Newsletter compiled by Jon Munshaw.

Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.

We know we’ve kept you waiting for a while, but the new Snort Resources page is finally here. We’ve got new and improved documentation, but our most exciting feature is the new Snort 101 video series. In these short tutorials, you’ll learn everything you need to know about configuring Snort 2 and 3, and they even dive a little bit into rule writing. Head over to the Snort blog for more.

If you’re hanging out at RSA, what better way to escape the crowds for a few minutes than slinking off to listen to the new Beers with Talos episode. It’s shorter than usual, but we’ve still got plenty of talk of vulnerability research and software licenses.

And, as always, we have the latest Threat Roundup where we go through the top threats we saw — and blocked — over the past week.

Upcoming public engagements

Event: Cisco Live Australia
Location: Melbourne Convention & Exhibition Centre, Melbourne, Australia
Date: March 3 - 6
Speakers: Nick Biasini
Synopsis: Cisco Talos specializes in early-warning intelligence and threat analysis necessary for maintaining a secure network. People responsible for defending networks realize that the security threat landscape is constantly in flux as attackers evolve their skills. Talos advances the overall efficacy of all Cisco security platforms by aggregating data, cooperating with teams of security experts, and applying the cutting-edge big data technology to security. In Nick's talk at Cisco Live, he will perform a deep analysis of recent threats and show how Talos leverages large datasets to deliver product improvements and mitigation strategies.

Event: “Everyone's Advanced Now: The evolution of actors on the threat landscape” at Interop Tokyo 2020
Location: Makuhari Messe, Tokyo, Japan
Date: April 13 - 15
Speakers: Nick Biasini
Synopsis: In the past, there were two clear classes of adversary an enterprise would face: sophisticated and basic. These basic threats were commodity infections that would require simple triage and remediation. Today, these commodity infections can quickly turn into enterprise-crippling ransomware attacks, costing organizations millions of dollars to recover. Now more than ever, organizations need every advantage they can get — and threat intelligence is a big part of it. Having visibility into your own environment and attacks around the globe are equally vital to success. This talk will cover these trends and show how the gap between the sophisticated and the basic adversary is quickly disappearing.

Cyber Security Week in Review

  • Cisco announced the new SecureX security platform at the RSA conference earlier this week. The new product aims to simplify the patching process by bringing multiple products under one interface.
  • The actors behind the DoppelPaymer ransomware launched a new site that they say will be used to post the information of victims who do not pay the requested extortion payment. There are already vague references to four different victims along with the information the actors stole.
  • Verizon became the latest company to pull out of the RSA conference right before the conference was slated to begin earlier this week. Several security vendors have cited concerns over travel and coronavirus fears.
  • Several security experts at RSA urged American election officials to switch to paper ballots for voting. Members of a panel suggested that technology be used as a check to audit voting results rather than the first line of defense.
  • More than 120 million employees and customers of French sporting goods company Decathlon had their information leaked. An unsecured server contained information including email addresses and employee contracts.
  • An attacker stole the information of more than 200,000 people connected to the Defense Information Systems Agency. The agency is responsible for overseeing communications between the White House and other defense agencies.
  • Huawei says it is still open to licensing its 5G technology to an American company. Huawei, a large Chinese tech company, is still locked in a battle with the American government over cyber security concerns.
  • Google released a patch for its Chrome web browser that fixes a type confusion vulnerability in its V8 engine that was being used in the wild. This is the third zero-day discovered in Chrome in the past year.
  • The U.S. Department of Justice is hoping to pass legislation to force tech companies to help them decrypt users’ devices if they are involved in a criminal case. Companies like Apple have rebuked multiple asks from the U.S. Attorney General’s office to unlock iPhones in the past.

Notable recent security issues

Title: ObliqueRAT spreads via malicious documents
Description: Cisco Talos has observed a malware campaign that utilizes malicious Microsoft Office documents (maldocs) to spread a remote access trojan (RAT) we're calling "ObliqueRAT." These maldocs use malicious macros to deliver the second-stage RAT payload. Network-based detection, although important, should be combined with endpoint protections to combat this threat and provide multiple layers of security. According to Talos researchers, ObliqueRAT has connections to the adversaries behind the CrimsonRAT discovered last year.
Snort SIDs: 53152 - 53163

Title: Multiple vulnerabilities in Cisco Data Center Network Manager
Description: Cisco Data Center Network Manager contains a privilege escalation vulnerability and a cross-site request forgery vulnerability. Cisco disclosed the high-severity vulnerabilities late last week. In the case of the privilege escalation vulnerability, a successful exploit could allow an attacker to interact with the Network Manager's API with administrator-level privileges.
References: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200219-dcnm-priv-esc
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200219-dcnm-csrf
Snort SIDs: 53171 - 53176

Most prevalent malware files this week