Our hearts are with the people of Turkey and Syria and all those impacted by the tragic earthquake. The Cisco Foundation has launched a matching campaign to support local disaster relief organizations.

Thursday, February 9, 2023 14:02

Welcome to this week’s edition of the Threat Source newsletter.

Our hearts are with the people of Turkey and Syria and all those impacted by the tragic earthquake. The Cisco Foundation has launched a matching campaign to support local disaster relief organizations. As a person it’s always difficult to try to find impactful ways to help people so far removed from us.. As a security practitioner it’s my duty to remind you that criminals will exploit your empathy and this situation for their own profit. Be acutely aware of phishing scams, malvertising, and typosquats that will leverage your kindness for their gain. Give freely but take a moment when you do to ensure that you are donating to sources that can help and that above all you aren’t padding the pockets of cybercriminals.

**The one big thing**

Ransomware and commodity loaders remain at the forefront of the threat landscape. The ransomware space is dynamic, continually adapting to changes in the geopolitical environment, actions by defenders, and efforts by law enforcement, This leads groups to rebrand under different names, shut down operations, and form new strategic partnerships. Cisco Talos observed several related trends across 2022 and this activity is highlighted in the Ransomware and Commodity Loader Topic Summary Report.

**Why do I care?**

Understanding the most recent trends in ransomware, including the goals, victimology, and TTPs will increaser your ability to defend, understand, and react to these events. We've seen seismic shifts in how state sponsored actors attack and this will migrate to every level of threat actor.

**So now what?**

Education is key and continuing to follow the research that Talos releases and validating your environment against that research is critical.

**Top security headlines of the week**

This week, the Dutch national police shut down the criminal messaging service Exclu in conjunction with a sweeping crackdown that included 79 searches and 42 arrests in the Netherlands, Germany, and Belgium. The shutdown highlights the efforts authorities are putting into disrupting the use of messaging apps in the cybercriminal ecosystem. This particular service was unique in that it was exclusively the domain of cybercriminals and drug dealers, but it offers a glimpse into the evolving communication methods of the cybercrime in 2023.( DarkReading)

Exploit code has been released for an actively exploited zero-day vulnerability affecting Internet-exposed GoAnywhere MFT administrator consoles. GoAnywhere MFT is a web-based and managed file transfer tool designed to help organizations to transfer files securely with partners and keep audit logs of who accessed the shared files. (Bleepingcomputer)

**Can’t get enough Talos?**

*   https://blog.talosintelligence.com/ransomware-and-commodity-loader-topic-summary-report-cisco-talos-year-in-review-2022/
*   https://blog.talosintelligence.com/threat-landscape-topic-summary-report-cisco-talos-year-in-review-2022/
*   https://talosintelligence.com/podcasts/shows/beers\_with\_talos

**Upcoming events where you can find Talos**

Cisco Live Amsterdam (Feb 6-10)

Amsterdam, Netherlands

WiCyS (March 16-18, 2023)

Denver,CO

RSA (April 24-27, 2023)

San Francisco, CA

**Most prevalent malware files from Talos telemetry over the past week**

SHA 256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507

MD5: 2915b3f8b703eb744fc54c81f4a9c67f

Typical Filename: A9CE7F0974.tmp

Claimed Product:  n/a

Detection Name: Simple\_Custom\_Detection

SHA 256: e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934

MD5: 93fefc3e88ffb78abb36365fa5cf857c

Typical Filename: Wextract

Claimed Product:  Internet Explorer

Detection Name: W32.File.MalParent

SHA 256: 125e12c8045689bb2a5dcad6fa2644847156dec8b533ee8a3653b432f8fd5645

MD5: 2c8ea737a232fd03ab80db672d50a17a

Typical Filename: software.Scr

Claimed Product:  梦想之巅幻灯播放器

Detection Name: Auto.125E12.241442.in02

SHA 256: e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934

MD5: 93fefc3e88ffb78abb36365fa5cf857c

Typical Filename: Wextract

Claimed Product:  Internet Explorer

Detection Name: PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg

SHA 256: de3908adc431d1e66656199063acbb83f2b2bfc4d21f02076fe381bb97afc423

MD5: 954a5fc664c23a7a97e09850accdfe8e

Typical Filename: teams15

Claimed Product:  n/a

Detection Name: Gen:Variant.MSILHeracles.59885

Threat Source newsletter (Feb. 9, 2023): Don't let criminals exploit your empathy

An active defense posture, where the defenders actively use threat intelligence and their own telemetry to uncover potential compromises, is the next stage in the cyber security maturity road. Instead of waiting for detections to trigger, defenders can take initiative and hunt threat actors.

Thursday, February 9, 2023 08:02

**Active defense a key approach to protecting against major threats**

Having an active defense posture, where the defenders actively use threat intelligence and their own environment telemetry to uncover potential compromises, is the next stage in the cyber security maturity road. Instead of waiting for detections to trigger, defenders can take initiative and hunt down threat actors inside their environment, putting a halt to their malicious activities before they can fully accomplish their goals.  

Ransomware compromises, which usually involve data exfiltration, are not fast nor swift. Attackers need time to find their way in the network, including identifying the databases with the relevant information they are seeking, to exfiltrate the information and finally to deploy the ransomware. This is the time window when an active defense strategy can make the most impact, by looking from the inside out: The perimeter was already compromised, no relevant alerts were raised, and the attackers have already begun to carry out their malicious activities within the victim’s network.  

Conducting periodic threat hunting exercises increases the chances of detection. However, despite the potential benefits of threat hunting, the odds are against defenders, as the hunter has limited time and resources, their target is unknown, and the type of activity the defender is searching for is often undefined. As threat hunting becomes more routine and as the hunter becomes more familiar with the environment, this exercise will become more efficient, the findings and analysis will become more useful, and the defender’s visibility of the environment will improve.  

Besides the possible detection results, there are two important outcomes of threat hunting:  

*   **Identifying weak spots in the organization’s overall defense.** By analyzing successful detections at a deeper level, defenders can understand what failed and on which levels.  
    
*   **Exposing the blindspots in defenders’ network visibility.** Threat hunting is about analyzing the available information and searching for what shouldn't be there as well as identifying potentially useful data that we don’t have access to.  This type of assessment provides valuable information on what can be improved in the visibility of the environment.  
    

There is no “one size fits all” approach or “magic bullet” solution that will get organizations to their best defense posture. Rather, it's an iterative process that greatly improves with repetition. Threat hunting supports—and can dramatically improve—active defense, particularly when hunt results can be leveraged to  improve the environment. In the next sections, we introduce some of the quick wins that can help organizations implement an effective active defense approach.  

**Monitor DNS queries**

Monitoring the domain name system (DNS) queries provides a unique view into what is going on in the network. Analyzing the DNS query logs and singling out the systems that resolved recently created domains provides a good starting point. The analysis of known malicious domains should also be done, as that would provide visibility into the effectiveness of the first line of defense. Keep in mind that this is about searching for what was not detected, as known malicious domains should already be blocked.  

On the other hand, If a compromise did occur, the DNS query logs may also provide a good source of information about the adversary’s actions and the extent of their malicious activities on the network.

**Create high-priority alerts**

Implement high-priority triggers with near-zero false positive alerts. No organization has unlimited resources to monitor security events, as alert fatigue is a real problem in security operation centers. High-priority triggers won’t eliminate security incidents, but they will help focus on critical events.There are two types of these triggers: generic and intelligence-driven.  

The generic triggers are those that are designed to alert in the event of abnormal behavior usually triggered by attackers while trying to establish a foothold or while in search of relevant information. Here are a couple of examples of such triggers:  

*   Canary accounts - Accounts that are not used by the organization but are instead intended to lure malicious actors to use in their operations. Create triggers to events regarding these accounts’ usage.  
    
*   Monitor and raise alerts on administrative accounts - Newly created accounts where privileges are added, or password changes on already existing accounts are good events to monitor.  
    
*   Domain controllers contacting unknown systems - Communications on the domain controllers should be well known. Any communication starting from a domain controller to an unknown system should be targeted for in-depth analysis.  
    
