Newsletter compiled by Jon Munshaw.

Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.

Our newest research post focuses on the Aggah campaign. Threat actors are pushing Aggah to victims via malicious Microsoft Word documents, eventually using the infection to install Agent Tesla, njRAT and Nanocore RAT. Here’s what to be on the lookout for, and what you can do to fend off these attacks.

And, as always, we have the latest Threat Roundup where we go through the top threats we saw — and blocked — over the past week.

Upcoming public engagements

Event: “Everyone's Advanced Now: The evolution of actors on the threat landscape” at Interop Tokyo 2020
Location: Makuhari Messe, Tokyo, Japan
Date: June 10 - 12
Speakers: Nick Biasini
Synopsis: In the past, there were two clear classes of adversary an enterprise would face: sophisticated and basic. These basic threats were commodity infections that would require simple triage and remediation. Today, these commodity infections can quickly turn into enterprise-crippling ransomware attacks, costing organizations millions of dollars to recover. Now more than ever, organizations need every advantage they can get — and threat intelligence is a big part of it. Visibility into your own environment and visibility into attacks around the globe are equally vital to success. This talk will cover these trends and show how the gap between the sophisticated and the basic adversary is quickly disappearing.

Cyber Security Week in Review

  • Microsoft patched a vulnerability in its Teams application that could allow an attacker to scrape account information with a specific GIF. Teams has become increasingly popular as more employees work from home and rely on video and text chat for communication.
  • The World Health Organization says it’s seen a five-fold increase in cyber attacks targeted toward its staff. The organization said there were hundreds of emails leaked online connected to workers responding to the COVID-19 pandemic.
  • The American and Australian governments both released warnings that state-sponsored threat actors should not be targeting the health care sector. Citing international cyber laws, the countries issued the statements after the Czech Republic reported its largest COVID-19 testing lab was hit with an attack.
  • U.S. lawmakers are pushing for additional funding for the College of Information and Cyberspace, a component of the National Defense University, as the college inches closer toward closing. There are concerns that the closure of the college could lead to a workforce shortage.
  • A group of apps on the Google Play store has been spreading malware since 2018. The apps have since been removed, after researchers notified Google.
  • Sophos warned users of a vulnerability in its firewall that could allow an adversary to inject malicious SQL code. The company said it does not believe any attackers were able to steal information by exploiting the bug.
  • Adobe patched 21 critical vulnerabilities in its Illustrator and Bridge programs. Illustrator specifically contained five memory corruption vulnerabilities that could allow an adversary to gain remote code execution abilities.
  • Microsoft Office 365 added a new feature that makes it more difficult for phishing scams to be successful. Users can now edit, print and copy Office documents without exiting “Protected Mode,” which usually prevents the docs from executing malicious code.
  • A new poll suggests fewer than half of Americans would be open to downloading coronavirus-tracking software. Apple and Google are currently developing a service that would alert users if they’ve been in contact with anyone who’s tested positive for COVID-19, information that governments say is key before reopening economies.

Most prevalent malware files this week