Marshall is a senior security strategist for Talos’ Strategic Communications team, specifically focusing on industrial control systems.

Monday, June 5, 2023 07:06

Joe Marshall was a security practitioner before he even knew it.

Marshall started his career in information technology as a systems administrator. On the surface, he jokes that he was a “white-collar plumber” — fixing IT issues as they arose, handing out new credentials and asking users if they had tried turning something off and back on again.

But while he served in these roles across multiple companies for about 10 years, he became familiar with cybersecurity almost by accident.

“When you’re in IT or sysadmin, it’s not just ‘something’s broke, I’m here to fix it,’” Marshall said. “You have to create accounts, worry about password securities, updating critical patches — you don’t think of yourself as a security practitioner but that’s actually what you’re doing every day.”

His work today, though, is a far cry from having to provide hands-on support for someone’s broken email system.

Marshall is a senior security strategist for Talos’ Strategic Communications team, specifically focusing on industrial control systems. He spends most of his days talking to customers, users and industry leaders informing them about the latest security threats facing large industrial systems — think grain co-ops, electrical grids, manufacturing facilities and water pipelines.

He first got into the ICS space by working as a cybersecurity architect for Exelon, one of the largest public utility companies in the U.S. Prior to his time at Exelon, Marshall jokes that he knew nothing about ICS or operational technology, but he soon found that these systems had more in common with the systems he was used to working with.

“IT and OT \[operational technology\] is 95% one and the same, it’s just how they’re deployed and managed,” Marshall said.

Prior to joining the Strategic Communications team, Marshall also spent time with Talos Outreach publishing new research, and for several years led his own team of researchers who were specifically tasked with finding vulnerabilities and new security threats in ICS systems, internet-of-things devices and other products that are vital to critical infrastructure.

Marshall speaking at Cisco Live U.S. 2022.

All this experience has given him a greater appreciation for public utilities across the country and the workers who ensure that everyone has basic needs delivered to their home like water and electricity. He’s gotten hands-on at site visits and conferences with electrical grids responsible for serving thousands of households and has even become familiar with the agricultural industry, speaking with grain co-ops and farmers who are asking about threats to their OT processes that help them process their various products.

“I’m never coming in with sunshine and smiles saying, ‘everything’s cool, nothing to worry about,’” Marshall said. “That would be doing a disservice. I'm coming in to tell them how they can make their processes more resilient. To do that means you, as the presenter need to do your homework. You need to understand the basics of crops or how, say, a dairy farm works and what technology stack they’re working with.”

That’s specifically come into play in Ukraine, where Marshall has spent time on the ground with defenders and infrastructure managers to help strengthen the security of the country’s power grid and agricultural supply chain. This has become even more important during Russia’s invasion of Ukraine, during which Russian military forces have launched kinetic and cyber attacks against critical infrastructure.

Marshall said he is always in contact with friends and colleagues there, providing advice to improve their cyber defenses.

“It’s different when you’re looking at Ukraine because every day, there are so many tragedies that occur. I’ve been there. When you see a building that you’ve been in, or you know your friends are in, and you see it get hit with a missile, it rocks you,” he said.

Knowing how devastating cyber attacks can be on critical infrastructure around the world is “pretty sobering knowledge,” Marshall said, but he actively tries to avoid catastrophizing or always putting worst-case scenarios out into the world. Despite many headlines around the dangers of cyber attacks on the U.S. power grid, Marshall jokes that critters like snakes and squirrels have caused more power outages in modern history than cyber attacks.

“Have more faith in the resiliency of your critical infrastructure,” he said. “You have so many smart people talking every day about how to make our infrastructure more resilient and more powerful. Never fear, you have smart people working on it. Even if you’ve lost power, people are working to bring it back.”

Given the high-stakes environments he often works in, Marshall said he tries to unplug and step away from work frequently to decompress and step back — often by playing video games or practicing playing the banjo. Marshall is a proponent of talk therapy and encourages everyone in the security community to reach out to their support systems to avoid burnout.

“We're constantly sitting on knowledge that no one else knows about, and you’re constantly thinking about what the consequences could be,” he said. “Humans are humans, and we all have different thresholds that we crack under. If your cup is very full, and something pours in, something has to pour out.”

