This blog offers practical strategies, creative defenses, and talent management advice to help your business stay secure when every dollar counts.

Wednesday, October 29, 2025 06:00

*   During economic uncertainty, businesses face the challenge of maintaining strong cybersecurity while managing tightened budgets.  
*   Cyber threats can become more numerous, motivated, and persistent during economic downturns, making the need for resilient, cost-effective security measures critical.  
*   This blog shares practical strategies to help absorb budget cuts while minimizing the damage to an organization’s cybersecurity posture. 

**Learning from history **

As many seasoned industry professionals remember, 2008 – 2010 was a tough time for the tech industry as well as the larger U.S. economy. During the Great Recession, unemployment rose as high as 10%, and IT and cybersecurity budgets were certainly not spared. During the 2020 COVID-19 crisis, the need for tech workers and larger IT budgets to support remote work was so strong that it outweighed the global economic slowdown. As a result, many new IT professionals never experienced what a real recession feels like. 

The FBI noted a 22.3% increase in cybercrime complaint submissions from 2008 – 2009, which some attributed in part to unemployed, financially desperate tech workers turning their skillsets to crime. At that time, threat actors mostly targeted individuals in the form of scams, fraud, and other crimes. In today’s environment, a similar economic downturn could easily lead to a surge in the number and talent of ransomware operators. 

Why? Unlike in the Great Recession, most corporate networks are now remote- or hybrid-enabled by default. While nothing about a network’s attack surface would inherently change due to an economic downturn, any increase in the number and skill level of attackers, decrease in the number and skill of defenders, or decrease in the quality of security measures could have devastating consequences for the IT environment owner.

**Defend legacy hardware/software **

As was painfully highlighted in recent years by Salt Typhoon incursions into telecommunications networks, working with legacy hardware and software is a risk many businesses take. As belts tighten during an economic downturn, cybersecurity budgets will decrease, and many businesses will inevitably need to postpone technology upgrades beyond end of life. While this introduces risk, there are a few solid strategies to mitigate that risk. 

**Defense in depth and zero trust **

While these terms were both solid contenders for the No. 1 Sales Buzzword of 2023, they reflect a valuable underlying principle: Assume the adversary is going to gain a foothold and architect accordingly.  

If a business must continue to use 40% legacy firewalls and only has budget to replace 60%, those legacy firewalls should be positioned in the interior of the network versus on the perimeter and logically separated so an adversary cannot “island-hop” from one to the next using the same vulnerability. If a legacy server must be positioned in a public-facing location, it should be placed in a tightly-controlled DMZ where compromise of that server would not lead to further network intrusion. 

No breach is desirable, but you can minimize the potential for lateral movement. 

**Lock down unnecessary functionality **

Many vulnerable applications and systems are targeted via plugins or extra features that an organization isn’t even using. The classic example is a webserver with an abandoned WordPress plugin that later is discovered to be vulnerable. Another example is the SSH login method on a VMWare ESXi hypervisor — an organization may accidentally leave this enabled and allow an adversary to log in as root.  

For vulnerable systems and software, it is critical to review what is strictly necessary for it to operate and disable all other functionalities. This is an important part of attack surface reduction.

**Optimize open- and closed-source software **

While closed-source commercial security tools usually offer the easiest setup and best overall experience, transitioning a budget-constrained organization to a blend of commercial and open-source software may be the right answer for maximum efficacy. Here are some rules of thumb for selection. 

**Open source **

Open-source software excels when the product does not depend on frequent updates or detailed technical support. Initial setup may be involved and challenging, but financial savings can be significant. A good current example is the Zeek network security monitor, which is not a standalone security product but significantly enhances network-based detection capabilities. An open-source SIEM solution that may be suitable for smaller businesses is Security Onion. 

**Closed source/commercial **

For solutions that depend on frequent updates, particularly time-sensitive signature/definition updates, commercial security solutions are the only answer. This primarily includes endpoint detection and response (EDR)/antivirus (AV), firewall, and DNS security solutions. Recognizing that this is a mandatory expenditure will help solidify planning for other areas of cost savings.

**Configure what you already have **

For organizations that don’t have the budget for new security systems, making the most of what you already have can go a long way to ensure that basic level of security and hardening is applied. For further information beyond what is reflected below, consider reading this paper on practical security measures for small and/or budget-constrained organizations. 

**EDR and antivirus tuning **

Review configuration and policy settings for your existing security investments like AV or EDR solutions. Optimizing them is an easy way to increase security for free. Revisit any policies that were not recently reviewed. Simple configuration changes like turning on heuristic scanning in the AV software can help to catch threats that haven’t been seen before or use more advanced methods of compromise. During the AV/EDR review, checking the exclusions list is always a good idea. As an extreme example that Talos IR has unfortunately seen during incident response, having the whole C: drive excluded prevents any detections at all. Exclusions should be targeted and precise.

**Windows domain and cloud policies **

Another powerful, albeit time-consuming, security measure is to optimize Windows domain policies and configurations to help protect the organization. Windows Security baselines, published by Microsoft, are a great starting point. Policy settings like enforcing strong passwords, limiting admin access, and disabling unnecessary features can help tighten security without spending extra money. The CIS also recently published an extensive guide on Active Directory and GPM configuration best practices. For cloud environments, CISA’s SCuBA program offers excellent configuration security guidance.  

