The work is always going to be there, whether you take a day or a week off. Unfortunately, the cybersecurity community at large is not going to stop cybercrime overnight.

Thursday, May 18, 2023 14:05

Welcome to this week’s edition of the Threat Source newsletter.

You probably already know this by now, but May is Mental Health Awareness Month across the globe.

Many people will apply this time of reflection and education to their personal lives — it’s easy to discuss anxiety, depression and other mental health concerns when it comes to things like personal relationships, friendships, family and how you express yourself.

I think not enough of us are applying the discussions we have every May to work, though. After all, many of us spend more than half our day working, and probably even more than that, thinking about work. And yes, it’s important to maintain healthy relationships around you and share your feelings with loved ones openly, but I would like us all to start being more honest about how work can affect our mental health.

This is particularly a problem in the cybersecurity industry, where burnout is constantly a cloud hanging over the workforce. A study last year from email security company Mimecast found that 84 percent of cybersecurity professionals are experiencing some form of burnout and it’s impeding their motivation at work.

And the Australian non-profit Cybermindz also found cybersecurity workers ranked their “professional efficacy,” or how well they feel they’re performing in their current role, lower than the general population — this is a key metric used to measure burnout in each industry.

I feel this is a problem in cybersecurity for several reasons: it seems like defenders can never take a day (or even an hour) off without something “hitting the fan,” the work can often be incredibly high-stakes and there is the ghost of social media always hanging over our head to be the “first” to find something or always needing to add something witty or insightful to the conversation of the day.

I would certainly not call myself a cybersecurity practitioner, per se, so I don’t have much hands-on experience with this. But I know from talking to teammates as part of my Researcher Spotlight blog series how important it is to have other interests outside of work.

And while I can’t say I’m personally experiencing burnout at work, I have dealt with anxiety for pretty much my entire life and have attended talk therapy on and off over the past few years and currently take medication to manage my various mental health conditions. That makes me feel somewhat empowered to say: It’s OK to take a break.

This is something Talos VP Matt Watchinski said in a conversation with Hazel Burton and I this week that we recorded for an upcoming episode of Talos Takes. The work is always going to be there, whether you take a day or a week off. Unfortunately, the cybersecurity community at large is not going to stop cybercrime overnight. And the threat of state-sponsored actors is not going to be solved by a single botnet takedown.

I would encourage everyone to have harder barriers up around their work and personal lives. Take up a new hobby or find a way to get outside. For example, Azim Khodjibaev is a rowing coach. Giannis Tziakouris from Cisco Talos Incident Response scuba dives. Watchinski has shooting sports.

Find your thing that is not explicitly work — because the work will be there when you get back, I promise.

**The one big thing**

A new ransomware actor we’re calling “RA Group” has been active for about a month, already targeting organizations across multiple sectors in the U.S. and South Korea. Talos researchers believe with high confidence that the group is using altered leaked source code from the Babuk ransomware family. The group is launching double extortion attacks. Like other ransomware actors, RA Group also operates a data leak site in which they threaten to publish the data exfiltrated from victims who fail to contact them within a specified time or do not meet their ransom demands.

**Why do I care?**

The actor is swiftly expanding its operations. To date, the group has compromised three organizations in the U.S. and one in South Korea across several business verticals, including manufacturing, wealth management, insurance providers and pharmaceuticals. Since ransomware continues to be one of the top security threats all industries face, it’s always important to keep an eye out for new groups that pop up.

**So now what?**

The Talos blog outlines several ways that Cisco Secure products and Talos open-source software can detect and block RA Group’s activities.

**Top security headlines of the week**

**Global governments are being urged to take a more aggressive stance on spyware regulation.** The European Union has agreed to work on standards around the purchase and use of these types of tracking software, which often target vulnerable populations and industries like activists and journalists. A special European Parliament committee voted this week to ban the sale, acquisition, or use of spyware while the broader EU works on these new guidelines. In the U.S., some government agencies have still been attempting to use spyware, such as tools from the infamous NSO Group, despite bans on spyware from the Biden administration. Reporters from the New York Times found at least one government contract with Paragon, another Israeli software developer that makes spyware but is not as widely known as the NSO Group. (New York Times, The Guardian)

**A recent ransomware attack against Micro-Star International (MSI), including the theft of UEFI signing keys, is already having wide-ranging effects** across the security industry. MSI does not have a way to retract the keys after they were leaked onto the dark web, leading to fears of future supply chain attacks. Attackers could hypothetically inject malicious updates into legitimate software, using the MSI keys to sign them. MSI Keys are trusted by default by many end-user devices. Security researchers found that some of the keys work for the Intel BootGuard firmware-verification technology that runs on devices made by several different manufacturers. The Money Message ransomware group first claimed responsibility for the ransomware attack in April when it listed MSI as a new victim on its leak site and published screenshots purporting to show private encryption keys, source code and other data. (Decipher, Ars Technica)

**Twitter announced it was rolling out end-of-end encryption for its direct messages, though several security holes remain.** The company appears to not have actually completed a security audit of its DMs that it claimed it had, and the messages are still vulnerable to man-in-the-middle attacks. One security researcher also says it’s easy for Twitter employees to potentially hijack messages by adding their own keys to a list that are approved to read the messages. Encryption is also a paid feature — both users partaking in the messages must be either Twitter Blue subscribers or a verified organization on Twitter. Group conversations are also not included in this encryption process. Security and privacy experts say users who are looking for secure messaging should stick to encrypted apps like Telegram and Signal. (ZDNet, The Verge)

