Emotet is a ubiquitous and well-known banking trojan that has evolved over the years to become a very successful modular botnet capable of dropping a variety of other threats. Even after a global takedown campaign in early 2021 disrupted the botnet, it reemerged later that year, rebuilding its infrastructure and

Tuesday, November 8, 2022 11:11

Emotet is a ubiquitous and well-known banking trojan that has evolved over the years to become a very successful modular botnet capable of dropping a variety of other threats. Even after a global takedown campaign in early 2021 disrupted the botnet, it reemerged later that year, rebuilding its infrastructure and becoming highly active in a short time.  

Emotet is back again with a new campaign displaying many characteristics of older runs, including the use of Auto\_Open macros inside XLS documents. Cisco Talos has observed an increased activity of spam distributing this new strain beginning in early November 2022,  and the volume of spam and Emotet infrastructure has been increasing since then to target multiple geographies around the world.  

**Technical details**

Following Microsoft’s recent announcement that it would begin disabling macros by default in Office documents downloaded from the internet, many malware families have begun migrating away from Office macros to other delivery mechanisms like ISO and LNK files. Therefore, it is interesting to note that this new campaign of Emotet is using its old method of distributing malicious MS Office documents (maldocs) via email-based phishing.  

The malware is delivered via email spam messages that contain a zip file with a XLS file inside, or the XLS attached directly to the email. Based on the samples Talos observed, the messages have minimal content in the email body, typically only consisting of a filename and password. These emails might either be new emails arriving in a victim’s inbox or can even pose as responses to an existing, hijacked thread:  

In order to bypass Microsoft’s protection for macros downloaded from the internet, Emotet is using social engineering to convince victims to copy the maldoc to a whitelisted folder where the macro protection is not activated:  

Upon opening the maldoc, a message is displayed asking the victim to copy the maldoc to a folder that does not have macro protections activated. If the victim believes the fake security policy message above and does as it asks, the document will be opened without any restriction on executing the macro. We can see that once the file is in the right place, there is no message about macros being blocked anymore:  

The documents might look empty, but they contain hidden sheets with text in them, which is used by the VBA macro to assemble the URL from where the Emotet malware is downloaded. By simply un-hiding the sheets and copying the text to a text editor, we can see the content of these sheets:  

A request is made to one of the URLs listed above. This is a similar method used by other malware in the past, like Qakbot, which used XLSB files to perform a similar trick. The content of the remote page is then dropped in the C:\\Window\\System32 folder with one of the names also seen above.  

Based on their timestamp, most of these documents were created in early November. Sample subset of maldocs clustered by creation date/time stamps:  

**Coverage**

Ways our customers can detect and block this threat are listed below.  

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.

Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. Snort SIDs for this threat are: **43890-43892, 44559, 44560, 47616, 47617, 48402, 49888, 49889, 51967-51971, 52029, 53108, 53353-53360, 53770, 53771, 54804, 54805, 54900, 54901, 54924, 54925, 55253, 55254, 55591, 55592, 55781, 55782, 55787, 55788, 55869, 55870, 55873, 55874, 55929-55931, 56003, 56046, 56047, 56170, 56171, 56713, 56528, 56529, 56535, 56536, 56620, 56621, 56656,  56657, 56714, 56906, 56907, 56924, 56925, 56969, 56970, 56983, 56984, 57901, 58943**  

  
The following ClamAV detections are also available for this threat:

*   Xls.Downloader.Emotet-b649c93692b4c9d9-9976616-0
*   Win.Trojan.Botx-9976975-0
*   Win.Trojan.Botx-9976976-0

**Indicators of Compromise**

The IOC list is available in Talos' Github repo here.

Emotet coming in hot

Organizations must proactively limit supply chain risks through careful selection of the company they keep while preparing to respond to an incident that will invariably originate from the supply chain.

The Company You Keep – Preparing for supply chain attacks with Talos IR

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Oct. 28 and Nov. 4. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key

Threat Roundup for October 28 to November 4

Welcome to this week’s edition of the Threat Source newsletter.
I’m fascinated by how things live and die on the internet. Things that are ubiquitous to our daily lives are simply gone the next. LiveJournal and Myspace we hardly knew you. Elon Musk’s purchase

Thursday, November 3, 2022 16:11

Welcome to this week’s edition of the Threat Source newsletter.

