This edition pulls the curtain aside to show the realities of the VPN Filter campaign. Joe reflects on the struggle to prevent burnout in a world constantly on fire.

Thursday, September 18, 2025 14:00

Welcome to this week’s edition of the Threat Source newsletter. 

This is gonna be a tough read. I’m sorry. Believe it or not, it’s even tougher for me to write. I want to talk about what it costs to be in the cybersecurity profession. Not money or time, but potentially your health, both mentally and physically. I want to move the curtain aside and show you an inside look at what happens to people when the pressure is high and the desire to succeed is not only essential, but sometimes even life and death. 

So, story time. 

Seven years ago, Cisco Talos disclosed a novel and new threat campaign: VPN Filter. VPN Filter was a small office/home office (SOHO) device botnet that had many new things we’d never seen before in SOHO devices: infection persistence past device reboot, modularity, victimology, and perhaps most importantly, the (later) attribution to the Russian threat actor APT28 (aka Sandworm). The platform also featured a kill switch, a module designed to cover the tracks and or destroy a device infected with VPN Filter. This could be executed en masse, if they desired. This was a methodical, clever and well-structured campaign to attack unpatched and/or vulnerable devices all over the world for state cyber operations. As I look back at that time, it was (and still is) a marvel of tradecraft and offensive cyber operations. 

Put yourself in our position at Talos. We’ve just discovered a massive campaign by a notorious threat actor. We all know what this is, who this is, and what the consequences could be — and the threat actor had a massive head start on us. We absolutely couldn’t screw this up. If we tipped our hand via our research, the threat actor might get spooked and just burn the whole thing down with the kill switch. The stakes were very high. 

We spent months reversing and analyzing the malware, the victimology, infrastructure, and understanding the scale and scope of what VPN Filter did and potentially could do. The more we peeled things back, the more ominous the implications and the harder we worked. 

As the weeks turned into months, the hours we worked grew longer and longer, and the stress began to take its toll on all of us. The raw enormity of the tasks of analyzing and responding to VPN Filter and the stress of being stealthy begin to extract a price from us personally. Attitudes grew sour, relationships frayed, and some were rent asunder completely. For me, personally, it was a very dark time and would cost me dearly – I would exit people management into an individual contributor role that I still inhabit to this day. 

In the end, the threat actor forced us to into action. We had always theorized a “break glass” moment when the threat actor might hit the gas pedal and we would have to alert the world. One day we saw a massive spike in infections in Ukraine, and we disclosed to the world VPN Filter. We still had so many unanswered questions but had no choice when we saw the spike. In a way, it was a mercy. We had long since hit our limit and were just all collectively cooked and demoralized. I know I was, and it deeply affected my relationships and career, the reverberations of which I still feel to this day.  

I’m often asked by new or potential security practitioners, “Joe, what’s a cool hacker story?!” I have plenty of those, and VPN Filter is certainly one of them. But rarely does anyone want to hear the worst days of our lives. The tales of burnout and stress. Of the long hours and constant work. There is _always_ a breach happening somewhere, your company is _always_ under attack, there is _always_ a story of a someone getting hacked and sometimes people are even hurt or killed. This cadence takes a toll – from events like VPN Filter, to being in a SOC – it’s all the same. No matter where you work, we are here to keep our customers, constituents, and communities safe from some real assholes out there. It is about fighting the good fight, and the fight never stops.  

So, what can we do about it? How can you avoid being me in the middle of VPN Filter? 

1.  **Learn and enforce boundaries.** You must make space and time for you and firmly enforce that space and time. If that means disabling after hours comms, then do so, and do so guilt free. You must look after yourself. 
2.  **Peer support.** Whether it's a therapist, a colleague, or a Slack/Discord/Bsides where you can share and vent with others in the same boat as you, you must reduce the sense of isolation this career space can give you. Others are looking for the same thing and happy to listen and share. Celebrate your wins with people who are eager to reciprocate.  
3.  **Unplugged self-care.** This is tough, and I’m not great at it. Exercise, paint, work in your garden and do something unrelated to your job. Put down the hell rectangle that is your phone and unplug from the news and social media. 
4.  **Mandatory decompression/vacation.** After an incident, be it VPN Filter or a breach, leaders: _look after your people._ Recognize burnout and push your directs into some enforced downtime so they can recover. At a minimum, rotate them into a less stressful role so they can take a break. It’s your responsibility to care for those who work hard for you. 

Responding after the event is just as important as responding to the event itself. Every breach, VPN Filter-like event, or emergency is an opportunity to reflect on the cost to your health and evaluate what you can do to help yourself and others. This is a tough gig sometimes, but it’s a calling we love. Just take care of yourself and each other, ya hear?

**The one big thing **

In Talos' latest blog post, we break down why having a Cisco Talos Incident Response (IR) Retainer is a game-changer for any organization facing today’s nonstop cyber threats. With a Talos IR Retainer, you get direct access to our expert team, 24/7 emergency support, and tailored plans that keep everyone — from IT to leadership — on the same page. You’ll also benefit from continuous threat intelligence and real-world guidance to help your organization bounce back stronger after any incident. 

**Why do I care? **

Our team helps you hunt threats before they escalate, assess your readiness and improve your security posture over time. If a cyber incident hits, having a trusted partner already in place means you’re prepared to act decisively, with clear roles, tested procedures and experts ready to back you up every step of the way. 

**So now what? **

Think about securing a Talos IR Retainer to make sure you’ve got experts on speed dial and your defenses are always up to date. Reach out to us to schedule a tabletop exercise or to talk through how prepared your organization really is.

**Top security headlines of the week **

**New VoidProxy phishing service bypasses MFA on Microsoft and Google accounts**   
An attack typically begins with a deceptive email sent from a compromised account of legitimate email service providers, like Constant Contact, Active Campaign or NotifyVisitors. (Hack Read) 

**Shai-Hulud supply chain attack: Worm used to steal secrets, 180+ npm packages hit**   
The self-spreading potential of the malicious code will likely keep the campaign alive for a few more days. To avoid being infected, users should be wary of any packages that have new versions on npm but not on GitHub, and pin dependencies. (SecurityWeek) 

**Google nukes 224 Android malware apps behind massive ad fraud campaign**   
The apps were downloaded over 38 million times and employed obfuscation and steganography to conceal the malicious behavior from Google and security tools. (Bleeping Computer) 

**Former FinWise employee may have accessed nearly 700K customer records**   
Nearly 700,000 FinWise Bank customers are being notified after a former employee may have accessed or taken personal data post-employment. The incident went undetected for over a year. (The Register)

**Can’t get enough Talos? **

*   **Alex Ryan: From zero chill to quiet confidence**   
    Discover how a Cisco Talos Incident Response expert transitioned from philosophy to the high-stakes, emotionally intense world of incident command, and the advice that she has for aspiring cybersecurity professionals. 
*   **Beers with Talos: How to ruin an APT's day**   
    The B-Team is joined by Sara McBroom from Talos’ nation-state threat intelligence and interdiction team. Sara shares her journey from a liberal arts major to tracking some of the world’s most advanced adversaries. 
*   **Tampered Chef: When malvertising serves up infostealers**   
    Imagine downloading a PDF Editor tool from the internet that works great... until nearly two months later, when it quietly steals your credentials. Nick Biasini explains how cybercriminals are investing in "malvertising" and challenges in defense.

**Upcoming events where you can find Talos **

*   LABScon (Sept. 17 – 20) Scottsdale, AZ 
*   VB2025 (Sept. 24 – 26) Berlin, Germany 
*   Wild West Hackin' Fest (Oct. 8 – 10) Deadwood, SD

**Most prevalent malware files from Talos telemetry over the past week **

**SHA256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507**    
MD5: 2915b3f8b703eb744fc54c81f4a9c67f   
Talos Rep: https://talosintelligence.com/talos\_file\_reputation?s=9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507    
Typical Filename: executable.exe   
Claimed Product: N/A     
Example Filename:0a0dc0e95070a2b05b04c2f0a049dad8\_1\_Exe.exe    
Detection Name: Win.Worm.Coinminer::1201 

**SHA256: 41f14d86bcaf8e949160ee2731802523e0c76fea87adf00ee7fe9567c3cec610**    
MD5: 85bbddc502f7b10871621fd460243fbc    
Talos Rep: https://talosintelligence.com/talos\_file\_reputation?s=41f14d86bcaf8e949160ee2731802523e0c76fea87adf00ee7fe9567c3cec610    
Typical Filename: nwx3hgsl.exe   
Claimed Product: Self-extracting archive   
Detection Name: W32.41F14D86BC-100.SBX.TG 

**SHA256: c0ad494457dcd9e964378760fb6aca86a23622045bca851d8f3ab49ec33978fe**    
MD5: bf9672ec85283fdf002d83662f0b08b7    
Talos Rep: https://talosintelligence.com/talos\_file\_reputation?s=c0ad494457dcd9e964378760fb6aca86a23622045bca851d8f3ab49ec33978fe    
Typical Filename: werrx01USAHTML   
Claimed Product: N/A   
Detection Name: W32.C0AD494457-95.SBX.TG 

**SHA256: 96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974**    
MD5: aac3165ece2959f39ff98334618d10d9    
Talos Rep: https://talosintelligence.com/talos\_file\_reputation?s=96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974    
Typical Filename: ~3B6A.tmp   
Claimed Product: N/A   
Detection Name: W32.Injector:Gen.21ie.1201 

**SHA256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91**   
MD5: 7bdbd180c081fa63ca94f9c22c457376    
Talos Rep: https://talosintelligence.com/talos\_file\_reputation?s=a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91    
Typical Filename: img001.exe   
Claimed Product:   
Detection Name: Win.Dropper.Miner::95.sbx.tg

Put together an IR playbook — for your personal mental health and wellbeing

Discover how a Cisco Talos Incident Response expert transitioned from philosophy to the high-stakes world of incident command, offering candid insights into managing burnout and finding a supportive team.

Thursday, September 18, 2025 06:00

Welcome to another episode of Humans of Talos, our ongoing video interview series that celebrates the people powering Cisco’s threat intelligence efforts. In each episode, we dive deep into the personal journeys, motivations and lessons learned from the team members who help keep the internet safe.

This time, we sit down with Alex Ryan, a seasoned Incident Commander from Cisco Talos Incident Response. Read (or watch) on to hear her candid reflections on the emotional intensity of incident response, the critical role of a supportive team in preventing burnout, and invaluable advice for aspiring cybersecurity professionals.

**Amy Ciminnisi: Alex, you were recently on the Beers with Talos podcast, and during that, we learned that you have two liberal arts degrees, but you found yourself really loving how machines and systems worked, and then you work your way through the cybersecurity ranks. I'd love to know: What brought you to Talos?**

Alex Ryan: During my career inside companies doing incident response, vulnerability management, and risk management, Talos Intelligence was often one of my sources. I often looked at intelligence from vendors who were using their own datasets to generate the finished intelligence, rather than those who just took whatever intelligence was already out there, re-mashed it, and enriched it a bit. I have a lot of respect for Talos from using them as a source for guiding how I would do incident response and prioritize my defenses and things like that. When the opportunity came up to join Cisco Talos Incident Response as an Incident Commander, it was that reputation (and having used their material for so long which showed that there was really good quality people and research being done) that put this job at the top of my list of choices.

**AC: You have a very difficult job as an Incident Commander, acting as the point person in situations where people are possibly going through the worst days of their careers. What's something about your day-to-day role that people might be surprised by or interested in?**

AR: Incident response is a very high pressure situation to be in. You need to exude quiet confidence and build a trust relationships quickly with your customer. But on the back end, things can be chaotic: trying to get access to machines, trying to find the _right_ machines. "Do we have the right IOCs?" "What is this thing? Let me reverse engineer it." Trying to distill all of that activity into larger topics and give progress to the customer on it is critical.

It's also high risk for the business being impacted. I think that there was a statistic at one point that about 70% of small to medium businesses that paid the ransom after being compromised went out of business within a year, because the ransom was such a financial hit that they just couldn't absorb that kind of impact. So while the customer is trying to not freak out, I'm trying to exude quiet confidence while managing the forensics analysis activity. Trying to balance all of that is quite difficult, so incident response has a very high burnout rate.

After I came back from raising my children, it took me about two years to detox completely from incident response. I was _really_ high strung, and I had no chill. _Zero_ chill. I had to learn how to say no and how to prioritize my family over this hero complex that I was having at work. I would say I'm a much more well-rounded person now, and perhaps I'm better at my job because of that.

_Want to see more?_ _Watch the full interview__, and don’t forget to subscribe to our YouTube channel for future episodes of Humans of Talos!_

Alex Ryan: From zero chill to quiet confidence

With a Cisco Talos IR retainer, your organization can stay resilient and ahead of tomorrow's threats. Here's how.

**Why a Cisco Talos Incident Response Retainer is a game-changer**

Wednesday, September 17, 2025 06:00

In today’s hyper-connected world, cyber attacks are not a matter of if but when. Ransomware, phishing and data breaches dominate headlines. For any organization, the stakes are high and the impact can be wide. A cybersecurity breach can impact your organization’s ability to conduct normal business, damaging its reputation, reducing revenue, and disrupting operations. 

A Cisco Talos Incident Response (Talos IR) Retainer is a strategic investment that empowers your entire organization to stay resilient and ahead of tomorrow’s threats. Here’s how a Talos IR Retainer can strengthen your organization’s security and ensure peace of mind.

**What is a Cisco Talos IR Retainer? **

A Talos IR Retainer offers a direct line to Cisco’s top cybersecurity specialists, ensuring both proactive protection and swift response to cyber threats. Backed by Cisco Talos global threat intelligence and hundreds of threat intelligence researchers, it equips organizations to prevent, respond to, and recover from cyber incidents efficiently. From tailored incident response plans to 24/7 emergency support, the retainer is a lifeline in a threat landscape that never sleeps.

We have just released a series of short videos that explain the full range of Talos IR services. Check out the playlist here, or start by watching the Emergency Response video below:

**Benefits to the entire organization **

A Cisco Talos IR Retainer is not only designed to benefit your IT teams, but it’s a catalyst for building organization-wide resilience. Here is how Talos IR delivers value to clients’ stakeholders:  

1.  **Risk mitigation and cost savings**   
    Talos IR enables customers to respond swiftly to cyber threats and supports them through recovery efforts, minimizing downtime, costs, and regulatory risks 
2.  **Reputation protection**   
    A retainer equips leadership with strategic response plans and expert guidance, ensuring preparedness, demonstrating due diligence, and preserving stakeholder confidence during critical incidents. 
3.  **Organization-wide alignment**   
    A cybersecurity retainer ensures that your legal, human resources, information technology, and leadership teams are aligned before a threat strikes. Defined responsibilities and structured playbooks, plans, and tabletop exercises eliminate ambiguity and drive faster, more efficient incident response and recovery. Talos IR is there to create and review existing policies and make sure you are prepared at various levels.

**Bolstering organizational security **

A Talos IR Retainer transforms your organization’s security posture from reactive to proactive. Our job is to take you though the lifecycle of an incident and build up long-term resilience to cybersecurity attacks. We do this by delivering various engagements, such as: 

*   **Proactive Threat Hunting**   
    Using the PEAK Framework (Prepare, Execute, Act with Knowledge), Talos IR specialists proactively hunt for threats before they escalate, leveraging real-time intelligence to stay ahead of adversaries. 
*   **Customized preparedness**   
    Tailored IR plans, playbooks, and readiness assessments address your organization’s unique risks and evaluates the current state of its cybersecurity preparations.  
*   **Continuous improvement**   
    Post-incident reports and ongoing collaboration identify gaps and recommend long-term strategies, ensuring that security evolves with the threat landscape. 
*   **Vendor-agnostic integration**   
    Talos IR works with existing security tools, maximizing investments and enhancing detection and response capabilities in place. If needed, we can always deploy additional Cisco technology to help with an investigation. 
*   **Intelligence-driven defense**   
    Access to Talos’ global threat intelligence, updated in real time, ensures your organization is armed with the latest insights on adversary tactics, techniques, and procedures (TTPs). 

