We're back with another year in review focused episode. This time I'm be joined by threat researcher Caitlin Huey. We discuss the general threat landscape in 2022 including dual use tools, lolbins, and the surprising re-emergence of USB attacks in 2022.

Friday, January 27, 2023 16:01

We're back with another year in review focused episode. This time the focus will be the threat landscape generally and I'll be joined by threat researcher Caitlin Huey. In this episode we'll discuss what we found in the last year, with a focus on the general threat landscape.  We'll spend time discussing dual use tools, lolbins, and the surprising re-emergence of USB attacks in 2022.

All episdoes are available on the Talos Takes podcast page and most major podcasting outlets.

Visit the Year in Review page for the full report, with topic summary reports, livestreams, podcasts, and other content starting December 14th.  New content will be added with each topic summary release through February.  You can access the full 2022 Cisco Talos Year in Review report directly here:

Talos Takes 126: Year in Review - Threat Landscape Edition

Did you miss our livestream covering the threat landscape section in the Cisco Talos Year in Review report? Join host Hazel Burton and special guests Caitlin Huey, Nick Biasini, and Tucker Favreau as they discuss Talos' findings and experiences monitoring the threat landscape in 2022.

Friday, January 27, 2023 12:01

Did you miss our livestream covering the threat landscape section in the Cisco Talos Year in Review report? Join host Hazel Burton and special guests Caitlin Huey, Nick Biasini, and Tucker Favreau as they discuss Talos' findings and experiences monitoring the threat landscape in 2022.  

Visit the Year in Review page for the full report, each topic summary report, livestreams, and podcasts.  New content will be added with each topic summary release through February 2023.  You can access the full 2022 Cisco Talos Year in Review report directly here:

2022 Year in Review: Threat Landscape Livestream Replay

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Jan. 20 and Jan. 27. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key

Threat Round up for January 20 to January 27

Knowing what Talos IR is responding to this quarter gives you a direct view into what needs to be most secured and most analyzed to ensure your own environment remains secure.

Thursday, January 26, 2023 18:01

Welcome to this week’s edition of the Threat Source newsletter.

What’s old is new again and what's old is still old. The fact that we are seeing a comeback of this USB thumb drive nonsense is giving me heartburn, and a headache, and my left eye is twitching …  and maybe numbness in my legs? Yes, I am getting old but I’m also just tired - not from age but from the unrelenting cycle of what’s old is new again. All simply because we can’t seem to learn from our own past. Please don’t put a random USB into any of your devices and for the last time GET OFF MY LAWN.

**The one big thing**

Cisco Talos IR posted their Incident Response Trends in Q4 2022. Ransomware continued to be a top threat Talos IR responded to this quarter, with appearances from both previously seen and newly observed ransomware families. However, Talos IR also observed a significant number of cases in which post-exploitation activities occurred where the actor’s motivation could not be determined. For example, phishing campaigns, our top initial-access vector this quarter, were equally as common and featured a variety of post-exploitation activities, including command execution to perform credential harvesting, red-teaming framework deployment and remote access tooling installation.

**Why do I care?**

Knowing what Talos IR is responding to this quarter gives you a direct view into what needs to be most secured and most analyzed to ensure your own environment remains secure.

**So now what?**

In all of Talos IR’s ransomware engagements that closed out this quarter, PsExec was used to facilitate lateral movement or execute the final ransomware executable. Talos IR recommends that organizations disable PsExec, as well as access to administrative shares, to limit lateral movement. Additionally, organizations should consider use of Microsoft AppLocker to block tools and files that have been consistently leveraged by adversaries. This helps to create another layer of enforcement for any known malicious or often-misused files.

**Top security headlines of the week**

CISA and the NSA released a joint advisory on January 25th detailing the use of legitimate remote monitoring and management software (RMM) for nefarious purposes. The joint advisory detailed attacks and warned the cybersecurity community about the malicious use of commercial RMM software, offering mitigations and indicators of compromise to watch out for.

