TinyTurla-NG in-depth tooling and command and control analysis
Cisco Talos, in cooperation with CERT.NGO, has discovered new malicious components used by the Turla APT. New findings from Talos illustrate the inner workings of the command and control (C2) scripts deployed on the compromised WordPress servers utilized in the compromise we previously disclosed...
How CVSS 4.0 changes (or doesn’t) the way we see vulnerability severity
Finding, managing and patching security vulnerabilities on any network, no matter the size, is a tall task. In the first week of 2024 alone, there were 621 new common IT security vulnerabilities and exposures (CVEs) disclosed worldwide, covering a range of applications, software and hardware that...
Astaroth, Mekotio & Ousaban abusing Google Cloud Run in LATAM-focused malware campaigns
Google Cloud Run is currently being abused in high-volume malware distribution campaigns, spreading several banking trojans such as Astaroth (aka Guildma), Mekotio and Ousaban to targets across Latin America and Europe. The volume of emails associated with these campaigns has significantly increase...
Why the toothbrush DDoS story fooled us all
I'll be the first to admit that, like many people on the internet last week, I got caught up in the toothbrush distributed denial-of-service attack that wasn't. I had a whole section on it written up in last week's newsletter, and then I came across Graham Cluley's blog post debunking the whole thing...
TinyTurla Next Generation - Turla APT spies on Polish NGOs
Cisco Talos has identified a new backdoor authored and operated by the Turla APT group, a Russian cyber espionage threat group. This new backdoor we're calling "TinyTurla-NG" (TTNG) is similar to Turla's previously disclosed implant, TinyTurla, in coding style and functionality implementation. Talos...
How are attackers using QR codes in phishing emails and lure documents?
Though QR codes were once on the verge of extinction, many consumers are used to seeing them in the wild for ordering at restaurants, or as mainstays on storefront doors informing customers how they can sign up for a newsletter or score a sweet deal. The use of QR codes saw a resurgence during th...
First Microsoft Patch Tuesday zero-day of 2024 disclosed as part of group of 75 vulnerabilities
Microsoft followed up one of the lightest recent Patch Tuesdays in January with a large release of vulnerabilities on Tuesday, although still far from numbers seen in the past. In all, February's security update from Microsoft includes 75 vulnerabilities, three of which are considered critical...
Spyware isn’t going anywhere, and neither are its tactics
Private and public efforts to curb the use of spyware and activity of other "mercenary" groups have heated up over the past week, with the U.S. government taking additional action against spyware users and some of the world's largest tech companies calling out international governments to do more...
New Zardoor backdoor used in long-term cyber espionage operation targeting an Islamic organization
By Jungsoo An, Wayne Lee and Vanja Svajcer. Cisco Talos discovered a new, stealthy espionage campaign that has likely persisted since at least March 2021. The observed activity affects an Islamic non-profit organization using backdoors for a previously unreported malware family we have named...
How are user credentials stolen and used by threat actors?
You've no doubt heard the phrase, "Attackers don't hack anyone these days. They log on." By obtaining or stealing valid user account details, an attacker can gain access to a system, remain hidden, and then elevate their privileges to "log in" to more areas of the network. Unfortunately, the use of...
The many ways electric cars are vulnerable to hacks, and whether that matters in a real-world
I'd hate to be labeled a "car guy" now, mentioning my new electric car in the lede of two newsletters in a row, but I couldn't resist. I'd been reading headlines for years about how electric cars, most notably Tesla, were vulnerable to a range of security vulnerabilities, even some that could allow bad...
OAS Engine Deep Dive: Abusing low-impact vulnerabilities to escalate privileges
Open Automation Software recently released patches for multiple vulnerabilities in their OAS Engine. Cisco Talos publicly disclosed these issues after working with Open Automation Software to ensure that patches were available for users. Now that a fix has been released with Version 19, we want t...
Why is the cost of cyber insurance rising?
