All news with #talos tag

🔒 Cisco Talos disclosed a use-after-free flaw in Foxit Reader (TALOS-2026-2365 / CVE-2026-3779) exploitable via malicious PDF JavaScript, and six vulnerabilities in LibRaw including heap-based buffer overflows and integer overflows across multiple CVEs. All issues were patched by vendors following Cisco’s disclosure policy. Administrators should apply vendor updates and deploy Snort rules from Talos to detect exploitation.

🔍 Talos' 2025 Year in Review documents state-sponsored activity from China, Russia, North Korea, and Iran, each pursuing different goals such as espionage, disruption, and financial gain. Despite varied motives, adversaries consistently exploit both newly disclosed and long-known vulnerabilities, and rely on identity-based access and stealthy persistence. Notable examples include rapid exploitation and web shells from China, geopolitically timed campaigns and common malware families from Russia, North Korean social-engineering and a $1.5B crypto theft, and Iran's mix of visible disruption and stealthy APT activity such as ShroudedSnooper. Defenders are urged to prioritise patching, identity security, network visibility, and hunts for long-term presence.

🔍 Cisco Talos attributes a previously undocumented cluster, UAT-10362, to targeted spear‑phishing against Taiwanese NGOs and suspected universities, deploying a new Lua‑based stager named LucidRook. The actor uses RAR/7‑Zip lures and a dropper called LucidPawn, relying on repeated DLL side‑loading to execute payloads. LucidRook embeds an Lua 5.4.8 interpreter and Rust libraries to fetch and run encrypted Lua bytecode, while some variants use a reconnaissance DLL, LucidKnight, to profile targets before staging further activity.

🔍 The Cisco Talos Year in Review synthesizes vast telemetry and Talos IR casework into practical intelligence for defenders. Incident responders should use the report to build realistic tabletop scenarios, validate detections, and stress-test IR plans focusing on dominant TTPs such as valid account abuse, credential dumping, and MFA bypasses. Map findings to MITRE ATT&CK and prioritize vulnerabilities and detections accordingly. It also highlights evolving phishing themes and nascent AI-enabled threats that should shape training and threat-hunting priorities.

🔒 Talos analysts Amy Ciminnisi and Pierre Cadieux review the ransomware and vulnerability patterns that shaped 2025. They emphasize persistent campaigns against the manufacturing sector, increased targeting of management infrastructure, and the rise of stealthy living-off-the-land techniques that evade traditional controls. The hosts explain how to spot the difference between a system administrator and a threat actor and outline steps organizations can take to move beyond reactive defenses toward a more resilient, proactive security posture.

🔍 Talos' 2025 Year in Review highlights a marked shift in attacker behavior driven by both newly disclosed flaws and long-entrenched components. In the final weeks of 2025 React/React2Shell surged to the top of exploit activity, followed by legacy targets such as PHPUnit and Log4j. Agentic AI accelerated the creation and deployment of proofs-of-concept and exploit kits, dramatically reducing attacker time-to-exploit. Talos urges organizations to prioritize identity-adjacent systems and management planes for patching and mitigation.

🔐 Cisco Talos is investigating a March 31, 2026 supply chain attack that briefly replaced the official Axios npm package with two malicious releases (v1.14.1 and v0.30.4). The tainted packages were available for about three hours, and Talos strongly advises rolling back to known safe versions (v1.14.0 or v0.30.3) and auditing any systems that installed them. The injected runtime dependency executes at post-install and fetches platform-specific RAT payloads for Linux, MacOS, and Windows.

🔒 Cisco Talos disclosed multiple vulnerabilities impacting Canva Affinity, TP-Link Archer AX53, and HikVision face recognition terminals. Researchers identified 19 EMF-related issues in Canva Affinity, including out-of-bounds reads and a type confusion that can lead to memory corruption and arbitrary code execution. TP-Link’s AX53 contains 10 vulnerabilities across tmpServer, tdpServer and SSH hostkey handling that range from buffer overflows to write-what-where flaws and credential exposure via MITM. A HikVision SADP XML parser stack-based buffer overflow can be triggered by a malicious network packet. All identified issues have been patched following coordinated disclosure; users should apply vendor updates and consider Snort rule coverage for detection.

🔒 The Talos 2025 Year in Review synthesizes Cisco telemetry, incident response cases, and Talos research into a free, cross‑functional report highlighting identity-focused attacks, supply‑chain risks, and phishing trends. Key findings include React2Shell as the most targeted CVE, ToolShell ranking third, and Qilin as the dominant ransomware variant. The report warns that attackers increasingly compromise network infrastructure — especially ADCs and management platforms — to bypass MFA and escalate across environments, and recommends prioritizing patching and treating these devices as identity control points.

🔒The author opens this week’s Threat Source newsletter with personal reflections on being raised by a single mother, connecting those experiences to the gender imbalance in STEM and cybersecurity. He cites sobering statistics — for example, women comprise 28.2% of the global STEM workforce and occupy only 16% of CISO roles — and highlights mentorship programs like WiCyS and CTFs. Talos also summarizes a March 10 update on cyber activity tied to the Middle East conflict and provides practical defensive advice for destructive malware, DDoS, and website defacement.

