Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Nov. 3 and Nov. 10. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key

Threat Roundup for November 3 to November 10

Cisco Talos has recently observed an increase in spam messages abusing a feature of quizzes created within Google Forms.

Thursday, November 9, 2023 08:11

*   Spammers are exploiting the "Release scores" feature of Google Forms quizzes to deliver email.
*   The emails originate from Google's own servers and consequently may have an easier time bypassing anti-spam protections and finding the victim's inbox.
*   Volumes of these messages hovered near noise levels but have recently spiked into the hundreds.

Cisco Talos has recently observed an increase in spam messages abusing a feature of quizzes created within Google Forms. In particular, spammers have discovered that they can create a new quiz in Google Forms, use the victim’s email address to respond to the quiz, and then abuse the “Release Scores” feature of the Google Form to deliver their spam to the victim. Because the spam messages emanate from Google itself, the messages have a good chance of landing in the victim’s inbox.

A histogram showing the volume of “Score released:” emails for the past two years.

Cisco Talos examined a recent spam campaign in which the Subject headers all contained the text, “Score released:”. During our investigation, we quickly realized these messages were being generated through a feature of Google Forms’ quizzes. Google Forms abuse has been present in spam attacks for several years, though our investigation showed that this particular feature of Google Forms quizzes was not very heavily abused to send spam until relatively recently.

**Google Forms’ quizzes**

In Google Forms, when creating a new form, an author can choose to “Make this a quiz.” Choosing to release grades “Later, after manual review,” enforces the collection of email addresses in the quiz.

An example Google Forms quiz is configured to release grades after manual review.

Elsewhere, under the settings for Responses, choosing “Responder input” allows a spammer to fill in their form using any victim’s email address.

An example form configured to allow responder-controlled values for email addresses.

Once the form is configured in this way, a link to the form can be obtained and accessed by the spammer. The spammer then fills out the form using the victim’s email address and submits it. Whether the question in the quiz is answered does not matter. Afterward, the fake quiz responses generated by the attacker can be viewed.

Quiz responses as seen by the Google Forms quiz owner.

Clicking the “Release scores” dialog in the upper right will prompt the form owner to “Send emails and release” the scores. The message delivered as part of the email can be customized to include any text or URL, and the message will then be delivered by Google using the “From:” address of the Google account that created the quiz. Because the email messages generated using this technique emanate from Google’s servers, they stand a good chance of being delivered to the victim’s inbox. 

**Google Forms quiz spam used in an elaborate cryptocurrency scam**

A recent example of one of these Google Forms quiz score release spam attacks appears below. 

An example of a recent spam campaign utilizing the “Release scores” feature of Google Forms quizzes.

When the victim clicks the “View” button in this email, they are directed to the fake form response generated by the spammer.

Clicking “View” on a “Scores released:” spam directs the victim to the spammer-generated form response.

In this particular form response, the spammer has provided a link “>>> GO TO THE SITE” which points to another Google Form that asks the victim to confirm their email address. At this stage of the attack, when an email address is entered into the second form, the victim is provided a form response containing a link to an external website: go-procoinwhu\[.\]top. 

After the victim “confirms” their email address they are presented with a link to a third party website.

The go-procoinwhu\[.\]top domain was created only just created on October 28, 2023, but it is already seeing a large uptick in the number of DNS queries requesting it.

Clicking the go-procoinwhu\[.\]top link in the Google Form response results in a 302 redirect from Cloudflare, which directs the victim to https://hdlgr\[.\]dudicyqehama\[.\]top/, which is also hosted by Cloudflare. This domain was also recently created (October 25, 2023), and exhibits a very similar DNS traffic pattern in Umbrella Investigate.

When the victim navigates to the dudicyqehama.top website, they are presented with an elaborate scam website that claims that the victim possesses more than 1.3 Bitcoin in their account as a result of “automatic cloud Bitcoin mining,” which the site claims is worth more than $46,000 USD. 

A malicious cryptocurrency-related website claims the victim has over 1.3 BTC. 

Once the victim clicks “Continue,” they are brought into the main website “login page.” The username and password are pre-filled into the login form, so the victim only needs to click the “Sign in” button. 

A fake login form for the scammer's website. The username/password are pre-filled into the form.

Once logged in, it is readily apparent that the website goes to great lengths to appear legitimate. The site even includes a group chat feature near the bottom where you can see various other users discussing cryptocurrency-related topics. As a logged-in user, the victim can even comment. Watching the text scroll by in the chat, it becomes apparent that they are recycling the same comments over and over, and these are not real users.

The scammer's website tries very hard to look legitimate. They even include a fake group chat.

When the victim attempts to claim their Bitcoin from the main site, they are redirected to what looks like a live chat with an agent named “Sophia.”

When the victim tries to claim their BTC they are directed to a “live” chat with an agent named “Sophia.”

Sophia chats with us for a moment before sending a form to fill out to collect the Bitcoin.

Sophia sends the victim a form to fill out to collect their BTC. 

The form asks the victim to fill in their name, email address and the cashout method the user prefers. 

The victim must fill out a form indicating how they wish to receive the money from the BTC they exchanged for USD.

