Learn more about the framework Talos IR uses to conduct proactive threat hunts, and how we can help you stay one step ahead of emerging threats.

Tuesday, May 6, 2025 06:00

At Cisco Talos, we understand that effective cybersecurity isn’t just about responding to incidents — it’s about preventing them from happening in the first place. One of the most powerful ways we do this is through proactive threat hunting. Our Talos Incident Response (Talos IR) team works closely with organizations to not only address existing threats but to anticipate and mitigate potential future risks. A key component of our threat-hunting approach is the Splunk SURGe team’s PEAK Threat Hunting Framework, which enables us to conduct comprehensive and proactive hunts with precision.

**What is the PEAK Threat Hunting Framework?**

The PEAK Framework (Prepare, Execute, and Act with Knowledge) offers a structured methodology for conducting effective and focused threat hunts. It ensures that every hunt is aligned with an organization's specific needs and threat landscape. At the core of the PEAK framework are baseline hunts, which lay the foundation for proactive threat detection, alongside advanced techniques such as hypothesis-driven hunts and model-assisted threat hunts (M-ATH), which further enhance threat detection and mitigation.

**Baseline hunts: the foundation of proactive threat hunting**

Baseline hunts involve establishing a clear understanding of an organization’s normal operating environment in terms of user activity, network traffic and system processes. By documenting and analyzing this baseline, Talos IR can identify anomalous behavior that may signal malicious activity.

While these hunts can be a reactive measure, it's important to use them proactively to detect threats trying to blend in with regular operations, such as insider threats, advanced persistent threats (APTs) and even novel attack techniques that might otherwise go undetected.

The key steps in baseline hunts are:

1.  Defining Normal Activity: Understanding what “normal” looks like in your environment, using data from system logs, user behavior, and network traffic.
2.  Anomaly Detection: Proactively hunting for deviations from the baseline that could indicate potential threats.
3.  Refining the Baseline: Continuously improving and updating the baseline to account for emerging threats and changes in your infrastructure.

**Hypothesis-driven hunts: Testing assumptions about threats**

In addition to baseline hunts, Talos IR also uses hypothesis-driven hunts to proactively test assumptions about potential threats. These hunts are guided by specific hypotheses or educated guesses about what attackers might be doing in a given environment. Rather than relying on a static, one-size-fits-all approach without adjustments, hypothesis-driven hunts are dynamic, adapting to the specific questions and emerging threats that arise.

For example, a hypothesis-driven hunt might begin with the assumption that a particular group of users is being targeted by a phishing campaign. The hunt would focus on testing this assumption by looking for evidence of malicious emails, unusual login patterns or attempts to collect or exfiltrate data.

The key steps in hypothesis-driven hunts are:

1.  Forming Hypotheses: Based on threat intelligence and past incidents, teams generate specific hypotheses about possible attack vectors or adversary behaviors.
2.  Testing Hypotheses: Using data sources such as endpoint telemetry, authentication logs or network traffic, the hypothesis is tested to see if evidence supports the theory.
3.  Analyzing Results: If the hypothesis is validated, further investigation is done to understand the full scope of the potential threat.

**Model-assisted threat hunts: Leveraging machine learning to find hidden threats**

Another powerful tool in Talos IR’s proactive hunting approach is model-assisted threat hunts (M-ATHs). These hunts leverage machine learning and advanced statistical models to sift through vast amounts of data and identify patterns that may indicate hidden threats. M-ATHs allow our team to detect threats that would be difficult to find using traditional methods.

Machine learning models are trained to detect suspicious behavior across different domains — such as user activity, network traffic or system logs — by looking for deviations from typical patterns. Over time, as these models learn from new data and threat intelligence, they improve in their ability to detect emerging threats.

The key steps in M-ATHs are:

1.  Data Collection: Gathering large datasets from multiple sources, including network traffic, endpoint data, authentication logs, and more.
2.  Model Training: Using machine learning algorithms to identify patterns in normal and malicious behavior.
3.  Anomaly Detection: The trained model helps identify new, previously undetected anomalies or potential threats by looking for deviations from established patterns.
4.  Refinement: The model is refined as new data is collected and analyzed, improving its ability to detect subtle threats.

**Empowering threat hunts with Talos Threat Intelligence**

A crucial element that enriches and empowers every Talos IR threat hunt is Talos Threat Intelligence. By integrating up-to-date, high-fidelity threat intelligence into our hunts, we enhance the accuracy, relevance, and speed of our investigations. Talos Threat Intelligence provides a continuous stream of data on emerging threats, attack trends and adversary tactics, which helps us refine hypotheses, adjust baselines and improve our machine learning models.

This intelligence is not just a complement to our hunting process; it is embedded in every stage. It helps guide our hypothesis-driven hunts, sharpens our baseline detections and feeds into the models we use for anomaly detection. With Talos Threat Intelligence, we ensure that every hunt is aligned with the latest threat landscape, empowering your team with the knowledge needed to stay one step ahead of attackers.

**Proactive engagements for IR Retainer customers**

For Talos IR Retainer customers, baseline hunts, hypothesis-driven hunts, and model-assisted threat hunts provide a valuable layer of ongoing, proactive support. These hunts help organizations detect and mitigate threats before they escalate into full-blown incidents. Our expert hunters work directly with your teams, ensuring that you stay ahead of evolving threats.

Some key benefits of these proactive engagements include:

*   Early Detection: Identifying abnormal activities that could signal a breach or malicious action, reducing the risk of an attack spreading.
*   Continuous Improvement: As we refine the baseline and hunting models, your security posture improves over time, allowing for faster and more accurate threat detection.
*   Actionable Insights: Proactive hunts deliver actionable intelligence that helps your teams strengthen their defenses, based on the latest threat trends and attack methods.

**Why it matters**

The cybersecurity landscape is constantly evolving, and traditional defensive methods alone are no longer sufficient. Threat actors are adept at blending malicious activity with normal operations, making it difficult to spot attacks using conventional means. By conducting baseline hunts, hypothesis-driven hunts and model-assisted threat hunts, Talos IR gives your organization the tools it needs to stay ahead of adversaries.

As new evidence is uncovered during a hunt, our team adapts and refines the investigation in real time — evolving the hypothesis, adjusting the scope or pivoting to new areas of focus based on what the data reveals.

If an active threat, adversary or malicious activity is detected during a hunt, Talos IR can dynamically pivot the engagement and escalate the situation to our 24/7 on-call Incident Response team. This ensures rapid response for containment, mitigation and eradication, effectively minimizing the potential impact of the threat.

Our Talos IR team collaborates seamlessly with the hunting team to deliver real-time support in identifying, isolating and neutralizing active threats. This integrated approach ensures your systems remain secure and prevents the threat from escalating further.

At Talos, our goal is to empower your team with the knowledge and tools to detect threats proactively, before they turn into incidents. Through our IR Retainer services, we provide continuous support to help you improve your security posture and stay one step ahead of emerging threats, all while leveraging the full power of Talos Threat Intelligence.

For more information about this service, download our At-a-Glance:

Proactive threat hunting with Talos IR

This week on the Lock and Code podcast, we speak with Emanuel Maiberg and Jason Koebler about Overwatch, an AI chatbot tool sold to US police.

_This week on the Lock and Code podcast_…

“Heidi” is a 36-year-old, San Francisco-born, divorced activist who is lonely, outspoken, and active on social media. “Jason” is a shy, bilingual teenager whose parents immigrated from Ecuador who likes anime, gaming, comic books, and hiking.

Neither of them is real. Both are supposed to fight crime.

Heidi and Jason are examples of “AI personas” that are being pitched by the company Massive Blue for its lead product, Overwatch. Already in use at police departments across the United States, Overwatch can allegedly help with the identification, investigation, and arrest of criminal suspects.

Understanding exactly how the technology works, however, is difficult—both Massive Blue and the police departments that have paid Massive Blue have remained rather secretive about Overwatch’s inner workings. But, according to an investigation last month by 404 Media, Overwatch is a mix of a few currently available technologies packaged into one software suite. Overwatch can scan social media sites for alleged criminal activity, and it can deploy “AI personas”—which have their own social media accounts and AI-generated profile pictures—to gather intelligence by chatting online with suspected criminals.

According to an Overwatch marketing deck obtained by 404 Media, the software’s AI personas are “highly customizable and immediately deployable across all digital channels” and can take on the personalities of escorts, money launderers, sextortionists, and college protesters (who, in real life, engage in activity protected by the First Amendment).

Despite the variety of applications, 404 Media revealed that Overwatch has sparked interest from police departments investigating immigration and human trafficking. But the success rate, so far, is non-existent: Overwatch has reportedly not been used in the arrest of a single criminal suspect.

Today, on the Lock and Code podcast with host David Ruiz, we speak with 404 Media journalists and co-founders Emanuel Maiberg and Jason Koebler about Overwatch’s capabilities, why police departments are attracted to the technology, and why the murkiness around human trafficking may actually invite unproven solutions like AI chatbots.

 ”Nobody is going to buy that—that if you throw an AI chatbot into the mix, that’s somehow going to reduce gun crime in Americ,” Maiberg said. “But if you apply it to human trafficking, maybe somebody is willing to entertain that because, well, what is the actual problem with human trafficking? Where is it actually happening? Who is getting hurt by it? Who is actually committing it?”

He continued:

> “Maybe there you’re willing to entertain a high tech science fiction solution.”

Tune in today to listen to the full conversation.

**Listen up—Malwarebytes doesn’t just talk cybersecurity, we provide it.**

Protect yourself from online attacks that threaten your identity, your files, your system, and your financial well-being with our exclusive offer for Malwarebytes Premium for Lock and Code listeners.

 The AI chatbot cop squad is here (Lock and Code S06E09) 

Joe talks about how helping the helpers can put a fire in you and the importance of keeping nonprofits cybersecure.

Thursday, May 1, 2025 14:01

Welcome to this week’s edition of the Threat Source newsletter. 

Recently, I was invited to sit on a panel at the CIO4Good Conference here in Washington D.C., where I talked about incident response and cyber preparedness to a room full of CIOs who help lead wonderful missions to help others. I’m incredibly fortunate to be able to volunteer for the NGO community. I’ve been involved with them for a few years now, and it has been a singular experience.  

I sit in a uniquely blessed situation. Cisco Talos is resourced to help protect our customers — we have expertise, tooling and a huge array of diverse security skillsets. A humanitarian assistance or non-governmental organization (NGO) usually has none or very few of these luxuries. If I can take some of my time and experience here at Talos and help others who provide housing to the homeless, protect refugees or feed the hungry, damn right I’m gonna do it. And NGOs? They really need help.  

In today’s global humanitarian funding climate, money and grants are very scarce to come by_._ This means the competition for the dollars that remain is fierce, and that things like cybersecurity can fall by the wayside. But security in an NGO is incredibly important. We're talking about incredibly vulnerable and marginalized people who deserve aid, and the amazing volunteers who should have privacy without malicious interference. 

The hard truth is that cybersecurity can be a bleak space. We as professionals do not operate in the “good news” business. We work, and thrive, in adversarial conditions — actively searching for what the bad guys are doing and learning how they are coming after the good guys. They’re launching ransomware. They are extorting and causing real harm to others. This is day in and day out, and it can wear you down mentally. You have to endure and focus on the mission. After all, that’s the gig. 

This is why I enjoy volunteering by either giving some of my time and expertise to a mentee or to an NGO that has an outstanding mission to help others. It puts fuel in your soul and reminds you that others are fighting their own good fights. These organizations are some of the best. They have a thankless, often dangerous, mission to help others have better lives. The way I see it, volunteering is the least I could do. 

If you want to join me, there are some places that could use your help. Check out the Cyber Peace Institute, or Defcon Project Franklin.

**The one big thing **

This week is bittersweet because we’re discussing the final section of Talos' 2024 Year in Review report. Let’s jump into the abyss of AI-based threats together. 

**Why do I care? **

AI may not have upended the threat landscape last year, but it’s setting the stage for 2025, where agentic AI and automated vulnerability discovery could pose serious challenges for defenders. The future may bring:

1.  The use of agentic AI to conduct multi-stage attacks or find creative ways to access restricted systems 
2.  Improved personalization and professionalization of social engineering 
3.  Automated vulnerability discovery and exploitation 
4.  Capabilities to compromise AI models, systems and infrastructure that organizations around the world are building 

**So now what? **

Continue to stay informed and alert, and for more information, read Talos’ blog post about these threats or download the full Year in Review.

**Top security headlines of the week **

**AirPlay Vulnerabilities Expose Apple Devices to Zero-Click Takeover.** The identified security defects, 23 in total, could be exploited over wireless networks and peer–to-peer connections, leading to the complete compromise of not only Apple products, but also third-party devices that use the AirPlay SDK. (SecurityWeek) 

**4 Million Affected by VeriSource Data Breach.** VeriSource says the stolen information belonged to employees and dependents of companies using its services. It has been working with its customers to “collect the necessary information to notify additional individuals affected by this incident.” (SecurityWeek) 

**SAP NetWeaver Visual Composer Flaw Under Active Exploitation.** CVE-2025-31324 is a critical vulnerability with a maximum CVSS score of 10 that affects all SAP NetWeaver 7.xx versions. It allows unauthenticated remote attackers to upload arbitrary files to Internet exposed systems without any restrictions. (DarkReading) 

**FBI shares massive list of 42,000 LabHost phishing domains.** The FBI has shared 42,000 phishing domains tied to the LabHost cybercrime platform, one of the largest global phishing-as-a-service (PhaaS) platforms that was dismantled in April 2024. (BleepingComputer)

**Can’t get enough Talos? **

State-of-the-art phishing: MFA bypass. Cybercriminals are bypassing multi-factor authentication (MFA) using adversary-in-the-middle (AiTM) attacks via reverse proxies, intercepting credentials and authentication cookies.

IR Trends Q1 2025: Phishing soars as identity-based attacks persist. This quarter, phishing attacks surged as the primary method for initial access. Learn how you can detect and prevent pre-ransomware attacks.

TTP Episode 11. Craig, Bill and Hazel discuss three of the biggest callouts from Cisco Talos' latest Incident Response Quarterly Trends.

Talos Takes: Identity and MFA. Hazel and friends discuss how AI isn't rewriting the cybercrime playbook, but it is turbo charging some of the old tricks, particularly on the social engineering side.

**Upcoming events where you can find Talos **

*   PIVOTcon (May 7 – 9) Malaga, Spain 
*   CTA TIPS 2025 (May 14 – 15)  Arlington, VA 
*   Cisco Connect UK & Ireland (May 20) London, UK 
*   BotConf (May 20 – 23) Angers, France 
*   Cisco Live U.S. (June 8 – 12) San Diego, CA

**Most prevalent malware files from Talos telemetry over the past week **

**SHA256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507**    
MD5: 2915b3f8b703eb744fc54c81f4a9c67f    
VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507/    
Typical Filename: VID001.exe   
Detection Name: Win.Worm.Bitmin-9847045-0 

**SHA256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91**    
MD5: 7bdbd180c081fa63ca94f9c22c457376    
VirusTotal: https://www.virustotal.com/gui/file/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91    
Typical Filename: img001.exe   
Detection Name: Simple\_Custom\_Detection 

**SHA256: 47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca**    
MD5: 71fea034b422e4a17ebb06022532fdde    
VirusTotal: https://www.virustotal.com/gui/file/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91    
Typical Filename: VID001.exe    
Detection Name: Coinminer:MBT.26mw.in14.Talos

Understanding the challenges of securing an NGO

Threat actors are bypassing MFA with adversary-in-the-middle attacks via reverse proxies. Phishing-as-a-Service tools like Evilproxy make these threats harder to detect.

Thursday, May 1, 2025 06:00

*   Cybercriminals are bypassing multi-factor authentication (MFA) using adversary-in-the-middle (AiTM) attacks via reverse proxies, intercepting credentials and authentication cookies. 
*   The developers behind Phishing-as-a-Service (PhaaS) kits like Tycoon 2FA and Evilproxy have added features to make them easier to use and harder to detect.
*   WebAuthn, a passwordless MFA solution using public key cryptography, prevents password transmission and nullifies server-side authentication databases, offering a robust defense against MFA bypass attacks. 
*   Despite its strong security benefits, WebAuthn has seen slow adoption. Cisco Talos recommends that organizations reassess their current MFA strategies in light of these evolving phishing threats.  

For the past thirty years, phishing has been a staple in many cybercriminals' arsenals. All cybersecurity professionals are familiar with phishing attacks: Criminals impersonate a trusted site in an attempt to social engineer victims into divulging personal or private information such as account usernames and passwords. In the early days of phishing, it was often enough for cybercriminals to create fake landing pages matching the official site, harvest authentication credentials and use them to access victims’ accounts.  

Since that time, network defenders have endeavored to prevent these types of attacks using a variety of techniques. Besides implementing strong anti-spam systems to filter phishing emails out of users’ inboxes, many organizations also conduct simulated phishing attacks on their own users to train them to recognize phishing emails. These techniques worked for a time, but as phishing attacks have become more sophisticated and more targeted, spam filters and user training have become less effective. 

At the root of this problem is the fact that usernames are often easy to guess or discover, and people are generally

very bad at using strong passwords

. People also tend to re-use the same weak passwords across many different sites. Cybercriminals, armed with a victim’s username and password, will often attempt credential stuffing attacks, and log into many different sites using the same username/password combination. 

To prove that users are valid, authentication systems generally rely on at least one of three authentication methods or factors: 

*   Something you **know** (_ex. a username and password_) 
*   Something you **have** (_ex. a smartphone or USB key_) 
*   Something you **are** (_ex. your fingerprint or face recognition_) 

In the presence of increasingly sophisticated phishing messages, using only one authentication factor, such as a username/password, is problematic. Many network defenders have responded by implementing MFA, which includes an additional factor, such as an SMS message or push notification, as an extra step to confirm a user’s identity when logging in. By including an additional factor in the authentication process, compromised usernames and passwords become much less valuable to cybercriminals. However, cybercriminals are a creative bunch, and they have devised a clever way around MFA. Enter the wild world of MFA bypass! 

**How do attackers bypass MFA? **

In order to bypass MFA, attackers insert themselves into the authentication process using an adversary-in-the-middle (AiTM) attack. 

Typically, this is done using a reverse proxy. A reverse proxy functions as an intermediary server, accepting requests from the client before forwarding them on to the actual web servers to which the client wishes to connect.  

To bypass MFA the attacker sets up a reverse proxy and sends out phishing messages as normal. When the victim connects to the attacker’s reverse proxy, the attacker forwards the victim’s traffic onwards to the real site. From the perspective of the victim, the site they have connected to looks authentic — and it is! The victim is interacting with the legitimate website. The only difference perceptible to the victim is the location of the site in the web browser’s address bar.  

