Talos Takes
Every two weeks, host Amy Ciminnisi brings on a new guest from Talos or the broader Cisco Security world to break down a complicated security topic. We cover everything from breaking news to attacker trends and emerging threats.
2025's ransomware trends and zombie vulnerabilities
In this episode, Amy and Pierre Cadieux unpack the ransomware and vulnerability trends that defined 2025. From the persistent ransomware threats targeting the manufacturing sector to the rise of stealthy "living off the land" tactics, we break down what these shifts mean for your defense strategy.
Why are attackers increasingly targeting your management infrastructure? How do you spot the difference between a system admin and a threat actor? Tune in to hear Talos' insights on how to move beyond reacting to threats and start building a more resilient, proactive security posture for the year ahead.
View the 2025 Year in Review here: https://blog.talosintelligence.com/2025yearinreview/
Amy Ciminnisi: Welcome to the Talos Takes Podcast, where we discuss Talos' latest research and security news. This podcast is for everyone, from the C suite to the frontline. Hello everyone, and welcome back to the show. Today we are doing something a little different. We are going to be taking a deep dive into the Talos 2025 Year in Review. I'll put the link to the full report in the show notes. It's been a really busy year in the world of cybersecurity, and today we are looking at the trends that really moved the needle, from ongoing ransomware challenges in manufacturing to vulnerabilities that have been exploited both at lightning speed and those that have stuck around after they should have been patched. I'm joined today by Pierre Cadieux, who is the research lead for threat intelligence and interdiction here at Talos. Pierre, thanks so much for coming on. How are you doing?
Pierre Cadieux: Thanks, Amy. I'm doing great.
Amy Ciminnisi: Wonderful. So we've got a lot to cover, so I'm gonna jump right into our ransomware findings. The report shows that manufacturing is still the most targeted sector. This has been a trend for a very long time now, and we've discussed why at length in previous episodes. It's mainly because manufacturing has a very low tolerance for downtime. They have very tight production schedules and resource requirements. I'm curious what other factors come into play in this? Maybe let's talk about IT and OT.
Pierre Cadieux: There's a lot of interlinking between their operational side of things, where they may have mechanical robots doing automation and manufacturing of actual pieces, and their distribution, shipping, receiving, and payment side. Those two entities usually are separated. Often the mechanical side of things is what we refer to as an operational technology or OT network, and there's often, or there's supposed to be many times, an air gap or some sort of a filter or block between the two. And then the IT network is where they have their purchasing, their shipping, receiving, and all those things that have the logistics of how they get their supplies and materials and how they sell their stuff to their customers. What we were seeing is a couple of things. One, yes, manufacturing has certainly been targeted quite a bit, continuously. They have a low tolerance for downtime, so they're possibly likely to pay. They're gonna really suffer from any sort of interruption to their business cycle. The second thing is we've seen a little bit of a convergence between their IT and OT environments, where classically, I mentioned that air gap and that separation, that's blurring. A lot of times we're seeing applications that span from one to the other, or manufacturing systems that are now reliant on cloud systems or relying on other interconnected systems. And so that increases a different vulnerability and risk exposure that they're not necessarily prepared for, or classically not prepared for. And we certainly see some adversaries targeting OT environments when they have access to it. Obviously, the rule of thumb is that you shouldn't have access to it; those shouldn't be interconnected. But if they are, there are certainly vulnerabilities that are being exploited in that too.
Amy Ciminnisi: Yes, absolutely. So, in terms of ransomware groups that were really active in 2025, Qilin really led the charge. They had an average of 40 victims per month on their data leak site, except for January, when they had less. We'll be talking about that in a few questions. But Akira and Play were also showing really rare staying power. That's really uncommon for these groups. So, what do we know about the tactics or infrastructure or maybe the affiliate models that have allowed these groups to sustain this momentum more than short-lived groups?
Pierre Cadieux: Sure. Qilin certainly has been noticeable in the investigations that we've conducted. We've seen a large spike in Qilin victims, and so we've done a lot of investigation of them over the past year. They've shifted around a little bit, and their actions have been pretty consistent, though. And one of the things to remember about ransomware is that the impact is still there. If someone gets ransomed and their business is down, the victim company has to make some decisions and has to try and recover or possibly negotiate. The effectiveness of these ransomware adversaries is that they're using a tried and true playbook. They're using a process that has been effective, honestly, since 2018. So a lot of these steps and a lot of the attack chain and sequence hasn't really changed significantly since around 2018 or so. There have been different toolings that have been sliced in there to accomplish these different steps, but it still goes from initial access, from traditional account compromise, to lateral movement, deploying of tools, etc. What we've seen a lot of the adversaries move towards is leveraging those living-off-the-land binaries and living-off-the-land tools, like also the vulnerable drivers. And so a combination of those living-off-the-land things becomes a little bit less visible for defenders to be able to see, because those tools are always built in. And we certainly have seen Qilin shift to moving to different kinds of data exfiltration or data theft tools. So instead of copying via some of the tooling they've used before, they've moved to tools like Cyberduck to move data to cloud-hosted systems as well. Play has also been very consistent with regard to the technology that they use, their tactics and techniques. We've also seen, though, Play slightly shifting again towards those living-off-the-land tools.
And that might also align with a slight change in their affiliate program, where they have some new affiliates doing things slightly differently. One of the other things about Qilin is that they also are very good at compensating their associates. So their affiliates and associates that they work with, that do some of the initial brokering for them or later on handle the data selling and such, they are good at sharing that money, which again motivates people. Money is a powerful motivator. It gets them to do this whole thing, and it gets all these other folks to again join them in this journey.
Amy Ciminnisi: Yeah. And now we're seeing, we talked about this in a previous episode, the Talos Year in Review and Splunk Top 50. Bill and Lou were talking about how ransomware groups are even poaching people from other ransomware groups that have gone defunct or things like that. So definitely really interesting how those groups mirror, you know, legitimate business activity as well.
Pierre Cadieux: Yeah. We've certainly seen that over the years, from some of the early-on ransomware adversary groups that have then morphed into other groups and then shifted to other things and changed their tooling or kept their same philosophy. If you look back, a lot of these current groups can trace their lineages back to some of these early groups from, you know, seven, eight years ago.
Amy Ciminnisi: Wow. Yeah. So let's move back to the living-off-the-land binaries. It's really interesting. The top tools in Talos incident response cases were RDP, PsExec, and PowerShell. These are really standard admin tools. How can security teams spot the difference between a systems admin doing their job and an attacker who's using these tools, without accidentally breaking their own operations? It's a really loaded question, I know, but it is.
Pierre Cadieux: Yeah. Well, and that is where context and visibility, knowing what normal looks like, is super important. If you know what normal looks like, who should be logging into which systems at which times, for instance, you can then flag on things that are unknown and then maybe investigate those, or have those elevated to a point where they may be correlated with other information and cause something to be investigated or blocked. It's really difficult, because a lot of these tools are built in and they're part of the operating system. You can be selective about permissions for some of these, especially on systems where it's a larger risk: domain controllers, large interconnected systems like SharePoint servers, and that sort of thing. You can restrict which groups or users can execute these programs. The problem is that most environments don't do that. Application execution control is part of the Active Directory domain capabilities, but it's difficult to manage and becomes maybe a little top-heavy on the administrative side of things to manage, but it can protect you against this kind of thing. Managing your environment, understanding what is installed, who should be accessing it, which systems do what, which ones are exposed to the internet: if you have that visibility, you can likely understand, again, what normal looks like, and then be able to identify those things that are suspicious. It is difficult, and it requires internal awareness of your business, internal awareness of your architecture, and understanding of, again, I've said this like four times now, what normal is. But without that, you don't have the context. You can then start jumping at shadows if you go too far and say everybody who uses PowerShell is obviously malicious. That's inaccurate.
Amy Ciminnisi: Yes. And so going back to a few questions ago, we talked about Qilin and the month of January. It is consistently the quietest month for ransomware, possibly due to, you know, threat actors being online less for regional holidays, things like that. But generally it's a nice bit of breathing room for defenders. Have you seen any organizations actually take advantage of that time to get ahead of the game? And what should teams be prioritizing when things are a bit slower?
Pierre Cadieux: We've certainly seen different slow periods up and down. I was in charge of the incident response team here at Talos for about seven years, and during that time I was able to predict, to a certain extent, some of the peaks and lulls, knowing how our adversaries work. There are certain predictable times, like January. And actually around Orthodox Easter, strangely enough, which is coming up as well. Also usually in July, August, summer break, summer vacation. And then again, there's usually a little bit of a slow time somewhere between November and December. There's a little bit of a bobble where things go down, then they spike right back up again, then they go back down again when we get to January. So knowing those various cycles, you know that there are going to be spikes here and there for one type of adversary group. The thing is, we've got so many different types of adversary groups that defenders have to be prepared for that while one group is taking a break and having a vacation or having a holiday, other groups continue. And so the time for preparation and for retooling and getting things ready is today. It should be done every day. There isn't a time where you should just wait till January and retool it then. You should have your own built-in cycles for how you do that, including rest. Having the time to have some downtime for your team, especially if their responsibility is to defend your infrastructure on a 24/7 basis, is important. Burnout is a real thing, and it does happen to defenders; it happens to everybody. And I'm sure ransomware adversaries get, you know, that's why they take their vacations, because they're also probably a little tired. So it's really important to just have your own internal cycle for balancing your own efficiencies.
Whatever cycle works for you, for the vulnerability scanning, for remediation, for patching, for setting up your defenses, for testing your defenses, we recommend something like a monthly or quarterly cycle for doing certain things, like doing your testing of your incident response plan or testing of your tooling and making sure that you're aware of the latest detections and that sort of thing. Some things require you to be a little more rapid. If there are new vulnerabilities you have to patch immediately, that's gonna break your cycle and it's gonna be accelerated. And if you also have new detections you have to deploy, or new methodologies you have to deploy to detect new things or secure something, that's also going to be one of those things. And then you have the business layer on top of that, or maybe the business wants to push something out sooner and you have to now change your whole cycle to beat that. So again, the reality ends up being a little less clear than having a downtime sign. But the month of January is a good time for everybody to reassess on an annual basis how things went and to plan ahead for the year coming. And so I do see that as being valuable.
Amy Ciminnisi: 100%. Don't let it be like, you know, how people have in their personal lives a New Year's resolution, where you really do it in January and then it kind of dies off in February, March, April. Make sure it's year-round.
Pierre Cadieux: My trick for that is scheduling things. Starting in January, you schedule things on a periodic basis. So you come back to the reminder, it comes up in March. You're like, oh yeah, I scheduled that thing for now. And then you do it.
Amy Ciminnisi: So let's shift into talking about the vulnerabilities section of the year in review. I have said this time and time again on this podcast. We are seeing things like React2Shell and ToolShell being exploited almost the second that they are discovered and disclosed. With that kind of speed, how should defenders decide whether it's, you know, an all-hands-on-deck emergency versus something that can wait? Do you have any examples from this year where triage really paid off?
Pierre Cadieux: Yeah. And so going back to what we were just talking about, having that vulnerability awareness of your environment, the architectural context of your environment, knowing which systems are business critical, which systems are exposed to the internet, which systems have different types of countermeasures or security controls. That helps you understand the mitigations in place when you start looking at a vulnerability on one of those systems. You can say, okay, this ToolShell thing, that's SharePoint. Do we have SharePoint? Yes, we do. Okay. Is it internet facing? Yes or no? That's a big part of it. It shouldn't be, but potentially, and many customers have had a yes. And then if it isn't, what are the controls that we have in place for limiting access to it? What are the roles or accounts that can access it, and how do we authenticate them? You may be okay: the only way to get into the environment is either physical access or you have to have an authenticated VPN connection with multi-factor authentication. Maybe we start looking at those MFA and VPN connections a little bit more closely to see if anybody's trying to come in that's maybe unexpected. And also maybe looking at the logins and the connections to the SharePoint system, making sure that we're looking at how it's done. And then also plan a schedule for testing the deployment of the patches and deploying the patches. And in the worst-case scenario, I'd say you can also isolate systems that are vulnerable that you have no security controls for or no way to patch. You can essentially put up another layer of defense around it to limit access to it. That's something that you should have a technological understanding of how to do. Every application and every system is going to be a little bit different, but we have technology. We should be able to use that to create defenses for us.
And we also have the ability to say, you know what, we're gonna have to patch this now, and we have to pull the trigger and then actually execute a patch. So certainly understanding your environment gives you a better response and understanding for how to secure those things. And that's really the responsibility, again, of those defenders: to know their environment, know what normal is, know their vulnerability exposure, and know their attack surface. What is an attacker from the outside seeing when they scan your network? Do they see that SharePoint system? And if so, take the correct action.
Amy Ciminnisi: Yeah, I'm pretty sure the answer to this one's going to be similar too, but the year in review also talks about zombie vulnerabilities, things like Log4j that just won't go away even years later. 32% of the vulnerabilities that we saw exploited in 2025 are at least a decade old. So why do they stick around for so long in enterprise environments? And realistically, what can companies do to finally clear them out? Is this really also just an asset management problem at its core?
Pierre Cadieux: I'm gonna shortcut that by saying yes, it is. But I'll also give you a little bit of background here. So one of the times when January wasn't quiet for us, by the way, here are some examples: SolarWinds, that happened in December and then bled over into January. Log4j, which also happened in December and then bled over into January and is still happening today. Both of those were things that caused January to become very busy, not necessarily for ransomware adversaries, but for other adversaries who are interested in exploiting those things very dynamically and fast. Those vulnerabilities that stick around: adversaries are generally, just like defenders, lazy, and they're gonna use something that works. So if there's a vulnerability, I remember seeing adversaries exploiting 10-, 15-year-old Linux vulnerabilities on systems, and, you know, exploiting a bad installation of SSH or a bad web server or something like that, just because it was present. When you're scanning, trying to get into an environment, you're not picky about what's gonna work. You're just saying, okay, this will get me in. I'm in. And then you can retool things and whatever else. Having a vulnerability in your environment, again, we talked about the management of your attack surface and that sort of thing. You have to know if you have something in your environment that is vulnerable. This is why the whole concept of creating your internal vulnerability scan, scanning for vulnerabilities, having a patch maintenance cycle, all that stuff is crucial to defending. Adversaries will also scan your environment happily, but they won't tell you; they're just gonna come in and use it. So yeah, it could be that your perimeter looks really nice and secure, but once they get inside, then there are a lot of vulnerabilities. They will still exploit those.
And so if there's code that's existing somewhere on an application that's maybe in development, but it's on a server and it happens to have the vulnerable version of Log4j, they'll happily pop it. And then they'll use it to pivot to other systems. We have seen Log4j come up as part of our investigations probably about once every month or so, or every six months. I do expect that it's gonna continue for probably the rest of my career. I imagine we're gonna see this forever. And we still see other vulnerabilities. I don't have a good list right in front of me right now, but there are definitely vulnerabilities that are old, that are probably eight, 10, 15 years old, that are still exploited. Again, a lot of these are components that get embedded into code and software, software modules, and that sort of thing. So it's not like the operating system hasn't been updated. The application that you rely on has this little snippet of code in there that happens to be vulnerable, and nobody knows it, and it becomes complicated that way.
Amy Ciminnisi: Yes. And I'm taking this from the year in review. About 25% of the vulnerabilities on that top 100 list affect these frameworks and libraries that are used, you know, across the software ecosystem. And that really highlights the risks of these supply chain style attacks. Absolutely. Last question for today. In the year in review, we note that about a quarter of the top network infrastructure CVEs were aimed right at management platforms. So ADCs, VPNs, that kind of thing. Why are some attackers so obsessed with these? And what makes them such a high-value target compared to the rest of the network?
Pierre Cadieux: Yeah. Again, different adversaries focus on different things. A lot of our sort of nation-state adversaries, or adversaries that like to do espionage, like to access these kinds of systems because it provides a lot of information about the architecture and configuration of the environment. So if you have access to an environment that is the management layer for an entire network, now you know their configurations and all the various different things. Now you know their architecture. Now you've got a great place for doing your reconnaissance and gathering information. And perhaps you can also manipulate the settings and manipulate the configuration and deploy tooling of your liking that gives you a backdoor into these systems as well. It also gives you an understanding of how the authentication works and gives you a chance to get in there and become persistent. On the VPN side of things, it is the doorway that you come into to get into a network. So a VPN environment takes the internet traffic and allows you to come into this internal network. If that is not properly secured, it can be trivial to exploit. If it's single-factor authentication, don't do this at home, kids. Please make sure to have multi-factor deployed. We're still talking about that today, but a lot of customers have single-factor VPN still, and so it can be easily exploited, and then it becomes trivial to get credentials and get into an environment, and you can then also, again, create persistence on there as well. Depending on how it's configured, you can certainly have an account or have many accounts that have access that you can then use to connect in again. So we've seen VPNs used as an initial access point for attacks for years. It's still one of the biggest ones, and then adding in this additional dimension of having a way of getting an understanding of the architecture and the settings, configuration, possibly even the vulnerabilities of an entire network.
That's pretty huge. Yeah, and it's scary.
Amy Ciminnisi: Yeah, it's terrifying.
Pierre Cadieux: Yeah.
Amy Ciminnisi: So on that cheerful note, that is a wrap on this episode. We covered a lot of ground today. So, Pierre, thank you so much for joining and helping us make sense of all of this. It's been a pleasure having you.
Pierre Cadieux: Thanks, Amy.
Amy Ciminnisi: No problem. And for our listeners, it doesn't have to stay terrifying. Look into our year in review; see the data for yourself. We also have actionable insights and tips on how to improve your defense posture, given all of these different threats, for the year ahead. So you can find that complete report on our website or in the show notes below. We never gate it. We want this to be as accessible to the security community as possible. You don't have to put in any fake names and email addresses like I used to, you know, to not get spammed. So you can access it right online. Thank you so much for tuning in. We'll catch you on the next episode, where we talk about state-sponsored threats and phishing. Until then, stay safe out there.
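Added illustration of the "know what normal looks like" approach Pierre describes for RDP, PsExec and PowerShell use, and of the triage point about treating domain controllers and SharePoint servers as higher risk. This is example code written for this page, not Talos tooling or anything from the Year in Review. The log line format, the user and host names, the `HIGH_VALUE` host list and the sample events are all constructed assumptions; in practice the baseline would be built from weeks of real remote-logon and process-creation telemetry, not eight lines.

```python
"""Baseline-driven triage of built-in admin tools (RDP, PsExec, PowerShell).

The idea: learn who normally reaches which hosts, from where, with which
tool and at which hours, then flag only deviations from that baseline,
escalating when the destination is a high-value host or the user is unknown.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    src: str   # host the session/tool was launched from
    dst: str   # host being reached
    tool: str  # "RDP", "PsExec" or "PowerShell"


def parse_line(line: str) -> Event:
    """Parse one constructed log line: '<iso-timestamp> <user> <src> <dst> <tool>'."""
    ts, user, src, dst, tool = line.split()
    return Event(datetime.fromisoformat(ts), user, src, dst, tool)


class Baseline:
    """What 'normal' looks like, learned from a window of routine admin activity."""

    def __init__(self, events):
        self.users = set()                # users seen at all
        self.targets = set()              # (user, dst) pairs seen
        self.sources = set()              # (user, src) pairs seen
        self.tools = defaultdict(set)     # user -> tools that user has used
        self.hours = defaultdict(set)     # user -> hours of day that user was active
        for e in events:
            self.users.add(e.user)
            self.targets.add((e.user, e.dst))
            self.sources.add((e.user, e.src))
            self.tools[e.user].add(e.tool)
            self.hours[e.user].add(e.ts.hour)


# Assumed list of hosts where any deviation warrants escalation, not just review.
HIGH_VALUE = {"dc01", "sharepoint01"}


def triage(baseline: Baseline, e: Event):
    """Return (severity, reasons) for one new event: 'ok', 'review' or 'escalate'."""
    reasons = []
    if e.user not in baseline.users:
        reasons.append("unknown-user")
    else:
        if (e.user, e.dst) not in baseline.targets:
            reasons.append("new-target")
        if (e.user, e.src) not in baseline.sources:
            reasons.append("new-source")
        if e.tool not in baseline.tools[e.user]:
            reasons.append("new-tool")
        if e.ts.hour not in baseline.hours[e.user]:
            reasons.append("off-hours")
    if not reasons:
        return "ok", reasons          # matches the learned baseline: do not page anyone
    if e.dst in HIGH_VALUE or "unknown-user" in reasons:
        return "escalate", reasons    # crown-jewel host or identity never seen before
    return "review", reasons          # deviation on an ordinary host: analyst looks at it


# Constructed baseline: a few weeks of routine admin activity.
BASELINE_LOG = """
2025-02-03T09:05:00 alice jump01 fileserv01 RDP
2025-02-03T14:20:00 alice jump01 web01 RDP
2025-02-04T10:12:00 alice jump01 fileserv01 RDP
2025-02-05T09:40:00 alice jump01 web01 PowerShell
2025-02-11T08:02:00 bob admin02 dc01 PsExec
2025-02-11T08:15:00 bob admin02 dc01 PowerShell
2025-02-18T08:05:00 bob admin02 dc01 PsExec
2025-02-25T08:30:00 bob admin02 fileserv01 PowerShell
"""

# Constructed new events to triage against that baseline.
NEW_LOG = """
2025-03-10T09:30:00 alice jump01 fileserv01 RDP
2025-03-10T02:12:00 alice ws-finance07 dc01 PsExec
2025-03-10T08:05:00 bob admin02 dc01 PowerShell
2025-03-10T11:00:00 bob admin02 web01 PowerShell
2025-03-10T13:00:00 svc_backup fileserv01 dc01 RDP
"""


def run(baseline_text: str, new_text: str):
    """Build the baseline from one log and triage every line of the other."""
    base = Baseline(parse_line(l) for l in baseline_text.strip().splitlines())
    out = []
    for e in map(parse_line, new_text.strip().splitlines()):
        severity, reasons = triage(base, e)
        out.append((e.user, e.dst, e.tool, severity, reasons))
    return out


def results():
    return run(BASELINE_LOG, NEW_LOG)


if __name__ == "__main__":
    for row in results():
        print(row)
```

Of the five new events, the two that match the baseline (alice's morning RDP to the file server, bob's patch-window PowerShell to the domain controller) come back `ok`, so ordinary admin work is not paged on. Alice reaching the domain controller with PsExec at 02:12 from a finance workstation she has never used trips four reasons and escalates because the destination is high value; the same four reasons against an ordinary web server would only be `review`. The point of keeping the reasons list is that the analyst sees why the event deviated rather than a bare score.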