Syncro, a remote management and monitoring tool, emerges as an increasingly common tool for adversaries.
By Caitlin Huey.
Ransomware continued to be a top threat Cisco Talos Incident Response (Talos IR) responded to this quarter, with appearances from both previously seen and newly observed ransomware families. However, IR also observed

Thursday, January 26, 2023 04:01

Syncro, a remote management and monitoring tool, emerges as an increasingly common tool for adversaries.

_By_ _Caitlin Huey__._

Ransomware continued to be a top threat Cisco Talos Incident Response (Talos IR) responded to this quarter, with appearances from both previously seen and newly observed ransomware families. However, IR also observed a significant number of cases in which post-exploitation activities occurred where the actor’s motivation could not be determined. For example, phishing campaigns, our top initial-access vector this quarter, were equally as common and featured a variety of post-exploitation activities, including command execution to perform credential harvesting, red-teaming framework deployment and remote access tooling installation.

This quarter also featured several engagements where adversaries leveraged Syncro, a legitimate and full-featured remote access platform. Syncro was among many other remote access and management tools, including AnyDesk and SplashTop, that adversaries leveraged to establish and maintain remote access to compromised hosts. The use of Syncro to support a number of operations is consistent with a key finding from the Talos’ 2022 Year in Review, which reported that adversaries are increasingly relying on dual-use tools to stay undetected in victim environments.

**Targeting**

The telecommunications sector was the most targeted this quarter, closely followed by the education and manufacturing sectors, respectively. Telecommunications was a consistently top-targeted vertical in Talos IR engagements in 2022, apart from Q3, in which organizations in the education sector were most targeted.

**Ransomware**

Talos IR observed the BlackCat (ALPHV) ransomware, a ransomware family consistently seen in incidents throughout 2022, in a few engagements this quarter. This quarter also featured Royal ransomware, which had not previously been observed in Talos IR engagements. First emerging in early 2022 as a suspected Conti rebrand, Royal has been increasingly observed in attacks since September, according to public reporting.

This quarter Talos IR responded to an incident involving Royal ransomware. The group did not start posting victim data, which has been used as a means of extortion for over 50 companies globally spanning multiple business verticals, to their Tor leaks site until September 2022. In one Royal ransomware incident, Talos IR identified the affiliate(s) using red team frameworks such as Cobalt Strike and Mimikatz, and by performing mass uninstallation of security software across the environment. Talos IR also observed both the legitimate utility PsExec executing a shell on a remote share on one host, as well as AnyDesk service’s creation for persistence. The actor also used batch script files for persistence to perform various actions such as adding admin accounts using the “net user /add” command, executing commands to boot in Safe Mode and modifying the registry.

The emergence of Royal ransomware, as a suspected rebrand of Conti, which shut down its operations in June 2022, highlights the resilience of ransomware actors following the shut down and/or rebrand of high-profile groups. Royal’s appearance in an engagement this quarter coincided with increased public reporting on a malware downloader, dubbed BatLoader, which has delivered Cobalt Strike Beacon implants that distributed Royal ransomware. Researchers identified several attributes within the BatLoader attack chain that are similar to activity linked to Conti. The overlaps between the two include shared indicators of compromise (IOCs) and tactics, techniques and procedures (TTPs) such as the use of the Atera agent for remote access, as well as an IP address used by Conti affiliates in a campaign leveraging Log4j. While the exact relationship between Conti and BatLoader is still unknown, this nexus may suggest BatLoader’s potential for adoption by multiple ransomware operators/affiliates. Additionally, BatLoader’s incorporation of Royal as a primary ransomware payload likely indicates Royal rising in prominence as operators look to incorporate new threats and techniques to carry out financially motivated operations that will help them remain effective.

**Adversaries increasingly relying on Syncro**

Talos IR observed the Syncro remote management and monitoring (RMM) tool used in nearly 30 percent of engagements, a significant increase compared to previous quarters. Syncro is a commercially available RMM solution that advertises remote desktop access, remote registry editor, remote event viewer and more. Talos IR observed Syncro used as part of attack chains supporting multiple threats this quarter, including BatLoader. Syncro was also distributed in phishing campaigns to gain access to newly-compromised accounts. While the reason for Syncro’s increased usage is unknown, its use as a full-featured remote access platform for managed service providers (MSPs) and its ubiquity across enterprise environments likely makes it an attractive option.

First discovered in February 2022, BatLoader uses legitimate tools, like Syncro and the Atera remote access software, to maintain access to infected systems. Since October 2022, Talos has observed a general uptick in our endpoint telemetry and Talos IR investigations associated with BatLoader, which deploys a variety of secondary malware payloads including the Vidar information stealer and the commodity loader Ursnif/Gozi. In one BatLoader engagement, the initial access vector relied on phishing and/or search engine optimization (SEO) poisoning to lure users to download the malware from attacker-created websites. This is consistent with public reporting on typical BatLoader infections. After initial access was established, the BatLoader infection chain leveraged multiple PowerShell and batch scripts to download tools and components needed for subsequent stages of the attack.