By inserting themselves in the middle of this client-server communication the attacker is able to intercept the username and password as it is sent from the victim to the legitimate site. This completes the first stage of the attack and triggers an MFA request sent back to the victim from the legitimate site. When the expected MFA request is received and approved, an authentication cookie is returned to the victim through the attacker’s proxy server where it is intercepted by the attacker. The attacker now possesses both the victim’s username/password as well as an authentication cookie from the legitimate site.

__Figure 1. Flow diagram illustrating MFA bypass using a reverse proxy.__

**Phishing-as-a-Service (PhaaS) kits **

Thanks to turnkey Phishing-as-a-Service (Phaas) toolkits, almost anyone can conduct these types of phishing attacks without knowing much about what is happening under the hood. Toolkits such as Tycoon 2FA, Rockstar 2FA, Evilproxy, Greatness, Mamba 2FA and more have emerged in this space. Over time the developers behind some of these kits have added features to make them easier to use and harder to detect:

*   Phaas MFA bypass kits typically include templates for the most popular phishing targets to aid cybercriminals in the task of setting up their phishing campaigns. 
*   MFA bypass kits limit access to the phishing links to only users who possess the correct phishing URL and redirect other visitors to benign webpages.  
*   MFA bypass kits often check the IP address and/or User-Agent header of the visitor, preventing access if the IP address corresponds to a known security company/crawler or if the User-Agent indicates that it is a bot. User-Agent filters may also be used to further target the phishing attacks towards users running specific hardware/software. 
*   Reverse proxy MFA bypass kits typically inject their own JavaScript code into the pages they serve to victims to gather additional information about the visitor, and handle redirects after the authentication cookie has been stolen. These scripts are often dynamically obfuscated to prevent static fingerprinting that would allow security vendors to identify the MFA bypass attack sites. 
*   To thwart anti-phishing defenses which may automatically visit URLs contained in an email at the time it is received, there may be a short, programmable delay between when the phishing message is sent and when the phishing lure URL is activated. 

__Figure 2. An example phishing message associated with the Tycoon 2FA phishing toolkit.__

Accelerating the rise in MFA bypass attacks via reverse proxy are publicly available open-source tools, such as Evilginx. Evilginx debuted in 2017 as a modified version of the popular open-source web server nginx. Over time, the application was redesigned and rewritten in Go and implements its own HTTP and DNS server. Although it is marketed as a tool for red teams' penetration testing needs, because it is open source, anyone can download and modify it. 

Fortunately for defenders, there are characteristics common to Evilginx deployments, as well as other AiTM MFA bypass toolkits, that can provide clues an MFA bypass attack may be in progress: 

*   Many MFA bypass reverse proxy servers are hosted on relatively newly registered domains/certificates.  
*   Capturing an authentication cookie only gives attackers access to the victim’s account for that single session. Once they have access to a victim’s account, many attackers add additional MFA devices to the account to maintain persistence. By auditing MFA logs for this kind of activity, defenders may find accounts that have fallen victim to MFA bypass attacks. 
*   By default, Evilginx phishing lure URLs have a URL path consisting of 8 mixed case letters. 
*   By default, Evilginx uses HTTP certificates obtained from LetsEncrypt. Additionally, the certificates it creates by default have an Organization set to "Evilginx Signature Trust Co.", and a CommonName set to "Evilginx Super-Evil Root CA". 
*   After a session authentication cookie has been intercepted by the attacker, they will typically load this cookie into their own browser to impersonate the victim. Unless the attacker is careful, for a time, there will be two different users with different User-Agents and IP addresses using the same session cookie. This may be discoverable through web logs or security products that look for things like “impossible travel”. 
*   To avoid the victim clicking a link that redirects them away from the phishing site, the Evilginx reverse proxy rewrites URLs contained in the HTML from the legitimate site. Popular phishing targets may utilize very specific URL paths, and network defenders can look for these URL paths being served from servers other than the legitimate site.  
*   Many MFA bypass reverse proxy implementations are written using Transport Layer Security (TLS) implementations that are native to that programming language. Thus, the TLS fingerprint of the reverse proxy and the legitimate website will be different.  

**WebAuthn to the rescue? **

FIDO (Fast IDentity Online) Alliance and W3C  created WebAuthn (Web Authentication API) — a specification that enables MFA based on public key cryptography. WebAuthn is essentially passwordless. When a user registers for MFA using WebAuthn, a cryptographic keypair is generated. The private key is kept on the user’s device, and the corresponding public key is kept on the server.  

When a client wants to log in, they indicate this to the server who responds with a challenge. The client then signs this data and returns it to the server. The server can verify the challenge was signed using the user’s private key. No passwords are ever entered into a web form, and no passwords are transmitted over the internet. This also has the side effect of making server-side authentication databases useless to attackers. What good will stealing a public key do? 

__Figure 3. The WebAuthn authentication process.__

As an extra layer of security, WebAuthn credentials are also bound to the website origin where they will be used. For example, suppose a user clicks a link in a phishing message and navigates to an attacker-controlled reverse proxy at mfabypass.com, which is impersonating the user’s bank. The location in the web browser’s address bar will not match the location of the bank to which the credentials are bound, and the WebAuthn MFA authentication process will fail. Binding credentials to a specific origin also eliminates related identity-based attacks such as credential stuffing, where attackers try to reuse the same credentials at multiple sites. 

Although the WebAuthn specification was first published back in 2019, it has experienced relatively slow adoption. Based on authentication telemetry data from Cisco Duo for the past six months, it appears that WebAuthn MFA authentications still make up a very low percentage of all MFA authentications.  

To a certain degree, this is understandable. Many organizations may have already rolled out other types of MFA and may feel like that is enough protection. However, they may want to rethink their approach as more and more phishing attacks implement MFA bypass strategies.  

**Coverage**

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Applianceand Meraki MX can detect malicious activity associated with this threat.

Cisco Secure Network/Cloud Analytics (Stealthwatch/Stealthwatch Cloud) analyzes network traffic automatically and alerts users of potentially unwanted activity on every connected device.

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.

Cisco Secure Access is a modern cloud-delivered Security Service Edge (SSE) built on Zero Trust principles.  Secure Access provides seamless transparent and secure access to the internet, cloud services or private application no matter where your users work.  Please contact your Cisco account representative or authorized partner if you are interested in a free trial of Cisco Secure Access.

Umbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. 

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them. 

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.

State-of-the-art phishing: MFA bypass

San Francisco, United States, 29th April 2025, CyberNewsWire

**San Francisco, United States, April 29th, 2025, CyberNewsWire**

**By fusing agentic AI and contextual threat intelligence, SecAI transforms investigation from a bottleneck into a force multiplier.**

SecAI, an AI-enriched threat intelligence company, made its official debut today at RSA Conference 2025 in San Francisco, marking the company’s first public appearance on the global cybersecurity stage. At the event, the SecAI team is showcasing the latest version of its platform to security professionals from around the world.

The updated **SecAI Investigator** platform is purpose-built to solve one of cybersecurity’s most stubborn challenges: efficient threat investigation. It tackles this by combining two key innovations. First, it delivers curated, high-fidelity threat intelligence, which includes clear verdicts, multi-dimensional labels, and rich context like historical attack behavior through a unified interface. Second, it’s designed from the ground up with an AI-native architecture. The platform leverages advanced AI techniques not only for natural language interaction, but for deep information integration, contextual security reasoning, and suggest remediation options. 

SecAI Booth At RSA Conference 2025, N-6570

> “We believe the future of cybersecurity lies in intelligent systems that can think and adapt like seasoned analysts,” said **Chase Lee, Managing Director at SecAI**. “Threat investigation has remained one of the most human-intensive parts of the SOC, but it doesn’t have to be. By combining deep threat intelligence with agentic AI, we’re not just accelerating investigations—we’re reshaping what’s possible in cyber defense. This is about giving security teams superhuman capabilities to meet the scale and speed of modern threats.”

In the security operations lifecycle—typically divided into detection, investigation, and response—automation has advanced detection and response dramatically over the past decade. But investigation remains a critical bottlenecks, often consuming over 70% of analysts’ time. SecAI believes that effective investigation depends on two essential capabilities: accurately gathering and organizing relevant information, and making sound, timely judgments. The main blockers today are:

*   A lack of timely, comprehensive threat intelligence
*   Ineffective methods for connecting data points to practical workflows

SecAI Investigator addresses both. By streamlining the investigation process, the platform enables analysts to rapidly evaluate the nature and relevance of IPs, domains, and threat actors, dive deep into logs and alerts, and make faster, more confident decisions.

Looking ahead, SecAI plans to roll out API and threat intelligence feed integrations, allowing customers to embed SecAI’s contextual threat intelligence directly into their existing systems and workflows. This will enable real-time enrichment, faster responses, and more scalable intelligence-driven operations across teams.

Users can visit SecAI Investigator to explore the platform or connect with the SecAI team at RSA Conference 2025 at Booth 6570 for live demos and early access.

**About SecAI**

SecAI is an AI-native cybersecurity company specializing in threat detection, investigation, and response. By deeply analyzing adversary tactics, techniques, and procedures (TTPs) and fusing advanced generative AI with rich, contextual threat intelligence, SecAI delivers smarter, faster, and more effective solutions for modern security teams. The team’s mission is to transform cybersecurity operations by empowering analysts with intelligent systems that scale expertise and accelerate decision-making.

**Contact**

**PR Manager**  
**Nicholas Tan**  
**SecAI**  
**\[email protected\]**

SecAI Debuts at RSA 2025, Redefining Threat Investigation with AI

2024 wasn't the year that AI rewrote the cybercrime playbook — but it did turbocharge some of the old tricks. Read this summary of AI-based threats, from Talos' 2024 Year in Review.

Tuesday, April 29, 2025 05:47

2024 wasn't the year that AI rewrote the cybercrime playbook — but it did turbocharge some of the old tricks. In Cisco Talos' 2024 Year in Review, with the help of our friends at Robust Intelligence (now a Cisco company), we dissect how cybercriminals used generative AI to scale up social engineering, fine-tune phishing, and automate grunt work like OSINT gathering.

So while AI didn't completely rock the threat landscape last year, the groundwork is being laid for 2025, where agentic AI and automated vulnerability hunting could cause some significant challenges for defenders. Our research showcases the top four areas of concern for the coming year.

Curious about how AI could impact your defenses — or your data — this year? Take a look at this summary of AI-based threats:

Need a 60 second summary? Take a look at this video:

Download Talos' 2024 Year in Review.

Also check out Cisco's State of AI Security report.

Year in Review: AI based threats

This quarter, phishing attacks surged as the primary method for initial access. Learn how you can detect and prevent pre-ransomware attacks.

Monday, April 28, 2025 06:00

Phishing attacks spiked this quarter as threat actors leveraged this method of initial access in half of all engagements, a vast increase from previous quarters. Conversely, the use of valid accounts for initial access was rarely seen this quarter, despite being the top observed method in 2024, according to our Year in Review report. Nevertheless, valid accounts played a prominent role in the attack chains Cisco Talos Incident Response (Talos IR) observed as actors predominately used phishing to gain access to a user account, then leveraged this access to establish persistence in targeted networks.

Ransomware and pre-ransomware incidents made up a slightly larger portion of threats observed this quarter, with most incidents falling into the latter category. Talos IR’s investigations into pre-ransomware events provided unique insight into defensive measures that successfully stopped these attacks before a ransomware executable could be deployed, including early engagement with the incident response team and robust monitoring of certain threat actor tactics, techniques and procedures (TTPs).

Watch a discussion on the biggest trends on this latest report

**Actors leverage access to valid accounts via phishing to establish persistence**

Threat actors used phishing to achieve initial access in 50 percent of engagements, a notable increase from less than 10 percent last quarter. Vishing was the most common type of phishing attack seen, accounting for over 60 percent of all phishing engagements, though we also observed malicious attachment, malicious link and business email compromise (BEC) attacks.

Adversaries predominately leveraged phishing to gain access to a valid account, pivot deeper into the targeted network, and expand their foothold, contrasting other phishing objectives we have seen in the past such as eliciting sensitive information or monetary transfers. For example, in an observed vishing campaign — described in further detail in the ransomware section below — adversaries deceived users over the phone into establishing remote access sessions to the user’s workstation, then used this access to load tooling, establish persistence mechanisms and disable endpoint protections.

In some engagements, actors leveraged phishing attacks to steal users’ legitimate access tokens, enabling them to maintain persistent access to the targeted networks. In one engagement, adversaries deployed a phishing email with a malicious link to successfully steal a user’s multi-factor authentication (MFA) session token along with their credentials. From there, the actors gained unauthorized access to the target’s Microsoft Office 365 environment and deployed enterprise applications with the likely goal of gaining further access into additional accounts. In another phishing engagement, upon gaining access to a user’s valid account, the actors cloned their active access token and specified new credentials for outbound connections. They then sought to expand their access by running commands to gather system information and creating a scheduled task to execute a malicious JavaScript file upon user login.

**Ransomware trends****Vishing campaign leveraging BlackBasta and Cactus TTPs hits manufacturing and construction organizations **

Ransomware and pre-ransomware incidents made up over 50 percent of engagements this quarter, an increase from nearly 30 last quarter. A robust campaign leveraging BlackBasta and Cactus TTPs that targeted manufacturing and construction organizations accounted for over 60 percent of pre-ransomware and ransomware engagements and was consistent with public reporting on likely related incidents.  

The attack chain we observed begins with the threat actors flooding users’ mailboxes at targeted organizations with a large volume of benign spam emails. After a few days, the actors call the victim, usually via Microsoft Teams, and direct them to initiate a Microsoft Quick Assist remote access session, helping them with installation of the program if not already present on the user’s system. Once a Quick Assist session is established, the adversary loads tooling to collect information about the target system and establish persistence. The actors create the TitanPlus registry key and embed IP addresses to enable command and control (C2) communication, using character substitution to obfuscate the infrastructure. After completing the TitanPlus registry key persistence process, the adversary then performs subsequent privilege escalation and lateral movement, seemingly with the ultimate goal of deploying ransomware. We initially observed the threat actors leveraging BlackBasta ransomware and pivoting to Cactus ransomware after public reporting on their use of the former was released. Our analysis of engagements involving Cactus led us to identify a previously undocumented variant of the ransomware, which builds upon previous functionality with new command-line arguments that provide the threat actors with greater control over the binary's function, likely to prioritize efficiency and maximum impact.

**Looking forward:** The threat actors responsible for this campaign have proven to be agile, modifying their TTPs as more public reporting on this campaign emerges, which leads us to assess they will continue to adjust their TTPs and/or incorporate a different ransomware family or tooling into their attack chain moving forward to evade detection. We published our findings on this campaign in our Year in Review report in late March 2025 and will be tracking this activity to see if the threat actors modify their operations moving forward.

**Early detection of pre-ransomware TTPs halts attacks before encryption**

Out of all ransomware and pre-ransomware engagements this quarter, 75 percent of incidents fell into the latter category, providing insight into defensive measures that successfully stopped these attacks before a ransomware executable could be deployed.

One tactic that proved effective was early engagement with the incident response team. For example, in one engagement, Talos IR was contacted directly after the organization’s users experienced a flood of spam email. Given this TTP was consistent with the vishing campaign we had already observed affecting other organizations, we were able to advise that this was very likely pre-ransomware activity and share actionable indicators of compromise (IOCs) and mitigation recommendations.    

Another defensive measure that was effective in containing pre-ransomware activity was robust monitoring and endpoint detection and response (EDR) solutions, particularly those configured to alert on unauthorized remote access connections and suspicious file execution. In one engagement, Cisco XDR was configured to flag certain TTPs that the security team identified were consistent with pre-ransomware activity, and soon after the alerts were triggered, they moved quickly to focus on eradication of the threat. The TTPs included use of remote access tools, disabling of the volume shadow copy service (VSS), and use of a local account to deploy a vulnerable driver. In another engagement, the organization’s monitoring tools alerted them of unauthorized remote access and they acted swiftly to respond to the affected system, resulting in the threat actor only having access to the targeted system for three minutes. In a different incident, suspicious file execution was flagged, leading the customer to identify the threat and isolate the system within hours of initial access.

**Crytox becomes latest ransomware group to leverage HRSword to disable EDR protections**

Crytox appeared in a Talos IR engagement for the first time this quarter, with affiliates leveraging HRSword as part of their attack chain — a tool that has not previously been publicly associated with the ransomware group. According to public reporting, Crytox is a ransomware family first seen in 2020 that typically encrypts local disks and network drives and drops a ransom note with a five-day ultimatum. Affiliates are known to leverage the uTox messenger application so victims can communicate with the threat actors. 

Talos IR responded to an engagement in which adversaries exploited a public-facing application that was not protected by MFA to gain initial access, then launched a ransomware attack that encrypted two hypervisors hosting numerous VM servers. The actors used TTPs that aligned with known Crytox TTPs, including using uTox for communication and dropping a ransomware note that matches publicly shared Crytox ransom notes. Of note, we also observed the affiliates using HRSword to disable the target’s EDR solution. We first reported on ransomware actors’ use of HRSword in FY24 Q1, specifically highlighting a Phobos incident, and observed additional threat groups leverage the tool throughout the remainder of the year.

**Targeting**

The manufacturing industry vertical was the most affected this quarter, accounting for 25 percent of engagements. Notably, though education was the most targeted vertical for the second half of 2024, we did not respond to any incidents targeting education entities this quarter.

**Initial access**

As mentioned, the most observed means of gaining initial access this quarter was phishing, followed by use of valid accounts and exploitation of public facing applications. The increase in phishing attacks this quarter is likely due in part to the robust vishing campaign we observed that accounted for over 60 percent of all phishing engagements.

**Recommendations for addressing top security weaknesses **

**Implement properly configured MFA and other access control solutions**

Half of the engagements this quarter involved MFA issues, including misconfigured MFA, lack of MFA and MFA bypass. As mentioned in the above ransomware section, token theft played a role in several incidents this quarter, enabling threat actors to bypass authentication controls and establish trusted connections. We also observed threat actors adding malicious secondary MFA devices to compromised accounts as well as taking advantage of a lack of MFA on remote access services, the latter of which is a tactic we have consistently observed in previous quarters. Talos IR recommends monitoring and alerting on the following for effective MFA deployment: abuse of bypass codes, creation of accounts designed to bypass or be exempt from MFA and removal of accounts from MFA.

**Enforce user education on phishing and social engineering attacks**

Half of the engagements this quarter involved social engineering, potentially highlighting insufficient user education. This security weakness corresponds with the surge in phishing attacks, as users were manipulated to grant attackers access to their environments, with vishing proving to be particularly effective. Talos IR recommends raising awareness of phishing and social engineering techniques, as user education is a key part of spotting phishing attempts, countering MFA bypass techniques and knowing where to report suspicious activity.

**Protect endpoint security solutions**

Almost 20 percent of incidents involved organizations that did not have protections in place to prevent uninstallation of EDR solutions, enabling actors to disable these defenses. Talos IR strongly recommends ensuring endpoint solutions are protected with an agent or connector password and customizing their configurations beyond the default settings. Additional recommendations for hardening EDR solutions against this threat can be found in our 2024 Year in Review report.

