< ciso
brief />
Tag Banner

All news with #talos tag

59 articles

Cisco Talos intelligence integrations overview

🎯 Cisco Talos Intelligence Integrations apply continuous, up-to-date threat intelligence across Cisco security and enterprise products to help identify and block malicious activity. The integrations aim to reduce uncertainty for defenders facing advanced, adaptive threats such as AI-assisted attacks and polymorphic malware. A short video introduces Talos team members and demonstrates how reputation and detection feeds inform security decisions. A more detailed technical overview is available on the Cisco Security site.
read more →

Talos: Multiple Vulnerabilities in WolfSSL, GeoVision, VTK

🔒 Cisco Talos disclosed multiple vulnerabilities across WolfSSL, GeoVision, and VTK-DICOM, all of which have been patched by vendors in line with Cisco’s disclosure policy. The findings include three WolfSSL issues (two improper input validation and one integer underflow), 14 GeoVision advisories spanning 37 CVEs, and one heap-based buffer overflow in VTK-DICOM. Snort rules to detect exploit attempts are available from Snort.org. Discoveries were made by Ankur Tyagi, Philippe Laulheret, and Emmanuel Tacheau of Cisco Talos.
read more →

Winning 54% of the Time: SOC Decisions and Threats

🎾 This week’s Threat Source reflects on decision-making in cybersecurity through a tennis analogy, arguing defenders need context and resilience rather than perfection. Cisco Talos details the China-nexus actor UAT-7810 expanding ORB networks by exploiting Ruckus and ASUS router vulnerabilities and deploying new backdoors like LONGLEASH and DOGLEASH. Additional briefs cover an AI-assisted ransomware incident, AirDrop/Quick Share flaws, a Tenda firmware backdoor, Estonia’s AI agent IDs, and new phishing and coinminer detections.
read more →

ARToken PhaaS reveals EvilTokens Microsoft 365 toolkit

🛡️ Cisco Talos uncovered a React-based ARToken management panel exposing 80+ API endpoints and client-side code that reveals expanded phishing capabilities. The platform, tied to the EvilTokens ecosystem, automates Microsoft 365 account compromise by stealing authentication tokens, obtaining persistent Primary Refresh Tokens (PRTs), and accessing Outlook, SharePoint, and OneDrive. ARToken deploys Cloudflare Workers, supports multi-tenant affiliate operations, and includes tools for BEC automation and mailbox monitoring.
read more →

Board Games Sharpen Cybersecurity Intuition

🎲 The Threat Source newsletter draws a connection between learning board games and developing cybersecurity skills, arguing that games sharpen pattern recognition, intuition, and adaptive thinking. The piece highlights how diverse games—from Ticket to Ride to Go—teach strategy, breaking habits, and embracing failure as a learning tool. It also summarizes Talos research on the ARToken phishing-as-a-service panel and recent threat trends affecting Microsoft 365, AI agents, and RMM vulnerabilities.
read more →

Martin Lee on Threat Research and Career Transition

🧭 In this Humans of Talos feature, Martin Lee, EMEA Lead at Talos, discusses his journey from studying human viruses to leading cybersecurity efforts. He explains how early exposure to the internet prompted a career shift from academia to threat research and how his role now focuses on externalizing the evolving threat landscape to partners and customers. Martin also highlights using a sociological lens to assess organizational resilience and offers career advice about visibility, curiosity, and diverse experiences.
read more →

Human behavior shapes cybersecurity outcomes

🛰️ Cisco Talos' Threat Source newsletter reflects on how human behavior, context, and competing priorities often override rational security decisions. The piece links a Spielberg film theme to cybersecurity, noting that knowledge alone doesn't ensure action — organizations struggle with budgets, workloads, and urgency. Talos highlights practical controls like segmentation, backups, and MFA, and showcases a new reverse-engineering method that pairs local AI agents with tools like vbdec to accelerate analysis while protecting sensitive binaries.
read more →

AI-Driven Vulnerabilities and Security Fundamentals

🔍 Talos contrasts personal tech nostalgia with a sharp warning: AI-driven vulnerability discovery now outpaces human patching. The blog highlights how frontier models can autonomously find and exploit zero-days in minutes, collapsing the traditional vulnerability lifecycle. It urges organizations to move beyond patch-centric defenses and adopt a three-stage fallback model emphasizing prevention, detection, and resilience through controls like MFA, CIS benchmarks, segmentation, and behavioral EDR/XDR.
read more →

Cisco Live report: AI, networking, and wellbeing

🐶 At Cisco Live U.S. in Las Vegas, the author describes the conference pace, the value of quiet spaces and noise-canceling gear, and the welcome presence of therapy dogs sponsored by Splunk. Discussions at the event centered on AI from an infrastructure and security lens, including the daunting scale of data and associated defense challenges. Cisco Talos highlights expansion of its Threat Hunting program using AI-driven telemetry plus expert validation to find advanced intrusions like a recent KongTuke C2 discovery.
read more →

Balancing Cyber Product Leadership and Endurance

🔥 Tony Giandomenico of Cisco Talos discusses how endurance from Ironman training informs his approach to leading major cybersecurity product launches. He highlights rapid advances in frontier AI models, the evolving threat landscape, and the need to apply similar AI-driven speed to defensive tools. Tony explains Cisco Talos Threat Hunting, its focus on endpoint telemetry and expansion into firewalls and identity, and stresses communication, influence, and purpose as keys to sustaining focus across long careers.
read more →

