• Why Don’t You Go Dox Yourself?
    by Zoe Lindsey (Security - Cisco Blogs) on October 7, 2022 at 12:00 pm

    This step-by-step dox guide makes protecting yourself online easy, accessible, and maybe even fun.

  • Threat Source newsletter (Oct. 6, 2022) — Continuing down the Privacy Policy rabbit hole
    by Jon Munshaw (Cisco Talos Intelligence Group - Comprehensive Threat Intelligence) on October 6, 2022 at 6:00 pm

    By Jon Munshaw. Welcome to this week’s edition of the Threat Source newsletter. As I wrote about last week, I’ve been diving a lot into apps’ privacy policies recently. And I was recently made aware of a new type of app I never knew existed: family trackers. There are countless mobile apps for parents to track their children or other family members based on their location, phone usage, and even driving speed. As an anxious soon-to-be-parent, this sounds intriguing to me. It’d be a souped-up version of Find My Friends on Apple devices, so I’d never have to ask my teenager (granted, I’m many years away from being at that stage of my life) when they were coming home or where they were. Just as with all other types of mobile apps, there are pitfalls, though.

    Life360, one of the most popular of these apps (it even tells users what their maximum driving speed was on a given trip), was found in December 2021 to be selling precise location data on its users, potentially affecting millions of people. Once that precise location data is out there, there is no telling who could eventually get hold of it. Even if Life360 doesn’t intend to let adversaries see this information, it has no direct control over how those third parties handle the information once it’s sold off. The app’s current and updated privacy policy states that it "may also share location information with our partners, such as Cuebiq and its Partners, for tailored advertising, attribution, analytics, research and other purposes.” However, users do have the ability to opt out of this inside the app. There is hardware that offers this same type of tracking.
    Jealous, angry or paranoid spouses and parents have used Apple’s AirTags in the past to track people without their knowledge, eventually to the point that Apple had to address the issue directly and ship several updates to AirTags’ security and precise-location alerts to make it easier for users to find unwanted AirTags on their cars or personal belongings. This is truthfully just an area of concern I had never considered before. Many parents would do anything for their children’s safety, which is certainly understandable. But just like personal health apps, we need to consider the security trade-offs here, too. As we’ve said before, no one truly has “nothing to hide,” especially when it comes to minors or vulnerable populations. I’m not saying using any of these apps is inherently wrong, or that AirTags do not have their legitimate purposes. But any time we welcome this software and hardware into our homes and on our devices, it’s worth considering what sacrifices we might be making elsewhere.

    The one big thing

    Microsoft warned last week of the exploitation of two recently disclosed vulnerabilities collectively referred to as "ProxyNotShell," affecting Microsoft Exchange Server 2013, 2016 and 2019. One of these vulnerabilities could allow an attacker to execute remote code on the targeted server. Limited exploitation of these vulnerabilities in the wild has been reported. CVE-2022-41040 is a server-side request forgery (SSRF) vulnerability, while CVE-2022-41082 enables remote code execution (RCE) when PowerShell is accessible to the attacker. Microsoft’s guidance at the time noted that exploitation requires authenticated access to the server, which limits mass exploitation but not an attacker who already holds a single mailbox credential.

    Why do I care?

    Exchange vulnerabilities have become increasingly popular with threat actors, as they can provide initial access to network environments and are often used to facilitate more effective phishing and malspam campaigns. The Hafnium threat actor exploited several zero-day vulnerabilities in Exchange Server in 2021, and those same flaws were quickly picked up by other actors to deliver ransomware; Cisco Talos Incident Response reported that the exploitation of Exchange Server issues was one of the four attacks they saw most often last year.

    So now what?

    While no fixes or patches are available yet, Microsoft provided mitigations for on-premises Microsoft Exchange users on Sept. 29, 2022. Even organizations that use Exchange Online may still be affected if they run a hybrid server. Microsoft continues to update its mitigations, and security researchers have reported that the initial version can be bypassed, so treat the mitigation as a stopgap and check that you are running the latest published version rather than the first one you applied. Talos has released several Snort rules to detect the exploitation of these vulnerabilities and the associated malware families used in these attacks.

    Top security headlines from the week

    More than 2 million Australians’ personal information is at risk after a data breach at telecommunications giant Optus. More than 1.2 million customers have had at least one ID number from a current and valid form of identification exposed, along with other personal data, according to an update from the company’s CEO. Adding to the confusion, the company told many residents in New South Wales that it would need to replace their driver’s licenses, only to later backtrack and say that would not be the case for everyone affected. Optus says it enlisted a third party to complete a thorough review of the compromise to identify security gaps and any other potential fallout. (ABC News, Nine News)

    The Vice Society ransomware group leaked more than 500 GB of data on employees and students at the Los Angeles Unified School District after the district refused to pay the extortion demand that followed a ransomware attack several weeks earlier. Officials said the leak was less extensive than originally expected and limited to attendance and academic records from 2013 - 2016.
    The district declined to pay the ransom because there was no guarantee that the actors would not leak the information anyway. Threat actors have commonly targeted the education sector with ransomware as the school year starts, when school networks are particularly exposed. (Axios, Los Angeles Times)

    The infamous Lazarus Group threat actor continues to ramp up its activity, recently exploiting open-source software and a vulnerable Dell driver to target companies all over the globe. A recent report from Microsoft found that the group was impersonating contributors to open-source projects and pushing malicious updates of that software to users. In a separate campaign, the APT also used an exploit in a Dell firmware driver to deliver a Windows rootkit targeting an aerospace company and a high-profile journalist in Belgium. Lazarus Group is known for operating in North Korean state interests, often stealing cryptocurrency or finding other ways to earn money. (Bleeping Computer, Security Affairs)

    Can’t get enough Talos?

    Developer account body snatchers pose risks to the software supply chain
    Researcher Spotlight: Globetrotting with Yuri Kramarz
    Threat Roundup for Sept. 23 - 30
    Talos Takes Ep. #115: An "insider threat" doesn't always have to know they're a threat
    Cobalt Strike malware campaign targets job seekers
    Government, Union-Themed Lures Used to Deliver Cobalt Strike Payloads

    Upcoming events where you can find Talos

    Cisco Security Solution Expert Sessions (Oct. 11 & 13), virtual
    GovWare 2022 (Oct. 18 - 20), Sands Expo & Convention Centre, Singapore
    Conference On Applied Machine Learning For Information Security (Oct. 20 - 21), Sands Capital Management, Arlington, Virginia

    Most prevalent malware files from Talos telemetry over the past week

    SHA 256: c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0
    MD5: 8c69830a50fb85d8a794fa46643493b2
    Typical Filename: AAct.exe
    Claimed Product: N/A
    Detection Name: PUA.Win.Dropper.Generic::1201

    SHA 256: e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934
    MD5: 93fefc3e88ffb78abb36365fa5cf857c
    Typical Filename: Wextract
    Claimed Product: Internet Explorer
    Detection Name: PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg

    SHA 256: 58d6fec4ba24c32d38c9a0c7c39df3cb0e91f500b323e841121d703c7b718681
    MD5: f1fe671bcefd4630e5ed8b87c9283534
    Typical Filename: KMSAuto Net.exe
    Claimed Product: KMSAuto Net
    Detection Name: PUA.Win.Tool.Hackkms::1201

    SHA 256: e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c
    MD5: a087b2e6ec57b08c0d0750c60f96a74c
    Typical Filename: AAct.exe
    Claimed Product: N/A
    Detection Name: PUA.Win.Tool.Kmsauto::1201

    SHA 256: 63d543945e33b4b6088dc34d0550213dc73ea6acce248d8353c63039e8fa284f
    MD5: a779d230c944ef200bce074407d2b8ff
    Typical Filename: mediaget.exe
    Claimed Product: MediaGet
    Detection Name: W32.File.MalParent

  • Cyber Chat – What Jurassic World Can Teach About Multi-Factor Authentication
    by Jennifer Bean (Veeam Software Official Blog) on October 6, 2022 at 1:06 pm

    My family and I have recently started a weekly dinner and a movie routine, where we base the dinner menu around the characters or premise of the movie. For us, we’re counting down to an upcoming family trip, but I’m hoping to keep up this fun routine even after our trip. The excitement of the kids picking an envelope as we all watch with excitement to see which movie we will be watching that week — and the same anticipation from mom and dad to see what type of food they will need to prepare in the coming days. Oh, the fun of family traditions… but now to the security part of this story.  The post Cyber Chat – What Jurassic World Can Teach About Multi-Factor Authentication appeared first on Veeam Software Official Blog.

  • Employee Volunteer Program Supports Youth Globally
    by Mary Kate Schmermund (Security - Cisco Blogs) on October 6, 2022 at 12:00 pm

    Cisco’s employee volunteer program provides employees with paid time to contribute to their communities including supporting youth locally and globally.

  • Cyber Chat – Welcome to Cybersecurity Awareness Month
    by Jennifer Bean (Veeam Software Official Blog) on October 5, 2022 at 2:51 pm

    The other day, I was watching a local junior high school soccer match. One team was advancing down the field as the forward was calling out to his teammates where to go and who to cover. The other team was all crowded together just trying to get the ball. One team was focused on their strategy, while the other team was focused on one short term goal — get the ball. It probably isn’t hard to guess which team came out the victor in that game. The team focused on their short-term goal lost focus on their fundamentals — they didn’t think about what they would do if they got the ball or if their short-term goal wasn’t met and suddenly the ball was in the open field without any defenders helping the goalie.

  • Service Providers: The Veeam difference in BaaS for public cloud
    by Michael Loos (Veeam Software Official Blog) on October 5, 2022 at 2:23 pm

    Being a managed service provider offering Backup as a Service (BaaS) for AWS, Microsoft Azure and Google Cloud can be daunting. You may end up trying to decipher the best solution just by combing through marketplace ads and descriptions. Deciding what’s needed and what’s not needed is crucial to ensure that you provide a cost-effective and efficient backup system that’s not only good for your customer but (let’s be honest) good for you as well.

  • Veeam’s Take On Google Cloud Next 2022: Reasons Why You Should Attend
    by Jo-Anne Bourne (Veeam Software Official Blog) on October 4, 2022 at 2:32 pm

    The countdown is on! Google Cloud Next is only seven days away! If you haven’t already registered, why haven’t you? Here are five reasons why you should attend Google Cloud Next 2022.

  • Developer account body snatchers pose risks to the software supply chain
    by Jaeson Schultz (Cisco Talos Intelligence Group - Comprehensive Threat Intelligence) on October 4, 2022 at 12:51 pm

    By Jaeson Schultz.

    Over the past several years, high-profile software supply chain attacks have increased in frequency. These attacks can be difficult to detect, and source code repositories became a key focus of this research. Developer account takeovers present a substantial risk to the software supply chain because attackers who successfully compromise a developer account could conceal malicious code in software packages used by others. Talos analyzed several of the major software repositories to assess the level of developer account security, focusing specifically on whether developer accounts could be recovered by re-registering expired domain names and triggering password resets. Many software repositories have already begun taking steps to enhance the security of developer accounts. Talos identified additional areas where the security of developer accounts could be improved and worked with vulnerable repositories to resolve the issues we found.

    Software supply chain attacks, once the exclusive province of sophisticated state-sponsored attackers, have been gaining popularity recently among a broader range of cybercriminals. Attackers everywhere have realized that software supply chain attacks can be very effective and can result in a large number of compromised victims. Software supply chain attacks more than tripled in 2021 compared with 2020. Why are software supply chain attacks so effective? Organizations that possess solid cyber defenses may be difficult to attack directly. However, these same organizations are likely vulnerable to a software supply chain attack because they still regularly run or build software obtained from trusted vendors. Rather than attacking an entire software repository itself, or identifying an unpatched vulnerability in a software package, compromising the software supply chain can be as simple as attacking the accounts of the package developers and maintainers.

    Most software repositories track the identities of their software developers using those developers' email addresses. If a cybercriminal somehow gains access to a developer's email account, the attacker can theoretically generate password reset emails at these software repositories and take over the account belonging to that developer. Once inside, an attacker could then publish malicious updates to the code maintained by that developer, affecting every other piece of software that uses that library from then on. Cisco Talos examined several frequently used code repositories. We looked specifically at the security afforded to developer accounts, and how difficult it would be for an attacker to take over a developer account. While some repositories had stringent security in place, others did not. Fortunately, we worked with the managers of these repositories to resolve the major issues we found.

    Risks in the software supply chain

    Re-inventing the wheel is typically not a good idea. This holds true for many things, including developing software. Much software written today depends on third-party packages and software libraries to provide necessary functionality. Utilizing third-party libraries and packages, especially open source, also speeds up development and lowers costs. Popular software packages have also become attractive targets for attackers. The more popular a software library is, the more external software will be using that library, and thus the larger the potential attack surface. Compromising a software library can potentially compromise every other piece of software that relies on that library for its functionality. This is the risk inherent in the software supply chain.

    With the exception of language-agnostic repositories like GitHub, most software repositories tend to be language specific. For example, JavaScript authors rely mostly on NPM, Python developers have PyPI, Perl programmers can often be found using packages obtained via CPAN, and so on. Each software repository sets its own rules when it comes to developers' accounts. Additionally, as many programmers are aware, some programming languages are a better choice for solving certain types of problems. For example, embedded systems drivers are more commonly written in C instead of Perl, while parsing text is more commonly done in Perl or Python rather than C. This means that the process of integrating third-party libraries into the code will also be different for each language. It is difficult to imagine a developer integrating a third-party library into a system-level driver written in C without carefully reviewing the related code and testing it for speed and functionality. However, when developing a feature-rich Perl proof-of-concept application or a web-based JavaScript application, this might not always be the case. A programmer in those instances might conceivably import a package first and ask questions later. This means some software repositories will carry more risk than others when it comes to malware hiding in the source code.

    NPM

    NPM (Node Package Manager) is a JavaScript software repository and has been the subject of some "independent" security audits recently. There has been a lot of discussion online, especially concerning the security of the developer accounts there, and how easy it is to take over these accounts by re-registering expired email domains.

    There are more than 2 million packages in the NPM repository. Conveniently, an NPM package called "all-the-package-names" contains a list of all packages in the NPM repository. Each individual package at NPM has associated metadata, such as a text description of the package, a link to the package tarball, and a list of the package maintainers. Most importantly, the list of package maintainers has the developer's username and email address. Iterating through all the package names, extracting the email addresses, and then extracting the domain names from those email addresses provides the raw data necessary to find developer accounts associated with expired domains. Once an expired domain is found, it can be re-registered and theoretically used to take over the NPM developer account. But does it work this way in practice?

    Although we found a couple thousand expired developer account domain names, we could not recover the associated developer accounts. It appears the "couple things in place to protect against [account takeover]" that NPM administrator @MylesBorins mentioned in a tweet are working as planned.

    Stale metadata helps foil attackers

    NPM provides developers with the ability to update the email address associated with their accounts. When a developer decides to switch email addresses, only the metadata of future package versions will contain the new email address. NPM does not retroactively update old metadata associated with a package that was previously published. This means that, even though someone looking to take over an NPM developer account might find package metadata indicating a developer with an expired email domain, it could simply be that the developer has updated their NPM account to a new email address. This was the case in May 2022, when a security researcher claimed to have taken over the NPM package "foreach" by re-registering the email domain belonging to the NPM developer. Unbeknownst to the security researcher, the developer in question had actually updated their NPM account to use their Gmail address instead. So if any password recovery attempts were made, they would have failed: NPM would have generated and sent the password reset emails to the new Gmail account on file, which is still under the original developer's control.

    PyPI

    PyPI is the Python Package Index and currently contains almost 400,000 projects. Developers at PyPI have email addresses associated with their accounts; however, PyPI does not display the email address publicly by default. This is an option that the developer must explicitly choose to enable. Many developers are, of course, eager to interact with others who are running their code, so it is no surprise that large numbers of developers enable this feature. PyPI accounts do not come with MFA enabled by default, so this is something else a developer would have to choose to enable. However, in July 2022 PyPI announced that it was rolling out mandatory MFA to "critical projects," a.k.a. the top 1% of projects at PyPI (based on the number of downloads).

    A list of all PyPI packages is available online. Many of these packages contain a mailto: link containing an email address. There is also a list of maintainers of the package. For developers that expose their email addresses publicly, it's found on the user's public profile page. It is a relatively simple process to scrape the email addresses associated with PyPI projects. PyPI also reveals whether an email address is associated with an account (but it probably should not). Account takeovers have been a problem at PyPI in the past. As recently as May 14, 2022, an attacker managed to take over a developer account and replace the "ctx" package, adding malicious code that stole the user's environment variables, base64-encoded them and transmitted the data back to the attacker's C2 server. Fortunately, the changes made by the admins over at PyPI seem to be moving account security in the right direction.

    CPAN

    The Comprehensive Perl Archive Network (CPAN) contains more than 200,000 Perl modules. CPAN also provides an index of all the module authors. The individual module authors each have their own "homepage" that lists their contributed modules. For anyone who wants to reach out to the dev, CPAN includes the author's email address. A motivated attacker can easily scrape the CPAN website for a list of all author IDs and use those to scrape the email address belonging to each developer. A whois search on the domains of those developer email addresses provides a list of developer accounts that are vulnerable to account takeover. From there, all that is required is standing the domain up somewhere and running a mail server. Triggering a password reset provides the magic link to get into the developer's account. Talos reached out to the admins at CPAN and provided them with a list of the vulnerable developer accounts we found. CPAN has disabled these accounts.

    NuGet

    NuGet is a software repository for .NET developers. The NuGet "gallery" contains more than 317,000 packages. Fortunately, registered developers at NuGet have their email addresses hidden by default. There is an option to allow users to contact you, using a form on the NuGet website that does not disclose the email address of the developer. Developers have the option of adding their Twitter handle, and many developers do. If an attacker wishes to attack NuGet developers en masse, they would have a very difficult time assembling a list of developer email addresses.

    RubyGems

    RubyGems is a software repository for Ruby developers. There are currently approximately 172,000 gems (packages) in the repository. Developer email addresses are hidden from the public by default. Even unchecking the "Hide email in public profile" check box has no discernible effect, and the email address remains hidden. Some gems have "maintainers" files to indicate the contact email addresses of the developers, but this is not consistent across gems. Recently, the RubyGems team announced that they are enforcing MFA for top developer accounts.

    Conclusion

    The software supply chain attack problem is not likely to go away anytime soon. It is unreasonable to ask organizations to vet every piece of software that runs in their environment. Some amount of trust in software vendors and suppliers will always be necessary. However, that doesn't mean that defenders are helpless against these types of attacks. Organizations should analyze what software is required on various internal systems. Many times, there may be opportunities to segment a group of systems running a particular piece of software from the rest of the internal network. This way, any compromise that occurs as a result of a software supply chain attack will be limited in scope. Obviously, there are limitations to this approach.

    All parties in the software supply chain need to take more responsibility for security. For example, it would be far safer for software repositories to stop publishing or releasing any information related to a developer's email address. Yes, this is arguably a bit of security by obscurity, but it forces attackers to go elsewhere to correlate the email account of a developer with the particular software package in question, and greatly enhances the security of the repository. If a repository wishes to publish a developer's email address, it could instead give each developer an email address at the domain of the repository itself (e.g., @npmjs.com, @cpan.org). Forcing MFA on the most popular package maintainers also seems to be a sensible remedy that is currently being pursued by several repositories. However, security is always a delicate balance. If you sacrifice too much usability in the pursuit of security, developers may rebel, as was the case with PyPI developer "untitaker." One sure-fire countermeasure against developer account takeover via expired domain registration is code signing. This is really the best way to be sure that the code you use has not been tampered with since it was last signed, and is indeed from a developer you trust. An attacker who gets control of a developer's expired domain name would have no way to recover the code signing keys belonging to that developer and no way to impersonate that developer. The caveat is that signing only helps if consumers pin the developer's key out of band and refuse releases signed by any other key; a registry that simply displays whichever key the current account holder uploads adds nothing against an account takeover.

  • The Upcoming UK Telecoms (Security) Act Part One: What, Why, Who, When and How
    by Richard Archdeacon (Security - Cisco Blogs) on October 3, 2022 at 4:31 pm

    The Telecoms Security Requirements (TSRs) are rapidly approaching. Here, we outline what they mean for UK firms, and what they can do to prepare.

  • Researcher Spotlight: Globetrotting with Yuri Kramarz
    by Jon Munshaw (Cisco Talos Intelligence Group - Comprehensive Threat Intelligence) on October 3, 2022 at 2:00 pm

    From the World Cup in Qatar to robotics manufacturing in east Asia, this incident responder combines experience from multiple arenas By Jon Munshaw. Yuri “Jerzy” Kramarz helped secure everything from the businesses supporting the upcoming World Cup in Qatar to the Black Hat security conference and critical national infrastructure. He’s no stranger to cybersecurity on the big stage, but he still enjoys working with companies and organizations of all sizes in all parts of the world. “What really excites me is making companies more secure,” he said in a recent interview. “That comes down to a couple things, but it’s really about putting a few solutions together at first and then hearing the customer’s feedback and building from there.” Yuri is a senior incident response consultant with Cisco Talos Incident Response (CTIR) currently based in Qatar. He walks customers through various exercises, incident response plan creation, recovery in the event of a cyber attack and much more under the suite of offerings CTIR has. Since moving from the UK to Qatar, he is mainly focused on preparing various local entities in Qatar for the World Cup slated to begin in November. Qatar estimates more than 1.7 million people will visit the country for the international soccer tournament, averaging 500,000 per day at various stadiums and event venues. For reference, the World Bank estimates that 2.9 million people currently live in Qatar. This means the businesses and networks in the country will face more traffic than ever and will no doubt draw the attention of bad actors looking to make a statement or make money off ransomware attacks. “You have completely different angles in preparing different customers for defense during major global events depending on their role, technology and function,” Kramarz said.  
In every major event, there were different devices, systems and networks interconnected to provide visitors and fans with various hospitality facilities that could be targeted in a cyber attack. Any country participating in the event needs to make sure they understand the risks associated with it and consider various adversary activities that might play out to secure these facilities. Kramarz has worked in several different geographic areas in his roughly 12-year security career, including Asia, the Middle East, Europe and the U.S. He has experience leading red team engagements (simulating attacks against targets to find potential security weaknesses) in traditional IT and ICS/OT environments, vulnerability research and blue team defense. The incident response field has been the perfect place for him to put all these skills to use. He joined Portcullis Security in 2011 as a security consultant and eventually moved throughout Cisco after it acquired Portcullis in 2015. As a red teamer, he had to develop exploits and think about the potential paper trail those exploits would leave behind — after all, it was his job to show where current security structures had failed. “Every time I would try to design a payload, I’d have to forensically understand what fingerprints are left on the system,” he said. “So effectively I had to do incident response for a decade before I joined CTIR.” That breadth of experience also helps because CTIR is platform-agnostic. He often must access and leverage other companies’ technology and software, such as during the Black Hat conference earlier this year when he was part of a Cisco team that set up and defended the on-site network in Las Vegas. “We had to check all the different technology stacks to make sure we could stop adversaries before they became a problem,” he said. “From there, we moved to use those technologies to detect what’s happening in real-time … and then we used [Cisco] SecureX to unify some of the response capability. 
By default, you pretty much must learn about every piece of technology that’s out there to provide an effective incident response, as we can’t wait days or weeks to deploy something during an emergency.” Yuri is used to working in different time zones at different hours of the day, too. His favorite incident response engagement began with a call around midnight one night when he was on call: a large conglomerate was under attack and the adversaries had deployed ransomware. He was part of the CTIR team that immediately responded to identify and eradicate the ransomware, and CTIR eventually brought systems back online. “And from there, we built a great relationship with the customer that’s been ongoing since then,” he said.

(Photo: Yuri enjoys golfing in his free time.)

Although incident response can lead to these kinds of late nights, Yuri said he’s thankful that Cisco Talos offers him the flexibility to work different hours and take time off when he needs it. Golf is his current outlet for relaxation, and it gives him something mutual to talk to people about regardless of what country they’re in. While not out on the green he likes to contribute to several open-source projects. Since coming into the incident response field, he’s had to flex his interpersonal skills more than ever because CTIR places such an emphasis on making IR a team sport. “The way I try to carry myself is to be happy and to look at my reflection every morning and say, ‘I’m doing the best I can for my customer,’” Kramarz said. “If I put my signature on a report, I want to make sure I’m proud of it.” Once the World Cup wraps up, Yuri said he will carry on focusing on securing critical infrastructure and operational technology. It’s a unique challenge, he said, because a lot of the technology can be more than 20 or 30 years old, and each customer is going to need a unique solution to their problems.
“One time during an incident in a different country, we had to look at physical manuals in binders from a decade before to figure out how the affected device actually worked and how someone could hack it, as only several of the devices had ever even been produced,” he said. “We know how to acquire evidence on the standard operating systems out there such as Unix or Windows, and we have the tools of the trade to help us with that. We often don’t get that in ICS/OT environments, so innovation is key in this field.” If your organization would like to work with Yuri or one of his fellow CTIR team members, you can reach out to them here. Talos Incident Response offers a range of proactive services for security teams, including hands-on tabletop exercises, a state-of-the-art cyber range for training and much more.

  • Demonstrating Trust and Transparency in Mergers and Acquisitions
    by Jason Button (Security - Cisco Blogs) on October 3, 2022 at 12:00 pm

    The importance of demonstrating security transparency and trust during the mergers and acquisition process.

  • Threat Advisory: Microsoft warns of actively exploited vulnerabilities in Exchange Server
    by Unknown (Cisco Talos Intelligence Group - Comprehensive Threat Intelligence) on September 30, 2022 at 9:16 pm

    Cisco Talos has released new coverage to detect and prevent the exploitation of two recently disclosed vulnerabilities collectively referred to as "ProxyNotShell," affecting Microsoft Exchange Servers 2013, 2016 and 2019. One of these vulnerabilities could allow an attacker to execute remote code on the targeted server. Limited exploitation of these vulnerabilities in the wild has been reported. CVE-2022-41040 is a Server Side Request Forgery (SSRF) vulnerability, while CVE-2022-41082 enables Remote Code Execution (RCE) when PowerShell is accessible to the attackers. While no fixes or patches are available yet, Microsoft has provided mitigations for on-premises Microsoft Exchange users on Sept. 29, 2022. Even organizations that use Exchange Online may still be affected if they run a hybrid server. Cisco Talos is closely monitoring the recent reports of exploitation attempts against these vulnerabilities and strongly recommends users implement mitigation steps while waiting for security patches for these vulnerabilities. Exchange vulnerabilities have become increasingly popular with threat actors, as they can provide initial access to network environments and are often used to facilitate more effective phishing and malspam campaigns. 
    The Hafnium threat actor exploited several zero-day vulnerabilities in Exchange Server in 2021 to deliver ransomware, and Cisco Talos Incident Response reported that the exploitation of Exchange Server issues was one of the four attacks they saw most often last year.

    Vulnerability details and ongoing exploitation

    Exploit requests for these vulnerabilities look similar to previously discovered ProxyShell exploitation attempts:

    autodiscover/autodiscover.json?@evil.com/<Exchange-backend-endpoint>&Email=autodiscover/autodiscover.json%3f@evil.com

    Successful exploitation of the vulnerabilities observed in the wild leads to preliminary information-gathering operations and the persistence of web shells for continued access to compromised servers. Open-source reporting indicates that web shells such as AntSword (a popular Chinese-language open-source web shell), SharPyShell (an ASP.NET-based web shell) and China Chopper have been deployed on compromised systems, leaving the following artifacts:

    C:\inetpub\wwwroot\aspnet_client\Xml.ashx
    C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\errorEE.aspx
    C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\pxh4HG1v.ashx
    C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\RedirSuiteServiceProxy.aspx

    This activity is consistent with what is typically observed when attackers begin leveraging vulnerabilities in unpatched or vulnerable systems exposed to the internet. Initial reporting observed the download and deployment of additional malicious artifacts and implants on the infected systems using certutil; however, these TTPs may change as more threat actors start exploiting the vulnerabilities, each with their own set of post-exploitation activities.

    Coverage

    Ways our customers can detect and block this threat are listed below.

    Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.

    Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.

    Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.

    Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.

    Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.

    Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.

    Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.

    Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.

    Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

    Cisco Talos is releasing SID 60642 to protect against CVE-2022-41040. In addition, we are releasing SIDs 60637-60641 to protect against malicious activity observed during exploitation of CVE-2022-41082. The existing SIDs 27966-27968, 28323, 37245, and 42834-42838 provide additional protection for the malicious activity observed during exploitation of CVE-2022-41082.

    The following ClamAV signatures have been released to detect malware artifacts related to this threat:

    Asp.Backdoor.AntSword-9972727-1
    Asp.Backdoor.Awen-9972728-0
    Asp.Backdoor.AntSword-9972729-0

    IOCs

    IPs and URLs

    125[.]212[.]220[.]48
    5[.]180[.]61[.]17
    47[.]242[.]39[.]92
    61[.]244[.]94[.]85
    86[.]48[.]6[.]69
    86[.]48[.]12[.]64
    94[.]140[.]8[.]48
    94[.]140[.]8[.]113
    103[.]9[.]76[.]208
    103[.]9[.]76[.]211
    104[.]244[.]79[.]6
    112[.]118[.]48[.]186
    122[.]155[.]174[.]188
    125[.]212[.]241[.]134
    185[.]220[.]101[.]182
    194[.]150[.]167[.]88
    212[.]119[.]34[.]11
    137[.]184[.]67[.]33
    206[.]188[.]196[.]77
    hxxp://206[.]188[.]196[.]77:8080/themes.aspx
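    As an added example (not code from Talos or Microsoft), the following Python script shows how a defender can turn the advisory's indicators into concrete checks: it refangs the defanged IOC list, parses IIS W3C log lines and flags requests shaped like the autodiscover.json pattern above or coming from an IP on the IOC list, and matches a file listing against the web shell artifact paths. The log lines and the file listing are constructed samples, and the assumed log layout is an IIS W3C log that includes the cs-uri-stem, cs-uri-query and c-ip columns.

```python
"""Defender-side triage for the ProxyNotShell advisory above.

Added example, not Talos or Microsoft code. It assumes IIS W3C extended logs
that include the cs-uri-stem, cs-uri-query and c-ip fields, and runs on
constructed sample lines. The request shape, the webshell paths and the
defanged indicators are the ones the advisory lists.
"""
import re
from dataclasses import dataclass

# Indicators as published (defanged): two of the advisory's IPs and its URL.
ADVISORY_IOCS = [
    "185[.]220[.]101[.]182",
    "206[.]188[.]196[.]77",
    "hxxp://206[.]188[.]196[.]77:8080/themes.aspx",
]

# Webshell artifacts named in the advisory.
WEBSHELL_ARTIFACTS = [
    r"C:\inetpub\wwwroot\aspnet_client\Xml.ashx",
    r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\errorEE.aspx",
    r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\pxh4HG1v.ashx",
    r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\RedirSuiteServiceProxy.aspx",
]
ARTIFACT_NAMES = {p.rsplit("\\", 1)[-1].lower() for p in WEBSHELL_ARTIFACTS}

# Shape of the advisory's sample request: the stem is autodiscover.json and the
# query smuggles a backend path behind '@' and/or nests a second
# autodiscover.json inside the Email parameter.
AUTODISCOVER_STEM = re.compile(r"/autodiscover/autodiscover\.json$", re.IGNORECASE)
HOST_CONFUSION = re.compile(r"@[^&]*/", re.IGNORECASE)
NESTED_AUTODISCOVER = re.compile(r"email=autodiscover/autodiscover\.json(?:%3f|\?)", re.IGNORECASE)


def refang(ioc: str) -> str:
    """Turn a defanged indicator ('[.]', 'hxxp') back into a matchable value."""
    value = ioc.strip().replace("[.]", ".")
    return re.sub(r"^hxxp", "http", value, flags=re.IGNORECASE)


def ioc_ip_set(defanged: list[str]) -> set[str]:
    """Collect the IPv4 addresses from a defanged IOC list, URLs included."""
    ips = set()
    for raw in defanged:
        match = re.search(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b", refang(raw))
        if match:
            ips.add(match.group(1))
    return ips


def parse_w3c(lines: list[str]) -> list[dict]:
    """Parse W3C extended log lines, taking column names from the #Fields directive."""
    fields, rows = None, []
    for line in lines:
        line = line.rstrip("\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip() or fields is None:
            continue
        else:
            rows.append(dict(zip(fields, line.split())))
    return rows


@dataclass
class Finding:
    line_no: int  # 1-based index among data rows
    client_ip: str
    reasons: list[str]


def classify(row: dict, ioc_ips: set[str]) -> list[str]:
    """Return the reasons a single request row is suspicious (empty if none)."""
    reasons = []
    stem = row.get("cs-uri-stem", "")
    query = row.get("cs-uri-query", "-")
    if AUTODISCOVER_STEM.search(stem) and (
        HOST_CONFUSION.search(query) or NESTED_AUTODISCOVER.search(query)
    ):
        reasons.append("proxynotshell-request")
    if stem.rsplit("/", 1)[-1].lower() in ARTIFACT_NAMES:
        reasons.append("webshell-artifact-name")
    if row.get("c-ip") in ioc_ips:
        reasons.append("known-ioc-ip")
    return reasons


def triage(lines: list[str], ioc_ips: set[str]) -> list[Finding]:
    """Run classify() over every data row and keep the rows that fired."""
    findings = []
    for idx, row in enumerate(parse_w3c(lines), start=1):
        reasons = classify(row, ioc_ips)
        if reasons:
            findings.append(Finding(idx, row.get("c-ip", "?"), reasons))
    return findings


def find_webshell_artifacts(paths: list[str]) -> list[str]:
    """Case-insensitive match of a file listing against the advisory's artifact paths."""
    known = {p.lower() for p in WEBSHELL_ARTIFACTS}
    return [p for p in paths if p.lower() in known]


# Constructed sample log (IIS writes spaces inside the user agent as '+').
SAMPLE_LOG = [
    "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status",
    "2022-09-30 10:15:01 10.0.0.5 POST /autodiscover/autodiscover.json "
    "@evil.com/powershell/?&Email=autodiscover/autodiscover.json%3f@evil.com 443 - 203.0.113.7 Mozilla/5.0 200",
    "2022-09-30 10:15:02 10.0.0.5 GET /owa/auth/logon.aspx - 443 - 198.51.100.10 Mozilla/5.0 200",
    "2022-09-30 10:15:03 10.0.0.5 GET /autodiscover/autodiscover.json Email=user@example.com 443 - 198.51.100.11 Outlook/16.0 200",
    "2022-09-30 10:16:00 10.0.0.5 GET /owa/auth/pxh4HG1v.ashx - 443 - 206.188.196.77 python-requests/2.28 200",
]

# Constructed file listing: two benign files and two of the advisory's artifacts.
SAMPLE_FILES = [
    r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\logon.aspx",
    r"C:\inetpub\wwwroot\aspnet_client\README.txt",
    r"c:\program files\microsoft\exchange server\v15\frontend\httpproxy\owa\auth\errorEE.aspx",
    r"C:\inetpub\wwwroot\aspnet_client\Xml.ashx",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, ioc_ip_set(ADVISORY_IOCS)):
        print(f"row {f.line_no} from {f.client_ip}: {', '.join(f.reasons)}")
    for p in find_webshell_artifacts(SAMPLE_FILES):
        print("artifact on disk:", p)
```

    The host-confusion check is deliberately narrow: a legitimate Autodiscover query carries an e-mail address after the "@" but no path, so Email=user@example.com does not fire, while the advisory's @evil.com/<backend> shape does. Treat hits as triage leads to be confirmed against the full IOC list and the vendor mitigation guidance rather than as verdicts.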

  • Threat Roundup for September 23 to September 30
    by William Largent (Cisco Talos Intelligence Group - Comprehensive Threat Intelligence) on September 30, 2022 at 8:46 pm

    Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Sept. 23 and Sept. 30. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, it summarizes the threats we've observed by highlighting key behavioral characteristics and indicators of compromise, and discusses how our customers are automatically protected from these threats. As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net. For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. A visual depiction of the MITRE ATT&CK techniques associated with each threat is also shown. In these images, the brightness of the technique indicates how prevalent it is across all threat files where dynamic analysis was conducted. There are five distinct shades that are used, with the darkest indicating that no files exhibited technique behavior and the brightest indicating that technique behavior was observed from 75 percent or more of the files.

    The most prevalent threats highlighted in this roundup are:

    Threat Name | Type | Description
    Win.Virus.Parite-9970689-0 | Virus | Parite is a polymorphic file infector. It infects executable files on the local machine and on network drives.
    Win.Malware.Zusy-9970856-0 | Malware | Zusy, also known as TinyBanker or Tinba, is a trojan that uses man-in-the-middle attacks to steal banking information. When executed, it injects itself into legitimate Windows processes such as "explorer.exe" and "winver.exe." When the user accesses a banking website, it displays a form to trick the user into submitting personal information.
    Win.Dropper.Remcos-9970861-0 | Dropper | Remcos is a remote access trojan (RAT) that allows attackers to execute commands on the infected host, log keystrokes, interact with a webcam and capture screenshots. This malware is commonly delivered through Microsoft Office documents with macros, sent as attachments on malicious emails.
    Win.Malware.Emotet-9970880-0 | Malware | Emotet is currently one of the most widely distributed and active malware families. It is a highly modular threat that can deliver a wide variety of payloads. The botnet is commonly delivered via Microsoft Office documents with macros sent as attachments to malicious emails.
    Win.Dropper.TrickBot-9970890-0 | Dropper | TrickBot is a banking trojan targeting sensitive information for certain financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB scripts.
    Win.Dropper.XtremeRAT-9971238-0 | Dropper | XtremeRAT is a remote access trojan active since 2010 that allows the attacker to eavesdrop on users and modify the running system. The source code for XtremeRAT, written in Delphi, was leaked online and has since been used by similar RATs.
    Win.Dropper.Kuluoz-9971090-0 | Dropper | Kuluoz, sometimes known as "Asprox," is a modular remote access trojan that downloads and executes follow-on malware, such as fake antivirus software. Kuluoz is often delivered via spam emails pretending to be shipment delivery notifications or flight booking confirmations.
    Win.Dropper.Shiz-9971537-0 | Dropper | Shiz is a remote access trojan that allows an attacker to access an infected machine in order to harvest sensitive information. It is commonly spread via droppers or by visiting a malicious site.
    Win.Packed.Fareit-9971247-1 | Packed | The Fareit trojan is primarily an information stealer with functionality to download and install other malware.

    Threat Breakdown

    Win.Virus.Parite-9970689-0

    Indicators of Compromise
    IOCs collected from dynamic analysis of 29 samples

    Registry Keys | Occurrences
    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED Value Name: HideFileExt | 29
    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED Value Name: Hidden | 29
    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CABINETSTATE Value Name: fullpath | 29
    <HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E Value Name: LanguageList | 1
    <HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E Value Name: @explorer.exe,-7001 | 1

    Files and or directories created | Occurrences
    %TEMP%\<random, matching '[a-z]{3}[A-F0-9]{3,4}'>.tmp | 29

    File Hashes
    0536b9760519d832e0c5ff072cad054ef2ae43dbe57330d48c609aeb75e6ae43
    0fb870a5615c6c24fa559ae795c3366d80a97622fe2efac880330772344a9760
    10308179aec9cf03dfe7fcd95aba9f1da191f70406d653157ea3746e63423c93
    15e5fc751dbee4b99c094bbfd15d5b4c3655e0a8a34af84cb4773f2bcd265db8
    16048c5e4b000118579343bcf188dbb5bcc0d313bd144a08a76423a7ff990c58
    1a16bf0852508c3742325cd1b25c6fa9f9580e42017f273ff81d41edea8bd579
    23c44b2d663dcb0224e7a2dcbd9a179923baf1c1d95f221f0435eef3fa6c7913
    264dfb45197cb3e37d2054313e54c5549dd53f9d6cbc4a7cf9963b8275e59811
    3605daf57520cfe6759abc471cb9a55ff4a6b99711ee3718ce6db3438b63a7e0
    39139ac00356189a53c9122b4efa10a9e5ca42b25656cc794d4199d5a0e6003a
    3a19cc265b1767563c293cfe5dfd8083a1cb72e37625bd243538f210594bd9bf
    51f14dad750e0a93bdf69200d726c8f929a6e903dc837fefc5b2efdf7b33493e
    530e290a3e9383bc016d666d4829f2ca2c256f5f32e8c84e71346f1d4a65302a
    58950830c787ae1768a8d5aab290270b089b04e61d39e6b82a7daf51696fea03
5b0d897a5c748d58c536b19b0d16b3262cc238d65ac41d22f4552d1a2a0ea966 66fe640d820e530e4554251bcb07177a4f2fdea28fc13beb588898a0374fd20d 714ced6bb466961048291a1f89355892490a10bd6e206a256b2e3b97bf1fec55 7dbd9b1e5792f9085af025e526f331e00c878b2adc2e0d8c4a2c5dba4d79a32b 8c8c7b2a40fcdff745e87d060daac5798bda65e8e1568dd46e69d703a5adace3 933768be5d22750f182e69c91630a6f7af6f5db309ba61f83d5547c9a8865273 95463bf7d0d934880a1292e479f56d69596e43062eb18265ef43905702551af0 a1af5ed894006b1690455b12e58c117725a5274e7fc6f8410af119429171372d a9a2deaa34de9ebc68523c18ad02f8a27aae60818fda1583440df25f336f61c2 aedea0e8e6ee4e36191b3e67dcc71e169ea9c1419b5ad4a062f3f2d37a99f3a3 c000e844ca7377e4f3a8e4bfdf0962897effa1622660e8b48d190e2820ff4429 *See JSON for more IOCs Coverage Product Protection Secure Endpoint Cloudlock N/A CWS Email Security Network Security N/A Stealthwatch N/A Stealthwatch Cloud N/A Secure Malware Analytics Umbrella N/A WSA N/A Screenshots of Detection Secure Endpoint Secure Malware Analytics MITRE ATT&CK Win.Malware.Zusy-9970856-0 Indicators of Compromise IOCs collected from dynamic analysis of 13 samples Registry Keys Occurrences <HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E Value Name: LanguageList 8 <HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E Value Name: @explorer.exe,-7001 8 <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\APPLICATIONDESTINATIONS Value Name: MaxEntries 1 IP Addresses contacted by malware. Does not indicate maliciousness Occurrences 47[.]111[.]103[.]192 13 Domain Names contacted by malware. 
Does not indicate maliciousness Occurrences os[.]ieycc[.]com 13 Files and or directories created Occurrences \Client.txt 13 %TEMP%\Tomato.ini 13 %APPDATA%\testing.dat 13 \TEMP\1E0F0E0A120B156B155B15E0C0F160E0D160A.exe 1 \TEMP\1F0F0D0C120A156D155E15E0A0E160B0C160F.exe 1 \TEMP\1F0B0B0A120E156C155E15D0A0F160D0E160D.exe 1 \TEMP\1C0B0F0A120C156F155C15E0B0A160F0E160D.exe 1 \TEMP\1B0C0D0C120A156E155C15C0E0D160D0B160E.exe 1 \TEMP\1B0F0A0D120F156E155C15F0C0E160E0F160A.exe 1 \TEMP\1E0F0B0A120F156F155E15D0B0E160B0D160E.exe 1 \TEMP\1D0D0C0E120C156D155F15A0A0E160C0C160A.exe 1 \TEMP\1E0D0C0D120F156E155C15F0A0E160D0C160F.exe 1 \TEMP\1C0B0C0B120D156E155E15A0E0F160B0D160D.exe 1 \TEMP\1E0C0F0F120A156A155B15A0F0A160E0D160A.exe 1 \TEMP\1E0C0A0A120B156F155D15A0E0F160B0A160A.exe 1 \TEMP\1E0B0C0D120C156C155A15D0D0D160B0D160C.exe 1 File Hashes 015c6d06fe9aaa4844b5e008796cbb854cf6765c2ca398f596dd2fceeceb6c95 0de5af728d4834e450386979efd9681bd54bfeb65f687cccd621f3a20331c050 43d5fb959a8c848030537e37f0d0638bc57bb83652dba85ee2e868a17f1d10ef 568bc0b8c2e914ca7cb2f62bfd82839c584d14d3d47b96ea34703b9d024c78ec 7539e13bb8b001f08742f38c29b42135a2b414e2ba095cf3bf74f38db78f3e0f 80459aa210f4e16b123a27b47c1191872b79a6c6a8751613ad1b649a0f1f3426 974e745bbf32ea7bf0bcff7bd04e3b13f8f3c9cf8a79d01f34658729c793e333 aa22f56078cf431f2587ea270f428fff6d4eee5b08d542b40b89a9712e14e5b3 acf7e8303fd53c63b778a611773267ecf001225772bee1fccbd2a2370ad6e658 ae24b008cb2dc1855367cd814581f1092d9899a77e982f8fc746409c29afbaaa b13513bd0c731f688fe25804c6dd74a3126d0494549368c8d692bd85d2024e5f e35cb24702c24b57edf8f1439a1409b6c8c0f97bc30a90a3c396fdd0f3c38f84 f9501ffa9e293c88c61e0071fdc5b7ce2d00e1c8bc20a564ab906dfb9565e4c7 Coverage Product Protection Secure Endpoint Cloudlock N/A CWS Email Security Network Security N/A Stealthwatch N/A Stealthwatch Cloud N/A Secure Malware Analytics Umbrella N/A WSA N/A Screenshots of Detection Secure Endpoint Secure Malware Analytics MITRE ATT&CK Win.Dropper.Remcos-9970861-0 Indicators of Compromise IOCs 
collected from dynamic analysis of 42 samples IP Addresses contacted by malware. Does not indicate maliciousness Occurrences 172[.]98[.]192[.]37 42 Domain Names contacted by malware. Does not indicate maliciousness Occurrences www[.]djapp[.]info 42 Files and or directories created Occurrences %TEMP%\<random, matching '[a-z]{3}[A-F0-9]{3,4}'>.tmp 42 %APPDATA%\Microsoft\Windows\Cookies\NFIM9G9G.txt 10 %TEMP%\FltFD54.exe 1 %TEMP%\FltFAC5.exe 1 %TEMP%\FltFF0C.exe 1 %TEMP%\FltA28D.exe 1 %TEMP%\FltE1AD.exe 1 %TEMP%\FltFAB6.exe 1 %TEMP%\Flt593A.exe 1 %TEMP%\FltF8C2.exe 1 %TEMP%\Flt4F6E.exe 1 %TEMP%\FltFB71.exe 1 %TEMP%\FltA461.exe 1 %TEMP%\FltFD74.exe 1 %TEMP%\Flt23BD.exe 1 %TEMP%\Flt8A88.exe 1 %TEMP%\FltBC04.exe 1 %TEMP%\FltF633.exe 1 %TEMP%\FltB040.exe 1 %TEMP%\Flt6184.exe 1 %TEMP%\Flt540D.exe 1 %TEMP%\Flt5D82.exe 1 %TEMP%\FltBD3A.exe 1 %TEMP%\tnf5FD1.exe 1 %TEMP%\FltC777.exe 1 *See JSON for more IOCs File Hashes 00cda027a316d979f614cd747e8eea14fcc1f7a144b5eb5fc385ea3b52ada9ac 04a7c806cd6404d5547bf136331733e970364c0090c705b0002170ca7fa59882 06a0c6a86e47342846759164e0a7da0087e5926d1bdf48b64ad106b6e53951a4 0d103909b0c3e6ac0021b1aa8bbd17b50d1f94ccfb6011a1b70609b6a45668fe 0d503f2d89c74456f441b95033f1f7f1b5f8c9b9ef338c177beb7e22c3844cb8 13d63a2102b3685464c7f32f95fb4ed6287f51db1da590f7141ad36d2ec0fe00 16de9b5489c9bc4900f94a6939e4a5124caee0ce2ac4dcd938850385c35ecd94 16e1726e22af546ae83bf70500135f69e1f3805c2c49752b6098c07f0815307a 1bb3b038b6da9ca30bf12a24ab4e0361ff60c6375bed74492ac37652e2ecd3da 23f59e71fd7d520a50ae1aaea2c026ae2f05a85d6bf1f24301ceac52e713157b 24d621a695ef4fae5b296bc2bb6071cc90b9c56415f70464797e69080b6a7e75 2635c53ba6293fe95e539dfd0f480835ceb7b47c6971a3024ae8443893eca176 2c65cccfb66e0773395cd78f4c742f03cdf3d482357278cf53cd47ea87f62f04 2d82667b13cc3acb398ae87a83674ce3a334867e82d20b4fd809a14d10323084 2e53c50fd916da51599be464f226b09f28d70fe323cb292c115b9723d402ddde 3457b58ade09a9a581003687d9bd904c6200dcc96aafbb24450c371a165c96d8 
3832ee4b74d72c5b4e8299cc9e20248145ff74a7364ebfeb2baa9ee60c0a00d8 38ff5081e308b00e57028e3ad749ae4dccf165796a073fafacd6e6cbad31cc21 3e278b7296bcb58b47e8d60ee9a7f44c548a6d790cdf45fcdff6bc526c395a93 3f4fa0de7c9e2b18b0e16b1cbd72dcc279d5ab6b727992a158ed4bced8663f87 40318b04af3f4761f989d5725e61fc41bd034990e3a86478c897466416632c44 4126cae93a6d1471fbf37ef4a73347ed4fa136486fe7229b06721db5d50ed27c 479e0fa51921d000d9ae53beb96c8d88b3e90ba563b7595db6d015fe0c41beea 50532f85c712a7ba7e79ba23130a568fdfcfde7c3bdbcec90edea02aacef7f9b 535e141dc2b44bdafa9fd3ef6c3355413bd7837c5bfc398c608ea49e150b7727 *See JSON for more IOCs Coverage Product Protection Secure Endpoint Cloudlock N/A CWS Email Security Network Security Stealthwatch N/A Stealthwatch Cloud N/A Secure Malware Analytics Umbrella WSA Screenshots of Detection Secure Endpoint Secure Malware Analytics MITRE ATT&CK Win.Malware.Emotet-9970880-0 Indicators of Compromise IOCs collected from dynamic analysis of 25 samples Registry Keys Occurrences <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{690D1BD7-EA98-1004-3AC9-E87553700E95} 25 <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{690D1BD7-EA98-1004-3AC9-E87553700E95}\SHELLFOLDER 25 <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{10CDDA71-B745-777B-1AF7-51696DB9BB93} 25 <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{10CDDA71-B745-777B-1AF7-51696DB9BB93}\SHELLFOLDER 25 <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{8BAB5812-9D02-8F14-74B1-BEDE393F8C1F} 25 <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{8BAB5812-9D02-8F14-74B1-BEDE393F8C1F}\SHELLFOLDER 25 <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{10DF83AD-199B-9C18-3FEF-E4ECD6A42F66} 25 <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{10DF83AD-199B-9C18-3FEF-E4ECD6A42F66}\SHELLFOLDER 25 <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{1AD90FE5-CE2F-E8B8-CF09-E0B1912E9542} 25 
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{1AD90FE5-CE2F-E8B8-CF09-E0B1912E9542}\SHELLFOLDER 25 <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{05ED06D6-F422-71CC-26B3-C9964D56F645} 25 <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{05ED06D6-F422-71CC-26B3-C9964D56F645}\SHELLFOLDER 25 <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{98B09642-2764-54AE-3333-D8C6CA536428} 25 <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{98B09642-2764-54AE-3333-D8C6CA536428}\SHELLFOLDER 25 <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{63D99860-AA40-CA79-F681-9DECBEF55447} 25 <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{63D99860-AA40-CA79-F681-9DECBEF55447}\SHELLFOLDER 25 <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{D4B277A3-C25E-BCDE-A054-D41AAC36394B} 25 <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{D4B277A3-C25E-BCDE-A054-D41AAC36394B}\SHELLFOLDER 25 <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{FE9DE6BC-A4CF-8285-E73C-DFE7A08197FE} 25 <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{FE9DE6BC-A4CF-8285-E73C-DFE7A08197FE}\SHELLFOLDER 25 <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{B11CF2E2-C0C2-7860-F12E-428101DCB963} 25 <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{B11CF2E2-C0C2-7860-F12E-428101DCB963}\SHELLFOLDER 25 <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{7E6AEF51-F5A7-48A0-B175-FE26B30A3B42} 25 <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{7E6AEF51-F5A7-48A0-B175-FE26B30A3B42}\SHELLFOLDER 25 <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{39D7DE2A-54FC-2744-D7AC-675623A7BCA2} 25 Mutexes Occurrences {24d07012-9955-711c-e323-1079ebcbe1f4} 25 {bf18992f-6351-a1bd-1f80-485116c997cd} 25 {dbad1190-816b-947c-9b01-53ef739d7edb} 25 {ed099f6b-73d9-00a3-4493-daef482dc5ca} 20 Files and or 
directories created Occurrences %APPDATA%\Microsoft\Crypto\RSA\S-1-5-21-2580483871-590521980-3826313501-500\a18ca4003deb042bbee7a40f15e1970b_d19ab989-a35f-4710-83df-7b2db7efe7c5 25 %System32%\Tasks\Ryddmbivo 25 %APPDATA%\<random, matching '[a-z0-9]{3,7}'> 25 %System32%\8452\eudcedit.exe 1 %APPDATA%\F9NSFA\MRT.exe 1 %APPDATA%\EoXbu\BdeUISrv.exe 1 %System32%\9450\VSSVC.exe 1 %System32%\7744\ComputerDefaults.exe 1 %APPDATA%\RAQ9\calc.exe 1 %System32%\9936\psr.exe 1 %APPDATA%\Q7e9\rekeywiz.exe 1 %System32%\5094\WindowsAnytimeUpgrade.exe 1 %APPDATA%\U6yhd\DeviceDisplayObjectProvider.exe 1 %System32%\5022\msra.exe 1 %APPDATA%\EtXM\fvenotify.exe 1 %System32%\1402\ddodiag.exe 1 %APPDATA%\bsPEU\wbengine.exe 1 %System32%\6726\StikyNot.exe 1 %APPDATA%\Kal6bb\sethc.exe 1 %System32%\6787\ie4uinit.exe 1 %APPDATA%\Y74EoZ\Dxpserver.exe 1 %System32%\7651\rrinstaller.exe 1 %APPDATA%\aF7U\WerFault.exe 1 %System32%\6604\DeviceDisplayObjectProvider.exe 1 %APPDATA%\rmluRRx\MRT.exe 1 *See JSON for more IOCs File Hashes 0be6c8c9f6626f0cbc875a04f81d65ec51646285f607fc23610ced0698d2d356 0e00806596a0084133b662804d645e485a94d42b50e7634608bfc572bc6f99bc 10d50610dc069e961878c8d2be79f7ba638125c2f0229086f27d2261f7ef7074 209494092b65fdebe368f90fdf69cd878f931fb334c059611ccabe84301887e2 24273a46f41c978ebd1b7014cd43c05d7273e638fa539e21adf9b16fcd6d7fa4 270234993c0381d55e1d5615099a692a0e11139d6d5b353f625ac6197cc5fadd 2ce15b1bfa8a577f79da8bbcf2159bf3661aed963cdbbb59ddbf333da4bb52ea 370de40215ce6a4e8f27e33d7a6edcd9cc4c86dc39aa86246d02308f556ff39e 5239bbf6672c93344f21741c4016ea154db5f6aa3989514244de6c55532f54d4 5341a8e7076ea8dbba28ed69ec1130f361c7e90505afbb191f639d6b8295a3e7 634295ad711f68679e6471766d8ca49454c7276348211b6d99a5539e314e7ddb 64c51179f273e00dcb08ddf0c401a3e7c6b4441421f4a0f907bc32f4aaf54191 65c0c35adfcd488cde26d72ba39dd77052f0d6f54c40d10003d824ce1079a630 670db2f68e0bb350f98d1f0ea9624e45536473bb9f1552270be89d87aba17ed9 77c9d7eb923718013ec2145d35a18f17b326655e226b6f252ca6967b0837b39a 
8ded5e3631dcd94576d1770289b38005c95c1456588157fd01ea6191c7bcaf1a 91c351ad5a31c40ccf05069b4dde6d0d8e2ff7e78118ca4d110bfe8fcef7d5b6 96e1d30dda3746847269a2707bf4261deadf3d146d1e9df5bd163743ef6b0902 9cebaa66b09ae6043e137c87fece4f2f55a3ae9cbbbb64414e0202a6d3db8932 9d019b660a52484961f7d540d3fe62da22c2c09be968474a614f9dd94ae8c7e5 a2074b34223a80ea0a46784e03ab9e09f86deb98c470c10b2999692fe19777b3 a81460aa2b31719c28672cc624c8fd83e3cbde9d4fc59fb1c55a0713b22a031b a8e2070710eb026f8d9aa46032576b1d474171ea11bb6d2cff97cc9e2069a3af ae65c3182b13c9012b1fc98d483a3c1c7bfd82193d1cd14b1e2a0572458530b1 ae8b637375e736db787d31a4081f2f39ce25908f3276807e43a6eceb4e511377 *See JSON for more IOCs Coverage Product Protection Secure Endpoint Cloudlock N/A CWS Email Security Network Security N/A Stealthwatch N/A Stealthwatch Cloud N/A Secure Malware Analytics Umbrella N/A WSA N/A Screenshots of Detection Secure Endpoint Secure Malware Analytics MITRE ATT&CK Win.Dropper.TrickBot-9970890-0 Indicators of Compromise IOCs collected from dynamic analysis of 10 samples Registry Keys Occurrences <HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E Value Name: LanguageList 3 <HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E Value Name: @explorer.exe,-7001 3 <HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E Value Name: @C:\Windows\system32\DeviceCenter.dll,-2000 2 Mutexes Occurrences Global\VLock 3 Global\683173c1-3af4-11ed-9660-001517635527 1 IP Addresses contacted by malware. Does not indicate maliciousness Occurrences 104[.]18[.]115[.]97 2 91[.]83[.]88[.]51 1 92[.]63[.]102[.]64 1 195[.]133[.]144[.]237 1 34[.]160[.]111[.]145 1 195[.]133[.]196[.]130 1 Domain Names contacted by malware. 
Does not indicate maliciousness Occurrences obyavlenie[.]lisx[.]ru 10 icanhazip[.]com 2 ipecho[.]net 1 Files and or directories created Occurrences %APPDATA%\winapp\Modules 3 %System32%\Tasks\services update 3 %APPDATA%\winapp\client_id 3 %APPDATA%\winapp\group_tag 3 %APPDATA%\winapp 3 %APPDATA%\winapp\24ae736c30cacc5f26f34e07c47ca97c.exe 1 %APPDATA%\winapp\0g5d59dff6a3d3g20046c0ga554f8f9ef8d3e2c767g46c2592d53d6c604df5g9.exe 1 %APPDATA%\winapp\39g7366fcac6cdd0a64ag077e5ga30354aggg87d682e9cd06940033777cefaf2.exe 1 File Hashes 0a9fd6d744cc4fa8e08eee7c95c58d6cb9cb995a249597bdc8beba4ab5fdd921 0f4c49cee6a2c2f10036b0fa443e8e9de8c2d1b757f36b1491c42c6b503ce4f9 14bf94de8b881459e2f6f49051b1411da60e3526251751048bdde18f99d93f1e 29f7266ebab5bcc0a53af077d4fa20243afff87c681d9bc06930022777bdeae1 42162ca740023f144cf1f5efc8f9680f5db0ac16e0cf9eeb88f57275a5bbd38e 489d8e1c47548164a35abb21dbe155972aa09e6c65c0fd7456baf79d3ffb3539 7820f15d39888555e5d2189015d13491d58e2c345921064777155febcaf9b88e 8c1326a8e1f6c781441f3a5da6fe962337a03b9a3ffd93495e933e051d24f4a0 eac3e3c5636e62a6865ff6e048875506d16ed22ffd8caca23529407eb94a2478 f3395ab28c54a61118784d205926e7122ff7735d92d992c22db9dd63fd3a8e28 Coverage Product Protection Secure Endpoint Cloudlock N/A CWS Email Security Network Security Stealthwatch N/A Stealthwatch Cloud N/A Secure Malware Analytics Umbrella N/A WSA N/A Screenshots of Detection Secure Endpoint Secure Malware Analytics MITRE ATT&CK Win.Dropper.XtremeRAT-9971238-0 Indicators of Compromise IOCs collected from dynamic analysis of 25 samples Registry Keys Occurrences <HKCU>\SOFTWARE\<random, matching '[a-zA-Z0-9]{5,9}'> 16 <HKCU>\SOFTWARE\<random, matching '[a-zA-Z0-9]{5,9}'> Value Name: InstalledServer 16 <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: HKLM 15 <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: HKCU 15 <HKCU>\SOFTWARE\<random, matching '[a-zA-Z0-9]{5,9}'> Value Name: ServerStarted 6 
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{T88RCWLO-A2V2-4LXR-TJ24-W4CWO446W6OJ} 5 <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{T88RCWLO-A2V2-4LXR-TJ24-W4CWO446W6OJ} Value Name: StubPath 5 <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{424A7MGK-RCMT-8C4V-40EM-XW7BLA8PVRC7} 5 <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{424A7MGK-RCMT-8C4V-40EM-XW7BLA8PVRC7} Value Name: StubPath 5 <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{5K3TI7P5-LW5S-LR18-4174-DG7KKUL703V7} 3 <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{5K3TI7P5-LW5S-LR18-4174-DG7KKUL703V7} Value Name: StubPath 3 <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{5460C4DF-B266-909E-CB58-E32B79832EB2} 2 <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{5460C4DF-B266-909E-CB58-E32B79832EB2} Value Name: StubPath 2 Mutexes Occurrences XTREMEUPDATE 16 <random, matching [a-zA-Z0-9]{5,9}EXIT> 15 <random, matching [a-zA-Z0-9]{5,9}>PERSIST 11 <random, matching [a-zA-Z0-9]{5,9}> 6 zZgdeZ8P 5 Q6gWX0 5 Q6gWX0PERSIST 5 Global\<random guid> 4 Domain Names contacted by malware. 
Domain Names contacted by malware. Does not indicate maliciousness (Occurrences)
  profesorjedi11[.]myftp[.]biz 10
  profesorjedi3[.]myftp[.]biz 3
  clarityz[.]no-ip[.]biz 2
  dynamic[.]no-ip[.]biz 2
  cooempresas1[.]ddns[.]net 1

Files and or directories created (Occurrences)
  %TEMP%\x.html 15
  %SystemRoot%\SysWOW64\System32 10
  %APPDATA%\Microsoft\Windows\<random, matching '[a-zA-Z0-9]{5,9}'>.dat 6
  %APPDATA%\Microsoft\Windows\<random, matching '[a-zA-Z0-9]{5,9}'>.cfg 6
  %SystemRoot%\SysWOW64\Sistem32 5
  %APPDATA%\Microsoft\Windows\zZgdeZ8P.cfg 5
  %SystemRoot%\SysWOW64\System32\crrsc.exe 5
  %APPDATA%\Microsoft\Windows\zZgdeZ8P.dat 5
  %APPDATA%\Microsoft\Windows\Q6gWX0.cfg 5
  %SystemRoot%\SysWOW64\Sistem32\crrsc.exe 5
  %APPDATA%\Microsoft\Windows\Q6gWX0.dat 5
  %SystemRoot%\SysWOW64\System32\csrrs.exe 3
  %SystemRoot%\SysWOW64\System32\csrss.exe 2
  %SystemRoot%\SysWOW64\Drivers\System.exe 1

File Hashes
  02bbfb5be9238a07f4bbc310640558187fffe927b6c61aef277f25e556b42976
  034fd97c565ab91825e7d810d5e629f00bb25f54ac1ed7f1846e7f1c23d1ecd2
  104a08c153d9d099bad368fc405a2888a153bfaa1cf33f99f43fbc1b97d0282f
  1a7fa38a87b8d63bdef718b54626476dd952673e010877eb0412041a227ae587
  1b70089136743505bd03a024ed1d6faca2a618397aecf14eceafed7e708c42ef
  1d281e8cd1c5e451d069a2df9eed854f4bfa28e91881e7e2bfea2be0cfd6e2d0
  2a4841ab8656fedadeb5dcc16821ca4789ba29a1df607c72f73fe6de8c55f965
  4a5a09ce229c5f06f96114b0c55b1b2a645b75ab6e5f1f3df524efc9e6b549df
  4e960f7a51969cc989219642701cb327e7713462eff60866099fb16632e1c636
  521f339fe84053ddc608a8f1faf2774ea1f6fa1ee3ad252f642967f27c2ebb2e
  52f4aba104b5caadff9baa7eb92e4ff21c176ff183a59f0283555de081e74c9a
  53743558915afca3fcf12a83095ed8448502c37ac0ce847268bd34ff2b17eaef
  54d8e6f9d64d480ad1381ddcd730d786be7b94b34154fa9ae6a46fc06670732a
  58432dc37d6e18bf7f719c42d1a955374dc04c737ec433384fa61ea7c895ce8a
  5f0a9ba0fc1146512ec06df04fb3eedcaaf67df5534d2895bdee7d39dbb767d4
  6aeceda58114f30d5286bf84e92bfc293d5fb1ed4648c29d9e6ba6e229ad6c0a
  73711c78caf84f57df3e54a7e0d47dc5b91c73d521e6e5de2da31694c7a2cd1d
  747ae8b9f401e6f92381039c80d98f2fbff9f1c94ab1479c23e9bd67714208b5
  7d56d2784dafc2edb6f002e66504b3222f899712167f5d67878e576adf5bfff4
  87365c8be5e1df23024d4f06108ca715ca6960fab1db19241af01dc249049b34
  95774b16ad3920dee24ad1211ad677003bace3db07e351dcfa92ea8c9fb0de4d
  9811dc1790865ba850a085b86faf45d12e6d18de3746fba1f79e7d5bc07b81e6
  9fc0af5f00d92876795d06cadc1ec27ce789be7d4396cca1a4d39c10a1a13cee
  cf6bf580a1c08b6d4c8e4b73c65a156dd87e6157b358a22f58e6c4e741a62088
  d2dd951900f73760709d95358434a8d382363f78cbd78a4476e361225b2fdb90

*See JSON for more IOCs

Coverage (Product: Protection)
  Secure Endpoint: (indicator image not captured)
  Cloudlock: N/A
  CWS: (indicator image not captured)
  Email Security: (indicator image not captured)
  Network Security: N/A
  Stealthwatch: N/A
  Stealthwatch Cloud: N/A
  Secure Malware Analytics: (indicator image not captured)
  Umbrella: N/A
  WSA: N/A

Screenshots of Detection (images not captured): Secure Endpoint, Secure Malware Analytics
MITRE ATT&CK (image not captured)

Win.Dropper.Kuluoz-9971090-0

Indicators of Compromise
IOCs collected from dynamic analysis of 26 samples

Registry Keys (Occurrences)
  <HKCU>\SOFTWARE\<random, matching '[a-zA-Z0-9]{5,9}'> 26
  <HKCU>\SOFTWARE\HLUAPPSN Value Name: simfbhec 2
  <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: fihacxpj 2
  <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: rtvamnqd 1
  <HKCU>\SOFTWARE\UTLRUTMU Value Name: jqusubuo 1
  <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: kilanrco 1
  <HKCU>\SOFTWARE\AUBBBWXT Value Name: ibmqpuls 1
  <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: opoiitvt 1
  <HKCU>\SOFTWARE\BWCRDATG Value Name: qmiabusl 1
  <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: mwxoukfx 1
  <HKCU>\SOFTWARE\BTTXALDX Value Name: micawbbp 1
  <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: jtqieuec 1
  <HKCU>\SOFTWARE\BBWAIJEJ Value Name: lmpebxqp 1
  <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: emgsvrci 1
  <HKCU>\SOFTWARE\MNSVSFDT Value Name: jkxkagel 1
  <HKCU>\SOFTWARE\MBJFFRTQ Value Name: bgmxnfso 1
  <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: akpgniqk 1
  <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: hrcgucbt 1
  <HKCU>\SOFTWARE\NTKIGTHP Value Name: etduinsg 1
  <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: pjecpkuu 1
  <HKCU>\SOFTWARE\NHSATHPS Value Name: mxopsxdc 1
  <HKCU>\SOFTWARE\HPEDSDSE Value Name: vfkeebww 1
  <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: icccipkm 1
  <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: ilxotnrg 1
  <HKCU>\SOFTWARE\AFTNNBRU Value Name: kchufmmw 1

Mutexes (Occurrences)
  aaAdministrator 26
  abAdministrator 26

IP Addresses contacted by malware. Does not indicate maliciousness (Occurrences)
  69[.]64[.]36[.]244 21
  16[.]156[.]201[.]237 17
  110[.]77[.]220[.]66 15
  5[.]249[.]139[.]132 15
  85[.]12[.]29[.]251 13
  5[.]175[.]166[.]35 13
  130[.]60[.]202[.]71 11
  198[.]57[.]165[.]46 10

Files and or directories created (Occurrences)
  %LOCALAPPDATA%\<random, matching '[a-z]{8}'>.exe 26

File Hashes
  01e772c69c3d96d7da41baf1b4630a9b93cda39bd4b5b0234f1de2a818788965
  0507e74fa55bfb2a725358b0e5d2a3ad82d95a15b8dda89eda0892276855c6e0
  0575881e5f371494a9b928ea409bce3fc15b35f4a6fc47f5b3ccc267e6428d05
  13830d13f9538029311649ec0b7d2b70afd36d0d38432550c973123429eb940b
  14b22ef72fd4f36063c344d7358e32d9529010b303b09bcc11f562bf2d4981a7
  1f226936fa8a2ae6ff457619b2883377cbe741decadc705095d4527a7ae9a4d8
  21f96423b4b10c910ef1ae4f584ed1e49944f2166c41aac0d9f53ad042933f89
  25c31d64ed3db07f502aee95703ec407b34dff5a3fdc34bf2b3b64250f2ec0e2
  3578e19cbb128d0b2b7fb009c8041deed69144c0e20e6c58c18967a2abcc0c1b
  422f405e2d70ed3bd58f6e9c4ef7d1a4ed8b912fc8acde5cab9068f34fc55f09
  46b398648a6f022657c1a7a6bf0dae147562f354b34fa9b82103d8566b01c771
  4cc31dc0d33247799cb383ede808dea70ab9081847e46b2ce95e2c054cd97011
  576ed58a06ae914ae06a711af19b30a9f02ece2d435f84b7bea71fedc19dd995
  5bad5333dcfea5b33727b34cde45b54d36cbf01d3fb0a1a915de8df1569b4fb1
  5e3329e3193099fe8e09922ac85a7ab3e8ae89f0ae4f0f7a93fb30aacc7726e3
  5e398a7762fe420158605cfb72bc309197c7c9346fc43a5cc8ccb0a14db25483
  66b43dd194bf97f705c361ad1cc82a0f5c1afca7b03d57f99a3011cdefdc536f
  6da9fe76f563ff6265b8971b601fb5037a93011fb16294b5ee7564f332d554ed
  6ed6b8dececdaf3ee4ce0072d309125c5cef6e3ffef23f48baa3b0d3763462be
  7c42e9ea360ccfb28b41c3490b305dcace56fea64e858ac3cde0984f6c9f3d07
  816c6679de23475fe46588ce4380091c985ad689210fbf4daea6ca383f423465
  8379ba1a2904b162411009fbe1bc4c94efd1ccf72ab38989dffb2077c1a0ec74
  86e574bcb8a28b933731a83f9166c23c717a9840dfdecffde9130e9a2d598e08
  8e39459d72319dc5e7f184b363ac8d7e3a486fbc6e02f9ad2273d0b0502a188d
  8e5f994ccd02d59bc203efd3ff130575c4d9c170599592dd45696b87c4f4b420

*See JSON for more IOCs

Coverage (Product: Protection)
  Secure Endpoint: (indicator image not captured)
  Cloudlock: N/A
  CWS: (indicator image not captured)
  Email Security: (indicator image not captured)
  Network Security: N/A
  Stealthwatch: N/A
  Stealthwatch Cloud: N/A
  Secure Malware Analytics: (indicator image not captured)
  Umbrella: N/A
  WSA: N/A

Screenshots of Detection (images not captured): Secure Endpoint, Secure Malware Analytics
MITRE ATT&CK (image not captured)

Win.Dropper.Shiz-9971537-0

Indicators of Compromise
IOCs collected from dynamic analysis of 27 samples

Registry Keys (Occurrences)
  <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: internat.exe 27
  <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS Value Name: ProxyEnable 27
  <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP Value Name: UNCAsIntranet 27
  <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP Value Name: AutoDetect 27
  <HKLM>\SOFTWARE\MICROSOFT Value Name: 67497551a 27
  <HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS Value Name: load 27
  <HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS Value Name: run 27
  <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: userinit 27
  <HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON Value Name: 98b68e3c 27
  <HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON Value Name: userinit 27
  <HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON Value Name: System 27
  <HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS Value Name: run 27
  <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: userinit 27
  <HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\159\SHELL Value Name: KnownFolderDerivedFolderType 1

Mutexes (Occurrences)
  Global\674972E3a 27
  Global\MicrosoftSysenterGate7 27
  internal_wutex_0x<random, matching [0-9a-f]{8}> 27
  internal_wutex_0x000004b4 26
  internal_wutex_0x0000043c 26
  internal_wutex_0x000004dc 25
  internal_wutex_0x000000e0 1
  internal_wutex_0x0000038c 1
  internal_wutex_0x00000448 1
  internal_wutex_0x000006a0 1

IP Addresses contacted by malware. Does not indicate maliciousness (Occurrences)
  204[.]79[.]197[.]200 15
  13[.]107[.]21[.]200 12
  45[.]33[.]23[.]183 8
  173[.]255[.]194[.]134 6
  72[.]14[.]178[.]174 6
  72[.]14[.]185[.]43 6
  45[.]56[.]79[.]23 5
  45[.]33[.]2[.]79 5
  45[.]33[.]30[.]197 5
  45[.]33[.]18[.]44 4
  45[.]79[.]19[.]196 3
  198[.]58[.]118[.]167 3
  85[.]94[.]194[.]169 2
  96[.]126[.]123[.]244 1
  45[.]33[.]20[.]235 1

Domain Names contacted by malware. Does not indicate maliciousness (Occurrences)
  kevopoxecun[.]eu 27
  rycaropynar[.]eu 27
  lyxemoxyquf[.]eu 27
  puzoxyvojyc[.]eu 27
  fotaqizymig[.]eu 27
  cidufitojex[.]eu 27
  puvacigakog[.]eu 27
  xuboninogyt[.]eu 27
  cicezomaxyz[.]eu 27
  dixyjohevon[.]eu 27
  fokisohurif[.]eu 27
  volugomymet[.]eu 27
  maganomojer[.]eu 27
  jefecajazif[.]eu 27
  qedylaqecel[.]eu 27
  nojotomipel[.]eu 27
  gahoqohofib[.]eu 27
  rytifaquwer[.]eu 27
  kepujajynib[.]eu 27
  lyrosajupid[.]eu 27
  tuwaraqidek[.]eu 27
  pumebeqalew[.]eu 27
  cinycekecid[.]eu 27
  divulewybek[.]eu 27
  vocijekyqiv[.]eu 27

*See JSON for more IOCs

Files and or directories created (Occurrences)
  %TEMP%\<random, matching [A-F0-9]{1,4}>.tmp 27
  %TEMP%\F1A0.tmp 1
  %TEMP%\8350.tmp 1
  %TEMP%\6709.tmp 1
  %TEMP%\5ABC.tmp 1
  %TEMP%\DF95.tmp 1

File Hashes
  03ceb23a35bcd7170f8e2293c15aa444406959d789fda9ff9e412cf7a3a6ad90
  0a00f10084231e3abf745b456d522c27a284cd17e5824a91026e6511a0073792
  0a9d1eec9b14e840863b4948703b4c1a50b8d1c16d6cd6c0191ed55e82864ea3
  0aa380118e812371de65b56f760676f611ddda8a7dd422ed1e62214c2a8303d1
  0b38f48ffc49f1b53724384bd894702bcf49f2d68c1b84e4e0eeb931d572d294
  0b8cfcf3c71b18b73ec50c68115b5d7538eab4d21168272d547e4b6316ed592a
  0d8afb797e2ce9f712f3b5fb22317ec97cd8ea55b85855ffb33f362f45e3b706
  10d952070cca8a50175e4193e23e798484f215faa6ac8261b37caebb4ae4c22a
  16487b9aabc544819f3e1843e196d8e6b982b15ae95b9b599af310c0f4a0763e
  1751820a0b3e9669c512077ef08caa8cc8bd7cba8bb54eb97c574ba6dfa09d2d
  1bafc4ef3a634e29c71f52e5b0f3ea6ab3cd55e25ef9623d8d21302a13ac4833
  21c50af5ea57cf75b6bcf6e74b8008b335a440d4f4fd8499d2abc287116a0100
  2473d34831b6fef2e985c045c3a00880d05aceeeac10edf1f09ff38a1cbc44af
  2602a1096a4eec7291145b4570c1a0e814c03fba18d3d76d1b82f6e0dacaecf8
  2656072242b6777473e258b7f0fc7777cda688fe95f0050f375ffeb12f000c28
  2856afa65f2c7f0a23be68ce6899f24a9d3e12fa4f3b00644562e1ecdc06eed1
  28b92d2ad7b6c9865a5eda3ca5435cbcd7b24fd0b48ed61c9c7b87af542b88ed
  29bc8c64d83b59592ced9e79fd8e242344fedaa9bff3d385ce5372de7e035b4b
  2a812fc2558cfe90756a59a8d79ec8da9e14d7fec59cd9bbc5189a67a86629eb
  2e7fe1b9448cb0cca242f4b72fd956f21ad262587b88135045bc07a010cec102
  3047c7b03f084dc15ddbca4044a0fb2376af8b3799e4316194de8ef1474e1bf8
  321f58c68fead768a8465532821b62ec741482135b0a5460d48838433cde6133
  32b2f95694db2d96de89e4f8644cbdf68229903053c066499141b323d4acca1a
  34beb6169472ea58264460d2673a70128474e9bdb62fe998e5c22f9a4fa61a8c
  350596b9f1a539dddfd73cb4d10c605ec8cc8ed227bd2f33f31fddd6f190e7d8

*See JSON for more IOCs

Coverage (Product: Protection)
  Secure Endpoint: (indicator image not captured)
  Cloudlock: N/A
  CWS: (indicator image not captured)
  Email Security: (indicator image not captured)
  Network Security: (indicator image not captured)
  Stealthwatch: N/A
  Stealthwatch Cloud: N/A
  Secure Malware Analytics: (indicator image not captured)
  Umbrella: (indicator image not captured)
  WSA: (indicator image not captured)

Screenshots of Detection (images not captured): Secure Endpoint, Secure Malware Analytics
MITRE ATT&CK (image not captured)

Win.Packed.Fareit-9971247-1

Indicators of Compromise
IOCs collected from dynamic analysis of 13 samples

Registry Keys (Occurrences)
  <HKCU>\SOFTWARE\WINRAR 13
  <HKCU>\SOFTWARE\WINRAR Value Name: HWID 13

IP Addresses contacted by malware. Does not indicate maliciousness (Occurrences)
  168[.]144[.]38[.]105 13

File Hashes
  1acb437594832fbf922ea62142314c31026f4345dfd31cf843acb52eca1aec92
  1cc621b3d1a8db17783e813726cee6309e7802110a6d93779b7096e723023628
  39b43b15aeb0a1aff4ca35928a2dd25aa6439c2faa24721424a749cd5b376153
  57e6addd9c1c9f9367c48020e1f004a26cd6b361c6145ec97e554fd991ca5925
  6bc8e9d23757833faff22d586d92d2274283e5bbe400bf07fdd2c5a070f39bd2
  84238de8af6828ea6864308ce0ea0f0e798c31c2e105c3b7bf0f238732738d78
  8f1566be038140548e9c1350a9ae28d95c1b70b8f79c0ba3ba094ffec8b530c2
  914e1a2a9ca34ba6b66795165ea9e57d2817f3aa23ed662a565c9ad6c6476459
  a9b1fb4abbebe49a65998d688a02819d8bdc3eeeebad496b94b5f6b27ff4e49b
  b7f64dd2cb3cb310bfbbd54e29b4f9c03e94bd474ab487e403aec3357350307a
  c6c1fcd270017f81a8113545eb42471f98700eb162ccbd4272b54de6435c4971
  f4fd5a689233ea0c7c0d1599f14b68554f5c07f0c12c86981e0eef4be06940be
  fb2a62eecd3f1a04e0633f43d472229ef3994de0a212da08d21c9fea8577016e

Coverage (Product: Protection)
  Secure Endpoint: (indicator image not captured)
  Cloudlock: N/A
  CWS: (indicator image not captured)
  Email Security: (indicator image not captured)
  Network Security: N/A
  Stealthwatch: N/A
  Stealthwatch Cloud: N/A
  Secure Malware Analytics: (indicator image not captured)
  Umbrella: N/A
  WSA: N/A

Screenshots of Detection (images not captured): Secure Endpoint, Secure Malware Analytics
MITRE ATT&CK (image not captured)

  • Defend your organization from ransomware attacks with Cisco Secure Endpoint
    by Nirav Shah (Security - Cisco Blogs) on September 28, 2022 at 12:00 pm

    Learn how Cisco Secure Endpoint defends your organization from ransomware attacks.

  • Cyber Insurance and the Attribution Conundrum
    by Martin Lee (Security - Cisco Blogs) on September 27, 2022 at 12:00 pm

    Claiming on cyber insurance policies is soon to depend on attack attribution. What does this mean for CISOs and insurers?

News

  • Why Don’t You Go Dox Yourself?
    by Zoe Lindsey (Security - Cisco Blogs) on October 7, 2022 at 12:00 pm

    This step-by-step dox guide makes protecting yourself online easy, accessible, and maybe even fun.

  • Threat Source newsletter (Oct. 6, 2022) — Continuing down the Privacy Policy rabbit hole
    by Jon Munshaw (Cisco Talos Intelligence Group - Comprehensive Threat Intelligence) on October 6, 2022 at 6:00 pm

    By Jon Munshaw. Welcome to this week’s edition of the Threat Source newsletter. As I wrote about last week, I’ve been diving a lot into apps’ privacy policies recently. And I was recently made aware of a new type of app I never knew existed — family trackers. There are countless mobile apps for parents to track their children or other family members based on their location, phone usage, and even driving speed. As an anxious soon-to-be-parent, this sounds intriguing to me — it’d be a souped-up version of Find my Friends on Apple devices so I’d never have to ask my teenager (granted, I’m many years away from being at that stage of my life) when they were coming home or where they were. Just as with all other types of mobile apps, there are pitfalls, though. Life360, one of the most popular of these types of apps, which even tells users what their maximum driving speed was on a given trip, was found in December 2021 to be selling precise location data on its users, potentially affecting millions of people. Once that precise location data is out there, there is no telling who could eventually get a hold of it. Even if Life360 doesn’t intend to let adversaries see this information, they don’t have direct control over how those third parties handle the information once it’s sold off. The app’s current and updated privacy policy states that it "may also share location information with our partners, such as Cuebiq and its Partners, for tailored advertising, attribution, analytics, research and other purposes.” However, users do have the ability to opt out of this inside the app. There is hardware that offers this same type of tracking.

    Jealous, angry or paranoid spouses and parents have used Apple’s AirTags in the past to unknowingly track people, eventually to the point that Apple had to address the issue directly and provide several updates to AirTags’ security and precise location alerts to make it easier for users to find potentially unwanted AirTags on their cars or personal belongings. This is truthfully just an area of concern I had never considered before. Many parents would do anything for their children’s safety, which is certainly understandable. But just like personal health apps, we need to consider the security trade-offs here, too. As we’ve said before, no one truly has “nothing to hide,” especially when it comes to minors or vulnerable populations. I’m not saying using any of these apps is inherently wrong, or that AirTags do not have their legitimate purposes. But any time we welcome this software and hardware into our homes and on our devices, it’s worth considering what sacrifices we might be making elsewhere.

    The one big thing

    Microsoft warned last week of the exploitation of two recently disclosed vulnerabilities collectively referred to as "ProxyNotShell," affecting Microsoft Exchange Servers 2013, 2016 and 2019. One of these vulnerabilities could allow an attacker to execute remote code on the targeted server. Limited exploitation of these vulnerabilities in the wild has been reported. CVE-2022-41040 is a Server-Side Request Forgery (SSRF) vulnerability, while CVE-2022-41082 enables Remote Code Execution (RCE) when PowerShell is accessible to the attackers.

    Why do I care?

    Exchange vulnerabilities have become increasingly popular with threat actors, as they can provide initial access to network environments and are often used to facilitate more effective phishing and malspam campaigns. The Hafnium threat actor exploited several zero-day vulnerabilities in Exchange Server in 2021 to deliver ransomware, and Cisco Talos Incident Response reported that the exploitation of Exchange Server issues was one of the four attacks they saw most often last year.

    So now what?

    While no fixes or patches are available yet, Microsoft has provided mitigations for on-premises Microsoft Exchange users on Sept. 29, 2022. Even organizations that use Exchange Online may still be affected if they run a hybrid server. While Microsoft continues to update their mitigations, some security researchers posit they can be bypassed. Talos has released several Snort rules to detect the exploitation of these vulnerabilities and associated malware families used in these attacks.

    Top security headlines from the week

    More than 2 million Australians’ personal information is at risk after a data breach at telecommunications giant Optus. More than 1.2 million customers have had at least one ID number from a current and valid form of identification, along with other personal data, according to an update from the company’s CEO. Adding to the confusion, the company told many residents in New South Wales that it would need to replace their driver’s license, only to later backtrack to say that would not be the case for everyone affected. Optus says it enlisted a third party to complete a thorough review of the compromise to identify security gaps and any other potential fallout. (ABC News, Nine News)

    The Vice Society ransomware group leaked more than 500 GB worth of data on employees and students at the unified Los Angeles School District after the district refused to pay a requested extortion payment after a ransomware attack several weeks ago. Officials said the leak was less extensive than originally expected and limited to attendance and academic records from 2013 - 2016. The district declined to pay the ransom because there was no guarantee that the actors would not leak the information anyway. Threat actors have commonly targeted the education sector with ransomware attacks as the school year started and their networks were particularly vulnerable. (Axios, Los Angeles Times)

    The infamous Lazarus Group threat actor continues to ramp up its activity, recently exploiting open-source software and Dell hardware to target companies all over the globe. A recent report from Microsoft found that the group was impersonating contributors to open-source projects and injecting malicious updates for that software to users. In a separate campaign, the APT also used an exploit in a Dell firmware driver to deliver a Windows rootkit targeting an aerospace company and high-profile journalist in Belgium. Lazarus Group is known for operating with North Korean state interests, often stealing cryptocurrency or finding other ways to earn money. (Bleeping Computer, Security Affairs)

    Can’t get enough Talos?

      • Developer account body snatchers pose risks to the software supply chain
      • Researcher Spotlight: Globetrotting with Yuri Kramarz
      • Threat Roundup for Sept. 23 - 30
      • Talos Takes Ep. #115: An "insider threat" doesn't always have to know they're a threat
      • Cobalt Strike malware campaign targets job seekers
      • Government, Union-Themed Lures Used to Deliver Cobalt Strike Payloads

    Upcoming events where you can find Talos

      • Cisco Security Solution Expert Sessions (Oct. 11 & 13), Virtual
      • GovWare 2022 (Oct. 18 - 20), Sands Expo & Convention Centre, Singapore
      • Conference On Applied Machine Learning For Information Security (Oct. 20 - 21), Sands Capital Management, Arlington, Virginia

    Most prevalent malware files from Talos telemetry over the past week

    SHA 256: c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0
    MD5: 8c69830a50fb85d8a794fa46643493b2
    Typical Filename: AAct.exe
    Claimed Product: N/A
    Detection Name: PUA.Win.Dropper.Generic::1201

    SHA 256: e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934
    MD5: 93fefc3e88ffb78abb36365fa5cf857c
    Typical Filename: Wextract
    Claimed Product: Internet Explorer
    Detection Name: PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg

    SHA 256: 58d6fec4ba24c32d38c9a0c7c39df3cb0e91f500b323e841121d703c7b718681
    MD5: f1fe671bcefd4630e5ed8b87c9283534
    Typical Filename: KMSAuto Net.exe
    Claimed Product: KMSAuto Net
    Detection Name: PUA.Win.Tool.Hackkms::1201

    SHA 256: e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c
    MD5: a087b2e6ec57b08c0d0750c60f96a74c
    Typical Filename: AAct.exe
    Claimed Product: N/A
    Detection Name: PUA.Win.Tool.Kmsauto::1201

    SHA 256: 63d543945e33b4b6088dc34d0550213dc73ea6acce248d8353c63039e8fa284f
    MD5: a779d230c944ef200bce074407d2b8ff
    Typical Filename: mediaget.exe
    Claimed Product: MediaGet
    Detection Name: W32.File.MalParent

  • Cyber Chat – What Jurassic World Can Teach About Multi-Factor Authentication
    by Jennifer Bean (Veeam Software Official Blog) on October 6, 2022 at 1:06 pm

    My family and I have recently started a weekly dinner and a movie routine, where we base the dinner menu around the characters or premise of the movie. For us, we’re counting down to an upcoming family trip, but I’m hoping to keep up this fun routine even after our trip. The excitement of the kids picking an envelope as we all watch with excitement to see which movie we will be watching that week — and the same anticipation from mom and dad to see what type of food they will need to prepare in the coming days. Oh, the fun of family traditions… but now to the security part of this story. The post Cyber Chat – What Jurassic World Can Teach About Multi-Factor Authentication appeared first on Veeam Software Official Blog.

  • Employee Volunteer Program Supports Youth Globally
    by Mary Kate Schmermund (Security - Cisco Blogs) on October 6, 2022 at 12:00 pm

    Cisco’s employee volunteer program provides employees with paid time to contribute to their communities including supporting youth locally and globally.

  • Cyber Chat – Welcome to Cybersecurity Awareness Month
    by Jennifer Bean (Veeam Software Official Blog) on October 5, 2022 at 2:51 pm

    The other day, I was watching a local junior high school soccer match. One team was advancing down the field as the forward was calling out to his teammates where to go and who to cover. The other team was all crowded together just trying to get the ball. One team was focused on their strategy, while the other team was focused on one short term goal — get the ball. It probably isn’t hard to guess which team came out the victor in that game. The team focused on their short-term goal lost focus on their fundamentals — they didn’t think about what they would do if they got the ball or if their short-term goal wasn’t met and suddenly the ball was in the open field without any defenders helping the goalie. The post Cyber Chat – Welcome to Cybersecurity Awareness Month appeared first on Veeam Software Official Blog.

  • Service Providers: The Veeam difference in BaaS for public cloud
    by Michael Loos (Veeam Software Official Blog) on October 5, 2022 at 2:23 pm

    Being a managed service provider offering Backup as a Service (BaaS) for AWS, Microsoft Azure and Google Cloud can be daunting. You may end up trying to decipher the best solution just by combing through marketplace ads and descriptions. Deciding what’s needed and what’s not needed is crucial to ensure that you provide a cost-effective and efficient backup system that’s not only good for your customer but (let’s be honest) good for you as well. The post Service Providers: The Veeam difference in BaaS for public cloud appeared first on Veeam Software Official Blog.

  • Veeam’s Take On Google Cloud Next 2022: Reasons Why You Should Attend
    by Jo-Anne Bourne (Veeam Software Official Blog) on October 4, 2022 at 2:32 pm

    The countdown is on! Google Cloud Next is only seven days away! If you haven’t already registered, why haven’t you? Here are five reasons why you should attend Google Cloud Next 2022. The post Veeam’s Take On Google Cloud Next 2022: Reasons Why You Should Attend appeared first on Veeam Software Official Blog.

  • Developer account body snatchers pose risks to the software supply chain
    by Jaeson Schultz (Cisco Talos Intelligence Group - Comprehensive Threat Intelligence) on October 4, 2022 at 12:51 pm

    By Jaeson Schultz.

      • Over the past several years, high-profile software supply chain attacks have increased in frequency. These attacks can be difficult to detect and source code repositories became a key focus of this research.
      • Developer account takeovers present a substantial risk to the software supply chain because attackers who successfully compromise a developer account could conceal malicious code in software packages used by others.
      • Talos analyzed several of the major software repositories to assess the level of developer account security, focusing specifically on whether developer accounts could be recovered by re-registering expired domain names and triggering password resets.
      • Many software repositories have already begun taking steps to enhance the security of developer accounts. Talos has identified additional areas where the security of developer accounts could be improved. Talos worked with vulnerable repositories to resolve issues that we found.

    Software supply chain attacks, once the exclusive province of sophisticated state-sponsored attackers, have been gaining popularity recently among a broader range of cyber criminals. Attackers everywhere have realized that software supply chain attacks can be very effective, and can result in a large number of compromised victims. Software supply chain attacks more than tripled in 2021 when compared with 2020.

    Why are software supply chain attacks so effective? Organizations that possess solid cyber defenses may be difficult to attack directly. However, these same organizations are likely vulnerable to a software supply chain attack because they still regularly run/build software obtained from vendors who are trusted. Rather than attacking an entire software repository itself, or identifying an unpatched vulnerability in a software package, compromising the software supply chain can be as simple as attacking the accounts of the package developers and maintainers.

    Most software repositories track the identities of their software developers using those developers' email addresses. If a cybercriminal somehow gains access to a developer's email account, the attacker can theoretically generate password reset emails at these software repositories and take over the account belonging to that developer. Once inside, an attacker could then publish malicious updates to the code maintained by that developer, affecting every other piece of software that uses that library from then on.

    Cisco Talos examined several frequently used code repositories. We looked specifically at the security afforded to developer accounts, and how difficult it would be for an attacker to take over a developer account. While some repositories had stringent security in place, others did not. Fortunately, we worked with the managers of these repositories to resolve the major issues we found.

    Risks in the software supply chain

    Re-inventing the wheel is typically not a good idea. This holds true for many things, including developing software. Much software written today depends on third-party packages and software libraries to facilitate necessary functionality contained in the program. Utilizing third-party libraries and packages, especially open source, also speeds up development and lowers costs.

    Popular software packages have also become attractive targets for attackers. The more popular a software library is, the more external software will be using that library, and thus, the larger the potential attack surface. Compromising a software library can potentially compromise every other piece of software that relies on that software library for its functionality. This is the risk inherent in the software supply chain.

    With the exception of language-agnostic repositories like GitHub, most software repositories tend to be language specific. For example, JavaScript authors rely mostly on NPM, Python developers have PyPI, Perl programmers can often be found using packages obtained via CPAN, and so on. Each software repository sets its own rules when it comes to developers' accounts.

    Additionally, as many programmers are aware, some programming languages make a better choice for solving certain types of problems. For example, embedded systems drivers are more commonly written in C instead of Perl, while parsing text is more commonly done in Perl or Python, rather than C. This means that the process of writing programs that integrate third-party libraries into the code will also be different for each language. It is difficult to imagine a developer integrating a third-party library into a system-level driver written in C without carefully reviewing the related code and testing it for speed and functionality. However, when developing a feature-rich Perl proof-of-concept application or a web-based JavaScript application, this might not always be the case. A programmer in those instances might conceivably import a package first and ask questions later. This means some software repositories will carry more risk than others when it comes to malware hiding in the source code.

    NPM

    Node Package Manager is a JavaScript software repository and has been the subject of some "independent" security audits recently. There has been a lot of discussion online, especially concerning the security of the developer accounts there, and how easy it is to take over these accounts by re-registering expired email domains.

    There are more than 2 million packages in the NPM repository. Conveniently, an NPM package called "all-the-package-names" contains a list of all packages in the NPM repository. Each individual package at NPM has associated metadata, such as a text description of the package, a link to the package tarball, and a list of the package maintainers. Most importantly, the list of package maintainers has the developer's username and email address.

    Iterating through all the package names, and extracting the email addresses, then further extracting the domain names from those email addresses, provides the raw data necessary to find developer accounts associated with expired domains. Once an expired domain is found, it can be re-registered and theoretically used to take over the NPM developer account. But does it work this way in practice?

    Although we found a couple thousand expired developer account domain names, we could not recover the associated developer accounts. It appears the "couple things in place to protect against [account takeover]" that NPM administrator @MylesBorins mentioned in his tweet above are working as planned.

    Stale metadata helps foil attackers

    NPM provides developers with the ability to update the email address associated with their accounts. When a developer decides to switch email addresses, only the future package/version's metadata will contain the new email address. NPM does not retroactively update old metadata associated with a package that was previously published. This means that, even though someone looking to take over an NPM developer account might find package metadata indicating a developer with an expired email domain, it could simply be that the developer has updated their NPM account to a new email address. This was the case in May 2022, when a security researcher claimed to have taken over the NPM package "foreach" by re-registering the email domain belonging to the NPM developer. Unbeknownst to the security researcher, the developer in question had actually updated their NPM account to use their Gmail address instead. So if any password recovery attempts were made, they would have failed — NPM would have generated and sent the password reset emails to the new Gmail account on file, which is still under the original developer's control.

    PyPI

    PyPI is the Python Package Index and currently contains almost 400,000 projects. Developers at PyPI have email addresses associated with their accounts, however, PyPI does not display the email address publicly by default. This is an option that the developer must explicitly choose to enable. Many developers are, of course, eager to interact with others who are running their code, so it is no surprise that large numbers of developers enable this feature. PyPI accounts do not come with MFA enabled by default, so this is something else a developer would have to choose to enable. However, in July 2020 PyPI announced that it was rolling out mandatory MFA to "critical projects," a.k.a. the top 1% of the projects at PyPI (based on the number of downloads).

    A list of all PyPI packages is available online. Many of these packages contain a mailto: link containing an email address. There is also a list of maintainers of the package. For developers that expose their email addresses publicly, it's found on the user's public profile page. It is a relatively simple process to scrape the email addresses associated with PyPI projects. PyPI reveals whether an email address is associated with an account (but it probably should not).

    Account takeovers have been a problem at PyPI in the past. As recently as May 14, 2022, an attacker managed to take over a developer account and replaced the "ctx" package, adding malicious code that stole the user's environment variables, base64-encoded them and transmitted the data back to the attacker's C2 server. Fortunately, the changes made by the admins over at PyPI seem to be moving account security in the right direction.

    CPAN

    The Comprehensive Perl Archive Network (CPAN) contains more than 200,000 Perl modules. CPAN also provides an index of all the module authors. The individual module authors each have their own "homepage" that lists their contributed modules. For anyone who wants to reach out to the dev, CPAN includes the author's email address. A motivated attacker can easily scrape the CPAN website for a list of all author IDs and use those to scrape the email address belonging to the developers. A whois search on the email domain of the developer email addresses provides us with a list of developer accounts that are vulnerable to account takeover. From there, all that is required is standing the domain up somewhere and running a mail server. Triggering a password reset provides us with the magic link to get into the developer's account. Talos has reached out to the admins at CPAN and provided them with a list of the vulnerable developer accounts we found. CPAN has disabled these accounts.

    NuGet

    NuGet is a software repository for .NET developers. The NuGet "gallery" contains more than 317,000 packages. Fortunately, registered developers at NuGet have their email addresses hidden by default. There is an option to allow users to contact you, using a form on the NuGet website that does not disclose the email address of the developer. Developers have the option of adding their Twitter handle, and many developers do. If an attacker wishes to attack NuGet developers en masse, they would have a very difficult time assembling a list of developer email addresses.

    RubyGems

    RubyGems is a software repository for Ruby developers. There are currently approximately 172,000 gems (packages) in the repository. Developer email addresses are hidden from the public by default. Even unchecking the "Hide email in public profile" check box has no discernible effect, and the email address remains hidden. Some gems have "maintainers" files to indicate the contact email addresses of the developers, but this is not consistent across gems. Recently, the RubyGems team announced that they are enforcing MFA for top developer accounts.

    Conclusion

    The software supply chain attack problem is not likely to go away anytime soon. It is unreasonable to ask organizations to vet every piece of software that runs in their environment. Some amount of trust in software vendors and suppliers will always be necessary. However, that doesn't mean that defenders are helpless against these types of attacks.

    Organizations should analyze what software is required on various internal systems. Many times, there may be opportunities to segment a group of systems running a particular piece of software from the rest of the internal network. This way, any compromise that occurs as a result of a software supply chain attack will be limited in scope. Obviously, there are limitations to this approach.

    All parties in the software supply chain need to take more responsibility for security. For example, it would be far safer for software repositories to stop publishing or releasing any information related to a developer's email address. Yes, this is arguably a bit of security-by-obscurity, but it forces attackers to go elsewhere to correlate the email account of a developer with the particular software package in question, and greatly enhances the security of the repository. If a repository wishes to publish a developer's email address, it could instead give each developer an email address at the domain of the repository itself (e.g., @npmjs.com, @cpan.org, etc.).

    Forcing MFA on the most popular package maintainers also seems to be a sensible remedy that is currently being pursued by several repositories. However, security is always a delicate balance. If you sacrifice too much usability in the pursuit of security, developers may rebel, as was the case with PyPI developer "untitaker."

    One sure-fire countermeasure against developer account takeover via expired domain registration is code signing. This is really the best way to be sure that the code you use has not been tampered with since it was last signed, and is indeed from a developer you trust. An attacker who gets control of a developer's expired domain name would have no way to recover the code signing keys belonging to that developer and no way to impersonate that developer.

  • The Upcoming UK Telecoms (Security) Act Part One: What, Why, Who, When and How
    by Richard Archdeacon (Security - Cisco Blogs) on October 3, 2022 at 4:31 pm

    The Telecoms Security Requirements (TSRs) are rapidly approaching. Here, we outline what they mean for UK firms, and what they can do to prepare.

  • Researcher Spotlight: Globetrotting with Yuri Kramarz
    by Jon Munshaw (Cisco Talos Intelligence Group - Comprehensive Threat Intelligence) on October 3, 2022 at 2:00 pm

    From the World Cup in Qatar to robotics manufacturing in east Asia, this incident responder combines experience from multiple arenas

    By Jon Munshaw. Yuri “Jerzy” Kramarz helped secure everything from the businesses supporting the upcoming World Cup in Qatar to the Black Hat security conference and critical national infrastructure. He’s no stranger to cybersecurity on the big stage, but he still enjoys working with companies and organizations of all sizes in all parts of the world. “What really excites me is making companies more secure,” he said in a recent interview. “That comes down to a couple things, but it’s really about putting a few solutions together at first and then hearing the customer’s feedback and building from there.” Yuri is a senior incident response consultant with Cisco Talos Incident Response (CTIR) currently based in Qatar. He walks customers through various exercises, incident response plan creation, recovery in the event of a cyber attack and much more under the suite of offerings CTIR has. Since moving from the UK to Qatar, he is mainly focused on preparing various local entities in Qatar for the World Cup slated to begin in November. Qatar estimates more than 1.7 million people will visit the country for the international soccer tournament, averaging 500,000 per day at various stadiums and event venues. For reference, the World Bank estimates that 2.9 million people currently live in Qatar. This means the businesses and networks in the country will face more traffic than ever and will no doubt draw the attention of bad actors looking to make a statement or make money off ransomware attacks. “You have completely different angles in preparing different customers for defense during major global events depending on their role, technology and function,” Kramarz said.
In every major event, there were different devices, systems and networks interconnected to provide visitors and fans with various hospitality facilities that could be targeted in a cyber attack. Any country participating in the event needs to make sure they understand the risks associated with it and consider various adversary activities that might play out to secure these facilities. Kramarz has worked in several different geographic areas in his roughly 12-year security career, including Asia, the Middle East, Europe and the U.S. He has experience leading red team engagements (simulating attacks against targets to find potential security weaknesses) in traditional IT and ICS/OT environments, vulnerability research and blue team defense. The incident response field has been the perfect place for him to put all these skills to use. He joined Portcullis Security in 2011 as a security consultant and eventually moved throughout Cisco after it acquired Portcullis in 2015. As a red teamer, he had to develop exploits and think about the potential paper trail those exploits would leave behind — after all, it was his job to show where current security structures had failed. “Every time I would try to design a payload, I’d have to forensically understand what fingerprints are left on the system,” he said. “So effectively I had to do incident response for a decade before I joined CTIR.” That breadth of experience also helps because CTIR is platform-agnostic. He often must access and leverage other companies’ technology and software, such as during the Black Hat conference earlier this year when he was part of a Cisco team that set up and defended the on-site network in Las Vegas. “We had to check all the different technology stacks to make sure we could stop adversaries before they became a problem,” he said. “From there, we moved to use those technologies to detect what’s happening in real-time … and then we used [Cisco] SecureX to unify some of the response capability. 
By default, you pretty much must learn about every piece of technology that’s out there to provide an effective incident response as we can’t wait days or weeks to deploy something during an emergency.” Yuri is used to working in different time zones at different hours of the day, too. His favorite incident response to an engagement call came around midnight one night when he was on call — a large conglomerate was under attack and the adversaries deployed ransomware. He was part of the CTIR team who immediately responded to identify and eradicate the ransomware attack. CTIR eventually successfully brought systems back online. “And from there, we built a great relationship with the customer that’s been ongoing since then,” he said.

Yuri enjoys golfing in his free time.

Although incident response can lead to these kinds of late nights, Yuri said he’s thankful that Cisco Talos offers him the flexibility to work different hours and take time off when he needs it. Golf is his current outlet for relaxation, and it gives him something mutual to talk to people about regardless of what country they’re in. While not out on the green he likes to contribute to several open-source projects. Since coming into the incident response field, he’s had to flex his interpersonal skills more than ever because CTIR places such an emphasis on making IR a team sport. “The way I try to carry myself is to be happy and to look at my reflection every morning and say, ‘I’m doing the best I can for my customer,’” Kramarz said. “If I put my signature on a report, I want to make sure I’m proud of it.” Once the World Cup wraps up, Yuri said he will carry on focusing on securing critical infrastructure and operational technology. It’s a unique challenge, he said, because a lot of the technology can be more than 20 or 30 years old, and each customer is going to need a unique solution to their problems.
“One time during an incident in a different country, we had to look at physical manuals in binders from a decade before to figure out how the affected device actually worked and how someone could hack it, as only several of the devices had ever even been produced,” he said. “We know how to acquire evidence on the standard operating systems out there such as Unix or Windows, and we have the tools of the trade to help us with that. We often don’t get that in ICS/OT environment, so innovation is a key in this field.” If your organization would like to work with Yuri or one of his fellow CTIR team members, you can reach out to them here. Talos Incident Response offers a range of proactive services for security teams, including hands-on tabletop exercises, a state-of-the-art cyber range for training and much more.   

  • Demonstrating Trust and Transparency in Mergers and Acquisitions
    by Jason Button (Security - Cisco Blogs) on October 3, 2022 at 12:00 pm

    The importance of demonstrating security transparency and trust during the mergers and acquisition process.

  • Threat Advisory: Microsoft warns of actively exploited vulnerabilities in Exchange Server
    by Unknown (Cisco Talos Intelligence Group - Comprehensive Threat Intelligence) on September 30, 2022 at 9:16 pm

    Cisco Talos has released new coverage to detect and prevent the exploitation of two recently disclosed vulnerabilities collectively referred to as "ProxyNotShell," affecting Microsoft Exchange Servers 2013, 2016 and 2019. One of these vulnerabilities could allow an attacker to execute remote code on the targeted server. Limited exploitation of these vulnerabilities in the wild has been reported. CVE-2022-41040 is a Server Side Request Forgery (SSRF) vulnerability, while CVE-2022-41082 enables Remote Code Execution (RCE) when PowerShell is accessible to the attackers. While no fixes or patches are available yet, Microsoft has provided mitigations for on-premises Microsoft Exchange users on Sept. 29, 2022. Even organizations that use Exchange Online may still be affected if they run a hybrid server. Cisco Talos is closely monitoring the recent reports of exploitation attempts against these vulnerabilities and strongly recommends users implement mitigation steps while waiting for security patches for these vulnerabilities. Exchange vulnerabilities have become increasingly popular with threat actors, as they can provide initial access to network environments and are often used to facilitate more effective phishing and malspam campaigns. 
    The Hafnium threat actor exploited several zero-day vulnerabilities in Exchange Server in 2021 to deliver ransomware, and Cisco Talos Incident Response reported that the exploitation of Exchange Server issues was one of the four attacks they saw most often last year.

    Vulnerability details and ongoing exploitation

    Exploit requests for these vulnerabilities look similar to previously discovered ProxyShell exploitation attempts:

    autodiscover/autodiscover.json?@evil.com/<Exchange-backend-endpoint>&Email=autodiscover/autodiscover.json%3f@evil.com

    Successful exploitation of the vulnerabilities observed in the wild leads to preliminary information-gathering operations and the persistence of web shells for continued access to compromised servers. Open-source reporting indicates that web shells such as Antsword (a popular Chinese-language open-source web shell), SharPyShell (an ASP.NET-based web shell) and China Chopper have been deployed on compromised systems, consisting of the following artifacts:

    C:\inetpub\wwwroot\aspnet_client\Xml.ashx
    C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\errorEE.aspx
    C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\pxh4HG1v.ashx
    C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\RedirSuiteServiceProxy.aspx

    This activity is consistent with what is typically observed when attackers begin leveraging vulnerabilities in unpatched or vulnerable systems exposed to the internet. Initial reporting observed the download and deployment of additional malicious artifacts and implants on the infected systems using certutil; however, these TTPs may change as more threat actors start exploiting the vulnerabilities, followed by their own set of post-exploitation activities.

    Coverage

    Ways our customers can detect and block this threat are listed below.

    Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.

    Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.

    Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.

    Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.

    Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.

    Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.

    Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.

    Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.

    Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

    Cisco Talos is releasing SID 60642 to protect against CVE-2022-41040. In addition, we are releasing SIDs 60637-60641 to protect against malicious activity observed during exploitation of CVE-2022-41082.
    The existing SIDs 27966-27968, 28323, 37245, and 42834-42838 provide additional protection for the malicious activity observed during exploitation of CVE-2022-41082.

    The following ClamAV signatures have been released to detect malware artifacts related to this threat:

    Asp.Backdoor.AntSword-9972727-1
    Asp.Backdoor.Awen-9972728-0
    Asp.Backdoor.AntSword-9972729-0

    IOCs

    IPs and URLs

  • Threat Roundup for September 23 to September 30
    by William Largent (Cisco Talos Intelligence Group - Comprehensive Threat Intelligence) on September 30, 2022 at 8:46 pm

    Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Sept. 23 and Sept. 30. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats. As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net. For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. A visual depiction of the MITRE ATT&CK techniques associated with each threat is also shown. In these images, the brightness of the technique indicates how prevalent it is across all threat files where dynamic analysis was conducted. There are five distinct shades that are used, with the darkest indicating that no files exhibited technique behavior and the brightest indicating that technique behavior was observed from 75 percent or more of the files.

    The most prevalent threats highlighted in this roundup are:

    Win.Virus.Parite-9970689-0 (Virus): Parite is a polymorphic file infector. It infects executable files on the local machine and on network drives.
    Win.Malware.Zusy-9970856-0 (Malware): Zusy, also known as TinyBanker or Tinba, is a trojan that uses man-in-the-middle attacks to steal banking information. When executed, it injects itself into legitimate Windows processes such as "explorer.exe" and "winver.exe." When the user accesses a banking website, it displays a form to trick the user into submitting personal information.
    Win.Dropper.Remcos-9970861-0 (Dropper): Remcos is a remote access trojan (RAT) that allows attackers to execute commands on the infected host, log keystrokes, interact with a webcam and capture screenshots. This malware is commonly delivered through Microsoft Office documents with macros, sent as attachments on malicious emails.
    Win.Malware.Emotet-9970880-0 (Malware): Emotet is currently one of the most widely distributed and active malware families. It is a highly modular threat that can deliver a wide variety of payloads. The botnet is commonly delivered via Microsoft Office documents with macros sent as attachments to malicious emails.
    Win.Dropper.TrickBot-9970890-0 (Dropper): TrickBot is a banking trojan targeting sensitive information for certain financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution such as VB scripts.
    Win.Dropper.XtremeRAT-9971238-0 (Dropper): XtremeRAT is a remote access trojan active since 2010 that allows the attacker to eavesdrop on users and modify the running system. The source code for XtremeRAT, written in Delphi, was leaked online and has since been used by similar RATs.
    Win.Dropper.Kuluoz-9971090-0 (Dropper): Kuluoz, sometimes known as "Asprox," is a modular remote access trojan that downloads and executes follow-on malware, such as fake antivirus software. Kuluoz is often delivered via spam emails pretending to be shipment delivery notifications or flight booking confirmations.
    Win.Dropper.Shiz-9971537-0 (Dropper): Shiz is a remote access trojan that allows an attacker to access an infected machine in order to harvest sensitive information. It is commonly spread via droppers or by visiting a malicious site.
    Win.Packed.Fareit-9971247-1 (Packed): The Fareit trojan is primarily an information stealer with functionality to download and install other malware.

    Threat Breakdown

    Win.Virus.Parite-9970689-0

    Indicators of Compromise: IOCs collected from dynamic analysis of 29 samples.

    Registry Keys (Occurrences):
    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED, Value Name: HideFileExt (29)
    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED, Value Name: Hidden (29)
    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CABINETSTATE, Value Name: fullpath (29)
    <HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E, Value Name: LanguageList (1)
    <HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E, Value Name: @explorer.exe,-7001 (1)

    Files and/or directories created (Occurrences):
    %TEMP%\<random, matching '[a-z]{3}[A-F0-9]{3,4}'>.tmp (29)

    File Hashes: see the accompanying JSON file for the full list.

    Coverage: Secure Endpoint (image), Cloudlock N/A, CWS (image), Email Security (image), Network Security N/A, Stealthwatch N/A, Stealthwatch Cloud N/A, Secure Malware Analytics (image), Umbrella N/A, WSA N/A.

    Screenshots of Detection: Secure Endpoint; Secure Malware Analytics. MITRE ATT&CK: (image)

    Win.Malware.Zusy-9970856-0

    Indicators of Compromise: IOCs collected from dynamic analysis of 13 samples.

    Registry Keys (Occurrences):
    <HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E, Value Name: LanguageList (8)
    <HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E, Value Name: @explorer.exe,-7001 (8)
    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\APPLICATIONDESTINATIONS, Value Name: MaxEntries (1)

    IP Addresses contacted by malware (does not indicate maliciousness), Occurrences:
    47[.]111[.]103[.]192 (13)

    Domain Names contacted by malware (does not indicate maliciousness), Occurrences:
    os[.]ieycc[.]com (13)

    Files and/or directories created (Occurrences):
    \Client.txt (13)
    %TEMP%\Tomato.ini (13)
    %APPDATA%\testing.dat (13)

    File Hashes: see the accompanying JSON file for the full list.

    Coverage: Secure Endpoint (image), Cloudlock N/A, CWS (image), Email Security (image), Network Security N/A, Stealthwatch N/A, Stealthwatch Cloud N/A, Secure Malware Analytics (image), Umbrella N/A, WSA N/A.

    Screenshots of Detection: Secure Endpoint; Secure Malware Analytics. MITRE ATT&CK: (image)

    Win.Dropper.Remcos-9970861-0

    Indicators of Compromise: IOCs collected from dynamic analysis of 42 samples.

    IP Addresses contacted by malware (does not indicate maliciousness), Occurrences:
    172[.]98[.]192[.]37 (42)

    Domain Names contacted by malware (does not indicate maliciousness), Occurrences:
    www[.]djapp[.]info (42)

    Files and/or directories created (Occurrences):
    %TEMP%\<random, matching '[a-z]{3}[A-F0-9]{3,4}'>.tmp (42)
    %APPDATA%\Microsoft\Windows\Cookies\NFIM9G9G.txt (10)
    *See JSON for more IOCs

    File Hashes: see the accompanying JSON file for the full list.

    Coverage: Secure Endpoint (image), Cloudlock N/A, CWS (image), Email Security (image), Network Security (image), Stealthwatch N/A, Stealthwatch Cloud N/A, Secure Malware Analytics (image), Umbrella (image), WSA (image).

    Screenshots of Detection: Secure Endpoint; Secure Malware Analytics. MITRE ATT&CK: (image)

    Win.Malware.Emotet-9970880-0

    Indicators of Compromise: IOCs collected from dynamic analysis of 25 samples.

    Registry Keys (Occurrences): per-sample keys of the form <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{...} and <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{...}\SHELLFOLDER (25 each); see the accompanying JSON file for the full list.

    Mutexes (Occurrences):
    {24d07012-9955-711c-e323-1079ebcbe1f4} (25)
    {bf18992f-6351-a1bd-1f80-485116c997cd} (25)
    {dbad1190-816b-947c-9b01-53ef739d7edb} (25)
    {ed099f6b-73d9-00a3-4493-daef482dc5ca} (20)

    Files and/or directories created (Occurrences):
    %APPDATA%\Microsoft\Crypto\RSA\S-1-5-21-2580483871-590521980-3826313501-500\a18ca4003deb042bbee7a40f15e1970b_d19ab989-a35f-4710-83df-7b2db7efe7c5 (25)
    %System32%\Tasks\Ryddmbivo (25)
    %APPDATA%\<random, matching '[a-z0-9]{3,7}'> (25)
    *See JSON for more IOCs

    File Hashes: see the accompanying JSON file for the full list.

    Coverage: Secure Endpoint (image), Cloudlock N/A, CWS (image), Email Security (image), Network Security N/A, Stealthwatch N/A, Stealthwatch Cloud N/A, Secure Malware Analytics (image), Umbrella N/A, WSA N/A.

    Screenshots of Detection: Secure Endpoint; Secure Malware Analytics. MITRE ATT&CK: (image)

    Win.Dropper.TrickBot-9970890-0

    Indicators of Compromise: IOCs collected from dynamic analysis of 10 samples.

    Registry Keys (Occurrences):
    <HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E, Value Name: LanguageList (3)
    <HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E, Value Name: @explorer.exe,-7001 (3)
    <HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E, Value Name: @C:\Windows\system32\DeviceCenter.dll,-2000 (2)

    Mutexes (Occurrences):
    Global\VLock (3)
    Global\683173c1-3af4-11ed-9660-001517635527 (1)

    IP Addresses contacted by malware (does not indicate maliciousness), Occurrences:
    104[.]18[.]115[.]97 (2)
    91[.]83[.]88[.]51 (1)
    92[.]63[.]102[.]64 (1)
    195[.]133[.]144[.]237 (1)
    34[.]160[.]111[.]145 (1)
    195[.]133[.]196[.]130 (1)

    Domain Names contacted by malware (does not indicate maliciousness), Occurrences:
    obyavlenie[.]lisx[.]ru (10)
    icanhazip[.]com (2)
    ipecho[.]net (1)

    Files and/or directories created (Occurrences):
    %APPDATA%\winapp\Modules (3)
    %System32%\Tasks\services update (3)
    %APPDATA%\winapp\client_id (3)
    %APPDATA%\winapp\group_tag (3)
    %APPDATA%\winapp (3)
    %APPDATA%\winapp\24ae736c30cacc5f26f34e07c47ca97c.exe (1)
    %APPDATA%\winapp\0g5d59dff6a3d3g20046c0ga554f8f9ef8d3e2c767g46c2592d53d6c604df5g9.exe (1)
    %APPDATA%\winapp\39g7366fcac6cdd0a64ag077e5ga30354aggg87d682e9cd06940033777cefaf2.exe (1)

    File Hashes: see the accompanying JSON file for the full list.

    Coverage: Secure Endpoint (image), Cloudlock N/A, CWS (image), Email Security (image), Network Security (image), Stealthwatch N/A, Stealthwatch Cloud N/A, Secure Malware Analytics (image), Umbrella N/A, WSA N/A.

    Screenshots of Detection: Secure Endpoint; Secure Malware Analytics. MITRE ATT&CK: (image)

    Win.Dropper.XtremeRAT-9971238-0

    Indicators of Compromise: IOCs collected from dynamic analysis of 25 samples.

    Registry Keys (Occurrences):
    <HKCU>\SOFTWARE\<random, matching '[a-zA-Z0-9]{5,9}'> (16)
    <HKCU>\SOFTWARE\<random, matching '[a-zA-Z0-9]{5,9}'>, Value Name: InstalledServer (16)
    <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN, Value Name: HKLM (15)
    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN, Value Name: HKCU (15)
    <HKCU>\SOFTWARE\<random, matching '[a-zA-Z0-9]{5,9}'>, Value Name: ServerStarted (6)
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{T88RCWLO-A2V2-4LXR-TJ24-W4CWO446W6OJ} 5 <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{T88RCWLO-A2V2-4LXR-TJ24-W4CWO446W6OJ} Value Name: StubPath 5 <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{424A7MGK-RCMT-8C4V-40EM-XW7BLA8PVRC7} 5 <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{424A7MGK-RCMT-8C4V-40EM-XW7BLA8PVRC7} Value Name: StubPath 5 <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{5K3TI7P5-LW5S-LR18-4174-DG7KKUL703V7} 3 <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{5K3TI7P5-LW5S-LR18-4174-DG7KKUL703V7} Value Name: StubPath 3 <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{5460C4DF-B266-909E-CB58-E32B79832EB2} 2 <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{5460C4DF-B266-909E-CB58-E32B79832EB2} Value Name: StubPath 2 Mutexes Occurrences XTREMEUPDATE 16 <random, matching [a-zA-Z0-9]{5,9}EXIT> 15 <random, matching [a-zA-Z0-9]{5,9}>PERSIST 11 <random, matching [a-zA-Z0-9]{5,9}> 6 zZgdeZ8P 5 Q6gWX0 5 Q6gWX0PERSIST 5 Global\<random guid> 4 Domain Names contacted by malware. 
Does not indicate maliciousness Occurrences profesorjedi11[.]myftp[.]biz 10 profesorjedi3[.]myftp[.]biz 3 clarityz[.]no-ip[.]biz 2 dynamic[.]no-ip[.]biz 2 cooempresas1[.]ddns[.]net 1 Files and or directories created Occurrences %TEMP%\x.html 15 %SystemRoot%\SysWOW64\System32 10 %APPDATA%\Microsoft\Windows\<random, matching '[a-zA-Z0-9]{5,9}'>.dat 6 %APPDATA%\Microsoft\Windows\<random, matching '[a-zA-Z0-9]{5,9}'>.cfg 6 %SystemRoot%\SysWOW64\Sistem32 5 %APPDATA%\Microsoft\Windows\zZgdeZ8P.cfg 5 %SystemRoot%\SysWOW64\System32\crrsc.exe 5 %APPDATA%\Microsoft\Windows\zZgdeZ8P.dat 5 %APPDATA%\Microsoft\Windows\Q6gWX0.cfg 5 %SystemRoot%\SysWOW64\Sistem32\crrsc.exe 5 %APPDATA%\Microsoft\Windows\Q6gWX0.dat 5 %SystemRoot%\SysWOW64\System32\csrrs.exe 3 %SystemRoot%\SysWOW64\System32\csrss.exe 2 %SystemRoot%\SysWOW64\Drivers\System.exe 1 File Hashes 02bbfb5be9238a07f4bbc310640558187fffe927b6c61aef277f25e556b42976 034fd97c565ab91825e7d810d5e629f00bb25f54ac1ed7f1846e7f1c23d1ecd2 104a08c153d9d099bad368fc405a2888a153bfaa1cf33f99f43fbc1b97d0282f 1a7fa38a87b8d63bdef718b54626476dd952673e010877eb0412041a227ae587 1b70089136743505bd03a024ed1d6faca2a618397aecf14eceafed7e708c42ef 1d281e8cd1c5e451d069a2df9eed854f4bfa28e91881e7e2bfea2be0cfd6e2d0 2a4841ab8656fedadeb5dcc16821ca4789ba29a1df607c72f73fe6de8c55f965 4a5a09ce229c5f06f96114b0c55b1b2a645b75ab6e5f1f3df524efc9e6b549df 4e960f7a51969cc989219642701cb327e7713462eff60866099fb16632e1c636 521f339fe84053ddc608a8f1faf2774ea1f6fa1ee3ad252f642967f27c2ebb2e 52f4aba104b5caadff9baa7eb92e4ff21c176ff183a59f0283555de081e74c9a 53743558915afca3fcf12a83095ed8448502c37ac0ce847268bd34ff2b17eaef 54d8e6f9d64d480ad1381ddcd730d786be7b94b34154fa9ae6a46fc06670732a 58432dc37d6e18bf7f719c42d1a955374dc04c737ec433384fa61ea7c895ce8a 5f0a9ba0fc1146512ec06df04fb3eedcaaf67df5534d2895bdee7d39dbb767d4 6aeceda58114f30d5286bf84e92bfc293d5fb1ed4648c29d9e6ba6e229ad6c0a 73711c78caf84f57df3e54a7e0d47dc5b91c73d521e6e5de2da31694c7a2cd1d 
747ae8b9f401e6f92381039c80d98f2fbff9f1c94ab1479c23e9bd67714208b5 7d56d2784dafc2edb6f002e66504b3222f899712167f5d67878e576adf5bfff4 87365c8be5e1df23024d4f06108ca715ca6960fab1db19241af01dc249049b34 95774b16ad3920dee24ad1211ad677003bace3db07e351dcfa92ea8c9fb0de4d 9811dc1790865ba850a085b86faf45d12e6d18de3746fba1f79e7d5bc07b81e6 9fc0af5f00d92876795d06cadc1ec27ce789be7d4396cca1a4d39c10a1a13cee cf6bf580a1c08b6d4c8e4b73c65a156dd87e6157b358a22f58e6c4e741a62088 d2dd951900f73760709d95358434a8d382363f78cbd78a4476e361225b2fdb90 *See JSON for more IOCs Coverage Product Protection Secure Endpoint Cloudlock N/A CWS Email Security Network Security N/A Stealthwatch N/A Stealthwatch Cloud N/A Secure Malware Analytics Umbrella N/A WSA N/A Screenshots of Detection Secure Endpoint Secure Malware Analytics MITRE ATT&CK Win.Dropper.Kuluoz-9971090-0 Indicators of Compromise IOCs collected from dynamic analysis of 26 samples Registry Keys Occurrences <HKCU>\SOFTWARE\<random, matching '[a-zA-Z0-9]{5,9}'> 26 <HKCU>\SOFTWARE\HLUAPPSN Value Name: simfbhec 2 <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: fihacxpj 2 <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: rtvamnqd 1 <HKCU>\SOFTWARE\UTLRUTMU Value Name: jqusubuo 1 <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: kilanrco 1 <HKCU>\SOFTWARE\AUBBBWXT Value Name: ibmqpuls 1 <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: opoiitvt 1 <HKCU>\SOFTWARE\BWCRDATG Value Name: qmiabusl 1 <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: mwxoukfx 1 <HKCU>\SOFTWARE\BTTXALDX Value Name: micawbbp 1 <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: jtqieuec 1 <HKCU>\SOFTWARE\BBWAIJEJ Value Name: lmpebxqp 1 <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: emgsvrci 1 <HKCU>\SOFTWARE\MNSVSFDT Value Name: jkxkagel 1 <HKCU>\SOFTWARE\MBJFFRTQ Value Name: bgmxnfso 1 <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: akpgniqk 1 
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: hrcgucbt 1 <HKCU>\SOFTWARE\NTKIGTHP Value Name: etduinsg 1 <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: pjecpkuu 1 <HKCU>\SOFTWARE\NHSATHPS Value Name: mxopsxdc 1 <HKCU>\SOFTWARE\HPEDSDSE Value Name: vfkeebww 1 <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: icccipkm 1 <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: ilxotnrg 1 <HKCU>\SOFTWARE\AFTNNBRU Value Name: kchufmmw 1 Mutexes Occurrences aaAdministrator 26 abAdministrator 26 IP Addresses contacted by malware. Does not indicate maliciousness Occurrences 69[.]64[.]36[.]244 21 16[.]156[.]201[.]237 17 110[.]77[.]220[.]66 15 5[.]249[.]139[.]132 15 85[.]12[.]29[.]251 13 5[.]175[.]166[.]35 13 130[.]60[.]202[.]71 11 198[.]57[.]165[.]46 10 Files and or directories created Occurrences %LOCALAPPDATA%\<random, matching '[a-z]{8}'>.exe 26 File Hashes 01e772c69c3d96d7da41baf1b4630a9b93cda39bd4b5b0234f1de2a818788965 0507e74fa55bfb2a725358b0e5d2a3ad82d95a15b8dda89eda0892276855c6e0 0575881e5f371494a9b928ea409bce3fc15b35f4a6fc47f5b3ccc267e6428d05 13830d13f9538029311649ec0b7d2b70afd36d0d38432550c973123429eb940b 14b22ef72fd4f36063c344d7358e32d9529010b303b09bcc11f562bf2d4981a7 1f226936fa8a2ae6ff457619b2883377cbe741decadc705095d4527a7ae9a4d8 21f96423b4b10c910ef1ae4f584ed1e49944f2166c41aac0d9f53ad042933f89 25c31d64ed3db07f502aee95703ec407b34dff5a3fdc34bf2b3b64250f2ec0e2 3578e19cbb128d0b2b7fb009c8041deed69144c0e20e6c58c18967a2abcc0c1b 422f405e2d70ed3bd58f6e9c4ef7d1a4ed8b912fc8acde5cab9068f34fc55f09 46b398648a6f022657c1a7a6bf0dae147562f354b34fa9b82103d8566b01c771 4cc31dc0d33247799cb383ede808dea70ab9081847e46b2ce95e2c054cd97011 576ed58a06ae914ae06a711af19b30a9f02ece2d435f84b7bea71fedc19dd995 5bad5333dcfea5b33727b34cde45b54d36cbf01d3fb0a1a915de8df1569b4fb1 5e3329e3193099fe8e09922ac85a7ab3e8ae89f0ae4f0f7a93fb30aacc7726e3 5e398a7762fe420158605cfb72bc309197c7c9346fc43a5cc8ccb0a14db25483 
66b43dd194bf97f705c361ad1cc82a0f5c1afca7b03d57f99a3011cdefdc536f 6da9fe76f563ff6265b8971b601fb5037a93011fb16294b5ee7564f332d554ed 6ed6b8dececdaf3ee4ce0072d309125c5cef6e3ffef23f48baa3b0d3763462be 7c42e9ea360ccfb28b41c3490b305dcace56fea64e858ac3cde0984f6c9f3d07 816c6679de23475fe46588ce4380091c985ad689210fbf4daea6ca383f423465 8379ba1a2904b162411009fbe1bc4c94efd1ccf72ab38989dffb2077c1a0ec74 86e574bcb8a28b933731a83f9166c23c717a9840dfdecffde9130e9a2d598e08 8e39459d72319dc5e7f184b363ac8d7e3a486fbc6e02f9ad2273d0b0502a188d 8e5f994ccd02d59bc203efd3ff130575c4d9c170599592dd45696b87c4f4b420 *See JSON for more IOCs Coverage Product Protection Secure Endpoint Cloudlock N/A CWS Email Security Network Security N/A Stealthwatch N/A Stealthwatch Cloud N/A Secure Malware Analytics Umbrella N/A WSA N/A Screenshots of Detection Secure Endpoint Secure Malware Analytics MITRE ATT&CK Win.Dropper.Shiz-9971537-0 Indicators of Compromise IOCs collected from dynamic analysis of 27 samples Registry Keys Occurrences <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: internat.exe 27 <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS Value Name: ProxyEnable 27 <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP Value Name: UNCAsIntranet 27 <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP Value Name: AutoDetect 27 <HKLM>\SOFTWARE\MICROSOFT Value Name: 67497551a 27 <HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS Value Name: load 27 <HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS Value Name: run 27 <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: userinit 27 <HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON Value Name: 98b68e3c 27 <HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON Value Name: userinit 27 <HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON Value Name: System 27 <HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS Value Name: run 27 
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: userinit 27 <HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\159\SHELL Value Name: KnownFolderDerivedFolderType 1 Mutexes Occurrences Global\674972E3a 27 Global\MicrosoftSysenterGate7 27 internal_wutex_0x<random, matching [0-9a-f]{8}> 27 internal_wutex_0x000004b4 26 internal_wutex_0x0000043c 26 internal_wutex_0x000004dc 25 internal_wutex_0x000000e0 1 internal_wutex_0x0000038c 1 internal_wutex_0x00000448 1 internal_wutex_0x000006a0 1 IP Addresses contacted by malware. Does not indicate maliciousness Occurrences 204[.]79[.]197[.]200 15 13[.]107[.]21[.]200 12 45[.]33[.]23[.]183 8 173[.]255[.]194[.]134 6 72[.]14[.]178[.]174 6 72[.]14[.]185[.]43 6 45[.]56[.]79[.]23 5 45[.]33[.]2[.]79 5 45[.]33[.]30[.]197 5 45[.]33[.]18[.]44 4 45[.]79[.]19[.]196 3 198[.]58[.]118[.]167 3 85[.]94[.]194[.]169 2 96[.]126[.]123[.]244 1 45[.]33[.]20[.]235 1 Domain Names contacted by malware. Does not indicate maliciousness Occurrences kevopoxecun[.]eu 27 rycaropynar[.]eu 27 lyxemoxyquf[.]eu 27 puzoxyvojyc[.]eu 27 fotaqizymig[.]eu 27 cidufitojex[.]eu 27 puvacigakog[.]eu 27 xuboninogyt[.]eu 27 cicezomaxyz[.]eu 27 dixyjohevon[.]eu 27 fokisohurif[.]eu 27 volugomymet[.]eu 27 maganomojer[.]eu 27 jefecajazif[.]eu 27 qedylaqecel[.]eu 27 nojotomipel[.]eu 27 gahoqohofib[.]eu 27 rytifaquwer[.]eu 27 kepujajynib[.]eu 27 lyrosajupid[.]eu 27 tuwaraqidek[.]eu 27 pumebeqalew[.]eu 27 cinycekecid[.]eu 27 divulewybek[.]eu 27 vocijekyqiv[.]eu 27 *See JSON for more IOCs Files and or directories created Occurrences %TEMP%\<random, matching [A-F0-9]{1,4}>.tmp 27 %TEMP%\F1A0.tmp 1 %TEMP%\8350.tmp 1 %TEMP%\6709.tmp 1 %TEMP%\5ABC.tmp 1 %TEMP%\DF95.tmp 1 File Hashes 03ceb23a35bcd7170f8e2293c15aa444406959d789fda9ff9e412cf7a3a6ad90 0a00f10084231e3abf745b456d522c27a284cd17e5824a91026e6511a0073792 0a9d1eec9b14e840863b4948703b4c1a50b8d1c16d6cd6c0191ed55e82864ea3 0aa380118e812371de65b56f760676f611ddda8a7dd422ed1e62214c2a8303d1 
0b38f48ffc49f1b53724384bd894702bcf49f2d68c1b84e4e0eeb931d572d294 0b8cfcf3c71b18b73ec50c68115b5d7538eab4d21168272d547e4b6316ed592a 0d8afb797e2ce9f712f3b5fb22317ec97cd8ea55b85855ffb33f362f45e3b706 10d952070cca8a50175e4193e23e798484f215faa6ac8261b37caebb4ae4c22a 16487b9aabc544819f3e1843e196d8e6b982b15ae95b9b599af310c0f4a0763e 1751820a0b3e9669c512077ef08caa8cc8bd7cba8bb54eb97c574ba6dfa09d2d 1bafc4ef3a634e29c71f52e5b0f3ea6ab3cd55e25ef9623d8d21302a13ac4833 21c50af5ea57cf75b6bcf6e74b8008b335a440d4f4fd8499d2abc287116a0100 2473d34831b6fef2e985c045c3a00880d05aceeeac10edf1f09ff38a1cbc44af 2602a1096a4eec7291145b4570c1a0e814c03fba18d3d76d1b82f6e0dacaecf8 2656072242b6777473e258b7f0fc7777cda688fe95f0050f375ffeb12f000c28 2856afa65f2c7f0a23be68ce6899f24a9d3e12fa4f3b00644562e1ecdc06eed1 28b92d2ad7b6c9865a5eda3ca5435cbcd7b24fd0b48ed61c9c7b87af542b88ed 29bc8c64d83b59592ced9e79fd8e242344fedaa9bff3d385ce5372de7e035b4b 2a812fc2558cfe90756a59a8d79ec8da9e14d7fec59cd9bbc5189a67a86629eb 2e7fe1b9448cb0cca242f4b72fd956f21ad262587b88135045bc07a010cec102 3047c7b03f084dc15ddbca4044a0fb2376af8b3799e4316194de8ef1474e1bf8 321f58c68fead768a8465532821b62ec741482135b0a5460d48838433cde6133 32b2f95694db2d96de89e4f8644cbdf68229903053c066499141b323d4acca1a 34beb6169472ea58264460d2673a70128474e9bdb62fe998e5c22f9a4fa61a8c 350596b9f1a539dddfd73cb4d10c605ec8cc8ed227bd2f33f31fddd6f190e7d8 *See JSON for more IOCs Coverage Product Protection Secure Endpoint Cloudlock N/A CWS Email Security Network Security Stealthwatch N/A Stealthwatch Cloud N/A Secure Malware Analytics Umbrella WSA Screenshots of Detection Secure Endpoint Secure Malware Analytics MITRE ATT&CK Win.Packed.Fareit-9971247-1 Indicators of Compromise IOCs collected from dynamic analysis of 13 samples Registry Keys Occurrences <HKCU>\SOFTWARE\WINRAR 13 <HKCU>\SOFTWARE\WINRAR Value Name: HWID 13 IP Addresses contacted by malware. 
Does not indicate maliciousness Occurrences 168[.]144[.]38[.]105 13 File Hashes 1acb437594832fbf922ea62142314c31026f4345dfd31cf843acb52eca1aec92 1cc621b3d1a8db17783e813726cee6309e7802110a6d93779b7096e723023628 39b43b15aeb0a1aff4ca35928a2dd25aa6439c2faa24721424a749cd5b376153 57e6addd9c1c9f9367c48020e1f004a26cd6b361c6145ec97e554fd991ca5925 6bc8e9d23757833faff22d586d92d2274283e5bbe400bf07fdd2c5a070f39bd2 84238de8af6828ea6864308ce0ea0f0e798c31c2e105c3b7bf0f238732738d78 8f1566be038140548e9c1350a9ae28d95c1b70b8f79c0ba3ba094ffec8b530c2 914e1a2a9ca34ba6b66795165ea9e57d2817f3aa23ed662a565c9ad6c6476459 a9b1fb4abbebe49a65998d688a02819d8bdc3eeeebad496b94b5f6b27ff4e49b b7f64dd2cb3cb310bfbbd54e29b4f9c03e94bd474ab487e403aec3357350307a c6c1fcd270017f81a8113545eb42471f98700eb162ccbd4272b54de6435c4971 f4fd5a689233ea0c7c0d1599f14b68554f5c07f0c12c86981e0eef4be06940be fb2a62eecd3f1a04e0633f43d472229ef3994de0a212da08d21c9fea8577016e Coverage Product Protection Secure Endpoint Cloudlock N/A CWS Email Security Network Security N/A Stealthwatch N/A Stealthwatch Cloud N/A Secure Malware Analytics Umbrella N/A WSA N/A Screenshots of Detection Secure Endpoint Secure Malware Analytics MITRE ATT&CK
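The IOC tables above mix literal values with placeholders: %APPDATA%-style prefixes that expand differently on every host, <random, matching PATTERN> entries that describe how a family generates names (the Kuluoz dropper's %LOCALAPPDATA%\<random, matching '[a-z]{8}'>.exe, the Shiz mutex internal_wutex_0x<random, matching [0-9a-f]{8}>, the XtremeRAT <random, matching [a-zA-Z0-9]{5,9}>PERSIST mutex), and network indicators defanged with [.] and labelled "Does not indicate maliciousness" (icanhazip[.]com and ipecho[.]net are public IP-echo services, so they belong in triage, not a blocklist). The following is an added example, not Talos code and not part of the roundup, showing how to turn such rows into anchored regexes and run a host inventory past them. It assumes Windows installed on C: with profiles under C:\Users; the IOC strings are copied from the tables above, and the artifacts it scans are constructed for the example, not real telemetry.

```python
"""Match host artifacts against IOCs written in Talos roundup notation."""
import ipaddress
import re

# Placeholders the roundup uses for environment-dependent prefixes, mapped to
# regexes for the directories they expand to. Assumed layout (not from the
# roundup): Windows on C:, user profiles under C:\Users.
ENV_TOKENS = {
    "%APPDATA%": r"C:\\Users\\[^\\]+\\AppData\\Roaming",
    "%LOCALAPPDATA%": r"C:\\Users\\[^\\]+\\AppData\\Local",
    "%TEMP%": r"C:\\Users\\[^\\]+\\AppData\\Local\\Temp",
    "%SystemRoot%": r"C:\\Windows",
    "%System32%": r"C:\\Windows\\System32",
}
HIVES = {"<HKCU>": "HKEY_CURRENT_USER", "<HKLM>": "HKEY_LOCAL_MACHINE",
         "<HKCR>": "HKEY_CLASSES_ROOT"}
_GUID = r"\{?[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}\}?"
# One token per match: env placeholder, "<random, matching PATTERN>" (the
# roundup sometimes quotes PATTERN), "<random guid>", hive, or literal text.
_TOKEN = re.compile(
    r"(?P<env>%[A-Za-z0-9]+%)"
    r"|<random, matching '?(?P<pat>[^'>]+)'?>"
    r"|(?P<guid><random guid>)"
    r"|(?P<hive><HK[A-Z]{2}>)"
    r"|(?P<lit>[^%<]+|[%<])"
)


def compile_ioc(ioc):
    """Turn one IOC line into an anchored regex. Literal text gets scoped
    (?i:...) groups, as Windows paths and keys are case-insensitive; the
    pattern Talos recorded for a random component stays case-sensitive,
    since it describes how the malware built the name."""
    parts = []
    for m in _TOKEN.finditer(ioc):
        if m.group("env"):
            if m.group("env") not in ENV_TOKENS:
                raise ValueError(f"unknown placeholder in IOC: {ioc!r}")
            parts.append(f"(?i:{ENV_TOKENS[m.group('env')]})")
        elif m.group("pat"):
            parts.append(f"(?:{m.group('pat')})")
        elif m.group("guid"):
            parts.append(_GUID)
        elif m.group("hive"):
            parts.append(f"(?i:{HIVES.get(m.group('hive'), m.group('hive'))})")
        else:
            parts.append(f"(?i:{re.escape(m.group('lit'))})")
    return re.compile("".join(parts))


# IOC rows copied verbatim from the roundup tables; kind is file/mutex/registry.
IOCS = [
    ("file", r"%APPDATA%\<random, matching '[a-z0-9]{3,7}'>"),
    ("file", r"%System32%\Tasks\Ryddmbivo"),
    ("file", r"%LOCALAPPDATA%\<random, matching '[a-z]{8}'>.exe"),
    ("file", r"%TEMP%\<random, matching [A-F0-9]{1,4}>.tmp"),
    ("mutex", r"internal_wutex_0x<random, matching [0-9a-f]{8}>"),
    ("mutex", r"<random, matching [a-zA-Z0-9]{5,9}>PERSIST"),
    ("mutex", r"Global\<random guid>"),
    ("registry", r"<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: internat.exe"),
]

# Constructed host inventory (not real telemetry); registry values are
# rendered "KEY Value Name: NAME" so they line up with the roundup's rows.
ARTIFACTS = [
    ("file", r"C:\Users\alice\AppData\Roaming\q7e9"),
    ("file", r"C:\Users\alice\AppData\Roaming\Adobe"),  # benign: uppercase A
    ("file", r"C:\Windows\System32\Tasks\Ryddmbivo"),
    ("file", r"C:\Users\bob\AppData\Local\mjvqwxrt.exe"),
    ("file", r"C:\Users\bob\AppData\Local\Temp\F1A0.tmp"),
    ("mutex", "internal_wutex_0x000004b4"),
    ("mutex", "Q6gWX0PERSIST"),
    ("mutex", r"Global\{c1f8a2e4-7b3d-4f0e-9a61-2d5e8b7c0f13}"),
    ("registry", r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Value Name: internat.exe"),
    ("registry", r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Value Name: OneDrive"),
]


def scan(artifacts, iocs=IOCS):
    """Return (kind, artifact, ioc) for every artifact that fully matches an IOC."""
    compiled = [(kind, ioc, compile_ioc(ioc)) for kind, ioc in iocs]
    return [(kind, value, ioc)
            for kind, value in artifacts
            for ikind, ioc, rx in compiled
            if kind == ikind and rx.fullmatch(value)]


def refang(indicator):
    """Undo the roundup's defanging ([.] for .) and classify as ip or domain."""
    clean = indicator.replace("[.]", ".")
    try:
        ipaddress.ip_address(clean)
        return clean, "ip"
    except ValueError:
        return clean, "domain"


if __name__ == "__main__":
    for hit in scan(ARTIFACTS):
        print(hit)
    print(refang("obyavlenie[.]lisx[.]ru"), refang("104[.]18[.]115[.]97"))
```

Two design points matter in practice. Keeping the recorded random-name pattern case-sensitive is what stops %APPDATA%\<random, matching '[a-z0-9]{3,7}'> from firing on every short vendor folder such as Adobe; even so, a pattern that loose is a triage signal, not a verdict, and should only be escalated alongside a stronger indicator from the same family, such as the Ryddmbivo scheduled task or the CLSID ShellFolder keys listed with it. Likewise, refanged addresses from the "Does not indicate maliciousness" sections belong in a watchlist or a retrospective search of proxy and DNS logs, with the exact SHA256 hashes reserved for blocking.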

  • Defend your organization from ransomware attacks with Cisco Secure Endpoint
    by Nirav Shah (Security - Cisco Blogs) on September 28, 2022 at 12:00 pm

    Learn how Cisco Secure Endpoint defends your organization from ransomware attacks.

  • Cyber Insurance and the Attribution Conundrum
    by Martin Lee (Security - Cisco Blogs) on September 27, 2022 at 12:00 pm

    Claiming on cyber insurance policies is soon to depend on attack attribution. What does this mean for CISOs and insurers?