2032 matches found
9 vulnerabilities found in VPN software, including 1 critical issue that could lead to remote code execution
Cisco Talos has disclosed 17 vulnerabilities over the past two weeks, including nine that exist in a popular VPN software. Attackers could exploit these vulnerabilities in the SoftEther VPN solution for individual and enterprise users to force users to drop their connections or execute arbitrary...
Kazakhstan-associated YoroTrooper disguises origin of attacks as Azerbaijan
Cisco Talos assesses with high confidence that YoroTrooper, an espionage-focused threat actor first active in June 2022, likely consists of individuals from Kazakhstan based on their use of Kazakh currency and fluency in Kazakh and Russian. The actor also appears to have a defensive interest in t...
Attacks on web applications spike in third quarter, new Talos IR data shows
Quarterly threat report: Telecommunications and education are most-targeted verticals There was a notable increase in threats to web applications, accounting for 30 percent of the engagements Cisco Talos Incident Response Talos IR responded to in the third quarter of 2023, compared to 8 percent t...
Threat Roundup for October 13 to October 20
Today, Talos is publishing a glimpse into the most prevalent threats weve observed between Oct. 13 and Oct. 20. As with previous roundups, this post isnt meant to be an in-depth analysis. Instead, this post will summarize the threats weve observed by highlighting key behavioral characteristics,...
More helpful resources for users of all skill levels to help you Take a Security Action
Welcome to this weeks edition of the Threat Source newsletter. I continue to be saddened by all the conflict in Israel and Gaza thats still ongoing. Ill be back with a "normal" newsletter next week, as unfortunately, there doesnt seem to be a peaceful solution coming any time soon. In the meantim...
What is Cracktivator software?
Cisco Talos coined the term "Cracktivator software" to reference counterfeit or modified software for pirated versions of Windows applications. One of our teammates, James Nutland, led the research to look into cracked versions of the Microsoft Windows operating system and other Microsoft...
Why logging is one of the most overlooked aspects of incident response, and how Cisco Talos IR can help
By Rami Altalhi and David Roman. Logs are fundamental to strengthening an organizations digital defenses. Many logs within an organization contain records related to computer security. These computer security logs are generated by many sources, including security software, workstations, servers,...
Snapshot fuzzing direct composition with WTF
Cisco Talos has developed a custom fuzzer using the popular snapshot fuzzer "WTF" which targets Direct Composition in Windows. Talos vulnerability research team used Protocol Buffers developed by Google to serialize and deserialize test cases. The Bochscpu backend of WTF was patched and other...
Active exploitation of Cisco IOS XE Software Web Management User Interface vulnerabilities
Updates Nov. 02: Identified a third version of the BadCandy implant. Added expected response from the new version of the implant against one of the HTTP requests used to check for infected device. Nov. 1: Observed increase in exploitation attempts since the publication of the proofs-of-concept PO...
Top resources for Cybersecurity Awareness Month
Welcome to this weeks edition of the Threat Source newsletter. I didnt feel like I wanted to write anything special or witty this week given the current events in Israel and the Gaza Strip, but I will certainly advocate for any assistance readers would like to provide to the various organizations...
What to know about the HTTP/2 Rapid Reset DDoS attacks
Cisco Talos is actively tracking the novel distributed denial-of-service DDoS attacks cloud services provider Cloudflare disclosed earlier this week. The techniques described in Cloudflares blog post resulted in a record-breaking DDoS attack and could facilitate much larger attacks in the future...
10 zero-day vulnerabilities in industrial cell router could lead to code execution, buffer overflows
Cisco Talos recently disclosed 11 vulnerabilities, 10 of which are zero-days without a patch in an industrial cellular router. Attackers could exploit these vulnerabilities in the Yifan YF325 to carry out a variety of attacks, in some cases gaining the ability to execute arbitrary shell commands ...