I’m fascinated by how things live and die on the internet. Things that are ubiquitous to our daily lives are simply gone the next. LiveJournal and Myspace we hardly knew you. Elon Musk’s purchase of Twitter and the subsequent exodus led me down the nostalgic path of thinking about how times change and platforms change but things largely remain the same. Until now. We’ve grown as an entire internet community and we remember the pain of moving from app to app and site to site. Many top infosec follows have deactivated their accounts while others are weighing when and if they will leave. Several have moved to decentralized solutions like mastodon.social which saw an uptick of more than 70,000 new users in a single day after the purchase was official. In theory Mastadon can’t be controlled by a single person or entity and to me it feels like this is the next step in our path as an internet community. Will it catch on and be the answer to all of our needs? Doubtful. It is a step in the evolution of the internet and I’m very interested to see what the next adaptation brings.

**The one big thing**

Cisco Talos Incident Response recently released their Quarterly Report highlighting the ransomware and pre-ransomware engagements, making up nearly 40 percent of threats this quarter. This quarter saw ongoing Qakbot, Hive, and Vice Society activity as well as the emergence of Black Basta, which first surfaced in April 2022. Adversaries continue to leverage not only LoLBins but a variety of publicly available tools and scripts hosted on GitHub repositories or free to download from third-party websites to support operations across multiple stages of the attack lifecycle. Defenders continue to struggle with MFA rollouts, as lack of MFA remains one of the biggest impediments to enterprise security. Nearly 18 percent of engagements either had no MFA or only had it enabled on a handful of accounts and critical services.

**Why do I care?**

Understanding the current tools and trends used by attackers, as well as understanding the vulnerabilities that are targeted are intrinsic to good security posture. Knowing your environment is step one. Understanding that same environment from the view of the attacker is the next step. Per the report “In nearly 15 percent of engagements this quarter, adversaries identified and/or exploited misconfigured public-facing applications by conducting SQL injection attacks against external websites, exploiting Log4Shell in vulnerable versions of VMware Horizon, and targeting misconfigured and/or publicly exposed servers.”

**So now what?**

Ensuring that you know your environment and are covering the base of the security pyramid well is critical. Patch, self-assess, and follow trusted threat intelligence sources. Talos IR recommends disabling VPN access for all accounts that are not using two-factor authentication and to disable or delete inactive accounts from Active Directory to prevent suspicious activity.

For the OpenSSL vulnerability we strongly recommend users mitigate affected OpenSSL systems as soon as possible by upgrading to version 3.0.7. Talos has released coverage across the device portfolio including Snort Rules: 60790, 300306-300307 to protect against exploitation of CVE-2022-3602 and ClamAV signature, Multios.Exploit.CVE\_2022\_3602-9976476-0, to detect malware artifacts related to this threat.

**Top security headlines of the week**

Security researchers were once again falsely implied by a ransomware gang in an effort to indicate their involvement. This time around Azov implicated BleepingComputer, Hasherazade, MalwareHunterTeam, Michael Gillespie, Lawrence Abrams, and Vitali Kremez, urging infected users to contact them via their accounts on Twitter to recover files.

Dropbox was the target of a recent phishing campaign that led to attackers gaining access to code stored in Github and copying 130 code repositories, including third-party libraries, internal software projects, and a few tools and configuration files maintained by the Dropbox security team. The attackers didn't gain access to any user content, passwords, or payment information. The Dropbox security team released a report detailing how they handled the incident.

**Can't get enough Talos?**

*   https://blog.talosintelligence.com/researcher-spotlight-how-azim-khodjibaev-went-from-hunting-real-world-threats-to-threats-on-the-dark-web/
*   https://blog.talosintelligence.com/quarterly-report-incident-response-trends-in-q3-2022/
*   https://blog.talosintelligence.com/openssl-vulnerability/
*   https://youtu.be/KhG6RUZgMas

**Upcoming events where you can find Talos**

BSides Lisbon (Nov. 10 - 11)  
Cidade Universitária, Lisboa, Portugal

SIS(Security Intelligence Summit), 2022.ON (Nov. 29)  
Josun Palace, Seoul

**Most prevalent malware files from Talos telemetry over the past week**

SHA 256:  
9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
MD5: 2915b3f8b703eb744fc54c81f4a9c67f  
Typical Filename: VID001.exe  
Detection Name: Simple\_Custom\_Detection

  
SHA256:  
d5dc790f6f220cf7e42c6c1c9f5bc6e4443cb52d07bcdef24a6bf457153c1d86  
MD5: 69fbf6849d935432bac8b04bdb00fd68  
Typical Filename: KMSAuto++.exe  
Detection Name: W32.File.MalParent

SHA256:  
e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934  
MD5: 93fefc3e88ffb78abb36365fa5cf857c  
Typical Filename: Wextract  
Claimed Product: Internet Explorer  
Detection Name: PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg

SHA 256:  
125e12c8045689bb2a5dcad6fa2644847156dec8b533ee8a3653b432f8fd5645  
MD5: 2c8ea737a232fd03ab80db672d50a17a  
Typical Filename: LwssPlayer.scr  
Claimed Product: 梦想之巅幻灯播放器  
Detection Name: Auto.125E12.241442.in02

SHA 256:  
00ab15b194cc1fc8e48e849ca9717c0700ef7ce2265511276f7015d7037d8725  
MD5: d47fa115154927113b05bd3c8a308201  
Typical Filename: outlook.exe  
Claimed Product: MS Outlook  
Detection Name: W32.00AB15B194-95.SBX.TG

Threat Source newsletter (Nov. 3, 2022): Mastadon, evolution, and LiveJournal oh my!

In late October two new buffer overflow vulnerabilities, CVE-2022-3602 and CVE-2022-3786, were announced in OpenSSL versions 3.0.0 to 3.0.6. These vulnerabilities can be exploited by sending an X.509 certificate with a specially crafted email address, potentially causing a buffer overflow resulting in a crash or

Tuesday, November 1, 2022 15:11

In late October two new buffer overflow vulnerabilities, CVE-2022-3602 and CVE-2022-3786, were announced in OpenSSL versions 3.0.0 to 3.0.6. These vulnerabilities can be exploited by sending an X.509 certificate with a specially crafted email address, potentially causing a buffer overflow resulting in a crash or remote code execution (RCE). X.509 is the standard defining the format of public key certificates, commonly used in protocols including TLS as well as digital signatures. Importantly, these vulnerabilities can affect both the client and server in contrast to most vulnerabilities that typically impact one or the other, broadening the potential attack surface.  

These vulnerabilities could be very impactful as OpenSSL is widely used, and the affected version is included in some major Linux distributions. However, the affected version was released relatively recently in September of 2021 so adoption may not be as widespread as older versions, such as 1.1.1 and 1.0.2, which are currently unaffected by this vulnerability.  

For more information about these vulnerabilities’ impact on Cisco products, please refer to Cisco’s Security Advisory here.  

Cisco Talos is closely monitoring for potential exploitation attempts in the wild as new details of the vulnerabilities are released. We strongly recommend users mitigate affected systems as soon as possible by upgrading to version 3.0.7.  

**Vulnerability details**

A buffer overflow can be triggered by sending an X.509 certificate with a specially crafted email address in the “id-on-SmtpUTF8Mailbox” field ( OID 1.3.6.1.5.5.7.8.9 )  resulting in a crash (Denial of Service - DoS) or potential remote code execution on a vulnerable client or server. Potential opportunities for exploitation can occur if a server requests authentication information after a malicious client connects, or if a client connects to a malicious server, which would then make the client vulnerable.

CVE-2022-3602 is assigned for a 4-byte buffer overflow (single unsigned int overwrite) resulting in a crash or remote code execution. However, CVE-2022-3786 refers to the variable length overflow variant in the X.509 email address field with the potential to result in crashes.

**Coverage & Mitigations**

  
Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.  

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.  

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.  

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.  

Umbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.  

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.  

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.  

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.  

For more information about this vulnerability’s impact on Cisco products, please refer to Cisco’s Security Advisory here.  

Cisco Talos is releasing Snort Rules: **60790, 300306-300307** to protect against exploitation of CVE-2022-3602.  

