Asheer Malhotra is back to talk to Jon Munshaw about spyware and mercenary groups. Asheer recently helped publish Talos research on Mercenary Groups and why they're so dangerous in particular. We briefly touched on this topic in a past episode on the Predator/Alien spyware tag team, but this time we're getting into the broader field of what Mercenary groups are, exactly, and what makes them so dangerous. Asheer talks about recent steps governments have taken to curb the sale of spyware and why the "average" user should care about this topic, even though they're unlikely to ever be a target.
We decided to have a web navigation extravaganza this week! Guilherme Venere and Jaeson Schultz from Talos Outreach have both long been researching the ways in which bad actors try to damage users' inherent trust in the internet. Most internet users interact with the web by typing in a URL or domain name into their web browser (i.e., google.com) expecting that will take them to the right place. But attackers have found various ways to mess with that series of handshakes that must take place. Guilherme and Jaeson talk to Jon about their past years of research into typosquatting domains, new TLDs that open up the door to data leaks, DNS manipulation and more.
Aliza Johnson from Talos Threat Intelligence and Interdiction team joins Jon Munshaw this week for a Talos Takes episode on the MOVEit zero-day vulnerability (that's since been patched) making headlines recently. Talos published an advisory last week on everything we know so far about the exploitation of this vulnerability and the group behind it, Clop. Aliza discusses where things stand right now, what Clop is doing once they gain access via this vulnerability and what Talos recommends for mitigation strategies for potentially affected customers.
Cisco Talos Incident Response recently discovered an uptick in malicious actors compromising vendor and third-party accounts to sneak into targeted networks. Many enterprises have vendor and contractor accounts that need to access their network for a variety of things — IT support, cybersecurity, etc. — but these accounts are often monitored less than those belonging to full-time employees. Craig Jackson, who recently co-authored a blog post on this threat, joins Talos Takes this week to talk about vendor and contractor account (VCA) takeover and how they fit into the broader threat of supply chain attacks.
We're joined this week by Chetan Raghuprasad to discuss a new botnet he recently discovered and researched. Horabot can completely hijack a target's Outlook mailbox to steal their contact list and then send even more spam to targets. It's the perfect business email compromise tool for attackers that comes with a side of banking trojan. Chetan talks to Jon about this malware family's abilities, where it came from and what the actors behind it are hoping to achieve. For more, read Chetan's full blog post.
Despite governments' best efforts, spyware is still running rampant on the threat landscape. These types of tracking malware are used to target high-profile individuals like politicians, activists, journalists and more — and even sometimes for jealous exes to track their former partners. Asheer Malhotra, who recently dissected the Predator spyware, joins Talos Takes this week to talk about Predator and its associated tool, Alien. Asheer shares new technical details about this spyware and discusses why "mercenary" spyware groups are on the rise.
If listeners suspect their system(s) may have been compromised by commercial spyware, please consider notifying Talos’ research team at firstname.lastname@example.org to assist in furthering the community’s knowledge of these threats.
Hazel Burton is our special guest host this week of Talos Takes, featuring a very special guest: Talos Vice President Matt Watchinski! Matt and Hazel have a conversation for Mental Health Awareness Month, especially as it relates to the cybersecurity industry. They share tips on how to balance work and life (when it seems like cybersecurity is starting to permeate every aspect of our lives) and how to deal with failure. Join us for this incredibly candid conversation!
Talos researchers recently discovered a new ransomware group called "RA Group." This week, Nick Biasni joins Jon to discuss this new threat actor and the modified Babuk ransomware they've already used in attacks against a wide range of companies in the U.S. and South Korea. Nick talks about the group's use of source code that's already been leaked, where they could be headed next and what this group may signal for the larger ransomware landscape.
Other helpful links:
Tiago Pereira from Talos Outreach joins the show this week to talk about his recent discovery of a new phishing-as-a-service tool called "Greatness." Since everything else is "as-a-service" nowadays, it's only fitting that attackers have figured out how to monetize easy phishing tools, too. Tiago discusses what makes Greatness unique, why it's going after business targets specifically, and why it creates such convincing fake Office 365 login pages.
This week's episode is longer than usual, but we wanted to bring you the Cisco Talos Incident Response On Air livestream from last week for anyone who missed it. For anyone who prefers a video version, you can watch the recording here.
In this discussion, researchers from Talos IR and the Talos Threat Intelligence and Interdiction team cover the top threats and attacker tactics they saw over the past quarter. They talk about why the use of web shells is way up, whether or not the ransomware decline is real and how multi-factor authentication could have stopped many of the threats they worked on in the first quarter of 2023. For more, read the latest Talos IR Quarterly Trends report.