Welcome to this week’s edition of the Threat Source newsletter.

I’ve started flying again on a somewhat regular basis now that work conferences and out-of-state vacations are becoming a thing again. I took about 18 months or so off flying during the peak of the pandemic, but now I’ve received by second booster shot of the vaccine and am confident in the ability to acquire N95 masks when I need them.

One thing I didn’t miss about flying at all is the airports themselves — lines upon lines, waiting forever just to check a bag, and having to pay $6 for a cup of coffee from a Subway because that’s the only restaurant that happens to be open at 5 a.m.

There’s certainly a temptation to try to streamline the entire airport process by consolidating your personal information into one app. In Maryland, where I live, they recently rolled out the use of state IDs in Apple Wallet and use them at airports. And American Airlines now has its own travel app where users can consolidate their driver’s license, passports, TSA Pre-Check and more in one place to make flying easier. And other states have pledged to work on going digital with their IDs. But I’m hesitant to be willing to take the security risk with these apps in exchange for just not having to fumble around with a physical ID while I’m waiting in the TSA line. During the COVID-19 pandemic, many states rolled out their own tracking apps to alert users if they’ve potentially been exposed, and eventually to log their vaccination status.

It didn’t take long for bad actors to start taking advantage of these apps. North Dakota’s state-run app almost immediately violated its own terms of service by sending users’ location data and personal information to advertisers. And in Pennsylvania, up to 72,000 people may have had their personal information affected as part of a data leak at a third-party contact-tracing service.

And this could be said for pretty much anything in security, but I simply ask — “What could go wrong?”

I have no doubt the people who create these apps have the best intentions in mind. But when you start adding on layers of bureaucracy, plus the blurred lines that come with governments enlisting third parties to create apps on their behalf, and then bad guys looking into every nook and cranny for their next foothold, there are too many unknowns with these plans.

I certainly see the appeal of being able to always keep digital versions of my ID on my phone. It could probably help me avoid some awkward stares from fellow travelers the next time I’m at the airport as I spend the extra 30 seconds fishing out my boarding pass and ID.

But this has got to be another example of consumers sacrificing privacy for the sake of convenience, and I’m not even sure how much of a convenience they are.

The one big thing

The Transparent Tribe APT just won’t go away. We’ve been tracking this threat actor for more than a year, and now they’re shifting again by targeting college-aged students in India. This group traditionally goes after government organizations and other government-adjacent companies in the region, likely seeking out sensitive information. The attacks resulted in the deployment of CrimsonRAT, Transparent Tribe's malware of choice for establishing long-term access into victim networks.

Why do I care? 

Regardless of whether you’re a potential target for this group, it’s clear that everyone in the security space should be following Transparent Tribe. They’ve gone from a relatively unknown group operating on the Indian subcontinent to an actor we’ve continuously followed and has widened their target scope in recent months. Anyone hit with the group’s signature CrimsonRAT malware could have sensitive information stolen, including the attacker being able to take screenshots, log keystrokes and run certain processes on the endpoint. 

So now what? 

Organizations must always be on the lookout for these types of highly motivated adversaries. In-depth defense strategies based on a risk analysis approach can deliver the best prevention results. However, this should always be complemented by a strong incident response plan that's been tested with tabletop exercises and reviewed and improved every time it's put to the test on real engagements. Additionally, there are several Snort rules and ClamAV signatures that protect against this group’s tactics and tools. 

Other news of note

A group known as Predatory Sparrow is claiming responsibility for a series of cyber attacks on steel facilities in Iran, one of which caused a fire at a plant. Additionally, they group dumped nearly 20 GBs of documents they claim include information connecting the facilities to Iran’s Revolutionary Guard Corps. Predatory Sparrow also launched a Telegram page, where it posted the message, “These companies are subject to international sanctions and continue their operations despite the restrictions. These cyber-attacks, being carried out carefully to protect innocent individuals." Other attacks from the group came in 2021 when they targeted an Iranian railway system and a state-run gasoline distribution center. (CyberScoop, Yahoo!, BBC)

The U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) selected four encryption algorithms it says can withstand threats from quantum computing, with a new standard expected to come in about two years. Current encryption methods are not expected to hold up as other countries develop quantum computing technologies that can break those algorithms. Once the new encryption standards are created, companies will be urged, but not necessarily required, to adopt them. It’s recommended that organizations take inventory of applications that use the current public key encryption standards in preparation for the switch. (VentureBeat, DarkReading, Wired)

Apple released a new Lockdown Mode for its major operating systems that can help victims respond to spyware attacks. If enabled, Lockdown Mode turns off certain functions on the devices that may be vulnerable to attack and remote monitoring, including message attachments, shared photo albums and mobile device management. The announcement comes as more instances of governments using spyware have come to light, targeting high-profile journalists, politicians and activists. Apple is offering a $2 million bug bounty to anyone who can discover a vulnerability in Lockdown Mode. (CNET, Apple)

Can’t get enough Talos?

Upcoming events where you can find Talos

A New HOPE (July 22 - 24, 2022)
New York City

BlackHat U.S. (Aug. 6 - 11, 2022)
Las Vegas, Nevada

DEF CON U.S. (Aug. 11 - 14, 2022)
Las Vegas, Nevada

Most prevalent malware files from Talos telemetry over the past week

SHA 256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507

MD5: 2915b3f8b703eb744fc54c81f4a9c67f

Typical Filename: VID001.exe

Claimed Product: N/A

Detection Name: Win.Worm.Coinminer::1201

SHA 256: e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934  
MD5: 93fefc3e88ffb78abb36365fa5cf857c  Typical Filename: Wextract  
Claimed Product: Internet Explorer  
Detection Name: PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg

SHA 256: bd517b0695921df15586f2e81f970313112d008f52955502194cdf44a227a664

MD5: aa367b2ef077ffd51bf0597237ef513e

Typical Filename: 1302323352.exe

Claimed Product: N/A

Detection Name: W32.DFC.MalParent

SHA 256: 125e12c8045689bb2a5dcad6fa2644847156dec8b533ee8a3653b432f8fd5645

MD5: 2c8ea737a232fd03ab80db672d50a17a

Typical Filename: LwssPlayer.scr

Claimed Product: 梦想之巅幻灯播放器

Detection Name: Auto.125E12.241442.in02

SHA 256: 91e994229a7c8fdd899ce9b961516179da4c41be0818b5f07f07e4f4b4ebf28e

MD5: a7742a6d7d8b39f1a8cdf7f0b50f12bb

Typical Filename: wrsanvs.exe

Claimed Product: N/A

Detection Name: W32.Auto:91e994229a.in03.Talos