Cisco Talos has discovered a new threat we're calling "Sea Turtle," which is targeting public and private entities across the globe. The attackers appear to be using DNS hijacking as their primary method of attack. Check out all the details here
We have new tools we're excited to show off: GhIDA, an IDA Pro plugin that integrates the Ghidra decompiler in the IDA workflow, and Ghidraaas, a simple web server that exposes Ghidra analysis through REST APIs
Last day to register! Get the latest intel on Miners, Malspam, and Meltdowns from Talos Research Engineer Nick Biasini. The event is nearly full, so register now.
#MagicRAT is the latest #malware from the well-known #LazarusGroup (a suspected North Korean APT). More on this new threat and Lazarus Group's overall goals here
BlackMatter, BlackCat, DarkSide...it can be tough to keep up with all these #ransomware threat actors and their various names. But is there any real connection between these groups? We take a closer look in our newest blog post
The adversary behind WastedLocker is taking advantage of various "dual-use" toolsets like Cobalt Strike, Mimikatz, Empire and PowerSploit to move laterally across many victims' networks. Find out the full details of this threat here
It's here! Snort 3 is now in beta. Here's everything you need to know about what makes Snort 3 different from 2, and what changes we plan on making in the future. Let us know what you think!
Cisco Talos has discovered a new malware we're calling #DNSpionage that's targeting governments in the Middle East and even one airline company. Here's a breakdown of the attacker's methods and the malicious documents they're spreading
Despite a recent takedown from the FBI, our research indicates that the actor behind #Qakbot is still active with its spamming operations, and is still delivering the #RansomKnight #malware
Cisco Talos recently discovered a new attack framework called "Manjusaka" that could be the next #CobaltStrike and grow in popularity in the coming months. Read all about this new threat here:
We recently discovered a new C2 framework called #Alchimist that's spreading the new #Insekt trojan, targeting Windows, Linux and Mac machines
Interview with a #LockBit #ransomware operator: Over the course of several weeks, we conducted multiple interviews that gave us a rare, first-hand account of a ransomware operator's cybercriminal activities. Read the full report here
#NorthKorea's Lazarus Group is back again, this time with two new remote access trojans. The attacker continues to use the same infrastructure, but is changing up their eventual payloads. More here:
We have new details on a #spyware tool called #Predator that's actively being sold and used to unknowingly track targeted users. Here's the full technical breakdown of how this tool works and why the use of "mercenary" spyware is on the rise
2021 started off with the fallout of #SolarWinds. Now, somehow, we're dealing with #Log4j. Let's take a look back at the Year in Malware to see how we got here
The Talos Quarterly Threat Briefing is coming up next Tuesday - "Miners, Malspam, and Meltdowns"
Get the Talos take on a very active quarter in the threat landscape.
Spots are limited, register now:
We are actively following the #Kaseya supply chain attack and associated #REvil ransomware. Here's what we know so far and some defensive strategies to deploy
As the Russia-led invasion intensifies, Ukraine is being attacked by bombs and bytes. Cisco is working around the clock on a global, company-wide effort to protect our customers there and ensure that nothing goes dark
Recently, a new threat referred to as #SQUIRRELWAFFLE (unfortunately no, we didn't name it) is being spread more widely via spam campaigns, infecting systems with a new malware loader. Find out why you should be on the lookout
Join @infosec_nick on Tues Feb 27 for the Talos Quarterly Threat Briefing - "Miners, Malspam, and Meltdowns" - a look at the most insidious threats Talos has seen in the last quarter.
Spots are limited, register now:
We have more information to unveil regarding VPNFilter. There are seven new third-stage modules that we believe everyone needs to know about. Read about our updates here
To no one's surprise, the #Emotet botnet is back, this time using OneNote documents to spread its malware and infect systems. Here's what we know about this latest reboot and how users can stay protected
Cisco Talos has been tracking several different sextortion spam campaigns over the past few months. Here are the connections we were able to draw, in addition to other spam campaigns that are hitting people's inboxes
Two VPN clients — ProtonVPN and NordVPN — have very similar privilege escalation vulnerabilities that could allow an attacker to execute code with administrator privileges. Here's what to watch out for, and how you can protect against them
We recently discovered a new point-of-sale malware available on some forums called "GlitchPOS." The malware is easy enough to set up and use that it could allow basically any user to establish their own botnet #GlitchPOS #malware
From @CNN, learn how a team of experts from Talos and others at @Cisco are helping to protect #Ukraine's power grid with a line of specially crafted devices
The #Turla APT is back with a new backdoor, very similar to its previous "TinyTurla" tool. Read more about what this Russian state-sponsored actor is up to now
SO THERE ARE THESE BAD GUYS IN CANADA WHO SEND YOUR GRANDMA MEAN EMAILS ASKING FOR $100 AMAZON GIFT CARDS AND YOU CLICK ON A BAD LINK THAT GIVES YOU BAD THINGS
Today, we are releasing the 1.0 beta version of Dynamic Data Resolver (DDR) — a plugin for IDA that makes reverse-engineering malware easier. Check out the full details here
Adversaries are increasingly relying on publishing sites to host lure documents to bypass traditional detection techniques. More on our blog about what Talos Incident Response is seeing in the wild with this tactic
#Ransomware is not just financial extortion. It is crime that transcends business, academic and geographic boundaries. Talos was proud to assist with this #RansomwareTaskForce report that provides a path forward to mitigate this criminal enterprise
Cisco Talos is aware of CVE-2021-44228, an actively exploited vulnerability in #Apache #Log4j. We are releasing coverage to defend against the exploitation of this #vulnerability
A new variant of the #Hawkeye malware is active after a change in ownership. We've seen it used against organizations to steal sensitive information and account credentials for use in additional attacks. Here's a rundown of all features and protections
We recently discovered several vulnerabilities in a smart air fryer that an attacker could use to change cooking settings. Here's more on these issues and a Snort rule to keep your chicken tenders safe
We recently uncovered a new threat actor called "SWEED" that's been active for at least three years. Check out our full breakdown here, along with coverage of the various malware families they distribute #SWEED #malware
Today marks one year since Russia invaded Ukraine. Talos stays committed to our unwavering support of our colleagues, partners, and the people of Ukraine:
Our vulnerability analysts have developed a custom fuzzer using the popular snapshot fuzzer "WTF" which targets Direct Composition in #Windows. Learn more about this tool and how it could help other researchers here
We recently identified a series of documents that we believe are part of a coordinated series of cyber attacks that we are calling the "Frankenstein" campaign. Why should you be worried about this? And what can you do to keep your network safe?
Last night, we released the latest Snort rule update, which includes coverage for the highly publicized Microsoft vulnerability CVE-2019-0708. The vulnerability is wormable, meaning future malware that exploits this bug could spread from system to system
A new C2 platform called #DarkUtilities recently popped up, and attackers wasted no time in leveraging it for their #malware campaigns. Here's what we know about this "C2aaS"
[UPDATE] As part of our work analyzing malicious activity in Ukraine, we are tracking many actors, both state-sponsored and typical cybercriminals. One recent sample indicates a possible increase in threats targeting countries that are *NOT* Ukraine.
Emotet is back again with a new campaign displaying many characteristics of older runs, including the use of Auto_Open macros inside XLS documents. Read Talos’ latest coverage of Emotet here:
We recently discovered a new threat actor called #YoroTrooper that's primarily motivated by espionage-related activities. Find out what this group may be after and why.
We recently saw threat actors exploiting a #Windows policy loophole that allows the signing and loading of cross-signed kernel-mode drivers with older signature timestamps. #Microsoft just released an advisory on this activity, but more on our blog here:
Shoutout to the many members of our team who worked on our DNS hijacking research that won the Peter Ször Award for outstanding research at the @virusbtn conference. Thanks to @martijn_grooten, as well!
A new malware campaign is distributing Agent Tesla and Loki, but traditional antivirus systems aren't picking it up. Find out why here, and dig more into our research
We have some exciting news to share! Cisco Talos, in partnership with the state of Maryland, is launching CyberVets USA, an industry partnership of cyber-focused companies offering free training and certifications to the military and veteran community
.@snort was hard at work all last year protecting users on a day-to-day basis. Here's a look at which rules were triggered the most in 2018, which paints a picture of what attackers used the most
Individuals and organizations often rely on secure messaging apps to keep their communications safe and encrypted. But there are usually ways to get around these apps' security protocols. We break down potential exploits in a few of these services here
Organizations around the U.S. were hit with phony bomb threats yesterday. Talos was able to connect these attacks to the same actors behind a sextortion campaign we recently reported on. Read about our new findings here.