Welcome to this week’s edition of the Threat Source newsletter.
The new head of the UK’s National Cyber Security Centre, Richard Horne, recently remarked that there is a “clearly widening gap between, on the one hand, the threat and our exposure to it and, on the other, the defences that are in place to protect us.”
To those of us working in cyber security, the threat is evident. We spend our lives following the actions of threat actors and analysing their new attacks. Our thoughts and actions are rooted in how the threat landscape is evolving. Unfortunately, this is not necessarily the case for those who decide budget allocations.
Nobody wants to suffer a breach, but often security teams are frustrated by competing budget items and the difficulties of explaining complex mitigations to people who may have different priorities and interests.
If keeping informed is one half of the solution to closing the gap, the other is in recognising that we are all human. We’re all trying to do the best that we can with the information that we have available to us. What may be perceived as irrational behaviour by one observer may be the most obvious course of action to another with a different point of view.
Constantly explaining how threat actors are changing and how attacks are evolving is vital to ensure that organisations can maintain a good security posture. Talking about cyber security to different audiences, using the language and metaphors with which they are familiar, is part of the solution in defeating cyber attacks.
If we are to move to a world free from cyber insecurity we must close the gap between threat and defence. This will take communication and understanding, both to communicate the threat and to understand the constraints that decision makers work under. Yet we also need to express and recognise the effort, sometimes heroic, that cyber security teams undertake to keep businesses running and free from breaches.
This is all the more true during the holiday period, when many engineers and analysts are monitoring systems or on-call, keeping the systems running and the lights on, so that others can enjoy the festivities. If this is you, then know that we’re thinking of you.
Hiding the origin and destination of network traffic is vital for the bad guys to cover their tracks and obfuscate their actions. A malicious connection that originates from the same IP space as legitimate employees’ connections is less likely to catch the attention of security teams than one from a distant country. Similarly, exfiltrating data in small chunks to many in-country residential IP addresses is less likely to raise alarms than exfiltrating to a single address.
Cybercriminals are increasingly compromising consumer and IoT devices to build vast networks of proxy systems, enabling them to mask their activities and route malicious traffic through a global pool of hijacked IP addresses.
Why do I care?
Routing malicious traffic through otherwise unsuspicious networks makes identification and attribution of attacks difficult. Owners and operators of compromised systems recruited to act as proxies suffer from reduced performance and the theft of network and CPU resources from their systems.
So now what?
Firstly, ensure that patches are applied, and that default or easy-to-guess credentials are changed, to avoid becoming part of the problem. Apply zero-trust principles: authenticate users via MFA in the context of the time and date of the access and, importantly, verify that the connecting device conforms to policy and is authorised to connect to corporate systems. For full details on how to respond to this threat see the blog post.
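Defenders can also look for the "small chunks to many residential addresses" exfiltration pattern described above. The following is an added example, not code from the newsletter or the Talos blog post it summarises: it aggregates constructed flow records and flags internal hosts (assumed to be 10.0.0.0/8) whose small outbound transfers reach an unusually large number of distinct external addresses; the byte and destination thresholds are assumed values.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumption: the corporate network is 10.0.0.0/8; anything else is external.
INTERNAL = ip_network("10.0.0.0/8")

# Constructed flow records (src,dst,bytes_out); not real telemetry.
SAMPLE_FLOWS = """\
10.0.0.5,198.51.100.11,900
10.0.0.5,198.51.100.23,1200
10.0.0.5,198.51.100.37,800
10.0.0.5,198.51.100.42,1100
10.0.0.5,198.51.100.58,950
10.0.0.5,198.51.100.71,1000
10.0.0.7,203.0.113.20,5242880
10.0.0.9,198.51.100.11,700
10.0.0.9,198.51.100.11,650
10.0.0.9,203.0.113.5,900
"""


def parse_flows(text):
    """Yield (src, dst, bytes_out) tuples, skipping blank or malformed lines."""
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 3:
            continue
        src, dst, size = parts
        try:
            yield src, dst, int(size)
        except ValueError:
            continue


def find_fanout_hosts(text, max_chunk=4096, min_dests=5):
    """Return {src: (distinct_external_dests, total_bytes_out)} for internal
    hosts whose small transfers (<= max_chunk bytes each) reach at least
    min_dests distinct external addresses. Thresholds are assumed values."""
    small_dests = defaultdict(set)
    total = defaultdict(int)
    for src, dst, size in parse_flows(text):
        if ip_address(src) not in INTERNAL or ip_address(dst) in INTERNAL:
            continue  # only internal -> external traffic is of interest
        total[src] += size
        if size <= max_chunk:
            small_dests[src].add(dst)
    return {
        src: (len(dests), total[src])
        for src, dests in small_dests.items()
        if len(dests) >= min_dests
    }
```

A single large upload (10.0.0.7 above) is deliberately not matched by this rule; it is the fan-out of small transfers, not volume alone, that the pattern describes.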
Presidential Elections in Romania hit by Cyber Campaign
The first round of the presidential election in Romania has been annulled by the country’s constitutional court following claims of a foreign influence campaign to sway the vote, and cyber-attacks targeting electoral data.
Secure Criminal Chat System “Matrix” Disrupted by Law Enforcement
The Matrix secure communication system, which offered encrypted messaging to criminals, has been taken down by law enforcement authorities, with millions of messages secured for investigation. This takedown follows similar successes against other criminal messaging systems such as EncroChat, Sky ECC and Ghost.
Wanted Russian Suspected Ransomware Actor Arrested
Authorities in Russia have arrested Mikhail Matveev, an individual wanted in the US in connection with alleged participation in LockBit, Hive and Babuk ransomware attacks. The broader significance of this arrest in Russia is unclear, although it does indicate that tolerance of the actions of cyber criminals located within Russia does have limits.
Cisco Live EMEA (February 9-14, 2025)
Amsterdam, Netherlands