**What it means to have IR specialists on speed dial **

Having Talos IR specialists on call is like having an elite SWAT team for cybersecurity. Here is what Talos IR provides for your organization: 

*   **Rapid response, 24/7**   
    With a retainer, Cisco Talos IR specialists mobilize within hours of an incident, isolating threats and minimizing damage. This speed is critical, as every minute counts when containing ransomware or a data breach. 
*   **Expert guidance**   
    The Talos IR team brings unmatched expertise, analyzing adversary TTPs and providing actionable recommendations across many verticals and industries. 
*   **Tailored support**   
    Specialists collaborate with your teams, aligning response efforts with your business priorities. Whether coordinating with legal or PR, they ensure a cohesive strategy. 
*   **Peace of mind**   
    Knowing experts are a call away reduces stress for your executives and IT teams. Priority access means your organization is never left waiting during a crisis. 
*   **Post-Incident Review**   
    Talos IR delivers comprehensive reports that detail root causes, remediation steps, and preventive measures, turning incidents into opportunities for increased cybersecurity and prevention of future incidents.

**Real-world impact **

Our customers trust us to bring the expertise and knowledge they need to navigate their most challenging days with confidence.  Read about our work with Veradigm and how we made a difference during a Qakbot attack here. 

**Take the next step **

A Cisco Talos IR Retainer is a shield against cyber chaos. It strengthens your cybersecurity and ensures rapid recovery with specialists just a call away. Here’s how to get started: 

*   **Secure a Retainer**: Lock in priority access to proactive and emergency services. 
*   **Schedule a Tabletop Exercise**: Test your preparedness with tailored scenarios to fit your environment. 
*   **Explore** **our website****:** Access quarterly trends and learn more about Talos and what we do to secure our clients.

Why a Cisco Talos Incident Response Retainer is a game-changer

Thor examines why supply chain and identity attacks took center stage in this week’s headlines, rather than AI and ransomware.

Thursday, September 11, 2025 14:00

Welcome to this week’s edition of the Threat Source newsletter. 

I took a two-week vacation (thanks to Bill for covering my author shift last week) and made the deliberate choice to leave my laptop behind. No emails, IMs, no IT at all. Thank you, European work culture! It was a complete break. 

Well, almost. 

The weather didn’t always cooperate, so instead of freezing on a beach, I found myself catching up on TV — mostly news and a few series. But wherever I clicked, I just couldn’t escape the daily dose of AI. What can we do about invasive mosquitos? Ask AI. Government doesn’t move the needle? Ask AI. Want the weather forecast? AI, obviously. There are countless ads with people asking AI whether or not to wear a jacket “because it might rain.” Even with your favorite TV shows, gone are the days when the hoodied hacker sits in front of a black terminal with green text running a dangerous (haha) ping or nmap. Now, they're writing lines like, “Did you try breaking the firewall with our latest AI algorithm, bro?” 

Coming back to work and catching up on our industry news, I almost expected AI to be dominating the headlines. But it wasn't, and neither was ransomware. Instead, they were all about breaches. Many — but not all — reports referenced compromised OAuth tokens linked to Salesloft’s Drift integration, with a notable number of high-profile victims. Sure, this isn’t a scientific or qualitative analysis (ransomware isn’t disappearing anytime soon), but the reporting and the headlines have definitely shifted from one to the other. 

Looking past the buzzwords and catchphrases, the headlines really boiled down to two main themes: supply chain and identity attacks. In a SaaS world, I think it’s time to rethink their definitions and priority levels. 

Why? First, supply chain attacks aren’t limited to hardware or software anymore. We need to consider the datapath (or where data possibly is processed) as a key part of the supply chain. 

Second, identity attacks don’t just target users; interconnected applications are increasingly at risk, too. I’m not saying we can ignore the users, especially with current reporting that it started with access through a GitHub account or software vulnerabilities in our “classic” applications, but we absolutely need to broaden our focus. Last week’s headlines made that clear. 

**The one big thing **

Cisco Talos’ latest blog post details the Cyber Threat Intelligence Capability Maturity Model (CTI-CMM), a framework that helps organizations assess and enhance their cyber threat intelligence programs across 11 key domains. By outlining clear maturity levels and improvement cycles, CTI-CMM can help your team benchmark your current capabilities and develop a strategy for continuous (and practical) growth. 

**Why do I care? **

Understanding and improving your CTI program’s maturity can help your organization better anticipate, detect, and respond to cyber threats, no matter your budget or staffing level. It also makes the security investments you do have more effective, and ensure your team’s efforts are aligned with business priorities.  

**So now what? **

Check out the CTI-CMM framework to assess where your organization stands, identify gaps and opportunities, and create a roadmap to practical improvements for your organization.

**Top security headlines of the week **

**Huge NPM supply chain attack goes out with whimper**   
A supply chain attack involving multiple NPM packages had the potential to be one of the most impactful security incidents in recent memory, but such fears seemingly have proved unrealized. (Dark Reading) 

**Swiss Re warns of rate deterioration in cyber insurance**   
Increased competition among insurers has led to a third consecutive year of reduced rates, according to the report, as the available supply of cyber coverage has exceeded current demand. (Cybersecurity Dive) 

**Critical SAP vulnerability actively exploited by hackers**   
A critical security flaw has been found in several SAP products, and could allow a malicious actor to gain administrator-level control. (HackRead)

**No gains, just pains: 1.6M fitness phone call recordings exposed**   
Sensitive info from hundreds of thousands of gym customers and staff was left sitting in an unencrypted, non-password protected database. Audio recordings spanned from 2020 to 2025. (The Register)

**US offers $10M reward for Ukrainian ransomware operator**   
Volodymyr Tymoshchuk allegedly hit hundreds of organizations with the LockerGoga, MegaCortex, and Nefilim ransomware families. According to an indictment, the intrusions caused hundreds of millions of dollars in losses. (Security Week)

**China accuses Dior's Shanghai branch of illegal data transfer**   
China's public security authority alleges that Dior's Shanghai branch has transferred customers' personal data to its headquarters in France illegally, leading to a data leak in May. (Reuters)

**Can’t get enough Talos? **

*   **Beers with Talos: How to ruin an APT's day**  
    The B-Team is joined by Sara McBroom from Talos’ nation-state threat intelligence and interdiction team. Sara shares her journey from a liberal arts major to tracking some of the world’s most advanced adversaries.
*   **Who would sign up to secure a network full of hackers?**   
    Our latest video takes you behind-the-scenes at the Black Hat Network Operations Center (NOC) to see how Cisco and SnortML contain the chaos. 
*   **Patch Tuesday for Sept 2025**   
    In this month’s release, Microsoft observed none of the included vulnerabilities being exploited in the wild. However, there are eight vulnerabilities where exploitation may be likely. 
*   **Cisco: 10 years protecting Black Hat**   
    Cisco works with other official providers to bring the hardware, software and engineers to build and secure the Black Hat USA network: Arista, Corelight, Lumen, and Palo Alto Networks.

**Upcoming events where you can find Talos **

*   LABScon (Sept. 17 – 20) Scottsdale, AZ 
*   VB2025 (Sept. 24 – 26) Berlin, Germany 
*   Wild West Hackin' Fest (Oct. 8 – 10) Deadwood, SD

**Most prevalent malware files from Talos telemetry over the past week **

**SHA 256: 41f14d86bcaf8e949160ee2731802523e0c76fea87adf00ee7fe9567c3cec610**     
MD5: 85bbddc502f7b10871621fd460243fbc      
VirusTotal: https://www.virustotal.com/gui/file/41f14d86bcaf8e949160ee2731802523e0c76fea87adf00ee7fe9567c3cec610/details  
Typical Filename: N/A     
Claimed Product: Self-extracting archive     
Detection Name: Win.Worm.Bitmin-9847045-0 

**SHA 256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507**    
MD5: 2915b3f8b703eb744fc54c81f4a9c67f    
VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507     
Typical Filename: VID001.exe    
Claimed Product: N/A    
Detection Name: Win.Worm.Coinminer::1201 

**SHA 256: c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0**    
MD5: 8c69830a50fb85d8a794fa46643493b2     
VirusTotal: https://www.virustotal.com/gui/file/c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0    
Typical Filename: AAct.exe     
Claimed Product: N/A     
Detection Name: PUA.Win.Dropper.Generic::1201

Beaches and breaches

The Cyber Threat Intelligence Capability Maturity Model (CTI-CMM) helps organizations assess and improve their threat intelligence programs by outlining 11 key areas and specific missions where CTI can support decision-making.

