Cisco Talos’ Vulnerability Discovery & Research team recently disclosed five vulnerabilities in Bloomberg Comdb2.  
Comdb2 is an open source, high-availability database developed by Bloomberg. It supports features such as clustering, transactions, snapshots, and isolation. The implementation of the database utilizes optimistic locking for concurrent operation.
The vulnerabilities

Thursday, July 24, 2025 10:03

Cisco Talos’ Vulnerability Discovery & Research team recently disclosed five vulnerabilities in Bloomberg Comdb2.  

Comdb2 is an open source, high-availability database developed by Bloomberg. It supports features such as clustering, transactions, snapshots, and isolation. The implementation of the database utilizes optimistic locking for concurrent operation.

The vulnerabilities mentioned in this blog post have been patched by the vendor, all in adherence to Cisco’s third-party vulnerability disclosure policy.    

For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website.     

**Comdb2 vulnerabilities**

_Discovered by a member of Cisco Talos._ 

Three null pointer dereference vulnerabilities exist in Bloomberg Comdb2 8.1. Two vulnerabilities (TALOS-2025-2197 (CVE-2025-36520) and TALOS-2025-2201 (CVE-2025-35966)) are in protocol buffer message handling, which can lead to denial of service. An attacker can simply connect to a database instance over TCP and send the crafted message to trigger this vulnerability. TALOS-2025-2199 (CVE-2025-48498) is in the distributed transaction component. A specially crafted network packet can lead to a denial of service. An attacker can send packets to trigger this vulnerability.

There are also two denial-of-service vulnerabilities:

*   TALOS-2025-2198 (CVE-2025-46354) exists in the Distributed Transaction Commit/Abort Operation of Bloomberg Comdb2 8.1. A specially crafted network packet can lead to a denial of service. An attacker can send a malicious packet to trigger this vulnerability.
*   TALOS-2025-2200 (CVE-2025-36512) exists in the Bloomberg Comdb2 8.1 database when handling a distributed transaction heartbeat. A specially crafted protocol buffer message can lead to a denial of service. An attacker can simply connect to a database instance over TCP and send the crafted message to trigger this vulnerability.

Bloomberg Comdb2 null pointer dereference and denial-of-service vulnerabilities

Cisco Talos Incident Response (Talos IR) recently observed attacks by Chaos, a relatively new ransomware-as-a-service (RaaS) group conducting big-game hunting and double extortion attacks.

Unmasking the new Chaos RaaS group attacks

FBI warns of Interlock ransomware using unique tactics to hit businesses and critical infrastructure with double extortion.

The Federal Bureau of Investigation (FBI), alongside the Cybersecurity and Infrastructure Security Agency (CISA), the Department of Health and Human Services (HHS), and the Multi-State Information Sharing and Analysis Center (MS-ISAC), has issued a warning regarding increased activity by the Interlock ransomware group.

This financially motivated threat targets a wide range of organizations, including businesses and vital critical infrastructure across North America and Europe, employing a dangerous double extortion model to maximize pressure on victims.

****Interlock’s Uncommon Attack Methods****

Interlock ransomware was first detected in late September 2024, with FBI investigations as recent as June 2025 detailing their evolving tactics. The group develops encryptors for both Windows and Linux operating systems, with a particular focus on encrypting virtual machines (VMs). Open-source reports also suggest similarities between Interlock and the Rhysida ransomware variant.

This group stand out for its initial access techniques, which differ from many ransomware groups. One observed method involves ‘drive-by downloads’ from legitimate but compromised websites, where malicious software is disguised as fake updates for popular web browsers like Google Chrome or Microsoft Edge, or even common security tools such as FortiClient or Cisco-Secure-Client.

Moreover, they leverage a social engineering trick called ClickFix, where users are tricked into running harmful files by clicking on fake CAPTCHAs that instruct them to paste and execute malicious commands in their system’s run window.

Once inside a network, the ransomware deploys web shells and tools like Cobalt Strike to establish control, move between systems, and steal sensitive information. They gather login details, including usernames, passwords, and even use keyloggers to record keystrokes.

According to the advisory (PDF), After stealing data, Interlock encrypts systems, appending files with .interlock or .1nt3rlock extensions. They then demand ransom without an initial amount in their note, instead instructing victims to contact them via a special .onion website over the Tor browser. The group threatens to leak exfiltrated data if the ransom, typically paid in Bitcoin, is not met, a threat they have consistently followed through on.

****Urgent Defences for Organizations****

To counter the Interlock threat, federal agencies urge organizations to implement immediate security measures. Key defences include:

*   Preventing initial access by using DNS filtering and web access firewalls, and training employees to spot social engineering attempts.

