Users no longer must remember, manage, or write passwords. Instead, the user only needs a couple of clicks to quickly log in via a ceremony handled by the browser.

Although FIDO2 has many advantages over other means of authentication, it does not change how the application session mechanism works. Therefore, on a compromised device, an attacker can still steal the session ID post-authentication and use it to access the application, posing as the user.

**Synced passkeys**, also known as FIDO2 multi-device credentials, are like regular FIDO2 credentials, but they can be copied between user devices, allowing a user to only register once with a relying party and synchronize their key across all his devices. This is a significant step toward the adoption of passwordless authentication, as it minimizes the risk that the user loses access to their private keys and avoids the trouble of having to register and manage multiple devices and keys.

However, this increase in usability comes at a cost in security. The need to copy private keys to the cloud and to other devices means that they can be compromised if an attacker is able to register a new device posing as the victim or if the passkey implementation allows them to be stolen from the operating system memory or disk.

How phishing-resistant authentication could change the threat landscape

Although it will likely take several years for passwordless authentication to become widely adopted, and it is likely that passwords will be around for a long time, some of the most popular and most targeted applications may adopt it in the near future. Removing passwords from even a few dozen key web applications is likely to affect the threat landscape.

**Targeting registration, recovery and revocation process flaws**

Authentication is only one part of a larger identity management process. As much as phishing-resistant authentication is a significant increase in web application security, there are processes that must exist to allow the user to be able to use passwordless authentication, in particular, registration, revocation and recovery. This could lead to some changes in the way attackers use phishing to obtain access to target applications. For example:

**Phishing for cloud providers** – What happens when you lose access to all your devices at the same time? The answer is usually that the cloud provider allows a user to log in with a less secure method, which may be phishable. Because this fallback system exists, attackers will try to phish the users, leading them to provide all the details needed to recover from a scenario in which all device access was lost.

**Phishing for password managers** – As password managers start to store passkeys, they may become a larger target for phishing attacks, as they are the “master key” to obtaining phishing-resistant credentials. Like cloud providers, most password managers allow users to use MFA when installing it on a new device. This means that, ironically, in a passwordless future, it is possible that password managers will become a bigger target for phishing attacks.

**Phishing for email providers** – It is common to send “magic links” to a registered user email address that, when clicked, takes the user to a page where his password can be reset. The same system can be used for passkey re-registration. This could make email providers an even more common target for phishing attacks, as they become a way to bypass the phishing-resistant authentication on other targeted applications.

**Targeting sessions, not authentications**

Phishing-resistant authentication eliminates attacks that steal login credentials, leaving post-auth session IDs as the most valuable assets. Consequently, it is possible that attacks targeting session IDs will increase in popularity. These are some examples of ways the session could be attacked that could see an increase as passwords start to disappear:

**Attacks based on bookmarklets** – Bookmarklets are a feature of web browsers that allow JavaScript code to be saved as a bookmark. When the user clicks on the bookmark, the code is executed in the context of the open browser page. One example of this is a recent attack where bookmarklets were used to steal the Discord token from users of several Discord communities focused on cryptocurrency.

**Attacks involving the clipboard –** Tricking a user into executing malicious JavaScript or system commands by copy-pasting them from a website into the address bar, browser developer tools, or even the terminal can be used to steal session IDs from the browser or from the file system. This can happen as a result of social engineering, such as when users are following a tutorial that involves copy-paste code from a webpage. As a way to make these attacks more effective, pastejacking can be used to replace apparently innocuous code copied from a webpage with malicious code, tricking even more advanced users.

**Browser-based malware changes** – As session IDs increase in value, malware focused on the browser (for example, intercepting browser communications, injecting code into web pages or instrumenting hidden browser windows) may be subject to changes that assist new attacks and malicious business models. For example, adding features such as keeping sessions alive once they are stolen or proxying attacker HTTP requests within the context of the victim browser sessions.

Although not a threat landscape change, as session theft, becomes a major vector of compromise, it is possible that session security is increased, leading to bigger changes. Several session protection techniques that exist today may become more widely adopted, including regenerating the session ID frequently during an established session and reducing the session timeout or denying access to the session id from JavaScript. Much like what has happened to authentication, new standards could be developed that focus on the protection of web sessions.

**Cybercrime business models adapt to the change**

Many of the passwords that attackers are currently harvesting will be rendered obsolete with the adoption of passwordless authentication. This may cause changes both in malware and in cybercriminal’s business models built around selling access to compromised accounts:

**Malware-based attacks may increase** – Criminals are not likely to give up entirely because phishing has become harder or impossible. The groups that are currently dedicated to phishing could be forced to take the next step and focus on malware-based attacks. This shift could result in an increase in malware-based attacks, using the same distribution channels that phishing groups are used to (e.g., email or instant messaging).

**Business models around selling compromised accounts may change** – To take advantage of the stolen session IDs, attackers will have to act quickly while the session is active. As selling or taking advantage of valid session IDs becomes harder, attackers will adapt. We are already seeing signs of this adaptation. For example:

*   Phishing kits commonly make use of telegram bots to allow attackers to react faster when a new session ID is stolen.
*   The dark web Genesis market, which is back up again after being taken down by law enforcement a few months ago, specializes in selling “bots” which is the terminology the market owners used to call a package with a victim’s browser credentials’ cookies and fingerprints. To make this data easier to use, the market provides a specialized browser and Chrome extension to its customers, so they load the purchased “bot” data and easily use the authenticated sessions of each purchased bot. The user has the possibility of using the victim’s browser as a proxy, to make the abuse even harder to detect.  
    As criminals focus on sessions and these become increasingly more secure, the business models can adapt even further. For example, instead of selling stolen sessions, attackers could sell access to automated malicious actions to be triggered each time a session is compromised to the highest bidder, like high-frequency trading used in stock markets.

**Web application vulnerability value increase** – Web applications, just like any other software, can contain vulnerabilities introduced during development. Many of these allow an attacker to steal valid sessions or perform malicious actions directly without targeting the session. It would not be surprising if, with the unavailability of phishing as an attack vector, web app vulnerabilities became more commonly traded on underground forums and saw their value increase.

While the exact predictions in this post may or may not ever take place, passwordless authentication is gaining traction and it is certainly in the future of web authentication. Inevitably it will bring changes to attack techniques for which we should prepare sooner rather than later.

What might authentication attacks look like in a phishing-resistant future?

Last week, the Biden administration released its formal roadmap for its national cybersecurity initiative meant to encourage greater investment in cybersecurity and strengthen the U.S.’s critical infrastructure security (and more).

Thursday, July 20, 2023 14:07

Welcome to this week’s edition of the Threat Source newsletter.

Last week, the Biden administration released its formal roadmap for its national cybersecurity initiative meant to encourage greater investment in cybersecurity and strengthen the U.S.’s critical infrastructure security (and more).

The roadmap goes a long way toward actualizing a plan the administration released earlier this year and sets tangible goals and programs to put many of these initiatives into action. But because nothing ever moves quickly in government, this roadmap and the associated plan are already hitting a few roadblocks.

First, there’s the ever-present partisan politics. Republican state lawmakers are backing a legal challenge in the court systems to block an Environmental Protection Administration rule that asked local water systems to evaluate their current cybersecurity systems and protections while conducting sanitation surveys. To me, simply asking critical infrastructure to consider these factors as part of their normal processes seems like a non-issue, but the U.S. Appeals Court has put a hold on this rule for the time being (though it didn’t give a precise reason at the time of its ruling).

If lawmakers are going to hash these types of regulations in court every time something new pops up, we’ll never reach the point of these rules actually being implemented.

Two leading Republican members of the U.S. House came out hours after the Biden administration released the roadmap, saying they would use their respective House panels to, “exercise strict oversight on CISA’s efforts” to implement many of the policies outlined.

Regardless of which side of the political spectrum you fall, cybersecurity should be something our lawmakers can all agree on.

Say these arguments extend through the 2024 election — what happens if control of the White House or Congress switches between parties? And then that changes again in 2026? Change is slow, so none of these initiatives are going to be implemented overnight.

If our government can’t come to any sort of agreement about the importance of cybersecurity, and how to encourage stronger public-private partnerships to reach the country’s goals, this is just going to be another partisan issue that’s held up by legal challenges, budget negotiations, hearings and verbal discourse. And by the time that all subsides, the people in charge of outlining and implementing these cybersecurity goals could have very well changed.

So, forgive me if I’m coming off as a bit skeptical that anything in this roadmap will end up passing any mile markers.

**The one big thing**

Our researchers recently discovered a threat actor conducting several campaigns against government entities, military organizations and civilian users in Ukraine and Poland. Our recent reporting states that these operations are very likely aimed at stealing information and gaining persistent remote access. The activity we analyzed occurred as early as April 2022 and as recently as earlier this month, demonstrating the persistent nature of the threat actor. The final payloads include the AgentTesla remote access trojan (RAT), Cobalt Strike beacons and njRAT.

**Why do I care?**

If you’re a user in Ukraine or Poland, especially someone working in the government or military sectors, this is a clear-cut example of a spam campaign targeting this population. For those who fall outside of that demographic, it’s interesting that this group is still relying on the user enabling macros in Office, since Microsoft disabled those by default earlier this year. These are also highly targeted emails with (relatively speaking) convincing lures, so whoever is behind these is not to be ignored.

**So now what?**

There are multiple Cisco Secure protections in place to defend against the types of spam used in these campaigns. Other Snort rules and detection content can prevent the execution of the malware used as the final payload. Our researchers have also published examples of the types of lure images and documents used in the initial phishing emails so users can know what to be on the lookout for.

**Top security headlines of the week**

**Chinese state-sponsored actors reportedly accessed email accounts belonging to several U.S.-based organizations and federal government agencies,** including the State Department. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a detailed timeline on the campaign, stating that an investigation from Microsoft revealed that “advanced persistent threat (APT) actors accessed and exfiltrated unclassified Exchange Online Outlook data” after users reported suspicious activities in their Microsoft 365 cloud environment. While the full scope of the hack is still under investigation, reports indicate that the actors were primarily trying to steal sensitive information. While CISA or Microsoft have yet to disclose any specific vulnerabilities the actors exploited, the CISA report does say that the APT used a Microsoft account consumer key to forge tokens and impersonate targeted users. “Microsoft remediated the issue by first blocking tokens issued with the acquired key and then replacing the key to prevent continued misuse,” the report states. (CISA, CNN)

Popular tax preparation software companies are under fire from lawmakers for **allegedly sharing personal information with social media sites, including Google and Meta.** Several Democratic lawmakers released a report last week that accused TaxAct, H&R Block and TaxSlayer of embedding Meta and Google’s tracking pixels on their sites, potentially violating U.S. law and sharing taxpayers’ information with those companies. The report says the data was kept anonymous, but the companies could “easily” use the information to identify individuals or create targeted advertising for them. The report has also renewed calls for the Internal Revenue Service to offer its own, free online tax filing service for U.S. consumers. (Vox, USA Today)

**Apple had to roll back and then re-release a security update** that addressed an actively exploited vulnerability in WebKit. Apple initially released a Rapid Security Response patch for iPhones and iPads on July 11 to fix CVE-2023-37450, a remote code execution vulnerability in the WebKit browser engine that Safari and other web browsers use. However, users reported that the fix was causing Safari to not connect correctly to major websites like Facebook, Instagram and Zoom, leading Apple to pull back the patch. Since then, Apple released a new fix for iOS, iPadOS and macOS that reliably fixes the vulnerability again. Though few details are currently available about CVE-2023-37450, Apple indicated it had been exploited in the wild and could be triggered by a vulnerable browser processing specially crafted web content. (Forbes, Gizmodo)

**Can’t get enough Talos?**

*   Vulnerability Roundup: Memory corruption vulnerability in Microsoft Edge; MilesightVPN and router could be taken over
*   Malicious Microsoft Drivers Could Number in the Thousands: Cisco Talos
*   New Threat Actor Launches Cyber-attacks on Ukraine and Poland
*   Uncovering weaknesses in Apple macOS and VMWare vCenter: 12 vulnerabilities in RPC implementation
*   The Need to Know: Why are there so many malware-as-a-service offerings?
*   Implementing an ISO-compliant threat intelligence program
*   Talos Takes Ep. #147: The dangers of "Mercenary" groups and the spyware they create

**Upcoming events where you can find Talos**

**BlackHat (Aug. 5 - 10)**

Las Vegas, Nevada

**Grace Hopper Celebration** **(Sept. 26 - 29)**

Orlando, Florida

> _Caitlin Huey, Susan Paskey and Alexis Merritt present a "Level Up Lab" titled "Don’t Fail Knowledge Checks: Accelerating Incident Response with Threat Intelligence." Participate in several fast-paced activities that emphasize the importance of threat intelligence in security incident investigations. Attendees will act as incident responders investigating a simulated incident that unfolds throughout this session. Periodic checkpoints will include discussions that highlight how incident response and threat intelligence complement each other during an active security investigation._

_**“Most prevalent malware files” is taking a break this week for maintenance.**_

The federal government’s cybersecurity policies are falling into place just in time to be stalled again

In all, Talos released 22 security advisories regarding Milesight products this month, nine of which have a CVSS score greater than 8, associated with 69 CVEs.

Wednesday, July 19, 2023 11:07

Since the beginning of July, Cisco Talos has published 40 vulnerability advisories affecting a range of software and hardware, including the Microsoft Edge browser.

In our new series called “Vulnerability Roundup,” we’ll be recapping the vulnerabilities we recently disclosed to provide readers with an overview of what the issue is, how they can remediate and what the potential implications are for users. Our latest Vulnerability Advisories are always posted on Talos Intelligence’s website.

**Microsoft Edge memory corruption (TALOS-2023-1747/CVE-2023-36887)**

A memory corruption vulnerability exists in the JavaScript implementation of the Adobe Acrobat PDF engine that the Microsoft Edge web browser uses. Talos tested and confirmed that Edge, versions 112.0.1722.58 and 114.0.1776.0 Canary, are affected by this vulnerability.

An attacker could trigger this vulnerability by tricking a user into opening a specially crafted PDF in the browser. This could trigger a type confusion vulnerability, which could allow the adversary to write to arbitrary memory. Microsoft patched this issue on July 13.

The following Snort rules will detect exploitation attempts of this vulnerability: 61874 and 61875. Additional rules may be released in the future and current rules are subject to change, pending additional vulnerability information. For the most current rule information, please refer to your Cisco Secure Firewall or Snort.org.

**Multiple vulnerabilities in Milesight UR32L router and MilesightVPN**

Talos disclosed multiple vulnerabilities in these products despite no official fix from Milesight, in adherence to Cisco’s vulnerability disclosure policy. Milesight did not respond appropriately during the 90-day period as outlined in the policy.

We have a complete technical breakdown of how an attacker could string some of these vulnerabilities together to completely compromise the UR32L router and MilesightVPN.

In all, Talos released 22 security advisories regarding Milesight products this month, nine of which have a CVSS score greater than 8, associated with 69 CVEs.

**Heap buffer overflow vulnerabilities in Diagon text translator**

Our researchers discovered two vulnerabilities in the Diagon text interpreter that could cause heap-based buffer overflow conditions. Diagon translates Markdown into several formats, including latex, planar graph and tables.

The Diagon interpreter translates a Markdown text sequence diagram to a graphical sequence diagram.

An adversary could exploit TALOS-2023-1745 (CVE-2023-31194) by sending a specially crafted network request to the targeted device, thereby causing a write access violation. TALOS-2023-1744 (CVE-2023-27390) could be exploited the same way, but in this case, leads directly to the heap-based buffer overflow. Diagon’s maintainer released an update to address these vulnerabilities.

Memory corruption vulnerability in Microsoft Edge; MilesightVPN and router could be taken over

Ransomware-as-a-service is a relatively new version of these commodity groups, such as DarkSide, known for the cyber attack in 2021 that disrupted the Colonial oil pipeline and made gas more expensive for thousands of U.S. consumers.

Wednesday, July 19, 2023 08:07

Whether known as commodity malware or “as-a-service,” threat actors have long been turning to their fellow adversaries in the hopes of selling off their tools and opening a new stream of revenue.

When used legitimately, as-a-service software is when a third-party company offers its software to another company based on a license that is renewed frequently (mostly monthly or yearly) for a fee. The software is centrally hosted on that third-party company’s servers. Think of cloud storage solutions like Dropbox or Plex, for example.

Threat actors have been using this business model for a decade-plus, originally known as commodity malware. This is when threat actors create a suite of malware tools and offer them up for sale on illicit websites. It can range from asking “customers” to pay a monthly fee for access to this set of tools to use in cyber attacks, or users can even pay the original creators to distribute the malware on their behalf and manage the infection.

Recently, this model for threat actors has come to be known as the “as-a-service" model, borrowing the term from the growing trend in the tech industry.

Ransomware-as-a-service is a relatively new version of these commodity groups, such as DarkSide, known for the cyber attack in 2021 that disrupted the Colonial oil pipeline and made gas more expensive for thousands of U.S. consumers.

But other bad actors have since adopted this businesses model, offering every from command and control servers to phishing bots-as-a-service. There are a few reasons why attackers may opt to pay for an as-a-service malware tool for their chosen campaign:

*   As-a-service saves attackers time. When they pay for someone else’s malware kit, whether it be ransomware or a phishing bot, they don’t have to invest time, money or labor to write their own malicious code or tools and instead can hop right into deploying the malware.
*   For the actors and groups who originally created the malware, it is a more reliable income stream for them. Usually, they’d have to hope a successful attack leads to a ransom payment or some sort of other financial windfall. Instead, they can make money by marketing their services to other bad actors for a fee.

*   Bad actors who want to get into the cyber attack business need little to no technical skills to get started. When an attacker pays for an as-a-service malware, they often get an individual login with dedicated customer support, much like any user would with a legitimate piece of software. This way, they can ask questions and receive help if they get stuck during the deployment of the malware. This means that, conceivably, anyone with interest could get involved in starting a cyber attack.
*   As Nick Biasini explained in a past episode of Talos Takes, name recognition also plays a major part in the rising popularity of this business model. Lesser-known threat actors want to piggyback off having a big name associated with them, like DarkSide, to intimidate their actors or lend more credence to the effectiveness of their threats.

**Notable example: Greatness**

Cisco Talos researchers recently discovered Greatness, one of the most advanced phishing-as-a-service tools ever seen in the wild. Our analysis indicates that attackers may have been using attackers since mid-2022.

Greatness offers the ability for users to bypass targets’ multi-factor authentication protections, IP filtering and integration with Telegram bots. Greatness incorporates features seen in some of the most advanced PaaS offerings, such as multi-factor authentication (MFA) bypass, IP filtering and integration with Telegram bots.

Greatness, for now, is only focused on Microsoft 365 phishing pages, providing its affiliates with an attachment and link builder that creates highly convincing decoy and login pages. It contains features such as having the victim’s email address pre-filled and displaying their appropriate company logo and background image, extracted from the target organization’s real Microsoft 365 login page. This makes Greatness particularly well-suited for phishing business users.

Any Greatness affiliates don’t need a specific set of skills. All they need to do is deploy and configure the provided phishing kit with an API key. If used successfully, the attacker can set up a proxy Microsoft 365 authentication system and steal a victim’s authentication credentials or cookies with a “man-in-the-middle" attack.

Greatness is specifically designed to work in a standardized way so that the experience is the same for each customer who buys into the service, potentially allowing anyone with a moderate amount of technical ability to carry out advanced, convincing phishing attacks.

Since as-a-service or commodity malware can include all types of malware, it can be tough to provide specific advice for detection and prevention. For Greatness specifically, anyone implementing multi-factor authentication should opt for code-based authentication through their MFA app of choice, such as Cisco Duo, rather than the easier-to-break method of a simple “yes” or “no” push notification.

Why are there so many malware-as-a-service offerings?

The guidance within ISO 27001 identifies which security controls are appropriate, while ISO 27002 describes the controls in detail and how they can be implemented.

Tuesday, July 18, 2023 08:07

Implementing a threat intelligence program that meets the definition of threat intelligence control as described in ISO/IEC 27002:2022 — a set of standards set forth by the International Organization for Standardization — is not onerous.

The ISO/IEC 27002 standard describes a non-exhaustive list of security controls that organizations can implement on their own or as part of an ISO/IEC 27001\-compliant cybersecurity program.

The guidance within ISO 27001 identifies which security controls are appropriate, while ISO 27002 describes the controls in detail and how they can be implemented. Threat intelligence is a recent addition to the controls having been included in the 2022 edition of the standards, which are adopted by more than 160 countries around the world.

**What is threat intelligence?**

Threat intelligence is simply information about threats. The goal of threat intelligence is to help decision-makers make better decisions by being better informed about current threats and those they may face in the future.

In a world where the risks posed by the ever-changing cyber threat landscape are in constant flux, yet resources are constrained, deciding which security measures should be deployed depends on risk appetite and an understanding of the nature of the threats. Effective threat intelligence informs decision-makers in a timely manner about how the threat landscape is changing and enables management to act to counter these threats.

Acting against threats may be as simple as updating a block list or require considering where investments in new countermeasures should be made. The standard states that the purpose of threat intelligence should be to “provide awareness of the organization's threat environment so that the appropriate mitigation actions can be taken.” The details of exactly what actions are required are for the organization’s decision-makers to choose.

**Obtaining threat intelligence**

Few organizations routinely generate intelligence from their own data. Most organizations receive and make use of intelligence published from third parties such as government agencies, specialist providers or collaborative groups.

At Talos, we pride ourselves on the quality of the intelligence we publish. We publish intelligence on the significant threats that we identify on our blog and provide a summary of recent key threats in our weekly Threat Source newsletter.

Organizations can collect this intelligence, review the threats described, consider if and how the threat is relevant to them, and the necessity of making any potential additional mitigations. Circulating this information to the relevant people provides vital awareness of current threats, and provides actionable intelligence if changes need to be made to counteract these.

**A threat intelligence program**

At its simplest, a rudimentary threat intelligence program consists of the program’s objectives, the sources from where intelligence will be gathered, the frequency of that collection, and what will we do with the gathered information.

The wording of ISO/IEC 27002 provides an outline for the program’s potential objectives. Threat intelligence should be: “relevant, insightful, contextual, actionable.” The collection of intelligence that satisfies these four requirements will almost certainly be useful to wider cybersecurity activity.

Setting out the sources of intelligence may be as easy as listing the providers of threat intelligence that are already consulted, and how often they will be consulted. Subscribing to the Talos weekly newsletter provides information about the most prevalent malware.

This intelligence can be used to identify which (if any) of the organization’s defense systems detected the threat. Reflecting on if the threat could have been detected earlier and passing any recommendations to management constitutes a viable threat intelligence program.

The Talos Threat Spotlight posts and Quarterly Trends reports provide details of threats and the techniques used by threat actors. Analysing these and considering how (or if) such malicious strategies would be detected and blocked, or if additional mitigations are required, and passing this information to management would also be an effective use of threat intelligence.

**Further Controls**

Additional controls defined in ISO/IEC 27002 can form part of the threat intelligence process or benefit from an intelligence input. Relevant controls include:

**_5.6 Contact with special interest groups_ -** being part of a community sharing experiences and intelligence with industry peers allows the further collection of intelligence and contextualization of that information.

**_8.7 Protection against malware & 8.23 Web filtering_ –** informing users about the current threats that they are likely to face, providing information about they can identify threats and helping protect systems helps improve the organization’s security posture.

**_8.8 Management of technical vulnerabilities_ –** prioritizing the mitigation and patching of vulnerabilities based on their potential and current risk of abuse requires identifying the assessed severity of a vulnerability and how this may change.

_**8.15 Logging**_ **&** _**8.16 Monitoring activities**_ **–** determining the system information to log, store and query allows malicious behavior to be uncovered, if threat intelligence is applied to understand how threats may manifest themselves within log data.

Implementing an ISO-compliant threat intelligence program

QR codes have always served as a way for bad actors to spread malware or even your friendly neighborhood prankster to share Rick Astley’s most famous music video.

Thursday, July 13, 2023 14:07

Welcome to this week’s edition of the Threat Source newsletter.

Although we can probably largely consider the COVID-19 pandemic “over,” many relics from the peak of lockdown and concerns over the virus are still around in mid-2023. It’s still impossible to get a doctor’s appointment quickly, but many restaurants have embraced al fresco dining and QR codes are back.

At one point I had totally written off QR codes as of 2010-ish, but now they’re all over restaurant menus, cash registers, tip jars and advertising. This started during the pandemic as a touch-free way of interacting with consumers and seems to be sticking around even though the days of indoor seating capacities are over.

QR codes have always served as a way for bad actors to spread malware or even your friendly neighborhood prankster to share Rick Astley’s most famous music video. But recently I discovered several “novel” ways in which bad guys are trying to capitalize on society’s newfound trust in QR codes.

Two months ago, Bleeping Computer reported on fake parking tickets floating around major U.S. and U.K. cities that had phony QR codes on them designed to trick users into “paying” a parking ticket they didn’t owe. That same week, there were also reports of phony Microsoft Word documents being sent via email to targets that contained QR codes claiming to be from the Chinese Ministry of Finance, thus bypassing traditional email security that usually scan things like links and the body copy in an email itself.

The local CBS station in Tampa Bay, Florida also came across a fake Amazon advertisement in March that claimed to enlist people who received a postcard to test out new products. When opened, the site on the other end of the QR code asked for the target’s personal and contact information.

I figured we’d be past the days of attackers just slapping QR codes onto random things, but I also thought we were done with QR codes altogether three years ago. So this serves as a PSA to not just scan any QR code you see in the wild “just because.”

Or, if you’re unsure about the origins of a QR code, iOS and Android phones will show a snippet of a URL that the QR code is sending the user before you click on it, so it’s important to double-check that the URL is where you intended on heading (ex., amazon.com). Either that or just ask for a paper menu at the restaurant.

**The one big thing**

Cisco Talos has identified multiple versions of an undocumented malicious driver named “RedDriver,” a driver-based browser hijacker that uses the Windows Filtering Platform (WFP) to intercept browser traffic. This threat appears to target native Chinese speakers, as it searches for Chinese language browsers to hijack. Additionally, the authors are likely Chinese speakers themselves. If installed, the malicious driver can hijack and spy on web traffic, potentially redirecting it to a source of the attacker’s choosing.

**Why do I care?**

This is a concrete example of a recent trend Talos has been following of threat actors taking advantage of a Windows policy loophole that allows the signing and loading of cross-signed kernel mode drivers with signature timestamp prior to July 29, 2015. We have observed over a dozen code-signing certificates with keys and passwords contained in a PFX file hosted on GitHub used in conjunction with these open-source tools. By forging signatures on kernel-mode drivers, attackers can bypass the certificate policies within Windows.

**So now what?**

Microsoft has blocked all certificates discussed in Talos' blogs posted this week and released an advisory on the matter as part of Patch Tuesday. Talos recommends blocking the certificates mentioned in this blog post, as malicious drivers are difficult to detect heuristically and are most effectively blocked based on file hashes or the certificates used to sign them. Comparing the signature timestamp to the compilation date of a driver can sometimes be an effective means of detecting instances of timestamp forging. Specifically, for RedDriver, there are a series of new Cisco Secure product protections in place to detect and block the malicious driver.