The following ClamAV signatures have been released to detect malware artifacts related to this threat:

*   Multios.Exploit.CVE\_2022\_3602-9976476-0

Threat Advisory: High Severity OpenSSL Vulnerabilities

Most of the time, Khodjibaev is combing through various dark web forums, ransomware group chats, Russian-speaking websites and other sources trying to learn of attackers’ next moves.

Monday, October 31, 2022 14:10

**A case study in why cybersecurity experience is not a prerequisite to work in security**

Azim Khodjibaev knows all sides of the “security” industry.

That doesn’t just cover cybersecurity, either — he spent the first part of his career ensuring the physical safety of civilians and military personnel, which is about as high-stakes as it gets.

Today, he’s using his knack for tracking physical threats to hunt down other types of threats on the deepest corners of the internet so Talos can stay one step ahead of threat actors.

Khodjibaev is a senior intelligence analyst with Talos’ Threat Intelligence and Interdiction team. The idea of collecting intelligence of all types has been in his life for years — he’s no stranger to geopolitical conflict growing up in the late days of the Soviet Union.

When his family immigrated to the U.S. in the mid-1990s, he knew he wanted to follow a career in political science, which led him to get his bachelor’s degree in international relations. Since then, the word “threats” has meant all sorts of things to Khodjibaev.

He spent several years in different contracting positions with the U.S. government where he worked in counterintelligence research, utilizing his native Russian language to try and warn potential targets of military action, by infiltrating various online networks and tapping other sources to learn as much as possible about adversaries’ plans. Khodjibaev was also a part of the intelligence-gathering operations in the wake of the Boston Marathon bombing in 2013 and spent time tracking the location of improvised explosive devices (IEDs) on real battlefields.

“After doing that for a while, out of the blue, I got a message on LinkedIn that actually looked like a phish because it was too good to be true,” he jokes now.

The message was a Cisco recruiter reaching out to him about a potential job opportunity at Talos in the cybersecurity space, something Khodjibaev had never directly worked in before. But after a successful interview and a promise of further education in the field, he jumped on board with Talos in 2016. One of his first challenges was to translate the infamous BlackEnergy attacks against Ukraine and pass along his findings to the Talos detection team who needed to react quickly to the cyber attack.

“For about three-and-a-half years, I was blind, I had no idea what was going on. I knew nothing about the network structure, and only knew the very basic levels of cybersecurity,” he said.

But by working on a team with cybersecurity-focused researchers, he grew his knowledge of virtual threats and how to apply his intelligence-gathering skills to focus on cyber attacks rather than kinetic ones.

Most of the time, Khodjibaev is combing through various dark web forums, ransomware group chats, Russian-speaking websites and other sources trying to learn of attackers’ next moves.

“Over time, I realized I could contribute to the entire cybersecurity enterprise by building on those human intelligence skills and cyber intelligence skills,” he said.

When Khodjibaev finds a new potential threat or piece of malware, he tries to get it to Talos’ team of reverse engineers and rule writers to write detection as quickly as possible. He also partners with the Outreach team’s researchers to put together public-facing intelligence on the threat, such as one of Talos’ blog posts or intelligence partner alerts.

“As soon as I see something that’s beyond my ability to do something, we have a very specific mechanism that Talos has developed and refined to be speedy, yet accurate, with our detection,” he said.

Most recently, Khodjibaev’s been researching the LockBit ransomware group and regularly updates his Twitter followers about the group’s ongoing developments, even leading to a mini-series of Talos Takes episodes jokingly dubbed “Days of our Ransomware” as he sees drama between these groups play out on message boards, private chats and more.

These can often be very high-risk situations, though, and Khodjibaev continually imperils himself by trying to infiltrate virtual spaces with well-funded and highly skilled threat actors, so one slip-up could make him a personal target of an attack. But it doesn’t deter him from checking as many spaces as possible for the latest developments.

“There have been times when I’ve been legitimately scared because I pushed the envelope too far,” he said. “I am paranoid and careful in a good way where I’m always documenting things. But I’ve pushed the envelope into how far I’ve gone. The bad guys need to understand and learn that if they create a space that has more than one person in it, it’s only a matter of time before someone like me gets in there and takes advantage of that.”

These high-stress situations are admittedly less of a literal life-and-death situation that Khodjibaev used to work in when he would be forced to watch videos or read plans of “violence, abuse, crimes against innocent, defenseless people.”

So, he enjoys the quieter moments of his life where he can either work in his yard at his home or get out and kayak. He’s also a rowing coach for a local high school program.

“Given that unstable childhood I went through \[in the Soviet Union\], I am really into just living a really boring suburban life,” Khodjibaev said.

Now several years into his cybersecurity journey, Khodjibaev said he’s learned that cybersecurity isn’t a problem that can only be solved by looking at raw intelligence like datasets, he more so subscribes to Matt Olney’s, the director of Threat Intelligence and Interdiction at Talos, theory that “cybersecurity is a human problem.”

“I’ve always been a curious person and have always had a low tolerance of malicious activity against people who can’t help themselves,” Khodjibaev said. “Most cybercrime is just that — it’s not these state-sponsored actors, it’s cyber criminals ruining people’s days and targeting hospitals, and schools, and I always wanted to do something about it.”

Researcher Spotlight: How Azim Khodjibaev went from hunting real-world threats to threats on the dark web

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Oct. 21 and Oct. 28. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key

Threat Roundup for October 21 to October 28

This year’s theme, “See Yourself in Cyber,” allowed Talos to highlight the various positions and people that make up our organization.

Friday, October 28, 2022 09:10

As yet another October comes to an end, so does another Cybersecurity Awareness Month. Since 2004 when the President of the United States and Congress declared October Cybersecurity Awareness Month, we’ve taken the time to share our cybersecurity knowledge with the broader general public year after year. This year we focused on the 2022 theme, “See Yourself in Cyber.” As the talent gap continues to affect the cybersecurity field, Talos aims to share resources and inspire the next generation of cyber defenders.

**See yourself in cyber**

This year’s theme, “See Yourself in Cyber,” allowed Talos to highlight the various positions and people that make up our organization. From team members with military backgrounds to no formal cybersecurity education there’s a place in Talos for everyone regardless of background, location or experience.

To showcase the different roles at Talos and within the cybersecurity community, we brought together a global panel of Talos members to share their career paths and offer career advice for those looking to start a career in the cyber field. Rewatch our “See Yourself in Cybersecurity” career panel livestream to learn how you can start a career in cybersecurity.

October also featured our sixth Researcher Spotlight, Cisco Talos Incident Response Principal Engineer Yuri Kramarz. Each month we spotlight a different researcher highlighting their career journey, work at Talos and cybersecurity career advice. Read Yuri’s spotlight and the rest of our Research Spotlight series here.

Our second livestream of the month, Threat Hunting 101, brought together a panel of threat researchers to not only discuss what Threat Hunting is but also how to start a career in the field. Through the round table conversation Talos members highlighted the key skills one needs to be a successful threat hunter and shared their thoughts on where they see the future of threat hunting headed. Watch the livestream on demand to learn how Talos approaches their threat hunting programs.

October may be Cybersecurity Awareness Month, but every day, our incident responders are working to keep our customers, partners – and ultimately the internet at large -- safe. We recognized our Incident Responders of the Cisco Talos Incident Response team and how their work impacts the world and what keeps them motivated every day on a nearly 24/7 basis.

It’s never too late to start a career in the cybersecurity field regardless of your previous experience. Cisco Talos Incident Response Consultant Gergana Karadzhova shared her six tips on how to pivot into cybersecurity as a mid-career professional to encourage those looking to break into the industry. Her first tip? It’s never too late! Sammi Seaman and Jon Munshaw also recorded a Talos Takes episode reflecting on their pivot from non-security fields to careers at Talos.

Interested in joining Team Talos? You can view all our current openings and apply here. Follow along with us all year long on social media and subscribe to our Threat Source newsletter to stay up to date on the latest threats news.

See Yourself in Cyber: A Cybersecurity Awareness Month recap

Supply chain attacks were all the rage in 2020 after SolarWinds, but we seem to have forgotten how important they are.

Thursday, October 27, 2022 14:10

Welcome to this week’s edition of the Threat Source newsletter.

There are plenty of jokes about whether we’re “aware” of cybersecurity during National Cybersecurity Awareness Month. But now I’m wondering if people are aware of supply chain attacks.