*   Profile key systems’ dual usage tools executions - Attackers often hide their actions by using dual-use tools. Starting with the critical systems, profile the execution of such tools so that abnormal usage can be detected and investigated.  
    
*   Remote administration tools - Having a well-known usage pattern of such tools allows defenders to monitor for  unusual or anomalous usage.  
    

Intelligence-driven triggers, by comparison, are created by analyzing the dynamic tactics, techniques, and procedures (TTPs). Therefore, these triggers should alert on adversaries’ behaviors rather than more static indicators of compromise (IOCs), such as known lists of IPs or domains. Such activity should be detected by basic cyber security tools that are already in place, and these triggers should cover the TTPs generically used by threat actors that are applicable to one's organization. For example, if your organization doesn't use ConnectWise, TeamViewer or Anydesk, create a trigger in your monitoring system that will generate a high-priority alert whenever those tools are executed, as they are commonly used by threat actors. If a defender concludes that there is no way to create such an alert, then a blindspot has been found. The resolution of such an issue should be prioritized based on that organization’s resources and other competing issues that require attention.

**Perform root cause analysis on deep alerts**

The most important question a threat hunter must try to answer while doing detection systems log analysis is, “How did the malware get to the endpoint?” Deep alerts like this, that come from the most inner layer of the security architecture, need to be analyzed.  

Most organizations have a multi-layered, in-depth security architecture. When an endpoint defense system detects and blocks some malicious software, this is good news for the defenders. It's also an opportunity for the threat hunter to identify and improve the security in the organization. Having a multi-layered and in-depth architecture means that there are several security systems between the production systems and the untrusted environments. If a threat was detected and stopped in an organization’s most inner systems, then some outer layer defense failed.  

Conducting a root cause analysis is essential to determining what failed and how, as this will provide invaluable information to the continuous improvement process.  There can be multiple explanations for initial infection. For example, an endpoint can be compromised somewhere else and then connected to the organization’s environment, or credentials can be compromised and used to establish a malicious VPN connection.

**Monitor communications on critical systems**

Critical systems’ communications patterns can be the first high-priority alert indicating the potential exfiltration of information. Organizations don’t have infinite resources, and not all systems have the same value.  For example, a file server will have communications from a lot of systems, but not all systems/endpoints will transfer an abnormal quantity of information in a short amount of time. Or, if all the systems in the environment must use a local DNS server if a system attempts to contact Google or Cloudflare DNS servers, those systems should probably be reviewed. Having a list of critical systems is one of the basic steps that organizations with a mature security posture can take to help detect malicious activity early.  

**Improve your visibility**

Having good visibility into what is happening in the defender's environment is the first step to  performing threat hunting. However, the mere exercise of threat hunting will also show defenders if there are any blindspots, thus providing opportunities for improvement. Visibility should also be seen as a powerful source of information when recovering from a compromise. Organizations often don’t have the means to implement a complete, comprehensive detection system on their entire environment. However, that does not mean that some kind of logging should not be performed. Logs may be extremely relevant during the recovery phase of a compromise. Knowing how and when a compromise occurred, even after the fact, is crucial. Proper logging can be extremely useful in determining this information, especially when analyzed from a threat hunter’s point of view, so that they can also provide information that leads to the development of proper detections.  

**Deploy tiered accounts**

Have administration accounts that are only used on specific systems. Not all systems need to contact all the systems or the internet, and, likewise, not all accounts need to be used on all systems, especially if they are high-privilege accounts. Have specific domain administrator accounts, which are only used on domain controllers, complemented by second-tier administrator accounts. This tiering is done at the functional level and not at the privilege level. These two different account tiers may ultimately have the same privileges, but by tiering their access based on their functions,  it’s possible to set high-priority alerts to trigger when they behave abnormally.

Beyond the basics: Implementing an active defense

Join host Mitch Neff and special guests Aliza Johnson, Azim Khodjibaev, and Nick Biasini as they discuss Talos' findings and experiences monitoring ransomware and commodity loaders in 2022.

