Today, Talos is publishing a glimpse into the most prevalent threats we've observed between June 30 and July 7. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key

Threat Roundup for June 30 to July 7

The economic damage of DDoS attacks is tough to measure — who can really say how much money Blizzard missed out on by not having players in “Diablo IV” for a few hours spending money on microtransactions or choosing to buy the game?

Thursday, July 6, 2023 14:07

Welcome to this week’s edition of the Threat Source newsletter.

Distributed denial-of-service attacks (DDoS) have been around since before I even knew how to turn a computer on.

These types of attacks, I feel, have the same vibe as the term “computer virus” — something we used to talk about in the days of LAN parties and Netscape. But recently, they’ve had a major comeback with adversaries enhancing the ways in which they can launch DDoS attacks and actors targeting high-profile services and organizations that have made headlines.

“Diablo IV,” one of the biggest video games going right now, suffered a DDoS attack over the weekend of June 25, leaving players unable to access the game’s servers and affecting other games developed by Blizzard, such as “World of Warcraft” (another throwback to the days of LAN parties).

Microsoft also recently confirmed that Layer 7 DDoS attacks were responsible for outages in June affecting Azure, Outlook and OneDrive. Anonymous Sudan — a group that may or may not be related to Russia but also claims to be working in the interest of the country of Sudan — claimed responsibility for those attacks.

These recent major DDoS attempts led the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to release an advisory last week warning about the dangers of DDoS attacks. It advises that anyone who suspects they’re the target of a DDoS or DoS attack should “identify the source, and mitigate the situation by applying firewall rules and possibly rerouting traffic through a DoS protection service.”

There seem to be a few reasons why DDoS attacks are on the rise, despite them being looked at as “outdated” attacks.

For starters, the fact that they are simple attacks that date back to the development of the internet is the whole point — DDoS attacks are relatively easy to carry out compared to something like a sophisticated big game-hunting ransomware attack. Any actor with a base level of networking knowledge could start a DDoS attack.

Dark Utilities, which is an “as-a-service" platform Talos discovered last year, is a good example of this. Even though their C2-as-a-service and cryptocurrency mining offerings are the platform’s bread-and-butter, there is Layer 4 and Layer 7 DDoS tooling within their kit available to anyone willing to pay into their business model.

There also seems to be an uptick in funding behind these attacks, and money can frankly make any threat actor more powerful. Whether Russia directly, or Russian state-sponsored actors, are behind these attacks, the sign that these groups seem to be associated with major APTs show that there is a drive to carry out DDoS attacks and make sure they’re successful and send a message to the target.

The economic damage of DDoS attacks is tough to measure — who can really say how much money Blizzard missed out on by not having players in “Diablo IV” for a few hours spending money on microtransactions or choosing to buy the game? So it’s not as concrete of an argument as you could make for why an organization should be prepared for a ransomware attack that explicitly can cost a certain amount of time and money to recover, re-install backups or pay the requested ransom.

DDoS can be a punchline sometimes, but recent weeks have shown that it’s not to be slept on as a tool that actors with a range of motivations and resources can turn to.

**The one big thing**

Commercial spyware is still a going concern despite efforts from governments around the world to curb its use. Though the NSO Group started out as the most notorious example of a spyware creator, other “Mercenary Groups” are popping up like Intellexa, DSIRF, Variston IT, and the newly disclosed Quadream. And there are likely more companies operating covertly today.

**Why do I care?**

Although advertised as “tools” for law enforcement and government agencies strictly intended for legal use, report after report has shown commercial spyware has consistently been used against ethically questionable targets that don't fit the profile of criminals or terrorists. To avoid legal repercussions, these companies have headquarters in countries that do not have laws governing the export of their products or which classify the entities as IT service providers, effectively removing them from any product liability. These companies can therefore ultimately sell to whomever can pay without regard for who the intended targets are or what the impacts on the victims might be.

**So now what?**

For those that believe they are being or could be targeted by commercial spyware, rebooting the device before contacting a source or switching to lockdown mode might be the only options for the foreseeable future.

If you feel that you have been targeted by commercial spyware, there are also more generic habits that should be part of your daily routine:

*   Reboot your device regularly.
*   Use lockdown mode if your device is an iPhone.
*   Don’t click on links from dubious sources.
*   Don’t accept private messages from unknown persons.
*   If you have to keep a public contact, use an empty device to receive such contacts and reset it frequently.
*   Keep your devices up-to-date.

**Top security headlines of the week**

Microsoft is **denying that it was the victim of a data breach** after the alleged hacktivist group Anonymous Sudan said they stole credentials belonging to more than 30 million users. The threat actor says it’s willing to sell the stolen information for $50,000 and interested parties could engage the group’s Telegram bot to arrange the sale. However, a Microsoft representative told reporters that “our analysis of the data shows that this is not a legitimate claim and an aggregation of data. We have seen no evidence that our customer data has been accessed or compromised.” Anonymous Sudan gained notoriety over the past few months for a DDoS attack against Microsoft and recently admitted it was connected to the Russian state-sponsored actor Killnet, though its true goals and affiliations are unclear. (Bleeping Computer, TechRadar)

Representatives from the White House **publicly warned that any attempt by a U.S. entity to purchase the NSO Group or its spyware tools would prompt serious review over national security concerns**. A recent report connected a group of American financiers to being interested in acquiring the infamous NSO Group, known for the creation of the Pegasus spyware. However, it’s recently fallen on financial difficulties after international governments took steps to restrict the use and purchase of spyware. The NSO Group is already on a White House banned list, and the National Security Council said that any mergers or transactions involving the NSO Group would “prompt a review of whether the acquisition gives rise to a counterintelligence threat to the US government and its systems and information, whether other US equities may be at risk, and to what extent a foreign entity or government retains a degree of access or control.” (The Guardian)

The **Clop ransomware gang continues to be one of the top threat actors in the world** as the list of victims of the MOVEit zero-day vulnerability grows. Two U.S. colleges announced last week that they were affected by a data breach at the Teachers Insurance and Annuity Association of America that resulted from the exploitation of the it vulnerability. The mass hack has now affected about 160 different organizations and companies. Security researchers say that Clop’s recent attacks could represent a new era for threat actors who may opt to move away from the execution of ransomware while still relying on the tools they traditionally use for ransomware campaigns. The scope and success of the MOVEit attack is also likely to influence other threat actors. (TechCrunch, Dark Reading)

**Can’t get enough Talos?**

*   Taking over Milesight UR32L routers behind a VPN: 22 vulnerabilities and a full chain
*   The Future of Ransomware: Inside Cisco Talos Threat Hunters
*   Talos Takes Ep. #145: The various ways attackers can mess with URLs, TLDs and DNS

**Upcoming events where you can find Talos**

**BlackHat (Aug. 5 - 10)**

Las Vegas, Nevada

**Grace Hopper Celebration** **(Sept. 26 - 29)**

Orlando, Florida

> _Caitlin Huey, Susan Paskey and Alexis Merritt present a "Level Up Lab" titled "Don’t Fail Knowledge Checks: Accelerating Incident Response with Threat Intelligence." Participate in several fast-paced activities that emphasize the importance of threat intelligence in security incident investigations. Attendees will act as incident responders investigating a simulated incident that unfolds throughout this session. Periodic checkpoints will include discussions that highlight how incident response and threat intelligence complement each other during an active security investigation._

**Most prevalent malware files from Talos telemetry over the past week**

**SHA 256:** a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91  
**MD5:** 7bdbd180c081fa63ca94f9c22c457376  
**Typical Filename:** c0dwjdi6a.dll  
**Claimed Product:** N/A  
**Detection Name:** Trojan.GenericKD.33515991

**SHA 256:** 5616b94f1a40b49096e2f8f78d646891b45c649473a5b67b8beddac46ad398e1  
**MD5:** 3e10a74a7613d1cae4b9749d7ec93515  
**Typical Filename:** IMG001.exe  
**Claimed Product:** N/A  
**Detection Name:** Win.Dropper.Coinminer::1201

**SHA 256:** 59f1e69b68de4839c65b6e6d39ac7a272e2611ec1ed1bf73a4f455e2ca20eeaa  
**MD5:** df11b3105df8d7c70e7b501e210e3cc3  
**Typical Filename:** DOC001.exe  
**Claimed Product:** N/A  
**Detection Name:** Win.Worm.Coinminer::1201

**SHA 256:** e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c  
**MD5:** a087b2e6ec57b08c0d0750c60f96a74c  
**Typical Filename:** AAct.exe  
**Claimed Product:** N/A  
**Detection Name:** PUA.Win.Tool.Kmsauto::1201

**SHA 256:** 00ab15b194cc1fc8e48e849ca9717c0700ef7ce2265511276f7015d7037d8725  
**MD5:** d47fa115154927113b05bd3c8a308201  
**Typical Filename:** mssqlsrv.exe  
**Claimed Product:** N/A  
**Detection Name:** Trojan.GenericKD.65065311

DDoS attacks want to make sure you haven’t forgotten about them

In all, Cisco Talos is releasing 22 security advisories today, nine of which have a CVSS score greater than 8, associated with 69 CVEs.

Thursday, July 6, 2023 11:07

*   Cisco Talos discovered 17 vulnerabilities (63 CVEs) in the Milesight UR32L router and five vulnerabilities (six CVEs) in the Milesight MilesightVPN remote access solution software.
*   An attacker could exploit the vulnerabilities discovered to completely compromise the UR32L and MilesightVPN.
*   This post presents an attack scenario in which the UR32L is only reachable through the MilesightVPN remote access solution. The blog explains how an attacker could exploit the MilesightVPN and then fully compromise the UR32L.

Cisco Talos recently discovered several vulnerabilities in Milesight‘s UR32L – an ARMv7 Linux-based industrial cellular router — and Milesight’s MilesightVPN, a remote access solution for Milesight devices.

In all, Cisco Talos is releasing 22 security advisories today, nine of which have a CVSS score greater than 8, associated with 69 CVEs. Talos is disclosing these vulnerabilities despite no official fix from Milesight, in adherence to Cisco’s vulnerability disclosure policy. Milesight did not respond appropriately during the 90-day period as outlined in the policy.

The MilesightVPN is the remote access solution for Milesight devices not directly exposed to the internet. The MilesightVPN will perform this through a VPN system, making the VPN setup for the devices and the administrator easy. The MilesightVPN provides an HTTP admin page to monitor devices’ tunnel connection to the MilesightVPN itself and generate VPN configuration to join devices’ VPNs. By default, the MilesightVPN binds the HTTP server ports and the one VPN port on all interfaces. This software must be installed on a server machine reachable by the administrator and devices. Because of this, the most popular setup for administrator is to expose the MilesightVPN to the internet.

The Milesight UR32L is an industrial router that offers cellular capabilities. The router supports multiple users with different permissions. It offers a shell with restricted capabilities access. And many common industrial router features and functionalities. The Milesight UR32L does not include the ability to obtain and act with root privileges.

**Attack scenario overview**

In this blog post, Talos will present an attack scenario in which an adversary targets the Milesight UR32L, where the router is not exposed to the internet and instead uses a VPN tunnel for providing access to its internal network and the router itself. We considered the scenario where the device is managed through MilesightVPN. This software must be installed on a machine that is reachable by the UR32L router and the administrator. For the purposes of this post, we assume the MilesightVPN server is exposed to the internet.

MilesightVPN uses OpenVPN as the underlying VPN system. It is an excellent choice to use a well-established VPN system. OpenVPN is a well-known, tested VPN technology, which means it is less likely to have major security issues. But the MilesightVPN creates services around the OpenVPN tunnel like an HTTP server to monitor the connections and to generate OpenVPN configuration for joining the device’s VPN. By default, the MilesightVPN binds the HTTP server ports and the OpenVPN one on all interfaces. So, if the MilesightVPN is accessible on the internet, those services are by default accessible, too.

The UR32L has its own HTTP server; which allows users to manage the router configuration. We are also assuming the UR32L’s HTTP server is only accessible from the VPN and the MilesightVPN server is the only node that can generate a VPN configuration.

_An illustration of the proposed attack scenario._

The graphic below includes only the vulnerabilities relevant to this proposed attack scenario. This graphic shows the steps that an attacker could take to obtain root access to a Milesight UR32L:

**Attack walkthrough**

After locating the IP address of the MilesightVPN server, the attacker still cannot log in to the HTTP admin page due to the lack of valid credentials. The HTTP server login page of MilesightVPN looks like this:

From this point, an attacker could exploit TALOS-2023-1701 (CVE-2023-22319) to bypass the login and access the admin web pages on MilesightVPN. This vulnerability is a SQL injection in the _LoginAuth_ function responsible for checking the provided credentials. The check uses SQL without a prepared statement or any form of sanitization. The _LoginAuth_ code is shown below:

        function LoginAuth(res,postdata,connection){ 
            console.info('#######log.node:loginauth start'); 
            var sha512=crypto.createHash('sha512'); 
            sha512.update(postdata.pwd); 
            var pwd=sha512.digest('hex'); 
    [1]     $sql="select * from user where user='"+postdata.user+"' and passwd='"+pwd+"'"; 
    [2]     connection.query($sql).then(function(data){ 
                var result={}; 
                if(data['error']) 
                { 
                    [...] 
                } 
                else 
                { 
                    if(data['result'].length>0) 
                    { 
                        var dt=data['result']; 
                        result['status']=1; 
                        var token=generateToken(dt[0]['user']); 
                        var exp=new Date(
                            new Date().getTime()+
                                expiretime*1000).toUTCString(); 
                        res.setHeader('Set-Cookie',['token='+token]); 
                        console.info('#######log.node:loginauth success'); 
                        res.write(JSON.stringify(result)); 
                        res.end(); 
                    } 
                    else 
                    { 
                        [...] 
                    } 
                } 
            }); 
        } 
    

At _[1],_ the function composes, the SQL query for checking if the username and password provided correspond to the one of an existing user. Then, at _[2]_, the query is executed, if the resulting table is not empty a JWT, corresponding to the first matched user, is crafted and placed in the response header as the value of _Set-Cookie_. This function is vulnerable to a SQL injection vulnerability because the "preparation" of the query string is performed through string concatenation instead of a prepared statement. This SQL injection can allow an attacker to bypass the authentication of the HTTP server and gain admin access.

After bypassing the login page, an attacker would be presented with the following interface. The example below includes an interface with multiple devices registered and a single device that has an active connection.

From here, an attacker can glean information about the devices connected to the server and their IPs. Furthermore, it is possible to obtain an OpenVPN configuration file to join the VPN tunnel and communicate with the devices that were previously unreachable. The attacker can now communicate with all devices in the VPN. The following image is the HTTP server login page of the Milesight UR32L router:

From here, several attack paths are possible. TALOS-2023-1697 (CVE-2023-23902) is a pre-authentication stack-based buffer overflow that can lead to arbitrary remote code execution (RCE).

The attacker's only requirement is to be able to communicate with the router's HTTP server. This vulnerability is a pre-authentication, stack-based buffer overflow in the _decrypt_string_ function of the _uhttpd_ binary, the UR32L’s HTTP server binary. This function is responsible for decrypting the login password provided for the webpage login. The password sent from the browser is first AES-encrypted and then Base64-encoded. The _decrypt_string_ will Base64 decode and then AES decrypt the password.

The _uhttpd_ binary is not a Position Independent Executable (PIE), meaning that the binary is always loaded at the same virtual memory addresses, but the libraries are Position Independent Code (PIC). This makes it possible for an attacker to perform a code reuse attack using the binary code without any information leaks unless the attacker needs to reuse some of the libraries' code. Furthermore, the code reuse attack scenario is the path of least resistance for exploitation because no stack canary is used in this binary.

The binary is executed as root and makes use of functions such as _system_ and _popen_, as such, one of the options would be to mount an attack aiming to execute OS commands.

The following is a code snippet of the _uhttpd’ decrypt_string_:

    void decrypt_string(
        char *b64_encrypted_password,
        char *decrypted_password,
        size_t size_decrypted_password)
    { 
        [...] 
        uchar stack_decrypted_string [72]; 
        [... init the AES_key variable] 
        [... init the AES_IV variable] 
        [... calculate the __size variable value ...] 
        base64_decoded_string_start = (uchar *)malloc(__size); 
        [...] 
        memset(base64_decoded_string_start,0,__size); 
        processed_len = 0; 
        base64_decode_string_cursor = base64_decoded_string_start; 
        do { 
            // this check allow to base64 decode the string before decrypting it 
            if ((password_len_ - padding) <= processed_len) { 
                *base64_decode_string_cursor = '\0'; 
                ctx = EVP_CIPHER_CTX_new(); 
                [... check error ...] 
                cipher_type = EVP_aes_128_cbc(); 
                processed_len = EVP_DecryptInit_ex(
                    ctx,
                    cipher_type,
                    (ENGINE *)0x0,
                    AES_key,
                    AES_IV); 
                [... check error ...] 
    [1]         processed_len = EVP_DecryptUpdate(
                    ctx,
                    stack_decrypted_string,
                    &output_len,
                    base64_decoded_string_start,
                    (base64_decode_string_cursor + 
                        (-1 - base64_decoded_string_start)));                              
                [... check error ...] 
                processed_len = output_len; 
                iVar3 = EVP_DecryptFinal_ex(
                    ctx,
                    stack_decrypted_string + output_len,&output_len); 
                [... check error ...] 
                processed_len = processed_len + output_len; 
                EVP_CIPHER_CTX_free(ctx); 
                stack_decrypted_string[processed_len] = '\0'; 
                EVP_cleanup(); 
                ERR_free_strings(); 
                free(base64_decoded_string_start); 
    [2]         strncpy(
                    decrypted_password,
                    (char*)stack_decrypted_string,
                    size_decrypted_password);                 
                return; 
            } 
            [...] 
    [3]    	[... base64 decode ...]                 
        } while( true ); 
    } 
    

This function has three parameters: the _b64_encrypted_password_ parameter is the AES-encrypted and Base64-encoded password string that will be Base64 decoded and then AES decrypted; _decrypted_password_ is the destination buffer where the decoded and decrypted password will be copied;  _size_decrypted_password_ is the size of the _decrypted_password_ buffer. At _[3]_ the _b64_encrypted_password_ string is Base64 decoded and then, at _[1],_ the decoded value is AES decrypted into stack_decrypted_string, a 72-byte long stack buffer. Eventually, at _[2],_ _size_decrypted_password_ bytes will be copied from the _stack_decrypted_string_ buffer into the decrypted_password buffer.

In the _decrypted_password_ only _size_decrypted_password_ bytes will be copied, which will prevent any type of buffer overflow in the _decrypted_password_ buffer.

At _[1]_ the _OpenSSL's EVP_DecryptUpdate_ function will perform the AES decryption of the Base64 decoded user-controlled data into the _stack_decrypted_string_ stack buffer. Because the _stack_decrypted_string_ stack buffer is fixed in size and the decrypted string, provided by a user, can be greater in length than the stack buffer. This can lead to a buffer overflow in the _stack_decrypted_string_ buffer.

Essentially, the login API accepts the password as the Base64 encoding of the AES encryption of the password content. This function is used to decode the Base64 string and then AES decrypts it to obtain the actual password value.  The vulnerability is that the password can overflow a stack buffer overwriting the stack content, including the stored return address.

The exploitation of this vulnerability becomes easier because of the epilogue of this function:

      strncpy(
          decrypted_password,
          (char*)stack_decrypted_string,
          size_decrypted_password);          
      return; 
    

The _decrypted_password_ is a buffer in the function caller stack space where the decoded and decrypted password is saved. In assembly, this looks like:

    ldr r0, [sp,#0xc]  
    bl strncpy  
    add sp, sp, #0x84  
    pop {r4,r5,r6,r7,r8,r9,r10,r11,pc} 
    

The function that copies the plain text password into the _decrypted_password_ array, which is also the last function call before returning to the caller, is _strncpy_. The r0 register is used for passing the first argument of the function; in the case of _strncpy_, _r0_ points to the destination buffer. After the _strncpy_ function call r0 will point to the beginning of the plaintext password.

The fact that the vulnerability considered is a stack buffer overflow, the binary does not have a stack canary, the binary is not PIE and uses the _system_ function in combination with the fact that we control the content of what r0 points to, makes the exploitation straightforward. An attacker could overwrite the return address making the function return to the _system_ function and controlling the executed shell command by placing the command to execute at the beginning of the plaintext password payload, as shown in the gdb screenshot below.

The _pc_ is the last instruction of the _decrypt_string_ function and the return address was overwritten with the system plt entry, know because the binary is not PIE, and the _r0_ registry points to the _controllable_ string. So, the _decrypt_string_ returning will execute _system(“controllable”)_.

**Vulnerability Details**

The following vulnerabilities are command injection issues in Milesight UR32L. These vulnerabilities exist in different functionalities of the router. An attacker could exploit these vulnerabilities by sending a specially crafted network packet to a targeted device:

*   TALOS-2023-1694 (CVE-2023-23550)
*   TALOS-2023-1698 (CVE-2023-22306)
*   TALOS-2023-1699 (CVE-2023-22659)
*   TALOS-2023-1706 (CVE-2023-24519 - CVE-2023-24520)
*   TALOS-2023-1710 (CVE-2023-24582 - CVE-2023-24583)
*   TALOS-2023-1711 (CVE-2023-22365)
*   TALOS-2023-1712 (CVE-2023-22299)
*   TALOS-2023-1713 (CVE-2023-24595)
*   TALOS-2023-1714 (CVE-2023-22653)
*   TALOS-2023-1723 (CVE-2023-25582 - CVE-2023-25583)

There are also several vulnerabilities in the UR32L that could lead to a buffer overflow. An attacker could trigger these vulnerabilities by sending a specially crafted HTTP request or network request to the targeted device, depending on the specific vulnerability.

*   TALOS-2023-1697 (CVE-2023-23902)
*   TALOS-2023-1715 (CVE-2023-24018)
*   TALOS-2023-1716 (CVE-2023-25081 - CVE-2023-25124)
*   TALOS-2023-1718 (CVE-2023-24019)

TALOS-2023-1705 (CVE-2023-23546) is a misconfiguration vulnerability in the Milesight UR32L that could lead to an attacker obtaining increased privileges on the device. The adversary, in this case, would need to carry out a man-in-the-middle attack to exploit this vulnerability.

There is also an access violation vulnerability — TALOS-2023-1696 (CVE-2023-23571) — that could lead to a denial-of-service if the attacker sends the device a specially crafted network request. TALOS-2023-1695 (CVE-2023-23547) can also be exploited with a specially crafted network request, but in this case, can lead to arbitrary file read.

Talos also discovered five vulnerabilities in the MilesightVPN:

*   TALOS-2023-1700 (CVE-2023-22844): Authentication bypass vulnerability
*   TALOS-2023-1701 (CVE-2023-22319): SQL injection vulnerability
*   TALOS-2023-1702 (CVE-2023-23907): Directory traversal vulnerability
*   TALOS-2023-1703 (CVE-2023-22371): Command injection vulnerability
*   TALOS-2023-1704 (CVE-2023-24496 - CVE-2023-24497): Cross-site scripting vulnerability

**Coverage**

The following Snort rules will detect exploitation attempts against these vulnerabilities: 61206 – 61208, 61212, 61255 - 61258, 61266 - 61269, 61395 - 61397. Additional rules may be released in the future and current rules are subject to change, pending additional vulnerability information. For the most current rule information, please refer to your Cisco Secure Firewall or Snort.org.

Taking over Milesight UR32L routers behind a VPN: 22 vulnerabilities and a full chain

Commercial spyware has become so notorious that international governments are taking notice and action against it, as evidenced by the Biden administration’s recent Executive Order on commercial spyware.

Thursday, July 6, 2023 08:07

Attackers have long used commercial products developed by legitimate companies to compromise targeted devices. These products are known as commercial spyware. Commercial spyware operations mainly target mobile platforms with zero- or one-click zero-day exploits to deliver spyware. This threat initially came to light with the leaks of HackingTeam back in 2015, but gained new notoriety with public reporting on the NSO Group, and, in the years that have followed, the landscape has exploded.

There are now numerous companies with similar offerings, like Intellexa, DSIRF, Variston IT, and the newly disclosed Quadream representing just a small subset — there are likely more that are operating covertly today.

Commercial spyware has become so notorious that international governments are taking notice and action against it, as evidenced by the Biden administration’s recent Executive Order on commercial spyware. A recent report from the United Kingdom’s National CyberSecurity Center (NCSC) highlights the accessibility of these tools “lowers the barrier to entry to state and non-state actors in obtaining capability and intelligence.” As recently as June 2023, the European Parliament’s plenary session voted on an ongoing investigation concerning the illicit usage of NSO’s Pegasus and equivalent surveillance spyware by EU member states (PEGA report). In this session, European Parliament members argued that the illicit usage of spyware has put “democracy itself at stake” and called for legislative changes and stricter regulation of the use of commercial spyware. The full press release and report can be found here.

**Commercial spyware companies don't care who is targeted by their products**

Commercial spyware companies advertise their products simply as a means of obtaining access and deny having any knowledge of who their customers’ targets are. This tactic is possibly a means of plausible deniability in the event that illegal targeting of individuals is traced back to their spyware. To avoid legal repercussions, these companies have headquarters in countries that do not have laws governing the export of their products or which classify the entities as IT service providers, effectively removing them from any product liability. These companies can therefore ultimately sell to whomever can pay without regard for who the intended targets are or what the impacts on the victims might be.

Although advertised as “tools” for law enforcement and government agencies strictly intended for legal use, report after report has shown commercial spyware has consistently been used against ethically questionable targets that don't fit the profile of criminals or terrorists. Such targets have repeatedly been journalists, politicians and activists who the host government perceives as competitors or existential threats. While these technologies may exist to fight terrorism and organized crime, their sale and usage must be regulated and subject to scrutiny by judicial authorities at an international level to prevent their misuse and abuse.  

One such example of limited repercussions within a host state is the case where a journalist in Greece was targeted with Predator Spyware, eventually leading to the resignation of Greece’s National Intelligence Service’s director in 2022 and the subsequent ban on the use of commercial spyware in Greece. Earlier in 2022, we also saw the departure of the NSO group’s CEO from the company amid widespread public outrage over the use of their spyware by Israeli Police forces.

**The untethered future of commercial spyware**

Mobile platform developers such as Google and Apple have repeatedly introduced and implemented protections and mitigations in their operating systems. However, commercial spyware providers often use zero-day, zero-click exploits to compromise victims’ mobile devices and are so confident in their ability to repeatedly compromise phones _without getting caught_ that, in some cases, they don't even deploy persistence mechanisms — a simple device reboot is enough to remove the implant from the device. However, a device reboot simply results in the commercial spyware outfit reinfecting the device using the zero-day, zero-click combination they had used during the initial compromise indicating the aggressive nature of these campaigns.

We see no indications that these commercial spyware offerings are slowing down. If anything, they are growing along with the constant availability of exploitable, unpatched/unknown vulnerabilities. Until the international community acts to regulate the technology, very little is going to change. When exposed by researchers, some of these companies just cease to exist. But in reality, they do not shut down, they just rebrand under a different name or merge with others sharing the technology they have produced. A typical example of such a case is the commercial spyware firm Cytrox, which was on the verge of disappearing, but was subsequently “rescued” and is now part of the Intellexa conglomerate.

Private and government organizations have taken steps to legally curb the use of commercial spyware, including attempts to hold them responsible for their actions in the past. Meta, formerly Facebook, is one of the first to move against commercial spyware companies by opening a lawsuit against the NSO Group for leveraging Meta-owned WhatsApp in their infection chain. The Biden administration has also taken an important step in fighting these companies with the Executive Order putting limitations on the U.S. government's ability to use commercial spyware to “discourage the improper use of commercial spyware; and encourage the development and implementation of responsible norms regarding the use of commercial spyware that are consistent with respect for the rule of law, human rights, and democratic norms and values.”

However, limited legal and legislative actions are yet to have an _immediate_ positive effect on curbing the use of commercial spyware. Despite these steps toward limiting the operations of these spyware companies, they are likely to keep operating in any region as long as it's financially and legally feasible. Increasing scrutiny with export regulations, criminal liability and fines may be a way forward towards ensuring that their activity does not go beyond the legitimate purposes they advertise.

**Risk profile**

For almost everyone on the planet, your Apple or Android phone’s built-in security features are more than sufficient to keep you protected. However, the commercial spyware industry has proven that it is easy to compromise targets if you have access to these products and the means to use them. We've seen numerous deeply concerning reports of people being compromised and are commonly met with the news that it was a journalist or dissident. The ability of these companies to repeatedly compromise devices, regardless of patch level, makes protection difficult.

For those that believe they are being or could be targeted by commercial spyware, rebooting the device before contacting a source or switching to lockdown mode might be the only options for the foreseeable future.

If you feel that you have been targeted by commercial spyware, there are also more generic habits that should be part of your daily routine:

*   Reboot your device regularly.
*   Use lockdown mode if your device is an iPhone.
*   Don’t click on links from dubious sources.
*   Don’t accept private messages from unknown persons.
*   If you have to keep a public contact, use an empty device to receive such contacts and reset it frequently.
*   Keep your devices up-to-date.

_If readers suspect their system(s) may have been compromised by commercial spyware or hack-for-hire groups, please consider notifying Talos’ research team at talos-mercenary-spyware-help@external.cisco.com to assist in furthering the community’s knowledge of these threats._

The growth of commercial spyware based intelligence providers without legal or ethical supervision

Apple's emergency patch, AI-generated art and more security headlines from the past week.

Thursday, June 29, 2023 14:06

Welcome to this week’s edition of the Threat Source newsletter.

AI-generated art is causing drama across the internet over the past few months, from Marvel TV show opening credits scenes to predatory YouTubers who claim YOU can make millions by having AI tools create children’s books for you.

There are all sorts of ethical and legal implications that AI-generated art has that I don’t have the space here to cover, but I did think it was worth noting that these tools are already being used in cyber attacks and online scams.

These tools can create extremely convincing deepfake art that could lead to the spread of misinformation or disinformation, especially concerning major news events and political figures. I’ve written about this in the newsletter before.

There are also dozens of apps that promise to create convincing AI art or portraits of people serving another malicious purpose. As McAfee pointed out in this blog post, some Android apps offered to “zhuzh up” users’ profile pictures with AI filters but were actually trojanized apps with hidden information stealers. And at the end of the day, they were all using the same basic filters. Many of these apps could also be stealing and re-using the pictures users submitted to these apps (remember the saga of the app that showed what it would be like when you got old?).

I have more to get to this week, so I’m not going to go much deeper into the subject, but as always, be vigilant of apps’ privacy policies and do a quick background check on their creators before downloading something hoping to create a Skrull version of yourself.

I’m also excited to show off this new video featuring a behind-the-scenes interview with Talos.

This video from Cisco Secure shines a spotlight on the evolution and future of ransomware. Watch it below or over on Cisco.com here to find out how our threat hunters identify new and evolving threats in the wild, and how their research and intelligence help organizations build strong defenses.

**The one big thing**

Apple released an emergency patch last week for all its operating systems for two zero-click vulnerabilities that could allow an attacker to completely take over a targeted device. The two vulnerabilities, identified as CVE-2023-32434 and CVE-2023-32435, were used to reportedly compromise phones in Russia. The issues were part of the so-called Triangulation spyware discovered on iPhones of employees of Kaspersky, a Russia-based cybersecurity company, but the malware was removed from phones after a device reboot.

**Why do I care?**

The chances of being targeted by the Triangulation spyware is slim-to-none based on what the security community knows to this point, but either way, the existence of a zero-day vulnerability in iOS is always big news. Apple encouraged users to upgrade to iOS 16.5.1 and iPadOS 16.5.1 for users of those devices. The company also said that CVE-2023-32434 "may have been actively exploited against versions of iOS released before iOS 15.7."

**So now what?**

All Apple users should update these affected products as soon as possible. The U.S. Cybersecurity and Infrastructure Security Agency also released an advisory telling “users and administrators to review \[Apple’s\] advisories and apply the necessary updates.”

**Top security headlines of the week**

The self-identifying hacktivist group “Anonymous Sudan” is **more active than initially thought.** While researchers are still unsure as to the group’s connections to any nation-states, the group says it’s advocating on behalf of Sudan. It first came onto the scene earlier this month, taking credit for a distributed denial-of-service attack against Microsoft that affected Outlook. Now, researchers are saying their activities actually started prior to that with attacks targeting Israel, Sweden and other nations earlier this year. Microsoft confirmed last week that a Layer 7 DDoS attack was responsible for outages affecting Azure, Outlook and OneDrive, saying that, “these attacks likely rely on access to multiple virtual private servers (VPS) in conjunction with rented cloud infrastructure, open proxies, and DDoS tools” and that there is “no evidence that customer data has been accessed or compromised." (Bloomberg, Bleeping Computer)

**The list of companies affected by the MOVEit breach continues to grow.** Clop, the threat actor behind the attacks, added Schneider Electric and Siemens Energy — two major electric corporations — to its leak site this week. The University of California Los Angeles (UCLA) also confirmed it discovered on June 1 that it was the target of the campaign, though it quickly engaged the college’s incident response team and patched the issue. Since the attack went public, Clop’s leak site mainly called out seven U.S. state and local governments, including the nation’s largest public-employee pension fund — the California Public Employees’ Retirement System. And the New York City public school system was also affected, with more than 45,000 students having their personal data stolen, including sensitive information like Social Security numbers. (The Record by Recorded Future, CyberScoop)

