Cisco Talos is tracking and actively responding to a supply chain attack involving the 3CX Desktop Softphone application.
This is a multi-stage attack that involves sideloading DLLs, seven-day sleep routines, and additional payloads dependent on a now-removed GitHub repository for Windows based systems.
MacOS systems used a different infection chain

Thursday, March 30, 2023 18:03

*   Cisco Talos is tracking and actively responding to a supply chain attack involving the 3CX Desktop Softphone application.
*   This is a multi-stage attack that involves sideloading DLLs, seven-day sleep routines, and additional payloads dependent on a now-removed GitHub repository for Windows based systems.
*   MacOS systems used a different infection chain leveraging a hardcoded C2 domain, as opposed to the GitHub repo.
*   This is just the latest supply chain attack threatening users, after the SolarWinds incident in 2020 and the REvil ransomware group exploiting Kaseya VSA in 2021.

**Summary**

Cisco Talos recently became aware of a supply chain attack affecting Windows and MacOS users of the 3CX software-based phone application. This attack leveraged the legitimate update functionality of the 3CX application to deliver a set of malicious payloads to 3CX users.

The infection chain consists of several stages and involves sideloading DLLs along with a seven-day sleep cycle before the malware attempts to retrieve additional malicious artifacts from a now-removed GitHub repository for the Windows based infection. The GitHub repository hosted a series of icon files with encrypted data appended to the end of the files. These encrypted strings, once decrypted, contained the C2 domains for additional malicious artifacts.

The MacOS version used a hard coded C2 domain. These second-stage payloads are information stealers that attempt to obtain system information and the latest browsing history records, indicating this information may be used as a filtering mechanism to identify and discard some victims while maintaining unauthorized access to others.

During our investigation we were able to see file activity dating back to February 3, 2023. However, the GitHub repository has been active since December 2022. The full scope of the attack is uncertain at this point. The 3CX website claims to have over 600,000 customers and 12 million daily users. It's unclear how many are users of the 3CX Desktop App versus the web app option that was not affected. 3CX is currently asking users to use the web app while they work to release an update.

**Preparing since February 2022**

Based on Cisco Talos investigation, it appears the infrastructure that supported this attack was being prepared as early as February 2022 when the domains were first registered. A second cluster of activity happened toward the end of 2022 when the GitHub repository was created, along with a few other domains. The sbmsa\[.\]wiki domain was also created on Feb. 9, 2023, which was found to be used by the second stage of the MacOS version.  

The timeline below illustrates these clusters of activity.

Timeline of domain registration activity.

**Coverage**

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.

Cisco Secure Network/Cloud Analytics (Stealthwatch/Stealthwatch Cloud) analyzes network traffic automatically and alerts users of potentially unwanted activity on every connected device.

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.

Umbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

Talos created the following coverage for this:

Snort SIDs:

Snort 3: 300480,300481

Snort 2: 61550-61553

**Orbital Queries**

Cisco Secure Endpoint users can use Orbital Advanced Search to run complex OSqueries to see if their endpoints are infected with this specific threat. For specific OSqueries on this threat, Cisco Secure Endpoint customers need to make sure that "%3CX%" is entered into the program field under the "Installed Program Search" for Windows and ".\*3CX.\*" under "Installed Applications Monitoring" for MacOS in Orbital.

Additionally, the users can access the OSQueries directly on GitHub for both Windows and MacOS.

**Indicators of Compromise (IOCs)**

Indicators of compromise (IOCs) associated with ongoing activity can be found here.

Threat Advisory: 3CX Softphone Supply Chain Compromise

XXE attacks allow an adversary to interact with other backend or external systems that OpManager accesses.

Thursday, March 30, 2023 15:03

_Marcin “Icewall” Noga of Cisco Talos discovered this vulnerability._

Cisco Talos recently discovered a vulnerability in ManageEngine OpManager that could lead to an XML external entity (XXE) attack.

OpManager is network monitoring software that allows users to track and manage the performance of connected routers, switches, firewalls, servers, VMs and more. A vulnerability (TALOS-2022-1685/CVE-2022-43473) exists when the user attempts to add a unified computing system (UCS) to the software.

An attacker could exploit this vulnerability by providing a specially crafted, malicious XML file at an exact point during that connection process to allow them to carry out an XXE attack. XXE attacks allow an adversary to interact with other backend or external systems that OpManager accesses.

Cisco Talos worked with the managers of ManageEngine to ensure that this issue is resolved and an update is available for affected users, all in adherence to Cisco’s vulnerability disclosure policy.

Users are encouraged to update ManageEngine OpManager, version 12.6.168 as soon as possible. Talos tested and confirmed this version of the software could be exploited by this vulnerability.

The following Snort rule will detect exploitation attempts against this vulnerability:  
49864\. Additional rules may be released in the future and current rules are subject to change, pending additional vulnerability information. For the most current rule information, please refer to your Cisco Secure Firewall Management Center or Snort.org.

Vulnerability Spotlight: Vulnerability in ManageEngine OpManager could lead to XXE attack

Very few of us looking to buy these pieces of equipment are qualified to say if these products are even secure, and those among us who are are probably smart enough to know not to buy these products in the first place.

Thursday, March 30, 2023 14:03

Welcome to this week’s edition of the Threat Source newsletter.

Everyone loves a good video of someone slipping on their icy steps in the winter, captured thanks to their home security camera or smart doorbell. But what about when that camera is just kind of chilling out and not catching the moment your dog takes off after that squirrel?

The world of security cameras and recording devices attached to one’s home is becoming increasingly murky by the day. Law enforcement officials are finding ways to compel the companies that manufacture and manage these devices to turn over homeowners’ footage, even if the homeowner doesn’t consent to it.

And Amazon Ring, the biggest player in this space now, may or may not be the target of a ransomware attack.

So, while consumers might be purchasing these devices to ensure their physical security, the question about if these products are good for online security is a major question mark.

As Talos’ own Joe Marshall wrote in a guest column at Dark Reading this week, “IoT vendors continue to fail us on implementing solid cybersecurity controls.” This even goes for some of the largest tech companies in the world who would conceivably have the most money to invest in securing and testing these devices before they hit the market.

There are tons of budget options on the market that, unless you are an expert vulnerability researcher, are impossible to fully vet. I just went to Amazon’s website this week and searched for “smart doorbell.” Three of the best-selling items on the first page of results use nearly the exact same thumbnail art to advertise the product. Yet when you go to their product pages, each one is listed as being manufactured or sold by a different company.

If you’re merely reading the reviews of these products to figure out what’s right for you, or searching the internet for someone else’s review, they may mention if the resolution quality is up to snuff or if the app works well, but I doubt the reviewer has the time to physically tear apart the device looking for vulnerabilities or combing through the API for security holes. And if we can’t even trust the companies making these devices to differentiate their products based on appearance, there is no way to know how they may be prepared to respond to a data breach or what their stance is on sharing footage with law enforcement.

The same goes for security cameras. On Amazon’s search page for “home security camera,” the top five non-sponsored results are all made by different companies (Ring being one of them) and based on the features they offer, it’s nearly impossible to differentiate them outside of a difference in form factor. Very few of us looking to buy these pieces of equipment are qualified to say if these products are even secure, and those among us who are are probably smart enough to know not to buy these products in the first place.

I certainly wouldn’t stop anyone from buying a home security camera if they truly feel it improves their families’ safety. But I think that, no matter what brand we buy, everyone just needs to assume now that they’re taking a risk with their privacy and online security as a trade-off for catching possible package burglars.

**The one big thing**

Emotet is back from the dead once again. Since returning, Emotet has leveraged several distinct infection chains, indicating that they are modifying their approach based on their perceived success in infecting new systems. The initial emails delivered to victims are consistent with what has been observed from Emotet over the past several years.

