Cisco Talos Incident Response observed data theft extortion more than any other type of cyber attack last quarter. So why has it become so popular? And what makes it different from ransomware? Jacob Finn from the Talos Threat Intelligence and Interdiction Team joins Jon this week to discuss the basics of data theft extortion. He just worked on an overview of this threat for Talos researchers and works closely with Talos IR on their quarterly trends reports. Jacob discusses why threat actors are choosing data theft extortion over ransomware and how this makes defense and detection more difficult. For more on this topic, read our one-page overview here.
Hazel Burton and Jon Munshaw use this week to look back on the top threats and cybersecurity trends so far in 2023 and the rest of the year. Hazel recently compiled Talos' Half-Year in Review, recapping the top stories that Talos has been following so far this year. She and Jon talk about what stood out from the report, what our researchers have been thinking about up to this point, and what we'll be discussing come December.
We're back with the audio version of our quarterly Cisco Talos Incident Response On Air stream. Join the Talos IR team as they recap the past quarter's top trends, including talking about malware they're seeing in the wild, tactics that attackers are using most often to break into networks, and much more. They discuss why healthcare continues to be a popular target for bad actors, and how adversaries are pivoting away from ransomware and instead opting for data theft and extortion. If you prefer a video version, watch it over on YouTube here.
When Martin Lee first told Jon about ISO 27001 and 27002, Jon had to immediately Google whatever this combination of letters and numbers meant. Turns out there are international standards for cybersecurity, just like they have for selling lightbulbs and installing electrical outlets — who knew? Martin recently wrote about these standards for the Talos blog, outlining a list of recommendations for any organization looking to build a threat intelligence program from the ground up. Jon interviewed him about what these standards are, exactly, what they mean for companies looking to implement these standards, and why they recently included threat intelligence.
Asheer Malhotra is back to talk to Jon Munshaw about spyware and mercenary groups. Asheer recently helped publish Talos research on Mercenary Groups and why they're so dangerous in particular. We briefly touched on this topic in a past episode on the Predator/Alien spyware tag team, but this time we're getting into the broader field of what Mercenary groups are, exactly, and what makes them so dangerous. Asheer talks about recent steps governments have taken to curb the sale of spyware and why the "average" user should care about this topic, even though they're unlikely to ever be a target.
We decided to have a web navigation extravaganza this week! Guilherme Venere and Jaeson Schultz from Talos Outreach have both long been researching the ways in which bad actors try to damage users' inherent trust in the internet. Most internet users interact with the web by typing in a URL or domain name into their web browser (i.e., google.com) expecting that will take them to the right place. But attackers have found various ways to mess with that series of handshakes that must take place. Guilherme and Jaeson talk to Jon about their past years of research into typosquatting domains, new TLDs that open up the door to data leaks, DNS manipulation and more.
Additional reading:
Aliza Johnson from Talos Threat Intelligence and Interdiction team joins Jon Munshaw this week for a Talos Takes episode on the MOVEit zero-day vulnerability (that's since been patched) making headlines recently. Talos published an advisory last week on everything we know so far about the exploitation of this vulnerability and the group behind it, Clop. Aliza discusses where things stand right now, what Clop is doing once they gain access via this vulnerability and what Talos recommends for mitigation strategies for potentially affected customers.
Cisco Talos Incident Response recently discovered an uptick in malicious actors compromising vendor and third-party accounts to sneak into targeted networks. Many enterprises have vendor and contractor accounts that need to access their network for a variety of things — IT support, cybersecurity, etc. — but these accounts are often monitored less than those belonging to full-time employees. Craig Jackson, who recently co-authored a blog post on this threat, joins Talos Takes this week to talk about vendor and contractor account (VCA) takeover and how they fit into the broader threat of supply chain attacks.
We're joined this week by Chetan Raghuprasad to discuss a new botnet he recently discovered and researched. Horabot can completely hijack a target's Outlook mailbox to steal their contact list and then send even more spam to targets. It's the perfect business email compromise tool for attackers that comes with a side of banking trojan. Chetan talks to Jon about this malware family's abilities, where it came from and what the actors behind it are hoping to achieve. For more, read Chetan's full blog post.
Despite governments' best efforts, spyware is still running rampant on the threat landscape. These types of tracking malware are used to target high-profile individuals like politicians, activists, journalists and more — and even sometimes for jealous exes to track their former partners. Asheer Malhotra, who recently dissected the Predator spyware, joins Talos Takes this week to talk about Predator and its associated tool, Alien. Asheer shares new technical details about this spyware and discusses why "mercenary" spyware groups are on the rise.
If listeners suspect their system(s) may have been compromised by commercial spyware, please consider notifying Talos’ research team at talos-mercenary-spyware-help@external.cisco.com to assist in furthering the community’s knowledge of these threats.