Initial Access Broker market is booming, posing growing threat to enterprises. Research shows a sharp year-over-year growth in the number of IABs operating in underground forums and markets. For ransomware operators and other cybercriminals that are looking for quick access to enterprise networks, these brokers are the answer. (Dark Reading and GroupIB)

**Can’t get enough Talos?**

*   https://blog.talosintelligence.com/quarterly-report-incident-response-trends-in-q4-2022/
*   https://blog.talosintelligence.com/threat-landscape-topic-summary-report-cisco-talos-year-in-review-2022/
*   https://talosintelligence.com/podcasts/shows/beers\_with\_talos
*   https://talostakes.talosintelligence.com/2018149/12016411-year-in-review-apt-summary-edition

**Upcoming events where you can find Talos**

CactusCon (Jan 27-28)  
Mesa, AZ

Cisco Live Amsterdam (Feb 6-10)  
Amsterdam, Netherlands

**Most prevalent malware files from Talos telemetry over the past week**

SHA 256:  
9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
MD5: 2915b3f8b703eb744fc54c81f4a9c67f  
Typical Filename: VID001.exe  
Detection Name: Simple\_Custom\_Detection

SHA256:  
e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934  
MD5: 93fefc3e88ffb78abb36365fa5cf857c  
Typical Filename: Wextract  
Claimed Product: Internet Explorer  
Detection Name: PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg

SHA 256:  
125e12c8045689bb2a5dcad6fa2644847156dec8b533ee8a3653b432f8fd5645  
MD5: 2c8ea737a232fd03ab80db672d50a17a  
Typical Filename: LwssPlayer.scr  
Claimed Product: 梦想之巅幻灯播放器  
Detection Name: Auto.125E12.241442.in02

SHA 256:  
1077bff9128cc44f98379e81bd1641e5fbaa81fc9f095b89c10e4d1d2c89274d  
MD5: 26f927fb7560c11e509f0b8a7e787f79  
Typical Filename: Iris QuickLinks.exe  
Claimed Product: N/A  
Detection Name: W32.File.MalParent

What Old is New Again and What's Old is Me?

Francesco Benvenuto of Cisco Talos discovered these vulnerabilities.
Cisco Talos recently discovered several vulnerabilities in the Siretta Quartz-Gold router. Talos also discovered vulnerabilities in FreshTomato while investigating the Siretta router.
The Siretta Quartz-Gold is an industrial cellular router with several features and services, such as: SSH, UPNP, VPN, SNMP and

Thursday, January 26, 2023 16:01

_Francesco Benvenuto of Cisco Talos discovered these vulnerabilities._

Cisco Talos recently discovered several vulnerabilities in the Siretta Quartz-Gold router. Talos also discovered vulnerabilities in FreshTomato while investigating the Siretta router.

The Siretta Quartz-Gold is an industrial cellular router with several features and services, such as: SSH, UPNP, VPN, SNMP and many others. FreshTomato is an open source firmware based on Linux. The firmware offers several features for Broadcom-based routers.

**Quartz-Gold Vulnerabilities**

Several OS command injection vulnerabilities were found which could lead to arbitrary command execution, making them all high risk. TALOS-2022-1607 (CVE-2022-40969) and TALOS-2022-1612 (CVE-2022-40220) can be triggered with HTTP requests, while TALOS-2022-1615 (CVE-2022-38066), TALOS-2022-1638 (CVE-2022-40222) and TALOS-2022-1640 (CVE-2022-42490-CVE-2022-42493) can each be triggered with a network request.

Three directory traversals were recorded in QUARTZ-GOLD, TALOS-2022-1606 (CVE-2022-40701) and TALOS-2022-1637 (CVE-2022-41154), which can lead to arbitrary file deletion. Advisory 1637 has a higher CVSS risk rating and can be triggered by a network request. TALOS-2022-1609 (CVE-2022-38088) can lead to arbitrary file read.

Three stack-based buffer overflows were found: TALOS-2022-1605 (CVE-2022-36279) and TALOS-2022-1608 (CVE-2022-38459) can lead to remote code execution, triggered by an HTTP request. TALOS-2022-1613 (CVE-2022-40985-CVE-2022-41030) can lead to arbitrary command execution and is triggered by a sequence of requests.

A heap-based buffer overflow vulnerability was also reported in TALOS-2022-1639 (CVE-2022-41991), which can be triggered by a network request.

Two other vulnerabilities were discovered, including TALOS-2022-1610 (CVE-2022-38715), a leftover debug code that can lead to remote code execution, and TALOS-2022-1611 (CVE-2022-39045), a file write vulnerability that can lead to arbitrary file upload. Both can be triggered by HTTP requests.

**FreshTomato Vulnerabilities**

In FreshTomato, there is TALOS-2022-1641 (CVE-2022-42484), an OS command injection vulnerability and a directory traversal vulnerability, TALOS-2022-1642 (CVE-2022-38451). An attacker can send an HTTP request to trigger these vulnerabilities.

