2032 matches found
Talos IR trends Q4 2024: Web shell usage and exploitation of public-facing applications spike
Threat actors increasingly deployed web shells against vulnerable web applications and primarily exploited vulnerable or unpatched public-facing applications to gain initial access in Q4, a notable shift from previous quarters. The functionality of the web shells and targeted web applications...
Whatsup Gold, Observium and Offis vulnerabilities
Cisco Talos' Vulnerability Research team recently disclosed three vulnerabilities in Observium, three vulnerabilities in Offis, and four vulnerabilities in Whatsup Gold. These vulnerabilities exist in Observium, a network observation and monitoring system; Offis DCMTK, a collection of libraries a...
New TorNet backdoor seen in widespread campaign
Cisco Talos discovered an ongoing malicious campaign operated by a financially motivated threat actor since as early as July 2024 targeting users, predominantly in Poland and Germany, based on the phishing email language. The actor has delivered different payloads, including Agent Tesla, Snake...
Seasoning email threats with hidden text salting
Cisco Talos observed an increase in the number of email threats leveraging hidden text salting also known as "poisoning" in the second half of 2024. Hidden text salting is a simple yet effective technique for bypassing email parsers, confusing spam filters, and evading detection engines that rely...
Everything is connected to security
Welcome to this week's edition of the Threat Source newsletter. Hello friends! Joe here again! I have just returned from the frozen northern tundra of Fargo, North Dakota. This was my first real visit to the frigid climates of the Midwest, and I have to say, they take cold to a new level. I was...
Find the helpers
Welcome to this week's edition of the Threat Source newsletter. "When I was a boy and I would see scary things in the news, my mother would say to me, 'Look for the helpers. You will always find people who are helping.'" ― Fred Rogers There's no world where following Mr. Roger's advice is wrong...
Slew of WavLink vulnerabilities
Lilith of Cisco Talos discovered these vulnerabilities. Forty-four vulnerabilities and sixty-three CVEs were discovered across ten .cgi and three .sh files, as well as the static login page, of the Wavlink AC3000 wireless router web application. The Wavlink AC3000 wireless router is one of the mo...
Microsoft Patch Tuesday for January 2025 — Snort rules and prominent vulnerabilities
Microsoft has released its monthly security update for January of 2025 which includes 159 vulnerabilities, including 12 that Microsoft marked as "critical." The remaining vulnerabilities listed are classified as "important." One notable critically rated vulnerability that has been patched this...
Do we still have to keep doing it like this?
Welcome to the first edition of the Threat Source newsletter for 2025. Upon returning to work this week from my Lindt chocolate reindeer coma, my first task was to write this newsletter. As I stared at a blank template hoping for inspiration to suddenly strike, I did what any security professiona...
Welcome to the party, pal!
Welcome to the final Threat Source newsletter of 2024. Watching "Die Hard" during the Christmas season has become a widely recognized tradition for many, despite ongoing debates about its classification as a Christmas movie. I know it isn't everyone's cup of tea. Whether you like the movie or not...
Acrobat out-of-bounds and Foxit use-after-free PDF reader vulnerabilities found
Cisco Talos' Vulnerability Research team recently disclosed three out-of-bounds read vulnerabilities in Adobe Acrobat Reader, and two use-after-free vulnerabilities in Foxit Reader. These vulnerabilities exist in Adobe Acrobat Reader and Foxit Reader, two of the most popular and feature-rich PDF...
Exploring vulnerable Windows drivers
This post is the result of research into the real-world application of the Bring Your Own Vulnerable Driver BYOVD technique along with Cisco Talos' series of posts about malicious Windows drivers. Some of this research was presented at the AVAR conference in Chennai at the beginning of December...
Something to Read When You Are On Call and Everyone Else is at the Office Party
Welcome to this week's edition of the Threat Source newsletter. The new head of the UK's National Cyber Security Centre, Richard Horne, recently remarked that there is a "clearly widening gap between, on the one hand, the threat and our exposure to it and, on the other, the defences that are in...