**PowerShell hardening  **

Locking down PowerShell so only trusted users can run it, or setting it to a restricted mode, makes it much harder for attackers to use it against you. The newest versions of PowerShell provide excellent controls, allowing your team to restrict access, limit which scripts can be executed, and configure other granular restrictions, which will help ensure that even if a malicious PowerShell script lands somewhere in the environment, the hardened configuration of PowerShell will limit its functionality.  

**Executable neutering **

Various tricks to prevent executables from running by default can be surprisingly effective. For example, changing the default program for opening .js files to Notepad stops these scripts from running. These small changes may seem simple, but together they can create strong layers of defense. For organizations with limited resources, these tweaks can make a big difference in reducing risk without breaking the bank. The following is a very simple PowerShell script which will ensure that malware on unsuspecting user systems is treated as a text file. Of course, these suggestions should be tested and modified to ensure that they do not impair valid enterprise functions.

\# List of dangerous file extensions to associate with Notepad 
$extensions = @(".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".ps1", ".cmd", ".bat", ".hta", ".scr") 
foreach ($ext in $extensions) { 
    try { 
        $assoc = New-Object -ComObject WScript.Shell 
        $assoc.RegWrite("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\$ext\\UserChoice\\Progid", "Applications\\notepad.exe", "REG\_SZ") 
        Write-Host "Set $ext to open with Notepad" 
    } 
    catch { 
        Write-Warning "Failed to set $ext: $\_" 
    } 
} 

_Figure 1: Sample script to neuter executables._

**Logging and alerting optimization **

Assuming you have the storage space, optimizing logging and alerting is a cheap way to improve network security when a breach is likely. A good understanding of which systems are legacy and therefore vulnerable is an excellent starting point — prioritizing visibility on those systems is key.  

**Canaries and decoys **

Thoughtful placement of canary tokens, decoy/honey accounts, and other creative countermeasures on vulnerable systems are other mechanisms to quickly detect and shut down an adversary in the network. This is especially important when you start with the assumption that you will be breached at some point due to vulnerable systems or software. 

**Firewalls and network filtering **

The majority of organizations have firewalls and network boundary devices deployed across their infrastructure. Tuning these devices to filter high ports and allow for common ports like 80/443 outbound while restricting access to unnecessary services results in the disruption of many command-and-control malware channels, which often try to evade detection by using high ports for communication.

**Doing more with less staffing **

An ISC2 survey showed that 24% of cybersecurity departments faced layoffs in 2024, a trend which seems to be continuing into 2025. This was not due to a surplus of cybersecurity staffing. 67% of respondents also agreed that they no longer had the staff to meet their goals. In an economic downturn, this situation would only worsen. It is therefore important to consider how to use the remaining personnel budget as effectively as possible. 

**Attract and retain high-quality people **

Recent developments have virtually guaranteed a future shortage of skilled mid-career cybersecurity professionals. First, the glut of cybersecurity talent on the market due to recent layoffs have led to many mid-career professionals taking entry-level jobs. Second, the advent of generative AI has led many organizations to reduce their hiring of entry-level professionals. These two factors have created an extremely hostile environment for recent graduates from cybersecurity educational programs. The authors of this post have personally observed several promising students graduate with cybersecurity degrees and ultimately pivot to unrelated fields due to the lack of opportunity. Unless gen AI advancements truly replace cybersecurity professionals, the current entry-level pipeline collapse may well lead to a shortage of skilled mid-career professionals in the next 5 – 10 years as the replacement rate drops below the rate of retirement and general attrition. 

With that in mind, forward-thinking organizations should take care to attract above-average, early-to-mid career talent and make every effort to train and retain them. It is currently a strong employers’ market, and forward investment now may result in relatively cheap, seasoned employees in the future when the pendulum swings back. 

**Quality specialist partners **

In a budget-constrained environment, having a strong relationship with on-demand cybersecurity consultants can be a form of leverage, providing tremendous benefit at a relatively cheap cost. If an organization is large enough to experience a significant cybersecurity incident every week, it would make sense to fully staff an in-house incident response team. However, for most organizations that only experience a few incidents per year, it makes good financial sense to employ a team of cybersecurity generalists and have an incident response provider on retainer for extreme circumstances.  

Using Cisco Talos as an example, not only is an annual retainer with Cisco Talos Incident Response cheaper than employing a single full-time incident responder, but the retaining organization also gets the benefit of a highly-experienced incident response team that deals with major incidents around the globe on a weekly basis. 

Hard decisions are inevitable when the security budget decreases. However, exploring new options to add efficiency can not only protect the organization in the short term, but also provide long-term efficiency gains when budgetary restrictions eventually ease.

Cybersecurity on a budget: Strategies for an economic downturn

Cisco Talos investigated the Qilin ransomware group, uncovering its frequent attacks on the manufacturing sector, use of legitimate tools for credential theft and data exfiltration, and sophisticated methods for lateral movement, evasion, and persistence.