Cisco Talos worked with Siretta and FreshTomato to ensure that these issues were resolved and an update is available for affected customers, all in adherence to Cisco’s vulnerability disclosure policy.

Users are encouraged to update these affected products as soon as possible: Siretta QUARTZ-GOLD G5.0.1.5-210720-141020, FreshTomato 2022.5, Siretta QUARTZ-GOLD G5.0.1.5-210720-141020, AdvancedTomato commit 67273b0. Talos tested and confirmed these versions of Siretta and FreshTomato could be exploited by these vulnerabilities.

The following Snort rules will detect exploitation attempts against this vulnerability: 60649-60652, 60656-0664, 60667, 60692, 60721-60724, 60761-60763, 60771-60775, 60846-60847, 60914. Additional rules may be released in the future and current rules are subject to change, pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.

Vulnerability Spotlight: OS command injection, directory traversal and other vulnerabilities found in Siretta Quartz-Gold and FreshTomato

Syncro, a remote management and monitoring tool, emerges as an increasingly common tool for adversaries.
By Caitlin Huey.
Ransomware continued to be a top threat Cisco Talos Incident Response (Talos IR) responded to this quarter, with appearances from both previously seen and newly observed ransomware families. However, IR also observed

Thursday, January 26, 2023 04:01

Syncro, a remote management and monitoring tool, emerges as an increasingly common tool for adversaries.

_By_ _Caitlin Huey__._

Ransomware continued to be a top threat Cisco Talos Incident Response (Talos IR) responded to this quarter, with appearances from both previously seen and newly observed ransomware families. However, IR also observed a significant number of cases in which post-exploitation activities occurred where the actor’s motivation could not be determined. For example, phishing campaigns, our top initial-access vector this quarter, were equally as common and featured a variety of post-exploitation activities, including command execution to perform credential harvesting, red-teaming framework deployment and remote access tooling installation.

This quarter also featured several engagements where adversaries leveraged Syncro, a legitimate and full-featured remote access platform. Syncro was among many other remote access and management tools, including AnyDesk and SplashTop, that adversaries leveraged to establish and maintain remote access to compromised hosts. The use of Syncro to support a number of operations is consistent with a key finding from the Talos’ 2022 Year in Review, which reported that adversaries are increasingly relying on dual-use tools to stay undetected in victim environments.

**Targeting**

The telecommunications sector was the most targeted this quarter, closely followed by the education and manufacturing sectors, respectively. Telecommunications was a consistently top-targeted vertical in Talos IR engagements in 2022, apart from Q3, in which organizations in the education sector were most targeted.

**Ransomware**

Talos IR observed the BlackCat (ALPHV) ransomware, a ransomware family consistently seen in incidents throughout 2022, in a few engagements this quarter. This quarter also featured Royal ransomware, which had not previously been observed in Talos IR engagements. First emerging in early 2022 as a suspected Conti rebrand, Royal has been increasingly observed in attacks since September, according to public reporting.

This quarter Talos IR responded to an incident involving Royal ransomware. The group did not start posting victim data, which has been used as a means of extortion for over 50 companies globally spanning multiple business verticals, to their Tor leaks site until September 2022. In one Royal ransomware incident, Talos IR identified the affiliate(s) using red team frameworks such as Cobalt Strike and Mimikatz, and by performing mass uninstallation of security software across the environment. Talos IR also observed both the legitimate utility PsExec executing a shell on a remote share on one host, as well as AnyDesk service’s creation for persistence. The actor also used batch script files for persistence to perform various actions such as adding admin accounts using the “net user /add” command, executing commands to boot in Safe Mode and modifying the registry.

The emergence of Royal ransomware, as a suspected rebrand of Conti, which shut down its operations in June 2022, highlights the resilience of ransomware actors following the shut down and/or rebrand of high-profile groups. Royal’s appearance in an engagement this quarter coincided with increased public reporting on a malware downloader, dubbed BatLoader, which has delivered Cobalt Strike Beacon implants that distributed Royal ransomware. Researchers identified several attributes within the BatLoader attack chain that are similar to activity linked to Conti. The overlaps between the two include shared indicators of compromise (IOCs) and tactics, techniques and procedures (TTPs) such as the use of the Atera agent for remote access, as well as an IP address used by Conti affiliates in a campaign leveraging Log4j. While the exact relationship between Conti and BatLoader is still unknown, this nexus may suggest BatLoader’s potential for adoption by multiple ransomware operators/affiliates. Additionally, BatLoader’s incorporation of Royal as a primary ransomware payload likely indicates Royal rising in prominence as operators look to incorporate new threats and techniques to carry out financially motivated operations that will help them remain effective.

