Joe, Hazel, Bill and Dave break down Talos’ Year in Review 2024 and discuss how and why cybercriminals have been leaning so heavily on attacks that are routed in stealth in simplicity.

The team also provide insights into some of the topics of the report, including the top-targeted vulnerabilities of the year, network-based attacks, adversary toolsets, identity attacks, multi-factor authentication (MFA) abuse, ransomware and AI-based attacks. 

Listen below:

For the full report, head to blog.talosintelligence.com/2024yearinreview

Cisco Talos Blog – ​Read More

• Cisco Talos is actively tracking an ongoing campaign targeting users in Ukraine with malicious LNK files, which run a PowerShell downloader, since at least November 2024. 
• The file names use Russian words related to the movement of troops in Ukraine as a lure. 
• The PowerShell downloader contacts geo-fenced servers located in Russia and Germany to download the second stage Zip file containing the Remcos backdoor. 
• The second stage payload uses DLL side loading to execute the Remcos payload. 
• Talos assesses with medium confidence that this activity is associated with the Gamaredon threat actor group. 

 

Phishing campaign using the invasion of Ukraine as a theme 

The invasion of Ukraine is a common theme used by the Gamaredon group in their phishing campaigns and this campaign continues the use of this technique. The actor distributes LNK files compressed inside ZIP archives, usually disguising the file as an Office document and using names that are related to the invasion.  

Although Talos was not able to pinpoint the exact method by which these files are distributed, it is likely that Gamaredon continues to send phishing e-mails with either the ZIP file directly attached to it or containing a URL link to download the file from a remote host.  

Below are some examples of file names used in this campaign: 

Original Name	Translation
3079807576 (Шашило О.В)/ШАШИЛО Олександр Віталійович.docx.lnk	3079807576 (Shashilo O.V)/SHASHILO Oleksandr Vitaliyovich.docx.lnk
3151721177 (Рибак С.В)/РИБАК Станіслав Вікторович.docx.lnk	3151721177 (Rybak S.V)/RYBAK Stanislav Viktorovich.docx.lnk
3407607951 (Жолоб В.В)/ЖОЛОБ Владислав Вікторович.docx.lnk	3407607951 (Zholob V.V)/ZHOLOB Vladislav Viktorovich.docx.lnk
3710407173 (Гур’єв П.А)/ГУР’ЄВ Павло Андрійович.docx.lnk	3710407173 (Gur’ev P.A)/GUR’EV Pavlo Andriyovich.docx.lnk
Вероятное расположение узлов связи, установок РЭБ и расчетов БПЛА противника. ЮГ КРАСНОАРМЕЙСКА.docx.lnk	Probable location of communication nodes, electronic warfare installations and enemy UAV calculations. SOUTH OF THE RED ARMY.docx.lnk
ГУР’ЄВ Павло Андрійович.docx.lnk	GUR’EV Pavlo Andriyevich.docx.lnk
Координаты взлетов противника за 8 дней (Красноармейск).xlsx.lnk	Coordinates of enemy takeoffs for 8 days (Krasnoarmeysk).xlsx.lnk
Позиции противника запад и юго-запад.xlsx.lnk	Positions of the enemy west and southwest.xlsx.lnk
РИБАК Станіслав Вікторович.docx.lnk	RYBAK Stanislav Viktorovich.docx.lnk
ШАШИЛО Олександр Віталійович.docx.lnk	SHASHILO Oleksandr Vitaliyevich.docx.lnk

The translation for these names shows the intent of this campaign in using a war-related theme. We can see some of the files use names of Russian or Ukrainian agents, as well as names alluding to troop movements in the region of conflict. 

These files contain metadata indicating only two machines were used in creating the malicious shortcut files. As we mentioned in a previous blog Gamaredon tends to use a short list of machines when creating the LNK files for their campaigns and the ones used in this campaign were previously seen by Talos in incidents related to this threat group. 

The LNK files contain PowerShell code used to download and execute the next stage payload, as well as a decoy file which is shown to the user after the infection occurs as a way to disguise the compromise.  

The PowerShell code uses the cmdlet Get-Command to indirectly execute the functions to download and execute the payload, which could be an attempt to bypass string-based detection by antivirus solutions.  

The servers used in this campaign are based out of Germany and Russia, and at the time of our assessment, all of them return HTTP error 403 when attempting to download the payload files.  

That indicates that either the files were taken offline, or access to the file is being restricted. Gamaredon is known to restrict access to their payload servers only to victims located in Ukraine. We have found evidence in public sample databases that these servers were still hosting the files for specific regions while returning access denied errors in our tests, like this sample available in the “Any.run” public sandbox: 

• https://app.any.run/tasks/f9dc0beb-b125-478d-9091-739d2e3325be 

Network infrastructure associated with Campaign 

The servers used in this campaign are mostly hosted in two Internet Service Providers (ISP): GTHost and HyperHosting: 

IP	ASN	ISP
146[.]185[.]233[.]96	63023	gthost
146[.]185[.]233[.]101	63023	gthost
146[.]185[.]239[.]45	63023	gthost
80[.]66[.]79[.]91	60602	hyperhosting
80[.]66[.]79[.]195	60602	hyperhosting
81[.]19[.]131[.]95	63023	ispipoceanllc
80[.]66[.]79[.]159	60602	hyperhosting
80[.]66[.]79[.]200	60602	hyperhosting
80[.]66[.]79[.]155	60602	hyperhosting
146[.]185[.]239[.]51	63023	gthost
146[.]185[.]233[.]90	63023	gthost
146[.]185[.]233[.]97	63023	gthost
146[.]185[.]233[.]98	63023	gthost
146[.]185[.]239[.]47	63023	gthost
146[.]185[.]239[.]56	63023	gthost
146[.]185[.]239[.]33	63023	gthost
146[.]185[.]239[.]60	63023	gthost

 

These servers are used to distribute the payload and the decoy document, but Talos found evidence of at least one server being used as the Command and Control (C2) server for the Remcos backdoor. 

We have also found evidence of an interesting artifact in the DNS resolution for some of these servers. Even though all the communication with these servers is done directly via the IP address, the reverse DNS record for some of these IPs show an invalid entry that is quite unique: 

Figure: Reverse DNS resolution for Gamaredon’s campaign. Modeled using Crime Mapper (by @UK_Daniel_Card) 

While this doesn’t necessarily mean the attackers manually changed these records, it did help uncover at least two additional IPs matching the characteristics of the other servers in this campaign: 

  

DLL sideloading used to load Remcos backdoor 

Gamaredon has previously been known to use custom scripts and tools in their attack chains, but Talos has observed the use of Remcos backdoor as an alternative tool in their campaigns. 

Once the ZIP payload is downloaded from the servers, it is extracted to the %TEMP% folder and executed. The binary which is executed is a clean application which in turn loads the malicious DLL via DLL sideloading method. This file is actually a malicious loader which decrypts and executes the final Remcos payload from encrypted files found within the ZIP. 

The PowerShell files we observed downloading the ZIP files contain hints of various applications being abused for DLL side loading, and they contain a mix of clean and malicious files: 

• DefenderUpdate/DPMHelper.exe 
• DefenderUpdate/DZIPR.exe 
• DefenderUpdate/IDRBackup.exe 
• DefenderUpdate/IUService.exe 
• DefenderUpdate/madHcCtrl.exe 
• DefenderUpdate/palemoon.exe 
• Drvx64/Compil32.exe 
• Drvx64/IsCabView.exe 
• Drvx64/TiVoDiag.exe 
• Drvx64/WiseTurbo.exe 
• SecurityCheck/Mp3tag.exe 
• SysDrive/AcroBroker.exe 
• SysDrive/DPMHelper.exe 
• SysDrive/IsCabView.exe 
• SysDrive/palemoon.exe 
• SysDrive/SbieSvc.exe 
• SysDrive/steamerrorreporter64.exe 
• SysDrive/TiVoDiag.exe 
• SysDrive/vmhost.exe 

We can see in the previously mentioned sample downloaded by “Any.run” that it contains the clean application TivoDiag.exe, as well as two DLLs. The file “mindclient.dll” is the malicious DLL which is loaded by “TivoDiag.exe” during execution. 

The payload binary is a typical Remcos backdoor which is injected into Explorer.exe. It communicates with the C2 server 146[.]185[.]233[.]96 on port 6856: 

Coverage 

Ways our customers can detect and block this threat are listed below. 

 

 

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here. 

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here. 

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat. 

Cisco Secure Network/Cloud Analytics (Stealthwatch/Stealthwatch Cloud) analyzes network traffic automatically and alerts users of potentially unwanted activity on every connected device. 

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products. 

Cisco Secure Access is a modern cloud-delivered Security Service Edge (SSE) built on Zero Trust principles.  Secure Access provides seamless transparent and secure access to the internet, cloud services or private application no matter where your users work.  Please contact your Cisco account representative or authorized partner if you are interested in a free trial of Cisco Secure Access. 

Umbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network.  

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.  

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center. 

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.  

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. 

Snort SIDs for this threat:  

Snort 2: 64707, 64708 

Snort 3:  301171 

Indicators of Compromise 

IOCs for this threat can be found in our GitHub repository here.    

Cisco Talos Blog – ​Read More

AirTags are a popular tracking device used by anyone from forgetful key owners to those with malicious intent, such as jealous spouses and car thieves. Using AirTags for spying is simple: a tag is discreetly placed on the target to allow their movements to be conveniently monitored using Apple Find My. We’ve even added protection from AirTag-based tracking to our products for Android.

But a recent study by security researchers has surprisingly found that remote tracking doesn’t even depend on buying an AirTag or ever being physically near the target. If you manage to sneak special malware onto someone’s Windows, Android, or Linux device (like a computer or phone), it could use the device’s Bluetooth to send out a signal that nearby Apple devices would think is coming from an AirTag. Essentially, for Apple devices, the infected phone or computer effectively becomes an oversized AirTag – trackable via the Find My network, which boasts over a billion Apple phones and tablets.

Anatomy of the attack

The attack exploits two features of the Find My technology.

Firstly, this network uses end-to-end encryption – so participants don’t know whose signals they’re relaying. To exchange information, an AirTag and its owner’s phone rely on a pair of cryptographic keys. When a lost AirTag broadcasts its “callsigns” via Bluetooth, Find My network “detectors” (that is, any Apple device with Bluetooth and internet access, regardless of who owns it) simply transmit AirTag’s geolocation data to Apple servers. The data is encrypted with the lost AirTag’s public key.

Then, any device can ask for the encrypted location data from the server. And because it’s encrypted, Apple doesn’t know who the signal belongs to, or which device asked for it. The crucial point here is that one can only decrypt the data and find out both whose AirTag it is and its exact location by having the corresponding private key. Therefore, this data is only useful to the owner of the smartphone paired with this AirTag.

Another feature of Find My is that detectors don’t verify whether the location signal indeed originated with an Apple device. Any devices that support Bluetooth Low Energy (BLE) can broadcast it.

To exploit these features, the researchers came up with the following method:

1. They install malware on a computer, phone, or some other device running Android, Windows, or Linux, and check the Bluetooth adapter address.
2. The attackers’ server receives the information and uses powerful video cards to generate a pair of encryption keys specific to the device’s Bluetooth address and compatible with Apple’s Find My
3. The public key is sent back to the infected device, and the malware then starts transmitting a Bluetooth message that mimics AirTag signals and includes this key.
4. Any nearby Apple device connected to the internet receives the Bluetooth message and relays it to the Find My
5. The attackers’ server uses the private key to request the location of the infected device from Find My and decrypt the data.

How well does the tracking work?

The more Apple devices nearby and the slower the victim’s movement, the better the accuracy and speed of the location tracking. In typical urban environments like homes or offices, the location is typically pinpointed within six to seven minutes and with an accuracy of around three meters. Even in extreme situations, such as being on an airplane, tracking can still occur because internet access is now widely available on flights. The researchers obtained 17 geolocation points throughout a 90-minute flight, allowing them to reconstruct the aircraft’s flight path quite accurately.

Naturally, the success of the attack hinges on whether the victim can be infected with malware, and the details are slightly different depending on the platform. On Linux devices, the attack only requires infecting the victim’s gadget due to the specific Bluetooth implementation. By contrast, Android and Windows employ Bluetooth address randomization, meaning the attacker needs to infect two nearby Bluetooth devices: one as the tracking target (the one that mimics an AirTag), and another to obtain its adapter address.

The malicious application needs Bluetooth access, but this isn’t hard to get. Many common app categories – like media players, file sharing tools, and even payment apps – often have legitimate reasons to request it. It’s likely that a convincing and functional bait application will be created for this type of attack, or even that an existing application will be trojanized. The attack requires neither administrative permissions nor root access.

Importantly, we’re not just talking about phones and computers: the attack is effective across a range of devices – including smart TVs, virtual-reality glasses, and other household appliances – as Android and Linux are common operating systems in many of them.

Another key part of the attack involves calculating cryptographic keys on the server. Due to the complexity of this operation – which requires leasing hardware with modern video cards – the cost of generating a key for a single  victim is estimated at around $2.2. For this reason, we find mass-tracking scenarios that target, say, visitors inside a shopping center, to be unlikely. However, targeted attacks at this price point are accessible to virtually anyone, including scammers or nosy co-workers and spouses.