**The FBI seized the domain belonging to the infamous hacking site BreachForums,** three months after arresting its creator. Users of BreachForums were known for sharing and selling stolen personal data from a variety of websites and companies. BreachForums was quiet for several weeks after the admin, known as “Pompompurin,” was arrested. However, the site’s newest admin decided to launch the site on new servers earlier this month. In addition to the usual display of the law enforcement agencies’ logos who were involved in the takedown, BreachForums’ homepage now also displays an image of the avatar Pompompurin used in handcuffs. (TechCrunch, Infosecurity Magazine)

**Can’t get enough Talos?**

*   Service overview: Talos Incident Response purple team
*   Vulnerability Spotlight: Use-after-free condition in Google Chrome WebGL
*   Video: How Talos’ open-source tools can assist anyone looking to improve their security resilience
*   Talos Takes Ep. #144: What we know so far about the MOVEit zero-day making the rounds

**Upcoming events where you can find Talos**

**BlackHat** **(Aug. 5 - 10)**

Las Vegas, Nevada

**Grace Hopper Celebration (Sept. 26 - 29)**

Orlando, Florida

> _Caitlin Huey, Susan Paskey and Alexis Merritt present a "Level Up Lab" titled "Don’t Fail Knowledge Checks: Accelerating Incident Response with Threat Intelligence." Participate in several fast-paced activities that emphasize the importance of threat intelligence in security incident investigations. Attendees will act as incident responders investigating a simulated incident that unfolds throughout this session. Periodic checkpoints will include discussions that highlight how incident response and threat intelligence complement each other during an active security investigation._

**Most prevalent malware files from Talos telemetry over the past week**

**SHA 256:** 5616b94f1a40b49096e2f8f78d646891b45c649473a5b67b8beddac46ad398e1  
**MD5:** 3e10a74a7613d1cae4b9749d7ec93515  
**Typical Filename:** IMG001.exe  
**Claimed Product:** N/A  
**Detection Name:** Win.Dropper.Coinminer::1201

**SHA 256:** 59f1e69b68de4839c65b6e6d39ac7a272e2611ec1ed1bf73a4f455e2ca20eeaa  
**MD5:** df11b3105df8d7c70e7b501e210e3cc3  
**Typical Filename:** DOC001.exe  
**Claimed Product:** N/A  
**Detection Name:** Win.Worm.Coinminer::1201

**SHA 256:** a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91  
**MD5:** 7bdbd180c081fa63ca94f9c22c457376  
**Typical Filename:** c0dwjdi6a.dll  
**Claimed Product:** N/A  
**Detection Name:** Trojan.GenericKD.33515991

**SHA 256:** e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c  
**MD5:** a087b2e6ec57b08c0d0750c60f96a74c  
**Typical Filename:** AAct.exe  
**Claimed Product:** N/A  
**Detection Name:** PUA.Win.Tool.Kmsauto::1201

**SHA 256:** 00ab15b194cc1fc8e48e849ca9717c0700ef7ce2265511276f7015d7037d8725  
**MD5:** d47fa115154927113b05bd3c8a308201  
**Typical Filename:** mssqlsrv.exe  
**Claimed Product:** N/A  
**Detection Name:** Trojan.GenericKD.65065311

New video provides a behind-the-scenes look at Talos ransomware hunters

A Purple Team exercise is a collaborative approach between offensive (Red) teams and defensive (Blue) teams.

Thursday, June 29, 2023 08:06

Purple Team exercises are included within the Cisco Talos Incident Response Retainer service and our experts can help your organization find security holes before the bad guys can.

As your trusted advisor, our purple team, which is a combination of both red and blue teams, emulates one joint attack scenario, executes the scenario, and records how your current incident response capabilities perform to evaluate your current gaps and inform future enhancements.

Can your organization’s current security incident response program withstand an emulated adversarial attack? Need to put your current TTPs detections to the test? Not sure where to start, what to test, or what gaps exist in your program? No fear, Talos IR can partner with you to provide Purple Team expertise and exercises, tailored for your organization to proactively test and enhance your prevention, detection and response capabilities.

During the Purple Team exercise, an external Red Team acts as an Advanced Persistence Threat (APT) actor while the Talos IR Blue Team, together with the organization’s defender team, is responsible for detecting those activities and responding to the attack in accordance with the existing security procedures.

If you want to learn more about Talos IR's Purple Team, tune into the next Talos IR On Air stream on July 27 at 12 p.m. ET. The stream will be available live on Talos' Twitter and LinkedIn, with a replay going up shortly after on our YouTube page.

Organizations of all sizes can benefit from the Purple Team exercises Cisco offers to proactively test your current cybersecurity risks and solidify your team’s TTPs and increase your overall security knowledge in advance of a cybersecurity incident.

**Purple Team value for joint teams**

Cisco can partner with you to provide Purple Team expertise and exercises, tailored for your organization, to proactively test and enhance your detection and response capabilities. A Purple Team exercise is a collaborative approach between offensive (Red) teams and defensive (Blue) teams. The Red Team emulates adversary TTPs, while the Blue Team, which consists of seasoned Talos IR responders, works side-by-side with your organization’s defenders to detect and respond to those attacks. During the exercise, the Blue Team is challenged to use the organization’s existing internal security TTPs policies and procedures and test available security tooling. This type of dynamic emulation helps proactively identify any gaps in training and resources and increases the organization’s security awareness and preparedness for the future.

These Purple Team exercises also help organizations optimize their security investments by identifying weaknesses in their current security toolsets. Once these gaps are identified and shared your organization has more insightful data to support future cybersecurity solutions investments. Making informed decisions about where to allocate resources will mitigate the risk of wasting resources on ineffective cybersecurity solutions and can ensure your financial investments are optimized to meet your needs today and tomorrow.

Purple Team exercises also offer a valuable opportunity for knowledge exchange between members of the Blue and Red Teams.

*   The Red Team learns more from the Blue Team about the different security controls that are in place and tries to identify new ways to circumvent these controls.
*   The Blue Team, on the other hand, gains insights into the specific techniques used by the adversaries to compromise the environment, including specific tools and attack scripts.

Internal defenders, employed by the organization, use the firsthand experience from the Purple Team to update and optimize their monitoring and detection capabilities and build new processes.

**Testing approach and steps**

Purple Team exercises have been designed around the MITRE ATT&CK Framework to provide common terminology for identifying and blocking commonly used adversarial TTPs.

During the engagement, Talos Red Team and Talos Incident Response teams work together with the customer’s team to exchange knowledge about common attacks and corresponding detection. The responders from Talos IR collaborated closely with the customer security teams to properly identify all techniques executed by Talos Red Team and verify the defense’s actions. The workshop-style Purple Team engagement increases team trust among members of the internal security team and creates a base to improve the overall organization’s resilience against active threats. With clearly defined steps Talos IR collaborates with your organization’s security teams to properly identify all techniques executed by Talos Red Team and verifies the recorded activity.

The Purple Team exercise starts with the customer and Cisco Talos jointly defining and testing attack scenarios based on the organization’s existing security capabilities. An important part of this process is an evaluation of the strengths and weaknesses across different deployed security capabilities and the identification of areas of concern.