**Adversaries increasingly relying on Syncro**

Talos IR observed the Syncro remote management and monitoring (RMM) tool used in nearly 30 percent of engagements, a significant increase compared to previous quarters. Syncro is a commercially available RMM solution that advertises remote desktop access, remote registry editor, remote event viewer and more. Talos IR observed Syncro used as part of attack chains supporting multiple threats this quarter, including BatLoader. Syncro was also distributed in phishing campaigns to gain access to newly-compromised accounts. While the reason for Syncro’s increased usage is unknown, its use as a full-featured remote access platform for managed service providers (MSPs) and its ubiquity across enterprise environments likely makes it an attractive option.

First discovered in February 2022, BatLoader uses legitimate tools, like Syncro and the Atera remote access software, to maintain access to infected systems. Since October 2022, Talos has observed a general uptick in our endpoint telemetry and Talos IR investigations associated with BatLoader, which deploys a variety of secondary malware payloads including the Vidar information stealer and the commodity loader Ursnif/Gozi. In one BatLoader engagement, the initial access vector relied on phishing and/or search engine optimization (SEO) poisoning to lure users to download the malware from attacker-created websites. This is consistent with public reporting on typical BatLoader infections. After initial access was established, the BatLoader infection chain leveraged multiple PowerShell and batch scripts to download tools and components needed for subsequent stages of the attack.

In another incident, Talos IR identified legitimate accounts sending phishing emails with email subjects that translated from Arabic to “Staff Promotion.” The emails contained OneDrive and OneHub phishing links with a compressed Microsoft Windows Installer (MSI) file that would install Syncro. The adversary attempted to use Syncro to stay connected to the targeted user’s workstation. During analysis of the MSI file, multiple Syncro services were installed, including SyncroRecovery (SyncroLive) and SyncroOvermind. The adversary’s tactics appeared to focus on maintaining initial access through installation of Syncro. The lack of two-factor authentication (2FA) for email access allowed the adversary to perform phishing attacks, highlighting the need to ensure multi-factor authentication (MFA) across all critical assets.

Talos IR also observed Syncro installed as part of post-compromise behavior after successful phishing attacks established initial access. In a Qakbot engagement, a phishing email contained a malicious password-protected ZIP file that, when opened, contained an ISO file detected as Qakbot. The adversary was able to crack a weak password for a service account, then used the compromised account to deploy installers for remote access tools Syncro and SplashTop. Active Directory (AD) mapping tools such as ADFind and SharpHound were also identified when a compromised host attempted to access “SharpHound.exe” in the Downloads folder. Shortly after, the adversary created a new folder for the purpose of placing and staging additional tooling.

**Initial vectors**

This quarter, nearly 40 percent of engagements featured phishing emails used as a means to establish initial access, followed by user execution of a malicious document or link. In many engagements, valid accounts and/or accounts with weak passwords also helped facilitate initial access whereby the adversary leveraged compromised credentials. It is important to note that for the majority of incidents, Talos IR could not reasonably determine the initial vector because of logging deficiencies or a lack of visibility into the affected environment.

Talos IR continues to observe threats consistently seen across quarters, including attempts to take advantage of weaknesses or vulnerabilities in public-facing applications. In one engagement, the adversary entered the environment through an exposed Microsoft Remote Desktop Services (RDS) web application. After gaining access, the adversary took over service accounts via a successful Kerberoasting attack. Talos IR identified several script files that contained credentials for various user accounts, many of which had been hard-coded into the scripts themselves. ZIP files were also created shortly after the scripts, suggesting possible data staging activity. Talos IR believes the adversary was able to enter the environment using stolen credentials obtained through a previous phishing campaign against a user account, highlighting the need for user training and password reset policies, especially following suspected phishing attacks.

**Security weaknesses**

Lack of MFA remains one of the biggest impediments for enterprise security. Nearly 30 percent of engagements either had no MFA or only had it enabled on a handful of accounts and critical services. Talos IR frequently observes ransomware and phishing incidents that could have been prevented if MFA had been properly enabled on critical services, such as endpoint detection response (EDR) solutions or VPNs. To help minimize initial access vectors, Talos IR recommends disabling VPN access for all accounts that are not using two-factor authentication.

