There are also multiple vulnerabilities in AVideo, an open-source video broadcasting suite, that could lead to arbitrary code execution.

Wednesday, January 17, 2024 12:00

Cisco Talos’ Vulnerability Research team has disclosed dozens of vulnerabilities over the past month, including more than 30 advisories in GTKWave and a critical vulnerability in ManageEngine OpManager. 

Cisco ASIG also recently discovered an information disclosure vulnerability in DuoUniversalKeycloakAuthenticator, an authentication solution for Keycloak, an open-source identity and access management solution.  

There are also multiple vulnerabilities in AVideo, an open-source video broadcasting suite, that could lead to arbitrary code execution. 

All the vulnerabilities mentioned in this blog post have been patched by their respective vendors, all in adherence to Cisco’s third-party vulnerability disclosure policy. 

For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website.  

**ManageEngine OpManager directory traversal vulnerability **

_Discovered by Marcin “Icewall” Noga._ 

A directory traversal vulnerability exists in the uploadMib functionality of ManageEngine OpManager, a network management solution. 

TALOS-2023-1851 (CVE-2023-47211) can be exploited if an adversary sends a target a specially crafted HTTP request, which could allow them to create a file in any location outside of the default MiBs file’s location directory. This vulnerability has a critical severity score of 9.1 out of 10. 

This vulnerability arises if the adversary uses OpManager and navigates to Settings -> Tools -> MiB Browser and selects “Upload MiB.” The arbitrary file they could eventually create can only be one of a few file extensions, however, including .txt, .mib and .mi2. 

**Multiple vulnerabilities in GTKWave **

_Discovered by Claudio Bozzato._ 

Cisco Talos recently discovered multiple vulnerabilities in the GTKwave simulation tool, some of which could allow an attacker to execute arbitrary code on the targeted machine. 

GTKwave is a wave viewer used to run different FPGA simulations. It includes multiple versions to run on macOS, Linux, Unix and Microsoft machines. The open-source software analyzes trace files to look at the results of simulations run across different design implementations, or to analyze protocols captured with logic analyzers.  

Talos researchers found a wide array of security issues across this software that affect different functions in GTKwave, many of which are triggered if an attacker can trick the targeted user into opening a specially crafted malicious file. In all, Talos recently released 33 advisories that cover more than 80 CVEs. Many of these issues are caused by the reuse of vulnerable code across the software. Other vulnerabilities are often duplicated by the adversary sending different file types as the initial infection document. 

There are eight integer overflow vulnerabilities that could result in memory corruption, and eventually, arbitrary code execution: TALOS-2023-1812 (CVE-2023-38618, CVE-2023-38621, CVE-2023-38620, CVE-2023-38619, CVE-2023-38623, CVE-2023-38622), TALOS-2023-1816 (CVE-2023-35004), TALOS-2023-1822 (CVE-2023-35989), TALOS-2023-1798 (CVE-2023-36915, CVE-2023-36916), TALOS-2023-1777 (CVE-2023-32650), TALOS-2023-1824 (CVE-2023-39413, CVE-2023-39414), TALOS-2023-1790 (CVE-2023-35992) and TALOS-2023-1792 (CVE-2023-35128). 

The most common vulnerability type Talos researchers found in GTKWave were out-of-bounds write issues that could lead to arbitrary code execution. All the following vulnerabilities could be exploited if a target opened an attacker-created file: 

*   TALOS-2023-1804 (CVE-2023-37416, CVE-2023-37419, CVE-2023-37420, CVE-2023-37418, CVE-2023-37417) 
*   TALOS-2023-1805 (CVE-2023-37447, CVE-2023-37446, CVE-2023-37445, CVE-2023-37444, CVE-2023-37442, CVE-2023-37443) 
*   TALOS-2023-1810 (CVE-2023-37282) 
*   TALOS-2023-1811 (CVE-2023-36861) 
*   TALOS-2023-1813 (CVE-2023-38649, CVE-2023-38648) 
*   TALOS-2023-1817 (CVE-2023-39235, CVE-2023-39234) 
*   TALOS-2023-1819 (CVE-2023-34436) 
*   TALOS-2023-1823 (CVE-2023-38657) 
*   TALOS-2023-1826 (CVE-2023-39443, CVE-2023-39444) 

TALOS-2023-1807 (CVE-2023-37921, CVE-2023-37923, CVE-2023-37922) can also lead to remote code execution, but in this case, is caused by an arbitrary write issue. 

For a complete list of all the vulnerabilities Talos discovered in GTKWave, refer to our Vulnerability Reports page here. 

**DuoUniversalKeycloakAuthenticator for Keycloak **

_Discovered by Benjamin Taylor of Cisco ASIG._ 

An information disclosure vulnerability exists in the instipod DuoUniversalKeycloakAuthenticator for Keycloak. Keycloak is an open-source identity and access management solution, and DuoUniversalKeyAuthenticator allows Keycloak to push a Cisco Duo notification to the Duo app, asking the user to authenticate in.  

The Keycloak extension for Duo, after it detects that initial authentication has succeeded with Keycloak, redirects the user’s browser to the configured duosecurity.com endpoint, sending the username and password in question each time. 

TALOS-2023-1907 (CVE-2023-49594) indicates that this is unnecessary exposure of this data, potentially allowing an attacker to steal or view this information. 

**Multiple vulnerabilities in WWBN AVideo **

_Discovered by Claudio Bozzato._ 

WWBN AVideo contains multiple vulnerabilities that an attacker could exploit to carry out a range of malicious actions, including brute-forcing user credentials and forcing a targeted user to reset their password to something the attacker knows. 

AVideo is a web application, mostly written in PHP, that allows users to create audio and video sharing websites. Users can import videos from other sources, like YouTube, encode the videos and then make them shareable in various ways. 

There are multiple cross-site scripting vulnerabilities in AVideo that could allow an attacker to execute arbitrary JavaScript code on the targeted machine: 

*   TALOS-2023-1882 (CVE-2023-48730) 
*   TALOS-2023-1883 (CVE-2023-48728) 
*   TALOS-2023-1884 (CVE-2023-47861) 

An attacker could exploit these vulnerabilities by tricking a user into visiting a specially crafted web page. 

There are three other vulnerabilities — TALOS-2023-1869 (CVE-2023-47171), TALOS-2023-1881 (CVE-2023-49738) and TALOS-2023-1880 (CVE-2023-49864, CVE-2023-49863, CVE-2023-49862) — that could allow adversaries to read arbitrary files with an HTTP request targeting different parameters in AVideo’s “objects/aVideoEncoderReceiveImage.json.php” file. 

Talos researchers also discovered TALOS-2023-1896 (CVE-2023-49589), an insufficient entropy vulnerability that can allow an attacker to forge a password reset for an administrator account. This could allow an adversary to reset a user’s account, set a new password that only the adversary knows, and then log in with that account information. An adversary could also exploit TALOS-2023-1897 (CVE-2023-50172) to prevent AVideo from sending an email to the associated account’s email address alerting them of the password reset process, so exploitation becomes less evident. 

Similarly, TALOS-2023-1900 (CVE-2023-49599) can also be exploited using this method, but this vulnerability targets administrator accounts. 

The most serious vulnerability Talos discovered in AVideo is TALOS-2023-1886 (CVE-2023-47862), a local file inclusion vulnerability that could eventually lead to arbitrary code execution. This vulnerability has a severity score of 9.8 out of 10. TALOS-2023-1885 (CVE-2023-49715) is an unrestricted php file upload vulnerability that can also lead to code execution, but only when used in conjunction with a local file inclusion vulnerability like TALOS-2023-1886. 

TALOS-2023-1898 (CVE-2023-49810) could be exploited in AVideo by sending a specially crafted HTTP request. An adversary could exploit this vulnerability to bypass the CAPTCHA process when trying to log into the service, therefore making it easier for an attacker to attempt to brute force login credentials or password-guessing attacks.

Critical vulnerability in ManageEngine could lead to file creation, dozens of other vulnerabilities disclosed by Talos to start 2024

One of the critical vulnerabilities patched Tuesday is CVE-2024-20674, a security bypass vulnerability in the Windows Kerberos authentication protocol.

Tuesday, January 9, 2024 13:58

Microsoft followed up one of the lightest recent Patch Tuesdays in December with another month of no zero-day vulnerabilities and only two critical issues.   

Many of the company’s monthly security updates in 2023 included vulnerabilities that were actively being exploited in the wild or had publicly available exploits already in circulation.   

The company started out 2024 by disclosing 48 vulnerabilities on Tuesday across its suite of products and services, 46 of which are considered of “important” severity. 

One of the critical vulnerabilities patched Tuesday is CVE-2024-20674, a security bypass vulnerability in the Windows Kerberos authentication protocol. An attacker could carry out a man-in-the-middle attack to exploit this vulnerability and spoof the Kerberos authentication server, therefore bypassing the authentication process. 

Because of Keberos’ presence on several of the most popular operating systems, Microsoft considers this vulnerability “more likely” to be exploited.  

The other critical issue is CVE-2024-20700, which can lead to remote code execution. This vulnerability in Windows Hyper-V can be exploited if an adversary wins a race condition. Also, they must first gain access to a restricted network before an exploit can work. 

There are two other remote code execution vulnerabilities that are worth mentioning, both of which Microsoft considers to be of “important” severity: CVE-2024-21307, which exists in Windows Remote Desktop Client, and CVE-2024-21318, which affects SharePoint Server. 

In the case of CVE-2024-21307, the vulnerability can be triggered if an authenticated user connects to a malicious remote desktop server where the remote desktop host server sends a specially crafted Server RDP Preconnection that targets the remote client's drive redirection virtual channel. This could lead to remote code execution on the victim's machine. 

CVE-2024-21318 is relatively easier for an attacker to hypothetically exploit, only requiring them to write and inject specific code to SharePoint Server.

The Windows Kernel also contains an elevation of privilege vulnerability, CVE-2024-20698, which could allow an attacker to gain SYSTEM privileges. There is little other information on how an attacker could exploit this vulnerability. 

A complete list of all the other vulnerabilities Microsoft disclosed this month is available on its update page.

In response to these vulnerability disclosures, Talos is releasing a new Snort rule set that detects attempts to exploit some of them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Cisco Security Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. 

The rules included in this release that protect against the exploitation of many of these vulnerabilities are 62847 – 62850 and 62854 – 62861. There are also Snort 3 rules 300797 – 300802.

Microsoft starts off new year with relatively light Patch Tuesday, no zero-days

Cisco Talos obtained executable code capable of decrypting files affected by the Babuk Tortilla ransomware variant, allowing Talos to extract and share the private decryption key used by the threat actor.

Tuesday, January 9, 2024 04:00

*   Cisco Talos obtained executable code capable of decrypting files affected by the Babuk Tortilla ransomware variant, allowing Talos to extract and share the private decryption key used by the threat actor.
*   Cisco Talos shared the key with our peers at Avast for inclusion in the Avast Babuk decryptor released in 2021. The decryptor includes all known private keys, allowing many users to recover their files once encrypted by different Babuk ransomware variants. 
*   Dutch Police, acting on threat intelligence supplied by Talos, identified, apprehended and the Dutch Prosecution Office prosecuted the threat actor behind Babuk Tortilla operations, demonstrating the power of cooperation between law enforcement agencies and commercial security organizations such as Talos and Avast.

In cooperation with Dutch Police and Avast, Cisco Talos recovered a decryptor for encrypted files from systems affected by the Babuk ransomware variant known as Tortilla. We first described the operations of Tortilla ransomware in a blog post in November 2021. 

Dutch Police used the intelligence provided by Talos to discover and apprehend the actor behind this malware. During the Amsterdam Police operation, Talos obtained and analyzed the decryptor, recovered the decryption key and shared the key with engineers from Avast Threat Labs in charge of development and maintenance of the decryptor for several other Babuk variants. 

The generic Avast Babuk decryptor was already used as the de facto industry standard Babuk decryptor by many affected users and it made perfect sense to be updated with the keys Talos recovered from the Tortilla decryptor. 

This way, the users can access programs such as NoMoreRansom to download the single decryptor containing all currently known Babuk keys and do not have to choose between competing decryptors for individual variants.

**Babuk source code is used as a basis of many ransomware variants**

Babuk ransomware emerged in 2021, gaining notoriety for its high-profile attacks on targeted industries, especially those in healthcare, manufacturing, logistics and public services, including critical infrastructure.

Babuk can be compiled for several hardware and software platforms. The compilation is configured through a ransomware builder. Windows and ARM for Linux are the most commonly used versions, but ESX and a 32-bit, older PE executable were also observed over time. 

Babuk ransomware is nefarious by its nature and while it encrypts the victim's machine, it interrupts the system backup process and deletes the volume shadow copies. The source code of the Babuk ransomware leaked in an underground forum in September 2021 by an alleged insider, opening the door for other cybercriminals to utilize and potentially enhance the ransomware and increase the threat level for businesses and organizations worldwide.

Talos recently analyzed the operations of the RA ransomware group and other groups basing their ransomware on the leaked Babuk source code, documenting 10 different actors using it. 

__Timeline of ransomware families leveraging leaked Babuk ransomware code.__

Cisco Talos discovered a Tortilla campaign in our product telemetry on Oct. 12, 2021, targeting vulnerable Microsoft Exchange servers and attempting to exploit the ProxyShell vulnerability to deploy the Babuk ransomware in the victim's environment. 

The actor used a specific infection chain technique where an intermediate unpacking module is hosted on a pastebin.com clone, pastebin.pl. The intermediate unpacking stage was downloaded and decoded in memory before the final payload embedded within the original sample was decrypted and executed.

**Babuk Tortilla decryptor is a standard decryptor provided by the threat actor**

The Babuk Tortilla decryptor obtained by Cisco Talos was likely created from the leaked Babuk source code and the generator. An actor wishing to utilize the ransomware toolkit has to generate a public/private key pair to be used in the operation. The key pair can also be generated per campaign but we have no indication of other keys used by the Tortilla actor. Instead, a single key pair is used to attack all their victims. 

The public key is deployed to the ransomware payload where it is used in the infection process to encrypt the per-file symmetric encryption/decryption key. That is then appended to the end of every encrypted file with the encryption marker and additional metadata. This allows the specific decryptor to recognize the fact that a file is encrypted and decrypt the symmetric key using the private key embedded in the body of the specially crafted decryptor tool created by the threat actor. 

