SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
Title: SolarMarker tries to take victims around the galaxy
Description: Cisco Talos has observed new activity from Solarmarker a highly modular .NET-based information stealer and keylogger. A previous staging module, “d.m,” used with this malware has been replaced by a new module dubbed “Mars.” Another previously unreported module named “Uranus” has been identified. Organizations should be particularly concerned about the modular nature and information stealing capabilities of this malware family. Using its staging DLL, the malware can then execute whichever payload module they choose, some of which may be previously undiscovered.
The modules already observed make potential victims vulnerable to having sensitive information stolen, including employees' browser usage, such as if they enter their credit card number or other personal
information. These attackers may also look to steal login credentials, which could then be used for lateral movement into other systems or to access and steal even more enticing data, such as a customer or patient medical information database.
Title: Microsoft warns of NTLM relay attacks
Description: Microsoft released an advisory last week with a workout for recently discovered NTLM relay attacks. A tool, called PetitPotam, works against servers that enable NTLM authentication and Active Directory Certificate Services. An attacker could use this tool to abuse the Microsoft Encrypting File System Remote Protocol to authenticate to another server. An adversary could carry out this attack without any prior authentication. Microsoft and other security researchers advise disabling NTLM authentication on domain controllers. Users could also disable NTLM on any AD CS servers and NTLM for IIS AD CS servers.