Wednesday, September 10, 2025 10:01

*   The Cyber Threat Intelligence Capability Maturity Model (CTI-CMM) helps organizations assess and improve their threat intelligence programs by outlining 11 key areas and specific missions where CTI can support decision-making. 
*   The model describes four levels of maturity, guiding teams from basic, ad hoc activities to highly strategic and refined practices through a cycle of continuous improvement. 
*   CTI-CMM builds on earlier capability models and research, offering a practical framework for organizations to benchmark and evolve their CTI efforts. 

**Overview **

The familiar idiom “walk before you run” summarizes a fundamental truth about skill acquisition: you must master certain foundational capabilities before you can successfully execute more complex activities. This principle applies universally, from learning a new sport to developing highly specialized technical skills. Any area will have foundational skills, activities that anyone competent in the domain can perform, and characteristics that show that an individual (or team) has reached the highest levels of mastery. 

Capability maturity models (CMMs) outline the hierarchy of skills and activities that may be required within a particular area. The capabilities and characteristics are listed for teams of different levels of maturity operating within a domain. These descriptions can be used to evaluate the current level of a team or to identify the capabilities that must be acquired in order to improve. 

Despite its importance, the exact function of cyber threat intelligence (CTI) can vary widely across organizations. The community-developed  Cyber Threat Intelligence Capability Maturity Model (CTI-CMM) shows how threat intelligence can help an organization and the various levels of capability that cyber threat intelligence teams can achieve. 

**Details **

The CTI-CMM lists 11 domains where CTI can greatly improve decision-making,  and also details specific “missions” CTI can carry out to strengthen each domain. 

Domain 

Abridged Description 

Example CTI Mission 

Asset, Change and Configuration Management 

Manage the organization’s IT and OT assets. 

Rapidly detect at-risk assets. 

Threat and Vulnerability Management 

Detect, identify, analyze, manage, and respond to cybersecurity threats and vulnerabilities. 

Reduce risk against new and emerging adversaries, malware, vulnerabilities, and exploits. 

Risk Management 

Identify, analyze and respond to cyber 

risk the organization is subject to. 

Improve risk decisions. 

Identity and Access Management 

Manage identities for entities that may be 

granted logical or physical access to the organization’s assets. 

Reduce incident detection times, accelerate remediation. 

Situational Awareness 

Establish situational 

awareness for operational state and cybersecurity state. 

Drive threat-informed decision-making based on the current and forecast threat landscape. 

Event and Incident Response, Continuity of Operations 

Respond to, and recover from cybersecurity events and incidents. 

Create an intelligence 

advantage for incident responders and strengthen the security posture. 

Third-Party Risk Management 

Manage the cyber risks arising from suppliers and other third parties 

Monitor, detect, assess and mitigate potential incidents posed by third-party vendors and suppliers. 

Fraud and Abuse Management 

Shield organizations from malicious digital scams and attacks. 

Share threats 

and findings with relevant stakeholders. 

Workforce Management 

Create a culture of cybersecurity 

and security competence. 

Support hardening of the human element. 

Cybersecurity Architecture 

Maintain the structure and behavior of the organization’s cybersecurity architecture. 

Provide insights into cyber threats that may 

target the organization. 

Cybersecurity Program Management 

Provides governance, strategic planning and sponsorship for the organization’s cybersecurity activities. 

Deliver tailored intelligence inputs to 

inform cybersecurity decision-making. 

  
The missions span a wide spectrum, from proactively monitoring an organization’s attack surface in support of asset management to providing crucial situational awareness of the evolving threat landscape and its direct relevance to organizational activities. 

The CTI-CMM also defines distinct levels of maturity for threat intelligence activities, providing a clear progression path: 

A placeholder for practices that are not executed. 

Many threat intelligence activities begin here, characterized by basic, ad hoc and unplanned efforts focused on short-term, reactive results. 

As an activity matures, it becomes planned, with documented procedures and metrics demonstrating its support for stakeholders. The focus shifts towards proactive and predictive intelligence, delivering short- and intermediate-term results. 

At the highest level, activities are highly refined, focusing on delivering long-term strategic outcomes for the business. This level integrates prescriptive intelligence and recommendations, combined with continuous improvement practices, making practices measurable and aligned directly to business objectives. 

  
The framework espouses an improvement process analogous to the “plan, do, check, act” management model. In this case, the steps within a cycle of improvement are “prepare, assess, plan, deploy, measure.” With each rotation through the cycle, the capabilities of the threat intelligence program are incrementally improved, growing the maturity of the program. 

**History of CTI-CMM **

This approach to improving capabilities and benchmarking against defined standards is not new. CMMs originated in the mid-1980s, driven by the U.S. Department of Defense's desire to compare and evaluate software contractors. Largely thanks to the efforts of the Software Engineering Institute (SEI) at Carnegie Mellon University, CMMs evolved into the widely-applied Capability Maturity Model Integration (CMMI). 

The CTI-CMM adopts domains from the Cybersecurity Capability Maturity Model (C2M2), developed by the U.S. energy industry and first published in 2012. While the C2M2 acknowledged the importance of threat intelligence as a concept within overall cybersecurity posture, it did not specifically address the maturity of a dedicated threat intelligence program. However, the very first paper describing a maturity model for threat intelligence was published in the same year by the industry vendor Verisign. Thus, the origins of the CTI-CMM can be traced back to these two initiatives of the early 2010s. 

**Closing **

It's crucial for organizations to understand that aspiring to the highest level of CTI maturity is not always a practical goal. The intelligence program should focus on meeting the real needs of its users and stakeholders rather than seeking to hit a high score on an industry framework. An intelligence team with more resources may produce “better” intelligence and be more responsive. However, in a world of finite resources, those additional resources may be better spent in delivering “good enough” intelligence to teams that can use it well, rather than delivering the best intelligence to teams without the capacity or resources to effectively utilize the information. 

Ultimately, the Cyber Threat Intelligence Capability Maturity Model (CTI-CMM) provides an invaluable resource for organizations to assess and evolve their CTI capabilities. As threat intelligence solidifies its role as an indispensable component of cybersecurity strategy, maturity models tools will become not only the drivers for internal organizational growth but also key instruments for external entities to benchmark and compare organizations’ overall cybersecurity maturity.

Maturing the cyber threat intelligence program

Microsoft has released its monthly security update for September 2025, which includes 86 vulnerabilities affecting a range of products.

Tuesday, September 9, 2025 15:12

Microsoft has released its monthly security update for September 2025, which includes 86 vulnerabilities affecting a range of products.

In this month’s release, Microsoft observed none of the included vulnerabilities being exploited in the wild. However, there are eight vulnerabilities where exploitation may be likely. Five consist of elevation of privileges, two may result in information disclosure and only one, CVE-2025-54916, is a remote code execution (RCE) vulnerability.

CVE-2025-54916 is an RCE vulnerability caused by a stack-buffer overflow in Windows NTFS that allows an authorized attacker to execute code over the network. Microsoft has noted that this vulnerability affects different versions of Windows 10, 11, Server 2008, 2012, 2016, 2019, 2022 and 2025.

CVE-2025-54910 is an RCE vulnerability caused by a heap-based buffer overflow in Microsoft Office that allows an unauthorized attacker to execute code locally. This type of vulnerability is also known as Arbitrary Code Execution (ACE). Microsoft clarifies that the attack itself is carried out locally, and that the location of the attacker can be remote, but the vulnerability must be exploited locally. This vulnerability affects Microsoft 365 Apps, Office 2016, 2019 and LTSC 2021 and 2024. 

CVE-2025-54918 is an elevation of privilege (EoP) vulnerability caused by improper authentication in Windows NTLM that allows an authorized attacker to elevate privileges over a network to gain SYSTEM privileges. This vulnerability affects various versions of Windows including Windows 10, 11, Server 2008, 2012, 2016, 2019, 2022 and 2025.

CVE-2025-54101 is an RCE vulnerability caused by a use-after-free in Windows SMB v3 Client/Server that allows an authorized attacker to execute code over a network. Successful exploitation requires the attacker to win a race condition. This vulnerability affects various versions of Windows including Windows 10, 11, Server 2008, 2012, 2016, 2019 and 2022.

Two RCE vulnerabilities in DirectX Graphics kernel may result in remote code execution: CVE-2025-55226 and CVE-2025-55236. CVE-2025-55226 is caused by concurrent execution using a shared resource and improper synchronization in the Graphics Kernel allowing an authorized attacker to execute code locally. Microsoft also notes that this vulnerability requires an attacker to prepare the target environment to improve exploit reliability. This vulnerability affects various versions of Windows including Windows 10, 11, Server 2008, 2012, 2016, 2019, 2022 and 2025.