Why do I care?

Emotet is arguably the most infamous botnet on the threat landscape, so it’s notable any time it spins back up. This network is known to go through quiet periods and then pop back up, so this isn’t particularly surprising, but it is noteworthy because Emotet’s creators are switching up their tactics by switching to new types of lure documents to evade detection and recent changes Microsoft made to macros to try and stop attackers from using malicious Office attachments.

**So now what?**

Because Emotet has been around for so long now, Cisco Secure and Talos have an exhaustive list of ways to stay protected from Emotet spam. But as a good general reminder, always make sure you triple-check the “From” field in an email to make sure it’s actually from who you think its from. And never open an attachment or click on a link in an email unless you’re sure it’s the correct destination.

**Top security headlines of the week**

**Defenders and detractors of TikTok both seem unmoved** after the popular social media app’s CEO testified in front of a U.S. Congressional panel last week. Lawmakers who are in favor of a blanket ban on the app in the U.S. over data and privacy concerns were unimpressed with the answers the company’s lead provided, while others mocked lawmakers for the types of questions they asked and instead advocated for broader data privacy laws. Republicans in Congress still plan to take up legislation to ban TikTok, with House Speaker Kevin McCarthy tweeting that, “It’s very concerning that the CEO of TikTok can’t be honest and admit what we already know to be true — China has access to TikTok user data.” (Buzzfeed, The Hill, The New Yorker)

**A bug in the popular ChatGPT AI tool exposed other users’ message history** and may have also leaked sensitive information like the payment information and emails of premium users. OpenAI, the company behind ChatGPT, took the tool offline last Tuesday for emergency maintenance after they became aware of the issue. The company confirmed the information was exposed during a nine-hour window on March 20, but it could have been exposed prior to that. The data leak exposes concerns that many users have around using tools like ChatGPT to share sensitive or potentially confidential information. (SecurityWeek, Engadget)

**A data breach at Latitude Financial affects millions of people in New Zealand and Australia,** potentially dating back to 2005. The personal lending company said attackers stole around 7.9 million driver’s license numbers and 53,000 passport numbers. Names, addresses, phone numbers and dates of birth are also among the data stolen. When Latitude first announced the attack on March 16, it estimated that 300,000 customers had been affected, but the number has grown as the investigation continued, though the company stopped the breach prior to the disclosure. The breach has called into question why financial companies retain records for so long after a customer has applied for financing and how that data is stored. (The Guardian, Yahoo Finance)

**Can’t get enough Talos?**

*   Talos Takes Ep. #132: Reflecting on one year of Talos' work in Ukraine
*   Graphic novel: Life inside the Talos Ukraine Task Unit
*   How an incident response retainer can drive proactive security
*   Threat Roundup for March 17 - 24
*   If your Netgear Orbi router isn’t patched, you’ll want to change that pronto

**Upcoming events where you can find Talos**

**RSA** **(April 24 - 27)**

San Francisco, CA

**Cisco Live U.S.** **(June 4 - 8)**

Las Vegas, NV

**Most prevalent malware files from Talos telemetry over the past week**

  
**SHA 256:** e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934  
**MD5:** 93fefc3e88ffb78abb36365fa5cf857c  
**Typical Filename:** Wextract  
**Claimed Product:** Internet Explorer  
**Detection Name:** PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg

**SHA 256:** 00ab15b194cc1fc8e48e849ca9717c0700ef7ce2265511276f7015d7037d8725  
**MD5:** d47fa115154927113b05bd3c8a308201  
**Typical Filename:** mssqlsrv.exe  
**Claimed Product:** N/A  
**Detection Name:** Trojan.GenericKD.65065311

**SHA 256:** de3908adc431d1e66656199063acbb83f2b2bfc4d21f02076fe381bb97afc423  
**MD5:** 954a5fc664c23a7a97e09850accdfe8e  
**Typical Filename:** teams15.exe  
**Claimed Product:** teams15  
**Detection Name:** Gen:Variant.MSILHeracles.59885

