As you've probably seen by now, Talos released our 2023 Year in Review report last week. It's an extremely comprehensive look at the top threats, attacker trends and malware families from the past year with never-before-seen Cisco Talos telemetry.
We have podcasts, long-form videos and even Reddit AMAs to keep you covered and make it easy to digest our major takeaways from the report. Or, just kick back with a cup of coffee and read the full report – your choice!
With this being the last Threat Source newsletter of the calendar year, I figured I'd do a Year in Review of my own. I don't have the data or first-hand research to back any of these statements up; this is purely vibes-based, or things I've discovered about myself and my cybersecurity habits over the past year. So while you may not be able to deploy any of these things on your firewall, I hope they serve as good advice to anyone thinking about the security landscape heading into the new year.
Cisco Talos recently discovered a new campaign conducted by the Lazarus Group we're calling "Operation Blacksmith," employing at least three new DLang-based malware families, two of which are remote access trojans (RATs), where one of these uses Telegram bots and channels as a medium of command and control (C2) communications. Our latest findings indicate a definitive shift in the tactics of the infamous North Korean state-sponsored actor.
This particular activity can be attributed to Andariel, a spinoff of the Lazarus Group. They're actively exploiting the Log4shell vulnerability in Log4j, which is virtually everywhere. The hope is that most people have patched since the ubiquitous vulnerability was discovered in late 2021, but telemetry indicates there are many vulnerable instances still out there. Once infected, Andariel looks to install other malware loaders on the targeted machines and executes remote code that allows them to learn about the details of the system.
Talos' blog outlines the numerous ways Cisco Secure products have protections in place to defend against Operation Blacksmith and other activities from Lazarus Group.
Hundreds of Windows and Linux devices from a range of manufacturers are vulnerable to a newly discovered attack called "LogoFAIL." The attack involves an adversary executing malicious firmware during the machines' boot-up sequences, which means it's difficult for traditional detection methods to block, or for users to even notice that it's happening. The researchers who discovered this exploit wrote in their full paper that, once the attacker uses LogoFAIL to execute remote code during the Driver Execution Environment phase, it's "game over for platform security." Although there is no indication this type of attack has been used in the wild, it is being tracked through several CVEs. Potentially affected users should update to the latest version of UEFI by updating their firmware, including new patches from AMI, Intel, Insyde, Phoenix and Lenovo. Users can also lock down their machine's EFI System Partition (ESP) so adversaries can't access it, which is necessary to carry out LogoFAIL. (ArsTechnica, ZDNet)
The U.K. has publicly accused Russia's intelligence agency, the FSB, of a yearslong cyber espionage campaign targeting British government officials and other high-profile public citizens. The U.K. Foreign Office said the FSB conducted "sustained unsuccessful attempts to interfere in U.K. political processes" over several years, including stealing information relating to the country's national elections in 2019. The alleged campaigns involved trying to breach emails belonging to politicians, journalists, activists and academics, and fake social media profiles set up to impersonate the targets' contacts. One MP in the British parliament said their emails had been stolen. Several individuals belonging to a group known as Star Blizzard have been sanctioned for their connections to these activities. (BBC, Politico)
**Several major hardware and software vendors released their last patches of the calendar year this week.** Microsoft disclosed four critical vulnerabilities as part of its regular Patch Tuesday, three of which could lead to remote code execution. However, the total number of vulnerabilities included in December's Patch Tuesday, 33, was the lowest in a single month since December 2019. Meanwhile, on Monday, Apple released patches for its major pieces of hardware, disclosing security issues in iPhones, Macs and more. One of the vulnerabilities in macOS, CVE-2023-42914, is a kernel issue with the potential to allow apps to break out of their sandboxes. Additionally, the U.S. Cybersecurity and Infrastructure Security Agency released an advisory that attackers are actively exploiting a vulnerability in Adobe ColdFusion, which potentially poses a threat to government agencies. CVE-2023-26360 is an improper access control issue that could lead to arbitrary code execution. (Dark Reading, Talos, Security Boulevard)
**NIS2 Directive: Why Organizations Must Act Now to Ensure Compliance and Security** (Jan. 11, 2024, 10 a.m. GMT)
Virtual
> _The NIS2 Directive is a crucial step toward securing Europe's critical infrastructure and essential services in an increasingly interconnected world. Organizations must act now to prepare for the new requirements, safeguard their operations, and maintain a robust cybersecurity posture. Gergana Karadzhova-Dangela from Cisco Talos Incident Response and other Cisco experts will talk about how organizations can best prepare for the coming regulations._