Welcome to this week’s edition of the Threat Source newsletter.

Between the White House’s recent meeting, countless conference talks and report after report warning of cybersecurity burnout, there’s been a ton of talk recently around the cybersecurity skills gap and hiring.

Everyone wants to know the magic ticket for increasing hiring at their cybersecurity practice without hiring someone with under-developed skills who could leave clients open to attack. This is not a problem exclusive to cybersecurity, but I do find it interesting that there’s been so much talk about the problems the cybersecurity workforce faces and not much about actual solutions.

I think a good place to start would be to change the meaning of what an “entry-level” position truly is in security. I came into this field with zero security experience from the domain of journalism. My family considered me to be “a computer guy” just because I was good at searching the internet for public information as a journalist. Granted, I’m no security expert four years into this, but between internal mentorships and educational support outside of the company, I can at least write a basic ClamAV signature and could talk to a CEO about the difference between ransomware and business email compromise. Imagine what someone who at least knew what Kali Linux was before their first day could do with that same amount of time.

I decided to go on LinkedIn and search for “entry-level” cybersecurity roles by literally clicking a box in the search function. Granted, this could be the LinkedIn algorithm serving me jobs that would be best suited for me based on my level of experience, but I found countless “entry-level” openings that I would not be qualified for based on the qualifications listed in the posting. Even if someone were to apply and still get an interview, who’s to say someone with less experience wouldn’t be deterred from applying in the first place by feeling they were under-qualified?

One listing (I’m not naming any names) was for an “entry-level” cybersecurity analyst at a mid-size firm. The top requirement was that the candidate has “three-plus years of experience analyzing general cybersecurity-related technical problems” and a bachelor’s degree in “cybersecurity or a related field,” and it would be “nice if you have” a master’s degree and several different certifications.

Another analyst role didn’t ask for a specific number of years’ worth of experience, but it did say the ideal candidate needs:

  • Strong experience administering endpoint protection.
  • Strong experience managing email security products.
  • Familiarity with incident response procedures, identity management and multi-factor authentication.

I’d be willing to bet there are folks who have years of experience at Talos who don’t have “strong experience” with all of those fields listed above. And I’ve met team members who didn’t go to college for security — they may have started out in the military or a totally different field before pivoting to security.

I’m not saying we should let just anyone manage a SOC team for a Fortune 500 company. But if we’re going to build up the next generation of defenders, we do need to widen the scope of what it means to be at the entry-level of cybersecurity. I would encourage hiring managers to take chances on people who don’t have a “traditional” security background and be willing to invest time and money into training employees who are keen and willing but may not have the exact certifications, which can always come later.

If every “entry-level” job requires years of experience, how is anyone ever actually supposed to get their first job in security? And don’t say “pay your dues at unpaid internships.”

The one big thing

Since the Russian invasion of Ukraine began, Ukrainians have been under a nearly constant barrage of cyber attacks. Working jointly with Ukrainian organizations, Cisco Talos has discovered a fairly uncommon piece of malware targeting Ukraine — the GoMet backdoor — this time aimed at a large software development company whose software is used in various state organizations within Ukraine. As this firm is involved in software development, we cannot ignore the possibility that the perpetrating threat actor’s intent was to gain access that could be used to mount a supply chain-style attack, though at this time we do not have any evidence that they were successful.

Why do I care?

I shouldn’t have to tell you why you should care about Ukraine. But if anything, this attack shows that even though public discussion around the war and follow-on cyber attacks has waned, the threat isn’t going anywhere.

So now what?

In this instance, we saw a software company targeted with a backdoor designed for additional persistent access. This access could be leveraged in a variety of ways, such as deeper access into the victim’s environment or launching additional attacks, including the potential for software supply chain compromise. It’s a reminder that although the cyber activities haven’t necessarily risen to the level many have expected, Ukraine is still facing a well-funded, determined adversary that can inflict damage in a variety of ways — this is just the latest example of those attempts. As always, Talos continually updates our coverage around the threats Ukraine faces and appropriate Cisco Secure protections.

Other news of note

Spyware continues to be a top threat for government officials, politicians and activists. The European Union recently found the NSO Group’s Pegasus spyware installed on several employees’ mobile devices. Apple initially alerted the EU that the devices had indicators of compromise related to the spyware. This led the European Commission to reach out to Israel, asking the country to “prevent the misuse of their products in the EU.” Meanwhile, the Canadian Parliament is investigating whether the national police force uses Pegasus as part of its surveillance operations. Previously, the RCMP said it only used Pegasus in severe cases, deploying it 10 times between 2018 and 2020. (Reuters, Politico)

An attacker claims to have stolen data from more than 5.4 million Twitter users and is selling it on the dark web for $30,000. The seller, using the username “devil,” claims the data includes “Celebrities, to Companies, randoms, OGs, etc.” Twitter said it launched an investigation to verify the authenticity of the data and notify any users whose accounts may have been affected. The attacker exploited a vulnerability that was reported to Twitter several months ago through its bug bounty program and has since been fixed. Breached Forums, where the data is listed for sale, is the same site where an attacker leaked 23 TB of data from 1 billion Chinese citizens earlier this year. (Fortune, The Register)

A new malware tool broker known as “Knotweed” has been outed as the source of several spyware attacks and zero-day exploits against Microsoft and Adobe products. Microsoft stated in a new report that it believes the group is “linked to the development and attempted sale of a malware toolset called Subzero, which enables customers to hack into their targets’ computers, phones, network infrastructure and internet-connected devices.” Some of the exploits the group sold were recently used in cyber attacks against Austria, Panama and the U.K. (Microsoft, Dark Reading)

Can’t get enough Talos?

Upcoming events where you can find Talos

BlackHat U.S. (Aug. 6 - 11, 2022)
Las Vegas, Nevada

DEF CON U.S. (Aug. 11 - 14, 2022)
Las Vegas, Nevada

Security Insights 101 Knowledge Series (Aug. 25, 2022)

Most prevalent malware files from Talos telemetry over the past week
