By Jon Munshaw.
Thursday, June 30, 2022
Threat Source newsletter (June 30, 2022) — AI voice cloning is somehow more scary than deepfake videos
Vulnerability Spotlight: Command injection vulnerabilities in Robustel cellular router
Lilith >_> of Cisco Talos discovered these vulnerabilities. Blog by Jon Munshaw.
Cisco Talos recently discovered four vulnerabilities in the Robustel R1510 industrial cellular router.
The R1510 is a portable router that shares 2G, 3G and 4G wireless internet access. It comes with several advanced software features for users like the ability to connect to a VPN, cloud data management and smart reboot.
There are three command injection vulnerabilities that exist in this device, as well as a data removal vulnerability that could allow an attacker to arbitrarily remove files from the device.
Tuesday, June 28, 2022
De-anonymizing ransomware domains on the dark web
By Paul Eubanks.
- We have developed three techniques to identify ransomware operators' dark websites hosted on public IP addresses, allowing us to uncover previously unknown infrastructure for the DarkAngels, Snatch, Quantum and Nokoyawa ransomware groups.
- The methods we used to identify the public internet IPs involved matching threat actors’ TLS certificate serial numbers and page elements with those indexed on the public internet, as well as taking advantage of ransomware operators’ security failures.
- In de-anonymizing the dark web infrastructure used by ransomware actors, we can enable hosting providers to reduce illegal activity on their networks, enhance threat actor tracking, assist in possible law enforcement investigations, and/or slow ransomware operations as they make operational changes.
Ransomware infrastructure landscape
Ransomware operators typically constrain their activities to the dark web to conceal their illegal activities. Their public leak sites and victim communication portals are accessible only on The Onion Router (TOR) network via a specific URL that is only available via direct disclosure. This limits access to fellow operators, victims and security researchers who track and discover such sites. The TOR network provides a reasonable cloak of anonymity when used properly, but when a threat actor makes configuration mistakes, their activity becomes public and can attract the attention of security researchers or law enforcement agencies. Ransomware operators seek to avoid this sort of attention at all costs and will go to great lengths to ensure their operations remain anonymous.
In several cases, we identified public IP addresses hosting the same threat actor infrastructure as those on the dark web, making their leak sites and other infrastructure components accessible for any user on the public internet. By removing the anonymity network that TOR provides, hosting providers can take action against these potentially illegal activities occurring on their networks, and we can observe changes in threat actor behavior upon their discovery.
Friday, June 24, 2022
Threat Roundup for June 17 to June 24
Today, Talos is publishing a glimpse into the most prevalent threats we've observed between June 17 and June 24. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.
As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.
Tuesday, June 21, 2022
Avos ransomware group expands with new attack arsenal

- In a recent customer engagement, we observed a month-long AvosLocker campaign.
- The attackers utilized several different tools, including Cobalt Strike, Sliver and multiple commercial network scanners.
- The initial ingress point in this incident was a pair of VMWare Horizon Unified Access Gateways that were vulnerable to Log4Shell. While Cisco products were deployed on the network, the appliances were never configured, allowing the attacker to gain access to internal servers and maintain a foothold.
- During the time the attacker was active in the network, several security events were detected by the security products but were not reviewed by the security team, which could have prevented the ransomware activity.
Threat Actor Profile: Avos
Avos is a ransomware group first identified in 2021 initially targeting Windows machines. More recently, a new ransomware variant of AvosLocker, named after the group, is also targeting Linux environments. Well-funded and financially motivated, Avos has been active since June 2021 and follows the ransomware-as-a-service (RaaS) model, an affiliate program to recruit potential partners. The announcement of the program includes information about the features of the ransomware and lets affiliates know that AvosLocker operators will handle negotiation and extortion practices. The user "Avos" has also been observed trying to recruit individuals on the Russian forum XSS.

Friday, June 17, 2022
Threat Roundup for June 10 to June 17
Today, Talos is publishing a glimpse into the most prevalent threats we've observed between June 10 and June 17. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.
As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.
Thursday, June 16, 2022
Threat Source newsletter (June 16, 2022) — Three top takeaways from Cisco Live
By Jon Munshaw.
