Today, Talos is publishing a glimpse into the most prevalent threats we've observed between April 7 and April 14. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key

Threat Roundup for April 7 to April 14

Microsoft zero-days, dark web forum takedowns and Pentagon leaks on Discord in this week's newsletter.

Thursday, April 13, 2023 14:04

Welcome to this week’s edition of the Threat Source newsletter.

Law enforcement organizations across the globe notched a series of wins over the past few weeks against online forums for cybercriminals.

On March 23, the FBI announced it disrupted the online cybercriminal marketplace BreachForums, known for being a place where users could buy and sell stolen user information. They also arrested a 20-year-old suspected of being the site’s founder and main administrator.

Then last week we had “Operation Cookie Monster” in which several international agencies worked together to take down Genesis Market, a similar dark web forum, arresting dozens of suspected users and administrators.

These arrests and network operations are important in that they disrupted sites that were known for highly sensitive information and served as a place for some of the most prolific cyber criminals to make money. The U.S. Department of Justice estimated that Genesis Market was responsible for the sale of data on more than 1.5 million compromised computers around the world containing over 80 million account access credentials. And the U.K.’s National Crime Agency (NCA) said credentials were available for as little as 70 cents to hundreds of dollars depending on the stolen data available.

But the user base for these sites was also huge (after all, someone had to be buying those credentials). At the time of its takedown, BreachForums had 340,000 members, according to the FBI. And reporting on Operation Cookie Monster stated that Genesis Market had 59,000 registered users.

So while it’s great that these sites have been disrupted, I can’t help but assume that two more sites are going to pop up to service these cyber criminals. It’s impossible for any agency to arrest 340,000 people, so even if a handful of administrators are restricted from accessing the internet for a while, the other 339,000 people are going to be looking for a new home.

Some of the same agencies celebrated in March 2021 that they disrupted Emotet, one of the most infamous botnets ever. As anyone who follows security news will know, Emotet didn’t actually go anywhere and was recently rebooted as recently as last month, according to our research.

RaidForums, a forefather of BreachForums, was also disrupted in April 2022, along with the arrest of several administrators and accomplices.

All of this is not to discount the great strides made in the past few weeks in disrupting these marketplaces and taking them offline. But a lot of these headlines are sounding familiar to me after a few years, so it’s important to remember that we as a security community can’t take our foot off the gas and assume that because there were a few big wins that dark web forums are just going to go away forever.

**The one big thing**

Microsoft’s Patch Tuesday for April included another zero-day vulnerability in the Windows Common Log File System Driver. CVE-2023-28252, which could allow an attacker to obtain SYSTEM privileges, is actively being exploited in the wild, according to Microsoft. The U.S. Cybersecurity and Infrastructure Security Agency already added the vulnerability to its list of know exploited issues and urged federal agencies to patch it as soon as possible. Microsoft disclosed a similar zero-day issue in September that could also lead to the same privileges: CVE-2022-37969.

**Why do I care?**

Security researchers say that the vulnerability has already been exploited in Nokoyawa ransomware attacks, so it’s important to patch this issue as soon as possible. The Nokoyawa ransomware is known for targeting 64-bit Windows systems in double extortion attacks in which the actors encrypt targets’ files and then threaten to leak them unless the ransom is paid.

**So now what?**

Microsoft has a patch available, so all Windows users should update now if they haven’t already. Talos also has new Snort detection coverage available for CVE-2023-28252 and other vulnerabilities disclosed as part of Patch Tuesday.

**Top security headlines of the week**

**A trove of classified military documents and images leaked on several social media channels** over the past week, including potentially sensitive information on Russia’s invasion of Ukraine and China’s military plans. The images first surfaced in a Discord channel, eventually making their way onto the Telegram messaging app, the popular forum 4Chan and then broader social media sites like Twitter. The U.S. Department of Justice and the Pentagon have since launched a formal investigation into the leaks. Ukrainian officials have blamed Russian actors for the leaks, trying to cast doubt on the authenticity of the images, while Russia accused Western governments of trying to spread disinformation. (Bellingcat, New York Times)

**Apple released patches for two zero-day vulnerabilities** targeting current and older versions of iOS, iPadOS, macOS and Safari that attackers were exploiting in the wild. The vulnerabilities, CVE-2023-28206 and CVE-2023-28205, could lead to arbitrary code execution. CVE-2023-28206 specifically could allow an adversary to execute code with kernel privileges. Apple initially patched the issue in current iPhones and other devices and followed up a few days later with fixes for older hardware like the iPhone 8. This was the third instance of Apple patching a zero-day vulnerability since the start of the year. (SC Media, Security Week)

**The FBI warned users again this week against plugging their phones in public charging stations** at common spaces like airports, hotels and shopping centers. The agency stated that threat actors have found ways to use the public USB ports to “introduce malware and monitoring software onto devices." Instead, the Federal Communications Commission suggests users carry their own USB cables and charging blocks to plug directly into outlets rather than relying on or trusting a cable. However, the tweet from the FBI’s Denver office did not offer examples of any recent attacks that would have prompted a fresh warning. (Axios, NBC News)

**Can’t get enough Talos?**

*   How threat actors are using AI and other modern tools to enhance their phishing attempts
*   How do you hunt cybersecurity threats in a war zone? Like this
*   Cisco unveils latest security trends from Cisco Talos report at GISEC 2023
*   Researcher Spotlight: Giannis Tziakouris first learned how to fix his family’s PC, and now he’s fixing networks all over the globe