The evolution and abuse of proxy networks
As long as we've had the internet, users have tried to obfuscate how and what they are connecting to. In some cases, this is to work around restrictions put in place by governments or a desire to access content that is not otherwise available in a given region. This is why technologies like VPNs...
Microsoft Patch Tuesday for December 2024 contains four critical vulnerabilities
The Patch Tuesday for December of 2024 includes 72 vulnerabilities, including four that Microsoft marked as "critical." The remaining vulnerabilities listed are classified as "important." Microsoft assessed that exploitation of the four "critical" vulnerabilities is "less likely." CVE-2024-49112 ...
MC LR Router and GoCast unpatched vulnerabilities
Cisco Talos' Vulnerability Research team recently discovered two vulnerabilities in MC Technologies LR Router and three vulnerabilities in the GoCast service. These vulnerabilities have not been patched at time of this posting. For Snort coverage that can detect the exploitation of these...
The adventures of an extroverted cyber nerd and the people Talos helps to fight the good fight
Welcome to this week's edition of the Threat Source newsletter. I am unbelievably lucky to do the work that I do. My title is technically 'Senior Security Strategist'. It's a very fancy title, but basically: I get to research threats with my colleagues and friends to keep people safe here at Talo...
Finding vulnerabilities in ClipSp, the driver at the core of Windows’ Client License Platform
By Philippe Laulheret ClipSP clipsp.sys is a Windows driver used to implement client licensing and system policies on Windows 10 and 11 systems. Cisco Talos researchers have discovered eight vulnerabilities related to clipsp.sys ranging from signature bypass to elevation of privileges and sandbox...
Bidirectional communication via polyrhythms and shuffles: Without Jon the beat must go on
Welcome to this week's edition of the Threat Source newsletter. Bidirectional communication is foundational to a well-built team regardless of environment. It's critical in information security to be able to drive a conversation up the ladder and down and not lose the critical elements. One of th...
Malicious QR Codes: How big of a problem is it, really?
QR codes are disproportionately effective at bypassing most anti-spam filters, as most filters are not designed to recognize that a QR code is present in an image and decode the QR code. According to Cisco Talos' data, roughly 60% of all email containing a QR code is spam. Talos discovered two...
New PXA Stealer targets government and education sectors for sensitive information
Cisco Talos discovered a new information stealing campaign operated by a Vietnamese-speaking threat actor targeting government and education entities in Europe and Asia. We discovered a new Python program called PXA Stealer that targets victims' sensitive information, including credentials for...
November Patch Tuesday release contains three critical remote code execution vulnerabilities
The Patch Tuesday for November of 2024 includes 89 vulnerabilities, including four that Microsoft marked as "critical." The remaining vulnerabilities listed are classified as "important." Microsoft assessed that exploitation of the four "critical" vulnerabilities is "less likely." CVE-2024-43639 ...
Unwrapping the emerging Interlock ransomware attack
Cisco Talos Incident Response Talos IR recently observed an attacker conducting big-game hunting and double extortion attacks using the relatively new Interlock ransomware. Our analysis uncovered that the attacker used multiple components in the delivery chain including a Remote Access Tool RAT...
NVIDIA shader out-of-bounds and eleven LevelOne router vulnerabilities
Cisco Talos' Vulnerability Research team recently discovered five Nvidia out-of-bounds access vulnerabilities in shader processing, as well as eleven LevelOne router vulnerabilities spanning a range of possible exploits. For Snort coverage that can detect the exploitation of these vulnerabilities...
Threat actors use copyright infringement phishing lure to deploy infostealers
Cisco Talos has observed an unknown threat actor conducting a phishing campaign targeting Facebook business and advertising account users in Taiwan. The decoy email and fake PDF filenames are designed to impersonate a company's legal department, attempting to lure the victim into downloading and...