**Top security headlines of the week**

The **list of companies affected by the massive MOVEit mass hack continues to grow,** and now includes international hotel chain Radisson and GPS company TomTom. Clop, the ransomware group behind the attack against the MOVEit data transfer software that eventually led to data breaches at more than 100 organizations, added more companies to its leak site this week. Commercial banks Deutsche Bank and Commerzbank are also among the newest victims, with both companies reportedly having clients’ names and account numbers. The parent company of Radisson also confirmed that a “limited number of guest records” were accessed, though it did not provide an exact number. Clop originally used a zero-day vulnerability that’s since been patched to access MOVEit software instances and then steal certain information from users. One threat analyst at New Zealand anti-virus maker Emsisoft estimated that there are now more than 270 businesses affected across the globe, including 17 million individuals. (Tech Crunch, Bloomberg)

With Meta’s new microblogging platform **Threads taking off, users and privacy advocates are criticizing its privacy and data collection policies.** Meta, which is the parent company behind Facebook and Instagram, launched Threads last week to much fanfare and gained millions of new users in the first few hours of the app’s existence. However, the app has yet to launch in the European Union because it violates several GDPR policies. Threads’ privacy policy states the app has access to GPS location, cameras, photos, IP information, the type of device being used and device signals including “Bluetooth signals, nearby Wi-Fi access points, beacons and cell towers.” In general, Meta seems to collect more personal information on Threads users compared to other platforms, though not necessarily more than Facebook and Instagram, Meta’s other major platforms. (The Guardian, CPO Magazine)

Despite major efforts from international governments and the private sector to combat ransomware, **payments to threat actors are set to hit a new record in 2023.** A new report from blockchain company Chainanalysis reports that ransomware victims have paid adversaries $449.1 million in the first six months of this year, after that number didn’t even hit $500 million in 2022. If this pace continues, 2023 would be the second-most profitable year ever for ransomware groups behind 2021. Security researchers believe the dip in 2022 could be contributed to several factors, including Russia’s invasion of Ukraine disrupting some major APT groups and new decryption software from government agencies and private companies that can return victims’ files for free. Chainanalysis analysts state in the report that big-game hunting is largely contributing to this year’s revenue — in these cases, threat actors target major corporations that likely have the funds to pay large, requested ransom payments. (Wired, Bleeping Computer)

**Can’t get enough Talos?**

*   Cisco Talos Reports Microsoft Windows Policy Loophole Being Exploited by Threat Actor
*   Hackers target Chinese-speaking Microsoft users with ‘RedDriver’ browser hijacker
*   Gergana Karadzhova-Dangela wants to send the ladder back down to the next generation of incident responders
*   The growth of commercial spyware based intelligence providers without legal or ethical supervision
*   Microsoft discloses more than 130 vulnerabilities as part of July’s Patch Tuesday, four exploited in the wild

**Upcoming events where you can find Talos**

**BlackHat** **(Aug. 5 - 10)**

Las Vegas, Nevada

**Grace Hopper Celebration (Sept. 26 - 29)**

Orlando, Florida

> _Caitlin Huey, Susan Paskey and Alexis Merritt present a "Level Up Lab" titled "Don’t Fail Knowledge Checks: Accelerating Incident Response with Threat Intelligence." Participate in several fast-paced activities that emphasize the importance of threat intelligence in security incident investigations. Attendees will act as incident responders investigating a simulated incident that unfolds throughout this session. Periodic checkpoints will include discussions that highlight how incident response and threat intelligence complement each other during an active security investigation._

**Most prevalent malware files from Talos telemetry over the past week**

**SHA 256:** a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91  
**MD5:** 7bdbd180c081fa63ca94f9c22c457376  
**Typical Filename:** c0dwjdi6a.dll  
**Claimed Product:** N/A  
**Detection Name:** Trojan.GenericKD.33515991

**SHA 256:** 1c25a55f121d4fe4344914e4d5c89747b838506090717f3fb749852b2d8109b6  
**MD5:** 4c9a8e82a41a41323d941391767f63f7  
**Typical Filename:** !!mreader.exe  
**Claimed Product:** N/A  
**Detection Name:** Win.Dropper.Generic::sheath

**SHA 256:** 5616b94f1a40b49096e2f8f78d646891b45c649473a5b67b8beddac46ad398e1  
**MD5:** 3e10a74a7613d1cae4b9749d7ec93515  
**Typical Filename:** IMG001.exe  
**Claimed Product:** N/A  
**Detection Name:** Win.Dropper.Coinminer::1201

**SHA 256:** e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c  
**MD5:** a087b2e6ec57b08c0d0750c60f96a74c  
**Typical Filename:** AAct.exe  
**Claimed Product:** N/A  
**Detection Name:** PUA.Win.Tool.Kmsauto::1201

**SHA 256:** b4d8d7cbec7fe4c24dcb9b38f6036a58b765efda10c42fce7bbe2b2bf79cd53e  
**MD5:** c585f4faee96a0bec3b0f93f37239008  
**Typical Filename:** stream.txt  
**Claimed Product:** N/A  
**Detection Name:** Win.Dropper.Autoit::211461.in02

QR codes are relevant again for everyone from diners to threat actors

Uncovered issues fall into use-after-free, buffer-overflow, information leak and denial of service vulnerability classes. Some of these could be combined to achieve remote code execution or privilege escalation.

Uncovering weaknesses in Apple macOS and VMWare vCenter: 12 vulnerabilities in RPC implementation

Cisco Talos has discovered a threat actor conducting several campaigns against government entities, military organizations and civilian users in Ukraine and Poland. We judge that these operations are very likely aimed at stealing information and gaining persistent remote access.

