Welcome to this week’s edition of the Threat Source newsletter.
Our hearts are with the people of Turkey and Syria and all those impacted by the tragic earthquake. The Cisco Foundation has launched a matching campaign to support local disaster relief organizations. As a person, it’s always difficult to find impactful ways to help people so far removed from us. As a security practitioner, it’s my duty to remind you that criminals will exploit your empathy and this situation for their own profit. Be acutely aware of phishing scams, malvertising, and typosquats that will leverage your kindness for their gain. Give freely, but take a moment when you do to ensure that you are donating to sources that can help and, above all, that you aren’t padding the pockets of cybercriminals.
The one big thing
Ransomware and commodity loaders remain at the forefront of the threat landscape. The ransomware space is dynamic, continually adapting to changes in the geopolitical environment, actions by defenders, and efforts by law enforcement. This leads groups to rebrand under different names, shut down operations, and form new strategic partnerships. Cisco Talos observed several related trends across 2022, and this activity is highlighted in the Ransomware and Commodity Loader Topic Summary Report.
Why do I care?
Understanding the most recent trends in ransomware, including the goals, victimology, and TTPs, will increase your ability to defend against, understand, and react to these events. We've seen seismic shifts in how state-sponsored actors attack, and this will migrate to every level of threat actor.
So now what?
Education is key and continuing to follow the research that Talos releases and validating your environment against that research is critical.
Top security headlines of the week
This week, the Dutch national police shut down the criminal messaging service Exclu in conjunction with a sweeping crackdown that included 79 searches and 42 arrests in the Netherlands, Germany, and Belgium. The shutdown highlights the effort authorities are putting into disrupting the use of messaging apps in the cybercriminal ecosystem. This particular service was unique in that it was exclusively the domain of cybercriminals and drug dealers, but it offers a glimpse into the evolving communication methods of cybercrime in 2023. (DarkReading)
Exploit code has been released for an actively exploited zero-day vulnerability affecting Internet-exposed GoAnywhere MFT administrator consoles. GoAnywhere MFT is a web-based managed file transfer tool designed to help organizations transfer files securely with partners and keep audit logs of who accessed the shared files. (Bleepingcomputer)
Can’t get enough Talos?
- https://blog.talosintelligence.com/ransomware-and-commodity-loader-topic-summary-report-cisco-talos-year-in-review-2022/
- https://blog.talosintelligence.com/threat-landscape-topic-summary-report-cisco-talos-year-in-review-2022/
- https://talosintelligence.com/podcasts/shows/beers_with_talos
Upcoming events where you can find Talos
Cisco Live Amsterdam (Feb 6-10)
Amsterdam, Netherlands
WiCyS (March 16-18, 2023)
Denver, CO
RSA (April 24-27, 2023)
San Francisco, CA
Most prevalent malware files from Talos telemetry over the past week
SHA 256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507
MD5: 2915b3f8b703eb744fc54c81f4a9c67f
Typical Filename: A9CE7F0974.tmp
Claimed Product: n/a
Detection Name: Simple_Custom_Detection
SHA 256: e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934
MD5: 93fefc3e88ffb78abb36365fa5cf857c
Typical Filename: Wextract
Claimed Product: Internet Explorer
Detection Name: W32.File.MalParent
SHA 256: 125e12c8045689bb2a5dcad6fa2644847156dec8b533ee8a3653b432f8fd5645
MD5: 2c8ea737a232fd03ab80db672d50a17a
Typical Filename: software.Scr
Claimed Product: 梦想之巅幻灯播放器
Detection Name: Auto.125E12.241442.in02
SHA 256: e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934
MD5: 93fefc3e88ffb78abb36365fa5cf857c
Typical Filename: Wextract
Claimed Product: Internet Explorer
Detection Name: PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg
SHA 256: de3908adc431d1e66656199063acbb83f2b2bfc4d21f02076fe381bb97afc423
MD5: 954a5fc664c23a7a97e09850accdfe8e
Typical Filename: teams15
Claimed Product: n/a
Detection Name: Gen:Variant.MSILHeracles.59885
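A practical way to use the hash list above is to turn it into a lookup table and sweep it across your own endpoint or EDR logs. The script below is an added example written for this newsletter, not Talos tooling: it embeds the five entries exactly as printed, merges the Wextract sample that appears twice under two detection names, indexes every SHA-256 and MD5, and then scans a handful of constructed (not real) log lines for any of those hashes. Field names such as md5= and sha256= in the sample log lines are assumptions about a generic key=value log format.

```python
import re

# The five entries from the "Most prevalent malware files" list above,
# embedded verbatim so the script runs offline.
TALOS_IOC_TEXT = """\
SHA 256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507
MD5: 2915b3f8b703eb744fc54c81f4a9c67f
Typical Filename: A9CE7F0974.tmp
Claimed Product: n/a
Detection Name: Simple_Custom_Detection
SHA 256: e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934
MD5: 93fefc3e88ffb78abb36365fa5cf857c
Typical Filename: Wextract
Claimed Product: Internet Explorer
Detection Name: W32.File.MalParent
SHA 256: 125e12c8045689bb2a5dcad6fa2644847156dec8b533ee8a3653b432f8fd5645
MD5: 2c8ea737a232fd03ab80db672d50a17a
Typical Filename: software.Scr
Claimed Product: 梦想之巅幻灯播放器
Detection Name: Auto.125E12.241442.in02
SHA 256: e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934
MD5: 93fefc3e88ffb78abb36365fa5cf857c
Typical Filename: Wextract
Claimed Product: Internet Explorer
Detection Name: PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg
SHA 256: de3908adc431d1e66656199063acbb83f2b2bfc4d21f02076fe381bb97afc423
MD5: 954a5fc664c23a7a97e09850accdfe8e
Typical Filename: teams15
Claimed Product: n/a
Detection Name: Gen:Variant.MSILHeracles.59885
"""


def parse_ioc_list(text):
    """Parse the newsletter's 'key: value' blocks into records keyed by SHA-256.
    A 'SHA 256:' line starts a record; a hash listed twice (Wextract above,
    under two detection names) is merged so every detection name survives."""
    records = {}
    current = None
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "sha 256":
            sha = value.lower()
            current = records.setdefault(sha, {"sha256": sha, "detections": []})
        elif current is None:
            continue
        elif key == "md5":
            current["md5"] = value.lower()
        elif key == "typical filename":
            current["filename"] = value
        elif key == "claimed product":
            current["product"] = value
        elif key == "detection name" and value not in current["detections"]:
            current["detections"].append(value)
    return records


def build_index(records):
    """Map every known hash (SHA-256 and MD5) to its record, so logs that
    only report MD5 can still be matched."""
    index = {}
    for rec in records.values():
        index[rec["sha256"]] = rec
        if "md5" in rec:
            index[rec["md5"]] = rec
    return index


# Any 64- or 32-character hex token, wherever it appears in a log line.
HASH_RE = re.compile(r"\b([0-9a-fA-F]{64}|[0-9a-fA-F]{32})\b")


def scan_log_lines(lines, index):
    """Return (line_number, hash, record) for each log line carrying a known hash."""
    hits = []
    for n, line in enumerate(lines, 1):
        for h in HASH_RE.findall(line):
            rec = index.get(h.lower())
            if rec is not None:
                hits.append((n, h.lower(), rec))
    return hits


IOC_RECORDS = parse_ioc_list(TALOS_IOC_TEXT)
IOC_INDEX = build_index(IOC_RECORDS)

# Constructed sample log lines (not real telemetry): line 1 reports only an
# MD5, line 2 is a benign process with an all-zero placeholder hash, line 3
# reports a SHA-256 from the list.
SAMPLE_LOG = [
    "2023-02-09T10:14:03Z host=ws-17 event=file_write path=C:\\Users\\u\\AppData\\Local\\Temp\\A9CE7F0974.tmp md5=2915b3f8b703eb744fc54c81f4a9c67f",
    "2023-02-09T10:15:11Z host=ws-17 event=process_start image=C:\\Windows\\System32\\notepad.exe sha256=0000000000000000000000000000000000000000000000000000000000000000",
    "2023-02-09T10:16:40Z host=srv-02 event=file_write path=C:\\ProgramData\\teams15 sha256=de3908adc431d1e66656199063acbb83f2b2bfc4d21f02076fe381bb97afc423",
]

if __name__ == "__main__":
    for n, h, rec in scan_log_lines(SAMPLE_LOG, IOC_INDEX):
        print(f"line {n}: {h} -> {rec.get('filename')} ({', '.join(rec['detections'])})")
```

SHA-256 is the key you should act on; MD5 is indexed only because many log sources still emit nothing else, and an MD5-only match is weaker evidence that deserves confirmation against the full hash before any response action.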