By Jon Munshaw.
The one big thing
Why do I care?
Our researchers discovered a fully functional version of the command and control (C2), written in GoLang with a User Interface in Simplified Chinese, that’s freely available and can generate new implants with custom configurations with ease. This increases the likelihood of wider adoption of this framework by malicious actors. If you’re a defender of any kind, you want to stay up on the latest tools attackers are likely to use. And since Cobalt Strike is already one of the most widely used out there, it’s safe to assume any evolution of it is going to draw some interest.
So now what?
Organizations must be diligent against such easily available tools and frameworks that can be misused by a variety of threat actors. In-depth defense strategies based on a risk analysis approach can deliver the best results in the prevention of this framework. Talos also released Snort rule 60275 and ClamAV signature Win.Trojan.Manjusaka-9956281-1 to detect the use of Manjusaka.
Other news of note
Everything from convenience stores to government websites in Taiwan saw an uptick in cyber attacks this week after U.S. House Speaker Nancy Pelosi visited the country. She was the highest-ranking U.S. official to visit there in more than 20 years. However, many of the attacks appeared to be from low-skilled attackers, and some could even be attributed to a normal uptick in traffic from a busy news day. China could still retaliate for the visit with a cyber attack against Taiwan or the U.S., as the Chinese government has voiced its displeasure over Pelosi’s actions and launched several kinetic warfare exercises. (Reuters, Washington Post)
The U.S. Cybersecurity and Infrastructure Security Agency is warning that attackers are actively exploiting a critical vulnerability in Atlassian Confluence disclosed last week. CISA added CVE-2022-26138, a hardcoded password vulnerability in the Questions for Confluence app, to its list of Known Exploited Vulnerabilities on Friday. Adversaries can exploit this vulnerability to gain total access to data in on-premises Confluence Server and Confluence Data Center platforms. U.S. federal agencies have three weeks to patch the issue under CISA’s new guidance. (Dark Reading, Bleeping Computer)
North Korean state-sponsored actors continue to be active, recently adding a new Gmail attack to their arsenal. The infamous SharpTongue group uses the SHARPEXT malware to target organizations in the U.S., Europe and South Korea that work on nuclear weapons and other topics that North Korea sees as relevant to its national security. SHARPEXT installs a Google Chrome extension that allows the attackers to bypass users’ Gmail multi-factor authentication and passwords, eventually entering the inbox and reading and downloading email and attachments. Other North Korean actors continue to use fake LinkedIn applications to apply for remote jobs, hoping to eventually steal cryptocurrency and fund the country’s weapons program. (Ars Technica, Bloomberg)
Can’t get enough Talos?
- Talos Takes Ep. #106: The top attacker trends from the past quarter
- Beers with Talos Ep. #124: There's no such thing as "I have nothing to hide"
- BlackHat — A poem
- Vulnerability Spotlight: Vulnerabilities in Alyac antivirus program could stop virus scanning, cause code execution
- Vulnerability Spotlight: How misusing properly serialized data opened TCL LinkHub Mesh Wi-Fi system to 17 vulnerabilities
- Researcher Spotlight: You should have been listening to Lurene Grenier years ago
- Manjusaka, a new attack tool similar to Sliver and Cobalt Strike
Upcoming events where you can find Talos
Las Vegas, Nevada
Most prevalent malware files from Talos telemetry over the past week
Typical Filename: Wextract
Claimed Product: Internet Explorer
Detection Name: PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg