I think we can all agree that tabletop exercises are a good thing. They allow organizations of all sizes to test their incident response plans without the potentially devastating effects of a real-world cyber attack or intrusion. 

As part of my role at Talos, I’ve read hundreds of tabletop exercises for Cisco Talos Incident Response customers, and the knowledge and recommendations contained in each of them are invaluable. No matter how strong your incident response plan seems on paper, there is always something that can be improved, and a tabletop exercise can help your organization identify potential holes or areas of improvement.  

But as I was catching up on the news of the past week, I saw that these exercises may be flying too close to the sun — literally.  

The U.S. National Science Foundation recently released a study on possible outer space cyberattacks with the help of researchers at the California Polytechnic State University.  

The report outlines several possible cyber attack scenarios that could take place in outer space or affect our society’s activities outside of Earth’s atmosphere. One such hypothetical involved adversaries carrying out a distributed denial-of-service attack, disabling electronic door controls on a lunar settlement, trapping the residents inside of a physical structure and locking others out on the unforgiving surface of Earth’s moon.  

Researchers behind the report wrote that the hope is these types of scenarios help encourage private companies and the U.S. government to consider the security needs of any activities in space, including “running tabletop simulation or wargaming exercises.” 

I guess it never hurts to be overly prepared for anything, and we can never be too careful with these scenarios, but I also feel like we may be getting too far over our skis with this one. Recent tabletop exercises from the U.S. Cybersecurity and Infrastructure Security Agency (CISA) testing possible AI-powered cyber attacks are at least a more prescient issue, even though I have my own reservations about how much of a boost adversaries are getting from AI tools currently.  

Some of the space-based scenarios Cal Poly outlined were admittedly described as not likely to happen for at least 20 years, while others could occur in the next five years. But I also can’t help but ask “why?” when we still can’t even get users on Earth to patch to the most recent version of Microsoft Office, let alone keep their space network protected in a lunar colony (and if we’ve advanced that far, I hope we’re able to develop a better alternative to PowerPoint while we’re at it).

I recommend at least skimming the entire 95-page report, maybe not necessarily to fuel your next tabletop exercise, but at least to help you feel like a poor password policy on some of your machines isn’t going to deprive anyone of oxygen.  

The one big thing 

Explore trends on when (and how) attackers will try their 'push-spray' MFA attacks, as well as how adversaries are using social engineering to try and bypass MFA altogether in the latest blog post on multi-factor authentication from Talos. The issues we’re seeing now are mostly down to attacker creativity to try and bypass MFA, and overall poor implementation of the solution (for example, not installing it on public-facing applications or EOL software). Our report highlights what types of MFA bypass techniques are most popular, the timing around these attacks, users who are targeted, and much more.  

Why do I care? 

In the latest Cisco Talos Incident Response Quarterly Trends report, instances related to multi-factor authentication (MFA) were involved in nearly half of all security incidents that our team responded to in the first quarter of 2024. In 25% of engagements, the underlying cause was users accepting fraudulent MFA push notifications that originated from an attacker. In 21% of engagements, the underlying cause for the incident was a lack of proper implementation of MFA. MFA is used in all sorts of web applications, login credentials and even access to services that are critical to day-to-day work. The fact that adversaries continue to target MFA should be monitored and stay top-of-mind for defenders.  

So now what? 

Consider implementing number-matching in MFA applications such as Cisco Duo to provide an additional layer of security to prevent users from accepting malicious MFA push notifications.  Implement MFA on all critical services including all remote access and identity access management (IAM) services. MFA will be the most effective method for the prevention of remote-based compromises. It also prevents lateral movement by requiring all administrative users to provide a second form of authentication. There are more recommendations in Talos’ blog.  
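One way to watch for the fraudulent push approvals described above, as an added example that is not code from Talos or from any MFA vendor: it flags users who receive a burst of denied or timed-out pushes and notes whether an approval followed. The event tuple layout, the result values and the thresholds are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, not real telemetry. The tuple layout
# (timestamp, user, source_ip, result) is an assumed, vendor-neutral schema.
SAMPLE_EVENTS = [
    ("2024-06-20T02:10:05", "alice", "203.0.113.7", "denied"),
    ("2024-06-20T02:10:40", "alice", "203.0.113.7", "timeout"),
    ("2024-06-20T02:11:15", "alice", "203.0.113.7", "denied"),
    ("2024-06-20T02:12:02", "alice", "203.0.113.7", "approved"),
    ("2024-06-20T09:00:11", "bob", "198.51.100.4", "approved"),
    ("2024-06-20T09:30:00", "carol", "198.51.100.9", "denied"),
    ("2024-06-20T13:45:00", "carol", "198.51.100.9", "approved"),
]

FAILED = {"denied", "timeout"}  # assumed values for rejected/unanswered pushes


def find_push_bursts(events, window=timedelta(minutes=10), min_failures=3):
    """Flag users who get min_failures denied/timed-out pushes inside window.

    Each alert records whether an approval followed while the burst was still
    inside the window, which is the case to triage first.
    """
    by_user = defaultdict(list)
    for ts, user, ip, result in events:
        by_user[user].append((datetime.fromisoformat(ts), ip, result))

    alerts = []
    for user, rows in by_user.items():
        rows.sort()
        failures = []  # timestamps of failed pushes still inside the window
        for ts, ip, result in rows:
            failures = [f for f in failures if ts - f <= window]
            if result in FAILED:
                failures.append(ts)
                if len(failures) == min_failures:  # alert once per burst
                    alerts.append({"user": user, "source_ip": ip,
                                   "burst_start": failures[0],
                                   "approved_after": False})
            elif result == "approved" and len(failures) >= min_failures:
                alerts[-1]["approved_after"] = True  # accepted mid-burst
                failures = []
    return alerts


if __name__ == "__main__":
    for alert in find_push_bursts(SAMPLE_EVENTS):
        print(alert)
```

An alert with `approved_after` set is the pattern to investigate first: a push was accepted right after repeated refusals or timeouts.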

Top security headlines of the week 

The threat actor behind the wide-reaching Snowflake breach is putting pressure on victims and requesting increasing ransom payments to avoid leaking their data. According to a new report, as many as 10 companies are still under pressure to hand over monetary payments, with requests from adversaries ranging between $300,000 and $5 million. The hacking scheme, which affects more than 160 companies, now seems to be entering a new phase where the attackers are trying to figure out how to profit from the breach. The perpetrators also publicly speak about how the breach came about, telling Wired that they stole terabytes of data by first breaching a third-party contractor that works with Snowflake. They could then access data companies have stored on their Snowflake instances, such as Ticketmaster. The attackers are also expected to list the stolen data for sale on dark web forums where it may be sold to the highest bidder. (Wired, Bloomberg)

Dutch military officials warned this week that a cyber espionage campaign from Chinese state-sponsored actors was more wide-reaching than previously known. Officials disclosed the campaign in February, warning that adversaries exploited a critical FortiOS/FortiProxy remote code execution vulnerability (CVE-2022-42475) in 2022 and 2023 to deploy malware on vulnerable Fortigate network security appliances. Now, they’ve expanded the number of affected devices to more than 20,000 after the Dutch Military Intelligence and Security Service (MIVD) first estimated that around 14,000 devices were hit. These targets reportedly include dozens of government agencies, international organizations and defense contractors. The MIVD released a renewed warning about the vulnerability because it believes the Chinese actors still have access to many victims’ networks. The Coathanger malware used in this attack is difficult to detect, as it intercepts system calls to avoid alerting users of its presence. It also survives operating system firmware upgrades. “The NCSC and the Dutch intelligence services have been seeing a trend for some time that vulnerabilities in publicly accessible edge devices such as firewalls, VPN servers, routers and email servers are being exploited,” the MIVD said in its updated statement. (Bleeping Computer, Decipher)

U.S. federal agents have shut down and charged two individuals with running a popular dark web marketplace called “Empire Market.” The site helped generate and organize more than $430 million worth of sales, including illegal drug trades, counterfeit money and stolen credit card data. Federal prosecutors charged Thomas Pavey, also known as "Dopenugget" and Raheim Hamilton, also known as "Sydney" and "Zero Angel," for running Empire Market between 2018 and 2020. The indictment, announced earlier this week, reveals that the two individuals used to advertise these services and stolen data on a site known as AlphaBay before that was shut down in 2017, at which point they launched Empire Market. The site only accepted cryptocurrency for payments to conceal the nature of the transactions, as well as the identities of Empire Market administrators, moderators, buyers and sellers. At the time of the arrest, federal officials seized more than $75 million worth of cryptocurrency and other valuable items. (CBS News, Bloomberg)

Can’t get enough Talos? 

Upcoming events where you can find Talos 

Cisco Connect U.K. (June 25)

London, England

In a fireside chat, Cisco Talos experts Martin Lee and Hazel Burton discuss the most prominent cybersecurity threat trends of the near future, how these are likely to impact UK organizations in the coming years, and what steps we need to take to keep safe.

BlackHat USA (Aug. 3 – 8) 

Las Vegas, Nevada 

Defcon (Aug. 8 – 11) 

Las Vegas, Nevada 

BSides Krakow (Sept. 14)  

Krakow, Poland 

Most prevalent malware files from Talos telemetry over the past week 