Uncovering Qilin attack methods exposed through multiple cases

We’ve relied on passwords for years to protect our online accounts, but they’ve also become one of the easiest ways attackers get in. Cisco Duo helps clear up some of the biggest passwordless myths.

Friday, October 24, 2025 06:00

By Janet Ho, Cisco Duo

**Why passwords are still a problem**

We’ve relied on passwords for years to protect our online accounts, but they’ve also become one of the easiest ways attackers get in. Many people reuse or simplify passwords, or even write them down because it’s hard to remember so many. That makes it easier for attackers to take advantage of stolen or reused credentials, and even worse, one stolen password can sometimes unlock several accounts.  

**Did you know?** According to Forbes, 244 million passwords were leaked on a single crime forum, and half of the world’s internet users have been exposed to reuse attacks. 

That’s why passwordless authentication is becoming so important. It lets you prove who you are without typing a password, using things like your fingerprint, face, or a security key on your device. This makes sign-ins easier for you and harder for attackers to fake, helping protect against phishing and stolen or weak passwords. 

**Clearing up the biggest myths about passwordless **

Even with all these benefits, a few common myths still make people hesitate about going passwordless. Let’s clear them up. 

It’s easy to assume that “passwordless” means skipping an important layer of protection. 

In reality, passwordless **is** multi-factor. It verifies who you are using both your device and something only you can provide like your fingerprint or PIN. 

When you log in, your device unlocks a unique digital key that never leaves it. Your fingerprint, face or PIN is only checked locally, not sent online. This makes it nearly impossible for attackers to steal or fake your login, the same strength as MFA, just without the password hassle. 

A PIN might look like a password, but it doesn’t work the same way. Instead of being sent over the internet or stored on a company server, your PIN only unlocks your device locally. That means there’s nothing for attackers to steal or guess remotely. 

Even a short PIN can be strong because your device limits how many times someone can try it. An attacker would have to physically possess your device to even attempt it. If you want extra protection, you can use a biometric like a fingerprint or face scan instead. 

Biometrics sometimes get a bad reputation because people remember early flaws or scary headlines like phones that could be fooled by photos or fake fingerprints. Those issues came from outdated, low-cost sensors that were easier to trick. 

Modern systems like Face ID and Windows Hello use 3D mapping, infrared light and “liveness” detection to make spoofing extremely difficult. In passwordless authentication, your fingerprint or face simply unlocks a private key stored on your device. That key never leaves your phone or computer and can’t be reused on other sites. Because biometrics are checked locally, not online, they block the remote attacks that plague passwords. 

Some worry that using biometrics means handing over personal data that could be stolen. That concern usually comes from news about biometric surveillance, where information is stored in large central databases.  

Passwordless authentication works differently. Your biometric stays on your device and is only used to unlock a local security key — it’s never uploaded, shared, or compared against a massive database. 

The difference matters. **Surveillance biometrics** identify you remotely by matching your data against millions of records. **Authentication biometrics**, like Face ID or Windows Hello, simply confirm that _you_ are the one holding your own device. That local check is what keeps your biometric private and safe. 

A truly phishing-resistant passwordless system has a few built-in protections against modern phishing techniques. 

Each login uses a unique digital key that stays on your device and never gets sent to the website. Even if someone builds a fake login page, there’s nothing to steal or reuse. That’s because passwordless systems check that you’re on the real website, not a look-alike page. Your browser does that check automatically before letting your device complete the login. 

And only trusted software on your device can trigger your authenticator to approve a login. Hidden apps or push-phishing attempts can’t reach it. 

Together, these protections make phishing far harder and, in most cases, stop it completely.  

**The bottom line: Easier, safer sign-ins for everyone **

Passwordless isn’t just a new way to log in. It’s a safer, simpler way to protect what matters most. Whether at home or at work, taking small steps toward passwordless helps reduce risk and makes security easier for everyone. 

Learn more about the myths and read the full report on Busting Passwordless Myths. 

Take the next step and check out 5 Step Path to Passwordless ebook.

Think passwordless is too complicated? Let's clear that up

In this week’s newsletter, Bill explores how open communication about your skills and experience can help your security team uncover hidden gaps, strengthen your defenses, and better prepare for ever-present threats.

Thursday, October 23, 2025 14:00

Welcome to this week’s edition of the Threat Source newsletter. 

“The truth about the world, he said, is that anything is possible... For existence has its own order and that no man's mind can compass, that mind itself being but a fact among others.” ― Cormac McCarthy, "Blood Meridian"

Earlier this week, I spent a few days off to take a reading retreat with my wife. Diving into several books from various genres and sitting on several quiet acres in the Texas hill country was a wonderful way to refuel. While reading a completely different book, I was reminded of this quoted section from Cormac and it gave me pause.  

We, as security practitioners, often move forward with the knowledge and expertise we've acquired along the various paths that led us to this point. It's easy to fall into the trap of assuming that, because we've shared similar experiences, we all possess the same skillsets — each of us following our own string in the maze. In the end, the gaps between what we assume about each other and the reality can be tremendous. How do we ensure these aren’t the very gaps adversaries exploit, and that our perceived strengths don’t become our weaknesses? 

