By Jon Munshaw.
- Strong experience administering endpoint protection.
- Strong experience managing email security products.
- Familiarity with incident response procedures, identity management and multi-factor authentication.
The one big thing
Why do I care?
I shouldn’t have to tell you why you should care about Ukraine. But if anything, this attack shows that even though public discussion around the war and follow-on cyber attacks has waned, the threat isn’t going anywhere.
So now what?
In this instance, we saw a software company targeted with a backdoor designed for additional persistent access. This access could be leveraged in a variety of ways, including deeper access or launching additional attacks, including the potential for software supply chain compromise. It's a reminder that although the cyber activities haven't necessarily risen to the level many have expected, Ukraine is still facing a well-funded, determined adversary that can inflict damage in a variety of ways — this is just the latest example of those attempts. As always, Talos continually updates our coverage around the threats Ukraine faces and appropriate Cisco Secure protections.
Other news of note
Spyware continues to be a top threat for government officials, politicians and activists. The European Union recently found the NSO Group’s Pegasus spyware installed on several employees’ mobile devices. Apple initially alerted the EU that the devices had indicators of compromise related to the spyware. This led the European Commission to reach out to Israel, asking the country to "prevent the misuse of their products in the EU.” Meanwhile, the Canadian Parliament is investigating if the national police force uses Pegasus as part of its surveillance operations. Previously, the RCMP said it only used Pegasus in severe cases, deploying it 10 times between 2018 and 2020. (Reuters, Politico)
An attacker claims to have stolen data from more than 5.4 million Twitter users and is selling it on the dark web for $30,000. The seller using the username "devil" claims the data includes “Celebrities, to Companies, randoms, OGs, etc.” Twitter said it launched an investigation to verify the authenticity of the data and notify any users whose accounts may have been affected. The attacker exploited a vulnerability that was reported to Twitter several months ago through its bug bounty program and has since been fixed. Breached Forums, where the data is listed for sale, is the same site where an attacker leaked 23 TB of data from 1 billion Chinese citizens earlier this year. (Fortune, The Register)
A new malware tool broker known as “Knotweed” has been outed as the source of several spyware attacks and zero-day exploits against Microsoft and Adobe products. Microsoft stated in a new report that it believes the group is “linked to the development and attempted sale of a malware toolset called Subzero, which enables customers to hack into their targets' computers, phones, network infrastructure and internet-connected devices.” Some of the exploits the group sold were recently used in cyber attacks against Austria, Panama and the U.K. (Microsoft, Dark Reading)
Can’t get enough Talos?
- Talos Takes Ep. #105: We return once more to Transparent Tribe
- Quarterly Report: Incident Response Trends in Q2 2022
- What Talos Incident Response learned from a recent Qakbot attack hijacking old email threads
- Vulnerability Spotlight: How a code re-use issue led to vulnerabilities across multiple products
- How big is the risk that someone will hack an EV charging network?
Upcoming events where you can find Talos
Las Vegas, Nevada
Most prevalent malware files from Talos telemetry over the past week
MD5: 93fefc3e88ffb78abb36365fa5cf857c
Typical Filename: Wextract
Claimed Product: Internet Explorer
Detection Name: PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg