
All news with #talos tag

48 articles

Four MediaInfoLib Heap Buffer Overflows Patched

🛡️ Cisco Talos disclosed four heap-based buffer overflow vulnerabilities in the MediaArea MediaInfoLib (v26.01) library, all of which can lead to arbitrary code execution when processing a malicious media file. The issues were found by Dimitrios Tatsis of Talos and have been patched by the vendor per Cisco’s third-party disclosure policy. Users can obtain Snort rules to detect exploitation and consult Talos for vulnerability advisories. Administrators should update MediaInfoLib to the vendor-released fixed versions promptly.

EvidenceForge: Realistic Synthetic Security Logs

🔍 EvidenceForge is an open-source project from Cisco Talos that generates correlated, multi-source synthetic security logs using a single canonical event model, causal ordering, and realistic background noise. It outputs synchronized telemetry across 20+ log formats (Windows, Linux, network, and EDR) from a version-controllable YAML scenario file and includes AI-assisted scenario authoring. The tool emphasizes deterministic generation, sensor-aware visibility, and built-in validation to produce datasets suitable for training, testing, and exercises.

The Art of Being Ungovernable: Career and Threats

📝 This edition of the Threat Source newsletter blends career reflection with active threat intelligence. The author argues that being ungovernable — intellectually curious and challenging — can accelerate growth when paired with the right peers. Cisco Talos also documents a Chinese-language BadIIS MaaS campaign, highlighting indicators like embedded demo.pdb strings and recommending IIS monitoring and updated endpoint detections.

Talos Discloses TP-Link, Photoshop, OpenVPN, Norton Flaws

🔒 Cisco Talos disclosed multiple vulnerabilities affecting TP‑Link, Adobe Photoshop, OpenVPN, and Norton VPN. Most issues were patched by vendors under Cisco’s third‑party disclosure policy; the Norton installer flaw was observed in use before a patch was available. The TP‑Link Archer AX53 firmware contains eight issues including buffer overflow and several command injection and config‑control flaws that allow code execution or arbitrary file access. Talos recommends applying vendor updates and using updated Snort rules to detect exploitation.

Tracking demo.pdb BadIIS: Commodity IIS Malware Toolset

🔍 Since 2024, Talos has tracked a BadIIS variant identified by consistent "demo.pdb" PDB paths across the Asia‑Pacific region and isolated cases elsewhere. The PDB path patterns—including Chinese folder names, Administrator\Desktop build artifacts, and date‑based versioning—provide a reliable fingerprint for clustering and attribution. Talos recovered a 2022 builder that produces configured 32/64‑bit payloads, uses a unique 'lwxat' C2 authentication check and XOR 0x3 obfuscation, and supports modular SEO‑fraud and proxy features. Evidence shows active development from Sept. 2021 through Jan. 2026.

Ongoing Exploitation of Cisco Catalyst SD-WAN Systems

🔔 Talos reports active, in-the-wild exploitation of multiple Cisco Catalyst SD‑WAN vulnerabilities, including CVE-2026-20182 and a chained set (CVE-2026-20133, CVE-2026-20128, CVE-2026-20122) that enable unauthorized access, persistent webshell deployment, and privilege escalation. The threat cluster UAT-8616 and other adversaries have deployed JSP webshells such as XenShell, Godzilla, and Behinder and have installed miners, C2 implants, and reconnaissance and tunneling tools post-compromise. Customers should urgently apply Cisco updates, follow Talos detection guidance and Snort/ClamAV signatures, and engage TAC for incident support and remediation.

Breaking Things to Keep Them Safe: Philippe Laulheret

🔍 In this Humans of Talos interview, Senior Vulnerability Researcher Philippe Laulheret explains how his lifelong curiosity and Capture The Flag experience led him from French engineering school to a career in ethical hacking. He describes selecting research targets, reverse engineering techniques, and memorable tests—like bypassing a fingerprint reader with a green onion—to find flaws before adversaries exploit them. Philippe also contrasts the methodical reality of research with movie portrayals and outlines his path through industry roles to Talos.