**Top-observed MITRE ATT&CK techniques**

The table below represents the MITRE ATT&CK techniques observed in this quarter’s Talos IR engagement. Given that some techniques can fall under multiple tactics, we grouped them under the most relevant tactic in which they were leveraged. Please note this is not an exhaustive list.

Key findings from the MITRE ATT&CK framework include:  

*   This was the first quarter since January to March of 2024 (Q1 FY24) in which phishing was the top initial access technique, with actors leveraging vishing, malicious links, malicious attachments and BEC attacks.   
*   We observed actors leveraging a wider variety of commercial and open-source remote access tools this quarter, including SplashTop, Atera, TeamViewer, AnyDesk, LogMeIn, ScreenConnect, QuickAssist, TightVNC and Level’s RMM platform. These tools appeared in 50 percent of engagements, a slight increase from almost 40 percent last quarter.

Tactic  

Technique  

Example  

Reconnaissance (TA0043)  

T1590 Gather Victim Network Information 

Adversaries may gather information about the victim's networks that can be used during targeting. Information may include a variety of details, including administrative data as well as specifics regarding its topology and operations. 

T1595.002 Active Scanning: Vulnerability Scanning 

Adversaries may run vulnerability scans against an organization’s public-facing infrastructure to identify potential vulnerabilities to exploit.   

Initial Access (TA0001) 

T1598.004  Phishing for Information: Spearphishing Voice   

In an observed campaign, users received calls from the adversary posing as IT support and were prompted to initiate a QuickAssist session. 

T1598.003 Phishing for Information: Spearphishing Link 

Adversaries may send spearphishing messages with a malicious link to elicit sensitive information that can be used during targeting. 

T1598 Phishing for Information: Spearphishing Attachment 

Adversaries may send spearphishing messages with a malicious attachment to elicit sensitive information that can be used during targeting. 

T1190 Exploit in Public-Facing Application 

Adversaries may exploit a vulnerability to gain access to a target system. 

T1078 Valid Accounts 

Adversaries may use compromised credentials to access valid accounts during their attack. 

Execution (TA0002)  

T1059.001 Command and Scripting Interpreter: PowerShell 

Adversaries may abuse PowerShell to execute commands or scripts throughout their attack. 

T1047 Windows Management Instrumentation 

Adversaries may use Windows Management Instrumentation (WMI) to execute malicious commands during the attack. 

T1053 Scheduled Task/Job 

Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. 

Persistence (TA0003) 

T1098 Account Manipulation 

Adversaries may manipulate accounts to maintain and/or elevate access to victim systems.  

T1136.001 Create Account: Local Account 

Adversaries may create a local account to maintain access to victim systems. 

T1547.001 Persistence: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder 

Adversaries established persistence by embedding IP addresses in the TitanPlus registry key.  

T1133 External Remote Services 

Adversaries may leverage external-facing remote services to initially access and/or persist within a network. 

T1546.008 Event Triggered Execution: Accessibility Features 

Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by accessibility features. 

Privilege Escalation (TA0004)   

T1134 Access Token Manipulation 

Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. 

Defense Evasion (TA0005)  

T1562.001 Impair Defenses: Disable or Modify Tools 

Adversaries may disable or uninstall security tools to evade detection. 

T1562.004 Impair Defenses: Disable or Modify System Firewall   

Adversaries may disable or modify system firewalls to bypass controls limiting network usage.   

T1564.008 Hide Artifacts: Email Hiding Rules 

Adversaries may use email rules to hide inbound or outbound emails in a compromised user's mailbox. 

T1070.001 Indicator Removal: Clear Windows Event Logs 

Adversaries may clear the Windows event logs to cover their tracks and impair forensic analysis. 

T1112 Modify Registry 

Adversary used some registry modifications to get privilege escalation. 

Credential Access (TA0006)  

T1003 OS Credential Dumping 

Adversaries may dump credentials from various sources to enable lateral movement. 

T1528 Steal Application Access Token 

Adversaries can steal application access tokens as a means of acquiring credentials to access remote systems and resources. 

Discovery (TA0007) 

T1046 Network Service Discovery 

Adversaries may use tools like Advanced Port Scanner for network scanning. 

T1057 Process Discovery 

Adversaries may attempt to get information about running processes on a system.   

T1018 Remote System Discovery 

Adversaries may attempt to discover information about remote systems with commands, such as “net view”. 

T1082 System Information Discovery 

An adversary may attempt to get detailed information about the operating system and hardware. 

T1016 System Network Configuration Discovery 

Adversaries may use commands, such as ifconfig and net use, to identify network connections. 

T1087.001 Account Discovery: Local Account 

Enumerate user accounts on the system. 

Lateral Movement (TA0008)  

T1021.001 Remote Services: Remote Desktop Protocol 

Adversaries may abuse valid accounts using RDP to move laterally in a target environment. 

T1021.006 Remote Services: Windows Remote Management 

Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM). 

Command and Control (TA0011)  

T1219 Remote Access Software 

An adversary may use legitimate desktop support and remote access software to establish an interactive command and control channel to target systems within networks. 

T1105 Ingress Tool Transfer 

Adversaries may transfer tools from an external system to a compromised system. 

T1572 Protocol Tunneling 

Adversaries may tunnel network communications to and from a victim system within a separate protocol, such as SMB, to avoid detection and/or enable access. 

Exfiltration (TA0010)  

T1048 Exfiltration Over Alternative Protocol 

Adversaries may steal data by exfiltrating it over a different protocol than that of the existing command and control channel, such as WinSCP.   

Impact (TA0040)  

T1486 Data Encrypted for Impact 

Adversaries may use ransomware to encrypt data on a target system. 

T1490 Inhibit System Recovery 

Adversaries may disable system recovery features, such as volume shadow copies. 

T1489 Service Stop 

Adversaries may stop or disable services on a system to render those services unavailable to legitimate users. 

Software/Tool  

S0029 PsExec 

Free Microsoft tool that can remotely execute programs on a target system. 

S0349 LaZagne 

A post-exploitation, open-source tool used to recover stored passwords on a system. 

S0357 Impacket 

An open-source collection of modules written in Python for programmatically constructing and manipulating network protocols. 

S0002 Mimikatz 

Credential dumper that can obtain plaintext Windows logins and passwords. 

S0097 Ping 

An operating system utility commonly used to troubleshoot and verify network connections. 

