Cisco Talos’ Vulnerability Discovery & Research team recently disclosed five vulnerabilities in Nvidia and one in Adobe Acrobat.
The vulnerabilities mentioned in this blog post have been patched by their respective vendors, all in adherence to Cisco’s third-party vulnerability disclosure policy.    
For Snort

Wednesday, October 1, 2025 14:37

Cisco Talos’ Vulnerability Discovery & Research team recently disclosed five vulnerabilities in Nvidia and one in Adobe Acrobat.

The vulnerabilities mentioned in this blog post have been patched by their respective vendors, all in adherence to Cisco’s third-party vulnerability disclosure policy.    

For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website.     

****Nvidia vulnerabilities****

_Discovered by Dimitrios Tatsis of Cisco Talos._

Nvidia is a large technology company developing graphics cards, chip systems, and applications for AI and high performance computing. Talos has found 5 vulnerabilities in the CUDA Toolkit, a development environment for developing GPU-accelerated applications.

TALOS-2025-2155 (CVE-2025-23339) is an arbitrary code execution vulnerability in the DWARF parsing functionality of NVIDIA cuobjdump 12.8.55. A specially crafted fatbin file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability.

TALOS-2025-2169 (CVE-2025-23338) is an improper array index validation vulnerability in the symbol table parsing functionality of NVIDIA nvdisasm 12.8.90. A specially crafted ELF file can lead to an out-of-bounds write. An attacker can provide a malicious file to trigger this vulnerability.

TALOS-2025-2172 (CVE-2025-23340) is an out-of-bounds write vulnerability in the RELA section parsing functionality of NVIDIA nvdisasm 12.8.90. A specially crafted ELF file can lead to code execution. An attacker can provide a malicious file to trigger this vulnerability.

TALOS-2025-2191 (CVE-2025-23271), a heap-based buffer overflow vulnerability, and TALOS-2025-2204 (CVE-2025-23308), an out-of-bounds write vulnerability, exist in the REL section header parsing functionality of NVIDIA nvdisasm 12.8.90. Specially crafted ELF files can lead to arbitrary code execution. An attacker can provide a malicious file to trigger these vulnerabilities.

****Adobe use-after-free vulnerability****

_Discovered by KPC of Cisco Talos._

Adobe Acrobat Reader is one of the most popular PDF reading software currently available.

Talos discovered TALOS-2025-2222 (CVE-2025-54257), a use-after-free vulnerability in the page property functionality of Adobe Acrobat Reader 2025.001.20531. Specially crafted Javascript code inside a malicious PDF document can trigger reuse of a previously freed object, which can lead to memory corruption and could result in arbitrary code execution. An attacker needs to trick the user into opening the malicious file to trigger this vulnerability.

Nvidia and Adobe vulnerabilities

Hazel celebrates unseen effort in cybersecurity and shares some PII. Completely unrelated, but did you know “Back to the Future” turns 40 this year?

Welcome to this week’s edition of the Threat Source newsletter. 

“Back to the Future” is 40 years old this year, and at the risk of giving away sensitive information to an audience of hackers… so am I. 

I don’t really know what 40 is supposed to feel like. Honestly, I don’t feel all that different from my 20s, with two key exceptions: One, I care a whole lot less about what people think of me. And two, my trainer recently stopped mid-set to ask, “Was that your knee making that sound?” 

I’ve always loved “Back to the Future” (mommy issues aside). For my 30th birthday, I threw a BTTF-themed party. Guests had to dress for either 1955, 1985 or 1885. (2015 was also allowed, but only if you wore two ties.) 

But watching the documentary “Still” recently gave me a whole new appreciation for what Michael J. Fox went through to make it happen. 

Because he was still under contract with “Family Ties,” and because the original Marty had been fired five weeks into filming, Fox had to shoot both projects _at the same time._ He’d wrap “Back to the Future “at 2:00 a.m., sleep in the back of a car, then be on set for the sitcom a few hours later. 

In “Still,” he talks about mixing up lines between scripts, barely functioning from exhaustion and constantly fearing a call from his agent saying he wasn’t doing a good job. The pressure. The pace. The fear he was messing it up. Fox himself admits the experience nearly broke him. But he kept showing up, because people were counting on him. 

Sound familiar? 

That “I can’t stop, people are relying on me” mindset is something I see a lot in this industry. We care about the mission. We care about our teams. We don’t want to give the adversary any opportunity.  

So we say yes. We log back in. We fix the thing no one else will notice, but we know it matters. 

Fox’s schedule and resultant exhaustion weren’t the only issues behind the scenes of “Back to the Future.” The “What Went Wrong” podcast (a favourite of mine) recently covered the mishaps and difficulties, from the DeLorean doors constantly jamming shut, to having to change the entire ending. The film was originally supposed to climax at a nuclear test site, with Marty manufacturing a time machine out of a fridge.  

That ending was axed as the producers were concerned children would copy the idea and get trapped in fridges. Thankfully, Steven Spielberg (a producer on the film) would use the concept 20 years later in “Indiana Jones and the Kingdom of the Crystal Skull” to huge success. Ahem.  

So much about the making of “Back to the Future” was fraught and uncertain. But what we, the audience, saw was pure delight. And that’s the thing — what looks effortless on the surface is often the result of long hours, unfair compromises, and the kind of behind-the-scenes effort that nobody ever sees. 

I want to echo the thoughts of my colleague Joe from last week’s newsletter: B**urnout is brutal, a**nd it takes no prisoners. Trying to be there for everyone and everything all the time is unsustainable. And (trust me on this one), the longer we put off taking care of ourselves, the harder and longer the recovery.  

Creating boundaries is one of the best things we can do for ourselves. So, this week, whether you're coordinating an incident, researching something cool, supporting your team or just trying to be a functioning human, give yourself a moment. Identify your boundaries. Move them closer if you need to.  

In fact, write down just one thing that will help decompress you this week, and do that thing. Whether that’s less screen time, a short walk after dinner or playing a game.  

Just… give yourself permission, okay? As Doc Brown says: 

“The future is whatever you make it. So make it a good one.”

**The one big thing **

Cisco Talos uncovered a new PlugX malware variant targeting telecom and manufacturing sectors in Central and South Asia since 2022, using the same sneaky tactics as the RainyDay and Turian backdoors. These threats abuse legitimate software and share unique technical fingerprints, suggesting they're the work of the same or closely linked attackers. The campaign shows a high level of sophistication and ongoing risk for targeted industries. 

**Why do I care? **

If your organization is in telecom or manufacturing, especially in Central or South Asia, you’re squarely in the crosshairs of advanced attackers using updated, evasive malware that can compromise your systems, steal data and lurk undetected for years. 

Even if you’re in a different industry, attackers are getting smarter at hiding in plain sight and any organization could be at risk if these tactics spread. 

**So now what? **

Double down on security controls. Make sure your endpoint, email and network protection solutions are up to date, review your defenses against DLL hijacking and stay alert for new updates.

**Top security headlines of the week **

**Microsoft fixed Entra ID vulnerability allowing Global Admin impersonation**   
Microsoft rolled out a global fix on July 17, just three days after the initial report and later added further mitigations that block applications from requesting Actor tokens for the Azure AD Graph. (HackRead) 

**U.S. Secret Service dismantles imminent telecommunications threat in New York tristate area**   
The U.S. Secret Service dismantled a network of electronic devices located throughout the New York tristate area that were used to conduct multiple telecommunications-related threats directed towards senior U.S. government officials. (U.S. Secret Service) 

**European airport disruptions caused by ransomware attack**    
ENISA said the type of ransomware involved in the attack has been identified and law enforcement is conducting an investigation. The cyberattack hit services provided by US-based Collins Aerospace, which is owned by RTX (formerly Raytheon). (SecurityWeek) 

**ChatGPT targeted in server-side data theft attack**   
The attack, dubbed ShadowLeak, targeted ChatGPT’s Deep Research capability, which is designed to conduct multi-step research for complex tasks. OpenAI neutralized ShadowLeak after notification. (SecurityWeek) 

**Attackers abuse AI tools to generate fake CAPTCHAs in phishing attacks**   
The fake CAPTCHA pages redirect victims to malicious websites hosted by the attackers. The apparent routine security check makes the malicious link appear more legitimate to the victim and helps bypass security tools. (Infosecurity Magazine) 

**SystemBC malware turns infected VPS systems into proxy highway**   
The operators of the SystemBC proxy botnet are hunting for vulnerable commercial virtual private servers (VPS) and maintain an average of 1,500 bots every day that provide a highway for malicious traffic. (Bleeping Computer)

**Can’t get enough Talos? **

**The TTP: Threat Hunter’s Cookbook**   
Hear from Ryan Fetterman and Sydney Marrone from the SURGe team (now part of Cisco’s Foundation AI group), who wrote the Threat Hunter’s Cookbook: a collection of practical “recipes” security teams can pick up and apply. 

**Engaging Cisco Talos Incident Response**   
You’ve called Talos IR about a cyber incident — now what happens? This blog post takes you behind the scenes of a Talos IR engagement, from picking up the phone to recovery and implementation of long-term security improvements. 

**Tampered Chef: When malvertising serves up infostealers**    
Imagine downloading a PDF Editor tool from the internet that works great... until nearly two months later, when it quietly steals your credentials. Nick Biasini explains how cybercriminals are investing in malvertising and challenges in defense.

**Upcoming events where you can find Talos **

*   VB2025 (Sept. 24 – 26) Berlin, Germany 
*   Wild West Hackin' Fest (Oct. 8 – 10) Deadwood, SD 
*   DEEP Conference (Oct. 22 – 23) Petrčane, Croatia

**Most prevalent malware files from Talos telemetry over the past week **

**SHA256: d933ec4aaf7cfe2f459d64ea4af346e69177e150df1cd23aad1904f5fd41f44a**    
MD5: 1f7e01a3355b52cbc92c908a61abf643    
Talos Rep: https://talosintelligence.com/talos\_file\_reputation?s=d933ec4aaf7cfe2f459d64ea4af346e69177e150df1cd23aad1904f5fd41f44a    
Example Filename: cleanup.bat    
Detection Name: W32.D933EC4AAF-90.SBX.TG 

**SHA256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507**    
MD5: 2915b3f8b703eb744fc54c81f4a9c67f    
Talos Rep: https://talosintelligence.com/talos\_file\_reputation?s=9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507    
Example Filename: 0a0dc0e95070a2b05b04c2f0a049dad8\_1\_Exe.exe    
Detection Name: Win.Worm.Coinminer::1201 

**SHA256: 57a6d1bdbdac7614f588ec9c7e4e99c4544df8638af77781147a3d6daa5af536**    
MD5: 79b075dc4fce7321f3be049719f3ce27    
Talos Rep: https://talosintelligence.com/talos\_file\_reputation?s=57a6d1bdbdac7614f588ec9c7e4e99c4544df8638af77781147a3d6daa5af536   
Example Filename: RemCom.exe    
Detection Name: W32.57A6D1BDBD-100.SBX.VIOC 

**SHA256: 1e9efd7b2b70a21b49395081f8d70d5e500539abb51a4dd079ffb746f59e43a1**    
MD5: 45f586861cc745a6b29a957fdbc03645    
Talos Rep: https://talosintelligence.com/talos\_file\_reputation?s=1e9efd7b2b70a21b49395081f8d70d5e500539abb51a4dd079ffb746f59e43a1   
Example Filename: cleanup.bat    
Detection Name: W32.1E9EFD7B2B-90.SBX.TG 

**SHA256: 96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974**   
MD5: aac3165ece2959f39ff98334618d10d9 Talos Rep: https://talosintelligence.com/talos\_file\_reputation?s=96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974   
Example Filename: 96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974.exe    
Detection Name: W32.Injector:Gen.21ie.1201

Great Scott, I’m tired

What happens when you bring in a team of cybersecurity responders? How do we turn chaos into control, and what is the long-term value that Talos IR provides to the organizations we work with?

**What happens when you engage Cisco Talos Incident Response?**

Wednesday, September 24, 2025 06:00

In today’s world, cybersecurity incidents are not a matter of if, but **when** and **how**. From ransomware attacks to data breaches exposing sensitive information, organizations face a changing threat landscape. As a result of cybersecurity attacks, organizations can experience downtime, financial losses, reputational damage and regulatory penalties. That’s when it really helps to have a team like Cisco Talos Incident Response (Talos IR) by your side. But what exactly happens when you bring in a team of cybersecurity responders? How do we turn chaos into control, and what is the long-term value that Talos IR provides to the organizations we work with?

This blog post takes you behind the scenes of engaging an incident response (IR) firm like Talos IR. We will walk through what really happens during an IR engagement, from the moment you pick up a phone and call for help in the middle of a crisis to the long-term changes that make your organization stronger and more secure.

**Why engage an IR team? **

Before diving into the process, let’s address the fundamental question: Why engage an IR firm? Cybersecurity incidents are complex, often requiring specialized skills, tools and experience that internal teams may lack. The Talos Year In Review Report highlights the rising frequency and sophistication of attacks; as a result, many security teams are struggling to address emergencies due to resource constraints or the complexity of response at scale. 

Engaging an IR firm like Talos IR brings several key advantages: 

*   **Speed and availability**: We provide 24/7 global support, with response times often under a few hours for remote engagements and on-site support wherever needed. Engaging an IR firm is like calling in a S.W.A.T. team for a cybersecurity crisis. We bring the tools, tactics and experience to contain the threat and minimize damage while guiding the organization toward recovery and increasing future resilience. 
*   **Expertise**: With numerous incident responders and threat intelligence analysts, all of whom have access to industry-leading Talos threat intelligence, the team has deep experience handling diverse threats, from ransomware to business email compromise (BEC). We handle it all, from “small” attacks on a single organization to a country-level threats. We don’t focus just on typical IT environments — we work with ICS/OT, cloud or mobile forensic, as well.  
*   **Vendor-agnostic approach**: Talos IR works with customers’ existing infrastructure and tooling, whether you use Cisco products or not. We simply don’t like to wait for deployment of tools before getting our hands dirty in all the logs, consoles and forensic artifacts. At a time when you are already resource-constrained, the last thing we want to do is make you replace an existing security solution, such as endpoint detection and response (EDR), on the endpoints. 
*   **Comprehensive services**: Beyond emergency response, Talos IR provides proactive services like Threat Hunting and IR Planning to strengthen your security posture before an incident happens or after to build up resilience.

**Overview of the IR lifecycle **

The IR process typically follows a structured lifecycle, based on frameworks such as NIST SP 800-61 or the SANS Institute’s model. Talos IR aligns with these best practices, tailoring its approach to organization’s unique needs at the time of crisis and beyond. Handling incidents day in and day out has given Talos IR a deep well of experience, and we’ve built that knowledge into processes to support every organization we work with. The lifecycle of our IR typically includes: 

1.  Preparation 
2.  Identification 
3.  Containment 
4.  Eradication 
5.  Recovery 
6.  Lessons learned 

When you engage Talos IR, we apply this lifecycle with a blend of technical prowess, threat intelligence and collaborative teamwork. Let’s walk through each phase in detail.

