Facebook users are the target of a scam e-commerce network that uses hundreds of fake websites to steal personal and financial data using brand impersonation and malvertising tricks.
Recorded Future's Payment Fraud Intelligence team, which detected the campaign on April 17, 2024, has given it the name ERIAKOS owing to the use of the same content delivery network (CDN) oss.eriakos[.]com.
"These

Online Fraud / Malvertising

Facebook users are the target of a scam e-commerce network that uses hundreds of fake websites to steal personal and financial data using brand impersonation and malvertising tricks.

Recorded Future's Payment Fraud Intelligence team, which detected the campaign on April 17, 2024, has given it the name ERIAKOS owing to the use of the same content delivery network (CDN) oss.eriakos\[.\]com.

"These fraudulent sites were accessible only through mobile devices and ad lures, a tactic aimed at evading automated detection systems," the company said, noting the network comprised 608 fraudulent websites and that the activity spans several short-lived waves.

A notable aspect of the sophisticated campaign is that it exclusively targeted mobile users who accessed the scam sites via ad lures on Facebook, some of which relied on limited-time discounts to entice users into clicking on them. Recorded Future said as many as 100 Meta Ads related to a single scam website are served in a day.

The counterfeit websites and ads have been found to mainly impersonate a major online e-commerce platform and a power tools manufacturer, as well as single out victims with bogus sales offers for products from various well-known brands. Another crucial distribution mechanism entails the use of fake user comments on Facebook to lure potential victims.

"Merchant accounts and related domains linked to the scam websites are registered in China, indicating that the threat actors operating this campaign likely established the business they use to manage the scam merchant accounts in China," Recorded Future noted.

This is not the first time criminal e-commerce networks have sprung up with an aim to harvest credit card information and make illicit profits off fake orders. In May 2024, a massive network of 75,000 phony online stores – dubbed BogusBazaar – was discovered to have made more than $50 million by advertising shoes and apparel by well-known brands at low prices.

Then last month, Orange Cyberdefense revealed a previously undocumented traffic direction system (TDS) called R0bl0ch0n TDS that's used to promote affiliate marketing scams through a network of fake shop and sweepstake survey sites with the goal of obtaining credit card information.

"Several distinct vectors are used for the initial dissemination of the URLs that redirect through the R0bl0ch0n TDS, indicating that these campaigns are likely carried out by different affiliates," security researcher Simon Vernin said.

The development comes as fake Google ads displayed when searching for Google Authenticator on the search engine have been observed redirecting users to a rogue site ("chromeweb-authenticators\[.\]com") that delivers a Windows executable hosted on GitHub, which ultimately drops an information stealer named DeerStealer.

What makes the ads seemingly legitimate is that they appear as if they are from "google.com" and the advertiser's identity is verified by Google, according to Malwarebytes, which said "some unknown individual was able to impersonate Google and successfully push malware disguised as a branded Google product as well."

Malvertising campaigns have also been spotted disseminating various other malware families such as SocGholish (aka FakeUpdates), MadMxShell, and WorkersDevBackdoor, with Malwarebytes uncovering infrastructure overlaps between the latter two, indicating that they are likely run by the same threat actors.

On top of that, ads for Angry IP Scanner have been used to lure users to fake websites, and the email address "goodgoo1ge@protonmail\[.\]com" has been used to register domains delivering both MadMxShell and WorkersDevBackdoor.

"Both malware payloads have the capability to collect and steal sensitive data, as well as provide a direct entry path for initial access brokers involved in ransomware deployment," security researcher Jerome Segura said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Facebook Ads Lead to Fake Websites Stealing Credit Card Information

PRESS RELEASE

BRATISLAVA — July 31, 2024 — ESET, a global leader in cybersecurity, today announced the introduction of the cloud version of ESET Secure Authentication, the multifactor authentication module of the ESET PROTECT Platform. With the new offering, ESET customers can consolidate their security stack and have endpoint protection and multifactor authentication (MFA) provided natively from one vendor with a single pane of glass experience, offering unparalleled flexibility and ease of use, utilizing a wide range of authentication methods in one effective and affordable solution for companies of all sizes.

“We understand how poor password hygiene can lead to devastating data breaches,” said Michal Jankech, Vice President of SMB and MSP segment at ESET. “With the cloud version of ESET Secure Authentication, ESET aimed to provide a solution that is flexible, scalable, easy to deploy, and above all, effective and affordable for companies of all sizes, boosting business data protection while reducing total cost of ownership, in an effort to deliver superior business value to our customers.” 

In today’s cybersecurity landscape, one of the most common ways hackers can gain access to a company’s data is through weak or stolen passwords gathered via automated bots, phishing, or targeted attacks. To protect against such threats, in addition to just protecting normal users’ logins to critical services, businesses can implement an advanced MFA solution to prevent unauthorized administrative access. ESET Secure Authentication provides an easy way for businesses of all sizes to implement MFA across commonly utilized systems such as VPNs, Remote Desktop Protocol, Outlook Web Access, and operating system logins. It supports technologies such as mobile apps with push notifications, hardware tokens, FIDO keys, and other custom methods.

The cloud version of ESET Secure Authentication will be available through the ESET PROTECT Elite subscription tier, and as a standalone solution without any change in pricing. The solution will be immediately available for new customers, and available to all North America customers later in Q4 2024. 

 About ESET

ESET® provides cutting-edge digital security to prevent attacks before they happen. By combining the power of AI and human expertise, ESET stays ahead of known and emerging cyberthreats — securing businesses, critical infrastructure, and individuals. Whether it’s endpoint, cloud or mobile protection, our AI-native, cloud-first solutions and services remain highly effective and easy to use. ESET technology includes robust detection and response, ultra-secure encryption, and multifactor authentication. With 24/7 real-time defense and strong local support, we keep users safe and businesses running without interruption. An ever-evolving digital landscape demands a progressive approach to security: ESET is committed to world-class research and powerful threat intelligence, backed by R&D centers and a strong global partner network. For more information, visit www.eset.com or follow us on LinkedIn, Facebook, and X.

You May Also Like

ESET Reveals Latest Cloud-Native Authentication Solution

The sustained cyberattack, likely made worse by a mitigation snafu, disrupted several Azure cloud services for nearly eight hours on July 30.

Source: DD Images via Shutterstock

Microsoft blamed an implementation error for amplifying the impact of a distributed denial-of-service (DDoS) attack yesterday, which ended up disrupting the company's Azure cloud services for nearly eight hours.

The attack affected several Azure offerings, including Azure App Services, Azure IoT Central, Application Insights, Log Search Alerts, and Azure Policy. The disruption, which began at around 7:45 a.m. ET and lasted until 3:43 p.m. ET, also impacted the main Azure portal and a subset of Microsoft 365 and Microsoft Purview data-protection services.

**DDoS Cyber-Defense Error Under Investigation**

In an event summary yesterday, Microsoft described the DDoS attack as causing an "unexpected usage spike \[that\] resulted in Azure Front Door (AFD) and Azure Content Delivery Network (CDN) components performing below acceptable thresholds." The spike caused intermittent service errors, timeouts, and sudden latency increases.

More concerningly in some ways, "while the initial trigger event was a DDoS attack, which activated our DDoS protection mechanisms, initial investigations suggest that an error in the implementation of our defenses amplified the impact of the attack rather than mitigating it."

Microsoft has not specifically identified the mistake that exacerbated the DDoS attack. But according to its description of the events of July 30, the initial network configuration changes the company made to support DDoS mitigation efforts may have led to some unexpected "side effects." The company implemented an updated approach that it first rolled out in thbe Asia-Pacific region and Europe, and then deployed in the Americas after validating the approach worked.

"Our team will be completing an internal retrospective to understand the incident in more detail," Microsoft said. "We will publish a Preliminary Post Incident Review (PIR) within approximately 72 hours, to share more details on what happened and how we responded."

**Inadvertent Errors in DDoS Mitigation**

Rody Quinlan, staff research engineer at Tenable, says there are several ways an organization can mess up a DDoS mitigation effort.

"Organizations can inadvertently amplify cyberattacks through various implementation errors, such as misconfigured rate limiting, inefficient load balancing, firewall misconfigurations, overly aggressive security rules, inadequate resource scaling, incorrect traffic filtering, and dependence on single points of failure," he says. "These errors can lead to blocked legitimate traffic, overloaded servers, bottlenecked firewalls, and critical services being taken offline."

And while Microsoft's initial response might have contributed to its Azure service problems this week, the incident is another reminder of how effective DDoS attacks remain for adversaries looking to disrupt and degrade a target's online presence.

A Cloudflare report earlier this year identified a 117% increase year-over-year in network-layer DDoS attacks. Part of the reason for that is a specific increase in DDoS attacks that targeted retail, shipping, and public relations websites on and around Black Friday and the holiday shopping season in general. However, many of the attacks have also been by groups looking to send out a specific message or convey a particular political stance. Cloudflare, for example, said it has observed a massive increase in DDoS attacks that target Taiwanese, Israeli, and Palestinian sites amid geopolitical tensions in those areas, and attacks on environmental sciences websites.

**DDoS Attacks Adopt "Smash & Grab" Tactics**

"Trends in DDoS are often cyclical, but currently we’re seeing attacks grow larger in size, and shorter in duration," says Donny Chong, director at DDoS security vendor Nexusguard. "Our most recent data suggests that attack sizes increased by an average of 183% last year, with an average size of 0.80Gbps," he says. At the same time, between 2022 and 2023, the average duration of DDoS attacks dropped to just over 101 minutes. Currently, 81% of DDoS attacks last less than 90 minutes, Chong says.

"Part of this decrease in attack duration is due to attackers becoming more and more efficient when inflicting disruption on business," likely because they are using artificial intelligence (AI) to automate some attacks. But the shorter attack durations are also likely due to mitigation technologies, Chong says. "\[Attackers\] are finding it increasingly difficult to sustain prolonged disruptions. So, rather than a prolonged siege, it's now more a case of ‘smash and grab,'" he says.

Quinlan says the key to mitigating DDoS disruption is having a real-time traffic analysis capability, scalable cloud infrastructure, redundant systems, and intelligent load balancing to prevent overload. "Proper rate limiting, throttling, and WAFs \[Web application firewalls\] filtering malicious traffic, and regular software and hardware vulnerability remediation is crucial to protect systems," Quinlan says. "An effective incident-response plan and collaboration with Internet service providers and security providers enhance detection and mitigation capabilities."

**About the Author(s)**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Microsoft: Azure DDoS Attack Amplified by Cyber-Defense Error

A binary in Apple macOS could allow an adversary to execute an arbitrary binary that bypasses SIP.

Wednesday, July 31, 2024 12:00

Cisco Talos’ Vulnerability Research team has helped to disclose and patch six new vulnerabilities over the past three weeks, including one in a driver that powers certain NVIDIA graphics cards.  

The majority of the vulnerabilities that Talos disclosed during this period exist in Ankitects Anki, an open-source program that allows users to study information using flashcards. The most serious of these issues has a CVSS score of 9.6 out of 10. 

All the vulnerabilities mentioned in this blog post have been patched by their respective vendors, all in adherence to Cisco’s third-party vulnerability disclosure policy. 

For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website. 

**Out-of-bounds read vulnerability in NVIDIA GPU Compiler Driver **

_Discovered by Piotr Bania._ 

A compiler driver in some NVIDIA graphics cards contains an out-of-bounds read vulnerability that could allow an adversary to read an arbitrary memory region. 

An adversary could exploit TALOS-2024-1956 (CVE-2024-0107) by sending a targeted device a specially crafted executable/shader file, leading to an out-of-bounds read. 

This vulnerability could be triggered from guest machines running virtualization environments to perform a guest-to-host escape — as previously demonstrated in other GPU vulnerabilities like TALOS-2018-0533. 

Talos researchers were able to trigger this vulnerability from a Hyper-V guest using the RemoteFX feature, which led to being able to execute the vulnerable code on the Hyper-V host. While Microsoft has deprecated RemoteFX, this feature may still be present in older versions of the Windows operating system. 

**Multiple vulnerabilities in Ankitects Anki flashcard software **

_Discovered by Autumn Bee Skerritt of Cisco Duo Security and Jacob B._ 

The Ankitects Anki flashcard software contains multiple vulnerabilities, one of which could lead to arbitrary code execution. This open-source tool allows users to create and share flashcards to study information.  

An adversary could exploit all these vulnerabilities by sharing a specially crafted, malicious flashcard with a targeted user.  

TALOS-2024-1994 (CVE-2024-32152) could lead to the creation of an arbitrary file along a fixed path. This vulnerability exists because a malicious user could manipulate a blocklist that normally prevents the use of certain malicious commands.  

TALOS-2024-1992 (CVE-2024-29073) also involves manipulating the command blocklist, but in this case, could lead to arbitrary file read. 

An adversary could also exploit TALOS-2024-1995 (CVE-2024-32484), a cross-site scripting vulnerability, in the software to inject JavaScript code into a flashcard and read a normally inaccessible file.  

The most serious among this group of vulnerabilities is TALOS-2024-1993 (CVE-2024-26020), a script injection vulnerability that could lead to arbitrary code execution. This vulnerability has a CVSS score of 9.6 out of 10. In Talos’ testing, researchers could exploit this vulnerability to obtain full command injection on the targeted user’s system.

Out-of-bounds read vulnerability in NVIDIA driver; Open-source flashcard software contains multiple security issues

Apple has released security updates that patch vulnerabilities in Siri and VoiceOver that could be used to access sensitive user data.

Apple has released security updates for many of its products in order to patch several vulnerabilities that could allow an attacker to steal sensitive information from a locked device.

Included in the patches for Apple Watch, iOS, and iPadOS are four vulnerabilities in Siri. While your device is locked there are several voice-commands your digital assistant can process.

Apple has restricted these options to stop an attacker with physical access from being able to access contacts from the lock screen and access other sensitive user data. Using Siri on a locked device has limitations to protect your privacy and security, and the digital assistant should only be able to perform tasks that do not require access to sensitive data locked behind the device’s security systems, such as Face ID or a passcode.

A similar vulnerability was also patched in the VoiceOver component in Apple Watch, iOS, iPadOS, and macOS Ventura. To check whether VoiceOver is on or off on your iPhone or iPad, you can check by looking at **Settings > Accessibility > VoiceOver**.

To check if you’re using the latest software version of iOS and iPadOS, go to **Settings** > **General** > **Software Update**. You want to be on iOS 17.6 or iPadOS 17.6, so update now if you’re not. It’s also worth turning on Automatic Updates if you haven’t already. You can do that on the same screen.

iPad Software update is available

Here’s an overview of the available updates for the various Apple products:

Name:

Available for:

Safari 17.6

macOS Monterey and macOS Ventura

iOS 17.6 and iPadOS 17.6

iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later

iOS 16.7.9 and iPadOS 16.7.9

iPhone 8, iPhone 8 Plus, iPhone X, iPad 5th generation, iPad Pro 9.7-inch, and iPad Pro 12.9-inch 1st generation

macOS Sonoma 14.6

macOS Sonoma

macOS Ventura 13.6.8

macOS Ventura

macOS Monterey 12.7.6

macOS Monterey

watchOS 10.6

Apple Watch Series 4 and later

tvOS 17.6

Apple TV HD and Apple TV 4K (all models)

visionOS 1.3

Apple Vision Pro

iOS 15.8.3 and iPadOS 15.8.3

iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation)

Apple also patched the regreSSHion vulnerability that allows unauthenticated Remote Code Execution (RCE) in OpenSSH.

For beta testers Apple also released the first beta of iOS 18.1 to developers. This update is available for iPhone 15 Pro and iPhone 15 Pro Max and includes the first set of Apple Intelligence features, such as Writing Tools, new features for Mail and notifications, upgrades to Photos, and more.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 Apple fixes Siri vulnerabilities that could have allowed sensitive data theft from locked device. Update now! 

We look back on 10 years of Talos, in multiple interviews with Talos' leaders.

Wednesday, July 31, 2024 07:55

As part of the celebrations of Cisco Talos turning 10, we’d like to take you back to where it all began: How we formed our mission of protecting our customers and making the internet suck a bit less, an insight into our culture, and how we came to work with some of the most talented human beings on the planet.  

This is the history of Talos, as told through the eyes of some of our senior leaders. 

**The Sourcefire years**

_Editor's note: Sourcefire was a company that specialized in Firepower network security appliances based on Snort, an open-source intrusion detection system. Sourcefire was acquired by Cisco for $2.7 billion in July 2013._

**Matt Watchinski, Vice President of Talos:** What I remember most from the early years of Sourcefire was all of us being crowded into a minuscule meeting room. We spent our days discussing huge, complicated s\*\*t. There was so much mutual respect and understanding for what we set out to achieve. 

**Chris Marshall, Director of Talos Network Detection and Response Team:** We all collectively believed that we could be the best security team on the planet. We were so passionately driven to achieve things together. And we went out of our way to take care of each other to make sure those two other things happened. 

**Watchinksi:** We had a group that could change priorities on a dime, and then actually execute on them — without anybody coming back and saying, “The dumbest decision in the entire world was just made in that tiny room. Now we have to go and do stupid s\*\*t.” Everybody came back from that room and said, “Alright, this is the thing that's going to make Sourcefire the most successful, and so that’s the direction we’re going to march in.” 

**Lurene Grenier, Director of Competitive Analysis:** At Sourcefire our goal was to build the best and most open product we could. At the time, all the rules had to be written by hand, without any guidance. We had no contracts with any companies. The biggest thing on the map at that point was Patch Tuesday bugs, and they were all remote root bugs. Every month, 15 - 20 of those bugs would get dropped. It was my job to grab the patches, patch the systems, reverse engineer the patches, and write an exploit for the bug. And then I would pass that exploit to the team who wrote the \[Snort\] rules. We would write the documentation, package everything up, and send that to QA. 

We significantly changed the security posture and behaviour of Fortune 50 companies on the regular, with about 30 people. We were doing things that the industry said was impossible. And my favorite part was we had executives from those Fortune 50 companies coming out to buy us lunch, begging us to stop telling the public the truth. 

**The acquisition of Sourcefire**

**Marshall:** I came to Sourcefire from the U.S. military. I had no idea what being acquired meant.  

**Watchinski:** We had been in negotiations with Cisco for about six months. I couldn’t tell anyone about that though. Those final negotiations went on until 4 a.m. the morning that the deal closed. We didn’t stop until we had reached a deal that was right for our people. At 4:30 a.m., I sent a text to my directs, telling them that something big was happening, and they should come into the office at 7 a.m.  

**Marshall:** At the time, I ran the response work. And Watchinski didn't tell me if there was a problem. So, my instincts told me something was very wrong. “Who else do I need to call? How bad is the situation?” And he just replied, “I just need you there first thing in the morning.” So, the next morning Watchinski walked in, and me, \[Matt\] Olney \[Director of Threat Intelligence and Interdiction\] and Nigel \[Houghton, former director of Talos Operations\] are standing around anxiously. And then Watchinski said, “Cisco just bought us. We're not working today.”   

**Three teams coming together**

 **Watchinski:** For the first year after the acquisition, Sourcefire continued as the VRT (Vulnerability Research Team). During that time, we met various people across Cisco and tried to figure out what they all did. One of the people I met was Luci \[Lagrimas\]. She’s an incredible person, and we started hatching a plan on how we could be successful together. 

We proposed bringing together a singular set of services, a singular threat research and intelligence team, a singular understanding of our data, and a singular voice of how we talk about security. 

I gave a presentation to what was then three different groups — VRT, Cisco Threat Research, Analysis and Communications (TRAC), and Security Applications (SecApps).  

**Luci Lagrimas, Senior Director of Engineering:** That was a day I’ll always remember. We all gave presentations about who we were and who our teams were. I put three pictures on an “About Me” slide, and one of them was me playing field hockey, wearing a T-shirt that definitely showed off my guns. \[Matt\] Olney leans over to Marshall and says, “Dude, she can kick our ass!”  

**Matt Olney, Director of Talos Threat Intelligence & Interdiction**: This remains true to this day. 

__Luci’s photo from her original slide deck at the first Talos meeting.__

**Marshall:** My first impression of Luci was that slide. That set the tone for these teams coming together, because here’s this badass lady with a field hockey stick causing carnage on the field, and that’s what we were going to bring into our group.  

**The Talos brand is born**

**Lee Jones, Talos distinguished engineer:** My first exposure to Matt \[Watchinski\] was a cultural definition point, because Matt came in and did what he’s great at, which is coalesce things. It was incredible to watch how he started forming the vision of what Talos was going to be. 

**Watchinski:** I believe that to have an effective team, you need three things: a mission that everybody understands, a culture that everybody can work in, and some type of icon that people can rally behind. A colleague of mine would always say, “This is how you build a cult!” And I would reply, “Yeah, kinda...but the good kind of cult.” 

I knew that having three different brands and messages wouldn’t work. We needed the branding to reflect on who we were as a new team coming together. That was a point of unity — giving up what the VRT had built from a brand perspective for over 10 years. And asking the others to do the same. 

**Luci:** Between April and August 2014, the team leaders all threw different ideas into the ring about what we would be called and what sort of brand could represent who we were becoming.  

**Watchinski:** If I remember it right, it was Matt Olney who came up with Talos, protector of the shores. That one resonated most with everyone, because it aligned with our main mission of protecting our customers.  

**Matt Olney** It came about because we wanted something big to represent us. We were now part of a team that was focussed on much more than vulnerabilities. We wanted to have a larger voice as an organization, and a larger role in security consciousness. 

**Luci:** Talos was officially launched at BlackHat in 2014. 

**The team grows**

**Liz Cooperrider, Leader, Talos Project Management Office:** When I started reporting directly to Matt \[Watchinski\] he elevated the Project Management Office (PMO) and the value of what we brought to the organization. 

Since 2019, we’ve been able to grow and become an integral part of Talos, mainly because I was given a lot of independence and autonomy from the team.

**Lee:** After Talos was formed, I was working across the Cisco portfolio, helping them to design products from a security perspective. In 2018, I came back home to Talos. My role was to work with Luci to transition the architectural aspect of Talos, and get it to a trusted product partner level, global in scope and scale, beyond the core competency of the security mission. 

We created a service delivery architecture called “Tomorrowland”. This was a big turning point. It didn’t change our security capabilities themselves, but our ability to project our power went up. 

**Lee:** At a lot of other places, rank and hierarchy matter. Titles matter, and there can be a top-down approach sometimes. But at Talos, there’s a culture of asking questions and pushing back to see, “Do I really believe this and want to incorporate this to my mission?” That is very energizing. I sat back and thought, “This is where I want to be. I’m happy. This is what I was hoping for.” 

**Amy Henderson, Director of Talos Strategic Communications and Operations:** I was a portfolio manager in the Customer Experience organization in Cisco, and at that time (October 2019), one of our key services was Incident response. The IR team worked very closely with Talos, sharing intelligence, understanding what's going on at a customer site when things go down, etc. We eventually came to the decision that Incident Response should become Talos Incident Response, bringing those teams under one umbrella. 

I got to know Watchinski and Olney and really enjoyed working with them. But there was a moment during the transition that the Talos team pulled back. They said they wanted to pause things because it wasn’t being done in the right way. Not being part of Talos at that point, I really appreciated their honesty and integrity. Because when you’re working towards delivering on a priority, sometimes you end up just pushing the ball down the road without necessarily getting the outcome that you want. It’s important to take stock and think about, “Is this actually what we want to achieve?” 

I pinged Olney and said how much I respected their decision. Because it showed the character of the Talos team. They’re not going to rubber stamp everything and say it’s OK when it’s not. 

**Brad Garnett, Director of Talos Incident Response:** I was another Talos transplant. I was running the Incident Response team on the CX side, and as Amy mentioned it made sense to bring us into Talos. Response and intelligence are like peanut butter and jelly, it just goes together.  

We gathered in London in the fall of 2019, and we talked about what IR might look like inside of Talos. Our brand, reputation, integration, intelligence services etc. I still have that agenda from nearly five years ago, and I still remember our first three customers.

That helps me bring perspective — no matter how challenging things get, we’ve hugely grown in scale. Customers need us more than ever. And our mission has grown to not just helping customers on an individual level, but to use that experience to protect all our customers. “The power of the debrief”, as I frequently say to my team. Take what we’re seeing and go help more people. 

**The mission**

**Olney**: When people ask me what I do, I tell them, “I build the expertise that allows me and my team to go places and fix things.” I’m most proud of the work that we do that makes no sense from a corporate or financial perspective, such as the election security work, the work we’ve done to protect Ukraine’s critical infrastructure…the stuff that doesn’t turn a dollar but makes the world a better place. To do all that within a capitalistic entity is pretty remarkable. 

That’s what makes me so proud of this team. We approach security problems as, “How can I positively affect the most amount of people?”  

**Luci:** Whenever I see Talos in the news, I feel really proud to be a part of an organization that isn’t out there just for the money. We’re out there to make the world a better place. 

**Watchinski:** The work we did to help Ukraine, to fill 747s with Cisco kit and fly into a country at war….being able to actually support their operations from either afar or in country, help protect their people, help them turn back on civil infrastructure so that trains run, telephones work, payment processing is functional, the basic needs of society are still met, even though adversaries are actively trying to bring those things offline… I don't think there's a ton of companies that can say they have the capability to do those things. Or even the will to do them. 

**Amy:** And then on top of that, you have Joe Marshall’s Project PowerUp work which helped keep the electrical grid in Ukraine running after disruption from GPS jamming. Joe, on his own terms, found the right people, pulled volunteers together, and we were able to build something to help the grid maintain better time so Ukrainians can have more stable electrical power. 

Extract from a Dutch newspaper reporting on Talos' work on Project PowerUp

 **Marshall:** When we can pull off that kind of thing, it’s because of the trust that we have. More people today trust us than ever before. And I think that trust is well-deserved because of the solid information we can provide.

We bring verified information our customers can act upon, as well as bringing calm to a situation so we can encourage reason. We keep doing that no matter what else happens, and that gives people peace of mind. 

**Amy:** What’s common amongst the folks that we hire is they know that sometimes they’ll need to drop everything and pivot to a rapid response effort. I hope they know that our leadership team fights to give them air cover to a) keep them sane during those times, and b) makes sure that they have what they need. As a leadership team we fight for budgets and time and resources that can help them, because our people have such an innate sense of doing the right thing. We know that the lengths that people go to, and that's one of the many reasons why we will protect them every single day. 

** Our culture**

**Lurene:** In the early days of Sourcefire, there was no situation that came up where we couldn't sit down together and come up with a plan to solve it. We would make it work, and in so doing, we would make a change in the industry. We were given the space to do that. Matt \[Watchinski\] would say, “Go figure this out, come up with some plans, give me three options, and then we're gonna pick one of them and do it.” 

When I came back to Talos two years ago, I was so pleased to see that everybody had protected that culture and passed it on to new leaders in the group. I’m really proud of that. 

It’s our job to make people feel comfortable who might not feel comfortable elsewhere. Developing a space for people who are extremely valuable team members but might have trouble thriving in an extremely generic environment. I am one of those people, so I know I can say that. 

**Olney:** We want Talos be a thing that's worth being yourself with. Our culture is very conscious.  We didn’t do a survey and figure out, “Employees are 2.5% more engaged if you give them free drinks.” They get to define who they are, and who they want to be at Talos. And they get to define what you want your experience at Talos to be like. 

**Liz:** In other organizations, if a team doesn't make their deliverable, there’s zero compassion and no understanding – “Why did that fail?” Within Talos, we can fail and fail fast because there is so much clear transparency. That’s completely a part of the culture. 

**Marshall:** It really is. Until I myself attain perfection, it’s unfair for me to expect perfection from anyone else. 

**Olney:** We ask so much of our people.  We ask them to move fast and make tough decisions. If we were set the tone that every time someone screwed up, it was a job threatening situation, then people would be far more hesitant. They would work inside of smaller boxes. They would think smaller, and they would act less boldly. They would fade into the background more often. That’s the exact opposite of what we want.  

There’s no “Key performance metric” for Joe Marshall to build relationships with the Ukrainians and then come up with a solution that helps them keep the lights on. It’s just what we do…it’s just what we, as Talos, do. 

**Watchinski:** Our culture is the thing I’m most proud of, of all the things Talos has achieved over the past 10 years. 

**Liz:** Talos is also very family first. I remember once I was caring for my father. He had had a hip replacement, and I was to take care of him when he came home from the hospital. I thought I could do it by myself – be his 24-hour nurse and do my job at the same time. I showed up to a sync with Chinski, and he immediately knew something was wrong. He wasn't interested in any of the business side of things. He simply said, “Go. Go take care of your father.”  

**Marshall:** I stand by the idea that if I take care of my people, my people take care of me. That’s something I ask of all my managers — just take care of your people. The No. 2 thing I ask is to meet the needs of the business. 

**Watchinski:** A lot of people in this organization have been with me for 5,10,15 even 20 years. They’ve gone from junior analyst to senior director inside a Fortune 500 company. And even when you look at all the folks that have left the organization over the years, they've all gone on to do great things. 

**Marshall:** No matter what, I want people to be better for their time spent with us. And if they exit tomorrow but they’ve accomplished that, then we’ve done our job. 

**Brad:** People who have moved on from Talos have said to me, “The Talos years are some of the best years of my career.” To me, that’s worth protecting. 

For more Talos 10 celebrations, take a look at some our key moments:

"There is no business school class that would ever sit down and design Talos"

Japanese organizations are the target of a Chinese nation-state threat actor that leverages malware families like LODEINFO and NOOPDOOR to harvest sensitive information from compromised hosts while stealthily remaining under the radar in some cases for a time period ranging from two to three years.
Israeli cybersecurity company Cybereason is tracking the campaign under the name Cuckoo Spear,

Cyber Attack / Threat Intelligence

Japanese organizations are the target of a Chinese nation-state threat actor that leverages malware families like LODEINFO and NOOPDOOR to harvest sensitive information from compromised hosts while stealthily remaining under the radar in some cases for a time period ranging from two to three years.

Israeli cybersecurity company Cybereason is tracking the campaign under the name **Cuckoo Spear**, attributing it as related to a known intrusion set dubbed APT10, which is also known as Bronze Riverside, ChessMaster, Cicada, Cloudhopper, MenuPass, MirrorFace, Purple Typhoon (formerly Potassium), and Stone Panda.

"The actors behind NOOPDOOR not only utilized LODEINFO during the campaign, but also utilized the new backdoor to exfiltrate data from compromised enterprise networks," it said.

The findings come weeks after JPCERT/CC warned of cyber attacks mounted by the threat actor targeting Japanese entities using the two malware strains.

Earlier this January, ITOCHU Cyber & Intelligence disclosed that it had uncovered an updated version of the LODEINFO backdoor incorporating anti-analysis techniques, highlighting the use of spear-phishing emails to propagate the malware.

Trend Micro, which originally coined the term MenuPass to describe the threat actor, has characterized APT10 as an umbrella group comprising two clusters it calls Earth Tengshe and Earth Kasha. The hacking crew is known to be operational since at least 2006.

While Earth Tengshe is linked to campaigns distributing SigLoader and SodaMaster, Earth Kasha is attributed to the exclusive use of LODEINFO and NOOPDOOR. Both the sub-groups have been observed targeting public-facing applications with the aim of exfiltrating data and information in the network.

Earth Tengshe is also said to be related to another cluster codenamed Bronze Starlight (aka Emperor Dragonfly or Storm-0401), which has a history of operating short-lived ransomware families like LockFile, Atom Silo, Rook, Night Sky, Pandora, and Cheerscrypt.

On the other hand, Earth Kasha has been found to switch up its initial access methods by exploiting public-facing applications since April 2023, taking advantage of unpatched flaws in Array AG (CVE-2023-28461), Fortinet (CVE-2023-27997), and Proself (CVE-2023-45727) instances to distribute LODEINFO and NOOPDOOR (aka HiddenFace).

LODEINFO comes packed with several commands to execute arbitrary shellcode, log keystrokes, take screenshots, terminate processes, and exfiltrate files back to an actor-controlled server. NOOPDOOR, which shares code similarities with another APT10 backdoor known as ANEL Loader, features functionality to upload and download files, execute shellcode, and run more programs.

"LODEINFO appears to be used as a primary backdoor and NOOPDOOR acts as a secondary backdoor, keeping persistence within the compromised corporate network for more than two years," Cybereason said. "Threat actors maintain persistence within the environment by abusing scheduled tasks."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Chinese Hackers Target Japanese Firms with LODEINFO and NOOPDOOR Malware

We’ll TL;DR the FUDdy introduction: we all know that phishing attacks are on the rise in scale and complexity, that AI is enabling more sophisticated attacks that evade traditional defenses, and the never-ending cybersecurity talent gap means we’re all struggling to keep security teams fully staffed. 
Given that reality, security teams need to be able to monitor and respond to threats

We'll TL;DR the FUDdy introduction: we all know that phishing attacks are on the rise in scale and complexity, that AI is enabling more sophisticated attacks that evade traditional defenses, and the never-ending cybersecurity talent gap means we're all struggling to keep security teams fully staffed.

Given that reality, security teams need to be able to monitor and respond to threats effectively and efficiently. You obviously can't let real threats slip past unnoticed, but you also can't afford to waste time chasing false positives.

In this post, we're going to look at some of the ways Material Security's unique approach to email security and data protection can dramatically–and quantifiably–save your security teams hours each week while improving the effectiveness of your security program.

**What's Your Alert Budget?**

Before we dive into the "how," let's take a moment to look at _why_ efficiency is critical in security operations. To do that, let's think about how many alerts can your security and incident response teams realistically triage, investigate, and respond to in a given day. Just like your department has a budget that limits how much money you can spend on people and tools, your security teams have a limit to the amount of time they can devote to responding to threats on any given day. **That's your alert budget**.

That number will change day-to-day, of course, depending on the severity and complexity of the incidents that pop, the number of critical strategic projects your team is working on, and myriad other factors. But there is a limit. And just as you can't afford to waste your limited financial resources on redundant tools or software that provides no value to your team, you can't afford for your teams to waste their alert budget investigating duplicate alerts, remediating the same issue over and over, or chasing false positives.

The efficiency with which your security team spends their alert budget is just as important as how you spend your money, if not more so. Now let's dive into how we help improve that efficiency.

**Balancing Accuracy and Sensitivity**

No matter how many alerts your team receives, there are a limited number of hours in any given day that your team can devote to responding to them. Material's approach to phishing has been built on the philosophy that we need to help our customers make the most of their time. The alerts we generate must both catch as many threats as possible–while also generating as few false positives as possible.

"Precision" and "recall" are terms that will be familiar to a data scientist, but may not immediately ring a bell for security folks. In the context of email detections, precision is a measure of how many emails flagged as malicious are actually malicious, while recall is a measure of how many of the actual malicious emails received are flagged by the system.

A security system that generates very few false positives has high precision, and a system that catches nearly all the threats it sees has high recall. At a certain granular level, there is some tradeoff between the two: as you can imagine, you can lower the number of false positives you generate by decreasing the sensitivity of the detections: but decreasing the sensitivity will often lead to true positives being missed as well. Conversely, you can minimize those missed true positives by turning the sensitivity way up, but doing so will generate more false positives.

The focus at Material has been to build a detection engine that balances the two effectively, and surfaces the malicious messages that you truly need to focus on. In today's increasingly-complex threat environment, no single layer of protection is sufficient–and no single method of detection can possibly strike the right balance on its own. To that end, the Material Detection Engine is made up of four key components:

*   **Material Detections:** A combination of machine learning techniques with rules built by our dedicated threat research team. AI and ML are great for connecting dots and finding relationships that humans may miss, but for all the advancements in AI lately, there's still no replacement for the insight and capability of human expertise. Material Detections are the best of both worlds.
*   **Custom Detections:** Every organization and every environment are unique, so we give customers the ability to create custom detections based on what you're seeing across your user base or out in the wild.
*   **Email Provider Alerts:** Google and Microsoft periodically issue alerts for phishing emails that they've detected post-delivery; we ingest and process those alerts and add them to our detections.
*   **User Reports:** Material automates your abuse mailbox, from ingesting user reports, consolidating similar messages within a single case, and applying automated protection immediately while providing flexible remediation flows to security teams.

All of these facets combine into a powerful and incredibly precise detection platform that gives our customers powerful protection without wasting their time with false positives and noise–striking what we believe to be the right balance between precision and recall. But while effectively balancing accuracy and sensitivity is critical, it's not enough: a modern email security platform also needs to streamline security operations themselves.

**Fool Me Twice, Shame on Me**

There's been a noticeable uptick in email attack campaigns that are not just wide-ranging but very personalized. There's debate about how much of this can be attributed to generative AI–the prevailing assumption was that the explosion of generative AI would give adversaries a new bag of tools to play with, but research like Verizon's 2024 DBIR show little meaningful impact on attacks and breaches at this point.

Regardless of whether these attacks are AI-generated or not, there's no denying they're on the rise. Sure, we all still get the generic and transparent '_are you available?'_ messages from our "CEOs" when we first join a new company. But we also get emails with fake invoices coming from domains that are spoofs or homoglyphs of trusted partners and vendors. We see complex pretexting attacks laying out completely believable stories from senders who appear to have connections with us. We receive emails from spoofed or homoglyph domains that fool even the most conscientious user.

And often these attacks are repeated across an organization, but tailored to each recipient. Not only do they evade native email security controls and make it through SEGs, but they appear as individual attacks. Subject lines, senders, and even body content can vary from email to email, making it hard to easily group them together–meaning your security team has to burn through multiple cycles to investigate and respond to dozens or hundreds of iterations of the exact same attack.

Material helps security and IR teams address this problem with automatic clustering of suspicious messages. When Material detects a potential threat, it automatically creates a Case within our platform. It then scours the entire environment for messages that match that case, based on a range of criteria. It looks for similarities among the usual fields, of course: matching senders, matching subject lines, matching body text, etc. But it also looks for things like the URLs embedded within the messages and attachment, matching attacks that are otherwise impossible to group by other means.

Material creates cases for all detected messages, and clusters similar messages together, simplifying investigation and remediation.

And when messages are clustered together in a single case, it makes triage, investigation, and even remediation significantly simpler. Speedbumps by default are automatically applied to _all_ the messages within the case–so your users will get a warning that the message may be malicious before your team even has a chance to investigate. And once you've investigated and applied a remediation to a single message within the case, every message in that case–even matched messages that are delivered after your investigation–receive that same remediation.

We've already seen powerful examples of how this helps our customers in the real world. One Material customer recently told us that they tracked their phishing email investigations over a three-month period. In those 90 days with Material Security's help, their SOC saved over 300 hours of time investigating and responding to phishing emails. All those hours stayed in their alert budget to deal with other pressing matters.

**Harnessing Your Organization's Collective Intelligence**

Today's workforce is well aware of phishing threats. That doesn't mean they don't still fall for them, of course, but it means they're on the lookout for suspicious, poorly-worded, or simply unexpected messages.

And it's important to get it right. No single line of defense is going to catch all inbound email threats, and for all the incredible advancements in AI and machine detections, sometimes there's no substitute for a keen-eyed employee noticing an email just doesn't pass the sniff test.

The downside is that _handling_ user reporting can also be a significant drain on your security team if not handled correctly. Duplicate reports, harmless emails flagged for review, the need to respond to the user(s) who flagged… when you add up the minutes all of these actions require over dozens or hundreds of reports every day, it can be a significant time suck.

Material automates the full lifecycle of user report response, applying immediate herd immunity to all messages within a reported message case across your entire organization.

Material cuts away the day-to-day backend slog of user reporting, automating your abuse mailbox to both speed remediation and save your security team time. Material automatically adds a speedbump to reported messages across your entire user base, providing an immediate layer of protection while your security team investigates the issue.

Granular remediation options allow your teams to speedbump, block links, or outright delete reported emails that turn out to be malicious. And thanks to case consolidation and similar message matching, when you've investigated and responded to one email, you've responded to every similar message in the entire case. Finally, Material automatically responds to reporters with an acknowledgement message–that you can change or update as your investigation proceeds if you wish.

Material simplifies and streamlines the process of ingesting and responding to user reporting, while adding immediate protection to provide air cover for investigations.

**Advanced Protection You Can Trust, Efficiency You Can Take to the Bank**

Your security teams have to juggle enough as it is. With Material Security, they'll chase far fewer false positives, triage and investigate phishing cases faster, and spend less time on administrative busywork with user reporting. Material frees up more of your alert budget so you can spend it on what really matters.

To see how much time you can give back to your security team, contact us for a demo today.

Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

How To Get the Most From Your Security Team’s Email Alert Budget

OpenAI’s newest model is “a data hoover on steroids,” says one expert—but there are still ways to use it while minimizing risk.

Open AI says this data is used to train the AI model and improve its responses, but the terms allow the firm to share your personal information with affiliates, vendors, service providers, and law enforcement. “So it’s hard to know where your data will end up,” says Love.

OpenAI’s privacy policy states that ChatGPT does collect information to create an account or communicate with a business, says Bharath Thota, a data scientist and chief solutions officer of analytics practice at management consulting firm Kearney, which advises firms on managing and using AI data to power new revenue streams.

Part of this data collection includes full names, account credentials, payment card information, and transaction history, he says. “Personal information can also be stored, particularly if images are uploaded as part of prompts. Likewise, if a user decides to connect with any of the company’s social media pages like Facebook, LinkedIn, or Instagram, personal information may be collected if they’ve shared their contact details.”

OpenAI uses consumer data like other big tech and social media companies, but it does not sell advertising. Instead, it provides tools—an important difference, says Jeff Schwartzentruber, senior machine learning scientist at security firm eSentire. “The user input data is not used directly as a commodity. Instead, it is used to improve the services that benefit the user—but it also increases the value of OpenAI’s intellectual property.”

****Privacy Controls****

Since its launch in 2020 and amid criticism and privacy scandals, OpenAI has introduced tools and controls you can use to lock down your data. OpenAI says it is “committed to protecting people's privacy.”

For ChatGPT specifically, OpenAI says it understands users may not want their information used to improve its models and therefore provides ways for them to manage their data. “ChatGPT Free and Plus users can easily control whether they contribute to future model improvements in their settings,” the firm writes on its website, adding that it does not train on API, ChatGPT Enterprise, and ChatGPT Team customer data by default.

“We provide ChatGPT users with a number of privacy controls, including giving them an easy way to opt out of training our AI models and a temporary chat mode that automatically deletes chats on a regular basis,” OpenAI spokesperson Taya Christianson tells WIRED.

The firm says it does not seek out personal information to train its models, and it does not use public information on the internet to build profiles about people, advertise to them, or target them—or to sell user data.

OpenAI does not train your models on audio clips from voice chats—unless you choose to share your audio “to improve voice chats for everyone,” the Voice Chat FAQ on OpenAI’s website notes.

“If you share your audio with us, then we may use audio from your voice chats to train our models,” Open AI says in its Voice Chats FAQ. Meanwhile, transcribed chats may be used to train models depending on your choices and plan.

Can GPT-4o Be Trusted With Your Private Data?

Companies in Russia and Moldova have been the target of a phishing campaign orchestrated by a little-known cyber espionage group known as XDSpy.
The findings come from cybersecurity firm F.A.C.C.T., which said the infection chains lead to the deployment of a malware called DSDownloader. The activity was observed this month, it added.
XDSpy is a threat actor of indeterminate origin that was first

Cyber Espionage / Threat Intelligence

Companies in Russia and Moldova have been the target of a phishing campaign orchestrated by a little-known cyber espionage group known as **XDSpy**.

The findings come from cybersecurity firm F.A.C.C.T., which said the infection chains lead to the deployment of a malware called DSDownloader. The activity was observed this month, it added.

XDSpy is a threat actor of indeterminate origin that was first uncovered by the Belarusian Computer Emergency Response Team, CERT.BY, in February 2020. A subsequent analysis by ESET attributed the group to information-stealing attacks aimed at government agencies in Eastern Europe and the Balkans since 2011.

Attack chains mounted by the adversary are known to leverage spear-phishing emails in order to infiltrate their targets with a main malware module known as XDDown that, in turn, drops additional plugins for gathering system information, enumerating C: drive, monitoring external drives, exfiltrating local files, and gathering passwords.

Over the past year, XDSpy has been observed targeting Russian organizations with a C#-base dropper named UTask that's responsible for downloading a core module in the form of an executable that can fetch more payloads from a command-and-control (C2) server.

The latest set of attacks entails the use of phishing emails with agreement-related lures to propagate a RAR archive file that contains a legitimate executable and a malicious DLL file. The DLL is then executed by means of the former using DLL side-loading techniques.

The library takes care of downloading and running DSDownloader, which, in turn, opens a decoy file as a distraction while surreptitiously downloading the next-stage malware from a remote server. F.A.C.C.T. said the payload was no longer available for download at the time of analysis.

The onset of the Russo-Ukrainian war in 2022 has witnessed a significant escalation in cyber attacks on both sides, with Russian companies compromised by DarkWatchman RAT as well as by activity clusters tracked as Core Werewolf, Hellhounds, PhantomCore, Rare Wolf, ReaverBits, and Sticky Werewolf, among others in recent months.

What's more, pro-Ukrainian hacktivist groups such as Cyber.Anarchy.Squad has also set its sights on Russian entities, conducting hack-and-leak operations and disruptive attacks against Infotel and Avanpost.

The development comes as the Computer Emergency Response Team of Ukraine (CERT-UA) warned of a spike in phishing attacks carried out by a Belarusian threat actor called UAC-0057 (aka GhostWriter and UNC1151) that distribute a malware family referred to as PicassoLoader with an aim to drop a Cobalt Strike Beacon on infected hosts.

It also follows the discovery of a new campaign from the Russia-linked Turla group that utilizes a malicious Windows shortcut (LNK) file as a conduit to serve a fileless backdoor that can execute PowerShell scripts received from a legitimate-but-compromised server and disable security features.

"It also employs memory patching, bypass AMSI and disable system's event logging features to impair system's defense to enhance its evasion capability," G DATA researchers said. "It leverages Microsoft's msbuild.exe to implement AWL (Application Whitelist) Bypass to avoid detection."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#intel