2032 matches found
Attackers are impersonating a road toll payment processor across the U.S. in phishing attacks
My wife no stranger to weird types of scams recently received a fake text message from someone claiming to be New Jerseys E-ZPass program saying that she had an outstanding balance from highway tolls that she owed, prompting her to visit a site so she could pay and avoid additional fines. There w...
LilacSquid: The stealthy trilogy of PurpleInk, InkBox and InkLoader
By Anna Bennett, Nicole Hoffman, Asheer Malhotra, Sean Taylor and Brandon White. Cisco Talos is disclosing a new suspected data theft campaign, active since at least 2021, we attribute to an advanced persistent threat actor APT were calling "LilacSquid." LilacSquids victimology includes a diverse...
New Generative AI category added to Talos reputation services
Cisco Talos is preparing to release the first in a series of changes to our Web Categorization system, which is designed to simplify the verbiage we use. In mid-June, were adding a new "Generative AI" category that will apply to certain websites. The "Content Category" appears whenever a user...
Out-of-bounds reads in Adobe Acrobat; Foxit PDF Reader contains vulnerability that could lead to SYSTEM-level privileges
Cisco Talos Vulnerability Research team has helped to disclose and patch more than 20 vulnerabilities over the past three weeks, including two in the popular Adobe Acrobat Reader software. Acrobat, one of the most popular PDF readers currently available, contains two out-of-bounds read...
Apple and Google are taking steps to curb the abuse of location-tracking devices — but what about others?
Since the advent of products like the Tile and Apple AirTag, both used to keep track of easily lost items like wallets, keys and purses, bad actors and criminals have found ways to abuse them. These adversaries can range from criminals just looking to do something illegal for a range of reasons,...
From trust to trickery: Brand impersonation over the email attack vector
Cisco recently developed and released a new feature to detect brand impersonation in emails when adversaries pretend to be a legitimate corporation. Talos has discovered a wide range of techniques threat actors use to embed and deliver brand logos via emails to their victims. Talos is providing n...
Rounding up some of the major headlines from RSA
While I one day wish to make it to the RSA Conference in person, Ive never had the pleasure of making the trek to San Francisco for one of the largest security conferences in the U.S. Instead, I had to watch from afar and catch up on the internet every day like the common folk. This at least give...
Talos releases new macOS open-source fuzzer
Cisco Talos has developed a fuzzer that enables us to test macOS software on commodity hardware. Fuzzer utilizes a snapshot-based fuzzing approach and is based on WhatTheFuzz framework. Support for VM state extraction was implemented and WhatTheFuzz was extended to support the loading of VMWare...
Only one critical vulnerability included in May’s Microsoft Patch Tuesday; One other zero-day in DWN Core
After a relatively hefty Microsoft Patch Tuesday in April, this months security update from the company only included one critical vulnerability across its massive suite of products and services. In all, Mays slate of vulnerabilities disclosed by Microsoft included 59 total CVEs, most of which ar...
Talos joins CISA to counter cyber threats against non-profits, activists and other at-risk communities
Cisco Talos is delighted to share updates about our ongoing partnership with the U.S. Cybersecurity and Infrastructure Security Agency CISA to combat cybersecurity threats facing civil society organizations. Talos has partnered with CISA on several initiatives through the Joint Cyber Defense...
A new alert system from CISA seems to be effective — now we just need companies to sign up
One of the great cybersecurity challenges organizations currently face, especially smaller ones, is that they dont know what they dont know. Its tough to have your eyes on everything all the time, especially with so many pieces of software running and IoT devices extending the reach of networks...
Talos discloses multiple zero-day vulnerabilities, two of which could lead to code execution
Cisco Talos Vulnerability Research team recently disclosed three zero-day vulnerabilities that are still unpatched as of Wednesday, May 8. Two vulnerabilities in this group -- one in the Tinyroxy HTTP proxy daemon and another in the stbvorbis.c file library -- could lead to arbitrary code...
