Everything is connected to security

Everything is connected to security

/in

Everything is connected to security

Welcome to this week’s edition of the Threat Source newsletter.

Hello friends! Joe here again! I have just returned from the frozen northern tundra of Fargo, North Dakota. This was my first real visit to the frigid climates of the Midwest, and I have to say, they take cold to a new level. I was invited to present on cybersecurity at the 32nd Crop Insurance Conference, hosted by North Dakota State University (go Bisons!).

If you’re wondering why I or anyone would care to discuss cybersecurity in such a niche industry, the answer is simple: Everything is connected to security, even something you wouldn’t think would nominally matter. Agriculture and adjacent industries are roughly 6 percent of our GDP and account for about 10 percent of all U.S. jobs. The trillions of dollars that industry generates are targets for cyber-crime-motivated threat actors and nation-states who would seek to degrade it.

Agriculture is also a deeply underserved community and industry with regard to cybersecurity. And that’s both in general security literacy and security investments. So, I have a soft spot for folks up against threat actors who seek to exploit the most vulnerable, like agriculture industries. If the knowledge I can share will help them and their businesses stay more secure, it’s always worth it.

Pro-tip: If you ever find yourself at a conference, maybe to give a presentation, stay and listen beyond your time on the stage. For security conferences, sure, but for super niche or industry-specific conferences? Even better. I’m not a farmer or in agriculture, but I learned a lot in North Dakota. So, sit through other presentations – the further away from cyber security it is, the better. There’s more to this industry than malware analysis, threat actor cluster tracking, and incident response. For example, at this conference, I learned about climate change affecting agriculture, trade tariffs, agronomics, and insurance. You never know when that knowledge will pay dividends down the road for cybersecurity research. Stay curious, be a forever student, and keep learning.

The one big thing

Remember the old meme ‘Good luck, I’m behind seven proxies? Well, it still holds up in this Talos blog post. Proxy chains are something that hit our radar as old as VPNFilter, back in 2018. It’s a smart way to do business if your obscurity is your primary goal. TOR or other proxy solutions may have weaknesses that expose your operations to risk, and that’s why they’re getting more and more crafty about it. And we’ve moved far past generic VPN services for obscurity. Network defenders can find themselves between a rock and a hard place forensically when determining malicious connections to their networks.

Why do I care?

This is always going to be a sore point for network defenders. Adversaries are absolutely going to use and abuse any kind of proxy service to launch their attacks from. It’s an absolute given. It goes off the rails when it’s your own employees too. As per the blog post “Organizations need to realize that attacks can come from anywhere, even the same IP space that your employees connect to their VPNs, so plan accordingly.”

So now what?

Using additional controls and forensic data is a must here. Identity and access management, combined with a mobile device management/application solution is key here. Control as much of your ecosystem as you absolutely can. This isn’t cheap, but it’s most certainly a step up from implementing MFA and hoping for the best.

Top security headlines of the week

  • Hold onto your seats – Mirai came in super-hot with a massive 5.6 Tbps DDoS attack. So far, the largest ever recorded. (Hacker News)
  • Here’s some sobering statistics about healthcare data breaches. “Between 2009 and 2023, 5,887 healthcare data breaches of 500 or more records were reported to OCR [sic] Office of Civil Rights. Those breaches have resulted in the exposure or impermissible disclosure of 519,935,970 healthcare records. That equates to more than 1.5x the population of the United States.” (HIPAA Journal
  • Businesses are folding a lot more due to cyber-attacks, and mostly at small and medium-sized businesses, which absolutely jives with what we see at Talos. Ransomware cartels love to target the small business. Cyber Insurance may be the saving grace here. (Bloomberg Law

Can’t get enough Talos?

  • My colleague Martin Lee did an amazing Net Academy series on threat intelligence 101. If you’re a NetAcad member, I highly suggest you watch it! And if not, sign up. It’s free!
  • In running the biggest scam ever, I still get to be on Talos podcasts. Listen to myself and my colleagues discuss crossword puzzles and why Pauly Shore gets a bad rap.

Upcoming events where you can find Talos 

Cisco Live EMEA (February 9-14, 2025) 
Amsterdam, Netherlands

Most prevalent malware files from Talos telemetry over the past week 

SHA 256: 7b3ec2365a64d9a9b2452c22e82e6d6ce2bb6dbc06c6720951c9570a5cd46fe5
MD5: ff1b6bb151cf9f671c929a4cbdb64d86
VirusTotal: https://www.virustotal.com/gui/file/7b3ec2365a64d9a9b2452c22e82e6d6ce2bb6dbc06c6720951c9570a5cd46fe5  
Typical Filename: endpoint.query
Claimed Product: Endpoint-Collector
Detection Name: W32.File.MalParent

 

SHA 256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507
MD5: 2915b3f8b703eb744fc54c81f4a9c67f
VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507
Typical Filename: VID001.exe
Detection Name: Simple_Custom_Detection

 

SHA 256: 47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca
MD5: 71fea034b422e4a17ebb06022532fdde
VirusTotal: https://www.virustotal.com/gui/file/47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca
Typical Filename: VID001.exe
Claimed Product: N/A
Detection Name: Coinminer:MBT.26mw.in14.Talos

 

SHA 256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91
MD5: 7bdbd180c081fa63ca94f9c22c457376
VirusTotal: https://www.virustotal.com/gui/file/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91/details%C2%A0
Typical Filename: c0dwjdi6a.dll
Claimed Product: N/A
Detection Name: Trojan.GenericKD.33515991

 

Cisco Talos Blog – ​Read More