A vulnerability, TALOS-2023-1727 (CVE-2023-1424), exists in the device’s MELSOFT Direct functionality that is triggered if an adversary sends the targeted device a specially crafted network packet.

Friday, May 26, 2023 15:05

Cisco Talos recently discovered a memory corruption vulnerability in the Mitsubishi MELSEC iQ-F FX5U programmable logic controller that is caused by a buffer overflow condition.

The iQ-F FX5U is one offering in Mitsubishi’s MELSEC PLC line of hardware that comes with a built-in processor, power supply, Ethernet and 16 I/O points. Users can configure this PLC to host multiple network services, such as an HTTP Server, FTP Server, FTP Client, MODBUS/TCP interface and other Mitsubishi-specific protocols.

A vulnerability, TALOS-2023-1727 (CVE-2023-1424), exists in the device’s MELSOFT Direct functionality that is triggered if an adversary sends the targeted device a specially crafted network packet.

This buffer overflow condition could lead to a denial-of-service condition within the RTOS task responsible for parsing the MELSOFT Direct protocol, and potentially give the adversary the ability to execute remote code on the targeted device.

Cisco Talos worked with Mitsubishi to ensure this vulnerability is resolved and an update is available for affected customers, all in adherence to Cisco’s vulnerability disclosure policy.

Users are encouraged to update these affected products as soon as possible: Mitsubishi Electric Corp. MELSEC iQ-F FX5U, versions 1.240 and 1.260. Talos tested and confirmed these versions of the controller could be exploited by this vulnerability, however, Mitsubishi also stated in its advisory that versions 1.220 and later are affected.

The following Snort rules will detect exploitation attempts against these vulnerabilities: 61432 and 61433. Additional rules may be released in the future and current rules are subject to change, pending additional vulnerability information. For the most current rule information, please refer to your Cisco Secure Firewall Management Center or Snort.org.

Memory corruption vulnerability in Mitsubishi PLC could lead to DoS, code execution

What are web shells? And why are attackers increasingly using them in their campaigns? We break it down in this blog.

Friday, May 26, 2023 08:05

_Editor's note: The Need to Know is a new series from Talos, which focuses on cybersecurity terms, threats, tools and tactics that are discussed in our broader threat research. Think of this as a living encyclopedia of security terms and trends._

Cisco Talos Incident Response recently released our 2023 Q1 Incident Response Quarterly Trends report. One of the most noteworthy trends was the prolific use of web shells in cyberattacks.

In fact, not only were web shells the most observed threat overall, but they also appeared in almost a quarter of all incidents. That’s a marked increased from our previous trends report (the usage growing from 6% to 25%).

You may be wondering, why is that? Or maybe, what are web shells? And why do attackers use them in their campaigns? Let’s break it down:

**What are web shells?**

A web shell is a tool that bad actors may use to interact with and maintain access to a system, after an initial compromise\[M(1\] . It takes the form of a web script (a piece of code) which is then uploaded to a vulnerable system. Afterwards, it can be used to interact with the underlying operating system.

The complexity of modern systems, especially websites that may include third-party software or libraries (that, in turn, make many outbound connections), means that malicious scripts that threat actors use for initial access, are easily missed.

After that initial access, malicious web scripts can leverage exploitation techniques, or are used to carry out further attacks.

**How are web shells typically used in attacks?**

Attackers will look for vulnerabilities within a system to find the best place (as far as they are concerned) to drop a web shell (or in many cases, multiple shells). Those vulnerabilities might be in a website content management system or an unpatched web server, for example.

The point of this is to establish a foothold to gain persistent access to a system. Imagine you’ve built a secret door that no one else knows about – you have the key, so you can return as often as you like.

Adversaries then have several options in front of them, depending on their ultimate motivation. We’ve seen them remotely execute arbitrary code or commands, as well as move laterally within the network, or deliver additional malicious payloads.

As noted in the Talos Q1 2023 Incident Response report, exploitation of public-facing applications was the top observed initial access technique, with the increased web shell activity likely contributing to this significant observation.

**Notable example: China Chopper**

China Chopper is a web shell that allows attackers to retain access to an infected system using a client side application, which contains all the information required to control the target.

In 2019, due to its significant use over the previous two years (including espionage campaigns), two Talos researchers took a closer look at the China Chopper web shell. They explored several cases studies where China Chopper was used.

**How can you detect web shells?**

A web shell will often leave sticky fingerprints at the scene. An intrusion prevention system such as Snort can help detect if an attacker has used a tool like a web shell to gain remote access.

Cisco Secure Network Analytics can help uncover rogue connections, as can Cisco Umbrella by blocking malicious connections at the DNS level.

Organizations should deploy endpoint detection and response tools such as Cisco Secure Endpoint, which gives users the ability to track process invocation and inspect processes.

**Prevention recommendations**

The increase in web shell engagements highlights the need for more awareness and protections in helping to prevent web shells. Talos provides the following recommendations:

· Routinely update and patch all software and operating systems to identify and remediate vulnerabilities or misconfigurations in web applications and web servers.

· In addition to patching, perform general system hardening, including removing services or protocols where they are unnecessary and being aware of all systems exposed directly to the internet.

· Disable unnecessary php functions in your “php.ini”, such as eval(), exec(), peopen(), proc\_open() and passthru().

