Martin discusses how defenders can use threat intelligence to equip themselves against AI-based threats. Plus check out his introductory course to threat intelligence.

Thursday, January 30, 2025 14:05

Welcome to this week’s edition of the Threat Source newsletter. 

You don’t need me to tell you that security is constantly changing and that more change is on its way. The enthusiastic adoption of new AI systems will inevitably lead to more demands on cybersecurity teams. Not only will these systems need protecting against the same threats which affect current systems, but also against new types of threats that target AI models. We can only expect that attacks designed to subvert AI models and get them to function in ways detrimental to their operators’ interests will become more effective and beneficial to attackers over time. 

The good news is that we can expect AI enabled security systems to help protect against attacks, detect incursions, and orchestrate the remediation of affected systems. However, we must not overlook the fact that people will remain involved and invested in the outcome. Within this AI powered future will be CISOs who will be held responsible for the security of systems. There will also be many analysts tasked with keeping systems operating correctly while trying to anticipate and protect against forthcoming malicious campaigns.

Although we may not be able to predict the nature of attacks in this distant future, we can predict some of the skills that will be necessary to beat these attacks. Threat intelligence skills will be vital to equip future cyber security professionals not only to understand the goals of the threat actors that they face but to situate their attacks within the context of these goals. Armed with this understanding, security teams will be able to make better decisions regarding the allocation and prioritization of resources to best defend against attacks. 

Developing threat intelligence skills within the cyber security professionals of tomorrow begins today. Training up people who are early in their careers and students yet to begin their careers is one of the best investments we can make to build resilience against future threats.

To help skill up future analysts, my colleagues and myself in collaboration with Cisco’s Networking Academy have developed an introductory course to threat intelligence. This course is free for all, only registration is required, and is intended to give an overview of the domain for someone without prior knowledge which can be used as a starting point for further study or employment.

For those looking to develop a threat intelligence program as part of their cyber security strategy, we are hosting a technical seminar at Cisco Live EMEA on Sunday February 9th. The session, “Establishing a Threat Intelligence Program, Why its Necessary, What to Expect and How to Go about it \[TECSEC-2003\]”, will present how managers can set-up a threat intelligence team as part of their arsenal against the bad guys and what can reasonably be expected.

**The one big thing**

One pointer to the nature of future threats against AI systems is a technique used in spam that Talos recently blogged about. Hiding the nature of the content displayed to the recipient from anti-spam systems is not a new technique. Spammers have included hidden text or used formatting rules to camouflage their actual message from anti-spam analysis for decades. However, we have seen increase in the use of such techniques during the second half of 2024.

**Why do I care?**

Parsers which are required for computers to understand text content, view the world very differently from humans. The human eye ignores text in miniscule font or can’t detect black letters on a black background, but this is not necessarily the case for parsers. Where the human eye sees readily readable text, the parser can see the gibberish that spammers have included to confuse them. Potentially the opposite is also true with humans seeing gibberish, but language parsing software seeing readable text.

Being able to disguise and hide content from machine analysis or from human oversight is likely to become a more important vector of attack against AI systems as they become a larger part of our lives. 

**So now what?**

Fortunately, the techniques to detect this kind of obfuscation are well known and already integrated into spam detection systems such as Cisco Email Threat Defense. Conversely, the presence of attempts to obfuscate content in this manner makes it obvious that a message is malicious and can be classed as spam.

**Top security headlines of the week**

Another incident of an undersea telecommunications cable being cut in the Baltic was encountered. (CNN). Organisations need to plan for the effects of a major telecommunications outage or internet bandwidth restriction affecting their business.

Three members of Russia’s GRU have been placed under sanctions for their suspected role in conducting cyber attacks against Estonia in 2020 (SecurityAffairs). Threat actors might try to hide their identities but eventually they will be discovered and held to account for their actions.

A botnet consisting of infected IoT devices is behind the largest ever DDoS attack (Help Net Security). Small network connected devices can easily be overlooked as part of a cyber security strategy, but they can be compromised by threat actors and used for nefarious purposes.

**Can't get enough Talos?**

Today we released the new Cisco Talos Quarterly Trends Report - covering incidents from October to December 2024. The big call out? Threat actors are increasingly deployed web shells against vulnerable web applications. They primarily exploited vulnerable or unpatched public-facing applications to gain initial access, a notable shift from previous quarters.

Watch Hazel, Joe and Craig break down the report - they discuss hunting down web shells, the Interlock ransomware, and the increasing use of remote access tools within ransomware attacks.

**Upcoming events where you can find Talos**

Talos team members: Martin LEE, Thorsten ROSENDAHL, Yuri KRAMARZ, Giannis TZIAKOURIS, and Vanja SVAJCER will be speaking at Cisco Live EMEA. Amsterdam, Netherlands, 9-14 February.  (Cisco Live EMEA)

**Most prevalent malware files of the week**

**SHA 256:** 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
**MD5:** 2915b3f8b703eb744fc54c81f4a9c67f  
**VirusTotal:**https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
**Typical Filename:** VID001.exe  
**Detection Name:** Simple\_Custom\_DetectionClaimed Product: 

**SHA 256:** 47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca  
**MD5:** 71fea034b422e4a17ebb06022532fdde  
**VirusTotal:** https://www.virustotal.com/gui/file/47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca  
**Typical Filename:** VID001.exe  
**Claimed Product:** N/A  
**Detection Name:** Coinminer:MBT.26mw.in14.Talos

**SHA 256:** a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91  
**MD5:** 7bdbd180c081fa63ca94f9c22c457376  
**VirusTotal:** https://www.virustotal.com/gui/file/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91  
**Typical Filename:** c0dwjdi6a.dll  
**Claimed Product:** N/A  
**Detection Name:** Trojan.GenericKD.33515991

Defeating Future Threats Starts Today

This new report from Cisco Talos Incident Response explores how threat actors increasingly deployed web shells against vulnerable web applications, and exploited vulnerable or unpatched public-facing applications to gain initial access.

Talos IR trends Q4 2024: Web shell usage and exploitation of public-facing applications spike

Cisco Talos’ Vulnerability Research team recently disclosed three vulnerabilities in Observium, three vulnerabilities in Offis, and four vulnerabilities in Whatsup Gold.   
These vulnerabilities exist in Observium, a network observation and monitoring system; Offis DCMTK, a collection of libraries and applications implementing DICOM (Digital Imaging and Communications

Wednesday, January 29, 2025 11:45

Cisco Talos’ Vulnerability Research team recently disclosed three vulnerabilities in Observium, three vulnerabilities in Offis, and four vulnerabilities in Whatsup Gold.   

These vulnerabilities exist in Observium, a network observation and monitoring system; Offis DCMTK, a collection of libraries and applications implementing DICOM (Digital Imaging and Communications in Medicine) standard formats; and WhatsUp Gold, an IT infrastructure management product.  

The vulnerabilities mentioned in this blog post have been patched by their respective vendors, all in adherence to Cisco’s third-party vulnerability disclosure policy.  

For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website.   

**Observium Vulnerabilities  **

_Discovered by Marcin "Icewall" Noga._   

Two cross-site scripting vulnerabilities exist in Observium, which can lead to arbitrary JavaScript code execution, as well as one HTML code injection vulnerability. All three can be triggered by an authenticated user clicking a malicious link crafted by the attacker.  

*   TALOS-2024-2090 (CVE-2024-47140) 
*   TALOS-2024-2091 (CVE-2024-47002) 
*   TALOS-2024-2092 (CVE-2024-45061) 

**Offis Vulnerabilities  **

_Discovered by Emmanuel Tacheau._   

Three vulnerabilities were found in the Offis DCMTK libraries that support the DICOM standard format. TALOS-2024-1957 (CVE-2024-28130) is an incorrect type conversion vulnerability that can lead to arbitrary code execution, and TALOS-2024-2121 (CVE-2024-52333) and TALOS-2024-2122 (CVE-2024-47796) are improper array index validation vulnerabilities that can lead to out-of-bounds write capabilities. All can be triggered with specially crafted malicious DICOM files.  

**Whatsup Gold Vulnerabilities  **

_Discovered by Marcin "Icewall" Noga._   

Two Whatsup Gold vulnerabilities include a risk of information disclosure (TALOS-2024-1932 (CVE-2024-5017) and TALOS-2024-2089 (CVE-2024-12105)), which can be triggered by an attacker making an authenticated HTTP request. 

There is also a risk of disclosure of sensitive information (TALOS-2024-1933 (CVE-2024-5010)), and denial of service (TALOS-2024-1934 (CVE-2024-5011)). These two vulnerabilities can be triggered by an attacker making an unauthenticated HTTP request.

Whatsup Gold, Observium and Offis vulnerabilities

Cisco Talos discovered an ongoing malicious campaign operated by a financially motivated threat actor targeting users, predominantly in Poland and Germany.

Tuesday, January 28, 2025 06:00

*   Cisco Talos discovered an ongoing malicious campaign operated by a financially motivated threat actor since as early as July 2024 targeting users, predominantly in Poland and Germany, based on the phishing email language. 
*   The actor has delivered different payloads, including Agent Tesla, Snake Keylogger, and a new undocumented backdoor we are calling TorNet, dropped by PureCrypter malware.  
*   The actor is running a Windows scheduled task on victim machines—including on endpoints with a low battery—to achieve persistence.  
*   The actor also disconnects the victim machine from the network before dropping the payload and then connects it back to the network, allowing them to evade detection by cloud antimalware solutions.  
*   We also found that the actor connects the victim’s machine to the TOR network using the TorNet backdoor for stealthy command and control (C2) communications and detection evasion. 

**The campaign **

The intrusions start with a phishing email as the initial infection vector. The actor is impersonating financial institutions and manufacturing and logistics companies by sending fake money transfer confirmations and fake order receipts, respectively. The phishing emails are predominantly written in Polish and German, indicating actor’s intent to primarily target users in those countries. We also found some phishing email samples from the same campaign written in English. We assess with medium confidence that the actor is financially motivated, based on the phishing email themes and the filenames of the email attachments.  

The phishing email has attachments with the file extension “.tgz”, indicating that the actor has used GZIP to compress the TAR archive of the malicious attachment file to disguise the actual malicious content of the attachment and evade email detections. 

Sample phishing email in Polish. 

Sample phishing email in German. 

When a user opens the compressed email attachment and manually unzips it and runs a .NET loader executable, it eventually downloads encrypted PureCrypter malware from a compromised staging server. The Loader decrypts the PureCrypter malware and runs it in the system memory.  

In a few intrusions in this campaign, we found that the PureCrypter malware drops and runs the TorNet backdoor. The TorNet backdoor establishes connection to the C2 server and also connects the victim machine to the TOR network. It has the capabilities to receive and run arbitrary .NET assemblies in the victim machine’s memory, downloaded from the C2 server, increasing the attack surface for further intrusions. 

**.NET loader implants PureCrypter **

Talos found that the compressed attachment files contain a large .NET executable file. The actor has instrumented the .NET executable to either download the next-stage malicious executables from a remote staging server or to reflectively load an embedded malicious binary.  

Some of the loader samples we analyzed in this campaign download the AES-encrypted binary of the PureCrypter malware hosted on compromised websites in paths “/filescontentgalleries/pictorialcoversoffiles/” and “/post-postlogin/” using a hardcoded URL. The encrypted PureCrypter binaries were stored with the arbitrary filenames using different file extensions, including .pdf, .dat, .wav, .vdf, .mp3 and .mp4. The loader decrypts the PureCrypter binary and loads reflectively. 

Snippet of the loader program that downloads the encrypted PureCrypter malware.

Network traffic showing the encrypted PureCrypter malware downloaded from the hosting site. 

In a few other loader samples, we found that the encrypted PureCrypter sample was embedded in the loader, which is decrypted using the AES algorithm and reflectively loaded into the victim machine’s memory.  

Snippet of the loader with embedded PureCrypter binary. 

**PureCrypter drops the TorNet backdoor **

The PureCrypter malware found in this intrusion is a Windows dynamic-link library obfuscated with Eziriz’s .NET Reactor obfuscator. It has resources of encrypted binaries of legitimate DLLs, including Protobuf-net and Microsoft task scheduler DLL along with the TorNet backdoor.  

PureCrypter initially creates a mutex on the victim machine and executes the command to release the currently assigned DHCP IP address of the victim machine, establishes persistence, performs various anti-analysis and detections tasks, drops and runs the payload, and finally executes a command to renew the IP address of the victim machine.  

Cmd /c ipconfig /release 
Cmd /c ipconfig /renew 

The threat actor is likely using this technique to evade detections from the cloud-based anti-malware programs by disconnecting the victim machine from the network and connects back to the network after dropping and running the backdoor.  

The PureCrypter malware performs various anti-debugger, anti-analysis, anti-VM, and anti-malware checks on the victim machine as described below: 

*   It checks if the process is debugged using the function “CheckRemoteDebuggerPresent”. 
*   It checks for the Sandboxie and Cuckoo sandbox environments by enumerating processes to look for “sbieDLL.dll” and “cuckoomon.dll”. 
*   It checks if the DLL is running in the virtual environment by executing the WMI queries and searches for the strings “VMware”, “VIRTUAL”, “AMI”, and “Xen”.  