CVE-2025-55236 is a time-of-check time-of-use (toctou) race condition in the Graphics Kernel allowing an authorized attacker to execute locally. This vulnerability affects various versions of Windows including Windows 10, 11, Server 2019, 2022 and 2025.

Talos would also like to highlight the following important vulnerabilities as Microsoft has assessed that their exploitation is more likely:

CVE-2025-53803: Windows Kernel Memory Information Disclosure Vulnerability.

CVE-2025-53804: Windows Kernel-Mode Driver Information Disclosure Vulnerability.

CVE-2025-54093: Windows TCP/IP Driver Elevation of Privilege Vulnerability.

CVE-2025-54098: Windows Hyper-V Elevation of Privilege Vulnerability.

CVE-2025-54110: Windows Kernel Elevation of Privilege Vulnerability.

A complete list of all the other vulnerabilities Microsoft disclosed this month is available on its update page.

In response to these vulnerability disclosures, Talos is releasing a new Snort ruleset that detects attempts to exploit some of them. Please note that additional rules may be released at a future date, and current rules are subject to change pending additional information. Cisco Security Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Ruleset customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.   

Snort2 rules included in this release that protect against the exploitation of many of these vulnerabilities are: 65327 – 65334.

The following Snort3 rules are also available: 301310 – 301313.

Microsoft Patch Tuesday for September 2025 – Snort rules and prominent vulnerabilities

Explore lessons learned from over two years of Talos IR pre-ransomware engagements, highlighting the key security measures, indicators and recommendations that have proven effective in stopping ransomware attacks before they begin.

**Stopping ransomware before it starts: Lessons from Cisco Talos Incident Response**

Monday, September 8, 2025 06:00

*   Over the past two and a half years (January 2023 through June 2025), Cisco Talos Incident Response (Talos IR) has responded to numerous engagements that we classified as pre-ransomware incidents.
*   Talos looked back to analyze what key security measures were credited with deterring ransomware deployment in each pre-ransomware engagement, finding that the top two factors were swift engagement with the incident response team and rapid actioning of alerts from security solutions (predominantly within two hours of the alert).
*   We also classified almost two dozen observed pre-ransomware indicators in these engagements, as the top observed tactics provide insight into what malicious activity frequently preempts a more severe attack. Finally, we analyzed Talos IR’s most frequent recommendations to customers to ascertain common security gaps.
*   Aggregation of this data and the follow-on analysis is intended to provide actionable guidance that can assist organizations in improving their defenses against ransomware activity. 

**What characterizes an incident as “pre-ransomware?”  **

Talos IR associates specific adversary actions with pre-ransomware activity. When threat actors attempt to gain enterprise-level domain administrator access, they often conduct a series of account pivots and escalations, deploy command-and-control (C2) or other remote access solutions, harvest credentials and/or deploy automation to execute the modification of the OS. Though the specific tools or elements in the attack chain vary by adversary, Talos IR has seen these same classic steps in practice for years. These actions, along with observed indicators of compromise (IOCs) or tactics, techniques and procedures (TTPs) that we associate with known ransomware threats without the end result of enterprise-wide encryption, lead us to categorize an incident as “pre-ransomware.” 

It is worth noting that some of the above attack techniques are also often deployed by initial access brokers (IABs) who seek to gain and sell access to compromised systems, and it is possible some of the incidents involved in this case study could have therefore been perpetrated by IABs instead of ransomware operators. While it is often challenging to determine a threat actor’s end goal, we have high confidence that all incidents involved tactics are consistently seen preceding ransomware deployment. If the adversary was instead an IAB, we have seen these types of IAB campaigns very frequently result in a ransomware attack after access has been sold, rendering the activity relevant to this analysis.

**Key security actions and measures that deter ransomware deployment **

Talos analyzed incident response engagements spanning the past two and a half years that we categorized as pre-ransomware attacks, identifying actions and security measures that we assessed were key in halting adversaries’ attack chains before encryption. An overview of our findings can be found in Figure 1, followed by a more thorough breakdown of each category to explore exactly how certain actions impeded ransomware execution.

Figure 1. Pie chart of factors hindering ransomware deployment.

**Swift engagement of Talos IR **

Engaging Talos IR within one to two days of first observed adversary activity (though we advise engagement as quickly as possible) was credited with preventing a more serious ransomware attack in approximately a third of engagements, providing benefits such as: 

*   **Extensive knowledge of the threat landscape:** In multiple engagements, Talos IR was able to correlate TTPs and IOCs on customers’ networks with other ransomware and pre-ransomware engagements we had responded to, identifying when the infection was part of a larger, widespread campaign. This insight helped Talos IR anticipate and intercept adversaries’ next steps as well as provide customers additional IOCs to block that were seen in other engagements.
*   **Actionable recommendations for isolation and remediation:** In some engagements, the customers quickly acted on Talos’ pre-ransomware security guide, which Talos IR assessed prevented more catastrophic events.
*   **Enhanced monitoring:** The Cisco Extended Detection and Response (Cisco XDR) team can provide extra vigilance in their monitoring after containment of the pre-ransomware threat to ensure full eradication.

We observed numerous incidents where Talos IR was not engaged by the customer immediately, which enabled the adversary to continue working through their attack chain and conduct data theft and/or ransomware deployment. This often results in consequences such as backup files being corrupted or encrypted, endpoint detection and response (EDR) and other security tools being disabled, disruption to day-to-day operations and more.

**EDR/MDR alert prompted security teams’ rapid containment **

Vigilant monitoring of security solutions and logs allows network administrators to act quickly when a threat is first detected, isolate the malicious activity and cut off threat actors’ ability to escalate their attack. In our case study, action from the security team within two hours of an alert from the organization’s EDR or managed detection and response (MDR) solution correlated with successful isolation of the threat in almost a third of engagements. Some of the observed alerts that prompted swift response in pre-ransomware engagements included, amongst others:

*   Attempted connections to blocked domains  
*   Brute force activity  
*   PowerShell download cradle  
*   Deviations from expected baseline activity as determined by the organization 
*   Newly created domain administrator accounts  
*   Successful connections to an unknown, outside public IP addresses  
*   Reconnaissance activity, including shell access and user discovery commands such as whoami
*   Modification of multi-factor authentication (MFA) tooling to provide bypass tokens 
*   Modification of an account to be exempt from MFA requirements

**USG and/or other partners notified on ransomware staging **

In almost 15 percent of engagements, targeted organizations were able to get ahead of the threat to their environment due to notification from U.S. government (USG) partners and representatives of their managed service provider (MSP) about possible ransomware staging in their environment. In particular, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) has launched an initiative to provide early warnings about potential ransomware attacks, aiming to help organizations detect threats and evict actors before significant damage occurs. CISA’s intelligence predominately derives from their partnerships with the cybersecurity research community, infrastructure providers and cyber threat intelligence companies.

**Security solutions configured to block and quarantine malicious activity  **

In over 10 percent of Talos IR engagements, customers’ security solutions actively blocked and/or quarantined malicious executables, effectively stopping adversaries’ attack chains in their tracks.  

Talos often observes organizations deploying endpoint protection technology in a passive manner, meaning the product is producing alerts to the user but not taking other actions. This configuration puts organizations at unnecessary risk, and Talos IR has responded to multiple engagements where passive deployment enabled threat actors to execute malware, including ransomware. A more aggressive configuration impeded ransomware deployment in this case study, underscoring its importance. 

**Robust security restrictions prevented access to key resources  **

Based on our analysis, organizations’ robust security restrictions were key in impeding ransomware actors’ attack chains in nine percent of engagements. For example, in one engagement, the threat actors compromised a service account at the targeted organization, but appropriate privilege restrictions on the account prevented their attempts to access key systems like domain controllers.   

Also of note, organizations who implemented thorough logging and/or had a SIEM in place to aggregate event data were able to provide Talos with forensic visibility to determine the exact chain of events and where additional security measures could be implemented. When an organization lacks these records, it can be challenging to identify the precise security weaknesses that enabled threat activity.

**Most observed pre-ransomware indicators **

Upon categorizing TTPs observed in this case study per the MITRE ATT&CK framework, Talos found that the following in Figure 2 were most frequently seen across engagements.

Figure 2. Prevalence of pre-ransomware TTPs.

We dove deeper into some of the top attack techniques and found the following:  

*   Remote Services: Talos IR frequently saw remote services such as RDP, PsExec and PowerShell leveraged by adversaries.  
*   Remote Access Software: Frequently seen remote access software included AnyDesk, Atera, Microsoft Quick Assist and Splashtop.  
*   OS Credential Dumping: Top observed credential dumping techniques/locations included the domain controller registry, the SAM registry hive, AD Explorer, LSASS and NTDS.DIT. Mimikatz was also frequently used. 
*   Network Service Discovery: Top observed tools and commands used for network service discovery included netscan, nltest and netview.

The top observed TTPs serve as a reminder to security teams on what malicious activity often preempts a more severe attack. For example, prioritizing moderating the use of remote services and remote access software and/or securing the aforementioned credential stores could assist in limiting the majority of adversaries seen in these pre-ransomware engagements.

**Observed security gaps and prevalent Talos IR recommendations **

Talos IR crafts security recommendations for customers in each incident upon analyzing the environment and the adversary’s attack chain to help address any existing security weaknesses. Our most frequent recommendations include:  

1.  Bring all operating systems and software patching up to date.
2.  Store backups offline.
3.  Configure security solutions to permit only proven benign applications to launch and prevent the installation of unexpected software.
4.  Require MFA on all critical services, including remote access and identity access management (IAM) services, and monitor for MFA misuse.
5.  Deploy Sysmon for enhanced endpoint visibility and logging.
6.  Implement meaningful firewall rules for both inbound and outbound traffic to block unwanted protocols from being able to be used by adversaries as part of their C2 or data exfiltration actions.
7.  Implement robust network segmentation to minimize lateral movement and reduce the attack surface, ensuring valuable assets such as domain controllers do not connect directly to the internet aside from critical functions.
8.  Establish or intensify end-user cybersecurity training on social engineering tactics, including coverage of recently popularized attacks such as MFA fatigue attacks and actor-in-the-middle token phishing attacks.

Stopping ransomware before it starts: Lessons from Cisco Talos Incident Response

Bill takes thoughtful look at the transition from summer camp to grind season, explores the importance of mental health and reflects on AI psychiatry.

Thursday, September 4, 2025 14:02

Welcome to this week’s edition of the Threat Source newsletter. 

_This is the way the world ends_   
_This is the way the world ends_   
_This is the way the world ends_   
_Not with a bang but a whimper._ – T.S. Eliot 

So this is how Summer Camp 2025 ends, not with a bang but a whimper. We’ve put the summer behind us and are moving on to the next phase of the year, where we all put our noses down and grind from here to the holiday season. Happy Grind Season 2025.

As you know, threat research never takes a day off, but I’m going to step in and remind you all to look at your calendars. Decide, here and now, to take some time before that holiday season so that you can take care of your mental health, because mental health _is_ health.

This is doubly important if you lead a team of people. Take a minute and make sure that they are going to do the same. Ensure your entire team is taking care of themselves. In the end, you will all be better for it. 

Since we are on the subject of mental health, I don’t know if anyone else has read this paper (Psychopathia Machinalis: A Nosological Framework for Understanding Pathologies in Advanced Artificial Intelligence), but I found it truly fascinating. It’s one of the things we, as security practitioners, need to be cognizant of as we go forward with our AI tooling and efforts to protect against AI threats.  

_"As artificial intelligence (AI) systems attain greater autonomy and complex environmental interactions, they begin to exhibit behavioral anomalies that, by analogy, resemble psychopathologies observed in humans."_  

The behavior of an evolving AI, and the psychosis it could present, is a touch-point to the long-standing problematic internal employee. This creates an interesting dynamic for defense and strategies within the evolving internal landscape.  

I think understanding this presented framework can go a long way in identifying the types of behaviors that lead to malicious activity — not unlike understanding employee behavior. Stay ahead of the curve and prepare for not only a hallucinated package from an internal AI tool but perhaps a revelation that leads to new and interesting malicious behaviors.

**The one big thing **

In the latest episode of The Talos Threat Perspective, we explore three vulnerabilities that Talos researchers uncovered (and helped to fix) this year which highlight how attackers are pushing past the boundaries defenders rely on. One lived in the security chip within Dell laptops’ firmware, another in Microsoft Office for macOS permissions and the third in small office/home routers. 

**Why do I care? **

These aren’t just isolated issues. The Dell vulnerability showed that even a clean Windows reinstall isn’t always enough to kick out an attacker. The Office for macOS issue demonstrated how adversaries can “borrow” sensitive permissions like microphone access from trusted apps. And compromised routers allowed attackers to blend in with legitimate ISP traffic, making malicious connections hard to spot. Each case reveals current attacker creativity levels. 

**So now what? **

Take a closer look at the research:

*   Watch the full Talos Threat Perspective episode here: TTP Ep14: Persistence, Privilege & Camouflage 
*   Read Philippe’s blog on the Dell firmware vulnerabilities: Revault: When your SOC turns against you

**Top security headlines of the week **

**TransUnion says hackers stole 4.4 million customers’ personal information**   
TransUnion is one of the largest credit reporting agencies in the United States, and stores the financial data of more than 260 million Americans. They confirmed that the stolen PII includes customers’ names, dates of birth, and Social Security numbers. (TechCrunch) 

**Google warns that mass data theft hitting Salesloft AI agent has grown bigger**   
Google is advising users of the Salesloft Drift AI chat agent to consider all security tokens connected to the platform compromised following the discovery that unknown attackers used some of the credentials to access email from Google Workspace accounts. (Ars Technica) 

**High-severity vulnerability in Passwordstate credential manager**    
Passwordstate is urging companies to promptly install an update fixing a high-severity vulnerability that hackers can exploit to gain administrative access to their vaults. (Ars Technica) 

**JSON config file leaks Azure ActiveDirectory credentials**   
A publicly accessible configuration file for ASP.NET Core applications has been leaking credentials for Azure ActiveDirectory (AD), potentially allowing cyberattackers to authenticate directly via Microsoft's OAuth 2.0 endpoints and infiltrate Azure cloud environments. (Dark Reading)

**WhatsApp zero-day exploited in attacks targeting Apple users**   
Tracked as CVE-2025-55177 (CVSS score of 5.4), an attacker could have exploited the issue to trigger the processing of content from arbitrary URLs, on the victims’ devices, WhatsApp’s advisory reads. (SecurityWeek)

**Can’t get enough Talos?**

**Cisco: 10 years protecting Black Hat**   
Cisco works with other official providers to bring the hardware, software and engineers to build and secure the Black Hat USA network: Arista, Corelight, Lumen, and Palo Alto Networks.

**Tales from the Black Hat NOC**   
How do you build and defend a network where attacks are not just expected, but a part of the curriculum? Hazel sits down with Jessica Oppenheimer to learn more.

**Static Tundra exposed**   
A Russian state-sponsored group, Static Tundra, is exploiting an old Cisco IOS vulnerability to compromise unpatched network devices worldwide.

**Upcoming events where you can find Talos **

*   BlueTeamCon (Sept. 4 – 7) Chicago, IL 
*   LABScon (Sept. 17 – 20) Scottsdale, AZ 
*   VB2025 (Sept. 24 – 26) Berlin, Germany

**Most prevalent malware files from Talos telemetry over the past week **

**SHA 256: 41f14d86bcaf8e949160ee2731802523e0c76fea87adf00ee7fe9567c3cec610**  
MD5: 85bbddc502f7b10871621fd460243fbc  
VirusTotal: https://www.virustotal.com/gui/file/41f14d86bcaf8e949160ee2731802523e0c76fea87adf00ee7fe9567c3cec610/details  
Typical Filename: N/A  
Claimed Product: Self-extracting archive  
Detection Name: Win.Worm.Bitmin-9847045-0 

**SHA 256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507**     
MD5: 2915b3f8b703eb744fc54c81f4a9c67f     
VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507    
Typical Filename: VID001.exe     
Claimed Product: N/A     
Detection Name: Win.Worm.Coinminer::1201  

**SHA 256: c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0**    
MD5: 8c69830a50fb85d8a794fa46643493b2     
VirusTotal: https://www.virustotal.com/gui/file/c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0   
Typical Filename: AAct.exe     
Claimed Product: N/A     
Detection Name: PUA.Win.Dropper.Generic::1201 

**SHA 256: 186aa2c281ca7bb699ce0b48240b7559a9ac5b0ba260fb78b81ec53249548f62**   
MD5: bfc168a01a2b0f3cd11bf4bccd5e84a1   
VirusTotal: https://www.virustotal.com/gui/file/186aa2c281ca7bb699ce0b48240b7559a9ac5b0ba260fb78b81ec53249548f62   
Typical Filename: PDFSkills\_Updater.exe   
Claimed Product: PDF Skills   
Detection Name: Win64.Application.Agent.W2MG0A 

**SHA 256: 83748e8d6f6765881f81c36efacad93c20f3296be3ff4a56f48c6aa2dcd3ac08**    
MD5: 906282640ae3088481d19561c55025e4    
VirusTotal: https://www.virustotal.com/gui/file/83748e8d6f6765881f81c36efacad93c20f3296be3ff4a56f48c6aa2dcd3ac08    
Typical Filename: AAct\_x64.exe    
Claimed Product: N/A    
Detection Name: PUA.Win.Tool.Winactivator::1201

From summer camp to grind season

This week, Joe encourages you to find your community in cybersecurity and make the effort to grow, network and hack stuff together.