It comes down to communication and community. Talking openly about our skillsets can feel unnecessary among seasoned practitioners—we often assume that everyone has followed a similar path through the maze of their careers. But in practice, conversations quickly reveal this isn’t the case. One of the best ways to build the soft skills that help your career grow is by meeting with your team and discussing the technical skills that got you here and how you apply them now, which skills still benefit your daily routine, and which have fallen to the wayside via obsolescence. If you can create a meeting focused on this topic — rotating among your direct team and involving the team or leader above — you’ll start to pinpoint the skillsets that have the greatest impact on your day-to-day work.  

This process will help you identify specific technical skills needed for hiring or training new team members. It also gives junior analysts a clear view of what senior analysts rely on in their expanded roles, helping to guide their own education. Furthermore, when everyone understands the technical and soft skills that leadership uses, it can help remove the distance between technical and people leaders — and can leave a “string” for those early in their careers to follow as they navigate their own path through the maze 

Know your environment. This is always my first answer whenever I’m asked what to do next or how to proceed. Knowing with extreme clarity both the skillsets on your team and the foundation they’re built upon will allow your team to thrive and grow. It also makes it easier to identify opportunities for cross-training and to provide targeted mentorship where it’s needed most. 

“War was always here. Before man was, war waited for him. The ultimate trade awaiting its ultimate practitioner.” ― Cormac McCarthy, "Blood Meridian"

**The one big thing **

According to the Cisco Talos IR Trends Q3 2025 report, over 60% of our incident response cases involved attackers exploiting public-facing applications, mainly through the ToolShell attack chain against unpatched Microsoft SharePoint servers. This is a huge jump from under 10% last quarter. About 20% of cases were ransomware-related (down from 50%), but new ransomware variants and tactics, like using legitimate tools for persistence, were seen. Attackers also increased their use of compromised internal accounts for phishing, and public administration became the top targeted sector for the first time since we began these reports in 2021. 

**Why do I care? **

Attackers are going after anyone with exposed or outdated systems, including local governments and public services. With attackers exploiting new vulnerabilities almost immediately (especially in widely used software like SharePoint), even small delays in patching or weak internal defenses can put your organization and its data at serious risk. 

**So now what? **

Prioritize rapid patching of public-facing applications, especially after new vulnerabilities are disclosed, and implement strong network segmentation to limit attackers' lateral movement. Additionally, enhancing multi-factor authentication, improving centralized logging, and educating your users can help detect and block attacks earlier. 

**Top security headlines of the week **

**Vulnerability in Dolby Decoder can allow zero-click attacks**   
Tracked as CVE-2025-54957 (CVSS score of 7.0), the security defect can be triggered using malicious audio messages, leading to remote code execution. On Android, the vulnerability can be exploited remotely without user interaction. (SecurityWeek) 

**131 Chrome extensions caught hijacking WhatsApp Web for massive spam campaign**   
Researchers have uncovered a coordinated campaign that leveraged 131 rebranded clones of a WhatsApp Web automation extension for Google Chrome to spam Brazilian users at scale. (The Hacker News) 

**Prosper data breach impacts 17.6 million accounts**   
Hackers stole personal and financial details belonging to 17.6 million users of the Prosper lending platform, including Social Security numbers and government IDs. (SecurityWeek) 

**"PassiveNeuron” cyber spies target orgs with custom malware**   
A threat campaign is targeting high-profile organizations in the government, industrial, and financial sectors across Asia, Africa, and Latin America, with two custom malware implants designed for cyber espionage. (Dark Reading) 

**Can’t get enough Talos? **

*   **Reducing abuse of Microsoft 365 Exchange Online Direct Send**   
    Cisco Talos has observed increased activity by malicious actors leveraging Direct Send as part of phishing campaigns. Here's how to strengthen your defenses. 
*   **Beers with Talos: Two Marshalls, one podcast**   
    Talos' Vice President Christopher Marshall (the “real Marshall,” much to Joe’s displeasure) joins Hazel, Bill, and Joe for a very real conversation about leading people when the world won’t stop moving. 

**Upcoming events where you can find Talos **

*   NTNU MALWAREFORUM (Oct. 28 – 29) Oslo, Norway 
*   Bsides Osijek (Nov. 5) Osijek, Croatia 
*   AVAR (Dec. 3 – 5) Kuala Lumpur, Malaysia 

**Most prevalent malware files from Talos telemetry over the past week **

**SHA256: d933ec4aaf7cfe2f459d64ea4af346e69177e150df1cd23aad1904f5fd41f44a**    
MD5: 1f7e01a3355b52cbc92c908a61abf643   
Talos Rep: https://talosintelligence.com/talos\_file\_reputation?s=d933ec4aaf7cfe2f459d64ea4af346e69177e150df1cd23aad1904f5fd41f44a    
Example Filename: cleanup.bat    
Detection Name: W32.D933EC4AAF-90.SBX.TG 

**SHA256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507**   
MD5: 2915b3f8b703eb744fc54c81f4a9c67f    
Talos Rep: https://talosintelligence.com/talos\_file\_reputation?s=9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507    
Example Filename: e74d9994a37b2b4c693a76a580c3e8fe\_1\_Exe.exe    
Detection Name: Win.Worm.Coinminer::1201 