**Phase 1: Preparation (before the incident) **

Preparation is the foundation of effective IR. While many organizations only engage IR firms during a crisis, proactive engagement with Talos IR can significantly reduce the impact of future incidents. With a Talos IR retainer, you secure an agreement that ensures rapid response during an emergency and access to proactive services tailored to your organization’s risk profile and needs, offering: 

*   **Emergency response**: Guaranteed access to a global team within a short time of experiencing of an incident. During major global cybersecurity events like Wannacry, Heartbleed or Log4J or others, an existing retainer can be the difference between receiving immediate help and waiting days to weeks.
*   **Proactive services**: Access to proactive services for Threat Hunting, Tabletop Exercises or Purple Teaming
*   **Relationship building**: Familiarity with your environment, reducing response time during a crisis

These services build trust and familiarity, ensuring Talos IR can hit the ground running during an emergency.

**Phase 2: Identification (beginning of incident) **

When a cybersecurity incident occurs, the first step is identifying and confirming the threat, whether it’s a ransomware attack, phishing campaign, or data breach. This is often when organizations reach out to Talos IR. Talos IR’s emergency response team is available 24/7 and can be reached via phone or email, but phone is the fastest and most direct way to reach our dedicated IR team.  

**Initial call**

During the first call, Talos IR gathers critical information to help us move onto analysis as soon as possible: 

*   **Nature of the incident**: What symptoms were observed (e.g., encrypted files, suspicious emails, new files on the webserver that were committed outside of the development lifecycle)? 
*   **Affected systems**: Which servers, endpoints, or networks are impacted? 
*   **Business impact**: Is the incident disrupting operations or exposing sensitive data? 
*   **Existing actions**: What steps have been taken so far? 
*   **Visibility**: What existing systems and tools can we access to handle the incident? Would complimentary Cisco tools help close a current gap, such as no EDR solution on a specific network? 

**Triage, scoping and analysis** 

Talos IR deploys a team led by an Incident Commander, who coordinates efforts and communicates with the stakeholders. The Incident Commander is supported by a skilled team of responders, threat analysts and project managers who keep everything moving and progress analysis 24/7. We typically start our work with in-depth triage of your environment which often involves: 

*   **Log analysis**: Reviewing logs from security information and event management (SIEM) systems, EDR tools, or network devices to identify indicators of compromise (IOCs)
*   **Threat intelligence**: Leveraging Talos global telemetry to match IOCs against known adversary tactics, techniques and procedures (TTPs)
*   **Digital forensics**: Collecting and analyzing evidence, such as memory dumps or disk images, to understand the attack’s scope

What makes IR truly effective is having access to as much relevant data as possible from the very beginning. The earlier our team can review endpoint telemetry, network traffic, identity logs and other critical data points, the faster we can determine what happened, how far the threat spread and what needs to be done to contain the threat. We often use the triage process to understand and search for: 

*   **Initial access vector**: Common vectors include phishing, exploited vulnerabilities (e.g., Microsoft Exchange Server flaws), or misconfigured VPN servers. You can read all about the trends we see each quarter here. 
*   **Adversary goals**: Is the attacker after data theft, ransomware deployment, or persistent access? 
*   **Scope**: How many systems, users, or networks are affected? 
*   **Persistence mechanisms**: Are there backdoors, scheduled tasks, or web shells that allow re-entry? 
*   **Data exfiltration**: Was sensitive data stolen? 

Talos IR provides an initial assessment, outlining the incident’s severity and recommended next steps, and keeps you updated daily. This phase sets the stage for containment, where speed is critical to limit damage. This analysis goes on for a number of days and typically uncovers additional information that adds to the picture during each 24-hour cycle.

**Phase 3: Containment (stopping the attack) **

Containment focuses on preventing the threat from spreading further while preserving evidence for analysis. Talos IR employs a technology-agnostic approach, working with existing tools to implement short-term and long-term containment strategies while simultaneously looking to minimize business impact. 

**Short-term containment** 

Immediate actions to isolate the threat typically include: 

*   **Network segmentation**: Isolating affected systems or subnets to prevent lateral movement
*   **Account lockdown and/or password changes**: Disabling compromised accounts, changing compromised passwords, or enforcing multi-factor authentication (MFA). Talos IR frequently observes incidents where the lack of MFA enables ransomware or business email compromise (BEC) attacks. 
*   **Process termination**: Isolating malicious processes, such as ransomware encryptors or command-and-control (C2) beacons, when identified. Reimaging devices is often a recommended step, but it depends on the extent of the breach.
*   **Firewall rules**: Blocking malicious IPs or domains identified through Talos’ threat intelligence

**Long-term security hardening** 

While short-term countermeasures stop immediate damage, long-term security hardening ensures the attacker can’t regain access. By working together with an organization on emergency response, Talos IR gains a great understanding of what needs to be applied to build long term resistance. Some of these recommendations would be: 

*   **Patching vulnerabilities**: Addressing exploited flaws, such as unpatched servers or vulnerable web applications
*   **Endpoint protection**: Extending EDR deployments to monitor for residual threats on systems that were previously unprotected
*   **Strengthening resilience:** Taking a long-term, strategic approach to uncover and address weaknesses in your organization’s security posture to better prepared for future threats
*   **Improving efficiency and consistency:** Developing clear policies and procedures, while automating routine tasks such system hardening to reduce risk

**Phase 4: Eradication (removing the threat) **

Once the threat is contained, Talos IR focuses on recommendations for completely removing all remnants of the adversary from the environment. Eradication is a delicate process that needs to balance business needs with recovery operations. Eradication typically involves: 

*   **Account remediation**: Resetting passwords and revoking compromised credentials. This may sound familiar from the containment phase, but often it is necessary to do two or more credential purges during a major incident. 
*   **System rebuilds**: In severe cases, rebuilding affected systems from clean backups to eliminate hidden threats.
*   **Reverting adversary changes**: Some sophisticated adversaries will do things like change firewall rules, embed fileless malware in the registry, or create future scheduled tasks as “sleeper agents.” Detecting, documenting and reverting these changes can be the most difficult and important part of eradication. 

Before wrapping up this phase, Talos IR verifies eradication through: 

*   **Threat hunting**: Scanning for residual IOCs or anomalous behavior
*   **Log reviews**: Confirming no further malicious activity

This process minimizes the risk of the adversary returning, as seen in cases where adversaries used tools like Cobalt Strike to maintain persistence. A single overlooked persistence mechanism is enough to let the adversary back in at a later date, which is why a thorough forensic review by an experienced IR team is critical. 

**Phase 5: Recovery (restoring operations) **

Recovery aims to restore systems and operations to normal while enhancing security to prevent recurrence. Talos IR collaborates with IT and business teams to ensure a smooth transition. If it is necessary to accept some risk in order to get business operations back online, the Talos IR Incident Commander will work with your organizational leadership to ensure that the risk is minimized and understood, and that compensating controls are applied.  