I thought we hit the pinnacle of supply chain attacks in 2020 with the SolarWinds attack, when these types of attacks dominated headlines and defenders started shouting from the mountaintops about how important it is to be ready for supply chain attacks.

And then Kaseya came along a few months later when attackers found a different way to deploy malicious updates that were disguised as legitimate patches.

And still today, we’re warning about the dangers of how prevalent supply chain attacks are and how everyone needs to be ready for this attacker technique. This leaves me wondering if Kaseya and SolarWinds weren’t the breaking point — what is?

It seems like no matter how many times we see major ransomware attacks, even coming to the point of making it impossible for people to get gas, attackers are back again with another ransomware attack a few weeks later.

We still have several hurdles to overcome to fix the supply chain attack problem, as Jaeson Schultz from our Outreach team outlined in this recent post. But it’s clear that these attacks aren’t going anywhere, and neither are defenders’ warnings.

As I wrote at the start of October, it can be easy to poke fun at Cybersecurity Awareness Month because it’s impossible to define what it even means to be “aware” of cybersecurity. Clearly, there’s still awareness to spread, though, and we keep needing to spread it in regard to supply chain attacks, ransomware and pretty much every other type of cyber attack.

**The one big thing**

For the first time since collecting such data, Cisco Talos Incident Response saw an equal number of ransomware and pre-ransomware engagements, making up nearly 40 percent of threats in the third quarter of 2022. It can be difficult to determine what constitutes a pre-ransomware attack if ransomware never executes and encryption does not take place. However, Talos IR assesses that the combination of Cobalt Strike and credential-harvesting tools like Mimikatz, paired with enumeration and discovery techniques, indicates a high likelihood that ransomware is the final objective.

**Why do I care?**

This data represents what Talos IR is actively seeing in the wild over the past few months and is likely representative of the broader threat landscape.

**So now what?**

A lack of MFA remains one of the biggest impediments to enterprise security. Nearly 18 percent of engagements either had no MFA or only had it enabled on a handful of accounts and critical services. Talos IR frequently observes ransomware and phishing incidents that could have been prevented if MFA had been properly enabled on critical services, such as endpoint detection and response (EDR) solutions. Talos IR recommends disabling VPN access for all accounts that are not using two-factor authentication.

**Top security headlines of the week**

The Biden administration is preparing to release updated guidelines and warnings around election security with a few days left before the midterm elections. A bulletin reportedly being drafted includes information on threats from Russia, China and other state-sponsored actors. Election workers and local officials are also having to deal with physical threats to polling workers and locations, all while the number of volunteers is dwindling. Earlier this month, the U.S. Cybersecurity and Infrastructure Security Agency released a PSA stating that malicious cyber activity is "unlikely to disrupt or prevent voting." (Politico, Axios, Voice of America)

Apple released security updates for its iOS and iPadOS operating systems this week, including fixes for a vulnerability that “may have been actively exploited.” There are 20 vulnerabilities fixed in these updates in all. CVE-2022-42827 is the most notable vulnerability, which could allow an attacker to execute code with Kernel privileges via an attacker-controlled app. This is the third Kernel-related out-of-bounds memory vulnerability that Apple has patched in each of its previous security updates: CVE-2022-32894 and CVE-2022-32917. CVE-2022-32917 was known to be used in attacks in the wild. (Forbes, The Hacker News)

Two vulnerabilities in Microsoft's Mark of the Web (MoTW) security feature could allow an attacker to send JavaScript files that could bypass security blocks in place. Attackers are reportedly actively exploiting both issues, though Microsoft has yet to issue any formal fixes for the vulnerabilities, and there are no workarounds available. Mark of the Web protects users against files from untrusted sources, but the two vulnerabilities could allow the attackers to construct the files in a way that they are not appropriately marked by Windows. Attackers commonly use .js files as attachments or downloads that can run outside a web browser. (Dark Reading, Bleeping Computer)

**Can't get enough Talos?**

*   Talos Takes Ep. #118: Threat Hunting 101
*   Beers with Talos Ep. #127: I’m a skiddie, and you can too!
*   A bug in Abode’s home security system could let hackers remotely switch off cameras
*   Talos Incident Response Q3 2022 Quarterly Report