**SHA256: 41f14d86bcaf8e949160ee2731802523e0c76fea87adf00ee7fe9567c3cec610**   
MD5: 85bbddc502f7b10871621fd460243fbc    
Talos Rep: https://talosintelligence.com/talos\_file\_reputation?s=41f14d86bcaf8e949160ee2731802523e0c76fea87adf00ee7fe9567c3cec610    
Example Filename: 85bbddc502f7b10871621fd460243fbc.exe   
Detection Name: W32.41F14D86BC-100.SBX.TG 

**SHA256: 96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974**    
MD5: aac3165ece2959f39ff98334618d10d9    
Talos Rep: https://talosintelligence.com/talos\_file\_reputation?s=96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974   
Example Filename: 96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974.exe    
Detection Name: W32.Injector:Gen.21ie.1201 

**SHA256: 629ff05b7396cd0278ac345008b1e9246a6511da973e3e7eb630c5890758c15a**   
MD5: 6692f8df8616472715273203b42e754d    
Talos Rep: https://talosintelligence.com/talos\_file\_reputation?s=629ff05b7396cd0278ac345008b1e9246a6511da973e3e7eb630c5890758c15a    
Example Filename: EasyAsVPNgo.exe   
Detection Name: W32.Proxy.27e2.1201

Strings in the maze: Finding hidden strengths and gaps in your team

Cisco Talos Incident Response observed a surge in attacks exploiting public-facing applications — mainly via ToolShell targeting SharePoint — for initial access, with post-exploitation phishing and evolving ransomware tactics also persisting this quarter.

IR Trends Q3 2025: ToolShell attacks dominate, highlighting criticality of segmentation and rapid response

Cisco Talos has observed increased activity by malicious actors leveraging Direct Send as part of phishing campaigns. Here's how to strengthen your defenses.

Tuesday, October 21, 2025 06:00

**Overview **

Microsoft 365 Exchange Online’s Direct Send is designed to solve an enterprise-scale operational challenge: certain devices and legacy applications such as multifunction printers, scanners, building systems, and older line‑of‑business apps, need to send email into the tenant but lack the ability to properly authenticate. Direct Send preserves business workflows by allowing messages from these appliances to bypass more rigorous authentication and security checks. 

Unfortunately, Direct Send’s ability for content to bypass standard security checks makes it an attractive target for exploitation. Cisco Talos has observed increased activity by malicious actors leveraging Direct Send as part of phishing campaigns and business email compromise (BEC) attacks. Public research from the broader community, including reporting by Varonis, Abnormal Security, Ironscales, Proofpoint, Barracuda, Mimecast, Arctic Wolf, and others, agree with Cisco Talos findings: Adversaries have actively targeted corporations using Direct Send in recent months. 

Microsoft Inc., for its part, has already introduced a Public Preview of the RejectDirectSend control and signaled future improvements, such as Direct Send-specific usage reports and an eventual “default‑off” posture for new tenants. These ongoing enhancements, layered with existing security controls, are helping organizations strengthen their defenses while still supporting the business-critical workflows that Direct Send was designed to enable.

**How Direct Send is exploited **

Direct Send abuse is the opportunistic exploitation of a trusted pathway. Adversaries emulate device or application traffic and send unauthenticated messages that appear to originate from internal accounts and trusted systems. The research cited above describes recurring techniques, such as: 

*   Impersonating internal users, executives, or IT help desks (e.g., observed by  Abnormal and Varonis) 
*   Business-themed lures, such as task approvals, voicemail or service notifications, and wire or payment prompts (e.g., Proofpoint’s observations about social engineering payloads) 
*   QR codes embedded in PDFs and low-content or empty-body messages carrying obfuscated attachments used to bypass traditional content filters and drive the user to credential harvesting pages (e.g., highlighted in Ironscales, Barracuda, and Mimecast reporting) 
*   Use of trusted Exchange infrastructure and legitimate SMTP flows to inherit implicit trust and decrease payload scrutiny

_“What happens when a feature built for convenience becomes an attacker’s perfect disguise?” – Abnormal Security, framing the dual‑use nature of Direct Send._

Legitimate dependencies still exist. Many enterprises have not fully migrated older scanning or workflow systems to authenticated submission (SMTP AUTH) or to partner connectors. A hasty blanket disablement without visibility and change planning can disrupt invoice processing, document distribution, or facilities notifications. That’s precisely why Microsoft is building reporting to help administrators sequence risk reduction without accidental business impact.

**Examples**

Figure 1. Spoofed American Express dispute (left), fake ACH payment notice (right).

The examples in Figure 1 (victim information redacted) demonstrate very obvious attacks that were presumed to be internal messages and therefore bypassed sender verification that could have convicted these threats. 

**Direct Send bypasses sender verification **

There are three key elements to email domain sender verification: 

1.  DomainKeys-Identified Mail (DKIM) is a cryptographic signature of message headers and content. This can verify that the message was sent by a server with a key authorized by the owner of the sending domain. 
2.  Sender Policy Framework (SPF) specifies a list of IP ranges that are authorized to send on behalf of the domain. 
3.  Domain-based Message Authentication, Reporting and Conformance (DMARC) defines what to do with a domain’s noncompliant mail when it lacks a DKIM signature and SPF authorization. Senders can choose a DMARC policy that instructs recipients to reject this mail. This is increasingly common, especially with banks.

Had the previous examples in Figure 1 been scanned with DMARC, DKIM, and SPF, they would have been rejected. However, Direct Send prevents this sort of inspection.

**Mitigation and recommendations **

With Direct Send abuse becoming more prevalent, it is critical for organizations to review their security posture related to Direct Send. Aligning with Microsoft’s guidance and community findings, Talos recommends: 

1.  **Disable or restrict Direct Send where feasible.** 
    1.  Inventory current reliance. Although forthcoming Microsoft reporting should make this more streamlined, creating or reviewing internal device inventories, SPF records, and connector configs. 
    2.  Enable Set-OrganizationConfig -RejectDirectSend $true once you’ve validated mailflows for legitimate internal traffic.
2.  **Migrate devices to authenticated SMTP.** 
    1.  Prefer authenticated SMTP client submission (port 587) for devices and applications that can store modern credentials or leverage app-specific identities (Microsoft documentation). 
    2.  Use SMTP relays with tightly scoped source IP restrictions only for devices that are unable to use authenticated submission.
3.  **Implement partner/inbound connectors for approved senders.** 
    1.  Establish certificate or IP-based partner connectors for third-party services legitimately sending with your accepted domains.
4.  **Strengthen authentication and alignment.** 
    1.  Maintain SPF with required authorized sending IPs; adopt Soft Fail (~all) per guidance from the Messaging, Malware and Mobile Anti-Abuse Working Group (M³AAWG) as well as Microsoft. 
    2.  Enforce DKIM signing and monitor DMARC aggregate reports for anomalous internal-looking unauthenticated traffic.
5.  **Strengthen policy, access, and monitoring.** 
    1.  Restrict egress on port 25 from general user segments; only designated hosts should originate SMTP traffic. 
    2.  Use Conditional Access or equivalent policies to block legacy authentication paths that are no longer justified. 
    3.  Alert on unexpected internal domain messages lacking authentication.

_“You can’t block what you don’t see.” – Ironscales, on visibility as a prerequisite to confident enforcement_

These defenses layer on Microsoft’s platform controls, reducing attacker dwell time and shortening the detection-to-remediation window.

**How Talos protects against Direct Send abuse **

Talos leverages advanced AI and machine learning to continuously analyze global email telemetry, campaign infrastructure, and evolving social engineering tactics — ensuring our customers stay ahead of emerging threats. Our security platform goes far beyond basic header checks, using behavioral analytics, deep content inspection, and continually adapting models to identify and neutralize sophisticated malicious actors before they target your organization. 

Contact Cisco Talos Incident Response to learn more about everything from proactively securing critical communications and endpoint protection, to security auditing and incident management. 

_Acknowledgments: We appreciate the sustained efforts of Microsoft’s engineering and security teams and the broader research community whose transparent publications inform defenders worldwide._

Reducing abuse of Microsoft 365 Exchange Online’s Direct Send

This edition highlights the detailed studies that have been recently published on how ransomware attacks affect victims, from PTSD to burnout, and discusses ways to help deal with the fallout of victimization.

Thursday, October 16, 2025 14:00

Welcome to this week’s edition of the Threat Source newsletter. 

I count myself fortunate that I have never been on the receiving end of a ransomware attack. My experiences have been from research and response, never as a victim. It’s a tough scenario: One day you are working or minding your own business when suddenly, threatening notes appear on desktops and systems simply stop working. So much of our survival as humans is tied to our livelihoods, so the amount of stress incurred can be severe. I get it, truly.  

Consequently, I am endlessly academically fascinated at stress responses and how humans… well… _human_ during moments of adversity. A ransomware attack most certainly qualifies as adverse, and my sympathies are with you if you’ve ever had to endure one. But there’s a science to both the personal response, and the business response and its impacts writ large. 

Over the past year, excellent research has been published on these facets of response to help answer some of these questions, and naturally I dove right into the research. One of the things that stuck out to me was that the impact of the attacks and its effect on small businesses as a victim segment. A notable quote from a small business in the U.K. government’s “The experiences and impacts of ransomware attacks on individuals and organisations” states: 

> _“I’ve started to rebuild, using personal funds and living off personal funds for the last 2 or 3 years… I’ve got 0 savings left… It’s had a total impact on me… I’ve gone from probably nearly a £250,000 business down to about a £20,000 business.”_

This quote isn’t unique in its impacts. Anecdotally, I can tell you small businesses are a large swath of victims for ransomware operators. It makes sense — Small victims likely pay out less but likely have lower security standards and security knowledge to defend themselves with. They also do not have the cash reserves, legal teams, or dedicated IT security staff that a mid-sized or larger business have. Simply put, they are disproportionately vulnerable.  

So, what about the impacts to health and wellbeing? What, if anything, do we do? And why the hell should any business even care? To paraphrase the Royal United Services Institute (RUSI) report ‘Your Data is Stolen and Encrypted’: The Ransomware Victim Experience, ransomware victims experience trauma, exhaustion, and emotional harm that rival — and often outlast — the financial or operational damage. You can survive the battle of immediate operational harm of a cyber attack and recover your day-to-day business operations only to lose the war as your employees cope and process the trauma of the event and thus impact your business’ ability to compete and survive.  

A cyber attack is both a technical and psychological crisis. Business leadership would be wise to understand this. Lead with empathy and remember that your employees look to you for leadership, especially in these incidents. People follow calm, not commands. Have an incident response plan for how you respond to the technical crises, but also for how to take care of your people. You might find yourself that much stronger at the end, both with a company that handles adversity and employees that are cared for. 

**The one big thing **

Cisco Talos discovered a new malware campaign linked to the North Korean threat group Famous Chollima, which targets job seekers with trojanized applications to steal credentials and cryptocurrency. The campaign features two primary tools, BeaverTail and OtterCookie, whose functionalities are merging and now include new modules for keylogging, screenshot capture, and clipboard monitoring. The attackers deliver these threats through malicious NPM packages and even a fake VS Code extension, making detection and prevention more challenging. 

**Why do I care? **

This campaign highlights how attackers use social engineering and software supply chain attacks to compromise individuals and organizations, not just targeting companies directly. If you or your organization use development tools, npm packages, or receive unsolicited job offers, you could be at risk of credential or cryptocurrency theft. 

**So now what? **

Be vigilant when installing NPM packages, browser extensions, or software from unofficial sources, and verify the legitimacy of job offer communications. Use layered security solutions, such as endpoint protection, multi-factor authentication, and network monitoring tools like those recommended by Cisco, to detect and block these threats. 

**Top security headlines of the week **

**Harvard is first confirmed victim of Oracle EBS zero-day hack**   
Harvard was listed on the data leak website dedicated to victims of the Cl0p ransomware on October 12. The hackers have made available over 1.3 TB of archive files that allegedly contain Harvard data. (SecurityWeek) 

**Two new Windows zero-days exploited in the wild**   
Microsoft released fixes for 183 security flaws spanning its products, including three vulnerabilities that have come under active exploitation in the wild. One affects every version ever shipped. (The Hacker News) 

**Officials crack down on Southeast Asia cybercrime networks, seize $15B**   
The cryptocurrency seizure and sanctions targeting the Prince Group, associates and affiliated businesses mark the most extensive action taken against cybercrime operations in the region to date. (CyberScoop) 

**Extortion group leaks millions of records from Salesforce hacks**   
The leak occurred days after the group, an offshoot of the notorious Lapsus$, Scattered Spider, and ShinyHunters hackers, claimed the theft of data from 39 Salesforce customers, threatening to leak it unless the CRM provider pays a ransom. (SecurityWeek)

**Can’t get enough Talos? **

**Humans of Talos: Laura Faria and empathy on the front lines**   
What does it take to lead through chaos and keep organizations safe in the digital age? Amy sits down with Laura Faria, Incident Commander at Cisco Talos Incident Response, to explore a career built on empathy, collaboration, and a passion for cybersecurity. 

**Beers with Talos: Two Marshalls, one podcast**   
Talos' Vice President Christopher Marshall (the “real Marshall,” much to Joe’s displeasure) joins Hazel, Bill, and Joe for a very real conversation about leading people when the world won’t stop moving. 

**Upcoming events where you can find Talos **

*   DEEP Conference (Oct. 22 – 23) Petrčane, Croatia 
*   NTNU MALWAREFORUM (Oct. 28 – 29) Oslo, Norway 
*   Bsides Osijek (Nov. 5) Osijek, Croatia 
*   AVAR (Dec. 3 – 5) Kuala Lumpur, Malaysia 

**Most prevalent malware files from Talos telemetry over the past week **

**SHA256: d933ec4aaf7cfe2f459d64ea4af346e69177e150df1cd23aad1904f5fd41f44a**   
MD5: 1f7e01a3355b52cbc92c908a61abf643    
Talos Rep: https://talosintelligence.com/talos\_file\_reputation?s=d933ec4aaf7cfe2f459d64ea4af346e69177e150df1cd23aad1904f5fd41f44a    
Example Filename: cleanup.bat    
Detection Name: W32.D933EC4AAF-90.SBX.TG 

**SHA256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507**    
MD5: 2915b3f8b703eb744fc54c81f4a9c67f    
Talos Rep: https://talosintelligence.com/talos\_file\_reputation?s=9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507    
Example Filename: e74d9994a37b2b4c693a76a580c3e8fe\_1\_Exe.exe    
Detection Name: Win.Worm.Coinminer::1201 

**SHA256: 96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974**    
MD5: aac3165ece2959f39ff98334618d10d9    
Talos Rep: https://talosintelligence.com/talos\_file\_reputation?s=96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974    
Example Filename: 96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974.exe   
Detection Name: W32.Injector:Gen.21ie.1201  

**SHA256: 41f14d86bcaf8e949160ee2731802523e0c76fea87adf00ee7fe9567c3cec610**    
MD5: 85bbddc502f7b10871621fd460243fbc    
Talos Rep: https://talosintelligence.com/talos\_file\_reputation?s=41f14d86bcaf8e949160ee2731802523e0c76fea87adf00ee7fe9567c3cec610    
Example Filename:85bbddc502f7b10871621fd460243fbc.exe    
Detection Name: W32.41F14D86BC-100.SBX.TG 

**SHA256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91**    
MD5: 7bdbd180c081fa63ca94f9c22c457376    
Talos Rep: https://talosintelligence.com/talos\_file\_reputation?s=a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91    
Example Filename: e74d9994a37b2b4c693a76a580c3e8fe\_3\_Exe.exe    
Detection Name: Win.Dropper.Miner::95.sbx.tg

Ransomware attacks and how victims respond

Cisco Talos has uncovered a new attack linked to Famous Chollima, a threat group aligned with North Korea (DPRK).