Outside of Talos, Marshall also works with the non-governmental organization NetHope, which helps other non-profits embrace and adapt to new technologies. He specifically is working with electric utilities in Ukraine to make their grids and networks more resilient and hopes one day “we can reinvent the way grid resiliency is thought of.”

He likes to embrace the fun side of security, too. Marshall led the team that created  “Advanced Persistent Thirst,” a kegerator that currently resides in Talos’ Fulton, Maryland office. Marshall’s team the keg several years ago that had several interconnected ICS devices. He and his team brought it to different security conferences, offering a job interview (and even hiring them) to anyone who could hack into the kegerator to make it dispense beer.

Even if he’s introducing ideas around cybersecurity with a keg, pun or meme in a presentation, Marshall said his goal is to always make whoever is listening “a better student of the game.”

“People are going to be your biggest and best asset. Technology is not going to solve your woes alone,” he said. “Having smart people and letting them do smart stuff and getting out there, is hands down the biggest leap you can make.”

How Joe Marshall helps defend everything from electrical grids to grain co-ops across multiple continents

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between May 26 and June 2. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key

Threat Roundup for May 26 to June 2

Developing a robust cybersecurity practice involves implementing multiple layers of security measures that are interconnected and continually monitored, including training and awareness programs to ensure that employees follow best practices.

Friday, June 2, 2023 08:06

One of the primary reasons why cybersecurity remains a complex undertaking is the increased sophistication of modern cyber threats. As the internet and digital technologies continue to advance, so do the methods and tools cybercriminals use. This means that even the most secure systems are vulnerable to attacks. Detecting and preventing these attacks require constant vigilance and adaptation. The human element of security only makes this more complex, rendering well-secured systems vulnerable to compromise due to human error or negligence, such as weak passwords or falling victim to social engineering attacks.

Developing a robust cybersecurity practice involves implementing multiple layers of security measures that are interconnected and continually monitored, including training and awareness programs to ensure that employees follow best practices. Even with best practices in place, the potential for threats from cybercriminals remains a constant concern. To assist companies in their journey for cybersecurity, Cisco Talos Incident Response has a new paper that outlines what businesses with a burgeoning security program need for a robust foundation and logging architecture for businesses, even those with limited resources.

This paper focuses on key areas of cybersecurity aiming at the holistic protection of IT environments, including their comprising endpoints, networks, cloud services and physical security. The paper also poses a set of essential questions that, when answered at the strategic level, can increase the resilience and security of a business.

The advice we outline in this paper may not be for every organization — much of this depends on budgeting, human resources and the maturity of your security operations. However, we hope businesses of all sizes can find advice in any of these sections that could help them address gaps in organizational security or potential areas of investment.

Cybersecurity for businesses of all sizes: A blueprint for protection

The latest on a newly discovered phishing botnet and the latest headlines regarding how countries use spyware.

Thursday, June 1, 2023 14:06

Welcome to this week’s edition of the Threat Source newsletter.

The use of spyware continues to make headlines across the globe. While primarily used by authoritarian regimes to track potentially sensitive subjects like political opponents or activists, governments from all over the world are guilty of entering into deals with companies that make spyware.

Many of these same governments (looking at you, U.S.) are still using this software despite active attempts to stop companies from creating and selling spyware. It’s not just governments, either. Everyone from jealous exes or overbearing spouses has used spyware to track, quite literally, every move the target makes.

Talos recently was able to dissect one such spyware, Predator, revealing new details about how the spyware works, exactly, and the various functions it must track the target and steal information off their device that could even allow the end user to track the target’s exact location.

U.S. President Joe Biden signed an executive order a few weeks ago that bans the U.S. government from entering into contracts to use commercial spyware. It also threatened to step in when it looked like a U.S. company was going to purchase NSO Group, an infamous Israeli maker of the Pegasus spyware.

The European Union is also under pressure to adapt new anti-spyware laws after a study from a European parliament special committee found that Hungary and Poland used surveillance software to illegally monitor journalists, politicians and activists.

