Talos Takes

Exploring vulnerable Windows drivers

Wed, 15 Jan 2025 05:00:00 -0500

Hazel sits down with Vanja Svajcer from Talos' threat research team. Vanja is a prolific malware hunter and this time he's here to talk about vulnerable Windows drivers. We've been covering these drivers quite a bit on the Talos blog over the last year, and during our research we investigated classes of vulnerabilities typically exploited by threat actors as well as the payloads they typically deploy post-exploitation. The attacks in which attackers are deliberately installing known vulnerable drivers only to later exploit them is a technique referred to as Bring Your Own Vulnerable Driver (BYOVD).

If you're curious about this topic and the recommendations our team has to help you address vulnerable drivers in your environment, then this episode is for you.

The full research can be found at https://blog.talosintelligence.com/exploring-vulnerable-windows-drivers/

It's the 35th anniversary of ransomware - let's talk about the major shifts and changes

Wed, 11 Dec 2024 08:00:00 -0500

Ransomware is 35 years old this month, which isn't exactly something to celebrate. But in any case, do join Hazel and special guest Martin Lee to discuss what happened in the very first ransomware incident in December 1989 and why IT "wasn't ready".

They then discuss how ransomware evolved to become the criminal entity it is today, which involves looking back on the likes of SamSam, Maze and the emergence of crypto currencies. Plus, learn why Martin says we shouldn't feel powerless in the face of ransomware.

Unwrapping the emerging Interlock ransomware attack

Thu, 14 Nov 2024 05:00:00 -0500

Chetan Raghuprasad is our guest today as he breaks down the relatively new Interlock ransomware attack. Cisco Talos Incident Response recently observed this attacker conducting big-game hunting and double extortion attacks.

Chetan talks about the initial access tactics, deployment of the ransomware encryptor, and how Interlock communicates with its victims using their “Worldwide Secrets Blog”.

For the full analysis, head to https://blog.talosintelligence.com/emerging-interlock-ransomware/

It's Taplunk! Talos and Splunk threat researchers meet to put the security world to rights

Thu, 31 Oct 2024 05:00:00 -0400

What happens when two sets of threat researchers from Talos and Splunk's SURGe team meet? Aside from some highly controversial opinions and omissions about the best horror movie, the team discuss what security trends are FUD, and what's actually fearful/ most challenging at the moment. Also, what is the security industry not aware of enough, and also too aware of? Plus some thoughts on cybersecurity awareness training and how we can do better.

This is a great conversation facilitated by SURGe's Mick Baccio, with Joe Marshall and Nick Biasini from Talos, and Tamara Chacon and Audra Streetman from SURGe.

Catch up on all the latest and greatest threat research from our friends at SURGe at https://www.splunk.com/en_us/surge.html

The biggest takeaways from Talos IR's new report: New ransomware variants, EDR tool uninstallation, and password spray attacks increasing

Fri, 25 Oct 2024 05:00:00 -0400

The Talos IR Quarterly Trends Q3 2024 is out now! In this episode Hazel Burton, Craig Jackson and Bill Largent discuss three big themes: some new ransomware players, the 'Bring Your Own Vulnerable Driver' trend, and why password spray attacks are making a comeback.

Check out the full report at https://blog.talosintelligence.com/incident-response-trends-q3-2024/

How Talos IR and Splunk are teaming up

Fri, 13 Sep 2024 04:00:00 -0400

Hazel Burton steps in as guest host this week to talk to Brad Garnett, the head of Cisco Talos Incident Response, and JK Lialias, the head of cybersecurity product marketing for Splunk. Brad and JK share two exciting in which Talos is being incorporated into Splunk now, and what that means for the ways we can keep users more secure. They also talk about what better visibility into attacker trends means for the end user and defenders.

Why the BlackByte ransomware group may be more active than we initially thought

Fri, 06 Sep 2024 04:00:00 -0400

James Nutland from Talos' Threat Intelligence team joins the show this week to talk to Jon about his report on the BlackByte ransomware group. They cover why this group is actually more active than we initially thought, and check on the general state of ransomware at this point in 2024.

AI, critical infrastructure dominate conversation at Hacker Summer Camp

Fri, 23 Aug 2024 04:00:00 -0400

It's quite the gang for Talos Takes this week with Joe Marshall, Nick Biasini and Mick Baccio (from Splunk's SURGe team) joining Jon this week to recap Black Hat and DEF CON. They share all the conversations and talking points they heard around AI, and the renewed importance of a software bill of goods for industrial control system environments.

A 1-on-1 with Talos VP Matt Watchinski

Fri, 16 Aug 2024 04:00:00 -0400

He's been here since the beginning, and now he's ready to reflect on the past 10 years of Cisco Talos. Matt Watchinski, the Vice President of Talos for Cisco, joins Jon this week to talk about Talos' recently celebrated 10th birthday and talk about the company's origins, how we've managed to balance growth and culture, and his favorite memories from the past 10 years.

What should we be doing to better support open-source software?

Fri, 02 Aug 2024 04:00:00 -0400

People who maintain, create and update open-source software are the unsung heroes of the internet. Their work keeps much of our networks running on a daily basis, and the vast majority of them do it for free! While there are some security pitfalls that can come with using OS software, Martin Lee and Jon get together to discuss what (if anything) we can be doing to better support OS software, and how to make our networks more resilient against vulnerabilities that can arise in these tools.

Threat actor trends and the most prevalent malware from the past quarter

Fri, 26 Jul 2024 04:00:00 -0400

Hazel Burton guest hosts this week to recap the top threats observed by Cisco Talos Incident Response (Talos IR) in the second quarter of 2024. She’s then joined by Talos’ Joe Marshall and Craig Jackson to pick out some of the most interesting stories from the report.

You got a data breach notification. Now what?

Fri, 19 Jul 2024 04:00:00 -0400

Joe Marshall, Talos' resident ICS and IoT expert, and Pierre Cadieux from Talos Incident Response join Jon this week to discuss data breaches. Between Snowflake, AT&T, Ticketmaster and more, we should probably assume our data has been part of a leak somewhere. So what steps should you take to prepare for this inevitability? Or what should you do when you get a data breach notification from a company?

