Newsletter compiled by Jon Munshaw.

Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.

We’ve got more ways than ever for you to get Talos content. We continue to grow our YouTube page with the second entry in the “Stories from the Field” series, this time with Matt Aubert discussing when to get lawyers involved in an incident.

Our podcast family also continues to grow, with new episodes this week of Talos Takes and Beers with Talos.

On the old-fashioned write-up end of things, we have the latest on our research into adversaries’ use of living-off-the-land binaries (also known as “LoLBins”). Recently, we’ve seen a wave of attacks utilizing the Microsoft Build Engine to conduct post-infection activities.

And, as always, we have the latest Threat Roundup where we go through the top threats we saw — and blocked — over the past week.

Upcoming public engagements

Event: Cisco Live Australia
Location: Melbourne Convention & Exhibition Centre, Melbourne, Australia
Date: March 3 - 6
Speakers: Nick Biasini
Synopsis: Cisco Talos specializes in early-warning intelligence and threat analysis necessary for maintaining a secure network. People responsible for defending networks realize that the security threat landscape is constantly in flux as attackers evolve their skills. Talos advances the overall efficacy of all Cisco security platforms by aggregating data, cooperating with teams of security experts, and applying the cutting-edge big data technology to security. In Nick's talk at Cisco Live, he will perform a deep analysis of recent threats and show how Talos leverages large datasets to deliver product improvements and mitigation strategies.

Event: “Everyone's Advanced Now: The evolution of actors on the threat landscape” at Interop Tokyo 2020
Location: Makuhari Messe, Tokyo, Japan
Date: April 13 - 15
Speakers: Nick Biasini
Synopsis: In the past, there were two clear classes of adversary an enterprise would face: sophisticated and basic. These basic threats were commodity infections that would require simple triage and remediation. Today, these commodity infections can quickly turn into enterprise-crippling ransomware attacks, costing organizations millions of dollars to recover. Now more than ever, organizations need every advantage they can get — and threat intelligence is a big part of it. Having visibility into your own environment and attacks around the globe are equally vital to success. This talk will cover these trends and show how the gap between the sophisticated and the basic adversary is quickly disappearing.

Cyber Security Week in Review

  • Several American law enforcement and cyber agencies teamed up to detail a massive campaign by North Korean state-sponsored actors. In all, the entities tracked six different malware samples, linking them to the infamous Lazarus Group.
  • A new report from the Cyber Threat Alliance warns that state-sponsored actors from North Korea, Russia and China could all pose threats to the 2020 Olympics in Japan. Potential attacks include disinformation campaigns and the disruption of key services tied to the games.
  • The U.S. continues to trade barbs with Chinese tech company Huawei. American leaders even went as far as to warn other countries they may end information-sharing agreements if they use Huawei’s 5G technology.
  • A vulnerability in a popular WordPress plugin leaves more than 200,000 sites open to be totally wiped. Remote attackers could send specially crafted to these sites and trigger a wiping function in the plugin.
  • Amazon’s Ring smart doorbell and camera system made two-factor authentication required for all users. The settings change came after months of negative stories in the press regarding hacks of the devices and Amazon’s information-sharing with Facebook and law enforcement agencies.
  • UCLA canceled its plans to install a new facial recognition system after pushback from students. The college planned to integrate the technology with its campus’ security system.
  • Government leaders from the U.S. and England jointly blamed Russia for a cyber attack on the country of Georgia in October. State-run and private websites were taken down in the attack, including one belonging to the Georgian prime minister.
  • An American natural gas pipeline had to be shut down for two days after a ransomware attack. The U.S. Department of Homeland Security has yet to disclose the exact strain of ransomware and the location of the pipeline.

Notable recent security issues Title: Snake/Ekans malware adds new functionality to go after ICS
Description: The Snake ransomware (otherwise known as “Ekans”) has added new capabilities aimed at going after industrial industries. Ekans first emerged in December, but now has a relationship with the MEGACORTEX ransomware that could allow it to spread quickly on ICS systems and even force some services to revert to manual operations. The malware’s code now includes direct references to HMI processes and historian clients that are commonly linked to ICS.
Snort SIDs: 53106, 53107
 Title: Carrotbat malware, Syscon backdoor team up to target federal government
Description: An American federal agency was targeted in late January with a series of phishing emails utilizing a variant of the Carrotbat malware and the Syscon backdoor. Attackers used six unique email attachments in the campaign, all relating to the ongoing strained relationship between the U.S. and North Korea. Security researchers say these attackers are still active, despite the majority of their activity taking place over the summer.
Snort SIDs: 53129 – 53145

Most prevalent malware files this week