By Jon Munshaw.
The one big thing
Why do I care?
This framework gives attackers an easy method of carrying out a variety of malicious actions, such as executing remote shellcode and taking screenshots without the target noticing. The fact that Alchimist and its associated trojan, Insekt, target all major operating systems means anyone could be a target.
So now what?
Endpoint security teams should implement a layered security defense, remain vigilant in monitoring privileged operations in their environments, and detect any unauthorized programs attempting to gain root privileges. Network security teams should look for any unusual traffic to their organizations' environments and be cautious about suspicious artifacts downloaded into their networks. Controlled download and file execution policies on endpoints and servers can effectively protect organizational assets from these threats.
Top security headlines from the week
The Qakbot access-as-a-service group is active again after a few months of being relatively quiet, this time using several different second-stage payloads to allow other groups to execute follow-on attacks. Qakbot-infected systems have seen the group use Brute Ratel, a simulation platform commonly used by penetration testers, the Emotet botnet and Cobalt Strike. Black Basta is one such group that’s been spotted acquiring access to targeted systems via Qakbot. In that group’s case, it uses Brute Ratel to move laterally to other systems on the network and execute various malicious payloads. (Dark Reading, Decipher)
Australia is becoming an increasingly popular target for threat actors, with several high-profile companies recently hit by cyber attacks. A new study found there was an 81 percent increase in cybersecurity incidents in Australia between July 2021 and June 2022, with most of that jump coming in 2022. The Australian government is already looking at new cybersecurity standards and laws, including new rules forcing cyber attack targets to notify banks faster if there is a data breach, specifically highlighting a recent breach at Optus, one of the country’s largest telecommunications companies. Medibank, a massive health insurance company, was also hit with a cyber attack this week, although it said there is currently no evidence of sensitive information or customer data being affected. (Computer Weekly, Reuters, Bloomberg)
Social media and online advertising platforms have been slow to adopt new rules and regulations around fake news and disinformation related to birth control and abortion care. Several months removed from the Supreme Court’s ruling overturning Roe v. Wade, there are still massive amounts of misleading advertising, fake news links and incorrect information floating around on online platforms without any flags. Abortion rights advocates say that this issue has only gotten worse since the ruling. A new study from the Institute for Strategic Dialogue states that sites like TikTok, YouTube and Meta have allowed disinformation and misinformation about abortion care rights and laws to be monetized and spread. (Axios, Institute for Strategic Dialogue)
Can’t get enough Talos?
- Talos Takes Ep. #117: Tips for kickstarting your cybersecurity career
- The benefits of taking an intent-based approach to detecting Business Email Compromise
- Threat Roundup for Oct. 7 - 14
- Researchers detail new C2 attack framework targeting Windows, macOS and Linux
- Talos EMEA Threat Update (Oct. 2022): An overview of the current ransomware landscape
- Intent-based approach leverages neural networks to deliver targeted classifications to BECs
Upcoming events where you can find Talos
Virtual
Most prevalent malware files from Talos telemetry over the past week
MD5: 93fefc3e88ffb78abb36365fa5cf857c
Typical Filename: Wextract
Claimed Product: Internet Explorer
Detection Name: PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg