Good afternoon, Talos readers.

Every day, we see mountains and mountains of data. So how do we comb through all of it to find out what's important to customers and users? Well, there are many ways, but we wanted to give readers and researchers a look into at least one option using Apache Spark.

Our new walkthrough will show we use machine learning, software and good 'ole fashioned intuition to work through a huge dataset.

October is the start of National Cybersecurity Awareness Month. To celebrate, we'll be releasing special episodes of the Talos Takes podcast each week centered around a specific theme. First up, we have Chris Marshall from Talos discussing how to avoid burnout. Cybersecurity is a stressful industry even when we're not in a global pandemic. So how have we adapted to our new hybrid work style at Talos? Listen to find out.

Do you have a particular threat, IOC, malware family or actor you want us to be covering in the Threat Source newsletter? Let us know at

Upcoming Talos public engagements

National Cybersecurity Awareness Month with Cisco Talos Incident Response

Speaker: Brad Garnett

Date: Oct. 18 at 9:30 a.m. ET

Location: Livestream on all Talos social media accounts

Description: Join Cisco Talos Incident Response as we go live to celebrate National Cybersecurity Awareness Month. Brad Garnett, CTIR's general management, will be live to answer your questions, talk about the trends he's seeing on the threat landscape, and the growing threat of ransomware. Please use this page to drop us any questions ahead of time, or join us in the chat live. A recording will be made available shortly after on our YouTube page at

Cybersecurity week in review

  • An anonymous hacker leaked what amounts to essentially the entirety of Twitch. The popular streaming service's source code was posted online, along with a massive trove of data that includes information on the highest-paid streamers.
  • Twitch followed up the leak by changing all stream keys. The company attributed the leak to a server configuration change error that left the data exposed.
  • A new lawsuit addresses what is believed to be the first death ever attributed to a ransomware attack. The family filing the suit says their baby died in a hospital after it did not receive adequate care while hospital staff tried to recover from a cyber attack.
  • The White House is organizing a meeting of cybersecurity experts from 30 countries to address cybercrime and ransomware. U.S. President Joe Biden said in a statement the group would also discuss "improving law enforcement collaboration" around illegal cryptocurrency transactions.
  • Facebook, Instagram and WhatsApp were down for several hours Monday due to a BGP error. While speculation immediately swirled on social media about a potential cyber attack, Facebook says it was simply a command issued during maintenance that caused the outage.
  • A recent report found that cyber attacks targeting the maritime transportation system rose by 400 percent over the course of a few months in 2020. These types of attacks threaten to disrupt international trade, transportation companies and more.
  • Recent data shows many users in Europe and the U.K. use their favorite soccer team's name in their passwords, leading to easy-to-guess login information. Researchers found more than 800 million leaked passwords out of a group of 2.5 billion that used teams' nicknames.
  • The U.S. Transportation Security Agency plans to enact new cybersecurity guidelines for the railroad and airline industries. After the announcement, leaders from the rail industry immediately pushed back on the new mandates.
  • The U.S. Department of Justice created a new task forcespecifically focused on investigating the illegal use of cryptocurrency. Among its several duties, the group will track down and attempt to recover any payments made as a result of ransomware attacks.

Notable recent security issues

Attackers spread malware disguised as solution for Pegasus spyware

Threat actors are impersonating the group Amnesty International and promising to protect against the Pegasus spyware as part of a scheme to deliver malware. Amnesty International recently made international headlines when it released a groundbreaking report on the widespread use of Pegasus to target international journalists and activists. Adversaries have set up a phony website that looks like Amnesty International's — a human rights-focused non-governmental organization — and points to a promised anti-virus tool to protect against the NSO Group's Pegasus tool. However, the download actually installs the little-known Sarwent malware. Sarwent contains the usual abilities of a remote access tool (RAT) — mainly serving as a backdoor on the victim machine — and can also activate the remote desktop protocol on the victim machine, potentially allowing the adversary to access the desktop directly.

Snort SIDs: 54357, 57901

SonicWall patches critical vulnerability in remote connect device

Description: SonicWall released a security update for its Secure Mobile Access (SMA) 100 line of devices. The company disclosed a critical vulnerability that could allow unauthenticated attackers to remotely gain admin access on targeted devices. CVE-2021-20034 has a severity score of 9.1 out of a possible 10. The SMA 100 allows remote workers to securely connect to their office’s network and devices. The product recently came under additional scrutiny after SonicWall warned users that attackers were specifically targeting end-of-life versions of the device to spread ransomware attacks.

Snort SID: 58224 - 58226

Most prevalent malware files this week

SHA 256: c1d5a585fce188423d31df3ea806272f3daa5eb989e18e9ecf3d94b97b965f8e

MD5: 9a4b7b0849a274f6f7ac13c7577daad8

Typical Filename: ww31.exe

Claimed Product: N/A

Detection Name: W32.GenericKD:Attribute.24ch.1201

SHA 256: 6c62b768d8b22888724288af038bc0b6e55280ddbbe42a436cdf68889346df18

MD5: 830ffb393ba8cca073a1c0b66af78de5

Typical Filename: smbscanlocal0902.exe

Claimed Product: N/A

Detection Name: MS17010::mURLin::W32.Auto:6c62b768d8.in03.Talos

SHA 256: fad16599a866f466bdeff2a716b9aa79faa6677f2895f0b262cf9402deb4b66c

MD5: 04c1f4395f80a3890aa8b12ebc2b4855

Typical Filename: zReXhNb

Claimed Product: N/A

Detection Name: Auto.FAD16599A8.241842.in07.Talos

SHA 256: 8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9

MD5: 34560233e751b7e95f155b6f61e7419a

Typical Filename: SAntivirusService.exe

Claimed Product: A n t i v i r u s S e r v i c e

Detection Name: PUA.Win.Dropper.Segurazo::tpd

SHA 256: 8639fd3ef8d55c45808f2fa8a5b398b0de18e5dd57af00265e42c822fb6938e2

MD5: fe3659119e683e1aa07b2346c1f215af

Typical Filename: SqlBase.exe

Claimed Product: SqlServerWorks.Runner

Detection Name: W32.8639FD3EF8-95.SBX.TG

Keep up with all things Talos by following us on Twitter. Snort, and ClamAV also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast here and Talos Takes here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.