Two vulnerabilities in this group — one in the Tinyroxy HTTP proxy daemon and another in the stb_vorbis.c file library — could lead to arbitrary code execution, earning both issues a CVSS score of 9.8 out of 10.

Wednesday, May 8, 2024 12:00

Cisco Talos’ Vulnerability Research team recently disclosed three zero-day vulnerabilities that are still unpatched as of Wednesday, May 8. 

Two vulnerabilities in this group — one in the Tinyroxy HTTP proxy daemon and another in the stb\_vorbis.c file library — could lead to arbitrary code execution, earning both issues a CVSS score of 9.8 out of 10. While we were unable to reach the maintainers, the Tinyroxy maintainers have since patched the issue.  

Another zero-day exists in the Milesight UR32L wireless router. 

These vulnerabilities have all been disclosed in adherence to Cisco’s third-party vulnerability disclosure timeline after the associated vendors did not meet the 90-day deadline for a patch or communication.  

For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website.  

**Use-after-free vulnerability in Tinyproxy daemon **

_Discovered by Dimitrios Tatsis._ 

The Tinyproxy HTTP proxy daemon contains a vulnerability that could lead to arbitrary code execution. 

Tinyproxy is meant to be used in smaller networking environments. It was originally released more than a dozen years ago.  

A use-after-free vulnerability, TALOS-2023-1889 (CVE-2023-49606), exists in the \`Connection\` header provided by the client. An adversary could make an unauthenticated HTTP request to trigger this vulnerability, setting off the reuse of previously freed memory, which leads to memory corruption and could lead to remote code execution. This issue has been patched, though Talos initially released it as a zero-day when no patch was available.

**Milesight UR32L firmware update vulnerability **

_Discovered by Francesco Benvenuto._ 

The Milesight UR32L wireless router contains a vulnerability that could force the device to implement any firmware update, regardless of its legitimacy.  

TALOS-2023-1852 (CVE-2023-47166) exists because the UR32L, an industrial cellular router, never checks the validity of the uploaded firmware. This could allow an adversary to upgrade the router with arbitrary firmware they created. 

Talos has previously covered how an adversary could chain together several other vulnerabilities in the UR32L to completely take over the device. Talos released 22 security advisories in July 2023, nine of which have a CVSS score greater than 8. 

_Discovered by Emmanuel Tacheau._ 

A heap-based buffer overflow vulnerability exists in the comment functionality of stb \_vorbis.c, an open-source, single-header file library used to decode Ogg Vorbis non-proprietary audio files. Ogg Vorbis is an open-source, patent- and royalty-free, general-purpose compressed audio format. 

TALOS-2023-1846 (CVE-2023-47212) is triggered if an adversary sends the target a specially crafted .ogg file, which can lead to an out-of-bounds write. With enough heap grooming, an adversary could use this vulnerability to achieve arbitrary code execution.

Talos discloses multiple zero-day vulnerabilities, two of which could lead to code execution

There are some classics on this list — the ever-present “Password” password, Passw0rd (with a zero, not an “O”) and “123456.”

Thursday, May 2, 2024 14:00

Brute force attacks are one of the most elementary cyber threats out there. Technically, anyone with a keyboard and some free time could launch one of them — just try a bunch of different username and password combinations on the website of your choice until you get blocked.  

Nick Biasini and I discussed some of the ways that organizations can defend against brute force attacks since detection usually doesn’t fall into the usual bucket (ex., there’s nothing an anti-virus program could detect running). But a good place to start just seems to be implementing strong password rules, because people, unsurprisingly, are still using some of the most obvious passwords that anyone, attacker or not, would guess. 

Along with our advisory on a recent increase in brute force attacks targeting SSH and VPN services Cisco Talos published a list of IP addresses associated with this activity, along with a list of usernames and passwords adversaries typically try to use to gain access to a network or service. 

There are some classics on this list — the ever-present “Password” password, Passw0rd (with a zero, not an “O”) and “123456.” This tells me that users still haven’t learned their lesson. It’s somewhat funny to think about some well-funded actor just being like, “Well, let me try to ‘hack’ into this machine by using ‘123456’” as if they’re in a parody movie, but if they already can guess a username based off someone’s real name, it’s not that unlikely that password is being used somewhere. 

A few other example passwords stood out to me: “Mart1x21,” because I can’t tell if this is just someone named “Martin” or a play on the month of March, and things like “Spring2024x21” and “April2024x21” because I appreciate the idea that someone using that weak of a password thinks that adding the extra three characters onto “April2024” is really going to throw an attacker off. 

Looking at this list got me thinking about what some potential solutions are to the internet’s password problem, and our ever-present battle to educate users and warn them about the dangers of using weak or default passwords. 

Going passwordless is certainly one option because if there just are no passwords to log in, there’s nothing text-based an attacker could just start guessing. 

The best solution I’ve seen recently is that the U.K. literally made a law requiring hardware and software manufacturers to implement stronger security standards. The Product Security and Telecommunications Infrastructure (PSTI) that went into effect last month contains a range of security protections companies must follow, but they now include mandatory password rules that will force users to change default passwords when registering for new accounts and stop them from using easy-to-guess passwords like “Admin” and “12345.”  

It would be great if users would just stop using these credentials on their own, but if attackers are still thinking that someone out there is using “Password” as their password, they probably are.  

**The one big thing **

For the first time in several quarters, business email compromise (BEC) was the most common threat in Cisco Talos Incident Response (Talos IR) engagements during the first quarter of 2024. BEC made up 46 percent of all engagements in Q1, a significant spike from Q4 2023, according to the latest Talos IR Quarterly Trends Report. Ransomware, which was the top-observed threat in the last quarter of 2023, decreased by 11 percent. Talos IR also observed a variety of threats in engagements, including data theft extortion, brute-force activity targeting VPNs, and the previously seen commodity loader Gootloader. 

**Why do I care? **

BEC is a tactic adversaries use to disguise themselves as legitimate members of a business and send phishing emails to other employees or third parties, often pointing to a malicious payload or engineering a scheme to steal money. The use of email-hiding inbox rules was the top-observed defense evasion technique, accounting for 21 percent of engagements this quarter, which was likely due to an increase in BEC and phishing within engagements. These are all valuable insights from the field provided in Talos IR’s full report. 

**So now what? **

There are some known indicators of compromise that customers can look for if they suspect The lack of MFA remains one of the biggest impediments for enterprise security. All organizations should implement some form of MFA, such as Cisco Duo. The implementation of MFA and a single sign-on system can ensure only trusted parties are accessing corporate email accounts, to prevent the spread of BEC. If you’d like to read about other lessons from recent Talos IR engagements, read the one-pager here or the blog post here. 

**Top security headlines of the week **

**The chief executive of UnitedHealth Group testified to U.S. Congress on Wednesday regarding the recent cyber attack against Change Healthcare.** Change’s operations went nearly completely dark for weeks earlier this year after a data breach, which likely resulted in millions of patients’ records and personal information being accessed. Lawmakers questioned whether UnitedHealth was too involved in the nation’s medical systems, as Change manages a third of all American patient records and processes more than 15 billion transactions a year at doctor’s offices, hospitals and other medical providers. As a result of the outage, some healthcare practitioners went more than a month without being paid, and many had to tap into their personal funds to keep offices open. UnitedHealth’s CEO told Congress the company was still working to figure out the full extent of the campaign and was talking to U.S. agencies about how to best notify individuals who were affected. The hearing has also generated a conversation around consolidation in the American healthcare industry and whether some groups are controlling too much of the patient base. (The New York Times, CNBC) 

**Vulnerabilities in a popular phone tracking app could allow anyone to view all users’ locations.** A security researcher recently found that iSharing, which allows users to see the exact location of a device, contains a vulnerability that prevented the app's servers from conducting proper checks of user data access. iSharing is advertised as an app for users who want to track friends' and family members’ locations or as an extra layer of security if their device were to be lost or stolen. The flaws also exposed users’ names, profile pictures, email addresses and phone numbers. The researcher who discovered the vulnerability was able to show a proof-of-concept exploitation almost immediately after creating a brand new account on the app. Representatives from the developers of iSharing told TechCrunch that the company’s logs did not show any signs of the vulnerability being exploited prior to the researcher’s disclosure. These types of apps can also be used as “stalkerware,” in which someone who knows a targeted user quietly downloads the app on a target’s phone, and then uses it to remotely track their location. (TechCrunch) 

