Great Scott, I’m tired

Welcome to this week’s edition of the Threat Source newsletter. 

“Back to the Future” is 40 years old this year, and at the risk of giving away sensitive information to an audience of hackers… so am I. 

I don’t really know what 40 is supposed to feel like. Honestly, I don’t feel all that different from my 20s, with two key exceptions: One, I care a whole lot less about what people think of me. And two, my trainer recently stopped mid-set to ask, “Was that your knee making that sound?” 

I’ve always loved “Back to the Future” (mommy issues aside). For my 30th birthday, I threw a BTTF-themed party. Guests had to dress for either 1955, 1985 or 1885. (2015 was also allowed, but only if you wore two ties.) 

But watching the documentary “Still” recently gave me a whole new appreciation for what Michael J. Fox went through to make it happen. 

Because he was still under contract with “Family Ties,” and because the original Marty had been fired five weeks into filming, Fox had to shoot both projects at the same time. He’d wrap “Back to the Future” at 2:00 a.m., sleep in the back of a car, then be on set for the sitcom a few hours later. 

In “Still,” he talks about mixing up lines between scripts, barely functioning from exhaustion and constantly fearing a call from his agent saying he wasn’t doing a good job. The pressure. The pace. The fear he was messing it up. Fox himself admits the experience nearly broke him. But he kept showing up, because people were counting on him. 

Sound familiar? 

That “I can’t stop, people are relying on me” mindset is something I see a lot in this industry. We care about the mission. We care about our teams. We don’t want to give the adversary any opportunity.  

So we say yes. We log back in. We fix the thing no one else will notice, but we know it matters. 

Fox’s schedule and resultant exhaustion weren’t the only issues behind the scenes of “Back to the Future.” The “What Went Wrong” podcast (a favourite of mine) recently covered the mishaps and difficulties, from the DeLorean doors constantly jamming shut, to having to change the entire ending. The film was originally supposed to climax at a nuclear test site, with Marty manufacturing a time machine out of a fridge.  

That ending was axed as the producers were concerned children would copy the idea and get trapped in fridges. Thankfully, Steven Spielberg (a producer on the film) would use the concept 20 years later in “Indiana Jones and the Kingdom of the Crystal Skull” to huge success. Ahem.  

So much about the making of “Back to the Future” was fraught and uncertain. But what we, the audience, saw was pure delight. And that’s the thing — what looks effortless on the surface is often the result of long hours, unfair compromises, and the kind of behind-the-scenes effort that nobody ever sees. 

I want to echo the thoughts of my colleague Joe from last week’s newsletter: Burnout is brutal, and it takes no prisoners. Trying to be there for everyone and everything all the time is unsustainable. And (trust me on this one), the longer we put off taking care of ourselves, the harder and longer the recovery.  

Creating boundaries is one of the best things we can do for ourselves. So, this week, whether you’re coordinating an incident, researching something cool, supporting your team or just trying to be a functioning human, give yourself a moment. Identify your boundaries. Move them closer if you need to.  

In fact, write down just one thing that will help you decompress this week, and do that thing, whether that’s less screen time, a short walk after dinner or playing a game.  

Just… give yourself permission, okay? As Doc Brown says: 

“The future is whatever you make it. So make it a good one.”

The one big thing 

Cisco Talos uncovered a new PlugX malware variant targeting telecom and manufacturing sectors in Central and South Asia since 2022, using the same sneaky tactics as the RainyDay and Turian backdoors. These threats abuse legitimate software and share unique technical fingerprints, suggesting they’re the work of the same or closely linked attackers. The campaign shows a high level of sophistication and ongoing risk for targeted industries. 

Why do I care? 

If your organization is in telecom or manufacturing, especially in Central or South Asia, you’re squarely in the crosshairs of advanced attackers using updated, evasive malware that can compromise your systems, steal data and lurk undetected for years. 

Even if you’re in a different industry, attackers are getting smarter at hiding in plain sight and any organization could be at risk if these tactics spread. 

So now what? 

Double down on security controls. Make sure your endpoint, email and network protection solutions are up to date, review your defenses against DLL hijacking and stay alert for new updates.

Top security headlines of the week 

Microsoft fixed Entra ID vulnerability allowing Global Admin impersonation 
Microsoft rolled out a global fix on July 17, just three days after the initial report and later added further mitigations that block applications from requesting Actor tokens for the Azure AD Graph. (HackRead)

U.S. Secret Service dismantles imminent telecommunications threat in New York tristate area 
The U.S. Secret Service dismantled a network of electronic devices located throughout the New York tristate area that were used to conduct multiple telecommunications-related threats directed towards senior U.S. government officials. (U.S. Secret Service)

European airport disruptions caused by ransomware attack  
ENISA said the type of ransomware involved in the attack has been identified and law enforcement is conducting an investigation. The cyberattack hit services provided by US-based Collins Aerospace, which is owned by RTX (formerly Raytheon). (SecurityWeek)

ChatGPT targeted in server-side data theft attack 
The attack, dubbed ShadowLeak, targeted ChatGPT’s Deep Research capability, which is designed to conduct multi-step research for complex tasks. OpenAI neutralized ShadowLeak after notification. (SecurityWeek)

Attackers abuse AI tools to generate fake CAPTCHAs in phishing attacks 
The fake CAPTCHA pages redirect victims to malicious websites hosted by the attackers. The apparent routine security check makes the malicious link appear more legitimate to the victim and helps bypass security tools. (Infosecurity Magazine)

SystemBC malware turns infected VPS systems into proxy highway 
The operators of the SystemBC proxy botnet are hunting for vulnerable commercial virtual private servers (VPS) and maintain an average of 1,500 bots every day that provide a highway for malicious traffic. (Bleeping Computer)

Can’t get enough Talos? 

The TTP: Threat Hunter’s Cookbook 
Hear from Ryan Fetterman and Sydney Marrone from the SURGe team (now part of Cisco’s Foundation AI group), who wrote the Threat Hunter’s Cookbook: a collection of practical “recipes” security teams can pick up and apply. 

Engaging Cisco Talos Incident Response 
You’ve called Talos IR about a cyber incident — now what happens? This blog post takes you behind the scenes of a Talos IR engagement, from picking up the phone to recovery and implementation of long-term security improvements. 

Tampered Chef: When malvertising serves up infostealers  
Imagine downloading a PDF Editor tool from the internet that works great… until nearly two months later, when it quietly steals your credentials. Nick Biasini explains how cybercriminals are investing in malvertising and challenges in defense.

Upcoming events where you can find Talos 

Most prevalent malware files from Talos telemetry over the past week 

SHA256: d933ec4aaf7cfe2f459d64ea4af346e69177e150df1cd23aad1904f5fd41f44a  
MD5: 1f7e01a3355b52cbc92c908a61abf643  
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=d933ec4aaf7cfe2f459d64ea4af346e69177e150df1cd23aad1904f5fd41f44a  
Example Filename: cleanup.bat  
Detection Name: W32.D933EC4AAF-90.SBX.TG 

SHA256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
MD5: 2915b3f8b703eb744fc54c81f4a9c67f  
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
Example Filename: 0a0dc0e95070a2b05b04c2f0a049dad8_1_Exe.exe  
Detection Name: Win.Worm.Coinminer::1201 

SHA256: 57a6d1bdbdac7614f588ec9c7e4e99c4544df8638af77781147a3d6daa5af536  
MD5: 79b075dc4fce7321f3be049719f3ce27  
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=57a6d1bdbdac7614f588ec9c7e4e99c4544df8638af77781147a3d6daa5af536 
Example Filename: RemCom.exe  
Detection Name: W32.57A6D1BDBD-100.SBX.VIOC 

SHA256: 1e9efd7b2b70a21b49395081f8d70d5e500539abb51a4dd079ffb746f59e43a1  
MD5: 45f586861cc745a6b29a957fdbc03645  
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=1e9efd7b2b70a21b49395081f8d70d5e500539abb51a4dd079ffb746f59e43a1 
Example Filename: cleanup.bat  
Detection Name: W32.1E9EFD7B2B-90.SBX.TG 

SHA256: 96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974  
MD5: aac3165ece2959f39ff98334618d10d9  
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974  
Example Filename: 96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974.exe  
Detection Name: W32.Injector:Gen.21ie.1201