__Recursive decryptor function for traversing file system is not efficient.__

The decryption process used by the original decryptor is rather slow due to the inefficiency of the routine used to traverse the file system. Although the decryptor supplied by the threat actor works, Cisco Talos made the decision to not share any executable code created by the threat actor, as it may expose production environments to untrusted code. The approach we took was to extract the private key from the decryptor and add the key to the list of keys supported by the Avast Babuk decryptor. 

**Generic Babuk decryptor helps users to recover their files**

The Avast Babuk decryptor is optimized for performance and allows users to recover their files very quickly if the Babuk variant uses one of the known private decryption keys. The initial decryptor was released in October 2021, and it has been actively supported by Avast Threat Labs’ engineers. 

Its simple user interface allows even users with minimal experience in ransomware recovery to easily understand its usage and purpose.

__Avast Babuk decryptor can be used to decrypt files encrypted by the Babuk Tortilla variant.__

Users affected by Tortilla ransomware operations can download the updated version of the Babuk decryptor from the NoMoreRansom decryptors page or the Avast decryptors download page. 

Cisco Talos would like to thank the Dutch Police and Avast for their cooperation and we look forward to working with them on other similar projects.

New decryptor for Babuk Tortilla ransomware variant released

In this video series, Talos’ Director of Threat Intelligence and Interdiction Matt Olney and Head of Outreach Nick Biasini share their insights on the most significant cybersecurity threats from the past year.

Monday, January 8, 2024 05:30

In this video series, Talos’ Director of Threat Intelligence and Interdiction Matt Olney and Head of Outreach Nick Biasini share their insights on the most significant cybersecurity threats from the past year.

From attacks on network infrastructure to the latest APT activities, as well as an update on our Ukraine Task Force, these short videos provide some great insights into the current cybersecurity threat environment.

You can learn more in the 2023 Talos Year in Review.

**The increased targeting of networking devices**

**Ransomware and extortion**

**The activities of Advanced Persistent Threat actors (APTs)**

**Ukraine Task Force update**

**Recommendations for defenders**

Video series discussing the major threat actor trends from 2023

Talos revealed that rebooting an iOS or Android device may not remove the Predator spyware produced by Intellexa. Intellexa knows if their customers intend to perform surveillance operations on foreign soil.

Thursday, December 21, 2023 11:00

_By Mike Gentile,_ _Asheer Malhotra_ _and_ _Vitor Ventura__._

**Editor’s note:** This blog post is a public version of a talk presented at LabsCon 2023 on Sept. 22, 2023. You can watch a recording of the talk here. Some of the intelligence presented at LabsCon was later confirmed by an Amnesty International blog post released on Oct. 6, 2023.

*   Cisco Talos has a new, in-depth analysis of timelines, operating paradigms and procedures adopted by spyware vendor Intellexa (previously known as Cytrox). 
*   Talos’ analysis revealed that rebooting an iOS or Android device may **_not_** always remove the Predator spyware produced by Intellexa. Persistence is an add-on feature provided by Intellexa for their implants and primarily depends on the licensing options chosen by a customer.
*   Intellexa knows if their customers intend to perform surveillance operations on foreign soil.
*   Two years after its first public exposure, Intellexa’s Predator/Nova spyware solution continues to be undetected by anti-virus solutions. Public reporting on Intellexa’s operations has had little to no impact on their ability to conduct and grow their business across the world.
*   Almost all publications on malicious operations conducted using Intellexa’s spyware consist primarily of malicious domains as indicators of compromise (IOCs). Talos assesses that the disclosure of such domains, managed by the customers, has little to no effect on Intellexa’s operations and enables them to preserve their malware implants due to a lack of technical disclosures. 
*   After many users patched against the exploit chains used by Intellexa as of December 2021, the spyware vendor started shipping a new exploit chain to at least one new customer in early 2022 that covered the same and more recent versions of the Android operating system.

In May 2023, Cisco Talos published the first ever in-depth technical report on Intellexa’s spyware solution named Alien and Predator, showing its inner workings and demonstrating the highly complex software architecture decisions required to make such spyware work properly on the Android operating system. This research also sheds light on several other aspects of the commercial spyware space, like plausible deniability, the impacts of widespread media exposure and recruitment issues.

During the LabsCon 2023 cyber threat intelligence conference, Talos presented the operational risks inherent to the commercial spyware landscape, using Intellexa as a use case.

This research delves into the history of the Alien/Predator line of implants, illustrating how a run-down spyware seller, Cytrox, was bought and transformed into an intelligence agency-grade spyware vendor: Intellexa.

**Implants’ persistence is an add-on in Intellexa’s offering**

Leaked commercial proposals from the Intellexa Alliance have shown that prices per infection are increasing every year, along with the capabilities of the company's technological solution. Rebooting the device is no longer a means to remove the implants from an infected device. 

In 2021, Predator spyware couldn’t survive a reboot on the infected Android system (it had it on iOS). However, by April 2022, that capability was being offered to their customers. Since then, no reports have been published detailing such a mechanism, as there is no reason to believe it has become obsolete. It still doesn’t survive a factory reset, but it is fair to assume that this specific capability will become available, literally breaking all trust in the device beyond recovery.

**Intellexa’s product development journey**

Cytrox was first created in North Macedonia in 2017, and at the time, built Android-based malware. In 2018, Cytrox was acquired by WiSpear and then in 2019 Nexa Technologies, WiSpear (and Cytrox) and Senpai Technologies teamed up to create the Intellexa Alliance, a commercial spyware company that, according to public reports, sells commercial spyware to multiple customers without regard for their potential targets and the spyware’s misuse. 

Senpai Technologies is a company specializing in OSINT and persona creation based out of Israel, while WiSpear, also based in Israel, specializes in Wi-Fi interception. Nexa Technologies (now called RB 42) is a French-based company whose main focus is remote surveillance and security services.

Immediately after the consolidation of all these firms under Intellexa in May 2019, the revamping of Predator began, which at the time, was their flagship spyware for Android. This can be confirmed on the artifacts left on the malware binary due to the use of static library compilation at build time.

By April 2020, the revamp was finished and the malware was ready to be deployed on Android. In May 2020, the developers began working on an iOS “solution” which we assess with medium confidence was a port of Alien/Predator from Android to iOS. Our assessment is based on the fact that the engine that drives the high-level components of the Predator system is similar, if not identical, to the point where some Android artifacts, detailed in the following sections, can be found on the iOS sample.

Evolution timeline

**Pricing model**

Building commercial spyware is a sophisticated and research-driven process. It involves meticulously circumventing, bypassing and exploiting security controls put in place by mobile applications/packages and Operating Systems such as Android and iOS. Combining such potent software into a package with zero or one-click zero-day exploits makes it a highly reliable offensive “solution” – and that is exactly what makes it expensive. As early as 2016, The New York Times reported that the NSO Group charged $650,000 for every 10 infections, with an additional $500,000 for initial setup. Multi-year deals between the NSO Group and Mexico were estimated to be around $15 million – and this was back in 2013.