Thursday, July 13, 2023 06:07

*   Cisco Talos has discovered a threat actor conducting several campaigns against government entities, military organizations and civilian users in Ukraine and Poland. We judge that these operations are very likely aimed at stealing information and gaining persistent remote access.
*   The activity we analyzed occurred as early as April 2022 and as recently as earlier this month, demonstrating the persistent nature of the threat actor. Ukraine’s Computer Emergency Response Team (CERT-UA) has attributed the July campaign to the threat actor group UNC1151, as a part of the GhostWriter operational activities allegedly linked to the Belarusian government.
*   The attacks used a multistage infection chain initiated with malicious Microsoft Office documents, most commonly using Microsoft Excel and PowerPoint file formats. This was followed by an executable downloader and payload concealed in an image file, likely to make its detection more difficult.
*   The final payloads include the AgentTesla remote access trojan (RAT), Cobalt Strike beacons and njRAT.

**Ukrainian and Polish government and military organizations among those targeted**

Talos first discovered a campaign in late April using several malicious files very likely intended for users in Ukraine, based on the content of the lure displayed when the target opens a malicious Microsoft Excel file. Talos eventually uncovered additional campaigns, including the two previously mentioned by Ukraine’s Computer Emergency Response Team (CERT-UA) and FortiGuard Labs researchers. The campaigns we discovered also involve malicious files intended for users in Poland.

The actor is focusing on Ukrainian and Polish government and military targets, based on the content of Excel and PowerPoint lures that include official-looking images and text. The purpose of these socially engineered lures is to convince the targeted users to enable macros, thereby allowing the execution chain to commence. This is the first stage of the attack, as demonstrated in the timeline below.

Timeline of the various attacks.

Stages of the attack: The lure entices the user to enable macros that infect the system

Of the two file types, the PowerPoint files are more unusual in that they would not show any actual slides when opened, but would still execute the malicious VBA code, a finding consistent with CERT-UA’s analysis. Talos is currently researching whether the file’s failure to open is because they are intentionally corrupted. In any case, the VBA code still runs whenever the files are executed. Based on the files’ thumbnail images – the only content visible in the Windows Explorer window – the PowerPoint files imitate Ukraine’s Ministry of Defence and Poland’s Ministry of National Defence. The image below shows the thumbnail images indicating the campaign’s victims.

Thumbnail images show themes used by PowerPoint lures in these campaigns by the actor.

As opposed to the PowerPoint documents that did not display any slides in our testing environments, all Excel documents display legitimate-looking documents related to the targeted military organizations, or generic descriptions on how to enable VBA macro functionality in Excel. The VBA code in the Excel and PowerPoint-based campaigns displays a high level of similarity. The content of one of the Excel lures is shown below and contains the form for calculating salary payments (cash certificates) for soldiers of a specific military unit.

September 2022 campaign uses a lure that purports to be an official document from the Ukrainian Ministry of Defence.

The actor returned with a new campaign on July 4, 2023. The lure contains a payment instruction form containing VBA code, which appears to have been sent from the State Treasury Service of Ukraine. The content of the form is legitimate and targets Ukrainian government organizations, as seen in the image below. The form also contains legitimate macro code modified by the attacker to call malicious subroutines. It seems that the legitimate macro code is used to calculate some values in the spreadsheets, but the legitimate functions are changed to call the function that starts the infection process.

**Ukrainian and Polish businesses, general users also targeted**

The generic campaigns are aimed at various civilian targets in Poland and Ukraine, such as with Excel spreadsheet lures masquerading as value-added tax (VAT) return forms. Others include Excel spreadsheets that contain socially engineered instructions on how to enable macros in Excel so that the malicious VBA code can be executed. These two lures are shown below, respectively.

April 2023 campaign targeting business users in Poland with a fake VAT return form.

The majority of the Excel campaigns show some element of luring the user to enable macros in Excel with specific content using Ukrainian language.

**Attacks start with VBA code to decode the next malware stage**

All campaigns start with Microsoft Office documents, which are possibly sent to the targets as email attachments. In most cases, the file is an Excel spreadsheet containing a VBA macro, but we also found four instances where a malicious PowerPoint OLE2 (PPT) file was used, possibly indicating the actor's readiness to use file formats less commonly used in attacks.

VBA code is responsible for dropping the downloader executable or DLL.

The VBA code in all files is similar, with minor variations, where some functions serve a legitimate purpose (e.g., some functions for conversion of strings into numbers in Excel). The code is obfuscated, using an obfuscator script, based on the fact that some comments the actor didn’t strip are also obfuscated when the words written in the comments are not recognized as a part of the VBA syntax.

As seen below in the image, the obfuscator randomizes function and variable names but makes the mistake of not recognizing the comments (in green).

Randomized code comments show the code was likely obfuscated by an automated tool.

The code contains the next stage stored as hexadecimal encoded strings and is split into multiple strings so that an antivirus scan would not detect the content as potentially malicious. There are three main subroutines: the first is launched when the document is opened (e.g., Auto\_Open, Workbook\_Open), the second creates a randomly named dynamic loading library (DLL) file in the user’s temporary files folder, and the third creates a randomly named shortcut (LNK) file which contains code to run regsvr32.exe (or rundll32.exe) to launch the next stage.

The name of the shortcut file, depending on the campaign, is either randomly generated by a random string generator function or hardcoded in the macro code. In some campaigns, the random names are generated by a specific function in the VBA code. The screenshot above shows the function that generates a random string of variable length, specified in the function argument.

