App-based multi-factor authentication — which is still free on Twitter — is safer than SMS MFA. So in theory, forcing people to pay for it would make them less likely to use it and switch to the free option.

Thursday, February 23, 2023 14:02

Welcome to this week’s edition of the Threat Source newsletter.

Social media’s latest business plan seems to be charging for security.

Twitter recently announced a plan to make SMS-based two-factor authentication a paid service as part of Twitter Blue — asking users to pay either $8 or $11 monthly for the feature set. Meta, Facebook’s parent company, also announced a new pay-for-verification service on Facebook and Instagram that will allow users to pay up to $14 a month for “a verified badge that authenticates your account with government ID, proactive account protection, access to account support, and increased visibility and reach.”

The Twitter plan falls into a gray area for me. I’ve talked to experts who pointed out that app-based multi-factor authentication — which is still free on Twitter — is safer than SMS MFA. So in theory, forcing people to pay for it would make them less likely to use it and switch to the free option.

However, among all Twitter users who utilize MFA, more than 74 percent of them opt into SMS-based authentication. Based on the estimated number of Twitter users (more than 353 million) and the total amount of users who use any type of MFA (2.6 percent), that means about 6,845,841 accounts will be forced to pay to continue their use of SMS-based authentication or switch to an app-based method.

Many of these users may switch to Twitter Blue or find a new way to keep MFA on their accounts. Many of them will just drop the feature altogether. I would argue any good social media company needs to keep its users’ safety a priority no matter what.

Things like making sure you can’t be impersonated on a site seem like it would be a basic expectation when you give up the amount of personal information you already must to sign up. And many consumers (especially someone who’d be considered the “Average Joe”) do not want to spend time downloading a new MFA app and completing the setup process.

Even the security savvy are growing tired of having to download multiple MFA apps for various uses, leaving password managers as the clearest path to a safe login (but those aren’t foolproof, either).

Meta and Twitter users who don’t want to pay for the additional protections have a few other options to improve their account’s security:

*   Purchase a physical security key that generates a unique code each time you go to log into your account.
*   Enroll in app-based multi-factor authentication (like Cisco Duo), which is still free to use on Twitter.
*   If you’re setting up an MFA app for the first time, follow the U.S. Cybersecurity and Infrastructure Security Agency’s guidelines for implementing phishing-resistant MFA.
*   If you opt to not enroll in any sort of MFA, use a password management program to generate a new, random password with a mix of characters and cases and store it securely using the program. But app-based MFA is always the safest option.

**The one big thing**

An unknown actor is deploying the new MortalKombat ransomware a GO variant of the Laplas Clipper malware, to steal cryptocurrency from victims. Talos researchers have seen several campaigns targeting individuals, small businesses and large organizations that aim to steal or demand ransom payments in cryptocurrency.

**Why do I care?**

MortalKombat (yes, a reference to that “Mortal Kombat”) is a new ransomware that just appeared in January, so we still know relatively little about this malware family, though new protections are now available from Talos. While cryptocurrency’s value is down across the board, that doesn’t mean attackers have stopped caring about it, and it’s still the safest way for attackers to make money without being tracked.

**So now what?**

Talos released several new Snort rules and ClamAV signatures to protect against the threats we outlined in last week’s blog post. Cisco Secure Endpoint users can also use Orbital Advanced Search to run complex OSqueries to see if their endpoints are infected with this specific threat.

**Top security headlines of the week**

**The Clop ransomware gang claims its recently breached more than 130 organizations**, many of them related to health care, with a large chunk affecting CHS Healthcare patients. CHS reported the breach to the U.S. Securities and Exchange Commission, saying that the attack targeted GoAnywhere MFT, a managed file transfer product. The filing stated the breach affected up to 1 million individuals. Members of Clop said it exploited the security flaw, CVE-2023-0669, which enables them to gain remote code execution on unpatched GoAnywhere MFT instances with their administrative console exposed to the internet. The breaches took place over the course of 10 days earlier this year. (Bleeping Computer, Ars Technica)

**The FBI said it recently “contained” a security incident** on its computer network, offering sparse details otherwise. “The FBI is aware of the incident and is working to gain additional information,” the bureau said in a statement to news network CNN. “This is an isolated incident that has been contained. As this is an ongoing investigation the FBI does not have further comment to provide at this time.” The report also indicates that the attack specifically targeted the portion of the FBI’s network it uses in investigations of images of child sexual exploitation. (CNN, InfoSecurity)

**Data brokers are increasingly relying on information from virtual therapy apps to profit from users’ information.** A new study from Duke University found that one firm even charged $100,000 a year for a "subscription" service to data that included information on individuals’ mental health conditions. This data included highly sensitive information, such as a person’s demographics, and what ailments they’ve reported, including depression, OCD, bipolar disorder and strokes. Virtual therapy apps have become increasingly popular among the American population, especially during the COVID-19 pandemic. They offer a cheaper and more accessible option to patients who often find it difficult to find therapy providers that accept insurance. (PBS, Washington Post, Duke University)

**Can’t get enough Talos?**

*   Crypto investors under attack by new malware, reveals Cisco Talos
*   Microsoft Patch Tuesday for February 2023 — Snort rules and prominent vulnerabilities
*   Beers with Talos Ep. #130: Ransomware is a people problem (but getting rid of email helps)

**Upcoming events where you can find Talos**

**WiCyS** **(March 16 - 18)**

Denver, CO

**RSA** **(April 24 - 27)**

San Francisco, CA

**Most prevalent malware files from Talos telemetry over the past week**

  
**SHA 256:** e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934  
**MD5:** 93fefc3e88ffb78abb36365fa5cf857c  
**Typical Filename:** Wextract  
**Claimed Product:** Internet Explorer  
**Detection Name:** PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg

**SHA 256:** e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c  
**MD5:** a087b2e6ec57b08c0d0750c60f96a74c  
**Typical Filename:** AAct.exe  
**Claimed Product:** N/A  
**Detection Name:** PUA.Win.Tool.Kmsauto::1201

**SHA 256:** 00ab15b194cc1fc8e48e849ca9717c0700ef7ce2265511276f7015d7037d8725  
**MD5:** d47fa115154927113b05bd3c8a308201  
**Typical Filename:** mssqlsrv.exe  
**Claimed Product:** N/A  
**Detection Name:** Trojan.GenericKD.65065311

**SHA 256:** de3908adc431d1e66656199063acbb83f2b2bfc4d21f02076fe381bb97afc423  
**MD5:** 954a5fc664c23a7a97e09850accdfe8e  
**Typical Filename:** teams15.exe  
**Claimed Product:** teams15  
**Detection Name:** Gen:Variant.MSILHeracles.59885

**SHA 256:** 59f1e69b68de4839c65b6e6d39ac7a272e2611ec1ed1bf73a4f455e2ca20eeaa  
**MD5:** df11b3105df8d7c70e7b501e210e3cc3  
**Typical Filename:** DOC001.exe  
**Claimed Product:** N/A  
**Detection Name:** Win.Worm.Coinminer::1201

Threat Source newsletter (Feb. 23, 2023) — Social media sites are making extra security a paid

Two of the vulnerabilities are considered to be considered of critical importance, with a CVSS score of a maximum 10 out of 10.

Thursday, February 23, 2023 09:02

_Jared Rittle of Cisco Talos discovered these vulnerabilities._

Cisco Talos recently discovered three vulnerabilities in EIP Stack Group OpENer, an ethernet/IP stack for I/O adapter devices, that could allow an attacker to cause a targeted server to crash or open the door to remote code execution.

Two of the vulnerabilities, TALOS-2022-1662 (CVE-2022-43605) and TALOS-2022-1661 (CVE-2022-43604) are considered to be considered of critical importance, with a CVSS score of a maximum 10 out of 10.

An adversary could exploit either of these vulnerabilities with an ethernet/IP request targeted at two functions on the software. These malicious requests could lead to an out-of-bounds write, potentially causing the server to crash or allowing the adversary to execute remote code on the targeted server.

TALOS-2022-1663 (CVE-2022-43606) is also caused by a specially crafted ethernet/IP request, but in this case, could lead to the use of a null pointer, potentially causing the server to crash.

Cisco Talos worked with EIP Stack Group to ensure that these issues are resolved and an update is available for affected customers, all in adherence to Cisco’s vulnerability disclosure policy.

Users are encouraged to update these affected products as soon as possible: EIP Stack Group OpENer, development commit 58ee13c. Talos tested and confirmed these versions of OpENer could be exploited by these vulnerabilities.

The following Snort rules will detect exploitation attempts against this vulnerability: 60983 – 60985. Additional rules may be released in the future and current rules are subject to change, pending additional vulnerability information. For the most current rule information, please refer to your Cisco Secure Firewall Management Center or Snort.org.

Vulnerability Spotlight: EIP Stack Group OpENer open to two remote code execution vulnerabilities

Talos is publishing a glimpse into the most prevalent threats we've observed between Feb. 10 and Feb. 17.

Threat Round up for February 10 to February 17

Jon is back from parental leave and recapping the top security stories from late 2022 and early 2023 that totally blew by him.

Thursday, February 16, 2023 14:02

Welcome to this week’s edition of the Threat Source newsletter.

I am back after more than three months away from Talos on parental leave. Having a baby really resets your expectations for “keeping up” with the world. From November through mid-January or so I had no idea what was going on with the outside world, I only cared about my daughter’s feeding schedule and tried to squeeze in 30-minute naps where I could.

I’ve slowly started to re-introduce myself to social media and the news world at large over the past few weeks so my return to work wasn’t so abrupt, and I missed quite a bit. There was a stretch there where I was only getting the latest headlines from Weekend Update on “Saturday Night Live.”

My teammates Madison Burns and Bill Largent did a fantastic job filling in for me on the newsletter while I was out, but I figured it was worth taking the time to recap some major stories it seemed like I missed since Nov. 1.

Maybe our readers were also distracted during this period, it was the holidays after all and it’s easy for stories to slip through the cracks while we all have so much going on. Here are a few major trends and storylines that stood out to me while I caught up on the top security stories of late 2022 and early 2023.

*   **The Russia-Ukraine war continues to evolve on all fronts**, and the cyber attacks certainly haven’t slowed. Ukraine reported several state-sponsored attacks in early 2023, including against the country's national news agency. The infamous WhisperGate malware came back, too, looking to wipe data and steal sensitive information from high-profile Ukrainian targets. And the Gamaredon APT continues to do its thing. Thankfully, defenders made some headway in combatting Russian state-sponsored groups, as I’ll cover below.
*   **The spyware industry** **boomed in 2022** and I suspect we’ll be hearing a lot about it going forward. This type of borderline-illegal software installed on users’ phones can track their every move and message and is often used to target high-profile users like politicians, activists and journalists. Spyware is proliferating all over the world and is now being used by many countries’ governments, including the U.S. But President Joe Biden’s administration has several moves in the works to try and combat foreign company’s spyware from making onto Americans’ phones.
*   **The Lapsus$ ransomware group is still one of the most prolific threat actors out there.** Cisco Talos researchers have extensively covered Lapsus$ throughout 2022, but it struck several times in late 2022 and early 2023, including threatening to leak “League of Legends’” source code and breaching authentication company Okta. That’s on top of other major attacks from earlier in ‘22 against T-Mobile, Uber and more.
*   AI is all over the place, from art, to voice acting and now full-on search engines. One of the most controversial tools, ChatGPT, has already entered the malware space. The chatbot, released in November, has already shown it can write "polymorphic" malware that can repeatedly mutate to avoid traditional detection methods. Scammers and threat actors are also using  ChatGPT to generate convincing spear-phishing emails quickly and impersonate people the targeted user may personally know.

**The one big thing**

This month’s Microsoft Patch Tuesday updates included three zero-day vulnerabilities that the company says are being actively used in attacks in the wild. CVE-2023-23376, CVE-2023-21715 and CVE-2023-21823 have all already been spotted in active attacks, according to Microsoft’s monthly patch release. In all, Microsoft disclosed 73 vulnerabilities. Of these vulnerabilities, eight are classified as “critical,” 64 are classified as “important” and one vulnerability is classified as “moderate.”

**Why do I care?**

The most severe of the issues disclosed Tuesday is CVE-2023-21823, a Windows graphics component remote code execution vulnerability. An attacker could exploit this vulnerability to gain System-level privileges. Outside of that, it’s always important to update all Microsoft products anyway after a Patch Tuesday.

**So now what?**

Users of any Microsoft products should apply these updates as soon as possible. Additionally, Talos released new Snort rules that detect attempts to exploit some of these vulnerabilities. Cisco Secure Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

**Top security headlines of the week**

Several Russian nationals are facing new sanctions and have been unmasked as members of the Trickbot and Conti ransomware gangs. The actors are involved in various activities with these groups, ranging from developing ransomware code, to money laundering and managing command and control servers. The U.S. and U.K. governments also made a renewed push to unmask and name many of these actors, removing their anonymity and making it more difficult for them to operate in secrecy. Recent studies have shown that these types of sanctions are working to slow Russian state-sponsored ransomware attacks. (Wired, CPO Magazine)

While much of the headlines recently have centered around the infamous Chinese spy balloon and other unknown objects the U.S. military keeps shooting out of the sky, global government officials are warning that China’s cyber attack capabilities are still the most pressing threat. Taiwan’s government has already been the target of several high-profile defacement attacks in recent years, and the country recently established an entirely new government bureau to bolster its cyber security capabilities. The FBI’s Director is also offering new services and olive branches to private security companies who are looking to combat China’s growing surveillance and cyber capabilities. (Bloomberg, Wall Street Journal)

Social media site Reddit says it was the recent target of a “sophisticated and highly targeted phishing attack.” The adversaries gained access to “documents, code and some internal business systems,” though the company said no usernames or passwords are affected. Attackers duped a Reddit employee into approving a multi-factor authentication push notification, though the employee acted quickly and notified Reddit’s security team immediately upon realizing their mistake. (Dark Reading, Reddit)

**Can’t get enough Talos?**

*   New MortalKombat ransomware and Laplas Clipper malware threats deployed in financially motivated campaign
*   Talos Takes Ep. #128: Year in Review — Ransomware and Commodity Loaders
*   Cisco Live EMEA 2023 — Simplicity, Security And Sustainability
*   MortalKombat ransomware found punching targets in US, UK, Turkey, Philippines
*   Financially Motivated Threat Actor Strikes with New Ransomware and Clipper Malware

**Upcoming events where you can find Talos**

**WiCyS (March 16 - 18)**

Denver, CO

**RSA (April 24 - 27)**

San Francisco, CA

**Most prevalent malware files from Talos telemetry over the past week**

  
**SHA 256:** e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934  
**MD5:** 93fefc3e88ffb78abb36365fa5cf857c  
**Typical Filename:** Wextract  
**Claimed Product:** Internet Explorer  
**Detection Name:** PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg

**SHA 256:** e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c  
**MD5:** a087b2e6ec57b08c0d0750c60f96a74c  
**Typical Filename:** AAct.exe  
**Claimed Product:** N/A  
**Detection Name:** PUA.Win.Tool.Kmsauto::1201

**SHA 256:** 59f1e69b68de4839c65b6e6d39ac7a272e2611ec1ed1bf73a4f455e2ca20eeaa  
**MD5:** df11b3105df8d7c70e7b501e210e3cc3  
**Typical Filename:** DOC001.exe  
**Claimed Product:** N/A  
**Detection Name:** Win.Worm.Coinminer::1201

**SHA 256:** 36efad0617db0d45de00cc4f3cf49af7c2d6b5b15ca456d13703b5d366c58431  
**MD5:** 147c7241371d840787f388e202f4fdc1  
**Typical Filename:** EKSPLORASI.EXE  
**Claimed Product:** N/A  
**Detection Name:** Win32.Generic.497796

**SHA 256:** 125e12c8045689bb2a5dcad6fa2644847156dec8b533ee8a3653b432f8fd5645  
**MD5:** 2c8ea737a232fd03ab80db672d50a17a  
**Typical Filename:** LwssPlayer.scr  
**Claimed Product:** 梦想之巅幻灯播放器  
**Detection Name:** Auto.125E12.241442.in02

Threat Source newsletter (Feb. 16, 2023) — Recapping what we may have missed so far this year

Microsoft released its monthly security update on Tuesday, disclosing 73 vulnerabilities. Of these vulnerabilities, 8 are classified as “Critical”, 64 are classified as “Important”, one vulnerability is classified as “Moderate.” 
According to Microsoft none of the vulnerabilities has been publicly disclosed before Patch Tuesday

Tuesday, February 14, 2023 13:02

Microsoft released its monthly security update on Tuesday, disclosing 73 vulnerabilities. Of these vulnerabilities, 8 are classified as “Critical”, 64 are classified as “Important”, one vulnerability is classified as “Moderate.”

According to Microsoft none of the vulnerabilities has been publicly disclosed before Patch Tuesday and only three vulnerabilities were seen in the wild. The most serious one is CVE-2023-21823 a Windows Graphics Component Remote Code Execution Vulnerability. Followed by CVE-2023-21715 a Microsoft Publisher Security Features Bypass Vulnerability which we are describing below and CVE-2023-23376 a local Windows Common Log File System Driver Elevation of Privilege Vulnerability.

Three of the most “Critical“ vulnerabilities, which Microsoft considers to be “more likely” to be exploited are CVE-2023-21689, CVE-2023-21690 and CVE-2023-21692. These are remote code execution (RCE) vulnerabilities in the Microsoft Protected Extensible Authentication Protocol (PEAP). As an authenticated user, the attacker could attempt to trigger malicious code in the context of the server's account through a network call. Almost all Windows versions are vulnerable, including the latest Windows 11.

According to Microsoft the other “Critical“ vulnerabilities are “less likely” to be exploited.  CVE-2023-21716 is a critical Microsoft Word Remote Code Execution Vulnerability which allows an unauthenticated attacker to gain access to execute commands within the application used to open the malicious file.

Developers are at risk due to CVE-2023-21808 a .NET and Visual Studio Remote Code Execution Vulnerability and CVE-2023-21815 also a Visual Studio Remote Code Execution Vulnerability. Both can lead to Arbitrary Code Execution (ACE) .

The last “Critical“ vulnerability which we want to mention is CVE-2023-21803. The vulnerability exists in the way that the Microsoft iSCSI Discovery Service handles certain requests. An attacker might be able to send a specially crafted malicious DHCP discovery request to the iSCSI Discovery Service on 32-bit machines.

The "important" flagged Microsoft Office Security Feature Bypass Vulnerability CVE-2023-21715 is something we want to highlight. This vulnerability allows an attacker to bypass the Mark of the Web (MoTW) policy which usually blocks macro execution for documents originating from the internet. The user would have be enticed to open a malicious file in Microsoft Publisher by the attacker. We highly recommend that users should never open anything that they do not know or trust to be safe.

Talos would also like to highlight three other “Important“ Remote Code Execution vulnerabilities which are affecting the Microsoft Exchange Server.

*   CVE-2023-21529 - Attack complexity low , attacker needs to be an authenticated user
*   CVE-2023-21706 - Attack complexity low , attacker needs to be an authenticated user
*   CVE-2023-21707 \- Attack complexity low , attacker needs to be an authenticated user
*   CVE-2023-21710 - Attack complexity low , attacker needs to be an authenticated administrator

There are more vulnerabilities marked as “Important“ in the Microsoft advisory. This includes the Windows Kerberos and Active Directory services and others. A complete list of all the vulnerabilities Microsoft disclosed this month is available on its update page.

In response to these vulnerability disclosures, Talos is releasing a new Snort rule set that detects attempts to exploit some of them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Cisco Secure Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

The rules included in this release that protect against the exploitation of many of these vulnerabilities are 57907, 61312-61315, 61320, 61321, 61357, 61359. For Snort 3, the following rules are also available to protect against these vulnerabilities: 300416, 300417, 300420, 300438, 300439.

Microsoft Patch Tuesday for February 2023  — Snort rules and prominent vulnerabilities

Tuesday, February 14, 2023 13:02

Microsoft released its monthly security update on Tuesday, disclosing 73 vulnerabilities. Of these vulnerabilities, 8 are classified as “Critical”, 64 are classified as “Important”, one vulnerability is classified as “Moderate.”

According to Microsoft none of the vulnerabilities has been publicly disclosed before Patch Tuesday and only one vulnerability CVE-2023-21823, a privilege escalation vulnerability, was seen in the wild.

Three of the most “Critical“ vulnerabilities, which Microsoft considers to be “more likely” to be exploited are CVE-2023-21689, CVE-2023-21690 and CVE-2023-21692. These are remote code execution (RCE) vulnerabilities in the Microsoft Protected Extensible Authentication Protocol (PEAP). As an authenticated user, the attacker could attempt to trigger malicious code in the context of the server's account through a network call. Almost all Windows versions are vulnerable, including the latest Windows 11.

According to Microsoft the other “Critical“ vulnerabilities are “less likely” to be exploited.  CVE-2023-21716 is a critical Microsoft Word Remote Code Execution Vulnerability which allows an unauthenticated attacker to gain access to execute commands within the application used to open the malicious file.

Developers are at risk due to CVE-2023-21808 a .NET and Visual Studio Remote Code Execution Vulnerability and CVE-2023-21815 also a Visual Studio Remote Code Execution Vulnerability. Both can lead to Arbitrary Code Execution (ACE) .

The last “Critical“ vulnerability which we want to mention is CVE-2023-21803. The vulnerability exists in the way that the Microsoft iSCSI Discovery Service handles certain requests. An attacker might be able to send a specially crafted malicious DHCP discovery request to the iSCSI Discovery Service on 32-bit machines.

The "important" flagged Microsoft Office Security Feature Bypass Vulnerability CVE-2023-21715 is something we want to highlight. This vulnerability allows an attacker to bypass the Mark of the Web (MoTW) policy which usually blocks macro execution for documents originating from the internet. The user would have be enticed to open a malicious file in Microsoft Publisher by the attacker. We highly recommend that users should never open anything that they do not know or trust to be safe.

Talos would also like to highlight three other “Important“ Remote Code Execution vulnerabilities which are affecting the Microsoft Exchange Server.

*   CVE-2023-21529 - Attack complexity low , attacker needs to be an authenticated user
*   CVE-2023-21706 - Attack complexity low , attacker needs to be an authenticated user
*   CVE-2023-21707 \- Attack complexity low , attacker needs to be an authenticated user
*   CVE-2023-21710 - Attack complexity low , attacker needs to be an authenticated administrator

There are more vulnerabilities marked as “Important“ in the Microsoft advisory. This includes the Windows Kerberos and Active Directory services and others. A complete list of all the vulnerabilities Microsoft disclosed this month is available on its update page.

In response to these vulnerability disclosures, Talos is releasing a new Snort rule set that detects attempts to exploit some of them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Cisco Secure Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

The rules included in this release that protect against the exploitation of many of these vulnerabilities are 57907, 61312-61315, 61320, 61321, 61357, 61359. For Snort 3, the following rules are also available to protect against these vulnerabilities: 300416, 300417, 300420, 300438, 300439.

Since December 2022, Cisco Talos has been observing an unidentified actor deploying two relatively new threats, the recently discovered MortalKombat ransomware and a GO variant of the Laplas Clipper malware, to steal cryptocurrency from victims.

New MortalKombat ransomware and Laplas Clipper malware threats deployed in financially motivated campaign

We're back with the final year in review focused episode. This time the focus is on the ever broadening ransomware landscape and the commodity malware loaders that often support it.

Friday, February 10, 2023 13:02

We're back with the final year in review focused episode. This time the focus is on the ever broadening ransomware landscape and the commodity malware loaders that often support it. I'll be joined by one of the researchers from the year in review report, Aliza Johnson to talk about what we saw on the ransomware landscape over the last year as well as how threats like Qakbot, IcedID, and Trickbot have changed and evolved over the last year. We'll also cover how these threats overlap and how LoLBins are yet again an area of concern.

All episodes are available on the Talos Takes podcast page and most major podcasting outlets.

Visit the Year in Review page for the full report, with topic summary reports, livestreams, podcasts, and other content starting December 14th.  New content will be added with each topic summary release through February.  You can access the full 2022 Cisco Talos Year in Review report directly here:

Talos Takes 128: Year in Review - Ransomeware and Commodity Loaders Edition

Our hearts are with the people of Turkey and Syria and all those impacted by the tragic earthquake. The Cisco Foundation has launched a matching campaign to support local disaster relief organizations.

Thursday, February 9, 2023 14:02

Welcome to this week’s edition of the Threat Source newsletter.

Our hearts are with the people of Turkey and Syria and all those impacted by the tragic earthquake. The Cisco Foundation has launched a matching campaign to support local disaster relief organizations. As a person it’s always difficult to try to find impactful ways to help people so far removed from us.. As a security practitioner it’s my duty to remind you that criminals will exploit your empathy and this situation for their own profit. Be acutely aware of phishing scams, malvertising, and typosquats that will leverage your kindness for their gain. Give freely but take a moment when you do to ensure that you are donating to sources that can help and that above all you aren’t padding the pockets of cybercriminals.

**The one big thing**

Ransomware and commodity loaders remain at the forefront of the threat landscape. The ransomware space is dynamic, continually adapting to changes in the geopolitical environment, actions by defenders, and efforts by law enforcement, This leads groups to rebrand under different names, shut down operations, and form new strategic partnerships. Cisco Talos observed several related trends across 2022 and this activity is highlighted in the Ransomware and Commodity Loader Topic Summary Report.

**Why do I care?**

Understanding the most recent trends in ransomware, including the goals, victimology, and TTPs will increaser your ability to defend, understand, and react to these events. We've seen seismic shifts in how state sponsored actors attack and this will migrate to every level of threat actor.

**So now what?**

Education is key and continuing to follow the research that Talos releases and validating your environment against that research is critical.

**Top security headlines of the week**

This week, the Dutch national police shut down the criminal messaging service Exclu in conjunction with a sweeping crackdown that included 79 searches and 42 arrests in the Netherlands, Germany, and Belgium. The shutdown highlights the efforts authorities are putting into disrupting the use of messaging apps in the cybercriminal ecosystem. This particular service was unique in that it was exclusively the domain of cybercriminals and drug dealers, but it offers a glimpse into the evolving communication methods of the cybercrime in 2023.( DarkReading)

Exploit code has been released for an actively exploited zero-day vulnerability affecting Internet-exposed GoAnywhere MFT administrator consoles. GoAnywhere MFT is a web-based and managed file transfer tool designed to help organizations to transfer files securely with partners and keep audit logs of who accessed the shared files. (Bleepingcomputer)

**Can’t get enough Talos?**

*   https://blog.talosintelligence.com/ransomware-and-commodity-loader-topic-summary-report-cisco-talos-year-in-review-2022/
*   https://blog.talosintelligence.com/threat-landscape-topic-summary-report-cisco-talos-year-in-review-2022/
*   https://talosintelligence.com/podcasts/shows/beers\_with\_talos

**Upcoming events where you can find Talos**

Cisco Live Amsterdam (Feb 6-10)

Amsterdam, Netherlands

WiCyS (March 16-18, 2023)

Denver,CO

RSA (April 24-27, 2023)

San Francisco, CA

**Most prevalent malware files from Talos telemetry over the past week**

SHA 256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507

MD5: 2915b3f8b703eb744fc54c81f4a9c67f

Typical Filename: A9CE7F0974.tmp

Claimed Product:  n/a

Detection Name: Simple\_Custom\_Detection

SHA 256: e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934

MD5: 93fefc3e88ffb78abb36365fa5cf857c

Typical Filename: Wextract

Claimed Product:  Internet Explorer

Detection Name: W32.File.MalParent

SHA 256: 125e12c8045689bb2a5dcad6fa2644847156dec8b533ee8a3653b432f8fd5645

MD5: 2c8ea737a232fd03ab80db672d50a17a

Typical Filename: software.Scr

Claimed Product:  梦想之巅幻灯播放器

Detection Name: Auto.125E12.241442.in02

SHA 256: e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934

MD5: 93fefc3e88ffb78abb36365fa5cf857c

Typical Filename: Wextract

Claimed Product:  Internet Explorer

Detection Name: PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg

SHA 256: de3908adc431d1e66656199063acbb83f2b2bfc4d21f02076fe381bb97afc423

MD5: 954a5fc664c23a7a97e09850accdfe8e

Typical Filename: teams15

Claimed Product:  n/a

Detection Name: Gen:Variant.MSILHeracles.59885

Threat Source newsletter (Feb. 9, 2023): Don't let criminals exploit your empathy

An active defense posture, where the defenders actively use threat intelligence and their own telemetry to uncover potential compromises, is the next stage in the cyber security maturity road. Instead of waiting for detections to trigger, defenders can take initiative and hunt threat actors.

Thursday, February 9, 2023 08:02

**Active defense a key approach to protecting against major threats**

Having an active defense posture, where the defenders actively use threat intelligence and their own environment telemetry to uncover potential compromises, is the next stage in the cyber security maturity road. Instead of waiting for detections to trigger, defenders can take initiative and hunt down threat actors inside their environment, putting a halt to their malicious activities before they can fully accomplish their goals.  

Ransomware compromises, which usually involve data exfiltration, are not fast nor swift. Attackers need time to find their way in the network, including identifying the databases with the relevant information they are seeking, to exfiltrate the information and finally to deploy the ransomware. This is the time window when an active defense strategy can make the most impact, by looking from the inside out: The perimeter was already compromised, no relevant alerts were raised, and the attackers have already begun to carry out their malicious activities within the victim’s network.  

Conducting periodic threat hunting exercises increases the chances of detection. However, despite the potential benefits of threat hunting, the odds are against defenders, as the hunter has limited time and resources, their target is unknown, and the type of activity the defender is searching for is often undefined. As threat hunting becomes more routine and as the hunter becomes more familiar with the environment, this exercise will become more efficient, the findings and analysis will become more useful, and the defender’s visibility of the environment will improve.  

Besides the possible detection results, there are two important outcomes of threat hunting:  

*   **Identifying weak spots in the organization’s overall defense.** By analyzing successful detections at a deeper level, defenders can understand what failed and on which levels.  
    
*   **Exposing the blindspots in defenders’ network visibility.** Threat hunting is about analyzing the available information and searching for what shouldn't be there as well as identifying potentially useful data that we don’t have access to.  This type of assessment provides valuable information on what can be improved in the visibility of the environment.  
    

There is no “one size fits all” approach or “magic bullet” solution that will get organizations to their best defense posture. Rather, it's an iterative process that greatly improves with repetition. Threat hunting supports—and can dramatically improve—active defense, particularly when hunt results can be leveraged to  improve the environment. In the next sections, we introduce some of the quick wins that can help organizations implement an effective active defense approach.  

**Monitor DNS queries**

Monitoring the domain name system (DNS) queries provides a unique view into what is going on in the network. Analyzing the DNS query logs and singling out the systems that resolved recently created domains provides a good starting point. The analysis of known malicious domains should also be done, as that would provide visibility into the effectiveness of the first line of defense. Keep in mind that this is about searching for what was not detected, as known malicious domains should already be blocked.  

On the other hand, If a compromise did occur, the DNS query logs may also provide a good source of information about the adversary’s actions and the extent of their malicious activities on the network.

**Create high-priority alerts**

Implement high-priority triggers with near-zero false positive alerts. No organization has unlimited resources to monitor security events, as alert fatigue is a real problem in security operation centers. High-priority triggers won’t eliminate security incidents, but they will help focus on critical events.There are two types of these triggers: generic and intelligence-driven.  

The generic triggers are those that are designed to alert in the event of abnormal behavior usually triggered by attackers while trying to establish a foothold or while in search of relevant information. Here are a couple of examples of such triggers:  

*   Canary accounts - Accounts that are not used by the organization but are instead intended to lure malicious actors to use in their operations. Create triggers to events regarding these accounts’ usage.  
    
*   Monitor and raise alerts on administrative accounts - Newly created accounts where privileges are added, or password changes on already existing accounts are good events to monitor.  
    
*   Domain controllers contacting unknown systems - Communications on the domain controllers should be well known. Any communication starting from a domain controller to an unknown system should be targeted for in-depth analysis.  
    
*   Profile key systems’ dual usage tools executions - Attackers often hide their actions by using dual-use tools. Starting with the critical systems, profile the execution of such tools so that abnormal usage can be detected and investigated.  
    
*   Remote administration tools - Having a well-known usage pattern of such tools allows defenders to monitor for  unusual or anomalous usage.  
    

Intelligence-driven triggers, by comparison, are created by analyzing the dynamic tactics, techniques, and procedures (TTPs). Therefore, these triggers should alert on adversaries’ behaviors rather than more static indicators of compromise (IOCs), such as known lists of IPs or domains. Such activity should be detected by basic cyber security tools that are already in place, and these triggers should cover the TTPs generically used by threat actors that are applicable to one's organization. For example, if your organization doesn't use ConnectWise, TeamViewer or Anydesk, create a trigger in your monitoring system that will generate a high-priority alert whenever those tools are executed, as they are commonly used by threat actors. If a defender concludes that there is no way to create such an alert, then a blindspot has been found. The resolution of such an issue should be prioritized based on that organization’s resources and other competing issues that require attention.

**Perform root cause analysis on deep alerts**

The most important question a threat hunter must try to answer while doing detection systems log analysis is, “How did the malware get to the endpoint?” Deep alerts like this, that come from the most inner layer of the security architecture, need to be analyzed.  

Most organizations have a multi-layered, in-depth security architecture. When an endpoint defense system detects and blocks some malicious software, this is good news for the defenders. It's also an opportunity for the threat hunter to identify and improve the security in the organization. Having a multi-layered and in-depth architecture means that there are several security systems between the production systems and the untrusted environments. If a threat was detected and stopped in an organization’s most inner systems, then some outer layer defense failed.  

Conducting a root cause analysis is essential to determining what failed and how, as this will provide invaluable information to the continuous improvement process.  There can be multiple explanations for initial infection. For example, an endpoint can be compromised somewhere else and then connected to the organization’s environment, or credentials can be compromised and used to establish a malicious VPN connection.

**Monitor communications on critical systems**

Critical systems’ communications patterns can be the first high-priority alert indicating the potential exfiltration of information. Organizations don’t have infinite resources, and not all systems have the same value.  For example, a file server will have communications from a lot of systems, but not all systems/endpoints will transfer an abnormal quantity of information in a short amount of time. Or, if all the systems in the environment must use a local DNS server if a system attempts to contact Google or Cloudflare DNS servers, those systems should probably be reviewed. Having a list of critical systems is one of the basic steps that organizations with a mature security posture can take to help detect malicious activity early.  

**Improve your visibility**

Having good visibility into what is happening in the defender's environment is the first step to  performing threat hunting. However, the mere exercise of threat hunting will also show defenders if there are any blindspots, thus providing opportunities for improvement. Visibility should also be seen as a powerful source of information when recovering from a compromise. Organizations often don’t have the means to implement a complete, comprehensive detection system on their entire environment. However, that does not mean that some kind of logging should not be performed. Logs may be extremely relevant during the recovery phase of a compromise. Knowing how and when a compromise occurred, even after the fact, is crucial. Proper logging can be extremely useful in determining this information, especially when analyzed from a threat hunter’s point of view, so that they can also provide information that leads to the development of proper detections.  

**Deploy tiered accounts**

Have administration accounts that are only used on specific systems. Not all systems need to contact all the systems or the internet, and, likewise, not all accounts need to be used on all systems, especially if they are high-privilege accounts. Have specific domain administrator accounts, which are only used on domain controllers, complemented by second-tier administrator accounts. This tiering is done at the functional level and not at the privilege level. These two different account tiers may ultimately have the same privileges, but by tiering their access based on their functions,  it’s possible to set high-priority alerts to trigger when they behave abnormally.