Enter the substitute teacher

2024-03-28 14:00:00
William Largent
blog.talosintelligence.com
threat hunting
cyber security career
intellectual curiosity
security community events
traffic analysis
malware research
cyber security skills
vulnerability exploitation
security vendor consolidation
managed democracy

Welcome to this week's Threat Source newsletter. With Jon out, you've got me as your substitute teacher.

I'm taking you back to those halcyon days of youth and that moment when you found out that you had a sub that day. Will I be the teacher who just rolls in the TV cart and delivers the single greatest blast of freedom that you can have in a classroom, or will I be the teacher who strolls into your 4th grade class and is appalled that you aren't already conversant in Dostoevsky? Neither. Today I will be the old, wizened oracle offering advice and attempting to answer one of the most-asked questions I receive at public speaking engagements. So pull up a desk and don't make that high-pitched sound with a wet finger on the basket underneath the seat, because I know the old magicks.

The number one question that I field after public speaking is "Why did they let you out of your cage to talk to normal people?", and honestly, I don't really have an answer; I just hope that no one notices. The next question is invariably a variation of "How did you become a threat hunter?", "How do I get a job in cyber security?" or "How do I get a gig within Talos?" The answer is simply: be curious. Intellectual curiosity is the key. I'll take it a step further when talking specifically about Talos and quote Walt Whitman (via Ted Lasso): "Be curious, not judgmental." Being a positive part of the culture is as important as the deep arcane knowledge and skills that you need to get your foot in the door at Talos.

There are a lot of paths that you can take in security, and the various skill sets along each path vary, but curiosity will carry you through each one. A lot of people will tell you to follow your passion, and I will vehemently disagree; I will say to follow your aptitude. As you learn and grow within the field, you'll find that some things come easily. Don't fight the wind in that scenario; be the willow. If you are extremely early in your journey, find the helpers. There are tons of super helpful people, sites and resources available to get you started, and finding them is easy if you are curious. Attend a BSides or a local security group like AHA. Install Snort, start learning what traffic looks like on the wire, and create custom signatures. Install Kali and break things (in your own environment, please). Combine the two and see where it will take you. If you are further along in your journey and are interested in taking the next step from analyst to malware research or reverse engineering, you can start with hasherezade's 1001 nights and see if you have the aptitude to follow that path. Don't be afraid to try something and fail. Don't expect to be good from the start. Don't be afraid to ask questions and admit that you don't know something; the most important things I've picked up usually come from "I don't know, could you teach me?"

In the end, there are truly almost as many paths as there are people doing the jobs. It's crazy how varied the backgrounds on our teams are, but curiosity is rampant.

The one big thing

The one big thing is that, clearly, I'm substituting and all is normal in the security world. Vulns continue to be exploited, security vendors continue to be consolidated, and everything is as it was in the world. THISISFINEDOTGIF.

Why do I care?

Because it's what keeps us up at night. That and a warm cup of Liber-Tea.

So now what?

Now we deliver Managed Democracy in Helldivers 2, together.

Top security headlines of the week

A newly discovered vulnerability baked into Apple's M-series of chips allows attackers to extract secret keys from Macs when they perform widely used cryptographic operations, academic researchers have revealed in a paper published Thursday. (Ars Technica, Wired)

Metasploit has announced the release of Metasploit Framework 6.4, which features several improvements and a new feature for Windows Meterpreter that allows searching a process's memory for user-specified needles, with support for regular expressions. (Rapid7)
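The memory-search headline above describes the capability only. The following added example (not Meterpreter's code, and not taken from the Rapid7 release) shows the one detail that matters when you build such a scanner yourself: memory is read in fixed-size chunks, so a needle that straddles two reads is missed unless the scanner keeps an overlap window. The region, its base address and the `read_memory` reader are constructed stand-ins for a readable mapping and for a `ReadProcessMemory`-style call; the constant names and the `search_region` function are this example's own.

```python
"""Regex needle search over a memory region read in fixed-size chunks.

Added illustration for the Metasploit 6.4 memory-search headline; it is not
Meterpreter's implementation. REGION is a constructed byte buffer standing in
for one readable mapping, and read_memory() stands in for ReadProcessMemory.
"""
import re
from typing import Dict, List, Tuple

CHUNK_SIZE = 64        # deliberately small so the demo exercises a chunk boundary
MAX_NEEDLE_LEN = 32    # longest match we promise to find across a boundary

# Constructed stand-in for a readable region: zero-filled, with three secrets
# planted in it. The api_key string starts 4 bytes before the first chunk
# boundary, so it is split across two reads.
REGION_BASE = 0x7FF610000000
REGION = bytearray(200)


def _plant(offset: int, data: bytes) -> None:
    """Write sample data into the constructed region at a fixed offset."""
    REGION[offset:offset + len(data)] = data


_plant(10, b"password=hunter2")
_plant(CHUNK_SIZE - 4, b"api_key=ABCD1234")   # straddles bytes 63/64
_plant(150, b"token=deadbeef")


def read_memory(region: bytes, offset: int, size: int) -> bytes:
    """Stand-in for ReadProcessMemory: up to `size` bytes from `offset`."""
    return bytes(region[offset:offset + size])


def search_region(region: bytes, base: int, pattern: bytes,
                  chunk_size: int = CHUNK_SIZE,
                  max_needle_len: int = MAX_NEEDLE_LEN) -> List[Tuple[int, bytes]]:
    """Find every match of `pattern` in `region` mapped at virtual address `base`.

    Memory is read chunk by chunk; the last (max_needle_len - 1) bytes of the
    previous read are kept as a carry-over and prepended to the next chunk, so
    a needle that crosses a read boundary is still seen whole. Matches seen in
    both the carry-over and the following window are de-duplicated by address,
    keeping the longest form of the match. Matches longer than max_needle_len
    that cross a boundary are not guaranteed to be found in full.
    """
    regex = re.compile(pattern)
    overlap = max_needle_len - 1
    hits: Dict[int, bytes] = {}
    carry = b""
    offset = 0
    while offset < len(region):
        chunk = read_memory(region, offset, chunk_size)
        if not chunk:
            break
        window = carry + chunk
        window_start = offset - len(carry)       # region offset of window[0]
        for m in regex.finditer(window):
            addr = base + window_start + m.start()
            found = m.group(0)
            # A match cut off at the end of the previous read reappears here in
            # full; prefer the longer one.
            if addr not in hits or len(found) > len(hits[addr]):
                hits[addr] = found
        offset += len(chunk)
        carry = window[-overlap:] if overlap else b""
    return sorted(hits.items())


if __name__ == "__main__":
    needle = rb"(password|api_key|token)=[A-Za-z0-9]+"
    for addr, match in search_region(REGION, REGION_BASE, needle):
        print(f"{addr:#x}: {match!r}")
    # With no overlap (max_needle_len=1) the api_key that straddles the chunk
    # boundary is silently lost.
    print("without overlap:",
          len(search_region(REGION, REGION_BASE, needle, max_needle_len=1)), "hits")
```

Running it lists all three secrets with their virtual addresses; dropping the overlap to zero finds only two, which is the failure mode a naive chunked scanner has and that any serious process-memory search has to handle.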

Can't get enough Talos?

Upcoming events where you can find Talos

Botconf (April 23 - 26)

Nice, Cote d'Azur, France

> This presentation from Chetan Raghuprasad details the Supershell C2 framework. Threat actors are using this framework massively and creating botnets with the Supershell implants.

CARO Workshop 2024 (May 1 - 3)

Arlington, Virginia

> Over the past year, we've observed a substantial uptick in attacks by YoroTrooper, a relatively nascent espionage-oriented threat actor operating against the Commonwealth of Independent States (CIS) since at least 2022. Asheer Malhotra's presentation at CARO 2024 will provide an overview of their various campaigns, detailing the commodity and custom-built malware employed by the actor, their discovery, and their evolution in tactics. He will present a timeline of successful intrusions carried out by YoroTrooper targeting high-value individuals associated with CIS government agencies over the last two years.

RSA (May 6 - 9)

San Francisco, California

Most prevalent malware files from Talos telemetry over the past week

**SHA 256:** 7b3ec2365a64d9a9b2452c22e82e6d6ce2bb6dbc06c6720951c9570a5cd46fe5
**MD5:** ff1b6bb151cf9f671c929a4cbdb64d86
**Typical Filename:** endpoint.query
**Claimed Product:** Endpoint-Collector
**Detection Name:** W32.File.MalParent

**SHA 256:** 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507
**MD5:** 2915b3f8b703eb744fc54c81f4a9c67f
**Typical Filename:** VID001.exe
**Claimed Product:** N/A
**Detection Name:** Win.Worm.Coinminer::1201

**SHA 256:** a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91
**MD5:** 7bdbd180c081fa63ca94f9c22c457376
**Typical Filename:** c0dwjdi6a.dll
**Claimed Product:** N/A
**Detection Name:** Trojan.GenericKD.33515991

**SHA 256:** 0e2263d4f239a5c39960ffa6b6b688faa7fc3075e130fe0d4599d5b95ef20647
**MD5:** bbcf7a68f4164a9f5f5cb2d9f30d9790
**Typical Filename:** bbcf7a68f4164a9f5f5cb2d9f30d9790.vir
**Claimed Product:** N/A
**Detection Name:** Win.Dropper.Scar::1201

**SHA 256:** e38c53aedf49017c47725e4912fc7560e1c8ece2633c05057b22fd4a8ed28eb3
**MD5:** c16df0bfc6fda86dbfa8948a566d32c1
**Typical Filename:** CEPlus.docm
**Claimed Product:** N/A
**Detection Name:** Doc.Downloader.Pwshell::mash.sr.sbx.vioc