Wednesday, February 8, 2023 14:02

Did you miss our livestream covering the ransomware and commodity loader section in the Cisco Talos Year in Review report? Join host Mitch Neff and special guests Aliza Johnson, Azim Khodjibaev, and Nick Biasini as they discuss Talos' findings and experiences monitoring ransomware and commodity loaders in 2022.

 Visit the Year in Review page for the full report, each topic summary report, livestreams, and podcasts.  New content will be added with each topic summary release through February 2023.  You can access the full 2022 Cisco Talos Year in Review report directly here:

2022 Year in Review: Ransomeware & Commodity Loaders Livestream Replay

The ransomware space is dynamic, continually adapting to changes in the geopolitical environment, actions by defenders, and efforts by law enforcement, which increased in scope and intensity in 2022. Cisco Talos observed several related trends across 2022. Read the full report here.

Monday, February 6, 2023 08:02

The ransomware space is dynamic, continually adapting to changes in the geopolitical environment, actions by defenders, and efforts by law enforcement, which increased in scope and intensity in 2022. This leads groups to rebrand under different names, shut down operations, and form new strategic partnerships. Cisco Talos observed several related trends across 2022.

Visit the Year in Review page for the full report, with topic summary reports, livestreams, podcasts, and other content starting December 14th.  New content will be added with each topic summary release through February.  You can access the full 2022 Cisco Talos Year in Review report directly here:

Ransomware and Commodity Loader Topic Summary Report: Cisco Talos Year in Review 2022

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Jan. 27 and Feb. 3. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key

Threat Round up for January 27 to February 3

Next week will be our final installment of our 2022 Year in Review report coverage. We’ll be publishing a final topic summary on Ransomware and Commodity Loaders and follow up these reports with a livestream on LinkedIn and Twitter with report and subject matter experts.

Thursday, February 2, 2023 15:02

Welcome to this week’s edition of the Threat Source newsletter.

If you haven’t noticed yet we’ve had a few guest writers on this newsletter over the last few months. Alas my time covering the newsletter has ended and I leave you with one final edition. Have no fear, William Largent will be rounding out the guest appearances next week and your long-time host Jon Munshaw will be back at the helm. Thanks for sticking with us this long and if you’re newly subscribed welcome!

**The one big thing**

Next week will be our final installment of our 2022 Year in Review report coverage. We’ll be publishing a final topic summary on Ransomware and Commodity Loaders and follow up these reports with a livestream on LinkedIn and Twitter with report and subject matter experts.

**Why do I care?**

We published our full 2022 Year in Review early December. If you haven’t read  it yet we highly suggest your download your copy here or check out our previous  livestreams. Through these reports and videos we’ve broken down the threat  landscape and trends Talos observed over 2022. What’s that saying, history    repeats itself? Take a minute to look back and prepare for what lies ahead in 2023.

**So now what?**

Mark your calendar for our fourth and final livestream on Tuesday February 7th at 12 PM EST. Read the report, browse the topic summaries, or watch our livestreams on demand. Looking for extra credit? Read through Talos’ Head of Outreach Nick Biasini’s future predictions of State Sponsored attacks in 2023.

**Top security headlines of the week**

Coming back from the dead yet again a new Lazaurs campaign has been found to exploit unpatched Zimbra devices targeting medical research and energy industries along with their supply chain partners in attempts to gather intelligence. Through unpatched devices the threat actors are gaining network access and escalation privileges. (SC Media)

Google’s official mobile virtual network operator (MVNO), Google Fi, was in headlines due to a customer data breach via T-Mobile. Using technology to switch between cellular provides Google Fi provides constant coverage for customers through T-Mobile and US cellular. It’s reported the breach happened in November 2022 but wasn’t discovered until early January 2023. Customers have been notified but many questions remain, like are users still vulnerable? (TechCrunch)

Surprising quite literally no one, ChatGPT sets a record for the fastest-growing user base in history. Reaching an estimated 100 million active monthly users in December just two months after launch (yet every time I try to get it to write this newsletter it says the app is at capacity…). Whether you’re a user, a skeptic, or simply don’t care ChatGPT has stirred up a lot of attention lately, we’ll all just have to keep an eye on the evolution of ChatGPT. (Ars Techinca)