*   Patching and updating to make sure all operating systems, software, and firmware are up to date, prioritizing known vulnerabilities.

*   Strong authentication implementation, like multi-factor authentication (MFA) for all services where possible, along with stronger identity and access management policies.

*   Network Control by segmenting networks to limit how far ransomware can spread.

*   Backup and recovery by maintaining multiple, offline, immutable (unchangeable) backups of all critical data.

Also, no-cost resources are available through the ongoing #StopRansomware initiative.

FBI and CISA Warn of Interlock Ransomware Targeting Critical Infrastructure

In the first Humans of Talos, Amy sits with Hazel Burton — storyteller, security advocate, and all-around Talos legend. Hazel shares her journey from small business entrepreneurship to leading content programs at Talos.

Wednesday, July 23, 2025 06:00

Welcome to the first episode of Humans of Talos, a new video interview series that shines a spotlight on team members across Talos. Featuring their personal stories, career journeys and unique perspectives, you'll get an inside look into what it's like to work in our organization and the people who make the internet more secure for all.

**Amy Ciminnisi:** **Hello and welcome to the first episode of Humans of Talos! I'm here with Hazel Burton, who should be a familiar face to most of you. I'm curious: What led you to your role at Talos? What made you want to join?**

Hazel Burton: I'd always worked in small businesses before and always had a bit of an entrepreneurial mindset because of that. I just started doing things that I wasn't supposed to be doing! I commandeered an office in one of the small businesses, turned it into a TV studio and started creating security content. That somehow led me on a path to joining Cisco.

I was doing a lot of storytelling and communications around some of the main challenges that people in this industry go through, but I was always finding excuses to work with Talos. I love the people at Talos, but I also love the ethos: doing the right thing, even if it makes no commercial sense whatsoever. So when I was asked to hop over the fence and work full-time at Talos leading content programs and and data-driven stuff, it was an opportunity to help a really strong organization rooted in that ethos to do what they do best and make things easier for people in this industry. So it was a pretty easy decision to make to join Talos.

**AC: Following that, what advice you would give to someone who would want to join Talos?**

HB: Ask bold questions would be my first piece of advice. This is a very safe space to be able to do things like that. Ask, "Could this work? What if we tried this?" I promise you, you will be hired based on you asking those questions and you will be trusted to find the answers, even if the answer is, "Yeah, that didn't work at all, did it? Oh, well."

The other one — I don't know if I can say this, you might want to bleep it out — but don't be an arsehole. The people that we work with are as generous as they are amazingly smart and talented. So sharing their knowledge, helping each other out, not mocking someone for not knowing something, saying, "I don't have any experience in this, can you help me?" That is what Talos is about. If you are only looking after number one, then probably don't join Talos. But if you do want to be part of something where everyone has your back, then do.

The third thing that I think is really important for people to know, because they might have been burned by this before, is that we do actually have a leadership team who fights to give Talos people the air cover that they need when they need to go out and do things. So, it happens quite often where we'll have to drop something and go to a rapid response effort — because, you know, the world — and we're given the resources to be able to do that and the air cover. So if you don't have that at the moment, trust me: When you find it, it's the most amazing thing in the world because you know that you are going to have a clear runway. That is the nature of how the organization works.

**AC: Yeah. It doesn't just help the person grow their own skillset, it doesn't just help Talos — but having that airway helps everyone as a whole, the cybersecurity community and beyond.**

HB: Also, bring your own nerdy self to work! Again, it's a very safe place to do that.

_For more, watch the_ _full interview._

Meet Hazel Burton

Cisco on Monday updated its advisory of a set of recently disclosed security flaws in Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC) to acknowledge active exploitation.
"In July 2025, the Cisco PSIRT [Product Security Incident Response Team], became aware of attempted exploitation of some of these vulnerabilities in the wild," the company said in an alert.
The

Cisco Confirms Active Exploits Targeting ISE Flaws Enabling Unauthenticated Root Access

Cisco Talos is aware of the ongoing exploitation of CVE-2025-53770 and CVE-2025-53771 in the wild. These are path traversal vulnerabilities affecting SharePoint Server Subscription Edition, SharePoint Server 2016, and SharePoint Server 2019.

Monday, July 21, 2025 16:33

Cisco Talos is aware of the ongoing exploitation of CVE-2025-53770 and CVE-2025-53771 in the wild. These are path traversal vulnerabilities affecting SharePoint Server Subscription Edition, SharePoint Server 2016, and SharePoint Server 2019. According to Microsoft, these vulnerabilities do not affect SharePoint Online in Microsoft 365 and only apply to on-premises SharePoint servers.  

Microsoft has also released security updates and mitigation guidance for multiple affected products. At the time of this writing, no updated security patches are currently available for SharePoint Server 2016.  