**Adversaries are hiding malware in GitHub comments, disguising malicious code as URLs associated with Microsoft repositories, and making the files appear trustworthy.** Although some security researchers view this as a vulnerability, Microsoft maintains that it is merely a feature of using GitHub. While adversaries have so far mainly abused this feature to mirror Microsoft URLs, it could theoretically be used to create convincing lures on any GitHub repository. When a user leaves a comment in GitHub, they can attach a file, which is then uploaded to GitHub’s CDN and associated with the related project using a unique URL. GitHub automatically generates the link to download that attachment after adding the file to an unsaved comment, allowing threat actors to attach malware to any repository without the administrators knowing. This method has already been abused to distribute the Readline information-stealing trojan by attaching comments to Microsoft’s GitHub-hosted repositories for “vcpkg” and “STL.” The malicious URL will even still work if the poster deletes the comment, allowing them to reuse the GitHub-generated URL. (Bleeping Computer, Dark Reading) 

**Can’t get enough Talos? ** 

*   Cisco Talos at RSAC 2024 
*   Cisco Zero-Days Anchor 'ArcaneDoor' Cyber-Espionage Campaign 
*   Governments issue alerts after 'sophisticated' state-backed actor found exploiting flaws in Cisco security boxes 
*   Vulnerabilities in employee management system could lead to remote code execution, login credential theft 
*   Researcher Spotlight: James Nutland studies what makes threat actors tick, growing our understanding of the current APT landscape 

**Upcoming events where you can find Talos**

**RSA** **(May 6 - 9)** 

_San Francisco, California_    

**ISC2 SECURE Europe** **(May 29)** 

_Amsterdam, Netherlands_ 

> _Gergana Karadzhova-Dangela from Cisco Talos Incident Response will participate in a panel on “Using ECSF to Reduce the Cybersecurity Workforce and Skills Gap in the EU.” Karadzhova-Dangela participated in the creation of the EU cybersecurity framework, and will discuss how Cisco has used it for several of its internal initiatives as a way to recruit and hire new talent._  

**Cisco Live** **(June 2 - 6)** 

_Las Vegas, Nevada_  

**Most prevalent malware files from Talos telemetry over the past week **

_This section will be on a brief hiatus while we work through some technical difficulties._

What can we learn from the passwords used in brute-force attacks?

Talos also recently helped to responsibly disclose and patch other vulnerabilities in the Foxit PDF Reader and two open-source libraries that support the processing and handling of DICOM files.

Wednesday, May 1, 2024 12:00

Cisco Talos’ Vulnerability Research team has disclosed more than a dozen vulnerabilities over the past three weeks, five in a device that allows employees to check in and out of their shifts, and another that exists in an open-source library used in medical device imaging files. 

The Peplink Smart Reader contains several vulnerabilities, including one issue that could allow an adversary to obtain the administrator’s login credentials and the MD5-hashed version of their password. 

Talos also recently helped to responsibly disclose and patch other vulnerabilities in the Foxit PDF Reader and two open-source libraries that support the processing and handling of DICOM files. 

For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website.  

**Code execution, information disclosure vulnerabilities in Peplink Smart Reader **

_Discovered by Matt Wiseman._ 

The Peplink Smart Reader is an internet-connected device associated with the PepXIM Time-Logging and Security System. Companies’ employees use this device to check in and out of their shifts, allowing administrators to keep track of time cards and pay. It also can control access to certain buildings, and even public transportation. 

There are two information disclosure vulnerabilities, TALOS-2023-1863 (CVE-2023-43491) and TALOS-2023-1865 (CVE-2023-45209), that are triggered if an adversary sends a specially crafted HTTP message to the targeted device.  

If successful, the attacker could eventually view the active administrator’s username and MD5-hased password. And in the case of TALOS-2023-1865, it goes a step further, potentially allowing the adversary to view wireless network credentials, network configuration details and SNMP configuration details. 

With those credentials (or admin credentials obtained by other means), an adversary could exploit TALOS-2023-1868 (CVE-2023-40146), a privilege escalation vulnerability in the Smart Reader. An adversary could execute a specially crafted command line argument to cause a limited-shell escape and execute unblocked, default busybox functionality to eventually gain access to an uninhibited root shell. 

TALOS-2023-1866 (CVE-2023-45744) is also triggered by a specially crafted HTTP request, but in this case, could allow an adversary to manipulate certain configuration settings on the device. 

The most serious of the issues Talos discovered in the Smart Reader is TALOS-2023-1867 (CVE-2023-39367), a command injection vulnerability that could allow an attacker to execute arbitrary commands. This vulnerability has a 9.1 CVSS score out of 10. An authenticated attacker can leverage this vulnerability to execute arbitrary commands on the device with root privileges and elevate their access to the vulnerable system. 

**Silicon Labs Gecko Platform invalid pointer dereference vulnerability **

_Discovered by Kelly Patterson._ 

An invalid pointer dereference vulnerability exists in the HTTP server header parsing functionality of the Silicon Labs Gecko Platform.  

The Gecko Platform SDK is the collection of Silicon Labs’ wireless software development kits and Gecko Platform into an integrated package. It allows users to develop applications inside Silicon Labs’ internet-of-things software ecosystem. 

TALOS-2024-1945 (CVE-2023-51391) is triggered if an adversary sends the target a specially crafted network packet, which could lead to a denial-of-service condition. 

_Discovered by Emmanuel Tacheau._ 

There is an incorrect type conversion vulnerability in OFFIS DCMTK, an open-source library often used to manage, store and convert DICOM files. DICOM is the commonly used file type to transfer, send and store medical imaging files, such as X-rays and ultrasounds.  

Hospitals and companies use DCMTK for various purposes, ranging from product testing to being a building block for research projects, prototypes and commercial products. 

TALOS-2024-1957 (CVE-2024-28130) could allow an adversary to execute arbitrary code on the targeted machine if they trick the user into opening a specially crafted file.  

_Discovered by Emmanuel Tacheau._ 

Another open-source library for handling DICOM files, Grassroots DiCoM, contains three out-of-bounds writer vulnerabilities.  

TALOS-2024-1944 (CVE-2024-25569) and TALOS-2024-1935 (CVE-2024-22373) can be triggered if an adversary tricks the target into opening a specially crafted, malicious DICOM file, eventually allowing them to read out-of-bounds memory. 

TALOS-2024-1924 (CVE-2024-22391) works in the same way, but in this case, causes a heap-based buffer overflow, leading to memory corruption.  

**Three vulnerabilities in Foxit PDF Reader could lead to arbitrary code execution **

_Discovered by KPC._ 

Three vulnerabilities exist in Foxit PDF Reader that could allow an adversary to execute arbitrary code on the targeted machine. 

Foxit PDF Reader is one of the most popular pieces of PDF-reading software currently available and aims to have feature parity with Adobe Acrobat Reader. It also includes a browser plugin to allow users to open files in their web browsers.  

TALOS-2024-1959 (CVE-2024-25648) and TALOS-2024-1958 (CVE-2024-25938) are use-after-free vulnerabilities that can be triggered if an attacker tricks a user into opening a malicious, specially crafted PDF. This could also work if the user has the browser plugin enabled and the adversary tricks them into opening an attacker-controlled webpage. These vulnerabilities could lead to a use-after-free issue, potentially leading to memory corruption and arbitrary code execution. 

There is also a type confusion vulnerability, TALOS-2024-1963 (CVE-2024-25575), that could also lead to memory corruption and arbitrary code execution.

Vulnerabilities in employee management system could lead to remote code execution, login credential theft

With RSAC just a week away, Cisco Talos is gearing up for another year of heading to San Francisco to share in some of the latest major cybersecurity announcements, research and news.

Tuesday, April 30, 2024 08:00

With RSAC just a week away, Cisco Talos is gearing up for another year of heading to San Francisco to share in some of the latest major cybersecurity announcements, research and news.  

We’ve pulled together the highlights, so you don’t miss out on all things Talos.  

**Tuesday, May 5**  

Joe Marshall will be presenting on Project Power Up alongside Tara Vasyliv of NPC UKRENERGO on how Talos has helped to protect Ukraine’s power grid from disruptive electronic warfare. Reserve your seat for the 8:30 a.m. session here. 

Nick Biasini will be giving a lighting talk at the Cisco Booth N-5845 in the North Hall at 3:30 p.m. on the good, the bad and the ugly of ransomware in 2024.  

**Wednesday, May 6**  

Nicole Hoffman will be signing her children’s book, “The Mighty Threat Intelligence Warrior,” at 12:30 p.m. in the RSA Bookstore located in Moscone South, Esplanade Level.  

**Thursday, May 7**  

Hoffman will be out again, this time hosting a session on applying past lessons learned in hopes of a better future for identify threat detection at 9:40 a.m. in Moscone West 3022. Reserve a seat for the session here.  

And you can always follow along all week on X and LinkedIn for the latest updates.

Cisco Talos at RSAC 2024

Nutland says he goes into every engagement or new project with a completely open mind and a blank slate — using his background investigating terror operations to find out as much as he can about a particular adversary’s operation.

Monday, April 29, 2024 08:00

If state-sponsored actors are after one thing, it’s to spread fear and uncertainty across the internet. 

There’s always money to be made targeting individual businesses and organizations, but for James Nutland’s work, it’s always about the bigger picture. And his background in studying counterterrorism and interpersonal social dynamics provides him a unique perspective on APTs’ goals and methods. 

Nutland, an analyst with Cisco Talos’ Threat Intelligence and Interdiction team, didn’t begin his journey into cybersecurity through the traditional pathways. Instead, he went to college to obtain his bachelor’s degree in social psychology, particularly interested in social engineering, eventually obtaining his master’s in counterterrorism from the University of East London. 

That may sound like a degree someone gets to serve on a physical battlefield, but as Nutland puts it, security research and counterterrorism carry some of the same throughlines. 

“It’s providing you a set of skills you can then use in multiple modalities,” he said. “It’s the analysis, the eagerness to delve into the unknown, to assess swathes of noisy information, picking out the pieces to establish different threads to try and establish patterns and hopefully attribution — it’s that kind of analytical investigative thinking that really helps for threat hunting.” 

Nutland (right) speaking at MITRE ATT&CK Con last year.

Nutland’s technical experience comes from his undergraduate days when he started working in tech support for his college. Eventually, he got into system administration work after he moved to the U.S. during the peak of the COVID-19 pandemic.  

After various roles protecting both business and academic environments, Nutland decided to apply to Talos essentially on a whim after seeing a job listing whilst researching IOCs on the Talos intelligence center. In his current role, he conducts regular threat hunting and analysis campaigns to learn more about broader trends in the security landscape and state-sponsored threat actors. His work recently led to the disclosure of a campaign targeting Mexico users with tax-themed lure documents called “TimbreStealer,” and he participates in Cisco Talos Incident Response’s Intel-on-Demand service.  

Nutland says he goes into every engagement or new project with a completely open mind and a blank slate — using his background investigating terror operations to find out as much as he can about a particular adversary’s operation.  

“With my academic background, I’m very inquisitive. That’s proven to be a good asset,” he said. “I have a good understanding of the content and presentation of intelligence sought after in security management and operations. It’s great providing this intelligence, but providing actionable intelligence for security teams, understanding what’s required for that, it’s integral for many of the products we produce.” 

Recently, Nutland says he’s been focusing more on tracking prominent and burgeoning ransomware threat actors, as well as researching dark web activities where threat actors are leveraging obfuscated channels for their communication. Social media sites have gotten better about blocking this type of activity, he said, which has pushed them to decentralized communication platforms. He’s also tracking dark web sites that are used for obtaining ransom payments, spreading propaganda and trying to radicalize other users. 

Nutland’s work has also been crucial in Talos’ support of Ukraine during Russia’s invasion. He worked on several victim notifications for the Ukraine Task Force and discovered the malicious use of a defense evasion tool, which can wipe traces and logs of any USB devices that may have been connected to hardware and certain user activity on the host.  

“I initially saw a suspicious specific set of commands that were being run related to the executable, that I was able to track across multiple potential Ukrainian victims which Ukrainian organizations are now looking to crack down on,” Nutland said. 

In all his roles so far in his career, Nutland said he’s experienced various forms of imposter syndrome throughout his career, as many do. He said he often found himself questioning decisions, or feeling like other teammates were more qualified for his role. But at Talos, his managers have encouraged him to turn over every rock and go into every situation, curious and open. That’s allowed him to overcome that imposter syndrome and become a sponge, learning everything he could about a particular topic and becoming an expert in his own right. 

This culminated in a presentation to more than 300 people at the MITRE ATT&CKcon 4.0 in October, where he and his teammate, Nicole Hoffman, gave a talk about how threat actors can use the ATT&CK framework to track adversary activity. 

“Here are these titans of threat intelligence at a world-renowned convention. And here’s me, recently employed at Talos, and with incredible imposter syndrome,” Nutland said. “But there were about 300 people in the room, and Nicole and I knocked it out of the park. I never thought I’d be doing that.” 

Outside of the office, Nutland enjoys playing rugby, and he even was recently able to play a scrimmage against the Colombian National Team, a particular highlight for his career outside of cybersecurity.

James Nutland studies what makes threat actors tick, growing our understanding of the current APT landscape

Plus, new details emerge on the Scattered Spider cybercrime network and ArcaneDoor.

Thursday, April 25, 2024 14:00

I wrote last week about the problems arising from the massive backlog of vulnerabilities at the U.S. National Vulnerability Database.  

Thousands of CVEs are still without analysis data, and the once-reliable database of every single vulnerability that’s disclosed and/or patched is now so far behind, it could take up to 100 days for the National Institute of Standards and Technology (NIST) to catch up, and that would be assuming no new vulnerabilities are disclosed during that period. 

While the U.S. government and NIST try to sort out a potential solution, and hopefully await more funding and restructuring, NIST says it’s hoping to launch a consortium to help either rebuild the NVD or create a replacement.  

Other security experts have floated the idea of other companies or organizations creating a brand-new solution of their own. The main problem with that is, what’s in it for them?  

What works about the NVD is that it’s funded by the U.S. government, so the money is always coming in to help fund the workforce and at least gives MITRE and the other private companies who contribute to the NVD motivation to keep working on it. 

To start up a whole new database of \*every\* CVE out there would take countless man-hours, and then what at the end? Would the company or person(s) who created it start charging for access? 

Several open-source solutions have_man-hours_ popped up over the past few weeks, such as “NVD Data Overrides,” which “is meant to provide additional data that is currently missing from NVD.” However, these types of volunteer projects still can’t assign CVSS scores, because only the NVD is authorized to hand out official NVD CVSS scores. 

This brings up another problem for private companies that may want to develop a solution: Do they want to play referee?  

Sometimes, when there’s a disagreement on how severe a vulnerability is and what severity score to assign it, the NVD will weigh in and provide their own, independently calculated CVSS score. Who really wants to be the “bad guy” to get between a massive tech company like Microsoft or Apple and a security researcher saying a vulnerability is a 9.5 out of 10 CVSS? 

I absolutely give major credit to any volunteers or open-source developers who are working on their own solutions for essentially nothing — but how long can we expect them to keep maintaining these databases? 

Unfortunately, I don’t have a great answer for this, either. I’m far from an expert on vulnerability management, nor do I have any connections to the federal government. But I do feel the onus is on the government to come up with a solution, and potentially provide incentives for companies and researchers to participate in this new proposed consortium because I don’t see the incentives there for the private sector to come up with their own solution.  

**The one big thing **

ArcaneDoor is a new campaign that is the latest example of state-sponsored actors targeting perimeter network devices from multiple vendors. Talos and Cisco PSIRT recently identified a previously unknown actor, now tracked as UAT4356 by Talos and STORM-1849 by the Microsoft Threat Intelligence Center. This actor utilized bespoke tooling that demonstrated a clear focus on espionage and an in-depth knowledge of the devices that they targeted, hallmarks of a sophisticated state-sponsored actor. UAT4356 deployed two backdoors as components of this campaign, “Line Runner” and “Line Dancer,” which were used collectively to conduct malicious actions on-target, which included configuration modification, reconnaissance, network traffic capture/exfiltration and potentially lateral movement.   

**Why do I care? **

Gaining a foothold on these devices allows an actor to directly pivot into an organization, reroute or modify traffic and monitor network communications. In the past two years, we have seen a dramatic and sustained increase in the targeting of these devices in areas such as telecommunications providers and energy sector organizations — critical infrastructure entities that are likely strategic targets of interest for many foreign governments. As a critical path for data into and out of the network, these devices need to be routinely and promptly patched; using up-to-date hardware and software versions and configurations; and be closely monitored from a security perspective. 

**So now what? **

There are some known indicators of compromise that customers can look for if they suspect they may have been targeted in this campaign. First, organizations should look for any flows to/from ASA devices to any of the IP addresses present in the IOC list provided at the bottom of this blog. This is one indication that further investigation is necessary. Potential targets can also follow the steps detailed in the Cisco ASA Forensic Investigation Procedures for First Responders. When following these procedures, first responders should NOT attempt to collect a core dump or reboot the device if they believe that the device has been compromised, based on the lina memory region output. Talos also released some Snort signatures to detect the activity on the wire including access attempts. Snort Signatures 63139, 62949 and 45575 have been released to detect the implants or associated behaviors. 

**Top security headlines of the week **

**A previously known Windows print spooler bug is still being actively exploited, according to Microsoft.** The company’s threat research team recently disclosed that APT28, a well-known Russian state-sponsored actor, is exploiting the vulnerability to deliver a previously unknown malware called “GooseEgg.” Microsoft disclosed and patched CVE-2022-38028 in October 2022, but APT28 may have been exploiting it as far back as 2020. The actor’s exploitation involved modifying a JavaScript constraints file in the printer spooler and executing it with SYSTEM-level permissions. The new research prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add CVE-2022-38028 to its Known Exploited Vulnerabilities (KEV) catalog. If installed, GooseEgg can load other applications with System-level permissions and allow the adversary to execute remote code on the targeted device or deploy other backdoors. Another set of print spooler vulnerabilities, called PrintNightmare, made headlines in July 2021, though no one reported active exploitation of that vulnerability at the time. (SC Magazine, Security Week) 

**A new investigation revealed how members of the group Scattered Spider are partnering with Russian state-sponsored actors to carry out ransomware attacks.** Scattered Spider is made up of younger individuals based out of the U.S., U.K. and Canada. They are primarily English speakers who have been blamed for several notable ransomware attacks, including one against MGM Casinos that disrupted operations at several casinos and hotels last year. The group specializes in social engineering, more recently using LinkedIn to steal employee information and use that to infiltrate corporate networks. Members, some as young as teenagers, are connecting over the dark web and online forums like Discord and use their advanced knowledge of Western civilization to provide crucial details to Russian actors. The “60 Minutes” investigation also included new details about The Community (aka “The Comm,” the online collection of hackers who like to brag about their recent cybercrimes, often through Telegram. (CBS News) 

**The U.S. government has re-upped a law that expands government surveillance by opening the door for private companies to partner with the government on these types of activities.** The controversial Foreign Intelligence Surveillance Act (FISA) was re-approved just hours after it lapsed. The White House and proponents in U.S. Congress argued that the powers granted in Section 702 of the FISA helps prevent the spread of terrorism and cyber attacks and that any lapse in those powers would harm the government’s ability to gather crucial intelligence. However, privacy advocates say that the FISA is an overreach, and provides too much power for private companies to potentially spy on consumers. The bill also includes a new definition of “electronic communications service provider,” which could allow the U.S. government to force Big Tech companies and telecommunications providers to hand over users’ data if requested. (NBC News, TechCrunch) 

**Can’t get enough Talos? **

*   Talos Takes Ep. #180: What are the dangers of enabling sideloading and third-party apps? 
*   Suspected CoralRaider continues to expand victimology using three information stealers 
*   Brute-force attacks surge worldwide, warns Cisco Talos    
*   Cisco Warns of Massive Surge in Password-Spraying Attacks on VPNs 
*   Rare Computer Virus Detected in Ukrainian Network, Confidential Document Potentially Compromised 

**Upcoming events where you can find Talos **

**CARO Workshop 2024** **(May 1 - 3)** 

_Arlington, Virginia_

> Over the past year, we’ve observed a substantial uptick in attacks by YoroTrooper, a relatively nascent espionage-oriented threat actor operating against the Commonwealth of Independent Countries (CIS) since at least 2022. Asheer Malhotra's presentation at CARO 2024 will provide an overview of their various campaigns detailing the commodity and custom-built malware employed by the actor, their discovery and evolution in tactics. He will present a timeline of successful intrusions carried out by YoroTrooper targeting high-value individuals associated with CIS government agencies over the last two years.

**RSA** **(May 6 - 9)** 

_San Francisco, California_    

**Cisco Live** **(June 2 - 6)** 

_Las Vegas, Nevada_  

**Most prevalent malware files from Talos telemetry over the past week **

_This section will be on a brief hiatus while we work through some technical difficulties._ _Several open-source solutions have_

The private sector probably isn’t coming to save the NVD

Within BEC attacks, adversaries will send phishing emails appearing to be from a known or reputable source making a valid request, such as updating payroll direct deposit information.

Thursday, April 25, 2024 08:00

Business email compromise (BEC) was the top threat observed by Cisco Talos Incident Response (Talos IR) in the first quarter of 2024, accounting for nearly half of engagements, which is more than double what was observed in the previous quarter.  

The most observed means of gaining initial access was the use of compromised credentials on valid accounts, which accounted for 29 percent of engagements. The high number of BEC attacks likely played a significant role in valid accounts being the top attack vector this quarter. Weaknesses involving multi-factor authentication (MFA) were observed within nearly half of engagements this quarter, with the top observed weakness being users accepting unauthorized push notifications, occurring within 25 percent of engagements.  

There was a slight decrease in ransomware this quarter, accounting for 17 percent of engagements. Talos IR responded to new variants of Phobos and Akira ransomware for the first time this quarter. 

Manufacturing was the most targeted vertical this quarter, closely followed by education, a continuation from Q4 2024 where manufacturing and education were also two of the most targeted verticals. There was a 20 percent increase in manufacturing engagements from the previous quarter. 

The manufacturing sector faces unique challenges due to its inherently low tolerance for operational downtime. This quarter, Talos IR observed a wide range of threat activity targeting manufacturing organizations including financially motivated attacks, such as BEC and ransomware, and some brute force activity targeting virtual private network (VPN) infrastructure. The use of compromised credentials on valid accounts was the top observed attack vector within attacks targeting the manufacturing sector this quarter, which represents a change from the previous quarter when the top attack vector observed in these types of engagements was exploiting vulnerabilities in public-facing applications.   

**Watch discussion on the report's biggest trends**

**Surge in BEC **

Within BEC attacks, adversaries will send phishing emails appearing to be from a known or reputable source making a valid request, such as updating payroll direct deposit information. BEC attacks can have many motivations, often financially driven, aimed at tricking organizations into transferring funds or sensitive information to malicious actors.  

BEC offers adversaries the advantage of impersonating trusted contacts to facilitate internal spearphishing attacks that can bypass traditional external defenses and increase the likelihood of deception, widespread malware infections and data theft. 

In one engagement, adversaries performed a password-spraying attack and MFA exhaustion attacks against several employee accounts. There was a lack of proper MFA implementation across all the impacted accounts, leading to the adversaries gaining access to at least two accounts using single-factor authentication. The organization detected and disrupted the attack before adversaries could further their access or perform additional post-compromise activities.    

In another cluster of activity, several employees received spear-phishing emails that contained links that, when clicked, led to a redirection chain of web pages ultimately landing on a legitimate single sign-on (SSO) prompt that was pre-populated with each victim’s email address. The attack was unsuccessful because none of the employees interacted with the email, which was likely due to multiple red flags. For example, the email was unexpected and sent from an external email address, and there was small text within the email that referred to the email as a fax, which was all indicators of a phishing attempt. 

**Ransomware trends **

Ransomware accounted for 17 percent of engagements this quarter, an 11 percent decrease from the previous quarter. Talos IR observed new variants of Akira and Phobos ransomware for the first time this quarter. 

**Akira **

Talos IR responded to an Akira ransomware attack for the first time this quarter in an engagement where affiliates deployed the latest ESXi version, “Akira\_v2,” as well as a Windows-based variant of Akira named “Megazord.” These new Akira variants are written in the Rust programming language, which is a notable change from the previously used C++ and Crypto++ programming languages.  

Talos IR could not determine how initial access was gained, which is common because ransomware attacks often involve multi-stage attack strategies that add additional complexity during the investigation process. Once inside the network, the adversaries began collecting credentials from the memory of the Local Security Authority Subsystem Service (LSASS) and the New Technology Directory Services Directory Information Tree (NTDS.dit) database, where Active Directory data is stored, and leveraged Remote Desktop Protocol (RDP) for lateral movement. Prior to encryption, Megazord ransomware began executing several commands to disable tools and impair defenses, including “net stop” and “taskkill.” Akira\_v2 appended the file extension “.akiranew” during encryption, while Megazord ransomware appended the file extension “.powerranges”.   

First discovered in early 2023, Akira operates as a ransomware-as-a-service (RaaS) model and employs a double extortion scheme that involves exfiltrating data before encryption. Akira affiliates are known to heavily target small- to medium-sized businesses within several verticals primarily located within the U.S. but have targeted organizations within the U.K., Canada, Iceland, Australia and South Korea. Akira affiliates are notorious for leveraging compromised credentials and exploiting vulnerabilities as a means of gaining initial access, such as the SQL injection vulnerability, tracked as CVE-2021-27876, affecting certain versions of Zoho ManageEngine ADSelfService Plus, and the vulnerability, tracked as CVE-2023-27532, affecting certain versions of Veeam’s Backup & Replication (VBS) software.    

**Phobos **

Talos IR has previously observed variants of Phobos ransomware, such as “Faust,” but this quarter, Talos IR responded to an engagement with the “BackMyData” variant of Phobos ransomware. The adversaries leveraged Mimikatz to dump credentials from Active Directory. The adversary also installed several tools in the NirSoft product suite designed to recover passwords, such as PasswordFox and ChromePass, for additional credential enumeration. 

The adversaries used PsExec to access the domain controller before setting a registry key to permit remote desktop connections. Shortly after, the adversaries also modified the firewall to allow remote desktop connections using the Windows scripting utility, netsh. The remote access tool AnyDesk was downloaded to enable remote access as a means of persistence in the environment. Talos IR assessed with high confidence that Windows Secure Copy (WinSCP) and Secure Shell (SSH) were likely used to exfiltrate staged data. Adversaries also relied on PsExec to execute commands, such as deleting volume shadow copies, as a precursor to deploying the ransomware executable. After encryption, the ransomware appended the file extension “.fastbackdata”.   

A notable finding was the persistent use of the “Users/\[username\]/Music” directory as a staging area for data exfiltration to host malicious scripts, tools and malware, a common technique used by numerous ransomware affiliates to evade detection and remain persistent in the environment. Talos IR also identified a digitally signed executable, “HRSword,” developed by Beijing Huorong Network Technology. It is a tool the affiliate used during the attack for potential secure file deletion and as a defensive measure to disable endpoint protection tools, which Phobos affiliates were previously using, according to public reporting.   

Phobos ransomware first emerged in late 2018 and shared many similarities with the Crysis and Dharma ransomware families. Unlike other ransomware families, there are many variants of Phobos ransomware, such as Eking, Eight, Elbie, Devos and Faust. There is little information known about the business model leveraged by the Phobos ransomware operation. In November 2023, Cisco Talos analyzed over a thousand samples of Phobos ransomware to learn more about the affiliate structure and activity, which revealed that Phobos may operate a RaaS model due to the hundreds of contact emails and IDs associated with Phobos campaigns, indicating the malware has a dispersed affiliate base. Talos assessed with moderate confidence that the Phobos ransomware operation is actively managed by a central authority, as there is only one private key capable of decryption in all observed campaigns. 

**Other observed threats  **

Talos IR responded to an attack where adversaries were attempting to brute force several Cisco Adaptive Security Appliances (ASAs). Although the adversaries were unsuccessful in their attack, this activity is in line with the recently observed trend affecting VPN services. 

Cisco Talos has recently seen an increase in malicious activity targeting VPN services, web application authentication interfaces, and Secure Shell (SSH) globally. Since at least March 18, Cisco has observed scanning and brute force activity sourcing from The Onion Router (TOR) exit nodes and other anonymous tunnels and proxies. 

Depending on the target environment, a successful attack could result in unauthorized access to a target network, possibly leading to account lockouts and denial-of-service (DoS) conditions. The brute force attempts include a combination of generic usernames and valid usernames unique to specific organizations. The activity seems indiscriminate and has been observed across multiple industry verticals and geographic regions. 

**Initial vectors **

The most observed means of gaining initial access was the use of compromised credentials on valid accounts, accounting for 29 percent of engagements, a continuation of a trend from the previous quarter when valid accounts were also a top attack vector. 

**Security weaknesses **

For the first time, users accepting unauthorized MFA push notifications was the top observed security weakness, accounting for 25 percent of engagements this quarter. The lack of proper MFA implementation closely followed, accounting for 21 percent of engagements, a 44 percent decrease from the previous quarter. 

Users must have a clear understanding of the appropriate business response protocols when their devices are overwhelmed with an excessive volume of push notifications. Talos IR recommends organizations educate their employees about the specific channels and points of contact for reporting these incidents. Prompt and accurate reporting enables security teams to quickly identify the nature of the issue and implement the necessary measures to address the situation effectively. Organizations should also consider implementing number-matching in MFA applications to provide an additional layer of security to prevent users from accepting malicious MFA push notifications. 

Talos IR recommends implementing MFA on all critical services including all remote access and identity access management (IAM) services. MFA will be the most effective method for the prevention of remote-based compromises. It also prevents lateral movement by requiring all administrative users to provide a second form of authentication. Organizations can set up alerting for single-factor authentication to quickly identify potential gaps. 

**Top observed MITRE ATT&CK techniques **

The table below represents the MITRE ATT&CK techniques observed in this quarter’s IR engagements and includes relevant examples and the number of times seen. Given that some techniques can fall under multiple tactics, we grouped them under the most relevant tactic based on the way they were leveraged. Please note, this is not an exhaustive list. 

Key findings from the MITRE ATT&CK framework include:  

*   Remote access software, such as SplashTop and AnyDesk, were used in 17 percent of engagements this quarter, a 20 percent decrease from the previous quarter.  
*   The use of email hiding rules was the top observed defense evasion technique, accounting for 21 percent of engagements this quarter.   
*   Scheduled tasks were leveraged by adversaries the most this quarter for persistence, accounting for 17 percent of engagements this quarter, a 33 percent increase from the previous quarter.  
*   The abuse of remote services, such as RDP, SSH, SMB and WinRM, more than doubled this quarter compared to the previous quarter, accounting for nearly 60 percent of engagements. 

Reconnaissance 

Example 

T1589.001 Gather Victim Identity Information: Credentials 

Adversaries may gather credentials that can be used during their attack.  

T1598.003 Phishing for Information: Spearphishing Link 

Adversaries may send a spearphishing email with a link to a credential harvesting page to collect credentials for their attack. 

Resource Development 

Example 

T1586.002 Compromise Accounts: Email Accounts 

Adversaries may compromise email accounts that can be used during their attack for malicious activities, such as internal spearphishing. 

T1583.001 Acquire Infrastructure: Domains 

Adversaries may acquire domains that can be used for malicious activities, such as hosting malware. 

T1608.001 Stage Capabilities: Upload Malware 

Adversaries may upload malware to compromised domains to make it accessible during their attack.  

T1583.008 Acquire Infrastructure: Malvertising 

Adversaries may purchase online advertisements, such as Google ads, that can be used distribute malware to victims. 

T1608.004 Stage Capabilities: Drive-by Target 

Adversaries may prepare a website for drive-by compromise by inserting malicious JavaScript.  

Initial Access 

Example 

T1078 Valid Accounts 

Adversaries may use compromised credentials to access valid accounts during their attack. 

T1566 Phishing 

Adversaries may send phishing messages to gain access to target systems. 

T1189 Drive-by Compromise 

Victims may infect their systems with malware over browsing, providing an adversary with access.  

T1190 Exploit in Public-Facing Application 

Adversaries may exploit a vulnerability to gain access to a target system. 

T1566.002 Phishing: Spearphishing Link 

Adversaries may send phishing emails with malicious links to lure victims into installing malware.  

Execution 

Example 

T1059.001 Command and Scripting Interpreter: PowerShell 

Adversaries may abuse PowerShell to execute commands or scripts throughout their attack. 

T1059.003 Command and Scripting Interpreter: Windows Command Shell 

Adversaries may abuse Windows Command Shell to execute commands or scripts throughout their attack. 

T1569.002 System Services: Service Execution 

Adversaries may abuse Windows service control manager to execute commands or payloads during their attack. 

Persistence 

Example 

T1053.005 Scheduled Task / Job: Scheduled Task 

Adversaries may abuse the Windows Task Scheduler to perform task scheduling for recurring execution of malware or malicious commands. 

T1574.002 Hijack Execution: DLL Side-Loading 

Adversaries may execute their own malicious code by side-loading DLL files into legitimate programs.  

Privilege Escalation 

Example 

T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control 

Adversaries may bypass UAC mechanisms to elevate their permissions on a system. 

Defense Evasion 

Example 

T1564.008 Hide Artifacts: Email Hiding Rules 

Adversaries may create inbox rules to forward certain incoming emails to a folder to hide them from the inbox owner. 

T1070.004 Indicator Removal: File Deletion 

Adversaries may delete files to cover their tracks during the attack.  