BeaverTail and OtterCookie evolve with a new Javascript module

Laura opens up about her journey through various cybersecurity roles, her leap into incident response, and what it feels like to support customers during their toughest moments — including high-stakes situations impacting critical infrastructure.

Thursday, October 16, 2025 06:00

What does it take to lead through chaos and keep organizations safe in the digital age? This week, Amy sat down with Laura Faria, an incident commander at Cisco Talos Incident Response, to explore a career built on empathy, collaboration, and a passion for cybersecurity.

Laura opens up about her journey through various cybersecurity roles, her leap into incident response, and what it feels like to support customers during their toughest moments — including high-stakes situations impacting critical infrastructure.

**Amy Ciminnisi: Laura, it's great to have you on. You're an incident commander, like Alex from last episode. When did your time at Talos start, and what did your journey here look like?**

Laura Faria: My entire career, I've worked in many large cybersecurity vendors - endpoint vendors, firewall vendors, RAV vendors... So I've been in a lot of different roles, but they were mostly in sales. I was actually a Cisco employee prior to joining Talos IR. I've been at Cisco for a little over a year now, and Talos is one of the best places to work in Cisco, in my opinion. They have a really high reputation because everyone knows the quality of research that Talos provides our customers with.

I'd never been an incident commander before, so it was a really new position to me. But it was definitely something I was interested in, and the more I learned about what the role entailed, the more I was excited to pursue it.

**AC: This is a very high-pressure role, and I'm sure you have to deal with a lot of chaos, a lot of moving parts. How do you stay focused and motivated to keep going when you're tackling these really serious incidents for our clients?**

LF: A common phrase in Talos IR is "It's never a good day when an incident happens." During very serious episodes, being there to help the customer feels really good, especially if you're a people person, and especially if you're empathetic and a lot with people's emotions.

Recently, I had a very difficult incident where a large health care facility was seeing a lot of outages in different locations throughout the nation. Every time we saw a site outage, it was devastating because we knew what that meant. We actually had people's lives in our hands. Although it's a very difficult job, taking the time to look at the big picture and understand the importance of your job is really what keeps you going.

_Want to see more?_ _Watch the full interview__, and don’t forget to subscribe to our YouTube channel for future episodes of Humans of Talos!_

Laura Faria: Empathy on the front lines

Cisco Talos’ Vulnerability Discovery & Research team recently disclosed one vulnerability in the OpenPLC logic controller and four vulnerabilities in the Planet WGR-500 router.  
For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability

Wednesday, October 15, 2025 13:39

Cisco Talos’ Vulnerability Discovery & Research team recently disclosed one vulnerability in the OpenPLC logic controller and four vulnerabilities in the Planet WGR-500 router.  

For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website.     

****OpenPLC denial-of-service vulnerability****

_Discovered by a member of Cisco Talos._   

OpenPLC is an open-source programmable logic controller intended to provide a low cost industrial solution for automation and research. 

Talos researchers found TALOS-2025-2223 (CVE-2025-53476), a denial-of-service vulnerability in the ModbusTCP server functionality of OpenPLC\_v3. A specially crafted series of network connections can prevent the server from processing subsequent Modbus requests. An attacker can open a series of TCP connections to trigger this vulnerability.

****Planet WGR-500 stack-based buffer overflow, OS command injection, format string vulnerabilities****

_Discovered by Francesco Benvenuto of Cisco Talos._   

The Planet Networking & Communication WGR-500 is an industrial router designed for Internet of Things (IoT) networks, particularly industrial networks such as transportation, government buildings, and other public areas. Talos found four vulnerabilities in the router software.

TALOS-2025-2226 (CVE-2025-54399-CVE-2025-54402) includes multiple stack-based buffer overflow vulnerabilities in the formPingCmd functionality. A specially crafted series of HTTP requests can lead to stack-based buffer overflow.

TALOS-2025-2227 (CVE-2025-54403-CVE-2025-54404) includes multiple OS command injection vulnerabilities in the swctrl functionality. A specially crafted network request can lead to arbitrary command execution.

TALOS-2025-2228 (CVE-2025-48826) is a format string vulnerability in the formPingCmd functionality of Planet WGR-500. A specially crafted series of HTTP requests can lead to memory corruption.

TALOS-2025-2229 (CVE-2025-54405-CVE-2025-54406) includes multiple OS command injection vulnerabilities in the formPingCmd functionality. A specially crafted series of HTTP requests can lead to arbitrary command execution.