These clinics offers pro-bono cybersecurity services — like incident response, general advice and ransomware defense — to community organizations, non-profits and small businesses that normally couldn’t afford to pay a private company for these same services.

Thursday, June 22, 2023 14:06

Welcome to this week’s edition of the Threat Source newsletter.

I recently stumbled upon news that the University of Texas at Austin is launching a new cybersecurity clinic run by faculty and students studying security and IT at the university. This clinic offers pro-bono cybersecurity services — like incident response, general advice and ransomware defense — to community organizations, non-profits and small businesses that normally couldn’t afford to pay a private company for these same services.

That news led me to another discovery: Clinics like these are actually more common than you’d think.

Though UT Austin’s clinic is one of the newest ones to exist in the U.S., similar programs at the University of California Berkeley and the University of Indiana have been around for four-plus years. And in 2021, several universities got together to create the Consortium of Cybersecurity Clinics. Today, that Consortium has 14 members who have similar clinics that offer similar, free, services.

Maybe this is old news to many readers, but it’s all new to me, and it also seems like a no-brainer.

The cybersecurity world is always discussing the skills gap that exists and a high burnout rate among defenders, leading to a dearth of security practitioners in the private and public sectors. These types of clinics can help solve that gap by giving students on-hands training and experience they can eventually take into the field while helping to support organizations that are often most at risk for falling victim to a cyber attack. Small organizations don’t have the traditional resources to build a security program, and if they’re hit with a ransomware attack, they’re also more likely to do whatever allows them to return to “normal” as soon as possible, which often means paying the ransom.

Universities have long used clinic methods to train future professionals in the medical and legal fields, so they already have the infrastructure and funding in place to support these types of programs.

Reading about these clinics reminded me of working at my collegiate newspaper. Although writing about a student government association isn’t as high stakes as trying to recover from a ransomware attack, I can confidently say that gaining real-world experience is far more valuable than anything you can learn in a classroom.

Working at the paper taught me how to be a better communicator, and how to treat people fairly and it just made me a better writer in general by getting reps in.

I’m somehow already two years removed from going back to college for a cybersecurity education, but I would have relished the opportunity to work in a clinic like this as opposed to reading another textbook or going through one more coding exercise.

I’m assuming I’m not the only person late to the party on these clinics, so I only hope this serves as a PSA to someone that these options exist for students and organizations.

**The one big thing**

Cisco Talos is monitoring recent reports of exploitation attempts against CVE-2023-34362, a SQL injection zero-day vulnerability in the MOVEit Transfer managed file transfer (MFT) solution that has been actively targeted since late May 2023. Successful exploitation could lead to remote code execution (RCE), allowing unauthenticated adversaries to execute arbitrary code to support malicious activity, such as disabling anti-virus solutions (AV) or deploying malware payloads. The Clop ransomware group has claimed responsibility for exploiting the vulnerability to deploy a previously unseen web shell, LemurLoot, to exfiltrate victims’ data and extort payments.

**Why do I care?**

The exploitation of this vulnerability has already affected many organizations across the globe, including the BBC, British Airways, the government of Nova Scotia and U.K. pharmacy chain Boots. This clearly has wide-reaching implications, and security researchers are already discovering other vulnerabilities in MOVEit, though those aren’t being exploited in the wild.

**So now what?**

Talos has a list of recommendations over on our blog that potential targets should take. First and foremost, though, users should implement the patch that Progress Software released for CVE-2023-34362. Additionally, Talos released new ClamAV signatures and Snort rules to detect and prevent the exploitation of the MOVEit vulnerabilities.

**Top security headlines of the week**

Microsoft identified that a **group of actors connected to Russia’s GRU is behind a recent wave of cyber attacks against Ukrainian government agencies and information technology vendors**. The same report linked this actor, now known as “Cadet Blizzard,” to a series of data-wiping attacks that took place right before Russia’s invasion of Ukraine last year. Cadet Blizzard also appears to target NATO member countries who are supporting Ukraine during the military conflict and sending aid to the country. The actor typically uses stolen credentials to gain access to targets’ internet servers on the perimeter of their network. Then, it uses web shells to maintain persistence and carry out a variety of malicious actions. Outside of the wiper campaign in 2022, Cade Blizzard is largely considered to be less successful than other GRU-connected threat actors. (Microsoft, Yahoo! News)

The U.S. Department of Justice is adding a **new unit to its organization that will specifically focus on prosecuting state-sponsored threat groups** and individuals behind cyber attacks. The new National Security Cyber Section will be on the same footing as the organization’s three other sectors that also prosecute other types of crimes and terrorism. This new organization is “positioned to act quickly as soon as the FBI or an \[intelligence community\] partner identifies a cyber enabled threat and we will be in a position to support investigations and disruption,” according to a news release from the Department of Justice. The Department of Justice has taken a harder stance against cyber attacks in recent months and has specifically charged and arrested several high-profile threat actors during the Biden administration’s time in office. (Recorded Future, CyberScoop)

