Newsletter compiled by Jon Munshaw.

Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.

This month’s Microsoft Patch Tuesday was particularly hefty, with the company disclosing nearly 100 vulnerabilities — three of which Talos researchers discovered. For our complete wrapup, check out the blog post here, and be sure to update your Microsoft products now if you haven’t already.

Over on our YouTube page, we have a new video series we’re debuting called “Stories from the Field” with the Cisco Talos Incident Response Team. In each video, one of our team members will discuss one incident they remember working on and what lessons they took away from it, and what other defenders can learn.

On the research side of things, we have new findings out about a variant of the Loda RAT. We recently discovered that this malware family added several anti-detection features and is targeting victims across the Americas.

And, as always, we have the latest Threat Roundup where we go through the top threats we saw — and blocked — over the past week.

Upcoming public engagements

Event: Cisco Live Australia
Location: Melbourne Convention & Exhibition Centre, Melbourne, Australia
Date: March 3 - 6
Speakers: Nick Biasini
Synopsis: Cisco Talos specializes in early-warning intelligence and threat analysis necessary for maintaining a secure network. People responsible for defending networks realize that the security threat landscape is constantly in flux as attackers evolve their skills. Talos advances the overall efficacy of all Cisco security platforms by aggregating data, cooperating with teams of security experts, and applying the cutting-edge big data technology to security. In Nick's talk at Cisco Live, he will perform a deep analysis of recent threats and show how Talos leverages large datasets to deliver product improvements and mitigation strategies.

Event: “Everyone's Advanced Now: The evolution of actors on the threat landscape” at Interop Tokyo 2020
Location: Makuhari Messe, Tokyo, Japan
Date: April 13 - 15
Speakers: Nick Biasini
Synopsis: In the past, there were two clear classes of adversary an enterprise would face: sophisticated and basic. These basic threats were commodity infections that would require simple triage and remediation. Today, these commodity infections can quickly turn into enterprise-crippling ransomware attacks, costing organizations millions of dollars to recover. Now more than ever, organizations need every advantage they can get — and threat intelligence is a big part of it. Having visibility into your own environment and attacks around the globe are equally vital to success. This talk will cover these trends and show how the gap between the sophisticated and the basic adversary is quickly disappearing.

Cyber Security Week in Review

  • The U.S. charged four members of the Chinese military for their involvement in the massive Equifax data breach. Federal prosecutors allege the men hacked into Equifax’s systems and stole the personal information of nearly half of all Americans.
  • Political pundits, security researchers and government officials are still unpacking the Iowa caucus debacle. While a results-reporting app has been largely to blame, there are several factors that went into a heavy delay of the democratic presidential primary results.
  • One factor that may have been involved is a distributed denial-of-service attack on a phone line used to report election results in Iowa. Members of an online forum started an effort to flood the phone line the day of the election, with Iowa Democratic party officials saying they received "an unusually high volume of inbound phone calls to its caucus hotline."
  • But the app used in Iowa isn’t the only new technology making an appearance in this year’s election. The discourse in Iowa is leading other states’ officials to take a closer look at their election systems and whether they have paper backups in place.
  • A cyber group in the Gaza strip may be behind a new string of attacks on Palestinians. Attackers use politically themed documents and emails to lure victims into clicking on malicious links, eventually installing backdoors on their machines.
  • The xHelper trojan on Android devices can even survive a factory reset of the infected device. Instead, users need to scan for specific files on their device and remove them prior to any resets so that the malware does not come pre-installed.
  • Google says new initiatives for its Play store helped block more than 1.9 billion malware infections in 2019. The company says that new scanning policies and stepped-up privacy rules have cut back on malicious apps.
  • A powerful Republican Senator blocked three new election security bills from being introduced to the full chamber. One of the bills would have outlawed voting machines from being connected to the internet, while another two would increase the level of cooperation between the FBI and local voting officials.
  • Iran says it deflected one of the largest cyber attacks in the country’s history. Researchers found that internet access was restricted to roughly 25 percent of all users in Iran during the attack last week for about an hour.

Notable recent security issues Title: 12 critical vulnerabilities fixed in latest Microsoft Patch Tuesday  
Description: Microsoft released its monthly security update today, disclosing vulnerabilities across many of its products and releasing corresponding updates. This month's Patch Tuesday covers 98 vulnerabilities, 12 of which are considered critical and 84 that are considered important. There are also two bugs that were not assigned a severity. This month's patches include updates to the Windows kernel, the Windows scripting engine and Remote Desktop Procol, among other software and features. Microsoft also provided a critical advisory covering updates to Adobe Flash Player.
Snort SIDs: 48701, 48702, 53050 - 53056, 53061, 53072, 53073, 53079 - 53089
 Title: Adobe releases updates for Reader, Flash Player and more
Description: Adobe disclosed 42 new vulnerabilities this week as part of its monthly security update, 35 of which are considered critical. These updates include Acrobat Reader, Flash Player and other Adobe products. Most notable are two bugs in Flash Player and Adobe Framemaker that could allow an attacker to execute arbitrary code on the victim machine.
Snort SIDs: 52331, 52332

Most prevalent malware files this week