Microsoft patches 12 critical vulnerabilities, nine of which are in Layer 2 Tunneling Protocol
Microsoft disclosed 104 vulnerabilities in its extensive range of software and services, the most in a single Patch Tuesday since July. What is most notable is that this batch of vulnerabilities includes 12 that are considered "critical," nine of which are remote code execution vulnerabilities in...
How looking at decades of spam led Jaeson Schultz from Y2K to the metaverse and cryptocurrency
At this point in his career, Jaeson Schultz has seen nearly every type of online scam there is to see. From fake bomb threats at schools, to "sextortion" campaigns, cryptocurrency mining, metaverse and more of the 2010s, to the earliest type of spam emails in the 1990s that promised to protect...
Is it bad to have a major security incident on your résumé? (Seriously I don’t know)
Welcome to this weeks edition of the Threat Source newsletter. Its Cybersecurity Awareness Month, which means its time to hug your nearest defender -- theyre probably tired, could be facing burnout or just have had too much coffee today. What makes the cybersecurity landscape even more fraught...
Qakbot-affiliated actors distribute Ransom Knight malware despite infrastructure takedown
The threat actors behind the Qakbot malware have been conducting a campaign since early August 2023 in which they have been distributing Ransom Knight ransomware and the Remcos backdoor via phishing emails. Notably, this activity appeared to begin before the FBI seized Qakbot infrastructure in la...
What is the dark web?
Most users interact with the internet through the web, and many of the threat actors we write about operate on the "dark web." Broadly speaking, the dark web is a small portion of the "deep web," where the deep web represents most of the Web. We know, its confusing -- lets walk through an example...
Threat Roundup for September 22 to September 29
Today, Talos is publishing a glimpse into the most prevalent threats weve observed between Sept. 22 and Sept. 29. As with previous roundups, this post isnt meant to be an in-depth analysis. Instead, this post will summarize the threats weve observed by highlighting key behavioral characteristics,...
The security pitfalls of social media sites offering ID-based authentication
Welcome to this weeks edition of the Threat Source newsletter. Since Elon Musk first started talking about purchasing Twitter/X around this time last year, one of his main sticking points has been how many bot accounts are on the platform and how that potentially affects advertising revenue and...
10 new vulnerabilities disclosed by Talos, including use-after-free issue in Google Chrome
Cisco Talos disclosed 10 vulnerabilities over the past two weeks affecting a range of software, including the popular Google Chrome web browser. Attackers could exploit these vulnerabilities to carry out a variety of attacks, in some cases gaining the ability to execute remote code on the targete...
ICS protocol coverage using Snort 3 service inspectors
With more devices on operational technology OT networks now getting connected to wide-reaching IT networks, it is more important than ever to have effective detection capabilities for ICS protocols. However, there are a few issues that usually arise when creating detection for ICS protocol traffi...
What’s the point of press releases from threat actors?
Welcome to this weeks edition of the Threat Source newsletter. As a former reporter, Ive seen my fair share of press releases. But one from a threat actor was definitely a new one for me last week. ALPHV aka BlackCat publicly took credit for a massive cyber attack against MGM, a resort, gambling...
New ShroudedSnooper actor targets telecommunications firms in the Middle East with novel Implants
Cisco Talos recently discovered a new malware family were calling "HTTPSnoop" being deployed against telecommunications providers in the Middle East. HTTPSnoop is a simple, yet effective, backdoor that consists of novel techniques to interface with Windows HTTP kernel drivers and devices to liste...
Turns out even the NFL is worried about deepfakes
Welcome to this weeks edition of the Threat Source newsletter. Im at the point in the calendar year where Im a sponge for NFL content. I couldnt be happier to escape from my six-month American football-free slumber and am ready to watch games three days a week and listen to NFL podcasts or read...
How Cisco Talos IR helped a healthcare company quickly resolve a Qakbot attack
Partnership and proactive measures reduce resolution time from weeks to mere hours. Healthcare is one of the most popular targets for threat actors, as evidenced by the fact that it was the most-targeted sector in each of Cisco Talos Incident Responses past two Quarterly Trends Reports. But if...