New legislation and policy can certainly help in stopping the development of these dangerous tools, but actions are louder than words.

Between 2011 and 2023, at least 74 governments worked with commercial firms to obtain spyware or digital forensics technology, according to a report from Carnegie’s global inventory of commercial spyware and digital forensics. So, if the U.S. passes anti-spyware laws, that still leaves another 70-some countries where this needs to be addressed.

Biden’s executive order isn’t bulletproof, either. The U.S. still does not have a comprehensive privacy law that could provide legal protections to targets of spyware or regulates what types of software private companies can build.

Individual states and local governments can also still pass their own rules that could prevent area companies from producing this type of software.

And internationally, it will take a coalition of governments to place international economic pressure on companies that make spyware. This could include sanctions against individual companies, or against the countries that allow those companies to operate within their borders.

As bad guys have shown throughout the history of the internet, they’re going to find ways to get around rules and regulations. The work our researchers did to uncover more about Predator is incredibly important because these tools pose a serious threat to human rights and national security of all nations.

I’d encourage everyone to ask lawmakers at all levels about what they're doing to address the international proliferation of spyware. All countries should be working to reduce demand and supply of spyware, because the industry clearly isn’t going to slow down on its own.

**The one big thing**

Talos has observed a threat actor deploying a previously unidentified botnet program Talos is calling “Horabot,” which delivers a known banking trojan and spam tool onto victim machines in a campaign that has been ongoing since at least November 2020. This campaign involves a multi-stage attack chain that begins with a phishing email and leads to payload delivery through the execution of a PowerShell downloader script and sideloading to legitimate executables.

**Why do I care?**

This newly discovered Outlook botnet allows threat actors to gain complete control of the target’s Outlook mailbox. And it’s targeting users with Yahoo, Gmail and Outlook email accounts, which are three of the most popular email providers across the globe. Anyone hit with Horabot is at risk of having their contact list stolen so the threat actor can send the malware to others and then uses your email to send phishing emails with malicious HTML attachments.

**So now what?**

Phishing education continues to be of the utmost importance. If one person inside an organization is infected with Horabot, it puts the entire company at risk of being targeted. Users should be educated on how to spot obvious phishing attempts or potentially malicious attachments. Talos’ blog post on Horabot also outlines several Cisco Secure solutions that can detect and block this new botnet.

**Top security headlines of the week**

Newly leaked documents show that **Spain is advocating the European Union to ban end-to-end encryption** and that it has support for the policy among other member nations. The EU commission has been considering laws for years that would ban encryption so that governments could scan private messages to identify potentially illegal content. In the leaked document, Spain argues that it is “imperative that we have access to that data,” though privacy and security experts are concerned of the implications of this. Several companies that offer encrypted messaging services have threatened to cease operations in the EU rather than break their encryption methods. At least one member country, Germany, says it would not enforce the law if passed. (Wired, techdirt)

Security researchers at Microsoft revealed that **Chinese state-sponsored actors may have access to U.S. critical infrastructure networks,** though American officials say they are still actively working to remove the threat and confirm that the adversaries have been eliminated. Microsoft said that the actors targeted the U.S. territory of Guam, likely to disrupt critical communication in the event of a military conflict between the U.S. and China in the Pacific Ocean, which would likely be in the event China were to invade Taiwan. National Security Agency Director of Cybersecurity Rob Joyce said the activity likely dates to last year and that the Biden administration is concerned about the “scope and scale” of the campaign. (New York Times, CNN)

Various industries are **still feeling the effects of a data breach against outsourcing firm Capita.** As many as 90 companies have reported breaches and the use of stolen personal information that Capita held, according to the U.K.’s Information Commissioner’s Office. Capita, which provides critical services to national and local governments in Britain, first disclosed the breach in late March. A large number of U.K. public and private organizations use Capita, which handles the personal information of millions of people. Capita often handles the payout of pension plans to other companies’ employees, and its clients also include local government councils. The Capita incident highlights the negative downstream effects that can come from any data breach. (The Guardian, BBC)