Fast forward five years to 2021, and another disclosure from The New York Times details the proposal brochure for Intellexa’s Predator framework offering their solution for a whopping 13.6 million Euros for:

*   20 concurrent infections.
*   One-click exploit for initial access.
*   Predator C2 and administrative hardware and software.
*   Project plans, documentation, etc.
*   12 months of warranty support.

Proposal (snipped) defining price and items

Leaked documents from 2022 show that the Nova platform, which is Intellexa’s data-gathering module, was priced at 8 million Euros in 2022. Price tags of 13.6 million or even 8 million Euros is a hefty sum. However, this reinforces the fact that commercial spyware such as those from Intellexa is neither for the common man nor for petty crimeware operators. These solutions are meant for customers with deep pockets and such expenses can only be incurred by state-sponsored agencies.

The pricing model also shows the technological evolution of the product. Based on the leaked proposal dates in July 2022, Intellexa had already incorporated boot survivability into the Android solution. It also increased the support for Android to 18 months. At this point, it is unclear if this is the direct result of Intellexa’s development and research capabilities, or if these are based on exploits acquired that ultimately would result in having such capabilities.

The original persistence mechanism on iOS was the exploitation of the original vulnerability during the boot process by loading the malicious HTML page stored locally. As such, the newly introduced Android persistence mechanism can simply be based on a similar method.

**Plausible deniability**

Intellexa’s commercial proposals are designed to create plausible deniability. These clauses extend from the infrastructure responsibilities to the delivery methods. This is a key aspect of Intellexa’s business model, the goal is to avoid a bad reputation and to claim they are not responsible for what their customers do with their “product” — they claim that they don’t even know who the victims are.

Proposal (snipped) defining responsibilities

The leaked proposals show that the infrastructure and anonymization are the responsibility of the customer. From a deniability point of view, this enables the claim that Intellexa doesn’t know _how_ victims are being targeted. From the operational risk perspective, such clauses also shield Intellexa from any responsibility in the event of a public exposure connecting malicious operations back to the vendor.

Delivery method method

The delivery of Intellexa’s supporting hardware is done at a terminal or airport. This delivery method is known as Cost Insurance and Freight (CIF), which is part of the shipping industry’s jargon (“Incoterms”). This mechanism allows Intellexa to claim that they have no visibility of where the systems are deployed and eventually located. This exact scenario was seen being put into practice when, according to a LighthouseReports

investigation

, Intellexa sold their solution to the Sudanese government.

Source: https://www.lighthousereports.com/investigation/flight-of-the-predator/

Even if we take into consideration the proposal’s terms such as, “Installation and configuration at customer designated facility…” and the “Standard training course ……,” it still does not mean that Intellexa might know where the hardware is located since everything can be done remotely or even without their personnel knowing where the customer’s “solution” is physically located.

Intellexa does have first-hand knowledge of if their software is being used to conduct surveillance operations targeting phone number prefixes other than their customers' country of origin and possibly their jurisdiction. This knowledge is a consequence of the licensing model. Any sale is limited to a single phone country code prefix, but for an additional fee, the customer can license the usage of the solution in additional countries without geographic limitations.

**Business risks****Human resources**

Commercial spyware companies don’t seem to have any kind of problem recruiting highly specialized human resources to develop their solutions. This was evidenced by the LinkedIn profiles of several highly specialized engineers. In one example, the NSO Group in June had just recruited new, highly specialized engineers from an intelligence military unit.

During the development of the iOS implant, Intellexa hired an iOS expert vulnerability researcher who had previously worked for the NSO Group. The timing of the hire indicates that the firm needed to integrate the implant with the exploit chain to deploy it reliably on iOS devices.

Snippet of the iOS security expert Curriculum Vitae

Such “experts” can be found working for and actively hunting for jobs regularly at other commercial spyware vendors too.  For example, a quick search by Talos showed that just in September 2023, the NSO group had hired another security researcher with the same research background:  

Example of employment history

And there are several examples like that. The highly skilled researchers will move from one company to another in the same line of business supplying a constant flow of human resources as needed.

**Target operating system support**

New operating system releases don’t seem to make a considerable impact on the Predator solution. Intellexa now supports OS versions going back 18 months on Android and 12 months on iOS from their last supported version, which may not be the latest. Google releases approximately one new version per year just like Apple. But, the Android OS may consist of beta versions months before general availability. This gives plenty of lead time to Intellexa and their exploit suppliers to develop new exploit chains to use as initial attack vectors. 

It is important to understand that the Alien/Predator implants themselves don’t need to change much between operating system releases. They are written to be as generic and modular as possible, and the modules that need to be specific to an OS version and/or capability are written in Python, which can easily be updated and deployed on the fly via a customer’s infrastructure. 

The components that are more sensitive to operating system updates are the initial access vectors and the persistence mechanisms. These capabilities often rely on exploits that can be patched or new mitigation techniques may render them useless. 

**Vulnerability exploits chain patching**

This is the most sensitive and least controlled part of any commercial spyware solution. Still, one may think that there is a high impact on the operational capability of a commercial spyware vendor, but the reality seems to prove the impact is low, or medium at most. 

Exploit brokers and exploit research companies, sell full or partial exploit chains as a subscription model where the customers are entitled to workable replacements if the purchased chain is patched.

The timeline of events shows that it took Intellexa, at most, six months (probably less) to obtain and integrate a new fully operational exploit chain into their solution, after their Android previous one was patched in Nov 2021. This is confirmed by the fact that, in May 2022, their platform was being shipped to a new customer in Sudan, according to the Lighthouse report.

Overall, this demonstrates that exposing the vulnerabilities used by commercial spyware vendors, although extremely important, does not impose much of a risk on them. In fact, that risk is transferred onto the exploit brokers and vendors.

This has caught the attention of the Biden-Harris administration, to the point that the Intellexa Alliance was added to the Entity List for “_...determination that the companies engaged in trafficking in cyber exploits used to gain access to information systems…_”  In practical terms, U.S.-based companies that deal in exploits cannot do business with the Intellexa galaxy of companies. This means that Intellexa will have to procure its exploits from companies in other regions, which for the time being, doesn’t seem to be a problem. However, if the United Kingdom and the European Union take similar actions, the market will become smaller, making it much harder for these companies to acquire their initial attack vector.

**The lack of impact from public exposure**

The public exposure of commercial spyware companies creates awareness and has gained the attention of governments and regulating bodies. Such disclosures have also been successful at attributing malicious operations conducted by regimes against human rights activists, journalists and civilian dissidents, indicating the lack of a moral compass of many of Intellexa’s “customers.” 

However, exposing regimes conducting these operations seems to have little effect on these companies’ abilities to make money. It may increase the costs by making them buy or create new exploit chains but these vendors appear to have seamlessly acquired new exploit chains, enabling them to remain in business by jumping from one set of exploits to another as a means of initial access. A majority of public disclosures in the commercial spyware space focus on the political aspects of the operations along with listing malicious domains and infrastructure but fail to tear open the inner workings of the malware themselves. The domains and infrastructure exposed in a disclosure are owned and operated by spyware customers themselves, often in silos, meaning that exposing one operation typically may have no impact on all the other customers. However, the risk of exposure will always be primarily based on the efforts put by the customer into their anonymization chain.

