RA Group also introduces a new wrinkle to double extortion attacks: the threat that it will sell the data on the dark web. Double extortion tactics are known for leaking stolen data, but the sale is a potentially new gambit.

Wednesday, June 14, 2023 08:06

It is no longer enough for ransomware actors to encrypt targets’ files, ask for money, and get out.

Over the past several years, these groups are increasingly relying on “double extortion” tactics to try and coax their victims into paying the requested ransom, or else they will leak stolen data to the internet.

In double extortion ransomware attacks, actors perform traditional ransomware actions of encrypting files and folders on a target’s machine. They leave behind a ransom note asking for a certain amount of money, in exchange for a decryption key that can return the target’s network and hardware back to normal working order.

Of course, there is never any guarantee that this decryption key will work appropriately, so Talos recommends several other ransomware mitigation methods to ensure backups are in place to help an organization recover quickly if they are hit with a ransomware attack.

Actors who use double extortion take this a step further, threatening to leak the target’s data to the public and on the dark web if the ransom is not paid. For some organizations, this puts troves of potentially sensitive data at risk of becoming public information, such as personally identifiable information (PII) or financial information that other bad actors may use in follow-on attacks or to steal someone’s identity.

**What is the end goal of double extortion attacks?**

Ransomware actors hope that by adding on the extra layer of pressure, it makes victims more likely to pay the requested ransom rather than trying to recover on their own.

Any data leaks could lead to legal troubles for the targeted organization, poor public relations and a loss of customer trust.

At the end of the day, ransomware groups are motivated by money. They will do whatever they can to make it more likely for the victim to pay up.

These groups are also increasingly embracing communication with victims to potentially negotiate payment and provide additional pressure on o the victim. Nick Biasini, the head of Talos Outreach, recently discussed these tactics in an episode of Talos Takes, where he summed up ransomware groups’ motivations by saying, “You can’t get a payday if you can’t start a conversation...once they have communication, they know they have a victim who’s potentially ready to play ball.”

**Notable example: RA Group**

RA Group, a new ransomware actor Cisco Talos recently discovered, explicitly uses double extortion tactics. It runs an actor-controlled website where it posts a list of possible victims and publicly threatens to publish the data it steals from targets.

RA Group claims to include the organization’s name, a list of stolen data and the file sizes of the data it stole and the URL of the website belonging to the victim organization. The ransom notes the actor leaves behind are customized for the victim and are told they have three days to pay the requested ransom or they risk all the stolen data being made public.

When the three-day mark is reached, RA Group says it will publish “sample files” to prove the legitimacy of its claims. The leak site states that “we will publish documents regularly and all documents will be released within one year.”

RA Group also introduces a new wrinkle to double extortion attacks: the threat that it will sell the data on the dark web. Double extortion tactics are known for leaking stolen data, but the sale is a potentially new gambit.

The group’s leak site is one of the first examples Talos has seen where it publicly threatens to sell the data to other bad actors during that one-year window. It explicitly tells anyone interested in purchasing the data to contact RA Group via qTox, an encrypted instant messaging platform.

This is potentially a new development in the ransomware landscape and a new way for threat actors to generate revenue from a successful attack.

Talos has researched several other threat actors who started using double extortion methods over the past three years, including UNC2447, Vice Society and Silence Group.

**Prevention**

To defend against double-extortion ransomware attacks, users and organizations should follow the classic advice for avoiding ransomware:

*   Using multi-factor authentication protocols such as Cisco Duo can prevent credential stealing, which often provides threat actors with an initial foothold on the targeted system.

*   Cisco Secure Endpoint and other Cisco Secure offerings provide many layers of protection to make any network more resilient. Cisco Secure and Talos have multiple engines, such as Snort, to detect and prevent initial infection, reconnaissance, lateral movement and file encryption.
*   Incident Response playbooks and plans can help all organizations prepare for a ransomware attack and outlines steps to take in the event of an attack. Cisco Talos Incident Response can assist in the creation and updating of these documents.
*   Perform frequent backups of all systems and important files, and verify those backups are stored in a secure, yet accessible, place. Targets of ransomware can restore operations quickly by restoring from a previous state using backups.
*   Provide cybersecurity training to all employees and users to ensure they’re aware of the dangers of various social engineering tactics and common attack vectors for threat actors.
*   For additional advice and information, refer to the U.S. Cybersecurity and Infrastructure Security Agency’s (CISA) Stop Ransomware website.

What does it mean when ransomware actors use “double extortion” tactics?

Microsoft disclosed these issues and patched them as part of June’s monthly security release for the company.

Tuesday, June 13, 2023 15:06

Cisco Talos recently discovered two vulnerabilities in the Microsoft Excel spreadsheet management software that could allow a malicious actor to execute arbitrary code on the targeted machine.

Microsoft disclosed these issues and patched them as part of June’s monthly security release for the company.

One of the vulnerabilities, TALOS-2023-1730 (CVE-2023-32029), exists in the FreePhisxdb function of Excel. An attacker could exploit this vulnerability by tricking the targeted user into opening a specially crafted file. Then, they can manipulate the heap to gain the ability to execute arbitrary code.

