
Threat Source newsletter (March 16, 2023) — A deep dive into Talos' work in Ukraine

2023-03-16 18:00:15
Jonathan Munshaw
blog.talosintelligence.com

CVSS3: 9.8 High

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (Attack Vector: Network; Attack Complexity: Low; Privileges Required: None; User Interaction: None; Scope: Unchanged; Confidentiality Impact: High; Integrity Impact: High; Availability Impact: High)

Welcome to this week's edition of the Threat Source newsletter.

We've written a ton about Cisco Talos' support of Ukraine and our friends and allies there. Now, we encourage you to watch and listen to the folks who have been working hands-on there.

The latest episode of ThreatWise TV from Hazel Burton is the closest look yet at the team Talos assembled in the days after Russia invaded Ukraine to help defend critical infrastructure, intelligence partners and government agencies in Ukraine. You can watch the full documentary above, or over on YouTube here.

The one big thing

We have new research out on a never-before-seen threat actor called YoroTrooper that's carrying out a variety of espionage activity in Europe and Asia. This group has targeted several high-profile government organizations, including one in the European Union, stealing sensitive information such as login credentials, browser histories and cookies, system information and screenshots.

Why do I care?

While YoroTrooper uses malware associated with other threat actors, such as PoetRAT and LodaRAT, we believe this is a new cluster of activity from an entirely new threat actor. YoroTrooper is clearly going after major targets and has already been successful, so everyone should be on the lookout for these attacks, but especially users and organizations in Commonwealth of Independent States (CIS) countries.

So now what?

YoroTrooper creates malicious domains and spoofs commonly visited URLs that look like they belong to government agencies in the targeted countries to host its malware. So any time you go to open an email attachment or click on a link in an email, triple check to make sure it's really where you want to go, or that you can verify the sender. Additionally, the blog outlines a range of protections in Cisco Secure products that can defend and detect this group's actions.

Top security headlines of the week

The ALPHV ransomware cartel claims to have successfully stolen data belonging to Amazon's Ring smart home company. The ransomware gang's dark web site threatened to leak the data earlier this week, though it showed no evidence of a successful attack. Ring said on Tuesday that it had "no indications that Ring has experienced a ransomware event." ALPHV, which is known for the BlackCat malware, usually encrypts targets' data and threatens to leak the stolen information if the victim does not pay the requested ransom. Politico also reported this week that Ring will openly share recorded footage with local law enforcement, even if the camera's user declines to do so, sparking questions about who owns security footage on private property and whether users are compelled to share those recordings. (Vice, TechCrunch, Politico)

Sensitive information from D.C. Health Link – the online health insurance marketplace for Washington, D.C. – is reportedly for sale on the dark web, potentially affecting White House staff and members of Congress. An internal memo last week warned of a "significant data breach" that potentially exposed the personal information of thousands of federal employees and told potential victims that their data may have been compromised. As many as 21 members of the U.S. House and Senate could be affected, all of whom get their insurance through the program. In all, 56,415 customers were affected, according to the exchange. (CBS News, Roll Call)

Microsoft released its monthly security update Tuesday, disclosing 83 vulnerabilities across the company's hardware and software line, including two issues that are actively being exploited in the wild, continuing a trend of zero-days appearing in Patch Tuesdays over the past few months. One of the two exploited vulnerabilities is rated critical. One of the zero-days included this month, CVE-2023-23397, is a privilege escalation vulnerability in Microsoft Outlook that could force a targeted device to connect to a remote URL and transmit the Windows account's Net-NTLMv2 hash to an adversary. To trigger this vulnerability, a user doesn't even need to open or preview the email; it is triggered as soon as the email is retrieved by the targeted email server. (Cisco Talos, SecurityWeek)
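The Outlook bug above ends in a client opening an outbound SMB or NetBIOS session to an attacker-controlled host, so from the network side the thing worth watching is internal workstations talking to external addresses on TCP 445 (and the NetBIOS ports 137 and 139). The script below is an added example, not code from the newsletter or from Talos: it parses a few constructed firewall log lines and flags exactly that pattern. The `key=value` log format, the sample addresses and the `INTERNAL_NETS` list are assumptions for the example; a real deployment would substitute its own log schema and address ranges.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample firewall log lines (not from the page or Talos telemetry).
# Host 10.20.4.17 reaches an outside address on 445 and 137, which is the
# pattern an Outlook-triggered Net-NTLMv2 leak would leave behind.
SAMPLE_LOG = """\
2023-03-14T09:12:01Z src=10.20.4.17 dst=203.0.113.45 proto=tcp dport=445 action=allow
2023-03-14T09:12:03Z src=10.20.4.17 dst=10.20.1.5 proto=tcp dport=445 action=allow
2023-03-14T09:13:10Z src=10.20.4.22 dst=198.51.100.9 proto=tcp dport=443 action=allow
2023-03-14T09:14:44Z src=10.20.4.17 dst=203.0.113.45 proto=udp dport=137 action=allow
2023-03-14T09:15:02Z src=10.20.4.30 dst=192.0.2.77 proto=tcp dport=445 action=deny
"""

# Assumed "internal" address space: RFC 1918 plus loopback and link-local.
# Listed explicitly rather than via ipaddress.is_private, because Python treats
# the RFC 5737 documentation ranges used in the sample (203.0.113.0/24 etc.)
# as private too, which would hide the very sessions we want to see.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]

FIELD_RE = re.compile(r"(\w+)=(\S+)")


@dataclass(frozen=True)
class Alert:
    timestamp: str
    src: str
    dst: str
    proto: str
    dport: int
    action: str


def parse_line(line: str) -> dict:
    """Split one 'timestamp key=value ...' line into a dict; the timestamp goes under 'ts'."""
    timestamp, _, rest = line.partition(" ")
    fields = dict(FIELD_RE.findall(rest))
    fields["ts"] = timestamp
    return fields


def is_external(ip_text: str) -> bool:
    """True when the address lies outside every range in INTERNAL_NETS."""
    ip = ipaddress.ip_address(ip_text)
    return not any(ip in net for net in INTERNAL_NETS)


def find_outbound_smb(log_text: str, ports=(445,), include_denied=False) -> list[Alert]:
    """Return one Alert per line whose destination is external and whose port is in `ports`.

    Denied connections are skipped by default; pass include_denied=True to see
    attempts the firewall already blocked (useful to find the affected mailbox).
    """
    alerts = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        f = parse_line(raw)
        try:
            dport = int(f["dport"])
            dst = f["dst"]
        except (KeyError, ValueError):
            continue  # malformed line: no port or destination to judge
        if dport not in ports or not is_external(dst):
            continue
        if f.get("action") == "deny" and not include_denied:
            continue
        alerts.append(Alert(f["ts"], f["src"], dst, f.get("proto", ""), dport, f.get("action", "")))
    return alerts


if __name__ == "__main__":
    for a in find_outbound_smb(SAMPLE_LOG, ports=(137, 139, 445), include_denied=True):
        print(f"{a.timestamp} {a.src} -> {a.dst}:{a.dport}/{a.proto} ({a.action})")
```

Run against the sample, the default call reports only the allowed 445 session from 10.20.4.17 to 203.0.113.45; widening `ports` to the NetBIOS ports adds the UDP 137 line, and `include_denied=True` adds the blocked attempt from 10.20.4.30. Either way the source host is the one whose mailbox deserves a look.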

Can't get enough Talos?

Upcoming events where you can find Talos

WiCyS (March 16 - 18)

Denver, CO

RSA (April 24 - 27)

San Francisco, CA

Most prevalent malware files from Talos telemetry over the past week

**SHA 256:** 00ab15b194cc1fc8e48e849ca9717c0700ef7ce2265511276f7015d7037d8725 **MD5:** d47fa115154927113b05bd3c8a308201 **Typical Filename:** mssqlsrv.exe **Claimed Product:** N/A **Detection Name:** Trojan.GenericKD.65065311

**SHA 256:** e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934 **MD5:** 93fefc3e88ffb78abb36365fa5cf857c **Typical Filename:** Wextract **Claimed Product:** Internet Explorer **Detection Name:** PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg

**SHA 256:** 5616b94f1a40b49096e2f8f78d646891b45c649473a5b67b8beddac46ad398e1 **MD5:** 3e10a74a7613d1cae4b9749d7ec93515 **Typical Filename:** IMG001.exe **Claimed Product:** N/A **Detection Name:** Win.Dropper.Coinminer::1201

**SHA 256:** de3908adc431d1e66656199063acbb83f2b2bfc4d21f02076fe381bb97afc423 **MD5:** 954a5fc664c23a7a97e09850accdfe8e **Typical Filename:** teams15.exe **Claimed Product:** teams15 **Detection Name:** Gen:Variant.MSILHeracles.59885
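The list above is only useful once it is in a form a tool can match file hashes against, and the newsletter's own markup (inconsistent bold markers, a repeated entry) gets in the way of a naive split. The parser below is an added example, not code from the newsletter or from Talos: it reads entries in exactly this "Label: value" layout, validates the hash fields, deduplicates on SHA-256 and exposes a case-insensitive lookup. The input string copies the hashes and names from the list above; the second mssqlsrv.exe line is repeated on purpose so the deduplication has something to do, and the label names are the only assumption about the format.

```python
import re

# Entries copied from the newsletter's "Most prevalent malware files" list,
# bold markup and all. The mssqlsrv.exe entry appears twice deliberately.
NEWSLETTER_IOCS = """\
SHA 256: 00ab15b194cc1fc8e48e849ca9717c0700ef7ce2265511276f7015d7037d8725 **MD5:**d47fa115154927113b05bd3c8a308201 **Typical Filename:**mssqlsrv.exe **Claimed Product: **N/A Detection Name: Trojan.GenericKD.65065311
SHA 256: e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934 **MD5:**93fefc3e88ffb78abb36365fa5cf857c **Typical Filename:**Wextract **Claimed Product:**Internet Explorer Detection Name: PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg
SHA 256: 00ab15b194cc1fc8e48e849ca9717c0700ef7ce2265511276f7015d7037d8725 **MD5:**d47fa115154927113b05bd3c8a308201 **Typical Filename:**mssqlsrv.exe **Claimed Product:**N/A **Detection Name: **Trojan.GenericKD.65065311
SHA 256: 5616b94f1a40b49096e2f8f78d646891b45c649473a5b67b8beddac46ad398e1 **MD5:**3e10a74a7613d1cae4b9749d7ec93515 **Typical Filename:**IMG001.exe **Claimed Product:**N/A Detection Name: Win.Dropper.Coinminer::1201
SHA 256: de3908adc431d1e66656199063acbb83f2b2bfc4d21f02076fe381bb97afc423 **MD5:**954a5fc664c23a7a97e09850accdfe8e **Typical Filename:**teams15.exe **Claimed Product:**teams15 **Detection Name: **Gen:Variant.MSILHeracles.59885
"""

# Assumed field labels, taken from the list itself.
LABELS = ("SHA 256", "MD5", "Typical Filename", "Claimed Product", "Detection Name")
LABEL_RE = re.compile(r"(" + "|".join(re.escape(l) for l in LABELS) + r")\s*:\s*")
HEX_RE = re.compile(r"^[0-9a-f]+$")


def parse_entry(line: str) -> dict:
    """Turn one 'Label: value Label: value ...' line into a dict keyed by label."""
    parts = LABEL_RE.split(line.replace("**", ""))
    # re.split with one capture group yields [prefix, label, value, label, value, ...]
    pairs = iter(parts[1:])
    return {label: value.strip() for label, value in zip(pairs, pairs)}


def validate_entry(entry: dict) -> dict:
    """Lowercase the hashes and reject anything that is not a well-formed SHA-256 / MD5."""
    sha = entry.get("SHA 256", "").lower()
    md5 = entry.get("MD5", "").lower()
    if len(sha) != 64 or not HEX_RE.match(sha):
        raise ValueError(f"bad SHA-256: {sha!r}")
    if len(md5) != 32 or not HEX_RE.match(md5):
        raise ValueError(f"bad MD5: {md5!r}")
    return {**entry, "SHA 256": sha, "MD5": md5}


def build_index(text: str) -> dict:
    """Index entries by SHA-256, keeping the first record seen for each hash."""
    index = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        entry = validate_entry(parse_entry(line))
        index.setdefault(entry["SHA 256"], entry)
    return index


def lookup(index: dict, digest: str):
    """Match a file's SHA-256 (any case, stray whitespace tolerated); None when not listed."""
    return index.get(digest.strip().lower())


if __name__ == "__main__":
    idx = build_index(NEWSLETTER_IOCS)
    for sha, rec in idx.items():
        print(sha[:16], rec["Typical Filename"], rec["Detection Name"])
```

Keying on SHA-256 rather than MD5 is deliberate: the MD5 column is kept for matching against older tooling, but a collision-resistant digest is the one to trust for an allow/deny decision. Feeding the five lines through `build_index` yields four records, since the repeated mssqlsrv.exe entry collapses onto the same key.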