I just bought an electric car last week, so I've been shopping for new car insurance policies that could offer me a discount for ditching gas. We're all familiar with the boring process of entering the same information 10 times over into 10 different companies' websites trying to see who comes out t...
IR Q4 2023 trends: Significant increase in ransomware activity found in engagements, while education remains one of the most-targeted sectors
First time ransomware was the top threat in 2023, according to Q4 2023 Talos Incident Response report. Ransomware, including pre-ransomware activity, was the top observed threat in the fourth quarter of 2023, accounting for 28 percent of engagements, according to Cisco Talos Incident Response Talo...
What to do with that fancy new internet-connected device you got as a holiday gift
Welcome to 2024! The Threat Source newsletter is back after our winter break. When I wasn't spending my downtime chasing around my toddler, one of my main projects was to upgrade the internet connection at my house. My ISP started offering Gigabit speeds and a 60 GHz connection, which was appealin...
Exploring malicious Windows drivers (Part 1): Introduction to the kernel and drivers
Drivers have long been of interest to threat actors, whether they are exploiting vulnerable drivers or creating malicious ones. Malicious drivers are difficult to detect and successfully leveraging one can give an attacker full access to a system. Real-world examples can be found in our previous...
Critical vulnerability in ManageEngine could lead to file creation, dozens of other vulnerabilities disclosed by Talos to start 2024
Cisco Talos' Vulnerability Research team has disclosed dozens of vulnerabilities over the past month, including more than 30 advisories in GTKWave and a critical vulnerability in ManageEngine OpManager. Cisco ASIG also recently discovered an information disclosure vulnerability in...
Microsoft starts off new year with relatively light Patch Tuesday, no zero-days
Microsoft followed up one of the lightest recent Patch Tuesdays in December with another month of no zero-day vulnerabilities and only two critical issues. Many of the company's monthly security updates in 2023 included vulnerabilities that were actively being exploited in the wild or had publicly...
New decryptor for Babuk Tortilla ransomware variant released
Cisco Talos obtained executable code capable of decrypting files affected by the Babuk Tortilla ransomware variant, allowing Talos to extract and share the private decryption key used by the threat actor. Cisco Talos shared the key with our peers at Avast for inclusion in the Avast Babuk decrypto...
Video series discussing the major threat actor trends from 2023
In this video series, Talos Director of Threat Intelligence and Interdiction Matt Olney and Head of Outreach Nick Biasini share their insights on the most significant cybersecurity threats from the past year. From attacks on network infrastructure to the latest APT activities, as well as an updat...
Intellexa and Cytrox: From fixer-upper to Intel Agency-grade spyware
By Mike Gentile, Asheer Malhotra and Vitor Ventura. Editor's note: This blog post is a public version of a talk presented at LabsCon 2023 on Sept. 22, 2023. You can watch a recording of the talk here. Some of the intelligence presented at LabsCon was later confirmed by an Amnesty International blo...
Year in Malware 2023: Recapping the major cybersecurity stories of the past year
If there is anything the cybersecurity world learned in 2023, it's that you can never count any bad guy out. Botnets kept coming back from the dead, ransomware actors found new ways to make money through data theft extortion, and threat actors and malware who have been around for more than a decade...
A personal Year in Review to round out 2023
As you've probably seen by now, Talos released our 2023 Year in Review report last week. It's an extremely comprehensive look at the top threats, attacker trends and malware families from the past year with never-before-seen Cisco Talos telemetry. We have podcasts, long-form videos and even Reddit...
Recommendations that defenders can use from Talos’ Year in Review Report
The Talos Year in Review is available now and contains a wealth of insights about how the threat landscape has shifted in 2023. With new ransomware strains emerging from leaked source code, commodity loaders adding more reconnaissance measures to their belts, and geopolitical events influencing A...