What we learned from studying the TTPs of the 14 most active ransomware groups

Fri, 12 Jul 2024 04:00:00 -0400

Fresh off an analysis of the 14 most active ransomware groups, James Nutland joins Jon this week to discuss his findings. They talk about the most common TTPs shared among these groups, and the potential outliers among these gangs and how they try to infect victims. For more on this topic, watch the inaugural episode of "The Talos Threat Perspective."

Time to catch up on the wide-reaching Snowflake incident

Fri, 28 Jun 2024 04:00:00 -0400

Over 160 companies have been affected by a data breach at data storage company Snowflake, including Ticketmaster, Nieman Marcus and more. But the issue wasn't a security vulnerability or some sophisticated malware — it was just someone who exposed their login credentials at a different company. Host Jon Munshaw got Pierre Cadieux from Talos IR and Nick Biasini from Talos Outreach to discuss the follow-on breaches that have resulted from this and the lessons we can learn about making our login credentials more secure.

Everything we know about denial-of-service attacks in 2024

Fri, 21 Jun 2024 04:00:00 -0400

You may think a DDoS attack is so early aughts. But some of the largest attacks of this type have occurred in just the past few years. Talos recently updated our advice for how to best mitigate and prepare for this threat, so Aliza Johnson from Talos' Threat Intelligence & Interdiction team joins the show this week to discuss her recent findings and hacktivists' trends around using this threat.

The many shades of LilacSquid

Fri, 14 Jun 2024 04:00:00 -0400

Anna Bennett, one of Talos' threat hunters, joins the show this week to talk about one of her recent findings — the LilacSquid APT. This is a newly discovered threat actor that Talos found hiding on networks for months and years at a time, silently stealing sensitive information the entire time. Anna discusses LilacSquid's activities, potential motivations, and how they overlap with North Korean APTs.

A mid-year checkin on Volt Typhoon

Fri, 07 Jun 2024 04:00:00 -0400

The Volt Typhoon threat actor is one of the longest-running cybersecurity storylines this year. The Chinese state-sponsored actor has already been accused of a range of attacks, specifically targeting critical infrastructure and U.S. military bases. Since it's been a few months without any new developments with this group, we thought it'd be a good idea to check in with Talos' Threat Intelligence and Interdiction team on what's going on with this actor, and if they're up to anything new.

How much has AI helped bad actors who spread disinformation?

Fri, 31 May 2024 04:00:00 -0400

Inspired by his quotes in a recent CNBC article, Jon Munshaw wanted to have Martin Lee on the show this week to discuss AI and how adversaries can use these tools to create deepfakes and disinformation. Martin shares why he thinks the threats of increasing fake news with the advent of AI tools are a bit overblown, and how the dangers in spreading fake news come more from text-based posts than any deepfake video or audio. If you'd like to learn more about how to detect potential deepfake videos or fake news articles, check out the additional resources here and here.

Recapping RSA

Fri, 17 May 2024 04:00:00 -0400

Nicole Hoffman, fresh off her trip to the RSA Conference, joins host Jon Munshaw this week to talk about her major takeaways from the week in San Francisco. Nicole talks about how most of the discussions on the floor centered around AI, and what lessons other defenders are learning from some of our past mistakes. If you'd like to check out Nicole's other work, buy her children's cybersecurity books on Amazon.

Why CoralRaider is looking to steal your login credentials

Fri, 10 May 2024 04:00:00 -0400

Joey Chen from Talos' Outreach team is here to tell us all about his research into the CoralRaider threat actor. He's helped write two posts on the recently discovered APT, disclosing new information about how this Vietnamese-based actor is targeting login credentials. After stealing those credentials, they go on to try and sell them on the dark web, or use them to try and brute force their way into more important accounts. Joey discusses what this actor is really after, and why they've been growing so quickly.

4 takeaways from what Talos IR is seeing in the field

Fri, 03 May 2024 04:00:00 -0400

Hazel Burton steps in to host this week's episode as we cover the recent Cisco Talos Incident Response Quarterly Trends Report from the first quarter of this year. Hazel talks to different Talosians to find out why business email compromise is on the rise, how attackers are bypassing MFA, and more.

How to defend against brute force attacks

Fri, 26 Apr 2024 04:00:00 -0400

After a recent spike in brute force attempts targeting SSH and VPN services, we felt it was a good time to give listeners a lesson on brute force attacks. Nick Biasini joins host Jon Munshaw this week to discuss the basics of these methods, how administrators can protect their accounts, and other potential defense mechanisms (or whether to just take passwords out of the equation entirely).

What are the dangers of enabling sideloading and third-party apps?

Fri, 19 Apr 2024 04:00:00 -0400

Apple now must allow users to be able to sideload apps onto their phones or access third-party app stores, thanks to a law from the European Union that went into effect earlier this year. Terryn Valikodath from Cisco Talos Incident Response joins Jon this week to discuss the potential dangers that come with allowing users to sideload apps onto their devices, and how attackers may take advantage of this new opening.

Why we need to stop calling as-a-service group takedowns "takedowns"

Fri, 12 Apr 2024 04:00:00 -0400

Hazel Burton and Thorsten Rosendahl join Jon Munshaw on this week's episode to discuss the problem with threat actor "hydras." They recently wrote about the topic for the Talos blog, highlighting how law enforcement takedowns of these groups are closer to just disruptions or setbacks for these massive actors. They talk about what really needs to be done to stop ransomware actors and why RaaS is a breeding ground for "hydras."

Turla has been around for 20-plus years at this point, but they're still mixing things up

Fri, 05 Apr 2024 04:00:00 -0400

Holger Unterbrink of Talos Outreach joins the show this week to discuss his recent Turla APT research. This Russian state-sponsored actor has been around for years but is regularly adding new tooling to its arsenal. Holger has new details about their latest tool, TinyTurlaNG, and insight into the types of organizations they're targeting.

