
Welcome to this week’s Threat Source newsletter.
There’s a fairly cliché phrase in cybersecurity that I’m sure our audience is familiar with: Attackers only need to be right once, whereas defenders need to be right 100% of the time.
I guess it captures the asymmetry of this industry, but I’ve never been entirely comfortable with the phrase because it assumes cybersecurity is a game of perfection. One mistake and it's over.
I’ve been watching a lot of Wimbledon this week, as I have done since childhood. In fact, I believe my first words were, “C’mon Tim!” (For our non-U.K. audience, I’m referring to tennis player Tim Henman, who made four Wimbledon semi-finals in the late 90s and early 2000s and has a hill in the Wimbledon grounds named after him).
Of the “big three” (or the “big four” if you’re Scottish), my favourite was always Rafa Nadal, but I have to admit there’s no one who could deliver a one-handed backhand quite like Roger Federer. I bet that when he swats at a fly, the fly apologises and claps its wings.
As I saw him sitting in the Royal Box entirely on his own this week, watching tennis out of pure love of the game while everyone else scoffed their strawberries and cream in the comfort of hospitality, I remembered the commencement speech he gave at Dartmouth a couple of years ago. He told the students that, across his entire career, he won 80% of his matches.
But of all the total points he played, he won 54% of them.
Tennis is a long game (no one can tell you that more than Novak Djokovic and Felix Auger Aliassime who just played the longest quarter final in Wimbledon’s history last night). And, mathematically in tennis, you can lose more points and overall games than your opponent and still win the match. Which point you win matters more than the total amount of points you win.
If you go to the IBM SlamTracker right now, you’ll see all sorts of stats around when players choose to attack, how often they successfully convert those attacking positions into points, and how often they win points they looked destined to lose (the “steal” score).
Tennis is hundreds of small decisions: When to attack, when to defend, when to be patient, when to let the point develop. Not all of those decisions pan out because, well, you’re playing against an opponent who’s also making decisions within the point… and not a brick wall.
In the SOC, it’s also about making thousands of judgement calls, using whatever hand you’re dealt. And with more context, you’re able to know your environment better and make better decisions. You can test more assumptions and follow a hypothesis that might lead somewhere, or nowhere at all.
Because that’s the job, and perfection is a myth.
The one big thing
Cisco Talos’ latest findings on the China-nexus threat actor UAT-7810 shows they are expanding their Operational Relay Box (ORB) networks with a fresh suite of custom malware. The group exploits known vulnerabilities in unpatched Ruckus and ASUS routers to deploy new tools, including the upgraded "LONGLEASH" and "DOGLEASH" backdoors. UAT-7810 builds these covert networks to provide infrastructure for other APT groups to launch attacks against high-value targets.
Why do I care?
ORB networks create a massive blind spot. They allow secondary threat actors to mask their origins and route malicious traffic through seemingly innocuous nodes. By compromising edge devices like wireless routers, UAT-7810 builds a highly evasive, decentralized proxy network that easily bypasses traditional perimeter defenses. The active development of sophisticated, multi-platform tools like LONGLEASH shows this group is heavily investing in making their infrastructure incredibly resilient and hard to dismantle.
So now what?
Because UAT-7810 relies on exploiting n-day vulnerabilities, defenders must ensure all edge devices, particularly Ruckus and ASUS routers, are fully patched. Monitor network traffic for unusual proxying behavior or unauthorized connections on devices that typically lack complex services. The blog post has a complete list of IOCs to help detect and block this malware suite.
Top security headlines of the week
The “first” AI-run ransomware attack still needed a human
Researchers at cloud security firm Sysdig said they’d documented the first known case of “agentic ransomware.” (The encryption was non-reversible — essentially a wiper, not ransomware.) A human provided compromised credentials, provisioned the command-and-control server, the staging server used for the stolen data, chose a victim, and more. (TechCrunch)
AirDrop and Quick Share flaws let nearby attackers trigger crashes and bypass checks
Two researchers have found six security flaws in AirDrop and Quick Share. An attacker within wireless range, with just a laptop and no prior connection, can crash the sharing service on a Mac or iPhone set to receive from anyone, with no tap or prompt. (The Hacker News)
Hidden backdoor in Tenda router firmware grants admin access
A hidden authentication backdoor has been found in multiple Tenda router firmware versions, potentially allowing an attacker to gain administrative access to the device's web management panel. According to the CERT Coordination Center, the issue remains unfixed because the maker couldn't be reached. (BleepingComputer)
State IDs for AI agents: Will Estonia set a precedent?
Estonia's government will soon assign official government ID numbers to AI agents. The point is to enable organizations and individuals to use AI when engaging government systems, but in a way that's limited and auditable. (Dark Reading)
Can’t get enough Talos?
Space pirates, Living Off Trusted Services, and Bill declares food war
The team discusses how Living Off Trusted Services (LOTS) differs from Living Off the Land (LOTL) (and Lord of the Rings (LOTR]), why trusted services create new detection challenges, and what defenders should be monitoring.
ARToken: Inside an EvilTokens affiliate panel targeting Microsoft 365
Talos has identified "ARToken," a phishing-as-a-service platform that targets Microsoft 365. The ARToken panel exposes 80+ API endpoints for device code phishing, Primary Refresh Token persistence, email access, BEC operations, and SharePoint exfiltration.
Martin Lee: Running through the Arctic (and the threat landscape)
Ever wonder how someone goes from studying human viruses to leading cybersecurity teams? How about running through the Arctic for fun? In this Humans of Talos you get to hear from Martin and that’s ALWAYS worth pulling up a seat.
Upcoming events where you can find Talos
- Black Hat USA (Aug. 1 – 6) Las Vegas, NV
- DEF CON 34 (Aug. 6 – 9) Las Vegas, NV
Most prevalent malware files from Talos telemetry over the past week
SHA256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507
MD5: 2915b3f8b703eb744fc54c81f4a9c67f
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507
Example Filename: VID001.exe
Detection Name: Win.Worm.Coinminer::1201**
SHA256: 621c6d42409e8aa423684827b4375a35684c71c600f2dd9101f235e8ec633488
MD5: 9b512ba139304c247ddd3d2c4b9179fd
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=621c6d42409e8aa423684827b4375a35684c71c600f2dd9101f235e8ec633488
Example Filename: 9b512ba139304c247ddd3d2c4b9179fd.exe
Detection Name: W32.HEUR:Attribute.28iy.1201
SHA256: 9896a6fcb9bb5ac1ec5297b4a65be3f647589adf7c37b45f3f7466decd6a4a7f
MD5: 38de5b216c33833af710e88f7f64fc98
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=9896a6fcb9bb5ac1ec5297b4a65be3f647589adf7c37b45f3f7466decd6a4a7f
Example Filename: SECOH-QAD.exe
Detection Name: Win.Tool.Procpatcher::1201
SHA256: afc8a00883a4ea07df2dc1d4ed02f8a23b35c9456413b438a2d9ce3ae5076638
MD5: cc4d231df34e57f59eb970353c7d9de2
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=afc8a00883a4ea07df2dc1d4ed02f8a23b35c9456413b438a2d9ce3ae5076638
Example Filename: sample.exe
Detection Name: PUA.Win.Tool.Kmsactivator::1201
Source: FSecure
Source Link: https://blog.talosintelligence.com/winning-54-of-the-time/