Don’t think about the worst
A wink and a nod
We can’t replicate everything over the internet
The one big thing
Why do I care?
This month’s round of updates also includes a fix for the high-profile Follina vulnerability disclosed a few weeks ago. Attackers are actively exploiting this in the wild to deliver malware, so this is especially important to patch for immediately. Also, this release marks the official end of Internet Explorer, the Microsoft browser that’s been around for more than 25 years. As of Tuesday, Microsoft stopped officially supporting most versions of Explorer and disabled the IE desktop application. All Explorer users are encouraged to switch over to Microsoft Edge (or another web browser).
Wednesday, June 15, 2022
Vulnerability Spotlight: Vulnerabilities in Anker Eufy Homebase could lead to code execution, authentication bypass
Lilith >_> of Cisco Talos discovered these vulnerabilities. Blog by Jon Munshaw.
Cisco Talos recently discovered three vulnerabilities in the Anker Eufy Homebase 2.
The Eufy Homebase 2 is the video storage and networking gateway that works with Anker’s Eufy Smarthome ecosystem. All Eufy devices connect to this cloud-connected device and allow users to adjust the settings on other Eufy Smarthome devices.
Tuesday, June 14, 2022
Microsoft Patch Tuesday for June 2022 — Snort rules and prominent vulnerabilities
By Chetan Raghuprasad.
Microsoft released its monthly security update Tuesday, disclosing 55 vulnerabilities in the company’s firmware and software. One of these vulnerabilities is considered critical, 40 are listed as high severity, and the remainder is considered "moderate."
The most serious issue is CVE-2022-30136, a remote code execution vulnerability in the Windows Network File System (NFS) service, version NFSv4.1, with a severity score of near-maximum 9.8. An attacker can exploit the vulnerability over the network by making an unauthenticated, specially crafted call to a Network File System (NFS) service to execute remote code. To mitigate this vulnerability, users are advised to disable the vulnerable version NFSV4.1 and restart the NFS server or reboot the machine.
Thursday, June 9, 2022
Threat Source newsletter (June 9, 2022) — Get ready for Cisco Live
By Jon Munshaw.
Cisco Secure Pub
Talos Insights: The State of Cybersecurity
Interactive sessions
The one big thing
Why do I care?
If an attacker exploited this vulnerability, they could completely take over the targeted host and execute remote code on the targeted machine. And although a patch is available for this vulnerability, many instances remain unpatched, and reports continue to pour in that attackers are using exploit code available in the wild. This is all a bad recipe for a vulnerability that I relatively easy for attackers to exploit and we know they’re scanning for. Attackers are also exploiting this issue to spread China Chopper, a longstanding malware that can act as a backdoor on targeted machines and essentially be a backup plan for threat actors to retain access.
Talos EMEA monthly update: Business email compromise
The latest edition of the Talos EMEA Monthly Update is available now on Cisco.com and Cisco's YouTube page. You can also view the episode in its entirety above.
For June, Hazel and Martin got together to discuss business email compromise. BEC has quickly become the most lucrative attack vector for threat actors, even surpassing ransomware. This episode provides a quick explainer of what BEC is and how organizations can be prepared for when, not if, this type of spam campaign comes for them.
Friday, June 3, 2022
Threat Advisory: Atlassian Confluence zero-day vulnerability under active exploitation
Cisco Talos is monitoring reports of an actively exploited zero-day vulnerability in Confluence Data Center and Server. Confluence is a Java-based corporate Wiki employed by numerous enterprises. At this time, it is confirmed that all supported versions of Confluence are affected by this vulnerability.
Vulnerability Details
The vulnerability, CVE-2022-26134, is reportedly associated with command injection. An attacker could exploit this vulnerability to execute remote code and, per reports, is being actively exploited in the wild. The attacks delivered several payloads, including the in-memory BEHINDER implant as well as webshells, including China Chopper. In addition to the initial attacks outlined in the report, researchers confirmed additional, continued exploitation is ongoing. There is now a Proof of Concept (PoC) available so exploitation could increase in the near term.The vulnerability itself appears to be an OGNL injection vulnerability specifically impacting the web server and can be exploited via an HTTP request. It appears that all HTTP methods are vulnerable as well. The exploitation appears to be relatively straightforward and should be resolved immediately either through patching or other mitigations.
Threat Roundup for May 27 to June 3
Today, Talos is publishing a glimpse into the most prevalent threats we've observed between May 27 and June 3. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.
As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.
Thursday, June 2, 2022
Threat Source newsletter (June 2, 2022) — An RSA Conference primer
By Jon Munshaw.
The one big thing
Why do I care?
If an attacker were to successfully exploit this vulnerability, they could execute remote code on the targeted machine. Needless to say, that’s bad. This is just the latest in a string of Microsoft vulnerabilities to make headlines over the past 12 months, including PrintNightmare and multiple Exchange Server issues. If those cases have taught us anything, it’s that attackers aren’t afraid to look for vulnerable Microsoft products to try and gain a foothold on a targeted network or machine.
Wednesday, June 1, 2022
Threat Advisory: Zero-day vulnerability in Microsoft diagnostic tool MSDT could lead to code execution
Although a patch hasn't been released yet, Microsoft has provided workarounds and Windows Defender protections for the CVE and malware exploiting this vulnerability. Cisco Talos has also released coverage to protect against this vulnerability, the full details of which are available below.
Tuesday, May 31, 2022
Researcher Spotlight: Martin Lee, EMEAR lead, Talos Strategic Communications
Who knew you could connect Moses to threat intelligence?
Friday, May 27, 2022
Threat Roundup for May 20 to May 27
Today, Talos is publishing a glimpse into the most prevalent threats we've observed between May 20 and May 27. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.
As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.
Thursday, May 26, 2022
Threat Source newsletter (May 26, 2022) — BlackByte adds itself to the grocery list of big game hunters
By Jon Munshaw.
The one big thing
Why do I care?
Talos has been monitoring BlackByte for several months and we can confirm they are still active after the FBI released a joint cybersecurity advisory in February 2022. Additionally, BlackByte is considered part of the big game ransomware groups, which are targeting large, high-profile targets, looking to exfiltrate internal data and threatening to publicly release it. Like similar groups, they have their own leaks site on the darknet.
Wednesday, May 25, 2022
Vulnerability Spotlight: Vulnerabilities in Open Automation Software Platform could lead to information disclosure, denial of service
Jared Rittle of Cisco Talos discovered these vulnerabilities. Blog by Jon Munshaw.
Cisco Talos recently discovered eight vulnerabilities in the Open Automation Software Platform that could allow an adversary to carry out a variety of malicious actions, including improperly authenticating into the targeted device and causing a denial of service.
The OAS Platform facilitates the simplified data transfer between various proprietary devices and applications, including software and hardware.
The most serious of these issues is TALOS-2022-1493 (CVE-2022-26082), which an attacker could exploit to gain the ability to execute arbitrary code on the targeted machine. This issue has a severity score of 9.1 out of a possible 10. Another vulnerability, TALOS-2022-1513 (CVE-2022-26833) has a 9.4 severity score and could lead to the unauthenticated use of the REST API.
Friday, May 20, 2022
Threat Roundup for May 13 to May 20
Today, Talos is publishing a glimpse into the most prevalent threats we've observed between May 13 and May 20. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.
As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.
Thursday, May 19, 2022
Threat Source newsletter (May 19, 2022) — Why I'm missing the days of iPods and LimeWire
By Jon Munshaw.
Wednesday, May 18, 2022
The BlackByte ransomware group is striking users all over the globe
News summary
- Cisco Talos has been monitoring the BlackByte Ransomware Group for several months, infecting victims all over the world, from North America to Colombia, Netherlands, China, Mexico and Vietnam.
- The FBI released a joint cybersecurity advisory in February 2022 warning about this group, stating that the group has targeted at least three critical infrastructure sectors in the U.S.
- Talos has monitored ongoing BlackByte attacks dating back to March.
- BlackByte updated its leak site with a new design and new victims and is still actively exploiting victims worldwide.
Tuesday, May 17, 2022
Vulnerability Spotlight: Multiple memory corruption vulnerabilities in NVIDIA GPU driver
Piotr Bania of Cisco Talos discovered these vulnerabilities. Blog by Jon Munshaw.