In another incident, Talos IR identified legitimate accounts sending phishing emails with email subjects that translated from Arabic to “Staff Promotion.” The emails contained OneDrive and OneHub phishing links with a compressed Microsoft Windows Installer (MSI) file that would install Syncro. The adversary attempted to use Syncro to stay connected to the targeted user’s workstation. During analysis of the MSI file, multiple Syncro services were installed, including SyncroRecovery (SyncroLive) and SyncroOvermind. The adversary’s tactics appeared to focus on maintaining initial access through installation of Syncro. The lack of two-factor authentication (2FA) for email access allowed the adversary to perform phishing attacks, highlighting the need to ensure multi-factor authentication (MFA) across all critical assets.

Talos IR also observed Syncro installed as part of post-compromise behavior after successful phishing attacks established initial access. In a Qakbot engagement, a phishing email contained a malicious password-protected ZIP file that, when opened, contained an ISO file detected as Qakbot. The adversary was able to crack a weak password for a service account, then used the compromised account to deploy installers for remote access tools Syncro and SplashTop. Active Directory (AD) mapping tools such as ADFind and SharpHound were also identified when a compromised host attempted to access “SharpHound.exe” in the Downloads folder. Shortly after, the adversary created a new folder for the purpose of placing and staging additional tooling.

**Initial vectors**

This quarter, nearly 40 percent of engagements featured phishing emails used as a means to establish initial access, followed by user execution of a malicious document or link. In many engagements, valid accounts and/or accounts with weak passwords also helped facilitate initial access whereby the adversary leveraged compromised credentials. It is important to note that for the majority of incidents, Talos IR could not reasonably determine the initial vector because of logging deficiencies or a lack of visibility into the affected environment.

Talos IR continues to observe threats consistently seen across quarters, including attempts to take advantage of weaknesses or vulnerabilities in public-facing applications. In one engagement, the adversary entered the environment through an exposed Microsoft Remote Desktop Services (RDS) web application. After gaining access, the adversary took over service accounts via a successful Kerberoasting attack. Talos IR identified several script files that contained credentials for various user accounts, many of which had been hard-coded into the scripts themselves. ZIP files were also created shortly after the scripts, suggesting possible data staging activity. Talos IR believes the adversary was able to enter the environment using stolen credentials obtained through a previous phishing campaign against a user account, highlighting the need for user training and password reset policies, especially following suspected phishing attacks.

**Security weaknesses**

Lack of MFA remains one of the biggest impediments for enterprise security. Nearly 30 percent of engagements either had no MFA or only had it enabled on a handful of accounts and critical services. Talos IR frequently observes ransomware and phishing incidents that could have been prevented if MFA had been properly enabled on critical services, such as endpoint detection response (EDR) solutions or VPNs. To help minimize initial access vectors, Talos IR recommends disabling VPN access for all accounts that are not using two-factor authentication.

In all of the ransomware engagements that closed out this quarter, PsExec was used to facilitate lateral movement or execute the final ransomware executable. Talos IR recommends that organizations disable PsExec, as well as access to administrative shares, to limit lateral movement. Additionally, organizations should consider use of Microsoft AppLocker to block tools and files that have been consistently leveraged by adversaries. This helps to create another layer of enforcement for any known malicious or often-misused files.

**Top-observed MITRE ATT&CK techniques**

The table below represents the MITRE ATT&CK techniques observed in this quarter’s Talos IR engagement. Given that some techniques can fall under multiple tactics, we grouped them under the most relevant tactic in which they were leveraged. Please note, this is not an exhaustive list.

Key findings from the MITRE ATT&CK appendix include:

*   Legitimate remote access and management software, such as AnyDesk and TeamViewer, were leveraged in over 35 percent of engagements this quarter.
*   In every ransomware engagement this quarter, PsExec was used to facilitate lateral movement or execute the ransomware executable.
*   Phishing emails with malicious links and/or attachments were the top initial access vector this quarter, seen in nearly 40 percent of engagements. User execution of a malicious file or link would subsequently lead to a variety of malicious threats, including execution of commodity malware such as Qakbot.

Tactic 

Technique 

Example 

Initial Access (TA0001) 

T1078 Valid Accounts  

Adversary leveraged stolen or compromised credentials  

Reconnaissance (TA0043) 

T1592 Gather Victim Host Information 

Text file contains details about host 

Persistence (TA0003) 

T1136 Create Account 

Created a user to add to the local administrator’s group 

Execution (TA0002) 

T1059.001 Command and Scripting Interpreter: PowerShell  

Executes PowerShell code to retrieve information about the client's Active Directory environment 

Discovery (TA0007) 

T1046 Network Service Scanning   

Use a network or port scanner utility  

Credential Access (TA0006) 

T1003 OS Credential Dumping 

Deploy Mimikatz and publicly available password lookup utilities 

Privilege Escalation (TA0004)  

T1484 Domain Policy Modification   

Modify GPOs to execute malicious files  

Lateral Movement (TA0008) 

T1021.001 Remote Desktop Protocol  

Adversary made attempts to move laterally using Windows Remote Desktop 

Defense Evasion (TA0005) 

T1027 Obfuscated Files or Information 

Use base64-encoded PowerShell scripts 

Command and Control (TA0011) 

T1219 Remote Access Software   

Remote access tools found on the compromised system   

Impact (TA0040) 

T1486 Data Encrypted for Impact  

Deploy Hive ransomware and encrypt critical systems 

Exfiltration (TA0010) 

T1048.003 Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol  

Use WinSCP for potential exfiltration of system information   

Collection (TA0009) 

T1560.001 Archive Collected Data: Archive via Utility  

Adversary leveraged xcopy on Windows to copy files  

Software/Tool 

S0002 Mimikatz 

Use Mimikatz to obtain account logins and passwords

Quarterly Report: Incident Response Trends in Q4 2022

One of the most closely watched security startups continues to build bank because its platform appeals to both developers and security pros.

Developers, security professionals, and investors all find something to like about Snyk and its developer security platform, which helps organizations mitigate their risk of exposure to software supply chain attacks.

After closing $196.5 million in Series G investment late last month, Snyk on Tuesday said it secured an additional $25 million from ServiceNow. ServiceNow's investment brings the total amount Snyk has secured to $1.4 billion since 2020.

During those three years, the company behind the developer security platform has been adding on customers. Snyk claims its revenues last year grew 100%, with net revenue retention growing 130%. Snyk reports that it closed out 2022 with over 2,300 customers who remediated more than 5.1 million vulnerabilities. Identity verification provider Veriff ranked Snyk first in an analysis of security startups based on funding amounts, number of investors, employee counts, Twitter following, and the uniqueness of the product portfolio.

**Integrating Snyk With ServiceNow**

Following this investment, ServiceNow will embed Snyk's open source software component analysis (SCA) and intelligence tools into ServiceNow's Vulnerability Response. While Snyk can boost ServiceNow's vulnerability detection capabilities, its developer-focused tools can bring Snyk to more DevSecOps organizations.

"Snyk's vision is all the way from code to cloud, and cloud is really code," Snyk chief product officer Manoj Nair says. "We get people to build security in from the start, rather than putting firewalls and scanners and all that after the fact to catch what's wrong."

ServiceNow VP and general manager of security products Lou Fiorello envisions the Snyk platform extending his company's vulnerability detection capabilities. "This significantly furthers ServiceNow's ability to provide a single view into vulnerabilities across the enterprise technology environment, driving workflows to better prioritize and expedite vulnerability management," Fiorello said in a statement.

**Appealing to Developers and Security Professionals**

Founded in 2015, Snyk has stood out amid escalating growth in software supply chain attacks. Snyk's Developer Security Platform helps organizations reduce the risk of an attack by letting those who build container-based applications generate software bills of materials (SBOMs) during the development process.

"Snyk has been successful at building security tools that the developers like," says Enterprise Strategy Group senior analyst Melinda Marks. Marks emphasizes that developers find especially appealing Snyk's tools to test open source code using SCA and to scan infrastructure as code.

"Snyk was a pioneer in the developer-first security category," she adds. "It's very easy for developers to use while giving security teams visibility and control for setting policies and related functions."

The ServiceNow announcement is significant, Marks adds, given how many large enterprises use ServiceNow for IT service management. ServiceNow says it serves 80% of Fortune 500 companies and approximately 7,400 enterprise customers.

**Recent Security Moves**

Organizations are increasingly looking at how to efficiently make SBOMs, especially in light of software supply chain attacks, vulnerabilities such as Log4j, and government mandates. In November, Snyk released an update to make it easier to automatically generate SBOMs during the software build process. Snyk added a "developer-first" API and command-line interface (CLI) to create SBOMs, which the company says provides broader visibility into customers' complete software supply chains.

Snyk also released an SBOM Checker, a free tool that scans SBOMs for vulnerabilities. Snyk also has added Bomber Integration, which scans SBOMs with the open-source Bomber application, testing them against its open source Snyk Vulnerability Database.

In November, Snyk Cloud — the outgrowth of the company's acquisition of Fugue last year — went live. Snyk Cloud has a common policy engine designed to ensure organizations' cloud applications are secure before deploying them.

"Snyk Cloud will help you secure your cloud environment with common policies for infrastructure code and cloud deployments," Nair said during the November launch event. "Taking a code-centric approach to find and fix cloud issues is something that we were fundamentally focused on."

Snyk Gets Nod of Approval With ServiceNow Strategic Investment

Don't make perfect the enemy of good in vulnerability management. Context is key — prioritize vulnerabilities that are actually exploitable. Act quickly if the vulnerability is on a potential attack path to a critical asset.