The final scenario is uniquely crafted to meet the risk concerns of the organization in terms of protecting its environment and “crown jewel” assets. A document with scenario details is agreed upon with the organization’s representatives before launching the agreed attack. Throughout the active execution of the attack, the Cisco Talos team will document the response of the security team by collecting detailed notes on topics such as the coverage of the security capabilities, availability of telemetry to detect and analyze the TTPs and, finally, the overall organization.

Integrating threat intelligence into our exercises helps organizations better understand the threats that they face and identify potential vulnerabilities in their security defenses. The intelligence data from Cisco Talos is a key differentiator of our Purple Team capabilities. The Cisco Talos team incorporates threat intelligence data from historical threats related to your organization's unique industry vertical and geography, as well as information on current adversary activity to create your tailored attack scenario. To protect your organization, Cisco Talos offers publicly available Threat Assessment Reports, which are published quarterly and yearly, and are an integral component used to build scenarios based on the latest threat intelligence. The final scenario aims to emulate as closely as possible a specific real-life threat that was analyzed by Talos in the wild, often leveraging existing research on observed threats and direct emergency response experience.

The outcome of the Purple Team exercise heavily relies on visibility into the organization's environment. The Security Operations Team within your organization relies on the existence of sufficient logs and properly configured security tools to quickly identify threats targeting the environment and stop them at an early stage. Verification of detection capabilities and visibility gives the team insights about potential gaps and better preparation for incidents.

Below is a list of standard tools that the Purple Team could use depending on the specific needs of the engagement:

*   Antivirus and Endpoint Detection and Response (EDR)
*   Traditional, Next-Generation and Web Application Firewall(s)
*   NetFlow and Network Telemetry
*   Email Server and Security Appliance Logs
*   DNS Security and Visibility Logs
*   Operating System and Application Logs
*   Auxiliary Operating System Logs
*   Proxy Network Logs
*   Application Logs
*   Data Loss Prevention Logs

**Attack scenario execution**

During the delivery of a Purple Team exercise, Talos IR team supports actively but non-intrusively the security team with detection and identification activities. As the Talos Red team executes step-by-step the pre-defined attack, compromising selected hosts or parts of the environment, Talos IR, in collaboration with the customer’s security team, works on detection across applicable security capabilities and cross-referencing logs to gain full identification of the attack.

For each TTP used by the attacker, the Talos IR team documents the following attributes of the security team’s response:

*   Logged, Alerted, and Mitigated
*   Logged and Alerted
*   Logged and Mitigated
*   Alerted and Mitigated
*   Not Detected

This type of detailed documentation builds up the foundation for the post-exercise report.

**Attack scenario results and reporting**

The Purple Team engagement concludes with a report and a debrief session. The report summarizes the overall activities during the exercise, the preparatory actions in the scenario-building phase, and the results of the detection and response verification. This engagement report serves as a foundation for future improvement of environment detection capabilities and paves the way for enhanced security resilience of the company.

Please contact your Cisco Account Team representatives or directly email Talos IR if you are interested or have questions regarding our new Purple Team service.

How Talos IR’s Purple Team can help you prepare for the worst-case scenario

TALOS-2023-1724 (CVE-2023-1531) occurs if the user opens a specially crafted web page in Chrome.

Monday, June 26, 2023 12:06

Cisco Talos recently discovered an exploitable use-after-free vulnerability in Google Chrome’s Web Graphics Library (WebGL).

Google Chrome is a cross-platform web browser — and Chromium is the open-source version of the browser that both Google and other software developers use as the basis to build their browsers. This specific vulnerability exists in WebGL, a JavaScript API that renders 2-D and 3-D graphics.

TALOS-2023-1724 (CVE-2023-1531) occurs if the user opens a specially crafted web page in Chrome. That page could trigger a use-after-free condition in the application. Adversaries often leverage use-after-free conditions to corrupt data on the targeted machine or purposefully leak data.

Cisco Talos worked with Google to ensure that this issue is resolved and an update is available for affected customers, all in adherence to Cisco’s vulnerability disclosure policy.

Users are encouraged to update these affected products as soon as possible: Google Chrome, version 110.0.5481.78 (64-bit) and Chromium, version 112.0.5592.0 (64-bit). Talos tested and confirmed these versions of Chrome could be exploited by this vulnerability.

The following Snort rules will detect exploitation attempts against this vulnerability: 61412 and 61413. Additional rules may be released in the future and current rules are subject to change, pending additional vulnerability information. For the most current rule information, please refer to your Cisco Secure Firewall or Snort.org.

Vulnerability Spotlight: Use-after-free condition in Google Chrome WebGL

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between June 16 and June 23. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key

Threat Roundup for June 16 to June 23

These clinics offers pro-bono cybersecurity services — like incident response, general advice and ransomware defense — to community organizations, non-profits and small businesses that normally couldn’t afford to pay a private company for these same services.

Thursday, June 22, 2023 14:06

Welcome to this week’s edition of the Threat Source newsletter.

I recently stumbled upon news that the University of Texas at Austin is launching a new cybersecurity clinic run by faculty and students studying security and IT at the university. This clinic offers pro-bono cybersecurity services — like incident response, general advice and ransomware defense — to community organizations, non-profits and small businesses that normally couldn’t afford to pay a private company for these same services.

That news led me to another discovery: Clinics like these are actually more common than you’d think.

Though UT Austin’s clinic is one of the newest ones to exist in the U.S., similar programs at the University of California Berkeley and the University of Indiana have been around for four-plus years. And in 2021, several universities got together to create the Consortium of Cybersecurity Clinics. Today, that Consortium has 14 members who have similar clinics that offer similar, free, services.

Maybe this is old news to many readers, but it’s all new to me, and it also seems like a no-brainer.

The cybersecurity world is always discussing the skills gap that exists and a high burnout rate among defenders, leading to a dearth of security practitioners in the private and public sectors. These types of clinics can help solve that gap by giving students on-hands training and experience they can eventually take into the field while helping to support organizations that are often most at risk for falling victim to a cyber attack. Small organizations don’t have the traditional resources to build a security program, and if they’re hit with a ransomware attack, they’re also more likely to do whatever allows them to return to “normal” as soon as possible, which often means paying the ransom.

Universities have long used clinic methods to train future professionals in the medical and legal fields, so they already have the infrastructure and funding in place to support these types of programs.

Reading about these clinics reminded me of working at my collegiate newspaper. Although writing about a student government association isn’t as high stakes as trying to recover from a ransomware attack, I can confidently say that gaining real-world experience is far more valuable than anything you can learn in a classroom.

Working at the paper taught me how to be a better communicator, and how to treat people fairly and it just made me a better writer in general by getting reps in.

I’m somehow already two years removed from going back to college for a cybersecurity education, but I would have relished the opportunity to work in a clinic like this as opposed to reading another textbook or going through one more coding exercise.

