Video explanation of the Jaguar Tooth vulnerabilities with Matt Olney, J.J. Cummings and Hazel Burton.

Tuesday, April 25, 2023 13:04

Cisco and Talos are continuing to track and research a series of ongoing cyber attacks and espionage targeting out-of-date and unpatched network hardware.

In this video, Hazel Burton interviews Matt Olney and J.J. Cummings from Talos to discuss the “Jaguar Tooth” campaign the U.K. government and other global intelligence agencies recently disclosed. J.J. and Matt were at the forefront of Talos’ research into these campaigns and have spent years providing advice to customers and users about the importance of network hygiene and resilience on the perimeter.

Jaguar Tooth is an example of a much broader trend of sophisticated adversaries targeting networking infrastructure to advance espionage objectives or pre-position for future destructive activity.

“What happened in this case, is that we had a series of incidents that we worked...and put some pieces together. What we were seeing multiple threat actors in sustained campaigns going after router infrastructure in a similar way,” Olney says in the video. “They were targeting different devices, but they were most successful in out-of-date hardware and end-of-life software.”

Watch the video above to learn more about Talos’ research into these campaigns, advice on steps to take if you believe you could be the target of one of these attacks, and a broader overview of the importance of network hygiene.

Organizations that fail to update their hardware and software will both be more likely to be a victim of unpatched security vulnerabilities but also will have fewer tools to combat adversaries. Cisco customers can check their version of software to see if any known vulnerabilities exist in it here. You can learn more about Cisco Trustworthy Technologies here. Several related resources, tools, and services can be found at The Trust Center here.

Video: Everything you need to know about ongoing state-sponsored attacks targeting network infrastructure across the globe

The issue could then allow the malicious actor to generate arbitrary logs which can trigger malicious commands to be run with elevated privileges.

Monday, April 24, 2023 10:04

_Tim Brown of Cisco Security Advisory EMEA discovered these vulnerabilities and contributed to this blog post._

A Cisco security researcher recently discovered two vulnerabilities in the IBM AIX Unix platforms that could be exploited to inject commands and logs into targeted systems with elevated privileges.

AIX is a more than 20-year-old set of operating systems for Unix that run on various IBM platforms.

TALOS-2023-1690 (CVE-2023-26286) is a vulnerability in AIX’s errlog() syscall functionality that can be triggered if an adversary sends a specially crafted syscall. This could then allow the malicious actor to generate arbitrary logs which can trigger malicious commands to be run with elevated privileges. An adversary could also exploit TALOS-2023-1690 to gain out-of-bounds memory access.

TALOS-2023-1691 (CVE-2023-28528) exists in AIX’s invscout setUID binary. In this case, the adversary could send a specially crafted command line argument to gain the ability to inject arbitrary commands.

While the vulnerability in invscout is relatively run-of-the mill, the vulnerability with errlog() is more notable. In this case, the malicious input is supplied by user via a non-privileged syscall resulting in the AIX kernel writing the data to a privileged device (/dev/error). From there, a privileged service (errdaemon) runs as root and reads from the device and misprocesses it, resulting in command execution and/or memory corruption. The vulnerability is notable for the following reasons:

*   The errlog() syscall does not limit who can access it, nor which kernel and user-land errors it can be used to raise.
*   The same configurable mechanism by which errdaemon handles events written to /dev/error, could also be used by adversaries to construct a persistence mechanism, with errdaemon being configured to perform malicious activities when an appropriately constructed message is logged by a user.

*   On systems where the errors are collected and fed to a SIEM or other network monitoring solution, this presents opportunities for detection beyond on-device telemetry, as can be seen with the related Snort rule.

Cisco Talos worked with IBM to ensure these vulnerabilities are resolved and an update is available for affected customers, all in adherence to Cisco’s vulnerability disclosure policy.

Users are encouraged to update these affected products as soon as possible: IBM Corporation AIX, version 7.2. Talos tested and confirmed this version of AIX could be exploited by these vulnerabilities.

The following Snort rules will detect exploitation attempts against the TALOS-2023-1690 vulnerability: 61154 and 61155. Additional rules may be released in the future and current rules are subject to change, pending additional vulnerability information. For the most current rule information, please refer to your Cisco Secure Firewall Management Center or Snort.org.

Vulnerability Spotlight: Vulnerabilities in IBM AIX could lead to command injection with elevated privileges

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between April 14 and April 21. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key

Threat Roundup for April 14 to April 21

Heading to San Francisco next week? Here are all the Talos and Cisco Secure talks and events you won't want to miss.

Thursday, April 20, 2023 14:04

Welcome to this week’s edition of the Threat Source newsletter.

We’re firing up the conference circuit again for 2023, kicking things off next week with the RSA Conference in San Francisco. Cisco has a ton of exciting announcements, keynotes and talks lined up for the week, but there are also plenty of Talos-focused events to take in.

We’ll be at our own booth giving “flash talks” throughout the conference and will generally be around to answer questions about Talos, provide service demos and talk about the latest security offerings from Cisco. In case you’re having a hard time finding the Cisco booth, use RSA’s map here. The main Talos team will be at North Expo N-5845 and Cisco Talos Incident Response will be at South Expo S-1027.

Here are some of the other major events at RSA that we’re taking part in.

*   Brad Garnett, the head of Cisco Talos Incident Response, is joining the Cisco Secure Security Stories podcast for a live recording on Tuesday the 25th at 11 a.m. PT inside the Customer Lounge at the Marriott Marquis. Head up to the fifth floor and look for the Sierra K room! Brad will be discussing the latest trends and attacker TTPs his team is seeing in the field.
*   Cisco has a special sponsored talk on Wednesday the 26th from 9:40 – 10:30 a.m. PT with Nick Biasini, the head of Talos Outreach, and AJ Shipley, Cisco Secure’s vice president of product management for threat, detection and response. This session will analyze why industry partnerships are a must for security to win. Come meet A.J. and Nick in the Moscone South building, or if you can’t make it, a recording will be available for RSA attendees.
*   There will be two live Beers with Talos episodes on the 26th at 2 p.m. PT and the 27th at 9 a.m. PT. Join the BWT gang for gameshows, security hot takes and general debauchery. Both recording sessions will be in the Customer Lounge.
*   If you want a chance to meet the BWT hosts and some other special Talos guest, join us in the Customer Lounge on Wednesday at 4 p.m. PT for a meet-and-greet and networking session. This is an open session with Talos experts, Beers with Talos and members of the Cisco CISO Advisory panel.
*   The latest episode of ThreatWise TV from (now Talos’ own!) Hazel Burton also has a rundown of everything you can expect from Cisco and Talos at RSA. You can also read Cisco’s preview blog post here.

**The one big thing**

The UK’s National Cyber Security Center (NCSC) released a report this week on a sustained campaign by a Russian intelligence agency targeting a vulnerability in routers that Cisco published a patch for in 2017. This campaign, dubbed "Jaguar Tooth," is an example of a much broader trend of sophisticated adversaries targeting networking infrastructure to advance espionage objectives or pre-position for future destructive activity. While infrastructure of all types has been observed under attack, attackers have been particularly successful in compromising infrastructure with out-of-date software.

**Why do I care?**

In short, there are extremely sophisticated actors who are increasingly targeting network infrastructure devices from a variety of manufacturers. Talos and Cisco are concerned that insufficient awareness and patching, the reliance on end-of-life equipment and the necessity for always-on connectivity makes too many infrastructure devices easy prey. The results of these issues range from being an unwitting participant in criminal activity to events of true national security impact.

**So now what?**

Relying on out-of-date gear or utilizing out-of-date protocols and technologies will eventually cost your organization. Work with your vendor to give yourself the best chance of defending your environment. Talos’ blog also has a series of recommendations for defending and updating aging network infrastructure. For the specific Jaguar Tooth campaign, users who haven’t already should patch affected devices immediately.

**Top security headlines of the week**

**A 21-year-old was arrested for allegedly leaking sensitive Pentagon and Department of Defense documents and images on a Discord server.** The images eventually made their way onto other popular social media platforms in the public eye. The U.S. military is increasingly relying on Discord and other emerging social platforms for recruitment but has become a popular place for leakers to share secrets and other sensitive information. One of the other users on the Discord server where the most recent slate of images was leaked said the alleged leaker wanted to make sure “we know what’s going on with our tax dollars,” though the user who spoke to CNN was only 17 years old.  A 2021 report from the U.S. House of Representatives found that user moderation on platforms like Discord is not enough to prevent leaks, saying “the risks of relying too much on user moderation when the userbase may not have an interest in reporting problematic content.” (Washington Post, Slate, CNN)

The U.S. Cybersecurity and Infrastructure Security Agency **released new guidance for software manufacturers to adopt secure-by-design principles** and make the software more secure from the start of its lifecycle rather than being tacked on as later patches. Some of the major recommendations include having companies take ownership of the security implications of their products, embracing “radical transparency” toward security issues and ensuring there is support from company leadership to prioritize product security.  Other federal agencies from Australia, Canada, the United Kingdom, Germany, Netherlands and New Zealand published similar guidelines. (FedScoop, CISA)

**Montana is set to be the first U.S. state to ban downloads of the popular social media app TikTok,** citing security and data privacy concerns related to the app’s Chinese owners. The bill, which is set to be signed into law soon, is likely to spark a Constitutional debate around First Amendment freedom of speech protections and national digital privacy law. The state is likely to also face technical challenges around restricting downloads, and access to, the app. Company representatives from TikTok called the bill an "attempt to censor American voices” and “egregious government overreach.” A similar ban is being considered in U.S. Congress but faces a more uphill battle than in Montana’s Republican-controlled legislature. (Wired, Buzzfeed)

**Can’t get enough Talos?**

*   Talos Takes Ep. #134: How to best prepare for, and respond to, supply chain attacks
*   Cisco urges users to keep its network hardware up-to-date
*   Threat Roundup for April 7 – 14
*   Vulnerability Spotlight: Hard-coded password vulnerability could allow attacker to completely take over Lenovo Smart Clock

