FireEye Breach Detection Guidance
Update 12/14: Cisco Talos has implemented additional blocks in relation to the supply chain attack on SolarWinds® Orion® Platform. The U.S. Cybersecurity and Infrastructure Security Agency has issued Emergency Directive 21-01 due to this campaign. Talos is continuing to investiga
Cisco Talos Advisory on Adversaries Targeting the Healthcare and Public Health Sector
Background Cisco Talos has become aware that an adversary is leveraging Trickbot banking trojan and Ryuk ransomware to target U.S. hospitals and healthcare providers at an increasing rate. Security journalists reported on October 28, 2020 that the adversary was preparing to encr
Sea Turtle keeps on swimming, finds new victims, DNS hijacking techniques
By Danny Adamitis with contributions from Paul Rascagneres. Executive summary After several months of activity, the actors behind the "Sea Turtle" DNS hijacking campaign are not slowing down. Cisco Talos recently discovered new details that suggest they regrouped af
Recent MuddyWater-associated BlackWater campaign shows signs of new anti-detection techniques
By Danny Adamitis, David Maynor, and Kendall McKay. Cisco Talos assesses with moderate confidence that a campaign we recently discovered called "BlackWater" is associated with suspected persistent threat actor MuddyWater. Newly associated samples from April 2019 indica
Sodinokibi ransomware exploits WebLogic Server vulnerability
By Pierre Cadieux, Colin Grady, Jaeson Schultz and Matt Valites. Attackers are actively exploiting a recently disclosed vulnerability in Oracle WebLogic to install a new variant of ransomware called "Sodinokibi." Sodinokibi attempts to encrypt data in a user's dire
DNS Hijacking Abuses Trust In Core Internet Service
By Danny Adamitis, David Maynor, Warren Mercer, Matthew Olney and Paul Rascagneres. Update 4/18: A correction has been made to our research based on feedback from Packet Clearing House, we thank them for their assistance Preface This blog post discusses the technical details
Bitcoin Bomb Scare Associated with Sextortion Scammers
The claims in the emails we've seen from this actor are completely false, yet they have caused untold amounts of damage as organizations have evacuated buildings and called upon law enforcement to investigate.
Critical Infrastructure at Risk: Advanced Actors Target Smart Install Client
Update: 4/9 Cisco PSIRT has released additional guidance available here. Cisco has recently become aware of specific advanced actors targeting Cisco switches by leveraging a protocol misuse issue in the Cisco Smart Install Client. Several incidents in multiple countries, includi
CCleaner Command and Control Causes Concern
Introduction Talos recently published a technical analysis of a backdoor which was included with version 5.33 of the CCleaner application. During our investigation we were provided an archive containing files that were stored on the C2 server. Initially, we had concerns about th