Once the form has been filled out and submitted, the victim is again redirected back to the chat with Sophia, who proceeds to give us a button to kick off the currency exchange of BTC into USD.

Sophia finishes chatting with the victim and provides a button to facilitate the Currency Exchange.

Now, we can begin to see the end game for this particular scam. The victim is instructed that to claim the almost $48,000 USD, the victim must pay an “exchange fee” of 0.25%, or $64 USD.

To receive the USD from the converted BTC, the victim must pay an exchange fee of 0.25%.

When the victim clicks “Exchange Bitcoin,” they are presented with one last form where the victim is prompted to enter their name, email and phone number. 

A payment form from the scammers. They are asking for $64.

Clicking “Pay” brings up a QR code for the BTC wallet of the spammers. Fortunately, nobody has fallen for this scam and paid the attackers, as the connected Bitcoin wallet was empty as of November 6, 2023.

The BTC wallet the attackers are using to receive the “exchange fee.”

The amount of setup work necessary to conduct a spam attack such as this, combined with the extraordinary attention to detail put into the social engineering for the subsequent cryptocurrency scam, demonstrates just how far cybercriminals will go when it comes to separating victims from even a small amount of money. As is usually the case with scams such as this, when something sounds too good to be true, it often is.

**IOCs**

IOCs for this research can also be found in our GitHub repository here.

Spammers abuse Google Forms’ quiz to deliver scams

Given the increased geopolitical importance of cybersecurity, NIS2 is a logical step in creating more harmonized and stronger defense capabilities across the European Union.

Thursday, November 9, 2023 08:11

NIS2 is a European directive that includes new measures to ensure that organizations operating in the European Union (EU) have a high common level of network and infrastructure security. 

The "directive" outlines the goals all EU member states must achieve. However, each country will implement it in their own law with room for some national specifics to reach these goals. Directives are binding in terms of minimal requirements for what should be implemented.

For example, if the directive imposes fines for organizations who are not in compliance, states can decide to go beyond the minimum fine and impose higher penalties for entities in their jurisdiction. 

NIS2 is a successor of the NIS1 Directive, which is considered the first EU cybersecurity law. Since its implementation in 2018, NIS1 has proven to be essential for the implementation of the EU Cybersecurity Strategy but not sufficient in addressing the challenges posed by the current cybersecurity threat landscape. NIS2 broadens the scope of the legislation by including new sectors and types of organizations which need to comply and introducing higher requirements for their cybersecurity.

Given the increased geopolitical importance of cybersecurity, NIS2 is a logical step in creating more harmonized and stronger defense capabilities across the European Union.

**What is new in NIS2 as compared to NIS1?**

*   Stricter cybersecurity requirements.
*   Broader scope — wider range of sectors and entities affected.
*   Change of identification mechanism – from active identification to self-identification.
*   Added requirements for supply chain cybersecurity.
*   Stronger compliance supervision from the national authorities.
*   Clearly defined administrative fines in case of non-compliance.
*   Establishment of cybersecurity information-sharing arrangements between interested entities, e.g., a platform for the exchange, automatic tools and content.

**Who needs to conform with NIS2?**

If you operate in the European Union in one of the subsectors listed in the Annex of the Directive and your organization is of a certain size or falls under one of the exceptions under Articles 2 & 3, you must conform to NIS2.

**Entities in scope**

NIS2 applies to public or private entities which qualify as or exceed the ceilings for medium-sized enterprise as outlined in Recommendation 2003/361/EC: a “medium” entity is “an enterprise which employs 50 or more persons and whose annual turnover and/or annual balance sheet total does exceed EUR 10 million.”

Regardless of their size, this directive also applies to several exceptions listed under Article 2 of the directive. Member states may also apply this directive to specific entities/institutions. It is therefore important to double-check with national authorities.

**Essential vs. important entities**

NIS2 divides entities into two categories — “essential” and “important” — depending on the expected impact of an incident. Both types must comply with the same security measures, but “essential” organizations will always be proactively supervised by the government, and “important” entities will only be checked after a cybersecurity incident. In other words, the control of essential entities is stricter due to the possible more dire consequences if that organization is found to be non-compliant.

**What measures need to be implemented as per NIS2?**

NIS2 includes a list of 10 key elements that all companies must address in terms of cybersecurity. The exact implementation of these measures should consider state-of-the-art technology and, where applicable, relevant European and international standards at an appropriate and proportionate technical level, and the cost of implementation.

The measures in NIS2 are as follows:

*   Policies on risk analysis and information system security.
*   Incident handling.
*   Business continuity, such as backup management and disaster recovery, and crisis management.
*   Supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers.
*   Security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure.
*   Policies and procedures to assess the effectiveness of cybersecurity risk-management measures.
*   Basic cyber hygiene practices and cybersecurity training.
*   Policies and procedures regarding the use of cryptography and, where appropriate, encryption.
*   Human resources security, access control policies and asset management.
*   The use of multi-factor authentication or continuous authentication solutions, secured voice, video and text communications and secured emergency communication systems within the entity, where appropriate.

**Incident reporting obligations**

NIS2 introduces strict incident reporting requirements, which are applicable to essential and important entities:

*   Within 24 hours of becoming aware of the incident, the entity must inform the national authority.
*   Within 72 hours of a more formal incident, and following an initial incident assessment, a second notification must be provided. It should include incident severity, impact and known indicators of compromise (IOCs).
*   Within a month of the formal incident notification, a final report must be submitted.