**Can't get enough Talos?**

·  State Sponsored Attacks in 2023 and Beyond

·  Quarterly Report: Incident Response Trends in Q4 2022

· CTIR On Air: Reviewing Q4's top threats livestream

· Threat Landscape Topic Summary Report: Cisco Talos Year in Review 2022

·  2022 Year in Review: Threat Landscape Livestream

**Upcoming events where you can find Talos**

Cisco Live Amsterdam (Feb 6-10)

Amsterdam, Netherland

WiCyS (March 16-18, 2023)

Denver,CO

RSA (April 24-27, 2023)

San Francisco, CA

**Most prevalent malware files from Talos telemetry over the past week**

SHA 256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507

MD5: 2915b3f8b703eb744fc54c81f4a9c67f

Typical Filename: VID001.exe

Claimed Product:  n/a

Detection Name: Simple\_Custom\_Detection

SHA 256: 00ab15b194cc1fc8e48e849ca9717c0700ef7ce2265511276f7015d7037d8725

MD5:  d47fa115154927113b05bd3c8a308201

Typical Filename: msaccess.exe

Claimed Product: n/a

Detection Name: rojan.GenericKD

SHA 256: e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c

MD5: a087b2e6ec57b08c0d0750c60f96a74c

Typical Filename: aact.exe

Claimed Product: n/a

Detection Name: W32.File.MalParent

SHA 256:  125e12c8045689bb2a5dcad6fa2644847156dec8b533ee8a3653b432f8fd5645

MD5: 2c8ea737a232fd03ab80db672d50a17a

Typical Filename: LwssPlayer

Claimed Product:  梦想之巅幻灯播放器

Detection Name: Auto.125E12.241442.in02

SHA 256: e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934

MD5: 93fefc3e88ffb78abb36365fa5cf857c

Typical Filename: Wextract

Claimed Product:  Internet Explorer

Detection Name: PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg

Threat Source newsletter (Feb. 2, 2023): I bid you all adieu

We're back with another year in review focused episode. This time I'm be joined by threat researcher Caitlin Huey. We discuss the general threat landscape in 2022 including dual use tools, lolbins, and the surprising re-emergence of USB attacks in 2022.

Friday, January 27, 2023 16:01

We're back with another year in review focused episode. This time the focus will be the threat landscape generally and I'll be joined by threat researcher Caitlin Huey. In this episode we'll discuss what we found in the last year, with a focus on the general threat landscape.  We'll spend time discussing dual use tools, lolbins, and the surprising re-emergence of USB attacks in 2022.

All episdoes are available on the Talos Takes podcast page and most major podcasting outlets.

Visit the Year in Review page for the full report, with topic summary reports, livestreams, podcasts, and other content starting December 14th.  New content will be added with each topic summary release through February.  You can access the full 2022 Cisco Talos Year in Review report directly here:

Talos Takes 126: Year in Review - Threat Landscape Edition

Did you miss our livestream covering the threat landscape section in the Cisco Talos Year in Review report? Join host Hazel Burton and special guests Caitlin Huey, Nick Biasini, and Tucker Favreau as they discuss Talos' findings and experiences monitoring the threat landscape in 2022.

Friday, January 27, 2023 12:01

Did you miss our livestream covering the threat landscape section in the Cisco Talos Year in Review report? Join host Hazel Burton and special guests Caitlin Huey, Nick Biasini, and Tucker Favreau as they discuss Talos' findings and experiences monitoring the threat landscape in 2022.  

Visit the Year in Review page for the full report, each topic summary report, livestreams, and podcasts.  New content will be added with each topic summary release through February 2023.  You can access the full 2022 Cisco Talos Year in Review report directly here:

2022 Year in Review: Threat Landscape Livestream Replay

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Jan. 20 and Jan. 27. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key

Threat Round up for January 20 to January 27

Knowing what Talos IR is responding to this quarter gives you a direct view into what needs to be most secured and most analyzed to ensure your own environment remains secure.

