Don't expect AI to suddenly start stealing jobs or making malware more powerful.

Thursday, March 9, 2023 14:03

Welcome to this week’s edition of the Threat Source newsletter.

There is no shortage of hyperbolic headlines about ChatGPT out there, everything from how it and other AI tools like it are here to replace all our jobs, make college essays a thing of the past and change the face of cybersecurity as we know it.

It’s the talk of SEO managers everywhere who can’t wait to find a way to work “ChatGPT” into a headline. And in the security community, everyone is concerned that AI models will help attackers get smarter, faster or more dangerous.

The biggest issue I’m seeing with that is these tools aren’t that smart.

Other writers have done a far more eloquent and interesting job than I can in a few dozen words here about how bad these models are at writing creatively or interpreting human emotion, but I wanted to put my own spin on things with my incredibly niche interests and use case for ChatGPT.

First, I asked it to help me write this newsletter. While it politely declined to do the whole thing for me because it can’t produce something on Talos’ behalf, it did start to compile a list of “the top stories we’re following this week.”

These headlines included an update on the Cring malware that seems to be referencing a campaign from November 2021, a 16-month-old CVE from Microsoft and a story about money laundering in “Fortnite” that broke in January 2019.

Then I decided to ask it about wrestling, mainly because I was fresh off watching AEW: Revolution this weekend, about who will eventually beat Maxwell Jacob Friedman for the company’s title. The information it provided was shockingly lackluster considering a quick Google provided more accurate details.

One of the examples it floated was that Bryan Danielson could eventually dethrone MJF, and that “if” they two were to face, it’d be a “must see” match. Problem is, the two did literally face off Sunday night and Danielson lost. Another option, CM Punk, would create a “huge moment” for the company if he won the AEW titles, something he’s already done twice (he also may never appear on TV again, but that’s a long story for not this newsletter).

These are two incredibly specific examples, but I felt like it was cathartic for me to see this in action so I didn’t have to lose any sleep over thinking ChatGPT or another AI was going to take my job from me next week, or my wrestling fandom for that matter.

**The one big thing**

U.S. President Joe Biden’s administration released its new National Cybersecurity Strategy on March 2, outlining steps the federal government plans to take to combat cyber criminals, defend critical infrastructure and enforce security regulations in oft-targeted industries. The administration said it will pursue laws to hold software companies liable if they sell technology that lacks proper cybersecurity protections, and use "national powers” to disrupt state-sponsored actors.

**Why do I care?**

This is the first new cybersecurity policy from the U.S. government in five years, outlining how the next few years of cybersecurity policy may look and what other goals would look like in a hypothetical second term for Biden. If the desired laws eventually pass and are enforced, they would represent a major shift in the way we view digital service providers and reframes how government and private entities should look at cybersecurity.

**So now what?**

The strategy doesn’t mean much for the average user right now, but it does mean there will be heavy debates in the near future about regulating the software-as-a-service industry and the monetary investment needed to address many of the issues the Biden administration outlined.

**Top security headlines of the week**

Meta, Google and other social media sites are **sharing user data and chat logs to prosecute individuals in states where abortion is illegal.** Since the Supreme Court overturned U.S. national abortion law last year, there have been several cases where prosecutors have relied on data collected by online pharmacies, social media posts, and user data requests to charge women who were seeking an abortion. Online pharmacies that sell abortion medication share sensitive information with Google and other third-party sites, including users' web addresses, relative location and search data, which the third parties may eventually be asked to turn over to law enforcement. The large companies who manage this data rarely turn down law enforcement requests for data. (Insider, Mashable)

After the one-year anniversary of Russia’s invasion of Ukraine, experts are looking at how **this has become one of the world’s first hybrid wars**, including Russia’s many cyber weapons its deployed against Ukraine over the past year. Other countries who feel they may be vulnerable to large-scale cyber attacks from nation-states (such as Taiwan against China) can learn quite a bit from how Ukraine has responded so far to Russian attacks. A new deep-dive report also outlines how crucial a cyber attack against the Viasat satellite network helped Russia prepare for its ground invasion just a few days prior. (NPR, Bloomberg)