**SHA 256:** c74e7421f2021b46ee256e5f02d94c1bce15da107c8c997c611055412de1ac1  
**MD5:** 2d16d0af6183803a79d9ef5c744286c4  
**Typical Filename:** nano\_download.php  
**Claimed Product:** Web Companion Installer  
**Detection Name:** W32.1C74E7421F-100.SBX.VIOC

**SHA 256:** 5616b94f1a40b49096e2f8f78d646891b45c649473a5b67b8beddac46ad398e1  
**MD5:** 3e10a74a7613d1cae4b9749d7ec93515  
**Typical Filename:** IMG001.exe  
**Claimed Product:** N/A  
**Detection Name:** Win.Dropper.Coinminer::1201

Threat Source newsletter (March 30, 2023) — It’s impossible to tell if your home security camera or doorbell is truly safe

OpenImageIO is a library that converts, compares and processes various image files. Blender and AliceVision, two often used computer imaging services, utilize the library, among other software offerings.

Thursday, March 30, 2023 12:03

_Lilith >\_> of Cisco Talos discovered these vulnerabilities._

Cisco Talos recently discovered three vulnerabilities in the OpenImageIO image-parsing library that many popular pieces of 3-D rendering software use.

OpenImageIO is a library that converts, compares and processes various image files. Blender and AliceVision, two often used computer imaging services, utilize the library, among other software offerings.

Two of the vulnerabilities — TALOS-2023-1707 (CVE-2023-24473) and TALOS-2023-1708 (CVE-2023-22845) — could lead to the disclosure of sensitive information. An adversary could exploit these vulnerabilities by sending the target a specially crafted, malicious Targa (.tga) file.

TALOS-2023-1709 (CVE-2023-24472) is a denial-of-service vulnerability that is a continuation of TALOS-2022-1653 (CVE-2022-43594 and CVE-2022-43595). Talos first discovered CVE-2022-43595 in December, though it was not fixed in the most recent version of OpenImageIO.

Cisco Talos worked with OpenImageIO to ensure that these issues are resolved and an update is available for affected users, all in adherence to Cisco’s vulnerability disclosure policy.

Users are encouraged to update these affected products as soon as possible: OpenImageIO Project, version 2.4.7.1. Talos tested and confirmed this version of the library could be exploited by this vulnerability.

The following Snort rule will detect exploitation attempts against this vulnerability: 61271, 61272, 61384 and 61385. Additional rules may be released in the future and current rules are subject to change, pending additional vulnerability information. For the most current rule information, please refer to your Cisco Secure Firewall Management Center or Snort.org.

Vulnerability Spotlight: Specially crafted files could lead to denial of service, information disclosure in OpenImageIO parser

An attacker could exploit this vulnerability by sending a specially crafted HTTP, TLS or DTLS packet to the target machine, potentially causing a denial of service or gaining the ability to execute remote code.

Thursday, March 30, 2023 10:03

_Keane O’Kelley of Cisco ASIG discovered this vulnerability._

Cisco ASIG recently discovered a remote code execution vulnerability in the SNIProxy open-source tool that occurs when the user utilizes wildcard backend hosts.

SNIProxy proxies incoming HTTP and TLS connections based on the hostname contained in the initial request of the TCP session. This open-source tool allows for users to carry out name-based proxying of HTTPS without decrypting traffic or needing a key or certificate.

Talos discovered a remote code execution vulnerability (TALOS-2023-1731/CVE-2023-25076) that exists if the user is utilizing wildcard backend hosts when configuring SNIProxy. An attacker could exploit this vulnerability by sending a specially crafted HTTP, TLS or DTLS packet to the target machine, potentially causing a denial of service or gaining the ability to execute remote code.

Cisco Talos worked with the managers of SNIProxy to ensure that these issues are resolved and an update is available for affected users, all in adherence to Cisco’s vulnerability disclosure policy.