The widespread vulnerability that first appeared in Apache Log4j in 2021 will continue to be exploited, potentially even in worse ways than we've seen to date. The more worrisome aspect of these threats is that there's a good chance they'll continue to be exploited months or years into the future.

The Department of Homeland Security's Cyber Safety Review board debuted in 2021, and in 2022 released its inaugural safety report (PDF). In it, the board called Log4j an "endemic vulnerability," chiefly because there isn't a comprehensive "customer list" for Log4j, making keeping up with vulnerabilities a near-impossible task. One federal Cabinet department even spent 33,000 hours on its Log4j response.

And many organizations and security solutions on the market fail to identify the difference between exploitability and vulnerability — leaving an opportunity for attackers to carry out malicious activity.

**Exploitability vs. Vulnerability**

One of the key issues with cybersecurity today is understanding the difference between vulnerabilities and their severity. When it comes to measuring exploitability versus a vulnerability, there's a big difference between whether a security threat is exploitable within your business or if it's just "vulnerable" and cannot hinder the business or reach a critical asset. Security teams spend too much time not understanding the difference between the two and fix each vulnerability as it comes, instead of prioritizing those that are exploitable.

Every company has thousands of common vulnerabilities and exposures (CVEs), many of which score high on the Common Vulnerability Scoring System (CVSS), so it's impossible to fix them all. To combat this, the hope is that risk-based vulnerability management (RBVM) tools will make prioritization easier by clarifying what is exploitable.

However, security prioritization approaches that combine CVSS scores with RBVM threat intel don't provide optimal results. Even after filtering and looking just at what is exploitable in the wild, security teams still have too much to handle because the list is long and unmanageable. And just because a CVE doesn't have an exploit today doesn't mean that it won't have one next week.

In response, companies have been adding predictive risk AI, which can help users understand if a CVE might be exploited in the future. This still isn't enough and leads to too many issues to fix. Thousands of vulnerabilities will still show to have an exploit, but many will have other sets of conditions that have to be met to actually exploit the problem.

For example, with Log4j, the following parameters need to be identified:

*   Does the vulnerable Log4j library exist?
*   Is it loaded by a running Java application?
*   Is the JNDI lookup enabled?
*   Is Java listening to remote connections, and is there a connection for other machines?

If the conditions and parameters aren't met, the vulnerability isn't critical and shouldn't be prioritized. And even if a vulnerability could be exploitable on a machine, so what? Is that machine extremely critical, or maybe it isn't connected to any critical or sensitive assets?

It's also possible the machine isn't important yet it can enable an attacker to continue toward critical assets in stealthier ways. In other words, context is key — is this vulnerability on a potential attack path to the critical asset? Is it enough to cut off a vulnerability at a chokepoint (an intersection of multiple attack paths) to stop the attack path from reaching a critical asset?

Security teams hate vulnerability processes and their solutions, because there are more and more vulnerabilities — nobody can ever fully wipe the slate clean. But if they can focus on what can create _damage_ to a critical asset, they can have a better understanding of where to start.

**Combating Log4j Vulnerabilities**

The good news is that proper vulnerability management can help reduce and fix the exposure to Log4j-centric attacks by identifying where the risk of potential exploitation exists.

Vulnerability management is an important aspect of cybersecurity and is necessary for ensuring the security and integrity of systems and data. However, it's not a perfect process and vulnerabilities can still be present in systems despite best efforts to identify and mitigate them. It's important to regularly review and update vulnerability management processes and strategies to ensure that they are effective and that vulnerabilities are being addressed in a timely manner.

The focus of vulnerability management should not only be on the vulnerabilities themselves, but also on the potential risk of exploitation. It is important to identify the points where an attacker may have gained access to the network, as well as the paths they may take to compromise critical assets. The most efficient and cost-effective way to mitigate the risks of a particular vulnerability is to identify the connections between vulnerabilities, misconfigurations, and user behavior that could be exploited by an attacker, and to proactively address these issues before the vulnerability is exploited. This can help to disrupt the attack and prevent damage to the system.

You should also do the following:

*   **Patch:** Identify all your products that are vulnerable to Log4j. This can be done manually or by using open source scanners. If a relevant patch is released for one of your vulnerable products, patch the system ASAP.
*   **Workaround:** On Log4j versions 2.10.0 and above, in the Java CMD line, set the following: log4j2.formatMsgNoLookups=true
*   **Block:** If possible, add a rule to your Web application firewall to block: "jndi:"

Perfect security is an unachievable feat, so there's no sense making perfect the enemy of good. Instead, focus on prioritizing and locking down potential attack paths that continuously improve security posture. Identifying and being realistic about what actually is vulnerable versus what is exploitable can help do this, since it will allow the ability to strategically funnel resources toward critical areas that matter the most.

Log4j Vulnerabilities Are Here to Stay — Are You Prepared?

Some predictions about impending security challenges, with a few tips for proactively addressing them.

