7.8 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Welcome to this week's edition of the Threat Source newsletter.
I am back after more than three months away from Talos on parental leave. Having a baby really resets your expectations for "keeping up" with the world. From November through mid-January or so I had no idea what was going on with the outside world, I only cared about my daughter's feeding schedule and tried to squeeze in 30-minute naps where I could.
I've slowly started to re-introduce myself to social media and the news world at large over the past few weeks so my return to work wasn't so abrupt, and I missed quite a bit. There was a stretch there where I was only getting the latest headlines from Weekend Update on "Saturday Night Live."
My teammates Madison Burns and Bill Largent did a fantastic job filling in for me on the newsletter while I was out, but I figured it was worth taking the time to recap some major stories it seemed like I missed since Nov. 1.
Maybe our readers were also distracted during this period, it was the holidays after all and it's easy for stories to slip through the cracks while we all have so much going on. Here are a few major trends and storylines that stood out to me while I caught up on the top security stories of late 2022 and early 2023.
This month's Microsoft Patch Tuesday updates included three zero-day vulnerabilities that the company says are being actively used in attacks in the wild. CVE-2023-23376, CVE-2023-21715 and CVE-2023-21823 have all already been spotted in active attacks, according to Microsoft's monthly patch release. In all, Microsoft disclosed 73 vulnerabilities. Of these vulnerabilities, eight are classified as "critical," 64 are classified as "important" and one vulnerability is classified as "moderate."
The most severe of the issues disclosed Tuesday is CVE-2023-21823, a Windows graphics component remote code execution vulnerability. An attacker could exploit this vulnerability to gain System-level privileges. Outside of that, it's always important to update all Microsoft products anyway after a Patch Tuesday.
Users of any Microsoft products should apply these updates as soon as possible. Additionally, Talos released new Snort rules that detect attempts to exploit some of these vulnerabilities. Cisco Secure Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.
Several Russian nationals are facing new sanctions and have been unmasked as members of the Trickbot and Conti ransomware gangs. The actors are involved in various activities with these groups, ranging from developing ransomware code, to money laundering and managing command and control servers. The U.S. and U.K. governments also made a renewed push to unmask and name many of these actors, removing their anonymity and making it more difficult for them to operate in secrecy. Recent studies have shown that these types of sanctions are working to slow Russian state-sponsored ransomware attacks. (Wired, CPO Magazine)
While much of the headlines recently have centered around the infamous Chinese spy balloon and other unknown objects the U.S. military keeps shooting out of the sky, global government officials are warning that China's cyber attack capabilities are still the most pressing threat. Taiwan's government has already been the target of several high-profile defacement attacks in recent years, and the country recently established an entirely new government bureau to bolster its cyber security capabilities. The FBI's Director is also offering new services and olive branches to private security companies who are looking to combat China's growing surveillance and cyber capabilities. (Bloomberg, Wall Street Journal)
Social media site Reddit says it was the recent target of a "sophisticated and highly targeted phishing attack." The adversaries gained access to "documents, code and some internal business systems," though the company said no usernames or passwords are affected. Attackers duped a Reddit employee into approving a multi-factor authentication push notification, though the employee acted quickly and notified Reddit's security team immediately upon realizing their mistake. (Dark Reading, Reddit)
WiCyS** (March 16 - 18)**
Denver, CO
RSA** (April 24 - 27)**
San Francisco, CA
SHA 256: e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934 **MD5:**93fefc3e88ffb78abb36365fa5cf857c **Typical Filename:**Wextract **Claimed Product:**Internet Explorer Detection Name: PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg
SHA 256: e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c **MD5:**a087b2e6ec57b08c0d0750c60f96a74c **Typical Filename:**AAct.exe **Claimed Product:**N/A Detection Name: PUA.Win.Tool.Kmsauto::1201
SHA 256: 59f1e69b68de4839c65b6e6d39ac7a272e2611ec1ed1bf73a4f455e2ca20eeaa **MD5:**df11b3105df8d7c70e7b501e210e3cc3 **Typical Filename:**DOC001.exe **Claimed Product:**N/A Detection Name: Win.Worm.Coinminer::1201
SHA 256: 36efad0617db0d45de00cc4f3cf49af7c2d6b5b15ca456d13703b5d366c58431 **MD5:**147c7241371d840787f388e202f4fdc1 **Typical Filename:**EKSPLORASI.EXE **Claimed Product:**N/A Detection Name: Win32.Generic.497796
SHA 256: 125e12c8045689bb2a5dcad6fa2644847156dec8b533ee8a3653b432f8fd5645 **MD5:**2c8ea737a232fd03ab80db672d50a17a **Typical Filename:**LwssPlayer.scr **Claimed Product:**梦想之巅幻灯播放器 Detection Name: Auto.125E12.241442.in02