Users are encouraged to update these affected products as soon as possible: SNIProxy version 0.6.0-2 and SNIProxy Master, version 822bb80df9b7b345cc9eba55df74a07b498819ba. Talos tested and confirmed these versions of the open-source tool could be exploited by this vulnerability.

The following Snort rule will detect exploitation attempts against this vulnerability:  
61474\. Additional rules may be released in the future and current rules are subject to change, pending additional vulnerability information. For the most current rule information, please refer to your Cisco Secure Firewall Management Center or Snort.org.

Vulnerability Spotlight: SNIProxy contains remote code execution vulnerability

Whether it be threat hunting, an active defense posture or just improving security instrumentation alerts and logs an organization keeps, it’s best for every user — no matter the size — to be prepared for when a cybersecurity incident or breach occurs.

Wednesday, March 29, 2023 08:03

We’ve written before about the importance of taking a proactive approach to cybersecurity.

Whether it be threat hunting, an active defense posture or just improving security instrumentation alerts and logs an organization keeps, it’s best for every user — no matter the size — to be prepared for when a cybersecurity incident or breach occurs.

We saw this recently with a customer in the education industry vertical. The customer leveraged their Cisco Talos Incident Response retainer after conducting some proactive threat hunting to notify us that they identified some suspicious activity on their network. Talos IR responders quickly noticed that just a single box on the customer’s network alerted, and we isolated the intrusion to a single endpoint within the network. Talos IR concluded with high confidence that the adversary had compromised just a single endpoint with a single, compromised credential. This strong collaborative approach from the customer and Talos allowed us to quickly contain and eradicate the adversary from the environment.

Our Talos IR 2022 Q3 Quarterly Trends reflect pre-ransomware and ransomware activity being the top threat and this continues a trend that we’ve seen across the threat landscape where adversaries are increasingly carrying out pre-ransomware activities to establish a foothold on a network rather than diving in head-first with a full-blown ransomware attack. Regulation and small-medium business targets may be factors for adversaries evolving extortion tactics versus deploying ransomware within a compromised environment. Potential attack targets may just see smaller, potentially innocuous activities from an adversary that doesn’t have to include the encryption of files on a network and request for a ransom payment.

As outlined in Talos’ 2022 Year in Review, education is a particularly vulnerable sector and we expect adversaries to increase the targeting of schools and universities over the summer when students start to return to classes after break.

If you want to detect, quickly respond and eradicate an adversary like this customer, you need to have incident response expertise in place. Cisco Secure’s Security Outcomes Report recently found that there was 11 percent difference in average resilience scores between organizations that have an external incident response retainer versus those that don’t.

A foundational component of this proactive plan is a Cisco Talos Incident Response Retainer. If a Talos IR retainer customer sees something suspicious, we’re there immediately to respond and determine what containment actions are appropriate and if a further forensic investigation is required. Just because you are not experiencing file encryption in your environment does not mean that an adversary doesn’t have the capability to deploy ransomware leading to a business-impacting cybersecurity incident. It is common for an adversary to gain initial access to a target organization and maintain access.

With an incident response retainer, an organization doesn’t have to conglomerate a plan or response together. Instead, it’s a one-size-fits-all package that includes tabletop exercises, cyber range training, purple teaming, intelligence on-demand, and much more. Then, if (more likely when) your worst career day occurs and your organization is the target of a cyber-attack, Talos IR stands at the ready to help the team respond immediately to detect and eradicate an advanced or determined adversary.

We’ll be covering more about Incident Response retainers in our upcoming Talos IR On Air live stream on April 27 at noon Eastern, which you can watch on our LinkedIn and Twitter pages live.

With a retainer from Talos IR, organizations and users will have peace of mind that they have a trusted digital forensic and incident response team ready at any time. There’s no need to purchase emergency incident response services from one vendor, training exercises from another and a third vendor to assist in the creation of an incident response plan to prepare for the next time there’s an incident. Talos IR offers all these services in one package with a retainer.