**U.S. President Joe Biden convened a group of AI experts and companies to discuss the dangers the new technologies pose to privacy, the U.S. economy and more,** this week. "My administration is committed to safeguarding America’s rights and safety, from protecting privacy to addressing bias and disinformation to making sure AI systems are safe before they are released," Biden said after the meeting. Vice President Kamala Harris is also expected to meet with civil rights leaders, consumer protection groups and AI experts to discuss the inherent biases in AI models and the rise of these technologies in mainstream culture. (NBC News, Politico)

**Can’t get enough Talos?**

*   Talos Takes Ep. #143: The hidden threat to the software supply chain you may not be thinking about
*   Threat Roundup (June 9 – 16, 2023)
*   No Password Required: Threat Researcher at Cisco Talos and a Veteran of the Highest-Profile Cyber Incidents Who Roasts His Own Coffee Beans
*   Cisco releases new security offerings at Cisco Live 2023
*   Video: How Talos’ open-source tools can assist anyone looking to improve their security resilience

**Upcoming events where you can find Talos**

**BlackHat (Aug. 5 - 10)**

Las Vegas, Nevada

**Most prevalent malware files from Talos telemetry over the past week**

**SHA 256:** a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91  
**MD5:** 7bdbd180c081fa63ca94f9c22c457376  
**Typical Filename:** c0dwjdi6a.dll  
**Claimed Product:** N/A  
**Detection Name:** Trojan.GenericKD.33515991

**SHA 256:** e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c  
**MD5:** a087b2e6ec57b08c0d0750c60f96a74c  
**Typical Filename:** AAct.exe  
**Claimed Product:** N/A  
**Detection Name:** PUA.Win.Tool.Kmsauto::1201

**SHA 256:** 00ab15b194cc1fc8e48e849ca9717c0700ef7ce2265511276f7015d7037d8725  
**MD5:** d47fa115154927113b05bd3c8a308201  
**Typical Filename:** mssqlsrv.exe  
**Claimed Product:** N/A  
**Detection Name:** Trojan.GenericKD.65065311

**SHA 256:** e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934  
**MD5:** 93fefc3e88ffb78abb36365fa5cf857c  
**Typical Filename:** Wextract  
**Claimed Product:** Internet Explorer  
**Detection Name:** PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg

**SHA 256:** a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91  
**MD5:** 7bdbd180c081fa63ca94f9c22c457376  
**Typical Filename:** c0dwjdi6a.dll  
**Claimed Product:** N/A  
**Detection Name:** Trojan.GenericKD.33515991

Cybersecurity hotlines at colleges could go a long way toward filling the skills gap

A rundown of Talos open-source software tools, which anyone in the security community can download for free, and use for research, skills, training, or integration into existing security infrastructure.

Thursday, June 22, 2023 08:06

Cisco Talos’ remit is not just to protect our customers from cyber attacks. We also strive to make the internet a better and safer place.

That’s one of the reasons why we create and release open-source software, for free. These tools are available to anyone in the security community to enhance their skills or to use and develop within their security operations.

We currently have 27 tools, all of which are available to download on our website at talosintelligence.com/software and on GitHub.

Here are the categories that you can find our open-source tools in:

*   Detection and protection engines: Software suites that can work alone or be integrated into broader security systems.
*   Decrytors for decrypting various samples of malware or ransomware.
*   Professional tools for malware analysis and the discovery of vulnerabilities.

In a newly released video from Talos, Martin Lee, our EMEA lead for Strategic Planning and Communications, discusses these categories and how defenders can use our open-source tools:

**Snort**

Our most well-known open-source tool is Snort, which is a leading intrusion prevention and detection system. It is the same engine that is included in Cisco Secure Firewall.

Anyone can download Snort and use it in their security operations to protect against network attacks and/or develop their own network rules.

In this episode of ThreatWise TV, Cisco Talos researchers Brandon Stultz and Nick Mavis not only provide a great overview of Snort 3.0, they also touch on the type of vulnerabilities that tend to trigger the most Snort signatures:

Check out the range of Talos open-source tools available, and do keep the security community informed of how you’re developing them so that we can all learn from each other.

Video: How Talos’ open-source tools can assist anyone looking to improve their security resilience

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between June 9 and June 16. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key

Threat Roundup for June 9 to June 16

The Clop ransomware group has claimed responsibility for exploiting the vulnerability to deploy a previously unseen web shell, LemurLoot.

Friday, June 16, 2023 14:06

*   Cisco Talos is monitoring recent reports of exploitation attempts against CVE-2023-34362, a SQL injection zero-day vulnerability in the MOVEit Transfer managed file transfer (MFT) solution that has been actively targeted since late May 2023.
*   Successful exploitation could lead to remote code execution (RCE), allowing unauthenticated adversaries to execute arbitrary code to support malicious activity, such as disabling anti-virus solutions (AV) or deploying malware payloads.
*   The Clop ransomware group has claimed responsibility for exploiting the vulnerability to deploy a previously unseen web shell, LemurLoot, to exfiltrate victims’ data and extort payments, and Microsoft has attributed these attacks to the same group, according to public reporting.
*   Two more vulnerabilities have since been found in MOVEit Transfer solutions, CVE-2023-35036 and CVE-2023-35708, although at this time, they are reportedly not being actively exploited.

