Welcome to this week’s edition of the Threat Source newsletter.

What’s old is new again, and what’s old is still old. The fact that we are seeing a comeback of this USB thumb drive nonsense is giving me heartburn, and a headache, and my left eye is twitching … and maybe numbness in my legs? Yes, I am getting old, but I’m also just tired - not from age but from the unrelenting cycle of what’s old is new again. All simply because we can’t seem to learn from our own past. Please don’t put a random USB into any of your devices and, for the last time, GET OFF MY LAWN.

The one big thing

Cisco Talos IR published its Incident Response Trends report for Q4 2022. Ransomware remained one of the top threats Talos IR responded to this quarter, with both previously seen and newly observed ransomware families making appearances. Talos IR also handled a significant number of cases in which post-exploitation activity was observed but the actor’s objective could not be determined. Phishing campaigns, the top initial-access vector this quarter, were just as common and led to a variety of post-exploitation activity: command execution to harvest credentials, deployment of red-teaming frameworks, and installation of remote access tooling.

Why do I care?

Knowing what Talos IR is responding to this quarter shows you which initial-access paths and post-exploitation tools deserve the most hardening and the closest monitoring in your own environment.

So now what?

In every Talos IR ransomware engagement that closed out this quarter, PsExec was used to move laterally or to execute the final ransomware payload. Talos IR recommends that organizations disable PsExec and restrict access to administrative shares to limit lateral movement. Organizations should also consider using Microsoft AppLocker to block tools and files that adversaries consistently leverage; this adds another layer of enforcement against known malicious or frequently misused files.
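The following PowerShell script is an added illustration, not code from Talos or from the Q4 2022 report. It applies the three controls above on a single Windows host (disable the automatic administrative shares, add an AppLocker deny rule for PsExec keyed on publisher and hash rather than path, and verify the rule) and finishes with the hunt a responder would run for past PsExec use. It assumes local copies of PsExec.exe and PsExec64.exe under C:\Tools (a hypothetical path used only to fingerprint the binaries) and a Windows 10/11 or Server 2016+ host with the AppLocker cmdlets available.

```powershell
#Requires -RunAsAdministrator
# Added example (not from Talos or the Q4 2022 report). Assumptions: PsExec.exe and
# PsExec64.exe sit in C:\Tools (hypothetical path) for fingerprinting; Windows 10/11
# or Server 2016+ with the AppLocker module present.

# 1. Disable the automatic administrative shares (ADMIN$, C$, D$ ...). PsExec copies its
#    service binary into ADMIN$ on the target, so removing the share breaks the default
#    PsExec workflow. Set the registry values first: the Server service recreates the
#    shares whenever it restarts unless these values are 0. IPC$ is left in place.
$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
Set-ItemProperty -Path $lanman -Name AutoShareServer -Value 0 -Type DWord   # server SKUs
Set-ItemProperty -Path $lanman -Name AutoShareWks    -Value 0 -Type DWord   # workstation SKUs
Get-SmbShare | Where-Object { $_.Special -and $_.Name -ne 'IPC$' } | Remove-SmbShare -Force

# 2. AppLocker deny rule for PsExec. Publisher and hash conditions survive a renamed
#    binary; a path rule does not. New-AppLockerPolicy only emits Allow rules, so the
#    Action attribute is flipped to Deny in the generated XML.
$psexec = 'C:\Tools\PsExec.exe', 'C:\Tools\PsExec64.exe'
$policyXml = Get-AppLockerFileInformation -Path $psexec |
    New-AppLockerPolicy -RuleType Publisher, Hash -RuleNamePrefix 'Block PsExec' `
                        -User Everyone -Optimize -Xml
$policyXml = $policyXml -replace 'Action="Allow"', 'Action="Deny"'
$policyPath = Join-Path $env:TEMP 'block-psexec.xml'
Set-Content -Path $policyPath -Value $policyXml -Encoding UTF8

# Merge into the existing local policy instead of replacing it. An enforced Exe
# collection that holds only this deny rule would block every executable that has no
# matching Allow rule, so the default allow rules must already be present.
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge

# AppLocker enforcement depends on the Application Identity service.
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc

# 3. Verify offline before trusting the rule: every listed file should come back Denied.
Test-AppLockerPolicy -XmlPolicy $policyPath -Path $psexec -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# 4. Hunt for prior use. PsExec installs a service named PSEXESVC on the target, which
#    lands in the System log as event 7045 (new service installed). A renamed PsExec
#    binary still registers this service name unless the operator used the -r switch,
#    so this catches default usage only.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045 } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'PSEXESVC' } |
    Select-Object TimeCreated, MachineName, Message
```

Run it from an elevated prompt. The deny rule only bites once the Exe rule collection is set to enforce (Local Security Policy or GPO), so start that collection in AuditOnly, watch the Microsoft-Windows-AppLocker/EXE and DLL log for event 8003 (would have been blocked) to confirm nothing legitimate trips it, then switch to Enabled and look for 8004 (blocked). Removing the administrative shares also breaks legitimate remote administration and some management agents that rely on ADMIN$, so test on a pilot group before rolling it out.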

Top security headlines of the week

CISA and the NSA released a joint advisory on Jan. 25 on the malicious use of legitimate remote monitoring and management (RMM) software. The advisory describes observed attacks, warns the cybersecurity community about the abuse of commercial RMM tools, and offers mitigations and indicators of compromise to watch for.

Initial Access Broker market is booming, posing growing threat to enterprises. Research shows sharp year-over-year growth in the number of initial access brokers (IABs) operating on underground forums and markets. For ransomware operators and other cybercriminals looking for quick access to enterprise networks, these brokers are the answer. (Dark Reading and Group-IB)

Can’t get enough Talos?

Upcoming events where you can find Talos

CactusCon (Jan 27-28)
Mesa, AZ

Cisco Live Amsterdam (Feb 6-10)
Amsterdam, Netherlands

Most prevalent malware files from Talos telemetry over the past week

SHA 256:
MD5: 2915b3f8b703eb744fc54c81f4a9c67f
Typical Filename: VID001.exe
Detection Name: Simple_Custom_Detection

MD5: 93fefc3e88ffb78abb36365fa5cf857c
Typical Filename: Wextract
Claimed Product: Internet Explorer
Detection Name: PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg

SHA 256:
MD5: 2c8ea737a232fd03ab80db672d50a17a
Typical Filename: LwssPlayer.scr
Claimed Product: 梦想之巅幻灯播放器
Detection Name: Auto.125E12.241442.in02

SHA 256:
MD5: 26f927fb7560c11e509f0b8a7e787f79
Typical Filename: Iris QuickLinks.exe
Claimed Product: N/A
Detection Name: W32.File.MalParent