Thursday, August 28, 2025 14:00

Welcome to this week’s edition of the Threat Source newsletter. 

As summer retreats into the rear-view mirror, I’d like to take a moment to reflect on one of my favorite things about the cybersecurity profession: the community. Earlier this month, I attended Black Hat USA 2025 and DEF CON 33 in scalding hot Las Vegas, NV. We often refer to it as “hacker summer camp,” where all the security nerds of various stripes congregate to eat, drink, party, hack and reforge or make new bonds of fellowship with other awesome hackers. Hacker summer camp is, simply put, a whirlwind of activity, from the talks to see, villages to visit, parties to attend, and knowledge to gain. In 5 days, I think I walked almost 30 miles. By the end I was exhausted, but happy to have learned so much and see many of my hacker friends. 

For all the fun and learning you can have at summer camp, it's a very privileged position to be able to attend. Las Vegas is not a cheap town. Hotels, flights and food — everything, really — is more expensive than average. A Black Hat badge is $1,000+, and DEF CON $500+. If you’re new to this space and early in your career, or your company doesn’t have the money to send you, the FOMO can be real. Earlier in my career, getting the opportunity to visit hacker summer camp — either with my company covering my costs or me paying out of pocket — wasn’t going to happen.  

I bring this up not to flex that I went to BH/DEF CON, but to tell you that as good as those conferences are, there is _so much more__._ Do not be daunted by what is inaccessible but know that there are other conferences out there for like-minded hackers who want to learn and share knowledge with you, wherever you are in the world. Are you in high school? I promise you there are clubs and organizations there to help you. College? There are student clubs and organizations there that will welcome you. And if you’re looking for projects and contests, there are quite a few out there. And hackathons? I got you covered, fam. 

It’s also important to know that there are smaller information security conferences around the world. Perhaps the most popular and usually super local is Bsides. Check them out — their website has a calendar that might have one local to you.  

Infosec is as much a calling as it is a career. You were drawn to this space for a reason — and finding friends and colleagues who match your vibe is important to both grow as a human, but also to maintain a healthy relationship with this industry, especially one that’s notoriously capable of burning you out. We as humans are social creatures, and we need social interaction, even if it’s limited doses (I see you, introverts). Our professions are a natural magnet to pull others into our orbit. I can tell you so many of the things that I consider personal career milestones happened because I talked with fellow security practitioners over drinks or a meal, and something truly wonderful happened.  

So go find your people, lean into the things you are a total security nerd about, and enjoy the fellowship and growth. You’ll be all the better for it.

**The one big thing **

Last week, Talos shared that ransomware attacks in Japan surged by about 1.4 times in the first half of 2025, with small and medium-sized companies (especially manufacturing) being the hardest hit. The Qilin group was the most active, and a new player, "Kawa4096," also began targeting Japanese businesses. Even though some major ransomware groups were shut down, new threats are quickly taking their place. 

**Why do I care? **

The ransomware landscape is always changing, and it often highlights vulnerabilities in small and mid-sized businesses in critical industries like manufacturing. With new ransomware groups like Kawa4096 emerging and techniques evolving, the risks are growing, and attackers are finding new ways to target organizations that may not have strong defenses.

**So now what? **

While small- to mid-size manufacturing companies are the most targeted in Japan, it’s important for all businesses to stay updated on threats, invest in cybersecurity, and train their teams to spot suspicious activity. ClamAV detections are also available in the blog.

**Top security headlines of the week **

**Organizations warned of exploited Git vulnerability**   
The US cybersecurity agency CISA on Monday warned that the flaw, tracked as CVE-2025-48384 (CVSS score of 8.1), is an arbitrary file write during the cloning of repositories with submodules that use a ‘recursive’ flag. (SecurityWeek) 

**CISA updates SBOM recommendations**   
The document is primarily meant for federal agencies, but CISA hopes businesses will also use it to push vendors for software bills of materials. (Cybersecurity Dive) 

**AI-powered ransomware: "PromptLock”**   
Although it has not yet been observed in active cyberattacks, the researchers said the PromptLock ransomware appears to be under development and nearly ready to be unleashed onto the threat landscape. (Dark Reading) 

**Credential harvesting campaign targets ScreenConnect cloud administrators**   
The campaign uses compromised Amazon Simple Email Service accounts to spear-phish senior IT administrators who have elevated privileges in ScreenConnect environments. (Cybersecurity Dive) 

**Security researcher maps hundreds of TeslaMate servers spilling Tesla vehicle data**   
A security researcher has found over a thousand publicly exposed hobby servers run by Tesla vehicle owners that are spilling sensitive data about their vehicles, including their granular location histories. (TechCrunch)

**Can’t get enough Talos? **

*   **State of Identity Security Report**   
    Cisco Duo’s global survey of 650 Security & Data Ops leaders shows where orgs succeed, and where they’re exposed. Download the full report now. 
*   **Static Tundra exposed**   
    A Russian state-sponsored group, Static Tundra, is exploiting an old Cisco IOS vulnerability to compromise unpatched network devices worldwide.

**Upcoming events where you can find Talos **

*   BlueTeamCon (Sept. 4 – 7) Chicago, IL 
*   LABScon (Sept. 17 – 20) Scottsdale, AZ 
*   VB2025 (Sept. 24 – 26) Berlin, Germany 

**Most prevalent malware files from Talos telemetry over the past week **

**SHA 256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507**    
MD5: 2915b3f8b703eb744fc54c81f4a9c67f    
VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507    
Typical Filename: VID001.exe    
Claimed Product: N/A    
Detection Name: Win.Worm.Coinminer::1201 

**SHA 256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91**      
MD5: 7bdbd180c081fa63ca94f9c22c457376      
VirusTotal: https://www.virustotal.com/gui/file/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91/details    
Typical Filename: IMG001.exe     
Claimed Product: N/A    
Detection Name: Simple\_Custom\_Detection 

**SHA256: 47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca**     
MD5: 71fea034b422e4a17ebb06022532fdde      
VirusTotal: https://www.virustotal.com/gui/file/47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca/details   
Typical Filename: VID001.exe      
Claimed Product: N/A      
Detection Name: Coinminer:MBT.26mw.in14.Talos

Link up, lift up, level up

Cisco Talos’ Vulnerability Discovery & Research team recently disclosed ten vulnerabilities in BioSig Libbiosig, nine in Tenda AC6 Router, eight in SAIL, two in PDF-XChange Editor, and one in a Foxit PDF Reader.
The vulnerabilities mentioned in this blog post have been patched by their respective vendors, all in

Cisco Talos’ Vulnerability Discovery & Research team recently disclosed ten vulnerabilities in BioSig Libbiosig, nine in Tenda AC6 Router, eight in SAIL, two in PDF-XChange Editor, and one in a Foxit PDF Reader.

The vulnerabilities mentioned in this blog post have been patched by their respective vendors, all in adherence to Cisco’s third-party vulnerability disclosure policy.    

For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website.     