**CVE-2023-34362 details and ongoing exploitation**

On May 31, the Progress Software Corporation released a security advisory warning customers of a vulnerability in internet-facing and on-premises instances of their MOVEit Transfer solution, which could lead to escalated privileges and potential unauthorized access to an environment. The vulnerability, CVE-2023-34362, has been actively exploited since May 27, but the threat actors may have begun experimenting to compromise it as early as 2021.

As of late May, there were approximately 2,500 exposed MOVEit instances primarily located in the U.S., according to public reporting, highlighting its prevalence in enterprise environments.

**Vulnerability details**

The MOVEit Transfer vulnerability, CVE-2023-34362, covers multiple flaws that an attacker can chain together to achieve RCE with elevated privileges. The first part of the exploit chain uses SQL injection to obtain a sysadmin API token. That token can then be used to call a deserialization function that does not properly validate input, allowing for remote code execution.

A second vulnerability, CVE-2023-35036, was assigned and Progress Software released patches and an advisory addressing this issue. Patches for CVE-2023-35036 are meant to mitigate multiple parts of the successful exploit chain initially discovered to have been used during the exploitation of the first vulnerability, CVE-2023-34362.

On June 15, 2023, another vulnerability was identified, CVE-2023-35708. Progress Software is in the process of releasing installable patches for this issue although DLL drop-ins.

**Ongoing exploitation**

The Clop ransomware group released a public statement on their Tor data leak site on June 5, claiming responsibility for the attacks and threatening to publish victims’ data if the extortion demand is not paid. The group provided a deadline of June 14 for victims to initiate contact or else their company name would be posted on the data leak site as a warning. At this time, no data has been published but they have begun publicly naming and shaming affected companies.

  
In this activity, the Clop ransomware group exploited CVE-2023-34362 to install a previously unknown web shell now dubbed “LemurLoot”.

Written in C#, LemurLoot is designed to exfiltrate data and execute on systems running MOVEit Transfer. The web shell is deployed with a hardcoded, 36-character GUID-formatted value used to authenticate incoming connection requests from the threat actor. The authentication code value must be present in the “X-siLock-Comment” header field without which an HTTP 404 error code will be returned to the operator. If the value is correct, the web shell confirms it can accept taskings and connects to an attacker-controlled SQL server.

LemurLoot uses the header field “X-siLock-Step1’ to receive the commands from the operator. There are two well-defined commands: -1 and -2. The fields “X-siLock-Step2’ and  “X-siLock-Step3” are used to hold parameters to be used when no command has been defined.

**_Command “-1”:_** _LemurLoot retrieves Azure system settings from MOVEit Transfer and performs SQL queries to retrieve files._

**_Command “-2”:_** _LemureLoot deletes a user account with the LoginName and RealName set to "Health Check Service"._

For any other values of “X-siLock-Step1,” the web shell will open a file specified by the folder and file name in “X-siLock-Step2”, and “X-siLock-Step3” respectively and retrieve it for the operator.

If no values of “X-siLock-Step2” and “X-siLock-Step3” are specified, then the web shell creates the “Health Check Service” admin user and creates an active session.

**Recommendations  
**

Progress Software Corporation offers several mitigations for safeguarding against potential exploitation of this vulnerability and best practices for network security:

*   Please refer to the advisories for CVE-2023-34362, CVE-2023-35036 and CVE-2023-35708 to apply corresponding patches.
*   Modify firewall rules to deny HTTP and HTTPs traffic to MOVEit Transfer on ports 80 and 443 until the patch can be applied.
*   Delete unauthorized files and user accounts and reset service account credentials.
*   Continuously monitor networks for early detection in the event of a compromise.
*   Update network firewall rules to only allow connections to the MOVEit Transfer infrastructure from known trusted IP addresses.
*   Update remote access policies to only allow inbound connections from known and trusted IP addresses, and use certificate-based access control.
*   Enable multi-factor authentication. Multi-factor authentication (MFA) protects MOVEit Transfer accounts from unverified users when a user's account password is lost, stolen, or compromised.

**Coverage**

Ways our customers can detect and block this threat are listed below.

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.

Umbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

Cisco Talos is releasing the following Snort SIDs to protect against this threat:

*   61876 - 61879
*   61936
*   300582, 300583

The following ClamAV signatures have been released to detect malware artifacts related to this threat:

*   Win.Ransomware.Clop-6881304-0
*   Win.Ransomware.Clop-6887770-0

**IOCs  
****Webshell (LemurLoot)**

702421bcee1785d93271d311f0203da34cc936317e299575b06503945a6ea1e0  
9d1723777de67bc7e11678db800d2a32de3bcd6c40a629cd165e3f7bbace8ead  
9e89d9f045664996067a05610ea2b0ad4f7f502f73d84321fb07861348fdc24a  
d49cf23d83b2743c573ba383bf6f3c28da41ac5f745cde41ef8cd1344528c195  
b1c299a9fe6076f370178de7b808f36135df16c4e438ef6453a39565ff2ec272  
6015fed13c5510bbb89b0a5302c8b95a5b811982ff6de9930725c4630ec4011d  
48367d94ccb4411f15d7ef9c455c92125f3ad812f2363c4d2e949ce1b615429a  
2413b5d0750c23b07999ec33a5b4930be224b661aaf290a0118db803f31acbc5  
e8012a15b6f6b404a33f293205b602ece486d01337b8b3ec331cd99ccadb562e

Active exploitation of the MOVEit Transfer vulnerability — CVE-2023-34362 — by Clop ransomware group

The information leak threats are certainly new, but the education and messaging from security evangelists (and even just anyone trying to educate an older or less security-savvy family member) doesn’t change.