🔍 Cisco Talos is actively monitoring the evolving conflict in the Middle East for cyber-related activity and currently reports no significant, state-sponsored cyber impacts. Incidents observed to date are limited — primarily website defacements, small distributed-denial-of-service (DDoS) campaigns, and opportunistic phishing using conflict-themed lures. Talos assesses that Iranian-aligned groups historically operate in espionage, destructive attacks, and hack-and-leak operations, which remain plausible avenues. Organizations should prioritize MFA, timely patching, robust monitoring, and targeted third-party risk controls to reduce collateral exposure.

🚨 Cisco Talos reports an ongoing campaign by UAT-10027 using a new backdoor called Dohdoor since December 2025. Dohdoor leverages DNS-over-HTTPS (DoH) for stealthy command-and-control, downloads and executes payloads within legitimate Windows processes, and employs phishing, PowerShell abuse, and DLL sideloading. The campaign targets U.S. education and health care organizations with C2 infrastructure hidden behind reputable services.

🔒 Cisco Talos attributes a previously undocumented activity cluster, tracked as UAT-10027, to an ongoing campaign targeting U.S. education and healthcare since December 2025. The actor deploys a novel backdoor called Dohdoor that uses DNS-over-HTTPS (DoH) for stealthy C2 and reflectively loads additional payloads into memory. Initial access is suspected to begin with social-engineering and a PowerShell script that retrieves a staged batch and malicious DLLs (observed as propsys.dll and batmeter.dll), which are launched via DLL side‑loading of legitimate executables. Talos observed the adversary fronting C2 behind Cloudflare to make traffic appear as legitimate HTTPS and unhooking user-mode API hooks in NTDLL.dll to evade EDR; follow-on payloads have been assessed as Cobalt Strike beacons.

🔎 Ryan Liles describes his role connecting Cisco product teams with independent evaluators to ensure products are tested and validated beyond vendor claims. As part of Talos’ Vulnerability Research and Discovery group, he coordinates third-party testing labs and navigates sensitive conversations about methodology and deployment. Liles stresses calm, fact-focused dialogue and long-standing industry relationships to resolve issues and improve testing outcomes.

🛡️ Cisco Talos discovered DKnife, a modular AitM framework operating on Linux-based network gateways since at least 2019 and active into early 2026. Deployed at the edge rather than endpoints, it performs deep packet inspection, credential interception, and selective traffic manipulation. Operators use it to hijack software and app updates to deliver ShadowPad and DarkNimbus payloads, and to perform DNS and binary replacement attacks.

🛡️ Cisco Talos researchers describe DKnife as an ELF-based Linux toolkit used since 2019 to hijack router traffic and perform adversary-in-the-middle operations. The framework has seven modules — including yitiji.bin to create a bridged TAP interface and mmdown.bin to drop malicious APKs — enabling DPI, credential harvesting, and delivery of backdoors such as ShadowPad and DarkNimbus. Talos attributes the activity to a China-nexus actor and noted C2 servers remained active as of January 2026.

🔍 Cisco Talos researchers uncovered DKnife, a Linux-based gateway-monitoring and adversary-in-the-middle framework used since at least 2019 and active through January 2026. The toolkit targets routers and edge devices running CentOS/Red Hat Enterprise Linux, using seven ELF components to perform DPI, traffic interception, DNS hijacking and in-line substitution of Android and Windows downloads. Talos attributes the framework with high confidence to Chinese-nexus actors and notes overlaps with campaigns delivering WizardNet, DarkNimbus and ShadowPad.

🔒 Cisco Talos researchers disclosed DKnife, a modular Linux-based adversary-in-the-middle (AitM) framework used by China-linked actors since at least 2019. The toolkit deploys seven router-focused implants to perform deep packet inspection, TLS termination, DNS and update hijacking, credential harvesting, and malware delivery via intercepted APKs and binary replacement. Operators used DKnife to push ShadowPad and DarkNimbus variants and to target Chinese-language services and app updates through compromised routers and edge devices.

📰 Hazel Burton opens this Threat Source newsletter by acknowledging how difficult it can be to stay engaged with the news and suggests small, human respites—like the U.K. show Taskmaster—to remind readers creativity and levity persist under pressure. On the technical side, Cisco Talos Incident Response’s Q4 2025 report shows exploitation of public-facing applications remains the leading initial access vector (down from 62% to ~40%), while phishing and credential harvesting rose and ransomware incidents fell to 13% with Qilin still common. The newsletter urges rapid patching, correct MFA configuration and monitoring, and comprehensive logging to detect suspicious activity.

🔍 Cisco Talos stresses the simple but essential advice: know your environment, and pay attention to reconnaissance rather than dismissing it as noise. Researchers disclosed patched vulnerabilities in Foxit PDF Editor, Epic Games Store, and MedDream PACS, including privilege escalation, use‑after‑free, and XSS that could enable code execution or unauthorized access. The newsletter also covers active phishing and ransomware activity and provides telemetry on prevalent malware. Organizations should patch affected products, enhance detection for recon patterns, and apply layered defenses.