Welcome to this week’s edition of the Threat Source newsletter.
It’s Cybersecurity Awareness Month, which means it’s time to hug your nearest defender — they’re probably tired, could be facing burnout or just have had too much coffee today.
What makes the cybersecurity landscape even more fraught right now is that qualified analysts, researchers and security practitioners are having a hard time finding work. Several major security firms have recently experienced layoffs or have shut down entirely, even as the community laments a cybersecurity skills gap and a lack of workers.
I was watching TechCrunch’s “Disrupt” conference last week and I found it interesting that one particular panel was discussing the challenges of hiring in cybersecurity right now, and the host of the panel asked if there is a stigma around hiring workers who had been a part of major breaches or security incidents (think: a SolarWinds employee who may have been working there during the major supply chain attack that targeted their software).
I had no idea this was even a going concern among security hiring managers, and it makes no sense why there would be. So, I started looking through job board postings and security forums and found that many active security job hunters are afraid to list if they worked somewhere during a notable incident. For example, this user on r/cybersecurity asked last year if they should leave a job off their résumé if they worked there when a major data breach occurred, even though they were not directly involved in the breach whatsoever.
And even if they were, who cares?
Sherrod DeGrippo, the director of threat intelligence strategy at Microsoft, had the perfect answer for this on the aforementioned TechCrunch panel. She said that if she sees a prospective employee who worked somewhere during a security “trash fire,” she looks "at that as somebody who has been on the frontlines and been under fire. They know what to do and they’ve been through it, and I guarantee they have learned from it.”
There has always been a stigma around disclosing data breaches for companies and employees alike, with targets being afraid of negative press or scrutiny that comes from publicly admitting to a data breach or cyber attack.
And I can see why someone wouldn’t want to mention that during a job interview. There could be an inherent “stink” that comes from working somewhere that got owned or had a ton of negative headlines around it, but I feel like that’s a stigma that needs to go away immediately if the security community does have any hope of closing the skills gap.
Anyone who’s been through a major security event, as I know firsthand from talking to many of Talos’ incident responders, always has something to learn — from either a positive or negative experience. It’s the same in every field, too.
When I was a journalist, I can’t say that I never had to issue a correction for a story I wrote or apologize to a source for misquoting them. They were mistakes I had to make as a young professional and learn from. And in this job, I’ve made a fair share of mistakes, too, and probably will make more. The important thing is that I learn from those mistakes and make changes to my processes going forward to avoid repeating them.
I would imagine the same would be true for any engineer who mistakenly left a vulnerability in some code or downloaded that software update that seemed legitimate but actually was packed with malware.
If you’ve worked in security for long enough, no matter for what company, you’ve been involved in a major security incident. That should not deter someone from hiring you for your next job, and you shouldn’t be leaving this off a résumé.
I am curious to know if this is a real issue or stigma that’s out there, so if you’re a hiring manager or job applicant who’s experienced this, DM us on Twitter!
The one big thing
The operators behind Qakbot still appear to be active, despite efforts from the FBI and other international law enforcement agencies to disrupt the massive botnet. Talos researchers discovered that the threat actors behind the Qakbot malware have been conducting a campaign since early August 2023 in which they distribute Ransom Knight ransomware and the Remcos backdoor via phishing emails. Notably, this activity appeared to begin before the FBI seized Qakbot infrastructure in late August and has continued since, indicating the law enforcement operation may not have affected the operators’ spam delivery infrastructure, only their command and control (C2) servers.
Why do I care?
Qakbot is one of the largest, most notable malware networks on the landscape currently, so any activity from this group is worth tracking. It’s particularly noteworthy now because the actor kept operating with so little interruption after the FBI’s takedown. This group is still actively sending spam, despite what recent headlines may indicate. Though Talos has not seen the threat actors distributing Qakbot itself since the infrastructure takedown, we assess the malware will continue to pose a significant threat moving forward.
So now what?
Given that Qakbot’s operators remain active, they may choose to rebuild Qakbot infrastructure to fully resume their pre-takedown activity, so it’s important to monitor the Talos blog and other security research for any additional activity. Talos has new ClamAV signatures that detect the malware associated with this current campaign, and there is a list of IOCs at the end of our blog post that everyone should add to their blocklists or other detection.
Top security headlines of the week
The company that makes the MOVEit file transfer software disclosed several vulnerabilities in one of its other products. Progress Software, the maker of MOVEit, which was the subject of a large data breach responsible for dozens of follow-on attacks, urged users to patch WS_FTP Server immediately. CVE-2023-40044 is a deserialization vulnerability in the Ad Hoc Transfer module of WS_FTP Server that an unauthenticated attacker could exploit to achieve remote code execution. In all, the company disclosed eight vulnerabilities last week and released hotfixes for all supported versions of the software. According to the company’s website, WS_FTP Server offers “the unique business-grade features required to assure reliable and secure transfer of critical data.” The site lists several major customers who use the affected software, including the NFL’s Denver Broncos and clothing retailer H&M. (The Record by Recorded Future, Decipher)
Google and Yahoo are implementing new rules for bulk email senders designed to reduce the amount of spam users receive and make it easier for users to opt out. Starting in early 2024, anyone sending more than 5,000 messages a day will need to authenticate their messages with standard email authentication protocols such as SPF and DKIM. These emails must also offer a one-click unsubscribe option for recipients (so hopefully no more confusing “Are you sure you want to go?!” messages on email preference pages). In its announcement, Google says its current AI-based spam filters block 99.9 percent of spam emails. However, filtering has become increasingly difficult as attackers develop new methods of bypassing traditional blocking methods or craft more convincing spam emails. (The Verge, ZDNet)
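The two requirements above (authenticated mail and a one-click unsubscribe) are both visible in message headers, so a receiving side can check them mechanically. The following is an added example written for this newsletter, not code from Google, Yahoo or Talos. It parses the Authentication-Results header stamped by the receiving MTA, trusts only results from an assumed authserv-id (“mx.example.net”, a placeholder) so that a sender-injected Authentication-Results header is ignored, and checks for the RFC 8058 one-click unsubscribe pair (an HTTPS List-Unsubscribe URI plus a “List-Unsubscribe-Post: List-Unsubscribe=One-Click” header). The three messages are constructed for the example.

```python
import email
import re
from email import policy

# Assumed identifier that our own MTA writes into Authentication-Results.
# Any header carrying another authserv-id is treated as untrusted.
TRUSTED_AUTHSERV = "mx.example.net"

# Constructed messages (not real mail). The first meets the bulk-sender rules,
# the second fails both, the third carries a forged Authentication-Results.
COMPLIANT = b"""Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=news.example.com; dkim=pass header.d=example.com header.s=s1
From: Example News <news@example.com>
To: user@example.net
Subject: Weekly digest
List-Unsubscribe: <https://example.com/unsub?u=123>, <mailto:unsub@example.com>
List-Unsubscribe-Post: List-Unsubscribe=One-Click

Hello.
"""

NONCOMPLIANT = b"""Authentication-Results: mx.example.net; spf=softfail smtp.mailfrom=bulk.example.org; dkim=none
From: Deals <deals@bulk.example.org>
To: user@example.net
Subject: Buy now
List-Unsubscribe: <mailto:unsub@bulk.example.org>

Buy now.
"""

FORGED = b"""Authentication-Results: attacker.example; spf=pass smtp.mailfrom=bulk.example.org; dkim=pass header.d=example.org
From: Deals <deals@bulk.example.org>
To: user@example.net
Subject: Buy now
List-Unsubscribe: <https://bulk.example.org/unsub>
List-Unsubscribe-Post: List-Unsubscribe=One-Click

Buy now.
"""

AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)", re.IGNORECASE)


def auth_results(msg, authserv=TRUSTED_AUTHSERV):
    """Collect method=result pairs, keeping only headers from our own MTA.
    The topmost (most recently added) header wins for each method."""
    results = {}
    for hdr in msg.get_all("Authentication-Results", []):
        text = str(hdr)
        parts = text.split(";", 1)[0].split()
        if not parts or parts[0].lower() != authserv.lower():
            continue  # forged or upstream header: ignore it
        for method, verdict in AUTH_RE.findall(text):
            results.setdefault(method.lower(), verdict.lower())
    return results


def has_one_click_unsubscribe(msg):
    """RFC 8058: an HTTPS List-Unsubscribe URI plus the One-Click POST marker."""
    lu = str(msg.get("List-Unsubscribe", "")).lower()
    post = str(msg.get("List-Unsubscribe-Post", "")).lower()
    return "https://" in lu and "list-unsubscribe=one-click" in post


def check_bulk_sender(raw):
    """Return the trusted auth results and a list of policy problems."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    auth = auth_results(msg)
    problems = []
    # The newsletter's minimum: at least one of SPF or DKIM must pass.
    # A stricter policy (both, plus DMARC alignment) is a one-line change here.
    if auth.get("spf") != "pass" and auth.get("dkim") != "pass":
        problems.append("neither SPF nor DKIM passed")
    if not has_one_click_unsubscribe(msg):
        problems.append("missing RFC 8058 one-click unsubscribe headers")
    return {"auth": auth, "problems": problems, "compliant": not problems}


if __name__ == "__main__":
    for label, raw in (("compliant", COMPLIANT), ("noncompliant", NONCOMPLIANT), ("forged", FORGED)):
        print(label, check_bulk_sender(raw))
```

The authserv-id check is the part worth copying: Authentication-Results is just a header, and a sender can put one in the message body before your MTA ever sees it, so only the header your own MTA added is meaningful.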
The U.S. Department of Homeland Security is investigating whether any floor plans for U.S. government buildings or other physical security information were affected by a data breach at a large government contractor. Johnson Controls International, which manufactures security systems and other hardware important to physical offices, disclosed this week that it is actively investigating a cyber attack “to assess what information was impacted” and is “executing our incident management and protection plan.” An internal DHS memo that CNN obtained stated that “Until further notice, we should assume that [the contractor] stores DHS floor plans and security information tied to contracts on their servers.” At the time of the memo, DHS was concerned that a possible U.S. government shutdown could delay its investigation; however, Congress avoided a shutdown over the weekend by passing a temporary spending bill. (CNN, Axios)
Can’t get enough Talos?
- The Need to Know: What is the dark web?
- Threat Roundup for Sept. 22 - 29
- Talos Takes Ep. #156: Inside a Talos Incident Response emergency event
- Cisco Cybersecurity Awareness Month homepage
Upcoming events where you can find Talos
Bsides PDX (Oct. 6 - 7)
Portland State University, Oregon, U.S.
Cisco Cybersecurity Day (Oct. 11)
Nuremberg Exhibition Center, Germany
ATT&CKcon 4.0 (Oct. 24 - 25)
Nicole Hoffman and James Nutland discuss the MITRE ATT&CK framework in “One Leg to Stand on: Adventures in Adversary Tracking with ATT&CK.” Even though ATT&CK has become an industry standard for cyber threat intelligence reporting, all too often techniques are thrown at the bottom of reports and blogs without any context, never to be seen again after dissemination. This is not useful for intelligence producers or consumers. In this presentation, Nicole and James will show analysts how to use ATT&CK as a guideline for creating a contextual knowledge base for adversary tracking.
misecCON (Nov. 17)
Terryn Valikodath from Talos Incident Response will deliver a talk providing advice on the best ways to conduct analysis, learning from his years of experience (and mishaps). He will speak about the everyday tasks he and his Talos IR teammates must go through to properly perform analysis. This talk covers topics such as planning, finding evil, recording findings, correlation and creating your own timelines.
Most prevalent malware files from Talos telemetry over the past week
SHA 256: 975517668a3fe020f1dbb1caafde7180fd9216dcbf0ea147675ec287287f86aa
Typical Filename: vincpsarzh.exe
Claimed Product: N/A
Detection Name: Win.Dropper.Scar::tpd
SHA 256: 4c3c7be970a08dd59e87de24590b938045f14e693a43a83b81ce8531127eb440
Typical Filename: iizbpyilb.bat
Claimed Product: N/A
Detection Name: Trojan.Agent.DDOH
SHA 256: 7f66d4580871e3ee6a35c8fef6da7ab26a93ba36b80279625328aaf184435efa
Typical Filename: профиль 10 класс.exe
Claimed Product: N/A
Detection Name: Application_Blocker
SHA 256: e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934
Typical Filename: Wextract
Claimed Product: Internet Explorer
Detection Name: PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg
SHA 256: e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c
Typical Filename: AAct.exe
Claimed Product: N/A
Detection Name: PUA.Win.Tool.Kmsauto::1201
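The “So now what?” section above asks readers to add published IOCs to blocklists or other detection, and the telemetry list above is exactly the kind of hash-plus-filename record that feed produces. The following is an added example written for this newsletter, not Talos tooling or a Talos ClamAV signature. It loads the five hashes, typical filenames and detection names printed above as a constructed IOC table, turns them into ClamAV .hsb hash signature lines (format sha256:size:name, with “*” for any size, which ClamAV accepts when the trailing minimum functionality level 73 is given), and walks a directory, hashing each file and reporting exact hash hits separately from weaker filename-only leads. The file-size wildcard and the 73 level are stated from ClamAV’s signature documentation; everything else is constructed.

```python
import hashlib
from pathlib import Path

# Constructed from the SHA256, Typical Filename and Detection Name fields
# printed in this newsletter's telemetry section. A real feed is loaded the
# same way; the "::" suffixes are Talos/ClamAV detection-name metadata.
IOCS = {
    "975517668a3fe020f1dbb1caafde7180fd9216dcbf0ea147675ec287287f86aa": ("vincpsarzh.exe", "Win.Dropper.Scar::tpd"),
    "4c3c7be970a08dd59e87de24590b938045f14e693a43a83b81ce8531127eb440": ("iizbpyilb.bat", "Trojan.Agent.DDOH"),
    "7f66d4580871e3ee6a35c8fef6da7ab26a93ba36b80279625328aaf184435efa": ("профиль 10 класс.exe", "Application_Blocker"),
    "e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934": ("Wextract", "PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg"),
    "e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c": ("AAct.exe", "PUA.Win.Tool.Kmsauto::1201"),
}


def to_clamav_hsb(iocs):
    """Emit ClamAV .hsb lines: sha256:size:name[:min_flevel].
    '*' matches any file size and requires minimum functionality level 73.
    ':' is the field separator, so the '::' suffix must be dropped from names."""
    lines = []
    for digest, (_, detection) in sorted(iocs.items()):
        name = detection.split("::", 1)[0]
        lines.append(f"{digest}:*:{name}:73")
    return "\n".join(lines) + "\n"


def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()


def sha256_file(path, chunk=1 << 20):
    """Stream the file so large droppers do not get read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def lookup(digest, filename, iocs=IOCS):
    """Return (verdict, detection). A hash hit is conclusive; a filename-only
    match is just a lead, since names are trivially changed and some (Wextract)
    collide with legitimate components."""
    if digest in iocs:
        return "hash", iocs[digest][1]
    for _, (typical_name, detection) in iocs.items():
        if filename.lower() == typical_name.lower():
            return "name", detection
    return "clean", None


def scan_tree(root, iocs=IOCS):
    """Hash every regular file under root and return the non-clean results."""
    hits = []
    for p in Path(root).rglob("*"):
        if p.is_file():
            verdict, detection = lookup(sha256_file(p), p.name, iocs)
            if verdict != "clean":
                hits.append((str(p), verdict, detection))
    return hits


if __name__ == "__main__":
    import sys
    print(to_clamav_hsb(IOCS), end="")
    for hit in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(*hit)
```

Write the .hsb output to a file in ClamAV’s database directory and clamscan will pick it up alongside the official signatures; for the current Qakbot-operator campaign, the IOCs from the Talos blog post would replace the constructed table here.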