2033 matches found
The many vulnerabilities Talos discovered in SOHO and industrial wireless routers post-VPNFilter
Since the discovery of the widespread VPNFilter malware in 2018, Cisco Talos researchers have been researching vulnerabilities in small and home office SOHO and industrial routers. During that research, Talos has worked with vendors to report and mitigate these vulnerabilities, totaling 141...
Every company has its own version of ChatGPT now
Welcome to this weeks edition of the Threat Source newsletter. When I first started poking at ChatGPT a few months ago, I quickly learned that it wasnt quite ready to take my job yet and wasnt staying up to date on wrestling. Since ChatGPT went viral, several other companies have released their o...
Incident Response trends Q2 2023: Data theft extortion rises, while healthcare is still most-targeted vertical
Cisco Talos Incident Response Talos IR responded to a growing number of data theft extortion incidents that did not involve encrypting files or deploying ransomware, a 25 percent increase since last quarter and the most-observed threat in the second quarter of 2023. In this type of attack, threat...
What might authentication attacks look like in a phishing-resistant future?
By Thorsten Rosendahl and Tiago Pereira, with contributions from Matthew Miller. The industry has come a long way in terms of improving how we make user authentication more secure. From the most basic concept of relying on usernames and passwords for authentication to enabling multi-factor...
The federal government’s cybersecurity policies are falling into place just in time to be stalled again
Welcome to this weeks edition of the Threat Source newsletter. Last week, the Biden administration released its formal roadmap for its national cybersecurity initiative meant to encourage greater investment in cybersecurity and strengthen the U.S.s critical infrastructure security and more. The...
Memory corruption vulnerability in Microsoft Edge; MilesightVPN and router could be taken over
Since the beginning of July, Cisco Talos has published 40 vulnerability advisories affecting a range of software and hardware, including the Microsoft Edge browser. In our new series called "Vulnerability Roundup," well be recapping the vulnerabilities we recently disclosed to provide readers wit...
Why are there so many malware-as-a-service offerings?
Whether known as commodity malware or "as-a-service," threat actors have long been turning to their fellow adversaries in the hopes of selling off their tools and opening a new stream of revenue. When used legitimately, as-a-service software is when a third-party company offers its software to...
Implementing an ISO-compliant threat intelligence program
Implementing a threat intelligence program that meets the definition of threat intelligence control as described in ISO/IEC 27002:2022 -- a set of standards set forth by the International Organization for Standardization -- is not onerous. The ISO/IEC 27002 standard describes a non-exhaustive lis...
QR codes are relevant again for everyone from diners to threat actors
Welcome to this weeks edition of the Threat Source newsletter. Although we can probably largely consider the COVID-19 pandemic "over," many relics from the peak of lockdown and concerns over the virus are still around in mid-2023. Its still impossible to get a doctors appointment quickly, but man...
Uncovering weaknesses in Apple macOS and VMWare vCenter: 12 vulnerabilities in RPC implementation
Cisco Talos discovered 12 memory corruption vulnerabilities in MSRPC implementations on Apple macOS and VMWare vCenter. - Seven vulnerabilities affect Apple macOS only. - Two vulnerabilities affect VMWare vCenter. - Three vulnerabilities affect both. For more on these individual vulnerabilities,...
Malicious campaigns target government, military and civilian entities in Ukraine, Poland
Cisco Talos has discovered a threat actor conducting several campaigns against government entities, military organizations and civilian users in Ukraine and Poland. We judge that these operations are very likely aimed at stealing information and gaining persistent remote access. The activity we...
Microsoft discloses more than 130 vulnerabilities as part of July’s Patch Tuesday, four exploited in the wild
Microsoft released its monthly security update Tuesday, disclosing the most vulnerabilities as part of Patch Tuesday in more than a year. The company released details of more than 130 vulnerabilities, the most in a month since April 2022, 10 of which are considered to be critical. The remaining...
Undocumented driver-based browser hijacker RedDriver targets Chinese speakers and internet cafes
Cisco Talos has identified multiple versions of an undocumented malicious driver named "RedDriver," a driver-based browser hijacker that uses the Windows Filtering Platform WFP to intercept browser traffic. RedDriver has been active since at least 2021. RedDriver utilizes HookSignTool to forge it...
Old certificate, new signature: Open-source tools forge signature timestamps on Windows drivers
Cisco Talos has observed threat actors taking advantage of a Windows policy loophole that allows the signing and loading of cross-signed kernel mode drivers with signature timestamp prior to July 29, 2015. Actors are leveraging multiple open-source tools that alter the signing date of kernel mode...
Gergana Karadzhova-Dangela wants to send the ladder back down to the next generation of incident responders
Gergana Karadzhova-Dangela is used to being with users during some of their toughest moments. Today, she spends much of her time responding to active cybersecurity incidents with Cisco Talos Incident Response, helping customers work through active attacks, many of which put personal data or...
Threat Roundup for June 30 to July 7
Today, Talos is publishing a glimpse into the most prevalent threats weve observed between June 30 and July 7. As with previous roundups, this post isnt meant to be an in-depth analysis. Instead, this post will summarize the threats weve observed by highlighting key behavioral characteristics,...
DDoS attacks want to make sure you haven’t forgotten about them
Welcome to this weeks edition of the Threat Source newsletter. Distributed denial-of-service attacks DDoS have been around since before I even knew how to turn a computer on. These types of attacks, I feel, have the same vibe as the term "computer virus" -- something we used to talk about in the...
Taking over Milesight UR32L routers behind a VPN: 22 vulnerabilities and a full chain
Cisco Talos discovered 17 vulnerabilities 63 CVEs in the Milesight UR32L router and five vulnerabilities six CVEs in the Milesight MilesightVPN remote access solution software. An attacker could exploit the vulnerabilities discovered to completely compromise the UR32L and MilesightVPN. This post...
The growth of commercial spyware based intelligence providers without legal or ethical supervision
Attackers have long used commercial products developed by legitimate companies to compromise targeted devices. These products are known as commercial spyware. Commercial spyware operations mainly target mobile platforms with zero- or one-click zero-day exploits to deliver spyware. This threat...
New video provides a behind-the-scenes look at Talos ransomware hunters
Welcome to this weeks edition of the Threat Source newsletter. AI-generated art is causing drama across the internet over the past few months, from Marvel TV show opening credits scenes to predatory YouTubers who claim YOU can make millions by having AI tools create childrens books for you. There...
How Talos IR’s Purple Team can help you prepare for the worst-case scenario
Purple Team exercises are included within the Cisco Talos Incident Response Retainer service and our experts can help your organization find security holes before the bad guys can. As your trusted advisor, our purple team, which is a combination of both red and blue teams, emulates one joint atta...
Vulnerability Spotlight: Use-after-free condition in Google Chrome WebGL
Cisco Talos recently discovered an exploitable use-after-free vulnerability in Google Chromes Web Graphics Library WebGL. Google Chrome is a cross-platform web browser -- and Chromium is the open-source version of the browser that both Google and other software developers use as the basis to buil...
Threat Roundup for June 16 to June 23
Today, Talos is publishing a glimpse into the most prevalent threats weve observed between June 16 and June 23. As with previous roundups, this post isnt meant to be an in-depth analysis. Instead, this post will summarize the threats weve observed by highlighting key behavioral characteristics,...
Cybersecurity hotlines at colleges could go a long way toward filling the skills gap
Welcome to this weeks edition of the Threat Source newsletter. I recently stumbled upon news that the University of Texas at Austin is launching a new cybersecurity clinic run by faculty and students studying security and IT at the university. This clinic offers pro-bono cybersecurity services --...
Video: How Talos’ open-source tools can assist anyone looking to improve their security resilience
Cisco Talos remit is not just to protect our customers from cyber attacks. We also strive to make the internet a better and safer place. Thats one of the reasons why we create and release open-source software, for free. These tools are available to anyone in the security community to enhance thei...
Threat Roundup for June 9 to June 16
Today, Talos is publishing a glimpse into the most prevalent threats weve observed between June 9 and June 16. As with previous roundups, this post isnt meant to be an in-depth analysis. Instead, this post will summarize the threats weve observed by highlighting key behavioral characteristics,...
Active exploitation of the MOVEit Transfer vulnerability — CVE-2023-34362 — by Clop ransomware group
Cisco Talos is monitoring recent reports of exploitation attempts against CVE-2023-34362, a SQL injection zero-day vulnerability in the MOVEit Transfer managed file transfer MFT solution that has been actively targeted since late May 2023. Successful exploitation could lead to remote code executi...
URLs have always been a great hiding place for threat actors
Welcome to this weeks edition of the Threat Source newsletter. Talos recent blog post on the dangers posed by the newly released ".zip" top-level domain TLD recently outlined how threat actors could create real URLs that look like file names and trick users into clicking on their links. .Zip and...
What does it mean when ransomware actors use “double extortion” tactics?
It is no longer enough for ransomware actors to encrypt targets files, ask for money, and get out. Over the past several years, these groups are increasingly relying on "double extortion" tactics to try and coax their victims into paying the requested ransom, or else they will leak stolen data to...
Two remote code execution vulnerabilities disclosed in Microsoft Excel
Cisco Talos recently discovered two vulnerabilities in the Microsoft Excel spreadsheet management software that could allow a malicious actor to execute arbitrary code on the targeted machine. Microsoft disclosed these issues and patched them as part of Junes monthly security release for the...
Microsoft discloses 5 critical vulnerabilities in June's Patch Tuesday, no zero-days
Microsoft released its monthly security update Tuesday, disclosing 69 vulnerabilities across its suite of products and software. Five of these vulnerabilities are considered to be critical, 45 of them are listed as being high severity, 17 of them are medium severity and two are of low severity. F...
".Zip" top-level domains draw potential for information leaks
Googles recent offering of the ".zip" top-level domain TLD has led security researchers and likely threat actors to register numerous domains for red teaming and phishing attacks, respectively, causing new challenges for organizations and cybersecurity professionals. As a result of user...
Threat Roundup for June 2 to June 9
Today, Talos is publishing a glimpse into the most prevalent threats weve observed between June 2 and June 9. As with previous roundups, this post isnt meant to be an in-depth analysis. Instead, this post will summarize the threats weve observed by highlighting key behavioral characteristics,...
Now’s not the time to take our foot off the gas when it comes to fighting disinformation online
Welcome to this weeks edition of the Threat Source newsletter. In the wake of the 2016 and 2020 presidential elections, it seemed like big tech companies were taking the fight against disinformation seriously. Social media outlets set up new fact-checking procedures and got more aggressive about...
Adversaries increasingly using vendor and contractor accounts to infiltrate networks
Cisco Talos Incident Response Talos IR has repeatedly observed attackers targeting and using compromised vendor and contractor accounts VCAs during recent emergency response engagements. While high-profile software supply chain compromise events garner significant media attention e.g., the recent...
How Joe Marshall helps defend everything from electrical grids to grain co-ops across multiple continents
Joe Marshall was a security practitioner before he even knew it. Marshall started his career in information technology as a systems administrator. On the surface, he jokes that he was a "white-collar plumber" -- fixing IT issues as they arose, handing out new credentials and asking users if they...
Threat Roundup for May 26 to June 2
Today, Talos is publishing a glimpse into the most prevalent threats weve observed between May 26 and June 2. As with previous roundups, this post isnt meant to be an in-depth analysis. Instead, this post will summarize the threats weve observed by highlighting key behavioral characteristics,...
Cybersecurity for businesses of all sizes: A blueprint for protection
One of the primary reasons why cybersecurity remains a complex undertaking is the increased sophistication of modern cyber threats. As the internet and digital technologies continue to advance, so do the methods and tools cybercriminals use. This means that even the most secure systems are...
Legislation alone isn’t enough to stop spyware
Welcome to this weeks edition of the Threat Source newsletter. The use of spyware continues to make headlines across the globe. While primarily used by authoritarian regimes to track potentially sensitive subjects like political opponents or activists, governments from all over the world are guil...
New Horabot campaign targets the Americas
Cisco Talos has observed a threat actor deploying a previously unidentified botnet program Talos is calling "Horabot," which delivers a known banking trojan and spam tool onto victim machines in a campaign that has been ongoing since at least November 2020. The threat actor appears to be targetin...
Threat Roundup for May 19 to May 26
Today, Talos is publishing a glimpse into the most prevalent threats weve observed between May 19 and May 26. As with previous roundups, this post isnt meant to be an in-depth analysis. Instead, this post will summarize the threats weve observed by highlighting key behavioral characteristics,...
Memory corruption vulnerability in Mitsubishi PLC could lead to DoS, code execution
Cisco Talos recently discovered a memory corruption vulnerability in the Mitsubishi MELSEC iQ-F FX5U programmable logic controller that is caused by a buffer overflow condition. The iQ-F FX5U is one offering in Mitsubishis MELSEC PLC line of hardware that comes with a built-in processor, power...
What is a web shell?
Editors note: The Need to Know is a new series from Talos, which focuses on cybersecurity terms, threats, tools and tactics that are discussed in our broader threat research. Think of this as a living encyclopedia of security terms and trends. Cisco Talos Incident Response recently released our...
It’s apparently hip to still be using Windows 7
Welcome to this weeks edition of the Threat Source newsletter. As a longtime macOS user, I must admit Im behind the times when it comes to Microsoft Windows. Since buying a Steam Deck, Ive actually come to learn more about Linux and the Proton compatibility layer than I ever did about Windows. Bu...
Mercenary mayhem: A technical analysis of Intellexa's PREDATOR spyware
We would like to thank The Citizen Lab for their cooperation, support and inputs into this research. Commercial spyware use is on the rise, with actors leveraging these sophisticated tools to conduct surveillance operations against a growing number of targets. Cisco Talos has new details of a...
It’s really OK to take a break sometimes, especially in security
Welcome to this weeks edition of the Threat Source newsletter. You probably already know this by now, but May is Mental Health Awareness Month across the globe. Many people will apply this time of reflection and education to their personal lives -- its easy to discuss anxiety, depression and othe...
Newly identified RA Group compromises companies in U.S. and South Korea with leaked Babuk source code
Cisco Talos recently discovered a new ransomware actor called RA Group that has been operating since at least April 22, 2023. The actor is swiftly expanding its operations. To date, the group has compromised three organizations in the U.S. and one in South Korea across several business verticals,...
Threat Roundup for May 5 to May 12
Today, Talos is publishing a glimpse into the most prevalent threats weve observed between May 5 and May 12. As with previous roundups, this post isnt meant to be an in-depth analysis. Instead, this post will summarize the threats weve observed by highlighting key behavioral characteristics,...
Threat Source newsletter (May 11, 2023) — So much for that ransomware decline
Welcome to this weeks edition of the Threat Source newsletter. I wrote a few weeks ago about how, between the public and private sectors, the security community was making some strides in fighting back against ransomware. Reports indicate that revenue for ransomware actors was down in 2022, and...
Vulnerability Spotlight: Authentication bypass, use-after-free vulnerabilities found in a library for the µC/OS open-source operating system
Kelly Leuschner of Cisco Talos discovered these vulnerabilities. Cisco Talos recently discovered two vulnerabilities in a library for µC/OS, an open-source operating system developed by Micrium. µC/OS is an embedded operating system that supports TCP/IP, USB, CAN bus and Modbus. The two...