These two vulnerabilities, CVE-2025-53770 / CVE-2025-573771, are related to CVE-2025-49704 and CVE-2025-49706, which were featured in the July Microsoft Patch Tuesday updates. The new updates that Microsoft has published provide more comprehensive protection against exploitation attempts targeting these vulnerabilities. In addition to installing the updates provided by Microsoft, they are also recommending users rotate the SharePoint Server ASP.NET machine keys to ensure data integrity. The Cybersecurity Infrastructure Security Agency (CISA) has also released additional details and technical indicators associated with ongoing exploitation attempts targeting unprotected SharePoint servers between July 18 – 19, 2025.  

**Vulnerability details **

These are both unauthenticated remote code execution vulnerabilities related to CVE-2025-47904 and CVE-2025-49706. One of the key features of the previous vulnerabilities is that the user needed to be authenticated to obtain a valid signature by extracting the ValidationKey from memory or configuration. In the case of CVE-2025-53770 and CVE-2025-53771, attackers have managed to eliminate the need to be authenticated to obtain a valid signature, resulting in unauthenticated remote code execution. 

Patches have already been provided by Microsoft for most versions of SharePoint Server. However, as of the time of this publishing, SharePoint Server 2016 remains unpatched. As an alternative option, Microsoft has recommended that the Antimalware Scan Interface (AMSI) is turned on and configured correctly with the associated antivirus solution. 

Once patches are applied, Microsoft also recommends that users rotate their SharePoint Server ASP.NET machine keys in case the signing keys were compromised in the attack. This can be done both manually via Powershell and via Central Admin. 

**Coverage **

As part of our coverage of the July Microsoft Patch Tuesday release on July 8, 2025, Talos previously published Snort SID 65092 to provide detection for exploitation attempts targeting CVE-2025-49704. We have investigated the new details provided by Microsoft as well as open-source information related to ongoing reports of exploitation activity targeting these vulnerabilities and have confirmed that the existing coverage remains effective at this time. Additionally Talos has published Snort SID 65183 to provide detection for the webshell being deployed in the current campaigns.  

Malicious Process Creation By Microsoft Exchange Server lIS triggers on creation of the webshell payload 

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here. 

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here. 

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat. 

Cisco Secure Network/Cloud Analytics (Stealthwatch/Stealthwatch Cloud) analyzes network traffic automatically and alerts users of potentially unwanted activity on every connected device. 

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products. 

Cisco Secure Access is a modern cloud-delivered Security Service Edge (SSE) built on Zero Trust principles.  Secure Access provides seamless transparent and secure access to the internet, cloud services or private application no matter where your users work.  Please contact your Cisco account representative or authorized partner if you are interested in a free trial of Cisco Secure Access. 

Umbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network.  

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.  

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center. 

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.  

Snort SIDs for this threat are 65092 (Vulnerability). 65183 (Webshell).

ToolShell: Details of CVEs Affecting SharePoint Servers

On this episode of Uncanny Valley, we dive into the differences between what the US government said about a Jeffrey Epstein video it released and the story told by its metadata.

How WIRED Analyzed the Epstein Video

Cisco just disclosed a critical severity flaw in its ISE and ISE-PIC products, joining two similar bugs disclosed last month.

Cisco Discloses '10' Flaw in ISE, ISE-PIC — Patch Now

This week, Martin shows how stepping away from the screen can make you a stronger defender, alongside an inside scoop on emerging malware threats.

Thursday, July 17, 2025 14:00

Welcome to this week’s edition of the Threat Source newsletter.

Burnout is a real issue for people in cybersecurity. We protect the systems that allow modern life to function. Our hours are long, our sense of responsibility real and occasionally heavy. Everyone notices when we have a bad day and an attack evades our protections, but nobody notices our best days when complex threats are detected and neutralized. Our failures are very visible, while our successes are imperceptible to others. This, coupled with a professional propensity to always consider negative outcomes, is a recipe for poor mental health – not to mention that we most of our waking hours sitting in front of screens, engaging with machines.

Making a difference and stopping the bad guys means being in cybersecurity for the long haul. Experience is built with each new deployment and each resolved incident. Sometimes the worst incidents are in retrospect the best learning experiences. Professional experience is gained through many years of struggle. Losing a team member through burnout or being unable to continue with a career in the domain is a personal tragedy and a loss of experience to the entire cybersecurity community.

Various factors contribute to the high stress loads felt by cybersecurity teams. Many of these, such as the nature and frequency of attacks, are outside of our control. Others, such as budget approval or the appropriate prioritisation of projects, often appear close to being under control before somehow getting derailed.