**Upcoming events where you can find Talos**

**Click or Treat? How not to fall for a phishing attack this Halloween** (Oct. 31)  
Virtual

**BSides Lisbon** (Nov. 10 - 11)  
Cidade Universitária, Lisboa, Portugal

**Most prevalent malware files from Talos telemetry over the past week**

**SHA 256:** e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c  
**MD5:** a087b2e6ec57b08c0d0750c60f96a74c  
**Typical Filename:** AAct.exe  
**Claimed Product:** N/A  
**Detection Name:** PUA.Win.Tool.Kmsauto::1201

**SHA 256:** e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934  
**MD5:** 93fefc3e88ffb78abb36365fa5cf857c  
**Typical Filename:** Wextract  
**Claimed Product:** Internet Explorer  
**Detection Name:** PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg

**SHA 256:** c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0  
**MD5:** 8c69830a50fb85d8a794fa46643493b2  
**Typical Filename:** AAct.exe  
**Claimed Product:** N/A  
**Detection Name:** PUA.Win.Dropper.Generic::1201

**SHA 256:** 58d6fec4ba24c32d38c9a0c7c39df3cb0e91f500b323e841121d703c7b718681  
**MD5:** f1fe671bcefd4630e5ed8b87c9283534  
**Typical Filename:** KMSAuto Net.exe  
**Claimed Product:** KMSAuto Net  
**Detection Name:** PUA.Win.Tool.Hackkms::1201

**SHA 256:** 125e12c8045689bb2a5dcad6fa2644847156dec8b533ee8a3653b432f8fd5645  
**MD5:** 2c8ea737a232fd03ab80db672d50a17a  
**Typical Filename:** LwssPlayer.scr  
**Claimed Product:** 梦想之巅幻灯播放器  
**Detection Name:** Auto.125E12.241442.in02

Threat Source newsletter (Oct. 27, 2022): I thought we were already aware of supply chain attacks?

This is just the latest set of vulnerabilities Talos has discovered in the InRouter302.

Thursday, October 27, 2022 11:10

_Francesco Benvenuto of Cisco Talos discovered these vulnerabilities._

Cisco Talos recently discovered several vulnerabilities in InHand Networks’ InRouter302 that could allow an attacker to access the router’s console and make changes to the router’s settings, including security protocols.

The InRouter is an industrial LTE router that includes remote management functionalities and several security protection mechanisms, such as VPN connections and a firewall.

This is just the latest set of vulnerabilities Talos has discovered in the InRouter302. We previously outlined how an attacker could string together several other since-patched security issues to gain root access to the device.

TALOS-2022-1523 (CVE-2022-25932) is actually an updated vulnerability for a new patch, as the previous security update to cover TALOS-2022-1472 and TALOS-2022-1474 was not effective.

Additionally, the router’s firmware contains leftover code in the debug feature. The InRouter302 offers telnet and SSHD services. When provided with the correct credentials, both will allow access to the router’s console. From the console, an attacker could manipulate several crucial security settings, including providing a specific command to manipulate the firmware signature verification flag and upload malicious firmware to the device.

These vulnerabilities are:

*   TALOS-2022-1518 (CVE-2022-29481)
*   TALOS-2022-1519 (CVE-2022-30543)
*   TALOS-2022-1520 (CVE-2022-26023)
*   TALOS-2022-1521 (CVE-2022-28689)

TALOS-2022-1522 (CVE-2022-29888) could be exploited if an attacker sends the device a specially crafted HTTP request. If exploited correctly, the adversary could gain the ability to delete arbitrary files on the device, potentially disrupting its operations or settings.

Cisco Talos worked with InHand Networks to ensure that these issues are resolved and an update is available for affected customers, all in adherence to Cisco’s vulnerability disclosure policy.

Users are encouraged to update these affected products as soon as possible: InHand Networks InRouter302, version 3.5.45. Talos tested and confirmed these versions of the router could be exploited by these vulnerabilities.

The following Snort rules will detect exploitation attempts against this vulnerability: 59152, 59153, 59882 – 59884 and 59886. Additional rules may be released in the future and current rules are subject to change, pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.