**Fines**

Essential and important entities face different administrative fines if they were to fail to meet the incident reporting obligations or general security requirements.

For “essential” entities, national laws must implement a certain level of administrative fines, notably a maximum of at least EUR 10,000,000, or 2% of the total worldwide annual turnover of the preceding fiscal year, whichever is higher.

For “important” entities, the maximum fine is of at least EUR 7,000,000 or at least 1.4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.

**When will NIS2 take effect?**

The NIS2 Directive was published on Dec. 27, 2022, and each EU member state has until Oct. 17, 2024, to transpose the NIS2 Directive into its national legislation. Once the national laws are effective, organizations that are in scope need to comply.

NIS2 requires that entities have documentation and processes to handle incidents. One of the foundational documents for coordinating the response efforts is an Incident Response Plan.

A Cisco Talos Incident Response Retainer offers several services, such as the incident response plan and IR playbook development, which can help customers create the documentation required by NIS2. Moreover, the training and simulation services in the Talos retainer can support customers in putting new and existing processes to the test and improving the team’s overall knowledge in the cyber domain.

Next week, we’ll have more information on creating an incident response plan for your organization that complies with NIS2. We have summarized seven of the most common mistakes when starting to write a brand-new plan or reviewing an existing document, and we will share practical advice on how to avoid them.

What is NIS2, and how can you best prepare for the new cybersecurity requirements in the EU?

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Oct. 27 and Nov. 3. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key

Threat Roundup for October 27 to November 3

The Arid Viper threat actor is actively trying to install spyware on targeted devices in the Middle East, using fake dating apps as lures.

Thursday, November 2, 2023 14:11

Windows CE — an operating system that, despite being out for 27 years, never had an official explanation for why it was called “CE” — finally reached its official end-of-life period this week. 

This was Microsoft’s first operating system for embedded and pocket devices, making an appearance on personal pocket assistants, some of the first BlackBerry-likes, laptops and more during its lifetime.  

In 2020, Microsoft announced a clear migration path for devices using Windows CE and warned of its impending end-of-life (meaning there’d be no more support, security patches, etc.) by telling users to run a container on top of Windows 10 IoT. 

However, Microsoft says it will continue license sales for Windows Embedded Compact 2013 (the last time Windows CE received a full version update until 2028). I’ve written before about the dangers of people thinking it’s cool to still run Windows 7, which was already a surprise to me, but then by reading more about Windows CE this week, I found that some of the most important hardware the U.S. relies on still use Windows CE: voting machines. 

A Windows CE phone was at the center of the “Hillary Clinton emails” drama during the 2016 presidential election, and since then, security researchers have found that some voting machines using Windows CE are vulnerable to various exploits.   

I found one DEF CON 25 attendee in 2017 who went to the conference’s first-ever “Voting Village” where researchers poked and prodded various voting systems, including the ExpressPoll 5000 voter registration system that used Windows CE 5.0. Needless to say, the ExpressPoll 5000 didn’t stand a chance. 

I couldn’t find any information on if there are still any ExpressPoll 5000s in the wild, but the Maryland State Board of Elections was still accepting the devices into their pool of devices that could be certified to be used in elections with an “acceptance test” as of 2016. 

Other Diebold voting machines used in the 2016 presidential election also ran outdated versions of Windows CE. (Vice News had a video segment on this topic that’s since been scrubbed from the internet, but there’s a great written recap of the segment here.)  

Again, there is no real proof that these systems are still being used in the wild. After the security concerns stemming from the 2016 election, the U.S. took a much tougher look at election security and continues to invest heavily in more secure voting machines, so there’s a possibility these devices are all now out of service, patched, or hopefully just buried in a ditch somewhere.  

But it does get to a larger point, that a lot of the technology our government relies on is \*old\*. Many voting systems used in the 2020 presidential election relied on Windows 7, which also is now at its end-of-life and isn’t receiving any security updates. Support for Windows 8.1 ended at the beginning of this year, and who knows what devices are floating out there still using versions of that OS, and Windows 10 will reach its end-of-life period in October 2025, so by the time we get to the 2028 election (I can’t even fathom that as a real year still), I suspect we’ll be seeing lots of stories of all the voting devices relying on that.  

**The one big thing **

The Arid Viper threat actor is actively trying to install spyware on targeted devices in the Middle East, using fake dating apps as lures. Although Arid Viper is believed to be based out of Gaza, Talos has no evidence indicating or refuting that this campaign is related in any way to the Israel-Hamas war. The malicious apps Arid Viper uses are very similar to other legitimate apps, so it’s fairly easy for an unsuspecting user to get hit.  

**Why do I care? **

Spyware is very dangerous no matter how you twist it, but in this particular case, Arid Viper’s spyware collects the target’s sensitive personal information off their devices and disables security notifications so the actor can install more malware. The use of spyware across the globe continues to be a major issue that governments have had a hard time reigning in (and sometimes the governments themselves are the ones using it). 