Writing a BugSleep C2 server and detecting its traffic with Snort
In June 2024, security researchers published their analysis of a novel implant dubbed "MuddyRot"aka "BugSleep". This remote access tool RAT gives operators reverse shell and file input/output I/O capabilities on a victim's endpoint using a bespoke command and control C2 protocol. This blog will...
How LLMs could help defenders write better and faster detection
Most users will associate large language models LLMs like ChatGPT with answering basic questions or helping to write basics lines of text. But could these tools actually help defenders in the cybersecurity industry write more effective detection content? Several security researchers from across...
Talos IR trends Q3 2024: Identity-based operations loom large
Threat actors are increasingly conducting identity-based attacks across a range of operations that are proving highly effective, with credential theft being the main goal in a quarter of incident response engagements. These attacks were primarily facilitated by living-off-the-land binaries LoLBin...
Threat Spotlight: WarmCookie/BadSpace
WarmCookie is a malware family that emerged in April 2024 and has been distributed via regularly conducted malspam and malvertising campaigns. WarmCookie, observed being used for initial access and persistence, offers a means for continuous long-term access to compromised environments and is used...
Highlighting TA866/Asylum Ambuscade Activity Since 2021
TA866 also known as Asylum Ambuscade is a threat actor that has been conducting intrusion operations since at least 2020. TA866 has frequently relied on commodity and custom tooling to facilitate post-compromise activities. These tools often perform specific functions and are deployed and used as...
Threat actor abuses Gophish to deliver new PowerRAT and DCRAT
Cisco Talos recently discovered a phishing campaign using an open-source phishing toolkit called Gophish by an unknown threat actor. The campaign involves modular infection chains that are either Maldoc or HTML-based infections and require the victim's intervention to trigger the infection chain...
Akira ransomware continues to evolve
Akira continues to cement its position as one of the most prevalent ransomware operations in the threat landscape, according to Cisco Talos' findings and analysis. Their success is partly due to the fact that they are constantly evolving. For example, after Akira already developed a new version o...
What I’ve learned in my first 7-ish years in cybersecurity
When I first interviewed with Joel Esler for my position at Cisco Talos, I remember when the time came for me to ask questions, one thing stood out. I asked what resources were available to me to learn about cybersecurity, because I was totally new to the space. His answer: The people. When I ask...
UAT-5647 targets Ukrainian and Polish entities with RomCom malware variants
Cisco Talos has observed a new wave of attacks active since at least late 2023, from a Russian speaking group we track as "UAT-5647", against Ukrainian government entities and unknown Polish entities. UAT-5647 is also known as RomCom and is widely attributed to Russian speaking threat actors in...
Protecting major events: An incident response blueprint
Ensuring the cybersecurity of major events -- whether it's sports, professional conferences, expos, inter-government meetings or other gatherings -- is a complex and time-intensive task. It requires a comprehensive approach and collaboration among various stakeholders, including vendors,...
What NIST’s latest password standards mean, and why the old ones weren’t working
Say goodbye to the days of using the "@" symbol to mean "a" in your password or replacing an "S" with a "$." The U.S. National Institute of Standards and Technology NIST recently announced new guidelines for the ways website and organizations should handle password creation and management that wi...
Ghidra data type archive for Windows driver functions
While reverse-engineering Windows drivers with Ghidra, it is common to encounter a function or data type that is not recognized during disassembly. This is because Ghidra does not natively include the majority of the definitions for data types and functions used by Windows drivers. Thankfully,...
Vulnerability in popular PDF reader could lead to arbitrary code execution; Multiple issues in GNOME project
Cisco Talos' Vulnerability Research team recently disclosed six new security vulnerabilities across a range of software, including one in a popular PDF reader that could lead to arbitrary code execution. Foxit PDF Reader, one of the most popular alternatives to Adobe Acrobat, contains a memory...
