NOTABLE RECENT SECURITY ISSUES
SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
Title: Masslogger steals users’ credentials from Outlook, Chrome
Description: Cisco Talos recently discovered a campaign utilizing a variant of the Masslogger trojan designed to retrieve and exfiltrate user credentials from multiple sources such as Microsoft Outlook, Google Chrome and instant messengers. The actor employs a multi-modular approach that starts with the initial phishing email and carries through to the final payload. The adversaries behind this campaign likely do this to evade detection. But it can also be a weakness, as there are plenty of opportunities for defenders to break the killchain. While most of the public attention seems to be focused on ransomware attacks, big game hunting and APTs, it is important to keep in mind that crimeware actors are still active and can inflict significant damage to organizations by stealing users' credentials. The credentials themselves have value on the dark web and actors sell them for money or use them in other attacks.
References: https://blog.talosintelligence.com/2021/02/masslogger-cred-exfil.html
Snort SIDs: 57141-57154
Title: Gamaredon APT spreads rapidly, looking to steal and sell information
Description: Gamaredon is a threat actor, active since at least 2013, that has long been associated with pro-Russian activities in several reports throughout the years. Although it is extremely aggressive, it is usually not associated with high-visibility campaigns; nevertheless, Cisco Talos sees it as incredibly active, and we believe the group is on par with some of the most prolific crimeware gangs. Gamaredon has been exposed several times in multiple threat intelligence reports, without any significant effect on its operations. Its information-gathering activities can almost be classified as those of a second-tier APT, whose main goal is to gather information and share it with their units, who will eventually use that information to perform the end goal. Recently, Cisco Talos researchers discovered four different campaigns using different initial infection vectors and final payloads.
References: https://blog.talosintelligence.com/2021/02/gamaredonactivities.html
Snort SIDs: 57194-57196
ClamAV: Lnk.Malware.Gamaredon-7448135-3