By Jon Munshaw.
The one big thing
The Mustang Panda threat actor is breaking with what many would think to be protocol, and recently started targeting Russian organizations. Mustang Panda has long been thought to be a Chinese state-sponsored actor. Thus far in Russia’s invasion of Ukraine, China has been slow to criticize Russia and hasn’t taken part in many of the Western-backed sanctions levied against Russia over the past few months. This seems to break Mustang Panda’s attack pattern, but also illustrates that this longstanding actor isn’t going anywhere.
Why do I care?
Over the years, Mustang Panda has evolved their tactics and implants to target a wide range of entities spanning multiple governments in three continents, including the European Union, the U.S., Asia and pseudo-allies such as Russia. By using summit- and conference-themed lures in Asia and Europe, this attacker aims to gain as much long-term access as possible to conduct espionage and information theft.
So now what?
We’ll keep following Mustang Panda’s choice of targets, especially as the wave of big-game-hunting ransomware attacks continues. They’ve shown that pretty much no one is off limits. We have new Snort rules available to protect users against the download and execution of their signature PlugX malware, plus many other forms of protection against their attacks and known exploits.
Other news of note
A critical vulnerability in F5’s BIG-IP software is being actively exploited in the wild, taking the security community by storm. BIG-IP is a line of appliances that act as load balancers and firewalls, and can inspect and encrypt data going in and out of networks. This particular vulnerability has a severity score of 9.8 out of 10, but what’s more notable is that there are more than 16,000 instances of this software discoverable online, and it’s used by some of the world’s largest companies. This software sits close to network perimeters and often looks at the decrypted version of HTTPS-protected traffic, so if an attacker exploits this, it opens several avenues for further attacks. (Talos blog, ZDNet, Ars Technica)
Multiple Western governments publicly blamed Russian state-sponsored actors for launching a cyber attack against an American satellite communications company in the weeks leading up to Russia’s invasion of Ukraine. The E.U., U.K. and U.S. all released separate reports saying attackers hit the European networks belonging to Viasat, just as the invasion started on Feb. 24. A statement from the U.S. State Department said “The activity disabled very small aperture terminals in Ukraine and across Europe” that, “among other things, support wind turbines and provide Internet services to private citizens.” (State Department, NBC News)
Microsoft released fixes for more than 70 vulnerabilities as part of its weekly security update. May’s Patch Tuesday includes fixes for seven “critical” flaws, as well as a zero-day vulnerability that affects all supported versions of Windows. There’s also a vulnerability in the Magnitude Simba Amazon Redshift ODBC Driver that affects the Windows self-hosted integration runtime service. Adobe also issued five security bulletins on Tuesday, covering 18 vulnerabilities across Adobe ColdFusion, InDesign, Character Animator, FrameMaker and other software. However, none of these issues have been actively exploited in the wild, according to Adobe. (Talos blog, Adobe)
Can’t get enough Talos?
- Celebrating 20 years of ClamAV
- Bitter APT adds Bangladesh to their targets
- Vulnerability Spotlight: Vulnerability in Alyac antivirus program could stop virus scanning, cause denial of service
- Talos Incident Response added to German BSI Advanced Persistent Threat response list
- Threat Roundup for April 29 - May 6
Upcoming events where you can find Talos
NorthSec 2022 (May 19 – 20, 2022)
Montreal, Canada
REcon (June 3 – 5, 2022)
Montreal, Canada
RSA 2022 (June 6 – 9, 2022)
San Francisco, California
Cisco Live U.S. (June 12 – 16, 2022)
Las Vegas, Nevada
Most prevalent malware files from Talos telemetry over the past week
SHA 256: e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934
MD5: 93fefc3e88ffb78abb36365fa5cf857c
Typical Filename: Wextract
Claimed Product: Internet Explorer
Detection Name: PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg
SHA 256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91
MD5: 7bdbd180c081fa63ca94f9c22c457376
Typical Filename: c0dwjdi6a.dll
Claimed Product: N/A
Detection Name: Trojan.GenericKD.33515991
SHA 256: 1b94aaa71618d4ecba665130ae54ef38b17794157123675b24641dc85a379426
MD5: a841c3d335907ba5ec4c2e070be1df53
Typical Filename: chip 1-click installer.exe
Claimed Product: chip 1-click installer
Detection Name: Win.Trojan.Generic::ptp.cam
SHA 256: 59f1e69b68de4839c65b6e6d39ac7a272e2611ec1ed1bf73a4f455e2ca20eeaa
MD5: df11b3105df8d7c70e7b501e210e3cc3
Typical Filename: DOC001.exe
Claimed Product: N/A
Detection Name: Win.Worm.Coinminer::1201
SHA 256: e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c
MD5: a087b2e6ec57b08c0d0750c60f96a74c
Typical Filename: AAct.exe
Claimed Product: N/A
Detection Name: PUA.Win.Tool.Kmsauto::1201
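The block above is the kind of indicator list a detection engineer copies into a hash lookup. As an added example (not Talos tooling, and not code from the newsletter), here is a small Python parser that turns the five entries into records, validates that each SHA-256 and MD5 value is well-formed hex of the right length, and builds a hash-to-record index for checking a computed file digest. The entries are embedded as a constructed copy of the page's own values; the function and field names are the example's own.

```python
import re

# Constructed copy of the newsletter's "Most prevalent malware files" block.
# The hashes, filenames and detection names are the page's own values.
IOC_TEXT = """\
SHA 256: e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934
MD5: 93fefc3e88ffb78abb36365fa5cf857c
Typical Filename: Wextract
Claimed Product: Internet Explorer
Detection Name: PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg
SHA 256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91
MD5: 7bdbd180c081fa63ca94f9c22c457376
Typical Filename: c0dwjdi6a.dll
Claimed Product: N/A
Detection Name: Trojan.GenericKD.33515991
SHA 256: 1b94aaa71618d4ecba665130ae54ef38b17794157123675b24641dc85a379426
MD5: a841c3d335907ba5ec4c2e070be1df53
Typical Filename: chip 1-click installer.exe
Claimed Product: chip 1-click installer
Detection Name: Win.Trojan.Generic::ptp.cam
SHA 256: 59f1e69b68de4839c65b6e6d39ac7a272e2611ec1ed1bf73a4f455e2ca20eeaa
MD5: df11b3105df8d7c70e7b501e210e3cc3
Typical Filename: DOC001.exe
Claimed Product: N/A
Detection Name: Win.Worm.Coinminer::1201
SHA 256: e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c
MD5: a087b2e6ec57b08c0d0750c60f96a74c
Typical Filename: AAct.exe
Claimed Product: N/A
Detection Name: PUA.Win.Tool.Kmsauto::1201
"""

# Label used in the newsletter -> field name in the parsed record (example's own names)
FIELD_MAP = {
    "SHA 256": "sha256",
    "MD5": "md5",
    "Typical Filename": "filename",
    "Claimed Product": "product",
    "Detection Name": "detection",
}

# Expected hex length per hash algorithm
HEX_LEN = {"sha256": 64, "md5": 32}


def parse_iocs(text):
    """Parse the newsletter block into a list of dicts, one per sample.

    A 'SHA 256' line starts a new record. Hash values are normalised to
    lowercase and rejected if they are not hex of the expected length;
    a record that is missing any of the five fields is rejected too.
    """
    records = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        label, sep, value = line.partition(":")
        label = label.strip()
        if not sep or label not in FIELD_MAP:
            raise ValueError(f"unrecognised line: {line!r}")
        field = FIELD_MAP[label]
        value = value.strip()
        if field == "sha256":
            if current is not None:
                records.append(current)
            current = {}
        if current is None:
            raise ValueError("each record must begin with a 'SHA 256' line")
        if field in HEX_LEN:
            value = value.lower()
            if not re.fullmatch(rf"[0-9a-f]{{{HEX_LEN[field]}}}", value):
                raise ValueError(f"malformed {field} value: {value!r}")
        if field == "product" and value == "N/A":
            value = None  # the newsletter uses N/A for 'no claimed product'
        current[field] = value
    if current is not None:
        records.append(current)
    for rec in records:
        missing = set(FIELD_MAP.values()) - set(rec)
        if missing:
            raise ValueError(f"record {rec.get('sha256')} is missing {sorted(missing)}")
    return records


def index_by_hash(records):
    """Map every SHA-256 and MD5 value (lowercase) to its record for O(1) lookup."""
    index = {}
    for rec in records:
        index[rec["sha256"]] = rec
        index[rec["md5"]] = rec
    return index


def lookup(index, digest):
    """Return the matching record for a hex digest of either algorithm, or None."""
    return index.get(digest.strip().lower())


if __name__ == "__main__":
    recs = parse_iocs(IOC_TEXT)
    idx = index_by_hash(recs)
    for r in recs:
        print(f"{r['sha256'][:16]}...  {r['filename']:<28} {r['detection']}")
    print(lookup(idx, "DF11B3105DF8D7C70E7B501E210E3CC3")["filename"])
```

Feeding a computed digest (for example from `hashlib.sha256` over a suspect file) into `lookup` gives a quick answer against this week's list; the strict length and hex checks catch the copy-paste truncations that commonly creep into hand-curated indicator lists.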