**Upcoming events where you can find Talos**

**RSA** **(April 24 - 27)**

San Francisco, CA

**Cisco Talos Incident Response: On Air** **(April 27)**

Virtual

**Cisco Live U.S.** **(June 4 - 8)**

Las Vegas, NV

**Most prevalent malware files from Talos telemetry over the past week**

  
**SHA 256:** 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
**MD5:** 2915b3f8b703eb744fc54c81f4a9c67f  
**Typical Filename:** VID001.exe  
**Claimed Product:** N/A  
**Detection Name:** Win.Worm.Coinminer::1201

**SHA 256:** e248b01e3ccde76b4d8e8077d4fcb4d0b70e5200bf4e738b45a0bd28fbc2cae6  
**MD5:** 1e2a99ae43d6365148d412b5dfee0e1c  
**Typical Filename:** PDFpower.exe  
**Claimed Product:** PdfPower  
**Detection Name:** Win32.Adware.Generic.SSO.TALOS

**SHA 256:** f3d5815e844319d78da574e2ec5cd0b9dd0712347622f1122f1cb821bb421f8f  
**MD5:** a2d60b5c01a305af1ac76c95e12fdf4a  
**Typical Filename:** KMSAuto.exe  
**Claimed Product:** N/A  
**Detection Name:** W32.File.MalParent

**SHA 256:** e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934  
**MD5:** 93fefc3e88ffb78abb36365fa5cf857c  
**Typical Filename:** Wextract  
**Claimed Product:** Internet Explorer  
**Detection Name:** PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg

**SHA 256:** 00ab15b194cc1fc8e48e849ca9717c0700ef7ce2265511276f7015d7037d8725  
**MD5:** d47fa115154927113b05bd3c8a308201  
**Typical Filename:** mssqlsrv.exe  
**Claimed Product:** N/A  
**Detection Name:** Trojan.GenericKD.65065311

Threat Source newsletter (April 13, 2023) — Dark web forum whac-a-mole

Talos also alerted Lenovo that the clock’s hardcoded root password is weak and easily guessed or cracked.

Thursday, April 13, 2023 10:04

_Kelly Leuschner and Thorsten Rosendahl discovered this vulnerability._

Cisco Talos researchers recently discovered a vulnerability in the Lenovo Smart Clock Essential that could allow an attacker to completely take over the device if they have access to the network the clock is connected to.

TALOS-2023-1692 (CVE-2023-0896) exists because the smart clock does not change its hardcoded credentials once it's set up and connected to the network. Therefore, an attacker could use a specially crafted command line argument to gain full control of the device using SSH or telnet if they already have network access.

Talos also alerted Lenovo that the clock’s hardcoded root password is weak and easily guessed or cracked. Even on low-end hardware, and with a basic dictionary, the brute force took less than a second.

The default username is “root” and the default password is “123456”.

The clock includes a built-in microphone to accept voice commands and connects to the popular Amazon Alexa smart home system and AI assistant.

The file system is accessible and offers enough room to install undesired software/services.

Cisco Talos worked with Lenovo to ensure that these issues are resolved and an update is available for affected users, all in adherence to Cisco’s vulnerability disclosure policy.

Users are encouraged to update these affected products as soon as possible: Lenovo Group Ltd. Smart Clock Essential, version 4.9.113. Talos tested and confirmed this version of the clock could be exploited by this vulnerability. Users should update to Lenovo Smart Clock Essential software version 90 or later to fix this vulnerability, according to Lenovo. (The version information can be checked in your Alexa App under “Devices.”)

The following Snort rule will detect exploitation attempts against this vulnerability: 61094. Additional rules may be released in the future and current rules are subject to change, pending additional vulnerability information. For the most current rule information, please refer to your Cisco Secure Firewall Management Center or Snort.org.

Vulnerability Spotlight: Hard-coded password vulnerability could allow attacker to completely take over Lenovo Smart Clock

Tools like ChatGPT aren't making social engineering attacks any more effective, but it does make it faster for actors to write up phishing emails.

Thursday, April 13, 2023 00:04

*   Phishing attacks are increasingly more targeted and customized than in the past.
*   The proliferation of additional communications channels such as mobile devices and social media provides attackers with new avenues to phish users.
*   The technology behind phishing attacks evolves as necessary for cybercriminals to bypass content filters and successfully transmit and display the phishing content to the victims.
*   Artificial Intelligence (AI) apps provide attackers with the means to generate highly customized content that makes phishing lures even more convincing.

Cybercriminals often find it easier to trick users into compromising their own security rather than utilizing exploits or highly technical attacks to break into networks. Deceiving users to convince them into divulging sensitive information or take inappropriate actions is known as “social engineering” and this tactic can be extremely effective, regardless of whatever technological defenses have been deployed. As a result, social engineering has become a mainstay in cybercriminals’ arsenals.

Social engineering can take many forms. However, by far the most popular type of contemporary social engineering is phishing. Phishing is the practice of sending victims fraudulent communications that appear to come from a reputable source. It is most often performed through email though other communications platforms such as phone calls and text messages on mobile devices, social media, or chat rooms can also play host to phishing attacks.

The goal of a phishing attack is to steal sensitive data like credit card and/or login information or to install malware on the victim's machine. Phishing has evolved considerably over the past dozen-or-so years. We now have many different subtypes of phishing, including spear phishing (targeting specific users in phishing attacks), whaling (phishing specific high-profile users who have considerable resources or access privileges), smishing (phishing users via SMS messages), quishing (phishing using QR codes) and vishing (telephone-based phishing).

**Phishing attacks have become more targeted**

The earliest phishing attacks, such as those conducted via instant messaging applications like AOHell, intentionally cast a broad net, aiming to snare as many victims as possible. However, phishing in this way has become less effective over time. In order for a phishing attack to succeed, an attacker must first deliver their phishing messages to the victims, and sending a large volume of similar-looking phishing messages to a large number of recipients attracts a considerable amount of attention from security devices and personnel.

On the other hand, only sending a handful of phishing emails is orders of magnitude more difficult for network defenders to prevent. This is the idea behind spear phishing: Attackers narrow the phishing target pool down to a smaller desired group of victims who can be sent a more customized phishing attack. The smaller volume of email increases the odds the message will be successfully delivered to the users and will not be filtered out or flagged by network security devices, and customization raises the likelihood the recipient will view the email as legitimate.

**More locations for phishing**

The proliferation of mobile devices and social media applications has provided phishers with multiple vehicles besides email in which to conduct their attacks. Phishers have been known to use applications such as LinkedIn, Instagram, Facebook, Telegram, Discord, Twitter and other social media apps to transmit phishing messages to victims. We also now regularly receive phishing messages transmitted over SMS and even using QR codes.  

A phishing link to “metamask.lc” is tweeted in reply to a tweet from the real @MetaMask Twitter account.‌ ‌

An example of an SMS phish using a link shortener to hide the true destination URL.

Not all phishing happens online. Some phishers now take a hybrid approach where phishing emails are transmitted, but rather than containing a link to a phishing website or malware, the email contains a phone number that the victim is meant to call where the victim can then be further socially engineered over the telephone.

**Evasion tactics help bypass security devices and fool users**

Security devices are constantly monitoring the network for signs of phishing content and then marking the content as fraudulent or even discarding phishing messages altogether. Today, a successful cybercriminal must find ways around the anti-phishing security technology in place. There are several ways today’s cybercriminals attempt this:

*   Placing text information or links inside images.
*   Using large attachments that cannot be scanned due to their size.
*   HTML smuggling.
*   Using various attachment file types (.doc, .one, .lnk, password-protected .zip).
*   Hiding phishing links behind link-shortening services.
*   Varying the phishing message content by including hidden garbage text pulled from books.
*   Using links to lookalike domain names, known as typosquatting, or domain names that have specially crafted subdomains, ex. www.office.com.login.evilbadguy.com.
*   Transmitting messages from compromised legitimate accounts.
*   Using the browser-in-the-browser technique.

**More convincing phishing lures**

Contemporary phishing lures tend to fall into two basic categories. Many phishing messages attempt to replicate transactional messages, for example, an invoice or receipt for a purchase. Other phishing messages tend to target victims who are eager for news about specific topics, such as current events, natural disasters or the latest celebrity gossip.

With readily accessible open-source information and publicly available breach data, there can be a substantial trove of sensitive information concerning individuals/groups that is freely available online to attackers who are motivated enough to search. This information can be used to customize phishing emails and make phishing content even more relevant to the victims.

To aid in customizing phishing content, attackers are increasingly turning to AI apps such as ChatGPT that can be used to generate phishing content that sounds quite convincing. Fortunately, the designers of ChatGPT have built some guardrails so that attackers cannot simply ask ChatGPT to generate a phishing lure.

However, by phrasing the question a little differently, ChatGPT will help generate convincing content for use in phishing attacks.

Over the past few years, we have seen how some attackers, such as those behind Emotet, have leveraged existing email threads to compel targets to open attachments or click links. Using AI applications similar to ChatGPT, those malicious emails could be customized based on the context of those prior threads.

Voice cloning is another piece of AI technology that is expected to play a role in future phishing attacks. Deepfake technology has already progressed to the point that users can be fooled by a familiar voice over the telephone and once deepfake tools become more widely available, we expect attackers to deploy this as an additional mechanism to phish users.

**Protecting users from today’s phishing attacks**

Of course, as phishing content becomes easier to generate and customize to a specific victim, it becomes increasingly harder to defend. Educating users about how to recognize a phishing attack can be helpful. Additionally, deploying multi-factor authentication such as Cisco Duo is a solid defense that can thwart phishing attacks. Understanding regular network traffic patterns using products like Cisco Secure Network Analytics can help your network security personnel recognize unusual activity that could be related to a successful phishing attack. It is also a good idea to have your email delivered through a secure gateway such as Cisco Secure Email that can scan the email contents for phishing, malware and other email-based attacks. DNS security products such as Cisco Umbrella can help prevent users from navigating to or downloading content from phishing domains.

How threat actors are using AI and other modern tools to enhance their phishing attempts

April is the third month in a row in which at least one of the vulnerabilities Microsoft released in a Patch Tuesday had been exploited in the wild prior to disclosure.

Tuesday, April 11, 2023 15:04

Microsoft released its monthly round of security updates and patches today, continuing its trend of fixing zero-day vulnerabilities on Patch Tuesday.

April's security update includes one vulnerability that’s actively being exploited in the wild. There are also eight critical vulnerabilities and the remaining 90 are considered “important.”

CVE-2023-28252, an elevation of privilege vulnerability in the Windows Common Log File System Driver, is actively being exploited in the wild, according to Microsoft, though proof of concept code is not currently available. An adversary could exploit this vulnerability to gain SYSTEM privileges.

The U.S. Cybersecurity and Infrastructure Security Agency already added the vulnerability to its list of know exploited issues and urged federal agencies to patch it as soon as possible.

Microsoft disclosed a similar zero-day issue in September that could also lead to the same privileges: CVE-2022-37969. April is the third month in a row in which at least one of the vulnerabilities Microsoft released in a Patch Tuesday had been exploited in the wild prior to disclosure.

Two of the critical vulnerabilities Microsoft also patched are in the Layer 2 Tunneling Protocol: CVE-2023-28219 and CVE-2023-28220. An unauthenticated attacker could send a specially crafted connection request to a RAS server, which could lead to remote code execution on the RAS server machine. These vulnerabilities do not require any user interaction to be exploited, but the adversary would need to win a race condition to be successful.

One of the most severe issues is CVE-2023-21554, a remote code execution vulnerability in the Microsoft Message queuing system. Microsoft considers exploitation of this vulnerability to be “more likely,” and it received a CVSS severity score of 9.8 out of 10. Users who want to check to see if they’re being targeted by the exploitation of this vulnerability can run a check to see if there’s a service named “Message Queuing” on their machine, and if TCP port 1801 is listening on the machine.

CVE-2023-28231, a remote code execution vulnerability on the DHCP server service, is also considered “more likely” to be exploited. An attacker could exploit this vulnerability by sending a specially crafted RCP call to the targeted DHCP server. However, the adversary first must gain access to the restricted network.

There are four other critical vulnerabilities, though Microsoft considers them “less likely” to be exploited:

*   CVE-2023-28232: Windows Point-to-Point Tunneling Protocol remote code execution vulnerability

*   CVE-2023-28240: Windows Network Load Balancing remote code execution vulnerability    
    CVE-2023-28250: Windows Pragmatic General Multicast (PGM) remote code execution vulnerability
*   CVE-2023-28291: Raw Image Extension remote code execution vulnerability

A complete list of all the vulnerabilities Microsoft disclosed this month is available on its update page.

In response to these vulnerability disclosures, Talos is releasing a new Snort rule set that detects attempts to exploit some of them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Cisco Secure Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

The rules included in this release that protect against the exploitation of many of these vulnerabilities are 61606, 61607 and 61613 - 61620. There are also Snort 3 rules 300496, 300499 and 300500.

Microsoft Patch Tuesday for April 2023 — Snort rules and prominent vulnerabilities

As a senior incident responder, Giannis helps Cisco Talos Incident Response customers secure and respond to security incidents across the world.

Monday, April 10, 2023 07:04

Giannis Tziakouris had a problem growing up: He kept breaking his PC.

He loved experimenting on his family’s home computer, but things didn’t always go as planned. That’s when his dad told him he had to learn how to fix the PC and get it back up and running, or he’d revoke Giannis’ computer access.

Giannis took up the challenge and decided to lean into his information technology education. While he was still in high school, he started taking Cisco CCNA exams and eventually enrolled at the University of Birmingham in the U.K., receiving a master’s and Ph.D. in computer security.

Now, he spends every day helping others fix their computers on certainly a larger level than his home PC. As a senior incident responder, Giannis helps Cisco Talos Incident Response customers secure and respond to security incidents across the world.

This ranges from planning proactive services such as Cyber Range trainings and tabletop exercises, to responding to active cyber-attacks. He is currently based in the United Arab Emirates supporting customers globally after spending several years assisting customers in the Asia-Pacific region out of Singapore.

Giannis said he most enjoys delivering Threat Hunting service to customers, during which he practices networking, disk and memory forensics to identify threats in their environment.

“It’s exciting because we can see various TTPs being leveraged in different environments, even some zero-day threats,” he said.

Prior to working in incident response, Giannis was in one of the few roles that could be considered more high-stakes than emergency IR, working with the International Criminal Police Organization (Interpol) as a lead digital crime analyst.

He helped with active investigations into criminal enterprises with Interpol member countries involving illegal firearms trades and narcotics sales, as well as crimes against vulnerable communities. He used his cybersecurity background to lead darknet and cryptocurrency-related investigations to track and profile bad actors.

With Interpol, Giannis said he learned that he enjoyed working under pressure and taking on new challenges every day, which is what eventually attracted him to incident response.

“\[With Talos IR\], there are no two days that are the same,” he said. “You are not working with specific tools or people. We’re playing with different technologies, and it’s extremely challenging.”

As Brad Garnett, Giannis’ team leader, stated several times, incident response requires teamwork and soft people skills along with the technical and cybersecurity knowledge necessary to be successful in the field. While Giannis acquired his technical skills through his education, he developed his soft skills as he started as a university teaching assistant and then at Interpol.

“Cybercrime is global — it knows no boundaries,” he said. “For some techies, communication can be a challenge in a business environment. As part of Interpol, I dealt with stakeholders from a diverse set of cultures and countries. It’s similar at Talos where we need to communicate with various global stakeholders to efficiently solve urgent issues at hand.”

Regardless of the geographic area where the customer comes from, Giannis said most organizations have similar security concerns. Most defenders are still asking many questions about ransomware, info-stealers and state-sponsored actors, he said, and more recently there’s a rising interest in how defenders and network managers can use AI tools to simplify their operations.

Outside of his day-to-day duties with IR, Giannis says he’s even working on an AI tool that can assist defenders to perform more accurate detections in security operation centers.

For him, Giannis said it’s the people that really make or break any security operation, and he urges teamwork and trust among all the customers he works with. Talos IR exemplifies this too, he said, by building a team that works well together and leaves room for a flexible work schedule and time to unwind in a business that has historically led to employee burnout. In his free time, Giannis likes to scuba dive because “it’s extremely peaceful when you’re down there.”

“An organization is nothing more than your employees,” he said. “I have amazing colleagues whom I enjoy working with and learning from, as well. If you don’t have that, it can be very tough \[in incident response\].”

If your organization would like to work with Giannis or one of his fellow Talos IR team members, you can reach out to them here. Talos Incident Response offers a range of proactive services for security teams, including hands-on tabletop exercises, a state-of-the-art cyber range for training and much more.

Researcher Spotlight: Giannis Tziakouris first learned how to fix his family’s PC, and now he’s fixing networks all over the globe

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between March 31 and April 7. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key

Threat Roundup for March 31 to April 7

Be prepared to discuss difficult topics with potential new third-party software vendors, such as incident notification requirements, access to logs during a security incident and who the important emergency contacts are.

