Relive some of the major cybersecurity incidents and events that have shaped Talos over the past 10 years.

Wednesday, July 24, 2024 06:00

A lot has happened in Talos’ 10 years of existence. And to celebrate our birthday, we wanted to look back on some of the major moments in Talos’ history. Here’s an overview of some of the major events, cyber attacks, research breakthroughs and more that truly make Talos _Talos_. We hope this walk down memory lane inspires good times reminiscing, provides lessons learned from cyber attacks past, or PTSD from those late nights — whether you worked at Talos or not.

*   **2001:** Martin Roesch, the creator of Snort, founds Sourcefire.
*   **July 2013:** Cisco Systems announces an agreement to buy Sourcefire for $2.7 billion.
*   **April 2014:** Stakeholders from Sourcefire, Cisco Threat Research, Analysis and Communications (TRAC), and Security Applications (SecApps) start meeting to discuss the formation of Talos — including what the name would be!
*   **August 2014:** Talos is formally launched at the BlackHat cybersecurity conference.
*   **March 2015:** Talos publishes breaking research on the POSeidon point-of-sale malware, one of the first major coordinated cyber attacks found under the Talos banner.
*   **Oct. 2015:** Talos helped to shut down the Angler exploit kit by shutting down access for customers by updating Cisco products to stop redirects to the Angler proxy servers, and releasing new Snort rules to detect and block checks from the exploit kit. At the time, we estimated that Angler was targeting more than 90,000 users a day and generating $30 million annually.     
*   **May 2017:** WannaCry, which to this day is one of the largest ransomware attacks ever, hits several notable victims, including FedEx and the National Health Service in the U.K. Attackers exploited the NSA-created EternalBlue exploit.

*   **May 2017:** The first-ever episode of Beers with Talos goes live.
*   **June 2017:** EternalBlue pops up again, this time with the Nyetya ransomware attack. The attackers primarily deployed the malware via a fake update to the Ukrainian-made MeDoc tax software.
*   **June 2017:** A team of Talosians comes first in the Fake News Challenge after creating a tool that uses advanced machine learning and artificial intelligence technology to detect fake headlines and misleading “facts.”
*   **Feb. 2018:** Talos’ discovered samples of malware used to disrupt various technologies at the Olympic Games in Japan, including ticket-taking operations during the Opening Ceremony. OlympicDestroyer would have ripple effects for months as we tried to figure out who exactly was (or wasn’t) behind the attack.
*   **May 2018:** Talos publishes our findings on VPNFilter, a massive malware campaign from Russian state-sponsored actors. At the time of publishing, we estimated that VPNFilter affected more than 500,000 internet-connected devices.

*   **Nov. 2018:** DNSpionage, a previously undiscovered malware, makes headlines for targeting a Lebanese airline and companies in the United Arab Emirates. Adversaries set up fake job application phishing pages hoping to infect targets with malicious Microsoft Word applications.
*   **Feb. 2019:** Talos releases our 3-D printed model of an oil pumpjack into the wild to demonstrate how an attacker could overload it if it exploits the human-machine interface the pump relies on.

*   **Oct. 2019:** Cisco Talos Incident Response is officially launched. Merging Incident Response from Cisco’s CX organization with Talos’ threat intelligence, Talos IR offers proactive and reactive assistance to customers around the world.
*   **May 2020:** Talos’ Vulnerability Research team takes part in the Microsoft Azure Sphere Research Challenge, eventually discovering 16 security vulnerabilities in the popular application platform. Talos was one of only a handful of teams selected for the challenge. Specifically, a vulnerability the team discovered made headlines for potentially allowing an adversary to acquire Azure Sphere Capabilities, the most valuable Linux normal-world permissions in the Azure Sphere context.
*   **Nov. 2020:** The infamous “pig couch” goes viral after a fake Craigslist ad for it spreads on social media. This somehow ended up with the Snort Twitter account also going viral, and Marty Roesch making it into The New York Times.

Via Craigslist

*   **Dec. 2020:** Capping off a string of major supply chain attacks, adversaries compromise the legitimate SolarWinds Orion IT management software to deploy malware via a fake software update.
*   **Jan. 2021:** Snort 3, the first major release for Snort in more than a decade, goes open-source.
*   **Dec. 2021:** Just days before the winter holidays, the internet nearly catches on fire with the infamous Log4shell vulnerability in Log4j.

*   **Feb. 2022:** The Russian military launches an offensive assault against Ukraine. Talos immediately responds to assist Ukraine, capitalizing on yearslong partnerships to help keep critical infrastructure online and users protected from a barrage of cyber attacks. We would also assist Talos teammates in staying protected, supporting them in moving to other countries.
*   **May 2022:** ClamAV, Sourcefire’s original anti-virus detection solution, turns 20 (and will finally go 1.0 a few months later!)
*   **April 2023:** Cisco and Talos help to launch the Network Resilience Coalition, a group of technology companies working to ensure users and companies upgrade and update their network infrastructure. The effort was launched after the discovery of JaguarTooth, a massive campaign targeting unpatched wireless routers.
*   **May 2023:** Talos enters the world of private sector offensive actors (PSOAs) by disclosing new technical details about the Predator spyware and its creator, Intellexa. Spyware from these so-called “mercenary groups” is still spreading, often being used to target potentially sensitive users like journalists, activists and politicians.
*   **December 2023:** Talos discloses the details of Project PowerUp, a cross-team effort to help protect Ukraine’s power grid and the GPS positioning it relies on. Spearheaded by Joe Marshall, the multi-national, multi-company global team of power grid security practitioners, who had never worked together before, built a device to help Ukraine keep the lights on.

*   **March 2024:** Talos releases SnortML, a machine learning-based detection engine for the Snort Intrusion prevention system.
*   **August 2024:** Talos celebrates its 10th anniversary — cheers to many more!

A (somewhat) complete timeline of Talos’ history

Telecommunications provider AT&T disclosed earlier this month that adversaries stole a cache of data that contained the phone numbers and call records of “nearly all” of its customers.

Thursday, July 18, 2024 14:00

Between AT&T, all the follow-on activity from Snowflake, Microsoft Outlook, and more, it’s best to probably just assume at this point that your personal information has somehow been involved in a data breach. 

We’re only halfway through 2024, and we’ve already seen some of the largest data breaches and leaks in history. Telecommunications provider AT&T disclosed earlier this month that adversaries stole a cache of data that contained the phone numbers and call records of “nearly all” of its customers, which equates to about 110 million people.  

Even if you’ve yet to receive the dreaded boilerplate notification email from any company, it’s probably just best for all of us to assume that some of our personal information has been accessed, leaked or stolen over the past few years, or it’s going to be eventually.  

I took this as an opportunity to check for myself. The ever-popular Have I Been Pwned? says my personal email address has been involved in 14 breaches, some dating back to 2017 and one as recently as June.  

Thankfully, Trend Micro’s ID Protect says that my personal cell phone hasn’t been involved in any data breaches, but that certainly hasn’t stopped me from getting my fair share of spam texts and phone calls. 

Outside of those two search engines, I felt like this would be a good space to provide additional resources and advice for anyone reading this. Even if you haven’t been a part of the recent spate of data breaches, I think it’s a good idea to take these steps now anyway, because you never know when the next breach is going to happen.  

*   **Stop reusing passwords.** Use a free password manager to generate random, secure passwords for each new account you create. That way, if one of your passwords \*is\* leaked, it makes it impossible for adversaries to start using those leaked credentials to try and brute force their way into other accounts.  
*   Once you enroll in that password manager, use it to frequently update and rotate your passwords.  
*   **Enroll in multi-factor authentication.** Using any type of MFA will ensure bad actors aren’t using any leaked credentials to log into other devices, so even if they have a complete set of usernames and passwords, you can still deny their login.  
*   **Initiate a fraud alert** **to credit reporting agencies.** Of course, this only applies to users who live in the U.S. (though I’m sure other countries have something similar; I can only confidently write about the process in the U.S.). This will let potential lenders know that you may be the victim of fraudulent activity so they will take extra steps to ensure it’s actually you filling out a credit application.  
*   **If a company responsible for exposing your information offers you free credit monitoring, take advantage of it.** We’ll be covering what identity monitoring does for users in tomorrow morning’s episode of Talos Takes, so stay tuned! 
*   **Set up a unique passcode needed to make changes to certain accounts.** AT&T is specifically advising customers to set up a passcode needed to prevent any significant account changes, such as porting phone numbers to another carrier.  

**The one big thing **

Speaking of data breaches, adversaries know that users and companies are concerned about this threat, too, and they’re leveraging that in phishing attacks and scams. Talos researchers recently observed an ongoing cryptocurrency heist scam since as early as January 2024, leveraging hybrid social engineering techniques such as vishing and spear phishing, impersonating individuals and legitimate authorities to compromise the victims by psychologically manipulating their trust with social skills. Impersonating investigation officers of CySEC (Cyprus Securities and Exchange Commission), the scammers in this campaign are using a lure theme of refunding a fake seized amount from a fraudulent trading activity in Opteck trading platform to compromise the victims. 

**Why do I care? **

This particular campaign seems to be successful, as wallets connected to the group have received tens of thousands of U.S. dollars in the Ethereum cryptocurrency. But this is also evidence of a broader trend on the threat landscape: Attackers are going to be using data breaches as a threat and lure going forward. Users who are afraid of their data being leaked may be more likely to click on a phishing email or lure document that claims to have information on a leak. Or they may be more open to clicking on a link claiming to lead to “free” identity monitoring.  

**So now what? **

The significance of data breaches is facilitating the adversaries in their scam campaigns providing them the information needed to execute fraudulent activities, causing extensive financial, reputational, and psychological damage to individuals and organizations. So, creating security awareness in public is a preliminary responsibility of the organizations and security community. It empowers individuals to protect themselves and supports organizational security efforts. By fostering a culture of security awareness, the risks associated with data breaches and scam campaigns can be reduced. 