TALOS-2023-1734 (CVE-2023-33133) works similarly, but in this case, causes an out-of-bounds read that turns into an out-of-bounds write, which in turn, could lead to memory corruption and, finally, arbitrary code execution.

Microsoft noted that although these vulnerabilities are listed as “remote code execution,” the attack itself is carried out locally. Both vulnerabilities have a CVSS severity score of 7.8 out of 10 and are considered to be “less likely” to be exploited, according to Microsoft.

Cisco Talos worked with Microsoft to ensure that these issues are resolved and an update is available for affected customers, all in adherence to Cisco’s vulnerability disclosure policy.

Users are encouraged to update these affected products as soon as possible: Microsoft Office Excel 2019 Plus, version 16.0.16130.20218. Talos tested and confirmed this version of Excel could be exploited by these vulnerabilities.

The following Snort rules will detect exploitation attempts against these vulnerabilities: 61503, 61504, 61574 and 61575. Additional rules may be released in the future and current rules are subject to change, pending additional vulnerability information. For the most current rule information, please refer to your Cisco Secure Firewall or Snort.org.

Two remote code execution vulnerabilities disclosed in Microsoft Excel

For the first time in four months, none of the vulnerabilities Microsoft disclosed this Patch Tuesday have been exploited in the wild.

Tuesday, June 13, 2023 14:06

Microsoft released its monthly security update Tuesday, disclosing 69 vulnerabilities across its suite of products and software. Five of these vulnerabilities are considered to be critical, 45 of them are listed as being high severity, 17 of them are medium severity and two are of low severity.

For the first time in four months, none of the vulnerabilities Microsoft disclosed this Patch Tuesday have been exploited in the wild. June is also closer to an average month for Microsoft’s security update after only disclosing 40 vulnerabilities last month, which was nearly a three-year low.

Cisco Talos discovered two vulnerabilities in Microsoft Excel that the company patched Tuesday. These are important-severity remote code execution vulnerabilities that are triggered if the targeted user opens an attacker-created file.

Three critical vulnerabilities — CVE-2023-29363, CVE-2023-32014 and CVE-2023-32015 — in the Windows Pragmatic General Multicast (PGM) server environment with a severity score of 9.8 could lead to remote code execution. In a Windows Pragmatic General Multicast (PGM)  server environment where the Windows message queuing service is running, an attacker could send a specially crafted file over the network to achieve remote code execution and attempt to trigger malicious code. Microsoft has advised users to refer to a setting, standard configuration, or general best practice existing in a default state that could reduce the severity of exploitation of this vulnerability.

CVE-2023-29357 is an elevation of privilege vulnerability in Microsoft SharePoint Server that also has a severity score of 9.8. An attacker who successfully exploits this vulnerability could gain administrator-level privileges. They could have access to spoof the JSON Web Token \[JWT\] authentication tokens and use them to execute a network attack that bypasses the authentication and allows them to gain access to the privileges of an authenticated user. The attacker requires no user interaction to exploit this vulnerability. Microsoft has advised that customers should apply all updates offered for the SharePoint Enterprise server. On-premises customers can enable the AMSI feature, which protects them from this vulnerability.

Talos would also like to highlight a few high-severity vulnerabilities that Microsoft considers “more likely” to be exploited.

A high-severity remote code execution vulnerability, CVE-2023-28310, exists in Microsoft Exchange Server. An authenticated attacker on the same intranet as the Exchange Server can achieve remote code execution via a PowerShell remote session.

CVE-2023-29358, an elevation of privilege vulnerability in the Windows graphics device interface (GDI), is a use-after-free vulnerability in the Win32k kernel driver. An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.

CVE-2023-29361 could also allow an attacker to gain SYSTEM privileges if they exploit a use-after-free issue in the Windows Cloud Files Mini Filter Driver.

Microsoft Exchange server contains a high-severity remote code execution vulnerability, CVE-2023-32031, with a severity score of 8.8. An attacker successfully exploiting this vulnerability could target the server accounts in an arbitrary or remote code execution. As an authenticated user, the attacker could attempt to trigger malicious code in the context of the server's account through a network call.

Another elevation of privilege vulnerability, though only considered "important," CVE-2023-29371, exists in the Windows Win32k kernel driver. An attacker could modify a curve without updating the cCurves values, which leads to an out-of-bounds write in win32kfull when the curves’ edges get processed, ultimately giving them system privileges.

One medium-severity worth noting is CVE-2023-29352, a security feature bypass vulnerability in Windows Remote Desktop. An attacker who successfully exploited this vulnerability could bypass certificate validation during a remote desktop connection by creating a validly signed “.RDP” file to bypass warning prompts when executed.

A complete list of all the vulnerabilities Microsoft disclosed this month is available on its update page.

In response to these vulnerability disclosures, Talos is releasing a new Snort rule set that detects attempts to exploit some of them. Please note that additional rules may be released at a future date, and current rules are subject to change pending additional information. Cisco Secure Firewall customers should use the latest update to their rule set by updating their SRU. Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

The rules included in this release that protect against the exploitation of many of these vulnerabilities are 61907 - 61911, 61915, 61916, 61933  - 61935 and 61937 - 61939. The Snort 3 rules released for these vulnerabilities are 300592, 300593, 300595 and 300600.