**Upcoming events where you can find Talos**

**RSA** **(April 24 - 27)**

San Francisco, CA

**Cisco Talos Incident Response: On Air** **(April 27)**

Virtual

**Cisco Live U.S.** **(June 4 - 8)**

Las Vegas, NV

**Most prevalent malware files from Talos telemetry over the past week**

  
**SHA 256:** 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
**MD5:** 2915b3f8b703eb744fc54c81f4a9c67f  
**Typical Filename:** VID001.exe  
**Claimed Product:** N/A  
**Detection Name:** Win.Worm.Coinminer::1201

**SHA 256:** e248b01e3ccde76b4d8e8077d4fcb4d0b70e5200bf4e738b45a0bd28fbc2cae6  
**MD5:** 1e2a99ae43d6365148d412b5dfee0e1c  
**Typical Filename:** PDFpower.exe  
**Claimed Product:** PdfPower  
**Detection Name:** Win32.Adware.Generic.SSO.TALOS

**SHA 256:** e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934  
**MD5:** 93fefc3e88ffb78abb36365fa5cf857c  
**Typical Filename:** Wextract  
**Claimed Product:** Internet Explorer  
**Detection Name:** PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg

**SHA 256:** 00ab15b194cc1fc8e48e849ca9717c0700ef7ce2265511276f7015d7037d8725  
**MD5:** d47fa115154927113b05bd3c8a308201  
**Typical Filename:** mssqlsrv.exe  
**Claimed Product:** N/A  
**Detection Name:** Trojan.GenericKD.65065311

**SHA 256:** 4ad8893f8c7cab6396e187a5d5156f04d80220dd386b0b6941251188104b2e53  
**MD5:** cdd331078279960a1073b03e0bb6fce4  
**Typical Filename:** mediaget.exe  
**Claimed Product:** MediaGet  
**Detection Name:** W32.DFC.MalParent

Threat Source newsletter (April 20, 2023) — Preview of Cisco and Talos at RSA

This campaign, dubbed "Jaguar Tooth," is an example of a much broader trend of sophisticated adversaries targeting networking infrastructure to advance espionage objectives or pre-position for future destructive activity.

Tuesday, April 18, 2023 11:04

Cisco is deeply concerned by an increase in the rate of high-sophistication attacks on network infrastructure — that we have observed and have seen corroborated by numerous reports issued by various intelligence organizations — indicating state-sponsored actors are targeting routers and firewalls globally. We have spoken about infrastructure security for a long time. However, while working with network infrastructure in various parts of the world, we have observed both espionage and obvious targeting to support future destructive attacks. While working with our partners, we have experienced the operational barriers that slow and sometimes stop security teams from properly securing network infrastructure. In this report, we are sharing both our observations of top-tier attackers and their activities on network devices, and recommendations and resources to help you improve your network infrastructure resilience.

**Background**

Recently, the UK’s National Cyber Security Center (NCSC) released a report on a sustained campaign by a Russian intelligence agency targeting a vulnerability in routers that Cisco had published a patch for in 2017. This campaign, dubbed "Jaguar Tooth," is an example of a much broader trend of sophisticated adversaries targeting networking infrastructure to advance espionage objectives or pre-position for future destructive activity. While infrastructure of all types has been observed under attack, attackers have been particularly successful in compromising infrastructure with out-of-date software.

Because of the large presence of Cisco network infrastructure around the world, any sustained attack against network infrastructure would likely target Cisco equipment, but attacks are by no means limited to Cisco hardware. In reporting on Russian intelligence contracting documents, samples of which were recently shared with Cisco Talos, it was shown that any infrastructure brand would be targeted, with one scanning component targeting almost 20 different router and switch manufacturers (see the image below). Looking at past research, in 2018 Talos looked into the VPNFilter threat, also believed to be of Russian origin, which showed a well-developed capability targeting Asus, Huawei, Linksys, MikroTik, Netgear, QNAP, TP-LINK, Ubiquiti, and Upvel devices.

Russia is not alone in its actions. CISA has reported on Chinese adversaries targeting network equipment from a similarly broad set of manufacturers. These are certainly not the only campaigns targeting network equipment, nor the only actors. It is reasonable to conclude that any sufficiently capable national intelligence operation would develop and use the capability to compromise the communications infrastructure of their preferred targets.

Talos investigations are consistent with these findings. We have observed traffic manipulation, traffic copying, hidden configurations, router malware, infrastructure reconnaissance and active weakening of defenses by adversaries operating on networking equipment. Given the variety of activities we have seen adversaries engage in, they have shown a very high level of comfort and expertise working within the confines of compromised networking equipment.

Our assessment is clear, that national intelligence agencies and state-sponsored actors across the globe have attacked network infrastructure as a target of primary preference. Route/switch devices are stable, infrequently examined from a security perspective, are often poorly patched and provide deep network visibility. They are the perfect target for an adversary looking to be both quiet and have access to important intelligence capability as well as a foothold in a preferred network.