**Top security headlines of the week **

**Trend Micro’s Zero Day Initiative publicly called out Microsoft for not crediting their researchers for a recently disclosed vulnerability.** Security researchers at ZDI say they first informed Microsoft of the vulnerability in May and hadn’t heard anything about it again until it showed up in July’s Patch Tuesday, Microsoft’s monthly security update. The ZDI blog post has generated additional conversations in the security community about the pros and cons of coordinated vulnerability disclosure and existing problems with the U.S. Cybersecurity and Infrastructure Security Agency (CISA) CVD program. There is also still uncertainty on the exact nature of the vulnerability, CVE-2024-38112. The initial discoverers say it is a remote code execution vulnerability that should be considered critical, though when Microsoft disclosed it, it came with a lower CVSS score and identified it as a spoofing vulnerability. “CVD doesn’t work if the only ones coordinating are the researchers. While these are Microsoft examples, there are multiple occasions from various vendors where ‘coordination’ simply means ‘You tell us everything you know about this bug, and maybe something will happen,’” Trend Micro wrote in their blog post. (Zero Day Initiative, The Register) 

**A data breach unmasked the company behind the spyware mSpy and a list of its customers.** According to the data leak site Have I Been Pwned?, unknown attackers stole millions of customer support tickets, eventually leaking 142GB of data. The leaked information includes personal details of customers, emails to mSpy’s support team and email attachments. mSpy promotes itself as a phone surveillance app that can track users’ children or employees. However, it is often used to monitor people without their consent, like most spyware. The stolen data includes customer and user emails to mSpy support via the third-party software Zendesk. Leaked emails include targets who did not wish to have the spyware tracking their device, including journalists, and even U.S. law enforcement agents looking to file subpoenas or legal demands with the company. Once installed on an infected device, mSpy can monitor keystrokes, review text messages, track users’ locations, scrape their social media accounts and view the target’s sent and received photos. (TechCrunch, PC World) 

**The Iranian APT MuddyWater added a new backdoor to its malware arsenal known as BugSleep.** Security researchers say the malware “partially replaces” the actor’s traditional use of legitimate remote monitoring tools. MuddyWater is known for its connections to Iran’s Ministry of Intelligence and Security (MOIS). The group’s most recent campaign included sending phishing emails that invite targets to attend online classes and webinars to 10 different Israeli companies. Some versions of BugSleep come with a custom malware loader that injects the backdoor into the active processes of several well-known software, including Microsoft Edge, Google Chrome and Microsoft OneDrive, so taht it can remain undetected. Talos has reported on several MuddyWater campaigns over the past few years against entities spread throughout the U.S.A, Europe, Middle East and South Asia. Their campaigns are primarily designed to either steal sensitive information or execute ransomware on a targeted network. (The Register, Bleeping Computer) 

**Can’t get enough Talos? **

*   Cisco Talos Report Reveals Critical Insights in Ransomware Trends 
*   Cisco Talos analyzes attack chains, network ransomware tactics 
*   Cisco Talos: Top Ransomware TTPs Exposed 
*   Talos Takes Ep. #190: What we learned from studying the TTPs of the 14 most active ransomware groups 

**Upcoming events where you can find Talos **

**_BlackHat USA_** **_(Aug. 3 – 8)_** 

_Las Vegas, Nevada_ 

**_Defcon_** **_(Aug. 8 – 11)_** 

_Las Vegas, Nevada_ 

**_BSides Krakow_** **_(Sept. 14)_**  

_Krakow, Poland_ 

**Most prevalent malware files from Talos telemetry over the past week **

**SHA 256:** c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0  
**MD5:** 8c69830a50fb85d8a794fa46643493b2  
**Typical Filename:** AAct.exe  
**Claimed Product:** N/A  
**Detection Name:** PUA.Win.Dropper.Generic::1201

**SHA 256:** 161937ed1502c491748d055287898dd37af96405aeff48c2500b834f6739e72d  
**MD5:** fd743b55d530e0468805de0e83758fe9  
**Typical Filename:** KMSAuto Net.exe  
**Claimed Product:** KMSAuto Net  
**Detection Name:** W32.File.MalParent

**SHA 256:** 24283c2eda68c559f85db7bf7ccfe3f81e2c7dfc98a304b2056f1a7c053594fe  
**MD5:** 49ae44d48c8ff0ee1b23a310cb2ecf5a  
**Typical Filename:** nYzVlQyRnQmDcXk  
**Claimed Product:** N/A  
**Detection Name:** Win.Dropper.Scar::tpd

**SHA 256:** bea312ccbc8a912d4322b45ea64d69bb3add4d818fd1eb7723260b11d76a138a  
**MD5:** 200206279107f4a2bb1832e3fcd7d64c  
**Typical Filename:** lsgkozfm.bat  
**Claimed Product:** N/A  
**Detection Name:** Win.Dropper.Scar::tpd

**SHA 256:** 9be2103d3418d266de57143c2164b31c27dfa73c22e42137f3fe63a21f793202   
**MD5:** e4acf0e303e9f1371f029e013f902262   
**Typical Filename:** FileZilla\_3.67.0\_win64\_sponsored2-setup.exe   
**Claimed Product:** FileZilla   
**Detection Name:** W32.Application.27hg.1201

It's best to just assume you’ve been involved in a data breach somehow

Even if a threat actor isn’t successful in some widespread breach that makes international headlines, even smaller-scale threats and actors are just hoping to cause chaos.

Thursday, July 11, 2024 14:00

With the 2024 Olympics’ Opening Ceremony only two weeks away now, there is one thing that’s an absolute guarantee of one thing happening during the traditionally unpredictable games: Cyber attacks. 

Every time there is a new Olympic Games, there’s a renewed discussion about how threat actors, hacktivists and state-sponsored groups are all gearing up to try to disrupt the games in some way. The Opening Ceremony at the 2018 Olympic Games in South Korea was disrupted by a major cyber attack called Olympic Destroyer, briefly pausing ticket-taking operations and taking down several Olympics-related websites. 

And for this year’s Summer Games, France faces an “unprecedented level of threat,” according to the head of the country’s cybersecurity agency.  

That’s because, in our modern day, there is just simply so much to protect. Ninety-nine percent of modern communication occurs over a network at this point, especially when you’re talking about an international event. That means protecting individual inboxes, mail servers, third-party messaging apps, virtual meetings and more. 

Each attendee of the games is going to bring in their own devices, too, and connect to whatever public network the Olympics stands up at the arenas or fields where competitions are taking place. That’s tens of thousands of new potential entry points for threat actors. 

There are also domains, subdomains, hosts, web applications and third-party cloud resources that the Games rely on, all with their own attack surfaces. 

A study from Outpost24 earlier this year found that the security for all these factors is stronger than when Russia hosted the 2018 FIFA World Cup, which came with a similar set of circumstances and popularity to the Olympics.  

Even if a threat actor isn’t successful in some widespread breach that makes international headlines, even smaller-scale threats and actors are just hoping to cause chaos.  

Last month, a fake AI-generated movie trailer seemed to show famous actor Tom Cruise condemning the International Olympic Committee in a fake documentary for Netflix. That made its rounds on Telegram, along with many threats around terrorist attacks in the hope of scaring attendees away and making the Games seem under-attended. 

Other actors are just looking to spread general misinformation, capitalizing on recent protests and elections in France to, in their mind, sow chaos in an already chaotic time for the country. 

France has been preparing for the bevy of threats with hundreds of penetration tests, tabletop exercises and, of course, partnering with Cisco to protect the Olympic Games.  

**The one big thing **

Based on a comprehensive review of more than a dozen prominent ransomware groups, Talos identified several commonalities in tactics, techniques and procedures (TTPs), along with several notable differences and outliers. Talos’ studies indicate that the most prolific ransomware actors prioritize gaining initial access to targeted networks, with valid accounts being the most common mechanism. Phishing for credentials often precedes these attacks, a trend observed across all incident response engagements, consistent with our 2023 Year in Review report. Over the past year, many groups have increasingly exploited known and zero-day vulnerabilities in public-facing applications, making this a prevalent initial access vector. 

**Why do I care? **

Key findings indicate that many of the most prominent groups in the ransomware space prioritize establishing initial access and evading defenses in their attack chains, highlighting these phases as strategic focal points. Within the past year, many groups have exploited critical vulnerabilities in public-facing applications, becoming a prevalent attack vector, which we addressed later, indicating an increased need for appropriate security controls and patch management. Ransomware actors also continue to apply a significant focus to defense evasion tactics to increase dwell time in victim networks. 

**So now what? **

Our blog post includes several recommendations for how potential targets can protect against the TTPs these groups use. That includes consistently applying patches and updates to all systems and software to address vulnerabilities promptly and reduce the risk of exploitation and implement strong password policies that require complex, unique passwords for each account. Additionally, enforce multi-factor authentication (MFA) to add an extra layer of security. 

**Top security headlines of the week **

**Apple IDs are being targeted in a new SMS-based phishing scam.** Security researchers say that adversaries are sending text messages to iPhone users in the U.S. disguised to look like they’re from Apple but actually intended to steal their Apple login credentials. The phishing messages are made to seem more legitimate with a fake CAPTCHA for users to complete. They are then directed to a malicious web page that looks like an older iCloud login page, where the targeted user is asked to enter their Apple ID. Apple IDs are valuable for attackers because they could allow them to log into the target’s iPhones and iPads, provide access to personal information, and allow the attacker to make unauthorized purchases. Apple warned users that they should be implementing MFA on their devices to ensure an adversary can’t use their credentials on an unknown device, or using Face ID or Touch ID to log into their devices. iPhone users are unlikely to ever receive text messages from Apple asking for their ID, but if they do, they should manually visit the desired website rather than clicking on a link in the message. (CBS News, Forbes) 

**A newly discovered spyware may have been spying on military members across the Middle East for more than five years.** The tool, called GuardZoo, appears to be created by Houthi-aligned actors in Yemen. GuardZoo is a custom Android surveillance tool that’s used to steal potentially valuable information and military intelligence, including documents, photos and data relating to troop locations. Infection of GuardZoo begins with a malicious link sent in a WhatsApp message. These phishing links lead to one of a variety of fake apps outside of the Google Play store, disguising themselves as a range of services including an app for reading the Quran, device location tracking, and other themes relating to the Yemen Armed Forces and Saudi Arabia’s Armed Forces Command and Staff College. GuardZoo managed to fly under the radar for several years because it was a modified version of the previously known Dendroid remote access trojan. Once on a device, GuardZoo immediately disables local logging and exfiltrates all of the victim’s files from the past seven years that are KMZ, WPT, RTE or TRK files, all of which relate to GPS and mapping apps. (Dark Reading, SC Media) 