Microsoft Patch Tuesday for September 2023 — Unusually low 5 critical vulnerabilities included in Microsoft Patch Tuesday, along with two zero-days
Microsoft disclosed 65 vulnerabilities across its suite of products and software Tuesday, only five of which are considered critical, which is very low compared to Microsofts usual security updates. However, there are two issues disclosed and patched this month that have already been exploited in...
You can try to hide your firmware from Kelly Patterson, but she’ll find it (and break it)
How her work illustrates the difference Talos vulnerability research team makes When Kelly Patterson first learned how to code by making small programs in her high school class, she preferred breaking her creations to building them. Shed make a game and then spend double the time debugging that...
A secondhand account of the worst possible timing for a scammer to strike
Welcome to this weeks edition of the Threat Source newsletter. Up until last week, I had never considered the timing of a scam to be important. Im so used to just swiping away emails or text messages at random times during the day that Id never considered what would happen if an adversary happene...
Cybercriminals target graphic designers with GPU miners
Cybercriminals are abusing Advanced Installer, a legitimate Windows tool used for creating software packages, to drop cryptocurrency-mining malware on infected machines. This activity has been ongoing since at least November 2021. The attacker uses Advanced Installer to package other legitimate...
Eight vulnerabilities in Open Automation Software Platform could lead to information disclosure, improper authentication
Cisco Talos recently disclosed eight vulnerabilities in the engine configuration functionality in Open Automations Software Platform. OAS Platform is commonly found in industrial operations and enterprise environments. It allows various devices, including PLCs, servers, files, databases and...
New open-source infostealer, and reflections on 2023 so far
Welcome to this weeks edition of the Threat Source newsletter. Im covering for Jon this week whilst he takes some well-deserved holiday. Whats on my mind this week? Well, apart from a new horror film that I just read about called "Slotherhouse" where the killer is, um, a sloth I predict nothing b...
SapphireStealer: Open-source information stealer enables credential and data theft
SapphireStealer, an open-source information stealer, has been observed across public malware repositories with increasing frequency since its initial public release in December 2022. Information-stealing malware like SapphireStealer can be used to obtain sensitive information, including corporate...
What's in a name? Strange behaviors at top-level domains creates uncertainty in DNS
Google introduced the new ".zip" Top Level Domain TLD on May 3, 2023, igniting a firestorm of controversy as security organizations warned against the confusion that was certain to occur. When clicking on a name that ends in ".zip" are people intending to open an archive file or an internet URL?...
Years into these games’ histories, attackers are still creating “Fortnite” and “Roblox”-related scams
Welcome to this weeks edition of the Threat Source newsletter. I have no idea how "Fortnite" keeps coming up in this newsletter, but here we are again. Even though the game/metaverse has never been bigger, it had been a while since I had heard about "V-Bucks" scams. V-Bucks are the in-game virtua...
Lazarus Group's infrastructure reuse leads to discovery of new malware
In the Lazarus Groups latest campaign, which we detailed in a recent blog, the North Korean state-sponsored actor is exploiting CVE-2022-47966, a ManageEngine ServiceDesk vulnerability to deploy multiple threats. In addition to their "QuiteRAT" malware, which we covered in the blog, we also...
Lazarus Group exploits ManageEngine vulnerability to deploy QuiteRAT
Cisco Talos discovered the North Korean state-sponsored actor Lazarus Group targeting internet backbone infrastructure and healthcare entities in Europe and the United States. This is the third documented campaign attributed to this actor in less than a year, with the actor reusing the same...
Three vulnerabilities in NVIDIA graphics driver could cause memory corruption
Piotr Bania of Cisco Talos discovered the vulnerabilities mentioned in this post. Cisco Talos recently disclosed three vulnerabilities in the shader functionality of the NVIDIA D3D10 driver that works with NVIDIAs graphics cards. The driver is vulnerable to memory corruption if an adversary sends...
