Welcome to this week’s edition of the Threat Source newsletter. 

I am unbelievably lucky to do the work that I do. My title is technically ‘Senior Security Strategist’. It’s a very fancy title, but basically: I get to research threats with my colleagues and friends to keep people safe here at Talos. I also get to travel and talk to our customers and communities about that work and how we fight that good fight. This has taken me to some interesting places - from Ukraine to California and lots of places in between. Not bad for a guy from a small town in Alabama.  

This gig isn’t for everyone. You must have some extroverted tendencies, and as the youth would say, some ‘rizz’. It’s not enough to talk about something like, say, ransomware. You need to be able to explain it in high technical detail if needed and then explain it to a board of C-levels and speak the language of business they understand. And you need to do it in an engaging way to keep your audiences bought in. It’s a unique blend of security practitioner expertise and the ability to communicate that to audiences, some technical, some not.  

If you’re thinking this also requires some kind of social media influencer level of Hemsworth caliber good looks and hyper charisma, have no fear. I’m about as much a security influencer as Chris Farley was a Beverly Hills ninja. I am just a security nerd who likes to talk. Like I said - I'm very lucky.  

Sometimes this gig takes you to very unexpected places. A couple of weeks ago I found myself at the Ford Foundation Center for Social Justice. I was there to attend and support the NGO-ISAC annual summit. The NGO-ISAC ‘is a non-profit organization improving the cybersecurity of US-based nonprofits.’ They do amazing work supporting cyber security for non-governmental organizations that help protect and promote civil society. We’re also fortunate at Talos to be a partner with them and donate time and resources to support their mission of helping the helpers.  

We are proud to be partners and volunteer our time with NGO-ISAC and it’s members. If you ever want to be truly humbled, spend time with an NGO and learn about what they do. The energy and heart those people have is incredible and will inspire you. They help feed the hungry, cloth the homeless, protect refugees, promote democracies, and generally help take care of some of the most vulnerable people and institutions our society relies upon. They also traditionally struggle with cybersecurity - security investments and practitioner expertise can be difficult to obtain when your budgets are built upon donations to support your mission. They are the embodiment of fighting the good fight, and we at Talos will always have the time to help them help others.  

While I was there, we debuted a custom NGO version of Backdoors & Breaches I helped co-develop with the NGO-ISAC. It was a real hit, and we ran demo games that resonated very well with the audiences. Helping teach cybersecurity to NGOs is fantastic. If we can help them stay secure, there’s so many others who will be helped by it. Also, keep your eyes peeled for a blog post in January about how we designed and created a custom expansion for Backdoors & Breaches.  

Also, the Ford Foundation? Amazing building. It’s in the heart of NYC and is an island of pure serenity. They have an indoor atrium/park that is next level. They pipe in some absolute jazz bangers throughout the entire building that, mixed with the decor, exudes a class I've rarely encountered in my travels. If I could make a blanket out of that entire vibe and wrap myself up in it, I'd do it.  

The one big thing 

QR Codes, am I right? Sometimes you can scan one with your phone and maybe win a free cheeseburger, sometimes it can take you to a fake O365 phishing site. The tricky bit with QR codes in e-mails is how easily they can avoid spam filters. My man Jaeson Schultz did some great research on attacks, prevalence, and detection of QR codes in e-mail messages. The parts on AI-generated QR imagery are fantastic – be careful what you scan! 

Why do I care? 

E-mail phishing and evading defenses are a tried and tested tactic with attackers. QR codes are another method of attack, and because they can be difficult to defang/detect, defenders have to work extra hard to understand those threats and stop them.  

So now what? 

Exercise serious caution when scanning a QR code. If possible, detonate those suspicious QR code e-mails in a sandbox, like Threat Grid

Top security headlines of the week 

At least 97 major water systems in the US have serious cybersecurity vulnerabilities and compliance issues, raising concerns that cyberattacks could disrupt businesses, industry, and the lives of millions of citizens. (Dark Reading

The NSA updated its mobile devices security best practices report. Reboot those phones at least once a week friends.  (ZDNet

The United States and other Western nations released guidance Tuesday designed to evict the China-linked group in the wake of the high-profile hack. (CyberScoop

Can’t get enough Talos? 

Upcoming events where you can find Talos 

AVAR (Dec. 4-6)   

Chennai, India  

Vanja Svancer and Chetan Raghuprasad from Cisco Talos will both present, Vanja will be discussing Exploring Vulnerable Windows Drivers, while Chetan presents Sweet and Spicy Recipes for Government Agencies by SneakyChef.   

Most prevalent malware files from Talos telemetry over the past week  

SHA 256: 0e2263d4f239a5c39960ffa6b6b688faa7fc3075e130fe0d4599d5b95ef20647 

MD5: bbcf7a68f4164a9f5f5cb2d9f30d9790 

VirusTotal: https://www.virustotal.com/gui/file/0e2263d4f239a5c39960ffa6b6b688faa7fc3075e130fe0d4599d5b95ef20647/details 

Typical Filename: cwjhtmbwgyomzrhbo.exe 

Claimed Product: n/a 

Detection Name: Win.Dropper.Scar::1201  

SHA 256: 47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca 

MD5: 71fea034b422e4a17ebb06022532fdde 

VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507/detection 

Typical Filename: VID001.exe 

Claimed Product: n/a 

Detection Name: Coinminer:MBT.26mw.in14.Talos 

SHA 256: 47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca   

MD5: 200206279107f4a2bb1832e3fcd7d64c  

VirusTotal: https://www.virustotal.com/gui/file/47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca/details%C2%A0 

Typical Filename: lsgkozfm.bat  

Claimed Product: N/A  

Detection Name: Win.Dropper.Scar::tpd    

SHA 256: 47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca   

MD5: 71fea034b422e4a17ebb06022532fdde   

VirusTotal: https://www.virustotal.com/gui/file/bea312ccbc8a912d4322b45ea64d69bb3add4d818fd1eb7723260b11d76a138a/details 

Typical Filename: VID001.exe   

Claimed Product: N/A   

Detection Name: RF.Talos.80   

SHA 256: 3a2ea65faefdc64d83dd4c06ef617d6ac683f781c093008c8996277732d9bd66   

MD5: 8b84d61bf3ffec822e2daf4a3665308c   

VirusTotal: https://www.virustotal.com/gui/file/3a2ea65faefdc64d83dd4c06ef617d6ac683f781c093008c8996277732d9bd66/details%C2%A0 

Typical Filename: RemComSvc.exe   

Claimed Product: N/A   

Detection Name: W32.3A2EA65FAE-95.SBX.TG