Such disclosures may have a substantial impact on the regimes (“customer”), but they fail to impose costs on the spyware vendor themselves. What is needed is the public disclosure of technical analyses of the mobile spyware and tangible samples enabling public scrutiny of the malware. Such public disclosures will not only enable greater analyses and drive detection efforts but also impose development costs on vendors to constantly evolve their implants.

Intellexa and Cytrox: From fixer-upper to Intel Agency-grade spyware

Relive Talos' top stories from the past year as we recap the top malware and other threats that came our way.

Tuesday, December 19, 2023 08:00

If there is anything the cybersecurity world learned in 2023, it’s that you can never count any bad guy out. 

Botnets kept coming back from the dead, ransomware actors found new ways to make money through data theft extortion and threat actors and malware who have been around for more than a decade find ways to stay relevant. 

Since it seems like there's a new security threat every day making headlines, we like to take a step back at the end of every year to look back at the top stories in cybersecurity that Talos covered this year, including new research from Talos and the stories that were most interesting to readers. 

*   After Microsoft blocked macros by default in Office documents, attackers needed to find a new file format for their lure documents that could execute malware or malicious code without users noticing. To start off 2023, adversaries shifted toward Shell Link (LNK) files, which provide security researchers the opportunity to capitalize on information that can be provided by LNK metadata. We used this data to uncover new information about the Qakbot botnet and Gamaredon threat actor, and previously unknown connections between multiple threat actors. 
    

*   Attackers deployed the “MortalKombat” ransomware and Laplas Clipper malware together in a campaign primarily looking to generate revenue by forcing users into paying the requested ransom. The encryption screen and ransom note associated with this campaign used images from the “Mortal Kombat” video game series — hence the name. Our research found these adversaries targeting everyone from individual users to massive organizations. 
    

*   The operators behind the Prometei botnet continued to level up their operations, adding new functions and anti-detection methods. Talos reported on what we identified as “version 3” of the botnet in March, including an alternative C2 domain generating algorithm (DGA), a self-updating mechanism, and a bundled version of the Apache Webserver with a web shell that’s deployed onto victim hosts. At the time of writing, the botnet had over 10,000 compromised machines. 
    
*   In other botnet news, the infamous Emotet malware came back online after a relatively quiet period, this time deploying malicious Microsoft Word documents as lures. Emotet is famous for going through brief periods of inactivity, often spanning months, and then re-appearing. Its newest efforts involved infection chains that Talos had not observed the operators using before. 
    
*   Talos discovers a new threat actor we called “YoroTrooper” targeting government and energy organizations in Azerbaijan, Tajikistan, Kyrgyzstan and other Commonwealth of Independent States (CIS). YoroTrooper’s activities seem largely centered around trying to steal sensitive information from these groups. We’d continued to follow this group for the remainder of the year, writing about their malware and TTPs multiple times in 2023.  
    

*   Although it was released earlier in the year, Talos disclosed a newly discovered “V2” version of the Typhon Reborn information-stealing malware. The updated version features additional anti-analysis and anti-virtual machine (VM) capabilities to evade detection and make analysis more difficult. At the time, we predicted that Typhon Reborn would appear in future cyber attacks. 
    
*   A large-scale attack on global network infrastructure known as “Jaguar Tooth” goes public, including extensive reporting from Talos and Cisco. In this campaign, state-sponsored actors targeted older networking devices like wireless routers, including Cisco devices. The UK’s National Cyber Security Centre (NCSC) also released a report on a sustained campaign by a Russian intelligence agency targeting a vulnerability in routers that Cisco had published a patch for in 2017. These ongoing discussions about defending network infrastructure and ensuring organizations use up-to-date devices eventually led to Cisco and other partners co-founding the new Network Resilience Coalition in July. 
    

*   A new phishing-as-a-service tool called “Greatness” appears in the wild, offering attackers the ability to pay a subscription fee for their infrastructure. Greatness allows users to send spam emails, pointing targets to convincing Microsoft 365 login pages. The “as-a-service" model for threat actors had long been around, but the trend received increased attention in 2022 as several large ransomware groups shifted to new affiliate models, which offered their services and code to anyone who wanted to use it for a fee. 
    
*   With the help of our partners at The Citizen Lab, Talos revealed new details about the “ALIEN” and “PREDATOR” mobile spyware suites. Many groups that we called “mercenary spyware” groups use these tools to create spyware, software that is considered illegal in many countries and is often used to target at-risk individuals like politicians and activists. 
    
*   Talos revealed a new threat actor we called “RA Group” targeting users globally, including companies in manufacturing, wealth management, insurance providers and pharmaceuticals. RA Group uses a modified version of the Babuk ransomware, which was leaked online in September 2021. 
    

*   Talos discloses the details of a botnet that’s been active for nearly three full years, “Horabot.” The actor delivers a known banking trojan and spam tool onto victim machines, specifically targeting Spanish-speaking users in North and South America. At the time, Talos believed the actor behind this botnet was located in Brazil. 
    
*   A month after the .zip top-level domain was released for the public to register, our researchers noticed attackers using it in scams designed to get users to leak sensitive information. As a result of user applications increasingly registering “.zip” files as URLs, these filenames may trigger unintended DNS queries or web requests, thereby revealing possibly sensitive or internal company data in a file’s name to any actor monitoring the associated DNS server. 
    

*   We discovered multiple versions of an undocumented malicious driver named “RedDriver,” a driver-based browser hijacker that uses the Windows Filtering Platform (WFP) to intercept browser traffic. Our research indicates that RedDriver has been active since at least 2021. This attack primarily targets Chinese-speaking users, and we suspected the creators of RedDriver are also native Chinese speakers. 
    
*   An unnamed actor started targeting government agencies in Ukraine and Poland, looking to steal sensitive information and setting up a backdoor for potential future attacks. Ukraine’s Computer Emergency Response Team (CERT-UA) attributed attacks, first spotted in July, to the threat actor group UNC1151, as a part of the GhostWriter operational activities allegedly linked to the Belarusian government. 
    

*   Talos’ Vulnerability Research team disclosed dozens of vulnerabilities that affect several small and home office (SOHO) routers. That team spent years on this research in the wake of the massive VPNFilter attack. Adversaries could chain together many of these vulnerabilities to directly access or those an adversary could chain together to gain elevated access to the devices. 
    
*   A new attacker appeared to use a variant of the Yashma ransomware likely to target multiple geographic areas by mimicking WannaCry characteristics. The actor, apparently of Vietnamese origins, was targeting users in targets Bulgaria, China, Vietnam and other countries since at least June. The new wrinkle to this ransomware attack is that the adversary asks the target to download the ransom note via their publicly available GitHub, rather than including some strings in the binary. 
    
*   The U.S. Department of Health and Human Services (HHS) released a warning to the healthcare industry about Rhysida ransomware activity. Rhysida appears to have first popped up back in May, with several high-profile compromises posted on their leak site since then, causing the U.S. government to release a specific warning alerting hospital systems and doctor’s offices about the activity. Talos released several new Snort rules to detect the Rhysida ransomware and details on the actor’s TTPs, including a new ransom note in which they pose as a legitimate cybersecurity company.  
    