**Campaign observations**

We’d like to share a non-exhaustive list of the sorts of activities we have observed actors take on various infrastructure devices. Our analysis for this set of actors is that they were (depending on the incident) either engaging in espionage or establishing a foothold for follow-on actions in support of any number of strategic goals, which may include destructive attacks. While these activities span several different incidents and campaigns, they demonstrate the technical capability of the actor. So, in brief, we have seen the following actor behaviors across different infrastructure platforms at critical infrastructure facilities:

*   The creation of Generic Router Encapsulation (GRE) tunnels and the hijacking of DNS traffic, giving the actor the ability to observe and control DNS resolution
*   Modifying memory to reintroduce vulnerabilities that had been patched so the actor has a secondary path to access
*   Modification of configurations to move the compromised device into a compromised state to allow the actor to execute additional exploits to further access
*   Installation of malicious software into an infrastructure device that provides additional capabilities to the actor, including:
    *   Masking of certain configurations so that they can’t be shown by normal commands
    *   Bypassing of ACLs so that traffic can’t be blocked properly by the router
    *   Allowing for authenticated access to devices outside of the normal SSH/Telnet methods
    *   Modular design allowing for easy updating as new capabilities are needed or developed
    *   Capability to corrupt and disable the infrastructure device
    *   Redirection of actor-defined traffic to actor-controlled infrastructure
*   Creation of hub-and-spoke VPNs designed to allow the siphoning of targeted traffic from network segments of interest through the VPN
*   The capture of network traffic for future retrieval, frequently limited to specific IPs or protocols
*   A variety of logic to allow network packets to enable and disable certain capabilities
*   The use of infrastructure devices to deliver attacks or maintain C2 in various campaigns

Additionally, we have seen traditional enterprise attacks explicitly targeting the environments that support infrastructure devices such as TACACS+ servers, enterprise management servers and jump hosts. Further, we have seen espionage activity on enterprise networks specifically searching for network data such as credentials, network diagrams, contracts with network customers and configuration information.

In short, there are extremely sophisticated actors who are increasingly targeting network infrastructure devices from a variety of manufacturers. We are concerned that insufficient awareness and patching, the reliance on end-of-life equipment and the necessity for always-on connectivity makes too many infrastructure devices easy prey. The results of these issues range from being an unwitting participant in criminal activity to events of true national security impact.

**Guard the creds**

The Jaguar Tooth attacks are actually a sequence of attacks, the first looks for poorly selected SNMP community strings. Once a community string is found, the attacker exploits CVE-2017-6742, which was first announced on June 29, 2017, after which a software patch was made available to all customers. But even unpatched, a well-selected SNMP community string stops this attack in its tracks. It should also be noted that if you are not using SNMP v3, even well-chosen credentials are transmitted in the clear, and are subject to capture. NETCONF (Network Configuration Protocol) and RESTCONF are modern network management protocols designed to offer better security and functionality than their older counterpart, SNMP. NETCONF typically runs over SSH, while RESTCONF runs over HTTPS. Both SSH and HTTPS provide strong encryption and secure authentication mechanisms, ensuring the confidentiality, integrity, and authenticity of the data being exchanged. SNMP, particularly its older versions (v1 and v2c), lacks proper encryption and authentication, which makes it more vulnerable to cyber attacks.

In other incidents, we have observed well-positioned adversaries with preexisting access to internal environments targeting TACACS+/RADIUS servers to obtain credentials. This gives them the benefit of understanding the controls enforced by the credential server, as well as allowing their traffic to look “normal” by using jump servers and employing other techniques that a typical network administrator would use.

Many of the exploits we’ve seen used in the wild are post-compromise exploits, meaning the attacker had some form of credential to get them to the place where they could then launch the exploit and get deeper access to the device. Our recommendations are to select complex passwords and community strings, to utilize multifactor authentication where possible, to require encryption when configuring and monitoring devices and to lockdown and aggressively monitor credential systems like TACACS+ and any jump hosts.

**Stay modern, stay real**

Network infrastructure is built to last, and in today’s always-on world, it’s sometimes impossible to find a patch window. But recent reports – and our own investigations – show that it is critical to update both the hardware and the software that runs your network. This is true not just because patching eliminates known vulnerabilities, but upgrades also introduce new security capabilities and controls that weren’t previously available.

Cisco has introduced a number of technologies and protocols over time that has improved the security of its products. Some of these advances can be obtained by software upgrade, while others require more modern networking equipment. For example, in order to combat certain supply chain attacks, Cisco has introduced a series of technologies. These technologies include hardware improvements such as the Trust Anchor Module and software changes like Secure Boot. Organizations that fail to update their hardware and software will both be more likely to be a victim of unpatched security vulnerabilities but also will have fewer tools to combat adversaries. Cisco customers can check their version of software to see if any known vulnerabilities exist in it here. You can learn more about Cisco Trustworthy Technologies here. Several related resources, tools, and services can be found at The Trust Center here.

**Know your world and enforce it**

An organization that both understands the configurations that it is running and monitors for departures from that understanding have a high probability of discovering adversaries early in the campaign. For example, an unauthorized GRE tunnel or static VPN, discovered by NetFlow analysis, would be grounds for an investigation. Additionally, monitoring for connections to edge routers from unknown external IPs would also uncover some of the activity that we’ve observed. Even basic configuration monitoring and alerting on modifications would help in many cases.

Authentication, authorization, and accounting (AAA) tools are another area where policy enforcement can be useful. We’ve seen actors take unusual action on routers that would show up in AAA logs and ideally could be denied by the correct AAA configuration. One example would be attempts to suppress logging by issuing _“no aaa accounting”_ configuration commands. Attempts to disable any feature of AAA should be both logged and denied by the AAA system.