If a customer doesn’t have a breach or an incident, there are many ways to leverage Talos IR proactively by enlisting us to lead your team through a hypothetical tabletop exercise or conducting a compromise assessment to identify potential gaps in your network before the adversaries can.

Even if your organization doesn’t already have Cisco products in place, Talos IR can work with you — we’re completely vendor-agnostic. Whatever tools and software you have, we’re here to help.

No matter what tools you must detect or scan for the next threat, our responders can start their work immediately to remediate the threat. If you require new hardware or software solutions, our team can always help with that, too.

If you are already a Cisco customer, a Talos IR retainer is the perfect way to continue your security journey with us and become more resilient. We’ll find the full capabilities of your security team and then develop a prescriptive plan for how your security team can best work with us over the lifetime of the retainer. The team that starts working with you from the first day you sign onto a retainer will be there with you.

If you’d like to learn more about a Talos IR retainer, please reach out to us through our website, and tune into the next Talos IR On Air to hear more about this service.

How an incident response retainer can drive proactive security

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between March 17 and March 24. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key

Threat Roundup for March 17 to March 24

Facebook users are notoriously the biggest offenders for sharing fake news and misinformation.

Thursday, March 23, 2023 14:03

Welcome to this week’s edition of the Threat Source newsletter.

After asking ChatGPT to write the newsletter for me two weeks ago, I was tempted to have Google’s Bard do the same, but I resisted making this the newsletter’s new gimmick.

Instead, I wanted to write about another tech giant — Meta.

The company recently doubled down on a threat to remove news links and sharing from its Facebook and Instagram platforms if Canada passes its proposed Online News Act, or bill C-18. The proposed legislation would compel companies like Meta and Google to sign agreements with Canadian news organizations that would pay them each time a user clicks on a news link through one of their platforms (i.e., via a shared link on Facebook or a Google search result).

But as the great Tobey Maguire once said in the cinematic classic “Spider-Man:” “I fail to see how that’s my problem.”

If Facebook stops users from sharing news links on their pages, it could be a net positive. Facebook users are notoriously the biggest offenders for sharing fake news and misinformation. A May 2020 study published in Nature Human Behavior found that Facebook pointed users to fake news websites during the 2016 presidential election at a higher rate than any other social media platform.

A separate study from Harvard found that during the first few months of 2020, the rate of user engagement with fake news to mainstream news stories was 1:3.5, and the International Communications Association found via a study of social media users that, “sharing countermedia content on Facebook is positively associated with ideological extremity and negatively associated with trust in the mainstream news media.”

If Instagram, Facebook and other social media sites were to follow along with this with Canada (Google already started quietly removing news links from its search engine last month in protest of the Online News Act), I think it could go a long way toward fighting disinformation. If users can’t get their news through social media, they may be forced to seek out information independently rather than blindly clicking “share” on Great Aunt Betty’s post, which is just a bad parody from the Babylon Bee.

I also would be remiss to not discuss the benefits this legislation would possibly have on newsrooms in Canada. As a former journalist, and someone who was worried about being laid off 24/7 in my previous jobs, it’s a financial struggle out there right now for legitimate news organizations. Online advertising isn’t what it once was, so many outlets are being forced to pivot to hard paywalls or rely on clickbait articles that don’t deliver any news. If this presents a new way to fund legitimate journalism, especially if the only financial burden falls on the richest companies in the world, it could go a long way to sustaining newsrooms.

Just because something becomes legal in Canada doesn’t mean other countries are going to be adopting the same rules any time soon. But if news sharing does suddenly go away on Facebook in Canada, maybe it will force all of us to think about where we’re really consuming our news from and how we consumed news even just 15 years ago.

**The one big thing**

We’re still reminding people to update their Microsoft Outlook clients as soon as possible after the disclosure of CVE-2023-23397. Attackers have reportedly been exploiting this vulnerability since last year, though a fix is available now through Microsoft. Adversaries could manipulate a targeted system into supplying the user’s Net-NTLMv2 hash to the attacker, which can then be used in NTLM Relay attacks against other systems.