Password management company **LastPass said attackers accessed a decrypted vault available to only a handful of company developers by hacking an employee’s home computer** in August. The new details add on to a data breach the company first disclosed several months ago. LastPass said an unknown threat actor stole valid login credentials from a senior DevOps engineer and accessed the contents of a LastPass data vault. That vault contained access to a shared cloud storage environment that included encryption keys for customers’ vault backups stored on Amazon S3 buckets. The attackers reportedly exploited a flaw in Plex, a media-sharing software, to access the user’s home device in the first place. Plex disclosed its own data breach in late August. (Ars Technica, Wired)

**Can’t get enough Talos?**

*   Threat Roundup for Feb. 24 - March 3

*   Talos Takes Ep. #129: The benefits of taking an active approach to threat defense
*   The role of cyber weapons in Russia's war on Ukraine

**Upcoming events where you can find Talos**

**WiCyS** **(March 16 - 18)**

Denver, CO

**RSA** **(April 24 - 27)**

San Francisco, CA

**Most prevalent malware files from Talos telemetry over the past week**

  
**SHA 256:** e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934  
**MD5:** 93fefc3e88ffb78abb36365fa5cf857c  
**Typical Filename:** Wextract  
**Claimed Product:** Internet Explorer  
**Detection Name:** PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg

**SHA 256:** 00ab15b194cc1fc8e48e849ca9717c0700ef7ce2265511276f7015d7037d8725  
**MD5:** d47fa115154927113b05bd3c8a308201  
**Typical Filename:** mssqlsrv.exe  
**Claimed Product:** N/A  
**Detection Name:** Trojan.GenericKD.65065311

**SHA 256:** de3908adc431d1e66656199063acbb83f2b2bfc4d21f02076fe381bb97afc423  
**MD5:** 954a5fc664c23a7a97e09850accdfe8e  
**Typical Filename:** teams15.exe  
**Claimed Product:** teams15  
**Detection Name:** Gen:Variant.MSILHeracles.59885

**SHA 256:** 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
**MD5:** 2915b3f8b703eb744fc54c81f4a9c67f  
**Typical Filename:** VID001.exe  
**Claimed Product:** N/A  
**Detection Name:** Win.Worm.Coinminer::1201

**SHA 256:** e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c  
**MD5:** a087b2e6ec57b08c0d0750c60f96a74c  
**Typical Filename:** AAct.exe  
**Claimed Product:** N/A  
**Detection Name:** PUA.Win.Tool.Kmsauto::1201

Threat Source newsletter (March 9, 2023) — Stop freaking out about ChatGPT

Prometei botnet continued its activity since Cisco Talos first reported about it in 2020.  Since November 2022, we have observed Prometei improving the infrastructure components and capabilities.

Prometei botnet improves modules and exhibits new capabilities in recent updates

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Feb. 24 and March 3. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key

Threat Roundup (Feb. 24 - March 3)

Serious sanctions and legal consequences may be slowing ransomware groups down, but it's still unclear if this is a permanent shift.

Thursday, March 2, 2023 14:03

Welcome to this week’s edition of the Threat Source newsletter.

For years, we as a cybersecurity community have been discussing ways we can fight the global ransomware problem. This included things like pushing for more sanctions against international ransomware groups, new laws from federal governments and decreased access to virtual currency often used by actors to stay undetected.

Now, here’s the crazy thing: It might be working.

As Talos discussed in our Year in Review report, ransomware engagements made up a smaller portion of Cisco Talos Incident Response’s engagements in 2022 compared to the previous year, and there’s been a greater democratization of ransomware families, meaning they’re less siloed and more focused into a few larger groups.