Thursday, June 15, 2023 14:06

Welcome to this week’s edition of the Threat Source newsletter.

Talos’ recent blog post on the dangers posed by the newly released “.zip” top-level domain (TLD) recently outlined how threat actors could create real URLs that look like file names and trick users into clicking on their links. .Zip and other TLDs that share characters with filename extensions also opens the door to accidental information leaks.

But these are far from the first TLDs to be problematic for users, especially those who are less educated about the verbiage that makes the internet work as intended.

The same day .zip was released as a TLD for anyone to register, the Internet Corporation for Assigned Names and Numbers (ICANN) also made .mov available as a TLD. The tricks here are obvious — think of someone who would see a file named “WeddingVideo.mov” and just assume it was from their legitimate family member.

(As a side note, I very much want to own jon.dad now, as .dad is also a TLD released in this batch.)

Attackers have long used tricky URLs to lure victims, though. We’ve written several times about how typo-squatted domains are used in cyber attacks. This is when an adversary takes a legitimate URL like twitter.com and uses a slightly modified version to make it just close enough that it looks like the real thing, like tvitter\[.\]com or twltter\[.\]com. And there are a variety of ways any slight DNS misconfiguration (which goes beyond just typing the URL into a browser window) could lead to information leaks or phishing lures.

The ever-present .com is also a common TLD that gets used to stand up legitimate-looking names for actors.

As security researcher and content creator Bobby Rauch pointed out in this recent post on Medium, attackers have used legitimate websites to mask malicious URLs to avoid detection and suspicion from the target.

For example, they can insert the “@” operator in a website URL to send someone to a different website, even though it may look legitimate.

The URL https://google\[.\]com@bing\[.\]com actually takes the user to bing.com even though it looks like it will send them to Google initially. Regardless of the TLD used there, an attacker could leverage it to trick someone who isn’t savvy enough to examine each detail of a URL.

There are other TLDs that could easily be used in convincing phishing emails or lure documents: .media is a long-available TLD that could easily be worked into a seemingly legitimate-looking file, and I’m assuming I wasn’t the only person to ever assume that the .run TLD could double as a file extension for a Mac driver.

There are certain dangers that .zip and .mov URLs pose to users, but we’ve always known that everyone needs to quadruple-check the URL they plan on visiting. The information leak threats are certainly new, but the education and messaging from security evangelists (and even just anyone trying to educate an older or less security-savvy family member) doesn’t change.

**The one big thing**

June’s Patch Tuesday is the first in a while in which Microsoft’s security updates didn’t include a warning against a zero-day vulnerability. Each of the previous four months included at least one issue that attackers were actively exploited in the wild. Still, Microsoft disclosed almost 70 vulnerabilities across its suite of software and hardware, including several that are “more likely” to be exploited. Cisco Talos specifically discovered two vulnerabilities in Microsoft Excel that the company patched Tuesday. These are important-severity remote code execution vulnerabilities that are triggered if the targeted user opens an attacker-created file.

**Why do I care?**

It’s certainly good news that there are no new zero-days included in this week’s Patch Tuesday — we’ve had enough of those already this year across all software manufacturers. But there are multiple vulnerabilities that are critical and have a very high severity score of 9.8 out of 10 that should be patched immediately.

**So now what?**

A complete list of all the vulnerabilities Microsoft disclosed this month is available on its update page. All Microsoft users should patch immediately or take appropriate mitigation steps as outlined in these advisories. Talos also released several Snort rules that can detect the exploitation of these vulnerabilities or block the attacker from taking malicious actions.

**Top security headlines of the week**

Progress Software released patches for several security vulnerabilities it discovered in its MOVEit file transfer software while researching a high-profile zero-day that has already led to multiple data breaches across the globe. The advisory for the new vulnerabilities states that they “could potentially be used by a bad actor to stage an exploit” but, currently, there is no evidence that they have been exploited in the wild. Security researchers have also published new proof of concept code to exploit CVE-2023-34362, the zero-day in MOVEit, which found that an attacker could exploit the issue to execute remote code on the targeted machine. It previously had only been identified as an SQL injection issue. Attackers have exploited CVE-2023-34362 to steal data from organizations using MOVEit, including the BBC, the Minnesota Department of Education and the Canadian province of Nova Scotia. (SecurityWeek, SC Media)

