{"id":605,"date":"2025-04-19T10:57:57","date_gmt":"2025-04-19T10:57:57","guid":{"rendered":"http:\/\/localhost\/?p=605"},"modified":"2025-04-19T10:57:57","modified_gmt":"2025-04-19T10:57:57","slug":"care-what-you-share","status":"publish","type":"post","link":"https:\/\/zero.redgem.net\/?p=605","title":{"rendered":"Care what you share"},"content":{"rendered":"
\n

Vulnerability Details<\/h2>\n
\n

Basic Information<\/h3>\n\n\n\n\n\n\n
Title<\/th>\nCare what you share<\/td>\n<\/tr>\n
Type<\/th>\ntalosblog<\/td>\n<\/tr>\n
Published<\/th>\n2025-04-17T18:01:02<\/td>\n<\/tr>\n
Last Seen<\/th>\n2025-04-17T19:51:42<\/td>\n<\/tr>\n
CVSS Score<\/th>\n0.0 ()<\/td>\n<\/tr>\n<\/table><\/div>\n
\n

CVSS v3 Details<\/h3>\n\n\n\n\n\n\n\n\n\n
Attack Vector<\/th>\n<\/td>\n<\/tr>\n
Attack Complexity<\/th>\n<\/td>\n<\/tr>\n
Privileges Required<\/th>\n<\/td>\n<\/tr>\n
User Interaction<\/th>\n<\/td>\n<\/tr>\n
Scope<\/th>\n<\/td>\n<\/tr>\n
Confidentiality Impact<\/th>\n<\/td>\n<\/tr>\n
Integrity Impact<\/th>\n<\/td>\n<\/tr>\n
Availability Impact<\/th>\n<\/td>\n<\/tr>\n<\/table><\/div>\n
\n

CVE Information<\/h3>\n\n\n\n\n
CVE IDs<\/th>\n<\/td>\n<\/tr>\n
CWE<\/th>\n<\/td>\n<\/tr>\n
Bulletin Family<\/th>\nblog<\/td>\n<\/tr>\n<\/table><\/div>\n
\n

Description<\/h3>\n
\n ![Care what you share](https:\/\/blog.talosintelligence.com\/content\/images\/2025\/04\/threat-source-newsletter-3.jpg)<\/p>\n

Welcome to this week’s edition of the Threat Source newsletter.<\/p>\n

As we navigate our daily routines, certain tasks become second nature to us, especially if they are integral to our professions. However, what feels instinctive to one person might be foreign to another. This disparity is akin to a skilled musician effortlessly playing a complex melody, while someone without musical training might appreciate the beauty of the music in a different way. Both may enjoy music, but they experience it from different perspectives.<\/p>\n

Lately, I’ve found myself thinking about these differences in the context of online interactions, particularly with search engines. I’ve become increasingly frustrated with how they try to influence my buying behavior or try to “enhance” search results with AI. It’s often unsuccessful, as many of you have experienced. I once looked up something for my father-in-law and got swamped for weeks after with advertisements absolutely irrelevant to me.<\/p>\n

It’s easy to overlook that when using a search engine, the exchange of knowledge is not one-sided. It’s not only users who gain knowledge from indexed content, but search engines also acquire detailed insights into user behavior and preferences. You may unknowingly share sensitive information that could be stored for extended periods or shared with third parties for advertising or other purposes. I tried to get around this by shifting to privacy-focused search engines but wasn’t happy with the experience, either because of smaller or different indexes, or I was missing results in my native language.<\/p>\n

Luckily, I came across an open-source project called _SearXNG_, a “free internet metasearch engine which aggregates results from up to 229 search services. Users are neither tracked nor profiled.”<\/p>\n

I like it for three reasons:<\/p>\n

1. You can try one of the _public instances_ and check if you like it before you go all-in.
\n 2. You can self-host it on bare metal, in Docker or LXC, giving you even more control over your data.
\n 3. With _Opensearch_ it seamlessly integrates with your existing browser.<\/p>\n

It took me a couple of days to get used to it, but I do really like it now. It’s not perfect, but it is a real timesaver. As a bonus, the search syntax for advanced use is easy to memorize:<\/p>\n

* “:en”, “:de” or “:fr” to search in a given language
\n * “!social_media” or “!news” to search just a given category<\/p>\n

The same principle applies to the increasing number of AI and large language models (LLMs) that process your queries — they also gather information about you. There are initiatives like Perplexica on GitHub that aim to bridge the gap for AI-assisted searches, although I haven’t explored them in detail. Additionally, if your interactions extend beyond simple searches to more profound inquiries, such as asking an LLM about the meaning of life, it’s wise to first assess the trustworthiness of the engine or the company behind it. Care what you share.<\/p>\n

## The one big thing<\/p>\n

We are continuing our discussion of Talos’ _2024 Year in Review_ report, looking at each section in detail. This week, let’s examine _ransomware_.<\/p>\n

### Why do I care?<\/p>\n

Ransomware actors overwhelmingly leveraged valid accounts for initial access in 2024, with this tactic appearing in almost 70% of related cases.<\/p>\n