Select \* from Win32\_BIOS 
Select \* from Win32\_ComputerSystem 

*   It also checks if the process running is associated with “vmGuestLib.dll” to detect the VMWare environment. 
*   It checks if the victim machine username is “john” or “anna” or “xxxxxxxx”.  
*   It checks for the strings “amsi.dll” and “amsiscanbuffer” in the running processes modules of the victim machine.  
*   It checks if the Event Tracing for Windows (ETW) is configured for the victim machine by attempting to check if any processes point to the function “EtwEventWrite” of “ntdll.dll”.  
*   It modifies the Windows Defender settings by executing the PowerShell commands to add its process and the path of the dropped backdoor to the exclusion lists.

Add-MpPreference –ExclusionPath 
Add-MpPreference –ExclusionProcess 

After the evasion checks, PureCrypter decrypts the encrypted backdoor from its resource and drops it to the user profile application temporary folder with a random file name. It also decrypts another file resource using a custom string decryption algorithm, generating the arbitrary filename strings and the task name strings for the Windows Task scheduler.  

PureCrypter establishes the persistence in the Run registry key by adding the path of the loader. It also creates a Windows task using a task name gained by decrypting the strings from the resource file and executes the loader every two to four minutes with no execution time limit. The task can run if the machine switches to battery power and will not stop if it runs on a low battery power. The threat actor has instrumented this technique to possibly ensure an uninterrupted infection avoiding the victim machine operating system to deprioritize the process when a victim machine is running on low battery power mode.  

Code snippet of creating the Windows schedule task. 

PureCrypter drops a Visual Basic script in the Windows startup folder with the instructions to load and execute the dropped backdoor. 

Code Snippet showing the command to drop and execute a VB Script.

After establishing persistence, PureCrypter loads the dropped backdoor by accessing it through a URL scheme “file\[://\]<Path of the dropped backdoor>” and injects the backdoor into the .NET runtime executable process in the victim machine. The threat actor is using this technique to possibly masquerade the file access activity as a web request in the victim machine logs and to bypass detections for loading a file from suspicious file paths on the victim machine.  

Code snippet showing the process injection.

**Payload TorNet creates a backdoor on the victim machine **

Talos discovered a new .NET backdoor as the payload in the recent intrusions of this campaign, which we call TorNet. TorNet backdoor is also obfuscated with Eziriz’s .NET Reactor obfuscator and has hash values for the compilation time. This could be the artifact that was created when the samples were compiled in Visual Studio with the “/deterministic” parameter. When Visual Studio is configured to generate deterministic binaries, the compiled date/time field of the binaries will be replaced by a hash of the compilation options. Talos had previously seen, and reported this technique used by other threat actors to disguise the actual compilation time of the malware binaries.    

TorNet initially decodes a base64-encoded string to obtain the C2 domain, port number, and an alphanumeric string of 16 characters (5e7a81857a353068). It then performs the anti-debugging, anti-malware, anti-VM, and sandbox evasion checks similar to PureCrypter we discussed in the previous section.  

Code snippet showing the base64 string decoding to obtain the string, C2 domain, and port number. 

After the evasion checks, TorNet establishes a TCP socket connection to the C2 server by resolving the IP address of the C2 domain decoded from the base64-encoded string. The connection uses one of the port numbers 8194, 7890, or 8410. We observed that the C2 domains used by the backdoor were resolving to the IP address 104\[.\]168\[.\]7\[.\]37 during the period of our research. 

TorNet backdoor sample connecting to the C2 using the domain and port number.

After establishing the connection to the C2 server, TorNet sends the gained string “5e7a81857a353068” by decoding the base64-encoded strings to the C2 server, creating a hexadecimal byte stream of length 20 and writes it to a memory stream by compressing it using the GzipStream function.  

HEX stream: “3A 12 12 10 35 65 37 61 38 31 38 35 37 61 33 35 33 30 36 38” 

ASCII equivalent: “:<2-byte place holder>\\n5e7a81857a353068” 

TorNet then generates an MD5 hash value of the string “5e7a81857a353068” and uses it as a key to encrypt the compressed 20-byte hexadecimal data stream using the triple DES algorithm. Using the Bitconverter function, TorNet splits the encrypted byte stream and sends it to the C2 server by writing it to the TCP stream through the socket.  

Code snippet of TorNet showing the data exfiltration to the C2 server through sockets. 

The C2 server may send an arbitrary encrypted .NET assembly as a response to a TorNet’s request. TorNet will decrypt the arbitrary binary and reflectively run it. During our research, we were unable to receive a response from the C2, still analyzing the TorNet binary allowed us to assess that the received response will be an arbitrary .NET assembly code, enabling the attack surface for further attack.  

Code snippet for running the received arbitrary .NET assembly. 

TorNet also connects the victim machine to the TOR network. It downloads the TOR expert bundle from the TOR Project archive site, unpacks it and runs the “tor\[.\]exe” as a background process to connect to TOR.  

Code snippet shows the download and execution of tor\[.\]exe. 

Once TOR is running, TorNet connects to the TOR network using the TOR SocksPort (127\[.\]0\[.\]0\[.\]1:9050), and with the “socket.Poll” function, it routes all traffic from the backdoor process on the victim machine through the TOR network. The threat actor is leveraging the TOR network to anonymize the C2 communication and evade detection.  

Connections from TorNet on analysis machine to the TOR nodes.

****Coverage** **

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here. 

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks. 

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here. 

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat. 

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products. 

Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here. 

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them. 

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center. 

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network. 

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. Snort SIDs for this threat are 64440, 64439, 64437, 64438 and 301115. 

ClamAV detections are also available for this threat: 

Win.Backdoor.TorNet-10041435-0    
Win.Downloader.TorNet-10041463-0    
Win.Malware.TorNet-10041565-0    
Win.Malware.TorNet-10041601-0    
Win.Trojan.TorNet-10041734-0 

**Indicators of Compromise  **

IOCs for this threat can be found in our GitHub repository here.

New TorNet backdoor seen in widespread campaign

Hidden text salting is a simple yet effective technique for bypassing email parsers, confusing spam filters, and evading detection engines that rely on keywords. Cisco Talos has observed an increase in the number of email threats leveraging hidden text salting.

Friday, January 24, 2025 08:37

*   Cisco Talos observed an increase in the number of email threats leveraging hidden text salting (also known as "poisoning") in the second half of 2024.
*   Hidden text salting is a simple yet effective technique for bypassing email parsers, confusing spam filters, and evading detection engines that rely on keywords. The idea is to include some characters into the HTML source of an email that are not visually recognizable.
*   Talos observed this technique being used for various purposes, including evading brand name extraction by email parsers, confusing language detection procedures, and evading spam filters and detection engines in HTML smuggling.

**Introduction to hidden text salting**

Hidden text salting (or "poisoning") is an effective technique employed by threat actors to craft emails that can evade parsers, confuse spam filters, and bypass detection systems that rely on keywords. In this approach, features of the Hypertext Markup Language (HTML) and Cascading Style Sheets (CSS) are used to include comments and irrelevant content that are not visible to the victim when the email is rendered in an email client but can impact the efficacy of parsers and detection engines.

Due to the simplicity of hidden text salting and the number of ways threat actors can insert gibberish content in emails, this approach can introduce significant challenges to email parsers, spam filters, and detection engines.

**Technical explanation**

Talos has observed the use of hidden text salting for multiple purposes, such as evading brand name extraction by email parsers. Below is an example of a phishing email that impersonates the Wells Fargo brand.

A phishing email impersonating the Wells Fargo brand.

The HTML source of the above email is shown below. The **<style>** tag is used to define style information for an email via CSS. Inside the **<style>** element, one can specify how HTML elements should render in a browser or email client. The **<style>** element must be included inside the **<head>** section of the document. In this example, threat actors have set the **display** property to **inline-block**. When **inline-block** is used instead of **inline**, one can set a width and height on the element. In this case, the block’s width is set to zero. Additionally, the **overflow** property is set to “hidden,” resulting in the content outside the element box not being shown to the victim when the email is rendered in the email client.

The HTML source snippet of the above phishing email shows how the 'width' property in CSS is used to hide the irrelevant characters inserted between the letters of the Wells Fargo brand.

As a second example, the following email shows a phishing email, sent to another customer, that impersonates the Norton LifeLock brand.

A phishing email impersonating the Norton LifeLock brand.

In this case, threat actors have inserted Zero-Width SPace (ZWSP) and Zero-Width Non-Joiner (ZWNJ) characters between the letters of Norton LifeLock to evade detection. Although these characters are not visible to the naked eye, they are still considered characters or strings of characters by most email parsers. Therefore, one can consider them invisible characters.

The HTML source snippet of the above phishing email, with Zero-Width SPace (ZWSP) and Zero-Width Non-Joiner (ZWNJ) characters inserted between the letters of the Norton LifeLock brand.

Hidden text salting has also been used to confuse language detection procedures, thus evading possible spam filters that rely on such procedures. The example below shows a phishing email that impersonates the Harbor Freight brand. As it is visually obvious, the language of this email is English.

A phishing email impersonating the Harbor Freight brand.

However, a closer inspection of the email’s headers shows that the language of this email has been identified as French, as it is saved in the **LANG** field of Microsoft's **X-Forefront-Antispam-Report anti-spam** header. The LANG field specifies the language in which the message was written, and the **X-Forefront-Antispam-Report** header contains information about the message and how it was processed. This header is added to each message by Exchange Online Protection (EOP), Microsoft's cloud-based filtering service.

A snippet of the above email’s header shows French as the identified language of this email by Microsoft's cloud-based filtering service, called EOP.

When the HTML source of this email is inspected, several French words and sentences are found that are visually hidden. In this case, threat actors have used the **display** property of the **div** element to hide the French words, thus confusing the language detection module of Microsoft.

The HTML source snippet of the above phishing email, with French characters that are hidden using the display property.

Another case where hidden text salting has been used is in HTML smuggling in order to bypass detection engines (see the example below).

A spear phishing email with an HTML attachment.

A snippet of the HTML attachment from the above email is shown below. Threat actors have inserted multiple irrelevant comments between the base64-encoded characters to prevent file attachment parsers from easily putting these strings together and decoding them.

The HTML source snippet of the above phishing email, with irrelevant comments inserted between the base64-encoded characters.

**Mitigation**

The above cases are just a few examples demonstrating how simple and effective this technique is in evading detection. Detecting email content concealed through this technique, which is used to poison the HTML source of an email, is important since it poses significant challenges in identifying email threats that leverage this method. A few mitigation and detection strategies are discussed below that could be helpful in this mission.

**Advanced filtering techniques**: One mitigation strategy is to investigate and develop advanced filtering techniques that can more effectively detect hidden text salting and content concealment. For example, filtering systems could be made to identify questionable usage of CSS properties like visibility (e.g., "visibility: hidden") and display (e.g., "display: none") that are frequently used to conceal text. These systems could also examine the structure of the HTML source of emails to find the excessive use of inline styles or unusual nesting of elements that might suggest an effort to hide content.

**Relying on visual features**: Although improved filtering systems can be very useful in detecting hidden text salting and email threats that use this technique to avoid detection, threat actors can swiftly develop new techniques. Therefore, relying on some features in addition to the text domain, such as the visual characteristics of emails, could be helpful.

**Protection**

Protecting against these sophisticated and devious threats requires a comprehensive email security solution that harnesses AI powered detections. Secure Email Threat Defense utilizes unique deep and machine learning models, including Natural Language Processing, in its advanced threat detection systems that leverage multiple engines. These simultaneously evaluate different portions of an incoming email to uncover known, emerging, and targeted threats. This differentiated AI technology also extracts and analyzes the _content_ of image-only emails that aim to evade text-based detections.

Secure Email Threat Defense identifies malicious techniques used in attacks targeting your organization, derives unparalleled context for specific business risks, provides searchable threat telemetry, and categorizes threats to understand which parts of your organization are most vulnerable to attack.  

Start fortifying your environment against advanced threats. Sign up for a free trial of Email Threat Defense today.

Seasoning email threats with hidden text salting

Joe shares his recent experience presenting at the 32nd Crop Insurance Conference and how it's important to stay curious, be a forever student, and keep learning.

Thursday, January 23, 2025 14:05

Welcome to this week’s edition of the Threat Source newsletter.

Hello friends! Joe here again! I have just returned from the frozen northern tundra of Fargo, North Dakota. This was my first real visit to the frigid climates of the Midwest, and I have to say, they take cold to a new level. I was invited to present on cybersecurity at the 32nd Crop Insurance Conference, hosted by North Dakota State University (go Bisons!).

If you’re wondering why I or anyone would care to discuss cybersecurity in such a niche industry, the answer is simple: Everything is connected to security, even something you wouldn’t think would nominally matter. Agriculture and adjacent industries are roughly 6 percent of our GDP and account for about 10 percent of all U.S. jobs. The trillions of dollars that industry generates are targets for cyber-crime-motivated threat actors and nation-states who would seek to degrade it.

Agriculture is also a deeply underserved community and industry with regard to cybersecurity. And that’s both in general security literacy and security investments. So, I have a soft spot for folks up against threat actors who seek to exploit the most vulnerable, like agriculture industries. If the knowledge I can share will help them and their businesses stay more secure, it’s always worth it.

Pro-tip: If you ever find yourself at a conference, maybe to give a presentation, stay and listen beyond your time on the stage. For security conferences, sure, but for super niche or industry-specific conferences? Even better. I’m not a farmer or in agriculture, but I learned a lot in North Dakota. So, sit through other presentations – the further away from cyber security it is, the better. There’s more to this industry than malware analysis, threat actor cluster tracking, and incident response. For example, at this conference, I learned about climate change affecting agriculture, trade tariffs, agronomics, and insurance. You never know when that knowledge will pay dividends down the road for cybersecurity research. Stay curious, be a forever student, and keep learning.

**The one big thing**

Remember the old meme ‘Good luck, I’m behind seven proxies? Well, it still holds up in this Talos blog post. Proxy chains are something that hit our radar as old as VPNFilter, back in 2018. It’s a smart way to do business if your obscurity is your primary goal. TOR or other proxy solutions may have weaknesses that expose your operations to risk, and that’s why they’re getting more and more crafty about it. And we’ve moved far past generic VPN services for obscurity. Network defenders can find themselves between a rock and a hard place forensically when determining malicious connections to their networks.

**Why do I care?**

This is always going to be a sore point for network defenders. Adversaries are absolutely going to use and abuse any kind of proxy service to launch their attacks from. It’s an absolute given. It goes off the rails when it’s your own employees too. As per the blog post “Organizations need to realize that attacks can come from anywhere, even the same IP space that your employees connect to their VPNs, so plan accordingly.”

**So now what?**

Using additional controls and forensic data is a must here. Identity and access management, combined with a mobile device management/application solution is key here. Control as much of your ecosystem as you absolutely can. This isn’t cheap, but it’s most certainly a step up from implementing MFA and hoping for the best.

**Top security headlines of the week**

*   Hold onto your seats – Mirai came in super-hot with a massive 5.6 Tbps DDoS attack. So far, the largest ever recorded. (Hacker News)
*   Here’s some sobering statistics about healthcare data breaches. “Between 2009 and 2023, 5,887 healthcare data breaches of 500 or more records were reported to OCR \[sic\] Office of Civil Rights. Those breaches have resulted in the exposure or impermissible disclosure of 519,935,970 healthcare records. That equates to more than 1.5x the population of the United States.” (HIPAA Journal) 
*   Businesses are folding a lot more due to cyber-attacks, and mostly at small and medium-sized businesses, which absolutely jives with what we see at Talos. Ransomware cartels love to target the small business. Cyber Insurance may be the saving grace here. (Bloomberg Law) 

**Can’t get enough Talos?**

*   My colleague Martin Lee did an amazing Net Academy series on threat intelligence 101. If you’re a NetAcad member, I highly suggest you watch it! And if not, sign up. It’s free!
*   In running the biggest scam ever, I still get to be on Talos podcasts. Listen to myself and my colleagues discuss crossword puzzles and why Pauly Shore gets a bad rap.

**Upcoming events where you can find Talos **

Cisco Live EMEA (February 9-14, 2025)   
Amsterdam, Netherlands

**Most prevalent malware files from Talos telemetry over the past week **

**SHA 256:** 7b3ec2365a64d9a9b2452c22e82e6d6ce2bb6dbc06c6720951c9570a5cd46fe5  
**MD5:** ff1b6bb151cf9f671c929a4cbdb64d86  
**VirusTotal:** https://www.virustotal.com/gui/file/7b3ec2365a64d9a9b2452c22e82e6d6ce2bb6dbc06c6720951c9570a5cd46fe5    
**Typical Filename:** endpoint.query  
**Claimed Product:** Endpoint-Collector  
**Detection Name:** W32.File.MalParent

**SHA 256:** 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
**MD5:** 2915b3f8b703eb744fc54c81f4a9c67f  
**VirusTotal:** https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
**Typical Filename:** VID001.exe  
**Detection Name:** Simple\_Custom\_Detection

**SHA 256:** 47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca  
**MD5:** 71fea034b422e4a17ebb06022532fdde  
**VirusTotal:** https://www.virustotal.com/gui/file/47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca  
**Typical Filename:** VID001.exe  
**Claimed Product:** N/A  
**Detection Name:** Coinminer:MBT.26mw.in14.Talos

**SHA 256:** a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91  
**MD5:** 7bdbd180c081fa63ca94f9c22c457376  
**VirusTotal:** https://www.virustotal.com/gui/file/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91/details%C2%A0  
**Typical Filename:** c0dwjdi6a.dll  
**Claimed Product:** N/A  
**Detection Name:** Trojan.GenericKD.33515991

Everything is connected to security

Bill discusses how to find 'the helpers' and the importance of knowledge sharing. Plus, there's a lot to talk about in our latest vulnerability roundup.

Thursday, January 16, 2025 14:15

Welcome to this week’s edition of the Threat Source newsletter. 

“When I was a boy and I would see scary things in the news, my mother would say to me, ‘Look for the helpers. You will always find people who are helping.’” 

 ― Fred Rogers 

There’s no world where following Mr. Roger’s advice is wrong. With the wildfires raging in Greater Los Angeles now more than ever I am very aware of the need to look for the helpers. I get it, I see the news and it’s overwhelming and terrifying. So Gentle Reader I’m asking that instead of just finding the helpers – be the helper.  

 I’d like everyone to take a moment and think about what you can do to be a helper – not just with the catastrophic fires and the incredible destruction but in your own world. In your home life and in your work life. Nothing is more intrinsic to information security than the sharing of knowledge and information. It’s how we all got the roles that we are in now. The older I get the more joy I find in sharing anything and everything that I know. I’m proud to be a mentor in Cisco’s

Women in Cybersecurity

and outside of work I’ve started volunteering to teach English as a second language – and cannot tell you how rewarding both are. There are so many incredible non-profits that you can give your time and money. Do both. There are so many infosec groups that are in need of your time, your invaluable experience, and mentorship. Be the helper. Find a local group, find an internal team within your organization, and if you can’t find one – create one.  

 Be the helper.  

Let’s use this terrible event as a driver to push us all to do more to be the helpers. After all, what would Mr. Rogers do?  

**The one big thing **

Cisco Talos discovered forty-four vulnerabilities, and sixty-three CVEs were discovered across ten .cgi and three .sh files, as well as the static login page, of the Wavlink AC3000 wireless router web application.   

 The Wavlink AC3000 wireless router is one of the most popular gigabit routers in the US, in part due to both its potential speed capabilities and low price point. Talos is releasing these advisories in accordance with Cisco’s third-party vulnerability 

**Why do I care? **

  
An attacker can send a specially crafted set of network packets over WAN to gain root access to the router via the wcrtrl service and static login credentials. With the ongoing state-sponsored attacks on infrastructure this is critical to a secure environment.  

**So now what? **

   
Cisco Talos has released several Snort rules and ClamAV signatures to detect and defend against the exploitation of these vulnerabilities.  

**Top security headlines of the week **

Hackers are exploiting a new Fortinet firewall bug to breach company networks. (TechCrunch) 

CISA is urging federal agencies to patch a command injection flaw tracked as CVE-2024-12686, otherwise known as BT24-11, and has added it to the Known Exploited Vulnerabilities (KEV) Catalog. The medium-severity security bug was found as a part of BeyondTrust's Remote Support SaaS Service security investigation, which was launched after a major data breach at the US Treasury Department. (DarkReading)  

Microsoft rings in 2025 with record security update. Microsoft has issued patches for an unprecedented 159 CVEs, including eight zero-days, three of which attackers are already exploiting. (DarkReading)  

**Can’t get enough Talos? **

*   Slew of Wavlink Vulnerabilities  
*   Evolution and Abuse of Proxy Networks 
*   Patch Tuesday was a big one 

Our latest Talos Takes podcast sees Hazel sits down with Vanja Svajcer to discuss new research on vulnerable drivers.

**Upcoming events where you can find Talos **

Cisco Live EMEA (February 9-14, 2025)     
Amsterdam, Netherlands 

**Most prevalent malware files from Talos telemetry over the past week  **

 SHA 256:7b3ec2365a64d9a9b2452c22e82e6d6ce2bb6dbc06c6720951c9570a5cd46fe5   

MD5: ff1b6bb151cf9f671c929a4cbdb64d86   

VirusTotal : https://www.virustotal.com/gui/file/7b3ec2365a64d9a9b2452c22e82e6d6ce2bb6dbc06c6720951c9570a5cd46fe5 

Typical Filename: endpoint.query   

Claimed Product: Endpoint-Collector   

Detection Name: W32.File.MalParent   

SHA 256:9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507 

MD5: 2915b3f8b703eb744fc54c81f4a9c67f 

 VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507 

Typical Filename: VID001.exe 

Detection Name: Simple\_Custom\_Detection 

SHA 256: 47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca  

MD5: 71fea034b422e4a17ebb06022532fdde  

VirusTotal: https://www.virustotal.com/gui/file/47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca 

Typical Filename: VID001.exe 

Claimed Product: N/A   

Detection Name: Coinminer:MBT.26mw.in14.Talos 

SHA 256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91   

MD5: 7bdbd180c081fa63ca94f9c22c457376  

VirusTotal: https://www.virustotal.com/gui/file/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91/details%C2%A0 

Typical Filename: c0dwjdi6a.dll  

Claimed Product: N/A   

Detection Name: Trojan.GenericKD.33515991

Find the helpers

Lilith >_> of Cisco Talos discovered these vulnerabilities. 
Forty-four vulnerabilities and sixty-three CVEs were discovered across ten .cgi and three .sh files, as well as the static login page, of the Wavlink AC3000 wireless router web application.  
The Wavlink AC3000 wireless router is one of the

Wednesday, January 15, 2025 08:00

_Lilith >\_> of Cisco Talos discovered these vulnerabilities._ 

Forty-four vulnerabilities and sixty-three CVEs were discovered across ten .cgi and three .sh files, as well as the static login page, of the Wavlink AC3000 wireless router web application.  

The Wavlink AC3000 wireless router is one of the most popular gigabit routers in the US, in part due to both its potential speed capabilities and low price point. 

Talos is releasing these advisories in accordance with Cisco’s third-party vulnerability disclosure policy. Wavlink has declined to release a patch for these vulnerabilities.  

For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website.   

**Static login vulnerability **

An attacker can send a specially crafted set of network packets over WAN to gain root access to the router via the wcrtrl service and static login credentials.  

Static Login 

*   TALOS-2024-2034 (CVE-2024-39754): Static login 

**Ten .cgi vulnerabilities **

An unauthenticated HTTP request can trigger the following types of vulnerabilities: 

touchlist\_sync.cgi 

*   TALOS-2024-1999 (CVE-2022-2488): Arbitrary code execution 
*   TALOS-2024-2000 (CVE-2024-34166): Command injection 
*   TALOS-2024-2046 (CVE-2024-36258): Buffer overflow  

Login.cgi 

*   TALOS-2024-2017 (CVE-2024-39363): Persistent XXS 
*   TALOS-2024-2018 (CVE-2024-39759-CVE-2024-39761): Command injection 
*   TALOS-2024-2019 (CVE-2024-36290): Buffer overflow  
*   TALOS-2024-2036 (CVE-2024-39608): Unauthenticated firmware upload  

internet.cgi 

*   TALOS-2024-2020 (CVE-2024-39762-CVE-2024-39765): Command injection 
*   TALOS-2024-2021 (CVE-2024-39288): Buffer overflow 
*   TALOS-2024-2022 (CVE-2024-39768-CVE-2024-39770): Buffer overflow  

firewall.cgi 

*   TALOS-2024-2023 (CVE-2024-39367): Command injection  

adm.cgi 

*   TALOS-2024-2024 (CVE-2024-39756): Buffer overflow 
*   TALOS-2024-2025 (CVE-2024-37184): Buffer overflow 
*   TALOS-2024-2026 (CVE-2024-39294): Buffer overflow 
*   TALOS-2024-2027 (CVE-2024-39358): Buffer overflow 
*   TALOS-2024-2028 (CVE-2024-21797): Command injection 
*   TALOS-2024-2029 (CVE-2024-37357): Buffer overflow 
*   TALOS-2024-2030 (CVE-2024-39774): Buffer overflow 
*   TALOS-2024-2031 (CVE-2024-39370): Arbitrary code execution 
*   TALOS-2024-2032 (CVE-2024-37186): OS command injection 
*   TALOS-2024-2033 (CVE-2024-39781-CVE-2024-39783): OS Command injection 

wireless.cgi 

*   TALOS-2024-2039 (CVE-2024-39357): Buffer overflow 
*   TALOS-2024-2040 (CVE-2024-39359): Buffer overflow 
*   TALOS-2024-2041 (CVE-2024-36493): Buffer overflow 
*   TALOS-2024-2042 (CVE-2024-39603): Buffer overflow 
*   TALOS-2024-2043 (CVE-2024-39757): Buffer overflow 
*   TALOS-2024-2044 (CVE-2024-34544): Command injection 

usbip.cgi 

*   TALOS-2024-2045 (CVE-2024-36272): Buffer overflow 

qos.cgi 

*   TALOS-2024-2047 (CVE-2024-36295): Command injection 
*   TALOS-2024-2048 (CVE-2024-39299): Buffer overflow 
*   TALOS-2024-2049 (CVE-2024-39801-CVE-2024-39803): Buffer overflow 

openvpn.cgi 

*   TALOS-2024-2050 (CVE-2024-39798-CVE-2024-39800): Configuration control 
*   TALOS-2024-2051 (CVE-2024-38666): Configuration control 

nas.cgi 

*   TALOS-2024-2052 (CVE-2024-39602): Configuration control 
*   TALOS-2024-2053 (CVE-2024-39793-CVE-2024-39795): Configuration control 
*   TALOS-2024-2054 (CVE-2024-39360): Command injection 
*   TALOS-2024-2055 (CVE-2024-39280): Configuration control 
*   TALOS-2024-2056 (CVE-2024-39788-CVE-2024-39790): Configuration control 
*   TALOS-2024-2057 (CVE-2024-39786-CVE-2024-39787): Directory traversal 
*   TALOS-2024-2058 (CVE-2024-39784-CVE-2024-39785): Command injection 

**Three .sh vulnerabilities **

Attackers can send specially crafted HTTP requests. A man-in-the-middle attack can trigger the fw\_check.sh and update\_filter\_url.sh vulnerabilities. 

testsave.sh 

*   TALOS-2024-2035 (CVE-2024-39773): Firmware update 

fw\_check.sh 

*   TALOS-2024-2037 (CVE-2024-39273): Firmware upload  

update\_filter\_url.sh 

*   TALOS-2024-2038 (CVE-2024-39604): Argument injection

Slew of WavLink vulnerabilities

Microsoft has released its monthly security update for January of 2025 which includes 159 vulnerabilities, including 10 that Microsoft marked as “critical.” The remaining vulnerabilities listed are classified as “important.”

Tuesday, January 14, 2025 16:15

Microsoft has released its monthly security update for January of 2025 which includes 159 vulnerabilities, including 12 that Microsoft marked as “critical.” The remaining vulnerabilities listed are classified as “important.”  

One notable critically rated vulnerability that has been patched this month is CVE-2025-21309, which is a remote code execution vulnerability affecting Windows Remote Desktop Services. Exploitation of this vulnerability could lead to arbitrary code execution on systems where the Remote Desktop Gateway role has been enabled. This vulnerability has been assigned a CVSS 3.1 score of 8.1 and is considered “more likely to be exploited” by Microsoft. 

Another notable remote code execution vulnerability in Window Object Linking and Embedding (OLE) was also patched this month. This vulnerability, CVE-2025-21298, is a critical remotely exploitable vulnerability that can be triggered by sending a malicious email to a victim running a vulnerable version of Microsoft Outlook. Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on vulnerable systems and can be triggered when the victim previews the malicious email. This vulnerability has been assigned a CVSS 3.1 score of 9.8. Microsoft recommends disabling RTF as mitigation for this vulnerability. 

CVE-2025-21294 is a critical vulnerability in Microsoft Digest Authentication that affects multiple versions of Windows and Windows Server. Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on vulnerable systems. To exploit this vulnerability, an attacker would need to win a race condition. 

CVE-2025-21295 is a critical remote code execution vulnerability in SPNEGO Extended Negotiation (NEGOEX) Security Mechanism. This vulnerability could allow an attacker to execute arbitrary code on vulnerable systems and does not require user interaction for successful exploitation.  

CVE-2025-21296 is a critical remote code execution vulnerability in BranchCache. This vulnerability could allow an attacker to execute arbitrary code on vulnerable systems. Microsoft assesses that an attacker would need to be on the same network to successfully exploit this vulnerability.  

CVE-2025-21297 is another critical remote code execution vulnerability in Windows Remote Desktop Services. Microsoft has assessed that this vulnerability is “less likely to be exploited” and that it would require an attacker to win a race condition for exploitation to be successful. This vulnerability affects multiple versions of Windows Server.  

CVE-2025-21298 is a critical remote code execution vulnerability in Windows Object Linking and Embedding (OLE). It could allow an attacker to execute arbitrary code on vulnerable systems. Microsoft recommends disabling RTF as a mitigation for this vulnerability.

CVE-2025-21307 is a critical remote code execution vulnerability in Windows Reliable Multicast Transport Driver (RMCAST). This vulnerability, if successfully exploited, could enable an unauthenticated attacker to execute arbitrary code by sending a specially crafted packet to vulnerable systems.  

CVE-2025-21311 is a critical privilege escalation vulnerability in NTLMv1. This vulnerability can be exploited remotely and could allow an attacker to increase their level of access to vulnerable systems. Microsoft recommends disabling the use of NTLMv1 as a mitigation for this vulnerability. 

CVE-2025-21362 - is a critical remote code execution vulnerability in Microsoft Excel. This vulnerability could allow an attacker to execute arbitrary code on vulnerable systems. This vulnerability can also be triggered via the preview pane.  

CVE-2025-21380 is a critical information disclosure vulnerability affecting Azure Marketplace SaaS Resources. According to Microsoft this vulnerability, which could enable an attacker to disclose information, has been mitigated.  

CVE-2025-21385 is a critical information disclosure vulnerability affecting Microsoft Purview. This vulnerability is due to a Server-Side Request Forgery (SSRF) vulnerability that Microsoft reports has been mitigated. 

Talos would also like to highlight the following important vulnerabilities that Microsoft considers to be “more likely” to be exploited:   

*   CVE-2025-21189 - MapUrlToZone Security Feature Bypass Vulnerability 
*   CVE-2025-21210 - Windows BitLocker Information Disclosure Vulnerability 
*   CVE-2025-21219 - MapUrlToZone Security Feature Bypass Vulnerability 
*   CVE-2025-21268 - MapUrlToZone Security Feature Bypass Vulnerability 
*   CVE-2025-21269 - MapUrlToZone Security Feature Bypass Vulnerability 
*   CVE-2025-21292 - Windows Search Service Elevation of Privilege Vulnerability 
*   CVE-2025-21299 - Windows Kerberos Security Feature Bypass Vulnerability 
*   CVE-2025-21314 - Windows SmartScreen Spoofing Vulnerability 
*   CVE-2025-21315 - Microsoft Brokering File System Elevation of Privilege Vulnerability 
*   CVE-2025-21328 - MapUrlToZone Security Feature Bypass Vulnerability 
*   CVE-2025-21329 - MapUrlToZone Security Feature Bypass Vulnerability 
*   CVE-2025-21354 - Microsoft Excel Remote Code Execution Vulnerability 
*   CVE-2025-21364 - Microsoft Excel Security Feature Bypass Vulnerability 
*   CVE-2025-21365 - Microsoft Word Remote Code Execution Vulnerability 

A complete list of all the other vulnerabilities Microsoft disclosed this month is available on its update page.

In response to these vulnerability disclosures, Talos is releasing a new Snort rule set that detects attempts to exploit some of them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Cisco Security Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.  

The rules included in this release that protect against the exploitation of many of these vulnerabilities are 64432 – 64436, 64444 - 64457. There are also these Snort 3 rules: 301113, 301114, 301117 - 301123.

Microsoft Patch Tuesday for January 2025 — Snort rules and prominent vulnerabilities

Hazel gets inspired by watching Wendy Nather’s recent keynote, and explores ways to challenge security assumptions.