**The Australian government blamed a Chinese state-sponsored actor for being behind a series of cyber attacks and data breaches dating back to 2022.** The group, known as APT40, is allegedly the perpetrator behind the theft of usernames and passwords from two unnamed Australian networks two years ago. A newly released report from the Australian Cyber Security Centre said APT40 conducts malicious cyber operations for China’s Ministry of State Security, the main agency in China in charge of foreign intelligence. The report says that the actor tries to steal sensitive information by infecting older, and sometimes even inactive, computers that are still connected to sensitive networks. Chinese authorities immediately denied the accusations. Intelligence agencies in Canada, New Zealand, the U.S. and the U.K. co-authored the report. New Zealand’s government previously accused APT40 of targeting its parliamentary services and counsel office in 2021 and stealing sensitive information. (NBC News, Voice of America) 

**Can’t get enough Talos? **

*   Upstream’s 2024 Global Automotive Cybersecurity Report (featuring contributions from Cisco Security)
*   Hidden between the tags: Insights into spammers’ evasion techniques in HTML Smuggling 
*   How do cryptocurrency drainer phishing scams work? 
*   15 vulnerabilities discovered in software development kit for wireless routers 
*   Largest Patch Tuesday in 3 months includes 5 critical vulnerabilities 
*   Cisco Talos details latest tactics employed by prolific ransomware groups 
*   Ransomware Groups Prioritize Defense Evasion for Data Exfiltration 

**Upcoming events where you can find Talos **

**_BlackHat USA_** **_(Aug. 3 – 8)_** 

_Las Vegas, Nevada_ 

**_Defcon_** **_(Aug. 8 – 11)_** 

_Las Vegas, Nevada_ 

**_BSides Krakow_** **_(Sept. 14)_**  

_Krakow, Poland_ 

**Most prevalent malware files from Talos telemetry over the past week **

**SHA 256:** a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91  
**MD5:** 7bdbd180c081fa63ca94f9c22c457376  
**Typical Filename:** c0dwjdi6a.dll  
**Claimed Product:** N/A  
**Detection Name:** Trojan.GenericKD.33515991

**SHA 256:** 9be2103d3418d266de57143c2164b31c27dfa73c22e42137f3fe63a21f793202   
**MD5:** e4acf0e303e9f1371f029e013f902262   
**Typical Filename:** FileZilla\_3.67.0\_win64\_sponsored2-setup.exe   
**Claimed Product:** FileZilla   
**Detection Name:** W32.Application.27hg.1201 

**SHA 256:** 8a366b1d30dd4d03ad8c5c18d0fb978d00d16f5f465bd59db6e09b034775c3ec   
**MD5:** 4fca837855b3bced7559889adb41c4b7   
**Typical Filename:** UIHost32.exe   
**Claimed Product:** McAfee WebAdvisor   
**Detection Name:** Trojan.Miner.ED 

**SHA 256:** a024a18e27707738adcd7b5a740c5a93534b4b8c9d3b947f6d85740af19d17d0   
**MD5:** b4440eea7367c3fb04a89225df4022a6   
**Typical Filename:** Pdfixers.exe   
**Claimed Product:** Pdfixers   
**Detection Name:** W32.Superfluss:PUPgenPUP.27gq.1201 

**SHA 256:** 484c74d529eb1551fc2ddfe3c821a7a87113ce927cf22d79241030c2b4a4aa74  
**MD5:** dc30cfd21bbb742c10e3621d5b506780  
**Typical Filename:** KMS-R@1nHook.exe  
**Claimed Product:** N/A  
**Detection Name:** W32.File.MalParent

Checking in on the state of cybersecurity and the Olympics

Data breaches have become one of the most crucial threats to organizations across the globe, and they’ve only become more prevalent and serious over time.

Thursday, July 11, 2024 06:00

*   Data breaches have become one of the most crucial threats to organizations across the globe, and they’ve only become more prevalent and serious over time.  
*   A data breach occurs when unauthorized individuals gain access to sensitive, protected or confidential data. This stolen data can include personal information, financial records, intellectual property, and other critical information.  
*   Stolen data is a valuable commodity in the cybercriminal world and, once acquired through data breaches, is often sold on underground markets.  
*   A recent cryptocurrency-related scam Cisco Talos discovered highlights how data breaches are being increasingly leveraged in these types of campaigns, preying on targets’ fears around their information being out in the wild. 

Over the years, data breaches have played a pivotal role in facilitating various forms of cyber-attacks.  Adversaries are leveraging on stolen data to execute more sophisticated and damaging attacks to materialize their malicious intents. The significance of data breaches extends far beyond the immediate loss of data with the implications for security, reputation and financial stability of individuals and organizations. 

**Active scam campaign likely leveraging on stolen data  **

Cisco Talos observed an ongoing cryptocurrency heist scam since as early as January 2024, leveraging hybrid social engineering techniques such as vishing and spear phishing, impersonating individuals and legitimate authorities to compromise the victims by psychologically manipulating their trust with social skills.  

Impersonating investigation officers of CySEC (Cyprus Securities and Exchange Commission), the scammers in this campaign are using a lure theme of refunding a fake seized amount from a fraudulent trading activity in Opteck trading platform to compromise the victims. 

Opteck is a trading platform founded in 2011 and provides binary options trading solutions for its customers. In 2017, Opteck’s database was sold on raidforums by adversaries and even today, we still see users’ Opteck login credentials being sold on Russian dark markets, indicating the likelihood of a data breach. That same year, CySEC (Cyprus Securities and Exchange Commission) flagged Opteck as non-complaint and had suspended its license until they took action to rectify the issues. The scammers are likely leveraging the stolen data in the dark web and the news to create a more convincing lure for this campaign. 

CySEC issued other warnings in November 2022 that fraudsters are impersonating their officers and making fake offers to assist investors with compensation claims for the dealings that they may have had with the sanctioned firms.   

Since January 2024, Talos has been observing that the scammer, impersonating certified investigation officers of CySEC, is attempting to contact a potential victim who is or was once a user of the Opteck trading platform. The scammers, after getting connected to a potential victim over the phone, introduces them as the investigation officers of CySEC, confirming that the potential victim was once an Opteck trading platform user. Then, they attempt to get the potential victim into a conversation, explaining a fake story of a fraudulent activity that Opteck was involved in and misusing potential victim’s cryptocurrency investments. The scammer also tried to assure the potential victims that their phone call was for refunding an amount they had seized, claiming that the amount belongs to the potential victim. 

To convince the victims, scammers send an email impersonating the identities of the CySEC officers by misusing the CySEC investigating officers’ names in the CySEC’s Public Register of Certified Persons documentation from CySEC official website.  In one instance, the scammer had created a fake business card and embedded it in the phishing email to make the phishing email appear legitimate.  

Sample 1 of the phishing email. 

Sample 2 of the phishing email.

Upon compromising the victim and gaining their confidence, the scammer sends another email asking the victims’ bank statement as part of regulatory compliance verifications.  

Phishing email sample 3.

They will also send a follow-up email to the victim, explaining the fake refund process that includes an identity verification stage and after that they will engage the victims in a 20-minute telephonic conversation and assisting them in withdrawing funds.  

Phishing email sample 4.

We observed that when a victim engages in a phone conversation with the scammer, first they will create a cryptocurrency wallet in the Coinbase platform and send the wallet ID to the victim, assuring that they will give him 816 USDT as a wallet activation amount, which will be available 12 hours after activation.  

In case of any errors performed by a victim, the scammer demands the victim transfer some specified ETH to another cryptocurrency wallet ID belonging to the scammer, which they are calling an AML wallet in this campaign. They also advise the victims that a representative from Coinbase would contact them. 

By impersonating a Coinbase representative, the scammer advises the victim to pay them 10% of the fake refund amount as Coinbase legal insurance fees to their so-called AML wallet in USDT or ETH.  When a victim agrees and pays the insurance fees, the scammer again demands the victim pay another amount as part of a negotiation process for another wallet ID in ETH, assuring that the victims will get 50% of the fake refund amount to their Coinbase wallet.  

Finally, when a victim agrees and pays the negotiation amount with an intention to get the fake refund into the Coinbase wallet, the scammer continues the conversation by advising the victims to wait for the funds get transferred, which never actually happens, leading to the theft of victim's cryptocurrencies. 

**Scammer’s efforts seemed lucrative  **

The campaign seemed lucrative till date according to the scammer's cryptocurrency wallets transactions and balances. We found four Ethereum wallets addresses that they have used to steal the victim’s cryptocurrency based on our analysis of the phishing emails.  

Analyzing the transactions of scammer’s wallets in blockchain we discovered that the transaction volume and Ethereum received during the campaign period is equivalent to several thousands of USD.  

Approximate ETH equivalent in USD 

0xdAd61Dd932f3D3B1E38BB5c1a2766901487B6B1e 

0x9f24ed5587424f50a4bb1d57a03914c2b5215ae2 

0xdAD9C378Bc0Eb7Ee17F92770a64eC80eef32caE2 

0xdC9060786AA19977Aa0AdbDa247437682B324D2a 

Talos also observed that scammers have multi-chain portfolios that allow them to spread their stolen cryptocurrency assets across multiple blockchain networks.  

A sample showing routing of stolen cryptocurrency funds.

**Scammer’s phishing infrastructure **

The scammer in this campaign has used several domains that resemble the legitimate domain of CySEC “cysec.gov.cy” as the phishing domains created in Sarek, a domain registration service provider.  

The phishing domains’ name server (NS) and start of authority (SOA) records were configured to point to the domain name servers of njalla, a “privacy as a service” provider.  

The mail exchange (MX) records of the domains were configured with the mail servers on mail.protection.outlook.com, indicating that the phishing emails are routed through Microsoft’s email protection services.  

The text records for the domains indicates that the actor’s mail server includes the SPF (Sender Policy Framework) rules defined by “spf.protection.outlook.com,” meaning that any IP addresses allowed by Microsoft’s Outlook protection service are also allowed to send emails on behalf of the actor’s domain. We also observed a few ms=msXXXXXXXX values defined in the TXT records. The ms record is usually used for the domain validation procedure by Microsoft Office 365 and its existence indicates a rightful owner of the domain. The actor is using these values to likely validate their phishing domains in Microsoft office 365. 

**Security awareness, a mainstay in effective cybersecurity **

Humans are considered as the weakest link or a low hanging fruit by the adversaries, as they attempt to trick them with various social engineering techniques, very often to gain access to their environment or perform fraudulent financial activities. And the significance of data breaches is facilitating the adversaries in their scam campaigns providing them the information needed to execute fraudulent activities, causing extensive financial, reputational, and psychological damage to individuals and organizations.  

