Welcome to this week’s edition of the Threat Source newsletter.

If you haven’t noticed yet, we’ve had a few guest writers on this newsletter over the last few months. Alas, my time covering the newsletter has ended, and I leave you with one final edition. Have no fear: William Largent will be rounding out the guest appearances next week, and your long-time host Jon Munshaw will be back at the helm. Thanks for sticking with us this long, and if you’re newly subscribed, welcome!

The one big thing

Next week brings the final installment of our 2022 Year in Review coverage. We’ll publish a final topic summary on ransomware and commodity loaders, and follow up these reports with a livestream on LinkedIn and Twitter featuring experts on the report and its subject matter.

Why do I care?

We published our full 2022 Year in Review in early December. If you haven’t read it yet, we highly suggest you download your copy here or check out our previous livestreams. Through these reports and videos we’ve broken down the threat landscape and the trends Talos observed over 2022. What’s that saying, history repeats itself? Take a minute to look back and prepare for what lies ahead in 2023.

So now what?

Mark your calendar for our fourth and final livestream on Tuesday, February 7, at 12 p.m. EST. Read the report, browse the topic summaries, or watch our livestreams on demand. Looking for extra credit? Read through Talos’ Head of Outreach Nick Biasini’s predictions for state-sponsored attacks in 2023.

Top security headlines of the week

Back from the dead yet again, a new Lazarus campaign has been found exploiting unpatched Zimbra servers to target medical research and energy organizations, along with their supply chain partners, in an attempt to gather intelligence. The unpatched servers give the threat actors their initial network access, from which they escalate privileges. (SC Media)

Google’s own mobile virtual network operator (MVNO), Google Fi, made headlines after a customer data breach that originated with T-Mobile. Google Fi switches between underlying cellular providers, T-Mobile and US Cellular, to give customers continuous coverage. The breach reportedly happened in November 2022 but wasn’t discovered until early January 2023. Customers have been notified, but many questions remain, such as whether users are still exposed. (TechCrunch)

Surprising quite literally no one, ChatGPT has set a record for the fastest-growing user base in history, reaching an estimated 100 million monthly active users in January, just two months after launch (yet every time I try to get it to write this newsletter it says the app is at capacity…). Whether you’re a user, a skeptic, or simply don’t care, ChatGPT has stirred up a lot of attention lately, and we’ll all just have to keep an eye on how it evolves. (Ars Technica)

Can't get enough Talos?

· State Sponsored Attacks in 2023 and Beyond

· Quarterly Report: Incident Response Trends in Q4 2022

· CTIR On Air: Reviewing Q4's top threats livestream

· Threat Landscape Topic Summary Report: Cisco Talos Year in Review 2022

· 2022 Year in Review: Threat Landscape Livestream

Upcoming events where you can find Talos

Cisco Live Amsterdam (Feb 6-10)

Amsterdam, Netherlands

WiCyS (March 16-18, 2023)

RSA (April 24-27, 2023)

San Francisco, CA

Most prevalent malware files from Talos telemetry over the past week

SHA 256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507

MD5: 2915b3f8b703eb744fc54c81f4a9c67f

Typical Filename: VID001.exe

Claimed Product: n/a

Detection Name: Simple_Custom_Detection

SHA 256: 00ab15b194cc1fc8e48e849ca9717c0700ef7ce2265511276f7015d7037d8725

MD5: d47fa115154927113b05bd3c8a308201

Typical Filename: msaccess.exe

Claimed Product: n/a

Detection Name: Trojan.GenericKD

SHA 256: e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c

MD5: a087b2e6ec57b08c0d0750c60f96a74c

Typical Filename: aact.exe

Claimed Product: n/a

Detection Name: W32.File.MalParent

SHA 256: 125e12c8045689bb2a5dcad6fa2644847156dec8b533ee8a3653b432f8fd5645

MD5: 2c8ea737a232fd03ab80db672d50a17a

Typical Filename: LwssPlayer

Claimed Product: 梦想之巅幻灯播放器

Detection Name: Auto.125E12.241442.in02

SHA 256: e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934

MD5: 93fefc3e88ffb78abb36365fa5cf857c

Typical Filename: Wextract

Claimed Product: Internet Explorer

Detection Name: PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg
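Added example, not part of the original newsletter and not Talos tooling: a small Python matcher that parses the hash list above into one record per file, rejects any SHA-256 or MD5 that is not a well-formed hex digest (a common way copy-pasted IoC feeds go wrong), and checks a file's digests against the list. The hashes are the ones printed above; the sample bytes and the "Constructed.Test" record are constructed for the example so the positive path can run offline without any real malware.

```python
"""Hash-based IoC matching against the Talos "most prevalent malware files" list.

Added example, not code from the newsletter or from Talos. The SHA-256/MD5
values in TALOS_IOC_TEXT are copied from the newsletter; the sample bytes
below are constructed and are NOT real malware.
"""
import hashlib
import re
from typing import Dict, List, Optional

# IoC entries copied from the newsletter (same "Label: value" layout, including
# the stray double spaces the page has after some colons).
TALOS_IOC_TEXT = """
SHA 256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507
MD5: 2915b3f8b703eb744fc54c81f4a9c67f
Typical Filename: VID001.exe
Claimed Product: n/a
Detection Name: Simple_Custom_Detection

SHA 256: 00ab15b194cc1fc8e48e849ca9717c0700ef7ce2265511276f7015d7037d8725
MD5:  d47fa115154927113b05bd3c8a308201
Typical Filename: msaccess.exe
Claimed Product: n/a
Detection Name: Trojan.GenericKD

SHA 256: e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c
MD5: a087b2e6ec57b08c0d0750c60f96a74c
Typical Filename: aact.exe
Claimed Product: n/a
Detection Name: W32.File.MalParent

SHA 256:  125e12c8045689bb2a5dcad6fa2644847156dec8b533ee8a3653b432f8fd5645
MD5: 2c8ea737a232fd03ab80db672d50a17a
Typical Filename: LwssPlayer
Claimed Product:  梦想之巅幻灯播放器
Detection Name: Auto.125E12.241442.in02

SHA 256: e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934
MD5: 93fefc3e88ffb78abb36365fa5cf857c
Typical Filename: Wextract
Claimed Product:  Internet Explorer
Detection Name: PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg
"""

HEX_LENGTHS = {"sha256": 64, "md5": 32}
LABELS = {"sha 256": "sha256", "md5": "md5", "typical filename": "filename",
          "claimed product": "product", "detection name": "detection"}


def normalize_hash(kind: str, value: str) -> str:
    """Lower-case a digest and reject anything that is not hex of the right length."""
    h = value.strip().lower()
    if not re.fullmatch(r"[0-9a-f]{%d}" % HEX_LENGTHS[kind], h):
        raise ValueError(f"malformed {kind}: {value!r}")
    return h


def parse_ioc_list(text: str) -> List[Dict[str, str]]:
    """One dict per file; a 'SHA 256:' line starts a new record. Unknown labels are ignored."""
    records: List[Dict[str, str]] = []
    for line in text.splitlines():
        label, sep, value = line.partition(":")   # first colon only; detection names may contain "::"
        key = LABELS.get(label.strip().lower()) if sep else None
        if key is None:
            continue
        if key == "sha256":
            records.append({})
        if not records:
            raise ValueError(f"{label.strip()!r} appears before any SHA 256 line")
        records[-1][key] = normalize_hash(key, value) if key in HEX_LENGTHS else value.strip()
    return records


def build_index(records: List[Dict[str, str]]) -> Dict[str, Dict[str, str]]:
    """Map every known digest (SHA-256 and MD5) to its record for O(1) lookups."""
    return {rec[kind]: rec for rec in records for kind in HEX_LENGTHS if kind in rec}


def hash_bytes(data: bytes) -> Dict[str, str]:
    return {"sha256": hashlib.sha256(data).hexdigest(), "md5": hashlib.md5(data).hexdigest()}


def check_sample(data: bytes, index: Dict[str, Dict[str, str]]) -> Optional[Dict[str, str]]:
    """Return the matching IoC record, or None. SHA-256 is authoritative; an MD5-only hit is
    still returned but tagged 'md5-only' because MD5 collisions are cheap to manufacture."""
    digests = hash_bytes(data)
    if digests["sha256"] in index:
        return dict(index[digests["sha256"]], match="sha256")
    if digests["md5"] in index:
        return dict(index[digests["md5"]], match="md5-only")
    return None


# Constructed sample plus a record derived from it at runtime, so the positive path can be
# exercised without real malware (assumption for this example only).
CONSTRUCTED_SAMPLE = b"constructed test bytes, not a real malware file"
CONSTRUCTED_RECORD = dict(hash_bytes(CONSTRUCTED_SAMPLE), filename="sample.bin", detection="Constructed.Test")

TALOS_INDEX = build_index(parse_ioc_list(TALOS_IOC_TEXT) + [CONSTRUCTED_RECORD])

if __name__ == "__main__":
    print(check_sample(CONSTRUCTED_SAMPLE, TALOS_INDEX))  # Constructed.Test, matched on sha256
    print(check_sample(b"benign bytes", TALOS_INDEX))     # None
```

Treat a hash hit as a high-confidence, low-coverage signal: any recompile or repack of the same family changes both digests, and "Typical Filename" on its own (msaccess.exe, Wextract) collides with legitimate software, so it should narrow a hunt rather than trigger on its own.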