{“lastseen”:”2025-11-13T20:05:07″,”description”:”\\n\\nWelcome to this week’s edition of the Threat Source newsletter.\\n\\nA year ago, fresh off a layoff, I never would have guessed I’d be spending Halloween weekend bouncing between conversations about space policy, satellite hacking, and wedding plans. That’s exactly what happened when my space analyst friend came to stay with us for a few days. Between coffee runs, getting sneak peeks of his upcoming book, and painting on skull makeup for a party, we found ourselves deep in discussions about putting data centers in space and, inevitably, the world of satellite cybersecurity.\\n\\nSomewhere within all of that, I realized I was on deck for the newsletter intro soon, and I did what any cyber newbie would do: I asked the nearest expert if there had ever been a well-known cyberattack on satellites. My friend didn’t even blink before answering, \\”KA-SAT.\\”\\n\\nSome light research and a few Webex messages later, I was speaking with our own Joe Marshall — who, lucky for me, might be the only person at Cisco who’s been to satellite hacking training.\\n\\nJoe walked me through how on Feb. 24, 2022, just hours before Russia’s invasion of Ukraine, a cyber attack targeted Viasat’s KA-SAT satellite network. The attackers exploited a vulnerability in a VPN appliance, gaining access to the network’s management systems. They then deployed a wiper malware called AcidRain, which was designed to erase data on modems and routers across Europe.\\n\\nSatellite communications were disrupted for thousands of users in Ukraine, but surprisingly, beyond Ukraine’s borders, approximately 5,800 Enercon wind turbines in Germany lost connectivity for remote monitoring and control.\\n\\nOne surprise from the conversation was the overlap between the AcidRain wiper and _VPNFilter_, which you may remember from _Joe ‘s September newsletter_. AcidRain may be VPNFilter’s successor. Take a look:\\n\\nFigure 1. Section headers strings tables for VPNFilter (left) and AcidRain (right). Credit: SentinelOne.\\n\\nIdentical, hinting at a shared compiler and other technical links, as _SentinelOne ‘s_ _blog_ details.\\n\\nWhat followed this summary was a LOT of questions on my part. What _was_ the VPN vulnerability? How did the wiper work, exactly? What are the pros and cons of replacing vs. fixing the modems, and what about the logistics of the winning decision? Ultimately, while the AcidRain attack was destructive, it was, in the context of what else was happening to Ukraine’s infrastructure, a blip.\\n\\nAs a newcomer to both cybersecurity and Talos, I keep discovering that there are always gaps in the story. I didn’t get all my questions answered because companies guard details, official statements leave out key information, and sometimes, even years later, we’re still piecing things together. Being okay with that is a tall order for people who scour logs looking for a needle in a stack of needles. But when attacks are raining down, customers aren’t asking you to send a flawless analysis. They want to know what you’redoing to keep them safe.\\n\\nSo, as I write this, still with more questions than answers about AcidRain and the KA-SAT attacks, I’m learning to find peace in knowing that curiosity is the foundation for future expertise. Keep acquiring knowledge, asking questions (both basic and complex), and being okay with some uncertainty.\\n\\n## The one big thing\\n\\nCisco Talos _published a new blog today_ on the Kraken ransomware group. Linked to HelloKitty, they double-extort organizations globally with cross-platform attacks and use advanced techniques like encryption benchmarking and anti-analysis. Kraken has also launched a new underground forum to strengthen ties within the cybercrime community.\\n\\n### Why do I care?\\n\\nKraken’s advanced, cross-platform techniques — including encryption benchmarking and evasion methods — raise the threat level for organizations of all sizes, and may inspire similar advancements in future ransomware. Plus, their new secure underground forum may accelerate collaboration between threat actors, making robust, layered defenses and intelligence sharing among defenders even more critical.\\n\\n### So now what?\\n\\nPrioritize patching known vulnerabilities (especially SMB), strengthen credential management, and implement comprehensive endpoint, network, and access security solutions. Continuous monitoring, incident response planning, and user awareness training are crucial to detect and contain threats early.\\n\\n## Top security headlines of the week\\n\\n**SAP fixes serious security issues – here ‘s how to stay safe** \\nA patch is now publicly available, and while SAP’s users were previously notified, the researchers are once again urging everyone to apply it as soon as possible since the risk is only going to get bigger going forward. (_TechRadar_)\\n\\n**Phishing tool uses smart redirects to bypass detection** \\nA new phishing tool targeting Microsoft 365 users called Quantum Route Redirect simplifies what was once a technically complex campaign flow, as well as offers a uniquely evasive redirect feature that can bypass even robust email protections. (_Dark Reading_)\\n\\n**Cisco finds open-weight AI models easy to exploit in long chats** \\nThe report, titled Death by a Thousand Prompts: Open Model