Newsletter compiled by Jon Munshaw.

Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.

We have an early holiday present for you! This week, we introduced a new podcast to the Talos family. Talos Takes, a new short-form show, takes listeners through a quick breakdown of a particular topic or security news story, with our Talos spin. The first three episodes are available now on the Talos podcasts page, and on the Beers with Talos feed. In 2020, we’ll give Talos Takes its own feed you’ll be able to subscribe to.

Not to be overshadowed, there is also a new Beers with Talos episode available just in time for your holiday road trip. This week’s episode features special guest Joe Marshall from the Talos Outreach team, who brings his expertise on IoT and ICS security to the table.

To wrap up the year, we released a blog post running through the top malware and cyber news stories of 2019. This post is a perfect place to look back on all the major research we put out this year.

Cisco’s annual winter shutdown begins next week, so this will be the last Threat Source newsletter until Jan. 9. See you in 2020!

Cyber Security Week in Review

  • The city of New Orleans declared a State of Emergency days after it was hit with a cyber attack. Many government services went down, although emergency services like 911 were not impacted. Local officials say they’ve engaged the FBI to assist with their recovery and an investigation into the attack.
  • Meanwhile, the city of Pensacola, Florida is still recovering from its own ransomware attack. The city brought in an outside firm to investigate what kind of malware its systems were hit with and provide recommendations on how to recover.
  • Congress approved $425 million in funding to improve America’s election security. But some lawmakers and security experts say it’s too little, too late, to protect the 2020 presidential election.
  • G Suite is banning the use of what it considers “less secure” apps. Beginning in June 2020, Google will no longer allow apps that authenticate with only a username and password to sign in to a Google Account; only apps that authenticate with OAuth tokens, which Google considers secure, will be allowed.
  • Ring security cameras continue to come under fire after a series of negative headlines about the service’s security. The service is missing several key security features, including alerts when a user logs into the account from an unknown IP address or when multiple users are signed into an account at the same time.
  • In response to many of these stories, Amazon, the company behind Ring, said many of these hacks are the result of users relying on insecure username and password combinations. They also recommended opting into two-factor authentication.
  • Canadian lab testing company LifeLabs says it recently suffered an attack that compromised 15 million individuals’ personal information and paid a ransom to retrieve that data. Representatives from the company say they believe that paying the ransom ensures the compromised data will not be used in additional attacks.
  • Google released an emergency update for its Chrome web browser after a bug appeared that wiped data from other Android apps. Chrome 79 mistakenly cleared information from apps that are completely unrelated to Chrome, including the Finance app.
  • Microsoft released an out-of-band security update for SharePoint. CVE-2019-1491 could allow an attacker to obtain sensitive information, and then use that information in additional attacks.

Notable recent security issues

Title: New malware-as-a-service family targets tech, health care companies
Description: The new Zeppelin malware is targeting health care and tech companies in the U.S. and Europe. Researchers believe Zeppelin is a variant of the ransomware-as-a-service family known as Vega. While Vega started out earlier this year targeting Russian-speaking victims, researchers believe the malware could now be in a new adversary’s hands, since it is targeting users elsewhere. Zeppelin is highly configurable and can be deployed as an EXE, a DLL, or wrapped in a PowerShell loader.
Snort SIDs: 52451 – 52453 (By Nicholas Mavis)
Title: Gamaredon attacks spread to Ukrainian journalists, law enforcement agencies
Description: A well-known APT is expanding its pool of targets, now going after journalists and law enforcement agencies in Ukraine. The group, which is believed to have Russian ties based on the language used in its malware, previously went after Ukrainian military and government agencies. There are also new TTPs associated with this group, including the use of template injection in its malware.
Snort SIDs: 52445 - 52448 (By Joanne Kim)
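The template injection mentioned above is, in the Office-document form usually meant by that term, a Word file whose settings part carries an attachedTemplate relationship pointing at a remote URL, so Word fetches the template (and whatever it carries) when the document opens. The following is an added example, not Talos code and not taken from any Gamaredon sample: it constructs minimal .docx files in memory, one clean and one with an external template relationship, and then scans a document for relationships that would make Word reach out over the network. The sample file contents, the `build_docx` helper and the treatment of a local template path as benign are this example’s own assumptions.

```python
import io
import re
import zipfile

# Relationship type Word uses for an attached (.dotm) template, per the OOXML spec.
ATTACHED_TEMPLATE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
)
RELS_PART = "word/_rels/settings.xml.rels"


def build_docx(template_target=None):
    """Construct a minimal .docx in memory (constructed sample, not a real maldoc).

    If template_target is given, a settings.xml.rels part is added whose
    attachedTemplate relationship points at it with TargetMode="External",
    which is the shape a remote template injection takes.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/settings.xml",
                   '<w:settings><w:attachedTemplate r:id="rId1"/></w:settings>')
        if template_target is not None:
            z.writestr(RELS_PART, (
                "<Relationships>"
                f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
                f'Target="{template_target}" TargetMode="External"/>'
                "</Relationships>"))
    return buf.getvalue()


# Good-enough tokenizers for relationship XML; a real scanner would use an XML parser.
REL_RE = re.compile(r"<Relationship\b([^>]*)/?>", re.S)
ATTR_RE = re.compile(r'(\w+)="([^"]*)"')


def find_external_templates(docx_bytes):
    """Return every external attachedTemplate target found in the document's
    word/*.rels parts, i.e. the locations Word would load a template from."""
    targets = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not (name.startswith("word/") and name.endswith(".rels")):
                continue
            xml = z.read(name).decode("utf-8", "replace")
            for m in REL_RE.finditer(xml):
                attrs = dict(ATTR_RE.findall(m.group(1)))
                if (attrs.get("Type") == ATTACHED_TEMPLATE
                        and attrs.get("TargetMode") == "External"):
                    targets.append(attrs.get("Target", ""))
    return targets


def is_remote_template_injection(docx_bytes):
    """Flag a document whose attached template lives on a web server or a UNC share.

    A local path (for example a Normal.dotm under the user's profile) is a normal
    attachedTemplate target and is deliberately not flagged here (assumption).
    """
    remote = re.compile(r"(?i)^(https?://|\\\\)")
    return any(remote.match(t) for t in find_external_templates(docx_bytes))


if __name__ == "__main__":
    for label, target in [("clean", None),
                          ("local template", "file:///C:/Users/u/Templates/Normal.dotm"),
                          ("remote template", "http://example.invalid/t.dotm"),
                          ("UNC template", r"\\10.0.0.5\share\t.dotm")]:
        doc = build_docx(target)
        print(f"{label:16} -> {is_remote_template_injection(doc)}")
```

Because the relationship lives in the zip container rather than in a macro, this check catches documents that contain no VBA at all, which is the point of the technique; it is a triage heuristic, not a substitute for fetching and inspecting the template itself.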

Most prevalent malware files this week