A study from blockchain analysis group Chainanalysis also found that ransomware groups extorted about $456.8 million from victims in 2022, a roughly 40 percent decrease from 2021 and 2020. The Wall Street Journal also recently reported that the U.S. government finally feels it's on the offensive when it comes to ransomware.

U.S. Deputy Attorney General Lisa Monaco told the paper that recent ransomware trends reflect "the pivot that we have made to a posture where we’re on our front foot. We’re focusing on making sure we’re doing everything to prevent the attacks in the first place.”

Yes, there are still major ransomware attacks happening (take the recent Dole cyber attack that halted production briefly for the food giant). But I feel like it’s not being talked about enough that defenders may be actually making some headway here thanks to private companies (like Talos) and global governments working together.

It seems to be a confluence of several things and not just one magic solution. Governments are taking more frequent and serious action to sanction ransomware actors and the individuals behind them, such as the recent penalties against Trickbot members. And some actors are even being arrested and being served criminal charges and jail time.

With improved backups, many ransomware targets are also bouncing back better than ever before and can hopefully avoid paying the requested ransom to their attackers. And asset seizures and freezes have even forced some ransomware groups to lay off people.

2022 could be an aberration. As we also pointed out in our Year in Review, there was a brief pause in ransomware activity at the onset of Russia’s invasion of Ukraine. It could also just be that the defenders got lucky.

This isn’t the time to take our foot off the gas and start turning our attention toward things like AI chatbots — ransomware continues to be a major threat to everyone, including some of society’s most important institutions like hospitals and schools. But I do think it’s important to step back every once in a while to enjoy the victories.

**The one big thing**

The U.S. Cybersecurity and Infrastructure Security Agency is warning that attackers are actively exploiting CVE-2022-36537, an unspecified vulnerability in ZK Framework AuUploader. This poses a significant threat to the software supply chain if any instances are still unpatched, and CISA warned the vulnerability “poses a significant risk to the federal enterprise.” Attackers are reportedly using the vulnerability to install backdoors on servers, specifically through ConnectWise's R1Soft Server Backup Manager, which utilizes the ZK Framework.

**Why do I care?**

ZK is an open-source Ajax Web app framework written in Java, allowing users to create GUIs for web applications without a deep knowledge of programming. Many open-source projects and software utilize the framework, so the impact of this vulnerability could be wide-reaching. Open-source reporting indicates that attackers could exploit the vulnerability in ConnectWise R1Soft to bypass authentication, upload a backdoor and gain the ability to execute remote code.

**So now what?**

Researchers first disclosed this vulnerability in October, so projects and products that utilize the framework have had plenty of time to patch. ConnectWise released its own patch on Oct. 28.

**Top security headlines of the week**

The Pentagon is investigating a potential yearslong email leak from the U.S. military’s Special Operations Command. A security researcher discovered that anyone who knew the IP address of the server could access the data without a password. However, the server was secured once the researcher disclosed their findings. The emails leaked included information about U.S. military contracts and messages from Department of Defense employees asking to have various pieces of paperwork processed. SOCOM said there was no evidence that anyone hacked the organization’s network and this was merely an error. (CNN, Bloomberg)

A journalist accessed his own bank account using an AI-generated voice, bypassing the bank’s automated phone system. The reporter used a fake version of his voice using a readily available AI tool online and was able to read off a list of recent transactions and account balances. Real-world abuse of this system is likely rare at this point, but it showcases why banks and other services should drop voice identification as a login method. Users have already started using AI voice tools to make memes and fake videos of noted individuals saying outlandish things. (Vice)

Satellite TV provider Dish confirmed a ransomware attack was responsible for a multi-day outage and that attackers may have exfiltrated data from its systems. The company said in a filing to the U.S. Securities and Exchange Commission that the attackers obtained “certain data” from its IT systems, potentially including personal information, though it was unclear if that information belonged to Dish employees, customers or both. As of Wednesday morning, the attack was still affecting the company’s main website, its mobile apps and customer support systems, and Dish's Sling TV streaming service. (TechCrunch, Bleeping Computer)

