Welcome to this week’s edition of the Threat Source newsletter.

I’m writing this earlier in the week as I get ready for some personal travel (everyone is lucky I passed on writing another Cybersecurity Mock Draft), so apologies if I miss anything major that happens at RSA.

But Cisco beat everyone to the punch Monday morning anyway, making a slew of major announcements on RSA travel day. By the time you’re reading this, it’s still not too late to track down someone from our team if you want to learn more. (Read last week’s newsletter for more on that.)

Cisco Duo announced that all paid customers of its service can now use Trusted Endpoints to block access from unknown devices.

Duo is also re-introducing three editions of the product: Duo Essentials, Duo Advantage and Duo Premier. Even with the added security features announced Monday, the price-per-user is not rising, giving customers strong security at an unmatched value.

Cisco also announced its new extended detection and response (XDR) platform – Cisco XDR. This new offering combines users’ endpoint, network and application telemetry with customized detection based on their environment. This platform will detect threats in an environment that many other point products can’t see on their own.

Hazel Burton from Talos has a new episode of ThreatWise TV out this week discussing XDR, including an interview with a current enterprise XDR user. Nick Biasini, Talos’ head of outreach, is also on that episode to discuss how Cisco XDR is adapting to current attacker tactics, techniques and procedures.

The one big thing

More information and research is still coming out around the 3CX supply chain attack. A new report indicates that it was actually two supply chain attacks linked together. The adversaries involved in the 3CX compromise first backdoored another application, which it then used to infiltrate 3CX and send out a malicious, fake update there. Additional reporting indicates that these same state-sponsored actors also infiltrated several critical infrastructure networks with a backdoor during this same campaign.

Why do I care?

This news further highlights why it’s so important to plan for and defend against supply chain attacks. These are increasingly popular attacks that state-sponsored, well-funded adversaries are clearly using in the wild to target multiple sectors and industries.

So now what?

I already outlined several important steps to take that any organization can take to prepare for a supply chain attack. This recent Talos Takes episode with Craig Jackson of Cisco Talos Incident Response also provides valuable advice for organizations of all sizes.

Top security headlines of the week

AI-generated spam is already hitting email inboxes, Amazon reviews and social media posts. Security researchers and reporters have already spotted several instances where AI chat bots like ChatGPT are used to write fake reviews for popular Amazon products or even post tweets. Many of these reviews have a dead giveaway because they include the phrase “I cannot generate inappropriate content,” a message ChatGPT usually sends back when explicitly asked to generate spam or something with hateful content. Other AI models are learning to scan targets’ social media profiles to quickly learn and assume things such as political affiliation and employment status to create hyper-targeted spam and phishing. Experts warn this could lead to the further proliferation of fake news, misinformation and scams. (Vice, Gizmodo)

Exploit code for a 9.8-severity vulnerability in the PaperCut printer management software went online this week, potentially increasing the likelihood that attackers will try to exploit it in the wild. Although Cut disclosed this vulnerability and released a patch in March, many instances remain unpatched. CVE-2023-27350 is an improper access control issue in the SetupCompleted class of PaperCut MF/NG. An adversary could exploit this vulnerability to bypass authentication and execute arbitrary code with System-level privileges. Security researchers found attackers using this vulnerability to install two pieces of malicious remote management software. PaperCut users should ensure they are using PaperCut MF and NG versions 20.1.7, 21.2.11, and 22.0.9. (Ars Technica, SecurityWeek)

U.S. law enforcement and intelligence agencies are increasingly prioritizing disrupting dark web networks and forums versus arresting admins and users. U.S. Deputy Attorney General Lisa Monaco said during a talk at the RSA conference this week that prosecutors and investigators are being directed to have a “bias toward action to disrupt and prevent, to minimize that harm if it’s ongoing” and to “take that action to prevent that next victim.” That being said, the recent seizure of Genesis Market, a popular dark web forum, highlights how law enforcement is becoming better at unmasking many of these sites’ creators and making users’ activities less anonymous. (CyberScoop, SC Media)

Can’t get enough Talos?

Upcoming events where you can find Talos

Cisco Live U.S. (June 4 - 8)

Las Vegas, NV

Most prevalent malware files from Talos telemetry over the past week


SHA 256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507
MD5: 2915b3f8b703eb744fc54c81f4a9c67f
Typical Filename: VID001.exe
Claimed Product: N/A
Detection Name: Win.Worm.Coinminer::1201

SHA 256: e248b01e3ccde76b4d8e8077d4fcb4d0b70e5200bf4e738b45a0bd28fbc2cae6
MD5: 1e2a99ae43d6365148d412b5dfee0e1c
Typical Filename: PDFpower.exe
Claimed Product: PdfPower
Detection Name: Win32.Adware.Generic.SSO.TALOS

SHA 256: e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934
MD5: 93fefc3e88ffb78abb36365fa5cf857c
Typical Filename: Wextract
Claimed Product: Internet Explorer
Detection Name: PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg

SHA 256: 00ab15b194cc1fc8e48e849ca9717c0700ef7ce2265511276f7015d7037d8725
MD5: d47fa115154927113b05bd3c8a308201
Typical Filename: mssqlsrv.exe
Claimed Product: N/A
Detection Name: Trojan.GenericKD.65065311

SHA 256: 4ad8893f8c7cab6396e187a5d5156f04d80220dd386b0b6941251188104b2e53
MD5: cdd331078279960a1073b03e0bb6fce4
Typical Filename: mediaget.exe
Claimed Product: MediaGet
Detection Name: W32.DFC.MalParent