\n<\/p>\n
Welcome to this week’s edition of the Threat Source newsletter.<\/p>\n
Authority bias is one of the many things that shape how we think. Taking the advice of someone with recognized authority is often far easier (and usually leads to a better outcome) than spending time and effort in researching the reasoning and logic behind that advice. Put simply, it’s easier to take your doctor’s advice on health matters than it is to spend years in medical school learning why the advice you received is necessary.<\/p>\n
This tendency to respect and follow authoritative instructions translates into our use of computers, too. If you’re reading this, you’ve likely been the recipient of many questions about computer-related matters from friends and family. However, your trust can be abused, even by someone who seems knowledgeable and respectable.<\/p>\n
Attackers have learned that by impersonating individuals with some form of authority, such as banking staff, tax officials or IT professionals, they can persuade victims to carry out actions against their own interests. In our most recent _Incident Response Quarterly Trends update_, we describe how ransomware actors masquerade as IT agents when contacting their victims, instructing them to install remote access software. This allows the threat actor to set up long-term access to the device and continue the pursuit of their malicious objectives.<\/p>\n
If someone contacts you out of the blue professing to be an IT or bank\/tax expert with urgent or helpful instructions, end the conversation immediately. Follow up with a call to the main contact details of the team or organization that contacted you to verify if the call was genuine. Be aware of the scams that the bad guys are using and spread awareness far and wide. Expect threat actors to attempt to exploit human nature and its own vulnerabilities.<\/p>\n
## The one big thing<\/p>\n
Threat hunting is an integral part of any cyber security strategy because identifying potential incursions early allows issues to be swiftly resolved before harm is incurred. There are many different approaches to threat hunting, each of which may uncover different threats.<\/p>\n
### Why do I care?<\/p>\n
As threat actors increasingly use living-off-the-land binaries (LOLBins) — i.e. using either dual-use tools or the tools that they find already in place on compromised systems — detecting the presence of an intruder is no longer a case of simply finding their malware.<\/p>\n
Spotting bad guys is still possible, but requires a slightly different approach: either looking for evidence of the potential techniques they use, or finding evidence that things aren’t quite as they should be.<\/p>\n
### So now what?<\/p>\n
Read about the different types of threat hunting strategies the Talos IR team uses and investigate how these can be used within your environment to improve your chances of finding incursions early.<\/p>\n
## Top security headlines of the week<\/p>\n
**MySQL turns 30**
The popular database was founded on May 23, 1995 and is at the heart of many high-traffic applications such as Facebook, Netflix, Uber, Airbnb, Shopify, and Booking.com. (Oracle)<\/p>\n
**Disney Slack attack wasn ‘t Russian protesters, just a Cali dude with malware**
A resident of California has pleaded guilty to conducting an attack in which 1.1 TB of data was stolen. The attack was conducted by releasing a trojan masquerading as an AI art generation application. (The Register)<\/p>\n
**Ransomware Group Claims Attacks on UK Retailers**
The DragonForce ransomware group says it orchestrated the disruptive cyberattacks that hit UK retailers Co-op, Harrods, and Marks & Spencer (M&S). (Security Week)<\/p>\n
**Attackers Ramp Up Efforts Targeting Developer Secrets**
Attackers are increasingly seeking to steal secret keys or tokens that have been inadvertently exposed in live environments or published in online code repositories. (Dark Reading)<\/p>\n
## Can’t get enough Talos?<\/p>\n
**Spam campaign targeting Brazil abuses Remote Monitoring and Management tools**
A new spam campaign is targeting Brazilian users with a clever twist — abusing the free trial period of trusted remote monitoring tools and the country’s electronic invoice system to spread malicious agents. **_Read now_**<\/p>\n
**Threat Hunting with Talos IR**
Talos recently published a **blog** on the framework behind our Threat Hunting service, featuring this handy video:<\/p>\n
## Upcoming events where you can find Talos<\/p>\n
* CTA TIPS 2025 (May 14 – 15) Arlington, VA
* Cisco Connect UK & Ireland (May 20) London, UK
* BotConf (May 20 – 23) Angers, France
* Cisco Live U.S. (June 8 – 12) San Diego, CA<\/p>\n
## Most prevalent malware files from Talos telemetry over the past week<\/p>\n
**SHA256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507**
MD5: 2915b3f8b703eb744fc54c81f4a9c67f
VirusTotal: https:\/\/www.virustotal.com\/gui\/file\/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507\/
Typical Filename: VID001.exe
Detection Name: Win.Worm.Bitmin-9847045-0<\/p>\n
**SHA256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91**
MD5: 7bdbd180c081fa63ca94f9c22c457376
VirusTotal: https:\/\/www.virustotal.com\/gui\/file\/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91
Typical Filename: img001.exe
Detection Name: Simple_Custom_Detection<\/p>\n
**SHA256: 47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca**
MD5: 71fea034b422e4a17ebb06022532fdde
VirusTotal: https:\/\/www.virustotal.com\/gui\/file\/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91
Typical Filename: VID001.exe
Detection Name: Coinminer:MBT.26mw.in14.Talos<\/p>\n
**SHA256: c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0**
MD5: 8c69830a50fb85d8a794fa46643493b2
VirusTotal: https:\/\/www.virustotal.com\/gui\/file\/c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0
Typical Filename: AAct.exe
Detection Name: W32.File.MalParent\n<\/div>\n
View Advisory Details<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"Security Update News Update Information Title The IT help desk kindly requests you read this newsletter Update ID TALOSBLOG:A78414C700D3F63463DB747C4E1AF8C3 Type talosblog Published 2025-05-08T18:01:48 Last Updated…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[6,8,34,12,13,33,7,69,11,5],"class_list":["post-3668","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-cve","tag-cvss","tag-cvss-00","tag-exploit","tag-news","tag-none","tag-security","tag-talosblog","tag-tapic","tag-vulnerability"],"yoast_head":"\n
