Stopping ransomware before it starts: Lessons from Cisco Talos Incident Response
Over the past two and a half years (January 2023 through June 2025), Cisco Talos Incident Response (Talos IR) has responded to numerous engagements that we classified as pre-ransomware incidents. Talos looked back to analyze what key security measures were credited with deterring ransomware deploymen...
From summer camp to grind season
Welcome to this week's edition of the Threat Source newsletter. This is the way the world ends This is the way the world ends This is the way the world ends Not with a bang but a whimper. - T.S. Eliot So this is how Summer Camp 2025 ends, not with a bang but a whimper. We've put the summer behind...
Link up, lift up, level up
Welcome to this week's edition of the Threat Source newsletter. As summer retreats into the rear-view mirror, I'd like to take a moment to reflect on one of my favorite things about the cybersecurity profession: the community. Earlier this month, I attended Black Hat USA 2025 and DEF CON 33 in...
Libbiosig, Tenda, SAIL, PDF XChange, Foxit vulnerabilities
Cisco Talos' Vulnerability Discovery & Research team recently disclosed ten vulnerabilities in BioSig Libbiosig, nine in Tenda AC6 Router, eight in SAIL, two in PDF-XChange Editor, and one in Foxit PDF Reader. The vulnerabilities mentioned in this blog post have been patched by their respective...
Cherry pie, Douglas firs and the last trip of the summer
Welcome to this week's edition of the Threat Source newsletter. Diane, 2:01 p.m., August 21st. I've just returned from a remarkable journey through Seattle and the misty roads of the Olympic Peninsula. If you ever find yourself driving beneath those towering Douglas firs or dragged by your partne...
Russian state-sponsored espionage group Static Tundra compromises unpatched end-of-life network devices
Static Tundra is a Russian state-sponsored cyber espionage group linked to the FSB's Center 16 unit that has been operating for over a decade, specializing in compromising network devices for long-term intelligence gathering operations. The group actively exploits a seven-year-old vulnerability...
Ransomware incidents in Japan during the first half of 2025
In the first half of 2025, the number of ransomware attacks in Japan increased by approximately 1.4 times compared to the previous year. Ransomware attackers continue to primarily target small and medium-sized enterprises in Japan. The most affected industry remains manufacturing, unchanged from...
JJ Cummings: The art of controlling information
Welcome to the second episode of Humans of Talos, our ongoing video interview series that celebrates the people powering Cisco's threat intelligence efforts. In each episode, we dive deep into the personal journeys, motivations and lessons learned from the team members who help keep the internet...
UAT-7237 targets Taiwanese web hosting infrastructure
Cisco Talos discovered UAT-7237, a Chinese-speaking advanced persistent threat (APT) group active since at least 2022, which has significant overlaps with UAT-5918. UAT-7237 conducted a recent intrusion targeting web infrastructure entities within Taiwan and relies heavily on the use of open-source...
What happened in Vegas (that you actually want to know about)
Welcome to this week's edition of the Threat Source newsletter. Last week I flew 5,000 miles to Las Vegas for Black Hat USA. After navigating the casino carpet labyrinth and finding the only venue in Nevada that serves a proper English breakfast tea with milk lifesaver, I've decided Black Hat fee...
Malvertising campaign leads to PS1Bot, a multi-stage malware framework
Cisco Talos has observed an ongoing malware campaign that seeks to infect victims with a multi-stage malware framework, implemented in PowerShell and C, which we are referring to as "PS1Bot." PS1Bot features a modular design, with several delivered modules used to perform a variety of malicious...
Microsoft Patch Tuesday for August 2025 — Snort rules and prominent vulnerabilities
Microsoft has released its monthly security update for August 2025, which includes 111 vulnerabilities affecting a range of products, including 13 that Microsoft marked as "critical". In this month's release, Microsoft observed none of the included vulnerabilities being actively exploited in the...
