Cherry pie, Douglas firs and the last trip of the summer

(Welcome to this week’s edition of the Threat Source newsletter.) 

Diane, 

2:01 p.m., August 21st. I’ve just returned from a remarkable journey through Seattle and the misty roads of the Olympic Peninsula. If you ever find yourself driving beneath those towering Douglas firs or dragged by your partner through the Twilight Museum in Forks, I recommend stopping for a cup of hot, black coffee and a slice of cherry pie at any roadside diner. It’s nothing short of extraordinary.  

But as I navigated the Rialto Beach tidepools (at 5:30 a.m., no less) and moss-laden trees of the Hoh Rainforest, I made a classic misstep: I forgot to connect to Wi-Fi the entire trip. By the time I returned, my high-speed data allowance had vanished into the mist, leaving me puzzled and restarting my cell phone for days — a humbling reminder that even seasoned agents can overlook the basics. 

Travel is a curious thing, Diane. When you’re on the road, it’s easy to let your guard down, become enchanted by the scenery and forget that digital dangers can lurk behind every public Wi-Fi network or seemingly harmless USB charging station. 

As the summer draws to a close and more people venture out of Twin Peaks for those last-minute adventures, I’ve compiled a list of field-tested precautions for the journey ahead, because even professionals need a reminder sometimes: 

  1. Update your devices and back up important data before you leave. If a device is lost, stolen or infected with malware, you’ll still have access to your files. 
  2. Turn off auto-connect features to reduce the risk of connecting to rogue networks or devices. 
  3. Only take what you need. The fewer devices you take, the fewer you have to keep track of and worry about. 
  4. Limit the use of location services on your devices and apps unless necessary. This protects your privacy and reduces the risk of targeted attacks while traveling. 
  5. Steer clear of public computers in hotel lobbies and libraries, especially for accessing sensitive accounts. If you must use them, or if you log in to any streaming services during your stay, don’t forget to log out of your accounts before you leave. 
  6. Public Wi-Fi is convenient, but its security is often questionable. Use a VPN or your phone’s hotspot for a more secure connection. 
  7. Set up device tracking (like Find My iPhone or Find My Device) and know how to remotely wipe your device in case it’s lost or stolen. 
  8. Take a power bank with you to avoid using public USB charging stations. A USB port carries data as well as power, and a tampered station can use those data lines to push malware to your device. 

Diane, the woods are lovely, dark and deep, and so are the digital trails we leave behind. Stay vigilant, stay caffeinated and remember that the best protection is awareness. 

Special Agent Dale Cooper

The one big thing 

Static Tundra, a Russian state-backed group, is exploiting end-of-life and unpatched Cisco network devices through CVE-2018-0171, a vulnerability in the Smart Install feature that was patched seven years ago, to steal data and maintain long-term hidden access in organizations worldwide. Their tradecraft includes persistent implants and bespoke SNMP tooling to exfiltrate data and stay undetected, with a focus on entities of strategic interest to the Russian government. We urge immediate patching, or disabling Smart Install where a device cannot be patched, to prevent compromise. 

Why do I care? 

If your organization runs Cisco devices that have not been patched for CVE-2018-0171, or that are past end of life and will never receive a fix, you could be exposed to undetected intrusion and data theft even though the vulnerability is years old. This risk affects organizations of all sizes and industries, putting sensitive data and business operations in jeopardy. 

So now what? 

Immediately review your network infrastructure for unpatched or end-of-life Cisco devices and apply the available patches, or disable Smart Install where a device cannot be patched or the feature is not needed. Ongoing hardening, regular updates and vigilant monitoring, including of SNMP activity toward your network devices, are critical to defend against this and similar state-sponsored threats.
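As an added example (not Talos or Cisco code), the script below audits a Cisco IOS running-config for the two exposures described above: a Smart Install service that was never turned off, and SNMP communities that are well-known or not bound to an access list. The sample configs are constructed for this example; the hostname, community strings and access-list numbers are made up. It assumes that Smart Install is enabled unless the config carries an explicit `no vstack`, and that an `snmp-server community` line with no trailing access list is reachable from any source address.

```python
"""Audit a Cisco IOS running-config for the exposures in this week's story.

Added example, not Talos or Cisco code. Assumes Smart Install is on unless
`no vstack` appears, and that an SNMP community with no access list is open.
"""
import re

# Constructed sample running-config (not from a real device).
SAMPLE_CONFIG = """\
!
hostname edge-sw01
!
snmp-server community public RO
snmp-server community s3cr3t RW
snmp-server community mgmt RO 10
snmp-server community ro-team RO SNMP-ACL
!
line vty 0 4
 transport input ssh
!
end
"""

# The same device after hardening: Smart Install off, a single read-only
# community bound to access-list 10. Also constructed.
HARDENED_CONFIG = """\
!
hostname edge-sw01
!
no vstack
!
snmp-server community mgmt RO 10
!
end
"""

# snmp-server community <string> [view <name>] [RO|RW] [ipv6 <acl>] [<acl>]
SNMP_RE = re.compile(
    r"^snmp-server community (\S+)(?:\s+view\s+\S+)?\s+(RO|RW)"
    r"(?:\s+ipv6\s+\S+)?(?:\s+(\S+))?$",
    re.IGNORECASE,
)
WEAK_COMMUNITIES = {"public", "private"}


def audit_config(config: str) -> list[dict]:
    """Return one finding dict (check, severity, detail) per problem found."""
    findings = []
    lines = [ln.strip() for ln in config.splitlines()]

    # Smart Install (CVE-2018-0171) listens on TCP/4786 and is on by default on
    # client switches; only an explicit `no vstack` shows it was turned off.
    if "no vstack" not in lines:
        findings.append({
            "check": "smart-install", "severity": "high",
            "detail": "no 'no vstack' line; Smart Install assumed enabled (CVE-2018-0171)",
        })

    for ln in lines:
        m = SNMP_RE.match(ln)
        if not m:
            continue
        community, mode, acl = m.group(1), m.group(2).upper(), m.group(3)
        if community.lower() in WEAK_COMMUNITIES:
            findings.append({
                "check": "snmp-default-community", "severity": "high",
                "detail": f"well-known community {community!r} ({mode})",
            })
        if acl is None:
            # A writable community with no ACL is the worst case: anyone who
            # can reach UDP/161 can change the running config.
            findings.append({
                "check": "snmp-no-acl",
                "severity": "high" if mode == "RW" else "medium",
                "detail": f"community {community!r} ({mode}) has no access list",
            })
    return findings


def count_by_check(findings: list[dict]) -> dict:
    """Summarise findings as {check name: count} for a quick fleet-wide tally."""
    counts = {}
    for f in findings:
        counts[f["check"]] = counts.get(f["check"], 0) + 1
    return counts


if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        found = audit_config(cfg)
        print(f"== {name}: {len(found)} finding(s)")
        for f in found:
            print(f"  [{f['severity']}] {f['check']}: {f['detail']}")
```

Run it against `show running-config` output saved from each device; the hardened config yields no findings, while the sample yields four (the Smart Install default plus three SNMP problems). Disabling Smart Install with `no vstack` is the right move on devices that can no longer be patched, but it does not remove the need to replace end-of-life hardware.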

Top security headlines of the week 

Workday Data Breach Bears Signs of Widespread Salesforce Hack 
Workday said threat actors gained access to a third-party customer relationship management (CRM) system and obtained “commonly available business contact information” such as names, phone numbers, and email addresses. (SecurityWeek)

Novel 5G Attack Bypasses Need for Malicious Base Station 
A team of researchers from the Singapore University of Technology and Design released a framework named Sni5Gect that can be used to sniff messages and perform message injection in 5G communications. (SecurityWeek)

Internet-wide Vulnerability Enables Giant DDoS Attacks 
Researchers from Tel Aviv University have identified a way around the Rapid Reset fix called “MadeYouReset,” raising the possibility that attackers could mount denial-of-service attacks against up to one-third of all websites globally. (Dark Reading)

Threat Actors Allegedly Listed Windows Zero-Day RCE Exploit For Sale on Dark Web 
The threat actor claims it targets fully updated Windows 10, Windows 11, and Windows Server 2022 systems. The sale conditions emphasize exclusivity, prohibiting resale unless explicitly negotiated, which is typical for premium exploits. (Cybersecurity News)

XenoRAT malware campaign hits multiple embassies in South Korea  
The targets were generally European embassies in Seoul and the themes included fake meeting invites, official letters, and event invitations, often sent from impersonated diplomats. (BleepingComputer)

Can’t get enough Talos? 

The art of controlling information 
JJ Cummings leads Talos’ Threat Intelligence and Interdiction team on nation-state security and intelligence. He shares his story, thoughts on burnout and motivation, and advice for anyone looking to join Talos.

Ransomware incidents in Japan during the first half of 2025 
In the first half of 2025, the number of ransomware attacks in Japan increased by approximately 1.4 times compared to the previous year. Read our blog to learn the most recent trends.

Cyber Analyst Series: Cybersecurity overview and the role of the cybersecurity analyst 
A series of videos on the profession of cybersecurity analysts made in conjunction with the Ministry of Digital Transformation of Ukraine for Diia.Education (available in English and Ukrainian languages).

Upcoming events where you can find Talos 

  • BlueTeamCon (Sept. 4 – 7) Chicago, IL 
  • LABScon (Sept. 17 – 20) Scottsdale, AZ 
  • VB2025 (Sept. 24 – 26) Berlin, Germany 

Most prevalent malware files from Talos telemetry over the past week

SHA256: 47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca   
MD5: 71fea034b422e4a17ebb06022532fdde    
VirusTotal: https://www.virustotal.com/gui/file/47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca/details
Typical Filename: VID001.exe    
Claimed Product: N/A    
Detection Name: Coinminer:MBT.26mw.in14.Talos  

SHA256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507
MD5: 2915b3f8b703eb744fc54c81f4a9c67f  
VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507   
Typical Filename: VID001.exe  
Claimed Product: N/A  
Detection Name: Win.Worm.Coinminer::1201 

SHA256: 41f14d86bcaf8e949160ee2731802523e0c76fea87adf00ee7fe9567c3cec610
MD5: 85bbddc502f7b10871621fd460243fbc   
VirusTotal: https://www.virustotal.com/gui/file/41f14d86bcaf8e949160ee2731802523e0c76fea87adf00ee7fe9567c3cec610/details  
Typical Filename: N/A  
Claimed Product: Self-extracting archive  
Detection Name: Win.Worm.Bitmin-9847045-0 

SHA256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91
MD5: 7bdbd180c081fa63ca94f9c22c457376  
VirusTotal: https://www.virustotal.com/gui/file/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91/details  
Typical Filename: IMG001.exe  
Detection Name: Simple_Custom_Detection    

SHA256: 59f1e69b68de4839c65b6e6d39ac7a272e2611ec1ed1bf73a4f455e2ca20eeaa
MD5: df11b3105df8d7c70e7b501e210e3cc3  
VirusTotal: https://www.virustotal.com/gui/file/59f1e69b68de4839c65b6e6d39ac7a272e2611ec1ed1bf73a4f455e2ca20eeaa/details  
Typical Filename: DOC001.exe  
Claimed Product: N/A  
Detection Name: Win.Worm.Coinminer::1201 
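The hash listing above is the kind of block that gets pasted into a blocklist or a hunting query, so it is worth validating before it is used. As an added example (not Talos tooling), the parser below turns entries in that format into records, normalises the inconsistent `SHA256` / `SHA 256` labels, checks hash lengths, and confirms that each VirusTotal link actually points at the file named on the SHA256 line. The sample block is constructed for this example: its first two entries reuse hashes from this newsletter, and the third deliberately pairs one file's SHA256 with another file's VirusTotal link so the consistency check fires.

```python
"""Parse a 'Most prevalent malware files' block into validated IOC records.

Added example, not Talos tooling. The sample below is constructed: entries one
and two reuse hashes from this newsletter; entry three has a mismatched
VirusTotal link on purpose, to show the consistency check.
"""
import re
from urllib.parse import urlparse

SAMPLE_BLOCK = """\
SHA256: 47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca
MD5: 71fea034b422e4a17ebb06022532fdde
VirusTotal: https://www.virustotal.com/gui/file/47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca/details
Typical Filename: VID001.exe
Claimed Product: N/A
Detection Name: Coinminer:MBT.26mw.in14.Talos

SHA 256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507
MD5: 2915b3f8b703eb744fc54c81f4a9c67f
VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507
Typical Filename: VID001.exe
Claimed Product: N/A
Detection Name: Win.Worm.Coinminer::1201

SHA 256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91
MD5: 7bdbd180c081fa63ca94f9c22c457376
VirusTotal: https://www.virustotal.com/gui/file/59f1e69b68de4839c65b6e6d39ac7a272e2611ec1ed1bf73a4f455e2ca20eeaa/details
Typical Filename: IMG001.exe
Detection Name: Simple_Custom_Detection
"""

# Label as it appears on the page (spaces and case ignored) -> record field.
KEY_MAP = {
    "sha256": "sha256", "md5": "md5", "virustotal": "virustotal",
    "typicalfilename": "filename", "claimedproduct": "product",
    "detectionname": "detection",
}
HEX_LEN = {"sha256": 64, "md5": 32}
# VirusTotal file pages look like /gui/file/<sha256>[/details|/detection|...]
VT_PATH = re.compile(r"^/gui/file/([0-9a-fA-F]{64})(?:/[a-z]+)?/?$")


def parse_entry(chunk: str) -> dict:
    """Parse one blank-line-separated entry; problems land in rec['errors']."""
    rec = {"sha256": None, "md5": None, "virustotal": None,
           "filename": None, "product": None, "detection": None, "errors": []}
    for raw in chunk.splitlines():
        key, sep, value = raw.partition(":")  # first colon only: values may contain ':'
        if not sep:
            continue
        field = KEY_MAP.get(re.sub(r"\s+", "", key).lower())
        if field is None:
            rec["errors"].append(f"unknown field {key.strip()!r}")
            continue
        rec[field] = value.strip()

    # Hash hygiene: present, right length, hex only, lower-cased for matching.
    for field, length in HEX_LEN.items():
        value = rec[field]
        if value is None:
            rec["errors"].append(f"missing {field}")
        elif not re.fullmatch(rf"[0-9a-fA-F]{{{length}}}", value):
            rec["errors"].append(f"{field} is not {length} hex characters")
        else:
            rec[field] = value.lower()

    # The VirusTotal link must refer to the same file as the SHA256 line.
    if rec["virustotal"]:
        m = VT_PATH.match(urlparse(rec["virustotal"]).path)
        if m is None:
            rec["errors"].append("VirusTotal URL is not a /gui/file/<sha256> link")
        elif rec["sha256"] and m.group(1).lower() != rec["sha256"]:
            rec["errors"].append("VirusTotal URL hash does not match SHA256 line")
    return rec


def parse_ioc_block(text: str) -> list[dict]:
    """Split the block on blank lines and parse every entry."""
    chunks = [c for c in re.split(r"\n\s*\n", text.strip()) if c.strip()]
    return [parse_entry(c) for c in chunks]


def clean_records(records: list[dict]) -> list[dict]:
    """Only records with no validation errors should reach a blocklist."""
    return [r for r in records if not r["errors"]]


if __name__ == "__main__":
    for rec in parse_ioc_block(SAMPLE_BLOCK):
        status = "ok" if not rec["errors"] else "; ".join(rec["errors"])
        print(f"{rec['sha256']}  {rec['filename']}  {rec['detection']}  -> {status}")
```

Only the records that pass should be exported; the third entry is held back with a clear reason rather than silently shipping a hash that may not belong to the file described.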