Microsoft releases lightest Patch Tuesday in three years, no zero-days disclosed
Microsoft's monthly security update released Tuesday is the company's lightest in four years, including only 33 vulnerabilities. Perhaps more notable is that there are no zero-day vulnerabilities included in December's Patch Tuesday, a rarity for Microsoft this year. The company's regular set of...
Operation Blacksmith: Lazarus targets organizations worldwide using novel Telegram-based malware written in DLang
Cisco Talos recently discovered a new campaign conducted by the Lazarus Group we're calling "Operation Blacksmith," employing at least three new DLang-based malware families, two of which are remote access trojans (RATs), where one of these uses Telegram bots and channels as a medium of command and...
Video: Talos 2023 Year in Review highlights
In this video, experts from across Cisco Talos came together to discuss the 2023 Talos Year in Review. We chat about what's new, what's stayed the same, and how the geopolitical environment has affected the threat landscape. This video was recorded live on social media: Read the 2023 Cisco Talos Ye...
Cybersecurity considerations to have when shopping for holiday gifts
As I wrote about last week, there are holiday shopping-related scams already popping up all over the place. But another aspect of security that many shoppers don't consider this time of year is the security of the products they're buying, even through a legitimate online marketplace. This is a...
Remote code execution vulnerabilities found in Buildroot, Foxit PDF Reader
Cisco Talos has disclosed 10 vulnerabilities over the past two weeks, including nine that exist in a popular online PDF reader that offers a browser plugin. Attackers could exploit these vulnerabilities in the Foxit PDF Reader to carry out a variety of malicious actions, but most notably could ga...
Beers with Talos episode 141: The TurkeyLurkey Man wants YOU to read Talos' Year in Review report
In this episode, the Beers with Talos team, led by special guest Dave Liebenberg, set out to save Thanksgiving. The TurkeyLurkey man is the hero that everybody needs, but perhaps don't deserve. For fans and opposers of Dave's Ranksgiving list, you'll be pleased to know he's back with a whole new order...
The malware, attacker trends and more that shaped the threat landscape in 2023
The 2023 Cisco Talos Year in Review is now available to download. Once again, the Talos team has meticulously combed through a massive amount of data to analyze the major trends that have shaped the threat landscape in 2023. Global conflict influenced a lot of these trends, altering the tactics a...
Project PowerUp – Helping to keep the lights on in Ukraine in the face of electronic warfare
As Russia's invasion of Ukraine entered its first winter in late 2022, nearly half of Ukraine's energy infrastructure had been destroyed, leaving millions without power. The resulting energy deficit has exacerbated something that hasn't had much media attention: The effects of electronic GPS jammers...
$19 Stanley cups, fake Amazon Prime memberships all part of holiday shopping scams circulating
I know I'm a little late to the party to hit the prime SEO for Black Friday, Cyber Monday and holiday shopping. But if I know the readers of this newsletter, everyone is far from done with their holiday shopping already after a few days. I also know I'm far from the only person to warn consumers...
New SugarGh0st RAT targets Uzbekistan government and South Korea
Cisco Talos recently discovered a malicious campaign that likely started as early as August 2023, delivering a new remote access trojan (RAT) we dubbed "SugarGh0st." We found evidence suggesting the threat actor is targeting the Uzbekistan Ministry of Foreign Affairs and users in South Korea. We...
What is threat hunting?
Many organizations are curious about the idea of threat hunting, but what does this really entail? What should you be hunting for? And what do you need to put in place to threat hunt properly? Four experienced security professionals from across Cisco recently sat down to discuss the basics of...
Vulnerabilities in Adobe Acrobat, Microsoft Excel could lead to arbitrary code execution
Cisco Talos' Vulnerability Research team recently worked with Adobe and Microsoft to patch multiple vulnerabilities in the Acrobat and Excel software, respectively, that could lead to arbitrary code execution. Talos also disclosed six vulnerabilities in the Weston Embedded µC-HTTP HTTP server...