**Can’t get enough Talos?**

*   Talos Takes Ep. #138: What makes “Greatness” so great?
*   Beers with Talos Ep. #135: The XDR files
*   RA Group uses leaked Babuk code to attack companies in the US, South Korea
*   Cisco warns of new ‘Greatness’ phishing-as-a-service tool seen in the wild
*   New 'Greatness' service simplifies Microsoft 365 phishing attacks

**Upcoming events where you can find Talos**

**BSidesFortWayne** **(May 20)**

Fort Wayne, IN

**Threat Modeling webinar: Applying a Threat Informed Defense (May 23)**

Virtual

**Cisco Live U.S.** **(June 4 - 8)**

Las Vegas, NV

**Discover Cyber Workshop for Women (June 8)**

Doha, Qatar

**REcon** **(June 9 - 11)**

Montreal, Canada

**Most prevalent malware files from Talos telemetry over the past week**

  
**SHA 256:** 59f1e69b68de4839c65b6e6d39ac7a272e2611ec1ed1bf73a4f455e2ca20eeaa  
**MD5:** df11b3105df8d7c70e7b501e210e3cc3  
**Typical Filename:** DOC001.exe  
**Claimed Product:** N/A  
**Detection Name:** Win.Worm.Coinminer::1201

**SHA 256:** 5616b94f1a40b49096e2f8f78d646891b45c649473a5b67b8beddac46ad398e1  
**MD5:** 3e10a74a7613d1cae4b9749d7ec93515  
**Typical Filename:** IMG001.exe  
**Claimed Product:** N/A  
**Detection Name:** Win.Dropper.Coinminer::1201

**SHA 256:** e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934  
**MD5:** 93fefc3e88ffb78abb36365fa5cf857c  
**Typical Filename:** Wextract  
**Claimed Product:** Internet Explorer  
**Detection Name:** PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg

**SHA 256:** 7c8e1dba5c1b84a08636d9e6f225e1e79bb346c176e0ee2ae1dfec18953a1ce2  
**MD5:** 3e0fb82ed8ea6cd7d1f1bb9dca5f2bdc  
**Typical Filename:** PDFShark.exe  
**Claimed Product:** PDFShark  
**Detection Name:** Win.Dropper.Razy::95.sbx.tg

**SHA 256:** e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c  
**MD5:** a087b2e6ec57b08c0d0750c60f96a74c  
**Typical Filename:** AAct.exe  
**Claimed Product:** N/A  
**Detection Name:** PUA.Win.Tool.Kmsauto::1201

It’s really OK to take a break sometimes, especially in security

Cisco Talos recently discovered a new ransomware actor called RA Group that has been operating since at least April 22, 2023.

Monday, May 15, 2023 08:05

*   Cisco Talos recently discovered a new ransomware actor called RA Group that has been operating since at least April 22, 2023.
*   The actor is swiftly expanding its operations. To date, the group has compromised three organizations in the U.S. and one in South Korea across several business verticals, including manufacturing, wealth management, insurance providers and pharmaceuticals.
*   Talos assesses with high confidence that RA Group is leveraging leaked Babuk ransomware source code.

**Who is the RA Group?**

Talos recently discovered a new ransomware actor, RA Group, who emerged in April 2023 and seems to be using leaked Babuk source code in its attacks. After an alleged member of the Babuk group leaked the full source code of its ransomware in September 2021, various ransomware families have emerged leveraging the leaked Babuk code. Talos has compiled a timeline of these attacks conducted by different actors using ransomware families that branched off the leaked source code.

Timeline of ransomware families leveraging leaked Babuk ransomware code.

The group is launching double extortion attacks. Like other ransomware actors, RA Group also operates a data leak site in which they threaten to publish the data exfiltrated from victims who fail to contact them within a specified time or do not meet their ransom demands. This form of double extortion increases the chances that a victim will pay the requested ransom.

22 April 2023

27 April 2023

RA Group leak site contents April 22 - 28, 2023.

This actor is expanding its operations at a fast pace. RA Group launched their data leak site on April 22, 2023, and on April 27, we observed the first batch of victims, three in total, followed by another one on April 28. We also observed the actor making cosmetic changes to their leak site after disclosing the victim’s details, confirming they are in the early stages of their operation.

Example of a post with victim details.

In their leak site, RA Group discloses the name of the victim's organization, a list of their exfiltrated data and the total size, and the victim’s official URL, which is typical among other ransomware groups’ leak sites. The RA Group is also selling the victim’s exfiltrated data on their leak site by hosting the victims’ leaked data on a secured Tor site.

RA Group’s victims’ data hosting site. 

RA Group also provides URLs to download the full file listings of the victim’s data on their leak site.

Example of full victim’s data file list for download. 

RA Group uses customized ransom notes, including the victim’s name and a unique link to download the exfiltration proofs. After activating the ransomware executable on the victim’s machine, the actor drops the ransom note file called “How To Restore Your Files.txt.”

Based on the ransom notes we analyzed, if the victim fails to contact the actors within three days, the group leaks the victim’s files. The victims can confirm the exfiltration of their information by downloading a file using the gofile\[.\]io link in the ransom note.

Sample of a ransom note.

**RA Group ransomware code appears highly customized**

RA Group deploys their ransomware with a built-in ransom note specifically written to each victim with their name on it, a common practice among ransomware groups. However, it is unusual that RA Group names the victim in the executable, as well.