· Frequently audit and review logs from web servers for unusual or anomalous activity.

Read the full 2023 Q1 Talos Incident Response Quarterly Trends report\[MOU2\]

What is a web shell?

Steam, the most popular video game storefront on PCs, only recently announced that it was ending support for Windows 7 and 8, and even then, it won’t be official until January.

Thursday, May 25, 2023 14:05

Welcome to this week’s edition of the Threat Source newsletter.

As a longtime macOS user, I must admit I’m behind the times when it comes to Microsoft Windows. Since buying a Steam Deck, I’ve actually come to learn more about Linux and the Proton compatibility layer than I ever did about Windows.

But it still came as a shock to me this week when I uncovered a weird trend on social media: People bragging about still using Windows 7.

Microsoft stopped putting out free security updates for Windows 7 in January 2020 and only more recently stopped offering its paid Extended Security Updates (ESU). The company explicitly told users at the beginning of this year that it was unsafe to continue to keep using Windows 7 and that users should upgrade to Windows 10 or use a new machine that can run Windows 11.

Yet I still found an entire subreddit dedicated to keeping Windows 7 up and running on computers and countless posts promoting how well the 13-year-old operating system runs with modern GPUs and graphics cards.

Steam, the most popular video game storefront on PCs, only recently announced that it was ending support for Windows 7 and 8, and even then, it won’t be official until January. And Roblox, which is quietly one of the biggest video games in the world, only recently ended support for Windows 7 and 8.

I’m sure there are other examples of this among other types of software, but video games are the most specific corner of the internet I’m in, so that’s my frame of reference.

The moral of the story here is that using Windows 7 to do anything, but especially connecting to the internet (which is required to download and play video games) is a terrible idea. Attackers are always targeting outdated operating systems because they’re the most likely to be unpatched and vulnerable.

Running an operating system that is no longer receiving any type of security updates is extremely dangerous. If infected, that single machine could also be used as a springboard for the attacker to target and infect other machines on your network.

Since the start of this year, there have been 47 vulnerabilities discovered in Windows 7, according to the U.S.’s National Institute of Standards and Technology Vulnerability Database. There are even more security issues with third-party software running on Windows 7.

Just because something is old, doesn’t mean that attackers aren’t paying attention anymore. Without official support or security updates for Windows 7, Microsoft is no longer compelled to disclose formal vulnerabilities with CVEs attached to inform users about any security holes in the operating system.

Upgrading a PC or buying a new one is expensive, I get it. But Windows 7 isn’t a novelty anymore, it’s a security risk. If you feel like you absolutely have to keep Windows 7 running on a machine for some reason, make sure it is isolated from your network or just doesn’t connect to the internet at all.

But more preferably, upgrade to Windows 10. If you’re already using Windows 7, it’s free, and likely whatever hardware you’re using can support Windows 10. If you’re starting from scratch, many online stores have deeply discounted product keys for Windows 10 or 11 for $20 or less — just make sure to download the ISO directly from Microsoft still.

**The one big thing**

Montana recently became the first state in the U.S. to ban the app TikTok, though the law still has a long way to go before it can be enforced. The state’s governor signed a bill last week that prohibits mobile application stores from offering the app in the state by the start of 2024, or else they’ll face fines. However, it’s currently unclear if it’s even feasible for Montana to enforce this ban, as app stores don’t geofence certain applications on its stores, and internet service providers are exempt from having to enforce these rules. TikTok has recently become a target for Republican lawmakers over concerns that its Chinese-backed parent company is collecting and using Americans’ data. TikTok and popular TikTok creators in Montana have already sued the state to stop the law.

**Why do I care?**

Even if you are not an active TikTok user, the ban is noteworthy because it has major implications for American law and the enforcement of the First Amendment in the U.S. Opponents of Montana’s bill say it's a clear violation of the First Amendment. The various legal challenges are likely going to shift through the legal system for months, but any eventual decisions could influence how states view banning certain technology or even books and movies.

**So now what?**

There are many questions still unanswered about how this ban will work or whether it will stand. So for now, interested parties can’t do much but sit back and wait for the legal proceedings to play out.

**Top security headlines of the week**

Apple released a security update for many of its devices last week that **fixed three zero-day vulnerabilities in the WebKit browser engine.** A few days after the patches initially dropped, security researchers also discovered the updates addressed a different vulnerability known as “ColdInvite” (CVE-2023-27930). An attacker could exploit ColdInvite to attack a co-processor chip on iPhones and escape its isolation environment, eventually accessing the iPhone’s kernel. The three WebKit vulnerabilities affect some iPhones and iPads. CVE-2023-28204, CVE-2023-32373 and CVE-2023-32409 could be exploited to escape the Web Content sandbox. Google’s Threat Analysis Group and Amnesty International co-reported CVE-2023-32409, which led many security experts to speculate means attackers exploited this issue to spread spyware. (SecurityWeek, Forbes)

**Two popular Android set-top TV boxes sold on Amazon are preloaded with malware** that quietly generates revenue for the manufacturers in the background. The devices click on ads while running without the user knowing and connect to a global botnet of other infected Android devices around the globe. Despite the reported security issues, the devices were still for sale on Amazon as of earlier this week. However, the security researcher who discovered this botnet worked with the internet company hosting the command and control servers that sent directions to devices part of the botnet to take those servers down. However, that doesn’t mean the botnet or ad-click malware could never come back — the easiest solution for users is to replace the devices immediately. (TechCrunch, ArsTechnica)

Security researchers are concerned that **two new top-level domains from Google — .zip and .mov — will cause confusion among users and potentially open the door for scammers.** Because these new TLDs (like .com, .gov, .uk, etc.) are the same as popular file extensions, adversaries could disguise legitimate-looking file names and actually send people to a malicious web address without the user knowing that it could even be a web page. They could also be used to create legitimate-looking URLs that match that of a real website but just add one character in a long string, eventually pointing people to a malicious file or site. However, Google says it's actively monitoring for domain abuse. (Wired, Ars Technica)

**Can’t get enough Talos?**

*   Highlights of Talos IR On Air: Reviewing Q1's top threats
*   Beers with Talos Ep. #135: The XDR Files
*   Talos Takes Ep. #139: RA Group is just the latest example of the ransomware landscape splintering

*   Beers with Talos Ep. #136: Oh hello, “Susan”

**Upcoming events where you can find Talos**

**Cisco Live U.S. (June 4 - 8)**

Las Vegas, NV

**Discover Cyber Workshop for Women** **(June 8)**

Doha, Qatar

**REcon (June 9 - 11)**

Montreal, Canada

**Most prevalent malware files from Talos telemetry over the past week**

  
**SHA 256:** 856777e16c153722ebd3f389197d4b6482f8afb2e51345e1ab19760c486c3f78  
**MD5:** c720ac483a5752c2b69945a8ad673162  
**Typical Filename:** DOC001.exe  
**Claimed Product:** N/A  
**Detection Name:** DeepScan:Generic.BitcoinMiner.9.88FBC400

**SHA 256:** e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934  
**MD5:** 93fefc3e88ffb78abb36365fa5cf857c  
**Typical Filename:** Wextract  
**Claimed Product:** Internet Explorer  
**Detection Name:** PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg

**SHA 256:** 5616b94f1a40b49096e2f8f78d646891b45c649473a5b67b8beddac46ad398e1  
**MD5:** 3e10a74a7613d1cae4b9749d7ec93515  
**Typical Filename:** IMG001.exe  
**Claimed Product:** N/A  
**Detection Name:** Win.Dropper.Coinminer::1201

**SHA 256:** 00ab15b194cc1fc8e48e849ca9717c0700ef7ce2265511276f7015d7037d8725  
**MD5:** d47fa115154927113b05bd3c8a308201  
**Typical Filename:** mssqlsrv.exe  
**Claimed Product:** N/A  
**Detection Name:** Trojan.GenericKD.65065311

**SHA 256:** e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c  
**MD5:** a087b2e6ec57b08c0d0750c60f96a74c  
**Typical Filename:** AAct.exe  
**Claimed Product:** N/A  
**Detection Name:** PUA.Win.Tool.Kmsauto::1201

It’s apparently hip to still be using Windows 7

Commercial spyware use is on the rise, with actors leveraging these sophisticated tools to conduct surveillance operations against a growing number of targets. Cisco Talos has new details of a commercial spyware product sold by the spyware firm Intellexa (formerly known as Cytrox).

Mercenary mayhem: A technical analysis of Intellexa's PREDATOR spyware

The work is always going to be there, whether you take a day or a week off. Unfortunately, the cybersecurity community at large is not going to stop cybercrime overnight.

Thursday, May 18, 2023 14:05

Welcome to this week’s edition of the Threat Source newsletter.

You probably already know this by now, but May is Mental Health Awareness Month across the globe.

Many people will apply this time of reflection and education to their personal lives — it’s easy to discuss anxiety, depression and other mental health concerns when it comes to things like personal relationships, friendships, family and how you express yourself.

I think not enough of us are applying the discussions we have every May to work, though. After all, many of us spend more than half our day working, and probably even more than that, thinking about work. And yes, it’s important to maintain healthy relationships around you and share your feelings with loved ones openly, but I would like us all to start being more honest about how work can affect our mental health.

This is particularly a problem in the cybersecurity industry, where burnout is constantly a cloud hanging over the workforce. A study last year from email security company Mimecast found that 84 percent of cybersecurity professionals are experiencing some form of burnout and it’s impeding their motivation at work.

And the Australian non-profit Cybermindz also found cybersecurity workers ranked their “professional efficacy,” or how well they feel they’re performing in their current role, lower than the general population — this is a key metric used to measure burnout in each industry.

I feel this is a problem in cybersecurity for several reasons: it seems like defenders can never take a day (or even an hour) off without something “hitting the fan,” the work can often be incredibly high-stakes and there is the ghost of social media always hanging over our head to be the “first” to find something or always needing to add something witty or insightful to the conversation of the day.

I would certainly not call myself a cybersecurity practitioner, per se, so I don’t have much hands-on experience with this. But I know from talking to teammates as part of my Researcher Spotlight blog series how important it is to have other interests outside of work.

And while I can’t say I’m personally experiencing burnout at work, I have dealt with anxiety for pretty much my entire life and have attended talk therapy on and off over the past few years and currently take medication to manage my various mental health conditions. That makes me feel somewhat empowered to say: It’s OK to take a break.

This is something Talos VP Matt Watchinski said in a conversation with Hazel Burton and I this week that we recorded for an upcoming episode of Talos Takes. The work is always going to be there, whether you take a day or a week off. Unfortunately, the cybersecurity community at large is not going to stop cybercrime overnight. And the threat of state-sponsored actors is not going to be solved by a single botnet takedown.

I would encourage everyone to have harder barriers up around their work and personal lives. Take up a new hobby or find a way to get outside. For example, Azim Khodjibaev is a rowing coach. Giannis Tziakouris from Cisco Talos Incident Response scuba dives. Watchinski has shooting sports.

Find your thing that is not explicitly work — because the work will be there when you get back, I promise.

**The one big thing**

A new ransomware actor we’re calling “RA Group” has been active for about a month, already targeting organizations across multiple sectors in the U.S. and South Korea. Talos researchers believe with high confidence that the group is using altered leaked source code from the Babuk ransomware family. The group is launching double extortion attacks. Like other ransomware actors, RA Group also operates a data leak site in which they threaten to publish the data exfiltrated from victims who fail to contact them within a specified time or do not meet their ransom demands.

**Why do I care?**

The actor is swiftly expanding its operations. To date, the group has compromised three organizations in the U.S. and one in South Korea across several business verticals, including manufacturing, wealth management, insurance providers and pharmaceuticals. Since ransomware continues to be one of the top security threats all industries face, it’s always important to keep an eye out for new groups that pop up.

**So now what?**

The Talos blog outlines several ways that Cisco Secure products and Talos open-source software can detect and block RA Group’s activities.

**Top security headlines of the week**

**Global governments are being urged to take a more aggressive stance on spyware regulation.** The European Union has agreed to work on standards around the purchase and use of these types of tracking software, which often target vulnerable populations and industries like activists and journalists. A special European Parliament committee voted this week to ban the sale, acquisition, or use of spyware while the broader EU works on these new guidelines. In the U.S., some government agencies have still been attempting to use spyware, such as tools from the infamous NSO Group, despite bans on spyware from the Biden administration. Reporters from the New York Times found at least one government contract with Paragon, another Israeli software developer that makes spyware but is not as widely known as the NSO Group. (New York Times, The Guardian)

**A recent ransomware attack against Micro-Star International (MSI), including the theft of UEFI signing keys, is already having wide-ranging effects** across the security industry. MSI does not have a way to retract the keys after they were leaked onto the dark web, leading to fears of future supply chain attacks. Attackers could hypothetically inject malicious updates into legitimate software, using the MSI keys to sign them. MSI Keys are trusted by default by many end-user devices. Security researchers found that some of the keys work for the Intel BootGuard firmware-verification technology that runs on devices made by several different manufacturers. The Money Message ransomware group first claimed responsibility for the ransomware attack in April when it listed MSI as a new victim on its leak site and published screenshots purporting to show private encryption keys, source code and other data. (Decipher, Ars Technica)

**Twitter announced it was rolling out end-of-end encryption for its direct messages, though several security holes remain.** The company appears to not have actually completed a security audit of its DMs that it claimed it had, and the messages are still vulnerable to man-in-the-middle attacks. One security researcher also says it’s easy for Twitter employees to potentially hijack messages by adding their own keys to a list that are approved to read the messages. Encryption is also a paid feature — both users partaking in the messages must be either Twitter Blue subscribers or a verified organization on Twitter. Group conversations are also not included in this encryption process. Security and privacy experts say users who are looking for secure messaging should stick to encrypted apps like Telegram and Signal. (ZDNet, The Verge)

**Can’t get enough Talos?**

*   Talos Takes Ep. #138: What makes “Greatness” so great?
*   Beers with Talos Ep. #135: The XDR files
*   RA Group uses leaked Babuk code to attack companies in the US, South Korea
*   Cisco warns of new ‘Greatness’ phishing-as-a-service tool seen in the wild
*   New 'Greatness' service simplifies Microsoft 365 phishing attacks

**Upcoming events where you can find Talos**

**BSidesFortWayne** **(May 20)**

Fort Wayne, IN

**Threat Modeling webinar: Applying a Threat Informed Defense (May 23)**

Virtual

**Cisco Live U.S.** **(June 4 - 8)**

Las Vegas, NV

**Discover Cyber Workshop for Women (June 8)**

Doha, Qatar

**REcon** **(June 9 - 11)**

Montreal, Canada

**Most prevalent malware files from Talos telemetry over the past week**

  
**SHA 256:** 59f1e69b68de4839c65b6e6d39ac7a272e2611ec1ed1bf73a4f455e2ca20eeaa  
**MD5:** df11b3105df8d7c70e7b501e210e3cc3  
**Typical Filename:** DOC001.exe  
**Claimed Product:** N/A  
**Detection Name:** Win.Worm.Coinminer::1201

**SHA 256:** 5616b94f1a40b49096e2f8f78d646891b45c649473a5b67b8beddac46ad398e1  
**MD5:** 3e10a74a7613d1cae4b9749d7ec93515  
**Typical Filename:** IMG001.exe  
**Claimed Product:** N/A  
**Detection Name:** Win.Dropper.Coinminer::1201

**SHA 256:** e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934  
**MD5:** 93fefc3e88ffb78abb36365fa5cf857c  
**Typical Filename:** Wextract  
**Claimed Product:** Internet Explorer  
**Detection Name:** PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg

**SHA 256:** 7c8e1dba5c1b84a08636d9e6f225e1e79bb346c176e0ee2ae1dfec18953a1ce2  
**MD5:** 3e0fb82ed8ea6cd7d1f1bb9dca5f2bdc  
**Typical Filename:** PDFShark.exe  
**Claimed Product:** PDFShark  
**Detection Name:** Win.Dropper.Razy::95.sbx.tg

**SHA 256:** e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c  
**MD5:** a087b2e6ec57b08c0d0750c60f96a74c  
**Typical Filename:** AAct.exe  
**Claimed Product:** N/A  
**Detection Name:** PUA.Win.Tool.Kmsauto::1201

It’s really OK to take a break sometimes, especially in security

Cisco Talos recently discovered a new ransomware actor called RA Group that has been operating since at least April 22, 2023.

Monday, May 15, 2023 08:05

*   Cisco Talos recently discovered a new ransomware actor called RA Group that has been operating since at least April 22, 2023.
*   The actor is swiftly expanding its operations. To date, the group has compromised three organizations in the U.S. and one in South Korea across several business verticals, including manufacturing, wealth management, insurance providers and pharmaceuticals.
*   Talos assesses with high confidence that RA Group is leveraging leaked Babuk ransomware source code.

**Who is the RA Group?**

Talos recently discovered a new ransomware actor, RA Group, who emerged in April 2023 and seems to be using leaked Babuk source code in its attacks. After an alleged member of the Babuk group leaked the full source code of its ransomware in September 2021, various ransomware families have emerged leveraging the leaked Babuk code. Talos has compiled a timeline of these attacks conducted by different actors using ransomware families that branched off the leaked source code.

Timeline of ransomware families leveraging leaked Babuk ransomware code.

The group is launching double extortion attacks. Like other ransomware actors, RA Group also operates a data leak site in which they threaten to publish the data exfiltrated from victims who fail to contact them within a specified time or do not meet their ransom demands. This form of double extortion increases the chances that a victim will pay the requested ransom.

22 April 2023

27 April 2023

RA Group leak site contents April 22 - 28, 2023.

This actor is expanding its operations at a fast pace. RA Group launched their data leak site on April 22, 2023, and on April 27, we observed the first batch of victims, three in total, followed by another one on April 28. We also observed the actor making cosmetic changes to their leak site after disclosing the victim’s details, confirming they are in the early stages of their operation.

Example of a post with victim details.

In their leak site, RA Group discloses the name of the victim's organization, a list of their exfiltrated data and the total size, and the victim’s official URL, which is typical among other ransomware groups’ leak sites. The RA Group is also selling the victim’s exfiltrated data on their leak site by hosting the victims’ leaked data on a secured Tor site.

RA Group’s victims’ data hosting site. 

RA Group also provides URLs to download the full file listings of the victim’s data on their leak site.

Example of full victim’s data file list for download. 

RA Group uses customized ransom notes, including the victim’s name and a unique link to download the exfiltration proofs. After activating the ransomware executable on the victim’s machine, the actor drops the ransom note file called “How To Restore Your Files.txt.”

Based on the ransom notes we analyzed, if the victim fails to contact the actors within three days, the group leaks the victim’s files. The victims can confirm the exfiltration of their information by downloading a file using the gofile\[.\]io link in the ransom note.

Sample of a ransom note.

**RA Group ransomware code appears highly customized**

RA Group deploys their ransomware with a built-in ransom note specifically written to each victim with their name on it, a common practice among ransomware groups. However, it is unusual that RA Group names the victim in the executable, as well.

Our analysis shows that RA Group’s ransomware sample is written in C++ and was compiled on April 23, 2023. The binary has the debug path “C:\\Users\\attack\\Desktop\\Ransomware.Multi.Babuk.c\\windows\\x64\\Release\\e.pdb”. It contains the same mutex name as the Babuk ransomware, supporting our high-confidence assessment that RA Group built their ransomware using Babuk’s leaked source code.

RA Group’s code showing the mutex name is the same as that of Babuk ransomware. 

RA Group’s ransomware executable uses the cryptography scheme with curve25519 and eSTREAM cipher hc-128 algorithm for encryption. This process encrypts only a certain part of the source file’s contents, not the entire file. It uses WinAPI CryptGenRandom to generate cryptographically random bytes used as a private key for each victim. After encrypting the files, the ransomware appends the file extension “.GAGUP” to the encrypted files on the victim’s machine.

The ransomware deletes the contents of the victim machine’s Recycle Bin with the API SHEmptyRecyclebinA. It deletes the volume shadow copy by executing the local Windows binary vssadmin.exe, an administrative tool used to manipulate shadow copies.

The function that deletes the volume shadow copies on the victim’s machine. 

The ransomware enumerates every logical drive on the victim’s machine by comparing logical drive letters with the list of drive letter strings in the binary and mounts the identified drives to perform the encryption process. RA Group’s malware enumerates the network shares and available network resources on the victim’s machine using the APIs NetShareEnum, WNetOpenEnumW and WNetEnumResourceW to encrypt files on the remotely mapped drives of other machines or servers.

The function enumerates the local drives and the network shares.

The ransomware does not encrypt all files and folders. The image below shows the hardcoded list of folders the malware won’t encrypt so the victim can contact the RA Group operators.

Hardcoded folders name to exclude during encryption. 

These files and folders are necessary for the system to work properly and to allow the victims to download the qTox application and contact RA group operators using the qTox ID provided on the ransom note.

**Coverage**

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.

Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. Snort SIDs for this threat are 61761-61764 for Snort 2 and 300543-30054 for Snort 3.

ClamAV detections are available for this threat:

Win.Ransomware.Babuk-9819006-0

**Indicators of Compromise**

Indicators of Compromise associated with this threat can be found here.

Newly identified RA Group compromises companies in U.S. and South Korea with leaked Babuk source code

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between May 5 and May 12. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key

Threat Roundup for May 5 to May 12

A ransomware attack on the city of Dallas, Texas is still disrupting many social services as of Wednesday, including hampering police communications and operations and potentially putting personal information at risk.

Thursday, May 11, 2023 14:05

Welcome to this week’s edition of the Threat Source newsletter.

I wrote a few weeks ago about how, between the public and private sectors, the security community was making some strides in fighting back against ransomware.

Reports indicate that revenue for ransomware actors was down in 2022, and recent disruptions to larger ransomware networks like Hive have at least forced some actors offline for now.

It seems like if you were to survey various cybersecurity researchers, thought leaders and policymakers, there is a mixed consensus on whether ransomware is still the biggest problem defenders still face today.

The White House and U.S. Department of Justice seem bullish on their efforts to shut down ransomware gangs and dark web sites.

But recently, I’ve noticed that ransomware is still making headlines. This is completely anecdotal, but recent major examples come to mind:

*   A ransomware attack on the city of Dallas, Texas is still disrupting many social services as of Wednesday, including hampering police communications and operations, and potentially putting personal information at risk.
*   Ransomware group BlackCat claims it was responsible for an attack on Western Digital, a computer drive manufacturer, including stealing partial credit card numbers from customers.

*   San Bernadino County in California paid $1.1 million to resolve a ransomware incident.
*   Capita, a U.K.-based outsourcing and professional services company, says a recent ransomware attack on its systems could cost the company up to $25 million, without saying whether that includes a ransom payment.

These are just a handful of examples of recent ransomware attacks, but these stories have made me rethink my stance on where we stand with ransomware in 2023. I am trying to look for the space where both things can be true — ransomware may not be as profitable for actors as it once was, but the volume of attacks may not be changing all that much.

As education around ransomware, cyber insurance and whether to pay a requested ransom improves, a company hit with ransomware may be better prepared to rebound and recover faster than they were in, say, 2020.

Many companies are now keeping incident response teams (like Talos IR) on retainer to help in real-time with attacks, and with everyone shouting from the rooftops about the importance of backups, ransomware victims may be less likely to pay the ransom than they once were and simply rely on backups and Golden Images to recover quickly and resume normal business operations.

It’s too soon to make definitive statements about ransomware in 2023, but I’ll definitely be interested to see the next round of “Year in Review” reports come February 2024 to find out if ransomware is still the one thing we should all be talking about.

**The one big thing**

Talos researchers have discovered a new phishing-as-a-service tool called “Greatness” that’s being used in the wild to target businesses across multiple continents. Greatness incorporates features seen in some of the most advanced PaaS offerings, such as multi-factor authentication (MFA) bypass, IP filtering and integration with Telegram bots.

**Why do I care?**

Greatness creates convincing phishing pages to steal Microsoft Office login credentials from large organizations. Since it’s an “as a service” tool, anyone could conceivably purchase access to this tool. We’ve already seen it be used in attacks dating back to mid-2022 so there’s no reason to believe this threat won’t be around for a while.

**So now what?**

Although Greatness is a new and advanced phishing threat, detection and prevention essentially remain the same as with all phishing and spam threats. All organizations should have education in place to teach users about the dangers of phishing and how to spot illegitimate emails, attachments and links.

**Top security headlines of the week**

Newer exploit code for the critical PaperCut vulnerability is **now available that bypasses existing detection.** The vulnerability, tracked as CVE-2023-27350, is an unauthenticated remote code execution vulnerability in PaperCut MF or NG versions 8.0 or later that attackers have actively used in ransomware attacks. Exploit code first became available several weeks ago, and the new POC can bypass Sysmon-based detections that are already in place. Microsoft security researchers also say that two Iranian state-sponsored actors are now exploiting the vulnerability in the PaperCut MF/NG print management software: MuddyWater and Charming Kitten. The vulnerability originally received a 9.8 CVSS severity score. (Bleeping Computer, SecurityWeek)

**The FBI says it disrupted the infamous Russian Snake malware network this week,** using a tool that forced the program to self-destruct on infected computers. A release from the U.S. Cybersecurity and Infrastructure Security Agency (CISA) stated that Snake infrastructure was found in more than 50 different countries. Russia’s Federal Security Service (FSA) was known for using Snake to target high-profile targets and collecting sensitive information, with the FBI calling it Russia’s “premiere espionage tool.” Cybersecurity agencies from several other countries have released details on how potentially infected machines can recover and additional steps taken to ensure Snake’s functionality is continually impaired. (CBS News, CISA)