In all of the ransomware engagements that closed out this quarter, PsExec was used to facilitate lateral movement or execute the final ransomware executable. Talos IR recommends that organizations disable PsExec, as well as access to administrative shares, to limit lateral movement. Additionally, organizations should consider use of Microsoft AppLocker to block tools and files that have been consistently leveraged by adversaries. This helps to create another layer of enforcement for any known malicious or often-misused files.

**Top-observed MITRE ATT&CK techniques**

The table below represents the MITRE ATT&CK techniques observed in this quarter’s Talos IR engagement. Given that some techniques can fall under multiple tactics, we grouped them under the most relevant tactic in which they were leveraged. Please note, this is not an exhaustive list.

Key findings from the MITRE ATT&CK appendix include:

*   Legitimate remote access and management software, such as AnyDesk and TeamViewer, were leveraged in over 35 percent of engagements this quarter.
*   In every ransomware engagement this quarter, PsExec was used to facilitate lateral movement or execute the ransomware executable.
*   Phishing emails with malicious links and/or attachments were the top initial access vector this quarter, seen in nearly 40 percent of engagements. User execution of a malicious file or link would subsequently lead to a variety of malicious threats, including execution of commodity malware such as Qakbot.

Tactic 

Technique 

Example 

Initial Access (TA0001) 

T1078 Valid Accounts  

Adversary leveraged stolen or compromised credentials  

Reconnaissance (TA0043) 

T1592 Gather Victim Host Information 

Text file contains details about host 

Persistence (TA0003) 

T1136 Create Account 

Created a user to add to the local administrator’s group 

Execution (TA0002) 

T1059.001 Command and Scripting Interpreter: PowerShell  

Executes PowerShell code to retrieve information about the client's Active Directory environment 

Discovery (TA0007) 

T1046 Network Service Scanning   

Use a network or port scanner utility  

Credential Access (TA0006) 

T1003 OS Credential Dumping 

Deploy Mimikatz and publicly available password lookup utilities 

Privilege Escalation (TA0004)  

T1484 Domain Policy Modification   

Modify GPOs to execute malicious files  

Lateral Movement (TA0008) 

T1021.001 Remote Desktop Protocol  

Adversary made attempts to move laterally using Windows Remote Desktop 

Defense Evasion (TA0005) 

T1027 Obfuscated Files or Information 

Use base64-encoded PowerShell scripts 

Command and Control (TA0011) 

T1219 Remote Access Software   

Remote access tools found on the compromised system   

Impact (TA0040) 

T1486 Data Encrypted for Impact  

Deploy Hive ransomware and encrypt critical systems 

Exfiltration (TA0010) 

T1048.003 Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol  

Use WinSCP for potential exfiltration of system information   

Collection (TA0009) 

T1560.001 Archive Collected Data: Archive via Utility  

Adversary leveraged xcopy on Windows to copy files  

Software/Tool 

S0002 Mimikatz 

Use Mimikatz to obtain account logins and passwords

Quarterly Report: Incident Response Trends in Q4 2022

In this section, we provide an overview of the general threat landscape throughout 2022 and major trends based on telemetry sets gathered across Talos.

Tuesday, January 24, 2023 09:01

While our ongoing support to Ukraine and response to the Log4j vulnerabilities were two of our most comprehensive and impactful efforts in 2022, we also dealt with a multitude of other threats as the security community faced an expanding set of adversaries and malware. In January, we identified several emerging trends that we expected would affect or dominate the threat landscape in 2022, many of which ultimately played out as significant events this year. In this section, we provide an overview of the general threat landscape throughout 2022 and major trends based on telemetry sets gathered across Talos, including:

*   Behavioral indicators from Secure Malware Analytics.
*   Snort and ClamAV alerts .
*   Behavioral Protections (BPs) from Cisco Secure Endpoint.
*   Case studies from CTIR engagements.

Visit the Year in Review page for the full report, with topic summary reports, livestreams, podcasts, and other content starting December 14th.  New content will be added with each topic summary release through February.  You can access the full 2022 Cisco Talos Year in Review report directly here:

Threat Landscape Topic Summary Report: Cisco Talos Year in Review 2022

As 2023 begins I wanted to look forward on the future of state sponsored aggression and how we can see it change and evolve over the next year and beyond.

Tuesday, January 24, 2023 07:01

As we begin 2023 I wanted to take some time and look at the state sponsored threat landscape. Over the last few decades we've seen seismic shifts in how state sponsored actors attack, starting with traditional espionage with attacks like Moonlight Maze and Project Gunman and evolving into more intellectual property theft and dissident targeting with attacks like Operation Aurora. Now activity is moving into increasingly destructive or destabilizing attacks we've seen used in both Ukraine and the Middle East with information warfare emerging as one of the key battlefields. One thing to note is espionage never left the landscape. It is a constant and significant force driving state sponsored hacking and always will be.

Throughout 2022 we faced one of the more unique landscapes that we have seen in cyberspace due to the ongoing war in Ukraine and associated attacks. Interestingly we saw the war leveraged in different ways by other state sponsored groups, not just those originating from Russia. As we discovered this past year, groups like Mustang Panda were launching malicious campaigns with documents related to the Ukrainian war as a lure. Demonstrating how this war is having far reaching impacts on the threat landscape, far beyond the actual war zone.

The war provided us with one of the first real life demonstrations of how much of a role cyber activities would play in kinetic warfare. Unfortunately, the answer is clouded by doubt of whether it played a surprisingly small role or if the Russians underestimated the capabilities and perseverance of Ukrainian people, neglecting the full scope of cyber capabilities. The question now is: where do state sponsored attacks move in the future? The retreat from globalization is going to shift the landscape and change the ways nation states are operating in cyberspace. As countries move to manufacture and build internally, their targeting will change accordingly. Instead of just attacking for espionage purposes, economic considerations will play a significant role. For the first time we will see how nation states will leverage cyber when facing the economic strain of this move away from globalization coupled with high inflation and interest rates that we haven't seen in decades.

**Retreat from globalization could usher in another era of IP theft**

The post pandemic push against globalization could drive a new era in cyber-based intellectual property theft in the months and years ahead. The pandemic has changed the world in a staggering number of ways, but most crucially it could precipitate the end to the decades long march to globalization. Countries around the world were met with supply chain bottlenecks and the realization that just-in-time (JIT) shipping only works when your suppliers are available, and the push to bring jobs back stateside has already begun. Whether it's Apple announcing chip manufacturing will begin in the United States or the CHIPS act being passed in the United States pushing hundreds of billions of dollars into semiconductor research, both enterprises and nation states are revisiting manufacturing.

This shift will have many downstream impacts, but the largest impacts will be felt in those countries where manufacturing dominates their GDP. This is also going to result in more autocratic nations spinning up domestic versions of products and technologies. Developing these new capabilities isn't a simple process and typically requires significant investment into research and development to achieve the technological breakthroughs required for some manufacturing.

However, there is another avenue for those nations willing to take it –theft. More specifically cyber theft of intellectual property. This isn't a new behavior, in fact back in 2012 General Keith Alexander famously said, cyber theft was the "greatest transfer of wealth in history" but since then the activity has cooled slightly. China and the US agreed to scale back their offensive operations and we haven't had a barrage of high profile breaches at defense contractors and other high value targets in some time.

The playing field has grown considerably for state-sponsored actors. What used to be dominated by a handful of well-resourced countries is now seeing more nations turn to offensive capabilities to support their missions. As such the likelihood that other countries take a similar path seems likely. History has shown that the fastest way to come up to speed is to steal the intellectual property instead of developing it yourself. It's also plausible that you could start to see criminal organizations take increasing interest in the intellectual property of their ransom and extortion victims as that data could be worth many times the ransom demand to a nation state trying to make up critical ground in technology or manufacturing.

**Destructive attacks will increase as the retreat from globalization hastens**

Over the last decade state-sponsored actors have increased their use of destructive attacks. They have historically been largely associated with Russian aggression: NotPetya, OlympicDestroyer, WhisperGate, CaddyWiper, etc. However, we have seen examples of other groups launching destructive attacks, most notably against Saudi Aramco and other Shamoon\-associated targets. The use of destructive malware is poised to increase in the months and years ahead. These actors have learned that wipers are an effective means to destabilize a region or impact vital services. This was demonstrated most clearly in the Colonial Pipeline attack where a ransomware attack against its enterprise systems resulted in pipelines being stopped. This attack demonstrated how nations don't need to attack critical infrastructure directly to disrupt it. There is little reason for these actors to avoid critical infrastructure as, to this point, cyberspace based aggression has seen little or no response.

