February
- Attackers use a malicious PowerPoint presentation to target members of the Tibetan government in the hope of infecting them with ExileRAT.
March
- Talos discovers a new point-of-sale malware for sale online called “GlitchPOS” that is easy enough to use that anyone could set up their own credit card-skimming botnet.
April
- Talos publishes a list of malicious groups on Facebook using straightforward names that carry out a range of malicious activities, including the sale of credit card data and other malware services.
- A campaign known as “Sea Turtle” expands on the growing popularity of DNS hijacking attacks, spoofing legitimate DNS addresses to target public and private entities, including national security organizations, located primarily in the Middle East and North Africa.
- Yet another DNS hijacking campaign, “Karkoff,” shows that the actors behind DNSpionage are retooling their procedures to avoid detection and improve the efficacy of their operations.
May
- The Qakbot banking trojan evolves to maintain persistence and potentially evade detection.
- Talos discovers “BlackWater,” a trojan that our researchers believed with moderate confidence was associated with the MuddyWater APT.
- A “wormable” Microsoft vulnerability called “BlueKeep” is discovered, leading researchers to believe the Remote Desktop Protocol bug could enable an attack similar to WannaCry. Talos releases new Snort rules to protect against this vulnerability and outlines how to defend against it using Cisco Firepower.
June
- A threat actor merges together multiple open-source projects to install malware on victims’ machines in a campaign Talos called “Frankenstein.”
- Talos publishes the details of the new Spelevo exploit kit, showing that exploit kits aren’t going anywhere.
July
- A wave of RATs and information-stealers use the well-known “Heaven’s Gate” exploit to achieve infection.
- Sea Turtle returns with new DNS hijacking techniques and a growing pool of targets.
- A slew of cities around the U.S., most notably Baltimore, suffer ransomware attacks, causing experts to debate whether it’s ever a good idea for a ransomware victim to pay the extortion demand.
September
- After going quiet over the summer, Emotet returns with a new set of indicators of compromise (IOCs), but the same protections apply as always.
- The Tortoiseshell APT uses a fake hiring website targeted toward U.S. military veterans to infect victims with a malware downloader.
- The ODT file type becomes increasingly popular among attackers, because malware delivered in it can evade traditional detection methods.
October
- A rare iOS jailbreak called “checkra1n” hits the scene, leading some attackers to try to trick users into downloading a tool that they believe will unlock their devices but that actually just installs malware.
- Talos uncovers a group of spyware programs that exist in a legal and moral gray area but that attackers have been using to carry out malicious actions.
November
- The first reports surface of BlueKeep being exploited in the wild, though there is no evidence to suggest it’s part of a broad campaign.