Microsoft discloses 5 critical vulnerabilities in June's Patch Tuesday, no zero-days

As a result of user applications increasingly registering actual “.zip” files as URLs, these filenames may trigger unintended DNS queries or web requests, thereby revealing possibly sensitive or internal company data in a file’s name to any actor monitoring the associated DNS server

Tuesday, June 13, 2023 08:06

*   Google’s recent offering of the “.zip” top-level domain (TLD) has led security researchers and likely threat actors to register numerous domains for red teaming and phishing attacks, respectively, causing new challenges for organizations and cybersecurity professionals.
*   As a result of user applications increasingly registering actual “.zip” files as URLs, these filenames may trigger unintended DNS queries or web requests, thereby revealing possibly sensitive or internal company data in a file’s name to any actor monitoring the associated DNS server.
*   Leaked filenames can be extremely valuable to advanced adversaries who may use this information in a variety of ways, including in lures masquerading as internal company documents and archives for social engineering and infecting targets.

**Top-level domains and file extensions**

As a result of Google’s announced sale of new TLDs that are also popular file extension formats, there is an increased risk with the deployment of the “.zip” domain that threat actors will develop new vectors for compromising victims. In early May 2023, Google released eight new TLDs, marketing the “.zip” domain as a way of letting an audience know that a domain’s owner is “fast, efficient, and ready to move.” However, the move presents serious concern that domains using the “.zip” filename format could be confused with legitimate filenames, and vice versa, compounding the problem of users recognizing potential phishing attempts.

_Google Domains page_ _for the new “.zip” TLD showing prices to acquire a new domain._

In a very short period of time, the general availability of the “.zip” TLD has led to a suspiciously high volume of domains being registered that resemble a wide variety of internal company filenames. Owning and controlling these domains can benefit attackers by leaking filenames via automatic DNS resolutions or using these domains as launch points for potential exploits and malware artifacts. Cisco’s Umbrella telemetry and open-source research indicate that many of these domains may be used for malicious attacks in the future.

Aggregate data for new domains registered under the TLDs offered by Google since May 3, 2023, shows that “.zip” is the most popular extension by a large margin:

_Domaintools statistics_ _of new domains registered for each new TLD offered by Google since May 3, 2023, show the “.zip” TLD outpacing all others._

The significantly greater popularity of the “.zip” TLD is likely due to the fact that “.zip” is a common file format used in phishing attacks and malware delivery. Security researchers have already highlighted several recently registered “.zip” TLDs with domain names commonly used in phishing attacks:

_A_ _list of domains_ _likely registered by security researchers or possible threat actors, likely with the intention to use as phishing domains._

_Security research group VX-Underground_ _showing an example_ _of a domain that can be used for phishing._

**How URLs based on filenames can leak information**

Talos assesses that domains employing “.zip” and similar TLDs increase the likelihood of sensitive information disclosures through unintended DNS queries or web requests. With the availability of the new “.zip” TLDs, messaging applications like Telegram or internet browsers began reading strings ending in “.zip” as URLs and automatically hyperlinking them. This is especially problematic in chat applications, which sometimes trigger a DNS or web request to show a thumbnail of the linked page. For example, the following chat application changed what was meant to be the name of a file “update\[.\]exe\[.\]zip” to a hyperlink pointing to the URL “https\[://\]update.exe\[.\]zip”:

_Chat application changing a filename to a URL._

In this case, even mentioning a valid filename in a chat could trigger a DNS lookup and leak internal filenames to whoever controls that domain’s DNS server. In other cases, if the user searches for a “.zip” file that doesn’t exist in Windows Explorer, the application will search online for the file and may reach the domain instead.

_Researcher_ _disclosing an issue with Windows Explorer_ _opening “.zip” files as a URL._

In an information leak scenario, a malicious user in control of a “.zip” domain’s DNS server filters requests by the network of the companies they’re targeting and collects internal filenames, providing possible leverage during an actual attack. MITRE even describes some of these activities in the ATT&CK Framework as part of the Reconnaissance Tactics, like T1589 and T1591, which describe techniques to gather information about a target user and the corporation itself.

**Observations in the wild**

When Google announced its offering in early May 2023, Talos began monitoring telemetry data for occurrences of “.zip” usage in URLs. We observed a wealth of filenames being queried against various “.zip” domain names containing all kinds of information. For example, Cisco Umbrella DNS data reveals many filenames that could indicate phishing attempts, like the domain “secure-access-4a907q5xsg5q5354\[.\]fbmsg\[.\]xyz\[.\]zip”, as well as many file names similar to the ones used in malware campaigns (e.g., “report\_<random\_numbers>\[.\]pdf\[.\]zip”).

_Snippet of Cisco Umbrella DNS data showing queries for “.zip” domains in a 24-hour period._

Our data shows occurrences of real filename resolutions containing potentially internal and sensitive information, such as project names, personally identifiable information (PII), geography and order or contract names and numbers – basically anything that can be used in an effective lure by threat actors in a future attack, judging from DNS query data.

Filename

Possible information leaked 

Expressvpn\_windows\_12.49.0.4\_release.\*\*\*.zip

Old versions of applications in use inside the corporate network

Hsbc\_tradinghub\_equity\_orders\_20230511.\*\*\*.zip

Potential business relationships

Sx\_corporateaction\_id000xxxxxxx\_0.\*\*\*.zip

Employee/User ID

Djsb\_labour\_market\_data\_-\_employment\_data\_summary\_sa4\_2018.\*\*\*.zip

Corporate information

fitbitcofceva\_000xxxxxxx\_20230303\_xxxxxxxxxx.\*\*\*.zip

Personal user identification information

Examples of filenames found in DNS query data. Some information has been obfuscated to avoid showing potential identifying information.

**What users can do**

Many cybersecurity professionals currently recommend that companies completely block “.zip” domains at their firewalls. Although this tactic may be currently sufficient since the usage of the “.zip” TLD is not yet widespread, that may not be the case in the future. As more companies begin adopting “.zip” domains, blocking an entire TLD would not be feasible. In any case, SOC operators will need to be aware of the risks of information leaks and phishing attempts using these domains and will have to adapt their tools to monitor for such events.

Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here. Cisco’s Umbrella customers may use wildcards in destination lists to block the “.zip” TLD and open specific domains on a case-by-case situation depending on their users' needs. More information about this can be found in Umbrella documentation.

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.  
The following Snort SIDs are applicable to this threat: **61861 - 61864.**

".Zip" top-level domains draw potential for information leaks

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between June 2 and June 9. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key

Threat Roundup for June 2 to June 9

YouTube released a statement that “we will stop removing content that advances false claims that widespread fraud, errors, or glitches occurred in the 2020 and other past US Presidential elections.”

Thursday, June 8, 2023 14:06

Welcome to this week’s edition of the Threat Source newsletter.

In the wake of the 2016 and 2020 presidential elections, it seemed like big tech companies were taking the fight against disinformation seriously. Social media outlets set up new fact-checking procedures and got more aggressive about banning or blocking pages and profiles that spread disinformation around elections.

Now I’m worried we’re already moving backward with another presidential election just around the corner (somehow).

In November, Twitter laid off a huge swath of its staff that heavily affected the teams tasked with keeping misinformation and fake news off the platform. Google reportedly laid off several experts on the matter at YouTube, leaving only one person solely in charge of the platform’s misinformation policy worldwide.

Then last week, YouTube announced it was changing its policy on removing videos that spread misinformation about the results of the 2020 election. Politicians and online personalities have repeatedly tried to spread lies that the presidential election that year was rigged in favor of U.S. President Joe Biden, despite there not being any concrete evidence of voter fraud. The former administration was also doing plenty to sow distrust around mail-in ballots prior to the election.

YouTube’s misinformation policies states that it reserves the right to remove any content from the platform that is “Content advancing false claims that widespread fraud, errors, or glitches occurred in certain past elections to determine heads of government.”

It specifically lists the 2021 German federal election and the 2014, 2018, and 2022 Brazilian Presidential elections as examples of where they are looking for this type of content. Weirdly, the U.S. presidential elections aren’t named anywhere, and instead, YouTube released a statement that “we will stop removing content that advances false claims that widespread fraud, errors, or glitches occurred in the 2020 and other past US Presidential elections.”

The company said that “In the current environment, we find that while removing this content does curb some misinformation, it could also have the unintended effect of curtailing political speech without meaningfully reducing the risk of violence or other real-world harm.”

These types of reversals are likely the result of a few things — companies are currently cutting the sizes of their workforce after staffing up during the COVID-19 pandemic, and these misinformation-fighting teams seem like an easy line item to cut now that we’re three years removed from the 2020 election. It also seems like these false claims around the election have largely “blown over” among the general public, so there is not nearly as much pressure on these outlets to enforce these rules as there may have been in the immediate aftermath of the attempted insurrection on the U.S. Capitol in January 2021.

This sets up history to repeat itself during the 2024 election cycle. People start spreading lies and sowing doubt about the outcome of the election before any ballots are even cast, we all get upset and pressure these companies into doing something, and then a few years later when no one is looking, they can make cuts in these areas.

As Talos has written about previously, there are several facets to disinformation campaigns. There is no one-size-fits-all solution that will just make our fake news problem go away. But giving up on many of those solutions just a few years into trying them is not the answer, either.

**The one big thing**

Cisco Talos Incident Response is reporting increased attacks utilizing stolen vendor or other third-party account credentials. These are accounts created for third-party workforce members – employees of external partner organizations that maintain physical or virtual access to an organization’s environment. Attackers are stealing these login credentials to carry out software supply chain attacks and quietly sitting on targeted networks, which can often be overlooked when major supply chain attacks involving phony updates dominate the headlines.

**Why do I care?**

These accounts are frequently leveraged for initial access and then used to move laterally through the organization’s network, especially when the victim hasn’t deployed multi-factor authentication (MFA). Since VCAs are usually given elevated permissions, theft of these credentials will often result in widespread damage to victim assets and could even be used to move along the initial victim’s supply chain. Any organization that works with an outside third party for things from software to support is at risk of falling victim to this type of threat.

**So now what?**

Talos’ blog outlines several steps organizations can take to protect against the worst-case scenario. One of the easiest steps an IT or infosec team can take to protect their VCAs is to disable them when they’re not needed. Or adopt the principle of least privilege across the network for all accounts, whether they’re a vendor or not.

