Welcome to this week’s edition of the Threat Source newsletter.

We’re firing up the conference circuit again for 2023, kicking things off next week with the RSA Conference in San Francisco. Cisco has a ton of exciting announcements, keynotes and talks lined up for the week, but there are also plenty of Talos-focused events to take in.

We’ll be at our own booth giving “flash talks” throughout the conference and will generally be around to answer questions about Talos, provide service demos and talk about the latest security offerings from Cisco. In case you’re having a hard time finding the Cisco booth, use RSA’s map here. The main Talos team will be at North Expo N-5845 and Cisco Talos Incident Response will be at South Expo S-1027.

Here are some of the other major events at RSA that we’re taking part in.

  • Brad Garnett, the head of Cisco Talos Incident Response, is joining the Cisco Secure Security Stories podcast for a live recording on Tuesday the 25th at 11 a.m. PT inside the Customer Lounge at the Marriott Marquis. Head up to the fifth floor and look for the Sierra K room! Brad will be discussing the latest trends and attacker TTPs his team is seeing in the field.
  • Cisco has a special sponsored talk on Wednesday the 26th from 9:40 – 10:30 a.m. PT with Nick Biasini, the head of Talos Outreach, and AJ Shipley, Cisco Secure’s vice president of product management for threat, detection and response. This session will analyze why industry partnerships are a must for security to win. Come meet A.J. and Nick in the Moscone South building, or if you can’t make it, a recording will be available for RSA attendees.
  • There will be two live Beers with Talos episodes on the 26th at 2 p.m. PT and the 27th at 9 a.m. PT. Join the BWT gang for gameshows, security hot takes and general debauchery. Both recording sessions will be in the Customer Lounge.
  • If you want a chance to meet the BWT hosts and some other special Talos guest, join us in the Customer Lounge on Wednesday at 4 p.m. PT for a meet-and-greet and networking session. This is an open session with Talos experts, Beers with Talos and members of the Cisco CISO Advisory panel.
  • The latest episode of ThreatWise TV from (now Talos’ own!) Hazel Burton also has a rundown of everything you can expect from Cisco and Talos at RSA. You can also read Cisco’s preview blog post here.

The one big thing

The UK’s National Cyber Security Center (NCSC) released a report this week on a sustained campaign by a Russian intelligence agency targeting a vulnerability in routers that Cisco published a patch for in 2017. This campaign, dubbed "Jaguar Tooth," is an example of a much broader trend of sophisticated adversaries targeting networking infrastructure to advance espionage objectives or pre-position for future destructive activity. While infrastructure of all types has been observed under attack, attackers have been particularly successful in compromising infrastructure with out-of-date software.

Why do I care?

In short, there are extremely sophisticated actors who are increasingly targeting network infrastructure devices from a variety of manufacturers. Talos and Cisco are concerned that insufficient awareness and patching, the reliance on end-of-life equipment and the necessity for always-on connectivity makes too many infrastructure devices easy prey. The results of these issues range from being an unwitting participant in criminal activity to events of true national security impact.

So now what?

Relying on out-of-date gear or utilizing out-of-date protocols and technologies will eventually cost your organization. Work with your vendor to give yourself the best chance of defending your environment. Talos’ blog also has a series of recommendations for defending and updating aging network infrastructure. For the specific Jaguar Tooth campaign, users who haven’t already should patch affected devices immediately.

Top security headlines of the week

A 21-year-old was arrested for allegedly leaking sensitive Pentagon and Department of Defense documents and images on a Discord server. The images eventually made their way onto other popular social media platforms in the public eye. The U.S. military is increasingly relying on Discord and other emerging social platforms for recruitment but has become a popular place for leakers to share secrets and other sensitive information. One of the other users on the Discord server where the most recent slate of images was leaked said the alleged leaker wanted to make sure “we know what’s going on with our tax dollars,” though the user who spoke to CNN was only 17 years old.  A 2021 report from the U.S. House of Representatives found that user moderation on platforms like Discord is not enough to prevent leaks, saying “the risks of relying too much on user moderation when the userbase may not have an interest in reporting problematic content.” (Washington Post, Slate, CNN)

The U.S. Cybersecurity and Infrastructure Security Agency released new guidance for software manufacturers to adopt secure-by-design principles and make the software more secure from the start of its lifecycle rather than being tacked on as later patches. Some of the major recommendations include having companies take ownership of the security implications of their products, embracing “radical transparency” toward security issues and ensuring there is support from company leadership to prioritize product security.  Other federal agencies from Australia, Canada, the United Kingdom, Germany, Netherlands and New Zealand published similar guidelines. (FedScoop, CISA)

Montana is set to be the first U.S. state to ban downloads of the popular social media app TikTok, citing security and data privacy concerns related to the app’s Chinese owners. The bill, which is set to be signed into law soon, is likely to spark a Constitutional debate around First Amendment freedom of speech protections and national digital privacy law. The state is likely to also face technical challenges around restricting downloads, and access to, the app. Company representatives from TikTok called the bill an "attempt to censor American voices” and “egregious government overreach.” A similar ban is being considered in U.S. Congress but faces a more uphill battle than in Montana’s Republican-controlled legislature. (Wired, Buzzfeed)

Can’t get enough Talos?

Upcoming events where you can find Talos

RSA (April 24 - 27)

San Francisco, CA

Cisco Talos Incident Response: On Air (April 27)


Cisco Live U.S. (June 4 - 8)

Las Vegas, NV

Most prevalent malware files from Talos telemetry over the past week

SHA 256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507
MD5: 2915b3f8b703eb744fc54c81f4a9c67f
Typical Filename: VID001.exe
Claimed Product: N/A
Detection Name: Win.Worm.Coinminer::1201

SHA 256: e248b01e3ccde76b4d8e8077d4fcb4d0b70e5200bf4e738b45a0bd28fbc2cae6
MD5: 1e2a99ae43d6365148d412b5dfee0e1c
Typical Filename: PDFpower.exe
Claimed Product: PdfPower
Detection Name: Win32.Adware.Generic.SSO.TALOS

SHA 256: e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934
MD5: 93fefc3e88ffb78abb36365fa5cf857c
Typical Filename: Wextract
Claimed Product: Internet Explorer
Detection Name: PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg

SHA 256: 00ab15b194cc1fc8e48e849ca9717c0700ef7ce2265511276f7015d7037d8725
MD5: d47fa115154927113b05bd3c8a308201
Typical Filename: mssqlsrv.exe
Claimed Product: N/A
Detection Name: Trojan.GenericKD.65065311

SHA 256: 4ad8893f8c7cab6396e187a5d5156f04d80220dd386b0b6941251188104b2e53
MD5: cdd331078279960a1073b03e0bb6fce4
Typical Filename: mediaget.exe
Claimed Product: MediaGet
Detection Name: W32.DFC.MalParent