*   Talos discloses new information about the infamous Lazarus Group APT, including several new RATs they’re using in the wild. The North Korean state-sponsored actor targeted internet infrastructure and healthcare entities in Europe and the United States with what we called “QuietRAT.” Additional research into the group found that Lazarus Group is increasingly relying on open-source tools and frameworks in the initial access phase of their attacks, as opposed to strictly employing them in the post-compromise phase.  
    
*   SapphireStealer, an open-source information stealer, is disclosed after Talos observed the malware across public malware repositories with increasing frequency since its initial public release in December 2022. We assessed with moderate confidence that multiple entities are using SapphireStealer, who have improved and modified the original code base separately, extending it to support additional data exfiltration mechanisms leading to the creation of several variants. 
    

*   Talos discovered a new malware family we called “HTTPSnoop” being deployed against telecommunications providers in the Middle East. HTTPSnoop is a simple, yet effective, backdoor that consists of novel techniques to interface with Windows HTTP kernel drivers and devices to listen to incoming requests for specific HTTP(S) URLs and execute that content on the infected endpoint. We also discovered a sister implant called “PipeSnoop,” which can accept arbitrary shellcode from a named pipe and execute it on the infected endpoint. Both tools are believed to be created and owned by the ShroudedSnooper threat actor, which built the intrusion set.  
    
*   Our researchers spot threat actors abusing Advanced Installer, a legitimate Windows tool used for creating software packages, to drop cryptocurrency-mining malware on infected machines. These attacks specifically target graphic designers or other artists who use computers with exceptionally large graphics cards — thus making them more valuable for cryptocurrency mining.  
    

*   Cloudflare and other internet hosting providers reported what was considered the largest distributed denial-of-service attack ever. Though the actual attack occurred earlier in the year, the official disclosure came in October, including details of a vulnerability in the HTTP/2 protocol that the attackers exploited. Talos released an advisory about these attacks, urging users to patch immediately and releasing new Snort rules to detect the exploitation of CVE-2023-44487. 
    
*   YoroTrooper, which Talos initially reported on earlier in the year, started using new TTPs, including new obfuscation techniques and the use of commodity malware. The actor is likely operating out of Kazakhstan, but these new tactics were made to look as if their lure documents came from the government of Azerbaijan.  
    
*   Arid Viper, a threat actor believed to be based out of Gaza, is disclosed. The APT used malicious apps designed as software for the Android operating system to collect sensitive information from targets and deploy additional malware onto infected devices. Although Arid Viper is believed to be based out of Gaza, Cisco Talos has no evidence indicating or refuting that this campaign is related in any way to the Israel-Hamas war, which also began in October. 
    

*   Talos identified the most prolific Phobos variants, common affiliate tactics, techniques and procedures (TTPs), and characteristics of the Phobos affiliate structure. Our researchers looked at observed Phobos activity and analyzed more than 1,000 Phobos samples from VirusTotal dating back to 2019. We found that the 8Base group was increasingly deploying variants of Phobos via the SmokeLoader backdoor. We also found indications that Phobos could be available as a pay-for ransomware-as-a-service model. 
    
*   Talos discovered a malicious campaign that likely started as early as August 2023, delivering a new remote access trojan (RAT) we dubbed “SugarGh0st.” We found evidence suggesting the threat actor is targeting the Uzbekistan Ministry of Foreign Affairs and users in South Korea. SugarGh0st is believed to be a variant of the infamous Gh0st RAT, a years-old malware of Chinese origin. SugarGh0st is believed to be targeting users in Uzbekistan and South Korea. 
    

*   Talos releases the details of Project PowerUp, an effort from multiple teams across Cisco to create a new, bespoke hardware device used to protect Ukraine’s power grid. The modified IoT switches allow the country’s power grid to be protected against GPS-jamming attacks, which traditionally tried to disrupt the way timing on the network worked. CNN first wrote about these efforts, and Joe Marshall, Talos’ researcher who spearheaded the project, wrote a firsthand account for the Talos blog.  
    

For further analysis of the threat landscape trends in 2023, download your copy of the Talos Year in Review.

Year in Malware 2023: Recapping the major cybersecurity stories of the past year

Everyone's New Year's Resolution should be to stop using passwords altogether.

Thursday, December 14, 2023 14:00

As you’ve probably seen by now, Talos released our 2023 Year in Review report last week. It’s an extremely comprehensive look at the top threats, attacker trends and malware families from the past year with never-before-seen Cisco Talos telemetry. 

We have podcasts, long-form videos and even Reddit AMAs to keep you covered and make it easy to digest our major takeaways from the report. Or, just kick back with a cup of coffee and read the full report — your choice! 

With this being the last Threat Source newsletter of the calendar year, I figured I’d do a Year in Review of my own. I don’t have the data or first-hand research to back any of these statements up, this is purely just _vibes_\-based or things I’ve discovered about myself and my cybersecurity habits over the past year, so while you may not be able to deploy any of these things on your firewall, I hope they serve as good advice to anyone thinking about the security landscape heading into the new year. 

*   **Do as I say, not as I do.** Before my daughter was born, I wrote in this newsletter about how I was skeptical about posting her face online and entering her personal data into various platforms while she’s so young and unable to even understand what a phone is. As soon as she was old enough to smile, I folded quickly. I’ll admit that I’ve posted her face all over Instagram, supplied her information to Gerber to enter her into the annual Gerber Baby competition (she came up short behind Maddie, apparently) and given personal information to who knows what sites while I was randomly trying to get answers to my first-time parent questions at 2 a.m. when she was getting her first tooth. None of these things are particularly smart in the long run, but as an unbiased observer, I can confidently say her cuteness on the internet only makes it a better place. 
*   **Just assume your passwords are going to get out there.** Several major password management services were hit with data breaches this year. And there were countless headlines about how brute-forcing password guesses led to others. The basic idea of a password manager is that your login information is inherently safer than just using the same password repeatedly, writing them down on a physical sheet of paper, or just hoping you remember each time you log in. At this point, I think it’s just safe to say that passwords are not your safest option. Passkeys and a passwordless approach to security are becoming increasingly popular, so where you can enroll in that, do it. Or if a traditional username and password combination is your only option, change that password as often as you can and make sure you have multi-factor authentication enabled to whatever password management service you use.  
*   **It’s time to get off Twitter.** Or X, whatever you want to call it. This platform has fully jumped the shark at this point and is rife with misinformation. The company has completely torn down any internal teams it has dedicated to fighting fake news or scams and searching for literally anything will surface misleading information, outright lies or offensive content. I miss the days when I could go to Twitter and search for a topic to get updates on a particular news item. I’m writing this on Dec. 13, and in the “Trending” sidebar on Twitter, I saw that “#cyberattack” was trending. Naturally, I wanted to see if there was an event going on I should be aware of, for obvious reasons. Instead, my results in the “Top” section included some word salad about the Bank of England targeting its own country’s critical infrastructure, a nonsensical clip from commentator Dan Bongino about woke leftists showing a cyber pandemic in a new movie, and a shocking amount of conspiracy theories about said new movie “Leave the World Behind.” It reminds me of the Michael Bluth line from “Arrested Development” when he grabs the bag out of the fridge that says, “Dead Dove DO NOT EAT.” 
*   **Don’t ever assume a threat is gone forever.** Over the past year, many major threat actors and malware operators that were once thought removed showed they could find a way back. The story of the FBI’s takedown of the Qakbot botnet was a major headline in August, and anyone who read the basic coverage would have thought, “Cool, don’t need to worry about those guys anymore!” However, subsequent research from Talos and other security firms found that remnants of Qakbot are still around, specifically services dedicated to sending spam. Trickbot, a major threat actor known for big game hunting, recently switched up its tactics and is actively targeting organizations in Ukraine, despite its developer being arrested and pleading guilty to several U.S. federal charges. And Emotet, which is known for its various stops-and-starts, is relatively quiet right now but was briefly active again earlier this year. This is not to say that these law enforcement server takedowns and arrests aren’t working — anything we can do to make the bad guys’ lives harder is a win in the end — but it’s continued proof that we can never really count any threat out.  

**The one big thing **

Cisco Talos recently discovered a new campaign conducted by the Lazarus Group we’re calling “Operation Blacksmith,” employing at least three new DLang-based malware families, two of which are remote access trojans (RATs), where one of these uses Telegram bots and channels as a medium of command and control (C2) communications. Our latest findings indicate a definitive shift in the tactics of the infamous North Korean state-sponsored actor. 

**Why do I care? **

This particular activity can be attributed to Andariel, a spinoff of the Lazarus Group. They’re actively exploiting the Log4shell vulnerability in Log4j, which is virtually everywhere. The hope is that most people have patched since the ubiquitous vulnerability was discovered in late 2021, but telemetry indicates there are many vulnerable instances still out there. Once infected, Andariel looks to install other malware loaders on the targeted machines and executes remote code that allows them to learn about the details of the system.  

**So now what? **

Talos’ blog outlines the numerous ways Cisco Secure products have protections in place to defend against Operation Blacksmith and other activities from Lazarus Group. 

**Top security headlines of the week **

**Hundreds of Windows and Linux devices from a range of manufacturers are vulnerable to a newly discovered attack called “LogoFAIL.”** The attack involves an adversary executing malicious firmware during the machines’ boot-up sequences, which means it’s difficult for traditional detection methods to block, or for users to even notice that it’s happening. The researchers who discovered this exploit wrote in their full paper that, once the attacker uses LogoFAIL to execute remote code during the Driver Execution Environment phase, it’s “game over for platform security.” Although there is no indication this type of attack has been used in the wild, it is being tracked through several CVEs. Potentially affected users should update to the latest version of UEFI by updating their firmware, including new patches from AMI, Intel, Insyde, Phoenix and Lenovo. Users can also lock down their machine’s EFI System Partition (ESP) so adversaries can’t access it, which is necessary to carry out LogoFAIL. (ArsTechnica, ZDNet) 

**The U.K. publicly charges Russia’s intelligence agency, the FSB, of a yearslong cyber espionage campaign targeting British government officials and other high-profile public citizens.** The U.K. Foreign Office said the FSB conducted "sustained unsuccessful attempts to interfere in U.K. political processes” over several years, including stealing information relating to the country’s national elections in 2019. The alleged campaigns involved trying to breach emails belonging to politicians, journalists, activists and academics, and fake social media profiles set up to impersonate the target’s contacts. One MP in British parliament said their emails had been stolen. Several individuals belonging to a group known as Star Blizzard have been sanctioned for their connections to these activities. (BBC, Politico) 

**Several major hardware and software vendors released their last patches of the calendar year this week.** Microsoft disclosed four critical vulnerabilities as part of its regular Patch Tuesday, three of which could lead to remote code execution. However, the total number of vulnerabilities included in December’s Patch Tuesday, 33, was the lowest in a single month since December 2019. Meanwhile on Monday, Apple released patches for its major pieces of hardware, disclosing security issues in iPhones, Macs and more. One of the vulnerabilities in macOS, CVE-2023-42914, is a kernel issue with the potential to allow apps to break out of their sandboxes. Additionally, the U.S. Cybersecurity and Infrastructure Security Agency released an advisory that attackers are actively exploiting a vulnerability in Adobe ColdFusion, which potentially poses a threat to government agencies. CVE-2023-26360 is an improper access control issue that could lead to arbitrary code execution. (Dark Reading, Talos, Security Boulevard) 

**Can’t get enough Talos? **

*   Network Infrastructure Is A Prime Target For Cyber Threats 
*   North Korean hackers using Log4J vulnerability in global campaign 
*   Video: Talos 2023 Year in Review highlights 
*   CCQ explores cybersecurity strategies for managing and responding to industrial incidents 
*   CW39 Houston: Protect Yourself from Cyber Attack 
*   Lazarus exploit Log4Shell vulnerability to deliver novel RAT malware 

**Upcoming events where you can find Talos **

**NIS2 Directive: Why Organizations Must Act Now to Ensure Compliance and Security** **(Jan. 11, 2024, 10 a.m. GMT)** 

Virtual 

> _The NIS2 Directive is a crucial step toward securing Europe’s critical infrastructure and essential services in an increasingly interconnected world. Organizations must act now to prepare for the new requirements, safeguard their operations, and maintain a robust cybersecurity posture. Gergana Karadzhova-Dangela from Cisco Talos Incident Response and other Cisco experts will talk about how organizations can best prepare for the coming regulations._  

**Most prevalent malware files from Talos telemetry over the past week **

**SHA 256:** 00ab15b194cc1fc8e48e849ca9717c0700ef7ce2265511276f7015d7037d8725   
**MD5:** d47fa115154927113b05bd3c8a308201    
**Typical Filename:** mssqlsrv.exe   
**Claimed Product:** N/A     
**Detection Name:** Trojan.GenericKD.65065311 

**SHA 256:** 5e537dee6d7478cba56ebbcc7a695cae2609010a897d766ff578a4260c2ac9cf   
**MD5:** 2cfc15cb15acc1ff2b2da65c790d7551   
**Typical Filename:** rcx4d83.tmp   
**Claimed Product:** N/A     
**Detection Name:** Win.Dropper.Pykspa::tpd  

**SHA 256:** 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507    
**MD5:** 2915b3f8b703eb744fc54c81f4a9c67f    
**Typical Filename:** VID001.exe    
**Claimed Product:** N/A    
**Detection Name:** Win.Worm.Coinminer::1201 

**SHA 256:** 5a6b089b1d2dd66948f24ed2d9464ce61942c19e98922dd77d36427f6cded634   
**MD5:** 05436c22388ae10b4023b8b721729a33   
**Typical Filename:** BossMaster.txt   
**Claimed Product:** N/A   
**Detection Name:** PS1.malware.to.talos 

**SHA 256:** 975517668a3fe020f1dbb1caafde7180fd9216dcbf0ea147675ec287287f86aa   
**MD5:** 9403425a34e0c78a919681a09e5c16da   
**Typical Filename:** vincpsarzh.exe   
**Claimed Product:** N/A   
**Detection Name:** Win.Dropper.Scar::tpd

A personal Year in Review to round out 2023

The 2023 Talos Year in Review is full of insights on how the threat landscape has evolved. But what does that mean for defenders? This blog contains recommendations on how to gain more visibility across your network.

Thursday, December 14, 2023 07:21

The Talos Year in Review is available now and contains a wealth of insights about how the threat landscape has shifted in 2023. With new ransomware strains emerging from leaked source code, commodity loaders adding more reconnaissance measures to their belts, and geopolitical events influencing APT activity, there’s a lot to dissect.

