FBI warns of Interlock ransomware using unique tactics to hit businesses and critical infrastructure with double extortion.

The Federal Bureau of Investigation (FBI), alongside the Cybersecurity and Infrastructure Security Agency (CISA), the Department of Health and Human Services (HHS), and the Multi-State Information Sharing and Analysis Center (MS-ISAC), has issued a warning regarding increased activity by the Interlock ransomware group.

This financially motivated threat targets a wide range of organizations, including businesses and vital critical infrastructure across North America and Europe, employing a dangerous double extortion model to maximize pressure on victims.

****Interlock’s Uncommon Attack Methods****

Interlock ransomware was first detected in late September 2024, with FBI investigations as recent as June 2025 detailing their evolving tactics. The group develops encryptors for both Windows and Linux operating systems, with a particular focus on encrypting virtual machines (VMs). Open-source reports also suggest similarities between Interlock and the Rhysida ransomware variant.

This group stand out for its initial access techniques, which differ from many ransomware groups. One observed method involves ‘drive-by downloads’ from legitimate but compromised websites, where malicious software is disguised as fake updates for popular web browsers like Google Chrome or Microsoft Edge, or even common security tools such as FortiClient or Cisco-Secure-Client.

Moreover, they leverage a social engineering trick called ClickFix, where users are tricked into running harmful files by clicking on fake CAPTCHAs that instruct them to paste and execute malicious commands in their system’s run window.

Once inside a network, the ransomware deploys web shells and tools like Cobalt Strike to establish control, move between systems, and steal sensitive information. They gather login details, including usernames, passwords, and even use keyloggers to record keystrokes.

According to the advisory (PDF), After stealing data, Interlock encrypts systems, appending files with .interlock or .1nt3rlock extensions. They then demand ransom without an initial amount in their note, instead instructing victims to contact them via a special .onion website over the Tor browser. The group threatens to leak exfiltrated data if the ransom, typically paid in Bitcoin, is not met, a threat they have consistently followed through on.

****Urgent Defences for Organizations****

To counter the Interlock threat, federal agencies urge organizations to implement immediate security measures. Key defences include:

*   Preventing initial access by using DNS filtering and web access firewalls, and training employees to spot social engineering attempts.

*   Patching and updating to make sure all operating systems, software, and firmware are up to date, prioritizing known vulnerabilities.

*   Strong authentication implementation, like multi-factor authentication (MFA) for all services where possible, along with stronger identity and access management policies.

*   Network Control by segmenting networks to limit how far ransomware can spread.

*   Backup and recovery by maintaining multiple, offline, immutable (unchangeable) backups of all critical data.

Also, no-cost resources are available through the ongoing #StopRansomware initiative.

FBI and CISA Warn of Interlock Ransomware Targeting Critical Infrastructure

In the first Humans of Talos, Amy sits with Hazel Burton — storyteller, security advocate, and all-around Talos legend. Hazel shares her journey from small business entrepreneurship to leading content programs at Talos.

Wednesday, July 23, 2025 06:00

Welcome to the first episode of Humans of Talos, a new video interview series that shines a spotlight on team members across Talos. Featuring their personal stories, career journeys and unique perspectives, you'll get an inside look into what it's like to work in our organization and the people who make the internet more secure for all.

**Amy Ciminnisi:** **Hello and welcome to the first episode of Humans of Talos! I'm here with Hazel Burton, who should be a familiar face to most of you. I'm curious: What led you to your role at Talos? What made you want to join?**

Hazel Burton: I'd always worked in small businesses before and always had a bit of an entrepreneurial mindset because of that. I just started doing things that I wasn't supposed to be doing! I commandeered an office in one of the small businesses, turned it into a TV studio and started creating security content. That somehow led me on a path to joining Cisco.