Hypothesis-Driven Threat Hunting at Cisco Talos

🔍 Cisco Talos Threat Hunting adopts a hypothesis-first approach: rather than waiting for alert thresholds, analysts formulate theories about adversary behavior and search telemetry to validate them. Using AI for scale and human expertise for context, continuous hunts run across global telemetry to surface candidates that automated detection misses. Confirmed findings are reported with remediation guidance and feed back into detection tuning and product improvements.
read more →

Four MediaInfoLib Heap Buffer Overflows Patched

🛡️ Cisco Talos disclosed four heap-based buffer overflow vulnerabilities in the MediaArea MediaInfoLib (v26.01) library, all of which can lead to arbitrary code execution when processing a malicious media file. The issues were found by Dimitrios Tatsis of Talos and have been patched by the vendor per Cisco’s third-party disclosure policy. Users can obtain Snort rules to detect exploitation and consult Talos for vulnerability advisories. Administrators should update MediaInfoLib to the vendor-released fixed versions promptly.
read more →

EvidenceForge: Realistic Synthetic Security Logs

🔍 EvidenceForge is an open-source project from Cisco Talos that generates correlated, multi-source synthetic security logs using a single canonical event model, causal ordering, and realistic background noise. It outputs synchronized telemetry across 20+ log formats (Windows, Linux, network, and EDR) from a version-controllable YAML scenario file and includes AI-assisted scenario authoring. The tool emphasizes deterministic generation, sensor-aware visibility, and built-in validation to produce datasets suitable for training, testing, and exercises.
read more →

The Art of Being Ungovernable: Career and Threats

📝 This edition of the Threat Source newsletter blends career reflection with active threat intelligence. The author argues that being ungovernable — intellectually curious and challenging — can accelerate growth when paired with the right peers. Cisco Talos also documents a Chinese-language BadIIS MaaS campaign, highlighting indicators like embedded demo.pdb strings and recommending IIS monitoring and updated endpoint detections.
read more →

Talos Discloses TP-Link, Photoshop, OpenVPN, Norton Flaws

🔒 Cisco Talos disclosed multiple vulnerabilities affecting TP‑Link, Adobe Photoshop, OpenVPN, and Norton VPN. Most issues were patched by vendors under Cisco’s third‑party disclosure policy; the Norton installer flaw was observed in use before a patch was available. The TP‑Link Archer AX53 firmware contains eight issues including buffer overflow and several command injection and config‑control flaws that allow code execution or arbitrary file access. Talos recommends applying vendor updates and using updated Snort rules to detect exploitation.
read more →

Tracking demo.pdb BadIIS: Commodity IIS Malware Toolset

🔍 Since 2024, Talos has tracked a BadIIS variant identified by consistent "demo.pdb" PDB paths across the Asia‑Pacific region and isolated cases elsewhere. The PDB path patterns—including Chinese folder names, Administrator\Desktop build artifacts, and date‑based versioning—provide a reliable fingerprint for clustering and attribution. Talos recovered a 2022 builder that produces configured 32/64‑bit payloads, uses a unique 'lwxat' C2 authentication check and XOR 0x3 obfuscation, and supports modular SEO‑fraud and proxy features. Evidence shows active development from Sept. 2021 through Jan. 2026.
read more →

Ongoing Exploitation of Cisco Catalyst SD-WAN Systems

🔔 Talos reports active, in-the-wild exploitation of multiple Cisco Catalyst SD‑WAN vulnerabilities, including CVE-2026-20182 and a chained set (CVE-2026-20133, CVE-2026-20128, CVE-2026-20122) that enable unauthorized access, persistent webshell deployment, and privilege escalation. The threat cluster UAT-8616 and other adversaries have deployed JSP webshells such as XenShell, Godzilla, and Behinder and have installed miners, C2 implants, and reconnaissance and tunneling tools post-compromise. Customers should urgently apply Cisco updates, follow Talos detection guidance and Snort/ClamAV signatures, and engage TAC for incident support and remediation.
read more →

Breaking Things to Keep Them Safe: Philippe Laulheret

🔍 In this Humans of Talos interview, Senior Vulnerability Researcher Philippe Laulheret explains how his lifelong curiosity and Capture The Flag experience led him from French engineering school to a career in ethical hacking. He describes selecting research targets, reverse engineering techniques, and memorable tests—like bypassing a fingerprint reader with a green onion—to find flaws before adversaries exploit them. Philippe also contrasts the methodical reality of research with movie portrayals and outlines his path through industry roles to Talos.
read more →

CloudZ RAT and Pheno Plugin Abuse Microsoft Phone Link

🔐 Cisco Talos has observed the CloudZ RAT paired with a previously undocumented plugin, Pheno, harvesting SMS messages and one-time passwords by abusing Microsoft's Phone Link functionality. Pheno scans for Phone Link processes and confirms active paired sessions before extracting synced SMS content from local SQLite files, allowing attackers to capture OTPs without touching the victim's mobile device. Observed since January 2026, the campaign uses a Rust loader, a .NET payload deployed via regasm.exe, and multiple anti-analysis techniques; Talos published IoCs and ClamAV signatures to aid detection.
read more →

UAT-8302: China-Nexus APT Targeting Government Networks

🔒 Cisco Talos discloses UAT-8302, a China-nexus APT targeting government entities in South America and southeastern Europe since late 2024 into 2025. Post-compromise activity includes reconnaissance, credential theft, and lateral movement using tools like Impacket, plus deployment of multiple custom backdoors such as NetDraft, CloudSorcerer v3, and VSHELL with stagers SNOWLIGHT and SNOWRUST. Talos links these artifacts to other China-nexus clusters and publishes IOCs, ClamAV signatures, and Snort rules to assist defenders.
read more →