Threat Source newsletter (Aug. 25, 2022) — Why aren't Lockdown modes the default setting on phones?

By Jon Munshaw. 

Welcome to this week’s edition of the Threat Source newsletter. 

Russia’s invasion of Ukraine was once the most talked about story in the world. Six months into the conflict, modern attention spans have moved on to other news stories. But Ukraine Independence Day yesterday should serve as a reminder to everyone that the threats to Ukraine have not gone anywhere. 

The country still faces a physical conflict with Russia every day that seemingly has no easy end, and the barrage of cyber attacks is suspected to continue.  

As discussed in our livestream yesterday, Talos continues to see evolving cybersecurity threats in the region, including the most recent GoMet backdoor. And as Joe Marshall highlighted in his blog post last week, Ukraine’s agriculture industry, which is vital to the global food supply chain, remains vulnerable to kinetic and virtual attacks. Because there has been no single major cyber attack against Ukraine since Russia’s invasion began, the larger public perception is that things haven’t been “that bad.” But state-sponsored actors, including the infamous Fancy Bear and Sandworm groups, have continually barraged Ukrainian government entities and critical infrastructure with a range of attacks.  

Ukraine’s state nuclear power company also said last week that state-sponsored actors launched a three-hour attack on its websites. 

A three-hour distributed denial-of-service attack isn’t going to headline the nightly news, but that doesn’t mean such attacks aren’t happening or that they aren’t making it harder for the Ukrainian government and critical infrastructure to operate. There are people who, six months into this, are still having to fend off cyber threats daily, sometimes just to keep the internet on or to make sure that week’s grain shipment goes out on time. 

While headlines come and go, it’s important to remember that some things are always going on in the background that matter more than the newer headlines distracting us, such as the newest trojan someone found on the Android store.  

The one big thing 

All Apple users should update their devices if they haven’t already. The company released updates for iOS, iPadOS and macOS last week, warning of two vulnerabilities that could have been exploited in the wild. CVE-2022-32894 is an out-of-bounds write issue in the operating systems’ kernel that an adversary could exploit to execute arbitrary code with kernel privileges and take control over the system. CVE-2022-32893 is an out-of-bounds write issue in WebKit that can also lead to arbitrary code execution. 

Why do I care? 

While Apple did not disclose any details of attacks potentially exploiting these issues, it did say it was aware of a report that the issues “may have been actively exploited.” Apple says the vulnerabilities exist in iPhone 6s and later, all models of the iPad Pro, the iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later and iPod touch 7th generation. Any users of these devices should patch as soon as possible. 

So now what? 

Patch, patch and patch again if you’re using any Apple devices. 


Top security headlines from the week

The LockBit ransomware’s website was hit with a large distributed denial-of-service attack after the group threatened to leak documents belonging to a cybersecurity firm. At one point, the site displayed a warning that the ransomware gang plans to upload the targeted company’s stolen data to peer-to-peer networks. Talos’ own Azim Shukuhi first tweeted that a LockBit member told him the site's servers were receiving “400 requests a second from over 1,000 servers” in a possible “hack back” attack. DDoS attacks aim to disrupt a site’s operations by flooding it with traffic and messages, forcing it to essentially shut down for a period of time. (The Register, TechCrunch)

Former Twitter Head of Security Peiter "Mudge" Zatko filed a complaint with the U.S. Securities and Exchange Commission alleging that Twitter is not doing enough to crack down on bot and spam accounts. Mudge is known for being involved with the “Cult of the Dead Cow” hacking group, one of the first groups of its kind in history. The testimony to the SEC also stated that too many Twitter employees have access to critical user data and that the company was not actually deleting user data when asked to. The number of bot accounts on the social media site is central to Elon Musk’s failed bid to buy the company. (CNN, The Verge)

The FBI is warning that threat actors are increasingly hijacking home IP addresses to disguise credential-stuffing attacks. An investigation by the FBI and its Australian counterparts uncovered two sites offering more than 300,000 unique credentials for sale, warning they could be used in attacks against private companies. The actors are setting up proxies to disguise the flood of login attempts, and by using residential IP addresses, they can avoid the usual detection techniques. (Cybersecurity Dive, FBI)

Most prevalent malware files from Talos telemetry over the past week  