I was doing a lot of storytelling and communications around some of the main challenges that people in this industry go through, but I was always finding excuses to work with Talos. I love the people at Talos, but I also love the ethos: doing the right thing, even if it makes no commercial sense whatsoever. So when I was asked to hop over the fence and work full-time at Talos leading content programs and and data-driven stuff, it was an opportunity to help a really strong organization rooted in that ethos to do what they do best and make things easier for people in this industry. So it was a pretty easy decision to make to join Talos.

**AC: Following that, what advice you would give to someone who would want to join Talos?**

HB: Ask bold questions would be my first piece of advice. This is a very safe space to be able to do things like that. Ask, "Could this work? What if we tried this?" I promise you, you will be hired based on you asking those questions and you will be trusted to find the answers, even if the answer is, "Yeah, that didn't work at all, did it? Oh, well."

The other one — I don't know if I can say this, you might want to bleep it out — but don't be an arsehole. The people that we work with are as generous as they are amazingly smart and talented. So sharing their knowledge, helping each other out, not mocking someone for not knowing something, saying, "I don't have any experience in this, can you help me?" That is what Talos is about. If you are only looking after number one, then probably don't join Talos. But if you do want to be part of something where everyone has your back, then do.

The third thing that I think is really important for people to know, because they might have been burned by this before, is that we do actually have a leadership team who fights to give Talos people the air cover that they need when they need to go out and do things. So, it happens quite often where we'll have to drop something and go to a rapid response effort — because, you know, the world — and we're given the resources to be able to do that and the air cover. So if you don't have that at the moment, trust me: When you find it, it's the most amazing thing in the world because you know that you are going to have a clear runway. That is the nature of how the organization works.

**AC: Yeah. It doesn't just help the person grow their own skillset, it doesn't just help Talos — but having that airway helps everyone as a whole, the cybersecurity community and beyond.**

HB: Also, bring your own nerdy self to work! Again, it's a very safe place to do that.

_For more, watch the_ _full interview._

Meet Hazel Burton

Cisco on Monday updated its advisory of a set of recently disclosed security flaws in Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC) to acknowledge active exploitation.
"In July 2025, the Cisco PSIRT [Product Security Incident Response Team], became aware of attempted exploitation of some of these vulnerabilities in the wild," the company said in an alert.
The

Cisco Confirms Active Exploits Targeting ISE Flaws Enabling Unauthenticated Root Access

Cisco Talos is aware of the ongoing exploitation of CVE-2025-53770 and CVE-2025-53771 in the wild. These are path traversal vulnerabilities affecting SharePoint Server Subscription Edition, SharePoint Server 2016, and SharePoint Server 2019.

Monday, July 21, 2025 16:33

Cisco Talos is aware of the ongoing exploitation of CVE-2025-53770 and CVE-2025-53771 in the wild. These are path traversal vulnerabilities affecting SharePoint Server Subscription Edition, SharePoint Server 2016, and SharePoint Server 2019. According to Microsoft, these vulnerabilities do not affect SharePoint Online in Microsoft 365 and only apply to on-premises SharePoint servers.  

Microsoft has also released security updates and mitigation guidance for multiple affected products. At the time of this writing, no updated security patches are currently available for SharePoint Server 2016.  

These two vulnerabilities, CVE-2025-53770 / CVE-2025-573771, are related to CVE-2025-49704 and CVE-2025-49706, which were featured in the July Microsoft Patch Tuesday updates. The new updates that Microsoft has published provide more comprehensive protection against exploitation attempts targeting these vulnerabilities. In addition to installing the updates provided by Microsoft, they are also recommending users rotate the SharePoint Server ASP.NET machine keys to ensure data integrity. The Cybersecurity Infrastructure Security Agency (CISA) has also released additional details and technical indicators associated with ongoing exploitation attempts targeting unprotected SharePoint servers between July 18 – 19, 2025.  

**Vulnerability details **

These are both unauthenticated remote code execution vulnerabilities related to CVE-2025-47904 and CVE-2025-49706. One of the key features of the previous vulnerabilities is that the user needed to be authenticated to obtain a valid signature by extracting the ValidationKey from memory or configuration. In the case of CVE-2025-53770 and CVE-2025-53771, attackers have managed to eliminate the need to be authenticated to obtain a valid signature, resulting in unauthenticated remote code execution. 