A group of high-profile American investors is reportedly considering purchasing assets belonging to NSO Group, the Israeli tech firm behind the infamous Pegasus spyware. The potential buyers include a financier who’s long been involved in Hollywood movies and a family member behind the Wrigley’s gum brand. Security experts and journalists have wondered about the financial status of NSO Group after it was added to the U.S. Department of Commerce’s list that bans the U.S. government and American companies from doing business with them. Meanwhile, the NSO Group has also reportedly been paying high-profile lobbying groups in D.C. to try and convince Congress to move the company from the banned list. The materials used by the lobbying groups reportedly state that the NSO Group’s software has a new “human rights governance compliance program.” (The Guardian, Haaretz)

America’s top cybersecurity official warned of the dangers of cyber attacks from Chinese state-sponsored actors, warning that critical infrastructure would become a key target in the event of a military conflict with China. Jen Easterly, speaking at an appearance at the Aspen Institute this week, said that China’s cyber espionage and offensive capabilities are an “epoch-defining threat.” Easterly, the director of the U.S. Cybersecurity and Infrastructure Security Agency (CISA), said Chinese threat actors were also likely to carry out cyber attacks against American infrastructure, like oil pipelines and electrical grids, should the two countries ever get into a kinetic military conflict. National security experts have long warned about a U.S.-China conflict if China ever invaded Taiwan. "Given the formidable nature of the threat from Chinese state actors, given the size of their capability, given how much resources and effort they're putting into it, it's going to be very, very difficult for us to prevent disruptions from happening," Easterly said. (CNBC, Reuters)

**Can’t get enough Talos?**

*   Talos Takes Ep. #142: Horabot is here to do "horable" things to your email inbox
*   The Need to Know: What does it mean when ransomware actors use “double extortion” tactics?
*   Vulnerability Spotlight: Two remote code execution vulnerabilities disclosed in Microsoft Excel
*   Threat Roundup for June 2 - 9
*   ThreatWise TV: Snort trends

**Upcoming events where you can find Talos**

**BlackHat** **(Aug. 5 - 10)**

Las Vegas, Nevada

**Most prevalent malware files from Talos telemetry over the past week**

  
**SHA 256:** a8a6d67140ac6cfec88b748b8057e958a825224fcc619ed95750acbd1d7a4848  
**MD5:** 8cb26e5b687cafb66e65e4fc71ec4d63  
**Typical Filename:** dattService.exe  
**Claimed Product:** Datto Service Monito  
**Detection Name:** W32.Auto:a8a6d6.in03.Talos

**SHA 256:** a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91    
**MD5:** 7bdbd180c081fa63ca94f9c22c457376  
**Typical Filename:** c0dwjdi6a.dll  
**Claimed Product:** N/A    
**Detection Name:** Trojan.GenericKD.33515991

**SHA 256:** 7bf7550ae929d6fea87140ab70e6444250581c87a990e74c1cd7f0df5661575b  
**MD5:** f5e908f1fac5f98ec63e3ec355ef6279  
**Typical Filename:** IMG001.exe  
**Claimed Product:** N/A  
**Detection Name:** Win.Dropper.Coinminer::tpd

**SHA 256:** e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934  
**MD5:** 93fefc3e88ffb78abb36365fa5cf857c  
**Typical Filename:** Wextract  
**Claimed Product:** Internet Explorer  
**Detection Name:** PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg

URLs have always been a great hiding place for threat actors

RA Group also introduces a new wrinkle to double extortion attacks: the threat that it will sell the data on the dark web. Double extortion tactics are known for leaking stolen data, but the sale is a potentially new gambit.

Wednesday, June 14, 2023 08:06

It is no longer enough for ransomware actors to encrypt targets’ files, ask for money, and get out.

Over the past several years, these groups are increasingly relying on “double extortion” tactics to try and coax their victims into paying the requested ransom, or else they will leak stolen data to the internet.

In double extortion ransomware attacks, actors perform traditional ransomware actions of encrypting files and folders on a target’s machine. They leave behind a ransom note asking for a certain amount of money, in exchange for a decryption key that can return the target’s network and hardware back to normal working order.

Of course, there is never any guarantee that this decryption key will work appropriately, so Talos recommends several other ransomware mitigation methods to ensure backups are in place to help an organization recover quickly if they are hit with a ransomware attack.

Actors who use double extortion take this a step further, threatening to leak the target’s data to the public and on the dark web if the ransom is not paid. For some organizations, this puts troves of potentially sensitive data at risk of becoming public information, such as personally identifiable information (PII) or financial information that other bad actors may use in follow-on attacks or to steal someone’s identity.

**What is the end goal of double extortion attacks?**

Ransomware actors hope that by adding on the extra layer of pressure, it makes victims more likely to pay the requested ransom rather than trying to recover on their own.

Any data leaks could lead to legal troubles for the targeted organization, poor public relations and a loss of customer trust.

At the end of the day, ransomware groups are motivated by money. They will do whatever they can to make it more likely for the victim to pay up.