One subroutine calls the DLL dropper, LNK creation and launch routine.

Earlier campaigns used an executable downloader, while the later ones used DLLs for the next stage.

In some instances, two randomly generated bytes are added to the end of the file, which invalidates the detection of the dropped files using simple checksum-based techniques.

In some cases randomly generated bytes are added to the end of the dropped file.

The July 2023 campaign has a slightly modified infection chain. The dropper first creates a shortcut file but the dropped DLL is launched with rundll32.exe instead of regsvr32.exe. Once the initial export is called (in this case, the legitimately named function IETrackingProtectionEnabled), the downloader will copy itself and call regsvr32.exe with parameters “/u /s” to automatically call the function for unregistering COM servers DllUnregisterServer.

Eventually, when the DLL is copied into its final path, rundll32.exe is used to call the exported function SetQueryNetSessionCount, which downloads the next stage. The final payload of the July 2023 campaign is njRAT, which increases our confidence that the threat actor's goals are information stealing and remote control of the targeted systems. NjRAT is an open-source remote access trojan (RAT) whose source code is freely available and is used by commodity actors and APTs, making the process of attribution more difficult.

July 2023 campaign's main malicious VBA function is Data\_Open.

**Obfuscated downloader retrieves an image containing the payload**

The next stage is a Portable Executable (PE) file, an executable or a DLL file. ConfuserEx obfuscator, an obfuscator that is very commonly used by malicious actors to obfuscate .NET code, is used with various levels of obfuscation, anti-tampering and anti-debugging, which makes the unpacking more difficult for malware researchers. CERT-UA named the downloader PicassoLoader.

All downloaders attempt to download an image file from a URL. Depending on the campaign, the final payload or the third intermediate stage is appended as an encrypted binary blob to the end of the image. The image will still display in viewers but the downloader will extract the executable content using the appropriate decryption key and the decryption algorithm.

The encrypted next-stage blob is appended to the end of a JPEG image.

The downloader uses managed AES (Rijndael algorithm) to decrypt the appended data which is then reflectively loaded as a byte array using the Assembly.Load function as seen below. The decryption key and the initialization vector are either stored as obfuscated strings in the body of the downloader or calculated as an MD5 checksum of the downloaded image file.

The downloader first decrypts the third stage and then loads it using the Assembly.Load function.

The code to download the next stage is in constant development. In earlier versions, the call to the Assembly.Load function is fairly easy to spot. In the later campaigns, the actor has chosen to add a layer of obfuscation and use the RuntimeBinder.Binder functionality to find and invoke functions for downloading, decryption and loading.

Later variants of the downloader use Binder to invoke functions.

Earlier variants use RijndaelManaged implementation of AES decryption routine to decrypt the next stage, while the variant from April 2023 uses a simplified variant of RC4 to decrypt the payload appended to an image file. The variant from July 2023 returns to RijndaelManaged.

Managed Rijndael is used to decrypt the third stage.

Simplified RC4 is used to decrypt the third stage in April 2023.

Most of the URLs and the infrastructure were not accessible at the time of analysis, although we managed to obtain images from three campaigns to recreate the infection chain. Our analysis triggered exceptions in the decryption process, so it is possible that the image files we obtained were corrupted or that the implementation of decryption in some of the downloaders was incorrect.

Nevertheless, previous analyses by CERT-UA and FortiGuard Labs indicate that final payloads, which included AgentTesla and Cobalt Strike, were used for information theft and remote access to infected systems.

July 2022 image with the next-stage campaign targeting Ukrainian government organizations.

Payload-carrying image used in September 2022 campaign.

Payload-carrying image used in April 2023 campaign.

**Coverage**

Ways our customers can detect and block this threat are listed below.

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.

Cisco Secure Network/Cloud Analytics (Stealthwatch/Stealthwatch Cloud) analyzes network traffic automatically and alerts users of potentially unwanted activity on every connected device.

Cisco Secure Malware Analytics (formerly Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.

Umbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

**The following ClamAV signatures are applicable to this threat:**

*   Doc.Malware.Corona-10003975-0
*   Win.Downloader.DotNETEncryptedJPEG-10006210-0
*   Win.Downloader.DotNETEncryptedJPEG-10006211-0
*   Win.Downloader.DotNETEncryptedJPEG-10006212-0
*   Win.Downloader.DotNETEncryptedJPEG-10006213-0
*   Win.Downloader.DotNETEncryptedJPEG-10006214-0
*   Win.Downloader.DotNETEncryptedJPEG-10006215-0
*   Win.Downloader.DotNETEncryptedJPEG-10006216-0
*   Win.Downloader.DotNETEncryptedJPEG-10006217-0
*   Win.Downloader.DotNETEncryptedJPEG-10006218-0
*   Win.Downloader.DotNETEncryptedJPEG-10006219-0
*   Win.Downloader.DotNETEncryptedJPEG-10006220-0
*   Win.Downloader.DotNETEncryptedJPEG-10006221-0
*   Win.Downloader.DotNETEncryptedJPEG-10006222-0
*   Img.Dropper.Agent-10006223-0
*   Img.Dropper.Agent-10006224-0
*   Xls.Dropper.Corona-10006204-0
*   Xls.Dropper.Corona-10006205-1
*   Xls.Dropper.Corona-10006207-0
*   Xls.Dropper.Corona-10006205-1
*   Ole2.Dropper.Corona-10006206-1
*   Xls.Dropper.Corona-10006207-1
*   Ole2.Dropper.Corona-10006209-0
*   Win.Trojan.Generic-6417450-0

**Indicators of Compromise (IOC)**

Indicators of Compromise associated with these threats can be found here.