Welcome to this week’s edition of the Threat Source newsletter. 

If there’s one thing that threat actors love, it’s chaos. Headlines in the news that provoke an emotional response make excellent phishing lures because the intense feelings evoked by a provocative subject line cause our critical thinking faculties to be bypassed. Without cautious reflection, we’re likely to engage with the bait, fall for the lure and “click the link” rather than pausing to ask ourselves what the headline’s writer is trying to achieve. 

Economic disruption also works in the bad guys’ favor. In budgetary crises, investments in cyber defenses may be postponed or the hiring of sorely needed additional team members delayed. Alternatively, an end-of-life device that is still functional despite obsolescence and many unpatched vulnerabilities may get an additional year of operation before replacement. 

In such a climate, security teams are often asked to do more with less. However, security can be improved simply by getting the basics right and addressing gaps that don’t require investment. Patching might be time-consuming, but it doesn’t require extra budget. Prioritize removing the most exploited vulnerabilities as listed in our 2024 Year in Review report. Next, review your MFA implementation, ensuring that it is deployed everywhere throughout the organization and that it can’t be bypassed. 

When times are tough, focus on getting the basics right and fixing what can be fixed without needing costly investment. Each vulnerability fixed and each weakness remediated moves the security posture forward and makes your organization a tougher target for the bad guys, who in turn are more likely to seek easier quarry.

The one big thing 

We are continuing our discussion of Talos' 2024 Year in Review report, looking at each section in detail. This week, let’s examine the evolution of email lures and the nature of the most frequently targeted vulnerabilities.

Why do I care? 

In a world of limited resources, effective defense requires identifying areas that are more likely to be targeted by threat actors and prioritizing shoring up these areas. Not all vulnerabilities or systems are exploited equally, and remediating the most frequently exploited vulnerabilities maximizes security effectiveness. 

So now what? 

Educate users on the types of social engineering that threat actors are currently using in email lures. Social engineering is not static; it is constantly changing to try to outwit unwary targets. 

Exploitation of the Shellshock series of vulnerabilities should not still be succeeding more than 10 years after disclosure. Aggressively identify systems within your IT estate that remain vulnerable to this attack and patch them urgently.
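A quick way to check your own hosts for the original Shellshock bug is the well-known harmless self-test: a vulnerable bash executes the command appended after a function definition imported from the environment. This script is an added example, not from the newsletter or Talos; it assumes `bash` is on the PATH and only echoes a marker string, so it is safe to run on any host you administer.

```shell
#!/bin/sh
# Local Shellshock self-check for patch verification.
# A vulnerable bash imports the function definition in $x and also runs
# the trailing "echo VULNERABLE"; a patched bash ignores the trailing code.
check_shellshock() {
    if ! command -v bash >/dev/null 2>&1; then
        echo "no-bash"        # nothing to test on this host
        return 0
    fi
    # The payload is a harmless echo; stderr is silenced because patched
    # versions print a warning about the ignored function definition.
    out=$(env x='() { :;}; echo VULNERABLE' bash -c 'echo probe' 2>/dev/null)
    case "$out" in
        *VULNERABLE*) echo "vulnerable" ;;
        *)            echo "patched" ;;
    esac
}

# Stand-alone usage: print the verdict and exit non-zero when vulnerable,
# so the script can be run from inventory tooling across an estate.
result=$(check_shellshock)
echo "$(hostname 2>/dev/null || echo localhost): bash is $result"
[ "$result" != "vulnerable" ]
```

Run it as part of a fleet-wide inventory job; any host reporting "vulnerable" belongs at the top of the patch queue.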

Top security headlines of the week 

Hackers strike Australia's largest pension funds. A series of coordinated attacks has reportedly led to criminals compromising in excess of 20,000 pension accounts and stealing funds. (Reuters)

Ireland Plans 300-Strong Military Cyber Command. The Irish armed forces are creating a Joint Cyber Defence Command to support defensive and offensive cyber operations. (Irish Times)

Baltimore City Falls Victim to Vendor Fraud. Two payments totaling $1.5 million were reportedly paid to a fraudulent bank account that had been swapped for a contractor’s genuine account. (CBS News)

CISA Warns of Vulnerabilities in ICS Software. The US Cybersecurity and Infrastructure Security Agency released advisories relating to five serious vulnerabilities in Industrial Control Systems software. (CISA)

Can’t get enough Talos?

  • Unraveling the U.S. toll road smishing scams. Talos has observed a widespread and ongoing smishing campaign since October 2024 that targets toll road users in the U.S. Read the blog here.
  • Beers with Talos: 2024 Year in Review. Joe, Hazel, Bill and Dave break down the 2024 Year in Review and discuss how and why cybercriminals are leaning on attacks based in stealth and simplicity. Listen here.
  • The TTP Ep 10 (Part 1). Peeling back the layers of the threats that dominated 2024. Watch now.
  • The TTP Ep 10 (Part 2). Ransomware groups, and why we're seeing more identity attacks. Watch now.

Upcoming events where you can find Talos 

Most prevalent malware files from Talos telemetry over the past week 