Thursday, April 6, 2023 14:04

Welcome to this week’s edition of the Threat Source newsletter.

It seems like we can’t go a full calendar year without a major supply chain attack. In late 2020 we had the SolarWinds incident (which, doesn’t that somehow seem like five years ago but also yesterday?), then the REvil ransomware group infiltrating the Kaseya VSA software in the summer of 2021 and last week we had another attack targeting the 3CX Desktop Softphone application.

For now, the adversaries behind the 3CX supply chain attack seem mainly focused on infiltrating cryptocurrency-related companies and exchanges to steal money. But we’ve still yet to see the full scale of this attack — the 3CX website claims to have over 600,000 customers and 12 million daily users. In the company’s latest update on the security incident, 3CX said the “incident was carried out by a highly experienced and knowledgeable hacker.”

So even though we’ve been talking about the importance of defending against supply chain attacks for three years now, I felt like this was a good place to round up all the information Talos has available on preparing for and preventing supply chain attacks. Here are a few tips with some handy links:

*   If your organization is specifically affected by the 3CX supply chain attack, Cisco Secure and Talos have a range of detection available across the Cisco portfolio. 3CX also has instructions for uninstalling the affected desktop application on its website.
*   Be prepared to discuss difficult topics with potential new third-party software vendors, such as incident notification requirements, access to logs during a security incident and who the important emergency contacts are. Talos Incident Response has a full list of these questions in this blog.
*   Take an inventory of the SaaS applications your organization uses and document their business use case and relevant access authorizations. Nick Biasini and I talk about the importance of asset management in this episode of Talos Takes right after the SolarWinds incident.
*   Implement a zero-trust approach to security so that your organization verifies every access attempt. This also means only assigning the appropriate rights to each user on a network that they need to do their job.
*   Create an incident response plan and/or playbook so your organization is ready to respond in the event of a supply chain attack. Cisco Talos Incident Response can help with that.

**The one big thing**

The developer of the Typhon Reborn information stealer recently released an updated version (V2) that includes significant updates to its codebase and improved capabilities. Most notably, the new version features additional anti-analysis and anti-virtual machine (VM) capabilities to evade detection and make analysis more difficult.

**Why do I care?**

Once on an infected machine, the stealer can harvest and exfiltrate sensitive information and uses the Telegram API to send stolen data to attackers. This can include highly sensitive data, such as login information to cryptocurrency wallets and exchanges, VPN clients and email and messaging clients. The latest version of the stealer is available on dark web forums for a relatively low price in comparison to other information stealers, so Talos researchers suspect this malware will pop up in cyber attacks going forward.

**So now what?**

The Talos blog has a full rundown of the Cisco Secure detection capabilities in place to prevent the execution of this malware and alert users if it’s on their network.

**Top security headlines of the week**

While the proposed “RESTRICT Act” in U.S. Congress is widely known as the “TikTok ban,” it would **actually do much more than restrict the popular social media app in the U.S.** Critics of the bill say, if passed, it would give the Executive Branch greater control over the online marketplace and potentially restrict the sale of other software that could be viewed as potentially dangerous like VPNs that consumers use to encrypt and route their traffic. The White House is in favor of the bill, saying that it would protect American national security by restricting data collection from foreign governments. However, the language of the bill only says it would restrict software from countries identified as a “foreign adversary,” which currently includes China, Cuba, Iran, North Korea, Russia and Venezuela. (Vice, The Electronic Frontier Foundation)

International law enforcement agencies **seized several domain names tied to Genesis Market,** a popular cybercrime store, on Wednesday, while also arresting some of its alleged administrators. Genesis Market was known to sell access to stolen passwords and other data. Customers who purchased this information could load the victim’s authentication cookies into their web browser to access their online accounts without needing a password and sometimes bypass multi-factor authentication. Arrest warrants were reportedly out for several individuals involved in the marketplace in the U.S., Canada and Europe. During a series of raids this week, the UK's National Crime Agency (NCA) arrested 24 people who are suspected users of the site. (BBC News, Krebs on Security)

**Online alcohol recovery startups Monument and Tempest were mistakenly sharing users’ health information** and data with third-party advertisers for years without their consent, according to a data breach notification filed with California’s attorney general. Monument, which acquired Tempest last year, assists customers in dealing with and recovering from alcohol abuse, including offering online counseling, an anonymous forum and the ability to prescribe medication. The company said in the filing that they were mistakenly sharing information through third-party ad tracking systems such as those from Google and Meta. The data shared with advertisers included patients’ photos, the answers to online questionnaires about their health and alcohol use, personally identifiable information (PII) and their insurance providers. (TechCrunch, The Verge)

**Can’t get enough Talos?**

*   Talos Takes Ep. #133: The defensive and offensive implications of ChatGPT and AI
*   Vulnerability Spotlight: Buffer overflow vulnerability in ADMesh library
*   Threat Roundup for March 24 - 31
*   Vulnerability Spotlight: Vulnerability in ManageEngine OpManager could lead to XXE attack
*   Typhon Reborn Stealer Malware Resurfaces with Advanced Evasion Techniques

**Upcoming events where you can find Talos**

**RSA** **(April 24 - 27)**

San Francisco, CA

**Cisco Live U.S.** **(June 4 - 8)**

Las Vegas, NV

**Most prevalent malware files from Talos telemetry over the past week**

  
**SHA 256:** e248b01e3ccde76b4d8e8077d4fcb4d0b70e5200bf4e738b45a0bd28fbc2cae6  
**MD5:** 1e2a99ae43d6365148d412b5dfee0e1c  
**Typical Filename:** PDFpower.exe  
**Claimed Product:** PdfPower  
**Detection Name:** Win32.Adware.Generic.SSO.TALOS