We might not be able to control external factors, but we can manage our own responses to the stress that we face. Firstly, set boundaries and stick to them. Once your shift is over, stop working – and that includes thinking about it. This is easier said than done, but unless there is a real emergency, practice stepping away from work at the end of the day. Leaving work at work allows you to destress during your free time. 

Second, prioritize fun activities that don’t involve work or computers. Set aside time during your week to do something that you enjoy. Having many different activities and pastimes in your life helps provide balance. If one aspect of your life is particularly tough, then balance that with another part of your life which is going well. Personally, I find joy and escape in trail running. Finding myself deep in the countryside as far away from computer screens as possible provides me with time to recharge and recover.

Detecting threats and stopping the bad guys requires more than technical prowess. We must be committed to looking after ourselves, and each other, and to disconnecting from our passion for the work to continue doing it for years to come. 

**The one big thing  **

Cisco Talos identified a Malware-as-a-Service (MaaS) operation in early 2025 that used the Emmenhtal loader and Amadey malware to deliver malicious payloads targeting Ukrainian entities, often via public GitHub repositories. Talos worked with GitHub to remove these malicious accounts and recommends security solutions to prevent similar threats. 

**Why do I care?  **

This operation shows how easily adversaries can use trusted platforms like GitHub to deliver malware, making it more difficult for organizations to detect and block threats — especially if GitHub access is required for legitimate purposes.   

**So now what?**

Organizations should review their security policies around GitHub access, deploy advanced security controls and remain vigilant for phishing campaigns and malware leveraging public repositories to minimize the risk of compromise.

**Top security headlines of the week  **

**Four arrested in connection with M&S and Co-op cyber-attacks**   
The National Crime Agency (NCA) says a 20-year-old woman was arrested in Staffordshire, and three males - aged between 17 and 19 - were detained in London and the West Midlands. (BBC)

**Patch immediately: CVE-2025-25257 PoC enables remote code execution on Fortinet FortiWeb**    
The flaw allows unauthenticated attackers to execute remote code by writing malicious files to the server's filesystem, potentially leading to full remote code execution. (Security Affairs)

**Train brakes can be hacked over radio — and the industry knew for 20 years**   
“Successful exploitation... could allow an attacker to send their own brake control commands to the end-of-train device, causing a sudden stoppage of the train which may lead to a disruption of operations, or induce brake failure,” CISA said. (SecurityWeek)

**Episource is notifying millions of people that their health data was stolen**   
The breach affects more than 5.4 million people, making it one of the largest healthcare breaches of the year so far. The attacker stole personal information and protected health data. (TechCrunch)

**Can’t get enough Talos? **

**The significance of timeliness in incident response**   
Cisco Talos IR compares two real-world ransomware engagements and shares how the organizations’ response times made all the difference in the outcome of an attack.

**Talos Takes: Why attackers love your remote access tools**  
Attackers are increasingly abusing the same remote access tools that IT teams rely on every day. In this episode, Hazel sits down with Talos security researcher Pierre Cadieux to unpack why these legitimate tools have become such an effective tactic for adversaries.

**TTP: The next phase of LLM abuse**   
Talos researcher Jaeson Schultz explores how cybercriminals are starting to integrate LLMs into full attack workflows, and even experiment with manipulating the data these models rely on.

**Upcoming events where you can find Talos  **

*   NIRMA (July 28 – 30) St. Augustine, FL 
*   Black Hat USA (Aug. 2 – 7) Las Vegas, NV

**Most prevalent malware files from Talos telemetry over the past week   **

**SHA 256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507**   
MD5: 2915b3f8b703eb744fc54c81f4a9c67f   
VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507   
Typical Filename: VID001.exe   
Claimed Product: N/A   
Detection Name: Win.Worm.Coinminer::1201

**SHA 256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91**     
MD5: 7bdbd180c081fa63ca94f9c22c457376   
VirusTotal: https://www.virustotal.com/gui/file/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91/details   
Typical Filename: IMG001.exe    
Claimed Product: N/A   
Detection Name: Simple\_Custom\_Detection

**SHA256: 47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca**   
MD5: 71fea034b422e4a17ebb06022532fdde    
VirusTotal: https://www.virustotal.com/gui/file/47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca/details   
Typical Filename: VID001.exe    
Claimed Product: N/A    
Detection Name: Coinminer:MBT.26mw.in14.Talos

This is your sign to step away from the keyboard

Threat actors are leveraging public GitHub repositories to host malicious payloads and distribute them via Amadey as part of a campaign observed in April 2025.
"The MaaS [malware-as-a-service] operators used fake GitHub accounts to host payloads, tools, and Amadey plug-ins, likely as an attempt to bypass web filtering and for ease of use," Cisco Talos researchers Chris Neal and Craig Jackson

Tag

#cisco