****Libbiosig vulnerabilities****

_Discovered by Mark Bereza and Lilith >\_> of Cisco Talos._

BioSig is an open source software library for biomedical signal processing. The aim of the BioSig project is to foster research in biomedical signal processing by providing free and open source software tools for many different application areas. BioSig for C/C++ provides command line tools for data conversion, a library to access a number of data formats (libbiosig), and some experimental code for network transfer of biosignal data.

Talos discovered ten vulnerabilities in libbiosig, affecting both version 3.9.0 of the stable release and the latest commit on the Master Branch at the time of disclosure to the vendor, grouped here by vulnerability type:

Integer overflow:

*   TALOS-2025-2231 (CVE-2025-53518) exists in the ABF parsing functionality. A specially crafted ABF file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability.
*   TALOS-2025-2233 (CVE-2025-52581) exists in the GDF parsing functionality. A specially crafted GDF file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability.

Stack-based buffer overflow:

*   TALOS-2025-2234 (CVE-2025-54480-54494) and TALOS-2025-2236 (CVE-2025-46411) exist in the MFER parsing functionality. A specially crafted MFER file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability.

Heap-based buffer overflow:

*   TALOS-2025-2232 (CVE-2025-53853) exists in the ISHNE parsing functionality. A specially crafted ISHNE ECG annotations file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability.
*   TALOS-2025-2235 (CVE-2025-53557) and TALOS-2025-2237 (CVE-2025-53511) exist in the MFER parsing functionality. A specially crafted MFER file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability. 
*   TALOS-2025-2239 (CVE-2025-54462) exists in the Nex parsing functionality. A specially crafted .nex file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability.
*   TALOS-2025-2240 (CVE-2025-48005) exists in the RHS2000 parsing functionality. A specially crafted RHS2000 file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability.

Out-of-bounds read:

*   TALOS-2025-2238 (CVE-2025-52461) exists in the Nex parsing functionality. A specially crafted .nex file can lead to an information leak. An attacker can provide a malicious file to trigger this vulnerability.

****Tenda vulnerabilities****

_Discovered by Lilith >\_> of Cisco Talos._

The Tenda AC6 is a popular and affordable dual-band gigabit WiFi Router available online, especially on Amazon. All vulnerabilities were found in Tenda AC6 V5.0 V02.03.01.110.

TALOS-2025-2161 (CVE-2025-31355) is a firmware update vulnerability in the Firmware Signature Validation functionality of Tenda. A specially crafted malicious file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability.

Two unencrypted transmission of credentials vulnerabilities were found: TALOS-2025-2162 (CVE-2025-27564) exists in the web portal authentication functionality, while TALOS-2025-2167 (CVE-2025-31646) is in the Session Authentication Cookie functionality. Specially crafted network packets can lead to arbitrary authentication or authentication bypass, respectively. An attacker can sniff network traffic to trigger these vulnerabilities.

TALOS-2025-2163 (CVE-2025-24322) is an unsafe default authentication vulnerability in the Initial Setup Authentication functionality of Tenda. A specially crafted network request can lead to arbitrary code execution. An attacker can browse to the device to trigger this vulnerability.

TALOS-2025-2164 (CVE-2025-24496) is an information disclosure vulnerability in the /goform/getproductInfo functionality of Tenda. Specially crafted network packets can lead to a disclosure of sensitive information. An attacker can send packets to trigger this vulnerability.

TALOS-2025-2165 (CVE-2025-27129) is an authentication bypass vulnerability in the HTTP authentication functionality of Tenda. A specially crafted HTTP request can lead to arbitrary code execution. An attacker can send packets to trigger this vulnerability.

TALOS-2025-2166 (CVE-2025-30256) is a denial of service vulnerability in the HTTP Header Parsing functionality of Tenda. A specially crafted series of HTTP requests can lead to a reboot. An attacker can send multiple network packets to trigger this vulnerability.

TALOS-2025-2168 (CVE-2025-32010) is a stack-based buffer overflow vulnerability in the Cloud API functionality of Tenda. A specially crafted HTTP response can lead to arbitrary code execution. An attacker can send an HTTP response to trigger this vulnerability.

TALOS-2025-2178 (CVE-2025-31143) is a cleartext transmission vulnerability that exists in the Tenda App Router Authentication functionality of Tenda. An attacker can send information gleaned from sniffing network traffic to trigger this vulnerability, which can lead to arbitrary authentication.

****SAIL vulnerabilities****

_Discovered by a member of Cisco Talos._

SAIL is a format-agnostic image decoding library supporting all popular image formats. It provides a C/C++ API for end-users and works on Windows, macOS, and Linux platforms.

Talos found eight memory corruption vulnerabilities in SAIL Image Decoding Library v0.9.8.

TALOS-2025-2215 (CVE-2025-46407) exists in the BMPv3 Palette Decoding functionality. When loading a specially crafted .bmp file, an integer overflow can be made to occur which will cause a heap-based buffer to overflow when reading the palette from the image. These conditions can allow for remote code execution. An attacker will need to convince the library to read a file to trigger this vulnerability.

TALOS-2025-2216 (CVE-2025-32468) exists in the BMPv3 Image Decoding functionality. When loading a specially crafted .bmp file, an integer overflow can be made to occur when calculating the stride for decoding. Afterwards, this will cause a heap-based buffer to overflow when decoding the image which can lead to remote code execution. An attacker will need to convince the library to read a file to trigger this vulnerability.

TALOS-2025-2217 (CVE-2025-35984) exists in the PCX Image Decoding functionality. When decoding the image data from a specially crafted .pcx file, a heap-based buffer overflow can occur which allows for remote code execution. An attacker will need to convince the library to read a file to trigger this vulnerability.

TALOS-2025-2218 (CVE-2025-53510) exists in the PSD Image Decoding functionality. When loading a specially crafted .psd file, an integer overflow can be made to occur when calculating the stride for decoding. Afterwards, this will cause a heap-based buffer to overflow when decoding the image which can lead to remote code execution. An attacker will need to convince the library to read a file to trigger this vulnerability.

TALOS-2025-2219 (CVE-2025-53085) exists in the PSD RLE Decoding functionality. When decompressing the image data from a specially crafted .psd file, a heap-based buffer overflow can occur which allows for remote code execution. An attacker will need to convince the library to read a file to trigger this vulnerability.

TALOS-2025-2220 (CVE-2025-50129) exists in the PCX Image Decoding functionality. When decoding the image data from a specially crafted .tga file, a heap-based buffer overflow can occur which allows for remote code execution. An attacker will need to convince the library to read a file to trigger this vulnerability.

TALOS-2025-2221 (CVE-2025-52930) exists in the BMPv3 RLE Decoding functionality. When decompressing the image data from a specially crafted .bmp file, a heap-based buffer overflow can occur which allows for remote code execution. An attacker will need to convince the library to read a file to trigger this vulnerability.

TALOS-2025-2224 (CVE-2025-52456) exists in the WebP Image Decoding functionality. When loading a specially crafted .webp animation an integer overflow can be made to occur when calculating the stride for decoding. Afterwards, this will cause a heap-based buffer to overflow when decoding the image which can lead to remote code execution. An attacker will need to convince the library to read a file to trigger this vulnerability.

****PDF-XChange out-of-bounds read vulnerabilities****

_Discovered by KPC of Cisco Talos._

PDF-XChange Editor allows the creation, editing, manipulation, and conversion of PDF files, conforming to international ISO specifications for PDF files.

TALOS-2025-2171 (CVE-2025-27931) and TALOS-2025-2203 (CVE-2025-47152) are out-of-bounds read vulnerabilities in the EMF functionality of PDF-XChange Editor version 10.5.2.395. By using a specially crafted EMF file, an attacker could exploit these vulnerabilities to perform an out-of-bounds read, potentially leading to the disclosure of sensitive information.

****Foxit memory corruption vulnerability****

_Discovered by KPC of Cisco Talos._

Foxit PDF Reader is a popular free program for viewing, creating, and editing PDF documents. It is commonly used as an alternative to Adobe Acrobat Reader and has a widely used browser plugin available.

TALOS-2025-2202 (CVE-2025-32451) is a memory corruption vulnerability in Foxit Reader 2025.1.0.27937. A specially crafted Javascript code inside a malicious PDF document can trigger this vulnerability, which can lead to memory corruption and result in arbitrary code execution. An attacker needs to trick the user into opening the malicious file to trigger this vulnerability. Exploitation is also possible if a user visits a specially crafted, malicious site if the browser plugin extension is enabled.