**Can’t get enough Talos?**

*   Decipher Podcast: Hazel Burton
*   What is a web shell?
*   Vulnerability Spotlight: Memory corruption vulnerability in Mitsubishi PLC could lead to DoS, code execution
*   Predator: Looking under the hood of Intellexa’s Android spyware
*   Predator malware might be worse than previously thought

**Upcoming events where you can find Talos**

**Cisco Live U.S.** **(June 4 - 8)**

Las Vegas, NV

**REcon** **(June 9 - 11)**

Montreal, Canada

**Most prevalent malware files from Talos telemetry over the past week**

  
**SHA 256:** a8a6d67140ac6cfec88b748b8057e958a825224fcc619ed95750acbd1d7a4848  
**MD5:** 8cb26e5b687cafb66e65e4fc71ec4d63  
**Typical Filename:** a8a6d67140ac6cfec88b748b8057e958a825224fcc619ed95750acbd1d7a4848-dropped.bin  
**Claimed Product:** Datto Service Monitor  
**Detection Name:** W32.Auto:a8a6d6.in03.Talos

**SHA 256:** f3d5815e844319d78da574e2ec5cd0b9dd0712347622f1122f1cb821bb421f8f  
**MD5:** a2d60b5c01a305af1ac76c95e12fdf4a  
**Typical Filename:** KMSAuto.exe  
**Claimed Product:** N/A  
**Detection Name:** W32.File.MalParent

**SHA 256:** e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934  
**MD5:** 93fefc3e88ffb78abb36365fa5cf857c  
**Typical Filename:** Wextract  
**Claimed Product:** Internet Explorer  
**Detection Name:** PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg

**SHA 256:** 5616b94f1a40b49096e2f8f78d646891b45c649473a5b67b8beddac46ad398e1  
**MD5:** 3e10a74a7613d1cae4b9749d7ec93515  
**Typical Filename:** IMG001.exe  
**Claimed Product:** N/A  
**Detection Name:** Win.Dropper.Coinminer::1201

**SHA 256:** 161937ed1502c491748d055287898dd37af96405aeff48c2500b834f6739e72d  
**MD5:** fd743b55d530e0468805de0e83758fe9  
**Typical Filename:** KMSAuto\_Net.exe  
**Claimed Product:** KMSAuto Net  
**Detection Name:**  W32.File.MalParent

Legislation alone isn’t enough to stop spyware

Cisco Talos has observed a threat actor deploying a previously unidentified botnet program Talos is calling “Horabot,” which delivers a known banking trojan and spam tool onto victim machines in a campaign that has been ongoing since at least November 2020.

New Horabot campaign targets the Americas

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between May 19 and May 26. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key

Threat Roundup for May 19 to May 26

A vulnerability, TALOS-2023-1727 (CVE-2023-1424), exists in the device’s MELSOFT Direct functionality that is triggered if an adversary sends the targeted device a specially crafted network packet.

Friday, May 26, 2023 15:05

Cisco Talos recently discovered a memory corruption vulnerability in the Mitsubishi MELSEC iQ-F FX5U programmable logic controller that is caused by a buffer overflow condition.

The iQ-F FX5U is one offering in Mitsubishi’s MELSEC PLC line of hardware that comes with a built-in processor, power supply, Ethernet and 16 I/O points. Users can configure this PLC to host multiple network services, such as an HTTP Server, FTP Server, FTP Client, MODBUS/TCP interface and other Mitsubishi-specific protocols.

A vulnerability, TALOS-2023-1727 (CVE-2023-1424), exists in the device’s MELSOFT Direct functionality that is triggered if an adversary sends the targeted device a specially crafted network packet.

This buffer overflow condition could lead to a denial-of-service condition within the RTOS task responsible for parsing the MELSOFT Direct protocol, and potentially give the adversary the ability to execute remote code on the targeted device.

Cisco Talos worked with Mitsubishi to ensure this vulnerability is resolved and an update is available for affected customers, all in adherence to Cisco’s vulnerability disclosure policy.

Users are encouraged to update these affected products as soon as possible: Mitsubishi Electric Corp. MELSEC iQ-F FX5U, versions 1.240 and 1.260. Talos tested and confirmed these versions of the controller could be exploited by this vulnerability, however, Mitsubishi also stated in its advisory that versions 1.220 and later are affected.

The following Snort rules will detect exploitation attempts against these vulnerabilities: 61432 and 61433. Additional rules may be released in the future and current rules are subject to change, pending additional vulnerability information. For the most current rule information, please refer to your Cisco Secure Firewall Management Center or Snort.org.

Memory corruption vulnerability in Mitsubishi PLC could lead to DoS, code execution

What are web shells? And why are attackers increasingly using them in their campaigns? We break it down in this blog.

Friday, May 26, 2023 08:05

_Editor's note: The Need to Know is a new series from Talos, which focuses on cybersecurity terms, threats, tools and tactics that are discussed in our broader threat research. Think of this as a living encyclopedia of security terms and trends._

Cisco Talos Incident Response recently released our 2023 Q1 Incident Response Quarterly Trends report. One of the most noteworthy trends was the prolific use of web shells in cyberattacks.

In fact, not only were web shells the most observed threat overall, but they also appeared in almost a quarter of all incidents. That’s a marked increased from our previous trends report (the usage growing from 6% to 25%).

You may be wondering, why is that? Or maybe, what are web shells? And why do attackers use them in their campaigns? Let’s break it down:

**What are web shells?**

A web shell is a tool that bad actors may use to interact with and maintain access to a system, after an initial compromise\[M(1\] . It takes the form of a web script (a piece of code) which is then uploaded to a vulnerable system. Afterwards, it can be used to interact with the underlying operating system.

The complexity of modern systems, especially websites that may include third-party software or libraries (that, in turn, make many outbound connections), means that malicious scripts that threat actors use for initial access, are easily missed.

After that initial access, malicious web scripts can leverage exploitation techniques, or are used to carry out further attacks.

**How are web shells typically used in attacks?**

Attackers will look for vulnerabilities within a system to find the best place (as far as they are concerned) to drop a web shell (or in many cases, multiple shells). Those vulnerabilities might be in a website content management system or an unpatched web server, for example.

The point of this is to establish a foothold to gain persistent access to a system. Imagine you’ve built a secret door that no one else knows about – you have the key, so you can return as often as you like.

Adversaries then have several options in front of them, depending on their ultimate motivation. We’ve seen them remotely execute arbitrary code or commands, as well as move laterally within the network, or deliver additional malicious payloads.

As noted in the Talos Q1 2023 Incident Response report, exploitation of public-facing applications was the top observed initial access technique, with the increased web shell activity likely contributing to this significant observation.

**Notable example: China Chopper**

China Chopper is a web shell that allows attackers to retain access to an infected system using a client side application, which contains all the information required to control the target.

In 2019, due to its significant use over the previous two years (including espionage campaigns), two Talos researchers took a closer look at the China Chopper web shell. They explored several cases studies where China Chopper was used.

**How can you detect web shells?**

A web shell will often leave sticky fingerprints at the scene. An intrusion prevention system such as Snort can help detect if an attacker has used a tool like a web shell to gain remote access.

Cisco Secure Network Analytics can help uncover rogue connections, as can Cisco Umbrella by blocking malicious connections at the DNS level.

Organizations should deploy endpoint detection and response tools such as Cisco Secure Endpoint, which gives users the ability to track process invocation and inspect processes.

**Prevention recommendations**

The increase in web shell engagements highlights the need for more awareness and protections in helping to prevent web shells. Talos provides the following recommendations:

· Routinely update and patch all software and operating systems to identify and remediate vulnerabilities or misconfigurations in web applications and web servers.

· In addition to patching, perform general system hardening, including removing services or protocols where they are unnecessary and being aware of all systems exposed directly to the internet.

· Disable unnecessary php functions in your “php.ini”, such as eval(), exec(), peopen(), proc\_open() and passthru().

· Frequently audit and review logs from web servers for unusual or anomalous activity.

Read the full 2023 Q1 Talos Incident Response Quarterly Trends report\[MOU2\]

What is a web shell?

Steam, the most popular video game storefront on PCs, only recently announced that it was ending support for Windows 7 and 8, and even then, it won’t be official until January.

Thursday, May 25, 2023 14:05

Welcome to this week’s edition of the Threat Source newsletter.

As a longtime macOS user, I must admit I’m behind the times when it comes to Microsoft Windows. Since buying a Steam Deck, I’ve actually come to learn more about Linux and the Proton compatibility layer than I ever did about Windows.

But it still came as a shock to me this week when I uncovered a weird trend on social media: People bragging about still using Windows 7.

Microsoft stopped putting out free security updates for Windows 7 in January 2020 and only more recently stopped offering its paid Extended Security Updates (ESU). The company explicitly told users at the beginning of this year that it was unsafe to continue to keep using Windows 7 and that users should upgrade to Windows 10 or use a new machine that can run Windows 11.

Yet I still found an entire subreddit dedicated to keeping Windows 7 up and running on computers and countless posts promoting how well the 13-year-old operating system runs with modern GPUs and graphics cards.

Steam, the most popular video game storefront on PCs, only recently announced that it was ending support for Windows 7 and 8, and even then, it won’t be official until January. And Roblox, which is quietly one of the biggest video games in the world, only recently ended support for Windows 7 and 8.

I’m sure there are other examples of this among other types of software, but video games are the most specific corner of the internet I’m in, so that’s my frame of reference.

The moral of the story here is that using Windows 7 to do anything, but especially connecting to the internet (which is required to download and play video games) is a terrible idea. Attackers are always targeting outdated operating systems because they’re the most likely to be unpatched and vulnerable.

Running an operating system that is no longer receiving any type of security updates is extremely dangerous. If infected, that single machine could also be used as a springboard for the attacker to target and infect other machines on your network.

Since the start of this year, there have been 47 vulnerabilities discovered in Windows 7, according to the U.S.’s National Institute of Standards and Technology Vulnerability Database. There are even more security issues with third-party software running on Windows 7.

Just because something is old, doesn’t mean that attackers aren’t paying attention anymore. Without official support or security updates for Windows 7, Microsoft is no longer compelled to disclose formal vulnerabilities with CVEs attached to inform users about any security holes in the operating system.

Upgrading a PC or buying a new one is expensive, I get it. But Windows 7 isn’t a novelty anymore, it’s a security risk. If you feel like you absolutely have to keep Windows 7 running on a machine for some reason, make sure it is isolated from your network or just doesn’t connect to the internet at all.

But more preferably, upgrade to Windows 10. If you’re already using Windows 7, it’s free, and likely whatever hardware you’re using can support Windows 10. If you’re starting from scratch, many online stores have deeply discounted product keys for Windows 10 or 11 for $20 or less — just make sure to download the ISO directly from Microsoft still.

**The one big thing**

Montana recently became the first state in the U.S. to ban the app TikTok, though the law still has a long way to go before it can be enforced. The state’s governor signed a bill last week that prohibits mobile application stores from offering the app in the state by the start of 2024, or else they’ll face fines. However, it’s currently unclear if it’s even feasible for Montana to enforce this ban, as app stores don’t geofence certain applications on its stores, and internet service providers are exempt from having to enforce these rules. TikTok has recently become a target for Republican lawmakers over concerns that its Chinese-backed parent company is collecting and using Americans’ data. TikTok and popular TikTok creators in Montana have already sued the state to stop the law.

**Why do I care?**

Even if you are not an active TikTok user, the ban is noteworthy because it has major implications for American law and the enforcement of the First Amendment in the U.S. Opponents of Montana’s bill say it's a clear violation of the First Amendment. The various legal challenges are likely going to shift through the legal system for months, but any eventual decisions could influence how states view banning certain technology or even books and movies.

**So now what?**

There are many questions still unanswered about how this ban will work or whether it will stand. So for now, interested parties can’t do much but sit back and wait for the legal proceedings to play out.

