Talos Takes

Joey Chen from Talos' Outreach team is here to tell us all about his research into the CoralRaider threat actor. He's helped write two posts on the recently discovered APT, disclosing new information about how this Vietnamese-based actor is targeting login credentials. After stealing those credentials, they go on to try and sell them on the dark web, or use them to try and brute force their way into more important accounts. Joey discusses what this actor is really after, and why they've been growing so quickly.

Hazel Burton steps in to host this week's episode as we cover the recent Cisco Talos Incident Response Quarterly Trends Report from the first quarter of this year. Hazel talks to different Talosians to find out why business email compromise is on the rise, how attackers are bypassing MFA, and more.

After a recent spike in brute force attempts targeting SSH and VPN services, we felt it was a good time to give listeners a lesson on brute force attacks. Nick Biasini joins host Jon Munshaw this week to discuss the basics of these methods, how administrators can protect their accounts, and other potential defense mechanisms (or whether to just take passwords out of the equation entirely).

Apple now must allow users to be able to sideload apps onto their phones or access third-party app stores, thanks to a law from the European Union that went into effect earlier this year. Terryn Valikodath from Cisco Talos Incident Response joins Jon this week to discuss the potential dangers that come with allowing users to sideload apps onto their devices, and how attackers may take advantage of this new opening.

Hazel Burton and Thorsten Rosendahl join Jon Munshaw on this week's episode to discuss the problem with threat actor "hydras." They recently wrote about the topic for the Talos blog, highlighting how law enforcement takedowns of these groups are closer to just disruptions or setbacks for these massive actors. They talk about what really needs to be done to stop ransomware actors and why RaaS is a breeding ground for "hydras."

Holger Unterbrink of Talos Outreach joins the show this week to discuss his recent Turla APT research. This Russian state-sponsored actor has been around for years but is regularly adding new tooling to its arsenal. Holger has new details about their latest tool, TinyTurlaNG, and insight into the types of organizations they're targeting.

Jon started noticing that Talos is finding more threat actors using Telegram nowadays for their communication and coordination, so he decided to bring Azim Khodjibaev on to ask him if he was just inventing this, or if it was a real trend. Turns out it's a real trend! Azim fills listeners in on why Telegram is becoming the app of choice for APTs to publish "news," threaten data leaks, and more.

Nick Biasini joins Jon this week to talk about passive security. He recently wrote about this topic for the Talos blog and joined Wendy Nather in discussing the merits of passive security versus active blocking. Nick defines what passive security is, exactly, and why it's not the way to go in the modern age.

Chetan Raghuprasad from the Talos Outreach team joins Talos Takes this week to talk to Jon about the GhostSec threat actor that he and a few colleagues wrote about for the Talos blog. GhostSec has teamed up with another ransomware group to carry out double extortion attacks all over the globe, with increasing frequency over the past year. They discuss what's unique about this particular RaaS model, where GhostSec came from, and the benefits of going in on a team-up.

Now more than ever, adversaries are logging in, not breaking in. They're stealing legitimate user credentials to hide undetected on a targeted network after acquiring said credentials in a variety of ways. Hazel Burton joins Jon Munshaw this week to discuss identity attacks, recommendations for avoiding them, and how QR code phishing plays into these tactics.

Gergana Karadzhova-Dangela and Thorsten Rosendahl, our resident experts on all things European Union cybersecurity law, join the show this week to talk about the impending NIS2 regulations. Don't worry, you've still got plenty of time to work on them, but this is a good place to get started even if you've never seen the phrase "NIS2" before. Find more of their writing on NIS2 here and here.

Reposted from the Cisco Security Stories feed: Meet Jeremy Maxwell, CISO of Veradigm, a healthcare IT company. Jeremy discusses how his organization proactively prepares for cybersecurity incidents within a highly regulated industry.

Chris Neal from Talos Outreach joins the show today to talk about his research into the ways adversaries are using malicious drivers on Windows to spread malware. He recently launched a new series on the Talos blog about the basics of drivers and how security researchers can reverse engineer them to learn more about attacker TTPs and develop new detection content. Chris discusses when he first spotted this type of attack, what advantages it presents for the attacker and the other aspects of the research he plans to dive into.