So, creating security awareness in public is a preliminary responsibility of the organizations and security community. It empowers individuals to protect themselves and supports organizational security efforts. By fostering a culture of security awareness, the risks associated with data breaches and scam campaigns can be reduced.

Impact of data breaches is fueling scam campaigns

Talos researchers discovered these vulnerabilities in the Jungle SDK while researching other vulnerabilities in the LevelOne WBR-6013 wireless router.

Wednesday, July 10, 2024 12:00

Cisco Talos’ Vulnerability Research team recently discovered 15 vulnerabilities in the Realtek rtl819x Jungle software development kit used in some small and home office wireless routers.

This SDK uses the discontinued, open-source Boa as its web server. Talos researchers discovered these vulnerabilities in the Jungle SDK while researching other vulnerabilities in the LevelOne WBR-6013 wireless router, which are also covered in this blog post. 

Realtek has patched these issues in the SDK, all in adherence to Cisco’s third-party vulnerability disclosure policy, while LevelOne has declined to release a fix.

For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website. 

**Multiple vulnerabilities in Realtek rtl819x Jungle SDK**

_Discovered by Francesco Benvenuto and Kelly Patterson._

The Realtek rtl819x Jungle software development kit contains 15 vulnerabilities, some of which could lead to arbitrary execution. The SDK uses Boa — a deprecated, open-source software — as a webserver. 

The LevelOne WBR-6013, a small and home office (SOHO) wireless router, uses Jungle as its SDK.

Multiple stack-based buffer overflow vulnerabilities arise if an adversary sends a specially crafted set of HTTP requests to the targeted device:

*   TALOS-2023-1875 (CVE-2023-49073)
*   TALOS-2023-1876 (CVE-2023-48270)
*   TALOS-2023-1878 (CVE-2023-49595)
*   TALOS-2023-1895 (CVE-2023-50243, CVE-2023-50244)
*   TALOS-2023-1891 (CVE-2023-45215)
*   TALOS-2023-1892 (CVE-2023-47856)
*   TALOS-2023-1893 (CVE-2023-50239, CVE-2023-50240)
*   TALOS-2023-1894 (CVE-2023-41251)
*   TALOS-2023-1903 (CVE-2023-50330)
*   TALOS-2023-1904 (CVE-2023-49867)

Another vulnerability, TALOS-2024-1911 (CVE-2024-21778), is a heap-based buffer overflow issue that exists if an adversary sends a specially crafted .dat. An attacker could exploit this vulnerability to execute arbitrary code.

Two other issues – TALOS-2023-1877 (CVE-2023-45742) and TALOS-2023-1899 (CVE-2023-50381, CVE-2023-50383, CVE-2023-50382) -- can also lead to arbitrary code execution, but in these cases, are caused by a series of malicious HTTP requests.

TALOS-2023-1872 (CVE-2023-47677) could allow an attacker to carry out a cross-site request forgery attack if they send a specially crafted network packet to the targeted device. This vulnerability could force an authenticated user to submit requests to the device. 

And finally, TALOS-2023-1874 (CVE-2023-34435) could allow an adversary to update the device to a new version of its firmware without the user knowing, potentially allowing them to deploy a malicious update.

**Vulnerabilities in LevelOne router could lead to remote code execution**

_Discovered by Francesco Benvenuto._

The LevelOne WBR-6013 wireless router contains two vulnerabilities that could lead to remote code execution.

TALOS-2023-1871 (CVE-2023-46685) is a hardcoded password vulnerability in the router’s telnetd service. A text file contains the hash of the users’ passwords, which an adversary could access and then use to completely take over a device. 

This router also uses Boa as a web server, which by default has the ‘/boafrm/formSysCmd’ API. While there is no LevelOne documentation about this API's existence, an adversary could still reach the API to execute arbitrary commands in the device. An adversary could send a specially crafted network packet to exploit TALOS-2023-1873 (CVE-2023-49593).

LevelOne has declined to release a patch for these issues.

**Grandstream GXP2135 command injection vulnerability**

_Discovered by Matthew Bernath._

The Grandstream GXP2135 voice-over-IP phone contains a command injection vulnerability that could lead to arbitrary command execution. 

TALOS-2024-1978 (CVE-2024-32937) exists if an adversary sends a specially crafted network packet to the targeted device. The attacker could manipulate the vulnerable configuration on the device by authenticating to a web server first, or by carrying out an adversary-in-the-middle attack to configure the device’s ACS.

15 vulnerabilities discovered in software development kit for wireless routers

Talos is releasing a new list of CyberChef recipes that enable faster and easier reversal of encoded JavaScript code contained in the observed HTML attachments.

Wednesday, July 10, 2024 08:00

*   Cisco Talos has spotted several malicious email campaigns over the past few months that disguise JavaScript code within HTML email attachments, a technique commonly known as “HTML Smuggling.”
*   Cisco Talos has noticed that some industry verticals were targeted more than others by email threats using the HTML smuggling technique during the observed time window. For example, companies in the human resources, insurance and healthcare domains were targeted the most, while legal, supply chain and e-commerce companies were among those targeted the least. 
*   A wide range of evasion techniques has been identified from the senders of these emails, finding ways to get around email gateways and even more advanced detections. These techniques range from various encoding mechanisms to encryption and obfuscation. 
*   These adversaries use simple methods to increase their chances of success, like playing around with email attachments, as well as more advanced techniques by combining different evasion methods or employing a single evasion method multiple times. 
*   Talos is releasing a new list of CyberChef recipes that enable faster and easier reversal of encoded JavaScript code contained in the observed HTML attachments. This may assist in creating automation to process and identify such emails for more effective long-term security measures. 

**Introduction to HTML smuggling **

HTML smuggling is a technique used by attackers to embed encoded or encrypted JavaScript code within HTML attachments or web pages. This technique has been used extensively in spear phishing email campaigns over the past few months. HTML smuggling is quite effective in bypassing perimeter security controls such as email gateways and web proxies for two main reasons: It abuses the legitimate features of HTML5 and JavaScript, and it leverages different forms of encoding and encryption. 

Threat actors start by sending one or more emails with URLs or HTML attachments to their targets. When the recipient clicks on the URL or opens the attachment, the browser decodes and runs all encoded JavaScript code automatically, which will eventually download and deliver the malware to the victim’s device, or alternatively, redirect the user to the final phishing page. In some cases, the code for the malware is embedded in the HTML attachment, and the JavaScript code simply reconstructs and runs it without needing additional downloads. 

**Reversing the HTML attachments **

Security researchers should continuously monitor changes in threat actors’ techniques and update their detection logic and/or processes to make sure customers stay protected. Reverse engineering tools could be helpful for several reasons because they help security analysts better understand attackers’ techniques, especially those that are used to help them stay under the radar. They could be used to update the logic in detection rules or feature extraction processes for more advanced detection solutions that rely on machine learning.  

By sharing the insights gained from reverse engineering with the broader cybersecurity community, organizations can contribute to collective threat intelligence efforts, helping others to prepare for and defend against similar attacks. 

CyberChef is a powerful open-source web application developed by Government Communications Headquarters (GCHQ) that facilitates the decoding and decryption of JavaScript code in HTML attachments. It provides a variety of modules (or functions) for decoding and decryption that can be combined to build up a “recipe.” These recipes can then be exported in different formats and loaded later to be used elsewhere. A snippet of an HTML attachment is shown below.  

A snippet of an HTML attachment with base64-encoded string within a script tag. 

This attachment contains an encoded string in JavaScript that can be decoded using a base64-decoding function. The URL is defanged to avoid being opened by the readers by mistake.  

An encoded string and its decoded equivalent using the “From Base64” function in CyberChef. 

Talos is releasing new recipes that security researchers can use to reverse encoded and/or encrypted JavaScript code in HTML attachments. Alternatively, these recipes could be integrated into automated feature extraction processes to improve the detection of emails containing HTML attachments. We will also share recipes that are not referenced in this blog post but have been used frequently to reverse HTML attachments. The combinations captured by these recipes show which evasion techniques threat actors use most often. 

**A dive into evasion techniques **

Talos has been closely monitoring email campaigns that leverage HTML smuggling over the past several months. Various evasion techniques have been identified, which threat actors use to bypass email gateways, ranging from different encoding mechanisms to encryption. In some instances, evasion techniques are chained together, but in others, a single method is employed multiple times to increase the challenge of detection. Additionally, obfuscation has been applied to the encoded JavaScript code to further complicate their detection. 

**Playing around with attachments **

Talos has witnessed various attempts by threat actors to manipulate email attachments to take advantage of software engineering oversights and evade detection systems. 

One common technique involves using alternative or similar file extensions for attachments to bypass message filtering mechanisms. For example, XHTML, an older and stricter version of HTML that follows XML syntax, has been frequently used in HTML smuggling. SHTML, an extension of HTML that allows for the inclusion of dynamic content, has also been used in the wild. 

Instead of using alternative file extensions, a frequent pattern has been identified where dots are added to the end of HTML file extensions (e.g., “html.”, “htm.”, “htm…”). This attempt aims to bypass email parsers that rely on the Content-Type header to determine the type of an email attachment. By adding at least one dot to the end of the file extension, the Content-Type of an email attachment changes from text/html to application/octet-stream (see the examples below). 

The Content-Type of the HTML attachment of an example email. 

The Content-Type of the ”htm.” attachment of an example email. 

In some cases, the attachment’s file extension is repeated multiple times, or the attachment lacks any file extension (see the examples below). We have also observed attempts to combine different file extensions (e.g., “.pdf.html” or “xls.html”), which may confuse the file type identification logic of the detection code. This can affect how files are passed to downstream modules for further assessment.

An example email with ”.html .html” file extension.

A snippet of the HTML attachment of the above email with JavaScript code. 

An example email with an HTML attachment that lacks the file extension.

A snippet of the HTML attachment of the above email with JavaScript code.

Other popular techniques frequently observed include enclosing HTML attachments in ZIP archives and attaching multiple similar HTML attachments to a single email. The latter method has been identified as an attempt to increase the chances of success. The following email provides an example in which multiple SHTML attachments with identical content have been attached to a spear phishing email. The goal of the threat actors is to offer multiple employment benefits and trick the victim into engaging with any one of them. The more attractive these benefits are to an employee, the higher the chance of success for the attackers.

A spearphishing example email with multiple SHTML attachments.

A snippet of the SHTML attachment of the above email with JavaScript code, and the decoded phishing URL.

