Coming from the newspaper and media industry, I’m no stranger to wanting to write catchy headlines. I’m certainly at fault for throwing together a story about so-and-so’s house sold for X million dollars.

But recently I’ve been wondering if those “big numbers” for cybersecurity are helpful at all, even though they might generate clicks to a news organization. 

I saw several media outlets had reported on a new estimate from commercial insurance market Lloyd's of London that a cyber attack on any international global payments systems could cost $3.5 trillion globally, hurting many major world economies. 

At face value, that seems bad, and it’s a number that’s sure to come up in board rooms or any place decision-makers meet to discuss cybersecurity.

It likely catches the eye of readers at home who are skimming newspaper headlines (if you’re like my dad and one of the last people who still reads physical newspapers).  

But what use is actually throwing these types of numbers out there? It reminds me of the discussion around climate change or any other problem that seems larger than life. I tend to not dwell on the worst-case scenario reports that always come out and make headlines because I feel these have a tendency to make people feel defeated — like there is no purpose in trying to make a difference because the problem is so overwhelming that one individual contribution won’t matter anyway, so then we all sit by and do nothing. 

If, every time there is a major cyber attack, we shame the targeted company by pointing out how many millions of dollars they lost, it’s just another form of the public shaming I’ve written about before, which can lead to a stigma around disclosing cyber attacks.

That Lloyd’s of London report is far from the first of its kind. These kinds of numbers pop up all the time, especially at the end of the calendar year when outlets want to write stories about how much cyber attacks cost consumers that year (there were estimates ranging from $7 billion to $10 billion in 2022).

To me, numbers like this only contribute to fear, uncertainty and doubt (FUD) in the cybersecurity space. A small business owner who sees cybersecurity as a trillion-dollar problem to be solved by world governments isn’t going to see implementing a better password on their store’s wireless router as anything that’s going to help, because the global economy is in a bad place anyway if one day everyone’s point-of-sale systems go down at once. 

I’m sure many of these reports and estimates are created in good faith by experts who know what they’re talking about, and on a grand scale, yes, it’s important to know how serious of a problem this is for everyone, no matter where you live in the world. 

But I think we’d all be better served spending time talking about ways to get easy cybersecurity wins rather than losing sleep over a global hack that may or may not ever happen. 

The one big thing 

New Talos research shows that the YoroTrooper threat actor is likely operating out of Kazakhstan. Our latest blog post on this group outlines how they’re still expanding their spam operations and using Azerbaijan-related false flags to throw researchers off their scent. The threat actor also uses online exchanges, such as alfachange[.]com, which converts money from Kazakhstani Tenge to Bitcoin via their Visa and Mastercard cards. 

Why do I care? 

YoroTrooper’s targeting appears to be focused on Commonwealth of Independent States (CIS) countries, and the operators have compromised multiple state-owned websites and accounts belonging to government officials of these countries between May and August 2023. Any organization that falls into that category should certainly be on the lookout, but since this actor has continued to operate for so long, it’s impossible to say where they’d pivot next. Talos believes that, in addition to commodity and custom malware, YoroTrooper continues to rely heavily on phishing emails that direct victims to credential harvesting sites. 

So now what? 

Talos has an exhaustive list of new indicators of compromise that you can run against your network to check for any YoroTrooper activity. A new round of Snort rules and ClamAV signatures can also detect this activity, along with the many types of information-stealing malware that YoroTrooper tends to use in its campaigns.

Top security headlines of the week 

AI tools like ChatGPT are getting increasingly good at writing malicious code and spam emails, two new studies found. An internal study at IBM found that employees who were targeted with ChatGPT-written spam emails were just as likely to click on them as ones written by humans. The leader of the experiment said it only took her team about five minutes to get ChatGPT to write the spam email in question, despite workarounds in place to keep users from exploiting the chat bot for these types of uses. A separate study at the University of Sheffield released last week also found that, when given a certain series of prompts, ChatGPT and other AI applications produced malicious code. When executed, that code would leak confidential database information, interrupt a database's normal service, or destroy it. That study specifically focused on Text-to-SQL systems, which are AI tools that allow users to search databases by asking questions in plain language. (Axios, TechXplore)

The alleged leader of the Ragnar Locker ransomware gang was arrested in Paris earlier this month. Eleven law enforcement agencies teamed up to find the suspected developer and take down infrastructure associated with Ragnar Locker. Five additional suspects were interviewed in Spain and Latvia. Authorities seized the group’s leak site, as well, posting a takedown notice for victims, though no resources appear to be available yet for anyone who is looking to negotiate with the attackers or is currently infected with Ragnar Locker. Ragnar Locker has been active since 2019, targeting the energy sector, hospitals, airports, and more. It utilized double extortion tactics, threatening to leak any stolen data if the ransom wasn’t paid. For example, this resulted in the reveal of several video games under development by Capcom. (Dark Reading, CPO Magazine)

Attackers breached the network of software firm Okta, stealing access tokens and sitting on the company’s customer support platform for at least two weeks. Okta said the attack only affected a few customers, but password management service 1Password said this week it was the target of a follow-on attack using the stolen tokens. However, 1Password said no customer login information was affected. Okta provides identity and login tools like multi-factor authentication and single sign-on to major companies across the globe. The disclosure from Okta came weeks after major cyber attacks on MGM Resorts and Caesars Entertainment, in which adversaries tricked Okta multi-factor authentication administrators into resetting requirements, which provided them easier access to the targeted networks at those casinos and hotels. (Krebs on Security, Ars Technica)

Upcoming events where you can find Talos 

Black Hat Middle East and Africa (Nov. 16) 

Riyadh, Saudi Arabia 

Rami Atalhi from Talos Incident Response will discuss how generative AI affects red and blue teams in cybersecurity. Discover how generative AI creates a bridge between these teams, fostering teamwork and innovative strategies. Real-world cases will demonstrate how generative AI drives success, providing insights for building resilient cybersecurity plans. 

misecCON (Nov. 17) 

Lansing, Michigan 

Terryn Valikodath from Talos Incident Response will deliver a talk providing advice on the best ways to conduct analysis, learning from his years of experience (and mishaps). He will speak about the everyday tasks he and his Talos IR teammates must go through to properly perform analysis. This talk covers topics such as planning, finding evil, recording findings, correlation and creating your own timelines. 

Most prevalent malware files from Talos telemetry over the past week 

SHA 256: b9ddbd1a4cec61e6b022a275d66312b5b676f9a0a9537a7708de9aa8ce34de59 
MD5: 3b100bdcd61bb1da816cd7eaf9ef13ba 
Typical Filename: vt-upload-C6In1 
Claimed Product: N/A  
Detection Name: Backdoor:KillAV-tpd 

SHA 256: 85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5 
MD5: 8c80dd97c37525927c1e549cb59bcbf3   
Typical Filename: Eternalblue-2.2.0.exe   
Claimed Product: N/A   
Detection Name: Win.Exploit.Shadowbrokers::5A5226262.auto.talos 

SHA 256: e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934  
MD5: 93fefc3e88ffb78abb36365fa5cf857c  
Typical Filename: Wextract
Claimed Product: Internet Explorer  
Detection Name: PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg 

SHA 256: 744c5a6489370567fd8290f5ece7f2bff018f10d04ccf5b37b070e8ab99b3241 
MD5: a5e26a50bf48f2426b15b38e5894b189 
Typical Filename: a5e26a50bf48f2426b15b38e5894b189.vir 
Claimed Product: N/A 
Detection Name: Win.Dropper.Generic::1201 

SHA 256: 1fa0222e5ae2b891fa9c2dad1f63a9b26901d825dc6d6b9dcc6258a985f4f9ab 
MD5: 4c648967aeac81b18b53a3cb357120f4 
Typical Filename: yypnexwqivdpvdeakbmmd.exe 
Claimed Product: N/A  
Detection Name: Win.Dropper.Scar::1201