CVSS3 base score: 9.8 (High)
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Welcome to this week's edition of the Threat Source newsletter.
We've written a ton about Cisco Talos' support of Ukraine and our friends and allies there. Now, we encourage you to watch and listen to the folks who have been working hands-on there.
The latest episode of ThreatWise TV from Hazel Burton is the closest look yet at the team Talos assembled in the days after Russia invaded Ukraine to help defend critical infrastructure, intelligence partners and government agencies in Ukraine. You can watch the full documentary on YouTube.
We have new research out on a never-before-seen threat actor called YoroTrooper that's carrying out a variety of espionage activity in Europe and Asia. This group has targeted several high-profile government organizations, including one in the European Union, stealing sensitive information such as login credentials, browser histories and cookies, system information and screenshots.
While YoroTrooper uses malware associated with other threat actors, such as PoetRAT and LodaRAT, we believe this is a new cluster of activity from an entirely new threat actor. YoroTrooper is clearly going after major targets and has already been successful, so everyone should be on the lookout for these attacks, but especially users and organizations in Commonwealth of Independent States (CIS) countries.
YoroTrooper creates malicious domains and spoofs commonly visited URLs that look like they belong to government agencies in the targeted countries to host its malware. So any time you go to open an email attachment or click on a link in an email, triple check to make sure it's really where you want to go, or that you can verify the sender. Additionally, the blog outlines a range of protections in Cisco Secure products that can defend and detect this group's actions.
The ALPHV ransomware cartel claims to have stolen data belonging to Amazon's Ring smart home company. The ransomware gang's dark web site threatened to leak the data earlier this week, though it showed no evidence of a successful attack. Ring said on Tuesday that it had "no indications that Ring has experienced a ransomware event." ALPHV, which is known for the BlackCat malware, usually encrypts targets' data and threatens to leak the stolen information if the victim does not pay the requested ransom. Politico also reported this week that Ring will openly share recorded footage with local law enforcement, even if the camera's user declines to do so, sparking questions about who owns security footage on private property and whether users are compelled to share those recordings. (Vice, TechCrunch, Politico)
Sensitive information from D.C. Health Link – the online health insurance marketplace for Washington, D.C. – is reportedly for sale on the dark web, potentially affecting White House staff and members of Congress. An internal memo last week warned of a "significant data breach" that potentially exposed the personal information of thousands of federal employees and warned potential victims that their data may have been compromised. As many as 21 members from the U.S. House and Senate could be affected, all of whom get their insurance through the program. In all, 56,415 customers were affected, according to the exchange. (CBS News, Roll Call)
Microsoft released its monthly security update Tuesday, disclosing 83 vulnerabilities across the company's hardware and software line, including two issues that are actively being exploited in the wild, continuing a trend of zero-days appearing in Patch Tuesdays over the past few months. Of the two vulnerabilities Microsoft says have been exploited in the wild, one is rated critical. One of the zero-days included this month, CVE-2023-23397, is a privilege escalation vulnerability in Microsoft Outlook that could force a targeted device to connect to a remote URL and transmit the Windows account's Net-NTLMv2 hash to an adversary. A user doesn't even need to open or preview the email to trigger this vulnerability; it fires as soon as the email is retrieved by the targeted email client. (Cisco Talos, SecurityWeek)
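One defensive check that follows from the Outlook item above, as an added example that is neither Talos's nor Microsoft's code: scanning egress-connection logs for internal workstations opening SMB sessions to addresses outside the organization's own ranges, which is the path a forced Net-NTLMv2 authentication to an attacker-controlled host would take. The log line format, the INTERNAL_NETS list and the sample lines are constructed assumptions for the example.

```python
import ipaddress
from collections import Counter

# Assumption: the organization's own address space; anything else is "external".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# SMB ports an NTLM authentication to a remote share would use.
SMB_PORTS = {445, 139}

# Constructed sample of outbound-connection log lines (not from the newsletter):
# "<timestamp> src=<ip> dst=<ip> dport=<port> proto=<tcp|udp>"
SAMPLE_LOG = """\
2023-03-15T09:12:01Z src=10.20.5.17 dst=10.20.1.4 dport=445 proto=tcp
2023-03-15T09:12:09Z src=10.20.5.17 dst=203.0.113.45 dport=445 proto=tcp
2023-03-15T09:12:10Z src=10.20.5.17 dst=203.0.113.45 dport=445 proto=tcp
garbage line here
2023-03-15T09:13:44Z src=10.20.5.23 dst=198.51.100.9 dport=443 proto=tcp
2023-03-15T09:15:02Z src=10.20.5.31 dst=192.0.2.77 dport=139 proto=tcp
"""

def parse_line(line):
    """Turn one 'key=value' log line into a dict; return None for malformed lines."""
    parts = line.split()
    if len(parts) < 5:
        return None
    rec = {"ts": parts[0]}
    for field in parts[1:]:
        if "=" not in field:
            return None
        key, value = field.split("=", 1)
        rec[key] = value
    try:
        rec["dport"] = int(rec["dport"])
        rec["src"] = ipaddress.ip_address(rec["src"])
        rec["dst"] = ipaddress.ip_address(rec["dst"])
    except (KeyError, ValueError):
        return None
    return rec

def is_internal(addr):
    """True when the address falls inside one of the organization's own ranges."""
    return any(addr in net for net in INTERNAL_NETS)

def flag_outbound_smb(log_text):
    """Return records where an internal host opened SMB to an external address."""
    flagged = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines instead of crashing the scan
        if rec["dport"] in SMB_PORTS and is_internal(rec["src"]) and not is_internal(rec["dst"]):
            flagged.append(rec)
    return flagged

def hosts_by_hits(flagged):
    """Count flagged connections per source host to spot repeat offenders."""
    return Counter(str(r["src"]) for r in flagged)
```

Blocking outbound TCP 445 at the perimeter, which Microsoft recommended as a mitigation for this bug, turns these hits into denied connections that are still worth alerting on.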
WiCyS (March 16 - 18)
Denver, CO
RSA (April 24 - 27)
San Francisco, CA