{“lastseen”:”2025-09-11T20:05:17″,”description”:”\\n\\nWelcome to this week’s edition of the Threat Source newsletter.\\n\\nI took a two-week vacation (thanks to Bill for covering my author shift last week) and made the deliberate choice to leave my laptop behind. No emails, IMs, no IT at all. Thank you, European work culture! It was a complete break.\\n\\nWell, almost.\\n\\nThe weather didn’t always cooperate, so instead of freezing on a beach, I found myself catching up on TV — mostly news and a few series. But wherever I clicked, I just couldn’t escape the daily dose of AI. What can we do about invasive mosquitos? Ask AI. Government doesn’t move the needle? Ask AI. Want the weather forecast? AI, obviously. There are countless ads with people asking AI whether or not to wear a jacket \\”because it might rain.\\” Even with your favorite TV shows, gone are the days when the hoodied hacker sits in front of a black terminal with green text running a dangerous (haha) ping or nmap. Now, they’re writing lines like, \\”Did you try breaking the firewall with our latest AI algorithm, bro?\\”\\n\\nComing back to work and catching up on our industry news, I almost expected AI to be dominating the headlines. But it wasn’t, and neither was ransomware. Instead, they were all about breaches. Many — but not all — reports referenced compromised OAuth tokens linked to Salesloft’s Drift integration, with a notable number of high-profile victims. Sure, this isn’t a scientific or qualitative analysis (ransomware isn’t disappearing anytime soon), but the reporting and the headlines have definitely shifted from one to the other.\\n\\nLooking past the buzzwords and catchphrases, the headlines really boiled down to two main themes: supply chain and identity attacks. In a SaaS world, I think it’s time to rethink their definitions and priority levels.\\n\\nWhy? First, supply chain attacks aren’t limited to hardware or _software_ anymore. We need to consider the datapath (or where data possibly is processed) as a key part of the supply chain.\\n\\nSecond, identity attacks don’t just target users; interconnected applications are increasingly at risk, too. I’m not saying we can ignore the users, especially with _current reporting_ that it started with access through a GitHub account or software vulnerabilities in our \\”classic\\” applications, but we absolutely need to broaden our focus. Last week’s headlines made that clear.\\n\\n## The one big thing\\n\\nCisco Talos’ _latest blog post_ details the Cyber Threat Intelligence Capability Maturity Model (CTI-CMM), a framework that helps organizations assess and enhance their cyber threat intelligence programs across 11 key domains. By outlining clear maturity levels and improvement cycles, CTI-CMM can help your team benchmark your current capabilities and develop a strategy for continuous (and practical) growth.\\n\\n### Why do I care?\\n\\nUnderstanding and improving your CTI program’s maturity can help your organization better anticipate, detect, and respond to cyber threats, no matter your budget or staffing level. It also makes the security investments you do have more effective, and ensure your team’s efforts are aligned with business priorities.\\n\\n### So now what?\\n\\nCheck out the _CTI-CMM framework_ to assess where your organization stands, identify gaps and opportunities, and create a roadmap to practical improvements for your organization.\\n\\n## Top security headlines of the week\\n\\n**Huge NPM supply chain attack goes out with whimper** \\nA supply chain attack involving multiple NPM packages had the potential to be one of the most impactful security incidents in recent memory, but such fears seemingly have proved unrealized. (_Dark Reading_)\\n\\n**Swiss Re warns of rate deterioration in cyber insurance** \\nIncreased competition among insurers has led to a third consecutive year of reduced rates, according to the report, as the available supply of cyber coverage has exceeded current demand. (_Cybersecurity Dive_)\\n\\n**Critical SAP vulnerability actively exploited by hackers** \\nA critical security flaw has been found in several SAP products, and could