Newsletter compiled by Jon Munshaw.

Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.

It’s what — week 5 of this quarantine in the U.S.? Week 6? We’ve lost count. And so did the Beers with Talos guys. But lucky for you, that led to a — shall we say — unique podcast episode.

This week was Microsoft Patch Tuesday. The company disclosed more than 100 vulnerabilities and more than a dozen that were considered critical. We have our complete rundown here, as well as in-depth information on one of the vulnerabilities our researchers discovered.

We also have our latest Incident Response quarterly recap, as we reflect on the major incidents CTIR responded to between November 2019 and January 2020.

And, as always, we have the latest Threat Roundup where we go through the top threats we saw — and blocked — over the past week.

Upcoming public engagements

Event: “Hiding in Plain Sight: Analyzing recent evolutions in malware loaders” at Hack in the Box Security Conference Lockdown Livestream
Location: Streaming live on YouTube
Date: April 25 - 26
Speakers: Holger Unterbrink and Edmund Brumaghin
Synopsis: Over the past year, Talos observed a significant increase in the volume and variety of malware loaders being distributed worldwide. Rather than leveraging malvertising and extensive TDS infrastructure, adversaries are now distributing loaders and creating new botnets that can be monetized to perform the spread of malware payloads for criminals seeking to deploy RATs, stealers and banking trojans. This new generation of malware loaders features increased obfuscation, modularization, and maximum flexibility for the operators of these botnets. This talk will describe this recent shift in malware distribution, how these loaders are being leveraged, and how obfuscation and multi-stage delivery is being used to maximize efficiency and evade detection. We will also cover techniques for hunting these loaders in a corporate environment and ways to more easily analyze them.

Event: “Everyone's Advanced Now: The evolution of actors on the threat landscape” at Interop Tokyo 2020
Location: Makuhari Messe, Tokyo, Japan
Date: June 10 - 12
Speakers: Nick Biasini
Synopsis: In the past, there were two clear classes of adversary an enterprise would face: sophisticated and basic. These basic threats were commodity infections that would require simple triage and remediation. Today, these commodity infections can quickly turn into enterprise-crippling ransomware attacks, costing organizations millions of dollars to recover. Now more than ever, organizations need every advantage they can get — and threat intelligence is a big part of it. Having visibility into your own environment and attacks around the globe are equally vital to success. This talk will cover these trends and show how the gap between the sophisticated and the basic adversary is quickly disappearing.

Cyber Security Week in Review

  • Apple and Google say the two companies are working together to create a COVID-19 tracking app that will alert users if they’ve been in contact with someone who’s tested positive for the disease. This location tracking has raised questions over privacy, but the companies say they are prepared to put users’ minds at ease.
  • The Czech government is warning the country’s hospitals that adversaries are preparing to launch cyber attacks in the coming days and weeks. The second-largest hospital in the country was already targeted by a campaign in February.
  • More details have emerged regarding a trojan on Android devices that can reinstall itself. New research suggests a trojan known as Triada reinstalls files on the device even after reboot and even prevents deletion.
  • Adversaries are selling usernames, passwords and email addresses for Zoom users are for sale on the dark web. One data set that recently sold reportedly totaled more than 530,000 accounts.
  • The popular video conferencing app also offered users the ability to choose which countries their calls are routed through. However, the new feature is only available to paid users.
  • Currency exchange firm Travelex paid a multi-million-dollar ransom to attackers earlier this year after a data breach. The firm would later run into additional financial troubles in the U.K.
  • A major Portuguese energy company says attackers are asking for an $11 million extortion payment after a data breach. EDP reportedly was hit with the Ragnar Locker ransomware.
  • Oracle released patches for 405 vulnerabilities across its range of products this week. The Fusion Middleware alone had 49 bugs that could be exploited remotely without authentication.
  • A new report suggests the U.S. Pentagon is far behind on improvements to cyber security. The Department of Defense set three goals five years ago, but none of them have been met yet, according to the Government Accountability Office.

Notable recent security issues Title: Microsoft releases monthly security update
Description: Microsoft released its monthly security update this week, disclosing vulnerabilities across many of its products and releasing corresponding updates. This month's Patch Tuesday covers 113 vulnerabilities. Eighteen of the flaws Microsoft disclosed are considered critical, while one is considered “moderate.” The remainders are scored as being “important” updates. This month’s security update covers security issues in a variety of Microsoft services and software, including SharePoint, the Windows font library and the Windows kernel.
Snort SIDs: 53489 - 53492, 53619 - 53630, 53652 - 53655
 Title: DrayTek routers, switches open to attack
Description: Tech company DrayTek recently patched two zero-day vulnerabilities in some of its routers and switches that could allow malicious actors to monitor traffic and install backdoors on affected networks. DrayTek worked with security researchers to discover the vulnerabilities and active exploitations in December, and patches were made available in late March. Users are encouraged to patch their devices as soon as possible or disable remote admin access.
Snort SIDs: 53591, 53592

Most prevalent malware files this week