Welcome to this week’s edition of the Threat Source newsletter.

What’s old is new again, and what’s old is still old. The fact that we are seeing a comeback of this USB thumb drive nonsense is giving me heartburn, and a headache, and my left eye is twitching … and maybe numbness in my legs? Yes, I am getting old, but I’m also just tired, not from age but from the unrelenting cycle of what’s old is new again. All simply because we can’t seem to learn from our own past. Please don’t put a random USB into any of your devices, and for the last time, GET OFF MY LAWN.

The one big thing

Cisco Talos IR posted its Incident Response Trends for Q4 2022. Ransomware remained a top threat Talos IR responded to this quarter, with appearances from both previously seen and newly observed ransomware families. However, Talos IR also observed a significant number of cases in which post-exploitation activity occurred but the actor’s motivation could not be determined. Phishing, the top initial-access vector this quarter, was a good illustration: phishing cases were as common as ransomware cases and led to a variety of post-exploitation activity, including command execution for credential harvesting, deployment of red-teaming frameworks and installation of remote access tooling.

Why do I care?

Knowing what Talos IR responded to this quarter gives you a direct view into which initial-access vectors, tools and post-exploitation techniques are actually being used against organizations right now, and therefore which parts of your own environment most need hardening and monitoring.

So now what?

In every Talos IR ransomware engagement that closed out this quarter, PsExec was used to facilitate lateral movement or to execute the final ransomware payload. PsExec is a legitimate, Microsoft-signed Sysinternals administration tool, which is exactly why adversaries favor it: it copies a service binary to the target’s ADMIN$ share and installs it as a service, so it needs nothing more than valid credentials and reachable administrative shares. Talos IR therefore recommends that organizations disable PsExec, as well as access to administrative shares, to limit lateral movement. Additionally, organizations should consider using Microsoft AppLocker to block tools and files that adversaries consistently leverage. This creates another layer of enforcement for known malicious or frequently misused files.
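The following PowerShell script is an added example of applying the two mitigations above on a single host; it is not from the Talos newsletter or any Talos tooling. It assumes a reference copy of PsExec at the path in `$PsExecSample` (change it to wherever you keep the Sysinternals binary), that the AppLocker cmdlets are available (Windows Pro/Enterprise), and that you merge into a local policy that already contains default Allow rules. The rule name prefix and output path are arbitrary choices.

```powershell
#Requires -RunAsAdministrator
# Added example: restrict PsExec-style lateral movement on one Windows host.
# Assumptions (not from the newsletter): a signed PsExec sample at $PsExecSample,
# AppLocker cmdlets present, and an existing policy with default Allow rules.

param(
    [string]$PsExecSample = 'C:\Tools\Sysinternals\PsExec.exe',   # assumed path
    [string]$PolicyOut    = "$env:TEMP\deny-psexec.xml"            # arbitrary
)

# --- 1. Administrative shares --------------------------------------------
# PsExec copies PSEXESVC.exe into ADMIN$ and registers it as a service.
# AutoShareWks (workstation SKUs) and AutoShareServer (server SKUs) set to 0
# stop the Server service from recreating ADMIN$ and the drive shares.
# Setting both values is harmless; only the one for this SKU is consulted.
$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
foreach ($name in 'AutoShareWks', 'AutoShareServer') {
    Set-ItemProperty -Path $lanman -Name $name -Value 0 -Type DWord
}
# The change applies when the Server service restarts. This drops active
# SMB sessions, so do it in a maintenance window on production hosts.
Restart-Service -Name LanmanServer -Force

# --- 2. AppLocker deny rule -----------------------------------------------
# A publisher rule matches on the Authenticode certificate subject and the
# binary's embedded original file name, so a renamed PsExec.exe is still
# caught; an unsigned clone would need a Hash rule instead.
$fileInfo = Get-AppLockerFileInformation -Path $PsExecSample
if (-not $fileInfo.Publisher) {
    throw "$PsExecSample is not Authenticode-signed; build a Hash rule instead."
}

# New-AppLockerPolicy only emits Allow rules, so the Action is flipped to Deny
# in the XML text and the version floor is widened so every version is denied.
$xml = $fileInfo |
    New-AppLockerPolicy -RuleType Publisher -User Everyone `
                        -RuleNamePrefix 'Deny PsExec' -Xml
$xml = $xml -replace 'Action="Allow"', 'Action="Deny"' `
            -replace 'LowSection="[^"]*"', 'LowSection="*"'
Set-Content -Path $PolicyOut -Value $xml -Encoding UTF8

# Dry run: evaluate the sample against the new rule before touching the
# live policy. Test-AppLockerPolicy reports Allowed, Denied or DeniedByDefault.
$decision = Test-AppLockerPolicy -XmlPolicy $PolicyOut -Path $PsExecSample -User Everyone
if ($decision.PolicyDecision -ne 'Denied') {
    throw "Expected Denied for $PsExecSample, got $($decision.PolicyDecision)"
}

# -Merge keeps the existing rules and enforcement mode of the local policy.
# Deny rules win over Allow rules, so the default rules stay in place.
Set-AppLockerPolicy -XmlPolicy $PolicyOut -Merge

# --- 3. Has PsExec already been used here? --------------------------------
# Each PsExec session installs a service, which the Service Control Manager
# logs as System event ID 7045. Any PSEXESVC entry is worth a second look.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045 } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'PSEXESVC' } |
    Select-Object TimeCreated, Message
```

Three caveats before rolling this out. AppLocker rules are only enforced while the Application Identity service (AppIDSvc) is running and the Exe rule collection is set to Enforce rather than Audit, so stage the rule in Audit mode and review the AppLocker event log first. Disabling administrative shares also breaks legitimate tools that depend on ADMIN$ or C$ (some remote management, deployment and authenticated vulnerability-scanning products), so inventory those first. Finally, the AppLocker rule only stops the PsExec binary itself; tools that reproduce the same technique (WMI, WinRM, or PsExec clones that copy their own service binary) are not covered by it, and only the share change affects the ones that still rely on ADMIN$.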

Top security headlines of the week

CISA and the NSA released a joint advisory on January 25th detailing the use of legitimate remote monitoring and management (RMM) software for nefarious purposes. The advisory describes the observed attacks, warns the cybersecurity community about the malicious use of commercial RMM software, and offers mitigations and indicators of compromise to watch for. Because RMM tools are legitimate and often already allowed in an environment, the security-relevant point is that their presence alone is not a signal; the questions are who installed the tool, whether it is the sanctioned product and version, and where it connects to.

The Initial Access Broker (IAB) market is booming, posing a growing threat to enterprises. Research shows sharp year-over-year growth in the number of IABs operating on underground forums and markets. For ransomware operators and other cybercriminals looking for quick access to enterprise networks, these brokers are the answer: they sell working footholds (for example, compromised credentials or remote access) so the buyer can skip initial access and move straight to post-exploitation. (Dark Reading and Group-IB)

Can’t get enough Talos?

Upcoming events where you can find Talos

CactusCon (Jan 27-28)
Mesa, AZ

Cisco Live Amsterdam (Feb 6-10)
Amsterdam, Netherlands

Most prevalent malware files from Talos telemetry over the past week

SHA256:
9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507
MD5: 2915b3f8b703eb744fc54c81f4a9c67f
Typical Filename: VID001.exe
Detection Name: Simple_Custom_Detection

SHA256:
e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934
MD5: 93fefc3e88ffb78abb36365fa5cf857c
Typical Filename: Wextract
Claimed Product: Internet Explorer
Detection Name: PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg

SHA256:
125e12c8045689bb2a5dcad6fa2644847156dec8b533ee8a3653b432f8fd5645
MD5: 2c8ea737a232fd03ab80db672d50a17a
Typical Filename: LwssPlayer.scr
Claimed Product: 梦想之巅幻灯播放器
Detection Name: Auto.125E12.241442.in02

SHA256:
1077bff9128cc44f98379e81bd1641e5fbaa81fc9f095b89c10e4d1d2c89274d
MD5: 26f927fb7560c11e509f0b8a7e787f79
Typical Filename: Iris QuickLinks.exe
Claimed Product: N/A
Detection Name: W32.File.MalParent