{“lastseen”:”2025-11-20T22:05:15″,”description”:”\\n\\nWelcome to this week’s edition of the Threat Source newsletter.\\n\\nThis week, we explore how advances in agentic AI are rapidly transforming the cyber crime business.\\n\\nAgentic AI programming gives AI agents autonomy, allowing them to interact with external systems to collect information, make decisions with the help of a generative AI system, and then effect changes in the external environment. The activity takes place through various APIs according to the instructions provided to the agent and in the context of a defined workflow.\\n\\nThe advantage for human operators is that these systems can efficiently execute routine activities that would otherwise require accessing multiple systems. Essentially, the AI agent acts as a trusted assistant who is able to get on with things with minimal supervision while the human operator can focus on other things.\\n\\nAs this approach brings advantages to the legitimate economy, so it brings similar efficiencies to the cyber crime economy. More recently, the _publication_ of the discovery of the first AI-orchestrated cyber campaign should give us pause. It signals a new era for cybersecurity teams.\\n\\nWe’re entering a time when we can expect to see much experimentation and innovation with AI in both the legitimate and cyber crime economies. AI can act as a force enabler, making tasks easier and faster to perform. Similarly, AI can lower barriers to entry, allowing lower skilled actors to perform tasks that they lack the skills to perform. While AI does not bring new capabilities, it can make existing capabilities easier to execute. However, AI systems still require skillful instruction and supervision.\\n\\nAI is not infallible, it gets things wrong, and it is prone to inventing nonsense. When it does go off the rails, a human needs to step in and resolve the situation. This is not necessarily easy to do and may prove tricky for low-skilled threat actors.\\n\\nDon’t be discouraged: We can also leverage these developments to our advantage. Defensive teams can write their own agentic systems to find and fix weaknesses in their own systems before malicious actors identify them. We can deploy honeypot systems designed to be found by malicious AI systems, engage with them and tie up their resources.\\n\\nThe threat landscape has never been static. While AI does make some tasks more accessible to threat actors, it is a double-edged sword and also brings opportunities to defenders.\\n\\n## The one big thing\\n\\nCisco Talos has _introduced new features_ for Snort3 users within Cisco Secure Firewall. A new \\”Severity\\” rule group allows you to organize detection rules by CVSS-based vulnerability severity (low, medium, high, critical). This allows teams to better prioritize and manage rules according to risk and urgency. You can also select rules based on vulnerability age (e.g., last 2, 5, or 10 years).\\n\\n### Why do I care?\\n\\nThis update allows you greater flexibility and control. It makes it simpler to maintain consistent, targeted detection coverage, whether you’re running large, distributed networks or smaller environments with tailored security priorities.\\n\\n### So now what?\\n\\nReview your current Snort3 rule configurations in Cisco Secure Firewall and consider adopting the new Severity and time-based grouping features. By tailoring rule sets to your organization’s specific risk tolerance and patching cycles, you can optimize detection coverage, streamline management, and better protect your environments.\\n\\n## Top security headlines of the week\\n\\n**Critical** **railway** **braking** **systems** **open to** **tampering** \\nResearchers have figured out how to spoof the signals that tell train conductors to brake, opening the door to any number of dangerous attack scenarios. (_Dark Reading_)\\n\\n**EchoGram** **flaw bypasses guardrails in major LLMs** \\nA flaw discovered in early 2025 and dubbed EchoGram allows simple, specially chosen words or code sequences to completely trick the automated defences, or guardrails, meant to keep the AI safe. (_HackRead_)\\n\\n**Over 67,000 fake** **npm** **packages flood registry in worm-like spam attack** \\nThe worm-life propagation mechanism and the use of a distinctive naming scheme that relies on Indonesian names and food terms for the newly created packages have lent it the moniker IndonesianFoods Worm. The bogus packages masquerade as Next.js projects. (_The Hacker News_)\\n\\n**Cornerstone Staffing ransomware attack leaks 120,000 resumes, claims** **Qilin** **gang** \\nThe notorious Qilin gang posted the industry-leading recruitment agency on its dark leak blog last Thursday. The group claims to have exfiltrated 300GB of sensitive information from Cornerstone. (_Cybernews_)\\n\\n**Surveillance tech provider** **Protei** **was hacked, its data stolen, and its website defaced** \\nIt’s not clear exactly when or how Protei was hacked, but a copy of the company’s website saved on the Internet Archive’s Wayback Machine shows it was defaced on November 8 and restored soon after. (_TechCrunch_)\\n\\n## Can’t get enough Talos?\\n\\n** _The TTP: How Talos built an AI model into one of the internet ‘s most abused layers_** \\nHazel talks with Talos researcher David Rodriguez about how adversaries use DNS tunneling to sneak data out of networks, why it’s so difficult to spot in real time, and how Talos built an AI model to detect it without breaking anything important (like the internet).\\n\\n** _Humans of Talos: On epic reads, lifelong learning, and empathy_** \\nIn this episode, Bill Largent shares what drew him to Talos, how his love of reading has shaped his cybersecurity ethos, and the key insights he shares for the next generation of cybersecurity professionals.\\n\\n**_Unleashing the Kraken ransomware group_** \\nIn August 2025, Cisco Talos observed big-game hunting and double extortion attacks carried out by Kraken, a Russian-speaking group that has emerged from the remnants of the HelloKitty ransomware cartel.\\n\\n## Upcoming events where you can find Talos\\n\\n * _DeepSec IDSC_ (Nov. 18 – 21) Vienna, Austria\\n * _AVAR_ (Dec. 3 – 5) Kuala Lumpur, Malaysia\\n\\n\\n\\n## Most prevalent malware files from Talos telemetry over the past week\\n\\n**SHA256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507** \\nMD5: 2915b3f8b703eb744fc54c81f4a9c67f \\nTalos Rep: _https:\/\/talosintelligence.com\/talos_file_reputation?s=9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507_ \\nExample Filename: e74d9994a37b2b4c693a76a580c3e8fe_1_Exe.exe \\nDetection Name: Win.Worm.Coinminer::1201\\n\\n**SHA256: 90b1456cdbe6bc2779ea0b4736ed9a998a71ae37390331b6ba87e389a49d3d59** \\nMD5: c2efb2dcacba6d3ccc175b6ce1b7ed0a \\nTalos Rep: _https:\/\/talosintelligence.com\/talos_file_reputation?s=90b1456cdbe6bc2779ea0b4736ed9a998a71ae37390331b6ba87e389a49d3d59_ \\nExample Filename: ck8yh2og.dll \\nDetection Name: Auto.90B145.282358.in02\\n\\n**SHA256: 96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974** \\nMD5: aac3165ece2959f39ff98334618d10d9 \\nTalos Rep: _https:\/\/talosintelligence.com\/talos_file_reputation?s=96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974_ \\nExample Filename: 96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974.exe \\nDetection Name: W32.Injector:Gen.21ie.1201\\n\\n**SHA256: c0ad494457dcd9e964378760fb6aca86a23622045bca851d8f3ab49ec33978fe** \\nMD5: bf9672ec85283fdf002d83662f0b08b7 \\nTalos Rep: _https:\/\/talosintelligence.com\/talos_file_reputation?s=c0ad494457dcd9e964378760fb6aca86a23622045bca851d8f3ab49ec33978fe_ \\nExample Filename: f_0008d7.html \\nDetection Name: W32.C0AD494457-95.SBX.TG\\n\\n**SHA256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91** \\nMD5: 7bdbd180c081fa63ca94f9c22c457376 \\nTalos Rep: _https:\/\/talosintelligence.com\/talos_file_reputation?s=a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91_ \\nExample Filename: e74d9994a37b2b4c693a76a580c3e8fe_3_Exe.exe \\nDetection Name: Win.Dropper.Miner::95.sbx.tg”,”published”:”2025-11-20T19:00:04″,”modified”:”2025-11-20T19:00:04″,”type”:”talosblog”,”title”:”It\u2019s not personal, it\u2019s just business”,”source”:””,”references”:””,”id”:”TALOSBLOG:8E8C680307357F0A6EB3E90B976F47E3″,”bulletinFamily”:”blog”,”cwe”:null,”cvelist”:[],”sourceData”:””,”sourceHref”:””,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/blog.talosintelligence.com\/its-not-personal-its-just-business\/”,”category_name”:”News”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2025-11-20T22:05:15″,”description”:”\\n\\nWelcome to this week’s edition of the Threat Source newsletter.\\n\\nThis week, we explore how advances in agentic AI are rapidly…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[6,8,12,13,33,7,69,11,5],"class_list":["post-27016","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-cve","tag-cvss","tag-exploit","tag-news","tag-none","tag-security","tag-talosblog","tag-tapic","tag-vulnerability"],"yoast_head":"\n