Talos Blog, Oct 19, 2023 - 6:00 p.m.

More helpful resources for users of all skill levels to help you Take a Security Action

Jonathan Munshaw
Tags: cybersecurity awareness month, cisco vulnerability, threat actors, data breach, cybersecurity tips, android phone security, open source software, privacy survey


Welcome to this week's edition of the Threat Source newsletter.

I continue to be saddened by all the conflict in Israel and Gaza that's still ongoing. I'll be back with a "normal" newsletter next week, as unfortunately, there doesn't seem to be a peaceful solution coming any time soon.

In the meantime, I just wanted to use this space again to provide a roundup of the best resources I found this week for Cybersecurity Awareness Month. Taking a "Security Action" of any kind – whether it be simply enabling multi-factor authentication for your online banking login or marking that weird email as spam – can go a long way toward helping you and any organizations you're a part of be more security resilient.

The one big thing

Cisco has identified active exploitation of a previously unknown, zero-day vulnerability in the Web User Interface (Web UI) feature of Cisco IOS XE software (CVE-2023-20198) when exposed to the internet or untrusted networks. This affects physical and virtual devices running Cisco IOS XE software that also have the HTTP or HTTPS Server feature enabled. Successful exploitation of this vulnerability allows an attacker to create an account on the affected device with privilege level 15 access, effectively granting them full control of the compromised device and allowing possible subsequent unauthorized activity.

Why do I care?

Security researchers have already confirmed that threat actors have installed implants on targeted devices by exploiting this vulnerability. Up to 10,000 devices could already be affected, according to some estimates. In a worst-case scenario, the attacker could execute arbitrary code on the targeted devices.

So now what?

Cisco recommends in its security advisory disabling the HTTP server feature on internet-facing systems. This is consistent not only with best practices but also with guidance the U.S. government has provided in the past on mitigating risk from internet-exposed management interfaces. As this is a critical vulnerability, Talos strongly recommends affected entities immediately implement the steps outlined in Cisco's PSIRT advisory. As soon as a patch is available, Talos and Cisco will inform users, who should then patch as soon as possible.
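As an added example (not part of the original newsletter or Cisco's advisory), the script below audits a saved `show running-config` excerpt for the two conditions the advisory cares about: whether the Web UI's HTTP/HTTPS server is enabled, and which local accounts hold privilege level 15 so unexpected ones can be reviewed. The config text, hostname and usernames are constructed for illustration; the `ip http server`, `ip http secure-server`, `ip http access-class` and `username ... privilege ...` syntax is standard IOS XE.

```python
import re

# Constructed sample running-config excerpt (not from any real device).
SAMPLE_CONFIG = """\
hostname edge-rtr-1
!
username admin privilege 15 secret 9 $9$PLACEHOLDERHASH
username netops privilege 1 secret 9 $9$PLACEHOLDERHASH
username svc_unknown privilege 15 secret 9 $9$PLACEHOLDERHASH
!
ip http server
ip http secure-server
!
"""

# A leading "no " means the feature is explicitly disabled in the config.
HTTP_RE = re.compile(r"^(no )?ip http (secure-)?server[ \t]*$", re.M)
ACL_RE = re.compile(r"^ip http access-class\b", re.M)
USER_RE = re.compile(r"^username (\S+) privilege (\d+)\b", re.M)


def audit_webui(config: str) -> dict:
    """Summarise Web UI exposure and privilege-15 local accounts."""
    findings = {"http": False, "https": False, "access_class": False, "priv15_users": []}
    for m in HTTP_RE.finditer(config):
        enabled = m.group(1) is None
        key = "https" if m.group(2) else "http"
        findings[key] = enabled
    findings["access_class"] = bool(ACL_RE.search(config))
    findings["priv15_users"] = [u for u, p in USER_RE.findall(config) if int(p) == 15]
    return findings


def unexpected_priv15(findings: dict, expected_admins: set) -> list:
    """Privilege-15 accounts that are not on the known-admin allowlist."""
    return [u for u in findings["priv15_users"] if u not in expected_admins]


def remediation_commands(findings: dict) -> list:
    """Config lines that apply the advisory's mitigation for whatever is enabled."""
    cmds = []
    if findings["http"]:
        cmds.append("no ip http server")
    if findings["https"]:
        cmds.append("no ip http secure-server")
    return cmds


if __name__ == "__main__":
    f = audit_webui(SAMPLE_CONFIG)
    print(f, unexpected_priv15(f, {"admin"}), remediation_commands(f))
```

Run it against a config exported from a device; any account listed by `unexpected_priv15` warrants investigation rather than silent deletion, since the advisory ties account creation to active exploitation.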

Top security headlines of the week

Government officials are starting to disclose the true breadth of Russia's cyber attacks at the outset of its invasion of Ukraine. The head of the cyber division of Ukraine's intelligence service said in a recent interview with Recorded Future that Ukraine worked with the U.S. to disrupt multiple attempts at disrupting Ukraine's critical infrastructure in February 2022, right as Russia was launching a ground invasion of Ukraine. Sandra Joyce, the executive vice president of global intelligence at Mandiant, also said in a separate interview this week that protecting Ukraine in the initial weeks and months of the invasion was like "hand-to-hand combat." Joyce also said that her company saw more wiper malware deployed against Ukraine in the first few weeks of the invasion than it had all of the past eight years it had partnered with Ukraine. Another top Ukrainian cybersecurity official called these attacks from Russia "nothing but a war crime." (The Record, Yahoo! News)

Internet giant Amazon is slowly rolling out passkeys as a login method for its users. Amazon quietly added the feature under users' account management portal to opt into setting up a passkey. This means users can log in using biometric authentication on their device, such as their fingerprint or face scan. This conceivably makes it more difficult for bad actors to access their accounts without the owner's knowledge, as they'd need physical access to their device. However, this login option still does not work on Amazon's native apps, like Prime Video or Amazon shopping, on mobile devices. And the passkey login still requires a multi-factor authentication code to be entered, which would conceivably be redundant with a passkey. A spokesperson for Amazon told news outlet TechCrunch that the company is "in the early stages of adding Passkey support for to give customers another secure way to access their accounts. We will have more to share soon." (TechCrunch, Dark Reading)

Threat actors in Vietnam attempted to infiltrate U.S. government officials' devices with spyware earlier this year, according to a new report, as well as devices belonging to a high-profile CNN anchor. The spyware was embedded in links placed in messages on the social media platform formerly known as Twitter. While the attempts appear to have been unsuccessful, they do highlight the continued threat that spyware poses, specifically the Predator software, which Talos has written about previously. An Italian cybersecurity research group also recently found that bad actors were trying to spread spyware through fake national alerts in Italy. The actors set up a fake site posing as Italy's recently released IT Alert program for natural disasters, urging users to download an app to receive critical alerts. (Washington Post, Cyber Security Hub)

Can't get enough Talos?

Upcoming events where you can find Talos

**ATT&CKcon 4.0** (Oct. 24 - 25)

McLean, Virginia

> Nicole Hoffman and James Nutland discuss the MITRE ATT&CK framework in "One Leg to Stand on: Adventures in Adversary Tracking with ATT&CK." Even though ATT&CK has become an industry standard for cyber threat intelligence reporting, all too often techniques are thrown at the bottoms of reports and blogs without any context, never to be seen again after dissemination. This is not useful for intelligence producers or consumers. In this presentation, Nicole and James will show analysts how to use ATT&CK as a guideline for creating a contextual knowledge base for adversary tracking.

**misecCON** (Nov. 17)

Lansing, Michigan

> Terryn Valikodath from Talos Incident Response will deliver a talk providing advice on the best ways to conduct analysis, learning from his years of experience (and mishaps). He will speak about the everyday tasks he and his Talos IR teammates must go through to properly perform analysis. This talk covers topics such as planning, finding evil, recording findings, correlation and creating your own timelines.

Most prevalent malware files from Talos telemetry over the past week

**SHA 256:** 744c5a6489370567fd8290f5ece7f2bff018f10d04ccf5b37b070e8ab99b3241 **MD5:** a5e26a50bf48f2426b15b38e5894b189 **Typical Filename:** a5e26a50bf48f2426b15b38e5894b189.vir **Claimed Product:** N/A **Detection Name:** Win.Dropper.Generic::1201

**SHA 256:** 85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5 **MD5:** 8c80dd97c37525927c1e549cb59bcbf3 **Typical Filename:** Eternalblue-2.2.0.exe **Claimed Product:** N/A **Detection Name:**

**SHA 256:** 4c3c7be970a08dd59e87de24590b938045f14e693a43a83b81ce8531127eb440 **MD5:** ef6ff172bf3e480f1d633a6c53f7a35e **Typical Filename:** iizbpyilb.bat **Claimed Product:** N/A **Detection Name:** Trojan.Agent.DDOH

**SHA 256:** 975517668a3fe020f1dbb1caafde7180fd9216dcbf0ea147675ec287287f86aa **MD5:** 9403425a34e0c78a919681a09e5c16da **Typical Filename:** vincpsarzh.exe **Claimed Product:** N/A **Detection Name:** Win.Dropper.Scar::tpd

**SHA 256:** 2ebfc0b6ae3e80ca4e5a3ebfa4d9d7e99818be183d57ce6fbb9705104639bf95 **MD5:** 2371212b783f959809647de4f476928b **Typical Filename:** wzncntdmgkm.bat **Claimed Product:** N/A **Detection Name:** Win.Dropper.Scar::tpd