What can we learn from the passwords used in brute-force attacks?
Brute force attacks are one of the most elementary cyber threats out there. Technically, anyone with a keyboard and some free time could launch one of them -- just try a bunch of different username and password combinations on the website of your choice until you get blocked. Nick Biasini and I...
Vulnerabilities in employee management system could lead to remote code execution, login credential theft
Cisco Talos Vulnerability Research team has disclosed more than a dozen vulnerabilities over the past three weeks, five in a device that allows employees to check in and out of their shifts, and another that exists in an open-source library used in medical device imaging files. The Peplink Smart...
Cisco Talos at RSAC 2024
With RSAC just a week away, Cisco Talos is gearing up for another year of heading to San Francisco to share in some of the latest major cybersecurity announcements, research and news. Weve pulled together the highlights, so you dont miss out on all things Talos. Tuesday, May 7 Joe Marshall will b...
James Nutland studies what makes threat actors tick, growing our understanding of the current APT landscape
If state-sponsored actors are after one thing, its to spread fear and uncertainty across the internet. Theres always money to be made targeting individual businesses and organizations, but for James Nutlands work, its always about the bigger picture. And his background in studying counterterroris...
The private sector probably isn’t coming to save the NVD
I wrote last week about the problems arising from the massive backlog of vulnerabilities at the U.S. National Vulnerability Database. Thousands of CVEs are still without analysis data, and the once-reliable database of every single vulnerability thats disclosed and/or patched is now so far behind...
Talos IR trends: BEC attacks surge, while weaknesses in MFA persist
Business email compromise BEC was the top threat observed by Cisco Talos Incident Response Talos IR in the first quarter of 2024, accounting for nearly half of engagements, which is more than double what was observed in the previous quarter. The most observed means of gaining initial access was t...
ArcaneDoor - New espionage-focused campaign found targeting perimeter network devices
Updated 2024-04-25 16:57 GMT with minor wording corrections regarding the targeting of other vendors. ArcaneDoor is a campaign that is the latest example of state-sponsored actors targeting perimeter network devices from multiple vendors. Coveted by these actors, perimeter network devices are the...
Suspected CoralRaider continues to expand victimology using three information stealers
By Joey Chen, Chetan Raghuprasad and Alex Karkins. Cisco Talos discovered a new ongoing campaign since at least February 2024, operated by a threat actor distributing three famous infostealer malware, including Cryptbot, LummaC2 and Rhadamanthys. Talos also discovered a new PowerShell command-lin...
What’s the deal with the massive backlog of vulnerabilities at the NVD?
The National Vulnerability Database is usually the single source of truth for all things related to security vulnerabilities. But now, theyre facing an uphill battle against a massive backlog of vulnerabilities, some of which are still waiting to be analyzed, and others that still have an...
Could the Brazilian Supreme Court finally hold people accountable for sharing disinformation?
If youre a regular reader of this newsletter, you already know about how strongly I feel about the dangers of spreading fake news, disinformation and misinformation. And honestly, if youre reading this newsletter, I probably shouldnt have to tell you about that either. But one of the things that...
OfflRouter virus causes Ukrainian users to upload confidential documents to VirusTotal
During a threat-hunting exercise, Cisco Talos discovered documents with potentially confidential information originating from Ukraine. The documents contained malicious VBA code, indicating they may be used as lures to infect organizations. The results of the investigation have shown that the...
Large-scale brute-force activity targeting VPNs, SSH services with commonly used login credentials
Cisco Talos would like to acknowledge Anna Bennett and Brandon White of Cisco Talos and Phillip Schafer, Mike Moran, and Becca Lynch of the Duo Security Research team for their research that led to the identification of these attacks. Cisco Talos is actively monitoring a global increase in...
The internet is already scary enough without April Fool’s jokes
I feel like over the past several years, the "holiday" that is April Fools Day has really died down. At this point, there are few headlines you can write that would be more ridiculous than something youd find on a news site any day of the week. And there are so many more serious issues that are...