T1218.011 System Signed Binary Proxy Execution: Rundll32 

Adversaries may abuse the Windows utility rundll32.exe to execute malware.  

T1112 Modify Registry 

Adversaries may modify the registry to maintain persistence on a target system.  

T1562.010 Impair Defenses: Downgrade Attack 

Adversaries may downgrade a program, such as PowerShell, to a version that is vulnerable to exploits. 

Credential Access 

Example 

T1621 Multi-Factor Authentication Request Generation 

Adversaries may generate MFA push notifications causing an MFA exhaustion attack. 

T1003.005 OS Credential Dumping: NTDS 

Adversaries may dump the contents of the NTDS.dit file to access credentials that can be used for lateral movement. 

T1003.001 OS Credential Dumping: LSASS 

Adversaries may dump the contents of LSASS to access credentials that can be used for lateral movement 

T1003.002 OS Credential Dumping: Service Account Manager 

Adversaries may dump the contents of the service account manager to access credentials that can be used for lateral movement. 

T1110.002 Brute Force: Password Cracking 

Adversaries may use brute force account passwords to compromise accounts. 

Discovery 

Example 

T1069.001 Permission Groups Discovery: Local Groups 

Adversaries may attempt to discover local permissions groups with commands, such as “net localgroup.”  

T1069.002 Permission Groups Discovery: Domain Groups 

Adversaries may attempt to discover domain groups with commands, such as “net group /domain.” 

T1201 Password Policy Discovery 

Adversaries may attempt to discover information about the password policy within a compromised network with commands, such as “net accounts.” 

Lateral Movement 

Example 

T1021.001 Remote Services: Remote Desktop Protocol 

Adversaries may abuse valid accounts using RDP to move laterally in a target environment.  

T1534 Internal Spearphishing 

Adversaries may abuse a compromised email account to send internal spearphishing emails to move laterally. 

T1021.002 Remote Services: SMB / Windows Admin Shares 

Adversaries may abuse valid accounts using SMB to move laterally in a target environment. 

T1021.004 Remote Services: SSH 

Adversaries may abuse valid accounts using SSH to move laterally in a target environment. 

T1021.001 Remote Services: Windows Remote Management 

Adversaries may abuse valid accounts using WinRM to move laterally in a target environment. 

Collection 

Example 

T1114.002 Email Collection: Remote Email Collection 

Adversaries may target a Microsoft Exchange server to collect information.  

T1074.001 Data Staged: Local Data Staging 

Adversaries may stage collected data in preparation for exfiltration. 

T1074 Data Staged 

Adversaries may stage collected data in preparation for exfiltration. 

Command and Control 

Example 

T1105 Ingress Tool Transfer 

Adversaries may transfer tools from an external system to a compromised system. 

T1219 Remote Access Software  

Adversaries may abuse remote access software, such as AnyDesk, to establish an interactive C2 channel during their attack.  

Exfiltration 

Example 

T1567.002 Exfiltration Over Web Service: Exfiltration to Cloud Storage 

Adversaries may exfiltrate data to a cloud storage provider, such as Dropbox.  

Impact 

Example 

T1486 Data Encrypted for Impact 

Adversaries may use ransomware to encrypt data on a target system.  

T1490 Inhibit System Recovery 

Adversaries may disable system recovery features, such as volume shadow copies.  

T1657 Financial Theft 

Adversaries may commit financial fraud during the attack.

Talos IR trends: BEC attacks surge, while weaknesses in MFA persist

ArcaneDoor is a campaign that is the latest example of state-sponsored actors targeting perimeter network devices from multiple vendors. Coveted by these actors, perimeter network devices are the perfect intrusion point for espionage-focused campaigns.

ArcaneDoor - New espionage-focused campaign found targeting perimeter network devices

Talos also discovered a new PowerShell command-line argument embedded in the LNK file to bypass anti-virus products and download the final payload into the victims’ host.

_By Joey Chen, Chetan Raghuprasad and Alex Karkins._ 

*   Cisco Talos discovered a new ongoing campaign since at least February 2024, operated by a threat actor distributing three famous infostealer malware, including Cryptbot, LummaC2 and Rhadamanthys.
*   Talos also discovered a new PowerShell command-line argument embedded in the LNK file to bypass anti-virus products and download the final payload into the victims’ host.
*   This campaign uses the Content Delivery Network (CDN) cache domain as a download server, hosting the malicious HTA file and payload. 
*   Talos assesses with moderate confidence that the threat actor CoralRaider operates the campaign. We observed several overlaps in tactics, techniques, and procedures (TTPs) of CoralRaider’s Rotbot campaign, including the initial attack vector of the Windows Shortcut file, intermediate PowerShell decryptor and payload download scripts, the FoDHelper technique used to bypass User Access Controls (UAC) of the victim machine.  

**Victimology and actor infrastructure**

The campaign affects victims across multiple countries, including the U.S., Nigeria, Pakistan, Ecuador, Germany, Egypt, the U.K., Poland, the Philippines, Norway, Japan, Syria and Turkey, based on our telemetry data and OSINT information. Our telemetry also disclosed that some affected users were from Japan’s computer service call center organizations and civil defense service organizations in Syria. The affected users were downloading files masquerading as movie files through the browser, indicating the possibility of a widespread attack on users across various business verticals and geographies.

We observe that this threat actor is using a Content Delivery Network (CDN) cache to store the malicious files on their network edge host in this campaign, avoiding request delay. The actor is using the CDN cache as a download server to deceive network defenders. 

CDN edge URLs 

Information Stealer

hxxps\[://\]techsheck\[.\]b-cdn\[.\]net/Zen90

Cryptbot

hxxps\[://\]zexodown-2\[.\]b-cdn\[.\]net/Peta12

Cryptbot

hxxps\[://\]denv-2\[.\]b-cdn\[.\]net/FebL5

Cryptbot, Rhadamanthys

hxxps\[://\]download-main5\[.\]b-cdn\[.\]net/BSR\_v7IDcc

Rhadamanthys

hxxps\[://\]dashdisk-2\[.\]b-cdn\[.\]net/XFeb18

Cryptbot

hxxps\[://\]metrodown-3\[.\]b-cdn\[.\]net/MebL1

Cryptbot

hxxps\[://\]metrodown-2\[.\]b-cdn\[.\]net/MebL1

Cryptbot, LummaC2

hxxps\[://\]metrodown-2\[.\]b-cdn\[.\]net/SAq2

LummaC2

Talos discovered that the actor is using multiple C2 domains in the campaign. The DNS requests for the domains during our analysis period are shown in the graph, indicating the campaign is ongoing. 

**Tactics, techniques and procedures overlap with other campaigns **

Talos assesses with moderate confidence that threat actor CoralRaider is likely operating this campaign based on several overlaps in the TTPs used and the targeted victims’ geography of this campaign with that of the CoralRaider’s Rotbot campaign. We spotted that the PowerShell scripts used in the attack chain of this campaign to decrypt the PowerShell scripts of further stages and the downloader PowerShell script are similar to those employed in the Rotbot’s campaign.

PowerShell decryptor script of Rotbot campaign (left) and new unknown campaign (right).

String decrypt and download routine of Rotbot campaign (Left) and new unknown campaign (right).

The Powershell script did not appear in any public repository or article, indicating the threat actor likely developed these PowerShell scripts. Pivoting on the PowerShell argument embedded in the LNK file showed us that such arguments are not popular and likely specific to the actor and the campaign.  

.(gp -pa 'HKLM:\\SOF\*\\Clas\*\\Applications\\msh\*e').('PSChildName')

**Multi-stage infection chain to deliver the payload **

The infection chain starts when a victim opens the malicious shortcut file from a ZIP file downloaded using the drive-by download technique, according to our telemetry. The threat actor is likely delivering malicious links to victims through phishing emails.

The Windows shortcut file has an embedded PowerShell command running a malicious HTA file on attacker-controlled CDN domains. HTA file executes an embedded Javascript, which decodes and runs a PowerShell decrypter script. PowerShell decrypter script decrypts the embedded PowerShell Loader script and runs it in the victim’s memory. The PowerShell Loader executes multiple functions to evade the detections and bypass UAC, and finally, it downloads and runs one of the payloads, Cryptbot, LummaC2 or Rhadamanthys information stealer.

**Windows Shortcut file to execute the malicious HTA file**

Windows shortcut file runs a PowerShell command to download and run an HTML application file on the victim’s machine. The threat actor has used “gp,” a PowerShell command alias for Get-ItemProperty, to read the registry contents of the application classes registry key and gets the executable name “mshta.exe.” Using mshta.exe, the PowerShell instance executes the remotely hosted malicious HTA file on the victim’s machine. 

**Obfuscated HTA runs embedded PowerShell decrypter  **

The malicious HTML application file is heavily obfuscated and has a Javascript that decodes and executes a function using the String fromCharCode method. The decoded function then executes an embedded PowerShell decryptor script. 

The decryptor PowerShell script has a block of AES-encrypted string. Using the AES decryptor function, it generates an AES key of 256 bytes from a base64 encoded string “RVRVd2h4RUJHUWNiTEZpbkN5SXhzUWRHeFN4V053THQ=” and the IV “AAAAAAAAAAAAAAAA.” With the key and IV, it decrypts and executes the next stage of the PowerShell Loader script. 

**PowerShell loader downloads and runs the payload**

The PowerShell loader script is modular and has multiple functions to perform a sequence of activities on the victim’s machine. Initially, it executes a function that drops a batch script in the victim machine’s temporary folder and writes its contents, which includes the PowerShell command to add the folder “ProgramData” of the victim machine to the Windows Defender exclusion list. 

The dropped bath script is executed through a living-off-the-land binary (LoLBin) “FoDHelper.exe” and a Programmatic Identifiers (ProgIDs) registry key to bypass the User Access Controls (UAC) in the victim’s machine. Fodhelper is a Windows feature, an on-demand helper binary that runs by default with high integrity. Usually, when the FodHelper is run, it checks for the presence of the registry keys listed below. If the registry keys have commands assigned, the FodHelper will execute them in an elevated context without prompting the user. 

HKCU:\Software\Classes\ms-settings\shell\open\command

HKCU:\Software\Classes\ms-settings\shell\open\command\DelegateExecute

HKCU:\Software\Classes\ms-settings\shell\open\command\(default)

Windows Defender, by default, detects if there are attempts to write to the registry keysHKCU:\Software\Classes\ms-settings\shell\open\command and to evade this detection, the threat actor uses the programmatic identifier (ProgID). In Windows machines, a programmatic identifier (ProgID ) is a registry entry that can be associated with a Class ID (CLSID ), which is a globally unique serial number that identifies a COM (Component Object Model) class object. The Windows Shell uses a default ProgID registry key called CurVer, which is used to set the default version of a COM application. 

In this campaign, the threat actor abuses the “CurVer” registry key feature by creating a custom ProgID “ServiceHostXGRT” registry key in the software classes registry and assigns the Windows shell to execute a command to run the batch script. 

Registry Key

"HKCU\\Software\\Classes\\ServiceHostXGRT\\Shell\\Open\\command"

Value

%temp%\\r.bat 

The script configures the ProgID ServiceHostXGRT in the CurVer registry subkey of HKCU\Software\Classes\ms-settings\CurVer, which will get translated to HKCU:\Software\Classes\ms-settings\shell\open\command. After modifying the registry settings, the PowerShell script runs FoDHelper.exe, executing the command assigned to the registry key HKCU:\Software\Classes\ms-settings\shell\open\command and executing the dropped batch script. Finally, it deletes the configured registry keys to evade detection. 

The batch script adds the folder “C:\\ProgramData” to the Windows Defender exclusion list. The PowerShell loader script downloads the payload and saves it in the “C:\\ProgramData” folder as “X1xDd.exe.”

After downloading the payload to the victim’s machine, the PowerShell loader executes another function that overwrites the previously dropped batch file with the new instructions to run the downloaded payload information stealer through the Windows start command. It again uses the same FoDHelper technique to run the batch script’s second version, which we explained earlier in this section.  

**Actor’s choice of three payloads in the same campaign **

Talos discovered that the threat actor delivered three famous information stealer malware as payloads in this campaign, including CryptBot, LummaC2 and Rhadamanthys. These information stealers target victims’ information, such as system and browser data, credentials, cryptocurrency wallets and financial information. 

**CryptBot**

CryptBot is a typical infostealer targeting Windows systems discovered in the wild in 2019 by GDATA. It is designed to steal sensitive information from infected computers, such as credentials from browsers, cryptocurrency wallets, browser cookies and credit cards, and creates screenshots of the infected system. 

Talos has discovered a new CryptBot variant distributed in the wild since January 2024. The goal of the new CryptBot is the same, with some new innovative functionalities. The new CryptBot is packed with different techniques to obstruct malware analysis. A few new CryptBot variants are packed with VMProtect V2.0.3-2.13; others also have VMProtect, but with unknown versions. The new CryptBot attempts to steal sensitive information from infected machines and modifies the configuration changes of the stolen applications. The list of targeted browsers, applications and cryptocurrency wallets by the new variant of CryptBot is shown below.

We observed the new CryptBot variant also includes password manager application databases and authenticator application information in its stealing list to steal the cryptocurrency wallets that have two-factor authentication enabled. 

CryptBot is aware that the target applications in the victim’s environment will have different versions, and their database files will have different file extensions. It scans the victim’s machine for database files’ extensions of the targeted applications for harvesting credentials. 

**LummaC2 **

Talos discovered that the actor is delivering a new variant of LummaC2 malware as an alternative payload in this campaign. LummaC2 is a notorious information stealer that attempts to harvest information from victims’ machines. Based on the report posted by outpost24 and other external security reports, LummaC2 has already been confirmed to be sold on the underground market for years. 

The threat actor has modified LummaC2’s information stealer capability and obfuscated the malware with a custom algorithm. The obfuscation algorithm is saved in another section inside the malware shown below.

The new version of LummaC2 also presents the same signature of the alert message displayed to the user during its execution. 

The C2 domains are encrypted with a symmetric algorithm, and we found that the actor has nine C2 servers that the malware will attempt to connect to one by one. Analyzing various samples of the new LummaC2 variant, we spotted that each will use a different key to encrypt the C2.   

Talos has compiled the list of nine C2 domains the new LummaC2 variant attempts to connect in this campaign. 

Encrypted strings

Decrypted Strings

DjAX00pkpcffFUltlGiiaZwjEaPFx8U3sZYohNNzphB+VXagKwrRr7BjLA71GNEZ8E8/0K2otQ==

peasanthovecapspll\[.\]shop

DjAX00pkpcffFUltlGiiaZwjEaPFx8U3sZYohNNzphBpVXqwOAHAo75nPQT3Hc4I6EZ+x+u0rVjB

gemcreedarticulateod\[.\]shop

DjAX00pkpcffFUltlGiiaZwjEaPFx8U3sZYohNNzphB9VXShLxDMqLFmPATgC8Ma+U14zKy0oBnC/kf0

secretionsuitcasenioise\[.\]shop

DjAX00pkpcffFUltlGiiaZwjEaPFx8U3sZYohNNzphBtXHa6JwfKqbxwOh79B8wb+UF0jbavqkc=

claimconcessionrebe\[.\]shop

DjAX00pkpcffFUltlGiiaZwjEaPFx8U3sZYohNNzphBiWXaxIwjMs6Z0Ox/1BsUM8UZ/2qyz60TZ+Vg=

liabilityarrangemenyit\[.\]shop

DjAX00pkpcffFUltlGiiaZwjEaPFx8U3sZYohNNzphBjX3O2ORDAtKx0MAjiDcwE9U9mxq7ptl/e5g==

modestessayevenmilwek\[.\]shop

DjAX00pkpcffFUltlGiiaZwjEaPFx8U3sZYohNNzphB6Qn6yJAPJoqxwKB77BsAM8kB51K/ptl/e5g==

triangleseasonbenchwj\[.\]shop

DjAX00pkpcffFUltlGiiaZwjEaPFx8U3sZYohNNzphBtRXunPxbAtLRwPQ78DssH/U1yyqSrqRnC/kf0

culturesketchfinanciall\[.\]shop

DjAX00pkpcffFUltlGiiaZwjEaPFx8U3sZYohNNzphB9X3GyIhHLs7Z7Lh74AcYM+Ep/xuu0rVjB

sofahuntingslidedine\[.\]shop

LummaC2’s first step in its exfiltration phase is its connection to the C2 server. The malware will exit the process if it does not receive the “OK” message as a response from any of the nine C2 servers. The second step will be exfiltrating information from infected machines. The basic stealing functionality is the same as the previous version, with the addition of victims’ discord credentials to exfiltrate. 

**Rhadamanthys**

The last payload we found in this campaign is Rhadamanthys malware, a famous infostealer appearing in the underground forum advertisement in September 2022. The Rhadamanthys malware has been evolving till now, and its authors have released a new version, V0.6.0, on Feb. 15, 2024. However, the Rhadamanthys variant we found in this campaign is still v0.5.0.

The threat actor uses a Python executable file as a loader to execute the Rhadamanthys malware into memory. After decompiling the Python executable file, Python scripts load the Rhadamanthys malware in two stages. The first stage is a simple Python script that replaces the binary code from 0 to 9 and decodes the second stage. 

In the second stage, the Python script uses the Windows API to allocate a memory block and inject Rhadamanthys malware into the process. We spotted that the threat actor is developing the Python script with the intention of including the functionality of executing a shellcode. 

Analyzing the final executable file showed us that the malware unpacks the loader module with the custom format having the magic header “XS” and performs the process injection. The custom loader module in XS format is similar to that of a Rhadamanthys sample analyzed by the researcher at Check Point. The malware selects one of the listed processes as the target process for process injection from a hardcoded list in the binary:

*   "%Systemroot%\\\\system32\\\\dialer.exe"
*   "%Systemroot%\\\\system32\\\\openwith.exe"

**Coverage**

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.

Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. Snort SID for this threat is 63218 - 63225 and 300867 - 300870.

ClamAV detections are also available for this threat:

Lnk.Downloader.CoralRaider-10027128-0

Txt.Tool.CoralRaider-10027140-0

Html.Downloader.CoralRaider-10027220-0

Win.Infostealer.Lumma-10027222-0

Win.Infostealer.Rhadamanthys-10027293-0

Win.Infostealer.Rhadamanthys-10027294-0

Win.Infostealer.Cryptbot-10027295-0

Win.Infostealer.Cryptbot-10027296-0

Win.Infostealer.Cryptbot-10027297-0

Win.Infostealer.Cryptbot-10027298-0

Win.Infostealer.Cryptbot-10027299-0

Win.Infostealer.Cryptbot-10027300-0

Win.Infostealer.Cryptbot-10027301-0

Win.Infostealer.Cryptbot-10027302-0

Win.Infostealer.Cryptbot-10027303-0

Win.Infostealer.Cryptbot-10027305-0

**Indicators of Compromise**

Indicators of Compromise associated with this threat can be found here.

Suspected CoralRaider continues to expand victimology using three information stealers

Given the state of the NVD and vulnerability management, we felt it was worth looking at the current state of the NVD, how we got to this point, what it means for security teams, and where we go from here.

Friday, April 19, 2024 08:00

The National Vulnerability Database is usually the single source of truth for all things related to security vulnerabilities.  

But now, they’re facing an uphill battle against a massive backlog of vulnerabilities, some of which are still waiting to be analyzed, and others that still have an inaccurate or altogether missing severity score.  

As of April 9, 5,799 CVEs that have been published since Feb. 15, 2024, remain unanalyzed. 

As the backlog piles up, it’s unclear how, or when, the NVD is going to get back to its regular cadence of processing, scoring and analyzing vulnerabilities that are submitted to the U.S. government repository. At its current pace, the NVD is analyzing about 2.9 percent of all published CVEs it's been sent, well behind its pace in previous years. If there were no new CVEs submitted today, it could take the NVD more than 91 days to empty that backlog and get caught up. 

Given the state of the NVD and vulnerability management, we felt it was worth looking at the current state of the NVD, how we got to this point, what it means for security teams, and where we go from here. 

**What is the NVD? **

The U.S.’s National Vulnerability Database provides the most comprehensive list of CVEs anywhere. This tracks security vulnerabilities in hardware and software and distributes that list to the public for anyone to use.  

This data enables organizations and large networks to automate vulnerability management, take appropriate security steps when a new vulnerability is discovered, important references and metrics that indicate how serious a particular vulnerability is.  

The U.S. National Institute of Standards and Technology (NIST) has managed the NVD since 2000, when it was started as the Internet Category of Attack toolkit. It eventually morphed into the NVD, which passed the 150,000-vulnerability mark in 2021.  

In addition to simply listing the CVEs that are regularly disclosed, the NVD scores vulnerabilities using the CVSS system, which often differ from the initial severity score that’s assigned by the researcher that discovers the vulnerability, or the company or organization behind the affected product or software. 

Since the creation of I-CAT, no other organization or private company has as comprehensive of a list of vulnerabilities as the NVD, nor do they offer it for free like NIST does.  

**Why is the backlog a problem? **

On the surface, it may seem like the fact that the NVD has been slow to analyze CVEs isn’t all that bad, considering security issues are still being disclosed and patched every day (think: Microsoft Patch Tuesday). 

However, the lack of a single source of CVEs augmented information is detrimental to administrators, security researchers and users, and security experts are warning that the issue needs to be addressed quickly, or an alternative needs to be adopted.  

With the NVD being a collection of all this information, it’s up to the individual vendors to responsibly disclose and release vulnerabilities discovered in their products, which puts the onus on administrators to track that information down. If someone who handles patch management for a network was relying on the NVD for their information, that list is likely outdated at this point, and instead, they need to visit each individual vendor to find out what vulnerabilities were recently disclosed in their products, and how large of a risk they present.  

On any given network, that could be dozens to even hundreds of vendors, and while massive companies like Apple and Microsoft have easy-to-access security and vulnerability information, smaller open-source projects may not have the same resources that administrators need.  

The NVD is also the most trusted source for severity scores. Their calculations are generally what most users see when they read a security advisory. But without their input, it’s on the researcher or vendor to assign a score, instead. Under that system, there is no guarantee that a company may not want to score their vulnerability higher so it does not seem as serious, while researchers may want to bump up the severity of the issue they find so they are credited with discovering a higher-severity issue.  

As Talos has discussed before, a CVSS score is not the only metric worth relying on when patching, but it does play a major role in how the public views vulnerabilities and whether they’re likely to be exploited in the wild. According to Talos’ 2023 Year in Review report, eight of the 10 most-exploited CVEs last year received a severity score of 9.3 or higher. Any sense of uncertainty around CVSS scores can leave administrators scratching their heads and without a “north star” for patch management. 

The recent xz Utility vulnerability that was luckily prevented before any attackers could exploit it still does not have a Common Weakness Enumeration (CWE) assigned to it as of April 10 because of the backlog. Had an exploit for this been used, defenders would be missing crucial context and information for defending against this backdoor. 

**How did this backlog develop? **

NIST has been relatively vague about why the agency has been slow to process new vulnerabilities. The first sign of trouble came in February, when NIST released a statement that a “growing backlog of vulnerabilities” had developed because of “an increase in software and, therefore, vulnerabilities, as well as a change in interagency support.” 

NIST’s budget was cut by about 12 percent after the recent package of funding bills passed by U.S. Congress, as well. 

The agency also said in February that additional NIST staff were being shifted around to address the backlog, and at the recent VulnCon and Annual CNA Summit, the NVD program director promised that NIST was developing a consortium to help address the issues with the NVD.  

The total number of vulnerabilities disclosed continues to increase every year, driven by larger amounts of software on the market and increased visibility into security concerns and research. Last year, there were 28,961 CVEs disclosed, according to the CVE Program, an increase of 15 percent from 2022. The last time there were fewer CVEs assigned in a year compared to the year prior was in 2016. 

**What are some potential solutions? **

NIST has continued to publicly support the NVD and says it's preparing to revitalize the database. But it’s unclear what short- or long-term solutions or alternatives exist. 

Jerry Gamblin, a principal threat detection and response engineer for Cisco Vulnerability Management, said there has yet to be a company or organization willing to take on the monstrous task of tracking and scoring \*every\* CVE, especially for free.  

Other vulnerability catalogs exist like the Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) catalog, but the KEV only lists vulnerabilities that have actively been exploited in the wild. 

In short — all the potential alternatives are imperfect. 

“We can get the data from anywhere, and AI data could even help, but people just need to decide,” Gamblin said. “Is there going to be just one source of data? And who is the source of truth for this data? Who owns this data?” 

A private company like MITRE could step up to create its own solution, but it’d likely want to charge for access to that database. Any non-profit organization who also wants to step up would also likely need a massive influx of money and manpower to address the sheer volume of CVEs that come in every day. 

And while NIST says the consortium is in the works, there’s no timetable for how long it could take for that to be established, and which private companies would be involved.  

For now, it’s best to stick to tried-and-true patching strategies that have worked for years. Software, like Cisco Vulnerability Management, which has not been affected by the NVD backlog, can also assist in automating the patching process and prioritizing which vulnerabilities to patch first.

Source

TALOS