Critical infrastructure has always been a red line, albeit one that's already been crossed several times. Russia has attacked Ukraine’s power system multiple times, resulting in a loss of service and in some cases black outs. However, I'd argue that all of Russia's attacks could be associated with the war against Ukraine, a war that started in 2014 with Russia's invasion of Crimea. Looking at the conflict as it stands now, it appears that, in regional wars, kinetic attacks against critical infrastructure seem far more efficient with bombs being able to inflict more lasting damage. This may not be the case for more long distance opponents where kinetic attacks are more costly and difficult. The only reason to use exclusively digital attacks would be the desire to keep the facilities functioning, although there is no guarantee that a cyber attack couldn't be destructive, as demonstrated by Stuxnet.

Today state-sponsored actors are looking for ways to disrupt critical infrastructure without attacking it directly, for fear of reprisal. The colonial pipeline attack gave them the playbook they needed and in all likelihood we'll see it play out again. The only way to prevent critical infrastructure from being a target is to establish rules of engagement for cyberspace which is unlikely to happen anytime soon, barring a calamitous cyber event. The reason is that the big players aren't willing to give up their own capabilities for times of war, at least not yet. Critical infrastructure isn't the only place where these groups attempt to destabilize their adversaries. The information battlefield has only grown from the days of pamphlet drops and forgeries. With the advent of social media, information can be used in powerful and unexpected ways.

Information moves impossibly fast today. Viral news spreads like wildfire across the globe and in a matter of hours has traversed it many times over. The issue is, how do we know it's true? The line between true and false has been blurred repeatedly by leaders both elected and otherwise around the world. As such an opportunity has been created for state-sponsored groups to leverage this as a wedge. We've seen it in the US elections in 2016, we saw it again in the French election-related hacking, and we saw it countless times in the COVID era. Misinformation and disinformation are now powerful tools that can be wielded to effect change on a scale previously thought to require physical involvement, and those with the capacity to abuse it have noticed.

One of the interesting aspects of social media is that each user's experience is largely unique to them. Meaning that it's based on aspects of your life, for instance your location, profession, and social circle. This provides avenues for targeted misinformation and disinformation to hit specific groups. We've already seen this done in the election interference where things were targeted at certain demographics or groups.

For most nation states this is an incredibly attractive avenue as it's easy to conduct, relatively cheap, and easy to plausibly deny. Worst case scenario they get exposed, fold up the current campaign and spin up new companies or organizations to start the next one armed with the lessons learned from the previous failures. The activities on social media for nation states hardly ends with misinformation and disinformation.

**Targeting of citizens will continue as mobile spyware market grows**

The last five years has seen an explosion in the mobile spyware market. NSO Group is the most well known but there are new startups flooding the market, all promising the same level of zero-day support and repeatable in-memory access. These tools are marketed as the ultimate spy tool to expose criminals and terrorists around the globe but it is often being found used against dissidents, activists, and journalists. Today everyone's life exists on their devices from email to documents to private communications. It's all right there and if you have millions of dollars to spend it's easily accessible. The truth is that if someone deems your information valuable enough, they can get it, they just have to be willing to spend the money to accomplish it. For most of us that means we're in the clear. Unfortunately, the risks are quite high for the few that choose to challenge those in positions of power or aid those in doing so. To be clear this isn't something an average person or even company would be able to purchase, but for intelligence apparatuses around the globe it's all too easy to achieve.

  
In many countries around the world there are rules and protections in place to prevent domestic abuse or targeting overreach. The problem is that there are lots of countries with access and willingness to skirt the typical rules of engagement. Governments are starting to take action against these mobile spyware companies, but for every company they knock down another one will rise up. There are no easy solutions for the small minority of people that fall into this targeting, but technology companies are beginning to work on it.

The world is shifting away from globalization in the post pandemic era. Interest rates are exploding and borrowing just got a lot more expensive. State-sponsored groups are going to be squeezed just as we all are. Cyber operations are cheap both financially and politically. Rarely do you need to put boots on the ground and you can launch the attack from the other side of the planet without a single physical asset at risk of being discovered. Additionally, cyber campaigns carry a much higher level of deniability and rarely have political repercussions. The appetite to expend scarce resources in espionage activities will always exist, but if an agency can conduct five or six cyber operations for every non-cyber campaign, then the value is in cyber. Maximizing value will be increasingly important as budgets around the world tighten to counter the increased cost of borrowing. Additionally, the push away from globalization likely increased the non-governmental targets for state-sponsored groups going forward.