From a defender’s point of view, what does that mean heading into 2024? Do you need to consistently shift tactics too, to stay one threat ahead? 

The thing is, we will never be “done” with cybersecurity. There will always be new threat actor groups. New strains. New tactics. And even if the defender community dismantles a botnet, like for example the takedown of Qakbot in August, it doesn’t mean the group behind it will cease to operate. We’ll never reach that scenario in the game of Battleship when you’ve found the final target and smugly mutter, “This is your last boat.”

There’s two ways of looking at that. You can either say, “What’s the point?” Or “We know we’ll probably get hit at some point. What can we do to ensure we eradicate the threat as quickly as possible?” So much of cybersecurity is about balancing and reducing risk. Knowing what risks you can accept, and what risks you absolutely can’t. 

That base visibility is key. As we at Talos commonly say, whomever knows the network best, owns the network.

For example, Veradigm, a healthcare IT organization that the Cisco Talos Incident Response (Talos IR) team has been working alongside for many years to proactively assess and constantly improve their security posture, recently detected an intrusion and potential information-stealing attack. Luckily, their preparedness coupled with their Talos IR partnership enabled them to swiftly pinpoint the issues before bad actors could execute their plan.

The key to Veradigm’s successful response? Visibility across the network, having a clear plan, and being able to answer these four questions as quickly as possible:

·      How did they get in?

·      Are they still in?

·      What did they do?

·      How could they get in again?

Veradigm has also participated in multiple Talos IR tabletop exercises to stress test processes and adjust as needed to respond and succeed more quickly.

Aligned to that, experts from across Cisco recently sat down to discuss proactive threat hunting in general, and the benefits this type of activity can have to help organizations find vulnerabilities and weak points that hadn't been spotted before. Check out the discussion below:

One of the newer cross-regional trends we observed this year (and wrote about in the 2023 Year in Review) is an increase in the targeting of network devices, from both APTs and cybercriminals. The intent can differ between these disparate adversaries: the former is more driven by espionage and secondary target selection while the latter aims more for financial gain.

Both groups rely on exploiting recently disclosed vulnerabilities as well as weak/default credentials. This is one of the reasons why use of valid accounts was a top MITRE ATT&CK technique observed this year, and consistently a top weakness in Talos Incident Response engagements.

Patching isn't easy, and isn't necessarily without risk. It all comes back to that balance again.

We got a question on the Reddit AMA thread that we ran earlier this week, about the difficulties of patching network infrastructure. I thought my colleague Lexi DiScola's response was such a good one I wanted to highlighted it here.

The question was, "Eventually these \[networking\] devices may get patched, but not without a significant planned downtime, ranting from org leaders, and/or hesitation from the networking team (if there is one). Especially in larger orgs, where the number of devices may be in the hundreds or thousands. What have you observed to be the biggest barriers to patch management that you see regarding network devices?"

Here was Lexi's answer:

> "One of the biggest barriers in securing these devices is that they are often not prioritized by security teams - whether that be for the reasons you listed, and/or because there is a lack of awareness around the significant level of access they can enable. As there is often limited monitoring of these devices, security teams may not even realize they are being leveraged as initial access vectors during large scale intrusions. This lack of awareness is further highlighted by the fact that many of these devices are vulnerable due to organizations using default passwords and configurations, vulnerabilities that are often quickly remediated in other network infrastructure. We recommend organizations improve monitoring and defensive measures for these devices, patch security flaws, remediate insecure default configurations, and improve employee awareness."

In terms of other recommendations based on the trends in the Year in Review Report? Well, if you thought you were about to read a blog about security recommendations without the mention of multi-factor authentication, I’m sorry to break it to you, because that’s about to happen. MFA really is one of the best things you can do to limit your threat surface.

In this episode of the Talos Takes podcast, we address the basics of implementing MFA in any environment, why any type of MFA is better than no MFA, the pitfalls of certain types of authentication, and whether going passwordless is the future. 

Read the full Year in Review below (no form filling necessary!):

Recommendations that defenders can use from Talos’ Year in Review Report

The company’s regular set of advisories has included a vulnerability that’s been actively exploited in the wild in 10 months this year.

Tuesday, December 12, 2023 14:45

Microsoft’s monthly security update released Tuesday is the company’s lightest in four years, including only 33 vulnerabilities. 

Perhaps more notable is that there are no zero-day vulnerabilities included in December’s Patch Tuesday, a rarity for Microsoft this year. The company’s regular set of advisories has included a vulnerability that’s been actively exploited in the wild in 10 months this year.  

However, there are four critical vulnerabilities that Microsoft released patches, three of which could lead to remote code execution. The remainder of this month’s vulnerabilities are considered “important.” Thirty-three vulnerabilities are the lowest number included in a Patch Tuesday since December 2019.  

Two of the critical vulnerabilities are CVE-2023-35630 and CVE-2023-35641, which exist in the Internet Connection Sharing (ICS) service on certain versions of Windows 10, 11 and Windows Server. An attacker could exploit these vulnerabilities to execute code on the targeted machine by modifying an option -> length field in a DHCPv6 DHCPV6\_MESSAGE\_INFORMATION\_REQUEST input message. However, this attack is limited to systems connected to the same network segment as the attacker. 

Another critical remote code execution vulnerability is CVE-2023-35628, which exists in the Windows MSHTML Platform. The MSHTML platform is used in different web browsers, including Microsoft Edge, and other web applications through its WebBrowser control.  

An adversary could exploit this vulnerability by sending a specially crafted email that triggers automatically when the Microsoft Outlook client retrieves and processes it. This means the vulnerability could be triggered before the user even opens the email in the Preview Pane. Alternatively, an attacker could also put a malicious hyperlink in an email and trick the user into clicking on the link.  

There are also a few vulnerabilities Microsoft considers “important” that Talos would like to highlight because of their specific attack vectors.   

There is an information disclosure vulnerability (CVE-2023-35636) in Microsoft Outlook that could lead to the leaking of NTLM hashes. Attackers commonly use NTLM hashes in follow-on attacks, such as pass-the-hash. An adversary could exploit this vulnerability by tricking the user into opening a specially crafted file, such as a lure document attached to a phishing email, or a file hosted on an attacker-controlled page they trick the user into opening in their web browser. 

Windows Media also contains a remote code execution vulnerability that can be triggered if the user opens a specially crafted file. CVE-2023-21740 is considered “low” complexity by Microsoft, and because it’s in Windows Media Player, a potential attack vector could be ripped movies, episodes of television shows or home videos that could serve as convincing lures for targets.  

A complete list of all the other vulnerabilities Microsoft disclosed this month is available on its update page. 

In response to these vulnerability disclosures, Talos is releasing a new Snort rule set that detects attempts to exploit some of them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Cisco Secure Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. 

The rules included in this release that protect against the exploitation of many of these vulnerabilities are 62762 - 62771, 62786 and 62787. There are also Snort 3 rules 300774, 300777, 300778, 300780, 300781, 300784 and 300787.

Microsoft releases lightest Patch Tuesday in three years, no zero-days disclosed

Our latest findings indicate a definitive shift in the tactics of the North Korean APT group Lazarus Group.