Threat Source newsletter (March 16, 2023) — A deep dive into Talos' work in Ukraine

Welcome to this week’s edition of the Threat Source newsletter.

We’ve written a ton about Cisco Talos’ support of Ukraine and our friends and allies there. Now, we encourage you to watch and listen to the folks who have been working hands-on there.

The latest episode of ThreatWise TV from Hazel Burton is the closest look yet at the team Talos assembled in the days after Russia invaded Ukraine to help defend critical infrastructure, intelligence partners and government agencies in Ukraine. The full documentary is also available on YouTube.

The one big thing

We have new research out on a never-before-seen threat actor called YoroTrooper that’s carrying out a variety of espionage activity in Europe and Asia. This group has targeted several high-profile government organizations, including one in the European Union, stealing sensitive information such as login credentials, browser histories and cookies, system information and screenshots.

Why do I care?

While YoroTrooper uses malware associated with other threat actors, such as PoetRAT and LodaRAT, we believe this is a new cluster of activity from an entirely new threat actor. YoroTrooper is clearly going after major targets and has already been successful, so everyone should be on the lookout for these attacks, but especially users and organizations in Commonwealth of Independent States (CIS) countries.

So now what?

YoroTrooper creates malicious domains and spoofs commonly visited URLs that look like they belong to government agencies in the targeted countries to host its malware. So any time you go to open an email attachment or click on a link in an email, triple check to make sure it’s really where you want to go, or that you can verify the sender. Additionally, the blog outlines a range of protections in Cisco Secure products that can defend and detect this group’s actions.
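The lookalike-domain tactic described above can be checked mechanically before anyone clicks. The following is an added example written for this newsletter, not code from Talos or from the YoroTrooper research: it extracts links from a message body and scores each host against a hypothetical allowlist of legitimate agency domains (the names under the reserved `.example` TLD are constructed for the example). A host is "trusted" only if it is, or sits under, an allowlisted domain; it is flagged as a "lookalike" when an allowlisted name is embedded as a subdomain of something else, or when its registrable domain is within a small edit distance of an allowlisted one. The two-label "registrable domain" rule is a deliberate simplification; production code should consult the Public Suffix List.

```python
"""Flag links whose host imitates an allowlisted domain (added example, not Talos code)."""
import re
from urllib.parse import urlparse

# Hypothetical allowlist of legitimate agency domains, constructed for this example.
ALLOWLIST = frozenset({"agency.example", "tax.agency.example", "portal.example"})

# Crude link extractor for plain-text mail bodies.
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance; a small distance between domains suggests typosquatting."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Last two labels of a host. Simplification: real code should use the Public Suffix List."""
    return ".".join(host.split(".")[-2:])


def classify_url(url: str, allowlist=ALLOWLIST, max_distance: int = 2) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for the host in url."""
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    if not host:
        return "unknown"
    # Exact allowlisted host, or a subdomain of one.
    for good in allowlist:
        if host == good or host.endswith("." + good):
            return "trusted"
    padded = "." + host + "."
    for good in allowlist:
        # Allowlisted name embedded inside another domain, e.g. agency.example.login-update.example
        if "." + good + "." in padded:
            return "lookalike"
        # Near-miss spelling of the registrable domain, e.g. agancy.example
        if levenshtein(registrable_domain(host), registrable_domain(good)) <= max_distance:
            return "lookalike"
    return "unknown"


def triage_links(text: str, allowlist=ALLOWLIST) -> list:
    """Return (url, verdict) pairs for every link found in text."""
    return [(u, classify_url(u, allowlist)) for u in URL_RE.findall(text)]


if __name__ == "__main__":
    # Constructed message body; none of these links are real YoroTrooper infrastructure.
    sample = (
        "Please review https://agency.example/portal and sign in at "
        "https://agency.example.login-update.example/ then download "
        "http://agancy.example/doc.zip or read https://news.example/story"
    )
    for url, verdict in triage_links(sample):
        print(f"{verdict:9s} {url}")
```

The edit-distance threshold is the knob to tune: a value of 2 catches single-character swaps and insertions on domains of normal length but will over-flag very short names, so pair it with the allowlist rather than running it against arbitrary traffic. Anything classified as "unknown" is not necessarily safe; it simply is not impersonating a domain you told the script about.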

Top security headlines of the week

The ALPHV ransomware cartel claims to have successfully stolen data belonging to Amazon’s Ring smart home company. The ransomware gang’s dark web site threatened to leak the data earlier this week, though it showed no evidence of a successful attack. Ring said on Tuesday that it had “no indications that Ring has experienced a ransomware event.” ALPHV, which is known for the BlackCat malware, usually encrypts targets’ data and threatens to leak the stolen information if the victim does not pay the requested ransom. Politico also reported this week that Ring will openly share recorded footage with local law enforcement, even if the camera’s user declines to do so, sparking questions about who owns security footage on private property and whether users are compelled to share those recordings. (Vice, TechCrunch, Politico)

Sensitive information from D.C. Health Link — the online health insurance marketplace for Washington, D.C. — is reportedly for sale on the dark web, potentially affecting White House staff and members of Congress. An internal memo last week warned of a “significant data breach” that potentially exposed the personal information of thousands of federal employees and told potential victims that their data may have been compromised. As many as 21 members of the U.S. House and Senate could be affected, all of whom get their insurance through the program. In all, 56,415 customers were affected, according to the exchange. (CBS News, Roll Call)

Microsoft released its monthly security update Tuesday, disclosing 83 vulnerabilities across the company’s hardware and software lineup. Two of the vulnerabilities have been exploited in the wild, according to Microsoft, including one critical issue, continuing a trend of zero-days appearing in Patch Tuesdays over the past few months. One of this month’s zero-days, CVE-2023-23397, is a privilege escalation vulnerability in Microsoft Outlook that could force a targeted device to connect to a remote URL and transmit the Windows account’s Net-NTLMv2 hash to an adversary. A user doesn’t even need to open or preview the email to trigger this vulnerability; it is triggered as soon as the email is retrieved by the targeted email server. (Cisco Talos, SecurityWeek)

Can’t get enough Talos?

Upcoming events where you can find Talos

WiCyS (March 16 - 18)

Denver, CO

RSA (April 24 - 27)

San Francisco, CA

Most prevalent malware files from Talos telemetry over the past week


SHA 256: 00ab15b194cc1fc8e48e849ca9717c0700ef7ce2265511276f7015d7037d8725
MD5: d47fa115154927113b05bd3c8a308201
Typical Filename: mssqlsrv.exe
Claimed Product: N/A
Detection Name: Trojan.GenericKD.65065311

SHA 256: e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934
MD5: 93fefc3e88ffb78abb36365fa5cf857c
Typical Filename: Wextract
Claimed Product: Internet Explorer
Detection Name: PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg

SHA 256: 5616b94f1a40b49096e2f8f78d646891b45c649473a5b67b8beddac46ad398e1
MD5: 3e10a74a7613d1cae4b9749d7ec93515
Typical Filename: IMG001.exe
Claimed Product: N/A
Detection Name: Win.Dropper.Coinminer::1201

SHA 256: de3908adc431d1e66656199063acbb83f2b2bfc4d21f02076fe381bb97afc423
MD5: 954a5fc664c23a7a97e09850accdfe8e
Typical Filename: teams15.exe
Claimed Product: teams15
Detection Name: Gen:Variant.MSILHeracles.59885