Patches have already been provided by Microsoft for most versions of SharePoint Server. However, as of the time of this publishing, SharePoint Server 2016 remains unpatched. As an alternative option, Microsoft has recommended that the Antimalware Scan Interface (AMSI) is turned on and configured correctly with the associated antivirus solution. 

Once patches are applied, Microsoft also recommends that users rotate their SharePoint Server ASP.NET machine keys in case the signing keys were compromised in the attack. This can be done both manually via Powershell and via Central Admin. 

**Coverage **

As part of our coverage of the July Microsoft Patch Tuesday release on July 8, 2025, Talos previously published Snort SID 65092 to provide detection for exploitation attempts targeting CVE-2025-49704. We have investigated the new details provided by Microsoft as well as open-source information related to ongoing reports of exploitation activity targeting these vulnerabilities and have confirmed that the existing coverage remains effective at this time. Additionally Talos has published Snort SID 65183 to provide detection for the webshell being deployed in the current campaigns.  

Malicious Process Creation By Microsoft Exchange Server lIS triggers on creation of the webshell payload 

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here. 

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here. 

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat. 

Cisco Secure Network/Cloud Analytics (Stealthwatch/Stealthwatch Cloud) analyzes network traffic automatically and alerts users of potentially unwanted activity on every connected device. 

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products. 

Cisco Secure Access is a modern cloud-delivered Security Service Edge (SSE) built on Zero Trust principles.  Secure Access provides seamless transparent and secure access to the internet, cloud services or private application no matter where your users work.  Please contact your Cisco account representative or authorized partner if you are interested in a free trial of Cisco Secure Access. 

Umbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network.  

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.  

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center. 

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.  

Snort SIDs for this threat are 65092 (Vulnerability). 65183 (Webshell).

ToolShell: Details of CVEs Affecting SharePoint Servers

On this episode of Uncanny Valley, we dive into the differences between what the US government said about a Jeffrey Epstein video it released and the story told by its metadata.

How WIRED Analyzed the Epstein Video

Cisco just disclosed a critical severity flaw in its ISE and ISE-PIC products, joining two similar bugs disclosed last month.

Cisco Discloses '10' Flaw in ISE, ISE-PIC — Patch Now

This week, Martin shows how stepping away from the screen can make you a stronger defender, alongside an inside scoop on emerging malware threats.

Thursday, July 17, 2025 14:00

Welcome to this week’s edition of the Threat Source newsletter.

Burnout is a real issue for people in cybersecurity. We protect the systems that allow modern life to function. Our hours are long, our sense of responsibility real and occasionally heavy. Everyone notices when we have a bad day and an attack evades our protections, but nobody notices our best days when complex threats are detected and neutralized. Our failures are very visible, while our successes are imperceptible to others. This, coupled with a professional propensity to always consider negative outcomes, is a recipe for poor mental health – not to mention that we most of our waking hours sitting in front of screens, engaging with machines.

Making a difference and stopping the bad guys means being in cybersecurity for the long haul. Experience is built with each new deployment and each resolved incident. Sometimes the worst incidents are in retrospect the best learning experiences. Professional experience is gained through many years of struggle. Losing a team member through burnout or being unable to continue with a career in the domain is a personal tragedy and a loss of experience to the entire cybersecurity community.

Various factors contribute to the high stress loads felt by cybersecurity teams. Many of these, such as the nature and frequency of attacks, are outside of our control. Others, such as budget approval or the appropriate prioritisation of projects, often appear close to being under control before somehow getting derailed.

We might not be able to control external factors, but we can manage our own responses to the stress that we face. Firstly, set boundaries and stick to them. Once your shift is over, stop working – and that includes thinking about it. This is easier said than done, but unless there is a real emergency, practice stepping away from work at the end of the day. Leaving work at work allows you to destress during your free time. 

Second, prioritize fun activities that don’t involve work or computers. Set aside time during your week to do something that you enjoy. Having many different activities and pastimes in your life helps provide balance. If one aspect of your life is particularly tough, then balance that with another part of your life which is going well. Personally, I find joy and escape in trail running. Finding myself deep in the countryside as far away from computer screens as possible provides me with time to recharge and recover.

Detecting threats and stopping the bad guys requires more than technical prowess. We must be committed to looking after ourselves, and each other, and to disconnecting from our passion for the work to continue doing it for years to come. 

**The one big thing  **

Cisco Talos identified a Malware-as-a-Service (MaaS) operation in early 2025 that used the Emmenhtal loader and Amadey malware to deliver malicious payloads targeting Ukrainian entities, often via public GitHub repositories. Talos worked with GitHub to remove these malicious accounts and recommends security solutions to prevent similar threats. 

**Why do I care?  **

This operation shows how easily adversaries can use trusted platforms like GitHub to deliver malware, making it more difficult for organizations to detect and block threats — especially if GitHub access is required for legitimate purposes.   

**So now what?**

Organizations should review their security policies around GitHub access, deploy advanced security controls and remain vigilant for phishing campaigns and malware leveraging public repositories to minimize the risk of compromise.

**Top security headlines of the week  **

**Four arrested in connection with M&S and Co-op cyber-attacks**   
The National Crime Agency (NCA) says a 20-year-old woman was arrested in Staffordshire, and three males - aged between 17 and 19 - were detained in London and the West Midlands. (BBC)

**Patch immediately: CVE-2025-25257 PoC enables remote code execution on Fortinet FortiWeb**    
The flaw allows unauthenticated attackers to execute remote code by writing malicious files to the server's filesystem, potentially leading to full remote code execution. (Security Affairs)

**Train brakes can be hacked over radio — and the industry knew for 20 years**   
“Successful exploitation... could allow an attacker to send their own brake control commands to the end-of-train device, causing a sudden stoppage of the train which may lead to a disruption of operations, or induce brake failure,” CISA said. (SecurityWeek)

**Episource is notifying millions of people that their health data was stolen**   
The breach affects more than 5.4 million people, making it one of the largest healthcare breaches of the year so far. The attacker stole personal information and protected health data. (TechCrunch)

**Can’t get enough Talos? **

**The significance of timeliness in incident response**   
Cisco Talos IR compares two real-world ransomware engagements and shares how the organizations’ response times made all the difference in the outcome of an attack.

**Talos Takes: Why attackers love your remote access tools**  
Attackers are increasingly abusing the same remote access tools that IT teams rely on every day. In this episode, Hazel sits down with Talos security researcher Pierre Cadieux to unpack why these legitimate tools have become such an effective tactic for adversaries.

**TTP: The next phase of LLM abuse**   
Talos researcher Jaeson Schultz explores how cybercriminals are starting to integrate LLMs into full attack workflows, and even experiment with manipulating the data these models rely on.

**Upcoming events where you can find Talos  **

*   NIRMA (July 28 – 30) St. Augustine, FL 
*   Black Hat USA (Aug. 2 – 7) Las Vegas, NV

**Most prevalent malware files from Talos telemetry over the past week   **

**SHA 256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507**   
MD5: 2915b3f8b703eb744fc54c81f4a9c67f   
VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507   
Typical Filename: VID001.exe   
Claimed Product: N/A   
Detection Name: Win.Worm.Coinminer::1201

**SHA 256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91**     
MD5: 7bdbd180c081fa63ca94f9c22c457376   
VirusTotal: https://www.virustotal.com/gui/file/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91/details   
Typical Filename: IMG001.exe    
Claimed Product: N/A   
Detection Name: Simple\_Custom\_Detection

**SHA256: 47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca**   
MD5: 71fea034b422e4a17ebb06022532fdde    
VirusTotal: https://www.virustotal.com/gui/file/47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca/details   
Typical Filename: VID001.exe    
Claimed Product: N/A    
Detection Name: Coinminer:MBT.26mw.in14.Talos

This is your sign to step away from the keyboard

Threat actors are leveraging public GitHub repositories to host malicious payloads and distribute them via Amadey as part of a campaign observed in April 2025.
"The MaaS [malware-as-a-service] operators used fake GitHub accounts to host payloads, tools, and Amadey plug-ins, likely as an attempt to bypass web filtering and for ease of use," Cisco Talos researchers Chris Neal and Craig Jackson

Hackers Use GitHub Repositories to Host Amadey Malware and Data Stealers, Bypassing Filters

Hackers abused fake GitHub accounts to spread Emmenhtal, Amadey, Lumma and Redline infoStealers in attacks linked to a phishing campaign targeting Ukraine in early 2025.

A newly identified Malware-as-a-Service (MaaS) operation is using GitHub repositories to spread a mix of infostealer families. This campaign was spotted by cybersecurity researchers at Cisco Talos, who published their findings earlier today, detailing how the threat actors behind this activity are using the Amadey bot to pull malware directly from public GitHub pages onto infected systems.

This operation surfaced in April 2025, but its activity traces back to at least February, around the same time Ukrainian organizations were being hit with SmokeLoader phishing emails. Talos analysts noticed a notable overlap in tactics and infrastructure between that campaign and the new Amadey-driven one, suggesting the same hands may be behind both.

What stood out in this case was the abuse of GitHub. The attackers created fake accounts and used them like open directories, hosting payloads, tools, and Amadey plug-ins. By leveraging GitHub’s widespread use and trust in corporate environments, the attackers likely sidestepped many standard web filters that might have otherwise blocked malicious domains.

One GitHub account in particular, as per Cisco Talos’ technical blog post, named “Legendary99999,” was used heavily. It hosted more than 160 repositories, each containing just a single malicious file ready to be downloaded via a direct GitHub URL.

The malicious Legendary99999 account (Image via Cisco Talos)

Two other accounts, “Milidmdds” and “DFfe9ewf,” followed a similar approach, though “DFfe9ewf” appeared to be more experimental. In total, these accounts hosted scripts, loaders and binaries from several infostealer families including Amadey, Lumma, Redline and AsyncRAT.

Amadey isn’t new. It first appeared in 2018 on Russian-speaking forums, sold for around $500, and has since been used by various groups to create botnets and drop additional malware.

The malware can harvest system info, download more tools, and expand its functionality with plug-ins. Despite being commonly used as a downloader, its flexible design means it can pose a larger threat depending on how it’s configured.

The technical link between this campaign and the earlier SmokeLoader operation centers on a loader known as “Emmenhtal.” First documented in 2024 by Orange Cyberdefense, Emmenhtal is a multi-layer downloader that wraps its final payload in layers of obfuscation. Talos found that variants of Emmenhtal were not only used in the phishing campaign that targeted Ukrainian entities but also embedded in scripts hosted on the fake GitHub accounts.

What’s additionally noteworthy is that several scripts from the “Milidmdds” account, such as “Work.js” and “Putikatest.js,” were nearly identical to those seen in the earlier campaign. The only differences were minor changes in function names and final download targets. Instead of SmokeLoader, these versions fetched Amadey, PuTTY executables and remote access tools like AsyncRAT.

The use of GitHub wasn’t limited to JavaScript droppers. Talos also found a Python script named “checkbalance.py” masquerading as a crypto tool. In reality, it decoded and ran a PowerShell script that downloaded Amadey from a known command and control address. Even more, it showed an error message in broken Cyrillic, hinting at its origins or intended audience.

While GitHub acted quickly to shut down the identified accounts after being alerted, this incident highlights how everyday platforms can be exploited for malicious purposes. In environments where GitHub access is required, spotting this kind of misuse isn’t easy.

Talos researchers are continuing to monitor the infrastructure and believe the operators are distributing payloads on behalf of multiple clients. The variety of infoStealers seen in these repositories supports that theory, and with GitHub’s accessibility, it offers an efficient delivery method for MaaS operations looking to stay undetected.

GitHub Abused to Spread Amadey, Lumma and Redline InfoStealers in Ukraine

A Department of Homeland Security memo confirms Chinese group Salt Typhoon, extensively compromised a US National Guard network for nearly a year, stealing sensitive military and law enforcement data.

A sophisticated Chinese APT group, Salt Typhoon, successfully infiltrated the US state’s Army National Guard network for nearly a year, from March 2024 to December 2024. This breach, detailed in a Department of Homeland Security (DHS) memo from June,

While this raises concerns about the security of the US military and critical infrastructure systems, the attack is not entirely unexpected. As reported by Hackread.com, infostealers, available for as little as $10, have already compromised highly sensitive systems belonging to the US military and even the FBI.

The DHS memo, which obtained its information from a Department of Defense (DOD) report and was later shared with NBC News through a freedom of information request by the national security transparency non-profit Property of the People, revealed that Salt Typhoon “extensively compromised” the network. While the specific state was not named, the attack allowed the hackers to collect vital information.

****Deep Compromise and Data Theft****

During their prolonged access, Salt Typhoon managed to gather sensitive data, including network configurations and details of data traffic with National Guard units in every other US state and at least four US territories. Critically, this stolen information also contained administrator credentials and network diagrams, which could be used to facilitate future attacks on other National Guard units.

The data stolen also included geographic location maps and personally identifiable information (PII) of service members. In some 14 states, National Guard units work closely with “fusion centres” for intelligence sharing, meaning the breach could have a wider impact, the memo noted.

****Salt Typhoon- A Persistent Threat****

It is worth noting that Salt Typhoon (aka GhostEmperor, FamousSparrow, Earth Estries and UNC2286) has a history of targeting US government and critical infrastructure sectors, including energy, communications, transportation, and water systems.

As Hackread.com previously reported, in November 2024, Salt Typhoon was linked to a significant hack of T-Mobile, highlighting vulnerabilities in telecom systems. So far, the group has compromised at least eight major US internet and phone companies, including AT&T and Verizon.

These access points were reportedly used to monitor communications of prominent political figures, including the Harris and Trump presidential campaigns and Senate Majority Leader Chuck Schumer’s office.

A June 2025 advisory from the FBI and Canada’s Cyber Centre warned of Salt Typhoon’s global campaign against telecom networks, exploiting vulnerabilities like CVE-2023-20198 in devices to steal data and maintain hidden access.

****Implications****

Given the complex nature of National Guard units, which operate under both federal and state authority, the incident may create more points for possible cyberattacks. The Department of Defence has not commented on the specifics, but a National Guard Bureau spokesperson confirmed the compromise, noting it hasn’t affected their missions.

“DHS is continuing to analyse these types of attacks and is coordinating closely with the National Guard and other partners to prevent future attacks and mitigate risk,” a DHS spokesperson said.

Meanwhile, China’s embassy in Washington spokesperson did not deny the campaign but emphasized that the US lacks conclusive evidence linking Salt Typhoon to the Chinese government. Nevertheless, cybersecurity experts recommend hardening network devices, implementing stronger password policies, and enabling strong encryption to counter such threats.

“Volt Typhoon is focused on prepositioning for disruption, and creating a deterrent effect based on this, whilst Salt Typhoon is focused on positioning for intelligence gathering,” said Casey Ellis, Founder at Bugcrowd, a San Francisco, Calif.-based leader in crowdsourced cybersecurity. 

“An intrusion on a National Guard isn’t a ‘military only’ operation. States regularly engage their National Guard to assist with the cyber defense of civilian infrastructure. As a target, they would be a rich source of all kinds of useful intelligence,” Casey argued.

“Intelligence informs action, so while the Volt Typhoon announcement is encouraging, it’s important to remember that we are basically playing a giant game of whack-a-mole here. Vigilance and continuing efforts towards resilience are key for domestic defenders of all types,” he advised.

Tag

#cisco