Efficiency? Security? When the quest for one grants neither


Welcome to this week’s edition of the Threat Source newsletter. 
 
Benjamin Franklin once said, “Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety.” In much the same way, those who rush for efficiency without taking security into account end up neither efficient nor secure.

Over the past week the Department of Government Efficiency (or DOGE) has put on a clinic in how not to do things. For example, the Doge.gov website was easily and immediately compromised: researchers were able to push updates to the public website via access to a database of government employment information. Not to be outdone, the DOGE team hastily stood up the Waste.gov website, which still carried the placeholder WordPress default template, including the sample text featuring an imaginary architecture firm called Études from the default WordPress theme Twenty Twenty-Four. This slapdash nonsense was hidden behind a password wall after the researchers' findings became public.

It’s really an excellent lesson in what happens when security is not taken into account, and in how instant the ramifications are. As an entire infosec community we’ve talked at length about how baking security into every decision is incredibly important, and how trying to bolt on fixes after the fact not only doesn’t work but highlights the lack of rigor and awareness of security in the room - creating an attractive target.

Let’s take a deep breath, take a moment to create a more secure process, follow those processes, and ensure security is in place at every step - then we can attack matters of efficiency.  


Newsletter reader survey

We want your feedback! Tell us your thoughts and five lucky readers will receive Talos Swag boxes.

Launch survey: https://forms.office.com/r/PhJ1FFRfHe
The one big thing

Cisco Talos has published a blog on the ongoing research into Salt Typhoon (https://blog.talosintelligence.com/salt-typhoon-analysis/). Cisco Talos has been closely monitoring reports of widespread intrusion activity against several major U.S. telecommunications companies, an issue that we have been concerned with for a long time here at Talos (https://blog.talosintelligence.com/state-sponsored-campaigns-target-global-network-infrastructure/). The activity, initially reported in late 2024 and later confirmed by the U.S. government, is being carried out by a highly sophisticated threat actor dubbed Salt Typhoon.

A hallmark of this campaign is the use of living-off-the-land (LOTL) techniques on network devices. It is important to note that while the telecommunications industry is the primary victim, the advice contained herein is relevant to, and should be considered by, all infrastructure defenders.

Why do I care?

State-sponsored actors (https://blog.talosintelligence.com/state-sponsored-campaigns-target-global-network-infrastructure/) have been aggressively targeting global network infrastructure, and understanding and mitigating these actions will help you improve the resilience of your network infrastructure.

So now what?

Cisco Talos has released an extensive list of preventative measures for general and Cisco-specific devices, which can be found in the Salt Typhoon blog post (https://blog.talosintelligence.com/salt-typhoon-analysis/).

Top security headlines of the week

Palo Alto Networks has warned that hackers are exploiting another vulnerability in its firewall software to break into unpatched customer networks.
(TechCrunch: https://techcrunch.com/2025/02/19/palo-alto-networks-warns-of-another-firewall-vulnerability-under-attack-by-hackers/)

Security researchers warn that a critical vulnerability in SonicWall’s SonicOS is under active exploitation. (Cybersecurity Dive: https://www.cybersecuritydive.com/news/vulnerability-sonicwall-firewalls-exploitation/740345/)

Two security vulnerabilities have been discovered in the OpenSSH secure networking utility suite that, if successfully exploited, could result in an active machine-in-the-middle (MitM) attack and a denial-of-service (DoS) attack, respectively, under certain conditions. (The Hacker News: https://thehackernews.com/2025/02/new-openssh-flaws-enable-man-in-middle.html)

Can’t get enough Talos?

- Talos Vulnerability Research: ClearML and NVIDIA (https://blog.talosintelligence.com/clearml-and-nvidia-vulns/)
- Vulnerability Deep Dive: Small praise for modern compilers - A case of Ubuntu printing vulnerability that wasn’t (https://blog.talosintelligence.com/small-praise-for-modern-compilers-a-case-of-ubuntu-printing-vulnerability-that-wasnt/)

Upcoming events where you can find Talos

RSA (April 28-May 1, 2025), San Francisco, CA: https://www.rsaconference.com/usa
CTA TIPS 2025 (May 14-15, 2025), Arlington, VA: https://www.cyberthreatalliance.org/tips-conference/

Most prevalent malware files from Talos telemetry over the past week
