Newsletter compiled by Jon Munshaw.

Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.

There’s never been a better time to be into cyber security podcasts. Our Podcasts page on got a facelift this week to make room for our new show, Talos Takes. Now, Beers with Talos and Talos Takes live on the same page, where you can get caught up on your cyber news each week.

During each episode of Talos Takes, our researchers and analysts will boil down a complicated topic into a minutes-long explainer that everyone from your parents to the CEO of your company will understand. You can subscribe to Talos Takes on Apple Podcasts, Spotify, Stitcher and Pocket Casts.

As if that wasn’t enough, we also released a new Beers with Talos episode Friday, where the guys discuss why PowerShell has been so widely used in malware.

And, as always, we have the latest Threat Roundup where we go through the top threats we saw — and blocked — over the past week.

Upcoming public engagements

Event: A World of Threats: When DNS becomes the new weapon for governments at Swiss Cyber Security Days
Location: Forum Fribourg, Granges-Paccot, Switzerland
Date: Feb. 12 - 13
Speakers: Paul Rascagnères
Synopsis: In this presentation, Paul will present two threat actors Cisco Talos has been tracking who are manipulating the DNS system. On Jan. 22, 2019, the U.S. DHS published a directive concerning this attack vector. We will present the timeline for these events and their technical details. One of the actors is behind the campaign we named “Sea Turtle.” This actor is more advanced and more aggressive than others we’ve observed in the past. They do not hesitate to directly target registrars and one registry. The talk will break down these two actors and the methodology used to target the victims.

Event: “Everyone's Advanced Now: The evolution of actors on the threat landscape” at Interop Tokyo 2020
Location: Makuhari Messe, Tokyo, Japan
Date: April 13 - 15
Speakers: Nick Biasini
Synopsis: In the past, there were two clear classes of adversary an enterprise would face: sophisticated and basic. These basic threats were commodity infections that would require simple triage and remediation. Today, these commodity infections can quickly turn into enterprise-crippling ransomware attacks, costing organizations millions of dollars to recover. Now more than ever, organizations need every advantage they can get — and threat intelligence is a big part of it. Having visibility into your own environment and attacks around the globe are equally vital to success. This talk will cover these trends and show how the gap between the sophisticated and the basic adversary is quickly disappearing.

Cyber Security Week in Review

  • Problems with an election results-reporting app led to the delay of Democratic presidential primary results in Iowa this week. Election officials in the state say the app, developed by company Shadow Inc., was not hacked, though security experts say they discovered several flaws in the software that left it open to attack.
  • The Iowa debacle was embarrassing for the Democratic party and the state, since Iowa prides itself on being the first state to host primary elections, setting the stage for the rest of the presidential election. After the mishap, other states are looking into what types of backup plans they need to have in place for their own elections.
  • Amazon CEO Jeff Bezos may have met with FBI investigators as far back as April 2019 regarding the hacking of his iPhone. The interview reportedly took place as part of the FBI’s investigation into the Israeli technology company NSO Group.
  • Gamaredon, an APT with pro-Russian ties, is growing its capabilities. New research shows the group has stepped up its operations so far this year, targeting a larger number of victims and focusing even more on disrupting the Ukrainian government.
  • The EKANS ransomware recently added new capabilities to make it more effective against industrial control services. However, researchers believe the malware’s capabilities are still somewhat primitive.
  • Cargo shipments across Australia are on hold after the logistics company Toll was hit with a ransomware attack. The company says it’s seen no evidence to suggest any personal data was lost.
  • The U.S. government is pushing tech companies and government agencies to develop an alternative to Chinese company Huawei’s 5G service. Huawei’s been locked in a battle with America for years over security concerns.
  • A vulnerability in Google Photos could have allowed anyone to view and download other users’ private videos. Google Takeout, a service that allows users to download archives of their Google data, mistakenly included the wrong videos in some files.
  • Google released the latest update for its Chrome web browser this week, fixing 56 vulnerabilities. The new version also forces more content through HTTPS rather than the less secure HTTP.
  • The NSA’s decision to publicly disclose an urgent bug in Microsoft Internet Explorer could point toward bigger changes for the agency. Traditionally, the NSA has held onto vulnerabilities it discovers that it believes could be used to spy on other state-sponsored actors.

Notable recent security issues Title: NetWire RAT reappears with financial motivations
Description: Security researchers recently discovered a new variant of the NetWire remote access trojan being spread via fake business emails. Attackers are sending supposed invoices from legitimate-looking emails that download the RAT. Once infected, NetWire carries out a series of malicious actions that all appear aimed at stealing users’ financial information and logins. NetWire first emerged in 2012, and has since gone through various iterations across multiple adversaries.
Snort SIDs: 53026 – 53030
 Title: Cisco small business switches open to denial of service attacks
Description: Cisco disclosed two high-severity vulnerabilities in some of its small business switches. An attacker could exploit these vulnerabilities to carry out denial-of-service attacks or obtain sensitive information. The Series Smart Switches, Series Managed Switches and Series Stackable Managed Switches are all vulnerable, though a patch is now available. Cisco said in its vulnerability advisory that it was unaware of the active exploitation of any of these vulnerabilities.
Snort SIDs: 52993 - 52998

Most prevalent malware files this week