**Can’t get enough Talos?**

*   Threat Roundup for Feb. 17 - 24
*   Vulnerability Spotlight: EIP Stack Group OpENer open to two remote code execution vulnerabilities
*   Evaluating the Cyberwar Set Off by Russian Invasion of Ukraine
*   SBOM is a 'massive galaxy of mess' for supply chain security

**Upcoming events where you can find Talos**

**WiCyS** **(March 16 - 18)**

Denver, CO

**RSA** **(April 24 - 27)**

San Francisco, CA

**Most prevalent malware files from Talos telemetry over the past week**

  
**SHA 256:** 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
**MD5:** 2915b3f8b703eb744fc54c81f4a9c67f  
**Typical Filename:** VID001.exe  
**Claimed Product:** N/A  
**Detection Name:** Win.Worm.Coinminer::1201

**SHA 256:** 00ab15b194cc1fc8e48e849ca9717c0700ef7ce2265511276f7015d7037d8725  
**MD5:** d47fa115154927113b05bd3c8a308201  
**Typical Filename:** mssqlsrv.exe  
**Claimed Product:** N/A  
**Detection Name:** Trojan.GenericKD.65065311

**SHA 256:** e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934  
**MD5:** 93fefc3e88ffb78abb36365fa5cf857c  
**Typical Filename:** Wextract  
**Claimed Product:** Internet Explorer  
**Detection Name:** PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg

**SHA 256:** de3908adc431d1e66656199063acbb83f2b2bfc4d21f02076fe381bb97afc423  
**MD5:** 954a5fc664c23a7a97e09850accdfe8e  
**Typical Filename:** teams15.exe  
**Claimed Product:** teams15  
**Detection Name**: Gen:Variant.MSILHeracles.59885

**SHA 256:** e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c  
**MD5:** a087b2e6ec57b08c0d0750c60f96a74c  
**Typical Filename:** AAct.exe  
**Claimed Product:** N/A  
**Detection Name:** PUA.Win.Tool.Kmsauto::1201

Threat Source newsletter (March 2, 2023) — Little victories in the fight against ransomware

Today marks one year since Russia invaded Ukraine.  While there is much we could say, we will simply reiterate our unwavering support of our colleagues, partners, and the people of Ukraine as they defend their country and our hope that peace and comfort come quickly to them.

Friday, February 24, 2023 08:02

Today marks one year since Russia invaded Ukraine.  While there is much we could say, we will simply reiterate our unwavering support of our colleagues, partners, and the people of Ukraine as they defend their country and our hope that peace and comfort come quickly to them. Everything we said one year ago remains true to this day.

You can find additional information on our work in Ukraine here.

Слава Україні!

P.S. ThreatwiseTV made a documentary on our experience this past year; launching March 9. You can view a brief clip below:

February 24th

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Feb. 17 and Feb. 24. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed...

Threat Round up for February 17 to February 24

App-based multi-factor authentication — which is still free on Twitter — is safer than SMS MFA. So in theory, forcing people to pay for it would make them less likely to use it and switch to the free option.

Thursday, February 23, 2023 14:02

Welcome to this week’s edition of the Threat Source newsletter.

Social media’s latest business plan seems to be charging for security.

Twitter recently announced a plan to make SMS-based two-factor authentication a paid service as part of Twitter Blue — asking users to pay either $8 or $11 monthly for the feature set. Meta, Facebook’s parent company, also announced a new pay-for-verification service on Facebook and Instagram that will allow users to pay up to $14 a month for “a verified badge that authenticates your account with government ID, proactive account protection, access to account support, and increased visibility and reach.”

The Twitter plan falls into a gray area for me. I’ve talked to experts who pointed out that app-based multi-factor authentication — which is still free on Twitter — is safer than SMS MFA. So in theory, forcing people to pay for it would make them less likely to use it and switch to the free option.

However, among all Twitter users who utilize MFA, more than 74 percent of them opt into SMS-based authentication. Based on the estimated number of Twitter users (more than 353 million) and the total amount of users who use any type of MFA (2.6 percent), that means about 6,845,841 accounts will be forced to pay to continue their use of SMS-based authentication or switch to an app-based method.

Many of these users may switch to Twitter Blue or find a new way to keep MFA on their accounts. Many of them will just drop the feature altogether. I would argue any good social media company needs to keep its users’ safety a priority no matter what.

Things like making sure you can’t be impersonated on a site seem like it would be a basic expectation when you give up the amount of personal information you already must to sign up. And many consumers (especially someone who’d be considered the “Average Joe”) do not want to spend time downloading a new MFA app and completing the setup process.

Even the security savvy are growing tired of having to download multiple MFA apps for various uses, leaving password managers as the clearest path to a safe login (but those aren’t foolproof, either).

Meta and Twitter users who don’t want to pay for the additional protections have a few other options to improve their account’s security:

*   Purchase a physical security key that generates a unique code each time you go to log into your account.
*   Enroll in app-based multi-factor authentication (like Cisco Duo), which is still free to use on Twitter.
*   If you’re setting up an MFA app for the first time, follow the U.S. Cybersecurity and Infrastructure Security Agency’s guidelines for implementing phishing-resistant MFA.
*   If you opt to not enroll in any sort of MFA, use a password management program to generate a new, random password with a mix of characters and cases and store it securely using the program. But app-based MFA is always the safest option.

**The one big thing**

An unknown actor is deploying the new MortalKombat ransomware a GO variant of the Laplas Clipper malware, to steal cryptocurrency from victims. Talos researchers have seen several campaigns targeting individuals, small businesses and large organizations that aim to steal or demand ransom payments in cryptocurrency.

**Why do I care?**

MortalKombat (yes, a reference to that “Mortal Kombat”) is a new ransomware that just appeared in January, so we still know relatively little about this malware family, though new protections are now available from Talos. While cryptocurrency’s value is down across the board, that doesn’t mean attackers have stopped caring about it, and it’s still the safest way for attackers to make money without being tracked.

**So now what?**

Talos released several new Snort rules and ClamAV signatures to protect against the threats we outlined in last week’s blog post. Cisco Secure Endpoint users can also use Orbital Advanced Search to run complex OSqueries to see if their endpoints are infected with this specific threat.

**Top security headlines of the week**

**The Clop ransomware gang claims its recently breached more than 130 organizations**, many of them related to health care, with a large chunk affecting CHS Healthcare patients. CHS reported the breach to the U.S. Securities and Exchange Commission, saying that the attack targeted GoAnywhere MFT, a managed file transfer product. The filing stated the breach affected up to 1 million individuals. Members of Clop said it exploited the security flaw, CVE-2023-0669, which enables them to gain remote code execution on unpatched GoAnywhere MFT instances with their administrative console exposed to the internet. The breaches took place over the course of 10 days earlier this year. (Bleeping Computer, Ars Technica)

**The FBI said it recently “contained” a security incident** on its computer network, offering sparse details otherwise. “The FBI is aware of the incident and is working to gain additional information,” the bureau said in a statement to news network CNN. “This is an isolated incident that has been contained. As this is an ongoing investigation the FBI does not have further comment to provide at this time.” The report also indicates that the attack specifically targeted the portion of the FBI’s network it uses in investigations of images of child sexual exploitation. (CNN, InfoSecurity)

**Data brokers are increasingly relying on information from virtual therapy apps to profit from users’ information.** A new study from Duke University found that one firm even charged $100,000 a year for a "subscription" service to data that included information on individuals’ mental health conditions. This data included highly sensitive information, such as a person’s demographics, and what ailments they’ve reported, including depression, OCD, bipolar disorder and strokes. Virtual therapy apps have become increasingly popular among the American population, especially during the COVID-19 pandemic. They offer a cheaper and more accessible option to patients who often find it difficult to find therapy providers that accept insurance. (PBS, Washington Post, Duke University)