State Sponsored Attacks in 2023 and Beyond

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Jan. 13 and Jan. 20. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key

Threat Round up for January 13 to January 20

Talent retention and institutional knowledge go hand in hand. Both are critical to ensuring the security of your network environment.

Thursday, January 19, 2023 16:01

Welcome to this week’s edition of the Threat Source newsletter.

Talent retention and institutional knowledge go hand in hand. Both are critical to ensuring the security of your network environment. To that end, I want to talk briefly about why talent retention isn’t just about money. So I am going to speak directly to the people managers from the team leads in the SOC to the C-Level execs. When you examine what you do on a day-to-day basis are you telling your team members what they can and can’t do? How often do the things you say and the goals you provide fall between those two things? Now, ask yourself what you’ve done to enable them to grow today, both technically and as people. One of the easiest ways to very quickly identify quality leadership is to find out if the mindset and actions of the people managers is that the employees work for and reflect on them, or if they understand that they work for the team and that the team is a reflection of their leadership. Yes, there are plenty of employees that will leave simply based on pay, and we all have budgets to work within – but there is no cost to show respect and fighting to find budget for pet projects, training, or even niche learning for your employees is your job. When you can’t find budget find other ways to show the employees that you respect them and are actively working to ensure their growth. In the end your efforts will be rewarded with a stronger team and a more secure environment.

**The one big thing**

Focus on the basics. As we run headlong into the impending brick wall of 2023 take a moment to look at your environment and simply relearn it.

**Why do I care?**

Without knowing your baseline environment there is absolutely no way that you can expect to protect it.

**So now what?**

Learn your network. Observe and reevaluate your physical security standards in this crazy post pandemic world. Ensure that your patch management strategy is sound and that you have good cross-team collaboration to get those change windows handled. Ensure dead accounts are handled correctly. On and on – you know the steps. Take a beat and follow them.

**Top security headlines of the week**

Yum Brands, the parent company of fast-food chains KFC, Pizza Hut and Taco Bell, has confirmed that company data was stolen in a ransomware attack.

Yum Brands said a ransomware attack impacted “certain information technology systems,” prompting the chain to take some of its systems offline. The incident also led to the closure of roughly 300 restaurants in the United Kingdom for 24 hours, the company said. Although the ransomware attack largely affected the company’s U.K. operations, Yum Brands said it notified U.S. federal law enforcement as its investigation continues. (Tech Crunch and Yum)

Initial Access Broker market is booming, posing growing threat to enterprises. Research shows a sharp year-over-year growth in the number of IABs operating in underground forums and markets. For ransomware operators and other cybercriminals that are looking for quick access to enterprise networks, these brokers are the answer. (Dark Reading and GroupIB)

**Can’t get enough Talos?**

*   https://blog.talosintelligence.com/following-the-lnk-metadata-trail/
*   https://blog.talosintelligence.com/talos-year-in-review-2022/
*   https://talosintelligence.com/podcasts/shows/beers\_with\_talos
*   https://talostakes.talosintelligence.com/2018149/12016411-year-in-review-apt-summary-edition

**Upcoming events where you can find Talos**

CactusCon (Jan 27-28)  
Mesa, AZ

Cisco Live Amsterdam (Feb 6-10)  
Amsterdam, Netherlands

**Most prevalent malware files from Talos telemetry over the past week**

SHA 256:  
9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
MD5: 2915b3f8b703eb744fc54c81f4a9c67f  
Typical Filename: VID001.exe  
Detection Name: Simple\_Custom\_Detection

SHA 256:  
1077bff9128cc44f98379e81bd1641e5fbaa81fc9f095b89c10e4d1d2c89274d  
MD5: 26f927fb7560c11e509f0b8a7e787f79  
Typical Filename: Iris QuickLinks.exe  
Claimed Product: N/A  
Detection Name: W32.File.MalParent

SHA 256:

125e12c8045689bb2a5dcad6fa2644847156dec8b533ee8a3653b432f8fd5645  
MD5: 2c8ea737a232fd03ab80db672d50a17a  
Typical Filename: LwssPlayer.scr  
Claimed Product: 梦想之巅幻灯播放器  
Detection Name: Auto.125E12.241442.in02

SHA256:  
e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934  
MD5: 93fefc3e88ffb78abb36365fa5cf857c  
Typical Filename: Wextract  
Claimed Product: Internet Explorer  
Detection Name: PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg