Talos Takes

Technology Podcasts

Every week, host Jon Munshaw brings on a new guest from Talos or the broader Cisco Secure world to break down a complicated security topic in just five or 10 minutes. We cover everything from breaking news to attacker trends and emerging threats.

Location:

United States

Language:

English


Episodes

The many shades of LilacSquid

6/14/2024
Anna Bennett, one of Talos' threat hunters, joins the show this week to talk about one of her recent findings — the LilacSquid APT. This is a newly discovered threat actor that Talos found hiding on networks for months and years at a time, silently stealing sensitive information the entire time. Anna discusses LilacSquid's activities, potential motivations, and how they overlap with North Korean APTs.

Duration: 00:12:15

A mid-year checkin on Volt Typhoon

6/7/2024
The Volt Typhoon threat actor is one of the longest-running cybersecurity storylines this year. The Chinese state-sponsored actor has already been accused of a range of attacks, specifically targeting critical infrastructure and U.S. military bases. Since it's been a few months without any new developments with this group, we thought it'd be a good idea to check in with Talos' Threat Intelligence and Interdiction team on what's going on with this actor, and if they're up to anything new.

Duration: 00:11:20

How much has AI helped bad actors who spread disinformation?

5/31/2024
Inspired by his quotes in a recent CNBC article, Jon Munshaw wanted to have Martin Lee on the show this week to discuss AI and how adversaries can use these tools to create deepfakes and disinformation. Martin shares why he thinks the threats of increasing fake news with the advent of AI tools are a bit overblown, and how the dangers in spreading fake news come more from text-based posts than any deepfake video or audio. If you'd like to learn more about how to detect potential deepfake videos or fake news articles, check out the additional resources here and here.

Duration: 00:19:20

Recapping RSA

5/17/2024
Nicole Hoffman, fresh off her trip to the RSA Conference, joins host Jon Munshaw this week to talk about her major takeaways from the week in San Francisco. Nicole talks about how most of the discussions on the floor centered around AI, and what lessons other defenders are learning from some of our past mistakes. If you'd like to check out Nicole's other work, buy her children's cybersecurity books on Amazon.

Duration: 00:12:15

Why CoralRaider is looking to steal your login credentials

5/10/2024
Joey Chen from Talos' Outreach team is here to tell us all about his research into the CoralRaider threat actor. He's helped write two posts on the recently discovered APT, disclosing new information about how this Vietnamese-based actor is targeting login credentials. After stealing those credentials, they go on to try and sell them on the dark web, or use them to try and brute force their way into more important accounts. Joey discusses what this actor is really after, and why they've been growing so quickly.

Duration: 00:06:45

4 takeaways from what Talos IR is seeing in the field

5/3/2024
Hazel Burton steps in to host this week's episode as we cover the recent Cisco Talos Incident Response Quarterly Trends Report from the first quarter of this year. Hazel talks to different Talosians to find out why business email compromise is on the rise, how attackers are bypassing MFA, and more.

Duration: 00:14:15

How to defend against brute force attacks

4/26/2024
After a recent spike in brute force attempts targeting SSH and VPN services, we felt it was a good time to give listeners a lesson on brute force attacks. Nick Biasini joins host Jon Munshaw this week to discuss the basics of these methods, how administrators can protect their accounts, and other potential defense mechanisms (or whether to just take passwords out of the equation entirely).

Duration: 00:07:30

What are the dangers of enabling sideloading and third-party apps?

4/19/2024
Apple now must allow users to be able to sideload apps onto their phones or access third-party app stores, thanks to a law from the European Union that went into effect earlier this year. Terryn Valikodath from Cisco Talos Incident Response joins Jon this week to discuss the potential dangers that come with allowing users to sideload apps onto their devices, and how attackers may take advantage of this new opening.

Duration: 00:10:24

Why we need to stop calling as-a-service group takedowns "takedowns"

4/12/2024
Hazel Burton and Thorsten Rosendahl join Jon Munshaw on this week's episode to discuss the problem with threat actor "hydras." They recently wrote about the topic for the Talos blog, highlighting how law enforcement takedowns of these groups are closer to just disruptions or setbacks for these massive actors. They talk about what really needs to be done to stop ransomware actors and why RaaS is a breeding ground for "hydras."

Duration: 00:12:20

Turla has been around for 20-plus years at this point, but they're still mixing things up

4/5/2024
Holger Unterbrink of Talos Outreach joins the show this week to discuss his recent Turla APT research. This Russian state-sponsored actor has been around for years but is regularly adding new tooling to its arsenal. Holger has new details about their latest tool, TinyTurlaNG, and insight into the types of organizations they're targeting.

Duration: 00:09:04

Why more actors are starting to use Telegram for their communications

3/22/2024
Jon started noticing that Talos is finding more threat actors using Telegram nowadays for their communication and coordination, so he decided to bring Azim Khodjibaev on to ask him if he was just inventing this, or if it was a real trend. Turns out it's a real trend! Azim fills listeners in on why Telegram is becoming the app of choice for APTs to publish "news," threaten data leaks, and more.

Duration: 00:10:25

Why no one should be relying on passive security in 2024

3/15/2024
Nick Biasini joins Jon this week to talk about passive security. He recently wrote about this topic for the Talos blog and joined Wendy Nather in discussing the merits of passive security versus active blocking. Nick defines what passive security is, exactly, and why it's not the way to go in the modern age.

Duration: 00:08:17

What's new about GhostSec's ransomware-as-a-service model

3/8/2024
Chetan Raghuprasad from the Talos Outreach team joins Talos Takes this week to talk to Jon about the GhostSec threat actor that he and a few colleagues wrote about for the Talos blog. GhostSec has teamed up with another ransomware group to carry out double extortion attacks all over the globe, with increasing frequency over the past year. They discuss what's unique about this particular RaaS model, where GhostSec came from, and the benefits of going in on a team-up.

Duration: 00:12:06

Why are "identity attacks" on the rise?

3/1/2024
Now more than ever, adversaries are logging in, not breaking in. They're stealing legitimate user credentials to hide undetected on a targeted network after acquiring said credentials in a variety of ways. Hazel Burton joins Jon Munshaw this week to discuss identity attacks, recommendations for avoiding them, and how QR code phishing plays into these tactics.

Duration: 00:11:29

The tl;dr of NIS2

2/23/2024
Gergana Karadzhova-Dangela and Thorsten Rosendahl, our resident experts on all things European Union cybersecurity law, join the show this week to talk about the impending NIS2 regulations. Don't worry, you've still got plenty of time to work on them, but this is a good place to get started even if you've never seen the phrase "NIS2" before. Find more of their writing on NIS2 here and here.

Duration: 00:14:05

Case study: How Talos IR helped a healthcare tech company avoid a ransomware attack

2/16/2024
Reposted from the Cisco Security Stories feed: Meet Jeremy Maxwell, CISO of Veradigm, a healthcare IT company. Jeremy discusses how his organization proactively prepares for cybersecurity incidents within a highly regulated industry.

Duration: 00:49:20

How are attackers using malicious drivers in Windows to stay undetected?

2/2/2024
Chris Neal from Talos Outreach joins the show today to talk about his research into the ways adversaries are using malicious drivers on Windows to spread malware. He recently launched a new series on the Talos blog about the basics of drivers and how security researchers can reverse engineer them to learn more about attacker TTPs and develop new detection content. Chris discusses when he first spotted this type of attack, what advantages it presents for the attacker and the other aspects of the research he plans to dive into.

Duration: 00:11:36

(XL Edition): Talos IR recaps the top threats of Q4 2023

1/26/2024
This week, we're bringing you the audio version of our recent Talos IR On Air video. Several Talos incident responders got together to recap the top threats and attacker trends of Q4 2023, as outlined in our full Quarterly Trends Report. Hear about why ransomware was up for the first time the entire year, and which sectors were being targeted most often.

Duration: 00:17:18

What's new with CVSS 4.0, and does it really change anything?

1/19/2024
We're talking about vulnerabilities this week with Jerry Gamblin from Cisco Vulnerability Management. Jerry joins the show to talk about the release of CVSS 4.0 this year — the newest method the security community will use to score the severity of certain vulnerabilities. Jerry discusses what makes this scoring system different from previous iterations, if it changes how he views the term "severe," and how that fits into Cisco's overall vulnerability management processes.

Duration: 00:09:29

XL Edition: Talos' 2023 Year in Review

1/12/2024
In this special edition of the show, we're bringing you the audio version of our Year in Review livestream. Recorded at the end of December, this stream included Hazel Burton, Nick Biasini and Laurie Varner from Cisco Talos Incident Response recapping the year that was in cybersecurity. They covered the highlights of our 2023 Year in Review report, their personal takeaways from the past year, and trends to watch for heading into the new year.

Duration: 00:34:51