Good afternoon, Talos readers.

We recently decided to replace our use of the terms "blacklist" and "whitelist" with "block list" and "allow list.” Even though these terms are commonly in use in the security industry, we will not go along with casually assigning positive connotations to "white" while assigning negative connotations to "black.”

Elsewhere, we have new episodes of Beers with Talos and Talos Takes up. Check them out on our podcasts page or download them on your favorite podcast app.

Upcoming public engagements

Event: “Help! We need an adult! Engaging an external IR team” at DFIR Summit & Training 2020
Location: Streaming online
Date: July 16 - 25
Speakers: Liz Waddell
Synopsis: Too often, the decision to bring in a third-party forensic team occurs when an incident has reached crisis level. As an Incident Commander for such a team, Liz has seen many people handle this crisis engagement well, and others – not so much. This presentation will prepare you for what happens when you need additional surge support. We will discuss what to expect during the engagement “how to properly scope and set objectives with your firm, how to prep for both remote and onsite forensics, tool deployment, what data/logs may be asked for and establishing command centers.

Cyber Security Week in Review

  • The BlueKai software, which tracks users' web usage to help serve targeted ads, left a server unprotected on the web. While the vulnerability has since been fixed, anyone could have exploited this server to gain access to millions of records.
  • Adversaries are increasingly requiring users to interact with CAPTCHAs to eventually download their payloads. The goal is to bypass automated detection platforms security researchers use.
  • The U.S. Internal Revenue Service used cell phone location data to try and track down criminal suspects. Investigators paid for access to a commercial database that stored millions of Americans’ mobile device locations.
  • The FBI used Facebook and the online maker space Etsy to track down an arson suspect in the middle of peaceful protests in Minnesota earlier this month. A report later indicated that the FBI was scanning Facebook to look for “potential flashpoints for violence.”
  • A recent survey from IBM uncovered the many security concerns with more Americans working from home during the COVID-19 pandemic. The company found 52 percent of respondents are using their personal computers to work remotely, and 48 percent have not received new security training from their employers.
  • More than 1,600 Google employees wrote a letter to their management asking for the company to stop selling its technology to police departments. “Google is profiting off of these racist systems, and we believe this means Google is part of the problem,” the letter reads.
  • Attackers who steal users’ login credentials to websites are now turning on multi-factor authentication to make it more difficult for the accounts to eventually be recovered. Users are encouraged, as always, to enable multi-factor authentication as soon as possible.
  • A new collection of records called “BlueLeaks” claims to contain thousands of documents from law enforcement agencies. The hacking group Anonymous claims to be behind the leak, which includes memos and financial records of more than 200 state, local and federal police and law enforcement offices.
  • China and Australia continue to trade barbs over accusations that state-sponsored Chinese actors were behind a cyber attack on Australian parliament. The U.S. also supported these claims, denouncing China’s actions.

Notable recent security issues

Title: IndigoDrop spreads via military-themed lures to deliver Cobalt Strike
Description: Cisco Talos has observed a malware campaign that utilizes military-themed malicious Microsoft Office documents (maldocs) to spread Cobalt Strike beacons containing full-fledged RAT capabilities. These maldocs use malicious macros to deliver a multistage and highly modular infection. This campaign appears to target military and government organizations in South Asia. Network-based detection, although important, should be combined with endpoint protections to combat this threat and provide multiple layers of security.
Snort SIDs: 54373 - 54376
Title: Qbot reemerges, goes after American banks
Description: The ever-changing Qbot information-stealing malware is back again and going after U.S.-based banks. Researchers say the malware family has a six-hour cycle that is uses to adapt and avoid detection. Attackers are spreading the malware via phishing emails, publicly reported exploits or malicious file shares. Qbot waits quietly on the victim machine until they visit a bank’s website, and then it activates to steal the users’ login credentials.
Snort SIDs: 54384 - 54387

Most prevalent malware files this week

SHA 256: 8e03f05ecd08cb78f37ccd92c48cd9d357c438112b85bd154e8261c19e38a56e
MD5: 60ba2a4b8ea5982a3a671a9e84f9268c
Typical Filename: Diagnostics.txt
Claimed Product: N/A
Detection Name: Win.Dropper.Shadowbrokers::222044.in02

Keep up with all things Talos by following us on Twitter. Snort, ClamAV and Immunet also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.