These groups are also increasingly embracing communication with victims to potentially negotiate payment and provide additional pressure on o the victim. Nick Biasini, the head of Talos Outreach, recently discussed these tactics in an episode of Talos Takes, where he summed up ransomware groups’ motivations by saying, “You can’t get a payday if you can’t start a conversation...once they have communication, they know they have a victim who’s potentially ready to play ball.”

**Notable example: RA Group**

RA Group, a new ransomware actor Cisco Talos recently discovered, explicitly uses double extortion tactics. It runs an actor-controlled website where it posts a list of possible victims and publicly threatens to publish the data it steals from targets.

RA Group claims to include the organization’s name, a list of stolen data and the file sizes of the data it stole and the URL of the website belonging to the victim organization. The ransom notes the actor leaves behind are customized for the victim and are told they have three days to pay the requested ransom or they risk all the stolen data being made public.

When the three-day mark is reached, RA Group says it will publish “sample files” to prove the legitimacy of its claims. The leak site states that “we will publish documents regularly and all documents will be released within one year.”

RA Group also introduces a new wrinkle to double extortion attacks: the threat that it will sell the data on the dark web. Double extortion tactics are known for leaking stolen data, but the sale is a potentially new gambit.

The group’s leak site is one of the first examples Talos has seen where it publicly threatens to sell the data to other bad actors during that one-year window. It explicitly tells anyone interested in purchasing the data to contact RA Group via qTox, an encrypted instant messaging platform.

This is potentially a new development in the ransomware landscape and a new way for threat actors to generate revenue from a successful attack.

Talos has researched several other threat actors who started using double extortion methods over the past three years, including UNC2447, Vice Society and Silence Group.

**Prevention**

To defend against double-extortion ransomware attacks, users and organizations should follow the classic advice for avoiding ransomware:

*   Using multi-factor authentication protocols such as Cisco Duo can prevent credential stealing, which often provides threat actors with an initial foothold on the targeted system.

*   Cisco Secure Endpoint and other Cisco Secure offerings provide many layers of protection to make any network more resilient. Cisco Secure and Talos have multiple engines, such as Snort, to detect and prevent initial infection, reconnaissance, lateral movement and file encryption.
*   Incident Response playbooks and plans can help all organizations prepare for a ransomware attack and outlines steps to take in the event of an attack. Cisco Talos Incident Response can assist in the creation and updating of these documents.
*   Perform frequent backups of all systems and important files, and verify those backups are stored in a secure, yet accessible, place. Targets of ransomware can restore operations quickly by restoring from a previous state using backups.
*   Provide cybersecurity training to all employees and users to ensure they’re aware of the dangers of various social engineering tactics and common attack vectors for threat actors.
*   For additional advice and information, refer to the U.S. Cybersecurity and Infrastructure Security Agency’s (CISA) Stop Ransomware website.

What does it mean when ransomware actors use “double extortion” tactics?

Microsoft disclosed these issues and patched them as part of June’s monthly security release for the company.

Tuesday, June 13, 2023 15:06

Cisco Talos recently discovered two vulnerabilities in the Microsoft Excel spreadsheet management software that could allow a malicious actor to execute arbitrary code on the targeted machine.

Microsoft disclosed these issues and patched them as part of June’s monthly security release for the company.

One of the vulnerabilities, TALOS-2023-1730 (CVE-2023-32029), exists in the FreePhisxdb function of Excel. An attacker could exploit this vulnerability by tricking the targeted user into opening a specially crafted file. Then, they can manipulate the heap to gain the ability to execute arbitrary code.

TALOS-2023-1734 (CVE-2023-33133) works similarly, but in this case, causes an out-of-bounds read that turns into an out-of-bounds write, which in turn, could lead to memory corruption and, finally, arbitrary code execution.

Microsoft noted that although these vulnerabilities are listed as “remote code execution,” the attack itself is carried out locally. Both vulnerabilities have a CVSS severity score of 7.8 out of 10 and are considered to be “less likely” to be exploited, according to Microsoft.

Cisco Talos worked with Microsoft to ensure that these issues are resolved and an update is available for affected customers, all in adherence to Cisco’s vulnerability disclosure policy.

Users are encouraged to update these affected products as soon as possible: Microsoft Office Excel 2019 Plus, version 16.0.16130.20218. Talos tested and confirmed this version of Excel could be exploited by these vulnerabilities.

The following Snort rules will detect exploitation attempts against these vulnerabilities: 61503, 61504, 61574 and 61575. Additional rules may be released in the future and current rules are subject to change, pending additional vulnerability information. For the most current rule information, please refer to your Cisco Secure Firewall or Snort.org.

Two remote code execution vulnerabilities disclosed in Microsoft Excel

For the first time in four months, none of the vulnerabilities Microsoft disclosed this Patch Tuesday have been exploited in the wild.

Tuesday, June 13, 2023 14:06

Microsoft released its monthly security update Tuesday, disclosing 69 vulnerabilities across its suite of products and software. Five of these vulnerabilities are considered to be critical, 45 of them are listed as being high severity, 17 of them are medium severity and two are of low severity.