CloudZ RAT and Pheno Plugin Abuse Microsoft Phone Link

🔐 Cisco Talos has observed the CloudZ RAT paired with a previously undocumented plugin, Pheno, harvesting SMS messages and one-time passwords by abusing Microsoft's Phone Link functionality. Pheno scans for Phone Link processes and confirms active paired sessions before extracting synced SMS content from local SQLite files, allowing attackers to capture OTPs without touching the victim's mobile device. Observed since January 2026, the campaign uses a Rust loader, a .NET payload deployed via regasm.exe, and multiple anti-analysis techniques; Talos published IoCs and ClamAV signatures to aid detection.

UAT-8302: China-Nexus APT Targeting Government Networks

🔒 Cisco Talos discloses UAT-8302, a China-nexus APT targeting government entities in South America and southeastern Europe since late 2024 into 2025. Post-compromise activity includes reconnaissance, credential theft, and lateral movement using tools like Impacket, plus deployment of multiple custom backdoors such as NetDraft, CloudSorcerer v3, and VSHELL with stagers SNOWLIGHT and SNOWRUST. Talos links these artifacts to other China-nexus clusters and publishes IOCs, ClamAV signatures, and Snort rules to assist defenders.

IR Trends Q1 2026: Phishing and public administration

🔒 Talos IR’s Q1 2026 analysis finds phishing reemerged as the top initial access vector, with public administration and health care tied as the most targeted sectors. Investigations documented abuse of AI-enabled services like Softr to build credential-harvesting pages and the first observed intrusion by Crimson Collective exploiting exposed developer secrets. Pre-ransomware activity rose but no encryptions occurred due to early mitigation. Talos emphasizes properly configured MFA, patching, and centralized logging.

Foxit Reader and LibRaw Vulnerabilities — Talos Advisory

🔒 Cisco Talos disclosed a use-after-free flaw in Foxit Reader (TALOS-2026-2365 / CVE-2026-3779) exploitable via malicious PDF JavaScript, and six vulnerabilities in LibRaw including heap-based buffer overflows and integer overflows across multiple CVEs. All issues were patched by vendors following Cisco’s disclosure policy. Administrators should apply vendor updates and deploy Snort rules from Talos to detect exploitation.

State-Sponsored Threats: Shared Access Paths, Varied Goals

🔍 Talos' 2025 Year in Review documents state-sponsored activity from China, Russia, North Korea, and Iran, each pursuing different goals such as espionage, disruption, and financial gain. Despite varied motives, adversaries consistently exploit both newly disclosed and long-known vulnerabilities, and rely on identity-based access and stealthy persistence. Notable examples include rapid exploitation and web shells from China, geopolitically timed campaigns and common malware families from Russia, North Korean social-engineering and a $1.5B crypto theft, and Iran's mix of visible disruption and stealthy APT activity such as ShroudedSnooper. Defenders are urged to prioritise patching, identity security, network visibility, and hunts for long-term presence.

UAT-10362 Deploys Lua-Based LucidRook Against Taiwan NGOs

🔍 Cisco Talos attributes a previously undocumented cluster, UAT-10362, to targeted spear‑phishing against Taiwanese NGOs and suspected universities, deploying a new Lua‑based stager named LucidRook. The actor uses RAR/7‑Zip lures and a dropper called LucidPawn, relying on repeated DLL side‑loading to execute payloads. LucidRook embeds a Lua 5.4.8 interpreter and Rust libraries to fetch and run encrypted Lua bytecode, while some variants use a reconnaissance DLL, LucidKnight, to profile targets before staging further activity.

Operationalizing Cisco Talos Year in Review Findings

🔍 The Cisco Talos Year in Review synthesizes vast telemetry and Talos IR casework into practical intelligence for defenders. Incident responders should use the report to build realistic tabletop scenarios, validate detections, and stress-test IR plans focusing on dominant TTPs such as valid account abuse, credential dumping, and MFA bypasses. Map findings to MITRE ATT&CK and prioritize vulnerabilities and detections accordingly. It also highlights evolving phishing themes and nascent AI-enabled threats that should shape training and threat-hunting priorities.

Talos Takes: 2025 Ransomware Trends and Vulnerabilities

🔒 Talos analysts Amy Ciminnisi and Pierre Cadieux review the ransomware and vulnerability patterns that shaped 2025. They emphasize persistent campaigns against the manufacturing sector, increased targeting of management infrastructure, and the rise of stealthy living-off-the-land techniques that evade traditional controls. The hosts explain how to spot the difference between a system administrator and a threat actor and outline steps organizations can take to move beyond reactive defenses toward a more resilient, proactive security posture.

Talos 2025 Review: Rapid Exploits and Legacy Risks

🔍 Talos' 2025 Year in Review highlights a marked shift in attacker behavior driven by both newly disclosed flaws and long-entrenched components. In the final weeks of 2025 React/React2Shell surged to the top of exploit activity, followed by legacy targets such as PHPUnit and Log4j. Agentic AI accelerated the creation and deployment of proofs-of-concept and exploit kits, dramatically reducing attacker time-to-exploit. Talos urges organizations to prioritize identity-adjacent systems and management planes for patching and mitigation.

Axios npm Supply Chain Compromise Deploys Malicious Builds

🔐 Cisco Talos is investigating a March 31, 2026 supply chain attack that briefly replaced the official Axios npm package with two malicious releases (v1.14.1 and v0.30.4). The tainted packages were available for about three hours, and Talos strongly advises rolling back to known safe versions (v1.14.0 or v0.30.3) and auditing any systems that installed them. The injected runtime dependency executes at post-install and fetches platform-specific RAT payloads for Linux, macOS, and Windows.

Talos: Critical Bugs Found in Canva, TP-Link, HikVision

🔒 Cisco Talos disclosed multiple vulnerabilities impacting Canva Affinity, TP-Link Archer AX53, and HikVision face recognition terminals. Researchers identified 19 EMF-related issues in Canva Affinity, including out-of-bounds reads and a type confusion that can lead to memory corruption and arbitrary code execution. TP-Link’s AX53 contains 10 vulnerabilities across tmpServer, tdpServer and SSH hostkey handling that range from buffer overflows to write-what-where flaws and credential exposure via MITM. A HikVision SADP XML parser stack-based buffer overflow can be triggered by a malicious network packet. All identified issues have been patched following coordinated disclosure; users should apply vendor updates and consider Snort rule coverage for detection.

Talos Year in Review: Identity, Vulnerabilities, and Trends

🔒 The Talos 2025 Year in Review synthesizes Cisco telemetry, incident response cases, and Talos research into a free, cross‑functional report highlighting identity-focused attacks, supply‑chain risks, and phishing trends. Key findings include React2Shell as the most targeted CVE, ToolShell ranking third, and Qilin as the dominant ransomware variant. The report warns that attackers increasingly compromise network infrastructure — especially ADCs and management platforms — to bypass MFA and escalate across environments, and recommends prioritizing patching and treating these devices as identity control points.

Reflections on Diversity, Threats, and Cyber Guidance

🔒 The author opens this week’s Threat Source newsletter with personal reflections on being raised by a single mother, connecting those experiences to the gender imbalance in STEM and cybersecurity. He cites sobering statistics — for example, women comprise 28.2% of the global STEM workforce and occupy only 16% of CISO roles — and highlights mentorship programs like WiCyS and CTFs. Talos also summarizes a March 10 update on cyber activity tied to the Middle East conflict and provides practical defensive advice for destructive malware, DDoS, and website defacement.