Largest Patch Tuesday since July includes two exploited in the wild, three critical vulnerabilities
The largest Microsoft Patch Tuesday since July includes two vulnerabilities that have been exploited in the wild and three other critical issues across the company's range of hardware and software offerings. October's monthly security update from Microsoft includes fixes for 117 CVEs, the most in...
CISA is warning us (again) about the threat to critical infrastructure networks
Government-run water systems and other critical infrastructure are still at risk from state-sponsored actors, according to a renewed warning from the U.S. Cybersecurity and Infrastructure Security Agency. CISA released an advisory last week on the matter of days after a small water treatment...
Threat actor believed to be spreading new MedusaLocker variant since 2022
Cisco Talos has discovered a financially motivated threat actor, active since 2022, recently observed delivering a MedusaLocker ransomware variant. Intelligence collected by Talos on tools regularly employed by the threat actor allows us to see an estimate of the amount and countries of origin of...
Are hardware supply chain attacks “cyber attacks?”
The recent attacks in the Middle East triggering explosions on pagers has raised new fears around physical hardware supply chain attacks. In cybersecurity, we typically consider supply chain attacks to target software, in which adversaries infect a legitimate tool with a malicious, fake update th...
Simple Mail Transfer Pirates: How threat actors are abusing third-party infrastructure to send spam
Attackers are abusing normal features of legitimate web sites to transmit spam, such as the traditional method of verifying the creation of a new account. This web infrastructure and its associated email infrastructure is otherwise used for legitimate purposes, which makes blocking these messages...
Talos discovers denial-of-service vulnerability in Microsoft Audio Bus; Potential remote code execution in popular open-source PLC
Cisco Talos' Vulnerability Research team recently disclosed two vulnerabilities in Microsoft products that have been patched by the company over the past two Patch Tuesdays. One is a vulnerability in the High-Definition Audio Bus Driver in Windows systems that could lead to a denial of service,...
Talk of election security is good, but we still need more money to solve the problem
Last week, six Secretaries of State testified to U.S. Congress about the current state of election security ahead of November's Presidential election. Some of the same topics came up as usual -- disinformation campaigns, influence from foreign actors, and the physical protection of poll workers o...
We can try to bridge the cybersecurity skills gap, but that doesn’t necessarily mean more jobs for defenders
I have written about the dreaded " cybersecurity skills gap" more times than I can remember in this newsletter, but I feel like it's time to revisit this topic again. That's because the White House announced a new initiative last week for the U.S. government called the " Service for America"...
Vulnerability in Acrobat Reader could lead to remote code execution; Microsoft patches information disclosure issue in Windows API
Cisco Talos' Vulnerability Research team discovered two vulnerabilities have been disclosed and fixed over the past few weeks. Talos discovered a time-of-check time-of-use vulnerability in Adobe Acrobat Reader, one of the most popular PDF readers currently available, and an information disclosure...
Four zero-days included in group of 79 vulnerabilities Microsoft discloses, including one with 9.8 severity score
Microsoft disclosed four vulnerabilities that are actively being exploited in the wild as part of its regular Patch Tuesday security update this week in what's become a regular occurrence for the company's patches in 2024. Two of the zero-day vulnerabilities, CVE-2024-38226 and CVE-2024-38014,...
DragonRank, a Chinese-speaking SEO manipulator service provider
Key Takeaways Cisco Talos is disclosing a new threat called "DragonRank" that primarily targets countries in Asia and a few in Europe, operating PlugX and BadIIS for search engine optimization SEO rank manipulation. DragonRank exploits targets' web application services to deploy a web shell and...
The 2024 Threat Landscape State of Play
As we head into the final furlong of 2024, we caught up with Talos' Head of Outreach Nick Biasini to ask him what sort of year it's been so far in the threat landscape. In this video, Nick outlines his two major areas of concern. He also focusses on one state-sponsored actor that has been...