Our analysis shows that RA Group’s ransomware sample is written in C++ and was compiled on April 23, 2023. The binary has the debug path “C:\\Users\\attack\\Desktop\\Ransomware.Multi.Babuk.c\\windows\\x64\\Release\\e.pdb”. It contains the same mutex name as the Babuk ransomware, supporting our high-confidence assessment that RA Group built their ransomware using Babuk’s leaked source code.

RA Group’s code showing the mutex name is the same as that of Babuk ransomware. 

RA Group’s ransomware executable uses the cryptography scheme with curve25519 and eSTREAM cipher hc-128 algorithm for encryption. This process encrypts only a certain part of the source file’s contents, not the entire file. It uses WinAPI CryptGenRandom to generate cryptographically random bytes used as a private key for each victim. After encrypting the files, the ransomware appends the file extension “.GAGUP” to the encrypted files on the victim’s machine.

The ransomware deletes the contents of the victim machine’s Recycle Bin with the API SHEmptyRecyclebinA. It deletes the volume shadow copy by executing the local Windows binary vssadmin.exe, an administrative tool used to manipulate shadow copies.

The function that deletes the volume shadow copies on the victim’s machine. 

The ransomware enumerates every logical drive on the victim’s machine by comparing logical drive letters with the list of drive letter strings in the binary and mounts the identified drives to perform the encryption process. RA Group’s malware enumerates the network shares and available network resources on the victim’s machine using the APIs NetShareEnum, WNetOpenEnumW and WNetEnumResourceW to encrypt files on the remotely mapped drives of other machines or servers.

The function enumerates the local drives and the network shares.

The ransomware does not encrypt all files and folders. The image below shows the hardcoded list of folders the malware won’t encrypt so the victim can contact the RA Group operators.

Hardcoded folders name to exclude during encryption. 

These files and folders are necessary for the system to work properly and to allow the victims to download the qTox application and contact RA group operators using the qTox ID provided on the ransom note.

**Coverage**

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.

Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. Snort SIDs for this threat are 61761-61764 for Snort 2 and 300543-30054 for Snort 3.

ClamAV detections are available for this threat:

Win.Ransomware.Babuk-9819006-0

**Indicators of Compromise**

Indicators of Compromise associated with this threat can be found here.

Newly identified RA Group compromises companies in U.S. and South Korea with leaked Babuk source code

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between May 5 and May 12. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key

Threat Roundup for May 5 to May 12

A ransomware attack on the city of Dallas, Texas is still disrupting many social services as of Wednesday, including hampering police communications and operations and potentially putting personal information at risk.

Thursday, May 11, 2023 14:05

Welcome to this week’s edition of the Threat Source newsletter.

I wrote a few weeks ago about how, between the public and private sectors, the security community was making some strides in fighting back against ransomware.

Reports indicate that revenue for ransomware actors was down in 2022, and recent disruptions to larger ransomware networks like Hive have at least forced some actors offline for now.

It seems like if you were to survey various cybersecurity researchers, thought leaders and policymakers, there is a mixed consensus on whether ransomware is still the biggest problem defenders still face today.

The White House and U.S. Department of Justice seem bullish on their efforts to shut down ransomware gangs and dark web sites.

But recently, I’ve noticed that ransomware is still making headlines. This is completely anecdotal, but recent major examples come to mind:

*   A ransomware attack on the city of Dallas, Texas is still disrupting many social services as of Wednesday, including hampering police communications and operations, and potentially putting personal information at risk.
*   Ransomware group BlackCat claims it was responsible for an attack on Western Digital, a computer drive manufacturer, including stealing partial credit card numbers from customers.

*   San Bernadino County in California paid $1.1 million to resolve a ransomware incident.
*   Capita, a U.K.-based outsourcing and professional services company, says a recent ransomware attack on its systems could cost the company up to $25 million, without saying whether that includes a ransom payment.

These are just a handful of examples of recent ransomware attacks, but these stories have made me rethink my stance on where we stand with ransomware in 2023. I am trying to look for the space where both things can be true — ransomware may not be as profitable for actors as it once was, but the volume of attacks may not be changing all that much.

As education around ransomware, cyber insurance and whether to pay a requested ransom improves, a company hit with ransomware may be better prepared to rebound and recover faster than they were in, say, 2020.

Many companies are now keeping incident response teams (like Talos IR) on retainer to help in real-time with attacks, and with everyone shouting from the rooftops about the importance of backups, ransomware victims may be less likely to pay the ransom than they once were and simply rely on backups and Golden Images to recover quickly and resume normal business operations.

It’s too soon to make definitive statements about ransomware in 2023, but I’ll definitely be interested to see the next round of “Year in Review” reports come February 2024 to find out if ransomware is still the one thing we should all be talking about.

**The one big thing**

Talos researchers have discovered a new phishing-as-a-service tool called “Greatness” that’s being used in the wild to target businesses across multiple continents. Greatness incorporates features seen in some of the most advanced PaaS offerings, such as multi-factor authentication (MFA) bypass, IP filtering and integration with Telegram bots.

**Why do I care?**

Greatness creates convincing phishing pages to steal Microsoft Office login credentials from large organizations. Since it’s an “as a service” tool, anyone could conceivably purchase access to this tool. We’ve already seen it be used in attacks dating back to mid-2022 so there’s no reason to believe this threat won’t be around for a while.

**So now what?**

Although Greatness is a new and advanced phishing threat, detection and prevention essentially remain the same as with all phishing and spam threats. All organizations should have education in place to teach users about the dangers of phishing and how to spot illegitimate emails, attachments and links.