allow a malicious actor to gain administrator-level control. (_HackRead_)\\n\\n**No gains, just pains: 1.6M fitness phone call recordings exposed** \\nSensitive info from hundreds of thousands of gym customers and staff was left sitting in an unencrypted, non-password protected database. Audio recordings spanned from 2020 to 2025. (_The Register_)\\n\\n**US offers $10M reward for Ukrainian ransomware operator** \\nVolodymyr Tymoshchuk allegedly hit hundreds of organizations with the LockerGoga, MegaCortex, and Nefilim ransomware families. According to an indictment, the intrusions caused hundreds of millions of dollars in losses. (_Security Week_)\\n\\n**China accuses Dior ‘s Shanghai branch of illegal data transfer** \\nChina’s public security authority alleges that Dior’s Shanghai branch has transferred customers’ personal data to its headquarters in France illegally, leading to a data leak in May. (_Reuters_)\\n\\n## Can’t get enough Talos?\\n\\n * **Beers with Talos: How to ruin an APT ‘s day** \\nThe B-Team is joined by Sara McBroom from Talos’ nation-state threat intelligence and interdiction team. Sara shares her journey from a liberal arts major to tracking some of the world’s most advanced adversaries.\\n * **_Who would sign up to secure a network full of hackers?_** \\nOur latest video takes you behind-the-scenes at the Black Hat Network Operations Center (NOC) to see how Cisco and SnortML contain the chaos.\\n * ** _Patch Tuesday for Sept 2025_** \\nIn this month’s release, Microsoft observed none of the included vulnerabilities being exploited in the wild. However, there are eight vulnerabilities where exploitation may be likely.\\n * ** _Cisco: 10 years protecting Black Hat_** \\nCisco works with other official providers to bring the hardware, software and engineers to build and secure the Black Hat USA network: Arista, Corelight, Lumen, and Palo Alto Networks.\\n\\n\\n\\n## Upcoming events where you can find Talos\\n\\n * _LABScon_ (Sept. 17 – 20) Scottsdale, AZ\\n * _VB2025_ (Sept. 24 – 26) Berlin, Germany\\n * _Wild West Hackin ‘ Fest_ (Oct. 8 – 10) Deadwood, SD\\n\\n\\n\\n## Most prevalent malware files from Talos telemetry over the past week\\n\\n**SHA 256: 41f14d86bcaf8e949160ee2731802523e0c76fea87adf00ee7fe9567c3cec610 ** \\nMD5: 85bbddc502f7b10871621fd460243fbc \\nVirusTotal: https:\/\/www.virustotal.com\/gui\/file\/41f14d86bcaf8e949160ee2731802523e0c76fea87adf00ee7fe9567c3cec610\/details \\nTypical Filename: N\/A \\nClaimed Product: Self-extracting archive \\nDetection Name: Win.Worm.Bitmin-9847045-0\\n\\n**SHA 256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507 ** \\nMD5: 2915b3f8b703eb744fc54c81f4a9c67f \\nVirusTotal: https:\/\/www.virustotal.com\/gui\/file\/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507 \\nTypical Filename: VID001.exe \\nClaimed Product: N\/A \\nDetection Name: Win.Worm.Coinminer::1201\\n\\n**SHA 256: c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0 ** \\nMD5: 8c69830a50fb85d8a794fa46643493b2 \\nVirusTotal: https:\/\/www.virustotal.com\/gui\/file\/c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0 \\nTypical Filename: AAct.exe \\nClaimed Product: N\/A \\nDetection Name: PUA.Win.Dropper.Generic::1201″,”published”:”2025-09-11T18:00:14″,”modified”:”2025-09-11T18:00:14″,”type”:”talosblog”,”title”:”Beaches and breaches”,”source”:””,”references”:””,”id”:”TALOSBLOG:4C4B3CD4ADDF09026F71C2D5DA7374E9″,”bulletinFamily”:”blog”,”cwe”:null,”cvelist”:[],”sourceData”:””,”sourceHref”:””,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/blog.talosintelligence.com\/beaches-and-breaches\/”,”category_name”:”News”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2025-09-11T20:05:17″,”description”:”\\n\\nWelcome to this week’s edition of the Threat Source newsletter.\\n\\nI took a two-week vacation (thanks to Bill for covering my author shift last…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[6,8,12,13,33,7,69,11,5],"class_list":["post-17179","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-cve","tag-cvss","tag-exploit","tag-news","tag-none","tag-security","tag-talosblog","tag-tapic","tag-vulnerability"],"yoast_head":"\n