**Obfuscation **

Code obfuscation is used extensively in HTML smuggling attacks to make their detection more challenging and expensive. One of the most popular techniques that is often applied to JavaScript code is identifier renaming, which changes the key identifiers of the code such as variable and function names to some meaningless strings. This technique is popular because it’s offered by most free and open-source obfuscators and doesn’t change the logic of the code. Two examples are provided below. In the first example, the phishing URL is an array of integers and is stored in an obfuscated variable, which is then decoded on the fly, followed by a “click” method that redirects the victim to the phishing page.

A spear phishing example email with obfuscated JavaScript within HTML attachment.

A snippet of the HTML attachment of the above email with JavaScript variables that are obfuscated via identifier renaming method, and the decoded phishing URL.

In the second example, the function name is also obfuscated. Here, an obfuscated string is initially decoded through a series of replacements. Subsequently, the decoded string is passed to the “eval” method, which executes it.

An example email with obfuscated JavaScript within HTML attachment.

A snippet of the HTML attachment of the above email with JavaScript variables and functions that are obfuscated via the identifier renaming method.

**Using a single evasion technique multiple times **

The following case provides an example in which one of our customers received an email with an "html." attachment in October 2023. In this instance, threat actors leveraged the base64 encoding method twice, a technique also known as double encoding, to evade detection systems that likely rely on single-stage decoding procedures before analyzing scripts. 

A spear phishing example email with an HTML attachment that contains double encoded JavaScript string variables.

The content of the HTML attachment is shown in the figure below. This attachment contains four hidden input fields. Hidden input fields are not visible on the webpage, but they can still hold values that are sent to the server when the form is submitted. Initially, the JavaScript code retrieves the values of these hidden input fields. It then uses the "substr" method to extract substrings from the values and concatenates them. Finally, two URLs are generated from these hidden fields on the fly (the values of the hidden fields and next variables can be decoded via this recipe: Base64\_Decode\_DecimalUnicode2String\_Base64\_Decode recipe). 

A snippet of the HTML attachment of the above email with double encoded JavaScript string variables.

The final phishing page (https\[:\]//dompr\[.\]arrogree\[.\]park/login.php), constructed on the fly and stored in the 'trc' variable, is automatically shown to the victim once the HTML page is fully loaded, using the 'onload' method. As soon as the user enters the credentials, the 'SFiegrt' method will send them to another remote server (https\[:\]//cpsvr\[.\]hiominsa\[.\]com/POST/genofcatch.php) using an asynchronous HTTP POST request.

A snippet of the HTML attachment of the above email with double-encoded JavaScript string variables and the decoded URLs.

**Chaining different evasion techniques**

Talos has observed continuous efforts to combine different encoding and/or encryption techniques in HTML attachments by email campaigns to evade detection. In addition, threat actors typically obfuscate the embedded JavaScript code to increase their chances of success.

In the example below, you can find an email with an "htm" attachment that was sent to one of our customers in December 2023.

A spear phishing example email with an HTML attachment that combines identifier renaming obfuscation, base64 encoding and Caesar encryption to bypass detection.

The embedded JavaScript code is shown in the figure below. This email was clearly tailored for a specific recipient (see the masked email address).

A snippet of the HTML attachment of the above email with obfuscated JavaScript variables and a base64-encoded string variable. 

The script block contains an obfuscated variable named '\_0x5da6a8' that holds a base64-encoded string. When decoded (via the Base64\_Decode\_2 recipe), it yields the main JavaScript code, which includes the final phishing URL and the de-obfuscation function. The de-obfuscation function takes the "link" string variable as input, iterates over its characters, converts each character to its Unicode equivalent, subtracts five from the decimal value of each character, converts the resulting decimal value back to a Unicode character, and converts the Unicode value back to a string. Under the hood, this function effectively replicates the functionality of a Caesar cipher decryption method (see the Caesar\_Decrypt recipe).

The decoded JavaScript code of the above base64-encoded string variable, the Caesar decryption function, and the phishing URL.

So, threat actors have used encoding, Caesar encryption and obfuscation altogether in this case to evade detection.

The example email below shows how threat actors have combined encoding and AES encryption in an HTML attachment to evade detection. 

A spear phishing example email with an HTML attachment that combines base64 encoding and AES encryption to bypass detection.

A snippet of the HTML attachment of the above email with a base64-encoded input field that is hidden.

As can be seen from the HTML attachment snippet, there is a base64-encoded string in this file. This string is first decoded using the 'atob' method (or the Base64\_Decode\_1 recipe). Once decoded, it yields a JSON string with four keys (a-d), as shown below. The value of the 'a' key is the encrypted string, which is decrypted on the fly. The values of the 'b' and 'd' keys are the passphrase and salt, respectively, for the PBKDF2 key derivation function used to create the decryption key. The value of the 'c' key is the Initialization Vector (IV) for the AES decryption function.  

The decoded JSON string is obtained from the encoded input field in the above HTML attachment. 

With the above values, the decryption key is derived on the fly (using the Derive\_Key\_PBKDF2 recipe). Then, with this key and the IV parameter, the value of 'a' is decrypted (using the Base64\_Decode\_AES\_CBC\_Decrypt recipe) to retrieve the URL, as shown below. Note that the inner URL is in HEX format (which can be decoded using the Hex\_Decode recipe).  

The final phishing URL is obtained from AES decryption.

Once this URL is created, a fetch request with a POST method is sent to it, with a JSON body containing "{ "lettuce": "friendliness" }". Then, the response from the fetch request is read as text. The text is decrypted again by calling the pea function, and finally, the second decrypted result is written to the document using "document.write", replacing all current content. The walkthrough above gives an idea of how threat actors combine different evasion techniques and how challenging it is for defenders to detect such threats.

**HTML smuggling in the wild **

The number of unique emails that used HTML smuggling between Oct. 1, 2023, and May 31, 2024.

The above chart indicates that we observed a peak in the number of emails leveraging this technique on Feb. 2, 2024, particularly those employing advanced encoding and obfuscation in their HTML attachments. The subsequent pie chart shows that our American customers were targeted significantly more than our European customers by email threats utilizing this technique. 

The percentage of emails that used HTML smuggling against customers in different geographical regions.

We noticed that some industry verticals were targeted more than others by email threats using the HTML smuggling technique during the observed time window. For example, companies in the human resources, insurance and healthcare domains were targeted the most, while legal, supply chain and e-commerce companies were among those targeted the least.

The number of convictions for email threats that used HTML smuggling across different industry verticals.

Our observation shows that the ".shtml" file extension, followed by ".htm" and ".html", were the most used in email threats that leveraged the HTML smuggling technique. The fourth and fifth most widely used file extensions were ".htm...." and ".xhtml". The other file extensions we found interesting included ".pdf.shtml", ".pdf.htm", and ".xlsx.html". We have identified these as potential techniques to exploit software engineering oversights and bypass detection mechanisms.

Top HTML attachment file extensions observed in email campaigns that used HTML smuggling.

**How to protect against email threats that use HTML Smuggling? **

As outlined earlier, HTML smuggling poses significant challenges to traditional security solutions and rule-based detection engines. The extensive deployment of encoding, encryption, and obfuscation renders the detection of emails utilizing this technique challenging, necessitating enhancements in various aspects of defense. Several of these areas are detailed below.

**Multi-layered defense **

Swiftly blocking an attack minimizes its potential impact on our customers' business operations. Thus, it is advantageous to neutralize threats at initial stages, such as at the email gateway and web filtering level. However, if a message passes through these perimeter security controls and lands in a user’s inbox, retrospective detections and endpoint protection controls should either detect these messages at later stages and pull them out of the user’s inbox or prevent the execution of such malicious JavaScript on the victim’s device. 

**Improved security engineering**

Despite typically having insufficient information about the architecture and inner workings of commercial security solutions, threat actors occasionally exploit software engineering oversights to bypass detection mechanisms. A notable instance of this is their manipulation of email attachments to evade scrutiny. Therefore, monitoring these evasion techniques and revising the code accordingly could improve the efficacy of existing detection engines significantly. Talos monitors changes in adversaries’ techniques precisely and makes sure our customers stay protected.  

**Advanced detection methods **

The HTML smuggling technique enables emails to effectively evade traditional perimeter security measures, including email gateways and presents significant detection challenges for rule-based systems. Consequently, the deployment of more sophisticated message processing and security solutions is imperative. Additionally, enhancing endpoint security measures to prevent the execution of such scripts on user devices is essential.  

Talos continuously monitors the changes in attackers' techniques and updates our detection capabilities to ensure our customers stay protected. Learn more about Cisco Security Email Threat Defense here.

**Indicators of compromise (IOCs)**

Indicators of compromise (IOCs) associated with this blog post can be found here.

Hidden between the tags: Insights into spammers’ evasion techniques in HTML Smuggling

Based on a comprehensive review of more than a dozen prominent ransomware groups, we identified several commonalities in TTPs, along with several notable differences and outliers.

Wednesday, July 10, 2024 06:00

Given the recent slate of massive ransomware attacks that have disrupted everything from hospitals to car dealerships, Cisco Talos wanted to take a renewed look at the top ransomware players to see where the current landscape stands. 

Based on a comprehensive review of more than a dozen prominent ransomware groups, we identified several commonalities in tactics, techniques and procedures (TTPs), along with several notable differences and outliers.  

Talos’ studies indicate that the most prolific ransomware actors prioritize gaining initial access to targeted networks, with valid accounts being the most common mechanism. Phishing for credentials often precedes these attacks, a trend observed across all incident response engagements, consistent with our 2023 Year in Review report. Over the past year, many groups have increasingly exploited known and zero-day vulnerabilities in public-facing applications, making this a prevalent initial access vector. 

**Watch: Discussion of latest ransomware trends**

The AlphV/Blackcat and Rhysida groups stood out with the broadest range of TTPs, demonstrating significant tactical diversity. Conversely, groups like BlackBasta, LockBit and Rhysida not only encrypted data and defaced victim systems to maximize impact. Distinctively, the Clop ransomware group primarily focused on extortion through data theft rather than typical encryption tactics and is one of the only actors to exploit zero-day vulnerabilities. 

Our findings are based on a comprehensive analysis of 14 ransomware groups between 2023 and 2024. We selected the ransomware groups based on volume of attacks, impact on customers, and atypical threat actor behavior. Our research includes data from the actors’ public leak sites, Cisco Talos Incident Response (Talos IR), Talos internal tracking efforts and open-source reporting.