**Top security headlines of the week**

Newer exploit code for the critical PaperCut vulnerability is **now available that bypasses existing detection.** The vulnerability, tracked as CVE-2023-27350, is an unauthenticated remote code execution vulnerability in PaperCut MF or NG versions 8.0 or later that attackers have actively used in ransomware attacks. Exploit code first became available several weeks ago, and the new POC can bypass Sysmon-based detections that are already in place. Microsoft security researchers also say that two Iranian state-sponsored actors are now exploiting the vulnerability in the PaperCut MF/NG print management software: MuddyWater and Charming Kitten. The vulnerability originally received a 9.8 CVSS severity score. (Bleeping Computer, SecurityWeek)

**The FBI says it disrupted the infamous Russian Snake malware network this week,** using a tool that forced the program to self-destruct on infected computers. A release from the U.S. Cybersecurity and Infrastructure Security Agency (CISA) stated that Snake infrastructure was found in more than 50 different countries. Russia’s Federal Security Service (FSA) was known for using Snake to target high-profile targets and collecting sensitive information, with the FBI calling it Russia’s “premiere espionage tool.” Cybersecurity agencies from several other countries have released details on how potentially infected machines can recover and additional steps taken to ensure Snake’s functionality is continually impaired. (CBS News, CISA)

**Two vulnerabilities being actively exploited in the wild** headlined a relatively light Microsoft Patch Tuesday this week. In all, Microsoft disclosed 40 vulnerabilities, the fewest in a month since December 2019. One of the zero-day vulnerabilities, CVE-2023-29336, is an elevation of privilege vulnerability in the Win23k kernel mode drive that could allow an adversary to gain SYSTEM privileges. Another, CVE-2023-24932, is a Secure Boot Security Feature Bypass issue that the BlackLotus malware group is already exploiting. In all, this Patch Tuesday includes seven critical vulnerabilities and 33 that are considered “important.” (Talos blog, Krebs on Security)

**Can’t get enough Talos?**

*   Talos Takes Ep. #137: Talos Incident Response livestream on top trends from the past quarter
*   Researcher Spotlight: Jacob Finn creates his own public-private partnership at Talos
*   Threat Roundup for April 28 - May 5
*   FBI disrupts Turla espionage malware network
*   New 'Greatness' service simplifies Microsoft 365 phishing attacks

**Upcoming events where you can find Talos**

**BSidesFortWayne** **(May 20)**

Fort Wayne, IN

**Cisco Live U.S.** **(June 4 - 8)**

Las Vegas, NV

**Most prevalent malware files from Talos telemetry over the past week**

  
**SHA 256:** 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
**MD5:** 2915b3f8b703eb744fc54c81f4a9c67f  
**Typical Filename:** VID001.exe  
**Claimed Product:** N/A  
**Detection Name:** Win.Worm.Coinminer::1201

**SHA 256:** 5616b94f1a40b49096e2f8f78d646891b45c649473a5b67b8beddac46ad398e1  
**MD5:** 3e10a74a7613d1cae4b9749d7ec93515  
**Typical Filename:** IMG001.exe  
**Claimed Product:** N/A  
**Detection Name:** Win.Dropper.Coinminer::1201

**SHA 256:** e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934  
**MD5:** 93fefc3e88ffb78abb36365fa5cf857c  
**Typical Filename:** Wextract  
**Claimed Product:** Internet Explorer  
**Detection Name:** PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg

**SHA 256:** 59f1e69b68de4839c65b6e6d39ac7a272e2611ec1ed1bf73a4f455e2ca20eeaa  
**MD5:** df11b3105df8d7c70e7b501e210e3cc3  
**Typical Filename:** DOC001.exe  
**Claimed Product:** N/A  
**Detection Name:** Win.Worm.Coinminer::1201

**SHA 256:** e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c  
**MD5:** a087b2e6ec57b08c0d0750c60f96a74c  
**Typical Filename:** AAct.exe  
**Claimed Product:** N/A  
**Detection Name:** PUA.Win.Tool.Kmsauto::1201

Threat Source newsletter (May 11, 2023) — So much for that ransomware decline

TALOS-2022-1680 (CVE-2022-41985) could allow an attacker to bypass the authentication protocol on the operating system, or cause a denial-of-service, by sending the targeted machine a specially crafted set of network packets.

Wednesday, May 10, 2023 11:05

_Kelly Leuschner of Cisco Talos discovered these vulnerabilities._

Cisco Talos recently discovered two vulnerabilities in a library for µC/OS, an open-source operating system developed by Micrium.

µC/OS is an embedded operating system that supports TCP/IP, USB, CAN bus and Modbus. The two vulnerabilities Talos discovered specifically exist in the operating system’s FTP server.

TALOS-2022-1680 (CVE-2022-41985) could allow an attacker to bypass the authentication protocol on the operating system, or cause a denial-of-service, by sending the targeted machine a specially crafted set of network packets.

Similarly, TALOS-2022-1681 (CVE-2022-46377 - CVE-2022-46378) is also triggered by a set of network packets, though in this case, it can cause a denial-of-service and a use-after-free condition.

Cisco Talos worked with Weston Embedded, who maintains this software, to ensure these vulnerabilities are resolved and an update is available for affected customers, all in adherence to Cisco’s vulnerability disclosure policy.

Users are encouraged to update these affected products as soon as possible: Weston Embedded uC-FTPs, version 1.98.00. Talos tested and confirmed this version of the OS could be exploited by these vulnerabilities.