**SHA 256:** 00ab15b194cc1fc8e48e849ca9717c0700ef7ce2265511276f7015d7037d8725  
**MD5:** d47fa115154927113b05bd3c8a308201  
**Typical Filename:** mssqlsrv.exe  
**Claimed Product:** N/A  
**Detection Name:** Trojan.GenericKD.65065311

**SHA 256:** e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934  
**MD5:** 93fefc3e88ffb78abb36365fa5cf857c  
**Typical Filename:** Wextract  
**Claimed Product:** Internet Explorer  
**Detection Name:** PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg

**SHA 256:** de3908adc431d1e66656199063acbb83f2b2bfc4d21f02076fe381bb97afc423  
**MD5:** 954a5fc664c23a7a97e09850accdfe8e  
**Typical Filename:** teams15.exe  
**Claimed Product:** teams15  
**Detection Name:** Gen:Variant.MSILHeracles.59885

**SHA 256:** c74e7421f2021b46ee256e5f02d94c1bce15da107c8c997c611055412de1ac1  
**MD5:** 2d16d0af6183803a79d9ef5c744286c4  
**Typical Filename:** nano\_download.php  
**Claimed Product:** Web Companion Installer  
**Detection Name:** W32.1C74E7421F-100.SBX.VIOC

Threat Source newsletter (April 6, 2023) — Another friendly reminder about supply chain attacks

Ichitaro uses the ATOK input method (IME) and uses the proprietary .jtd file extension. It’s the second most-popular word processing system in Japan behind only Microsoft word.

Wednesday, April 5, 2023 11:04

_A Cisco Talos researcher discovered these vulnerabilities._

Cisco Talos recently discovered four vulnerabilities in Ichitaro, a popular word processing software in Japan produced by JustSystems that could lead to arbitrary code execution.

Ichitaro uses the ATOK input method (IME) and uses the proprietary .jtd file extension. It’s the second most-popular word processing system in Japan behind only Microsoft word.

Talos discovered four vulnerabilities that could allow an attacker to gain the ability to execute arbitrary code on the targeted machine. TALOS-2022-1673 (CVE-2022-43664) can trigger the reuse of freed memory by the attacker, which can lead to further memory corruption and potentially result in arbitrary code execution after the target opens an attacker-created malicious file. TALOS-2023-1722 (CVE-2023-22660) has a similar effect, though in this case, it’s caused by a buffer overflow condition.

There are two other memory corruption vulnerabilities that can also be triggered if the target opens a specially crafted, malicious document — TALOS-2022-1687 (CVE-2023-22291) and TALOS-2022-1684 (CVE-2022-45115) — which could also lead to code execution.

Cisco Talos worked with JustSystems to ensure these vulnerabilities are resolved and an update is available for affected customers, all in adherence to Cisco’s vulnerability disclosure policy.

Users are encouraged to update these affected products as soon as possible: Ichitaro 2022, version 1.0.1.57600. Talos tested and confirmed this version of the word processor could be exploited by these vulnerabilities.

The following Snort rules will detect exploitation attempts against this vulnerability:  
61011, 61012, 61091, 61092, 61163, 61164, 61393 and 61394. Additional rules may be released in the future and current rules are subject to change, pending additional vulnerability information. For the most current rule information, please refer to your Cisco Secure Firewall Management Center or Snort.org.

Vulnerability Spotlight: Vulnerabilities in popular Japanese word processing software could lead to arbitrary code execution, other issues

The stealer is for sale on dark web forums for $59 a month, or $540 for a lifetime subscription, which is relatively inexpensive compared to other infostealers.

*   The developer of the Typhon Reborn information stealer released version 2 (V2) in January, which included significant updates to its codebase and improved capabilities.
*   Most notably, the new version features additional anti-analysis and anti-virtual machine (VM) capabilities to evade detection and make analysis more difficult.
*   We assess Typhon Reborn 2 will likely appear in future attacks, as we have already observed samples in the wild and multiple purchases of the malware.
*   The stealer is currently offered on underground forums for $59 per month but also offers a lifetime subscription for $540, which is inexpensive compared to competing infostealers.
*   The stealer can harvest and exfiltrate sensitive information and uses the Telegram API to send stolen data to attackers.

**Typhon Reborn V2 release  
**

Typhon is an information stealer first publicly reported in mid-2022. It steals sensitive information, such as cryptocurrency wallet data, from a variety of applications and uses a “file grabber” to collect a predefined list of file types, then exfiltrates them via Telegram. Since its initial arrival, it has undergone continuous development, with Typhon Reborn being released just several months later in late 2022. The malware’s developer announced the release of Typhon Reborn V2 on Jan. 31, 2023 on the popular Russian language dark web forum XSS. Samples uploaded to public repositories indicate that the new version of Typhon Reborn has been in the wild since December 2022.

_Post announcing Typhon Reborn V2 release._

In the latest version, the malware developer claimed to have refactored the codebase and significantly improved existing capabilities present within the malware, which Cisco Talos independently confirmed. It is available for $59 per month or a lifetime subscription for $540, which is inexpensive compared to competing infostealers. Analysis of the cryptocurrency wallet from which the attacker collects payments suggests that multiple adversaries have purchased access to the stealer, making it likely that it will be used in attacks moving forward.

**Notable changes in Typhon Reborn V2**

The code in Version 2 of Typhon Reborn was heavily modified compared to Version 1, based on our analysis.