Cisco Talos recently discovered four vulnerabilities in the NVIDIA D3D10 driver for graphics cards that could allow an attacker to corrupt memory and write arbitrary memory on the card.
NVIDIA graphics drivers are software for NVIDIA Graphics GPU cards that are installed on PCs. The D3D10 driver communicates between the operating system and the GPU. It's required in most cases for the PC to function properly.
Monday, May 16, 2022
Ransomware: How executives should prepare given the current threat landscape
By Nate Pors.
Top executives are increasingly dreading the phone call from their fellow employees notifying them that their company has been hit by a cyber attack. Nearly every week in 2021 and early 2022, a prominent organization has been in the media spotlight as their public relations team struggles to explain how they were attacked and how they can regain consumer confidence. A recent survey showed that 37 percent of organizations surveyed had been affected by ransomware attacks in the last year.
Worse, the days when executive leadership teams could fully delegate responsibility to a CISO are over. Regardless of reality, surveys have shown that about 40 percent of the public perception of fault for a ransomware attack land squarely on the CEO’s shoulders, and that 36 percent of attacks result in the loss of C-level talent. While executive involvement in the security program does not guarantee a successful defense, it does give the Executive Leadership Team (ELT) a degree of ownership of the final product, as well as the ability to speak confidently and knowledgeably to the public.
Cisco Talos Incident Response (CTIR) has assisted hundreds of organizations through recent ransomware incidents and executive tabletop exercises and compiled the following observations for how top executives can best prepare and evaluate their teams.
Friday, May 13, 2022
Threat Roundup for May 6 to May 13
Today, Talos is publishing a glimpse into the most prevalent threats we've observed between May 6 and May 13. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.
As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.
EMEAR Monthly Talos Update: Wiper malware
Cisco Talos and Cisco Secure are launching a new video series to fill you in on the latest cybersecurity trends. We’re thrilled to launch our first video in the new Talos Threat Update series, which you can watch above or over at this link, where Martin Lee and Hazel Burton talk about wiper malware — what is it, why is it important and how you can prepare your organization against it.
While this series is primarily focused on the European region, the advice and topics covered each month apply to users everywhere.
In each video, Hazel Burton dives into important security topics with Cisco Secure researchers, asking the tough questions and giving straight answers.
Thursday, May 12, 2022
Threat Source newsletter (May 12, 2022) — Mandatory MFA adoption is great, but is it too late?
By Jon Munshaw.
Vulnerability Spotlight: How an attacker could chain several vulnerabilities in an industrial wireless router to gain root access
Francesco Benvenuto of Cisco Talos discovered these vulnerabilities. Blog by Francesco Benvenuto and Jon Munshaw.
Cisco Talos recently discovered several vulnerabilities in InHand Networks’ InRouter302 that could allow an attacker to escalate their privileges on the targeted device from a non-privileged user to a privileged one. There are also multiple vulnerabilities that could allow an adversary to reach unconstrained root privileges. The router has one privileged user and several non-privileged ones.
The InRouter is an industrial LTE router that includes remote management functionalities and several security protection mechanisms, such as VPN connections and a firewall.
The router can be managed mainly in two ways: through the web interface, and through a router console accessible by telnet or, if enabled, SSH. The router does not provide access in any way to the Linux system beneath the router functionalities.
Wednesday, May 11, 2022
Bitter APT adds Bangladesh to their targets

- Cisco Talos has observed an ongoing malicious campaign since August 2021 from the Bitter APT group that appears to target users in Bangladesh, a change from the attackers' usual victims.
- As part of this, there's a new trojan based on Apost Talos is calling "ZxxZ," that, among other features, includes remote file execution capability.
- Based on the similarities between the C2 server in this campaign with that of Bitter's previous campaign, we assess with moderate confidence that this campaign is operated by the Bitter APT group.
Executive Summary
Cisco Talos discovered an ongoing campaign operated by what we believe is the Bitter APT group since August 2021. This campaign is a typical example of the actor targeting South Asian government entities.