**Can’t get enough Talos?**

*   Crypto investors under attack by new malware, reveals Cisco Talos
*   Microsoft Patch Tuesday for February 2023 — Snort rules and prominent vulnerabilities
*   Beers with Talos Ep. #130: Ransomware is a people problem (but getting rid of email helps)

**Upcoming events where you can find Talos**

**WiCyS** **(March 16 - 18)**

Denver, CO

**RSA** **(April 24 - 27)**

San Francisco, CA

**Most prevalent malware files from Talos telemetry over the past week**

  
**SHA 256:** e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934  
**MD5:** 93fefc3e88ffb78abb36365fa5cf857c  
**Typical Filename:** Wextract  
**Claimed Product:** Internet Explorer  
**Detection Name:** PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg

**SHA 256:** e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c  
**MD5:** a087b2e6ec57b08c0d0750c60f96a74c  
**Typical Filename:** AAct.exe  
**Claimed Product:** N/A  
**Detection Name:** PUA.Win.Tool.Kmsauto::1201

**SHA 256:** 00ab15b194cc1fc8e48e849ca9717c0700ef7ce2265511276f7015d7037d8725  
**MD5:** d47fa115154927113b05bd3c8a308201  
**Typical Filename:** mssqlsrv.exe  
**Claimed Product:** N/A  
**Detection Name:** Trojan.GenericKD.65065311

**SHA 256:** de3908adc431d1e66656199063acbb83f2b2bfc4d21f02076fe381bb97afc423  
**MD5:** 954a5fc664c23a7a97e09850accdfe8e  
**Typical Filename:** teams15.exe  
**Claimed Product:** teams15  
**Detection Name:** Gen:Variant.MSILHeracles.59885

**SHA 256:** 59f1e69b68de4839c65b6e6d39ac7a272e2611ec1ed1bf73a4f455e2ca20eeaa  
**MD5:** df11b3105df8d7c70e7b501e210e3cc3  
**Typical Filename:** DOC001.exe  
**Claimed Product:** N/A  
**Detection Name:** Win.Worm.Coinminer::1201

Threat Source newsletter (Feb. 23, 2023) — Social media sites are making extra security a paid

Two of the vulnerabilities are considered to be considered of critical importance, with a CVSS score of a maximum 10 out of 10.

Thursday, February 23, 2023 09:02

_Jared Rittle of Cisco Talos discovered these vulnerabilities._

Cisco Talos recently discovered three vulnerabilities in EIP Stack Group OpENer, an ethernet/IP stack for I/O adapter devices, that could allow an attacker to cause a targeted server to crash or open the door to remote code execution.

Two of the vulnerabilities, TALOS-2022-1662 (CVE-2022-43605) and TALOS-2022-1661 (CVE-2022-43604) are considered to be considered of critical importance, with a CVSS score of a maximum 10 out of 10.

An adversary could exploit either of these vulnerabilities with an ethernet/IP request targeted at two functions on the software. These malicious requests could lead to an out-of-bounds write, potentially causing the server to crash or allowing the adversary to execute remote code on the targeted server.

TALOS-2022-1663 (CVE-2022-43606) is also caused by a specially crafted ethernet/IP request, but in this case, could lead to the use of a null pointer, potentially causing the server to crash.

Cisco Talos worked with EIP Stack Group to ensure that these issues are resolved and an update is available for affected customers, all in adherence to Cisco’s vulnerability disclosure policy.

Users are encouraged to update these affected products as soon as possible: EIP Stack Group OpENer, development commit 58ee13c. Talos tested and confirmed these versions of OpENer could be exploited by these vulnerabilities.

