Cisco Talos Blog

June 22, 2021 07:56

Attackers in Executive Clothing - BEC continues to separate orgs from their money

By Nick Biasini. In today's world of threat research, the focus tends to be on the overtly malicious practice of distributing and installing malware on end systems. But this is far from the complete picture of what threats organizations face. One of the most, if not the most

April 22, 2021 09:50

Threat Advisory: Pulse Secure Connect Coverage

Pulse Secure announced that a critical vulnerability (CVE-2021-22893) was discovered in their VPN service "Pulse Secure Connect" in a recent security advisory. The advisory states that, "a vulnerability was discovered under Pulse Connect Secure (PCS). This include

April 15, 2021 11:45

Threat Advisory: NSA SVR Advisory Coverage

The U.S. National Security Agency released an advisory outlining several vulnerabilities that the Russian Foreign Intelligence Services (SVR) is exploiting in the wild. The U.S. formally attributed the recent SolarWinds supply chain attack to the SVR group in this advisory and de

April 7, 2021 08:06

Sowing Discord: Reaping the benefits of collaboration app abuse

As telework has become the norm throughout the COVID-19 pandemic, attackers are modifying their tactics to take advantage of the changes to employee workflows. * Attackers are leveraging collaboration platforms, such as Discord and Slack, to stay under the radar and evade organ

March 9, 2021 19:52

Hafnium Update: Continued Microsoft Exchange Server Exploitation

Update 3/11: The following OSQuery detects active commands being run through webshells observed used by actors on compromised Exchange servers. While systems may have been patched to defend against Hafnium and others, threat actors may have leveraged these vulnerabilities to esta

February 17, 2021 08:00

Masslogger campaigns exfiltrates user credentials

By Vanja Svajcer. News summary * As protection techniques develop, attackers are finding it harder to successfully attack their targets and must find creative ways to succeed. * Cisco Talos recently discovered a campaign utilizing a variant of the Masslogger trojan designe

December 14, 2020 17:20

Threat Advisory: SolarWinds supply chain attack

Update 12/21: IOC section updated to include new information and associated stage. Update 12/18: We have been able to verify the name server for the DGA domain was updated as far back as late February. Compromised binaries appear to have been available on the SolarWinds website

December 14, 2020 09:15

FireEye Breach Detection Guidance

Update 12/14: Cisco Talos has implemented additional blocks in relation to the supply chain attack on SolarWinds® Orion® Platform. The U.S. Cybersecurity and Infrastructure Security Agency has issued Emergency Directive 21-01 due to this campaign. Talos is continuing to investiga

October 30, 2020 17:30

Cisco Talos Advisory on Adversaries Targeting the Healthcare and Public Health Sector

Background Cisco Talos has become aware that an adversary is leveraging Trickbot banking trojan and Ryuk ransomware to target U.S. hospitals and healthcare providers at an increasing rate. Security journalists reported on October 28, 2020 that the adversary was preparing to encr