_Code changes between Typhon Reborn V1 and V2._

For example, Version 2 has significantly more anti-analysis and anti-virtualization capabilities, as evidenced by comparing the anti-analysis routines present in each version. For example, the developer made several changes to the logic that prevents the malware from infecting systems that match predefined criteria. That includes heavily expanding this list of criteria to include present usernames, CPUIDs, applications and processes present on the system, debugger/emulation checks, and geolocation data for countries that attackers may wish to avoid.

_Anti-analysis routine comparison between Typhon Reborn versions._

Finally, in Typhon Reborn V2 samples that we analyzed, the developer appeared to have removed the functionality that establishes persistence across reboots. Instead, V2 simply terminates itself after data exfiltration.

**Dissecting Typhon Reborn V2**

In Typhon Reborn V2, the malware complicates analysis via string obfuscation by using Base64 encoding and applying the XOR function to various strings. During execution, the malware decodes the Base64, generating a UTF-8 character-encoded string that is then deobfuscated using an XOR key stored in the malware’s configuration or hard-coded into DecryptString(). The XOR key used is based on the mode passed when the function is called each time. The resulting string is then decoded from Base64 again, creating a plain text string to continue the operation.

_String deobfuscation functionality._

The malware’s operations are determined by a series of parameters stored in the malware’s configuration that dictate what information should be collected, keys used for string deobfuscation and geolocations where the malware should not execute.

_Typhon Reborn V2 configuration parameters._

**Anti-analysis and sandbox evasion**

When Typhon Reborn V2’s main() method is executed, it checks the malware configuration to determine if anti-analysis has been enabled. If it is enabled, the malware will attempt to conduct a series of anti-analysis checks to determine if it is being executed in an analysis or sandbox environment.

_Anti-analysis checks._

If any of the checks fail, the malware will call a SelfRemove() class to self delete, by creating a batch file in the temp directory with the following contents.

    chcp 65001
    TaskKill /F /IM [MALWARE_PID]
    Timeout /T 2 /Nobreak
    

This batch file is then executed via the Windows command processor, thus terminating the malware’s execution.

_Self-removal functionality._

The overall execution flow of the various anti-analysis checks is shown below.

_Anti-analysis process flow._

The malware uses Windows Management Instrumentation (WMI) to retrieve information about the Graphics Processing Unit (GPU) on the system.

SELECT * FROM Win32_VideoController

It then checks the returned value to determine if it contains the string vmware svga.

Then, it makes an HTTP request to the following URL to determine if the system is located in a network associated with a hosting provider, colocation facility, or data center environment. The API returns either a “True” or “False” response based on the location of the system which is used to determine the type of environment in which the system is located.

hxxp://ip-api[.]com/line/?fields=hosting

Then, it checks for the presence of the following DLLs associated with common security products that may be installed.

*   SbieDLL.dll (Sandboxie)
*   SxIn.dll (360 Total Security)
*   Sf2.dll (Avast)
*   Snxhk.dll (Avast)
*   cmdvrt32.dll (Comodo Internet Security)

It also retrieves the system manufacturer and model via WMI using the following query:

Select * from Win32_ComputerSystem

The retrieved information is checked to determine if it contains the following hypervisor-related strings.

*   VIRTUAL
*   vmware
*   VirtualBox

The malware also uses WMI to collect information about the system’s video controller.

SELECT * FROM Win32_VideoController

This information is then checked to determine if it contains the strings VMware or VBox.

Next, the malware uses CheckRemoteDebuggerPresent to determine if the process is being debugged.

The malware then obtains the current system time, initiates a short (10ms) sleep, then obtains the system time again. It compares the delta between the two times to what is expected during normal operations to determine if the process is being run in a debugging session.

The command line argument used to initially launch the malware is then obtained to determine if the sample was executed using the file name detonate.exe or if the argument -–detonate was passed when initiating execution.

The malware also checks the Windows Registry (SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall) to determine if any subkeys reference the following common analysis tools:

*   dnSpy
    

*   PDFStreamDumper
    

*   Ghidra
    

*   Wireshark
    

*   Autoruns
    

*   x64dbg
    

*   HashCalc
    

*   Process Hacker
    

  

*   FileInsight
    

*   Process Monitor
    

  

Next, WMI is queried to obtain the ProcessorId (CPUID) for the system using the following query.

Select ProcessorId From Win32_Processor

The CPUID is then checked against the following list of CPUIDs under which the malware will not execute:

*   4AB2DFCCF4
*   BFEBFBFF000906E9
*   078BFBFF000506E3
*   078BFBFF00000F61
*   178BFBFF00830F10
*   0F8BFBFF000306C1

The malware also determines the user account context under which the malware is executing and will terminate if the username matches the following values:

*   IT-ADMIN
    

*   sand box
    

*   Abby
    

*   Paul Jones
    

*   maltest
    

*   WDAGUtilityAccount
    

*   WALKER
    

*   malware
    

*   Frank
    

*   Sandbox
    

*   virus
    

*   fred
    

*   timmy
    

*   John Doe
    

*   JOHN-PC
    

*   tim
    

*   Emily
    

*   Lisa
    

*   vboxuser
    

*   CurrentUser
    

*   John
    

*   sandbox
    

*   test
    

  

*   Peter Wilson
    

*   TVM
    

  

The malware then obtains the list of currently running processes on the system and checks the executable path associated with them against the following list of executable file names associated with common analysis tools.