Generating FLIRT signatures for Nim and other non-C programming languages
Adversaries are increasingly writing malware in programming languages such as Go, Rust, or Nim, because they present challenges to investigators using reverse-engineering tools designed to work best against the C family of languages. Its often difficult for reverse engineers examining non-C...
Recapping the top stories from Black Hat and DEF CON
Welcome to this weeks edition of the Threat Source newsletter. I had a significant amount of FOMO last week seeing everyone out in Vegas. I was happy to not get conference crud sickness, but it seems like I missed a great time otherwise. But, as anyone who works with me could guess, I was followi...
The rise of AI-powered criminals: Identifying threats and opportunities
AIs influence is growing across the security space, bringing with it major implications for cybercriminals and defenders. The recent adoption of AI has raised significant concerns for cybersecurity due to the many ways that criminals can use AI for disruption and profit. Defenders and law...
Reflecting on supply chain attacks halfway through 2023
Welcome to this weeks edition of the Threat Source newsletter. Between the Talos Takes episode last week and helping my colleague Hazel with the Half-Year in Review, I realized how much I had already forgotten about 2023 already. Its been a whirlwind, personally and professionally, and I think it...
Out-of-bounds write vulnerabilities in popular chemistry software; Foxit PDF Reader issues could lead to remote code execution
Cisco Talos recently worked with two vendors to patch multiple vulnerabilities in a favored software library used in chemistry laboratories and the Foxit PDF Reader, one of the most popular PDF reader alternatives to Adobe Acrobat. Attackers could exploit these vulnerabilities to carry out a...
What is commercial spyware?
Weve talked quite a bit about spyware recently, with very good reason. Recently, concerns have grown regarding the rapid growth of commercial spyware tools, and the way in which they are being used against their intended victims. This Need to Know article talk about the broader effects of spyware...
What Cisco Talos knows about the Rhysida ransomware
Cisco Talos is aware of the recent advisory published by the U.S. Department of Health and Human Services HHS warning the healthcare industry about Rhysida ransomware activity. As weve discussed recently, there has been huge growth in the ransomware and extortion space, potentially linked to the...
Six critical vulnerabilities included in August’s Microsoft security update
Microsoft disclosed 73 vulnerabilities across its suite of products and software Tuesday, including six that are considered "critical." One of the vulnerabilities, which Microsoft considers to be only of "moderate" severity, has been actively exploited in the wild. The company has had to address...
Code leaks are causing an influx of new ransomware actors
Ransomware gangs are consistently rebranding or merging with other groups, as highlighted in our 2022 Year in Review, or these actors work for multiple ransomware-as-a-service RaaS outfits at a time, and new groups are always emerging. This trend is already continuing this year. Since 2021, there...
New threat actor targets Bulgaria, China, Vietnam and other countries with customized Yashma ransomware
Cisco Talos discovered an unknown threat actor, seemingly of Vietnamese origin, conducting a ransomware operation that began at least as early as June 4, 2023. This ongoing attack uses a variant of the Yashma ransomware likely to target multiple geographic areas by mimicking WannaCry...
Previewing Talos at BlackHat 2023
Welcome to this weeks edition of the Threat Source newsletter. The time has come once again for all of us well, not me specifically but lots of other Talos people to descend on Las Vegas for Hacker Summer Camp. Cisco Talos will be well-represented at BlackHat and DEF CON over the course of the ne...
Half-Year in Review: Recapping the top threats and security trends so far in 2023
From new ransomware groups, a growing mercenary space, espionage campaigns, supply chain attacks, and new "as a service" tools popping up, theres a lot to talk about already in the first half of 2023. Here are the main threats weve covered on our blog up until the end of June 2023. The timeline i...
The many vulnerabilities Talos discovered in SOHO and industrial wireless routers post-VPNFilter
Since the discovery of the widespread VPNFilter malware in 2018, Cisco Talos researchers have been researching vulnerabilities in small and home office SOHO and industrial routers. During that research, Talos has worked with vendors to report and mitigate these vulnerabilities, totaling 141...