During this research period, Talos IR was actively engaged in responding to a considerable number of ransomware attacks heavily targeting the United States. These attacks spanned a broad spectrum of industries, notably impacting the manufacturing and information sectors, employing various techniques to encrypt data and demand ransoms, with their activities resulting in significant levels of financial losses and business disruption. 

Over the past year, we have witnessed major shifts in the ransomware space with the emergence of multiple new ransomware groups, each exhibiting unique goals, operational structures and victimology. The diversification highlights a shift toward more boutique-targeted cybercriminal activities, as groups such as Hunters International, Cactus and Akira carve out specific niches, focusing on distinct operational goals and stylistic choices to differentiate themselves. 

**An advanced arsenal: Notable TTPs employed by ransomware actors **

Utilizing the MITRE ATT&CK framework as a baseline, we identified the primary TTPs utilized by major ransomware threat actors over the past three years which involved a detailed examination of each TTP, its execution methods, and relevant sub-techniques, that highlight unique TTPs not previously emphasized in MITRE’s top ATT&CK techniques. 

Key findings indicate that many of the most prominent groups in the ransomware space prioritize establishing initial access and evading defenses in their attack chains, highlighting these phases as strategic focal points. Within the past year, many groups have exploited critical vulnerabilities in public-facing applications, becoming a prevalent attack vector, which we addressed later, indicating an increased need for appropriate security controls and patch management.  

Echoing a trend identified in our Talos Year in Review report, our data supported the conclusion that ransomware actors continue to apply a significant focus to defense evasion tactics to increase dwell time in victim networks. Typical popular defense evasion methods include the disablement and modification of security software such as anti-virus programs, endpoint detection solutions, or security features in the operating system to prevent the detection of the ransomware payload. Adversaries will also often obfuscate malicious software by packing and compressing the code, eventually unpacking itself in memory when executed. They’ll also modify the system registry to disable security alerts, configure the software to execute at startup, or block certain recovery options for users. 

The most prevalent credential access technique Talos IR engagements have seen in 2023 and 2024 is the dumping of LSASS memory contents. Ransomware threat actors were seen often targeting the Local Security Authority Subsystem Service (LSASS) to extract authentication credentials by dumping memory. This technique involves accessing the LSASS process' memory to retrieve plaintext passwords, hashed passwords, and other authentication tokens stored in memory. This tactic is particularly effective because it exploits the normal functioning of a legitimate system process. 

We also identified a trend in command and control (C2) activities indicating continued use of commercially available tools by affiliates, such as AnyDesk and ScreenConnect remote monitoring and management (RMM) applications, indicating a threat actor preference for readily accessible, legitimate technologies in maintaining influence over compromised systems. Abusing often trusted applications allows actors to blend in with corporate network traffic and reduce resource development costs without needing to develop distinct custom C2 mechanisms.  

**Typical attack chain of ransomware actors: Insights from the top 14 groups **

In the first phase of a ransomware attack, adversaries work to gain initial access to the target network, using a combination of social engineering, network scanning and open-source research to learn about their victims, identify possible access vectors, and customize their initial access attempts. Adversaries may send emails containing malicious attachments or URL links that will execute malicious code on the target system, deploying the actors' tools and malware, and exploiting multi-factor authentication (MFA). There are many ways adversaries hope to bypass MFA, whether because of poor implementation or because they already have valid account credentials. Most notably, we have seen an increasing number of ransomware affiliates attempting to exploit vulnerabilities or misconfigurations in internet-facing systems, such as in legacy or unpatched software.   

Then, these actors will look to establish long-term access, ensuring that their operations will be successful even if their initial intrusion is discovered and remediated.  Attackers often use automated malware persistence mechanisms, such as AutoStart execution upon system boot, or modify registry entries. Remote access software tools and create local, domain and/or cloud accounts can also be deployed to establish secondary credentialed access. 

Upon establishing persistent access, threat actors will then attempt to enumerate the target environment to understand the network’s structure, locate resources that can support the attack, and identify data of value that can be stolen in double extortion. Using various local utilities and legitimate services, they exploit weak access controls and elevate privileges to the administrator level to progress further along the attack chain. Ransomware actors continue this cycle of persistence to escalate privileges and compromise additional hosts. We have observed the popular use of many network scanner utilities in conjunction with local operating system tools and utilities (living-off-the-land binaries) like Certutil, Wevtutil, Net, Nltes and Netsh to blend in with typical operating system functions, exploit trusted applications and processes, and aid in malware delivery.  

In the shifting focus to a double extortion model, many adversaries collect sensitive or confidential information to send to an external adversary-controlled resource or over some C2 mechanism. File compression and encryption utilities WinRAR and 7-Zip have been used to conceal files for the unauthorized transfer of data, while adversaries often exfiltrate files using the previously mentioned legitimate RMM tools. Custom data exfiltration tools have been developed and used by the more mature RaaS operations, offering custom tooling such as Exbyte (BlackByte) and StealBit (LockBit) to facilitate data theft.  

At this point, adversaries are ready to stage the ransomware payload and begin encryption. Steps they may take to prepare for the attack include customizing the code for specific objectives (e.g., ignoring certain file types/locations), embedding the ransomware in the environment, testing delivery mechanisms, and ensuring that the ransomware relates to and receiving instructions from the attacker's C2 server, which contains the encryption key. The adversary will then begin encrypting the network and notifying the victim that they have been breached. If the goal is pure data theft extortion, then this phase is skipped.   

**Ransomware actor’s exploitation of vulnerable applications (CVEs)   **

Analysis of Talos IR engagements focusing on the exploitation of critical vulnerabilities in public-facing applications by ransomware actors uncovered three vulnerabilities for their repeated exploitation: CVE-2020-1472, CVE-2018-13379 and CVE-2023-0669. Exploitation of these and other critical vulnerabilities can provide initial access and lead to privilege escalation by the threat actors.  

**_CVE-2020-1472 ("Zerologon")_   **

CVE-2020-1472, known as "Zerologon," exploits a flaw in the Netlogon Remote Protocol (MS-NRPC), allowing attackers to bypass authentication mechanisms and change computer passwords within a domain controller's Active Directory. Ransomware actors leverage this vulnerability to gain initial access to networks without requiring authentication, quickly escalating privileges to domain administrator levels. This access enables them to manipulate security policies, and potentially disable security defenses, facilitating unobstructed lateral movement and attack progression.   

**_CVE-2018-13379 (Fortinet FortiOS SSL VPN vulnerability)_   **

The path traversal vulnerability in Fortinet's FortiOS SSL VPN, identified as CVE-2018-13379, allows unauthenticated attackers to access system files through specially crafted HTTP requests. Ransomware groups have exploited this vulnerability to obtain sensitive information, such as VPN session tokens, which can be used to gain unauthorized access to the network. With access secured, attackers will then advance through the attack chain moving laterally within the network, exploiting further vulnerabilities or weak configurations, deploying ransomware, and exfiltrating data.   

**_CVE-2023-0669 (GoAnywhere MFT vulnerability)_   **

Discovered in January 2023, CVE-2023-0669 affects the GoAnywhere Managed File Transfer (MFT) software, allowing remote attackers to execute arbitrary code on the server without requiring authentication. This critical vulnerability enables actors to deploy ransomware payloads directly to servers or use the compromised server as a pivot for further internal reconnaissance and lateral movement. The ability to execute arbitrary code enables attackers to manipulate systems, create backdoors and disable security controls.   

Volt Typhoon, a People’s Republic of China-affiliated threat actor, was recently documented actively targeting U.S. critical infrastructure, with an attack chain involving exploitation of known or zero-day vulnerabilities. Volt Typhoon has been observed infiltrating IT systems of critical infrastructure organizations across the U.S., including territories like Guam exploiting vulnerabilities in multiple products including a server-side request forgery vulnerability in the SAML component of Ivanti Connect Secure, CVE-2023-46805 and CVE-2024-21887.

Talos also recently reported on a complex campaign targeting Cisco Adaptive Security Appliances (ASA), exemplifying further state-sponsored actors targeting critical vulnerability exploits in perimeter network devices. Cisco's PSIRT and Talos Threat Intelligence and Interdiction identified the previously unknown actor UAT4356, who employed bespoke tooling for sophisticated espionage activities, leveraging two vulnerabilities, CVE-2024-20353 and CVE-2024-20359, as part of this campaign.

The security of public-facing applications continues to be an area of significance due to organizations' continued reliance of scalable software applications, integral for day-to-day business operations, posing a significant impact on organizational security and data integrity. The exploitation of these vulnerabilities can lead to severe disruptions, financial losses and reputational damage.  

**Mitigation recommendations **

**Regular patch management:** Consistently apply patches and updates to all systems and software to address vulnerabilities promptly and reduce the risk of exploitation. 

**Strict password policy and MFA:** Implement strong password policies that require complex, unique passwords for each account. Additionally, enforce multi-factor authentication (MFA) to add an extra layer of security. 

**System and environment hardening:** Apply best practices to harden all systems and environments, minimizing attack surfaces by disabling unnecessary services and features. 

**Network separation and client network authentication:** Segment your network using VLANs or similar technologies to isolate sensitive data and systems, preventing lateral movement in case of a breach. In addition to utilizing network access control mechanisms such as 802.1X to authenticate devices before granting network access, ensuring only authorized device connections. 

**Monitoring and endpoint detection and response:** Implement a Security Information and Event Management (SIEM) system to continuously monitor and analyze security events, in addition to the deployment of EDR/XDR solutions on all clients and servers to provide advanced threat detection, investigation, and response capabilities 

**Principle of least privilege:** Adopt a least-privilege approach, ensuring that users and systems have only the minimal level of access necessary to perform their functions, thereby limiting potential damage from compromised accounts. 

**Minimize IT exposure to the internet:** Reduce your IT systems' exposure to the Internet by limiting the number of public-facing services and ensuring robust protections for any necessary external interfaces.

Inside the ransomware playbook: Analyzing attack chains and mapping common TTPs

This is the largest Patch Tuesday since April, when Microsoft patched 150 vulnerabilities.

Tuesday, July 9, 2024 14:01

Microsoft released its monthly security update on Tuesday, disclosing 142 vulnerabilities across its suite of products and software. Of those, there are five critical vulnerabilities, and every other security issue disclosed this month is considered "important."

This is the largest Patch Tuesday since April when Microsoft patched 150 vulnerabilities.