The following Snort rules will detect exploitation attempts against this vulnerability: 60983 – 60985. Additional rules may be released in the future and current rules are subject to change, pending additional vulnerability information. For the most current rule information, please refer to your Cisco Secure Firewall Management Center or Snort.org.

Vulnerability Spotlight: EIP Stack Group OpENer open to two remote code execution vulnerabilities

Talos is publishing a glimpse into the most prevalent threats we've observed between Feb. 10 and Feb. 17.

Threat Round up for February 10 to February 17

Jon is back from parental leave and recapping the top security stories from late 2022 and early 2023 that totally blew by him.

Thursday, February 16, 2023 14:02

Welcome to this week’s edition of the Threat Source newsletter.

I am back after more than three months away from Talos on parental leave. Having a baby really resets your expectations for “keeping up” with the world. From November through mid-January or so I had no idea what was going on with the outside world, I only cared about my daughter’s feeding schedule and tried to squeeze in 30-minute naps where I could.

I’ve slowly started to re-introduce myself to social media and the news world at large over the past few weeks so my return to work wasn’t so abrupt, and I missed quite a bit. There was a stretch there where I was only getting the latest headlines from Weekend Update on “Saturday Night Live.”

My teammates Madison Burns and Bill Largent did a fantastic job filling in for me on the newsletter while I was out, but I figured it was worth taking the time to recap some major stories it seemed like I missed since Nov. 1.

Maybe our readers were also distracted during this period, it was the holidays after all and it’s easy for stories to slip through the cracks while we all have so much going on. Here are a few major trends and storylines that stood out to me while I caught up on the top security stories of late 2022 and early 2023.

*   **The Russia-Ukraine war continues to evolve on all fronts**, and the cyber attacks certainly haven’t slowed. Ukraine reported several state-sponsored attacks in early 2023, including against the country's national news agency. The infamous WhisperGate malware came back, too, looking to wipe data and steal sensitive information from high-profile Ukrainian targets. And the Gamaredon APT continues to do its thing. Thankfully, defenders made some headway in combatting Russian state-sponsored groups, as I’ll cover below.
*   **The spyware industry** **boomed in 2022** and I suspect we’ll be hearing a lot about it going forward. This type of borderline-illegal software installed on users’ phones can track their every move and message and is often used to target high-profile users like politicians, activists and journalists. Spyware is proliferating all over the world and is now being used by many countries’ governments, including the U.S. But President Joe Biden’s administration has several moves in the works to try and combat foreign company’s spyware from making onto Americans’ phones.
*   **The Lapsus$ ransomware group is still one of the most prolific threat actors out there.** Cisco Talos researchers have extensively covered Lapsus$ throughout 2022, but it struck several times in late 2022 and early 2023, including threatening to leak “League of Legends’” source code and breaching authentication company Okta. That’s on top of other major attacks from earlier in ‘22 against T-Mobile, Uber and more.
*   AI is all over the place, from art, to voice acting and now full-on search engines. One of the most controversial tools, ChatGPT, has already entered the malware space. The chatbot, released in November, has already shown it can write "polymorphic" malware that can repeatedly mutate to avoid traditional detection methods. Scammers and threat actors are also using  ChatGPT to generate convincing spear-phishing emails quickly and impersonate people the targeted user may personally know.

**The one big thing**

This month’s Microsoft Patch Tuesday updates included three zero-day vulnerabilities that the company says are being actively used in attacks in the wild. CVE-2023-23376, CVE-2023-21715 and CVE-2023-21823 have all already been spotted in active attacks, according to Microsoft’s monthly patch release. In all, Microsoft disclosed 73 vulnerabilities. Of these vulnerabilities, eight are classified as “critical,” 64 are classified as “important” and one vulnerability is classified as “moderate.”

**Why do I care?**

The most severe of the issues disclosed Tuesday is CVE-2023-21823, a Windows graphics component remote code execution vulnerability. An attacker could exploit this vulnerability to gain System-level privileges. Outside of that, it’s always important to update all Microsoft products anyway after a Patch Tuesday.

