Lucene search

talosblogJonathan MunshawTALOSBLOG:340C6278FFC694179634A24F686CBFDF
HistoryOct 27, 2022 - 6:00 p.m.

Threat Source newsletter (Oct. 27, 2022): I thought we were already aware of supply chain attacks?

Jonathan Munshaw
supply chain attacks
cybersecurity awareness.





Threat Source newsletter Oct. 27, 2022: I thought we were already aware of supply chain attacks?

Welcome to this week's edition of the Threat Source newsletter.

There are plenty of jokes about whether we're "aware" of cybersecurity during National Cybersecurity Awareness Month. But now I'm wondering if people are aware of supply chain attacks.

I thought we hit the pinnacle of supply chain attacks in 2020 with the SolarWinds attack, when these types of attacks dominated headlines and defenders started shouting from the mountaintops about how important it is to be ready for supply chain attacks.

And then Kaseya came along a few months later when attackers found a different way to deploy malicious updates that were disguised as legitimate patches.

And still today, we're warning about the dangers of how prevalent supply chain attacks are and how everyone needs to be ready for this attacker technique. This leaves me wondering if Kaseya and SolarWinds weren't the breaking point – what is?

It seems like no matter how many times we see major ransomware attacks, even coming to the point of making it impossible for people to get gas, attackers are back again with another ransomware attack a few weeks later.

We still have several hurdles to overcome to fix the supply chain attack problem, as Jaeson Schultz from our Outreach team outlined in this recent post. But it's clear that these attacks aren't going anywhere, and neither are defenders' warnings.

As I wrote at the start of October, it can be easy to poke fun at Cybersecurity Awareness Month because it's impossible to define what it even means to be "aware" of cybersecurity. Clearly, there's still awareness to spread, though, and we keep needing to spread it in regard to supply chain attacks, ransomware and pretty much every other type of cyber attack.

The one big thing

For the first time since collecting such data, Cisco Talos Incident Response saw an equal number of ransomware and pre-ransomware engagements, making up nearly 40 percent of threats in the third quarter of 2022. It can be difficult to determine what constitutes a pre-ransomware attack if ransomware never executes and encryption does not take place. However, Talos IR assesses that the combination of Cobalt Strike and credential-harvesting tools like Mimikatz, paired with enumeration and discovery techniques, indicates a high likelihood that ransomware is the final objective.

Why do I care?

This data represents what Talos IR is actively seeing in the wild over the past few months and is likely representative of the broader threat landscape.

So now what?

A lack of MFA remains one of the biggest impediments to enterprise security. Nearly 18 percent of engagements either had no MFA or only had it enabled on a handful of accounts and critical services. Talos IR frequently observes ransomware and phishing incidents that could have been prevented if MFA had been properly enabled on critical services, such as endpoint detection and response (EDR) solutions. Talos IR recommends disabling VPN access for all accounts that are not using two-factor authentication.

Top security headlines of the week

The Biden administration is preparing to release updated guidelines and warnings around election security with a few days left before the midterm elections. A bulletin reportedly being drafted includes information on threats from Russia, China and other state-sponsored actors. Election workers and local officials are also having to deal with physical threats to polling workers and locations, all while the number of volunteers is dwindling. Earlier this month, the U.S. Cybersecurity and Infrastructure Security Agency released a PSA stating that malicious cyber activity is "unlikely to disrupt or prevent voting." (Politico, Axios, Voice of America)

Apple released security updates for its iOS and iPadOS operating systems this week, including fixes for a vulnerability that "may have been actively exploited." There are 20 vulnerabilities fixed in these updates in all. CVE-2022-42827 is the most notable vulnerability, which could allow an attacker to execute code with Kernel privileges via an attacker-controlled app. This is the third Kernel-related out-of-bounds memory vulnerability that Apple has patched in each of its previous security updates: CVE-2022-32894 and CVE-2022-32917. CVE-2022-32917 was known to be used in attacks in the wild. (Forbes, The Hacker News)

Two vulnerabilities in Microsoft's Mark of the Web (MoTW) security feature could allow an attacker to send JavaScript files that could bypass security blocks in place. Attackers are reportedly actively exploiting both issues, though Microsoft has yet to issue any formal fixes for the vulnerabilities, and there are no workarounds available. Mark of the Web protects users against files from untrusted sources, but the two vulnerabilities could allow the attackers to construct the files in a way that they are not appropriately marked by Windows. Attackers commonly use .js files as attachments or downloads that can run outside a web browser. (Dark Reading, Bleeping Computer)

Can't get enough Talos?

Upcoming events where you can find Talos

Click or Treat? How not to fall for a phishing attack this Halloween (Oct. 31)

BSides Lisbon (Nov. 10 - 11)
Cidade Universitaria, Lisboa, Portugal

Most prevalent malware files from Talos telemetry over the past week

SHA 256: e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c **MD5: **a087b2e6ec57b08c0d0750c60f96a74c **Typical Filename:**AAct.exe **Claimed Product:**N/A Detection Name: PUA.Win.Tool.Kmsauto::1201

SHA 256: e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934 **MD5:**93fefc3e88ffb78abb36365fa5cf857c **Typical Filename:**Wextract **Claimed Product:**Internet Explorer Detection Name:

SHA 256: c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0 **MD5:**8c69830a50fb85d8a794fa46643493b2 **Typical Filename:**AAct.exe **Claimed Product:**N/A Detection Name: PUA.Win.Dropper.Generic::1201

SHA 256: 58d6fec4ba24c32d38c9a0c7c39df3cb0e91f500b323e841121d703c7b718681 **MD5:**f1fe671bcefd4630e5ed8b87c9283534 **Typical Filename:**KMSAuto Net.exe **Claimed Product:**KMSAuto Net Detection Name: PUA.Win.Tool.Hackkms::1201

SHA 256: 125e12c8045689bb2a5dcad6fa2644847156dec8b533ee8a3653b432f8fd5645 **MD5:**2c8ea737a232fd03ab80db672d50a17a **Typical Filename:**LwssPlayer.scr **Claimed Product: **梦想之巅幻灯播放器 Detection Name: Auto.125E12.241442.in02