Cloud transformation has become a strategic advantage for many organizations, providing convenience, cost savings, and near-permanent uptimes compared with on-premises infrastructure. At the same time, the move to cloud has also increased the attack surface, resulting in an uptick in criminal activity targeting cloud environments. As we roll into 2023, fears about a potential recession and a corresponding desire to cut costs are renewing urgency to move to the public cloud.

For organizations to successfully secure cloud environments, they must understand the critical risks that can be exploited by attackers to infiltrate cloud environments. As with legitimate activity in the cloud, attackers continue to evolve their approaches, so the challenges faced in 2023 will be different than those faced in 2022 and prior. Here are my top 2023 predictions.

**Multicloud Environments Will Continue to Compound Security Challenges**

Multicloud offers numerous benefits, from avoiding vendor lock-in to reliability, agility, and cost-efficiency. At the same time, however, it brings additional layers of complexity, particularly regarding security management. According to a recent report, 78% of organizations deploy applications on more than three public clouds.

Moreover, the number of services available from the top three public cloud providers (Amazon Web Services, Azure, and Google) is expected to surpass 1,000, up from 750 today. In an effort to embrace agility and innovation, security practitioners will need to find ways to support these news services as soon as they are available.

With each cloud provider's unique capabilities enhanced and expanded almost daily, organizations will have to invest in automated tools that map new services to security and compliance frameworks, like NIST, CIS, and others.

**Securing Developer Environments Will Become the Most Critical Component**

The continuous growth and diversity of application deployments are creating an extensive attack surface for malicious actors. We have seen cybersecurity incidents like SolarWinds, Kaseya, and Spring4Shell significantly impact organizations.

On the other hand, we also see issues like Log4j, which recently demonstrated how many organizations can be impacted due to software vulnerabilities. Hence, we expect securing developer environments will become one of the most critical components for organizations in 2023.

**DevSecOps Tool Sprawl Will Begin to Consolidate**

According to Gartner, of those organizations that have implemented a DevSecOps pipeline for cloud security, "these organizations have manually stitched together DevSecOps with 10 or more disparate security tools — some old and some new — each with siloed responsibility and view of application risk."

Recognizing the overhead with managing so many tools, and the challenges with achieving consistent policies across cloud providers and services, information security teams will increasingly standardize on broader platforms, such as cloud-native application protection platforms, at the expense of point products, such as cloud security posture management, infrastructure-as-code scanners, and cloud workload protection platforms.

**Focused Approach for Data Protection**

Monitoring data across multicloud environments has been an unsolved problem for a couple of years for most organizations. When production workloads are moved between multiple public cloud environments, it becomes difficult to track data or access permissions. Tools for cloud service providers have limitations to secure data in multicloud environments.

In 2023, organizations need to adopt new tool sets and new mindsets, and make a greater effort to detect, classify, and enforce policies to secure sensitive data. We expect data protection to be at the center of the cloud security strategy to avoid increasingly high-profile, complex cyberattacks and data breaches.

**Do More With Less**

The current economic climate is pointing toward a trend of tighter budgets in 2023. To combat this challenge, leaders will be consolidating tools, processes, and expertise with a more collaborative approach. We'll see wider use of cross-functional teams with even greater ROI focus to boost efficiency and reduce complexity.

**Cybersecurity Hiring Will Remain a Challenge**

According to the (ISC)2 2022 Cybersecurity Workforce Study, there is a shortage of 3.4 million cybersecurity workers worldwide. With limited staff, we expect security leaders to emphasize security automation with risk-based prioritization.

**How to Stay Safe in 2023**

Based on our experience of investigating attacks and related incidents, we believe that security leaders need to focus on the following tactics and techniques:

*   Cloud security approach and strategy: With the prevalence of large-scale cloud-native deployments, adopting a more modern, agile, and integrated cybersecurity approach is mission-critical.

*   Select the right tooling: Shifting to robust security with the right solutions and level of expertise, over security layers and threat intelligence.

*   Prioritizing visibility: Gain insight and control over the complex cloud environment covering threats, risks, and vulnerabilities in the cloud.

*   Data security in focus: Secure data in large, dispersed environments with strategic integrated data protection and DLP approach.

*   Threat intelligence, advanced correlation, and machine-learning techniques: Use a combination of advanced techniques to stay ahead of bad actors and proactively reduce risk.

*   Automate and maintain continuous compliance standards.

*   Team collaboration: Distribute and delegate security responsibilities using automation across the organization.

Multicloud Security Challenges Will Persist in 2023

In this section, we provide an overview of the general threat landscape throughout 2022 and major trends based on telemetry sets gathered across Talos.

Tuesday, January 24, 2023 09:01

While our ongoing support to Ukraine and response to the Log4j vulnerabilities were two of our most comprehensive and impactful efforts in 2022, we also dealt with a multitude of other threats as the security community faced an expanding set of adversaries and malware. In January, we identified several emerging trends that we expected would affect or dominate the threat landscape in 2022, many of which ultimately played out as significant events this year. In this section, we provide an overview of the general threat landscape throughout 2022 and major trends based on telemetry sets gathered across Talos, including:

*   Behavioral indicators from Secure Malware Analytics.
*   Snort and ClamAV alerts .
*   Behavioral Protections (BPs) from Cisco Secure Endpoint.
*   Case studies from CTIR engagements.

Visit the Year in Review page for the full report, with topic summary reports, livestreams, podcasts, and other content starting December 14th.  New content will be added with each topic summary release through February.  You can access the full 2022 Cisco Talos Year in Review report directly here:

Threat Landscape Topic Summary Report: Cisco Talos Year in Review 2022

Vulnerability in the Oracle Demantra Demand Management product of Oracle Supply Chain (component: E-Business Collections).  Supported versions that are affected are 12.1 and  12.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Demantra Demand Management.  Successful attacks of this vulnerability can result in  unauthorized creation, deletion or modification access to critical data or all Oracle Demantra Demand Management accessible data. CVSS 3.1 Base Score 7.5 (Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N).

CVE-2023-21850: Oracle Critical Patch Update Advisory - January 2023

In 2022, multiple high-profile vulnerabilities like Log4j and OpenSSL provided important takeaways for future public reporting.

As we pass the first anniversary of the Log4j vulnerability disclosure, it's a timely reminder that when a vulnerability is serious, it deserves our utmost attention. Organizations taking vulnerability disclosure more seriously is a net positive for the industry, especially because patching is so vital for basic cyber hygiene and accountability.

But, when a vulnerability is overblown or overpromoted, it can misguide the security community and distract from other more serious incidents — or cause other serious problems, like alert fatigue.

As public vulnerability disclosure becomes more commonplace for researchers, vendors, and the broader security community, the question of "when to panic or not panic?" is important. Here are some key lessons for approaching vulnerability management.

**1\. Distinguish Between Noise and Necessity**

For security experts and the media alike, it's imperative to determine when something is critical and when an issue might be overblown. According to research, the Log4j vulnerability Log4Shell could potentially impact 72% of organizations, and it was coined an "endemic vulnerability" by the US Cybersecurity and Infrastructure Security Agency.

Months later, the Text4Shell vulnerability was disclosed. Media and researchers alike wondered if it was "the next Log4Shell." But the vulnerability was proven to have a much lower impact and was much less severe.

This is one example of a gray area between ensuring something is well-broadcast and its actual impact. Being able to make this distinction can help prevent alert fatigue, which has been associated with security staff burnout and is costly to a company due to direct expenditures spent responding to these alerts, including initial triage.

In another case, if a vulnerability is originally thought to be more severe, it could be overblown. For example, a vulnerability in OpenSSL disclosed in December generated significant attention due to the ubiquity of OpenSSL inside many products to enable Transport Layer Security (TLS).

This one may have been overhyped because of the last significant vulnerability in the software in 2014: Heartbleed. Given this past, when it was announced that the new vulnerability's severity level was critical, people were understandably concerned.

But the hype around the latest OpenSSL vulnerability turned out to be kind of a non-event. At the time of release, the two CVEs (common vulnerabilities and exposures) were downgraded from critical to high. This hype wound up being a distraction because it actually led to a more complicated ConnectWise vulnerability being under-covered. The ConnectWise vulnerability had the potential to be more harmful and impact nearly 5,000 servers.

**2\. Communicate and Mitigate Risk**

Communicating risk will always have to be a collaborative effort because it happens in so many channels. Organizations post on their own websites and forums, the government issues bulletins, and the InfoSec community is particularly active on social media — researchers sometimes "scoop" vendors before they can release details about the vulnerability or mitigations themselves.

Often, there exists an educational gap between deeply technical security researchers and IT professionals and the broader business community. This disconnect results in organizations not knowing the right steps to take when a vulnerability is publicly disclosed.

**3\. Follow the Data**

The Common Vulnerability Scoring System provides a qualitative measure of the severity of cybersecurity vulnerabilities, and ratings can range from 0 to 10. It is one resource that can help us compare the vulnerability at hand to the rate of "noise" in the community. Leaning on data and hard numbers can help ensure we're paying attention to what really matters.

There are other risk-scoring models to help organizations prioritize vulnerabilities. To address the specific needs of cyber-insurance underwriting, Coalition offers the Coalition Exploit Scoring System (CESS) to help organizations prioritize vulnerability mitigation. CESS is powered by a set of machine learning models that assign severity scores to vulnerabilities based on multiple features — the description, social mentions, incident data, honeypot exploitation, and similarity to previous vulnerabilities — and measures the potential, or how likely it is, that attackers will actually exploit the CVE. This way, organizations can prioritize responses and resources according to their threat level.