ReVault! When your SoC turns against you… deep dive edition
For a high-level overview of this research, you can refer to our Vulnerability Spotlight. This is the in-depth version that shares many more technical details. In this post, we'll be covering the entire research process as well as providing technical explanations of the exploits behind the attack...
AI wrote my code and all I got was this broken prototype
Welcome to this week's edition of the Threat Source newsletter. Vulnerabilities within software are a persistent challenge. Software engineers inadvertently tend to make the same mistakes repeatedly, with the same entries appearing in the annual top 25 list of Common Weakness Enumerations each...
WWBN, MedDream, Eclipse vulnerabilities
Cisco Talos' Vulnerability Discovery & Research team recently disclosed seven vulnerabilities in WWBN AVideo, four in MedDream, and one in an Eclipse ThreadX module. The vulnerabilities mentioned in this blog post have been patched by their respective vendors, all in adherence to Cisco's...
ReVault! When your SoC turns against you…
Talos reported 5 vulnerabilities to Broadcom and Dell affecting both the ControlVault3 Firmware and its associated Windows APIs that we are calling "ReVault". 100+ models of Dell Laptops are affected by this vulnerability if left unpatched. The ReVault attack can be used as a post-compromise...
Backdoors & Breaches: How Talos is helping humanitarian aid NGOs prepare for cyber attacks
In 2023, Talos collaborated with NetHope and Cisco Crisis Response to create a customized Backdoors & Breaches expansion deck for international humanitarian organizations, addressing their unique cybersecurity challenges. The new expansion deck helps NGOs with constrained budgets improve proactiv...
The Booker Prize Longlist and Hacker Summer Camp
Welcome to this week's edition of the Threat Source newsletter. This week the Booker Prize Longlist was released and it featured several books I've read this year, a couple that are on my TBR (To Be Read), a couple that I had not heard of, and a couple that make me scratch my head and question why...
Using LLMs as a reverse engineering sidekick
This research explores how large language models (LLMs) can complement, rather than replace, the efforts of malware analysts in the complex field of reverse engineering. LLMs may serve as powerful assistants to streamline workflows, enhance efficiency, and provide actionable insights during malware...
IR Trends Q2 2025: Phishing attacks persist as actors leverage compromised valid accounts to enhance legitimacy
Phishing remained the top method of initial access this quarter, appearing in a third of all engagements - a decrease from 50 percent last quarter. Threat actors largely leveraged compromised internal or trusted business partner email accounts to deploy malicious emails, bypassing security contro...
Cisco Talos at Black Hat 2025: Briefings, booth talks and what to expect
Cisco Talos is back at Black Hat with new research, threat detection overviews and opportunities to connect with our team. Whether you're interested in what we're seeing in the threat landscape, detection engineering or real-world incident response, here's where and how to find us: Visit us at th...
Insights from Talos IR: Navigating NIS2 technical implementation
When the NIS2 Directive arrived in 2023, organizations across Europe began preparing for enhanced cybersecurity requirements. Many focused on obligations such as rapid incident notifications and comprehensive security policies. However, while the directive provided the "what," it left the "how"...
BRB, pausing for a "Sanctuary Moon" marathon
Welcome to this week's edition of the Threat Source newsletter. Yesterday, Cisco Talos debuted the first Humans of Talos episode, where I interviewed Hazel Burton, a face and voice you're probably familiar with. In our conversation, Hazel shared not just the story of how she found her way onto th...
Bloomberg Comdb2 null pointer dereference and denial-of-service vulnerabilities
Cisco Talos' Vulnerability Discovery & Research team recently disclosed five vulnerabilities in Bloomberg Comdb2. Comdb2 is an open source, high-availability database developed by Bloomberg. It supports features such as clustering, transactions, snapshots, and isolation. The implementation of the...
Unmasking the new Chaos RaaS group attacks
Cisco Talos Incident Response (Talos IR) recently observed attacks by Chaos, a relatively new ransomware-as-a-service (RaaS) group conducting big-game hunting and double extortion attacks. Chaos RaaS actors initiated low-effort spam flooding, escalating to voice-based social engineering for access,...