This week, we're bringing you the audio version of our recent Talos IR On Air video. Several Talos incident responders got together to recap the top threats and attacker trends of Q4 2023, as outlined in our full Quarterly Trends Report. Hear about why ransomware was up for the first time the entire year, and which sectors were being targeted most often.

We're talking about vulnerabilities this week with Jerry Gamblin from Cisco Vulnerability Management. Jerry joins the show to talk about the release of CVSS 4.0 this year — the newest method the security community will use to score the severity of certain vulnerabilities. Jerry discusses what makes this scoring system different from previous iterations if it changes how he views the term "severe" and how that fits into Cisco's overall vulnerability management processes.

In this special edition of the show, we're bringing you the audio version of our Year in Review livestream. Recorded at the end of December, this stream included Hazel Burton, Nick Biasini and Laurie Varner from Cisco Talos Incident Response recapping the year that was in cybersecurity. They covered the highlights of our 2023 Year in Review report, their personal takeaways from the past year, and trends to watch for heading into the new year.

We're back from holiday break with the first new Talos Takes episode of 2024! We're continuing our dive into Talos' Year in Review report with Lexi DiSchola, one of the many researchers who helped put this report together. She discusses why we believe the telecommunications sector was the most-targeted industry in 2023, advice for companies in that space, and other popular targets for attackers.

Jon apologizes for how he sounds in this episode, he was having mic troubles we discovered only during post-production. But outside of that, we continue the series of episodes recapping 2023 with our Year in Review report. This week, Aliza Johnson from the Talos Threat Intelligence & Interdiction team comes on the show to talk about data theft extortion. She shares why her team saw such a spike in this type of activity in 2023, what can be done to stop it, and which ransomware actors are pivoting to this tactic.

To celebrate the launch of our 2023 Year in Review report, we're doing a series of episodes highlighting several of our key takeaways from the past year. First up, we have David Liebenberg from our Threat Intelligence team to discuss Chinese state-sponsored actors. This is an area David's been studying for many years now and actively researches. He'll discuss the latest Chinese APTs to step onto the scene and trends he's seeing from that area of the world.

Joe Marshall, a central figure in the story of how Cisco Talos and other teams within Cisco worked together to protect the Ukrainian power grid, joins the show this week. He recaps a recent CNN story highlighting the new piece of equipment he and a group of volunteers worked on together to ensure the clocks that power the Ukrainian electric grid can withstand GPS disruption in the face of Russian cyber attacks and kinetic warfare.

Guilherme Venere from Talos Outreach joins the show this week to talk about his research into the 8Base threat actor and its use of a variant of the Phobos ransomware. He recently published several works on the many variants of Phobos that exist in the wild, and why 8Base has been so successful using it for years now.

Tiago Pereira from Talos Outreach joins the program this week to talk about his research into the different types of scams that appear in the online game "Roblox." Many underage users are at risk of being targeted by malicious users looking to steal their money, in-game items or even install malware on their devices.

This week is a special edition of Talos Takes. We have the audio version of Talos Incident Response's recent On Air stream, where they discussed the top attacker trends they're seeing in the field. Talos' incident responders discuss the malware they're seeing most often in infections, how attackers are shifting their tactics, and what other defenders can learn from these findings.

Jerry Gamblin from Cisco Kenna joins this week's episode to talk about all things patching. If you're the average user, you probably don't think about patching much because many of them happen automatically in the background. However many admins and users can unknowingly fall behind when it comes to protecting themselves against the latest vulnerabilities.

Everyone is tired of getting spam emails at this point, and it can feel exhausting always to click that "report spam" button just to get another phony email a few hours later. But we're here to assure you that reporting and filtering spam really does help in the long run! Nick Biasini joins the show this week to discuss all things spam for Cybersecurity Awareness Month.

To continue our Cybersecurity Awareness Month series, Harpreet Singh from Talos Incident Response joins Jon to talk about password managers. They discuss the upside of using a third-party service like 1Password or LastPass, the potential dangers of using built-in browser password managers like Google Chrome and Safari, and other good password hygiene advice.