Ransomware actors exploited public-facing applications nearly 20% of the time. The Known Exploited Vulnerabilities Catalog for 2024 lists 28 out of 186 Vulnerabilities as “Known to be used in Ransomware Campaigns” with CVE ID’s all the way from 2012-2024 (except for 2015).<\/p>\n

### So now what?<\/p>\n

These are major risks which can be mitigated by applying basic cyber hygiene principles. Please update and patch your software, and protect your credentials. Tune in next week to learn about multi-factor authentication (MFA) and identity threats, and why you need to do more than just enable MFA.<\/p>\n

## Top security headlines of the week<\/p>\n

* **OpenAI cuts safety tests in “reckless” AI push.** According to the article, testing has gone down from six months to just days. We all know that even with six months of testing any model, it’ll never be quite perfect. (MSN) Further compounding this:
\n * **AI-hallucinated code dependencies become new supply chain risk.** “Slopsquatting” (as a spin on typosquatting) has become a thing. Threat actors can check with one or more AI models what packages they hallucinate and upload their malicious ones to PyPI or npm. (BleepingComputer)
\n * **Windows Recall seems to be back again.** More privacy-related news. If I recall (pun intended) correctly, in May last year Microsoft introduced Recall — a feature which constantly takes screenshots, indexes them, and makes them searchable for you. After huge backslashes in the community, and the creation of tools like _TotalRecall_, Microsoft paused the launch last June. (BleepingComputer)
\n * **The 25-year-old CVE program seemed to be at risk.** MITRE warned on April 15 that its contract to maintain the Common Vulnerabilities and Exposures (CVE) program expired on April 16. This was big. Just in Q1 about 11,781 vulnerabilities were added (with 415 rejected) to the Database. Stopping this would have caused a lot of trouble. (Krebs on Security) However, the Cybersecurity and Infrastructure Security Agency (CISA) _announced_ that it had exercised an option to extend MITRE’s contract–reportedly for another 11 months, according to multiple sources.<\/p>\n

## Can’t get enough Talos?<\/p>\n

* ** _Unmasking the new XorDDoS controller and infrastructure._** Cisco Talos observed the ongoing global spread of the XorDDoS malware, predominantly targeting the United States, with evidence suggesting Chinese-speaking operators are using sophisticated tools to orchestrate widespread attacks.
\n * ** _Talos Takes: Year in Review Special (Pt. 2)_.** Azim Khodjibaev and Lexi DiScola join Hazel to discuss some of the most prolific ransomware groups (and why LockBit may end this year very differently to how they ended 2024).<\/p>\n

## Upcoming events where you can find Talos<\/p>\n

* _RSA_ (April 28 – May 1) San Francisco, CA
\n * _PIVOTcon_ (May 7 – 9) Malaga, Spain
\n * _CTA TIPS 2025_ (May 14 – 15) Arlington, VA
\n * _Cisco Connect UK & Ireland_ (May 20) London, UK
\n * _Cisco Live U.S._ (June 8 – 12) San Diego, CA<\/p>\n

## Most prevalent malware files from Talos telemetry over the past week<\/p>\n

**SHA256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507 **
\nMD5: 2915b3f8b703eb744fc54c81f4a9c67f
\nVirusTotal: https:\/\/www.virustotal.com\/gui\/file\/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507
\nTypical Filename: VID001.exe
\nDetection Name: Win.Worm.Bitmin-9847045-0<\/p>\n

**SHA256: 2e964c017df8b7d56600a5d68018f9f810a1c7dd3da800b5b5dfe85e9ce6b385 **
\nMD5: 01b521c78f5bbdaba0cc221bc893e2b8
\nVirusTotal: https:\/\/www.virustotal.com\/gui\/file\/2e964c017df8b7d56600a5d68018f9f810a1c7dd3da800b5b5dfe85e9ce6b385
\nTypical Filename: toyboy.exe
\nDetection Name: Gen:Variant.Tedy.758566<\/p>\n

**SHA256: 2462569cf24a5a1e313390fa3c52ed05c7f36ef759c4c8f5194348deca022277 **
\nMD5: 42c016ce22ab7360fb7bc7def3a17b04
\nVirusTotal: https:\/\/www.virustotal.com\/gui\/file\/2462569cf24a5a1e313390fa3c52ed05c7f36ef759c4c8f5194348deca022277
\nTypical Filename: Rainmeter-4.5.22.exe
\nDetection Name: Artemis!Trojan<\/p>\n

**SHA 256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91 **
\nMD5: 7bdbd180c081fa63ca94f9c22c457376
\nVirusTotal: https:\/\/www.virustotal.com\/gui\/file\/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91
\nTypical Filename: IMG001.exe
\nDetection Name: Win.Trojan.Miner-9835871-0\n <\/p><\/div>\n<\/p><\/div>\n

\n

Impact Assessment<\/h3>\n\n\n\n
Base Score<\/th>\n0.0<\/td>\n<\/tr>\n
Severity<\/th>\n<\/td>\n<\/tr>\n<\/table><\/div>\n
\n

View full CVE details<\/a><\/p>\n<\/p><\/div>\n<\/div>\n