Meet Hazel Burton
Welcome to the first episode of Humans of Talos, a new video interview series that shines a spotlight on team members across Talos. Featuring their personal stories, career journeys and unique perspectives, you'll get an inside look into what it's like to work in our organization and the people w...
ToolShell: Details of CVEs affecting SharePoint servers
Update 2025/07/22: Microsoft has released a security update for SharePoint Enterprise Server 2016. The update, with the ID KB5002760, is available at the following link. Cisco Talos is aware of the ongoing exploitation of CVE-2025-53770 and CVE-2025-53771 in the wild. These are path traversal...
This is your sign to step away from the keyboard
Welcome to this week's edition of the Threat Source newsletter. Burnout is a real issue for people in cybersecurity. We protect the systems that allow modern life to function. Our hours are long, our sense of responsibility real and occasionally heavy. Everyone notices when we have a bad day and ...
MaaS operation using Emmenhtal and Amadey linked to threats against Ukrainian entities
In April 2025, Cisco Talos identified a Malware-as-a-Service (MaaS) operation that utilized Amadey to deliver payloads. The MaaS operators used fake GitHub accounts to host payloads, tools and Amadey plug-ins, likely as an attempt to bypass web filtering and for ease of use. Several operator tactics...
Talos IR ransomware engagements and the significance of timeliness in incident response
Cisco Talos routinely responds to ransomware engagements where the impact could have been mitigated or wholly prevented if the victim organization had initiated remediation efforts earlier in the attack lifecycle. The significance of early intervention in ransomware attacks is particularly...
Patch, track, repeat
Welcome to this week's edition of the Threat Source newsletter. We've made it halfway through 2025 already! It's been a while since I last wrote about CVEs and how free support for Windows 10 will end on October 14, 2025, leaving you with no more security fixes. While the CVE system remains the...
Asus and Adobe vulnerabilities
Cisco Talos' Vulnerability Discovery & Research team recently disclosed two vulnerabilities each in Asus Armoury Crate and Adobe Acrobat products. The vulnerabilities mentioned in this blog post have been patched by their respective vendors, all in adherence to Cisco's third-party vulnerability...
Microsoft Patch Tuesday for July 2025 — Snort rules and prominent vulnerabilities
Microsoft has released its monthly security update for July 2025, which includes 132 vulnerabilities affecting a range of products, including 14 that Microsoft marked as "critical." In this month's release, Microsoft observed none of the included vulnerabilities being actively exploited in the...
A message from Bruce the mechanical shark
Welcome to this week's edition of the Threat Source newsletter. Hi, I'm Bruce, the 25-foot mechanical star of "Jaws." This summer marks 50 years since my 4 minutes of screentime kept people out of the water for decades. Maybe this Fourth of July weekend you're planning to sea-shanty your way to a...
PDFs: Portable documents, or perfect deliveries for phish?
Cisco recently developed and released an update to its brand impersonation detection engine for emails. This new update enhances detection coverage and includes a wider range of brands that are delivered using PDF payloads or attachments. A significant portion of email threats with PDF payloads...
Getting a career in cybersecurity isn’t easy, but this can help
Welcome to this week's edition of the Threat Source newsletter. Happy summer, friends! I hope everyone is staying cool and/or warm. I am fresh back from an exhaustive but great time in San Diego at Cisco Live U.S. It was so good to see colleagues, meet new friends and pet many therapy dogs in the...
Decrement by one to rule them all: AsIO3.sys driver exploitation
Introduction: Armoury Crate and AI Suite are applications used to manage and monitor ASUS motherboards and related components such as the processor, RAM or the increasingly popular RGB lighting. These types of applications often install drivers in the system, which are necessary for direct...
Cybercriminal abuse of large language models
Cybercriminals are continuing to explore artificial intelligence (AI) technologies such as large language models (LLMs) to aid in their criminal hacking activities. Some cybercriminals have resorted to using uncensored LLMs or even custom-built criminal LLMs for illicit purposes. Advertised features ...
A week with a "smart" car
Welcome to this week's edition of the Threat Source newsletter. June 9 was Whit Monday -- a bank holiday here in Germany -- so I decided to take the whole week off. It turned out to be the perfect opportunity to try out a brand new car. Little did I know, I was about to get a crash course in mode...
When legitimate tools go rogue
Late one Tuesday night, Elena's phone buzzed with an alert from her company's SIEM. Her team had set up a rule to flag when certain system tools -- whoami, nltest and nslookup -- were run one after another in quick succession. That exact pattern had just triggered on a computer in the Finance...
Famous Chollima deploying Python version of GolangGhost RAT
In May 2025, Cisco Talos identified a Python-based remote access trojan (RAT) we call "PylangGhost," used exclusively by a North Korean-aligned threat actor. PylangGhost is functionally similar to the previously documented GolangGhost RAT, sharing many of the same capabilities. In recent campaigns,...
Know thyself, know thy environment
Welcome to this week's edition of the Threat Source newsletter. This week, I'm coming to you from Cisco Live in San Diego where I've just talked to a room that some of you may have been in, so writing this feels a bit surreal. It's really hard to try and write a cogent newsletter with all that's...
catdoc zero-day, NVIDIA, High-Logic FontCreator and Parallel vulnerabilities
Cisco Talos' Vulnerability Discovery & Research team recently disclosed three zero-day vulnerabilities in catdoc, as well as vulnerabilities in Parallel, NVIDIA and High-Logic FontCreator 15. The vulnerabilities mentioned in this blog post have been patched by their respective vendors, in adheren...
Microsoft Patch Tuesday for June 2025 — Snort rules and prominent vulnerabilities
Update 6/12/2025: Microsoft released an additional CVE, CVE-2025-32717. Details and SIDs have been updated to include this additional vulnerability. Microsoft has released its monthly security update for June 2025, which includes 66 vulnerabilities affecting a range of products, including 10 th...
Everyone's on the cyber target list
Welcome to this week's edition of the Threat Source newsletter. I've discovered that being a rent guarantor for someone is an involved experience. While I'm glad that I can help out a loved one secure a better rental property, the process of verifying my identity and ability to cover any missed...
Newly identified wiper malware “PathWiper” targets critical infrastructure in Ukraine
Cisco Talos observed a destructive attack on a critical infrastructure entity within Ukraine, using a previously unknown wiper we are calling "PathWiper". The attack was instrumented via a legitimate endpoint administration framework, indicating that the attackers likely had access to the...
A new author has appeared
Welcome to this week's edition of the Threat Source newsletter. In the words of Game Changer host Sam Reich, "And your host, me! I've been here the whole time!" Okay, maybe it's not the whole time, but for the past three months, I've been settling into my role here at Cisco Talos. Editing blogs,...
Cybercriminals camouflaging threats as AI tool installers
Cisco Talos has discovered new threats, including the ransomware CyberLock, LuckyGh0$t, and a newly-discovered malware we call "Numero," all of which masquerade as legitimate AI tool installers. CyberLock ransomware, developed using PowerShell, primarily focuses on encrypting specific files on th...
Scarcity signals: Are rare activities red flags?
By Darin Smith and John Arneson. Cisco Talos reviewed six months of network connection telemetry logs spanning June 1, 2024 - Dec. 31, 2024, containing 3,220,829 log events and 742 unique base domains, to explore if domains that PowerShell rarely contacts are more likely to be malicious. Key...
Ghosted by a cybercriminal
Welcome to this week's edition of the Threat Source newsletter. Talos recently published research into how threat actors are increasingly teaming up across the attack chain. Each group handles a slice of the operation, passing the breach along like a relay baton. It's a concerning trend -- one th...