
Talos Takes
232 episodes — Page 3 of 5
Ep 133: The defensive and offensive implications of ChatGPT and AI
Everyone is talking about tools like ChatGPT and other AI tools that are dominating headlines and threatening to upend every industry possible. But where do these things stand in cybersecurity? In this week's episode, Jon talks to two women who are well-versed on the topic and recently presented about the cybersecurity implications of AI at several conferences. Gergana Karadzhova of Cisco Talos Incident Response and Saskia Laura Schroer, a security consulting engineer for Cisco, discuss how AI is currently influencing attackers and defenders. Are attackers already using these tools? Does it give them superpowers? And what questions are still left unanswered about this emerging technology?
Ep 132: Reflecting on one year of Talos' work in Ukraine
It's been just over a year since Talos formed our Ukraine-focused task force. After Russia's invasion of Ukraine, many of our teammates sprang into action to protect critical infrastructure and networks there — not to mention the Talos employees who literally had to fight back to protect their home country. In this week's episode of Talos Takes, J.J. Cummings, one of the lead organizers of this task force, joins the show to discuss the group's ongoing work. J.J. talks about where the situation in Ukraine stands currently, how the cyber threats facing the country have evolved over the past year and much more. To further mark the one-year anniversary of the conflict, Talos has also released a graphic novel illustrating the formation of this task force. Additionally, the latest episode of ThreatWise TV from Cisco highlights the work Talos and Cisco are doing in Ukraine.
Ep 131: Why does the Prometei botnet keep growing?
Vanja Svajcer and Andrew Windsor join the show this week to talk about their recent research into the Prometei botnet. This malware continues to evade detection and invade more machines so it can eventually hijack them to mine Monero cryptocurrency. Jon asks them what's new with Prometei, why it's so indiscriminate in who it targets and where we could see it going next.
Ep 130: There's not actually more spam during Tax Season — it's just different spam
Public perception is such that it's assumed we just get more spam in the U.S. during two major times of the year — Tax Season and Black Friday. But over the past few years, this trend has become a thing of the past. With Tax Day approaching for Americans, there won't be more spam emails coming their way than usual, it'll just be different. Eric Peterson from Talos' email detection team joins the show for Jon's triumphant return from parental leave to talk about tax-related spam. Eric talks about topics he's seen so far this year and why it's a myth that spam volume changes as Tax Day approaches.
Ep 129: The benefits of taking an active approach to threat defense
Nick Biasini is back as host again to talk to Vitor Ventura about the benefits of taking an active approach to threat defense. Many organizations may just sit back and wait for something bad to happen. But as he outlined in his recent blog post, Vitor says there are many benefits to being proactive instead of reactive. Nick asks him about threat hunting as a team, scanning logs and tracking network traffic on an almost-constant basis.
Ep 128: Year in Review - Ransomware and Commodity Loaders
We're back with the final year-in-review-focused episode. This time the focus is on the ever-broadening ransomware landscape and the commodity malware loaders that often support it. I'll be joined by one of the researchers from the year in review report, Aliza Johnson, to talk about what we saw on the ransomware landscape over the last year, as well as how threats like Qakbot, IcedID and Trickbot have changed and evolved over the last year. We'll also cover how these threats overlap and how LoLBins are yet again an area of concern.
Ep 127: Following the LNK metadata trail
In this episode of Talos Takes I am joined by security researcher Guilherme Venere to discuss their recent research on LNK files. The usage of these files by malicious actors has exploded over the last six months as actors look to move away from macro-based initial infection vectors. LNK files have unique metadata attributes that allow for useful actor and threat tracking capabilities. We'll dig deeper on LNK files as well as the metadata you can leverage. For full details, check out the blog at https://blog.talosintelligence.com/following-the-lnk-metadata-trail/
Ep 126: Year in Review - Threat Landscape Edition
We're back with another year-in-review-focused episode. This time the focus will be the threat landscape generally, and I'll be joined by threat researcher Caitlin Huey. In this episode we'll discuss what we found in the last year, with a focus on the general threat landscape. We'll spend time discussing dual-use tools, LoLBins and the surprising re-emergence of USB attacks in 2022.
Ep 125: XLLing and the post-macro era
In this episode of Talos Takes we are joined by Vanja Svajcer to discuss his recent blog on XLL abuse. This year Microsoft finally removed support for macros from their Office suite, creating a vacuum in the threat landscape. Macros had been the tool of choice for adversaries for the last several years, and the race to find alternatives is underway. In this episode we'll talk a bit about Office Add-Ins and how we've already seen adversaries starting to abuse XLL files in the wild.
Ep 124: Year in Review: APT Summary Edition
In this episode of Talos Takes we are joined by Jacob Finn to discuss the APT summary section of the larger year in review report. These state-sponsored actors tend to conduct more sophisticated, targeted campaigns, typically related to espionage or other information-gathering activities. This episode will dive a bit deeper on what can be found in the report, as well as give an overview of the state-sponsored activity we've observed over the last year.
Ep 123: Truebot and the Silence group
In this episode of Talos Takes we are joined by Tiago Pereira to discuss his recent blog on Truebot activity. Truebot and the Silence group have been active for a number of years, primarily conducting financially motivated cybercrime. In this episode we will talk about the recent campaign we observed, as well as the tools and tactics we uncovered. We'll also discuss the links between these groups and other threat actors, like TA505.
Ep 122: Year in Review & Ukraine Activities
In this episode of Talos Takes we are joined by Kendall McKay to discuss the recently released year in review report and dig deep on our activities in Ukraine. The year in review covers a vast amount of data and intel sources to identify some of the key trends we observed in 2022. Our activities in Ukraine have been well documented; in this episode we'll also talk more broadly about the trends and highlight some key findings from the past year.
Ep 121: Update on LodaRAT and its many variants
LodaRAT is an AutoIT-based RAT that has been distributed for the last several years. Initially tied to the Kasablanka group, its distribution has grown over the years. In this episode we'll be talking with the researcher, Chris Neal, to discuss LodaRAT and the campaigns we've been observing, along with some key tidbits about how AutoIT is abused by adversaries, including some fun with decompiling and recompiling.
Ep 120: The basics of InterPlanetary File System (IPFS) and how it's being abused
InterPlanetary File System, or IPFS, has increased in prominence as a file hosting technology associated with Web 3.0. It's probably best known for hosting NFTs, but this blockchain-related technology is also being abused by bad actors. In this episode we'll be talking with Edmund Brumaghin about his recent research into IPFS and his findings. We'll also talk about the ways we've seen malicious actors abuse it and briefly touch on things organizations can do to protect themselves.
Ep 119: The best (and free) ways to improve your cybersecurity skills
To wrap up Cybersecurity Awareness Month, we're looking at the best, and free, ways to improve your security skills. Jason Kirkland and David Roman from Cisco Talos Incident Response join Jon to talk about the websites, YouTube channels, social media profiles and more they use to stay up-to-date on security news and polish their cybersecurity skills. Here are links to some of the resources we spoke about in this episode:
@SwiftOnSecurity
@CISAgov
Blue Team Village Discord
The Definitive Compendium Project
Digital Forensics & Incident Response
Find your local BSides chapter
DFIR Diva
TryHackMe
r/netsec
Thirteen3
Cisco Talos YouTube page
Ep 118: The basics of threat hunting
To celebrate this week's National Cybersecurity Awareness Month theme, we have a special 101 episode of Talos Takes to cover the basics of threat hunting. This is a crucial skill for any cybersecurity professional-in-training and one of the questions we get the most often. Asheer Malhotra from the Talos Outreach team joins the show to talk about where he starts finding new malware families and threat actors, what the barriers usually are that he has to overcome and what check boxes he has to hit before he can talk about something publicly. For more on this topic, watch our "Threat Hunting 101" livestream from earlier this week here.
Ep 117: Tips for kickstarting your cybersecurity career
To celebrate National Cybersecurity Awareness Month, two one-time "security noobs" talk about their career trajectories and how they've grown to see themselves in cyber. Sammi Seaman and Jon Munshaw talk about their previous careers in library services and journalism, respectively, and how they applied some of those skills to cybersecurity. Other talking points include:
Cybersecurity "ah ha!" moments.
Not being afraid to ask questions.
Free ways to expand one's cybersecurity knowledge.
The importance of getting involved in local cybersecurity conferences and non-profits.
Ep 116: The latest on LockBit 3.0 drama and the rest of the ransomware landscape
Azim Khodjibaev joins the show once again for the latest edition of "Days of our Ransomware." Jon and Azim talk about the recent LockBit 3.0 leaks and the drama surrounding them. Will other actors try to piggyback off the leaked builder? Why is LockBit switching to triple extortion tactics now? And what other trends are going on in the ransomware landscape? This is the perfect place to get caught up on all things ransomware to head into the rest of National Cybersecurity Awareness Month.
Ep 115: An "insider threat" doesn't always have to know they're a threat
Nick Biasini is back once again to talk to Jon about insider threats. Nick recently wrote a post about how he and Cisco Talos Incident Response are seeing an increase in these types of attacks in the wild. And while the term "insider threat" may sound like someone actively seeking to do something bad, that's not always the case. This week's episode discusses how to prepare for insider threats and some of the hallmarks of the spam emails, calls and mobile notifications we're seeing in these campaigns.
Ep 114: Once more into the Lazarus Pit
Vitor Ventura from the Talos Outreach team joins the show this week to run down Talos' recent research into the Lazarus Group. This North Korean state-sponsored threat actor is well known for its ransomware and cryptocurrency-related cyber attacks, but we recently found it launching a new information-stealing trojan targeting energy companies. Vitor talks about the new trojan, MagicRAT, and how it fits into the group's larger plans and motivations.
Ep 113: Digging into Gamaredon's cave and its recent campaign against Ukraine
Guilherme Venere of the Outreach team joins Jon this week to discuss the Gamaredon APT group. This Russian state-sponsored actor is infamous at this point in its life, but it keeps growing by adding new tools and malware. Recently, Guilherme helped to discover a new campaign targeting users and organizations in Ukraine, a common target of Gamaredon since the onset of Russia's invasion. They discuss what's unique about this particular attack, and why we can't just assume their activities will stay isolated to Ukraine for the time being.
Ep 112: Back to school advice for teachers, students, parents, admins and everyone in between
We're headed back to school with Talos Takes again! Pierre Cadieux from Cisco Talos Incident Response joins the show to talk about advice for educational institutions. Jon asks him about common incident response advice for the education sector and we cover security advice for school admins, parents and students who have to worry about electronic devices traveling to and from school and connecting to all sorts of networks. This episode is particularly relevant this week given some recent major cyber attacks against the education sector, including a major event at the combined Los Angeles school district.
Ep 111 (XL Edition): Talos' update on our work in Ukraine
This week, we have the audio version of our recent livestream for Ukraine Independence Day. Talos assembled a panel of experts who have been working hands-on to defend critical Ukraine systems and its citizens from cyber threats. JJ Cummings, Ashlee Benge and Dmytro Krozhevin answer questions from Hazel Burton about the current security threats Ukraine faces, what Talos has done to hunt for threats in the region and how Cisco is supporting its employees in Ukraine.
Ep 110: The kinetic and cyber threats Ukrainian agriculture faces
An underrated aspect of Russia’s invasion of Ukraine is the effect it’s had on the global food supply chain. Ukraine is a major importer and exporter of grain and other food staples, but the industry now faces kinetic and cyber threats. Joe Marshall of Talos has spent months learning all about agricultural cybersecurity and the unique position farming equipment and infrastructure is in. Joe recently wrote about these threats for the Talos blog and joins Talos Takes to talk about how important Ukraine is to the global food supply chain and what law enforcement and global governments can do to prepare for potential state-sponsored attacks.
Ep 109: Why cybercrime is going small-time
The public traditionally thinks of cyber attacks as coming from some well-funded, state-sponsored actor. But increasingly, small-time criminals are turning to the internet to make their money. Rather than carrying out one-off robberies, they are working on insurance fraud scams and spam emails. Nick Biasini joins Talos Takes this week to discuss his recent research into this topic and shares what the data shows about the growth of small-time cybercrime.
Talos Takes Ep. #108 (XL Edition): On Air with Cisco Talos Incident Response
This week’s episode of Talos Takes is a special extra large edition. We’ve got the audio version of our recent Cisco Talos Incident Response On Air stream, where some of our responders got together to discuss the top threats of the past quarter. Liz Waddell and other team members covered everything from recent ransomware actor drama to the importance of saving logs and other tips they picked up over the past few months.
Talos Takes Ep. #106: The top attacker trends from the past quarter
Nate Pors joins the show this week to recap the recently released Cisco Talos Incident Response Quarterly Report. He and Jon recap the top attacker trends from the past quarter, including highlighting which types of attacks CTIR saw in the field and what new techniques adversaries are using. Topics discussed include the increased targeting of telecommunications companies, a decline in ransomware attacks and more business email compromise.
Talos Takes Ep. #103: What we can learn from a recent AvosLocker attack
Chris Neal from Talos Outreach recently dove into a recent AvosLocker ransomware attack in the wild. This week, he joins the show to recap his major takeaways from this attack that other potential targets can learn from. He and Jon talk about the current ransomware-as-a-service landscape, the use of living-off-the-land binaries and other calling cards from this actor to keep an eye out for.
Talos Takes Ep. #101: Cisco Live Talos roundup
Jon reports live from the floor of Cisco Live U.S. this week. He interviewed several Talos speakers about their talks at Cisco Live and some of the major takeaways from conversations with users and customers this week.
Talos Takes Ep. #100: Cisco Live U.S. preview
Get ready for Cisco Live next week in Vegas with a quick primer on everything Talos has going on at the conference. We’re excited to be back in person interacting with customers and users. Jon has a complete rundown of the Talos space at the conference, some talk highlights and other things you should know before you go. For a complete agenda, check out the Cisco Live Session Catalog.
Talos Takes Ep. #99: A primer on Talos at RSA
We’re doing something a bit different this week — it’s just Jon for a few minutes talking about Talos’ plans at the RSA Conference coming up next week. Catch up on our plans for the week and hear about some special events we have planned. To stay up-to-date on the latest, follow us on Twitter. And if you prefer a written preview, read this week’s Threat Source newsletter.
Talos Takes Ep. #96: Takeaways from victim chats with two ransomware groups
Kendall McKay joins Jon this week to discuss the Hive and Conti ransomware chats she and her colleagues recently reviewed. We obtained some leaked chats between these ransomware groups and some of their victims, showing us what communicating with an attacker is really like. Jon and Kendall discuss the negotiation process over a ransom payment and what else we learned from these chat logs.
Talos Takes Ep. #95 (XL Edition): CTIR recaps last quarter's top threats
On this week’s episode of Talos Takes, we’re bringing you the recording of last week’s live stream with Cisco Talos Incident Response. Beers with Talos’ own Liz Waddell hosted the first in our new “On Air” series with CTIR, where she and her fellow Talosians recapped the previous quarter’s top threats. They run through the malware families CTIR saw most in the field and discuss other trends that threat actors are starting to adopt.
Talos Takes Ep. #91: The tax scams cometh
It’s tax season! You know what that means — sadness, frustration and scams. Host Jon Munshaw sat down with Nick Biasini from the Talos Outreach team to talk about common tactics adversaries use around this “holiday” to try and spread malware, steal personal information and take users’ money. We talk about free security tools you can deploy to block these types of threats, common spam tactics to keep an eye out for and other services that can help you prepare for a worst-case scenario.
Talos Takes Ep. #87 (XL Edition): Livestream update on the current cybersecurity situation in Ukraine
The Cisco Talos threat intelligence team and Cisco ThousandEyes went live on Talos’ social media platforms Friday to provide guidance on current cyberattacks and insight into internet activity in Ukraine. Both teams are actively monitoring the digital landscape and openly sharing essential findings to contribute to the safety of our customers globally. Many of our teams have set aside normal tasks, now spending their time watching over Ukrainian networks. Other teams have focused on protecting refugees, physically and digitally. Still others have volunteered their free time contributing critical components to our open-source intelligence work. The audio version of this briefing will share what we have seen and how you can protect your data, network and teams.
Talos Takes Ep. #83: The latest on the cybersecurity situation in Ukraine
Jon Munshaw and Nick Biasini sit down for a few minutes to discuss the latest on the ongoing cyber attacks and security concerns in Ukraine. They discuss how a recent set of attacks against government-run websites compares to past attacks like NotPetya, and provide guidance for any companies who may be based in, or do business in, Ukraine. For more of Talos’ insight on this, please continue to check back on our blog post here.
Talos Takes Ep. #82: Log4j followed us into 2022
We thought it was all about “New year, new me” heading into 2022, but it turns out it’s the same cybersecurity problems. Join host Jon Munshaw as he welcomes threat researcher JJ Cummings to discuss how the Log4j vulnerability event evolved over the holiday break. JJ, who you may recognize from our recent live Beers with Talos episode, discusses the new CVE that popped up the week after Christmas, and then discusses what he and his team will be looking into regarding Log4shell in 2022.
Talos Takes Ep. #81 (XL Edition): Log4J roundtable
This is a special XL edition of Talos Takes that is a replay of a live stream our amazing researchers put on earlier this week. You’ll hear Matt Olney, Amy Henderson and Vitor Ventura, all from Talos, talk about the Log4J vulnerability that is ruining the internet for everyone right now. They discussed the latest news around the vulnerability, provided advice to users who may be affected (i.e., pretty much everyone) and looked at where we go from here. If you’d like to hear more from us, you can join us LIVE on all of our social media platforms at noon ET on Friday, Dec. 17 for a special episode of Beers with Talos, where we’ll have more updates on Log4J.
Talos Takes Ep. #79: Could Emotet be back?
Emotet was about a month late for Halloween, because it’s got its zombie costume on. The long-known botnet is showing some signs of life in late 2021 after an international law enforcement takedown earlier this year. Nick Biasini joins Talos Takes this week to discuss what signs we’re seeing to indicate Emotet’s return, and provides some advice as to what we should look out for as we head into 2022.
Talos Takes Ep. #78: Attackers know you are still looking for a PS5 this holiday season
We know, we know. We do one of these every year. But people are still falling for scams, so we still have to keep reminding people how to shop safely online! This year is a bit different than past Black Fridays and Cyber Mondays because of the issues around the supply chain. Attackers are sure to try to convince you that the big gift you want this year won’t arrive on time, so you have to “ACT NOW!” Plus, there’s the continued frenzy to find PlayStation 5s and Xbox Series X/S consoles. Jon and Nick talk about scams you’re likely to see while shopping online over the long weekend and provide some helpful tips that anyone can use.
Talos Takes Ep. #77: How to safely connect to (and use) public WiFi
For the first time in Talos Takes’ history, we have a formal crossover with Beers with Talos. Mitch Neff, the host of BWT, joins the show to talk about his horror stories using public WiFi networks. He and Jon discuss the safest ways to interact with large public networks in places like libraries, parks and airports, and potential alternatives to public hotspots.
Talos Takes Ep. #76: What type of secrets could Kimsuky be after?
Jon took a break from listening to “Red (Taylor’s Version)” to turn this podcast around quickly to align with our recent research on the Kimsuky APT. This North Korean state-sponsored actor is in the wild again, targeting South Korean organizations that house potentially sensitive information. The group set up fake Blogger sites to lure victims in to read about news related to nuclear disarmament and relations on the Korean peninsula, but the visitors were instead hit with info-stealing malware. Asheer Malhotra, who helped research and write our latest blog, joins the show to discuss this group’s motivations, what information they may have been looking for, and how Talos helped put a stop to their actions.
Talos Takes Ep. #73 (NCSAM edition): Fight back against the phish
We continue our special series for National Cybersecurity Awareness Month by addressing everyone’s worst nightmare: phish. Who among us hasn’t gotten the call, “We’re trying to reach out about your car’s extended warranty?” In this Talos Takes, Jaeson Schultz, Talos’ foremost spam and phish expert, breaks down spam emails, phone calls and messages for any user. We discuss new trends we’re seeing from attackers in 2021, talk about the best software solutions available and give advice to Jon’s 77-year-old grandmother.
Talos Takes Ep. #70 (NCSAM edition): For once, a positive spin on hybrid work
Everyone loves to talk and write about how tough it is that we are all working remotely during the COVID-19 pandemic. So for once — to celebrate National Cybersecurity Awareness Month — Talos Takes wants to talk about the positives! Christopher Marshall, the head of Talos’ detection research team, joins the show to discuss how he’s kept his team’s morale up during this time. Cybersecurity is a rough industry to be in, regardless of any external factors. So it’s important for him to avoid employee burnout and turnover. He and Jon also discuss the positives of working remotely, what they’re most looking forward to when they can go back into the office and their favorite pandemic-era hobbies.
Talos Takes Ep. #66: Dude, where's my bandwidth?
“Proxyware” sounds like a complicated topic that you’re too afraid to ask about. But really, it’s just software that allows users to sell off a portion of their internet bandwidth for a small profit. Problem is, attackers are swooping in on this popular software to spread malware and steal users’ money. Edmund Brumaghin joins the show this week to discuss his recent research into proxyware applications and how malware is hiding in plain sight. Edmund discusses why these types of apps are potentially unwanted applications, and what the threat is for enterprise users with remote workers, as well as personal PC users.
Talos Takes Ep. #26: How to safely browse the web
There are so many options now for basic web browsing. There are ad-blocking plugins, privacy browsers, incognito mode, password managers — but for the average user, this can be a lot to keep up with. In this episode of Talos Takes, we dissect all these options and talk about what your best options are to keep your information safe while doing some everyday web browsing.
Talos Takes Ep. #28: Sharing information on information-sharing
Talos intakes a ridiculous amount of information every day. So how do we parse what is and isn’t important enough to share? In this episode of Talos Takes, Amy Henderson from our Threat Intelligence and Interdiction team talks about our information-sharing partnerships with both private and public entities. How do we disseminate important information to our friends in the field? And why are security organizations like the Cyber Threat Alliance so important?
Talos Takes Ep. #35: If a deal seems too good to be true, it probably is
More shoppers are expected to buy online this year than ever. Everyone’s encouraged to stay home and avoid lines and crowds due to the COVID-19 pandemic, which has left retailers offering deals earlier in November than ever before. So how can you stay safe while doing all your holiday shopping online? In this episode of Talos Takes, we’ll talk through some of the common schemes we’re seeing and talk about what makes this year unique when it comes to spam campaigns.
Talos Takes Ep. #36: Ransomware's big 2020
Everything was on fire this year, and the internet was no different. Ransomware was the leading cause of headaches and late nights for defenders and IT experts this year. On the latest Talos Takes episode (and the last of 2020), Azim Khodjibaev joins us to talk about ransomware’s big year. We talk about why adversaries wanted to go big-game hunting, and what this could mean for trends in 2021.
Talos Takes Ep. #37: What's with all this talk about supply chain attacks?
The major SolarWinds campaign has been generating headlines for weeks now. And while its specific targets make this attack unique, this is far from the first-ever supply chain attack. So what is a supply chain attack? And should your organization be prepared for them? In this episode of Talos Takes, Nick Biasini talks about the history of supply chain attacks, and how they can even be traced back to the 1970s.