For the first time in four months, none of the vulnerabilities Microsoft disclosed this Patch Tuesday have been exploited in the wild. June is also closer to an average month for Microsoft’s security update after only disclosing 40 vulnerabilities last month, which was nearly a three-year low.

Cisco Talos discovered two vulnerabilities in Microsoft Excel that the company patched Tuesday. These are important-severity remote code execution vulnerabilities that are triggered if the targeted user opens an attacker-created file.

Three critical vulnerabilities — CVE-2023-29363, CVE-2023-32014 and CVE-2023-32015 — in the Windows Pragmatic General Multicast (PGM) server environment with a severity score of 9.8 could lead to remote code execution. In a Windows Pragmatic General Multicast (PGM)  server environment where the Windows message queuing service is running, an attacker could send a specially crafted file over the network to achieve remote code execution and attempt to trigger malicious code. Microsoft has advised users to refer to a setting, standard configuration, or general best practice existing in a default state that could reduce the severity of exploitation of this vulnerability.

CVE-2023-29357 is an elevation of privilege vulnerability in Microsoft SharePoint Server that also has a severity score of 9.8. An attacker who successfully exploits this vulnerability could gain administrator-level privileges. They could have access to spoof the JSON Web Token \[JWT\] authentication tokens and use them to execute a network attack that bypasses the authentication and allows them to gain access to the privileges of an authenticated user. The attacker requires no user interaction to exploit this vulnerability. Microsoft has advised that customers should apply all updates offered for the SharePoint Enterprise server. On-premises customers can enable the AMSI feature, which protects them from this vulnerability.

Talos would also like to highlight a few high-severity vulnerabilities that Microsoft considers “more likely” to be exploited.

A high-severity remote code execution vulnerability, CVE-2023-28310, exists in Microsoft Exchange Server. An authenticated attacker on the same intranet as the Exchange Server can achieve remote code execution via a PowerShell remote session.

CVE-2023-29358, an elevation of privilege vulnerability in the Windows graphics device interface (GDI), is a use-after-free vulnerability in the Win32k kernel driver. An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.

CVE-2023-29361 could also allow an attacker to gain SYSTEM privileges if they exploit a use-after-free issue in the Windows Cloud Files Mini Filter Driver.

Microsoft Exchange server contains a high-severity remote code execution vulnerability, CVE-2023-32031, with a severity score of 8.8. An attacker successfully exploiting this vulnerability could target the server accounts in an arbitrary or remote code execution. As an authenticated user, the attacker could attempt to trigger malicious code in the context of the server's account through a network call.

Another elevation of privilege vulnerability, though only considered "important," CVE-2023-29371, exists in the Windows Win32k kernel driver. An attacker could modify a curve without updating the cCurves values, which leads to an out-of-bounds write in win32kfull when the curves’ edges get processed, ultimately giving them system privileges.

One medium-severity worth noting is CVE-2023-29352, a security feature bypass vulnerability in Windows Remote Desktop. An attacker who successfully exploited this vulnerability could bypass certificate validation during a remote desktop connection by creating a validly signed “.RDP” file to bypass warning prompts when executed.

A complete list of all the vulnerabilities Microsoft disclosed this month is available on its update page.

In response to these vulnerability disclosures, Talos is releasing a new Snort rule set that detects attempts to exploit some of them. Please note that additional rules may be released at a future date, and current rules are subject to change pending additional information. Cisco Secure Firewall customers should use the latest update to their rule set by updating their SRU. Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

The rules included in this release that protect against the exploitation of many of these vulnerabilities are 61907 - 61911, 61915, 61916, 61933  - 61935 and 61937 - 61939. The Snort 3 rules released for these vulnerabilities are 300592, 300593, 300595 and 300600.

Microsoft discloses 5 critical vulnerabilities in June's Patch Tuesday, no zero-days

As a result of user applications increasingly registering actual “.zip” files as URLs, these filenames may trigger unintended DNS queries or web requests, thereby revealing possibly sensitive or internal company data in a file’s name to any actor monitoring the associated DNS server

Tuesday, June 13, 2023 08:06

*   Google’s recent offering of the “.zip” top-level domain (TLD) has led security researchers and likely threat actors to register numerous domains for red teaming and phishing attacks, respectively, causing new challenges for organizations and cybersecurity professionals.
*   As a result of user applications increasingly registering actual “.zip” files as URLs, these filenames may trigger unintended DNS queries or web requests, thereby revealing possibly sensitive or internal company data in a file’s name to any actor monitoring the associated DNS server.
*   Leaked filenames can be extremely valuable to advanced adversaries who may use this information in a variety of ways, including in lures masquerading as internal company documents and archives for social engineering and infecting targets.

**Top-level domains and file extensions**

As a result of Google’s announced sale of new TLDs that are also popular file extension formats, there is an increased risk with the deployment of the “.zip” domain that threat actors will develop new vectors for compromising victims. In early May 2023, Google released eight new TLDs, marketing the “.zip” domain as a way of letting an audience know that a domain’s owner is “fast, efficient, and ready to move.” However, the move presents serious concern that domains using the “.zip” filename format could be confused with legitimate filenames, and vice versa, compounding the problem of users recognizing potential phishing attempts.