Thursday, January 9, 2025 14:15

Welcome to the first edition of the Threat Source newsletter for 2025.  

Upon returning to work this week from my Lindt chocolate reindeer coma, my first task was to write this newsletter. As I stared at a blank template hoping for inspiration to suddenly strike, I did what any security professional should do at the start (and indeed any) time of year. I listened to Wendy Nather. 

Legendary Security Hall of Famer Wendy recently gave the keynote at BSides NYC and the video has just landed. The theme? “When do we get to play in easy mode?” I.e why is security still so hard? 

Wendy showed a list of the InfoSec Research Council’s “Hard Problems” list of 2005. Any of these sound familiar? 

*   Global scale identity management 
*   Insider threat 
*   Availability of time critical systems 
*   Building scalable secure systems 
*   Attack attribution and situational understanding 
*   Information provenance 
*   Security with privacy 
*   Enterprise level security metrics 

If the toughest challenges we face in 2025 are also the same challenges we were dealing with twenty years ago, what hope is there? 

Plus, if anything, security is even harder today than it was then, due to all the added complexity. Wendy also pointed out the larger ripple effect of breaches today due to supply chains, stolen credentials up for sale, and shared infrastructure. 

Jeez Hazel, way to start 2025 on a massive downer. 

However, something we can perhaps do more of this year is to go a bit easier on ourselves. Plus, ﻿if something you’ve been trying for a while isn’t working and is only leading to deeper frustrations, is it possible to come at from it a different way? 

One of Wendy’s recommendations on how to do just that uses the example of user awareness training. As she said in her keynote, it’s easy to get someone to click on a link (sorry to any bad guys reading this, but you’re not exactly carrying out rocket surgery with your phishing campaigns). 

Getting 1000 people NOT to click on a link is infinitely harder. Wendy even said that she once worked in an organization where the people who attended cybersecurity awareness training were even MORE likely to click on malicious links. The theory being that these people really wanted to help the security team, and were more than happy to respond to emails asking them to test the strength of their passwords. 

And that’s where social engineering, defender style, can come in. "People are your greatest asset, if you treat them that way." 

I'm seeing a lot of "how to thrive in 2025!" posts right now. For anyone who isn't ready for that, or tired of it all, I just want to say, I'm right there with you. But if you're also feeling like it's "new year, same problems"  perhaps there's one thing that you can pick this year which has the potential to change that story.

Wendy’s keynote contains a bunch of insights for defenders on how to go about picking something to change or improve, from knowledge sharing, to hiring, and addressing complexity. I’m also looking forward to reading the upcoming National Academy of Science’s report on Cyber Hard Problems, of which Wendy is on the committee for. 

I'd thoroughly recommend checking out the full keynote, if only to see Wendy yielding a hammer in a moderately threatening manner.

**The one big thing**

Attacks in which malicious actors are deliberately installing known vulnerable drivers, only to exploit them later, is a technique referred to as Bring Your Own Vulnerable Driver (BYOVD).   

Cisco Talos recently published our research into the real-world application of the BYOVD technique. We identified three major payloads used, as well as recent activity linked to ransomware groups. 

** Why do I care?  **

With the wide availability of tools exploiting vulnerable drivers, exploitation has moved from the domain of advanced threat actors into the domain of commodity threats - primarily ransomware. Malicious actors use corrupted drivers to perform a myriad of actions that help them achieve their goals, such as escalating privileges, deploying unsigned malicious code, or even terminating EDR tools. 

**So now what?  **

There are a few things we can do to mitigate the risks and detect potential campaigns using BYOVD technique. This could include enforcement of Extended Validation (EV) and Windows Hardware Quality Labs (WHQL) certified drivers, preventing risks associated with legacy drivers. If the blocking of all legacy drivers is not possible, employing the Windows Defender Application Control (Windows Security) drivers blocklist is recommended way to prevent the execution of known vulnerable drivers. Read more in the Talos blog. 

**Top security headlines of the week   **

*   CISA says there is ‘no indication’ of a wider government hack beyond the treasury, following the disclosure that the department had been the target of a “major incident” in December. TechCrunch 
*   FireScam Android spyware campaign fakes the Telegram Premium app and delivers information-stealing malware. Researchers say this is a prime example of the rising threat of adversaries leveraging everyday applications. Dark Reading. 
*   Meduza stealer analysis: A closer look at its techniques and attack vector. Splunk Threat Research 

**Can’t get enough Talos?  **

*   Talos Takes is now in video format! Catch up on the latest discussion, all about the major shifts and changes in ransomware since the very first iteration over 35 years ago. 

*   The evolution and abuse of proxy networks – check out this piece of research by Nick Biasini and Vitor Ventura. 

**Upcoming events where you can find Talos     **

Cisco Live EMEA (February 9-14, 2025)  

Amsterdam, Netherlands  

**Most prevalent malware files of the week**

**SHA 256:**  
9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
**MD5:** 2915b3f8b703eb744fc54c81f4a9c67f

**VirusTotal:** https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
**Typical Filename:** VID001.exe  
**Detection Name:** Simple\_Custom\_Detection

**SHA 256:**  
7b3ec2365a64d9a9b2452c22e82e6d6ce2bb6dbc06c6720951c9570a5cd46fe5    
**MD5:** ff1b6bb151cf9f671c929a4cbdb64d86  

**VirusTotal :** https://www.virustotal.com/gui/file/7b3ec2365a64d9a9b2452c22e82e6d6ce2bb6dbc06c6720951c9570a5cd46fe5  
**Typical Filename:** endpoint.query    
**Claimed Product:** Endpoint-Collector    
**Detection Name:** W32.File.MalParent  

**SHA 256:** a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91    
**MD5**: 7bdbd180c081fa63ca94f9c22c457376 

**VirusTotal:** https://www.virustotal.com/gui/file/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91/details%C2%A0  
**Typical Filename:** c0dwjdi6a.dll   
**Claimed Product:** N/A    
**Detection Name:** Trojan.GenericKD.33515991 

**SHA 256:**47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca   
**MD5**: 71fea034b422e4a17ebb06022532fdde 

**VirusTotal:**  https://www.virustotal.com/gui/file/47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca  
**Typical Filename:** VID001.exe  
**Claimed Product:** N/A    
**Detection Name:** Coinminer:MBT.26mw.in14.Talos

**SHA256:**873ee789a177e59e7f82d3030896b1efdebe468c2dfa02e41ef94978aadf006f   
**MD5:** d86808f6e519b5ce79b83b99dfb9294d  

**VirusTotal:** https://www.virustotal.com/gui/file/873ee789a177e59e7f82d3030896b1efdebe468c2dfa02e41ef94978aadf006f   
**Typical Filename:** n/a   
**Claimed Product:** n/a    
**Detection Name:** Win32.Trojan-Stealer.Petef.FPSKK8