Apple’s response

The company patched the Find My network vulnerability in December 2024 in iOS 18.2, visionOS 2.2, iPadOS 17.7.3 (for older devices) and 18.2 (for newer ones), watchOS 11.2, tvOS 18.2, macOS Ventura 13.7.2, macOS Sonoma 14.7.2, and macOS Sequoia 15.2. Unfortunately, as is often the case with Apple, the details of the updates have not been disclosed. The researchers emphasize that this tracking method will remain technically feasible until all Apple users update to at least the above versions, though fewer devices will be able to report a tracked device’s location. And it’s not impossible that the Apple patch could be defeated by another engineering trick.

How to protect yourself from the attack

• Turn off Bluetooth when you’re not using it if your device has the option.
• When installing apps, stick to trusted sources only. Verify that the app has been around for a long time, and has many downloads and a high rating in its latest version.
• Only grant Bluetooth and location access to apps if you’re certain you need those features.
• Regularly update your device: both the OS and main apps.
• Make sure you have comprehensive malware protection enabled on all your devices. We recommend Kaspersky Premium.

Besides this rather unusual and as-yet-unseen-in-the-wild tracking method, there are numerous other ways your location and activities can be tracked. What methods are being used to spy on you? Read these for the details:

• How smartphones build a dossier on you
• Webcam stalking: fact or fiction?
• How to protect yourself from Bluetooth stalking and more
• How millions of Kia cars could be tracked
• Run for your data: privacy settings in jogging apps
• I know how you drove last summer

… and other posts.

Kaspersky official blog – ​Read More

It’s a rare company these days that doesn’t boast about using artificial intelligence (AI). And often no explanation is forthcoming as to why AI is needed or, more importantly, how it’s implemented — just the mere presence of AI, it seems, is enough to make a product more valuable, innovative and high-tech. Kaspersky advocates a different approach: we don’t just say “we use AI”, but explain exactly how we deploy machine learning (ML) and AI technologies in our solutions. It’d take too long to list all our AI technologies in a single post given that we have an entire expertise center — Kaspersky AI Technology Research — that deals with all aspects of AI. So my sole focus here will be on those technologies that make life easier for SIEM analysts working with the Kaspersky Unified Monitoring and Analysis Platform.

SIEM AI Asset Risk Scoring

In traditional systems, one of the most resource-intensive tasks of the SIEM analyst is prioritizing alerts — especially if the system has just been installed and works out of the box with default correlation rules not yet fine-tuned to the infrastructure of a specific company. Big data analytics and AI systems can help here. Armed with SIEM AI Asset Risk Scoring, monitoring and response teams can prioritize alerts and prevent potential damage. The module assesses asset risks by analyzing historical data and prioritizing incoming alerts, allowing to speed up triage and generate hypotheses that can be used for proactive searches.

Based on information about activated correlation rule chains, SIEM AI Asset Risk Scoring lets you build patterns of normal activity on endpoints. Then, by comparing daily activity with these patterns, the module identifies anomalies (for example, sudden traffic spikes or multiple service requests) that may signal a real incident and prompt the analyst to take a deeper look into these alerts. This way, the problem is detected early, before any damage is done.

AI-Powered OSINT IoCs

Analysts working with the Kaspersky Unified Monitoring and Analysis Platform also have the option to use additional contextual information from open sources through the Kaspersky Threat Intelligence Portal. After the latest update, the portal now provides access to threat intelligence collected using a generative AI model.

It works as follows: let’s say you’ve found a suspicious file during a threat hunt. You can take this file’s hash and look it up on the site, and if someone else has already encountered it during an incident investigation and published something about it, the technology will instantly show you indicators of compromise (IoC) and key facts about the threat. Without such an automation system, it can take the analyst many hours to find and review this information — especially if there are lots of materials and they’re written in different languages. Our system, built on an internal LLM model, can automate this process: it analyzes all reports and mentions of the threat whatever the language, extracts the essence, and presents a summary: the nature of the threat, the date it was detected first, cybercriminal groups associated with it, industries most often targeted using the file, and so on. This saves the analyst an enormous amount of time on searching and researching.

What’s more, the analyst has access to other Kaspersky Threat Intelligence data, including information generated using AI technologies and big data analytics. Our threat intelligence databases are continuously updated with the results of manual APT research, live data from the darknet, information from the Kaspersky Security Network, and regular analysis of new malware. All of these technologies help users minimize the potential damage from cyber-incidents and reduce the Mean Time to Respond (MTTR) and the Mean Time to Detect (MTTD).

 

We continue to improve the usability and performance of our SIEM system, with a focus on deploying AI to free information security employees from even more routine tasks. Follow updates of the Kaspersky Unified Monitoring and Analysis Platform on the official product page.

Kaspersky official blog – ​Read More