This campaign targets an elite unit of the Bangladesh's government with a themed lure document alleging to relate to the regular operational tasks in the victim's organization. The lure document is a spear-phishing email sent to high-ranking officers of the Rapid Action Battalion Unit of the Bangladesh police (RAB). The emails contain either a malicious RTF document or a Microsoft Excel spreadsheet weaponized to exploit known vulnerabilities. Once the victim opens the maldoc, the Equation Editor application is automatically launched to run the embedded objects containing the shellcode to exploit known vulnerabilities described by CVE-2017-11882, CVE-2018-0798 and CVE-2018-0802 — all in Microsoft Office — then downloads the trojan from the hosting server and runs it on the victim's machine. The trojan masquerades as a Windows Security update service and allows the malicious actor to perform remote code execution, opening the door to other activities by installing other tools. In this campaign, the trojan runs itself but the actor has other RATs and downloaders in their arsenal.
Such surveillance campaigns could allow the threat actors to access the organization's confidential information and give their handlers an advantage over their competitors, regardless of whether they're state-sponsored.
Tuesday, May 10, 2022
Threat Advisory: Critical F5 BIG-IP Vulnerability

Summary
A recently disclosed vulnerability in F5 Networks' BIG-IP could allow an unauthenticated attacker to access the BIG-IP system to execute arbitrary system commands, create and delete files, disable services and could lead to additional malicious activity.
This vulnerability, tracked as CVE-2022-1388 is an authentication bypass vulnerability in F5's BIG-IP modules affecting the iControl REST component. BIG-IP is F5's line of appliances that organizations use as load balancers, firewalls, and for inspection and encryption of data passing in to and out of networks. The vulnerability has a CVSS score of 9.8 out of a possible 10 and is considered critical.
F5 discovered the vulnerability on May 4, 2022 and has subsequently released a security advisory and patches, along with a subsequent advisory from the U.S. Cybersecurity & Infrastructure Security Agency (CISA).
Cisco Talos is closely monitoring the recent reports of exploitation attempts against CVE-2022-1388 and strongly recommends users issue patches to affected systems as soon as possible.
Microsoft Patch Tuesday for May 2022 — Snort rules and prominent vulnerabilities
By Jon Munshaw, with contributions from Jaeson Schultz.
Microsoft returned to its normal monthly patching volume in May, disclosing and fixing 74 vulnerabilities as part of the company’s latest security update. This month’s Patch Tuesday includes seven critical vulnerabilities after Microsoft disclosed more than 140 security issues in April.
The point-to-point tunneling feature in Windows contains two of the most serious vulnerabilities that could allow an attacker to execute remote code on a targeted RAS server machine. While CVE-2022-21972 and CVE-2022-23270 are rated “critical,” Microsoft stated the attack complexity is high since an adversary needs to win a race condition, making it less likely an attacker could exploit these issues.
CVE-2022-26931 and CVE-2022-26923 are elevation of privilege vulnerabilities in Windows Kerberos and Windows Active Directory, respectively. They both are considered critical, though CVE-2022-26931 is considered less likely to be exploited because it has a higher attack complexity.
The Windows Network File System contains the highest-rated vulnerability of the month: CVE-2022-26937, which has a severity score of 9.8 out of a possible 10. An attacker could exploit this vulnerability by making an unauthenticated, specially crafted call to an NFS service to eventually gain the ability to execute remote code.
May’s Patch Tuesday also features a vulnerability in the Magnitude Simba Amazon Redshift ODBC Driver that affects the Windows self-hosted integration runtime service. An attacker could exploit CVE-2022-29972 to execute remote code, though they would need to first have the same level of privilege as a Synapse Administrator, Synapse Contributor or Synapse Computer Operator.
Talos would also like to highlight six important vulnerabilities that Microsoft considers to be “more likely” to be exploited:
- CVE-2022-29104 — Windows Print Spooler elevation of privilege
- CVE-2022-29108 — Microsoft SharePoint Server remote code execution
- CVE-2022-29114 — Windows Print Spooler information disclosure
- CVE-2022-29132 — Windows Print Spooler elevation of privilege
- CVE-2022-29142 — Windows Kernel elevation of privilege
- CVE-2022-23279 — Windows ALPC elevation of privilege
A complete list of all the vulnerabilities Microsoft disclosed this month is available on its update page.
In response to these vulnerability disclosures, Talos is releasing a new SNORTⓇ rule set that detects attempts to exploit some of them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Cisco Secure Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.