A deep dive into Phobos ransomware, recently deployed by 8Base group
Cisco Talos has recently observed an increase in activity conducted by 8Base, a ransomware group that uses a variant of the Phobos ransomware and other publicly available tools to facilitate their operations. Most of the group's Phobos variants are distributed by SmokeLoader, a backdoor trojan. Th...
Understanding the Phobos affiliate structure and activity
Cisco Talos recently identified the most prolific Phobos variants, common affiliate tactics, techniques and procedures (TTPs), and characteristics of the Phobos affiliate structure, based on observed Phobos activity and analysis of over 1,000 Phobos samples from VirusTotal dating back to 2019. We...
We all just need to agree that ad blockers are good
I don't think this is a particularly bold take -- but I'm not afraid to say that ad blockers are good! Ever since I started using one sometime in 2016, my experience of using the internet has improved exponentially. I can finally easily find a recipe for dinner on a random influencer's blog, get a...
7 common mistakes companies make when creating an incident response plan and how to avoid them
Cisco Talos recently covered the basics of NIS2, a new set of requirements for cybersecurity and security incident disclosures set to take effect next year in the European Union. As part of these new guidelines, organizations with operations in the EU must have up-to-date "incident handling"...
Microsoft discloses only three critical vulnerabilities in November’s Patch Tuesday update, three other zero-days
Microsoft's monthly security update released Tuesday only includes three critical vulnerabilities, an unusually small number based on previous months' Patch Tuesdays. In all, this set of vulnerabilities Microsoft patched includes 57 vulnerabilities, 54 of which are considered "important." This is t...
A new video series, Google Forms spam and the various gray areas of cyber attacks
I found the juxtaposition of stories on the Talos blog over the past week-plus kind of funny. On one hand, we had a massive story about Arid Viper, a Middle Eastern threat actor spreading spyware, one of the most dangerous types of malware out there right now, operating out of Gaza no less. Then,...
Threat Roundup for November 3 to November 10
Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Nov. 3 and Nov. 10. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics,...
Spammers abuse Google Forms’ quiz to deliver scams
Spammers are exploiting the "Release scores" feature of Google Forms quizzes to deliver email. The emails originate from Google's own servers and consequently may have an easier time bypassing anti-spam protections and finding the victim's inbox. Volumes of these messages hovered near noise levels...
What is NIS2, and how can you best prepare for the new cybersecurity requirements in the EU?
NIS2 is a European directive that includes new measures to ensure that organizations operating in the European Union (EU) have a high common level of network and infrastructure security. The "directive" outlines the goals all EU member states must achieve. However, each country will implement it in...
Threat Roundup for October 27 to November 3
Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Oct. 27 and Nov. 3. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics,...
You’d be surprised to know what devices are still using Windows CE
Windows CE -- an operating system that, despite being out for 27 years, never had an official explanation for why it was called "CE" -- finally reached its official end-of-life period this week. This was Microsoft's first operating system for embedded and pocket devices, making an appearance on...
Attackers use JavaScript URLs, API forms and more to scam users in popular online game “Roblox”
Online video games often make use of in-game virtual currency and give players the ability to purchase, trade or sell items. While these features are often selling points for players and potential revenue streams for the companies that make them, they also inevitably draw bad actors and scams. On...
Arid Viper disguising mobile spyware as updates for non-malicious Android applications
Since April 2022, Cisco Talos has been tracking a malicious campaign operated by the espionage-motivated Arid Viper advanced persistent threat (APT) group targeting Arabic-speaking Android users. In this campaign, the actors leverage custom mobile malware, also known as Android Package files (APKs), ...
How helpful are estimates about how much cyber attacks cost?
Coming from the newspaper and media industry, I'm no stranger to wanting to write catchy headlines. I'm certainly at fault for throwing together a story about so-and-so's house sold for X million dollars. But recently I've been wondering if those "big numbers" for cybersecurity are helpful at all, ev...