All of October, we'll be covering broad security-related topics for Cybersecurity Awareness Month. First up, we address the basics of implementing MFA in any environment, why any type of MFA is better than no MFA, the pitfalls of certain types of authentication, and whether going passwordless is the future.

Hazel Burton takes over as guest host for this episode as she talks to Nate Pors from Cisco Talos Incident Response. Nate was part of Talos IR's team that helped Veradigm, a healthcare technology company, prevent a Qakbot ransomware attack. Nate and his team recently wrote about this experience for the Talos blog, and Veradigm's CISO even joined the Cisco Security Stories podcast recently to discuss his company's relationship with Talos IR. Nate discusses how his team's pre-existing relationship with Veradigm helped them respond quickly and effectively. If you've ever wanted to hear a play-by-play of a security event, this is your chance.

What happens when the hackers become the hacked? Black Hat is one of the largest cybersecurity conferences in the world, and Talos had a hand in defending the on-site network for the past few years. Yuri Kramarz from Talos Incident Response worked in Black Hat's Network Operations Center this year to help defend Black Hat's network and attendees who connected to the network while attending the conference in August in Las Vegas. He joins Talos Takes this week to discuss what he's learned from the past few years working in the NOC, what types of threats Black Hat faces, and the lessons learned he now takes back into the field with customers. You can also read his reflections on working in the NOC in 2022 here.

Cisco Talos has recently written about malware families that go open-source, sometimes of their own volition, and sometimes because of leaks. In the case of SapphireStealer, we still don't really know why someone posted this malware to GitHub, but now that it's out there, we can't put it back in a box. Edmund Brumaghin, who assisted with Talos' research and blog post on SapphireStealer, joins Talos Takes this week to discuss this information-stealer. Edmund talks about the goals that someone has by making malware open-source, how that affects detection and what makes SapphireStealer unique among infostealers.

North Korea's infamous APT group is back on the scene, this time with two new remote access trojans. By now, you've probably heard of Lazarus Group and all the annoying things they do to steal sensitive information, make money for North Korea's missile program, etc. But we have an update on their current tactics and payloads they're sending around the globe. Asheer Malhotra from Talos Outreach joins Talos Takes this week to discuss the two new RATs he and his team discovered, why Lazarus Group is still creating new tools, and how their use of older, open-source software has made tracking them ever-so-slightly easier.

Everything about the modern workplace is different now from the start of the COVID-19 pandemic. Many companies are embracing the remote work lifestyle, while others are stuck in a hybrid model or pushing employees to come back to the office. With that in mind, we felt like it was a good time to check in on the incident response process for companies who have to deal with working remotely and those who prefer to conduct business in person. Yuri Kramarz and Gergana Karadzhova-Dangela from Cisco Talos Incident Response join the show this week to discuss how they handle onsite incident response versus engagements that need to be done remotely. There are drawbacks and benefits of both models, so it's up to the individual customer and specific circumstances to determine how a responder can best approach the event in question.

The stereotypical "hacker" who looks to do good in the world probably involves a Guy Fawkes mask and black hoodie. But hacktivism has become much more than that, especially since Russia invaded Ukraine. On the heels of a newly released overview on hacktivism, Lexi DiScola from the Talos Threat Intelligence and Interdiction team joins Talos Takes this week to discuss these actors. While not just anyone is likely a target for hacktivists, Talos has seen groups become more brazen and start looking to make money off their operations.

Cisco Talos Incident Response observed data theft extortion more than any other type of cyber attack last quarter. So why has it become so popular? And what makes it different from ransomware? Jacob Finn from the Talos Threat Intelligence and Interdiction Team joins Jon this week to discuss the basics of data theft extortion. He just worked on an overview of this threat for Talos researchers and works closely with Talos IR on their quarterly trends reports. Jacob discusses why threat actors are choosing data theft extortion over ransomware and how this makes defense and detection more difficult. For more on this topic, read our one-page overview here.