The following Snort rules will detect exploitation attempts against these vulnerabilities: 125:4. Additional rules may be released in the future and current rules are subject to change, pending additional vulnerability information. For the most current rule information, please refer to your Cisco Secure Firewall Management Center or Snort.org.

Vulnerability Spotlight: Authentication bypass, use-after-free vulnerabilities found in a library for the µC/OS open-source operating system

Greatness incorporates features seen in some of the most advanced PaaS offerings, such as multi-factor authentication (MFA) bypass, IP filtering and integration with Telegram bots.

Wednesday, May 10, 2023 08:05

*   A previously unreported phishing-as-a-service (PaaS) offering named “Greatness” has been used in several phishing campaigns since at least mid-2022. Greatness incorporates features seen in some of the most advanced PaaS offerings, such as multi-factor authentication (MFA) bypass, IP filtering and integration with Telegram bots.
*   Greatness, for now, is only focused on Microsoft 365 phishing pages, providing its affiliates with an attachment and link builder that creates highly convincing decoy and login pages. It contains features such as having the victim’s email address pre-filled and displaying their appropriate company logo and background image, extracted from the target organization’s real Microsoft 365 login page. This makes Greatness particularly well-suited for phishing business users.
*   An analysis of the domains targeted in several ongoing and past campaigns revealed the victims were almost exclusively companies in the U.S., U.K., Australia, South Africa, and Canada, and the most commonly targeted sectors were manufacturing, health care and technology. The exact distribution of victims in each country and sector varies slightly between campaigns.
*   To use Greatness, affiliates must deploy and configure a provided phishing kit with an API key that allows even unskilled threat actors to easily take advantage of the service’s more advanced features. The phishing kit and API work as a proxy to the Microsoft 365 authentication system, performing a “man-in-the-middle” attack and stealing the victim’s authentication credentials or cookies.

**Activity and victimology**

Greatness seems to have started operating in mid-2022 and, based on the number of attachment samples available on VirusTotal, there were spikes in activity in December 2022 and March 2023.

Number of attachment samples found on VirusTotal

Although each campaign had a slightly different geographic focus, collectively, over 50 percent of all targets were based in the U.S. The next most-targeted countries are the U.K., Australia, South Africa and Canada.

Geographical distribution of targeted organizations

Greatness is designed to compromise Microsoft 365 users and can make phishing pages especially convincing and effective against businesses. Based on the data Cisco Talos obtained, Greatness affiliates target almost exclusively businesses. An analysis of the targeted organizations across several campaigns shows that manufacturing was the most targeted sector, followed by health care, technology and real estate.

Distribution of targeted organizations by sector

**The attack flow**

The attack starts when the victim receives a malicious email, which typically contains an HTML file as an attachment and, under the pretext of a shared document, leads the victim to open the HTML page.

Once the victim opens the attached HTML file, the web browser executes a short piece of obfuscated JavaScript code that establishes a connection to the attacker's server to obtain the phishing page HTML code and display it to the user in the same browser window. This code contains a blurred image that shows a spinning wheel, pretending to load the document.

_Blurred attached document decoy._

The page then redirects the victim to a Microsoft 365 login page, usually pre-filled with the victim’s email address, and the custom background and logo used by their company. In the following example, for privacy reasons, we manually replaced the real victim’s email address, background image and company logo on an actual phishing sample with fake Talos data, to show what it looks like.  

_Example of a screen asking the targeted victim for a password._

Once the victim submits their password, the PaaS will connect to Microsoft 365, impersonate the victim and attempt to log in. If MFA is used, the service will prompt the victim to authenticate using the MFA method requested by the real Microsoft 365 page (e.g., SMS code, voice call code, push notification).

__Example of a page asking the victim to enter an MFA code.__

Once the service receives the MFA, it will continue to impersonate the victim behind the scenes and complete the login process to collect the authenticated session cookies. These will then be delivered to the service affiliate on their Telegram channel or directly through the web panel.

**The phishing service**

The service consists of three components: a phishing kit (which contains the admin panel), the service API and a Telegram bot or email address.

Graph of PaaS communication flow

The phishing kit, the service component delivered to affiliates and deployed on a server controlled by them, is the only part of the service the victim connects to. The kit delivers the HTML/JavaScript code for each step of the attack. The kit communicates with the PaaS API service in the background, forwarding the credentials received from the victim and receiving information on what page it should deliver to the victim at each step of the attack. As the victim submits their credentials to the kit, it stores them locally so they can be accessed via the administrative panel and, if configured to do so, sends them to the affiliate’s Telegram channel.

The phishing kit contains an administration panel that allows the affiliate to configure the service API key and Telegram bot and keep track of stolen credentials. The following images show an example of the administration panel login page and dashboard.

Phishing kit administrative panel login page

Phishing kit administrative panel dashboard

The administration panel also builds malicious attachments or links that are submitted via email to the victims. The following image shows the form used to generate the attachments:

Phishing kit malicious attachment builder

The PaaS is designed to be used in a very standard way. The payload delivered to the victim must be a link or, more commonly, an HTML attachment. The attacker can use the builder form above to create a payload with a few options:

*   Autograb: This feature prefills the Microsoft 365 login page with the victim’s email, adding credibility to the attack.
*   Background: The attacker can select the fake attachment background image to be a blurred Microsoft Word, Excel, or PowerPoint online document.

The API is the core part of the service. Each affiliate must have a valid API key to use Greatness, or else the phishing page will not load and displays a message saying the API key is invalid. The following image shows the configuration options available in the panel, where the affiliates can insert their API key.