Asking organizations to monitor their environment for unusual changes in behavior or configurations is one of the hardest recommendations we are making. It will take a combination of a well-documented network infrastructure environment, network engineering and talented security operations to build a monitoring environment tuned to your implementation. While there are many technologies to support you, the excellence in your network engineering and security team, and their willingness to collaborate, will be a large factor in whether or not you are successful.

**If you need us, call us**

Responding to incidents involving specialized hardware can be challenging. If you suspect that a Cisco product has been compromised, please reach out to TAC for assistance. If you suspect there is a vulnerability in a Cisco product, please reach out to PSIRT. You can find out how to contact TAC for general questions here. To report or obtain support for a suspected vulnerability, you can contact Cisco’s PSIRT here.

**TL; DR recommendations**

*   Select complex passwords and community strings, avoid default credentials
*   Use multi-factor authentication
*   Encrypt all monitoring and configuration traffic (SNMPv3, HTTPS, SSH, NETCONF, RESTCONF)
*   Lockdown and aggressively monitor credential systems like TACACS+ and any jump hosts
*   Do not run end-of-life hardware and software
*   Maintain current software
*   Utilize AAA to deny configuration changes of key protections
*   Monitor syslog and AAA logs for unusual activities
*   Monitor your environment for unusual changes in behavior or configuration
*   Contact Cisco TAC or PSIRT if you need assistance with a security incident involving Cisco products

**Conclusion**

If your network isn’t secure, then nothing on that network can be properly secured. We know that there is a myriad of operational realities that make it difficult to maintain a fully defensible network infrastructure. However, given the risks and outcomes that compromised network infrastructure bring, these obstacles must be overcome for organizations to truly secure their environment. Regardless of the context, aging infrastructure is a risk. Relying on out-of-date gear or utilizing out-of-date protocols and technologies will eventually cost your organization. Work with your vendor to give yourself the best chance of defending your environment.

State-sponsored campaigns target global network infrastructure

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between April 7 and April 14. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key

Threat Roundup for April 7 to April 14

Microsoft zero-days, dark web forum takedowns and Pentagon leaks on Discord in this week's newsletter.

Thursday, April 13, 2023 14:04

Welcome to this week’s edition of the Threat Source newsletter.

Law enforcement organizations across the globe notched a series of wins over the past few weeks against online forums for cybercriminals.

On March 23, the FBI announced it disrupted the online cybercriminal marketplace BreachForums, known for being a place where users could buy and sell stolen user information. They also arrested a 20-year-old suspected of being the site’s founder and main administrator.

Then last week we had “Operation Cookie Monster” in which several international agencies worked together to take down Genesis Market, a similar dark web forum, arresting dozens of suspected users and administrators.

These arrests and network operations are important in that they disrupted sites that were known for highly sensitive information and served as a place for some of the most prolific cyber criminals to make money. The U.S. Department of Justice estimated that Genesis Market was responsible for the sale of data on more than 1.5 million compromised computers around the world containing over 80 million account access credentials. And the U.K.’s National Crime Agency (NCA) said credentials were available for as little as 70 cents to hundreds of dollars depending on the stolen data available.

But the user base for these sites was also huge (after all, someone had to be buying those credentials). At the time of its takedown, BreachForums had 340,000 members, according to the FBI. And reporting on Operation Cookie Monster stated that Genesis Market had 59,000 registered users.

So while it’s great that these sites have been disrupted, I can’t help but assume that two more sites are going to pop up to service these cyber criminals. It’s impossible for any agency to arrest 340,000 people, so even if a handful of administrators are restricted from accessing the internet for a while, the other 339,000 people are going to be looking for a new home.

Some of the same agencies celebrated in March 2021 that they disrupted Emotet, one of the most infamous botnets ever. As anyone who follows security news will know, Emotet didn’t actually go anywhere and was recently rebooted as recently as last month, according to our research.

RaidForums, a forefather of BreachForums, was also disrupted in April 2022, along with the arrest of several administrators and accomplices.

All of this is not to discount the great strides made in the past few weeks in disrupting these marketplaces and taking them offline. But a lot of these headlines are sounding familiar to me after a few years, so it’s important to remember that we as a security community can’t take our foot off the gas and assume that because there were a few big wins that dark web forums are just going to go away forever.

**The one big thing**

Microsoft’s Patch Tuesday for April included another zero-day vulnerability in the Windows Common Log File System Driver. CVE-2023-28252, which could allow an attacker to obtain SYSTEM privileges, is actively being exploited in the wild, according to Microsoft. The U.S. Cybersecurity and Infrastructure Security Agency already added the vulnerability to its list of know exploited issues and urged federal agencies to patch it as soon as possible. Microsoft disclosed a similar zero-day issue in September that could also lead to the same privileges: CVE-2022-37969.

**Why do I care?**

Security researchers say that the vulnerability has already been exploited in Nokoyawa ransomware attacks, so it’s important to patch this issue as soon as possible. The Nokoyawa ransomware is known for targeting 64-bit Windows systems in double extortion attacks in which the actors encrypt targets’ files and then threaten to leak them unless the ransom is paid.

**So now what?**

Microsoft has a patch available, so all Windows users should update now if they haven’t already. Talos also has new Snort detection coverage available for CVE-2023-28252 and other vulnerabilities disclosed as part of Patch Tuesday.

**Top security headlines of the week**

**A trove of classified military documents and images leaked on several social media channels** over the past week, including potentially sensitive information on Russia’s invasion of Ukraine and China’s military plans. The images first surfaced in a Discord channel, eventually making their way onto the Telegram messaging app, the popular forum 4Chan and then broader social media sites like Twitter. The U.S. Department of Justice and the Pentagon have since launched a formal investigation into the leaks. Ukrainian officials have blamed Russian actors for the leaks, trying to cast doubt on the authenticity of the images, while Russia accused Western governments of trying to spread disinformation. (Bellingcat, New York Times)

**Apple released patches for two zero-day vulnerabilities** targeting current and older versions of iOS, iPadOS, macOS and Safari that attackers were exploiting in the wild. The vulnerabilities, CVE-2023-28206 and CVE-2023-28205, could lead to arbitrary code execution. CVE-2023-28206 specifically could allow an adversary to execute code with kernel privileges. Apple initially patched the issue in current iPhones and other devices and followed up a few days later with fixes for older hardware like the iPhone 8. This was the third instance of Apple patching a zero-day vulnerability since the start of the year. (SC Media, Security Week)

**The FBI warned users again this week against plugging their phones in public charging stations** at common spaces like airports, hotels and shopping centers. The agency stated that threat actors have found ways to use the public USB ports to “introduce malware and monitoring software onto devices." Instead, the Federal Communications Commission suggests users carry their own USB cables and charging blocks to plug directly into outlets rather than relying on or trusting a cable. However, the tweet from the FBI’s Denver office did not offer examples of any recent attacks that would have prompted a fresh warning. (Axios, NBC News)

**Can’t get enough Talos?**

*   How threat actors are using AI and other modern tools to enhance their phishing attempts
*   How do you hunt cybersecurity threats in a war zone? Like this
*   Cisco unveils latest security trends from Cisco Talos report at GISEC 2023
*   Researcher Spotlight: Giannis Tziakouris first learned how to fix his family’s PC, and now he’s fixing networks all over the globe

**Upcoming events where you can find Talos**

**RSA** **(April 24 - 27)**

San Francisco, CA

**Cisco Talos Incident Response: On Air** **(April 27)**

Virtual

**Cisco Live U.S.** **(June 4 - 8)**

Las Vegas, NV

**Most prevalent malware files from Talos telemetry over the past week**

  
**SHA 256:** 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
**MD5:** 2915b3f8b703eb744fc54c81f4a9c67f  
**Typical Filename:** VID001.exe  
**Claimed Product:** N/A  
**Detection Name:** Win.Worm.Coinminer::1201

**SHA 256:** e248b01e3ccde76b4d8e8077d4fcb4d0b70e5200bf4e738b45a0bd28fbc2cae6  
**MD5:** 1e2a99ae43d6365148d412b5dfee0e1c  
**Typical Filename:** PDFpower.exe  
**Claimed Product:** PdfPower  
**Detection Name:** Win32.Adware.Generic.SSO.TALOS

**SHA 256:** f3d5815e844319d78da574e2ec5cd0b9dd0712347622f1122f1cb821bb421f8f  
**MD5:** a2d60b5c01a305af1ac76c95e12fdf4a  
**Typical Filename:** KMSAuto.exe  
**Claimed Product:** N/A  
**Detection Name:** W32.File.MalParent

**SHA 256:** e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934  
**MD5:** 93fefc3e88ffb78abb36365fa5cf857c  
**Typical Filename:** Wextract  
**Claimed Product:** Internet Explorer  
**Detection Name:** PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg

**SHA 256:** 00ab15b194cc1fc8e48e849ca9717c0700ef7ce2265511276f7015d7037d8725  
**MD5:** d47fa115154927113b05bd3c8a308201  
**Typical Filename:** mssqlsrv.exe  
**Claimed Product:** N/A  
**Detection Name:** Trojan.GenericKD.65065311

Threat Source newsletter (April 13, 2023) — Dark web forum whac-a-mole

Talos also alerted Lenovo that the clock’s hardcoded root password is weak and easily guessed or cracked.

Thursday, April 13, 2023 10:04

_Kelly Leuschner and Thorsten Rosendahl discovered this vulnerability._

Cisco Talos researchers recently discovered a vulnerability in the Lenovo Smart Clock Essential that could allow an attacker to completely take over the device if they have access to the network the clock is connected to.

TALOS-2023-1692 (CVE-2023-0896) exists because the smart clock does not change its hardcoded credentials once it's set up and connected to the network. Therefore, an attacker could use a specially crafted command line argument to gain full control of the device using SSH or telnet if they already have network access.

Talos also alerted Lenovo that the clock’s hardcoded root password is weak and easily guessed or cracked. Even on low-end hardware, and with a basic dictionary, the brute force took less than a second.

The default username is “root” and the default password is “123456”.

The clock includes a built-in microphone to accept voice commands and connects to the popular Amazon Alexa smart home system and AI assistant.

The file system is accessible and offers enough room to install undesired software/services.

Cisco Talos worked with Lenovo to ensure that these issues are resolved and an update is available for affected users, all in adherence to Cisco’s vulnerability disclosure policy.

Users are encouraged to update these affected products as soon as possible: Lenovo Group Ltd. Smart Clock Essential, version 4.9.113. Talos tested and confirmed this version of the clock could be exploited by this vulnerability. Users should update to Lenovo Smart Clock Essential software version 90 or later to fix this vulnerability, according to Lenovo. (The version information can be checked in your Alexa App under “Devices.”)

The following Snort rule will detect exploitation attempts against this vulnerability: 61094. Additional rules may be released in the future and current rules are subject to change, pending additional vulnerability information. For the most current rule information, please refer to your Cisco Secure Firewall Management Center or Snort.org.

Vulnerability Spotlight: Hard-coded password vulnerability could allow attacker to completely take over Lenovo Smart Clock

Tools like ChatGPT aren't making social engineering attacks any more effective, but it does make it faster for actors to write up phishing emails.

Thursday, April 13, 2023 00:04

*   Phishing attacks are increasingly more targeted and customized than in the past.
*   The proliferation of additional communications channels such as mobile devices and social media provides attackers with new avenues to phish users.
*   The technology behind phishing attacks evolves as necessary for cybercriminals to bypass content filters and successfully transmit and display the phishing content to the victims.
*   Artificial Intelligence (AI) apps provide attackers with the means to generate highly customized content that makes phishing lures even more convincing.

Cybercriminals often find it easier to trick users into compromising their own security rather than utilizing exploits or highly technical attacks to break into networks. Deceiving users to convince them into divulging sensitive information or take inappropriate actions is known as “social engineering” and this tactic can be extremely effective, regardless of whatever technological defenses have been deployed. As a result, social engineering has become a mainstay in cybercriminals’ arsenals.

Social engineering can take many forms. However, by far the most popular type of contemporary social engineering is phishing. Phishing is the practice of sending victims fraudulent communications that appear to come from a reputable source. It is most often performed through email though other communications platforms such as phone calls and text messages on mobile devices, social media, or chat rooms can also play host to phishing attacks.

The goal of a phishing attack is to steal sensitive data like credit card and/or login information or to install malware on the victim's machine. Phishing has evolved considerably over the past dozen-or-so years. We now have many different subtypes of phishing, including spear phishing (targeting specific users in phishing attacks), whaling (phishing specific high-profile users who have considerable resources or access privileges), smishing (phishing users via SMS messages), quishing (phishing using QR codes) and vishing (telephone-based phishing).

**Phishing attacks have become more targeted**

The earliest phishing attacks, such as those conducted via instant messaging applications like AOHell, intentionally cast a broad net, aiming to snare as many victims as possible. However, phishing in this way has become less effective over time. In order for a phishing attack to succeed, an attacker must first deliver their phishing messages to the victims, and sending a large volume of similar-looking phishing messages to a large number of recipients attracts a considerable amount of attention from security devices and personnel.

On the other hand, only sending a handful of phishing emails is orders of magnitude more difficult for network defenders to prevent. This is the idea behind spear phishing: Attackers narrow the phishing target pool down to a smaller desired group of victims who can be sent a more customized phishing attack. The smaller volume of email increases the odds the message will be successfully delivered to the users and will not be filtered out or flagged by network security devices, and customization raises the likelihood the recipient will view the email as legitimate.

**More locations for phishing**

The proliferation of mobile devices and social media applications has provided phishers with multiple vehicles besides email in which to conduct their attacks. Phishers have been known to use applications such as LinkedIn, Instagram, Facebook, Telegram, Discord, Twitter and other social media apps to transmit phishing messages to victims. We also now regularly receive phishing messages transmitted over SMS and even using QR codes.  

A phishing link to “metamask.lc” is tweeted in reply to a tweet from the real @MetaMask Twitter account.‌ ‌

An example of an SMS phish using a link shortener to hide the true destination URL.

Not all phishing happens online. Some phishers now take a hybrid approach where phishing emails are transmitted, but rather than containing a link to a phishing website or malware, the email contains a phone number that the victim is meant to call where the victim can then be further socially engineered over the telephone.

**Evasion tactics help bypass security devices and fool users**

Security devices are constantly monitoring the network for signs of phishing content and then marking the content as fraudulent or even discarding phishing messages altogether. Today, a successful cybercriminal must find ways around the anti-phishing security technology in place. There are several ways today’s cybercriminals attempt this:

*   Placing text information or links inside images.
*   Using large attachments that cannot be scanned due to their size.
*   HTML smuggling.
*   Using various attachment file types (.doc, .one, .lnk, password-protected .zip).
*   Hiding phishing links behind link-shortening services.
*   Varying the phishing message content by including hidden garbage text pulled from books.
*   Using links to lookalike domain names, known as typosquatting, or domain names that have specially crafted subdomains, ex. www.office.com.login.evilbadguy.com.
*   Transmitting messages from compromised legitimate accounts.
*   Using the browser-in-the-browser technique.

**More convincing phishing lures**

Contemporary phishing lures tend to fall into two basic categories. Many phishing messages attempt to replicate transactional messages, for example, an invoice or receipt for a purchase. Other phishing messages tend to target victims who are eager for news about specific topics, such as current events, natural disasters or the latest celebrity gossip.

With readily accessible open-source information and publicly available breach data, there can be a substantial trove of sensitive information concerning individuals/groups that is freely available online to attackers who are motivated enough to search. This information can be used to customize phishing emails and make phishing content even more relevant to the victims.

To aid in customizing phishing content, attackers are increasingly turning to AI apps such as ChatGPT that can be used to generate phishing content that sounds quite convincing. Fortunately, the designers of ChatGPT have built some guardrails so that attackers cannot simply ask ChatGPT to generate a phishing lure.

However, by phrasing the question a little differently, ChatGPT will help generate convincing content for use in phishing attacks.

Over the past few years, we have seen how some attackers, such as those behind Emotet, have leveraged existing email threads to compel targets to open attachments or click links. Using AI applications similar to ChatGPT, those malicious emails could be customized based on the context of those prior threads.

Voice cloning is another piece of AI technology that is expected to play a role in future phishing attacks. Deepfake technology has already progressed to the point that users can be fooled by a familiar voice over the telephone and once deepfake tools become more widely available, we expect attackers to deploy this as an additional mechanism to phish users.

**Protecting users from today’s phishing attacks**

Of course, as phishing content becomes easier to generate and customize to a specific victim, it becomes increasingly harder to defend. Educating users about how to recognize a phishing attack can be helpful. Additionally, deploying multi-factor authentication such as Cisco Duo is a solid defense that can thwart phishing attacks. Understanding regular network traffic patterns using products like Cisco Secure Network Analytics can help your network security personnel recognize unusual activity that could be related to a successful phishing attack. It is also a good idea to have your email delivered through a secure gateway such as Cisco Secure Email that can scan the email contents for phishing, malware and other email-based attacks. DNS security products such as Cisco Umbrella can help prevent users from navigating to or downloading content from phishing domains.

How threat actors are using AI and other modern tools to enhance their phishing attempts

April is the third month in a row in which at least one of the vulnerabilities Microsoft released in a Patch Tuesday had been exploited in the wild prior to disclosure.

Tuesday, April 11, 2023 15:04

Microsoft released its monthly round of security updates and patches today, continuing its trend of fixing zero-day vulnerabilities on Patch Tuesday.

April's security update includes one vulnerability that’s actively being exploited in the wild. There are also eight critical vulnerabilities and the remaining 90 are considered “important.”

CVE-2023-28252, an elevation of privilege vulnerability in the Windows Common Log File System Driver, is actively being exploited in the wild, according to Microsoft, though proof of concept code is not currently available. An adversary could exploit this vulnerability to gain SYSTEM privileges.

The U.S. Cybersecurity and Infrastructure Security Agency already added the vulnerability to its list of know exploited issues and urged federal agencies to patch it as soon as possible.

Microsoft disclosed a similar zero-day issue in September that could also lead to the same privileges: CVE-2022-37969. April is the third month in a row in which at least one of the vulnerabilities Microsoft released in a Patch Tuesday had been exploited in the wild prior to disclosure.

Two of the critical vulnerabilities Microsoft also patched are in the Layer 2 Tunneling Protocol: CVE-2023-28219 and CVE-2023-28220. An unauthenticated attacker could send a specially crafted connection request to a RAS server, which could lead to remote code execution on the RAS server machine. These vulnerabilities do not require any user interaction to be exploited, but the adversary would need to win a race condition to be successful.

One of the most severe issues is CVE-2023-21554, a remote code execution vulnerability in the Microsoft Message queuing system. Microsoft considers exploitation of this vulnerability to be “more likely,” and it received a CVSS severity score of 9.8 out of 10. Users who want to check to see if they’re being targeted by the exploitation of this vulnerability can run a check to see if there’s a service named “Message Queuing” on their machine, and if TCP port 1801 is listening on the machine.

CVE-2023-28231, a remote code execution vulnerability on the DHCP server service, is also considered “more likely” to be exploited. An attacker could exploit this vulnerability by sending a specially crafted RCP call to the targeted DHCP server. However, the adversary first must gain access to the restricted network.

There are four other critical vulnerabilities, though Microsoft considers them “less likely” to be exploited:

*   CVE-2023-28232: Windows Point-to-Point Tunneling Protocol remote code execution vulnerability

*   CVE-2023-28240: Windows Network Load Balancing remote code execution vulnerability    
    CVE-2023-28250: Windows Pragmatic General Multicast (PGM) remote code execution vulnerability
*   CVE-2023-28291: Raw Image Extension remote code execution vulnerability

A complete list of all the vulnerabilities Microsoft disclosed this month is available on its update page.

In response to these vulnerability disclosures, Talos is releasing a new Snort rule set that detects attempts to exploit some of them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Cisco Secure Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

The rules included in this release that protect against the exploitation of many of these vulnerabilities are 61606, 61607 and 61613 - 61620. There are also Snort 3 rules 300496, 300499 and 300500.