Welcome to this week’s edition of the Threat Source newsletter.

The time has come once again for all of us (well, not me specifically but lots of other Talos people) to descend on Las Vegas for Hacker Summer Camp. Cisco Talos will be well-represented at BlackHat and DEF CON over the course of the next few weeks with a slew of presentations, demos and appearances to speak to the security community.

As always, we’ll be at the Cisco booth at BlackHat, located just north of the main entrance (it’s #1532 if you’re searching!). If you need help finding us, download the BlackHat app to see a map of the entire conference. Talos researchers will be at the booth throughout the conference to give lightning talks on a wide range of topics — everything from machine learning to the basics of spotting phishing emails. New talks will take place every other half hour starting at 10 a.m. local time on Wednesday.

We’ll also have a presence at the BlackHat Career Zone — diagonal from Startup City on the show floor at Kiosk #CZ2 — throughout the conference, where you can talk to us about current job openings, ask for advice on career advancement or just talk about future opportunities for how you could become part of our team. On Thursday, Aug. 10, from 10 a.m. - noon local time, we’ll have Talos hiring managers at the Cisco booth to also talk about potential job opportunities.

The highlight of BlackHat is our sponsored talk on Aug. 9 at 11:30 a.m. local time in Business Hall Theater A. Nick Biasini, our head of Outreach, joins Cisco’s Vice President of Product Management for Threat, Detection and Response A.J. Shipley to talk about Cisco XDR. Learn how the newest offering from Cisco Secure combines telemetry from multiple sources and applies analytics to uncover malicious activities and attacker tactics, techniques and procedures (TTPs).

The following week at DEF CON, Vitor Ventura and Asheer Malhotra will be at the Crypto and Privacy Village, delivering a talk on “Mercenary” threat actors and the spyware they create on the Saturday of the conference at 6 p.m. local time. Asheer and Vitor have written extensively about this topic and why the malware these actors create and sell is potentially more dangerous than “traditional” spyware.

Keep an eye out on our Twitter (or X, whatever we’re calling it) for more information about a live Beers with Talos podcast recording and other opportunities to ask our researchers questions.

If you're flying out to Vegas for either conference, make sure to bookmark our Half-Year in Review to read during your travels. It is a great overview of the top threats of 2023 so far and looks at where the cybersecurity landscape might head next.

The one big thing

Since the discovery of the high-profile VPNFilter malware in 2018, our vulnerability research team has had a renewed focus on small and home office (SOHO) wireless routers. These devices are present in almost every home and business in the modern world because they connect the many devices people own and rely on today to the internet. Over the past four-plus years, Talos worked with multiple vendors to disclose and patch nearly 290 CVEs in a wide range of products and libraries these routers use. This week, we released a full rundown of all these vulnerabilities and the major takeaways for users and the manufacturers behind these products.

Why do I care?

Given the privileged position these devices occupy on the networks they serve, they are prime targets for attackers, so their security posture is of paramount importance. However, they are also often deployed without a sophisticated security team in place to mitigate vulnerabilities. These routers are usually connected to the internet directly and all local network traffic passes through these devices. Since VPNFilter, Talos has investigated 13 SOHO and industrial routers from various vendors. Our reports to these vendors resulted in appropriate Snort network intrusion detection coverage and several security fixes from each vendor. These fixes help customers who deploy Cisco Secure solutions and improve the security posture of anyone using these devices once the vulnerabilities are patched.

So now what?

The most important security step a user of these devices can take is to assess each service present on the device. Verify that each service running is required for the day-to-day operation of each device and disable all extraneous services. Services that cannot be disabled should be restricted to absolute minimal access or completely blocked using alternative methods, such as firewall rules to block traffic. During the acquisition process, if possible, basic research should be done to ensure the devices have sane, secure defaults enabled, such as the use of encrypted protocols for remote access and administration, if applicable.
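The audit described above (inventory every listening service, keep only what day-to-day operation needs, firewall what cannot be disabled, and insist on encrypted administration) can be made repeatable with a small script. The following Python is an added example written for this newsletter, not Talos code or any vendor's tooling: the `netstat -tuln` listing, the port-to-service map, the list of required services and the "cannot be disabled" set are all constructed assumptions for the demonstration and should be replaced with what your own device actually runs and what your deployment actually needs.

```python
"""Audit a SOHO router's listening services against a required-services list.

Added example. The netstat text, service map, REQUIRED set and CANNOT_DISABLE
set below are constructed assumptions, not data from any real device.
"""
import re
from dataclasses import dataclass

# Constructed sample resembling BusyBox `netstat -tuln` output on a router.
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.1:53          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:7547            0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:1900            0.0.0.0:*
udp        0      0 192.168.1.1:53          0.0.0.0:*
udp        0      0 0.0.0.0:67              0.0.0.0:*
udp        0      0 0.0.0.0:161             0.0.0.0:*
"""

# (proto, port) -> (service name, carries admin traffic or credentials in cleartext?)
# Assumed mapping for the demonstration; adjust to the device under review.
KNOWN_SERVICES = {
    ("tcp", 23): ("telnet", True),
    ("tcp", 80): ("http-admin", True),
    ("tcp", 443): ("https-admin", False),
    ("tcp", 53): ("dns", False),
    ("udp", 53): ("dns", False),
    ("udp", 67): ("dhcp", False),
    ("udp", 1900): ("upnp-ssdp", False),
    ("udp", 161): ("snmp", True),
    ("tcp", 7547): ("tr-069-cwmp", False),
}

# Services this (hypothetical) deployment needs for day-to-day operation.
REQUIRED = {"dns", "dhcp", "https-admin"}
# Services the (hypothetical) firmware offers no switch for; these get a
# firewall-restriction recommendation instead of a disable recommendation.
CANNOT_DISABLE = {"tr-069-cwmp"}
ALL_INTERFACES = {"0.0.0.0", "::"}


@dataclass(frozen=True)
class Finding:
    proto: str
    port: int
    service: str
    bind: str
    action: str  # keep | disable | restrict | replace-with-encrypted


LINE_RE = re.compile(r"^(tcp|udp)\s+\d+\s+\d+\s+(\S+):(\d+)\s+")


def parse_listeners(netstat_text):
    """Yield (proto, bind_address, port) for each listening-socket line."""
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group(1), m.group(2), int(m.group(3))


def audit(netstat_text, required=REQUIRED, cannot_disable=CANNOT_DISABLE):
    """Classify every listener: keep it, disable it, firewall it, or swap it
    for its encrypted equivalent."""
    findings = []
    for proto, bind, port in parse_listeners(netstat_text):
        service, cleartext = KNOWN_SERVICES.get((proto, port), (f"unknown/{port}", False))
        if service in required:
            if cleartext:
                action = "replace-with-encrypted"   # required, but unencrypted protocol
            elif bind in ALL_INTERFACES:
                action = "restrict"                 # required, but reachable from every interface
            else:
                action = "keep"
        elif service in cannot_disable:
            action = "restrict"                     # cannot turn off: block with firewall rules
        else:
            action = "disable"                      # extraneous (unknown ports included)
        findings.append(Finding(proto, port, service, bind, action))
    return findings


def summarize(findings):
    """Group findings by recommended action as sorted 'proto/port service' strings."""
    report = {}
    for f in findings:
        report.setdefault(f.action, []).append(f"{f.proto}/{f.port} {f.service}")
    return {action: sorted(items) for action, items in report.items()}


if __name__ == "__main__":
    for action, items in summarize(audit(SAMPLE_NETSTAT)).items():
        print(f"{action}:")
        for item in items:
            print(f"  {item}")
```

Unknown ports deliberately fall into the "disable" bucket: a listener nobody can name is exactly the kind of extraneous service the paragraph says to remove or block, and the report forces someone to justify it before it is allowlisted. Re-running the audit after every firmware update catches services a vendor re-enables.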

Top security headlines of the week

American military officials and cybersecurity experts are actively hunting for malware that is reportedly loaded onto systems belonging to major power and water suppliers and communications systems that service U.S. military bases. A new report from the New York Times states that the malware is a “ticking time bomb” that could disrupt U.S. military operations in the event of a direct or indirect military conflict with China. Sources in the report indicated that the malware comes from a Chinese state-sponsored actor that may be working for the People’s Liberation Army. While the government is still actively hunting for the malicious code, it is apparently hidden deep within targeted networks and has taken months to find. Microsoft and the White House disclosed that Chinese state-sponsored actors accessed the emails of at least two dozen American organizations, including some federal government agencies. (The New York Times, CNN)

The effects of the MOVEit data breach continue to spread. Government contractor Maximus disclosed last week that, although its systems were not directly affected by the Clop ransomware gang’s attack on the MOVEit file transfer software, as many as 8 million to 11 million individuals’ personal information may have been compromised. The company said in a filing to the U.S. Securities and Exchange Commission that attackers may have accessed files that “contain personal information, including Social Security numbers, protected health information, and/or other personal information, of at least 8-to-11 million individuals.” Clop claims on its leak site that it stole 169 GB of data from Maximus. More than 200 organizations have reportedly been affected by the MOVEit breach. (TechCrunch, Dark Reading)

Russian state-sponsored actors are suspected to be behind a series of denial-of-service attacks against multiple Italian banks on Wednesday, leaving many consumers unable to access their accounts. Italy’s cybersecurity agency said at least five banks were affected, though they were able to restore services fairly quickly. The group NoName057(16) took credit for the attacks on its Telegram channels, accusing Italian government officials of being anti-Russian and supporting Ukraine. Security researchers said the DDoS attacks caused “short-lived disruption with little to no wider consequence.” Actors with potential links to Russia have been behind several recent high-profile denial-of-service attacks, including against video game company Blizzard and Microsoft Outlook. (Reuters, The Record by Recorded Future)

Can’t get enough Talos?

Upcoming events where you can find Talos

BlackHat (Aug. 5 - 10)

Las Vegas, Nevada

Grace Hopper Celebration (Sept. 26 - 29)

Orlando, Florida

Caitlin Huey, Susan Paskey and Alexis Merritt present a "Level Up Lab" titled "Don’t Fail Knowledge Checks: Accelerating Incident Response with Threat Intelligence." Participate in several fast-paced activities that emphasize the importance of threat intelligence in security incident investigations. Attendees will act as incident responders investigating a simulated incident that unfolds throughout this session. Periodic checkpoints will include discussions that highlight how incident response and threat intelligence complement each other during an active security investigation.

ATT&CKcon 4.0 (Oct. 24 - 25)

McLean, Virginia

Nicole Hoffman and James Nutland discuss the MITRE ATT&CK framework in “One Leg to Stand on: Adventures in Adversary Tracking with ATT&CK.” Even though ATT&CK has become an industry standard for cyber threat intelligence reporting, all too often, techniques are thrown at the bottoms of reports and blogs without any context, never to be seen again after dissemination. This is not useful for intelligence producers or consumers. In this presentation, Nicole and James will show analysts how to use ATT&CK as a guideline for creating a contextual knowledge base for adversary tracking.

Most prevalent malware files from Talos telemetry over the past week

SHA 256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507
MD5: 2915b3f8b703eb744fc54c81f4a9c67f
Typical Filename: VID001.exe
Claimed Product: N/A
Detection Name: Win.Worm.Coinminer::1201

SHA 256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91
MD5: 7bdbd180c081fa63ca94f9c22c457376
Typical Filename: c0dwjdi6a.dll
Claimed Product: N/A
Detection Name: Trojan.GenericKD.33515991

SHA 256: 7bf7550ae929d6fea87140ab70e6444250581c87a990e74c1cd7f0df5661575b
MD5: f5e908f1fac5f98ec63e3ec355ef6279
Typical Filename: IMG001.exe
Claimed Product: N/A
Detection Name: Win.Dropper.Coinminer::tpd

SHA 256: 5616b94f1a40b49096e2f8f78d646891b45c649473a5b67b8beddac46ad398e1
MD5: 3e10a74a7613d1cae4b9749d7ec93515
Typical Filename: IMG001.exe
Claimed Product: N/A
Detection Name: Win.Dropper.Coinminer::1201

SHA 256: e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c
MD5: a087b2e6ec57b08c0d0750c60f96a74c
Typical Filename: AAct.exe
Claimed Product: N/A
Detection Name: PUA.Win.Tool.Kmsauto::1201