We expect this data-driven story will shed some insight into Cisco’s and the security community’s most notable successes and remaining challenges. As these Year in Review reports continue in the future, we aim to help explain how the threat landscape changes from one year to the next.

Wednesday, December 14, 2022 08:12

This report represents an unprecedented effort within Cisco to tell a comprehensive story of our work in the past year, relying on a wide variety of data and expertise.

As a large security organization with global reach, the data we use as the basis for our research presents us with both a gift and a curse. The gift lies in the diversity of inputs, ranging from endpoint detections, incident response engagements, network traffic, email corpus, data from our sandboxes and honeypots, and much, much more from customers all over the world. The curse is that with the multitude of telemetry we have access to and the urgency of some of the work we do, it can be difficult to take a step back and look at the bigger picture, like trying to make sense of a Monet with your nose up against the frame.

This is what inspired us to create the Cisco Talos Year in Review. We wanted to get insight from dozens of subject matter experts all throughout Cisco, including our reverse engineers, detection specialists, data scientists, linguists, managed hunt providers, incident responders, and threat intelligence analysts. To this diverse group, we posed a few key questions:

1.  What were the major security events Cisco responded to in 2022 and what is their current status and impact?
2.  What are the major trends in the threat landscape and what do we think may change?
3.  What are the top threats we observed in 2022 and what is their current state?

This report tells a story based on responses to these questions from our experts and their year-long data. Through the upcoming weeks, we will be highlighting different aspects of this story, including our efforts in Ukraine, the disastrous Log4j vulnerabilities, adversaries’ use of offensive frameworks and software native to the victim’s machine, shifts in the ransomware landscape, the ever-present threat of commodity loaders/trojans, as well as an overview of some of the advanced persistent threats (APTs) we are most concerned with. Throughout the story, one key theme is clear: adversaries are adapting to shifts in the geopolitical landscape, actions from law enforcement, and the efforts of defenders. Defenders will need to track and address these shifts in behavior in order to maintain resilience.

We expect this data-driven story will shed some insight into Cisco’s and the security community’s most notable successes and remaining challenges. In addition, as these Year in Review reports continue in the future, we aim to provide data and narratives that help explain how the threat landscape changes from one year to the next. We hope you find this report as elucidating to read as it was to research and write, and that it arms the security community with the information and context needed to continue fighting the good fight.

Talos Year in Review 2022

HTML smuggling is a technique attackers use to hide an encoded malicious script within an HTML email attachment or webpage.
Once a victim receives the email and opens the attachment, their browser decodes and runs the script, which then assembles a malicious payload directly on the victim’s device

Tuesday, December 13, 2022 15:12

*   HTML smuggling is a technique attackers use to hide an encoded malicious script within an HTML email attachment or webpage.
*   Once a victim receives the email and opens the attachment, their browser decodes and runs the script, which then assembles a malicious payload _directly on the victim’s device_.
*   Talos has witnessed Qakbot attackers using a relatively new technique that leverages Scalable Vector Graphics images embedded in HTML email attachments.

**HTML smuggling using SVG**

**Smuggling HTML using SVG**

There are multiple different ways attackers have been documented abusing the legitimate features of JavaScript and HTML to accomplish HTML smuggling. Recently, however, Talos has witnessed attackers deploying a relatively new HTML smuggling technique—the use of Scalable Vector Graphics (SVG) images.  

Unlike pixel-based raster images such as JPEG, SVG images are vector-based, which means they can be increased in size without sacrificing image quality. SVG images are constructed using XML, allowing them to be placed within HTML using ordinary XML markup tags. Talos has identified malicious emails featuring HTML attachments with encoded SVG images that themselves contain HTML <script> tags. Including script tags within a SVG image is a legitimate feature of SVG. Unfortunately this feature is being abused by attackers to smuggle JavaScript onto a victim's computer.  Attackers rely on the fact that most web browsers will happily decode and execute this JavaScript as if it were a standard part of the document’s HTML.

In this case, the JavaScript smuggled inside of the SVG image contains the entire malicious zip archive, and the malware is then assembled by the JavaScript directly on the end user's device. Because the malware payload is constructed directly on the victim’s machine and isn’t transmitted over the network, this HTML smuggling technique can bypass detection by security devices designed to filter malicious content in transit.

Below is a malicious Qakbot email. Qakbot is known to hijack a victim’s email and send itself out as a reply to an existing email thread. That behavior is on display here. One interesting facet of many email thread hijackers is that the email threads they hijack are often very old. This particular thread is from 2020.

****A Qakbot email features stolen email threads and a malicious HTML attachment.****

When the victim opens the HTML attachment from the email, the smuggled JavaScript code inside the SVG image springs into action, creating a malicious zip archive and then presenting the user with a dialog box to save the file.

**When the attachment is opened, the SVG image JavaScript pops up a file save dialog box.**

The HTML attachment also displays a password that the victim must use to open the encrypted zip archive that was constructed locally on the victim’s machine.

**The HTML attachment also includes the password to the zip file created by the JavaScript.**

Inside the HTML attachment, we can see the code used by the attackers to smuggle the JavaScript onto the victim machine. Besides some of the obvious obfuscation techniques like HTML encoding the “F” in File and the “P” in Password, we can also clearly see an <embed> tag containing a base64-encoded SVG image.

**The SVG image is base64-encoded and embedded inside the HTML attachment.**

When the base64 is decoded and the JavaScript is de-obfuscated, we can see the SVG HTML smuggling technique used by this Qakbot campaign. The charCodeAt() function is used to convert text from a JavaScript variable into a binary blob. Using the createObjectURL() function, the binary blob is converted into a zip archive that the user is prompted to save on their local filesystem.

****An example of a decoded base64 SVG image from a malicious Qakbot email**.**

If the user manages to enter the password provided by the attacker and open the zip archive, they can extract an .iso file. The .iso file is intended to infect the victim with Qakbot, according to Cisco Secure Malware Analytics.

**Conclusion**

Since HTML smuggling can bypass traditional network defenses, it is critical to deploy some sort of security protection to the endpoints in your environment. Having robust endpoint protection can prevent execution of potentially obfuscated scripts, and prevent scripts from launching downloaded executable content. Endpoint security can also enforce rules about which executables are trusted to run in your environment.

Another good defense against HTML smuggling is educating your users about HTML smuggling attacks. For years, email security professionals have been repeating the mantra that users should not open suspicious email attachments or click links in suspicious messages. This is even more true today, given that HTML smuggling attacks can bypass some security devices and are increasing in frequency.

As network defenders improve their abilities to scan for malicious content, we can expect to see attackers looking to counter and evade such content filtering. HTML smuggling’s ability to bypass content scanning filters means that this technique will probably be adopted by more threat actors and used with increasing frequency.

HTML smugglers turn to SVG images

Microsoft released its monthly security update on Tuesday, disclosing 48 vulnerabilities. Of these vulnerabilities, 6 are classified as “Critical”, 41 are classified as “Important”, with the remaining vulnerability classified as “Moderate.”

Tuesday, December 13, 2022 14:12

Microsoft released its monthly security update on Tuesday, disclosing 48 vulnerabilities. Of these vulnerabilities, 6 are classified as “Critical”, 41 are classified as “Important”, with the remaining vulnerability classified as “Moderate.”

One of the critical vulnerabilities, which Microsoft considers to be “more likely” to be exploited is CVE-2022-41076, a remote code execution (RCE) vulnerability in Windows PowerShell which could allow a previously authenticated attacker to escape the PowerShell Remoting Session Configuration and run unauthorized commands on compromised systems.

Another critical vulnerability, CVE-2022-41127, affects Microsoft Dynamics NAV and Microsoft Dynamics 365 Business Central. Successful exploitation could allow an attacker to execute code on Dynamic NAV servers within the context of the service account under which Dynamics is running.

Two additional critical vulnerabilities, CVE-2022-44670 and CVE-2022-44676 are remote code execution vulnerabilities affecting the Windows Secure Socket Tunneling Protocol (SSTP). Successful exploitation of these vulnerabilities requires an attacker to win a race condition but could enable an attacker to remotely execute code on RAS servers.

The final two critical vulnerabilities being addressed this month are remote code execution vulnerabilities in Microsoft Sharepoint Server. Successful exploitation of CVE-2022-44690 or CVE-2022-44693 could enable an attacker to execute code on Sharepoint Servers but require the attacker to first be authenticated and granted the ability to use the Manage Lists feature in Sharepoint.

Talso would also like to highlight 6 important vulnerabilities that Microsoft considers to be “more likely” to be exploited.