S0552 AdFind 

Freely available command-line query tool used for gathering information from Active Directory. 

S1071 Rubeus   

A C# toolset designed for raw Kerberos interaction. 

S0057 Tasklist 

A utility that displays a list of applications and services with their Process IDs (PID) for all tasks running on either a local or a remote computer.

IR Trends Q1 2025: Phishing soars as identity-based attacks persist

In this episode of Uncanny Valley, our hosts explain how to prepare for travel to and from the United States—and how to stay safe.

Protecting Your Phone—and Your Privacy—at the US Border

In this edition, Bill explores how intellectual curiosity drives success in cybersecurity, shares insights on the IAB ToyMaker’s tactics, and covers the top security headlines you need to know.

Thursday, April 24, 2025 14:00

Welcome to this week’s edition of the Threat Source newsletter. 

"Be curious, not judgmental," Ted Lasso says, misattributing Walt Whitman. We forgive Ted because... well, he's Ted Lasso. 

If you’ve not watched the first season of Ted Lasso, there is a defining moment where Ted confronts a nefarious bully. While putting him in his place with kindness and skill, Ted refers to this quote. It’s a defining moment not only for Ted but for the secondary and tertiary characters in the scene. One of the questions that I'm asked most when public speaking is “How do I get into Talos?” For people considering a new career, it’s “How do I get into cybersecurity?” To all those questions, my answer is "Be curious, not judgmental." 

I think there is no greater skill necessary in security than intellectual curiosity. If you have that, you can learn the rest. The hiring process to get in the door at Talos is extremely challenging and the candidates are incredible. That's why when I interview candidates for various roles in Talos I rarely, if ever, fixate on a niche skillset, instead focusing on the prospective employee’s intellectual curiosity. I ask weird questions that don’t seem related to the specific job role, not in an effort to throw them off but simply because I am curious and hope that they are as well.  

_Do you like to read? Do you ever read books outside of your normal wheelhouse? What are some favorite fiction and non-fiction books? Do you have a favorite craft or hobby? How many different Linux distributions have you installed? What are your 5 favorite board games? Do you play video games, and if so, what are a few favorites from each platform and decade?_   

These kinds of questions help me identify what kind of innate curiosity that the prospective candidate possesses and from their answers we will invariably fall down a rabbit hole while my co-workers shake their heads at me in disdain.  

Beyond that, I always listen for my favorite answer: “I don’t know, but...” There’s no better answer to a very difficult question than “I don’t know, but I’d probably try X,” or “I don’t know, but I’d love to learn...” 

Barbecue sauce.

**The one big thing **

Cisco Talos has released a blog post on the initial access broker (IAB) we call “ToyMaker” — a financially-motivated threat actor. They deploy their custom-made backdoor we call “LAGTOY” and extract credentials from the victim enterprise. LAGTOY can be used to create reverse shells and execute commands on infected endpoints. 

**Why do I care? **

A compromise by LAGTOY may result in access handover to a secondary threat actor. Specifically, we’ve observed ToyMaker hand over access to Cactus, a double extortion gang who employed their own tactics, techniques and procedures (TTPs) to carry out malicious actions across the victim’s network. Our blog details a timeline with turnaround time from ToyMaker to Cactus. 

**So now what?**

Cisco Talos has released information to help ensure protection including techniques and related IOCs. Check out the blog post for full details.

**Top security headlines of the week **

**Apple says zero-day bugs exploited against ‘specific targeted individuals’ using iOS.** Apple has released new software updates across its product line to fix two security vulnerabilities, which the company said may have been actively used to hack customers running its mobile software, iOS. (TechCrunch)

**Microsoft purges millions of cloud tenants in the wake of Storm-0558.** In an effort to thwart state-sponsored activity stemming from preventable security issues, Microsoft is making significant efforts to purge inactive Azure cloud tenants and take comprehensive inventory of cloud and network assets. (DarkReading) 

**Researchers warn of critical flaw found in Erlang OTP SSH.** The vulnerability could allow unauthenticated attackers to gain full access to a device. Many of these devices are widely used in IoT and telecom platforms. (cybersecuritydrive) 

**CISA flags actively exploited vulnerability in SonicWall SMA devices.** The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a security flaw impacting SonicWall Secure Mobile Access 100 Series gateways to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. (The Hacker News)

**Can’t get enough Talos? **

*   Talos Takes: Year in Review Special: Part 3 
*   TL,DR: Attacks on identity, and Multi Factor Authentication 
*   Unmasking the new XorDDoS controller and infrastructure

**Upcoming events where you can find Talos **

*   RSA (Apr. 28 – May 1) San Francisco, CA 
*   PIVOTcon (May 7 – 9) Malaga, Spain 
*   CTA TIPS 2025 (May 14 – 15)  Arlington, VA 
*   Cisco Connect UK & Ireland (May 20) London, UK 
*   BotConf (May 20 – 23) Angers, France 
*   Cisco Live U.S. (June 8 – 12) San Diego, CA

**Most prevalent malware files from Talos telemetry over the past week  **

**SHA256: 2462569cf24a5a1e313390fa3c52ed05c7f36ef759c4c8f5194348deca022277**    
MD5: 42c016ce22ab7360fb7bc7def3a17b04    
VirusTotal: https://www.virustotal.com/gui/file/2462569cf24a5a1e313390fa3c52ed05c7f36ef759c4c8f5194348deca022277    
Typical Filename: Rainmeter-4.5.22.exe     
Detection Name: Artemis!Trojan  

**SHA 256:7b3ec2365a64d9a9b2452c22e82e6d6ce2bb6dbc06c6720951c9570a5cd46fe5**      
MD5: ff1b6bb151cf9f671c929a4cbdb64d86      
VirusTotal : https://www.virustotal.com/gui/file/7b3ec2365a64d9a9b2452c22e82e6d6ce2bb6dbc06c6720951c9570a5cd46fe5    
Typical Filename: endpoint.query        
Detection Name: W32.File.MalParent    

**SHA256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507**    
MD5: 2915b3f8b703eb744fc54c81f4a9c67f      
VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507      
Typical Filename: VID001.exe      
Detection Name: Win.Worm.Bitmin-9847045-0  

**SHA 256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91**      
MD5: 7bdbd180c081fa63ca94f9c22c457376      
VirusTotal: https://www.virustotal.com/gui/file/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91     
Typical Filename: IMG001.exe     
Detection Name: Win.Trojan.Miner-9835871-0

Tag

#cisco