_Google Domains page_ _for the new “.zip” TLD showing prices to acquire a new domain._

In a very short period of time, the general availability of the “.zip” TLD has led to a suspiciously high volume of domains being registered that resemble a wide variety of internal company filenames. Owning and controlling these domains can benefit attackers by leaking filenames via automatic DNS resolutions or using these domains as launch points for potential exploits and malware artifacts. Cisco’s Umbrella telemetry and open-source research indicate that many of these domains may be used for malicious attacks in the future.

Aggregate data for new domains registered under the TLDs offered by Google since May 3, 2023, shows that “.zip” is the most popular extension by a large margin:

_Domaintools statistics_ _of new domains registered for each new TLD offered by Google since May 3, 2023, show the “.zip” TLD outpacing all others._

The significantly greater popularity of the “.zip” TLD is likely due to the fact that “.zip” is a common file format used in phishing attacks and malware delivery. Security researchers have already highlighted several recently registered “.zip” TLDs with domain names commonly used in phishing attacks:

_A_ _list of domains_ _likely registered by security researchers or possible threat actors, likely with the intention to use as phishing domains._

_Security research group VX-Underground_ _showing an example_ _of a domain that can be used for phishing._

**How URLs based on filenames can leak information**

Talos assesses that domains employing “.zip” and similar TLDs increase the likelihood of sensitive information disclosures through unintended DNS queries or web requests. With the availability of the new “.zip” TLDs, messaging applications like Telegram or internet browsers began reading strings ending in “.zip” as URLs and automatically hyperlinking them. This is especially problematic in chat applications, which sometimes trigger a DNS or web request to show a thumbnail of the linked page. For example, the following chat application changed what was meant to be the name of a file “update\[.\]exe\[.\]zip” to a hyperlink pointing to the URL “https\[://\]update.exe\[.\]zip”:

_Chat application changing a filename to a URL._

In this case, even mentioning a valid filename in a chat could trigger a DNS lookup and leak internal filenames to whoever controls that domain’s DNS server. In other cases, if the user searches for a “.zip” file that doesn’t exist in Windows Explorer, the application will search online for the file and may reach the domain instead.

_Researcher_ _disclosing an issue with Windows Explorer_ _opening “.zip” files as a URL._

In an information leak scenario, a malicious user in control of a “.zip” domain’s DNS server filters requests by the network of the companies they’re targeting and collects internal filenames, providing possible leverage during an actual attack. MITRE even describes some of these activities in the ATT&CK Framework as part of the Reconnaissance Tactics, like T1589 and T1591, which describe techniques to gather information about a target user and the corporation itself.

**Observations in the wild**

When Google announced its offering in early May 2023, Talos began monitoring telemetry data for occurrences of “.zip” usage in URLs. We observed a wealth of filenames being queried against various “.zip” domain names containing all kinds of information. For example, Cisco Umbrella DNS data reveals many filenames that could indicate phishing attempts, like the domain “secure-access-4a907q5xsg5q5354\[.\]fbmsg\[.\]xyz\[.\]zip”, as well as many file names similar to the ones used in malware campaigns (e.g., “report\_<random\_numbers>\[.\]pdf\[.\]zip”).

_Snippet of Cisco Umbrella DNS data showing queries for “.zip” domains in a 24-hour period._

Our data shows occurrences of real filename resolutions containing potentially internal and sensitive information, such as project names, personally identifiable information (PII), geography and order or contract names and numbers – basically anything that can be used in an effective lure by threat actors in a future attack, judging from DNS query data.

Filename

Possible information leaked 

Expressvpn\_windows\_12.49.0.4\_release.\*\*\*.zip

Old versions of applications in use inside the corporate network

Hsbc\_tradinghub\_equity\_orders\_20230511.\*\*\*.zip

Potential business relationships

Sx\_corporateaction\_id000xxxxxxx\_0.\*\*\*.zip

Employee/User ID

Djsb\_labour\_market\_data\_-\_employment\_data\_summary\_sa4\_2018.\*\*\*.zip

Corporate information

fitbitcofceva\_000xxxxxxx\_20230303\_xxxxxxxxxx.\*\*\*.zip

Personal user identification information

Examples of filenames found in DNS query data. Some information has been obfuscated to avoid showing potential identifying information.

**What users can do**

Many cybersecurity professionals currently recommend that companies completely block “.zip” domains at their firewalls. Although this tactic may be currently sufficient since the usage of the “.zip” TLD is not yet widespread, that may not be the case in the future. As more companies begin adopting “.zip” domains, blocking an entire TLD would not be feasible. In any case, SOC operators will need to be aware of the risks of information leaks and phishing attempts using these domains and will have to adapt their tools to monitor for such events.

Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here. Cisco’s Umbrella customers may use wildcards in destination lists to block the “.zip” TLD and open specific domains on a case-by-case situation depending on their users' needs. More information about this can be found in Umbrella documentation.

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.  
The following Snort SIDs are applicable to this threat: **61861 - 61864.**

".Zip" top-level domains draw potential for information leaks

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between June 2 and June 9. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key