{“lastseen”:”2025-09-04T20:05:17″,”description”:”\\n\\nWelcome to this week’s edition of the Threat Source newsletter.\\n\\n _This is the way the world ends_ \\n _This is the way the world ends_ \\n _This is the way the world ends_ \\n _Not with a bang but a whimper. _- T.S. Eliot\\n\\nSo this is how Summer Camp 2025 ends, not with a bang but a whimper. We’ve put the summer behind us and are moving on to the next phase of the year, where we all put our noses down and grind from here to the holiday season. Happy Grind Season 2025.\\n\\nAs you know, threat research never takes a day off, but I’m going to step in and remind you all to look at your calendars. Decide, here and now, to take some time before that holiday season so that you can take care of your mental health, because mental health _is_ health.\\n\\nThis is doubly important if you lead a team of people. Take a minute and make sure that they are going to do the same. Ensure your entire team is taking care of themselves. In the end, you will all be better for it.\\n\\nSince we are on the subject of mental health, I don’t know if anyone else has read this paper _(Psychopathia Machinalis: A Nosological Framework for Understanding Pathologies in Advanced Artificial Intelligence)_, but I found it truly fascinating. It’s one of the things we, as security practitioners, need to be cognizant of as we go forward with our AI tooling and efforts to protect against AI threats.\\n\\n _\\” As artificial intelligence (AI) systems attain greater autonomy and complex environmental interactions, they begin to exhibit behavioral anomalies that, by analogy, resemble psychopathologies observed in humans.\\” _\\n\\nThe behavior of an evolving AI, and the psychosis it could present, is a touch-point to the long-standing problematic internal employee. This creates an interesting dynamic for defense and strategies within the evolving internal landscape. \\n\\nI think understanding this presented framework can go a long way in identifying the types of behaviors that lead to malicious activity — not unlike understanding employee behavior. Stay ahead of the curve and prepare for not only a hallucinated package from an internal AI tool but perhaps a revelation that leads to new and interesting malicious behaviors.\\n\\n## The one big thing\\n\\nIn the latest episode of _The Talos Threat Perspective,_ we explore three vulnerabilities that Talos researchers uncovered (and helped to fix) this year which highlight how attackers are pushing past the boundaries defenders rely on. One lived in the security chip within Dell laptops’ firmware, another in Microsoft Office for macOS permissions and the third in small office\/home routers.\\n\\n### Why do I care?\\n\\nThese aren’t just isolated issues. The Dell vulnerability showed that even a clean Windows reinstall isn’t always enough to kick out an attacker. The Office for macOS issue demonstrated how adversaries can \\”borrow\\” sensitive permissions like microphone access from trusted apps. And compromised routers allowed attackers to blend in with legitimate ISP traffic, making malicious connections hard to spot. Each case reveals current attacker creativity levels.\\n\\n### So now what?\\n\\nTake a closer look at the research:\\n\\n * Watch the full Talos Threat Perspective episode here: _TTP Ep14: Persistence, Privilege \\u0026 Camouflage_\\n * Read Philippe’s blog on the Dell firmware vulnerabilities: _Revault: When your SOC turns against you_\\n\\n\\n\\n## Top security headlines of the week\\n\\n**TransUnion says hackers stole 4.4 million customers ‘ personal information** \\nTransUnion is one of the largest credit reporting agencies in the United States, and stores the financial data of more than 260 million Americans. They confirmed that the stolen PII includes customers’ names, dates of birth, and Social Security numbers. (_TechCrunch_)\\n\\n**Google warns that mass data theft hitting Salesloft AI agent has grown bigger** \\nGoogle is advising users of the Salesloft Drift AI chat agent to consider all security tokens connected to the platform compromised following the discovery that unknown attackers used some of the credentials to access email from Google Workspace accounts. (_Ars Technica_)\\n\\n**High-severity vulnerability in Passwordstate credential manager** \\nPasswordstate is urging companies to promptly install an update fixing a high-severity vulnerability that hackers can exploit to gain administrative access to their vaults. (_Ars Technica_)\\n\\n**JSON config file leaks Azure ActiveDirectory credentials** \\nA publicly accessible configuration file for ASP.NET Core applications has been leaking credentials for Azure ActiveDirectory (AD), potentially allowing cyberattackers to authenticate directly via Microsoft’s OAuth 2.0 endpoints and infiltrate Azure cloud environments. (_Dark Reading_)\\n\\n**WhatsApp zero-day exploited in attacks targeting Apple users** \\nTracked as CVE-2025-55177 (CVSS score of 5.4), an attacker could have exploited the issue to trigger the processing of content from arbitrary URLs, on the victims’ devices, WhatsApp’s advisory reads. (_SecurityWeek_)\\n\\n## Can’t get enough Talos?\\n\\n**_Cisco: 10 years protecting Black Hat_** \\nCisco works with other official providers to bring the hardware, software and engineers to build and secure the Black Hat USA network: Arista, Corelight, Lumen, and Palo Alto Networks.\\n\\n**_Tales from the Black Hat NOC_** \\nHow do you build and defend a network where attacks are not just expected, but a part of the curriculum? Hazel sits down with Jessica Oppenheimer to learn more.\\n\\n**_Static Tundra exposed_** \\nA Russian state-sponsored group, Static Tundra, is exploiting an old Cisco IOS vulnerability to compromise unpatched network devices worldwide.\\n\\n## Upcoming events where you can find Talos\\n\\n * _BlueTeamCon_ (Sept. 4 – 7) Chicago, IL\\n * _LABScon_ (Sept. 17 – 20) Scottsdale, AZ\\n * _VB2025_ (Sept. 24 – 26) Berlin, Germany\\n\\n\\n\\n## Most prevalent malware files from Talos telemetry over the past week\\n\\n**SHA 256: 41f14d86bcaf8e949160ee2731802523e0c76fea87adf00ee7fe9567c3cec610** \\nMD5: 85bbddc502f7b10871621fd460243fbc \\nVirusTotal: _https:\/\/www.virustotal.com\/gui\/file\/41f14d86bcaf8e949160ee2731802523e0c76fea87adf00ee7fe9567c3cec610\/details_ \\nTypical Filename: N\/A \\nClaimed Product: Self-extracting archive \\nDetection Name: Win.Worm.Bitmin-9847045-0\\n\\n**SHA 256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507 ** \\nMD5: 2915b3f8b703eb744fc54c81f4a9c67f \\nVirusTotal: _https:\/\/www.virustotal.com\/gui\/file\/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507_ \\nTypical Filename: VID001.exe \\nClaimed Product: N\/A \\nDetection Name: Win.Worm.Coinminer::1201\\n\\n**SHA 256: c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0 ** \\nMD5: 8c69830a50fb85d8a794fa46643493b2 \\nVirusTotal: _https:\/\/www.virustotal.com\/gui\/file\/c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0_ \\nTypical Filename: AAct.exe \\nClaimed Product: N\/A \\nDetection Name: PUA.Win.Dropper.Generic::1201\\n\\n**SHA 256: 186aa2c281ca7bb699ce0b48240b7559a9ac5b0ba260fb78b81ec53249548f62** \\nMD5: bfc168a01a2b0f3cd11bf4bccd5e84a1 \\nVirusTotal: _https:\/\/www.virustotal.com\/gui\/file\/186aa2c281ca7bb699ce0b48240b7559a9ac5b0ba260fb78b81ec53249548f62_ \\nTypical Filename: PDFSkills_Updater.exe \\nClaimed Product: PDF Skills \\nDetection Name: Win64.Application.Agent.W2MG0A\\n\\n**SHA 256: 83748e8d6f6765881f81c36efacad93c20f3296be3ff4a56f48c6aa2dcd3ac08 ** \\nMD5: 906282640ae3088481d19561c55025e4 \\nVirusTotal: _https:\/\/www.virustotal.com\/gui\/file\/83748e8d6f6765881f81c36efacad93c20f3296be3ff4a56f48c6aa2dcd3ac08_ \\nTypical Filename: AAct_x64.exe \\nClaimed Product: N\/A \\nDetection Name: PUA.Win.Tool.Winactivator::1201″,”published”:”2025-09-04T18:02:14″,”modified”:”2025-09-04T18:02:14″,”type”:”talosblog”,”title”:”From summer camp to grind season”,”source”:””,”references”:””,”id”:”TALOSBLOG:D85FCF4D4234BBAC65EF69B85239284C”,”bulletinFamily”:”blog”,”cwe”:null,”cvelist”:[“CVE-2025-55177″],”sourceData”:””,”sourceHref”:””,”cvss”:{“score”:5.4,”severity”:”MEDIUM”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:L\/UI:N\/S:U\/C:L\/I:L\/A:N”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/blog.talosintelligence.com\/from-summer-camp-to-grind-season\/”,”category_name”:”News”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2025-09-04T20:05:17″,”description”:”\\n\\nWelcome to this week’s edition of the Threat Source newsletter.\\n\\n _This is the way the world ends_ \\n _This is…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[6,8,82,12,21,13,7,69,11,5],"class_list":["post-15872","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-cve","tag-cvss","tag-cvss-54","tag-exploit","tag-medium","tag-news","tag-security","tag-talosblog","tag-tapic","tag-vulnerability"],"yoast_head":"\n