The rules included in this release that protect against the exploitation of many of these vulnerabilities are 59726 - 59728, 59730, 59731, 59733, 59734, 59737 and 59738. For Snort 3, the following rules are also available to protect against these vulnerabilities: 300125, 300126, 300128, 300129, 300130, 300133 and 300134 - 300137.
Vulnerability Spotlight: Vulnerability in Alyac antivirus program could stop virus scanning, cause denial of service
Cisco Talos recently discovered an out-of-bounds read vulnerability in the ESTsecurity Corp.’s Alyac antivirus software that could cause a denial-of-service condition.
If successful, an attacker could trigger this vulnerability to stop the program from scanning for malware, which would be crucial in a potential attack scenario. Alyac is an antivirus software developed for Microsoft Windows machines.
Talos Incident Response added to German BSI Advanced Persistent Threat response list
Cisco Talos Incident Response is now listed as an approved vendor on the Bundesamt für Sicherheit in der Informationstechnik (BSI) Advanced Persistent Threat (APT) response service providers list. Talos Incident Response successfully demonstrated to the BSI, through a review of our processes and a technical panel interview, that we can respond to cybersecurity incidents involving APT actors throughout Germany. Additionally, Cisco was recognized as a Leader by IDC MarketScape for our Worldwide Incident Readiness services. We look forward to continuing to provide our wide range of market-leading, globally delivered incident response services to Cisco’s German Federal, Public and Private business customers.
Friday, May 6, 2022
Threat Roundup for April 29 to May 6
Today, Talos is publishing a glimpse into the most prevalent threats we've observed between April 29 and May 6. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.
As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.
Thursday, May 5, 2022
Threat Source newsletter (May 5, 2022) — Emotet is using up all of its nine lives
By Jon Munshaw.
Mustang Panda deploys a new wave of malware targeting Europe

By Jung soo An, Asheer Malhotra and Justin Thattil, with contributions from Aliza Berk and Kendall McKay.
- In February 2022, corresponding roughly with the start of the Russian Invasion of Ukraine, Cisco Talos began observing the China-based threat actor Mustang Panda conducting phishing campaigns against European entities, including Russian organizations. Some phishing messages contain malicious lures masquerading as official European Union reports on the conflict in Ukraine and its effects on NATO countries. Other phishing emails deliver fake "official" Ukrainian government reports, both of which download malware onto compromised machines.
- Mustang Panda has been known to use themed lures relating to various current-day events and issues, including the COVID-19 pandemic, international summits and various political topics.
- While the Ukraine-related Mustang Panda developments have been reported by at least one other security firm, we identified additional samples that have not been cited in open-source reporting.
- Apart from targeting European countries, Mustang Panda has also targeted organizations in the U.S. and Asia.
- In these campaigns, we've observed the deployment of Mustang Panda's PlugX implant, custom stagers and reverse shells and meterpreter-based shellcode, all used to establish long-term persistence on infected endpoints with the intention of conducting espionage.
Threat actor profile
MustangPanda, also known as "RedDelta" or "Bronze President," is a China-based threat actor that has targeted entities all over the world since at least 2012, including American and European entities such as government organizations, think tanks, NGOs, and even Catholic organizations at the Vatican.
We've also observed extensive targeting of Asian countries as well, such as the Taiwanese government, activists in Hong Kong, NGOs in Mongolia and Tibet, Myanmar and even Afghan and Indian telecommunication firms.
The threat actor heavily relies on sending lures via phishing emails to achieve initial infection. These lures often masquerade as legitimate documents of national and organizational interest to the targets. These infection vectors deploy malware predominantly consisting of the PlugX remote access trojan (RAT) with custom stagers, reverse shells, meterpreter and Cobalt Strike, which act as another mechanism for achieving long term access into their targets. One thing remains consistent across all these campaigns — Mustang Panda is clearly looking to conduct espionage campaigns.
Tuesday, May 3, 2022
Conti and Hive ransomware operations: What we learned from these groups' victim chats
As part of Cisco Talos’ continuous efforts to learn more about the current ransomware landscape, we recently examined a trove of chat logs between the Conti and Hive ransomware gangs and their victims.