Hazel Burton and Jon Munshaw use this week to look back on the top threats and cybersecurity trends so far in 2023 and the rest of the year. Hazel recently compiled Talos' Half-Year in Review, recapping the top stories that Talos has been following so far this year. She and Jon talk about what stood out from the report, what our researchers have been thinking about up to this point, and what we'll be discussing come December.

We're back with the audio version of our quarterly Cisco Talos Incident Response On Air stream. Join the Talos IR team as they recap the past quarter's top trends, including talking about malware they're seeing in the wild, tactics that attackers are using most often to break into networks, and much more. They discuss why healthcare continues to be a popular target for bad actors, and how adversaries are pivoting away from ransomware and instead opting for data theft and extortion. If you prefer a video version, watch it over on YouTube here.

When Martin Lee first told Jon about ISO 27001 and 27002, Jon had to immediately Google whatever this combination of letters and numbers meant. Turns out there are international standards for cybersecurity, just like they have for selling lightbulbs and installing electrical outlets — who knew? Martin recently wrote about these standards for the Talos blog, outlining a list of recommendations for any organization looking to build a threat intelligence program from the ground up. Jon interviewed him about what these standards are, exactly, what they mean for companies looking to implement these standards, and why they recently included threat intelligence.

Asheer Malhotra is back to talk to Jon Munshaw about spyware and mercenary groups. Asheer recently helped publish Talos research on Mercenary Groups and why they're so dangerous in particular. We briefly touched on this topic in a past episode on the Predator/Alien spyware tag team, but this time we're getting into the broader field of what Mercenary groups are, exactly, and what makes them so dangerous. Asheer talks about recent steps governments have taken to curb the sale of spyware and why the "average" user should care about this topic, even though they're unlikely to ever be a target.

We decided to have a web navigation extravaganza this week! Guilherme Venere and Jaeson Schultz from Talos Outreach have both long been researching the ways in which bad actors try to damage users' inherent trust in the internet. Most internet users interact with the web by typing in a URL or domain name into their web browser (i.e., google.com) expecting that will take them to the right place. But attackers have found various ways to mess with that series of handshakes that must take place. Guilherme and Jaeson talk to Jon about their past years of research into typosquatting domains, new TLDs that open up the door to data leaks, DNS manipulation and more. Additional reading:".Zip" top-level domains draw potential for information leaksDNS Hijacking Abuses Trust In Core Internet ServiceSea Turtle keeps on swimming, finds new victims, DNS hijacking techniquesSecurity implications of misconfigurationsDomain dumpster diving

Aliza Johnson from Talos Threat Intelligence and Interdiction team joins Jon Munshaw this week for a Talos Takes episode on the MOVEit zero-day vulnerability (that's since been patched) making headlines recently. Talos published an advisory last week on everything we know so far about the exploitation of this vulnerability and the group behind it, Clop. Aliza discusses where things stand right now, what Clop is doing once they gain access via this vulnerability and what Talos recommends for mitigation strategies for potentially affected customers.

Cisco Talos Incident Response recently discovered an uptick in malicious actors compromising vendor and third-party accounts to sneak into targeted networks. Many enterprises have vendor and contractor accounts that need to access their network for a variety of things — IT support, cybersecurity, etc. — but these accounts are often monitored less than those belonging to full-time employees. Craig Jackson, who recently co-authored a blog post on this threat, joins Talos Takes this week to talk about vendor and contractor account (VCA) takeover and how they fit into the broader threat of supply chain attacks.

We're joined this week by Chetan Raghuprasad to discuss a new botnet he recently discovered and researched. Horabot can completely hijack a target's Outlook mailbox to steal their contact list and then send even more spam to targets. It's the perfect business email compromise tool for attackers that comes with a side of banking trojan. Chetan talks to Jon about this malware family's abilities, where it came from and what the actors behind it are hoping to achieve. For more, read Chetan's full blog post.

Despite governments' best efforts, spyware is still running rampant on the threat landscape. These types of tracking malware are used to target high-profile individuals like politicians, activists, journalists and more — and even sometimes for jealous exes to track their former partners. Asheer Malhotra, who recently dissected the Predator spyware, joins Talos Takes this week to talk about Predator and its associated tool, Alien. Asheer shares new technical details about this spyware and discusses why "mercenary" spyware groups are on the rise.If listeners suspect their system(s) may have been compromised by commercial spyware, please consider notifying Talos’ research team at [email protected] to assist in furthering the community’s knowledge of these threats.

Hazel Burton is our special guest host this week of Talos Takes, featuring a very special guest: Talos Vice President Matt Watchinski! Matt and Hazel have a conversation for Mental Health Awareness Month, especially as it relates to the cybersecurity industry. They share tips on how to balance work and life (when it seems like cybersecurity is starting to permeate every aspect of our lives) and how to deal with failure. Join us for this incredibly candid conversation!

Talos researchers recently discovered a new ransomware group called "RA Group." This week, Nick Biasni joins Jon to discuss this new threat actor and the modified Babuk ransomware they've already used in attacks against a wide range of companies in the U.S. and South Korea. Nick talks about the group's use of source code that's already been leaked, where they could be headed next and what this group may signal for the larger ransomware landscape. Other helpful links:Threat Source newsletter (May 11, 2023) — So much for that ransomware declineTalos Takes Ep. #71 (includes more details about the "double extortion" tactics of ransomware)

Tiago Pereira from Talos Outreach joins the show this week to talk about his recent discovery of a new phishing-as-a-service tool called "Greatness." Since everything else is "as-a-service" nowadays, it's only fitting that attackers have figured out how to monetize easy phishing tools, too. Tiago discusses what makes Greatness unique, why it's going after business targets specifically, and why it creates such convincing fake Office 365 login pages.

This week's episode is longer than usual, but we wanted to bring you the Cisco Talos Incident Response On Air livestream from last week for anyone who missed it. For anyone who prefers a video version, you can watch the recording here.In this discussion, researchers from Talos IR and the Talos Threat Intelligence and Interdiction team cover the top threats and attacker tactics they saw over the past quarter. They talk about why the use of web shells is way up, whether or not the ransomware decline is real and how multi-factor authentication could have stopped many of the threats they worked on in the first quarter of 2023. For more, read the latest Talos IR Quarterly Trends report.

On the heels of law enforcement agencies from across the globe working together to disrupt two popular cybercrime forums — Genesis Market and BreachForums — Azim Khodjibaev from Talos' Threat Intelligence & Interdiction team joins Jon to talk about these types of sites. Azim has years of experience infiltrating and investigating these types of marketplaces to learn about emerging security threats. He talks about what goes into these types of takedowns and where the sites' users are likely to go from here.Suggested reading:Data breach leak site BreachForums shuts downThreat Source newsletter (April 13, 2023) — Dark web forum whac-a-mole

Nowadays it seems like every major tech company has their own multi-factor authentication solution, whether that be a unique app, one-time passcode generation or the "classic" SMS two-factor code. Thorsten Rosendahl, the newest addition to the Cisco Talos Strategic Communications team in Europe, joins the show this week to discuss the conversations he's been having with customers in the field around MFA. He and Jon cover the news that Twitter is going to start charging for users to enroll in SMS-based MFA, the challenge of having too many authenticator apps on their personal devices and how we can get closer to a passwordless future.Other suggested reading:Threat Source newsletter (Feb. 23, 2023) — Social media sites are making extra security a paid featureNot All MFA is Equal, and the Differences Matter a LotTalos Takes Ep. #45: SMS authentication is still around, but that doesn't mean it's a good option

With another major supply chain attack recently making headlines, we felt like it was a good time to refresh our advice on how to prepare for these types of cyber attacks. Adversaries are increasingly relying on users' inherent trust of the software running on their networks and devices to deliver hijacked, malicious updates that are actually malware. Craig Jackson, a senior Cisco Talos incident responder, joins the show to provide some advice on how organizations can prep for the next major supply chain attack. We also discuss the current, ongoing 3CX situation and how anyone potentially affected could respond now. Other suggested reading:3CX blames North Korea for supply chain mass-hackTalos blog post on the 3CX supply chain attackThe Company You Keep – Preparing for supply chain attacks with Talos IR