Newsletter compiled by Jon Munshaw.

Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.

We’re entering our Year in Review period. Now’s the time to look back on the top stories from 2019 and think about what we learned.

In the vulnerability space, Talos researchers were just as busy as always. We disclosed more than one vulnerability per working day this year, many of which were in internet-of-things and ICS devices. For more on what we can take away from the year in vulnerability disclosures, check out our post here.

Speaking of vulnerabilities, we had many more to add to the yearly count this week. There are too many to name here, but some highlights include a remote code execution bug in Apple’s Safari web browser and a denial-of-service in the Linux kernel.

Microsoft also disclosed its own set of vulnerabilities as part of the last Patch Tuesday of 2019. Check out our breakdown of the most notable bugs here and our Snort rules to protect against exploitation of them here. Talos discovered two of the bugs patched this month, both in Windows Remote Desktop Protocol in older versions of Windows.

Cyber Security Week in Review

  • Adobe released its monthly security update Tuesday, fixing 14 critical vulnerabilities across its suite of products. Among the bugs disclosed are 14 critical vulnerabilities in Adobe Acrobat Reader.
  • A series of news reports this week revealed Ring security cameras are open to serious exploits. In Florida, an attacker took over a Ring’s speaker and shouted racial slurs at the owners. And in Tennessee, another man took over a family’s device after they had owned it for only four days, potentially spying on three young girls and talking to one of them, claiming he was Santa.
  • A new report from the U.S. National Infrastructure Advisory Council warned the White House that a cyber attack on America’s infrastructure poses an “existential threat” to the country. The group also urged U.S. President Donald Trump to take “bold action” to protect ICS systems.
  • A new decryptor from the makers of the Ryuk ransomware may actually damage larger files. The program is meant to help a victim recover their files after paying the proposed ransom.
  • The new “Snatch” ransomware evades detection by rebooting Windows machines mid-infection. The malware forces the victim machine to boot into safe mode and then begins the encryption process.
  • The city of Pensacola, Florida continues to recover from a ransomware attack, just days after a shooting at a local military base. The city’s phone lines, some email services and other online platforms were still down as of Thursday.
  • Iran says it fended off a large cyber attack on unspecified “electronic infrastructure.” One government official said he could not provide specific details on the malware, but called the threat actors “very organized” and “governmental.”
  • U.S. President Donald Trump says he discussed election security with Russian officials during a private meeting this week. Russian Foreign Minister Sergei Lavrov said in a press conference after the meeting Russia has wanted to publish information that would allegedly clear it of any wrongdoing during the 2016 U.S. presidential election, but the U.S. has blocked that release.
  • Apple released the newest version of iOS this week, which provides new security features for Safari. The mobile version of the web browser now supports NFC, USB and Lightning-compliant security keys so users don’t have to rely only on passwords.
  • A new feature in Google Chrome will alert users if their login credentials were exposed in a data breach. Each time the user logs into a site using the browser, it will check those credentials against a database of known leaked information.

Notable recent security issues

Title: Microsoft discloses two critical bugs as part of monthly security update
Description: Microsoft released its monthly security update today, disclosing vulnerabilities across many of its products and releasing corresponding updates. This month's Patch Tuesday covers 25 vulnerabilities, two of which are considered critical. This month’s security update covers security issues in a variety of Microsoft services and software, including Remote Desktop Protocol, Hyper-V and multiple Microsoft Office products.
Snort SIDs: 52402, 52403, 52410, 52411, 52419, 52420
Title: AMD ATI Radeon ATIDXX64.DLL shader functionality sincos denial-of-service vulnerability
Description: Cisco Talos recently discovered a denial-of-service vulnerability in a specific DLL inside of the AMD ATI Radeon line of video cards. This vulnerability can be triggered by supplying a malformed pixel shader inside a VMware guest operating system. Such an attack can be triggered from VMware guest user mode to cause an out-of-bounds memory read in the vmware-vmx.exe process on the host, or theoretically through WebGL.
Snort SIDs: 51461, 51462 (By Tim Muniz)

Most prevalent malware files this week