Hello Talos followers. I’m back for my annual takeover of the Threat Source newsletter. First, an update on that killer sloth movie I was so excited about in August 2023. “Slotherhouse” debuted with an impressive $137,133 at the box office, with critics hailing its various set pieces such as “death by sleeping bag balcony trap” (read that again) and “a particularly gruesome use of hair straighteners.”
Onto less grisly fare. In the times when I used to frequent the site formerly known as Twitter, my favorite account to follow was “Sorkinese” – a daily elocution safari with the wit and wisdom of Aaron Sorkin characters (mainly from The West Wing). Before Sorkinese’s well-timed final tweet in July last year (“The internet people have gone crazy!”), one piece of Sorkin dialogue that I always enjoyed seeing on the feed was “What kind of day has it been?” The Wingnuts amongst you will know that Sorkin used this as the title of key episodes in several of his shows. It’s meant to signal the end of something, and a reflection on what’s important.
As summer is drawing to a close and “sweater weather” begins again in earnest, I wanted to use this opportunity to reflect a little…what kind of summer has it been?
I live in the UK, so “wet” is the first word that comes to mind. But since I allegedly work in the security industry, and this is allegedly a security newsletter, I’ll steer things in that direction. In a "here's what I made earlier" moment (hello to the small percentage of Brits who will get that reference), this is a video which features Talos’ Head of Outreach Nick Biasini. We asked him to reflect on his two biggest areas of concern/importance in the threat landscape right now:
One more quick thing – it’s now a week until we launch our new documentary, “The Light We Keep: A Project PowerUp Story.” This video will explore first-hand accounts of the chaos and consequences of electronic warfare, and how we developed a solution to maintain reliable power in the event of GPS jamming on Ukraine's electrical grid.
Keep an eye on our social channels for its release and be sure to join us for the live online launch event which will include a Q & A with myself, Joe Marshall, Matt Watchinski, and Matt Olney.
Register for the livestream on September 5th
Watch The Light We Keep trailer
The one big thing
BlackByte is a ransomware-as-a-service (RaaS) group believed to be an offshoot of the infamous Conti ransomware group. The group has continued to leverage the tactics, techniques and procedures (TTPs) that have formed the foundation of its tradecraft since its inception, continuously iterating on its use of vulnerable drivers to bypass security protections and deploying a self-propagating, wormable ransomware encryptor. In recent investigations, Cisco Talos Incident Response (Talos IR) has also observed BlackByte using techniques that depart from its established tradecraft. Members of the team, in collaboration with Talos Intelligence and Interdiction, wrote a blog detailing their findings.
Why do I care?
During an investigation of a recent BlackByte attack, Talos IR and Talos threat intelligence personnel noted close similarities between indicators of compromise (IOCs) discovered during the investigation and other events flagged in Talos’ global telemetry. Further investigation of these similarities provided additional insights into BlackByte’s current tradecraft and revealed that the group has been significantly more active than would appear from the number of victims published on its data leak site.
So now what?
Talos IR has provided a full set of recommendations to help defenders protect against RaaS groups such as BlackByte, including how to detect lateral movement. You’ll find these recommendations in the blog, alongside the MITRE ATT&CK mapping of new TTPs and the indicators of compromise.
Top security headlines of the week
- Hundreds of open-source large language model (LLM) builder servers and dozens of vector databases are leaking highly sensitive information to the open Web. Dark Reading
- A recent Qilin ransomware attack targeted credentials that were stored in Google Chrome browsers on a portion of the impacted network’s endpoints. Researchers said the move is an “unusual tactic, and one that could be a bonus multiplier for the chaos already inherent in ransomware situations.” Decipher
- Labor Day warning: Protect your data with these high-tech travel tips. Talos’ Nick Biasini recently gave advice on how to spot travel-related phishing emails, and how to be wary of vulnerable Bluetooth connections and Wi-Fi hotspots. Share with your friends and family! ABC News
Can’t get enough Talos?
Talos’ Kelly Patterson just released a three-part blog series on her research into the intricacies of fuzzing µC/OS protocol stacks. Kelly hopes her research will encourage more widespread fuzzing of RTOS software components.
Check out the series below:
- Part 1: HTTP server fuzzing
- Part 2: Handling multiple requests per test case
- Part 3: TCP/IP server fuzzing, implementing a TAP driver
Live launch of The Light We Keep documentary, followed by Q & A (Sept. 5th)
Online
BSides Krakow (Sept. 14)
Krakow, Poland
LABScon (Sept. 18 - 21)
Scottsdale, Arizona
VB2024 (Oct. 2 - 4)
Dublin, Ireland
Most prevalent malware files from Talos telemetry over the past week
SHA 256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91
MD5: 7bdbd180c081fa63ca94f9c22c457376
Typical Filename: c0dwjdi6a.dll
Claimed Product: N/A
Detection Name: Trojan.GenericKD.33515991
SHA 256: 9ef2e8714e85dcd116b709894b43babb4a0872225ae7363152013b7fd1bc95bc
MD5: 4813fa6d610e180b097eae0ce636d2aa
Typical Filename: xmrig.exe
Claimed Product: XMRig
Detection Name: Trojan.GenericKD.70491190
SHA 256: 24283c2eda68c559f85db7bf7ccfe3f81e2c7dfc98a304b2056f1a7c053594fe
MD5: 49ae44d48c8ff0ee1b23a310cb2ecf5a
Typical Filename: nYzVlQyRnQmDcXk
Claimed Product: N/A
Detection Name: Win.Dropper.Scar::tpd
SHA 256: c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0
MD5: 8c69830a50fb85d8a794fa46643493b2
Typical Filename: AAct.exe
Claimed Product: N/A
Detection Name: PUA.Win.Dropper.Generic::1201
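If you want to check your own hosts against the hashes above, here is a small added example (my own script, not Talos code or a Talos tool): it parses the newsletter’s “SHA 256 / MD5 / Typical Filename / Claimed Product / Detection Name” blocks into records, validates each digest so a truncated or mis-pasted hash fails loudly instead of silently never matching, and then streams files from disk and reports any SHA-256 or MD5 hit. The IOC text embedded in the script is the four entries listed above, copied as they appeared in the raw listing (including a missing space after “SHA 256:” in the second entry, which the parser tolerates); the script name, function names and command-line usage are my assumptions.

```python
"""Added example (not Talos code): parse the hash list above and check files."""
import hashlib
import re
import sys

# The four entries from the list above, copied verbatim from the raw listing
# (note the missing space after "SHA 256:" in the second entry).
IOC_TEXT = """\
SHA 256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91
MD5: 7bdbd180c081fa63ca94f9c22c457376
Typical Filename: c0dwjdi6a.dll
Claimed Product: N/A
Detection Name: Trojan.GenericKD.33515991
SHA 256:9ef2e8714e85dcd116b709894b43babb4a0872225ae7363152013b7fd1bc95bc
MD5: 4813fa6d610e180b097eae0ce636d2aa
Typical Filename: xmrig.exe
Claimed Product: XMRig
Detection Name: Trojan.GenericKD.70491190
SHA 256: 24283c2eda68c559f85db7bf7ccfe3f81e2c7dfc98a304b2056f1a7c053594fe
MD5: 49ae44d48c8ff0ee1b23a310cb2ecf5a
Typical Filename: nYzVlQyRnQmDcXk
Claimed Product: N/A
Detection Name: Win.Dropper.Scar::tpd
SHA 256: c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0
MD5: 8c69830a50fb85d8a794fa46643493b2
Typical Filename: AAct.exe
Claimed Product: N/A
Detection Name: PUA.Win.Dropper.Generic::1201
"""

FIELD_RE = re.compile(
    r"^(SHA 256|MD5|Typical Filename|Claimed Product|Detection Name):\s*(.*)$"
)
HEX_LEN = {"sha256": 64, "md5": 32}


def _digest(kind, value):
    """Normalise a hex digest and reject anything that is not a full digest."""
    v = value.strip().lower()
    if not re.fullmatch(r"[0-9a-f]{%d}" % HEX_LEN[kind], v):
        raise ValueError(f"bad {kind} digest: {value!r}")
    return v


def parse_iocs(text):
    """Turn the newsletter block into a list of dicts, one per 'SHA 256' entry."""
    records, current = [], None
    for line in text.splitlines():
        m = FIELD_RE.match(line.strip())
        if not m:
            continue  # blank or unrelated line
        key, value = m.group(1), m.group(2).strip()
        if key == "SHA 256":
            current = {"sha256": _digest("sha256", value)}
            records.append(current)
        elif current is None:
            raise ValueError(f"field {key!r} before any SHA 256 line")
        elif key == "MD5":
            current["md5"] = _digest("md5", value)
        else:
            current[key.lower().replace(" ", "_")] = value
    return records


def build_index(records):
    """Map every known digest (SHA-256 and MD5) to its record for O(1) lookup."""
    index = {}
    for rec in records:
        index[rec["sha256"]] = rec
        if "md5" in rec:
            index[rec["md5"]] = rec
    return index


def hash_bytes(data):
    """Return (sha256, md5) hex digests of an in-memory blob."""
    return hashlib.sha256(data).hexdigest(), hashlib.md5(data).hexdigest()


def hash_file(path, chunk=1 << 20):
    """Return (sha256, md5) of a file, streamed so large files are not read whole."""
    sha, md5 = hashlib.sha256(), hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            sha.update(block)
            md5.update(block)
    return sha.hexdigest(), md5.hexdigest()


def lookup(index, sha256, md5):
    """Return the matching record (SHA-256 first, MD5 as fallback) or None."""
    return index.get(sha256.lower()) or index.get(md5.lower())


def scan(paths, index):
    """Hash each path and return [(path, detection_name)] for every IOC hit."""
    hits = []
    for path in paths:
        try:
            sha256, md5 = hash_file(path)
        except OSError:
            continue  # unreadable or vanished file: skip it, keep scanning
        rec = lookup(index, sha256, md5)
        if rec is not None:
            hits.append((path, rec.get("detection_name", "unknown")))
    return hits


if __name__ == "__main__":
    # Assumed usage: python ioc_scan.py FILE [FILE ...]
    for path, name in scan(sys.argv[1:], build_index(parse_iocs(IOC_TEXT))):
        print(f"{path}: matches {name}")
```

Two caveats worth keeping in mind: a hash match is an exact-file match only, so a repacked or recompiled build of something like XMRig will not hit, and the “Typical Filename” field is deliberately not used for matching, since a name like xmrig.exe or AAct.exe is context for triage rather than an indicator on its own.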