The IT help desk kindly requests you read this newsletter - zero redgem<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/zero.redgem.net\/?p=3668\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"The IT help desk kindly requests you read this newsletter - zero redgem\" \/>\n<meta property=\"og:description\" content=\"Security Update News Update Information Title The IT help desk kindly requests you read this newsletter Update ID TALOSBLOG:A78414C700D3F63463DB747C4E1AF8C3 Type talosblog Published 2025-05-08T18:01:48 Last Updated...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/zero.redgem.net\/?p=3668\" \/>\n<meta property=\"og:site_name\" content=\"zero redgem\" \/>\n<meta property=\"article:published_time\" content=\"2025-05-08T15:36:50+00:00\" \/>\n<meta name=\"author\" content=\"invoker\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"invoker\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"5 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=3668#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=3668\"},\"author\":{\"name\":\"invoker\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\"},\"headline\":\"The IT help desk kindly requests you read this newsletter\",\"datePublished\":\"2025-05-08T15:36:50+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=3668\"},\"wordCount\":1044,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"keywords\":[\"CVE\",\"CVSS\",\"CVSS-0.0\",\"exploit\",\"news\",\"NONE\",\"Security\",\"talosblog\",\"tapic\",\"Vulnerability\"],\"articleSection\":[\"category_news\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=3668#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=3668\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?p=3668\",\"name\":\"The IT help desk kindly requests you read this newsletter - zero redgem\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\"},\"datePublished\":\"2025-05-08T15:36:50+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=3668#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=3668\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=3668#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/zero.redgem.net\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"The IT help desk kindly requests you read this newsletter\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"name\":\"zero redgem\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/zero.redgem.net\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\",\"name\":\"zero redgem\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"\",\"contentUrl\":\"\",\"width\":191,\"height\":188,\"caption\":\"zero redgem\"},\"image\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\",\"name\":\"invoker\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"caption\":\"invoker\"},\"sameAs\":[\"https:\\\/\\\/zero.redgem.net\"],\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?author=1\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"The IT help desk kindly requests you read this newsletter - zero redgem","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/zero.redgem.net\/?p=3668","og_locale":"en_US","og_type":"article","og_title":"The IT help desk kindly requests you read this newsletter - zero redgem","og_description":"Security Update News Update Information Title The IT help desk kindly requests you read this newsletter Update ID TALOSBLOG:A78414C700D3F63463DB747C4E1AF8C3 Type talosblog Published 2025-05-08T18:01:48 Last Updated...","og_url":"https:\/\/zero.redgem.net\/?p=3668","og_site_name":"zero redgem","article_published_time":"2025-05-08T15:36:50+00:00","author":"invoker","twitter_card":"summary_large_image","twitter_misc":{"Written by":"invoker","Est. reading time":"5 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/zero.redgem.net\/?p=3668#article","isPartOf":{"@id":"https:\/\/zero.redgem.net\/?p=3668"},"author":{"name":"invoker","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca"},"headline":"The IT help desk kindly requests you read this newsletter","datePublished":"2025-05-08T15:36:50+00:00","mainEntityOfPage":{"@id":"https:\/\/zero.redgem.net\/?p=3668"},"wordCount":1044,"commentCount":0,"publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"keywords":["CVE","CVSS","CVSS-0.0","exploit","news","NONE","Security","talosblog","tapic","Vulnerability"],"articleSection":["category_news"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/zero.redgem.net\/?p=3668#respond"]}]},{"@type":"WebPage","@id":"https:\/\/zero.redgem.net\/?p=3668","url":"https:\/\/zero.redgem.net\/?p=3668","name":"The IT help desk kindly requests you read this newsletter - zero redgem","isPartOf":{"@id":"https:\/\/zero.redgem.net\/#website"},"datePublished":"2025-05-08T15:36:50+00:00","breadcrumb":{"@id":"https:\/\/zero.redgem.net\/?p=3668#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/zero.redgem.net\/?p=3668"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/zero.redgem.net\/?p=3668#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/zero.redgem.net\/"},{"@type":"ListItem","position":2,"name":"The IT help desk kindly requests you read this newsletter"}]},{"@type":"WebSite","@id":"https:\/\/zero.redgem.net\/#website","url":"https:\/\/zero.redgem.net\/","name":"zero redgem","description":"","publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/zero.redgem.net\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/zero.redgem.net\/#organization","name":"zero redgem","url":"https:\/\/zero.redgem.net\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/","url":"","contentUrl":"","width":191,"height":188,"caption":"zero redgem"},"image":{"@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca","name":"invoker","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","caption":"invoker"},"sameAs":["https:\/\/zero.redgem.net"],"url":"https:\/\/zero.redgem.net\/?author=1"}]}},"_links":{"self":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/3668","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3668"}],"version-history":[{"count":0,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/3668\/revisions"}],"wp:attachment":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3668"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3668"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3668"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}