**Two vulnerabilities being actively exploited in the wild** headlined a relatively light Microsoft Patch Tuesday this week. In all, Microsoft disclosed 40 vulnerabilities, the fewest in a month since December 2019. One of the zero-day vulnerabilities, CVE-2023-29336, is an elevation of privilege vulnerability in the Win23k kernel mode drive that could allow an adversary to gain SYSTEM privileges. Another, CVE-2023-24932, is a Secure Boot Security Feature Bypass issue that the BlackLotus malware group is already exploiting. In all, this Patch Tuesday includes seven critical vulnerabilities and 33 that are considered “important.” (Talos blog, Krebs on Security)

**Can’t get enough Talos?**

*   Talos Takes Ep. #137: Talos Incident Response livestream on top trends from the past quarter
*   Researcher Spotlight: Jacob Finn creates his own public-private partnership at Talos
*   Threat Roundup for April 28 - May 5
*   FBI disrupts Turla espionage malware network
*   New 'Greatness' service simplifies Microsoft 365 phishing attacks

**Upcoming events where you can find Talos**

**BSidesFortWayne** **(May 20)**

Fort Wayne, IN

**Cisco Live U.S.** **(June 4 - 8)**

Las Vegas, NV

**Most prevalent malware files from Talos telemetry over the past week**

  
**SHA 256:** 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
**MD5:** 2915b3f8b703eb744fc54c81f4a9c67f  
**Typical Filename:** VID001.exe  
**Claimed Product:** N/A  
**Detection Name:** Win.Worm.Coinminer::1201

**SHA 256:** 5616b94f1a40b49096e2f8f78d646891b45c649473a5b67b8beddac46ad398e1  
**MD5:** 3e10a74a7613d1cae4b9749d7ec93515  
**Typical Filename:** IMG001.exe  
**Claimed Product:** N/A  
**Detection Name:** Win.Dropper.Coinminer::1201

**SHA 256:** e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934  
**MD5:** 93fefc3e88ffb78abb36365fa5cf857c  
**Typical Filename:** Wextract  
**Claimed Product:** Internet Explorer  
**Detection Name:** PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg

**SHA 256:** 59f1e69b68de4839c65b6e6d39ac7a272e2611ec1ed1bf73a4f455e2ca20eeaa  
**MD5:** df11b3105df8d7c70e7b501e210e3cc3  
**Typical Filename:** DOC001.exe  
**Claimed Product:** N/A  
**Detection Name:** Win.Worm.Coinminer::1201

**SHA 256:** e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c  
**MD5:** a087b2e6ec57b08c0d0750c60f96a74c  
**Typical Filename:** AAct.exe  
**Claimed Product:** N/A  
**Detection Name:** PUA.Win.Tool.Kmsauto::1201

Threat Source newsletter (May 11, 2023) — So much for that ransomware decline

TALOS-2022-1680 (CVE-2022-41985) could allow an attacker to bypass the authentication protocol on the operating system, or cause a denial-of-service, by sending the targeted machine a specially crafted set of network packets.

Wednesday, May 10, 2023 11:05

_Kelly Leuschner of Cisco Talos discovered these vulnerabilities._

Cisco Talos recently discovered two vulnerabilities in a library for µC/OS, an open-source operating system developed by Micrium.

µC/OS is an embedded operating system that supports TCP/IP, USB, CAN bus and Modbus. The two vulnerabilities Talos discovered specifically exist in the operating system’s FTP server.

TALOS-2022-1680 (CVE-2022-41985) could allow an attacker to bypass the authentication protocol on the operating system, or cause a denial-of-service, by sending the targeted machine a specially crafted set of network packets.

Similarly, TALOS-2022-1681 (CVE-2022-46377 - CVE-2022-46378) is also triggered by a set of network packets, though in this case, it can cause a denial-of-service and a use-after-free condition.

Cisco Talos worked with Weston Embedded, who maintains this software, to ensure these vulnerabilities are resolved and an update is available for affected customers, all in adherence to Cisco’s vulnerability disclosure policy.

Users are encouraged to update these affected products as soon as possible: Weston Embedded uC-FTPs, version 1.98.00. Talos tested and confirmed this version of the OS could be exploited by these vulnerabilities.

The following Snort rules will detect exploitation attempts against these vulnerabilities: 125:4. Additional rules may be released in the future and current rules are subject to change, pending additional vulnerability information. For the most current rule information, please refer to your Cisco Secure Firewall Management Center or Snort.org.

Vulnerability Spotlight: Authentication bypass, use-after-free vulnerabilities found in a library for the µC/OS open-source operating system

Greatness incorporates features seen in some of the most advanced PaaS offerings, such as multi-factor authentication (MFA) bypass, IP filtering and integration with Telegram bots.