Key recovery recommendations often include: 

*   **Restoring from backups**: Deploying clean backups to affected systems, ensuring they’re free of malware
*   **Application testing**: Verifying critical applications (e.g., ERP systems) function correctly post-recovery
*   **User access**: Gradually restoring user access with strengthened controls, such as MFA
*   **Alternative processes**: Implementing manual or temporary workflows if systems remain offline
*   **Stakeholder communication**: Coordinating with PR and legal teams to manage external messaging and regulatory notifications
*   **Employee training**: Educating staff on phishing awareness or secure practices to prevent future incidents
*   **Logging improvements**: Enhancing visibility to overcome the logging deficiencies
*   **Patch management**: Establishing processes to prevent exploitation of known vulnerabilities

**Phase 6: Lessons learned (building resilience) **

The final phase of IR involves analyzing the incident to extract lessons and improve future preparedness. Talos IR’s approach ensures that insights translate into actionable strategies. Talos IR delivers a comprehensive incident report, including: 

*   **Incident summary**: A timeline of events, from initial detection to resolution 
*   **Findings**: Details on the attacker’s TTPs, entry points and impact
*   **Recommendations**: Specific actions to ensure long-term and short-term improvements

**Ongoing partnership **

At Talos IR, we believe IR isn’t only a service we provide; it’s a relationship and the ultimate team sport. We’re not here just for the crisis; we’re here to support before, during and long after the incident is resolved. As many of our long-term retainer customers like Veradigm have observed, those multi-year relationships pay great dividends during incidents:  

_“With the \[Talos IR\] retainer service we really appreciate established and met Service Level Agreements (SLAs). Plus, the knowledge of Cisco’s IR team on our unique environment, prior incidents, and their intelligence on the latest threats ensure we smoothly navigate, and balance preparation exercises and incidents based on our unique needs. Time to response in our SLA along with the unique knowledge, there isn’t a delay as one would expect. They are ready and we have ‘muscle memory’ from both tabletop scenarios and real-life situations. As a result of being in the highly regulated world of healthcare and with the constant need to consider patient safety, our circumstances can be tense from the start. They know how we need to react based on both exercises and incidents and can navigate smoothly in delicate situations/balances with our unique needs in mind,”_ **_Jeremy Maxwell, Veradigm CISO_****_._** 

This is one of many stories we observe during our engagements with different organizations. For Talos IR, once the immediate threat is handled, the real work begins. We help to strengthen your defenses through ongoing support, so your organization is better prepared for the future. We keep the defenders in the loop with up-to-date threat intelligence, and we run regular training and drills to make sure that various teams know exactly what to do if something happens again. 

It’s a partnership built on trust, experience and a shared goal: keeping your organization resilient in a constantly evolving threat landscape.

What happens when you engage Cisco Talos Incident Response?

Talos discovered that a new PlugX variant’s features overlap with both the RainyDay and Turian backdoors

How RainyDay, Turian and a new PlugX variant abuse DLL search order hijacking

This edition pulls the curtain aside to show the realities of the VPN Filter campaign. Joe reflects on the struggle to prevent burnout in a world constantly on fire.

Thursday, September 18, 2025 14:00

Welcome to this week’s edition of the Threat Source newsletter. 

This is gonna be a tough read. I’m sorry. Believe it or not, it’s even tougher for me to write. I want to talk about what it costs to be in the cybersecurity profession. Not money or time, but potentially your health, both mentally and physically. I want to move the curtain aside and show you an inside look at what happens to people when the pressure is high and the desire to succeed is not only essential, but sometimes even life and death. 

So, story time. 

Seven years ago, Cisco Talos disclosed a novel and new threat campaign: VPN Filter. VPN Filter was a small office/home office (SOHO) device botnet that had many new things we’d never seen before in SOHO devices: infection persistence past device reboot, modularity, victimology, and perhaps most importantly, the (later) attribution to the Russian threat actor APT28 (aka Sandworm). The platform also featured a kill switch, a module designed to cover the tracks and or destroy a device infected with VPN Filter. This could be executed en masse, if they desired. This was a methodical, clever and well-structured campaign to attack unpatched and/or vulnerable devices all over the world for state cyber operations. As I look back at that time, it was (and still is) a marvel of tradecraft and offensive cyber operations. 

Put yourself in our position at Talos. We’ve just discovered a massive campaign by a notorious threat actor. We all know what this is, who this is, and what the consequences could be — and the threat actor had a massive head start on us. We absolutely couldn’t screw this up. If we tipped our hand via our research, the threat actor might get spooked and just burn the whole thing down with the kill switch. The stakes were very high. 

We spent months reversing and analyzing the malware, the victimology, infrastructure, and understanding the scale and scope of what VPN Filter did and potentially could do. The more we peeled things back, the more ominous the implications and the harder we worked. 

As the weeks turned into months, the hours we worked grew longer and longer, and the stress began to take its toll on all of us. The raw enormity of the tasks of analyzing and responding to VPN Filter and the stress of being stealthy begin to extract a price from us personally. Attitudes grew sour, relationships frayed, and some were rent asunder completely. For me, personally, it was a very dark time and would cost me dearly – I would exit people management into an individual contributor role that I still inhabit to this day. 

In the end, the threat actor forced us to into action. We had always theorized a “break glass” moment when the threat actor might hit the gas pedal and we would have to alert the world. One day we saw a massive spike in infections in Ukraine, and we disclosed to the world VPN Filter. We still had so many unanswered questions but had no choice when we saw the spike. In a way, it was a mercy. We had long since hit our limit and were just all collectively cooked and demoralized. I know I was, and it deeply affected my relationships and career, the reverberations of which I still feel to this day.  

I’m often asked by new or potential security practitioners, “Joe, what’s a cool hacker story?!” I have plenty of those, and VPN Filter is certainly one of them. But rarely does anyone want to hear the worst days of our lives. The tales of burnout and stress. Of the long hours and constant work. There is _always_ a breach happening somewhere, your company is _always_ under attack, there is _always_ a story of a someone getting hacked and sometimes people are even hurt or killed. This cadence takes a toll – from events like VPN Filter, to being in a SOC – it’s all the same. No matter where you work, we are here to keep our customers, constituents, and communities safe from some real assholes out there. It is about fighting the good fight, and the fight never stops.  

So, what can we do about it? How can you avoid being me in the middle of VPN Filter? 

1.  **Learn and enforce boundaries.** You must make space and time for you and firmly enforce that space and time. If that means disabling after hours comms, then do so, and do so guilt free. You must look after yourself. 
2.  **Peer support.** Whether it's a therapist, a colleague, or a Slack/Discord/Bsides where you can share and vent with others in the same boat as you, you must reduce the sense of isolation this career space can give you. Others are looking for the same thing and happy to listen and share. Celebrate your wins with people who are eager to reciprocate.  
3.  **Unplugged self-care.** This is tough, and I’m not great at it. Exercise, paint, work in your garden and do something unrelated to your job. Put down the hell rectangle that is your phone and unplug from the news and social media. 
4.  **Mandatory decompression/vacation.** After an incident, be it VPN Filter or a breach, leaders: _look after your people._ Recognize burnout and push your directs into some enforced downtime so they can recover. At a minimum, rotate them into a less stressful role so they can take a break. It’s your responsibility to care for those who work hard for you. 

Responding after the event is just as important as responding to the event itself. Every breach, VPN Filter-like event, or emergency is an opportunity to reflect on the cost to your health and evaluate what you can do to help yourself and others. This is a tough gig sometimes, but it’s a calling we love. Just take care of yourself and each other, ya hear?

**The one big thing **

In Talos' latest blog post, we break down why having a Cisco Talos Incident Response (IR) Retainer is a game-changer for any organization facing today’s nonstop cyber threats. With a Talos IR Retainer, you get direct access to our expert team, 24/7 emergency support, and tailored plans that keep everyone — from IT to leadership — on the same page. You’ll also benefit from continuous threat intelligence and real-world guidance to help your organization bounce back stronger after any incident. 

**Why do I care? **

Our team helps you hunt threats before they escalate, assess your readiness and improve your security posture over time. If a cyber incident hits, having a trusted partner already in place means you’re prepared to act decisively, with clear roles, tested procedures and experts ready to back you up every step of the way. 

**So now what? **

Think about securing a Talos IR Retainer to make sure you’ve got experts on speed dial and your defenses are always up to date. Reach out to us to schedule a tabletop exercise or to talk through how prepared your organization really is.

**Top security headlines of the week **

**New VoidProxy phishing service bypasses MFA on Microsoft and Google accounts**   
An attack typically begins with a deceptive email sent from a compromised account of legitimate email service providers, like Constant Contact, Active Campaign or NotifyVisitors. (Hack Read) 

**Shai-Hulud supply chain attack: Worm used to steal secrets, 180+ npm packages hit**   
The self-spreading potential of the malicious code will likely keep the campaign alive for a few more days. To avoid being infected, users should be wary of any packages that have new versions on npm but not on GitHub, and pin dependencies. (SecurityWeek) 

**Google nukes 224 Android malware apps behind massive ad fraud campaign**   
The apps were downloaded over 38 million times and employed obfuscation and steganography to conceal the malicious behavior from Google and security tools. (Bleeping Computer) 

**Former FinWise employee may have accessed nearly 700K customer records**   
Nearly 700,000 FinWise Bank customers are being notified after a former employee may have accessed or taken personal data post-employment. The incident went undetected for over a year. (The Register)

**Can’t get enough Talos? **

*   **Alex Ryan: From zero chill to quiet confidence**   
    Discover how a Cisco Talos Incident Response expert transitioned from philosophy to the high-stakes, emotionally intense world of incident command, and the advice that she has for aspiring cybersecurity professionals. 
*   **Beers with Talos: How to ruin an APT's day**   
    The B-Team is joined by Sara McBroom from Talos’ nation-state threat intelligence and interdiction team. Sara shares her journey from a liberal arts major to tracking some of the world’s most advanced adversaries. 
*   **Tampered Chef: When malvertising serves up infostealers**   
    Imagine downloading a PDF Editor tool from the internet that works great... until nearly two months later, when it quietly steals your credentials. Nick Biasini explains how cybercriminals are investing in "malvertising" and challenges in defense.

**Upcoming events where you can find Talos **

*   LABScon (Sept. 17 – 20) Scottsdale, AZ 
*   VB2025 (Sept. 24 – 26) Berlin, Germany 
*   Wild West Hackin' Fest (Oct. 8 – 10) Deadwood, SD

**Most prevalent malware files from Talos telemetry over the past week **

**SHA256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507**    
MD5: 2915b3f8b703eb744fc54c81f4a9c67f   
Talos Rep: https://talosintelligence.com/talos\_file\_reputation?s=9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507    
Typical Filename: executable.exe   
Claimed Product: N/A     
Example Filename:0a0dc0e95070a2b05b04c2f0a049dad8\_1\_Exe.exe    
Detection Name: Win.Worm.Coinminer::1201 

**SHA256: 41f14d86bcaf8e949160ee2731802523e0c76fea87adf00ee7fe9567c3cec610**    
MD5: 85bbddc502f7b10871621fd460243fbc    
Talos Rep: https://talosintelligence.com/talos\_file\_reputation?s=41f14d86bcaf8e949160ee2731802523e0c76fea87adf00ee7fe9567c3cec610    
Typical Filename: nwx3hgsl.exe   
Claimed Product: Self-extracting archive   
Detection Name: W32.41F14D86BC-100.SBX.TG 

**SHA256: c0ad494457dcd9e964378760fb6aca86a23622045bca851d8f3ab49ec33978fe**    
MD5: bf9672ec85283fdf002d83662f0b08b7    
Talos Rep: https://talosintelligence.com/talos\_file\_reputation?s=c0ad494457dcd9e964378760fb6aca86a23622045bca851d8f3ab49ec33978fe    
Typical Filename: werrx01USAHTML   
Claimed Product: N/A   
Detection Name: W32.C0AD494457-95.SBX.TG 

**SHA256: 96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974**    
MD5: aac3165ece2959f39ff98334618d10d9    
Talos Rep: https://talosintelligence.com/talos\_file\_reputation?s=96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974    
Typical Filename: ~3B6A.tmp   
Claimed Product: N/A   
Detection Name: W32.Injector:Gen.21ie.1201 

**SHA256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91**   
MD5: 7bdbd180c081fa63ca94f9c22c457376    
Talos Rep: https://talosintelligence.com/talos\_file\_reputation?s=a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91    
Typical Filename: img001.exe   
Claimed Product:   
Detection Name: Win.Dropper.Miner::95.sbx.tg

Put together an IR playbook — for your personal mental health and wellbeing

Discover how a Cisco Talos Incident Response expert transitioned from philosophy to the high-stakes world of incident command, offering candid insights into managing burnout and finding a supportive team.

Thursday, September 18, 2025 06:00

Welcome to another episode of Humans of Talos, our ongoing video interview series that celebrates the people powering Cisco’s threat intelligence efforts. In each episode, we dive deep into the personal journeys, motivations and lessons learned from the team members who help keep the internet safe.

This time, we sit down with Alex Ryan, a seasoned Incident Commander from Cisco Talos Incident Response. Read (or watch) on to hear her candid reflections on the emotional intensity of incident response, the critical role of a supportive team in preventing burnout, and invaluable advice for aspiring cybersecurity professionals.

**Amy Ciminnisi: Alex, you were recently on the Beers with Talos podcast, and during that, we learned that you have two liberal arts degrees, but you found yourself really loving how machines and systems worked, and then you work your way through the cybersecurity ranks. I'd love to know: What brought you to Talos?**

Alex Ryan: During my career inside companies doing incident response, vulnerability management, and risk management, Talos Intelligence was often one of my sources. I often looked at intelligence from vendors who were using their own datasets to generate the finished intelligence, rather than those who just took whatever intelligence was already out there, re-mashed it, and enriched it a bit. I have a lot of respect for Talos from using them as a source for guiding how I would do incident response and prioritize my defenses and things like that. When the opportunity came up to join Cisco Talos Incident Response as an Incident Commander, it was that reputation (and having used their material for so long which showed that there was really good quality people and research being done) that put this job at the top of my list of choices.

**AC: You have a very difficult job as an Incident Commander, acting as the point person in situations where people are possibly going through the worst days of their careers. What's something about your day-to-day role that people might be surprised by or interested in?**

AR: Incident response is a very high pressure situation to be in. You need to exude quiet confidence and build a trust relationships quickly with your customer. But on the back end, things can be chaotic: trying to get access to machines, trying to find the _right_ machines. "Do we have the right IOCs?" "What is this thing? Let me reverse engineer it." Trying to distill all of that activity into larger topics and give progress to the customer on it is critical.

It's also high risk for the business being impacted. I think that there was a statistic at one point that about 70% of small to medium businesses that paid the ransom after being compromised went out of business within a year, because the ransom was such a financial hit that they just couldn't absorb that kind of impact. So while the customer is trying to not freak out, I'm trying to exude quiet confidence while managing the forensics analysis activity. Trying to balance all of that is quite difficult, so incident response has a very high burnout rate.