_Administrative panel configuration page_

The service API contains logic to validate the affiliate’s key, block unwanted IP addresses from viewing the phishing page, and most importantly, behind-the-scenes communication with the real Microsoft 365 login page, posing as the victim.

Working together, the phishing kit and the API perform a “man-in-the-middle” attack, requesting information from the victim that the API will then submit to the legitimate login page in real time. This allows the PaaS affiliate to steal usernames and passwords, along with the authenticated session cookies if the victim uses MFA. Authenticated sessions usually time out after a while, which is possibly one of the reasons the Telegram bot is used — it informs the attacker about valid cookies as soon as possible to ensure they can reach quickly if the target is interesting.

**Coverage**

Ways our customers can detect and block this threat are listed below.

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.

Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

The following Snort SIDs are applicable to this threat: 61708.

**Indicators of Compromise (IOCs)**

IOCs for this research can also be found at our GitHub repository here

New phishing-as-a-service tool “Greatness” already seen in the wild

One of the vulnerabilities is being actively exploited in the wild, according to Microsoft, the fourth month in a row in which this is the case.

Tuesday, May 9, 2023 13:05

Microsoft disclosed 40 vulnerabilities across its suite of products and software Tuesday, the fewest the company’s included in a Patch Tuesday since December 2019.

However, two of the vulnerabilities is being actively exploited in the wild, according to Microsoft, the fourth month in a row in which this is the case for the monthly roundup of security issues.

In all, this Patch Tuesday includes seven critical vulnerabilities and 33 that are considered “important.”

One of the zero-day vulnerabilities included this month is CVE-2023-29336, an elevation of privilege vulnerability in the Win32k kernel mode driver. An adversary could exploit this vulnerability to gain SYSTEM privileges.

The most serious vulnerability disclosed Tuesday is CVE-2023-24941, a remote code execution vulnerability in the Windows Network File System that has a severity rating of 9.8 out of 10. An adversary could exploit this vulnerability over a network by making an unauthenticated, specially crafted call to an NFS service to execute code on the targeted machine. In addition to today’s patch, Microsoft also outlines several mitigation steps affected users can deploy to prevent the execution of this vulnerability.

Another remote code execution vulnerability, CVE-2023-29325, exists in Windows OLE that is also critical. An attacker could trigger this issue by tricking a target into opening a specially crafted, malicious email. The vulnerability can even trigger if the user just opens the email in the Preview pane.

CVE-2023-24955 is another remote code execution vulnerability in Microsoft SharePoint Server that Microsoft considers “more likely” to be exploited.

MSHTML, a software component that renders web pages in Microsoft browsers, also contains a critical vulnerability that could allow an attacker to gain admin privileges on a targeted device. CVE-2023-29324, however, is more difficult for an attacker to trigger than the other vulnerabilities mentioned above because it requires “an attacker to take additional actions prior to exploitation to prepare the target environment,” according to Microsoft.

There are two other critical vulnerabilities in this month’s security update that Microsoft considers “less likely” to be exploited:

*   CVE-2023-24943: Windows PGM remote code execution vulnerability
*   CVE-2023-28283: Windows LDAP remote code execution vulnerability

There are also three important vulnerabilities considered to be “more likely” to be exploited, though are not considered as serious:

*   CVE-2023-24949: Windows Kernel elevation of privilege vulnerability
*   CVE-2023-24950: Microsoft SharePoint Server spoofing vulnerability
*   CVE-2023-24954: Microsoft SharePoint Server information disclosure vulnerability

A complete list of all the vulnerabilities Microsoft disclosed this month is available on its update page.

In response to these vulnerability disclosures, Talos is releasing a new Snort rule set that detects attempts to exploit some of them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Cisco Secure Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

The rules included in this release that protect against the exploitation of many of these vulnerabilities are 61705 - 61707,  61714 - 61720, 61722 and 61723.

Microsoft Patch Tuesday for May 2023 — Fewest vulnerabilities disclosed in a month in three-plus years

Today, Finn combs through Talos’ various intelligence sources, open-source research, partner resources, and Cisco product telemetry to track major attacker trends and emerging threats.

Monday, May 8, 2023 08:05

After working in government for several years, this Talos threat hunter is diving into the dark web

Growing up, Jacob Finn says he wanted to be a detective (or maybe a veterinarian, but there’s still plenty of time for that).

Today with Talos, he’s a detective. And while he’s still hunting for bad actors, instead of combing crime scenes for clues, he’s reading and analyzing dark web forums, leveraging open-source intelligence, and exploiting network telemetry for signs of where adversaries are headed next.

He works on Talos’ Threat Intelligence and Interdiction team as a strategic analyst, which in his words, “looks at the cyber threat landscape from a 30,000-foot view.” A huge part of Finn’s job is writing threat assessments and alerts for intelligence partners, customers, and cyber-attack victims. He’s also a major advocate of public-private partnerships across the cybersecurity ecosystem.

So, it’s fitting that Finn has always had one foot in the public sphere even while transitioning to work in the private sector.

Finn started his cybersecurity career as the Cybersecurity Policy Director for Los Angeles Mayor Eric Garcetti during Garcetti’s second term, working on new intelligence-sharing agreements between L.A. and other major cities with similar security concerns, helping the mayor write cybersecurity-related policies, and advocating for the government to improve its defensive capabilities.

Finn (center) speaking at a panel on behalf of Los Angeles Mayor Eric Garcetti in 2019.

But Finn says he “never expected cybersecurity to be in my long-term plan.”

After receiving his bachelor's degree from the University of California, Los Angeles (UCLA), he attended Reichman University in Herzliya, Israel to receive a master’s in homeland security and counterterrorism, the field he believed he’d make a career of. As part of the curriculum, Finn studied cyberterrorism, which drew him to research how global terrorist organizations use the Internet to advance their operations. He received the offer to advise the mayor in the L.A. Mayor’s Office of Public Safety upon returning home to California.

Finn worked for the Garcetti administration at a time when other major cities like Atlanta were dealing with massive, impactful ransomware attacks. One initiative he led involved working with two of L.A.’s sister cities — Auckland, New Zealand and Guangzhou, China — to establish a multilateral agreement regarding emerging security threats and natural disasters.

Finn (far left) at the signing of an information-sharing agreement between Los Angeles, Auckland, New Zealand and Guangzhou, China in 2019.

“Part of it was devising best practices to protect our communities from major emergencies, which included building mechanisms for information-sharing,” Finn said. “I think this just shows how important cities are in terms of leading the way in security policy and preparation… at the federal government, it’s all about funding and national-level policy, but you don’t actually see how that is implemented at the local level.”

Finn eventually took a job with the U.S. Department of Defense. After years of building expertise in intelligence and national security, he then decided to head into the private sector, applying for a job as a strategic intelligence analyst with Talos.

Today, Finn combs through Talos’ various intelligence sources, open-source research, partner resources, and Cisco product telemetry to track major attacker trends and emerging threats. He has mostly focused on state-sponsored actors and threats stemming from criminal groups.

This research eventually takes the form of public reports, customer alerts, and intelligence that’s shared with Talos’ detection teams to create defensive content for Cisco Secure products. Finn and his team were heavily involved in the creation of Talos’ first-ever Year in Review report, which recapped the major attacker trends in 2022.

Finn brings his public government experience to the role by knowing the importance of information-sharing and what types of security concerns are relevant to practitioners who are tasked with defending municipalities and important public services. But he also had to learn many of the technical skills on the job once he started at Talos — he jokes that he had never opened Terminal on Mac before his first day on the job.

“Everyone at Talos understands that each person comes from different backgrounds with different skills or contributions, and may not have the same level of technical knowledge,” he said. “And now I feel very comfortable using Talos’ different tools to look through datasets such and endpoint logs and other network telemetry.”

Finn still spends a lot of time thinking about the implications of security trends, though, and how that affects the American public.

He recently participated in a pitch competition (think “Shark Tank” but for national security policy) with the Center for the New American Security, a high-profile Washington, D.C. national security think tank. Finn’s idea that he shared with the panel involved a new cybersecurity certification program that private companies could apply for.

Finn’s idea involves a set of standards that private companies could adhere to regarding security measures, verification methods and other cybersecurity protocols they use to protect personal information.

“If a company which sells a service or product involving storage of sensitive data such as PII \[personally identifiable information\] or attorney-client privileged information, you as the consumer want to be satisfied that the company is meeting a certain level of standards so they’re less likely get breached,” Finn said. “This certification program is built on the underlying assumption that companies that are profit-driven, will seek to adopt stronger security standards if consumers are demanding it.”

You can watch Finn’s full pitch to the CNAS panel below.

It’s that type of broader thinking and thought leadership that makes Finn a perfect teammate for the Strategic Analysis team. Rather than diving into the nitty-gritty of a tactical malware campaign or a specific botnet, Finn is taking in information from all directions to try and figure out what’s going to be the next big threat or trend in the security landscape. This all goes to show that researchers with a variety of skillsets can still contribute to Cisco Talos’ defenses.

Researcher Spotlight: Jacob Finn creates his own public-private partnership at Talos

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between April 28 and May 5. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key

Threat Roundup for April 28 to May 5

Unsurprisingly, it seems like AI was brought up anywhere and everywhere.

Thursday, May 4, 2023 14:05

Welcome to this week’s edition of the Threat Source newsletter.

I didn’t attend the RSA Conference in person, and on top of that, I was at the NFL Draft while the conference was going on. I’m behind on the biggest talks, panels and presentations that came out during the annual security conference, so I’ve spent the past few days catching up on what seems like the major talking points last week in San Francisco.

Unsurprisingly, it seems like AI was brought up anywhere and everywhere. It’s all tech executives are asked about currently and shareholders seem to want to know what X Company is doing to keep up with AI tools like ChatGPT.

Former Cisco CEO John Chambers said that he believes AI will be bigger than the internet and cloud combined "in every aspect of defense.”

“If somebody could get AI and cybersecurity together uniquely, that gets exciting,” he said during an interview with theCUBE on the conference floor.

Longtime RSA panelist Adi Shamir, who said at least year’s conference that he wasn’t overly concerned about AI’s effects on cybersecurity, did a 180 and instead started sounding alarms.

"I now believe that the ability of ChatGPT to produce perfect English, to interact with people, is going to be misused on a massive scale,” Shamir said in a panel with other major cryptographers. He also said these tools will "have a major impact on social engineering."

This attitude matches how many people are feeling right now regarding AI. Several major tech executives are warning against unregulated AI tools and bots, and leaders from the G7 nations adopted a new agreement that their countries would take a “risk-based” approach to regulating AI.