Think of the CESS score as a percentile regarding severity and likelihood of exploitation. Our threshold of deeming an exploit "critical" is 0.7 or 70%. For example, CESS ranked the new OpenSSL vulnerability as 0.66 in our percentile scale, with a 1.0 being 100%. Our threshold for significance to notify policyholders is 0.7 or 70%. This slight 0.4 decile difference is actually really helpful in understanding the thousands of vulnerabilities that exist and helps cut through the noise of the hundreds publicized daily. Coalition uses CESS to prioritize which vulnerabilities policyholders should address first based on a two-pronged data approach: which vulnerabilities are the most severe and which are most likely to be exploited. Other security organizations will likely implement similar data-driven risk-scoring systems.

**How Vendors Fit In**

Vendors have a role to play in ensuring customers have a trusted source, whether communicating vulnerability severity scores or providing a balanced perspective with clear mitigation advice and updates. Vulnerability management is twofold, and the onus to resolve issues is just as much on the vendor side to communicate them properly as on the organization side to patch them efficiently.

All organizations have a responsibility when it comes to incident response and vulnerability management. Spending time educating on the technicality of how a vulnerability works and the potential exposure around technologies vulnerabilities often target can go a long way in seeing trouble before it starts.

Not everything is the "next Heartbleed" or "next Log4shell," but having the right resources in place can ensure we are ready for new security challenges without being distracted by the newest shiny object.

3 Lessons Learned in Vulnerability Management

State-sponsored or state-aligned advanced persistent threats (APTs) adapted to the changing geopolitical landscape in 2022. Cisco Talos observed several offensive cyber campaigns linked to several groups stemming from Russia, Iran, China, North Korea, and countries in the Indian subcontinent...

Tuesday, January 10, 2023 09:01

State-sponsored or state-aligned advanced persistent threats (APTs) adapted to the changing geopolitical landscape in 2022. Cisco Talos observed several offensive cyber campaigns linked to several groups stemming from Russia, Iran, China, North Korea, and countries in the Indian subcontinent. These groups engaged in a variety of malicious activities, including espionage, intellectual property theft, and deploying destructive malware. Major trends observed include:

*   Delivering new, custom malware and updated variants of previously known malware.
*   Exploiting publicly known vulnerabilities, such as Log4j utilities.
*   Updating tooling and behavior patterns to evade discovery.
*   Increasing APT activity in our Cisco Talos Incident Response (CTIR) engagements, including the Iran state-sponsored MuddyWater group and several China affiliated APTs.

Visit the Year in Review page for the full report, with topic summary reports, livestreams, podcasts, and other content starting December 14th.  New content will be added with each topic summary release through February.  You can access the full 2022 Cisco Talos Year in Review report directly here:

APT Topic Summary Report: Cisco Talos Year in Review 2022

Happy New Year and welcoem to this week's edition of the Threat Source newsletter. 
We can’t tell if it’s the fog from Lurene’s deadly eggnog or dare we say pure rest and relaxation but we’re still digging out of our

Thursday, January 5, 2023 14:01

Happy New Year and welcome to this week's edition of the Threat Source newsletter.

We can’t tell if it’s the fog from Lurene’s deadly eggnog or dare we say pure rest and relaxation but we’re still digging out of our inboxes, trying to remember logins, and circle back on all the things we prolonged into 2023. With that we’re keeping this week’s newsletter light as we all ease back into the flow of things.

**The one big thing**

Last month Talos released our Year in Review report, a comprehensive report covering Talos’ work for the 2022 year. The initial report launched December 14th with an additional Ukraine Topic Summary Report on the same day. To discuss the initial report and Ukraine section Talos held a livestream with key contributors to the report, which can be viewed here.

**Why do I care?**

We expect this data-driven story will shed some light on Cisco’s (and the security community’s) most notable successes and remaining challenges. Through the upcoming weeks, we will be highlighting different aspects of this story, including our efforts in Ukraine, the disastrous Log4j vulnerabilities, adversarial use of offensive frameworks and software native to the victim’s machine, shifts in the ransomware landscape, the ever-present threat of commodity loaders/trojans, as well as an overview of some of the advanced persistent threats (APTs) we are most concerned with. Throughout the story, one key theme is clear: _adversaries are adapting to shifts in the geopolitical landscape, actions from law enforcement, and the efforts of defenders. Defenders will need to track and address these shifts in behavior to remain resilient._

**So now what?**

While yes, we’ve moved into another new year the Talos 2022 Year in Review is the gift that keeps on giving. If you’ve yet to read the report, you can catch the cliff notes version in our four part livestream series covering the full report and corresponding topics. Join us January 10th at 12pm ET for our next livestream 2022 Year in Review: APTs on our Talos LinkedIn or Twitter page.

**Top security headlines of the week**

The not-so-bad-guys? The LockBit ransomware group apologies for attacking the Hospital for Sick Children (SickKids) after one of its members violated their rules by attacking a healthcare organization. In their apology, LockBit stated the member is blocked and no longer in their affiliate program and offered a free decryptor for the hospital to recover impacted files. (Bleeping Computer)

Meta was fined over $4 million for breaching the EU’s General Data Protection Regulation (GDPR) personal data laws on Facebook and Instagram according to Ireland’s Data Protection Commission. In a statement the commission stated Meta breached “it’s obligations in relation to transparency” and “for its processing of personal data for the purpose of behavioral advertising”. (SecurityWeek)

All was not calm over the holidays as PyTorch has recently identified a malicious dependency under the same name as the framework’s ‘torchtriton’ library. PyTorch admins are urging users who recently installed PyTorch-nightly to uninstall the framework with the counterfeit ‘torchtriton’ dependency. (SC Media)

**Can’t get enough Talos?**

2022 Year in Review Report

Beers with Talos

Talos Takes

Ukraine Topic Summary

2022 Year in Review: Ukraine livestream on demand

**Upcoming events where you can find Talos**

CactusCon (Jan 27-28)

Mesa, AZ

Cisco Live Amsterdam (Feb 6-10)

Amsterdam, Netherlands

**Most prevalent malware files from Talos telemetry over the past week**

SHA 256: 1077bff9128cc44f98379e81bd1641e5fbaa81fc9f095b89c10e4d1d2c89274d

MD5: 26f927fb7560c11e509f0b8a7e787f79

Typical Filename: Iris QuickLinks.exe

Claimed Product: Iris QuickLinks

Detection Name: W32.DFC.MalParent

SHA 256: 00ab15b194cc1fc8e48e849ca9717c0700ef7ce2265511276f7015d7037d8725

MD5: d47fa115154927113b05bd3c8a308201

Typical Filename: excel.exe

Claimed Product: N/A

Detection Name: W32.00AB15B194-95.SBX.TG

SHA 256: e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934

MD5:   93fefc3e88ffb78abb36365fa5cf857c

Typical Filename: Wextract

Claimed Product:  
Internet Explorer

Detection Name: W32.File.MalParent

SHA 256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507

MD5:  2915b3f8b703eb744fc54c81f4a9c67f

Typical Filename: VID001.exe

Claimed Product: N/A

Detection Name: Simple\_Custom\_Detection

SHA 256: 59f1e69b68de4839c65b6e6d39ac7a272e2611ec1ed1bf73a4f455e2ca20eeaa

MD5:  df11b3105df8d7c70e7b501e210e3cc3

Typical Filename: DOC001.exe

Claimed Product: n/a

Detection Name: Win.Worm.Coinminer::1201

Threat Source newsletter (Jan. 5, 2023): Digging out of our inboxes

DevOps platform advises customers to revoke API tokens

John Leyden 05 January 2023 at 14:38 UTC

DevOps platform advises customers to revoke API tokens

Developers are being urged to rotate secrets and API tokens following the discovery of a breach at popular DevOps platform CircleCI.

CircleCI, which offers a platform for continuous integration and continuous delivery of software development projects, admitted a “security incident” on Wednesday (January 4).

The vendor has launched an investigation which remains ongoing. In the meantime, and as a precaution, it is urging its software developer customers to take “preventative measures” to protect the integrity of software development projects.

RECOMMENDED Finding the next Log4j – OpenSSF’s Brian Behlendorf on pivoting to a ‘risk-centred view’ of open source development

Customers should immediately “rotate any and all secrets stored in CircleCI”, whether they are stored in project environment variables or in contexts. In addition, software development teams that rely on CircleCI should review systems logs dating back to December 21 for signs of compromise.

Lastly, in cases where software development projects use Project API tokens, software developers should invalidate existing project API tokens and replace them with freshly minted credentials.

**‘Confident’**

The nature of the apparent breach is currently unclear. However, in a statement on the incident, CircleCI said it is “confident that there are no unauthorized actors active in our systems” (perhaps implying that malign parties did have some access to its systems until the breach was detected).

CircleCI concluded by promising to keep customers “in the loop” about how its investigation was progressing.

“While we are actively investigating this incident, we are committed to sharing more details with customers in the coming days,” the vendor said.

The Daily Swig asked CircleCI to comment on the circumstances of the breach, what additional precautions it is taking to prevent a repeat of the incident, and any lessons it has learned. We’ll update this story as and when CircleCI responds to our query or publishes a post-mortem on the incident.

**All change**

The episode is likely to be most inconvenient for software development teams that are in the habit of storing configuration files and secrets directly on CircleCI. It is more secure, albeit less straightforward, for calls to be made to fetch secrets from elsewhere.

Precisely what secrets need to be changed up has become a topic of discussion on CircleCI support forums.

In response to queries about whether SSH keys, Jira and Slack integration tokens, and webhook secrets also need to be changed as well as contexts and environment variables, a CircleCI employee implied that a complete re-up was in order.

“At this time, we recommend rotating SSH Keys and all tokens or secrets,” they said.

DON’T MISS Fill out our reader survey to be in with a chance of winning Burp Suite swag

Tag

#log4j