Threat Source newsletter (April 28, 2022) — The 2022 Cybersecurity Mock Draft

TALOS

By Jon Munshaw.

Welcome to this week’s edition of the Threat Source newsletter that’s going to be a little different, but bear with me.

In honor of the NFL Draft starting this evening — an event that Cisco is helping to secure — I thought it’d be appropriate to look at building a cybersecurity team from the ground up. As an avid NFL fan (go Browns!) I’m always thinking about what I would do if I was a general manager in a draft room. This year, if I was building a football team, I’d be steering clear of Aidan Hutchinson and Travon Walker early on and trying to trade back and take receivers like Chris Olave or Garrett Wilson.

But cybersecurity is also a team sport. You need a layered model to ensure your organization stays safe from everyday vulnerabilities, state-sponsored actors and everything in between. To build that team, we need to go through seven rounds of selections to build out the ultimate roster of security tools and skills that everyone needs to keep their organization secure (obviously, some of these are a bit tongue-in-cheek; if you want honest-to-goodness security advice, reach out to Cisco Talos Incident Response today). Email me at [email protected] with what — or who — you would select in the first round of your Cybersecurity Draft.

**Round 1: Multi-factor authentication**

MFA is a guy you want in the trenches with you every day on the security playing field. They’re going to protect your most important players from attacking bad guys looking to take advantage of holes in your protection. If we’re building a team from the ground up, we need to make sure we have the basics covered, and if your team doesn’t have MFA at this point, you’re going to be searching for an authentication method in the offseason free agency, and who wants to sign passwords to a three-year contract?

**Round 2: An Incident Response plan**

Incident Response Plans weren’t recruited highly in security high school, but they rose up through the ranks over the past few years to become a Wi-Feisman Trophy winner in 2021. An Incident Response plan is there for you when you fall behind on the scoreboard and need to make up ground quickly against attackers. A strong IR plan gives this team a base from which it can react to any attack quickly and try to minimize the damage, hopefully setting us up for a comeback in the fourth quarter. If you’re also looking to draft an IR plan of your own, might I suggest reaching out to Talos Incident Response, who can work with you to build one from the ground up?

**Round 3: User training**

A lot of people are concerned that when he was in college, User Training went relatively unnoticed for being “boring.” But there are ways to spice things up on the field, and I think as a manager, I can truly unlock Training’s potential. If our users are properly informed about the risks out there in an entertaining and educational way, we can hopefully lean on MFA in the trenches to work as it’s supposed to.

**Round 4: Endpoint detection**

Endpoint detection is projected to go earlier than this in the 2022 Cybersecurity Draft, but I personally think people have kind of forgotten about EDR recently and it could slide into the later rounds, which is where I’ll grab it. EDR will set up in the secondary on defense and monitor for any attacker movements on the offensive side of the field, letting the rest of the team know about any unusual activity, users or connections.

**Round 5: Vulnerability management program**

A vulnerability, asset and patch management program like Kenna Security will round out our starting defense. Here’s a guy who can muck up the middle of the field and make it harder for attackers to break through the line and get further toward your network’s end zone. By deploying software like this, this team will make sure major holes are patched right away before the opposing team’s leader can even see them on the field, and best of all, we can automate the process so we don’t need to spend as much time on hands-on coaching with this position group.

**Round 6: Penetration testing**

Round 6 seems late, but with this front office, we can find greatness anywhere. Penetration testing is going to be this team’s Tom Brady coming from Round 6. We’ll grab a few pentesters to place on the perimeter and look in at the team to find any vulnerabilities in our team before our opponents can. That way, when we head into a week of practice, we know what needs to be fixed right away before we go up against our opponents and they can take advantage. (Plus, this pretty much guarantees we can use red in our uniforms and get something close to the awesome throwback Falcons gear.)

**Round 7: Physical backups**

Physical backup drives are the kickers of cybersecurity — you hate it when you have to rely on them in the final seconds, but when they work out, they can still be a lifesaver. By keeping physical backups of our team’s data and gameplans, we’re protected in a worst-case scenario and can recover quickly in crunch time rather than hoping we can pay the opponents to give us the ball back. Cloud backups would work just as well in this case, but we like that physical drives have put in years of work to get to this point.

**Other newsy nuggets**

New research indicates the use of the NSO Group’s Pegasus spyware continues to spread, even to democratic nations. The Spanish government recently deployed the tool against individuals in Catalonia, a region looking to separate from Spain. Spyware continues to be a growing concern across the globe, with evidence indicating that Pegasus is being used in at least 45 countries, according to new reporting in the New Yorker, and similar tools are in use by law enforcement agencies in the U.S. and Europe, areas where governments have pledged to crack down on spyware. (The New Yorker, CNET)

Western governments doubled down on warnings that Russian state-sponsored actors could target critical infrastructure with cyber attacks in the coming weeks, as the country’s invasion of Ukraine drags on. A new alert from cybersecurity agencies in the U.S., Canada, Australia and other countries warns the attacks could come as a Russian response to international sanctions, adding that “other cybercrime groups have recently conducted disruptive attacks against Ukrainian websites, likely in support of the Russian military offensive.” (CISA, Reuters)

The Emotet botnet could be testing new techniques in preparation for a large-scale campaign in the coming months. Security researchers recently spotted the threat actor emailing targets OneDrive URLs that hosted ZIP files containing malicious Microsoft Excel files that installed Emotet onto the targeted machine. This would represent the biggest comeback from Emotet since a law enforcement effort in January 2021 disrupted the botnet. Talos has previously seen signs that the botnet and the actor behind it were not likely to go away even after the takedown efforts. (Cybersecurity Dive, ZDNet, Talos)

**Can’t get enough Talos?**

  • Talos Researcher Spotlight: Liz Waddell, CTIR practice lead
  • Threat Roundup (April 15 – 22)
  • Talos Takes Ep. #93: Kenna 101 — Best patching and mitigation strategies
  • Quarterly Report: Incident Response trends in Q1 2022

**Upcoming events where you can find Talos**

  • BSides Charm (April 30 - May 1, 2022), Towson, Maryland
  • RSA 2022 (June 6 – 9, 2022), San Francisco, California
  • Cisco Live U.S. (June 12 – 16, 2022), Las Vegas, Nevada
  • DEF CON 2022 (Aug. 11 - 14, 2022), Las Vegas, Nevada

**Most prevalent malware files from Talos telemetry over the past week**

SHA 256: e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934
MD5: 93fefc3e88ffb78abb36365fa5cf857c
Typical Filename: Wextract
Claimed Product: Internet Explorer
Detection Name: PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg

SHA 256: 125e12c8045689bb2a5dcad6fa2644847156dec8b533ee8a3653b432f8fd5645
MD5: 2c8ea737a232fd03ab80db672d50a17a
Typical Filename: LwssPlayer.scr
Claimed Product: 梦想之巅幻灯播放器
Detection Name: Auto.125E12.241442.in02

SHA 256: 792bc2254ce371be35fcba29b88a228d0c6e892f9a525c330bcbc4862b9765d0
MD5: b46b60327c12290e13b86e75d53114ae
Typical Filename: NAPA_HQ_SetW10config.exe
Claimed Product: N/A
Detection Name: W32.File.MalParent

SHA 256: 59f1e69b68de4839c65b6e6d39ac7a272e2611ec1ed1bf73a4f455e2ca20eeaa
MD5: df11b3105df8d7c70e7b501e210e3cc3
Typical Filename: DOC001.exe
Claimed Product: N/A
Detection Name: Win.Worm.Coinminer::1201

SHA 256: 1a234656f81e870cdeb0e648a6b305a41452c405cca21124de26b54f79d55ad0
MD5: 10f1561457242973e0fed724eec92f8c
Typical Filename: ntuser.vbe
Claimed Product: N/A
Detection Name: Auto.1A234656F8.211848.in07.Talos
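
The practical use of a table like the one above is as a hash IOC list. The script below is an added example, not Talos tooling: it carries the five SHA-256/MD5/filename tuples exactly as listed, streams each file on disk through both hashes, and reports a SHA-256 hit as a verdict, an MD5-only hit as a weaker indicator (MD5 collisions are practical, and some feeds carry MD5 alone), and a filename-only match as nothing more than a triage hint. The sample files it scans are constructed in a temporary directory and contain no malware.

```python
"""Hash-based IOC matching against the five Talos "most prevalent" files.

Added example, not Talos tooling. The SHA-256 / MD5 / filename / detection
tuples are copied from the newsletter; the scan logic and the sample files
are this example's own (the sample files are constructed, not real malware).
"""
import hashlib
import os
import tempfile

# (sha256, md5, typical filename, detection name) as listed in the newsletter
TALOS_IOCS = [
    ("e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934",
     "93fefc3e88ffb78abb36365fa5cf857c", "Wextract",
     "PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg"),
    ("125e12c8045689bb2a5dcad6fa2644847156dec8b533ee8a3653b432f8fd5645",
     "2c8ea737a232fd03ab80db672d50a17a", "LwssPlayer.scr",
     "Auto.125E12.241442.in02"),
    ("792bc2254ce371be35fcba29b88a228d0c6e892f9a525c330bcbc4862b9765d0",
     "b46b60327c12290e13b86e75d53114ae", "NAPA_HQ_SetW10config.exe",
     "W32.File.MalParent"),
    ("59f1e69b68de4839c65b6e6d39ac7a272e2611ec1ed1bf73a4f455e2ca20eeaa",
     "df11b3105df8d7c70e7b501e210e3cc3", "DOC001.exe",
     "Win.Worm.Coinminer::1201"),
    ("1a234656f81e870cdeb0e648a6b305a41452c405cca21124de26b54f79d55ad0",
     "10f1561457242973e0fed724eec92f8c", "ntuser.vbe",
     "Auto.1A234656F8.211848.in07.Talos"),
]
BY_SHA256 = {sha: (name, det) for sha, _, name, det in TALOS_IOCS}
BY_MD5 = {md5: (name, det) for _, md5, name, det in TALOS_IOCS}
KNOWN_NAMES = {name.lower() for _, _, name, _ in TALOS_IOCS}


def file_digests(path, chunk_size=1 << 20):
    """Return (sha256, md5) hex digests, streaming so large files fit in memory."""
    sha256, md5 = hashlib.sha256(), hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            sha256.update(block)
            md5.update(block)
    return sha256.hexdigest(), md5.hexdigest()


def lookup_digests(sha256, md5):
    """Match a digest pair. SHA-256 is authoritative; MD5-only is reported
    separately because MD5 collisions are practical."""
    if sha256 in BY_SHA256:
        return ("sha256", *BY_SHA256[sha256])
    if md5 in BY_MD5:
        return ("md5-only", *BY_MD5[md5])
    return None


def classify(path):
    """Return (confidence, typical_filename, detection_name) or None.
    A filename match on its own is only a triage hint, never a verdict."""
    result = lookup_digests(*file_digests(path))
    if result is not None:
        return result
    base = os.path.basename(path)
    if base.lower() in KNOWN_NAMES:
        return ("filename-only", base, "no hash match")
    return None


def scan_tree(root):
    """Walk a directory tree and return {path: classification} for every hit."""
    hits = {}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            try:
                result = classify(path)
            except OSError:
                continue  # unreadable file: skip it rather than abort the scan
            if result is not None:
                hits[path] = result
    return hits


def demo():
    """Constructed sample tree: one benign file and one that only shares a
    listed filename. Neither carries malware, so no hash hit is expected."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "notes.txt"), "wb") as fh:
            fh.write(b"constructed benign content\n")
        with open(os.path.join(root, "DOC001.exe"), "wb") as fh:
            fh.write(b"constructed, not the real DOC001.exe\n")
        return scan_tree(root)


if __name__ == "__main__":
    for path, (confidence, name, detection) in demo().items():
        print(f"{confidence:14} {path}  ({name}: {detection})")
```

Exact-hash IOCs only catch byte-identical copies; a rebuilt dropper or a re-packed sample will miss, which is why a list like this belongs alongside EDR behavioural detection rather than in place of it. Treat an MD5-only hit as a reason to pull the file for analysis, not as a verdict, and never escalate on filename alone.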

Related news

Ambient.ai Expands Computer Vision Capabilities for Better Building Security

The AI startup releases new threat signatures to expand the computer vision platform’s ability to identify potential physical security incidents from camera feeds.

Bumblebee Malware Buzzes Into Cyberattack Fray

The sophisticated Bumblebee downloader is being used in ongoing email-borne attacks that could lead to ransomware infections.

Cybercriminals Using New Malware Loader 'Bumblebee' in the Wild

Cybercriminal actors previously observed delivering BazaLoader and IcedID as part of their malware campaigns are said to have transitioned to a new loader called Bumblebee that's under active development. "Based on the timing of its appearance in the threat landscape and use by multiple cybercriminal groups, it is likely Bumblebee is, if not a direct replacement for BazaLoader, then a new,

U.S. Cybersecurity Agency Lists 2021's Top 15 Most Exploited Software Vulnerabilities

Log4Shell, ProxyShell, ProxyLogon, ZeroLogon, and flaws in Zoho ManageEngine AD SelfService Plus, Atlassian Confluence, and VMware vSphere Client emerged as some of the top exploited security vulnerabilities in 2021. That's according to a "Top Routinely Exploited Vulnerabilities" report released by cybersecurity authorities from the Five Eyes nations Australia, Canada, New Zealand

CISA: Log4Shell Was the Most-Exploited Vulnerability in 2021

Internet-facing zero-day vulnerabilities were the most commonly used types of bugs in 2021 attacks, according to the international Joint Cybersecurity Advisory (JCSA).