Of the critical vulnerabilities, two are considered more likely to be exploited:

CVE-2024-38023, a remote code execution vulnerability in Microsoft SharePoint server, where an authenticated attacker with Site Owner permissions can use the vulnerability to execute arbitrary code in the context of SharePoint server.

CVE-2024-38060, a remote code execution vulnerability in Microsoft Windows Codecs Library that can be exploited by an authenticated attacker who uploads a specially crafted malicious TIFF file.

There are three other critical vulnerabilities listed in this advisory. All three (CVE-2024-38074, CVE-2024-38076 and CVE-2024-38077) are remote code execution vulnerabilities in Windows Remote Desktop Licensing Service. In all of them, an attacker could send a specially crafted network packet which could cause remote code execution. In the case of CVE-2024-38077, the adversary does not need to be authenticated.

All the remaining vulnerabilities are considered important. Of these, CVE-2024-38080 is particularly relevant because Microsoft has acknowledged that it’s already being exploited in the wild. An adversary could exploit this elevation of privilege vulnerability in Windows Hyper-V to gain System privileges.

Cisco Talos' Vulnerability Research team discovered another elevation of privilege vulnerability, CVE-2024-38062, in the kernel-mode driver. An adversary could also exploit this vulnerability to gain System privileges. Microsoft considers the complexity of this attack to be "low," though it's "less likely" to be exploited.

Several other “important” vulnerabilities could lead to remote code execution and are identified by Microsoft as being “more likely” to be exploited.

CVE-2024-38021 is a remote code execution vulnerability in Microsoft Office. An attacker could craft a malicious link that bypasses the Protected View Protocol, leading to the leaking of local NTLM credentials and remote code execution.

CVE-2024-38024 is a remote code execution vulnerability in Microsoft SharePoint Server. An adversary could exploit this issue by uploading a specially crafted file to the targeted SharePoint Server and crafting specialized API requests to trigger the deserialization of a file's parameters, leading to arbitrary code execution in the context of the SharePoint server. However, this attacker would need to have Site Owner permissions or higher.

CVE-2024-38094 is another vulnerability in SharePoint servers. Adversaries with Site Owner permissions can use this vulnerability to inject arbitrary code and execute code in the context of a SharePoint server.

A complete list of all the vulnerabilities Microsoft disclosed this month is available on its update page.  

In response to these vulnerability disclosures, Talos is releasing a new Snort rule set that detects attempts to exploit some of them. Please note that additional rules may be released at a future date, and current rules are subject to change pending additional information. Cisco Secure Firewall customers should use the latest update to their rule set by updating their SRU. Open-source Snort Subscriber Rule Set customers can stay up-to-date by downloading the latest rule pack available for purchase on Snort.org.  

The rules included in this release that protect against the exploitation of many of these vulnerabilities are 63687 - 63690, 63693, 63694 and 63697 - 63700. There are also Snort 3 rules 300958 - 300961.

Largest Patch Tuesday in 3 months includes 5 critical vulnerabilities

In recent months, a surge in cryptodrainer phishing attacks has been observed, targeting cryptocurrency holders with sophisticated schemes aimed at tricking them into divulging their valuable credentials.

Tuesday, July 9, 2024 08:00

_By_ _Teoderick Contreras_ _and_ _Jose Hernandez_ _of Splunk, with contributions from the Splunk Threat Research Team._  

Cryptodrainer scams have emerged as a significant threat in the cryptocurrency ecosystem, targeting unsuspecting individuals with the promise of easy profits while covertly siphoning their digital assets.  

Initially, cryptodrainer scams primarily manifested as fraudulent investment schemes, promising high returns on investments in dubious projects or fake initial coin offerings (ICOs). These scams exploited the speculative nature of cryptocurrency markets, luring investors with the allure of quick riches and revolutionary technology. However, instead of delivering on their promises, scammers absconded with investors' funds. 

An example of a cryptodraining scam spread on a Jamaican news outlet’s X account in 2023 after the account was hacked. 

Cryptodrainer phishing scams targeting cryptocurrency holders have become increasingly sophisticated, with scammers employing social engineering techniques to trick users into divulging their private keys or login credentials. These stolen assets were then swiftly drained from victims' wallets, often leaving them with little recourse for recovery. 

In recent months, a surge in cryptodrainer phishing attacks has been observed, targeting cryptocurrency holders with sophisticated schemes aimed at tricking them into divulging their valuable credentials. These tactics involve deceptive URLs, carefully crafted to resemble legitimate cryptocurrency platforms, enticing unsuspecting users to input their sensitive login information. 

One particularly concerning trend is the emergence of phishing campaigns proliferating across various social media platforms, including X (Twitter). In these instances, compromised accounts, likely hijacked by cybercriminals, are used as unwitting conduits to deliver the malicious URLs to a wider audience. The compromised accounts lend an air of legitimacy to the fraudulent scheme, thereby increasing the likelihood of unsuspecting users falling victim to the scam. 

These types of platforms have long been rife for abuse and scams. Cisco Talos has previously highlighted how various aspects of “Web 3” such as the metaverse and smart contracts have been abused to trick users into emptying their cryptocurrency wallets. Malicious Google Forms documents have also been used as an attack vector for these scams.  

**Anatomy of a crytodrainer attack **

Splunk researchers used the Splunk Attack Analyzer to gain insights into the anatomy of this phishing campaign, which we believe follows the same general infection method and attack pattern of cryptodrainer scams. 

Below are a few examples of phishing website pages designed to mimic legitimate cryptocurrency platforms, enticing users to disclose their cryptocurrency login credentials. 

Phishing site web pages. 

Splunk expanded our repository of potential cryptodrainer phishing URLs using the Attack Analyzer. One such example is _hxxp\[://\]nfts-manta\[.\]network/_, a site identified and flagged as a phishing site by several anti-virus products, according to VirusTotal. 

A phishing site in VirusTotal. 

Splunk Attack Analyzer also provides a comprehensive overview, including the landing page screenshot of the phishing site, potential URL link redirections, detections and related artifacts, facilitating further in-depth analysis. 

A screenshot of Splunk Attack Analyzer. 

Upon accessing this phishing site, users are prompted to connect their cryptocurrency wallets to purportedly claim tokens. A common method observed for wallet connection involves scanning a QR code using a mobile phone. This QR code may seemingly link to the desired cryptocurrency wallet app, offering the illusion of a seamless login process. In reality, this action grants the phishing site access to the user's login credentials, enabling the unauthorized draining of their cryptocurrency wallet. 

A phishing website posing as Manta, a cryptocurrency application.

A QR code displayed on the Manta phishing site. 

**Why should you care? **

Understanding and staying vigilant against cryptodrainer scams is important for safeguarding your financial well-being and data security.  

These scams, often executed through phishing tactics, pose significant risks to individual's finances and personal information if they are invested at all in cryptocurrency.  

By remaining informed about the tactics employed by scammers, you can take proactive measures to protect yourself and prevent potential financial losses. Additionally, spreading awareness about these scams helps mitigate their impact by empowering others to recognize and avoid falling victim to fraudulent schemes.  

Here are a few tips for spotting possible cryptocurrency scams like the ones outlined above: 

*   Carefully consider and thoroughly research before registering for, or investing, in any cryptocurrency that promises quick and significant returns. High-reward opportunities often come with high risks, and many such promises may be scams. As always, if it seems too good to be true, it probably is. 
*   Always verify the legitimacy of the website before providing your personal information or registering your cryptocurrency accounts or wallet. Look for signs of credibility such as secure URLs (https), professional design and positive reviews from trusted sources. 
*   Ensure that your security products are consistently updated to detect and block known malicious websites that employ these deceptive tactics. Regular updates provide the latest protection against evolving threats and scams in the cryptocurrency space. 

By following these guidelines, you can better protect yourself from the risks associated with investing in cryptocurrencies and engaging with online platforms. 

**Coverage **

The following Splunk SOAR playbooks integrate with Splunk Attack Analyzer and other sandbox tools, allowing users and admins to easily triage and identify this type of activity in a given environment. 

Accepts URL link, domain or vault\_id (hash) to be detonated using Splunk Attacker (SAA) API connector. This playbook produces a normalized output for each user and device. 

Leverages Splunk technologies to determine if a .eml or .msg file in the vault is malicious, whether or not it contained suspect URLs or Files, and who may have interacted with the IoCs (emails, URLs or files). 

Automatically dispatches input playbooks with the 'sandbox' tag. This will produce a merge report and indicator tag for each input. 

Below is a list of other IOCs related to cryptodrainer scams.  

    hxxps://123-bti[.]pages[.]dev/ 
    hxxps://giveaway-omnicat[.]pages[.]dev/ 
    hxxps://visit-ait[.]pages[.]dev/ 
    hxxps://enrol-manta[.]network/ 
    hxxp://nfts-manta[.]network/ 
    hxxp://nftbonus-manta[.]network/ 
    hxxps://sea-manta[.]network/ 
    hxxps://sale-starknet[.]io/ 
    hxxps://gain-manta[.]pages[.]dev/ 
    hxxps://frame-343[.]pages[.]dev/ 
    hxxps://gainsatoshi[.]pages[.]dev/ 
    hxxps://visit-dymension[.]pages[.]dev/ 
    hxxps://manta11[.]pages[.]dev/ 
    hxxps://explore-satoshi[.]pages[.]dev/ 
    hxxps://governance-mantanetwork[.]pages[.]dev/ 
    hxxps://accept-satoshivmio[.]pages[.]dev/ 
    hxxps://preregistration-satoshivmio[.]pages[.]dev/ 
    hxxps://receive-altlayerio[.]pages[.]dev/ 
    hxxps://bonus-8u0[.]pages[.]dev/ 
    hxxps://reveal-manta[.]pages[.]dev/ 
    hxxp://acquire-satoshivm[.]io/ 
    hxxps://farcana123[.]pages[.]dev/ 
    hxxps://enlist-jup[.]app/ 
    hxxps://distributedymension[.]pages[.]dev/ 
    hxxps://visit-lineabuild[.]pages[.]dev/ 
    hxxps://1-67c[.]pages[.]dev/ 
    hxxps://registryzetachain[.]pages[.]dev/ 
    hxxps://gratitude-satoshivm[.]pages[.]dev/ 
    hxxps://whitelist-woo[.]pages[.]dev/ 
    hxxps://join-jupapp[.]pages[.]dev/ 
    hxxps://million-satoshivmio[.]pages[.]dev/ 
    hxxps://achieve-altlayer[.]pages[.]dev/ 
    hxxps://follow-satoshivm[.]io/

How do cryptocurrency drainer phishing scams work?

