Welcome to this week’s edition of the Threat Source newsletter.
I count myself fortunate that I have never been on the receiving end of a ransomware attack. My experiences have been from research and response, never as a victim. It’s a tough scenario: One day you are working or minding your own business when suddenly, threatening notes appear on desktops and systems simply stop working. So much of our survival as humans is tied to our livelihoods, so the amount of stress incurred can be severe. I get it, truly.
Consequently, I am endlessly academically fascinated at stress responses and how humans… well… human during moments of adversity. A ransomware attack most certainly qualifies as adverse, and my sympathies are with you if you’ve ever had to endure one. But there’s a science to both the personal response, and the business response and its impacts writ large.
Over the past year, excellent research has been published on these facets of response to help answer some of these questions, and naturally I dove right into the research. One of the things that stuck out to me was that the impact of the attacks and its effect on small businesses as a victim segment. A notable quote from a small business in the U.K. government’s “The experiences and impacts of ransomware attacks on individuals and organisations” states:
“I’ve started to rebuild, using personal funds and living off personal funds for the last 2 or 3 years… I’ve got 0 savings left… It’s had a total impact on me… I’ve gone from probably nearly a £250,000 business down to about a £20,000 business.”
This quote isn’t unique in its impacts. Anecdotally, I can tell you small businesses are a large swath of victims for ransomware operators. It makes sense — Small victims likely pay out less but likely have lower security standards and security knowledge to defend themselves with. They also do not have the cash reserves, legal teams, or dedicated IT security staff that a mid-sized or larger business have. Simply put, they are disproportionately vulnerable.
So, what about the impacts to health and wellbeing? What, if anything, do we do? And why the hell should any business even care? To paraphrase the Royal United Services Institute (RUSI) report ‘Your Data is Stolen and Encrypted’: The Ransomware Victim Experience, ransomware victims experience trauma, exhaustion, and emotional harm that rival — and often outlast — the financial or operational damage. You can survive the battle of immediate operational harm of a cyber attack and recover your day-to-day business operations only to lose the war as your employees cope and process the trauma of the event and thus impact your business’ ability to compete and survive.
A cyber attack is both a technical and psychological crisis. Business leadership would be wise to understand this. Lead with empathy and remember that your employees look to you for leadership, especially in these incidents. People follow calm, not commands. Have an incident response plan for how you respond to the technical crises, but also for how to take care of your people. You might find yourself that much stronger at the end, both with a company that handles adversity and employees that are cared for.
The one big thing
Cisco Talos discovered a new malware campaign linked to the North Korean threat group Famous Chollima, which targets job seekers with trojanized applications to steal credentials and cryptocurrency. The campaign features two primary tools, BeaverTail and OtterCookie, whose functionalities are merging and now include new modules for keylogging, screenshot capture, and clipboard monitoring. The attackers deliver these threats through malicious NPM packages and even a fake VS Code extension, making detection and prevention more challenging.
Why do I care?
This campaign highlights how attackers use social engineering and software supply chain attacks to compromise individuals and organizations, not just targeting companies directly. If you or your organization use development tools, npm packages, or receive unsolicited job offers, you could be at risk of credential or cryptocurrency theft.
So now what?
Be vigilant when installing NPM packages, browser extensions, or software from unofficial sources, and verify the legitimacy of job offer communications. Use layered security solutions, such as endpoint protection, multi-factor authentication, and network monitoring tools like those recommended by Cisco, to detect and block these threats.
Top security headlines of the week
Harvard is first confirmed victim of Oracle EBS zero-day hack
Harvard was listed on the data leak website dedicated to victims of the Cl0p ransomware on October 12. The hackers have made available over 1.3 TB of archive files that allegedly contain Harvard data. (SecurityWeek)
Two new Windows zero-days exploited in the wild
Microsoft released fixes for 183 security flaws spanning its products, including three vulnerabilities that have come under active exploitation in the wild. One affects every version ever shipped. (The Hacker News)
Officials crack down on Southeast Asia cybercrime networks, seize $15B
The cryptocurrency seizure and sanctions targeting the Prince Group, associates and affiliated businesses mark the most extensive action taken against cybercrime operations in the region to date. (CyberScoop)
Extortion group leaks millions of records from Salesforce hacks
The leak occurred days after the group, an offshoot of the notorious Lapsus$, Scattered Spider, and ShinyHunters hackers, claimed the theft of data from 39 Salesforce customers, threatening to leak it unless the CRM provider pays a ransom. (SecurityWeek)
Can’t get enough Talos?
Humans of Talos: Laura Faria and empathy on the front lines
What does it take to lead through chaos and keep organizations safe in the digital age? Amy sits down with Laura Faria, Incident Commander at Cisco Talos Incident Response, to explore a career built on empathy, collaboration, and a passion for cybersecurity.
Beers with Talos: Two Marshalls, one podcast
Talos’ Vice President Christopher Marshall (the “real Marshall,” much to Joe’s displeasure) joins Hazel, Bill, and Joe for a very real conversation about leading people when the world won’t stop moving.
Upcoming events where you can find Talos
- DEEP Conference (Oct. 22 – 23) Petrčane, Croatia
- NTNU MALWAREFORUM (Oct. 28 – 29) Oslo, Norway
- Bsides Osijek (Nov. 5) Osijek, Croatia
- AVAR (Dec. 3 – 5) Kuala Lumpur, Malaysia
Most prevalent malware files from Talos telemetry over the past week
SHA256: d933ec4aaf7cfe2f459d64ea4af346e69177e150df1cd23aad1904f5fd41f44a
MD5: 1f7e01a3355b52cbc92c908a61abf643
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=d933ec4aaf7cfe2f459d64ea4af346e69177e150df1cd23aad1904f5fd41f44a
Example Filename: cleanup.bat
Detection Name: W32.D933EC4AAF-90.SBX.TG
SHA256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507
MD5: 2915b3f8b703eb744fc54c81f4a9c67f
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507
Example Filename: e74d9994a37b2b4c693a76a580c3e8fe_1_Exe.exe
Detection Name: Win.Worm.Coinminer::1201
SHA256: 96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974
MD5: aac3165ece2959f39ff98334618d10d9
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974
Example Filename: 96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974.exe
Detection Name: W32.Injector:Gen.21ie.1201
SHA256: 41f14d86bcaf8e949160ee2731802523e0c76fea87adf00ee7fe9567c3cec610
MD5: 85bbddc502f7b10871621fd460243fbc
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=41f14d86bcaf8e949160ee2731802523e0c76fea87adf00ee7fe9567c3cec610
Example Filename:85bbddc502f7b10871621fd460243fbc.exe
Detection Name: W32.41F14D86BC-100.SBX.TG
SHA256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91
MD5: 7bdbd180c081fa63ca94f9c22c457376
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91
Example Filename: e74d9994a37b2b4c693a76a580c3e8fe_3_Exe.exe
Detection Name: Win.Dropper.Miner::95.sbx.tg