*   ollydbg.exe
    

*   idaq64.exe
    

*   processhacker.exe
    

*   immunitydebugger.exe
    

*   tcpview.exe
    

*   wireshark.exe
    

*   autoruns.exe
    

*   dumpcap.exe
    

*   de4dot.exe
    

*   hookexplorer.exe
    

*   ilspy.exe
    

*   lordpe.exe
    

*   dnspy.exe
    

*   petools.exe
    

*   autorunsc.exe
    

*   resourcehacker.exe
    

*   filemon.exe
    

*   x32dbg.exe
    

*   procmon.exe
    

*   x64dbg.exe
    

*   regmon.exe
    

*   fiddler.exe
    

*   idaq.exe
    

  

It then attempts to test internet connectivity by making an HTTP request to http://www.google.com.

The malware again obtains the execution environment to determine if its filename matches the following list:

*   detonate
*   virus
*   test
*   malware
*   maltest

Next, the malware checks the Programs subdirectory under the Windows Start Menu for the presence of the following analysis tools:

*   dnspy
    

*   x86dbg
    

*   detect it easy
    

*   ghidra
    

*   die
    

*   ida
    

*   procmon
    

*   fiddler
    

*   process monitor
    

*   scylla
    

*   process hacker
    

*   winhex
    

*   ilspy
    

*   hxd
    

*   x64dbg
    

*   de4dot
    

It then attempts to locate wine_get_unix_file_name to determine if Wine is being used in an analysis environment.

Next, it checks the SYSTEM_CODEINTEGRITY_INFORMATION structure to determine if unsigned or test-signed drivers are allowed on the system (CODEINTEGRITY_OPTION_ENABLED, CODEINTEGRITY_OPTION_TESTSIGN).

The malware also checks the SYSTEM_KERNEL_DEBUGGER_INFORMATION structure to determine if kernel mode debugging is enabled (KernelDebuggerEnabled).

Then, the malware checks various system DLLs for the presence of instructions that may indicate that the environment is instrumented for analysis.

The malware also features two geolocation avoidance mechanisms. The first one allows for the specification of a list of countries in the malware’s config that the attacker does not want to infect systems in. The malware uses the IP-API service to determine where the system is located and compares it against the user-supplied list.

_IP geolocation check._

If the system is located in one of these countries, the malware calls the SelfRemove() functionality previously described.

The malware also contains a RunAntiCIS() feature that specifically avoids infecting systems located in Commonwealth of Independent States (CIS) countries.

_CIS country avoidance._

**System and network data collection**

If the victim’s environment passes all the malware’s anti-analysis checks, Typhon Reborn V2 begins collecting and exfiltrating sensitive information. First, the malware creates a randomly named subdirectory under %LOCALAPPDATA%, then the malware begins generating stealer logs that will ultimately be staged in that subdirectory for exfiltration.

To generate the logs, the malware retrieves survey information about the infected system and writes it to the stealer log. It collects a variety of system information including user data, system data and network information, using various mechanisms such as WMI queries, environment variables, and registry keys. The malware uses api[.]ipify[.]org to obtain the public IP of the infected system. This information is saved in the malware’s working directory (UserData.txt) along with a text file (BuildID.txt) containing the Telegram channel for the malware’s developer. A list of installed software is also generated using WMI and saved (InstalledSoftwares.txt). A list of hard drives present within the system is also saved (Drive Info.txt).

The malware also captures screenshots from infected systems saved in the same directory as the stealer logs.

_Screenshot capture._

The stealer also collects saved Wi-Fi network information and stores it (Wifi Passwords.txt) using the following system commands:

cmd.exe /C  chcp 65001 && netsh wlan show profile | findstr All

cmd.exe /C timeout /t 5 /nobreak > nul && netsh wlan show profile name=<PROFILE_NAME> key=clear | findstr Key

It also attempts to scan for available wireless networks and stores information about them (Available Networks.txt).

cmd.exe /C timeout /t 5 /nobreak > nul && netsh wlan show networks mode=bssid

A list of currently running processes and process executable paths is collected and saved as well (Running Processes.txt).

**Application data collection**

Once basic system information has been collected and saved, the stealer begins iterating through specific applications and collecting data based on the malware’s configuration. The stealer currently supports collecting passwords, tokens, and other sensitive information from the applications shown below.

_Typhon Reborn V2 Application Support._

**Gaming clients**

Typhon Reborn V2 can steal data from additional applications, including various gaming clients. However, this functionality was never actually called from the main() method of the malware in the latest version analyzed.

The malware also contains a FileGrabber() feature that is used to collect and exfiltrate files of interest from victim environments. It iterates through all drives detected on the system and attempts to determine whether any are removable storage devices, network storage locations or optical drives.

_Drive enumeration._

Each drive that meets this criterion has its root directory added to a list of target directories. The malware then iterates through all of the target directories, copying contents that match the parameters in the malware’s configuration to the malware’s working directory.

The two parameters Config.GrabberSize and Config.GrabberFileExtensions defined in the malware’s configuration determine the operation of the file collection capability.

_File grabber configuration parameters._

**Data exfiltration**

Once the stealer has finished collecting information from infected systems, the data is stored in a compressed archive and exfiltrated via HTTPS using the Telegram API. First, the malware sends an overview log containing survey information and basic statistics related to the data collected.

_Stealer log transmission._

Then, the malware sends another Telegram message containing the data being exfiltrated from the infected system.

_Data exfiltration._

Once the data has been successfully transmitted to the attacker, the archive is then deleted from the infected system. The malware then calls SelfRemove.Remove() to terminate execution.

**Coverage**

Ways our customers can detect and block this threat are listed below.

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.

Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

The following Snort SIDs are applicable to this threat: 61532-61533, 300476.

**Orbital Queries**

Cisco Secure Endpoint users can use Orbital Advanced Search to run complex OSqueries to see if their endpoints are infected with this specific threat. For specific OSqueries on this threat, click here.

**Indicators of Compromise (IOCs)**

IOCs for this research can also be found at our Github repository here