Vulnerability Analysis, analyzed eight leading open-weight language models and found that multi-turn attacks, where an attacker engages the model across multiple conversational steps, were up to ten times more effective than one-shot attempts. (_HackRead_)\\n\\n**Nearly 30 alleged victims of Oracle EBS hack named on Cl0p ransomware site** \\nThe Cl0p website lists major organizations such as Logitech, The Washington Post, Cox Enterprises, Pan American Silver, LKQ Corporation, and Copeland. (_SecurityWeek_)\\n\\n**Kimsuky APT takes over South Korean Androids, abuses KakaoTalk** \\nOne of North Korea’s formidable advanced persistent threat (APT) groups is targeting Android users in South Korea with a remote reset attack that exploits a feature in Google aimed at helping users find their devices. (_Dark Reading_)\\n\\n## Can’t get enough Talos?\\n\\n**The TTP: How Talos built an AI model into one of the internet ‘s most abused layers** \\nHazel talks with Talos researcher David Rodriguez about how adversaries use DNS tunneling to sneak data out of networks, why it’s so difficult to spot in real time, and how Talos built an AI model to detect it without breaking anything important (like the internet).\\n\\n**_The 2026 Snort Calendar is now available_** \\nSnorty will pose as a new mythical creature each month. To get your copy, fill out our short survey. Calendars will begin shipping in December 2025. U.S. shipping only, available while supplies last.\\n\\n** _Talos Takes: How attackers use your own tools against you_** \\nFrom a wave of Toolshell events, to a rise in post-exploitation phishing, and the misuse of legitimate tools like Velociraptor, this quarter’s cases all point to a theme: attackers are getting very good at living off what’s already in your environment.\\n\\n**_Do robots dream of secure networking?_** \\nThis blog demonstrates a proof of concept using LangChain and OpenAI, integrated with Cisco Umbrella API, to provide AI agents with real-time threat intelligence for evaluating domain dispositions.\\n\\n## Upcoming events where you can find Talos\\n\\n * _DeepSec IDSC_ (Nov. 18 – 21) Vienna, Austria\\n * _AVAR_ (Dec. 3 – 5) Kuala Lumpur, Malaysia\\n\\n\\n\\n## Most prevalent malware files from Talos telemetry over the past week\\n\\n**SHA256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507** \\nMD5: 2915b3f8b703eb744fc54c81f4a9c67f \\nTalos Rep: _https:\/\/talosintelligence.com\/talos_file_reputation?s=9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507_ \\nExample Filename: e74d9994a37b2b4c693a76a580c3e8fe_1_Exe.exe \\nDetection Name: Win.Worm.Coinminer::1201\\n\\n**SHA256: 41f14d86bcaf8e949160ee2731802523e0c76fea87adf00ee7fe9567c3cec610** \\nMD5: 85bbddc502f7b10871621fd460243fbc \\nTalos Rep: _https:\/\/talosintelligence.com\/talos_file_reputation?s=41f14d86bcaf8e949160ee2731802523e0c76fea87adf00ee7fe9567c3cec610_ \\nExample Filename: 85bbddc502f7b10871621fd460243fbc.exe \\nDetection Name: W32.41F14D86BC-100.SBX.TG\\n\\n**SHA256: 96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974** \\nMD5: aac3165ece2959f39ff98334618d10d9 \\nTalos Rep: _https:\/\/talosintelligence.com\/talos_file_reputation?s=96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974_ \\nExample Filename: 96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974.exe \\nDetection Name: W32.Injector:Gen.21ie.1201\\n\\n**SHA256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91** \\nMD5: 7bdbd180c081fa63ca94f9c22c457376 \\nTalos Rep: _https:\/\/talosintelligence.com\/talos_file_reputation?s=a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91_ \\nExample Filename: e74d9994a37b2b4c693a76a580c3e8fe_3_Exe.exe \\nDetection Name: Win.Dropper.Miner::95.sbx.tg\\n\\n**SHA256: d933ec4aaf7cfe2f459d64ea4af346e69177e150df1cd23aad1904f5fd41f44a** \\nMD5: 1f7e01a3355b52cbc92c908a61abf643 \\nTalos Rep: _https:\/\/talosintelligence.com\/talos_file_reputation?s=d933ec4aaf7cfe2f459d64ea4af346e69177e150df1cd23aad1904f5fd41f44a_ \\nExample Filename: cleanup.bat \\nDetection Name: W32.D933EC4AAF-90.SBX.TG\\n\\n**SHA256: c0ad494457dcd9e964378760fb6aca86a23622045bca851d8f3ab49ec33978fe** \\nMD5: bf9672ec85283fdf002d83662f0b08b7 \\nTalos Rep: _https:\/\/talosintelligence.com\/talos_file_reputation?s=c0ad494457dcd9e964378760fb6aca86a23622045bca851d8f3ab49ec33978fe_ \\nExample Filename: f_003b6c.html \\nDetection Name: W32.C0AD494457-95.SBX.TG”,”published”:”2025-11-13T19:00:14″,”modified”:”2025-11-13T19:00:14″,”type”:”talosblog”,”title”:”Viasat and the terrible, horrible, no good, very bad day”,”source”:””,”references”:””,”id”:”TALOSBLOG:2B7C070BB0BE7343A7C0C134DDA5C6D2″,”bulletinFamily”:”blog”,”cwe”:null,”cvelist”:[],”sourceData”:””,”sourceHref”:””,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/blog.talosintelligence.com\/viasat-and-the-terrible-horrible-no-good-very-bad-day\/”,”category_name”:”News”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2025-11-13T20:05:07″,”description”:”\\n\\nWelcome to this week’s edition of the Threat Source newsletter.\\n\\nA year ago, fresh off a layoff,…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[6,8,12,13,33,7,69,11,5],"class_list":["post-26126","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-cve","tag-cvss","tag-exploit","tag-news","tag-none","tag-security","tag-talosblog","tag-tapic","tag-vulnerability"],"yoast_head":"\n