Newsletter compiled by Jon Munshaw.

Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.

As long as COVID-19 is in the headlines (which is going to be a long time), actors are going to try to capitalize on it. We fully expect to see a rise in spam related to the economic assistance package passed by the U.S. government.

In non-virus-related news, we also have a new overview of the Trickbot banking trojan. This family has been around for a while, but we’ve recently seen a spike in distribution related to the aforementioned COVID-19 campaigns. What does Trickbot look like? And what are some best practices to defend against it? We run through all that here.

And, as always, we have the latest Threat Roundup where we go through the top threats we saw — and blocked — over the past week.

Upcoming public engagements

Event: “Everyone's Advanced Now: The evolution of actors on the threat landscape” at Interop Tokyo 2020
Location: Makuhari Messe, Tokyo, Japan
Date: June 10 - 12
Speakers: Nick Biasini
Synopsis: In the past, there were two clear classes of adversary an enterprise would face: sophisticated and basic. The basic threats were commodity infections that required only simple triage and remediation. Today, these commodity infections can quickly turn into enterprise-crippling ransomware attacks, costing organizations millions of dollars to recover. Now more than ever, organizations need every advantage they can get — and threat intelligence is a big part of it. Visibility into your own environment and into attacks around the globe are equally vital to success. This talk will cover these trends and show how the gap between the sophisticated and the basic adversary is quickly disappearing.

Cyber Security Week in Review

  • U.S. Congressional leaders are pushing for more states to go to a vote-by-mail system during the ongoing COVID-19 pandemic. Some states and local governments may even dip into cyber security grant funds to establish these services.
  • Major tech companies have been gearing up to defend the upcoming General Election in the U.S. But over the past four years, as defenders have been on the lookout for misinformation campaigns, attackers have been changing just as quickly.
  • A new phishing campaign attempts to lure victims by falsely claiming that they’ve been exposed to COVID-19. The emails contain a document that asks the user to enable macros, and if they do, the macros download malware.
  • Cyber security incidents are up across the board. Representatives with the World Health Organization and the U.S. Department of Health and Human Services say hospitals, non-governmental organizations and testing labs have all been targeted with various attacks.
  • So-called “Zoombombers” are taking advantage of the rising popularity of video conferencing app Zoom. These attacks see malicious users hop onto random calls, then share their screen or microphone to shout racial slurs and display other harmful and inappropriate content.
  • Meanwhile, Zoom says it will put a 90-day freeze on developing new features so that it can focus solely on fixing security bugs. The service has gone up from 10 million users in December to 200 million currently.
  • Forty-two million users of a third-party version of the popular Telegram messaging app had their information exposed. Security researchers discovered an unprotected server containing phone numbers and Telegram usernames.
  • Several popular online gambling sites went down for several days this week after a cyber attack on the SBTech platform. The cyber intrusion came just as SBTech was preparing to merge with popular Daily Fantasy Sports site DraftKings.
  • Several tech companies around the globe are developing apps that would help track the spread of COVID-19. However, many of them present security and privacy risks.
  • More than 4,000 apps on the Google Play store silently track a list of all the apps a user has installed on their device. A new report states these companies then turn around and build a profile for the user to sell to advertisers.

Notable recent security issues

Title: Zyxel devices exploited by critical vulnerability, now patched
Description: A variant of the Mirai botnet, known as Mukashi, targeted vulnerable Zyxel network-attached storage devices. CVE-2020-9054 was assigned a critical rating of 9.8 out of 10 and has since been patched. Attackers can exploit this vulnerability to compromise a device and then launch additional distributed denial-of-service attacks and attach the malware to specific TCP ports.
Snort SIDs: 53495, 53496, 53507 – 53510

Title: Ransomware families launch new sites to publish stolen data
Description: Attackers behind several different ransomware families are creating websites where they say they will publish information stolen in attacks if the victims do not pay the requested extortion payment. Malware like Sodinokibi, Nemty and DoppelPaymer are following the lead of the actors behind the Maze ransomware, who launched a similar site in early March. Cisco Talos released new Snort rules this week to prevent the Sodinokibi ransomware from being downloaded onto targeted machines.
Snort SIDs: 53511, 53512