**Top security headlines of the week**

Threat actors are **actively exploiting a zero-day exploit in Progress Software's MOVEit Transfer app** to steal data from a wide range of companies and organizations, including the government of Nova Scotia and British Airways. Microsoft reported that the attacks can be attributed to the CLOP ransomware group, along with follow-on attacks that are the result of the attackers infiltrating Zellis, a U.K. payroll company. The MOVEit vulnerability, CVE-2023-34362, could allow an attacker to gain access to the software’s database, and then infer information about the structure of said database and execute SQL statements that could alter the database or delete information. Progress issued a patch for the vulnerability last week but said it had been exploited as early as May. Staff at the affected companies have been warned that personal data could be at risk, including U.K. national insurance numbers and bank account details. (Dark Reading, BBC)

**Google released an emergency patch for its Chrome web browser to fix a high-severity zero-day vulnerability.** As of Tuesday afternoon, only limited details about CVE-2023-3079 were available. Google says it’s a type confusion vulnerability in the V8 JavaScript engine that Chrome and other Chromium-based browsers like Microsoft Edge use. Google’s Threat Analysis Group said that a commercial spyware vendor has already leveraged the vulnerability. This is the third zero-day vulnerability Google has disclosed in Chrome this year. (SecurityWeek, PCMag)

**Microsoft Outlook’s mobile app and web app experienced intermittent outages on Monday and Tuesday,** with a hacktivist claiming responsibility for a distributed denial-of-service attack. Microsoft said the issue stemmed from technical errors in the product, but a group known as Anonymous Sudan says it was behind the disruptions, claiming responsibility while saying it was protesting the U.S.’s involvement in Sudanese affairs. The group said on its Telegram channel that it would “continue to target large US companies, government and infrastructure.” Anonymous Sudan was also behind recent DDoS attacks against Swedish airline SAS and nine hospitals in Denmark. (The Register, Bleeping Computer)

**Can’t get enough Talos?**

*   Researcher Spotlight: How Joe Marshall helps defend everything from electrical grids to grain co-ops across multiple continents
*   Cybersecurity for businesses of all sizes: A blueprint for protection
*   Talos Takes Ep. #141: The Predator spyware and more "mercenary" groups
*   Horabot campaign targeted businesses for more than two years before finally being discovered
*   Horabot Campaign Targets Spanish-Speaking Users in the Americas

**Upcoming events where you can find Talos**

**Discover Cyber Workshop for Women (June 8)**

Doha, Qatar

**REcon** **(June 9 - 11)**

Montreal, Canada

**Most prevalent malware files from Talos telemetry over the past week**

  
**SHA 256:** a8a6d67140ac6cfec88b748b8057e958a825224fcc619ed95750acbd1d7a4848  
**MD5:** 8cb26e5b687cafb66e65e4fc71ec4d63  
**Typical Filename:** dattService.exe  
**Claimed Product:** Datto Service Monito  
**Detection Name:** W32.Auto:a8a6d6.in03.Talos

**SHA 256:** 5616b94f1a40b49096e2f8f78d646891b45c649473a5b67b8beddac46ad398e1  
**MD5:** 3e10a74a7613d1cae4b9749d7ec93515  
**Typical Filename:** IMG001.exe  
**Claimed Product:** N/A  
**Detection Name:** Win.Dropper.Coinminer::1201

**SHA 256:** e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934  
**MD5:** 93fefc3e88ffb78abb36365fa5cf857c  
**Typical Filename:** Wextract  
**Claimed Product:** Internet Explorer  
**Detection Name:** PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg

**SHA 256:** 59f1e69b68de4839c65b6e6d39ac7a272e2611ec1ed1bf73a4f455e2ca20eeaa  
**MD5:** df11b3105df8d7c70e7b501e210e3cc3  
**Typical Filename:** DOC001.exe  
**Claimed Product:** N/A  
**Detection Name:** Win.Worm.Coinminer::1201

**SHA 256:** 7c8e1dba5c1b84a08636d9e6f225e1e79bb346c176e0ee2ae1dfec18953a1ce2  
**MD5:** 3e0fb82ed8ea6cd7d1f1bb9dca5f2bdc  
**Typical Filename:** PDFShark.exe  
**Claimed Product:** PDFShark  
**Detection Name:** Win.Dropper.Razy::95.sbx.tg

**SHA 256:** e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c  
**MD5:** a087b2e6ec57b08c0d0750c60f96a74c  
**Typical Filename:** AAct.exe  
**Claimed Product:** N/A  
**Detection Name:** PUA.Win.Tool.Kmsauto::1201

Now’s not the time to take our foot off the gas when it comes to fighting disinformation online

The software supply chain has become a key security focus for many organizations, but the risks associated with supply chain attacks are often misunderstood.

Tuesday, June 6, 2023 08:06

*   Cisco Talos Incident Response (Talos IR) has repeatedly observed attackers targeting and using compromised vendor and contractor accounts  (VCAs) during recent emergency response engagements.
*   While high-profile software supply chain compromise events garner significant media attention (e.g., the recent disclosure of supply chain attacks via the 3CX Desktop Softphone application), abuse of third-party workforce accounts is often overlooked.
*   VCAs typically have expanded privilege and access. They may be glossed over during account audits because of increased trust placed in the third party.
*   Organizations should increase prevention and detection capabilities around VCAs.

The software supply chain has become a key security focus for many organizations, but the risks associated with supply chain attacks are often misunderstood. High-profile incidents like those reported by 3CX and MSI routinely grab headlines, continuing a trajectory of big-name security events that involve one specific aspect of the supply chain – software.

Successful software-focused supply chain attacks can give an adversary access to dozens or even hundreds of victims, but they are resource-intensive and require an extensive understanding of the target environment, the build process, and the software itself. The inherently broad scope of a software supply chain attack also eliminates the ability for adversaries to strategically target victims. Attacks with higher victim counts create increased awareness within the cybersecurity community, which means the attackers are more likely to eventually be discovered and stopped.

Other aspects of the supply chain offer greater ease of exploitation and could still result in the opportunity to pivot between victim organizations. While the industry focuses on identifying and addressing software-focused supply chain attacks, Talos IR has seen more incidents involving the abuse of compromised VCAs.

**Adversaries view vendor accounts as an attractive supply chain entry point**

VCAs are accounts created for third-party workforce members – employees of external partner organizations that maintain physical or virtual access to an organization’s environment.

VCAs are particularly attractive to adversaries before and after initial access is gained. During one investigation, Talos IR observed an adversary gaining access to an organization using a low-privilege user account, then later authenticating successfully using two other accounts: a service account used to deploy software across the organization and a third-party vendor account.

Both accounts had Domain Admin or comparable privileges. Talos IR observed that the adversary authenticated to the service account first, but the vendor account was used almost exclusively thereafter. Why?

There are a few reasons adversaries may favor VCAs over other accounts with comparable privileges.

Vendors may remotely access the environment intermittently or at unusual times, making it difficult for the information security team to establish an activity baseline for those accounts. How would an organization detect a time-of-day authentication anomaly if their contracted development team had members around the world working their own unique shifts? What about for a contractor who only connects remotely a few times a month based on their schedule? Or one that only logs in for ad hoc troubleshooting?

Geolocation anomalies can be difficult to detect as well. If the organization hires a freelance consultant who prefers the travel-and-work lifestyle, that account may be seen authenticating from many different geographic regions. Similarly, in large organizations, how easy is it to keep track of who is on vacation or is traveling for business, or who has relocated to a different area (temporarily or permanently)?

Privilege levels are another attractive aspect. VCA privileges are usually based on the vendor’s role, but these accounts usually have elevated privileges – think Domain Admin. In some cases, such as Electronic Health Record (EHR) or core banking applications, the VCA might even have access to manage systems and data that no one in the organization’s IT and infosec department shares.

Adversary activity may be camouflaged by other legitimate vendor activity. Technology vendors commonly perform tasks involving command line execution, modification of configuration files, and complex debugging and troubleshooting. Even under scrutiny, these tasks bear similarities to typical adversary activity. As evidenced by the incident mentioned previously where the adversary chose to leverage a VCA over a service account, it’s much easier to hide in the noise if you take over an account that is regularly used for system administration activities.

**Lessons learned from IR engagements involving VCAs**

Over the past several years, Talos IR has repeatedly observed adversaries abusing VCAs in different ways during incident response engagements. These accounts are frequently leveraged for initial access and then used to move laterally through the organization’s network, especially when the victim hasn’t deployed multi-factor authentication (MFA). Since VCAs are usually given elevated permissions, theft of these credentials will often result in widespread damage to victim assets and could even be used to move along the initial victim’s supply chain.

VCA credential theft doesn’t always involve compromise of a username/password set. In at least one engagement, Talos IR observed an adversary leverage a stolen public key to breach the targeted organization. This demonstrates that, although adversaries tend to focus on obtaining valid usernames and passwords, they have willingly used other authentication methods in the name of easy access. Organizations with VCAs should consider this a key takeaway – protect keys and other authentication mechanisms with the same vigilance as protecting user account credentials. All organizations should have procedures in place to rotate these keys and revoke access for keys that may have been compromised.

As previously noted, VCA abuse is often used to achieve elevated permissions and expand access. In multiple engagements, Talos IR found that adversaries gained initial access through low-privilege accounts, but quickly pivoted to using VCAs to expand access and maximize impact.

Access and impact are often correlated, as demonstrated by two ransomware incidents investigated by Talos IR. In the first incident, the adversary gained access to a public-facing web server in the context of the web server service account. Privilege escalation attempts failed, pivot attempts failed, and the effects of the ransomware were limited to a selection of web server directories on a single server. In the second incident, the adversary compromised a VCA and modified the Active Directory Default Domain Policy, so domain-connected systems executed a ransomware binary from the domain’s SYSVOL folder. The adversary used this elevated access to detonate a ransomware binary on the victim’s ESXi host, affecting multiple virtual systems in the host’s datastore. The severity of the latter incident highlights the need for strict access controls around VCAs and the potential effects if they are compromised.

**Strategies to protect against and reduce the impact of VCA abuse**

Understanding and acknowledging the level of risk your VCAs present is the first step in mitigating this threat. The challenge then becomes how to properly secure them. Fortunately, there are several strategies an organization can use to protect VCAs and mitigate the impact of a compromised VCA.

Some of the following recommendations are made with more than prevention in mind. They also enable incident responders to quickly understand the scope of which systems may be impacted by a compromised VCA, especially when your Active Directory is out of commission. It’s a good idea to audit VCAs and general user accounts, as permissions creep is all too common and problematic in an incident.

**Disable VCAs when they’re not needed**

One of the easiest steps an IT or infosec team can take to protect their VCAs is to disable them when they’re not needed. This might seem like common sense but it’s the type of activity that many organizations struggle to implement consistently, especially as vendors come and go. A dependable process should be established for vendors and contractors to access active accounts only when needed. Once this process is set up, conduct periodic audits to confirm that it is being followed.

There are limitations associated with this approach. If a vendor needs consistent access every one or two days, it’s probably not worth it to disable the account and then re-enable it multiple times per week. In situations like this, consider some of the other recommendations instead.

**Validate logging and enforce security monitoring**

Evaluate logging configurations, specifically around VCAs to ensure you have visibility into everything they do. Create alerts to identify suspicious or anomalous VCA activity. If a VCA accesses a system it shouldn’t need to access, you should know about it immediately.

**Implement least privilege access**

Effective access control is a common challenge in enterprise environments, and VCAs are no exception. Think about this concept in the context of physical security. If an HVAC vendor enters a high-security facility to perform maintenance, they won’t be allowed to roam around, peering in office windows and rattling door knobs. They’ll be given direct access to the specific set of rooms they need to do their job and nothing more. The same restrictions should apply for VCAs. Limit what they can access at the network or application layer. If they are supporting a specific application or product, only allow them to access those applications on the systems and ports you would expect.

Taking this concept a step further, isolate VCAs as much as possible via your network and security architecture. Isolating VCAs allows stronger security controls to be configured around these accounts and streamlines implementation of more aggressive remediation actions during incident response. Isolation can be achieved through a variety of means including, but not limited to, Network Access Control (NAC), network segmentation and Active Directory groups. Penetration tests and red team engagements can be used to better understand the extent of VCA access, and the potential effects of a compromised VCA.

**Include VCAs in remote access health checks**

You work hard to be sure your end user workstations are hardened and protected with a variety of host-based controls. Don’t let a vendor using an unrecognized, unpatched and unprotected personal device be the reason for a long and costly incident. Deploy and configure health checking and/or trusted device configurations for remote devices, either through integrated operating system functions or third-party tools. This is a great practice for the entire workforce but is particularly relevant for vendors who may not be using company-owned assets. Ask your vendors to share their security and compliance documentation to help understand security practices and baselines in their organization. Your organization is only as safe as the least protected system accessing your resources.

**Use a jump box or dedicated vendor access application**

One of the best ways to enforce vendor security requirements is to create a single point of entry through a jump box or dedicated vendor access application. This approach allows multiple security functions to be implemented through a single, specialized system (or group of systems). For example, a vendor access application can grant vendors access to the systems required to accomplish their tasks and nothing more. It can ensure proper logging and monitoring of activities performed by a vendor while connected. It can also provide system health checking capabilities, and some may even provide a degree of proxying or sandboxing of files transferred into or out of the organization’s environment using the VCA.

Adversaries are going to continue to abuse VCAs. It’s an established and effective way to obtain privileged access using accounts that blend in with other administrative accounts. If you’re reading this and you know you have a VCA with a customer, talk to them about it. Ensuring that your customers are prepared and protected before a supply chain attack might be the greatest value-add you can offer.

Adversaries increasingly using vendor and contractor accounts to infiltrate networks

Marshall is a senior security strategist for Talos’ Strategic Communications team, specifically focusing on industrial control systems.

Monday, June 5, 2023 07:06

Joe Marshall was a security practitioner before he even knew it.

Marshall started his career in information technology as a systems administrator. On the surface, he jokes that he was a “white-collar plumber” — fixing IT issues as they arose, handing out new credentials and asking users if they had tried turning something off and back on again.

But while he served in these roles across multiple companies for about 10 years, he became familiar with cybersecurity almost by accident.

“When you’re in IT or sysadmin, it’s not just ‘something’s broke, I’m here to fix it,’” Marshall said. “You have to create accounts, worry about password securities, updating critical patches — you don’t think of yourself as a security practitioner but that’s actually what you’re doing every day.”

His work today, though, is a far cry from having to provide hands-on support for someone’s broken email system.

Marshall is a senior security strategist for Talos’ Strategic Communications team, specifically focusing on industrial control systems. He spends most of his days talking to customers, users and industry leaders informing them about the latest security threats facing large industrial systems — think grain co-ops, electrical grids, manufacturing facilities and water pipelines.

He first got into the ICS space by working as a cybersecurity architect for Exelon, one of the largest public utility companies in the U.S. Prior to his time at Exelon, Marshall jokes that he knew nothing about ICS or operational technology, but he soon found that these systems had more in common with the systems he was used to working with.

“IT and OT \[operational technology\] is 95% one and the same, it’s just how they’re deployed and managed,” Marshall said.

Prior to joining the Strategic Communications team, Marshall also spent time with Talos Outreach publishing new research, and for several years led his own team of researchers who were specifically tasked with finding vulnerabilities and new security threats in ICS systems, internet-of-things devices and other products that are vital to critical infrastructure.

Marshall speaking at Cisco Live U.S. 2022.

All this experience has given him a greater appreciation for public utilities across the country and the workers who ensure that everyone has basic needs delivered to their home like water and electricity. He’s gotten hands-on at site visits and conferences with electrical grids responsible for serving thousands of households and has even become familiar with the agricultural industry, speaking with grain co-ops and farmers who are asking about threats to their OT processes that help them process their various products.

“I’m never coming in with sunshine and smiles saying, ‘everything’s cool, nothing to worry about,’” Marshall said. “That would be doing a disservice. I'm coming in to tell them how they can make their processes more resilient. To do that means you, as the presenter need to do your homework. You need to understand the basics of crops or how, say, a dairy farm works and what technology stack they’re working with.”

That’s specifically come into play in Ukraine, where Marshall has spent time on the ground with defenders and infrastructure managers to help strengthen the security of the country’s power grid and agricultural supply chain. This has become even more important during Russia’s invasion of Ukraine, during which Russian military forces have launched kinetic and cyber attacks against critical infrastructure.

Marshall said he is always in contact with friends and colleagues there, providing advice to improve their cyber defenses.

“It’s different when you’re looking at Ukraine because every day, there are so many tragedies that occur. I’ve been there. When you see a building that you’ve been in, or you know your friends are in, and you see it get hit with a missile, it rocks you,” he said.

Knowing how devastating cyber attacks can be on critical infrastructure around the world is “pretty sobering knowledge,” Marshall said, but he actively tries to avoid catastrophizing or always putting worst-case scenarios out into the world. Despite many headlines around the dangers of cyber attacks on the U.S. power grid, Marshall jokes that critters like snakes and squirrels have caused more power outages in modern history than cyber attacks.

“Have more faith in the resiliency of your critical infrastructure,” he said. “You have so many smart people talking every day about how to make our infrastructure more resilient and more powerful. Never fear, you have smart people working on it. Even if you’ve lost power, people are working to bring it back.”

Given the high-stakes environments he often works in, Marshall said he tries to unplug and step away from work frequently to decompress and step back — often by playing video games or practicing playing the banjo. Marshall is a proponent of talk therapy and encourages everyone in the security community to reach out to their support systems to avoid burnout.

“We're constantly sitting on knowledge that no one else knows about, and you’re constantly thinking about what the consequences could be,” he said. “Humans are humans, and we all have different thresholds that we crack under. If your cup is very full, and something pours in, something has to pour out.”

Outside of Talos, Marshall also works with the non-governmental organization NetHope, which helps other non-profits embrace and adapt to new technologies. He specifically is working with electric utilities in Ukraine to make their grids and networks more resilient and hopes one day “we can reinvent the way grid resiliency is thought of.”

He likes to embrace the fun side of security, too. Marshall led the team that created  “Advanced Persistent Thirst,” a kegerator that currently resides in Talos’ Fulton, Maryland office. Marshall’s team the keg several years ago that had several interconnected ICS devices. He and his team brought it to different security conferences, offering a job interview (and even hiring them) to anyone who could hack into the kegerator to make it dispense beer.

Even if he’s introducing ideas around cybersecurity with a keg, pun or meme in a presentation, Marshall said his goal is to always make whoever is listening “a better student of the game.”

“People are going to be your biggest and best asset. Technology is not going to solve your woes alone,” he said. “Having smart people and letting them do smart stuff and getting out there, is hands down the biggest leap you can make.”

How Joe Marshall helps defend everything from electrical grids to grain co-ops across multiple continents

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between May 26 and June 2. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key

Threat Roundup for May 26 to June 2

Developing a robust cybersecurity practice involves implementing multiple layers of security measures that are interconnected and continually monitored, including training and awareness programs to ensure that employees follow best practices.

Friday, June 2, 2023 08:06

One of the primary reasons why cybersecurity remains a complex undertaking is the increased sophistication of modern cyber threats. As the internet and digital technologies continue to advance, so do the methods and tools cybercriminals use. This means that even the most secure systems are vulnerable to attacks. Detecting and preventing these attacks require constant vigilance and adaptation. The human element of security only makes this more complex, rendering well-secured systems vulnerable to compromise due to human error or negligence, such as weak passwords or falling victim to social engineering attacks.

Developing a robust cybersecurity practice involves implementing multiple layers of security measures that are interconnected and continually monitored, including training and awareness programs to ensure that employees follow best practices. Even with best practices in place, the potential for threats from cybercriminals remains a constant concern. To assist companies in their journey for cybersecurity, Cisco Talos Incident Response has a new paper that outlines what businesses with a burgeoning security program need for a robust foundation and logging architecture for businesses, even those with limited resources.

This paper focuses on key areas of cybersecurity aiming at the holistic protection of IT environments, including their comprising endpoints, networks, cloud services and physical security. The paper also poses a set of essential questions that, when answered at the strategic level, can increase the resilience and security of a business.

The advice we outline in this paper may not be for every organization — much of this depends on budgeting, human resources and the maturity of your security operations. However, we hope businesses of all sizes can find advice in any of these sections that could help them address gaps in organizational security or potential areas of investment.