After I came back from raising my children, it took me about two years to detox completely from incident response. I was _really_ high strung, and I had no chill. _Zero_ chill. I had to learn how to say no and how to prioritize my family over this hero complex that I was having at work. I would say I'm a much more well-rounded person now, and perhaps I'm better at my job because of that.

_Want to see more?_ _Watch the full interview__, and don’t forget to subscribe to our YouTube channel for future episodes of Humans of Talos!_

Alex Ryan: From zero chill to quiet confidence

With a Cisco Talos IR retainer, your organization can stay resilient and ahead of tomorrow's threats. Here's how.

**Why a Cisco Talos Incident Response Retainer is a game-changer**

Wednesday, September 17, 2025 06:00

In today’s hyper-connected world, cyber attacks are not a matter of if but when. Ransomware, phishing and data breaches dominate headlines. For any organization, the stakes are high and the impact can be wide. A cybersecurity breach can impact your organization’s ability to conduct normal business, damaging its reputation, reducing revenue, and disrupting operations. 

A Cisco Talos Incident Response (Talos IR) Retainer is a strategic investment that empowers your entire organization to stay resilient and ahead of tomorrow’s threats. Here’s how a Talos IR Retainer can strengthen your organization’s security and ensure peace of mind.

**What is a Cisco Talos IR Retainer? **

A Talos IR Retainer offers a direct line to Cisco’s top cybersecurity specialists, ensuring both proactive protection and swift response to cyber threats. Backed by Cisco Talos global threat intelligence and hundreds of threat intelligence researchers, it equips organizations to prevent, respond to, and recover from cyber incidents efficiently. From tailored incident response plans to 24/7 emergency support, the retainer is a lifeline in a threat landscape that never sleeps.

We have just released a series of short videos that explain the full range of Talos IR services. Check out the playlist here, or start by watching the Emergency Response video below:

**Benefits to the entire organization **

A Cisco Talos IR Retainer is not only designed to benefit your IT teams, but it’s a catalyst for building organization-wide resilience. Here is how Talos IR delivers value to clients’ stakeholders:  

1.  **Risk mitigation and cost savings**   
    Talos IR enables customers to respond swiftly to cyber threats and supports them through recovery efforts, minimizing downtime, costs, and regulatory risks 
2.  **Reputation protection**   
    A retainer equips leadership with strategic response plans and expert guidance, ensuring preparedness, demonstrating due diligence, and preserving stakeholder confidence during critical incidents. 
3.  **Organization-wide alignment**   
    A cybersecurity retainer ensures that your legal, human resources, information technology, and leadership teams are aligned before a threat strikes. Defined responsibilities and structured playbooks, plans, and tabletop exercises eliminate ambiguity and drive faster, more efficient incident response and recovery. Talos IR is there to create and review existing policies and make sure you are prepared at various levels.

**Bolstering organizational security **

A Talos IR Retainer transforms your organization’s security posture from reactive to proactive. Our job is to take you though the lifecycle of an incident and build up long-term resilience to cybersecurity attacks. We do this by delivering various engagements, such as: 

*   **Proactive Threat Hunting**   
    Using the PEAK Framework (Prepare, Execute, Act with Knowledge), Talos IR specialists proactively hunt for threats before they escalate, leveraging real-time intelligence to stay ahead of adversaries. 
*   **Customized preparedness**   
    Tailored IR plans, playbooks, and readiness assessments address your organization’s unique risks and evaluates the current state of its cybersecurity preparations.  
*   **Continuous improvement**   
    Post-incident reports and ongoing collaboration identify gaps and recommend long-term strategies, ensuring that security evolves with the threat landscape. 
*   **Vendor-agnostic integration**   
    Talos IR works with existing security tools, maximizing investments and enhancing detection and response capabilities in place. If needed, we can always deploy additional Cisco technology to help with an investigation. 
*   **Intelligence-driven defense**   
    Access to Talos’ global threat intelligence, updated in real time, ensures your organization is armed with the latest insights on adversary tactics, techniques, and procedures (TTPs). 

**What it means to have IR specialists on speed dial **

Having Talos IR specialists on call is like having an elite SWAT team for cybersecurity. Here is what Talos IR provides for your organization: 

*   **Rapid response, 24/7**   
    With a retainer, Cisco Talos IR specialists mobilize within hours of an incident, isolating threats and minimizing damage. This speed is critical, as every minute counts when containing ransomware or a data breach. 
*   **Expert guidance**   
    The Talos IR team brings unmatched expertise, analyzing adversary TTPs and providing actionable recommendations across many verticals and industries. 
*   **Tailored support**   
    Specialists collaborate with your teams, aligning response efforts with your business priorities. Whether coordinating with legal or PR, they ensure a cohesive strategy. 
*   **Peace of mind**   
    Knowing experts are a call away reduces stress for your executives and IT teams. Priority access means your organization is never left waiting during a crisis. 
*   **Post-Incident Review**   
    Talos IR delivers comprehensive reports that detail root causes, remediation steps, and preventive measures, turning incidents into opportunities for increased cybersecurity and prevention of future incidents.

**Real-world impact **

Our customers trust us to bring the expertise and knowledge they need to navigate their most challenging days with confidence.  Read about our work with Veradigm and how we made a difference during a Qakbot attack here. 

**Take the next step **

A Cisco Talos IR Retainer is a shield against cyber chaos. It strengthens your cybersecurity and ensures rapid recovery with specialists just a call away. Here’s how to get started: 

*   **Secure a Retainer**: Lock in priority access to proactive and emergency services. 
*   **Schedule a Tabletop Exercise**: Test your preparedness with tailored scenarios to fit your environment. 
*   **Explore** **our website****:** Access quarterly trends and learn more about Talos and what we do to secure our clients.

Why a Cisco Talos Incident Response Retainer is a game-changer

Thor examines why supply chain and identity attacks took center stage in this week’s headlines, rather than AI and ransomware.

Thursday, September 11, 2025 14:00

Welcome to this week’s edition of the Threat Source newsletter. 

I took a two-week vacation (thanks to Bill for covering my author shift last week) and made the deliberate choice to leave my laptop behind. No emails, IMs, no IT at all. Thank you, European work culture! It was a complete break. 

Well, almost. 

The weather didn’t always cooperate, so instead of freezing on a beach, I found myself catching up on TV — mostly news and a few series. But wherever I clicked, I just couldn’t escape the daily dose of AI. What can we do about invasive mosquitos? Ask AI. Government doesn’t move the needle? Ask AI. Want the weather forecast? AI, obviously. There are countless ads with people asking AI whether or not to wear a jacket “because it might rain.” Even with your favorite TV shows, gone are the days when the hoodied hacker sits in front of a black terminal with green text running a dangerous (haha) ping or nmap. Now, they're writing lines like, “Did you try breaking the firewall with our latest AI algorithm, bro?” 

Coming back to work and catching up on our industry news, I almost expected AI to be dominating the headlines. But it wasn't, and neither was ransomware. Instead, they were all about breaches. Many — but not all — reports referenced compromised OAuth tokens linked to Salesloft’s Drift integration, with a notable number of high-profile victims. Sure, this isn’t a scientific or qualitative analysis (ransomware isn’t disappearing anytime soon), but the reporting and the headlines have definitely shifted from one to the other. 

Looking past the buzzwords and catchphrases, the headlines really boiled down to two main themes: supply chain and identity attacks. In a SaaS world, I think it’s time to rethink their definitions and priority levels. 

Why? First, supply chain attacks aren’t limited to hardware or software anymore. We need to consider the datapath (or where data possibly is processed) as a key part of the supply chain. 

Second, identity attacks don’t just target users; interconnected applications are increasingly at risk, too. I’m not saying we can ignore the users, especially with current reporting that it started with access through a GitHub account or software vulnerabilities in our “classic” applications, but we absolutely need to broaden our focus. Last week’s headlines made that clear. 

**The one big thing **

Cisco Talos’ latest blog post details the Cyber Threat Intelligence Capability Maturity Model (CTI-CMM), a framework that helps organizations assess and enhance their cyber threat intelligence programs across 11 key domains. By outlining clear maturity levels and improvement cycles, CTI-CMM can help your team benchmark your current capabilities and develop a strategy for continuous (and practical) growth. 

**Why do I care? **

Understanding and improving your CTI program’s maturity can help your organization better anticipate, detect, and respond to cyber threats, no matter your budget or staffing level. It also makes the security investments you do have more effective, and ensure your team’s efforts are aligned with business priorities.  

**So now what? **

Check out the CTI-CMM framework to assess where your organization stands, identify gaps and opportunities, and create a roadmap to practical improvements for your organization.

**Top security headlines of the week **

**Huge NPM supply chain attack goes out with whimper**   
A supply chain attack involving multiple NPM packages had the potential to be one of the most impactful security incidents in recent memory, but such fears seemingly have proved unrealized. (Dark Reading) 

**Swiss Re warns of rate deterioration in cyber insurance**   
Increased competition among insurers has led to a third consecutive year of reduced rates, according to the report, as the available supply of cyber coverage has exceeded current demand. (Cybersecurity Dive) 

**Critical SAP vulnerability actively exploited by hackers**   
A critical security flaw has been found in several SAP products, and could allow a malicious actor to gain administrator-level control. (HackRead)

**No gains, just pains: 1.6M fitness phone call recordings exposed**   
Sensitive info from hundreds of thousands of gym customers and staff was left sitting in an unencrypted, non-password protected database. Audio recordings spanned from 2020 to 2025. (The Register)

**US offers $10M reward for Ukrainian ransomware operator**   
Volodymyr Tymoshchuk allegedly hit hundreds of organizations with the LockerGoga, MegaCortex, and Nefilim ransomware families. According to an indictment, the intrusions caused hundreds of millions of dollars in losses. (Security Week)

**China accuses Dior's Shanghai branch of illegal data transfer**   
China's public security authority alleges that Dior's Shanghai branch has transferred customers' personal data to its headquarters in France illegally, leading to a data leak in May. (Reuters)

**Can’t get enough Talos? **

*   **Beers with Talos: How to ruin an APT's day**  
    The B-Team is joined by Sara McBroom from Talos’ nation-state threat intelligence and interdiction team. Sara shares her journey from a liberal arts major to tracking some of the world’s most advanced adversaries.
*   **Who would sign up to secure a network full of hackers?**   
    Our latest video takes you behind-the-scenes at the Black Hat Network Operations Center (NOC) to see how Cisco and SnortML contain the chaos. 
*   **Patch Tuesday for Sept 2025**   
    In this month’s release, Microsoft observed none of the included vulnerabilities being exploited in the wild. However, there are eight vulnerabilities where exploitation may be likely. 
*   **Cisco: 10 years protecting Black Hat**   
    Cisco works with other official providers to bring the hardware, software and engineers to build and secure the Black Hat USA network: Arista, Corelight, Lumen, and Palo Alto Networks.

**Upcoming events where you can find Talos **

*   LABScon (Sept. 17 – 20) Scottsdale, AZ 
*   VB2025 (Sept. 24 – 26) Berlin, Germany 
*   Wild West Hackin' Fest (Oct. 8 – 10) Deadwood, SD

**Most prevalent malware files from Talos telemetry over the past week **

**SHA 256: 41f14d86bcaf8e949160ee2731802523e0c76fea87adf00ee7fe9567c3cec610**     
MD5: 85bbddc502f7b10871621fd460243fbc      
VirusTotal: https://www.virustotal.com/gui/file/41f14d86bcaf8e949160ee2731802523e0c76fea87adf00ee7fe9567c3cec610/details  
Typical Filename: N/A     
Claimed Product: Self-extracting archive     
Detection Name: Win.Worm.Bitmin-9847045-0 

**SHA 256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507**    
MD5: 2915b3f8b703eb744fc54c81f4a9c67f    
VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507     
Typical Filename: VID001.exe    
Claimed Product: N/A    
Detection Name: Win.Worm.Coinminer::1201 

**SHA 256: c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0**    
MD5: 8c69830a50fb85d8a794fa46643493b2     
VirusTotal: https://www.virustotal.com/gui/file/c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0    
Typical Filename: AAct.exe     
Claimed Product: N/A     
Detection Name: PUA.Win.Dropper.Generic::1201

Beaches and breaches

The Cyber Threat Intelligence Capability Maturity Model (CTI-CMM) helps organizations assess and improve their threat intelligence programs by outlining 11 key areas and specific missions where CTI can support decision-making.

Wednesday, September 10, 2025 10:01

*   The Cyber Threat Intelligence Capability Maturity Model (CTI-CMM) helps organizations assess and improve their threat intelligence programs by outlining 11 key areas and specific missions where CTI can support decision-making. 
*   The model describes four levels of maturity, guiding teams from basic, ad hoc activities to highly strategic and refined practices through a cycle of continuous improvement. 
*   CTI-CMM builds on earlier capability models and research, offering a practical framework for organizations to benchmark and evolve their CTI efforts. 

**Overview **

The familiar idiom “walk before you run” summarizes a fundamental truth about skill acquisition: you must master certain foundational capabilities before you can successfully execute more complex activities. This principle applies universally, from learning a new sport to developing highly specialized technical skills. Any area will have foundational skills, activities that anyone competent in the domain can perform, and characteristics that show that an individual (or team) has reached the highest levels of mastery. 

Capability maturity models (CMMs) outline the hierarchy of skills and activities that may be required within a particular area. The capabilities and characteristics are listed for teams of different levels of maturity operating within a domain. These descriptions can be used to evaluate the current level of a team or to identify the capabilities that must be acquired in order to improve. 

Despite its importance, the exact function of cyber threat intelligence (CTI) can vary widely across organizations. The community-developed  Cyber Threat Intelligence Capability Maturity Model (CTI-CMM) shows how threat intelligence can help an organization and the various levels of capability that cyber threat intelligence teams can achieve. 

**Details **

The CTI-CMM lists 11 domains where CTI can greatly improve decision-making,  and also details specific “missions” CTI can carry out to strengthen each domain. 

Domain 

Abridged Description 

Example CTI Mission 

Asset, Change and Configuration Management 

Manage the organization’s IT and OT assets. 

Rapidly detect at-risk assets. 

Threat and Vulnerability Management 

Detect, identify, analyze, manage, and respond to cybersecurity threats and vulnerabilities. 

Reduce risk against new and emerging adversaries, malware, vulnerabilities, and exploits. 

Risk Management 

Identify, analyze and respond to cyber 

risk the organization is subject to. 

Improve risk decisions. 

Identity and Access Management 

Manage identities for entities that may be 

granted logical or physical access to the organization’s assets. 

Reduce incident detection times, accelerate remediation. 

Situational Awareness 

Establish situational 

awareness for operational state and cybersecurity state. 

Drive threat-informed decision-making based on the current and forecast threat landscape. 

Event and Incident Response, Continuity of Operations 

Respond to, and recover from cybersecurity events and incidents. 

Create an intelligence 

advantage for incident responders and strengthen the security posture. 

Third-Party Risk Management 

Manage the cyber risks arising from suppliers and other third parties 

Monitor, detect, assess and mitigate potential incidents posed by third-party vendors and suppliers. 

Fraud and Abuse Management 

Shield organizations from malicious digital scams and attacks. 

Share threats 

and findings with relevant stakeholders. 

Workforce Management 

Create a culture of cybersecurity 

and security competence. 

Support hardening of the human element. 

Cybersecurity Architecture 

Maintain the structure and behavior of the organization’s cybersecurity architecture. 

Provide insights into cyber threats that may 

target the organization. 

Cybersecurity Program Management 

Provides governance, strategic planning and sponsorship for the organization’s cybersecurity activities. 

Deliver tailored intelligence inputs to 

inform cybersecurity decision-making. 

  
The missions span a wide spectrum, from proactively monitoring an organization’s attack surface in support of asset management to providing crucial situational awareness of the evolving threat landscape and its direct relevance to organizational activities. 

The CTI-CMM also defines distinct levels of maturity for threat intelligence activities, providing a clear progression path: 

A placeholder for practices that are not executed. 

Many threat intelligence activities begin here, characterized by basic, ad hoc and unplanned efforts focused on short-term, reactive results. 

As an activity matures, it becomes planned, with documented procedures and metrics demonstrating its support for stakeholders. The focus shifts towards proactive and predictive intelligence, delivering short- and intermediate-term results. 

At the highest level, activities are highly refined, focusing on delivering long-term strategic outcomes for the business. This level integrates prescriptive intelligence and recommendations, combined with continuous improvement practices, making practices measurable and aligned directly to business objectives. 

  
The framework espouses an improvement process analogous to the “plan, do, check, act” management model. In this case, the steps within a cycle of improvement are “prepare, assess, plan, deploy, measure.” With each rotation through the cycle, the capabilities of the threat intelligence program are incrementally improved, growing the maturity of the program. 

**History of CTI-CMM **

This approach to improving capabilities and benchmarking against defined standards is not new. CMMs originated in the mid-1980s, driven by the U.S. Department of Defense's desire to compare and evaluate software contractors. Largely thanks to the efforts of the Software Engineering Institute (SEI) at Carnegie Mellon University, CMMs evolved into the widely-applied Capability Maturity Model Integration (CMMI). 

The CTI-CMM adopts domains from the Cybersecurity Capability Maturity Model (C2M2), developed by the U.S. energy industry and first published in 2012. While the C2M2 acknowledged the importance of threat intelligence as a concept within overall cybersecurity posture, it did not specifically address the maturity of a dedicated threat intelligence program. However, the very first paper describing a maturity model for threat intelligence was published in the same year by the industry vendor Verisign. Thus, the origins of the CTI-CMM can be traced back to these two initiatives of the early 2010s. 

**Closing **

It's crucial for organizations to understand that aspiring to the highest level of CTI maturity is not always a practical goal. The intelligence program should focus on meeting the real needs of its users and stakeholders rather than seeking to hit a high score on an industry framework. An intelligence team with more resources may produce “better” intelligence and be more responsive. However, in a world of finite resources, those additional resources may be better spent in delivering “good enough” intelligence to teams that can use it well, rather than delivering the best intelligence to teams without the capacity or resources to effectively utilize the information. 

Ultimately, the Cyber Threat Intelligence Capability Maturity Model (CTI-CMM) provides an invaluable resource for organizations to assess and evolve their CTI capabilities. As threat intelligence solidifies its role as an indispensable component of cybersecurity strategy, maturity models tools will become not only the drivers for internal organizational growth but also key instruments for external entities to benchmark and compare organizations’ overall cybersecurity maturity.

Maturing the cyber threat intelligence program

Microsoft has released its monthly security update for September 2025, which includes 86 vulnerabilities affecting a range of products.

Tuesday, September 9, 2025 15:12

Microsoft has released its monthly security update for September 2025, which includes 86 vulnerabilities affecting a range of products.

In this month’s release, Microsoft observed none of the included vulnerabilities being exploited in the wild. However, there are eight vulnerabilities where exploitation may be likely. Five consist of elevation of privileges, two may result in information disclosure and only one, CVE-2025-54916, is a remote code execution (RCE) vulnerability.

CVE-2025-54916 is an RCE vulnerability caused by a stack-buffer overflow in Windows NTFS that allows an authorized attacker to execute code over the network. Microsoft has noted that this vulnerability affects different versions of Windows 10, 11, Server 2008, 2012, 2016, 2019, 2022 and 2025.

CVE-2025-54910 is an RCE vulnerability caused by a heap-based buffer overflow in Microsoft Office that allows an unauthorized attacker to execute code locally. This type of vulnerability is also known as Arbitrary Code Execution (ACE). Microsoft clarifies that the attack itself is carried out locally, and that the location of the attacker can be remote, but the vulnerability must be exploited locally. This vulnerability affects Microsoft 365 Apps, Office 2016, 2019 and LTSC 2021 and 2024. 

CVE-2025-54918 is an elevation of privilege (EoP) vulnerability caused by improper authentication in Windows NTLM that allows an authorized attacker to elevate privileges over a network to gain SYSTEM privileges. This vulnerability affects various versions of Windows including Windows 10, 11, Server 2008, 2012, 2016, 2019, 2022 and 2025.

CVE-2025-54101 is an RCE vulnerability caused by a use-after-free in Windows SMB v3 Client/Server that allows an authorized attacker to execute code over a network. Successful exploitation requires the attacker to win a race condition. This vulnerability affects various versions of Windows including Windows 10, 11, Server 2008, 2012, 2016, 2019 and 2022.

Two RCE vulnerabilities in DirectX Graphics kernel may result in remote code execution: CVE-2025-55226 and CVE-2025-55236. CVE-2025-55226 is caused by concurrent execution using a shared resource and improper synchronization in the Graphics Kernel allowing an authorized attacker to execute code locally. Microsoft also notes that this vulnerability requires an attacker to prepare the target environment to improve exploit reliability. This vulnerability affects various versions of Windows including Windows 10, 11, Server 2008, 2012, 2016, 2019, 2022 and 2025.

CVE-2025-55236 is a time-of-check time-of-use (toctou) race condition in the Graphics Kernel allowing an authorized attacker to execute locally. This vulnerability affects various versions of Windows including Windows 10, 11, Server 2019, 2022 and 2025.

Talos would also like to highlight the following important vulnerabilities as Microsoft has assessed that their exploitation is more likely:

CVE-2025-53803: Windows Kernel Memory Information Disclosure Vulnerability.

CVE-2025-53804: Windows Kernel-Mode Driver Information Disclosure Vulnerability.

CVE-2025-54093: Windows TCP/IP Driver Elevation of Privilege Vulnerability.

CVE-2025-54098: Windows Hyper-V Elevation of Privilege Vulnerability.

CVE-2025-54110: Windows Kernel Elevation of Privilege Vulnerability.

A complete list of all the other vulnerabilities Microsoft disclosed this month is available on its update page.

In response to these vulnerability disclosures, Talos is releasing a new Snort ruleset that detects attempts to exploit some of them. Please note that additional rules may be released at a future date, and current rules are subject to change pending additional information. Cisco Security Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Ruleset customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.   

Snort2 rules included in this release that protect against the exploitation of many of these vulnerabilities are: 65327 – 65334.

The following Snort3 rules are also available: 301310 – 301313.