Outside of AI, the other thing that stood out to me from RSA was a new level of transparency from the U.S. government regarding how it approaches fending off cyber attacks and cybercrime. At a joint panel at RSA, the U.S. Department of Homeland Security and Cybersecurity and Infrastructure Security Agency (CISA) disclosed a previously unknown defense of an Iranian state-sponsored actor infiltrating a local government elections’ page. The officials speaking at the conference said the U.S. government disrupted the attack before any votes were tallied or reported.

Several high-profile cybersecurity officials in the Biden administration appeared to show a united front against cybercrime, urging the importance of disrupting dark web forums and websites over trying to arrest the humans behind these sites.

**The one big thing**

The use of web shells is rising in cyber attacks, according to new data from Cisco Talos Incident Response. The latest Talos IR Quarterly Report found that web shells were the most-observed threat in the first quarter of 2023, comprising nearly a fourth of the incidents Talos IR engaged in. Ransomware made up a smaller portion of threats observed this quarter than in the past, from 20% to around 10%. However, Talos does not believe that data is reflective of the current threat landscape and is instead lower simply because several Talos IR ransomware engagements began in Q1 but did not close.

**Why do I care?**

These Talos IR reports are always a great way to see what tactics, techniques and procedures (TTPs) attackers are actively using in the wild. The types, and volume of, web shells Talos IR saw last quarter highlight the skills actors have in combining multiple means of access and tools and increase the likelihood that they will be able to deploy additional malware or obtain sensitive and private information.

**So now what?**

The lack of multi-factor authentication (MFA) remains one of the biggest impediments for enterprise security. Nearly 30 percent of engagements involved organizations that either had no MFA or only had it enabled on a handful of accounts and critical services. Talos IR frequently observes ransomware and phishing incidents that could have been prevented if MFA had been properly enabled on critical services, such as endpoint detection response (EDR) solutions or VPNs. To help minimize initial access vectors, Talos IR recommends disabling VPN access for all accounts that are not using MFA.

**Top security headlines of the week**

Meta says it flagged more than 1,000 domains since March **that were spreading ChatGPT-themed tools and offers actually containing malware.** A new quarterly security report from Facebook and Instagram’s parent company said it found at least 10 malware families on its platforms posing as ChatGPT and other similar tools to compromise user accounts. Many of these threats are fake browser extensions that claim to act like ChatGPT for users but instead steal sensitive information like login credentials, banking information and other user data. Meta Chief Information Security Officer Guy Rosen said at a press conference that "ChatGPT is the new crypto” for bad actors. (Axios, Reuters)

A federal judge this week **gave Google permission to take down current and future domains associated with the CryptBot information-stealer malware.** It's estimated that CryptBot has infected more than 670,000 users over the past year, stealing victims’ Google Chrome browser data and other sensitive information. With the court order, Google can identify the network providers whose services directly and indirectly make the malware’s distribution possible and allows the company to directly block traffic and disrupt other servers the malware’s actors could shift to. CryptBot is known for stealing login information and personally identifiable information (PII) that is then turned around and sold to other threat actors to carry out larger data breaches. (Decipher, SC Media)

**A critical vulnerability in the popular Illumina DNA sequencing devices could allow adversaries to modify or steal patients’ sensitive medical data.** A new warning from U.S. CISA states that the vulnerability, which has a maximum 10 out of 10 severity rating, allows attackers to remotely access an affected device over the internet without needing a password. “Successful exploitation of these vulnerabilities could allow an attacker to take any action at the operating system level,” according to CISA’s advisory. Illumina’s technology allows researchers and scientists to determine the order of certain DNA sequences, which is useful in researching disease and certain health conditions. (TechCrunch, CISA)

**Can’t get enough Talos?**

*   Talos IR On Air: Reviewing Q1's top threats
*   Video: State-sponsored campaigns target global network infrastructure
*   Talos Takes Ep. #136: Analyzing the recent takedown of popular dark web forums

**Upcoming events where you can find Talos**

**BSidesFortWayne** **(May 20)**

Fort Wayne, IN

**Cisco Live U.S.** **(June 4 - 8)**

Las Vegas, NV

**Most prevalent malware files from Talos telemetry over the past week**

  
**SHA 256:** 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
**MD5:** 2915b3f8b703eb744fc54c81f4a9c67f  
**Typical Filename:** VID001.exe  
**Claimed Product:** N/A  
**Detection Name:** Win.Worm.Coinminer::1201

**SHA 256:** e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c  
**MD5:** a087b2e6ec57b08c0d0750c60f96a74c  
**Typical Filename:** AAct.ex  
**Claimed Product:** N/A  
**Detection Name:** PUA.Win.Tool.Kmsauto::1201

**SHA 256:** e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934  
**MD5:** 93fefc3e88ffb78abb36365fa5cf857c  
**Typical Filename:** Wextract  
**Claimed Product:** Internet Explorer  
**Detection Name:** PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg

**SHA 256:** 59f1e69b68de4839c65b6e6d39ac7a272e2611ec1ed1bf73a4f455e2ca20eeaa  
**MD5:** df11b3105df8d7c70e7b501e210e3cc3  
**Typical Filename:** DOC001.exe  
**Claimed Product:** N/A  
**Detection Name:** Win.Worm.Coinminer::1201

**SHA 256:** 00ab15b194cc1fc8e48e849ca9717c0700ef7ce2265511276f7015d7037d8725  
**MD5:** d47fa115154927113b05bd3c8a308201  
**Typical Filename:** mssqlsrv.exe  
**Claimed Product:** N/A  
**Detection Name:** Trojan.GenericKD.65065311