Thursday, January 26, 2023 18:01

Welcome to this week’s edition of the Threat Source newsletter.

What’s old is new again and what's old is still old. The fact that we are seeing a comeback of this USB thumb drive nonsense is giving me heartburn, and a headache, and my left eye is twitching …  and maybe numbness in my legs? Yes, I am getting old but I’m also just tired - not from age but from the unrelenting cycle of what’s old is new again. All simply because we can’t seem to learn from our own past. Please don’t put a random USB into any of your devices and for the last time GET OFF MY LAWN.

**The one big thing**

Cisco Talos IR posted their Incident Response Trends in Q4 2022. Ransomware continued to be a top threat Talos IR responded to this quarter, with appearances from both previously seen and newly observed ransomware families. However, Talos IR also observed a significant number of cases in which post-exploitation activities occurred where the actor’s motivation could not be determined. For example, phishing campaigns, our top initial-access vector this quarter, were equally as common and featured a variety of post-exploitation activities, including command execution to perform credential harvesting, red-teaming framework deployment and remote access tooling installation.

**Why do I care?**

Knowing what Talos IR is responding to this quarter gives you a direct view into what needs to be most secured and most analyzed to ensure your own environment remains secure.

**So now what?**

In all of Talos IR’s ransomware engagements that closed out this quarter, PsExec was used to facilitate lateral movement or execute the final ransomware executable. Talos IR recommends that organizations disable PsExec, as well as access to administrative shares, to limit lateral movement. Additionally, organizations should consider use of Microsoft AppLocker to block tools and files that have been consistently leveraged by adversaries. This helps to create another layer of enforcement for any known malicious or often-misused files.

**Top security headlines of the week**

CISA and the NSA released a joint advisory on January 25th detailing the use of legitimate remote monitoring and management software (RMM) for nefarious purposes. The joint advisory detailed attacks and warned the cybersecurity community about the malicious use of commercial RMM software, offering mitigations and indicators of compromise to watch out for.

Initial Access Broker market is booming, posing growing threat to enterprises. Research shows a sharp year-over-year growth in the number of IABs operating in underground forums and markets. For ransomware operators and other cybercriminals that are looking for quick access to enterprise networks, these brokers are the answer. (Dark Reading and GroupIB)

**Can’t get enough Talos?**

*   https://blog.talosintelligence.com/quarterly-report-incident-response-trends-in-q4-2022/
*   https://blog.talosintelligence.com/threat-landscape-topic-summary-report-cisco-talos-year-in-review-2022/
*   https://talosintelligence.com/podcasts/shows/beers\_with\_talos
*   https://talostakes.talosintelligence.com/2018149/12016411-year-in-review-apt-summary-edition

**Upcoming events where you can find Talos**

CactusCon (Jan 27-28)  
Mesa, AZ

Cisco Live Amsterdam (Feb 6-10)  
Amsterdam, Netherlands

**Most prevalent malware files from Talos telemetry over the past week**

SHA 256:  
9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
MD5: 2915b3f8b703eb744fc54c81f4a9c67f  
Typical Filename: VID001.exe  
Detection Name: Simple\_Custom\_Detection

SHA256:  
e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934  
MD5: 93fefc3e88ffb78abb36365fa5cf857c  
Typical Filename: Wextract  
Claimed Product: Internet Explorer  
Detection Name: PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg

SHA 256:  
125e12c8045689bb2a5dcad6fa2644847156dec8b533ee8a3653b432f8fd5645  
MD5: 2c8ea737a232fd03ab80db672d50a17a  
Typical Filename: LwssPlayer.scr  
Claimed Product: 梦想之巅幻灯播放器  
Detection Name: Auto.125E12.241442.in02

SHA 256:  
1077bff9128cc44f98379e81bd1641e5fbaa81fc9f095b89c10e4d1d2c89274d  
MD5: 26f927fb7560c11e509f0b8a7e787f79  
Typical Filename: Iris QuickLinks.exe  
Claimed Product: N/A  
Detection Name: W32.File.MalParent

Source

TALOS