Wednesday, May 10, 2023 08:05

*   A previously unreported phishing-as-a-service (PaaS) offering named “Greatness” has been used in several phishing campaigns since at least mid-2022. Greatness incorporates features seen in some of the most advanced PaaS offerings, such as multi-factor authentication (MFA) bypass, IP filtering and integration with Telegram bots.
*   Greatness, for now, is only focused on Microsoft 365 phishing pages, providing its affiliates with an attachment and link builder that creates highly convincing decoy and login pages. It contains features such as having the victim’s email address pre-filled and displaying their appropriate company logo and background image, extracted from the target organization’s real Microsoft 365 login page. This makes Greatness particularly well-suited for phishing business users.
*   An analysis of the domains targeted in several ongoing and past campaigns revealed the victims were almost exclusively companies in the U.S., U.K., Australia, South Africa, and Canada, and the most commonly targeted sectors were manufacturing, health care and technology. The exact distribution of victims in each country and sector varies slightly between campaigns.
*   To use Greatness, affiliates must deploy and configure a provided phishing kit with an API key that allows even unskilled threat actors to easily take advantage of the service’s more advanced features. The phishing kit and API work as a proxy to the Microsoft 365 authentication system, performing a “man-in-the-middle” attack and stealing the victim’s authentication credentials or cookies.

**Activity and victimology**

Greatness seems to have started operating in mid-2022 and, based on the number of attachment samples available on VirusTotal, there were spikes in activity in December 2022 and March 2023.

Number of attachment samples found on VirusTotal

Although each campaign had a slightly different geographic focus, collectively, over 50 percent of all targets were based in the U.S. The next most-targeted countries are the U.K., Australia, South Africa and Canada.

Geographical distribution of targeted organizations

Greatness is designed to compromise Microsoft 365 users and can make phishing pages especially convincing and effective against businesses. Based on the data Cisco Talos obtained, Greatness affiliates target almost exclusively businesses. An analysis of the targeted organizations across several campaigns shows that manufacturing was the most targeted sector, followed by health care, technology and real estate.

Distribution of targeted organizations by sector

**The attack flow**

The attack starts when the victim receives a malicious email, which typically contains an HTML file as an attachment and, under the pretext of a shared document, leads the victim to open the HTML page.

Once the victim opens the attached HTML file, the web browser executes a short piece of obfuscated JavaScript code that establishes a connection to the attacker's server to obtain the phishing page HTML code and display it to the user in the same browser window. This code contains a blurred image that shows a spinning wheel, pretending to load the document.

_Blurred attached document decoy._

The page then redirects the victim to a Microsoft 365 login page, usually pre-filled with the victim’s email address, and the custom background and logo used by their company. In the following example, for privacy reasons, we manually replaced the real victim’s email address, background image and company logo on an actual phishing sample with fake Talos data, to show what it looks like.  

_Example of a screen asking the targeted victim for a password._

Once the victim submits their password, the PaaS will connect to Microsoft 365, impersonate the victim and attempt to log in. If MFA is used, the service will prompt the victim to authenticate using the MFA method requested by the real Microsoft 365 page (e.g., SMS code, voice call code, push notification).

__Example of a page asking the victim to enter an MFA code.__

Once the service receives the MFA, it will continue to impersonate the victim behind the scenes and complete the login process to collect the authenticated session cookies. These will then be delivered to the service affiliate on their Telegram channel or directly through the web panel.

**The phishing service**

The service consists of three components: a phishing kit (which contains the admin panel), the service API and a Telegram bot or email address.

Graph of PaaS communication flow

The phishing kit, the service component delivered to affiliates and deployed on a server controlled by them, is the only part of the service the victim connects to. The kit delivers the HTML/JavaScript code for each step of the attack. The kit communicates with the PaaS API service in the background, forwarding the credentials received from the victim and receiving information on what page it should deliver to the victim at each step of the attack. As the victim submits their credentials to the kit, it stores them locally so they can be accessed via the administrative panel and, if configured to do so, sends them to the affiliate’s Telegram channel.

The phishing kit contains an administration panel that allows the affiliate to configure the service API key and Telegram bot and keep track of stolen credentials. The following images show an example of the administration panel login page and dashboard.

Phishing kit administrative panel login page

Phishing kit administrative panel dashboard

The administration panel also builds malicious attachments or links that are submitted via email to the victims. The following image shows the form used to generate the attachments:

Phishing kit malicious attachment builder

The PaaS is designed to be used in a very standard way. The payload delivered to the victim must be a link or, more commonly, an HTML attachment. The attacker can use the builder form above to create a payload with a few options:

*   Autograb: This feature prefills the Microsoft 365 login page with the victim’s email, adding credibility to the attack.
*   Background: The attacker can select the fake attachment background image to be a blurred Microsoft Word, Excel, or PowerPoint online document.

The API is the core part of the service. Each affiliate must have a valid API key to use Greatness, or else the phishing page will not load and displays a message saying the API key is invalid. The following image shows the configuration options available in the panel, where the affiliates can insert their API key.

_Administrative panel configuration page_

The service API contains logic to validate the affiliate’s key, block unwanted IP addresses from viewing the phishing page, and most importantly, behind-the-scenes communication with the real Microsoft 365 login page, posing as the victim.

Working together, the phishing kit and the API perform a “man-in-the-middle” attack, requesting information from the victim that the API will then submit to the legitimate login page in real time. This allows the PaaS affiliate to steal usernames and passwords, along with the authenticated session cookies if the victim uses MFA. Authenticated sessions usually time out after a while, which is possibly one of the reasons the Telegram bot is used — it informs the attacker about valid cookies as soon as possible to ensure they can reach quickly if the target is interesting.

**Coverage**

Ways our customers can detect and block this threat are listed below.

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.

Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

The following Snort SIDs are applicable to this threat: 61708.

**Indicators of Compromise (IOCs)**

IOCs for this research can also be found at our GitHub repository here