**Top security headlines of the week**

Apple released a security update for many of its devices last week that **fixed three zero-day vulnerabilities in the WebKit browser engine.** A few days after the patches initially dropped, security researchers also discovered the updates addressed a different vulnerability known as “ColdInvite” (CVE-2023-27930). An attacker could exploit ColdInvite to attack a co-processor chip on iPhones and escape its isolation environment, eventually accessing the iPhone’s kernel. The three WebKit vulnerabilities affect some iPhones and iPads. CVE-2023-28204, CVE-2023-32373 and CVE-2023-32409 could be exploited to escape the Web Content sandbox. Google’s Threat Analysis Group and Amnesty International co-reported CVE-2023-32409, which led many security experts to speculate means attackers exploited this issue to spread spyware. (SecurityWeek, Forbes)

**Two popular Android set-top TV boxes sold on Amazon are preloaded with malware** that quietly generates revenue for the manufacturers in the background. The devices click on ads while running without the user knowing and connect to a global botnet of other infected Android devices around the globe. Despite the reported security issues, the devices were still for sale on Amazon as of earlier this week. However, the security researcher who discovered this botnet worked with the internet company hosting the command and control servers that sent directions to devices part of the botnet to take those servers down. However, that doesn’t mean the botnet or ad-click malware could never come back — the easiest solution for users is to replace the devices immediately. (TechCrunch, ArsTechnica)

Security researchers are concerned that **two new top-level domains from Google — .zip and .mov — will cause confusion among users and potentially open the door for scammers.** Because these new TLDs (like .com, .gov, .uk, etc.) are the same as popular file extensions, adversaries could disguise legitimate-looking file names and actually send people to a malicious web address without the user knowing that it could even be a web page. They could also be used to create legitimate-looking URLs that match that of a real website but just add one character in a long string, eventually pointing people to a malicious file or site. However, Google says it's actively monitoring for domain abuse. (Wired, Ars Technica)

**Can’t get enough Talos?**

*   Highlights of Talos IR On Air: Reviewing Q1's top threats
*   Beers with Talos Ep. #135: The XDR Files
*   Talos Takes Ep. #139: RA Group is just the latest example of the ransomware landscape splintering

*   Beers with Talos Ep. #136: Oh hello, “Susan”

**Upcoming events where you can find Talos**

**Cisco Live U.S. (June 4 - 8)**

Las Vegas, NV

**Discover Cyber Workshop for Women** **(June 8)**

Doha, Qatar

**REcon (June 9 - 11)**

Montreal, Canada

**Most prevalent malware files from Talos telemetry over the past week**

  
**SHA 256:** 856777e16c153722ebd3f389197d4b6482f8afb2e51345e1ab19760c486c3f78  
**MD5:** c720ac483a5752c2b69945a8ad673162  
**Typical Filename:** DOC001.exe  
**Claimed Product:** N/A  
**Detection Name:** DeepScan:Generic.BitcoinMiner.9.88FBC400

**SHA 256:** e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934  
**MD5:** 93fefc3e88ffb78abb36365fa5cf857c  
**Typical Filename:** Wextract  
**Claimed Product:** Internet Explorer  
**Detection Name:** PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg

**SHA 256:** 5616b94f1a40b49096e2f8f78d646891b45c649473a5b67b8beddac46ad398e1  
**MD5:** 3e10a74a7613d1cae4b9749d7ec93515  
**Typical Filename:** IMG001.exe  
**Claimed Product:** N/A  
**Detection Name:** Win.Dropper.Coinminer::1201

**SHA 256:** 00ab15b194cc1fc8e48e849ca9717c0700ef7ce2265511276f7015d7037d8725  
**MD5:** d47fa115154927113b05bd3c8a308201  
**Typical Filename:** mssqlsrv.exe  
**Claimed Product:** N/A  
**Detection Name:** Trojan.GenericKD.65065311

**SHA 256:** e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c  
**MD5:** a087b2e6ec57b08c0d0750c60f96a74c  
**Typical Filename:** AAct.exe  
**Claimed Product:** N/A  
**Detection Name:** PUA.Win.Tool.Kmsauto::1201

It’s apparently hip to still be using Windows 7

Commercial spyware use is on the rise, with actors leveraging these sophisticated tools to conduct surveillance operations against a growing number of targets. Cisco Talos has new details of a commercial spyware product sold by the spyware firm Intellexa (formerly known as Cytrox).