I’m assuming I’m not the only person late to the party on these clinics, so I only hope this serves as a PSA to someone that these options exist for students and organizations.

**The one big thing**

Cisco Talos is monitoring recent reports of exploitation attempts against CVE-2023-34362, a SQL injection zero-day vulnerability in the MOVEit Transfer managed file transfer (MFT) solution that has been actively targeted since late May 2023. Successful exploitation could lead to remote code execution (RCE), allowing unauthenticated adversaries to execute arbitrary code to support malicious activity, such as disabling anti-virus solutions (AV) or deploying malware payloads. The Clop ransomware group has claimed responsibility for exploiting the vulnerability to deploy a previously unseen web shell, LemurLoot, to exfiltrate victims’ data and extort payments.

**Why do I care?**

The exploitation of this vulnerability has already affected many organizations across the globe, including the BBC, British Airways, the government of Nova Scotia and U.K. pharmacy chain Boots. This clearly has wide-reaching implications, and security researchers are already discovering other vulnerabilities in MOVEit, though those aren’t being exploited in the wild.

**So now what?**

Talos has a list of recommendations over on our blog that potential targets should take. First and foremost, though, users should implement the patch that Progress Software released for CVE-2023-34362. Additionally, Talos released new ClamAV signatures and Snort rules to detect and prevent the exploitation of the MOVEit vulnerabilities.

**Top security headlines of the week**

Microsoft identified that a **group of actors connected to Russia’s GRU is behind a recent wave of cyber attacks against Ukrainian government agencies and information technology vendors**. The same report linked this actor, now known as “Cadet Blizzard,” to a series of data-wiping attacks that took place right before Russia’s invasion of Ukraine last year. Cadet Blizzard also appears to target NATO member countries who are supporting Ukraine during the military conflict and sending aid to the country. The actor typically uses stolen credentials to gain access to targets’ internet servers on the perimeter of their network. Then, it uses web shells to maintain persistence and carry out a variety of malicious actions. Outside of the wiper campaign in 2022, Cade Blizzard is largely considered to be less successful than other GRU-connected threat actors. (Microsoft, Yahoo! News)

The U.S. Department of Justice is adding a **new unit to its organization that will specifically focus on prosecuting state-sponsored threat groups** and individuals behind cyber attacks. The new National Security Cyber Section will be on the same footing as the organization’s three other sectors that also prosecute other types of crimes and terrorism. This new organization is “positioned to act quickly as soon as the FBI or an \[intelligence community\] partner identifies a cyber enabled threat and we will be in a position to support investigations and disruption,” according to a news release from the Department of Justice. The Department of Justice has taken a harder stance against cyber attacks in recent months and has specifically charged and arrested several high-profile threat actors during the Biden administration’s time in office. (Recorded Future, CyberScoop)

**U.S. President Joe Biden convened a group of AI experts and companies to discuss the dangers the new technologies pose to privacy, the U.S. economy and more,** this week. "My administration is committed to safeguarding America’s rights and safety, from protecting privacy to addressing bias and disinformation to making sure AI systems are safe before they are released," Biden said after the meeting. Vice President Kamala Harris is also expected to meet with civil rights leaders, consumer protection groups and AI experts to discuss the inherent biases in AI models and the rise of these technologies in mainstream culture. (NBC News, Politico)

**Can’t get enough Talos?**

*   Talos Takes Ep. #143: The hidden threat to the software supply chain you may not be thinking about
*   Threat Roundup (June 9 – 16, 2023)
*   No Password Required: Threat Researcher at Cisco Talos and a Veteran of the Highest-Profile Cyber Incidents Who Roasts His Own Coffee Beans
*   Cisco releases new security offerings at Cisco Live 2023
*   Video: How Talos’ open-source tools can assist anyone looking to improve their security resilience

**Upcoming events where you can find Talos**

**BlackHat (Aug. 5 - 10)**

Las Vegas, Nevada

**Most prevalent malware files from Talos telemetry over the past week**

**SHA 256:** a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91  
**MD5:** 7bdbd180c081fa63ca94f9c22c457376  
**Typical Filename:** c0dwjdi6a.dll  
**Claimed Product:** N/A  
**Detection Name:** Trojan.GenericKD.33515991

**SHA 256:** e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c  
**MD5:** a087b2e6ec57b08c0d0750c60f96a74c  
**Typical Filename:** AAct.exe  
**Claimed Product:** N/A  
**Detection Name:** PUA.Win.Tool.Kmsauto::1201

**SHA 256:** 00ab15b194cc1fc8e48e849ca9717c0700ef7ce2265511276f7015d7037d8725  
**MD5:** d47fa115154927113b05bd3c8a308201  
**Typical Filename:** mssqlsrv.exe  
**Claimed Product:** N/A  
**Detection Name:** Trojan.GenericKD.65065311

**SHA 256:** e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934  
**MD5:** 93fefc3e88ffb78abb36365fa5cf857c  
**Typical Filename:** Wextract  
**Claimed Product:** Internet Explorer  
**Detection Name:** PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg

**SHA 256:** a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91  
**MD5:** 7bdbd180c081fa63ca94f9c22c457376  
**Typical Filename:** c0dwjdi6a.dll  
**Claimed Product:** N/A  
**Detection Name:** Trojan.GenericKD.33515991

Cybersecurity hotlines at colleges could go a long way toward filling the skills gap

A rundown of Talos open-source software tools, which anyone in the security community can download for free, and use for research, skills, training, or integration into existing security infrastructure.

Thursday, June 22, 2023 08:06

Cisco Talos’ remit is not just to protect our customers from cyber attacks. We also strive to make the internet a better and safer place.

That’s one of the reasons why we create and release open-source software, for free. These tools are available to anyone in the security community to enhance their skills or to use and develop within their security operations.

We currently have 27 tools, all of which are available to download on our website at talosintelligence.com/software and on GitHub.

Here are the categories that you can find our open-source tools in:

*   Detection and protection engines: Software suites that can work alone or be integrated into broader security systems.
*   Decrytors for decrypting various samples of malware or ransomware.
*   Professional tools for malware analysis and the discovery of vulnerabilities.

In a newly released video from Talos, Martin Lee, our EMEA lead for Strategic Planning and Communications, discusses these categories and how defenders can use our open-source tools:

**Snort**

Our most well-known open-source tool is Snort, which is a leading intrusion prevention and detection system. It is the same engine that is included in Cisco Secure Firewall.

Anyone can download Snort and use it in their security operations to protect against network attacks and/or develop their own network rules.

In this episode of ThreatWise TV, Cisco Talos researchers Brandon Stultz and Nick Mavis not only provide a great overview of Snort 3.0, they also touch on the type of vulnerabilities that tend to trigger the most Snort signatures:

Check out the range of Talos open-source tools available, and do keep the security community informed of how you’re developing them so that we can all learn from each other.