**Why do I care?**

Multiple sources, including Microsoft itself, have confirmed that this vulnerability is being used in the wild. Plus, users don’t even have to open the email or any malicious attachments to trigger this vulnerability, the specially crafted email just has to hit the target’s Outlook inbox. This is a high-severity, low-complexity vulnerability everyone should be patching for if they haven’t already.

**So now what?**

Microsoft has released a patch that should be applied, but Talos also has several layers of detection and protection available. If, for some reason, your organization cannot apply this patch, Microsoft also provided a few mitigation options, including adding users to the Protected Users Security Group to prevent the use of NTLM as an authentication mechanism as well as blocking port TCP/445 outbound from your network to block the NTLM messages from leaving the network.

**Top security headlines of the week**

The **popular dark web site BreachForums shut down this week** after the FBI arrested its main admin. This is the latest in a string of law enforcement wins against cybercrime groups, who also brought down the Hive ransomware gang in January and RaidForums, BreachForums’ predecessor, last year. The site’s administrator, who goes by the username “Pompompurin,” also claimed responsibility for a data breach of the FBI’s email system in November 2021. Cyber criminals commonly used BreachForums to buy and sell stolen databases of information and had been at the center of recent high-profile data breaches, including this month's attack on DC Health Link that led to the theft of sensitive information belonging to several Congressional representatives. (Krebs on Security, Axios)

Google’s security research team **discovered several zero-day vulnerabilities in certain Samsung chips** that leave many Google smartphones and other wearable devices vulnerable. There are four critical flaws that could compromise affected devices “silently and remotely” over the cellular network, according to Google Project Zero’s blog post on the matter. An attacker could exploit those vulnerabilities to “remotely compromise a phone at the baseband level with no user interaction and require only that the attacker know the victim’s phone number.” Google says it was forced to disclose the vulnerabilities without a patch for many of the affected devices because Samsung did not adhere to its 90-day deadline to issue a fix. (TechCrunch, Google Project Zero)

TikTok’s CEO was scheduled to **appear before a U.S. Congressional committee Thursday** to discuss the popular app’s data security and privacy policies as there are renewed calls among the federal government to block the app. Prepared statements from CEO Shou Zi Chew showed that he would tout TikTok’s $1.5 billion investment in storing U.S. users’ information on Oracle servers and allow outside monitors to inspect the company’s source code. U.S. regulators have reportedly threatened to ban TikTok unless the company’s Chinese owners sell their stake, though the actual mechanics of blocking and de-listing the app are more complicated than they seem on the surface. (ABC News, New York Times)

**Can’t get enough Talos?**

*   New threat actor wages espionage campaigns across Central Asia and Eastern Europe
*   Threat Roundup for March 10 - 17
*   Vulnerability Spotlight: Netgear Orbi router vulnerable to arbitrary command execution
*   Vulnerability Spotlight: WellinTech ICS platform vulnerable to information disclosure, buffer overflow vulnerabilities
*   Talos Takes Ep. #131: Why does the Prometei botnet keep growing?

**Upcoming events where you can find Talos**

**RSA** **(April 24 - 27)**

San Francisco, CA

**Cisco Live U.S.** **(June 4 - 8)**

Las Vegas, NV

**Most prevalent malware files from Talos telemetry over the past week**

  
**SHA 256:** 00ab15b194cc1fc8e48e849ca9717c0700ef7ce2265511276f7015d7037d8725  
**MD5:** d47fa115154927113b05bd3c8a308201  
**Typical Filename:** mssqlsrv.exe  
**Claimed Product:** N/A  
**Detection Name:** Trojan.GenericKD.65065311

**SHA 256:** e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934  
**MD5:** 93fefc3e88ffb78abb36365fa5cf857c  
**Typical Filename:** Wextract  
**Claimed Product:** Internet Explorer  
**Detection Name:** PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg

**SHA 256:** de3908adc431d1e66656199063acbb83f2b2bfc4d21f02076fe381bb97afc423  
**MD5:** 954a5fc664c23a7a97e09850accdfe8e  
**Typical Filename:** teams15.exe  
**Claimed Product:** teams15  
**Detection Name:** Gen:Variant.MSILHeracles.59885

**SHA 256:** 280c8c4f08700f0fea08f0e3ca6e96eadccf49c414c56b6a855c945769678e66  
**MD5:** cd1f364e46c6367dd96f8469eb226981  
**Typical Filename:** cd1f364e46c6367dd96f8469eb226981.scr  
**Claimed Product:** N/A  
**Detection Name:** Win.Dropper.Upatre::dk

**SHA 256:** 5616b94f1a40b49096e2f8f78d646891b45c649473a5b67b8beddac46ad398e1  
**MD5:** 3e10a74a7613d1cae4b9749d7ec93515  
**Typical Filename:** IMG001.exe  
**Claimed Product:** N/A  
**Detection Name:** Win.Dropper.Coinminer::1201

Threat Source newsletter (March 23, 2023) — Meta is threatening to ban news sharing in Canada. Good.

In the months leading up to Russia’s invasion of Ukraine, Cisco and Talos did everything we could to support our friends, partners and colleagues, who were facing a reality unlike anything that can be found in any technical training manual, SOP or SLA.

Thursday, March 23, 2023 08:03

As we spoke about in the new ThreatWise TV documentary, “People Matter: A look back on how Cisco Talos has been supporting Ukraine,” war isn’t something that often appears in an organization’s business continuity or disaster recovery plans.

In the months leading up to Russia’s invasion of Ukraine, Cisco and Talos did everything we could to support our friends, partners and colleagues, who were facing a reality unlike anything that can be found in any technical training manual, SOP or SLA.

Once the invasion began, there was an influx of people across Cisco and Talos who wanted to help. That led to the development of an internal Ukraine task unit, which has become a prototype for how we can respond to future global events that are likely to have significant, ongoing cyber implications.

We also deployed and managed Cisco Secure products within a variety of Ukrainian organizations, and refocused parts of our workforce to monitor and detect threats against critical infrastructure. Much of this work continues today as part of an ongoing, comprehensive wartime effort to protect the people of Ukraine and enhance the resilience of Ukrainian organizations.

Many people have asked about our task unit, and what we do on a day-to-day basis to help organizations in Ukraine detect and respond to attacks against their critical infrastructure.

As you can probably imagine, there isn’t a typical day.

One of the key outcomes of the task unit, which has been wonderful to witness, is that people without a technical threat hunting background can add a great deal to our efforts. The power in diversity of thought and experience is explicit in our efforts to support Ukraine.

We decided to encapsulate this difficult, but important, work in the form of a graphic novel, which explores some of the themes we touched on in the documentary. Read it below or click here.

**Further resources**

*   Learn about the trends and threats Cisco Talos observed from monitoring Ukraine critical infrastructure.
*   For the latest on the cybersecurity situation in Ukraine, visit the Talos hub page.

Fighting the Good Fight: Life inside the Talos Ukraine Task Unit

As of April 20, 2023, we are decommissioning SenderBase.org and any attempts to visit that web page will fail.

Thursday, March 23, 2023 07:03

As of April 20, 2023, we are decommissioning SenderBase.org and any attempts to visit that web page will fail.

Talos Intelligence’s website (TalosIntelligence.com) has served as the replacement for SenderBase.org for many years, with TalosIntelligence.com providing the same information as SenderBase.org once did. Since that time, visitors to SenderBase.org have been automatically redirected to TalosIntelligence.com, and the redirect from SenderBase.org is finally being removed on \[date\]. After that, attempts to visit SenderBase.org will fail.

Any users still utilizing bookmarks or links pointing to Senderbase.org should update these to ensure they still work appropriately.

Thank you for assisting us in this process.