**So now what? **

Our blog post has more details on the malicious apps being used in this campaign, so potential targets know what to be on the lookout for. We also have several new IOCs available for defenders to add to their blocklists. Potentially sensitive targets like politicians, journalists or activists may want to enable “safe” modes on their mobile devices, which can help protect against all types of spyware.  

**Top security headlines of the week **

**U.S. President Joe Biden signed a sweeping Executive Order this week attempting to regulate the use of AI and put several privacy safeguards in place.** The order also calls on Congress to pass national AI privacy legislation. Under the new rules, leading AI developers will need to share safety test results and other information about their software with the government. The National Institute of Standards and Technology will also create new standards to ensure AI tools are safe and secure before they’re publicly released. Federal agencies will now also need to change the way they use AI, with the hopes that the private sector will follow suit. Federal benefits programs and contractors will need to ensure that any AI tools they rely on do not deepen any racial biases in their activities. However, privacy experts only view the Executive Order as a small first step that needs to be augmented by national legislation and enforcement. (AP News, ABC News) 

**The U.S. government is preparing for an influx of Iranian-backed cyber attacks in retaliation for the U.S.’ support of Israel in its war against Hamas.** FBI Director Christopher Wray told a Congressional committee this week that, “The cyber targeting of American interests and critical infrastructure that we already see conducted by Iran and non-state actors alike we can expect to get worse if the conflict expands.” New research also indicates that Iranian threat actors have carried out a range of cyber espionage activities across the Middle East, looking to collect sensitive intelligence and disrupt important services. There may be up 15 different hacking groups affiliated directly with, or serving as a proxy for, the Iranian Revolutionary Guard Corps or the Iranian Ministry of Intelligence. (Politico, The New York Times) 

**Cloud computing company Citrix is warning of the mass exploitation of a critical vulnerability in its NetScaler ADC/Gateway devices.** Known as “Citrix Bleed,” CVE-2023-4966 is an information disclosure vulnerability that could allow attackers to steal valid session tokens from internet-facing Netscaler devices running vulnerable software. Citrix disclosed the vulnerability on Oct. 10, warning users to update affected devices immediately. However, security researchers soon found that attackers had been exploiting the vulnerability since August. Researcher Kevin Beaumont reported on his personal social media channels that he found an estimated 20,000 instances of exploited Citrix devices where session tokens were stolen. (HelpNet Security, Ars Technica) 

**Can’t get enough Talos? **

*   Beers with Talos Ep. #140: Chicken Soup and Contact Centers 
*   Talos Takes Ep. #160: Patching 101 
*   Cisco Talos Incident Response On Air for Q3 2023 
*   Arid Viper Campaign Targets Arabic-Speaking Users 
*   Kazakhstan-based hackers targeting gov’t websites in Central Asia, Cisco says 

**Upcoming events where you can find Talos **

**Black Hat Middle East and Africa** **(Nov. 16)** 

Riyadh, Saudi Arabia 

> _Rami Atalhi from Talos Incident Response will discuss how generative AI affects red and blue teams in cybersecurity. Discover how generative AI creates a bridge between these teams, fostering teamwork and innovative strategies. Real-world cases will demonstrate how generative AI drives success, providing insights for building resilient cybersecurity plans._ 

**misecCON** **(Nov. 17)** 

Lansing, Michigan 

> _Terryn Valikodath from Talos Incident Response will deliver a talk providing advice on the best ways to conduct analysis, learning from his years of experience (and mishaps). He will speak about the everyday tasks he and his Talos IR teammates must go through to properly perform analysis. This talk covers topics such as planning, finding evil, recording findings, correlation and creating your own timelines._ 

**Most prevalent malware files from Talos telemetry over the past week **

**SHA 256: 21d709b0593c19ad2798903ae02de7ecdbf8033b3e791b70d7595bca64b99721**   
**MD5:** af8a072f20c8e647f53eb735528f070d   
**Typical Filename:** Head Office.exe   
**Claimed Product:** Head Office   
**Detection Name:** Win.Dropper.Pykspa::100.sbx.vioc 

**SHA 256:** 032f2e845d2b9832c7845bc6a7de650ee2148891c8ee442fe3f3a8478e588dbe   
**MD5:** a5cc0738a563489458f6541c3d3dc722   
**Typical Filename:** wuauclt.exe   
**Claimed Product:** Microsoft® Windows® Operating System   
**Detection Name:** Win.Dropper.Vools::100.sbx.tg 

**SHA 256:** 8664e2f59077c58ac12e747da09d2810fd5ca611f56c0c900578bf750cab56b7    
**MD5:** 0e4c49327e3be816022a233f844a5731    
**Typical Filename:** aact.exe    
**Claimed Product:** AAct x86    
**Detection Name:** PUA.Win.Tool.Kmsauto::in03.talos 

**SHA 256:** e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c      
**MD5:** a087b2e6ec57b08c0d0750c60f96a74c      
**Typical Filename:** AAct.exe      
**Claimed Product:** N/A        
**Detection Name:** PUA.Win.Tool.Kmsauto::1201 

**SHA 256:** b9ddbd1a4cec61e6b022a275d66312b5b676f9a0a9537a7708de9aa8ce34de59   
**MD5:** 3b100bdcd61bb1da816cd7eaf9ef13ba   
**Typical Filename:** vt-upload-C6In1   
**Claimed Product:** N/A    
**Detection Name:** Backdoor:KillAV-tpd

You’d be surprised to know what devices are still using Windows CE

Knowing the common scams is an important step in using the platform safely. The following recommendations help players not fall into scams.

Thursday, November 2, 2023 07:11

*   Online video games often make use of in-game virtual currency and give players the ability to purchase, trade or sell items. While these features are often selling points for players and potential revenue streams for the companies that make them, they also inevitably draw bad actors and scams.
*   One of these games is “Roblox,” a highly popular gaming platform, especially among children. We curated a short list of scams that have been reported online, such as on user support forums, YouTube videos and scammer Discord channels, explaining how they work and providing advice on how to detect and avoid them.

Roblox is a gaming platform composed of “Experiences,” which is “Roblox’s” name for user-created 3-D worlds where players can interact with each other and their surroundings. The creator, which can be any user, builds the scenarios, the game logic, items and overall interactivity of the experience.

Roblox is free to play but contains an in-application currency called “Robux” that can be used to purchase clothes, weapons or other items for a user’s avatar, some of which exist in limited quantities and can be worth tens of thousands of real-world dollars. Items can also be traded for other items or Robux using a built-in trading system. This creates a potentially profitable market and even though trading for real money is prohibited by the terms of service, some users negotiate outside the platform and trade using real money.

Where there is a potential for profit there are also people trying to scam others. “Roblox” users can be targeted by scammers (known as “beamers” by “Roblox” players) who attempt to steal valuable items or Robux from other players. This can sometimes be made easier for the scammers because of “Roblox's” young user base. Nearly half of the game’s 65 million users are under the age of 13 who may not be as adept at spotting scams.

**How to identify scams**

Having knowledge of common scams and how they work is key to spotting them, even if you’ve never heard of a particular tactic before. The following are some of the most common scams that have been seen targetting “Roblox” users.

**Offering free Robux/phishing** 

The scammer sends a message using “Roblox’s” in-game chat or another messaging application, to the victim offering a way to earn free Robux. In the most common variation of this scam, the user receives a link to a web page containing “Roblox”-related themes or images. The site offers the victim free Robux and asks the victim to enter their username and password so that they can receive the Robux in their account. After inserting their username and password, instead of receiving the Robux, the scammer logs into the victim’s account and steals all Robux and valuable items.

**In-experience phishing** 

In Roblox, any user can create experiences, including scammers. In this case, the scammer creates a malicious experience that promises to deliver free Robux and prompts the victim to fill out a form with their username and password. The victim’s credentials are sent to an actor-controlled server, allowing the adversary to log in to the user’s account and steal all Robux and valuable items.

__source: https://roblox.fandom.com/wiki/Scam/Gallery?file=Reward\_scam.jpg__

**JavaScript method** 

The scammer asks the victims to copy and paste a link containing JavaScript code into the browser’s address bar. There are many variations that use this method. In one common variation, the scammer pretends to be developing an experience and asks the user to use their avatar image in the experience. To receive the details of the avatar automatically, the scammer asks the victim to copy and paste the link containing the JavaScript code into the browser’s address bar. That code then steals the victim’s session ID, allowing the scammer to use the platform to log in to the victim's account and transfer all items and Robux from the victim's account to the scammer’s account. 

**Bookmark method** 

The bookmark method is a variant of the JavaScript method. Instead of asking the victim to paste a link into the address bar, the victim is asked to drag and drop the bookmark into the bookmarks bar and then click on it. The bookmark contains JavaScript code that steals the victim’s session ID. 

source: https://www.reddit.com/r/robloxhackers/comments/11eofbr/possibly\_new\_roblox\_scam/

**API method** 

The scammer proposes a trade that is usually too good to be true to the victim. Then, the attacker says that before continuing with the trade, they would like to check if the victim’s items have not been stolen. To do this, they say, the victim must visit a special page in Roblox and insert an ID. They then give the victim the URL for a page that is actually part of the Roblox domain and contains the following form, among other things.

This page is part of the Roblox API documentation and is used by developers to test the API. While talking with the victim, the scammer creates a trade request that, if accepted, would transfer all the victim’s items to the scammer. The scammer then sends this ID to the victim and instructs him to insert the ID in the form and click “Try it out.” This will cause the user to accept a trade with the specified ID and transfer all their items and Robux to the scammer.

**HAR file method** 

The scammer offers to create a free GFX (a 3-D, realistic version of the victim’s avatar) under the pretext that they are learning to do this and could use the practice. If the victim accepts, the scammer says they need a file to complete the development and gives the victim a tutorial or video explaining how to obtain the file. The tutorial requests that the victim open their browser developer tools and save the network request as a HAR file, as shown below.

Once saved, the victim is instructed to send it to the scammer. This file contains the session ID of the victim, which allows the scammer to use the platform logged into the victim’s account and steal all items and Robux.

**Double trade** 

The scammer approaches the victim proposing two trades. One trade is good for the scammer and one is good for the victim. The victim comes out with a clear advantage from this trade. The scammer puts the condition that the victim either accepts both trades or rejects both trades. However, while they chat, the scammer removes some Robux from their account, making the trade that favors the victim fail for lack of Robux in the attacker's account. When the victim accepts both trades, only the bad trade goes through, making it a bad deal for the victim.

**Malware installation** 

This method is as simple as requesting the victim to install some software or a browser extension as a way to receive free Robux or to help the scammer perform some development that is of interest to the victim. The installed software is malware, designed to steal the victim’s session ID, which allows the scammer to use the platform logged in to the victim’s account and steal all items and Robux.

**5 ways to avoid being scammed**

Knowing the common scams is an important step in using the platform safely. The following recommendations help players not fall into scams:

*   **If it seems too good to be true, it is:** This is probably the most important recommendation. If a stranger or a website is claiming to offer free currency or free items, it is almost certainly a scam.
*   **Don't open links or download files sent by unknown sources:** These links can be phishing or malware delivery lures. If you don't know the other player, it’s generally a good idea to not open the link.
*   **Be suspicious of requests to perform unusual actions**: Some scams rely on the user performing more or less technical actions. These are a good indicator that it may be a scam. For example:
    *   Copy-pasting into the browser address bar.
    *   Creating and clicking in bookmarks.
    *   Opening browser developer tools.
*   **Be suspicious of unusual trades**: When trading some attention to some red flags, such as:
    *   Trades that are conducted outside the platform.
    *   Trades where the trader creates unusual rules such as double trades.
    *   Requests to perform actions on the web browser during a trade negotiation, such as using the API form.
*   **Use the platform’s built-in security features**: Roblox takes security seriously and provides security guides and several features to increase security. For example:
    *   Enable multi-factor authentication.
    *   Configure account privacy.
    *   Configure who, if anyone, can trade with the player.
    *   Configure the trade quality filter to help avoid suspicious trades.
    *   Enable a mandatory PIN to change settings.
    *   Exploring and using these can help better protect minors. The following links contain additional information and guidance:

https://corporate.roblox.com/parents/ 

https://en.help.roblox.com/hc/en-us/articles/203313380-Keep-Your-Account-Safe

Attackers use JavaScript URLs, API forms and more to scam users in popular online game “Roblox”

Since April 2022, Cisco Talos has been tracking a malicious campaign operated by the espionage-motivated Arid Viper advanced persistent threat (APT) group targeting Arabic-speaking Android users.

Arid Viper disguising mobile spyware as updates for non-malicious Android applications

New YoroTrooper research, the latest on the Cisco IOS vulnerability, and more.

Thursday, October 26, 2023 14:10

Coming from the newspaper and media industry, I’m no stranger to wanting to write catchy headlines. I’m certainly at fault for throwing together a story about so-and-sos house sold for X million dollars.  

But recently I’ve been wondering if those “big numbers” for cybersecurity are helpful at all, even though they might generate clicks to a news organization. 

I saw several media outlets had reported on a new estimate from commercial insurance market Lloyd's of London that a cyber attack on any international global payments systems could cost $3.5 trillion globally, hurting many major world economies. 

At face value, that seems bad, and it’s a number that’s sure to come up with board rooms or any place decision-makers meet to discuss cybersecurity. 

It likely catches the eye of readers at home who are skimming newspaper headlines (if you’re like my dad and one of the last people who still reads physical newspapers).  

But what use is actually throwing these types of numbers out there? It reminds me of the discussion around climate change or any other problem that seems larger than life. I tend to not dwell on the worst-case scenario reports that always come out and make headlines because I feel these have a tendency to make people feel defeated — like there is no purpose in trying to make a difference because the problem is so overwhelming that one individual contribution won’t matter anyway, so then we all sit by and do nothing. 

If every time there is a major cyber attack, and we shame the targeted company by pointing out how many millions of dollars they lost, it’s just another form of public shaming that I’ve written about before that can lead to a stigma around disclosing cyber attacks. 

That Lloyd’s of London report is far from the first of its kind, these kinds of numbers pop up all the time, especially at the end of the calendar year when outlets want to write stories about how much cyber attacks cost consumers that year (there were estimates ranging from $7 billion to $10 billion in 2022). 

To me, numbers like this only contribute to fear, uncertainty and doubt (FUD) in the cybersecurity space. A small business owner who sees cybersecurity as a trillion-dollar problem to be solved by world governments isn’t going to see implementing a better password on their store’s wireless router as anything that’s going to help, because the global economy is in a bad place anyway if one day everyone’s point-of-sale systems go down at once. 

I’m sure many of these reports and estimates are created in good faith by experts who know what they’re talking about, and on a grand scale, yes, it’s important to know how serious of a problem this is for everyone, no matter where you live in the world. 

But I think we’d all be better served spending time talking about ways to get easy cybersecurity wins rather than losing sleep over a global hack that may or may not ever happen. 

**The one big thing **

New Talos research shows that the YoroTrooper threat actor is likely operating out of Kazakhstan. Our latest blog post on this group outlines how they’re still expanding their spam operations and using Azerbaijan-related false flags to throw researchers off their scent. The threat actor also uses online exchanges, such as alfachange\[.\]com, which converts money from Kazakhstani Tenge to Bitcoin via their Visa and Mastercard cards. 

**Why do I care? **

YoroTrooper’s targeting appears to be focused on Commonwealth of Independent States (CIS) countries, and the operators have compromised multiple state-owned websites and accounts belonging to government officials of these countries between May and August 2023. Any organization that falls into that category should certainly be on the lookout, but since this actor has continued to operate for so long, it’s impossible to say where they’d pivot next. Talos believes that, in addition to commodity and custom malware, YoroTrooper continues to rely heavily on phishing emails that direct victims to credential harvesting sites. 

**So now what? **

Talos has an exhaustive list of new indicators of compromise that you can run against your network to check for any YoroTrooper activity. A new round of Snort rules and ClamAV signatures can also detect this activity, along with the many information-stealing malware that YoroTrooper tends to use in its campaigns.  

**Top security headlines of the week **

**AI tools like ChatGPT are getting increasingly good at writing malicious code and spam emails, two new studies found.** An internal study at IBM found that employees who were targeted with ChatGPT-written spam emails were just as likely to click on them as ones written by humans. The leader of the experiment said it only took her team about five minutes to get ChatGPT to write the spam email in question, despite workarounds in place to keep users from exploiting the chat bot for these types of uses. A separate study at the University of Sheffield released last week also found that, by asking ChatGPT and other AI applications for a certain series of prompts, they produced malicious code. When executed, that code would leak confidential database information, interrupt a database's normal service, or destroy it. That study specifically focused on Text-to-SQL systems, which is AI that allows users to search databases by asking questions in plain language. (Axios, TechXplore) 

**The alleged leader of the Ragnar Locker ransomware gang was arrested in Paris earlier this month.** Eleven law enforcement agencies teamed up to find the suspected developer and take down infrastructure associated with Ragnar Locker. Five additional suspects were interviewed in Spain and Latvia. Authorities seized the group’s leak site, as well, posting a takedown notice for victims, though no resources appear to be available yet for anyone looking to negotiate with the attackers or who are currently infected with Ragnar Locker. Ragnar Locker has been active since 2019, targeting the energy sector, hospitals, airports, and more. It utilized double extortion tactics, threatening to leak any stolen data if the ransom isn’t paid. For example, this resulted in the reveal of several video games under development by Capcom. (Dark Reading, CPO Magazine) 

**Attackers breached the network of software firm Okta, stealing access tokens and sitting on the company’s customer support platform for at least two weeks.** Okta said the attack only affected a few customers, but password management service 1Password said this week it was the target of a follow-on attack using the stolen tokens. However, 1Password said no customer login information was affected. Okta provides identity and login tools like multi-factor authentication and single sign-on to major companies across the globe. The disclosure from Okta came weeks after major cyber attacks on MGM Resorts and Caesar’s Entertainment, in which adversaries tricked Okta multi-factor authentication administrators into resetting requirements, which provided them easier access to the targeted networks at those casinos and hotels. (Krebs on Security, Ars Technica) 

**Can’t get enough Talos? **

*   Active exploitation of Cisco IOS XE Software Web Management User Interface vulnerabilities 
*   Attacks on web applications spike in third quarter, new Talos IR data shows 
*   The Need to Know: What is cracktivator software? 
*   9 vulnerabilities found in VPN software, including 1 critical issue that could lead to remote code execution 
*   Talos Takes Ep. #159: What happens when you actually click the "report spam" button?  

**Upcoming events where you can find Talos **

**Black Hat Middle East and Africa** **(Nov. 16)** 

Riyadh, Saudi Arabia 

> _Rami Atalhi from Talos Incident Response will discuss how generative AI affects red and blue teams in cybersecurity. Discover how generative AI creates a bridge between these teams, fostering teamwork and innovative strategies. Real-world cases will demonstrate how generative AI drives success, providing insights for building resilient cybersecurity plans._ 

**misecCON** **(Nov. 17)** 

Lansing, Michigan 

> _Terryn Valikodath from Talos Incident Response will deliver a talk providing advice on the best ways to conduct analysis, learning from his years of experience (and mishaps). He will speak about the everyday tasks he and his Talos IR teammates must go through to properly perform analysis. This talk covers topics such as planning, finding evil, recording findings, correlation and creating your own timelines._ 

**Most prevalent malware files from Talos telemetry over the past week **

**SHA 256:** b9ddbd1a4cec61e6b022a275d66312b5b676f9a0a9537a7708de9aa8ce34de59   
**MD5:** 3b100bdcd61bb1da816cd7eaf9ef13ba   
**Typical Filename:** vt-upload-C6In1   
**Claimed Product:** N/A    
**Detection Name:** Backdoor:KillAV-tpd 

**SHA 256:** 85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5   
**MD5:** 8c80dd97c37525927c1e549cb59bcbf3     
**Typical Filename:** Eternalblue-2.2.0.exe     
**Claimed Product:** N/A     
**Detection Name:** Win.Exploit.Shadowbrokers::5A5226262.auto.talos 

**SHA 256:** e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934    
**MD5:** 93fefc3e88ffb78abb36365fa5cf857c    
**VirusTotal:** Typical Filename: Wextract    
**Claimed Product:** Internet Explorer    
**Detection Name:** PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg 

**SHA 256:** 744c5a6489370567fd8290f5ece7f2bff018f10d04ccf5b37b070e8ab99b3241   
**MD5:** a5e26a50bf48f2426b15b38e5894b189   
**Typical Filename:** a5e26a50bf48f2426b15b38e5894b189.vir   
**Claimed Product:** N/A   
**Detection Name:** Win.Dropper.Generic::1201 

**SHA 256: 1fa0222e5ae2b891fa9c2dad1f63a9b26901d825dc6d6b9dcc6258a985f4f9ab**   
**MD5:** 4c648967aeac81b18b53a3cb357120f4   
**Typical Filename:** yypnexwqivdpvdeakbmmd.exe   
**Claimed Product:** N/A    
**Detection Name:** Win.Dropper.Scar::1201

How helpful are estimates about how much cyber attacks cost?

Attackers could exploit these vulnerabilities in the SoftEther VPN solution for individual and enterprise users to force users to drop their connections or execute arbitrary code on the targeted machine.

Wednesday, October 25, 2023 12:10

Cisco Talos has disclosed 17 vulnerabilities over the past two weeks, including nine that exist in a popular VPN software.  

Attackers could exploit these vulnerabilities in the SoftEther VPN solution for individual and enterprise users to force users to drop their connections or execute arbitrary code on the targeted machine.  

Talos’ Vulnerability Research team also found a cross-site scripting (XSS) vulnerability in the Peplink Surf series of home and wireless routers that could allow an attacker to manipulate HTML elements into executing arbitrary JavaScript. However, this vulnerability is not considered to be particularly serious, with a CVSS severity score of only 3.4 out of 10. 

For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website.  

**SoftEther VPN client **

_Discovered by Lilith >\_>._ 

The SoftEther VPN client contains multiple vulnerabilities that could lead to a variety of conditions, including allowing an adversary to cause a denial of service or execute arbitrary code on the targeted machine. SoftEther is an open-source, cross-platform, multi-protocol VPN managed as part of an academic project at the University of Tsukuba in Japan. 

Four of the vulnerabilities Talos disclosed last week exist when an adversary sends a specific set of packets to the targeted device, and can cause the software to crash entirely, leading to a denial of service: 

*   TALOS-2023-1736 (CVE-2023-22325) 
*   TALOS-2023-1741 (CVE-2023-23581) 
*   TALOS-2023-1737 (CVE-2023-22308) 
*   TALOS-2023-1743 (CVE-2023-25774) 

The most serious of these issues is TALOS-2023-1735 (CVE-2023-27395), a vulnerability in the VPN that could lead to a heap-based buffer overflow, potentially allowing an attacker to execute arbitrary code. This vulnerability is considered critical, with a CVSS score of 9.0 out of 10.  

Two other vulnerabilities — TALOS-2023-1755 (CVE-2023-32634) and TALOS-2023-1754 (CVE-2023-27516) — could allow an adversary to gain unauthorized access to the VPN session by viewing the default RPC server credentials. This opens the door for the attackers to install certificates and carry out man-in-the-middle attacks or dump the VPN’s authentication settings and further compromise the endpoint connected to the VPN session. 

A man-in-the-middle attack could also be used to exploit TALOS-2023-1768 (CVE-2023-31192) and TALOS-2023-1753 (CVE-2023-32275), which leads to the disclosure of sensitive information in certain packets. 

**JustSystems Ichitaro word processor remote code execution vulnerabilities **

_Discovered by a Cisco Talos researcher._ 

Talos researchers recently found four vulnerabilities in the JustSystems Ichitaro word processor that could lead to arbitrary code execution, albeit with varying paths. 

Ichitaro is one of the most popular word processing systems in the Japanese market and utilizes the ATOK input method. An adversary could exploit these vulnerabilities by tricking the targeted user into opening a specially crafted, malicious file in the program. 

The vulnerabilities all exist in various parsers in the software: 

*   TALOS-2023-1758 (CVE-2023-34366) 
*   TALOS-2023-1808 (CVE-2023-38127) 
*   TALOS-2023-1809 (CVE-2023-38128) 
*   TALOS-2023-1825 (CVE-2023-35126) 

**XSS, command injection vulnerabilities in SOHO router **

_Discovered by Matt Wiseman._ 

A stored cross-site scripting vulnerability exists in the Peplink Surf line of small and home office (SOHO) wireless routers that can lead to the execution of arbitrary JavaScript in another user’s browser. 

An attacker could trigger TALOS-2023-1781 (CVE-2023-34354) or TALOS-2023-1782 (CVE-2023-35194 and CVE-2023-35193) by making an authenticated HTTP request. 

The Surf routers also contain three vulnerabilities that could allow an attacker to execute arbitrary commands in the context of the router’s operating system. To exploit TALOS-2023-1778 (CVE-2023-34356), TALOS-2023-1779 (CVE-2023-28381) and TALOS-2023-1780 (CVE-2023-27380), an attacker first needs to be authenticated on the device and then make a specially crafted HTTP request.

9 vulnerabilities found in VPN software, including 1 critical issue that could lead to remote code execution

Cisco Talos assesses with high confidence that YoroTrooper, an espionage-focused threat actor first active in June 2022, likely consists of individuals from Kazakhstan based on their use of Kazakh currency and fluency in Kazakh and Russian.

Source

TALOS