*   CVE-2022-41121: Windows Graphics Component Elevation of Privilege Vulnerability
*   CVE-2022-44671: Windows Graphics Component Elevation of Privilege Vulnerability
*   CVE-2022-44673: Windows Client Server Run-Time Subsystem (CSRSS) Elevation of Privilege Vulnerability
*   CVE-2022-44675: Windows Bluetooth Driver Elevation of Privilege Vulnerability
*   CVE-2022-44683: Windows Kernel Elevation of Privilege Vulnerability
*   CVE-2022-44704: Microsoft Windows Sysmon Elevation of Privilege Vulnerability

A complete list of all the vulnerabilities Microsoft disclosed this month is available on its update page.

In response to these vulnerability disclosures, Talos is releasing a new Snort rule set that detects attempts to exploit some of them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Cisco Secure Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

The rules included in this release that protect against the exploitation of many of these vulnerabilities are 60972 - 60975, 60977 - 60978. For Snort 3, the following rules are also available to protect against these vulnerabilities: 300339 - 300341.

Microsoft Patch Tuesday for December 2022  — Snort rules and prominent vulnerabilities

Marcin ‘Icewall’ Noga of Cisco Talos discovered this vulnerability.
Cisco Talos recently discovered a denial-of-service vulnerability in VMWare vCenter Server.
VMware vCenter Server is a platform that enables centralized control and monitoring over all virtual machines and EXSi hypervisors included in vSphere.
TALOS-2022-1588 (CVE-2022-31698) concerns a pre-authentication denial-of-service

Tuesday, December 13, 2022 11:12

_Marcin ‘Icewall’ Noga of Cisco Talos discovered this vulnerability._

Cisco Talos recently discovered a denial-of-service vulnerability in VMWare vCenter Server.

VMware vCenter Server is a platform that enables centralized control and monitoring over all virtual machines and EXSi hypervisors included in vSphere.

TALOS-2022-1588 (CVE-2022-31698) concerns a pre-authentication denial-of-service vulnerability in a handler of the content library. A specially crafted HTTP header can lead to denial of service. An attacker can send an HTTP request to trigger this vulnerability.

Cisco Talos worked with VMWare to ensure that this issue is resolved and an update is available for affected customers, all in adherence to Cisco’s vulnerability disclosure policy.

Users are encouraged to update the affected product as soon as possible: VMware vCenter Server 6.5 Update 3t. Talos tested and confirmed this version of VMWare could be exploited by this vulnerability.

The following Snort rule will detect exploitation attempts against this vulnerability: 60408. Additional rules may be released in the future and current rules are subject to change, pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.

Vulnerability Spotlight: Denial-of-service vulnerability discovered in VMWare vCenter

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Dec. 2 and Dec. 9. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key

Threat Round up for December 2 to December 9

Welcome to this week’s edition of the Threat Source newsletter.
As we hurtle toward the end of another year I get that tightness in my chest – that feeling that I think most, if not all, Threat Source readers get at this time of year. That's

Thursday, December 8, 2022 16:12

Welcome to this week’s edition of the Threat Source newsletter.

As we hurtle toward the end of another year I get that tightness in my chest – that feeling that I think most, if not all, Threat Source readers get at this time of year. That's right, it’s once again the time of year when no matter what your current role or area of expertise you become tech support for your entire family and anyone they’ve ever met. They will give you unsolvable tech problems and expect holiday miracles. I have no particularly stellar advice that will help you. I have no words of wisdom that will keep you from your pain. I have only this – you aren’t alone. Make sure to take copious notes so that you can regale your workplace associates with the highlights and kick off the new year by putting that pain behind you.

Stay tuned next week for our inaugural Year in Review report!

**The one big thing**

Cisco Talos Incident Response shared a white paper on the steps organizations should follow to secure any major event. Outlining ten major event preparation focus areas, for each of the ten identified areas, Talos IR provides a short checklist to ensure that different organizations and committees can ask the right questions to vendors, suppliers and other event participants. Although the checklist can serve as a useful starting point for most of our readers, the complexity of the problem and diverse security requirements will likely require an in-depth analysis to identify all risk avenues.

**Why do I care?**

Cisco Talos IR has successfully participated in a number of global events at both the forefront as well as in supporting roles, to ensure that threats are contained before causing major disruption. This white paper leverages that experience to provide the reader with insight into the challenges, critical aspects and methodologies that can be utilized to achieve a strong sense of cyber security and IR readiness at both strategic and tactical levels.

**So now what?**

Ensure that the proper teams read the white paper, follow the blueprint, and are prepared to handle several types of attacks before, during and after the event. Leverage the ten focus areas to help your organization build appropriate security strategies ahead of major events.

**Top security headlines of the week**

Many endpoint detection and response (EDR) technologies may have a vulnerability in them that gives attackers a way to manipulate the products into erasing any data on installed systems. Or Yair, a security researcher at SafeBreach discovered the issue, Security products, such as EDR tools have super-user rights on systems, which could allow an attacker to wipe almost any file on the system, including system files. Yair disclosed the issue at the Black Hat Europe conference on Wednesday, Dec 7 having notified the vendors between July and August. Vulnerable products included Microsoft Windows Defender, Windows Defender for Endpoint, TrendMicro ApexOne, Avast Antivirus, AVG Antivirus, and SentinelOne. (Darkreading)

Rackspace has confirmed today that a ransomware attack is behind an ongoing Hosted Exchange outage. Rackspace tweeted "Since becoming aware of suspicious activity in our Hosted Exchange environment on 12/2, we’ve determined that the isolated disruption is the result of ransomware and our security team is working with a lead cyber defense firm to investigate." The cloud service provider says it will notify customers if it finds evidence that the attackers gained access to their sensitive information.(Bleepingcomputer)

**Can’t get enough Talos?**

*   https://blog.talosintelligence.com/vulnerability-spotlight-memory-corruption-vulnerability-discovered-in-poweriso/
*   https://blog.talosintelligence.com/vulnerability-spotlight-nvidia-driver-memory-corruption-vulnerabilities-discovered/
*   https://blog.talosintelligence.com/vulnerability-spotlight-callback-technologies-cbfs-filter-denial-of-service-vulnerabilities/
*   https://blog.talosintelligence.com/vulnerability-spotlight-lansweeper-directory-traversal-and-cross-site-scripting-vulnerabilities/

**Upcoming events where you can find Talos**

CactusCon (Jan 27-28)  
Mesa, AZ

**Most prevalent malware files from Talos telemetry over the past week**

SHA 256:  
9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
MD5: 2915b3f8b703eb744fc54c81f4a9c67f  
Typical Filename: VID001.exe  
Detection Name: Simple\_Custom\_Detection

SHA 256:  
1077bff9128cc44f98379e81bd1641e5fbaa81fc9f095b89c10e4d1d2c89274d  
MD5: 26f927fb7560c11e509f0b8a7e787f79  
Typical Filename: Iris QuickLinks.exe  
Claimed Product: N/A  
Detection Name: W32.File.MalParent

SHA256:  
e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934  
MD5: 93fefc3e88ffb78abb36365fa5cf857c  
Typical Filename: Wextract  
Claimed Product: Internet Explorer  
Detection Name: PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg

SHA 256:  
125e12c8045689bb2a5dcad6fa2644847156dec8b533ee8a3653b432f8fd5645  
MD5: 2c8ea737a232fd03ab80db672d50a17a  
Typical Filename: LwssPlayer.scr  
Claimed Product: 梦想之巅幻灯播放器  
Detection Name: Auto.125E12.241442.in02

Threat Source newsletter (Dec. 8, 2022): Your uncle clicked every link

Since August 2022, we have seen an increase in infections of Truebot (aka Silence.Downloader) malware. Truebot was first identified in 2017 and researchers have linked it to a threat actor called Silence Group that is responsible for several high-impact attacks on financial institutions in several countries around the world.

Breaking the silence - Recent Truebot activity

TEST-2022YiR Livestream Post-TEST

Did you miss our livestream focused on the Ukraine topics presented in the Cisco Talos Year in Review report? Join host Hazel Burton and special guests Kendall McKay, Nick Randolph, and Vanja Svajcer as they discuss Talos' now-years-long critical infrastructure effort in Ukraine.

Thursday, December 8, 2022 11:12

Did you miss our livestream focused on the Ukraine topics presented in the Cisco Talos Year in Review report? Join host Hazel Burton and special guests Kendall McKay, Nick Randolph, and Vanja Svajcer as they discuss Talos' now-years-long critical infrastructure effort in Ukraine.  Their breifing gives critical insight into the topic of cyber warfare and creates useful comparisons for those defending against these same actors in different contexts.

Visit the Year in Review page for the full report, with topic summary reports, livestreams, podcasts, and other content starting December 14th.  New content will be added with each topic summary release through February.  

You can access the full 2022 Cisco Talos Year in Review report directly here: