Newsletter compiled by Jon Munshaw.

Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.

We hope everyone is staying home (if possible) and staying safe. Unfortunately, the bad guys aren’t going anywhere, so we’re still plugging away remotely. Hasn’t anyone told them we need a break?

COVID-19 is obviously on the top of everyone’s mind. We are working on some new content around working from home and COVID-related malware. In the meantime, go back and read our post from February about attackers trying to take advantage of coronavirus panic.

And, as always, we have the latest Threat Roundup where we go through the top threats we saw — and blocked — over the past week.

Upcoming public engagements

Event: “Everyone's Advanced Now: The evolution of actors on the threat landscape” at Interop Tokyo 2020
Location: Makuhari Messe, Tokyo, Japan
Date: June 10 - 12
Speakers: Nick Biasini
Synopsis: In the past, there were two clear classes of adversary an enterprise would face: sophisticated and basic. These basic threats were commodity infections that would require simple triage and remediation. Today, these commodity infections can quickly turn into enterprise-crippling ransomware attacks, costing organizations millions of dollars to recover. Now more than ever, organizations need every advantage they can get — and threat intelligence is a big part of it. Having visibility into your own environment and attacks around the globe are equally vital to success. This talk will cover these trends and show how the gap between the sophisticated and the basic adversary is quickly disappearing.

Cyber Security Week in Review

  • Attackers are capitalizing on the COVID-19 pandemic, sending out a massive wave of spam and themed malware. The usual advice remains — check your sources; if it’s too good, it probably is; and don’t click on any emails unless you know who sent it.
  • More workers are also working from home than ever. This presents its own set of security risks, including a lack of security resources on home networks and an increasing reliance on cloud storage solutions.
  • Federal officials with the U.S. say they are consistently fighting off cyber attacks seeking to sow fear and doubt during its COVID-19 response. Some experts are already pointing fingers at Russian and Chinese online adversaries.
  • The U.S. Department of Health and Human Services was one of the first targets. Officials said the department’s networks were not affected though the attempted intrusion came at an inopportune time.
  • More Americans may be looking to have a virtual visit with a health care professional during the pandemic to avoid physically entering a doctor’s office. But President Donald Trump’s loosening of rules around those visits opens individuals to a new type of cyber scam.
  • While Congress works on bills to support businesses during the COVID-19 pandemic, there is also a quieter push to give the government a bypass around end-to-end encryption. The sponsors of the bill say it is designed to protect children from being exploited.
  • Cisco patched high-risk vulnerabilities in SD-WAN that could allow an attacker to obtain root privileges. The bugs could open many routers, controller software and network management systems to compromise.
  • Microsoft unintentionally fixed a vulnerability in its Azure cloud platform that could have given attackers access to the target’s cloud services. Researchers believe there was only a two-week window where adversaries could have exploited the bug earlier this year.

Title: Zoho ManageEngine contains remote code execution vulnerability, being exploited in the wild
Description: Attackers are exploiting a remote code execution vulnerability in Zoho ManageEngine in the wild. The bug, identified as CVE-2020-10189, could allow an attacker to deserialize data and then execute arbitrary code on the victim machine with SYSTEM or root privileges. One security researcher discovered 2,300 unprotected instances utilizing ManageEngine.
Snort SIDs: 53433 - 53435

Most prevalent malware files this week