Vulnerability in some TP-Link routers could lead to factory reset
Cisco Talos Vulnerability Research team has disclosed 10 vulnerabilities over the past three weeks, including four in a line of TP-Link routers, one of which could allow an attacker to reset the devices settings back to the factory default. A popular open-source software for internet-of-things Io...
April’s Patch Tuesday includes 150 vulnerabilities, 60 which could lead to remote code execution
In one of the largest Patch Tuesdays in years, Microsoft disclosed 150 vulnerabilities across its software and product portfolio this week, including more than 60 that could lead to remote code execution. Though Aprils monthly security update from Microsoft is the largest since at least the start...
Starry Addax targets human rights defenders in North Africa with new malware
Cisco Talos is disclosing a new threat actor we deemed "Starry Addax" targeting mostly human rights activists associated with the Sahrawi Arab Democratic Republic SADR cause with a novel mobile malware. Starry Addax conducts phishing attacks tricking their targets into installing malicious Androi...
There are plenty of ways to improve cybersecurity that don’t involve making workers return to a physical office
As my manager knows, Im not the biggest fan of working in a physical office. Im a picky worker -- I like my workspace to be borderline frigid, I hate dark mode on any software, and I want any and all lighting cranked all the way up. So, know that Im biased going into this, but I also cant get ove...
CoralRaider targets victims’ data and social media accounts
Cisco Talos discovered a new threat actor were calling "CoralRaider" that we believe is of Vietnamese origin and financially motivated. CoralRaider has been operating since at least 2023, targeting victims in several Asian and Southeast Asian countries. This group focuses on stealing victims...
Adversaries are leveraging remote access tools now more than ever — here’s how to stop them
Remote system management/desktop access tools such as AnyDesk and TeamViewer have grown in popularity since 2020. While there are many legitimate uses for this software, adversaries are also finding ways to use them for command and control in their campaigns. There is no easy way to effectively...
Enter the substitute teacher
Welcome to this weeks threat source newsletter with Jon out, youve got me as your substitute teacher. Im taking you back to those halcyon days of youth and that moment when you found out that you had a sub that day, will I be the teacher that just rolls in the TV cart and delivers the single...
“Pig butchering” is an evolution of a social engineering tactic we’ve seen for years
Whether you want to call them "catfishing," "pig butchering" or just good old-fashioned "social engineering," romance scams have been around forever. I was first introduced to them through the MTV show "Catfish," but recently they seem to be making headlines as the term "pig butchering" enters th...
New details on TinyTurla’s post-compromise activity reveal full kill chain
Cisco Talos is providing an update on its two recent reports on a new and ongoing campaign where Turla, a Russian espionage group, deployed their TinyTurla-NG TTNG implant. We now have new information on the entire kill chain this actor uses, including the tactics, techniques and procedures TTPs...
Netgear wireless router open to code execution after buffer overflow vulnerability
Cisco Talos Vulnerability Research team recently disclosed three vulnerabilities across a range of products, including one that could lead to remote code execution in a popular Netgear wireless router designed for home networks. There is also a newly disclosed vulnerability in a graphics driver f...
Dissecting a complex vulnerability and achieving arbitrary code execution in Ichitaro Word
Cisco Talos disclosed several vulnerabilities in JustSystems Ichitaro Word Processor last year. These vulnerabilities were complex and were discovered through extensive reverse engineering. CVE-2023-35126 and its peers CVE-2023-34366, CVE-2023-38127, and CVE-2023-38128 were each assessed as...
The LockBit story: Why the ransomware affiliate model can turn takedowns into disruptions
In ancient Greek mythos, the mighty Hercules faced a seemingly insurmountable challenge when he encountered the Lernaean Hydra. This fearsome serpent had a terrifying ability: For every head that Hercules severed, two more would spring forth, creating a never-ending cycle of regrowth and renewal...