Why more actors are starting to use Telegram for their communications

Fri, 22 Mar 2024 04:00:00 -0400

Jon started noticing that Talos is finding more threat actors using Telegram nowadays for their communication and coordination, so he decided to bring Azim Khodjibaev on to ask him if he was just inventing this, or if it was a real trend. Turns out it's a real trend! Azim fills listeners in on why Telegram is becoming the app of choice for APTs to publish "news," threaten data leaks, and more.

Why no one should be relying on passive security in 2024

Fri, 15 Mar 2024 04:00:00 -0400

Nick Biasini joins Jon this week to talk about passive security. He recently wrote about this topic for the Talos blog and joined Wendy Nather in discussing the merits of passive security versus active blocking. Nick defines what passive security is, exactly, and why it's not the way to go in the modern age.

What's new about GhostSec's ransomware-as-a-service model

Fri, 08 Mar 2024 04:00:00 -0500

Chetan Raghuprasad from the Talos Outreach team joins Talos Takes this week to talk to Jon about the GhostSec threat actor that he and a few colleagues wrote about for the Talos blog. GhostSec has teamed up with another ransomware group to carry out double extortion attacks all over the globe, with increasing frequency over the past year. They discuss what's unique about this particular RaaS model, where GhostSec came from, and the benefits of going in on a team-up.

Why are "identity attacks" on the rise?

Fri, 01 Mar 2024 04:00:00 -0500

Now more than ever, adversaries are logging in, not breaking in. They're stealing legitimate user credentials to hide undetected on a targeted network after acquiring said credentials in a variety of ways. Hazel Burton joins Jon Munshaw this week to discuss identity attacks, recommendations for avoiding them, and how QR code phishing plays into these tactics.

The tl;dr of NIS2

Fri, 23 Feb 2024 04:00:00 -0500

Gergana Karadzhova-Dangela and Thorsten Rosendahl, our resident experts on all things European Union cybersecurity law, join the show this week to talk about the impending NIS2 regulations. Don't worry, you've still got plenty of time to work on them, but this is a good place to get started even if you've never seen the phrase "NIS2" before. Find more of their writing on NIS2 here and here.

Case study: How Talos IR helped a healthcare tech company avoid a ransomware attack

Fri, 16 Feb 2024 09:00:00 -0500

Reposted from the Cisco Security Stories feed: Meet Jeremy Maxwell, CISO of Veradigm, a healthcare IT company. Jeremy discusses how his organization proactively prepares for cybersecurity incidents within a highly regulated industry.

How are attackers using malicious drivers in Windows to stay undetected?

Fri, 02 Feb 2024 04:00:00 -0500

Chris Neal from Talos Outreach joins the show today to talk about his research into the ways adversaries are using malicious drivers on Windows to spread malware. He recently launched a new series on the Talos blog about the basics of drivers and how security researchers can reverse engineer them to learn more about attacker TTPs and develop new detection content. Chris discusses when he first spotted this type of attack, what advantages it presents for the attacker and the other aspects of the research he plans to dive into.

(XL Edition): Talos IR recaps the top threats of Q4 2023

Fri, 26 Jan 2024 04:00:00 -0500

This week, we're bringing you the audio version of our recent Talos IR On Air video. Several Talos incident responders got together to recap the top threats and attacker trends of Q4 2023, as outlined in our full Quarterly Trends Report. Hear about why ransomware was up for the first time the entire year, and which sectors were being targeted most often.

What's new with CVSS 4.0, and does it really change anything?

Fri, 19 Jan 2024 04:00:00 -0500

We're talking about vulnerabilities this week with Jerry Gamblin from Cisco Vulnerability Management. Jerry joins the show to talk about the release of CVSS 4.0 this year — the newest method the security community will use to score the severity of certain vulnerabilities. Jerry discusses what makes this scoring system different from previous iterations if it changes how he views the term "severe" and how that fits into Cisco's overall vulnerability management processes.

XL Edition: Talos' 2023 Year in Review

Fri, 12 Jan 2024 03:00:00 -0500

In this special edition of the show, we're bringing you the audio version of our Year in Review livestream. Recorded at the end of December, this stream included Hazel Burton, Nick Biasini and Laurie Varner from Cisco Talos Incident Response recapping the year that was in cybersecurity. They covered the highlights of our 2023 Year in Review report, their personal takeaways from the past year, and trends to watch for heading into the new year.

Year in Review: Why are attackers targeting the telecommunications sector so often?

Fri, 05 Jan 2024 04:00:00 -0500

We're back from holiday break with the first new Talos Takes episode of 2024! We're continuing our dive into Talos' Year in Review report with Lexi DiSchola, one of the many researchers who helped put this report together. She discusses why we believe the telecommunications sector was the most-targeted industry in 2023, advice for companies in that space, and other popular targets for attackers.

Year in Review: Why was 2023 the year of data theft extortion?

Fri, 15 Dec 2023 04:00:00 -0500

Jon apologizes for how he sounds in this episode, he was having mic troubles we discovered only during post-production. But outside of that, we continue the series of episodes recapping 2023 with our Year in Review report. This week, Aliza Johnson from the Talos Threat Intelligence & Interdiction team comes on the show to talk about data theft extortion. She shares why her team saw such a spike in this type of activity in 2023, what can be done to stop it, and which ransomware actors are pivoting to this tactic.

2023 Year in Review: Everything you need to know about Chinese state-sponsored actors

Fri, 08 Dec 2023 04:00:00 -0500

To celebrate the launch of our 2023 Year in Review report, we're doing a series of episodes highlighting several of our key takeaways from the past year. First up, we have David Liebenberg from our Threat Intelligence team to discuss Chinese state-sponsored actors. This is an area David's been studying for many years now and actively researches. He'll discuss the latest Chinese APTs to step onto the scene and trends he's seeing from that area of the world.

Inside Talos' effort to protect the Ukrainian power grid

Fri, 01 Dec 2023 04:00:00 -0500

Joe Marshall, a central figure in the story of how Cisco Talos and other teams within Cisco worked together to protect the Ukrainian power grid, joins the show this week. He recaps a recent CNN story highlighting the new piece of equipment he and a group of volunteers worked on together to ensure the clocks that power the Ukrainian electric grid can withstand GPS disruption in the face of Russian cyber attacks and kinetic warfare.

Why has the Phobos ransomware been working for so long?

Fri, 17 Nov 2023 04:00:00 -0500

Guilherme Venere from Talos Outreach joins the show this week to talk about his research into the 8Base threat actor and its use of a variant of the Phobos ransomware. He recently published several works on the many variants of Phobos that exist in the wild, and why 8Base has been so successful using it for years now.

A warning about scams in "Roblox" (or any other online game, really)

Fri, 10 Nov 2023 04:00:00 -0500

Tiago Pereira from Talos Outreach joins the program this week to talk about his research into the different types of scams that appear in the online game "Roblox." Many underage users are at risk of being targeted by malicious users looking to steal their money, in-game items or even install malware on their devices.

XL Edition: The top incident response trends of Q3

Fri, 03 Nov 2023 09:00:00 -0400

This week is a special edition of Talos Takes. We have the audio version of Talos Incident Response's recent On Air stream, where they discussed the top attacker trends they're seeing in the field. Talos' incident responders discuss the malware they're seeing most often in infections, how attackers are shifting their tactics, and what other defenders can learn from these findings.

Patching 101

Fri, 27 Oct 2023 04:00:00 -0400

Jerry Gamblin from Cisco Kenna joins this week's episode to talk about all things patching. If you're the average user, you probably don't think about patching much because many of them happen automatically in the background. However many admins and users can unknowingly fall behind when it comes to protecting themselves against the latest vulnerabilities.

What happens when you actually click the "report spam" button?

Fri, 20 Oct 2023 04:00:00 -0400

Everyone is tired of getting spam emails at this point, and it can feel exhausting always to click that "report spam" button just to get another phony email a few hours later. But we're here to assure you that reporting and filtering spam really does help in the long run! Nick Biasini joins the show this week to discuss all things spam for Cybersecurity Awareness Month.

How to find the right password management solution for you

Fri, 13 Oct 2023 04:00:00 -0400

To continue our Cybersecurity Awareness Month series, Harpreet Singh from Talos Incident Response joins Jon to talk about password managers. They discuss the upside of using a third-party service like 1Password or LastPass, the potential dangers of using built-in browser password managers like Google Chrome and Safari, and other good password hygiene advice.

Cybersecurity Awareness Month: The best practices for implementing multi-factor authentication

Fri, 06 Oct 2023 04:00:00 -0400

All of October, we'll be covering broad security-related topics for Cybersecurity Awareness Month. First up, we address the basics of implementing MFA in any environment, why any type of MFA is better than no MFA, the pitfalls of certain types of authentication, and whether going passwordless is the future.

Inside a Talos Incident Response emergency event

Fri, 29 Sep 2023 03:00:00 -0400

Hazel Burton takes over as guest host for this episode as she talks to Nate Pors from Cisco Talos Incident Response. Nate was part of Talos IR's team that helped Veradigm, a healthcare technology company, prevent a Qakbot ransomware attack. Nate and his team recently wrote about this experience for the Talos blog, and Veradigm's CISO even joined the Cisco Security Stories podcast recently to discuss his company's relationship with Talos IR. Nate discusses how his team's pre-existing relationship with Veradigm helped them respond quickly and effectively. If you've ever wanted to hear a play-by-play of a security event, this is your chance.

How Talos helped defend Black Hat's network in Vegas

Fri, 22 Sep 2023 03:00:00 -0400

What happens when the hackers become the hacked? Black Hat is one of the largest cybersecurity conferences in the world, and Talos had a hand in defending the on-site network for the past few years. Yuri Kramarz from Talos Incident Response worked in Black Hat's Network Operations Center this year to help defend Black Hat's network and attendees who connected to the network while attending the conference in August in Las Vegas. He joins Talos Takes this week to discuss what he's learned from the past few years working in the NOC, what types of threats Black Hat faces, and the lessons learned he now takes back into the field with customers. You can also read his reflections on working in the NOC in 2022 here.

SapphireStealer hits the open internet

Fri, 08 Sep 2023 08:00:00 -0400

Cisco Talos has recently written about malware families that go open-source, sometimes of their own volition, and sometimes because of leaks. In the case of SapphireStealer, we still don't really know why someone posted this malware to GitHub, but now that it's out there, we can't put it back in a box. Edmund Brumaghin, who assisted with Talos' research and blog post on SapphireStealer, joins Talos Takes this week to discuss this information-stealer. Edmund talks about the goals that someone has by making malware open-source, how that affects detection and what makes SapphireStealer unique among infostealers.

You're never going to believe this, but Lazarus Group is back again

Fri, 01 Sep 2023 04:00:00 -0400

North Korea's infamous APT group is back on the scene, this time with two new remote access trojans. By now, you've probably heard of Lazarus Group and all the annoying things they do to steal sensitive information, make money for North Korea's missile program, etc. But we have an update on their current tactics and payloads they're sending around the globe. Asheer Malhotra from Talos Outreach joins Talos Takes this week to discuss the two new RATs he and his team discovered, why Lazarus Group is still creating new tools, and how their use of older, open-source software has made tracking them ever-so-slightly easier.

Carrying out incident response in-person vs. virtually

Fri, 25 Aug 2023 04:00:00 -0400

Everything about the modern workplace is different now from the start of the COVID-19 pandemic. Many companies are embracing the remote work lifestyle, while others are stuck in a hybrid model or pushing employees to come back to the office. With that in mind, we felt like it was a good time to check in on the incident response process for companies who have to deal with working remotely and those who prefer to conduct business in person. Yuri Kramarz and Gergana Karadzhova-Dangela from Cisco Talos Incident Response join the show this week to discuss how they handle onsite incident response versus engagements that need to be done remotely. There are drawbacks and benefits of both models, so it's up to the individual customer and specific circumstances to determine how a responder can best approach the event in question.

Hacktivism is quietly growing, especially when it comes to Russia's invasion of Ukraine

Fri, 18 Aug 2023 04:00:00 -0400

The stereotypical "hacker" who looks to do good in the world probably involves a Guy Fawkes mask and black hoodie. But hacktivism has become much more than that, especially since Russia invaded Ukraine. On the heels of a newly released overview on hacktivism, Lexi DiScola from the Talos Threat Intelligence and Interdiction team joins Talos Takes this week to discuss these actors. While not just anyone is likely a target for hacktivists, Talos has seen groups become more brazen and start looking to make money off their operations.

What's the difference between data theft extortion and ransomware?

Fri, 11 Aug 2023 04:00:00 -0400

Cisco Talos Incident Response observed data theft extortion more than any other type of cyber attack last quarter. So why has it become so popular? And what makes it different from ransomware? Jacob Finn from the Talos Threat Intelligence and Interdiction Team joins Jon this week to discuss the basics of data theft extortion. He just worked on an overview of this threat for Talos researchers and works closely with Talos IR on their quarterly trends reports. Jacob discusses why threat actors are choosing data theft extortion over ransomware and how this makes defense and detection more difficult. For more on this topic, read our one-page overview here.

Reading 2023's cybersecurity tarot cards

Fri, 04 Aug 2023 04:00:00 -0400

Hazel Burton and Jon Munshaw use this week to look back on the top threats and cybersecurity trends so far in 2023 and the rest of the year. Hazel recently compiled Talos' Half-Year in Review, recapping the top stories that Talos has been following so far this year. She and Jon talk about what stood out from the report, what our researchers have been thinking about up to this point, and what we'll be discussing come December.

(XL Edition): The top trends that Talos IR saw last quarter

Fri, 28 Jul 2023 04:00:00 -0400

We're back with the audio version of our quarterly Cisco Talos Incident Response On Air stream. Join the Talos IR team as they recap the past quarter's top trends, including talking about malware they're seeing in the wild, tactics that attackers are using most often to break into networks, and much more. They discuss why healthcare continues to be a popular target for bad actors, and how adversaries are pivoting away from ransomware and instead opting for data theft and extortion. If you prefer a video version, watch it over on YouTube here.

ISO 27002 sounds intimidating, but really it's just a cybersecurity shopping list

Fri, 21 Jul 2023 04:00:00 -0400

When Martin Lee first told Jon about ISO 27001 and 27002, Jon had to immediately Google whatever this combination of letters and numbers meant. Turns out there are international standards for cybersecurity, just like they have for selling lightbulbs and installing electrical outlets — who knew? Martin recently wrote about these standards for the Talos blog, outlining a list of recommendations for any organization looking to build a threat intelligence program from the ground up. Jon interviewed him about what these standards are, exactly, what they mean for companies looking to implement these standards, and why they recently included threat intelligence.

The dangers of "Mercenary" groups and the spyware they create

Fri, 14 Jul 2023 04:00:00 -0400

Asheer Malhotra is back to talk to Jon Munshaw about spyware and mercenary groups. Asheer recently helped publish Talos research on Mercenary Groups and why they're so dangerous in particular. We briefly touched on this topic in a past episode on the Predator/Alien spyware tag team, but this time we're getting into the broader field of what Mercenary groups are, exactly, and what makes them so dangerous. Asheer talks about recent steps governments have taken to curb the sale of spyware and why the "average" user should care about this topic, even though they're unlikely to ever be a target.

The various ways attackers can mess with URLs, TLDs and DNS

Fri, 30 Jun 2023 04:00:00 -0400

We decided to have a web navigation extravaganza this week! Guilherme Venere and Jaeson Schultz from Talos Outreach have both long been researching the ways in which bad actors try to damage users' inherent trust in the internet. Most internet users interact with the web by typing in a URL or domain name into their web browser (i.e., google.com) expecting that will take them to the right place. But attackers have found various ways to mess with that series of handshakes that must take place. Guilherme and Jaeson talk to Jon about their past years of research into typosquatting domains, new TLDs that open up the door to data leaks, DNS manipulation and more.

Additional reading:

What we know so far about the MOVEit zero-day making the rounds

Fri, 23 Jun 2023 04:00:00 -0400

Aliza Johnson from Talos Threat Intelligence and Interdiction team joins Jon Munshaw this week for a Talos Takes episode on the MOVEit zero-day vulnerability (that's since been patched) making headlines recently. Talos published an advisory last week on everything we know so far about the exploitation of this vulnerability and the group behind it, Clop. Aliza discusses where things stand right now, what Clop is doing once they gain access via this vulnerability and what Talos recommends for mitigation strategies for potentially affected customers.

The hidden threat to the software supply chain you may not be thinking about

Fri, 16 Jun 2023 04:00:00 -0400

Cisco Talos Incident Response recently discovered an uptick in malicious actors compromising vendor and third-party accounts to sneak into targeted networks. Many enterprises have vendor and contractor accounts that need to access their network for a variety of things — IT support, cybersecurity, etc. — but these accounts are often monitored less than those belonging to full-time employees. Craig Jackson, who recently co-authored a blog post on this threat, joins Talos Takes this week to talk about vendor and contractor account (VCA) takeover and how they fit into the broader threat of supply chain attacks.

Horabot is here to do "horable" things to your email inbox

Fri, 09 Jun 2023 04:00:00 -0400

We're joined this week by Chetan Raghuprasad to discuss a new botnet he recently discovered and researched. Horabot can completely hijack a target's Outlook mailbox to steal their contact list and then send even more spam to targets. It's the perfect business email compromise tool for attackers that comes with a side of banking trojan. Chetan talks to Jon about this malware family's abilities, where it came from and what the actors behind it are hoping to achieve. For more, read Chetan's full blog post.

The Predator spyware and more "mercenary" groups

Fri, 02 Jun 2023 09:00:00 -0400

Despite governments' best efforts, spyware is still running rampant on the threat landscape. These types of tracking malware are used to target high-profile individuals like politicians, activists, journalists and more — and even sometimes for jealous exes to track their former partners. Asheer Malhotra, who recently dissected the Predator spyware, joins Talos Takes this week to talk about Predator and its associated tool, Alien. Asheer shares new technical details about this spyware and discusses why "mercenary" spyware groups are on the rise.

If listeners suspect their system(s) may have been compromised by commercial spyware, please consider notifying Talos’ research team at talos-mercenary-spyware-help@external.cisco.com to assist in furthering the community’s knowledge of these threats.

How to adapt to the constant change that comes with cybersecurity

Fri, 26 May 2023 04:00:00 -0400

Hazel Burton is our special guest host this week of Talos Takes, featuring a very special guest: Talos Vice President Matt Watchinski! Matt and Hazel have a conversation for Mental Health Awareness Month, especially as it relates to the cybersecurity industry. They share tips on how to balance work and life (when it seems like cybersecurity is starting to permeate every aspect of our lives) and how to deal with failure. Join us for this incredibly candid conversation!

RA Group is just the latest example of the ransomware landscape splintering

Fri, 19 May 2023 04:00:00 -0400

Talos researchers recently discovered a new ransomware group called "RA Group." This week, Nick Biasni joins Jon to discuss this new threat actor and the modified Babuk ransomware they've already used in attacks against a wide range of companies in the U.S. and South Korea. Nick talks about the group's use of source code that's already been leaked, where they could be headed next and what this group may signal for the larger ransomware landscape.

Other helpful links:

What makes the new Greatness phishing-as-a-service tool so great?

Fri, 12 May 2023 04:00:00 -0400

Tiago Pereira from Talos Outreach joins the show this week to talk about his recent discovery of a new phishing-as-a-service tool called "Greatness." Since everything else is "as-a-service" nowadays, it's only fitting that attackers have figured out how to monetize easy phishing tools, too. Tiago discusses what makes Greatness unique, why it's going after business targets specifically, and why it creates such convincing fake Office 365 login pages.

XL Edition: Talos Incident Response livestream on top trends from the past quarter

Fri, 05 May 2023 04:00:00 -0400

This week's episode is longer than usual, but we wanted to bring you the Cisco Talos Incident Response On Air livestream from last week for anyone who missed it. For anyone who prefers a video version, you can watch the recording here.

In this discussion, researchers from Talos IR and the Talos Threat Intelligence and Interdiction team cover the top threats and attacker tactics they saw over the past quarter. They talk about why the use of web shells is way up, whether or not the ransomware decline is real and how multi-factor authentication could have stopped many of the threats they worked on in the first quarter of 2023. For more, read the latest Talos IR Quarterly Trends report.

Analyzing the recent takedown of popular dark web forums

Fri, 28 Apr 2023 04:00:00 -0400

On the heels of law enforcement agencies from across the globe working together to disrupt two popular cybercrime forums — Genesis Market and BreachForums — Azim Khodjibaev from Talos' Threat Intelligence & Interdiction team joins Jon to talk about these types of sites. Azim has years of experience infiltrating and investigating these types of marketplaces to learn about emerging security threats. He talks about what goes into these types of takedowns and where the sites' users are likely to go from here.

Suggested reading:

What does the future of MFA look like?

Fri, 21 Apr 2023 09:00:00 -0400

Nowadays it seems like every major tech company has their own multi-factor authentication solution, whether that be a unique app, one-time passcode generation or the "classic" SMS two-factor code. Thorsten Rosendahl, the newest addition to the Cisco Talos Strategic Communications team in Europe, joins the show this week to discuss the conversations he's been having with customers in the field around MFA. He and Jon cover the news that Twitter is going to start charging for users to enroll in SMS-based MFA, the challenge of having too many authenticator apps on their personal devices and how we can get closer to a passwordless future.

Other suggested reading:

How to best prepare for, and respond to, supply chain attacks

Fri, 14 Apr 2023 09:00:00 -0400

With another major supply chain attack recently making headlines, we felt like it was a good time to refresh our advice on how to prepare for these types of cyber attacks. Adversaries are increasingly relying on users' inherent trust of the software running on their networks and devices to deliver hijacked, malicious updates that are actually malware. Craig Jackson, a senior Cisco Talos incident responder, joins the show to provide some advice on how organizations can prep for the next major supply chain attack. We also discuss the current, ongoing 3CX situation and how anyone potentially affected could respond now.

Other suggested reading:

The defensive and offensive implications of ChatGPT and AI

Fri, 31 Mar 2023 04:00:00 -0400

Everyone is talking about tools like ChatGPT and other AI tools that are dominating headlines and threatening to upend every industry possible. But where do these things stand in cybersecurity? In this week's episode, Jon talks to two women who are well-versed on the topic and recently presented about the cybersecurity implications of AI at several conferences. Gergana Karadzhova of Cisco Talos Incident Response and Saskia Laura Schroer, a security consulting engineer for Cisco, discuss how AI is currently influencing attackers and defenders. Are attackers already using these tools? Does it give them superpowers? And what questions are still left unanswered about this emerging technology?

Talos Takes Ep. #132: Reflecting on one year of Talos' work in Ukraine

Fri, 24 Mar 2023 04:00:00 -0400

It's been just over a year since Talos formed our Ukraine-focused task force. After Russia's invasion of Ukraine, many of our teammates sprung into action to protect critical infrastructure and networks there — not to mention the Talos employees who literally had to fight back to protect their home country. In this week's episode of Talos Takes, J.J. Cummings, one of the lead organizers of this task force, joins the show to discuss the group's ongoing work. J.J. talks about where the situation in Ukraine stands currently, how the cyber threats facing the country have evolved over the past year and much more. To further mark the one-year anniversary of the conflict, Talos has also released a graphic novel illustrating the formation of this task force. Additionally, the latest episode of ThreatWise TV from Cisco highlights the work Talos and Cisco are doing in Ukraine.

Why does the Prometei botnet keep growing?

Fri, 17 Mar 2023 10:00:00 -0400

Vanja Svajcer and Andrew Windsor join the show this week to talk about their recent research into the Prometei botnet. This malware continues to evade detection and invade more machines so it can eventually hijack them to mine Monero cryptocurrency. Jon asks them about what's new with Prometei, why it's pretty generous in who it's targeting and where we could see it going next.

Additional reading

There's not actually more spam during Tax Season — it's just different spam

Fri, 10 Mar 2023 09:00:00 -0500

Public perception is such that it's assumed we just get more spam in the U.S. during two major times of the year — Tax Season and Black Friday. But over the past few years, this trend has become a thing of the past. With Tax Day approaching for Americans, there won't be more spam emails coming their way than usual, it'll just be different. Eric Peterson from Talos' email detection team joins the show for Jon's triumphant return from parental leave to talk about tax-related spam. Eric talks about topics he's seen so far this year and why it's a myth that spam volume changes as Tax Day approaches.

The benefits of taking an active approach to threat defense

Fri, 03 Mar 2023 09:00:00 -0500

Nick Biasini is back as host again to talk to Vitor Ventura about the benefits of taking an active approach to threat defense. Many organizations may just sit back and wait for something bad to happen. But as he outlined in his recent blog post, Vitor says there are many benefits to being proactive instead of reactive. Nick asks him about threat hunting as a team, scanning logs and tracking network traffic on an almost-constant basis.

Year in Review - Ransomware and Commodity Loaders

Fri, 10 Feb 2023 10:00:00 -0500

We're back with the final year in review focused episode. This time the focus is on the ever broadening ransomware landscape and the commodity malware loaders that often support it. I'll be joined by one of the researchers from the year in review report, Aliza Johnson to talk about what we saw on the ransomware landscape over the last year as well as how threats like Qakbot, IcedID, and Trickbot have changed and evolved over the last year. We'll also cover how these threats overlap and how LoLBins are yet again an area of concern.

Following the LNK metadata trail

Fri, 03 Feb 2023 10:00:00 -0500

In this episode of Talos Takes I am joined by security researcher Guilherme Venere to discuss their recent research on LNK files. The usage of these files by malicious actors has exploded over the last six months as actors look to move away from macro based initial infection vectors. LNK files do have unique metadata attributes to allows for useful actor and threat tracking capabilities. We'll dig deeper on LNK files as well as the metadata you can leverage. For full details check out the blog at https://blog.talosintelligence.com/following-the-lnk-metadata-trail/

Year in Review - Threat Landscape Edition

Fri, 27 Jan 2023 10:00:00 -0500

We're back with another year in review focused episode. This time the focus will be the threat landscape generally and I'll be joined by threat researcher Caitlin Huey. In this episode we'll discuss what we found in the last year, with a focus on the general threat landscape. We'll spend time discussing dual use tools, lolbins, and the surprising re-emergence of USB attacks in 2022.

XLLing and the post macro era

Fri, 20 Jan 2023 10:00:00 -0500

In this episode of Talos Takes we are joined by Vanja Svjacer to discuss his recent blog on XLL abuse. This year Microsoft finally removed support for macros from their office suite creating a vacuum in the threat landscape. Macros had been the tool of choice for adversaries for the last several years and the race to find alternatives is underway. In this episode we'll talk a bit about Office Add-Ins and how we've already seen adversaries starting to abuse XLL files in the wild.

Year in Review: APT Summary Edition

Fri, 13 Jan 2023 10:00:00 -0500

In this episode of Talos Takes we are joined by Jacob Finn to discuss the APT summary section of the larger year in review report. These state sponsored actors tend to conduct more sophisticated, targeted campaigns typically related to espionage or other information gathering activities. This episode will dive a bit deeper on what can be found in the report as well as an overview of the state sponsored activity we've observed from the last year.

Truebot and the Silence group

Fri, 06 Jan 2023 10:00:00 -0500

In this episode of Talos Takes we are joined by Tiago Periera to discuss his recent blog on truebot activity. Truebot and the silence group have been active for a number of years operating primarily financially motivated cybercrime. In this episode we will talk about the recent campaign we observed as well as the tools and tactics we uncovered. We'll also discuss the links between these groups and other threat actors, like TA505.

Year in Review & Ukraine Activities

Fri, 16 Dec 2022 10:00:00 -0500

In this episode of Talos Takes we are joined by Kendall McKay to discuss the recently released year in review report and dig deep on our activities in Ukraine. The year in review covers a vast amount of data and intel sources to identify some of the key trends we observed in 2022. Our activities in Ukraine have been well documented, in this episode we'll also talk more broadly about the trends and highlight some key findings from the past year.

Update on LodaRAT and its many variants

Fri, 02 Dec 2022 10:00:00 -0500

LodaRAT is an AutoIT based RAT that has been distributed for the last several years. Initially tied to the Kasablanka group its distribution has grown over the years. In this episode we'll be talking with the researcher, Chris Neal, to discuss LodaRAT, the campaigns we've been observing along with some key tidbits about how AutoIT is abused by adversaries. Including some fun with decompiling and recompling.

The basics of InterPlanetary File System (IPFS) and how its being abused

Fri, 18 Nov 2022 10:00:00 -0500

InterPlanetary File System or IPFS has increased in prominence as a file hosting technology associated with Web 3.0. It's probably most well known for hosting NFTs, but this blockchain related technology is also being abused by bad actors. In this episode we'll be talking with Edmund Brumaghin about his recent research into IPFS and his findings. We'll also talk about the ways we've seen malicious actors abuse it and briefly touch on things organizations can do to protect themselves.

The best (and free) ways to improve your cybersecurity skills

Fri, 28 Oct 2022 10:00:00 -0400

To wrap up Cybersecurity Awareness Month, we're looking at the best, and free, ways to improve your security skills. Jason Kirkland and David Roman from Cisco Talos Incident Response join Jon to talk about the websites, YouTube channels, social media profiles and more they use to stay up-to-date on security news and polish their cybersecurity skills.

Here are links to some of the resources we spoke about in this episode:

The basics of threat hunting

Fri, 21 Oct 2022 10:00:00 -0400

To celebrate this week's National Cybersecurity Awareness Month theme, we have a special 101 episode of Talos Takes to cover the basics of threat hunting. This is a crucial skill for any cybersecurity professional-in-training and one of the questions we get the most often. Asheer Malhotra from the Talos Outreach team joins the show to talk about where he starts finding new malware families and threat actors, what the barriers usually are that he has to overcome and what check boxes he has to hit before he can talk about something publicly. For more on this topic, watch our "Threat Hunting 101" livestream from earlier this week here.

Tips for kickstarting your cybersecurity career

Fri, 14 Oct 2022 10:00:00 -0400

To celebrate National Cybersecurity Awareness Month, two one-time "security noobs" talk about their career trajectories and how they've grown to see themselves in cyber. Sammi Seaman and Jon Munshaw talk about their previous careers in library services and journalism, respectively, and how they applied some of those skills to cybersecurity. Other talking points include:

Cybersecurity "ah ha!" moments.
Not being afraid to ask questions.
Free ways to expand one's cybersecurity knowledge.
The importance of getting involved in local cybersecurity conferences and non-profits.

The latest on Lockbit 3.0 drama and the rest of the ransomware landscape

Fri, 07 Oct 2022 11:00:00 -0400

Azim Khodjibaev joins the show once again for the latest addition of "Days of our Ransomware." Jon and Azim talk about the recent LockBit 3.0 leaks and the drama surrounding them. Will other actors try to backpack off the leaked builder? Why is LockBit switching to triple extortion tactics now? And what other trends are going on in the ransomware landscape? This is the perfect place to get caught up on all things ransomware to head into the rest of National Cybersecurity Awareness Month.

An "insider threat" doesn't always have to know they're a threat

Fri, 30 Sep 2022 10:00:00 -0400

Nick Biasini is back on once again to talk to Jon about Insider Threats. Nick recently wrote a post about how he and Cisco Talos Incident Response are seeing an increase in these types of attacks in the wild. And while the term "insider threat" may sound like someone actively seeking to do something bad, that's now always the case. This week's episode discusses how to prepare for Insider Threats and some of the hallmarks of the spam emails, calls and mobile notifications we're seeing in these campaigns.

Once more into the Lazarus Pit

Fri, 23 Sep 2022 10:00:00 -0400

Vitor Ventura from the Talos Outreach team joins the show this week to run down Talos' recent research into the Lazarus Group. This well-known North Korean state-sponsored threat actor is well known for their ransomware and cryptocurrency-related cyber attacks, but we recently found them launching a new information-stealing trojan targeting energy companies. Vitor talks about the new trojan, MagicRAT, and how it fits into their larger plans and motivations.

Digging into Gamaredon's cave and its recent campaign against Ukraine

Fri, 16 Sep 2022 13:00:00 -0400

Guilherme Venere of the Outreach team joins Jon this week to discuss the Gamaredon APT group. This Russian state-sponsored actor is infamous at this point in its life, but it keeps growing by adding new tools and malware. Recently, Guilherme helped to discover a new campaign targeting users and organizations in Ukraine, a common target of Gamaredon since the onset of Russia's invasion. They discuss what's unique about this particular attack, and why we can't just assume their activities will stay isolated to Ukraine for the time being.

Back to school advice for teachers, students, parents, admins and everyone in between

Fri, 09 Sep 2022 08:00:00 -0400

We're headed back to school with Talos Takes again! Pierre Cadieux from Cisco Talos Incident Response joins the show to talk about advice for educational institutions. Jon asks him about common incident response advice for the education sector and we cover security advice for school admins, parents and students who have to worry about electronic devices traveling to and from school and connecting to all sorts of networks. This episode is particularly relevant this week given some recent major cyber attacks against the education sector, including a major event at the combined Los Angeles school district.

XL Edition: Talos' update on our work in Ukraine

Fri, 02 Sep 2022 09:00:00 -0400

This week, we have the audio version of our recent livestream for Ukraine Independence Day. Talos assembled a panel of experts who have been working hands-on to defend critical Ukraine systems and its citizens from cyber threats. JJ Cummings, Ashlee Benge and Dmytro Krozhevin answer questions from Hazel Burton about the current security threats Ukraine faces, what Talos has done to hunt for threats in the region and how Cisco is supporting its employees in Ukraine.

Talos Takes Ep. #110: The kinetic and cyber threats Ukrainian agriculture faces

Fri, 26 Aug 2022 09:00:00 -0400

An underrated aspect of Russia’s invasion of Ukraine is the effect it’s had on the global food supply chain. Ukraine is a major importer and exporter of grain and other food staples, but the industry now faces kinetic and cyber threats. Joe Marshall of Talos has spent months learning all about agricultural cybersecurity and the unique position farming equipment and infrastructure is in. Joe recently wrote about these threats for the Talos blog and joins Talos Takes to talk about how important Ukraine is to the global food supply chain and what law enforcement and global governments can do to prepare for potential state-sponsored attacks.

Talos Takes Ep. #109: Why cybercrime is going small-time

Fri, 19 Aug 2022 09:00:00 -0400

The public traditionally thinks about cyber attacks as being from some well-funded, state-sponsored actor. But increasingly small-time criminals are turning to the internet to make their money. Increasingly, they’re not carrying out one-off robberies, and instead are working on insurance fraud scams and spam emails. Nick Biasini joins Talos Takes this week to discuss his recent research into this topic and shares what the data shows about the growth of small-time cybercrime.

Talos Takes Ep. #61: Why does SideCopy seem so familiar?