Newsletter compiled by Jon Munshaw.
Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.
Despite tensions starting to fizzle between the U.S. and Iran, people are still worried about cyber conflict. What would that even look like? Is it too late to start worrying now, anyway? That’s the main topic of the latest Beers with Talos podcast.
You should probably know this already, but you should actually never count out any type of cyber threat. Despite the declining popularity of virtual currencies, we are still seeing adversaries who want to hijack victims’ computing power to farm them. Take Vivin, for example. The latest cryptominer actor we discovered has been active since 2017, and is just getting started with its malicious activities in 2020.
Over at the Snort blog, you’ll want to keep an eye out for some changes we have coming to Snort.org. We’ll spare you the details for now, but please bear with us if the search function isn’t working correctly for you or you see anything else wonky on the site.
And, as always, we have the latest Threat Roundup where we go through the top threats we saw — and blocked — over the past week.
Upcoming public engagements
Event: Talos Insights: The State of Cyber Security at Cisco Live Barcelona
Location: Fira Barcelona, Barcelona, Spain
Date: Jan. 27 - 31
Speakers: Warren Mercer
Synopsis: Cisco Talos specializes in the early-warning intelligence and threat analysis necessary for maintaining a secure network. We are responsible for defending networks and realize that the security threat landscape is constantly in flux as attackers evolve their skills. Talos advances the overall efficacy of all Cisco security platforms by aggregating data, cooperating with teams of security experts, and applying cutting-edge big data technology to security. In this talk, we will perform a deep analysis of recent threats and see how Talos leverages large datasets to deliver product improvements and mitigation strategies.
Event: A World of Threats: When DNS becomes the new weapon for governments at Swiss Cyber Security Days
Location: Forum Fribourg, Granges-Paccot, Switzerland
Date: Feb. 12 - 13
Speakers: Paul Rascagnères
Synopsis: In this presentation, Paul will present two threat actors Cisco Talos has been tracking who are manipulating the DNS system. On Jan. 22, 2019, the U.S. DHS published a directive concerning this attack vector. We will present the timeline for these events and their technical details. One of the actors is behind the campaign we named “Sea Turtle.” This actor is more advanced and more aggressive than others we’ve observed in the past. They do not hesitate to directly target registrars and one registry. The talk will break down these two actors and the methodology used to target the victims.
Cyber Security Week in Review
Notable recent security issues
Title: Microsoft cryptography vulnerability lingers after Patch Tuesday
Description: The U.S. National Security Agency released a warning late last week, urging users to update their Microsoft products as soon as possible to fix a vulnerability in its cryptographic certificate-signing function. Attackers could use this bug to sign a program and make it appear as if it came from a trusted source, without the user ever knowing about the adversary’s actions. A security researcher was even able to create a proof of concept “Rick Rolling” the NSA’s website to display a popular internet meme. The NSA’s statement says that it believes “the vulnerability to be severe and that sophisticated cyber actors will understand the underlying flaw very quickly and, if exploited, would render the previously mentioned platforms as fundamentally vulnerable.”
Snort SIDs: 52617 - 52619
Title: Emotet continues to grow, spike in spam to start off 2020
Description: Emotet continues to infect individuals and organizations all over the world, but Cisco Talos recently discovered a new relationship between Emotet and the .mil (U.S. military) and .gov (U.S./state government) top-level domains (TLDs). When Emotet emerged from its summer vacation back in mid-September 2019, relatively few outbound emails were seen directed at the .mil and .gov TLDs. But sometime in the past few months, Emotet was able to successfully compromise one or more persons working for or with the U.S. government. As a result of this, Talos saw a rapid increase in the number of infectious Emotet messages directed at the .mil and .gov TLDs in December 2019.
Snort SIDs: 51967-51971, 52029