Not everything has to be a massive, global cyber attack
Some of my Webex rooms recently have been blowing up with memes about blaming Canada or wild speculation that a state-sponsored actor is carrying out some sort of major campaign. After a widespread outage of cellular service with AT&T and other carriers a few weeks ago, people were sure it was so...
Threat actors leverage document publishing sites for ongoing credential and session token theft
Cisco Talos Incident Response Talos IR has observed the ongoing use of legitimate digital document publishing DDP sites for phishing, credential theft and session token theft during recent incident response and threat intelligence engagements. Hosting phishing lures on DDP sites increases the...
Another Patch Tuesday with no zero-days, only two critical vulnerabilities disclosed by Microsoft
For the second month in 2024, there are no actively exploited vulnerabilities included in this months security update from Microsoft. Marchs Patch Tuesday is relatively light, containing 60 vulnerabilities -- only two labeled "critical." Last months Patch Tuesday included more than 70 security...
You’re going to start seeing more tax-related spam, but remember, that doesn’t actually mean there’s more spam
Its that time of the year when not only do you have to be worried about filing your federal taxes in the U.S., you must also be on the lookout for a whole manner of tax-related scams. These are something that pop up every year through email, texts, phone calls and even physical mail -- phony...
The 3 most common post-compromise tactics on network infrastructure
Weve been discussing networking devices quite a lot recently and how Advanced Persistent Threat actors APTs are using highly sophisticated tactics to target aging infrastructure for espionage purposes. Some of these attacks are also likely prepositioning the APTs for future disruptive or...
Badgerboard: A PLC backplane network visibility module
Analysis of the traffic between networked devices has always been of interest since devices could even communicate with one another. As the complexity of networks grew, the more useful dedicated traffic analysis tools became. Major advancements have been made over the years with tools like Snort ...
GhostSec’s joint ransomware operation and evolution of their arsenal
Cisco Talos observed a surge in GhostSec, a hacking groups malicious activities since this past year. GhostSec has evolved with a new GhostLocker 2.0 ransomware, a Golang variant of the GhostLocker ransomware. The GhostSec and Stormous ransomware groups are jointly conducting double extortion...
Heather Couk is here to keep your spirits up during a cyber emergency, even if it takes the “Rocky” music
"Gotta Fly Now" is more closely associated with corporate hype videos or conferences with thousands of attendees in a mid-market citys convention center than it is from its origins in the "Rocky" movies. But Heather Couk thinks its useful in incident response calls, too. Couk, an incident respons...
Why Apple added protection against quantum computing when quantum computing doesn’t even exist yet
Apple released a new update for nearly all its devices that provides an all-new type of encryption for its iMessages to the point that, in theory, iMessages are now protected against attacks from quantum computers. This is a little tricky because, as weve covered before, quantum computers dont...
Multiple vulnerabilities in Adobe Acrobat Reader could lead to remote code execution
Cisco Talos has disclosed more than 30 vulnerabilities in February, including seven in Adobe Acrobat Reader, one of the most popular PDF editing and reading software currently available. Adversaries could exploit these vulnerabilities to trigger the reuse of a previously freed object, thus causin...
Stop running security in passive mode
As we begin a new year, we wanted to address one of the biggest issues we consistently see in our investigations: passive security. Incident response engagements are an important part of our work and the intelligence-gathering process and their associated reports can be a treasure trove of tactic...
TimbreStealer campaign targets Mexican users with financial lures
Cisco Talos has discovered a new campaign operated by a threat actor distributing a previously unknown malware were calling "TimbreStealer." This threat actor was observed distributing TimbreStealer via a spam campaign using Mexican tax-related themes starting in at least November 2023. The threa...
TikTok’s latest actions to combat misinformation shows it’s not just a U.S. problem
When we talk about the term "fake news," most people likely picture a certain person who made the term infamous. And when we talk about misinformation and disinformation, many will remember the "Russian troll farms" that popped up during the 2016 U.S. presidential election and were unmasked and...