Welcome to this week’s edition of the Threat Source newsletter.

As we hurtle toward the end of another year I get that tightness in my chest – that feeling that I think most, if not all, Threat Source readers get at this time of year. That's right, it’s once again the time of year when no matter what your current role or area of expertise you become tech support for your entire family and anyone they’ve ever met. They will give you unsolvable tech problems and expect holiday miracles. I have no particularly stellar advice that will help you. I have no words of wisdom that will keep you from your pain. I have only this – you aren’t alone. Make sure to take copious notes so that you can regale your workplace associates with the highlights and kick off the new year by putting that pain behind you.

Stay tuned next week for our inaugural Year in Review report!

The one big thing

Cisco Talos Incident Response shared a white paper on the steps organizations should follow to secure any major event. It outlines ten major event preparation focus areas and, for each of them, provides a short checklist so that the different organizations and committees involved can ask the right questions of vendors, suppliers and other event participants. Although the checklist can serve as a useful starting point for most of our readers, the complexity of the problem and the diversity of security requirements will likely require an in-depth analysis to identify all avenues of risk.

Why do I care?

Cisco Talos IR has successfully participated in a number of global events, both at the forefront and in supporting roles, to ensure that threats are contained before they cause major disruption. This white paper draws on that experience to give the reader insight into the challenges, critical aspects and methodologies that can be used to achieve strong cyber security and IR readiness at both the strategic and tactical levels.

So now what?

Ensure that the proper teams read the white paper, follow the blueprint, and are prepared to handle several types of attacks before, during and after the event. Leverage the ten focus areas to help your organization build appropriate security strategies ahead of major events.

Top security headlines of the week

Many endpoint detection and response (EDR) technologies may have a vulnerability that gives attackers a way to manipulate the products into erasing data on the systems where they are installed. Or Yair, a security researcher at SafeBreach, discovered the issue. Security products such as EDR tools run with super-user rights, so abusing them could allow an attacker to wipe almost any file on the system, including system files. Yair disclosed the issue at the Black Hat Europe conference on Wednesday, Dec. 7, having notified the vendors between July and August. Vulnerable products included Microsoft Windows Defender, Windows Defender for Endpoint, TrendMicro ApexOne, Avast Antivirus, AVG Antivirus, and SentinelOne. (Darkreading)

Rackspace has confirmed today that a ransomware attack is behind an ongoing Hosted Exchange outage. Rackspace tweeted: "Since becoming aware of suspicious activity in our Hosted Exchange environment on 12/2, we’ve determined that the isolated disruption is the result of ransomware and our security team is working with a lead cyber defense firm to investigate." The cloud service provider says it will notify customers if it finds evidence that the attackers gained access to their sensitive information. (Bleepingcomputer)

Can’t get enough Talos?

Upcoming events where you can find Talos

CactusCon (Jan 27-28)
Mesa, AZ

Most prevalent malware files from Talos telemetry over the past week

SHA 256:
9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507
MD5: 2915b3f8b703eb744fc54c81f4a9c67f
Typical Filename: VID001.exe
Detection Name: Simple_Custom_Detection

SHA 256:
1077bff9128cc44f98379e81bd1641e5fbaa81fc9f095b89c10e4d1d2c89274d
MD5: 26f927fb7560c11e509f0b8a7e787f79
Typical Filename: Iris QuickLinks.exe
Claimed Product: N/A
Detection Name: W32.File.MalParent

SHA 256:
e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934
MD5: 93fefc3e88ffb78abb36365fa5cf857c
Typical Filename: Wextract
Claimed Product: Internet Explorer
Detection Name: PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg

SHA 256:
125e12c8045689bb2a5dcad6fa2644847156dec8b533ee8a3653b432f8fd5645
MD5: 2c8ea737a232fd03ab80db672d50a17a
Typical Filename: LwssPlayer.scr
Claimed Product: 梦想之巅幻灯播放器
Detection Name: Auto.125E12.241442.in02