A report in March found that 72% of cryptocurrency projects had died since 2020, with crypto trading platform FTX’s downfall taking out many of them in one fell swoop.

Thursday, June 27, 2024 14:00

AI has since replaced “cryptocurrency” and “blockchain” as the cybersecurity buzzwords everyone wants to hear. 

We're not getting as many headlines about cryptocurrency miners, the security risks or promises of the blockchain, or non-fungible tokens being referenced on “Saturday Night Live.” 

A report in March found that 72% of cryptocurrency projects had died since 2020, with crypto trading platform FTX’s downfall taking out many of them in one fell swoop. This, in turn, means there are fewer instances of cryptocurrency mining malware being deployed in the wild — if cryptocurrencies aren’t as valuable, the return on investment for adversaries just isn’t there.  

But that still hasn’t stopped bad actors from using the cryptocurrency and blockchain spaces to carry out other types of scams that have cost consumers millions of dollars, as a few recent incidents highlight. 

In place of major cryptocurrencies, many bad faith actors are creating “memecoins,” which are cryptocurrencies usually themed around a particular internet meme or character meant to quickly generate hype. The most famous example, Dogecoin, themed after the “Doge” meme, was 72% below its peak value as of Wednesday. 

At one point, Dogecoin was at least worth something, which is more than can be said for most other memecoins launched today. Cryptocurrency news site CoinTelegraph found that one in six newly launched meme-themed cryptocurrencies are outright scams, primarily centered around getting users to spend real-world money to invest in currency before the creator just takes off with their funds. 

And 90% of the memecoins they studied contained at least one security vulnerability that could leave users open to abuse or theft. 

Singer Jason Derulo is even facing allegations that his “JASON” memecoin on the Solana blockchain platform is a scam after it hit a market cap of $5 million on June 23, and then the value fell almost immediately later that day. Separately, someone hacked rapper 50 Cent’s Twitter account to promote the “$GUINT” memecoin. Upon regaining control of his account, 50 Cent said that whoever committed the scam made $3 million in 30 minutes, with consumers putting money into the memecoin thinking it was legitimate, before the creator took off with the money almost immediately, leaving users unable to access their funds. 

Another popular scam still going around in this space is called the “rug pull,” where a cryptocurrency or NFT developer starts to hype up a new project to attract investor funds, only to completely shut down the project days or weeks later, taking investors’ assets with them. 

Blockfence, a Web3 security firm, found a collection of these scammers earlier this year, claiming they had stolen the equivalent of $32 million from more than 42,000 people across multiple rug pull scams. Unmoderated social media platforms have been rife for abuse for these types of scams, with semi-anonymous users with large followings finding it fairly easy to get a large amount of interest in whatever their latest “project” is in a short amount of time.  

The last example, I’m still not sure if it’s a scam yet. A new video game called “Banana” recently blew up on the Steam online store, even though it’s barely a video game. Users can open the game at fixed intervals and click a button to receive a “banana” in their Steam account. Some of these bananas, usually different artists' renderings of an image of the fruit, are extraordinarily rare and can be re-sold on Steam’s internal marketplace for real-world money. 

Some of these bananas have sold for more than $1,000, but most of the basic ones are only worth a few cents. To me, this looks and smells like an NFT. A former cryptocurrency scammer was once even connected to the project before the creators parted ways with him.  

I have no way of knowing any of this for sure, but there doesn’t seem to be any safeguards in place to ensure the creators of the game could rig it for themselves and give only themselves or close friends copies of the rarer items. And I’m not fully sure what the endgame is for the developers, since “Banana” is free to download and “play.”  

Thankfully, I’m not getting as many questions as I used to about NFTs and “the crypto” from extended family members. But just because it’s disappeared from mainstream consciousness doesn’t mean scammers have forgotten about this space, too. 

**The one big thing **

Cisco Talos recently discovered an ongoing campaign from SneakyChef, a newly discovered threat actor using SugarGh0st malware. SneakyChef uses lures that are scanned documents of government agencies, most of which are related to various countries’ Ministries of Foreign Affairs or embassies. Talos recently revealed SneakyChef’s continuing campaign targeting government agencies across several countries in EMEA and Asia, delivering the SugarGh0st malware, however, we found a new malware we dubbed “SpiceRAT” was also delivered in this campaign.   

**Why do I care? **

SneakyChef has already targeted more than a dozen government ministries across the Eastern Hemisphere. Based on the lure documents Talos discovered the actor using, like targets for the campaign could include the Ministries of Foreign Affairs from Angola, India, Kazakhstan, Latvia, and Turkmenistan and the Saudi Arabian embassy in Abu Dhabi. This actor doesn’t seem to be deterred by much, either, as their actions have largely continued in the same manner since Talos first disclosed the existence of SugarGh0st several years ago, using the same TTPs and C2.  

**So now what? **

Talos could not find any of the lure documents used in the wild, so they were very likely stolen through espionage and slightly modified. This could make it more difficult to spot lure documents and spam emails, so users should pay closer attention to the sender’s email address if they are suspicious of any messages. We also released OSQueries, Snort rules and ClamAV signatures that can detect and block SneakyChef’s activities and the SpiceRAT malware.  

**Top security headlines of the week **

**A cyber attack that is stalling communication and sales at car dealerships around the U.S. is unlikely to be restored by the end of the month.** CDK Global, the victim of the campaign, reportedly told customers that they should prepare alternative methods for preparing month-end financial statements. Car dealerships use CDK to conduct sales, process financial information, and look up vehicles’ warranties and recalls. The outage is affecting more than 60 percent of Audi dealerships in the U.S. and about half of Volkswagen’s locations, forcing them to switch to pen-and-paper transactions and contracts or to drop sales altogether. One sales manager of an affected dealership told CNN it could take “months to correct, if not years,” the financial fallout of the outage. CDK first disclosed two back-to-back cyber attacks last week, both of which occurred on June 19. There are already two class action lawsuits against CDK, with plaintiffs alleging that the breach may have exposed customers’ and employees’ names, addresses, social security numbers and other financial information. (Reuters, CNN) 

**The list of victims resulting from a data breach at cloud storage provider Snowflake continues to grow.** Australian ticket sales platform Tiketek informed customers this week of a potential data breach, though it was not immediately clear if it was connected to Snowflake. Retailer Advance Auto Parts also said this week that said employee and applicant data — including social security numbers and other government identification information — were stolen during the breach. Clothing chain Neiman Marcus also filed regulatory documents in Maine and Vermont disclosing that the personal information of more than 64,000 people was potentially accessed because of the Snowflake breach. This information could include names, contact information, dates of birth and gift card numbers for the retailer. Security researchers at Mandiant first estimated that as many as 165 Snowflake customers could be affected. Snowflake says that internal investigations found that the breach was not caused by “a vulnerability, misconfiguration, or breach of Snowflake’s platform." (The Register, The Record by Recorded Future) 

**Adversaries quickly started exploiting another vulnerability in the MOVEit file transfer software, just hours after it was disclosed.** The high-severity vulnerability, CVE-2024-5806, could allow an attacker to authenticate to the file-transfer platform as any valid user with the accompanying privileges. The vulnerability exists because of an improper authentication issue in MOVEit’s SFTP module, which Progress, the creator of the software, says “can lead to authentication bypass in limited scenarios.” A different vulnerability in MOVEit was targeted in a rash of Clop ransomware attacks that eventually affected more than 160 victims, including the state of Maine, the University of California Los Angeles, and British Airways. Managed file transfer software (MFT) like MOVEit are popular targets for threat actors because they contain large amounts of sensitive information, which adversaries will steal and then use to extort victims. The Shadowserver Foundation posted on Twitter on Tuesday that they began seeing exploitation attempts shortly after details emerged about CVE-2024-5806. (Dark Reading, SecurityWeek) 

**Can’t get enough Talos? **

*   Cisco Talos: How Threat Actors Target MFA 
*   MFA plays a rising role in major attacks, research finds 
*   SpiceRAT: Cisco Talos Sound Alarm Over New Trojan 
*   Hack your water and electricity! Myth or Reality? 
*   Multiple vulnerabilities in TP-Link Omada system could lead to root access 
*   Talos Takes Ep. #188: Everything we know about denial-of-service attacks in 2024 

**Upcoming events where you can find Talos **

**_BlackHat USA_** **_(Aug. 3 – 8)_** 

_Las Vegas, Nevada_ 

**_Defcon_** **_(Aug. 8 – 11)_** 

_Las Vegas, Nevada_ 

**_BSides Krakow_** **_(Sept. 14)_**  

_Krakow, Poland_ 

**Most prevalent malware files from Talos telemetry over the past week **

**SHA 256:** 9be2103d3418d266de57143c2164b31c27dfa73c22e42137f3fe63a21f793202   
**MD5:** e4acf0e303e9f1371f029e013f902262   
**Typical Filename:** FileZilla\_3.67.0\_win64\_sponsored2-setup.exe   
**Claimed Product:** FileZilla   
**Detection Name:** W32.Application.27hg.1201 

**SHA 256:** a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91  
**MD5:** 7bdbd180c081fa63ca94f9c22c457376  
**Typical Filename:** c0dwjdi6a.dll  
**Claimed Product:** N/A  
**Detection Name:** Trojan.GenericKD.33515991

**SHA 256:** a024a18e27707738adcd7b5a740c5a93534b4b8c9d3b947f6d85740af19d17d0   
**MD5:** b4440eea7367c3fb04a89225df4022a6   
**Typical Filename:** Pdfixers.exe   
**Claimed Product:** Pdfixers   
**Detection Name:** W32.Superfluss:PUPgenPUP.27gq.1201 

**SHA 256:** 484c74d529eb1551fc2ddfe3c821a7a87113ce927cf22d79241030c2b4a4aa74  
**MD5:** dc30cfd21bbb742c10e3621d5b506780  
**Typical Filename:** KMS-R@1nHook.exe  
**Claimed Product:** N/A  
**Detection Name:** W32.File.MalParent

**SHA 256:** 9be2103d3418d266de57143c2164b31c27dfa73c22e42137f3fe63a21f793202  
**MD5:** e4acf0e303e9f1371f029e013f902262  
**Typical Filename:** FileZilla\_3.67.0\_win64\_sponsored2-setup.exe  
**Claimed Product:** FileZilla  
**Detection Name:** W32.Application.27hg.1201