**So now what?**

Users of any Microsoft products should apply these updates as soon as possible. Additionally, Talos released new Snort rules that detect attempts to exploit some of these vulnerabilities. Cisco Secure Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

**Top security headlines of the week**

Several Russian nationals are facing new sanctions and have been unmasked as members of the Trickbot and Conti ransomware gangs. The actors are involved in various activities with these groups, ranging from developing ransomware code, to money laundering and managing command and control servers. The U.S. and U.K. governments also made a renewed push to unmask and name many of these actors, removing their anonymity and making it more difficult for them to operate in secrecy. Recent studies have shown that these types of sanctions are working to slow Russian state-sponsored ransomware attacks. (Wired, CPO Magazine)

While much of the headlines recently have centered around the infamous Chinese spy balloon and other unknown objects the U.S. military keeps shooting out of the sky, global government officials are warning that China’s cyber attack capabilities are still the most pressing threat. Taiwan’s government has already been the target of several high-profile defacement attacks in recent years, and the country recently established an entirely new government bureau to bolster its cyber security capabilities. The FBI’s Director is also offering new services and olive branches to private security companies who are looking to combat China’s growing surveillance and cyber capabilities. (Bloomberg, Wall Street Journal)

Social media site Reddit says it was the recent target of a “sophisticated and highly targeted phishing attack.” The adversaries gained access to “documents, code and some internal business systems,” though the company said no usernames or passwords are affected. Attackers duped a Reddit employee into approving a multi-factor authentication push notification, though the employee acted quickly and notified Reddit’s security team immediately upon realizing their mistake. (Dark Reading, Reddit)

**Can’t get enough Talos?**

*   New MortalKombat ransomware and Laplas Clipper malware threats deployed in financially motivated campaign
*   Talos Takes Ep. #128: Year in Review — Ransomware and Commodity Loaders
*   Cisco Live EMEA 2023 — Simplicity, Security And Sustainability
*   MortalKombat ransomware found punching targets in US, UK, Turkey, Philippines
*   Financially Motivated Threat Actor Strikes with New Ransomware and Clipper Malware

**Upcoming events where you can find Talos**

**WiCyS (March 16 - 18)**

Denver, CO

**RSA (April 24 - 27)**

San Francisco, CA

**Most prevalent malware files from Talos telemetry over the past week**

  
**SHA 256:** e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934  
**MD5:** 93fefc3e88ffb78abb36365fa5cf857c  
**Typical Filename:** Wextract  
**Claimed Product:** Internet Explorer  
**Detection Name:** PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg

**SHA 256:** e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c  
**MD5:** a087b2e6ec57b08c0d0750c60f96a74c  
**Typical Filename:** AAct.exe  
**Claimed Product:** N/A  
**Detection Name:** PUA.Win.Tool.Kmsauto::1201

**SHA 256:** 59f1e69b68de4839c65b6e6d39ac7a272e2611ec1ed1bf73a4f455e2ca20eeaa  
**MD5:** df11b3105df8d7c70e7b501e210e3cc3  
**Typical Filename:** DOC001.exe  
**Claimed Product:** N/A  
**Detection Name:** Win.Worm.Coinminer::1201

**SHA 256:** 36efad0617db0d45de00cc4f3cf49af7c2d6b5b15ca456d13703b5d366c58431  
**MD5:** 147c7241371d840787f388e202f4fdc1  
**Typical Filename:** EKSPLORASI.EXE  
**Claimed Product:** N/A  
**Detection Name:** Win32.Generic.497796

**SHA 256:** 125e12c8045689bb2a5dcad6fa2644847156dec8b533ee8a3653b432f8fd5645  
**MD5:** 2c8ea737a232fd03ab80db672d50a17a  
**Typical Filename:** LwssPlayer.scr  
**Claimed Product:** 梦想之巅幻灯播放器  
**Detection Name:** Auto.125E12.241442.in02