Our social media content and promotion are on pause this week as there are more important issues being discussed and other voices that need to be heard. However, we still wanted to provide users with the latest IOCs and threats we’re seeing.

Upcoming public engagements

Event: “Everyone's Advanced Now: The evolution of actors on the threat landscape” at Interop Tokyo 2020

Location: Streaming on the conference's website
Date: June 10 - 12
Speakers: Nick Biasini
Synopsis: In the past, there were two clear classes of adversary an enterprise would face: sophisticated and basic. These basic threats were commodity infections that would require simple triage and remediation. Today, these commodity infections can quickly turn into enterprise-crippling ransomware attacks, costing organizations millions of dollars to recover. Now more than ever, organizations need every advantage they can get — and threat intelligence is a big part of it. Having visibility into your own environment and attacks around the globe are equally vital to success. This talk will cover these trends and show how the gap between the sophisticated and the basic adversary is quickly disappearing.

Event: Cisco Live U.S.
Location: Streaming online
Date: June 15 - 17
Speakers: Craig Williams and Sean Mason
Synopsis: Join the free, virtual Cisco Live U.S. conference. There will be many talks spread across two days. Specific to Talos, Craig Williams of the Outreach team will give an overview of recent threats and provide viewers with an update on Talos’ latest research efforts. Sean Mason, the head of Cisco Talos Incident Response, will also give a separate talk on IR’s advancements over the past year and go over how CTIR can help you prepare for the worst.

Cyber Security Week in Review

  • Hackers targeted the city of Minneapolis’ government over the weekend in response to the death of George Floyd in police custody. Twitter accounts claiming to be related to the Anonymous hacking group were quick to take credit.
  • Some groups even leaked the email addresses of many police officers in the Minneapolis department. But there’s reason to doubt the attribution to Anonymous.
  • Some far-right groups have also used cyber attacks to try and silence Black Lives Matter activists. Many community organizations had their websites targeted by denial-of-service attacks as there’s been an increase in charitable giving and education.
  • Many leaders in cyber security pledged this week to improve diversity in their organizations. Other prominent researchers also promised to help activists using their tech knowledge.
  • Congress is working on new legislation to regulate COVID-19-tracing apps. Lawmakers have concerns about what data the apps would collect and how that information is stored.
  • As more workers return to their offices, companies are using tracking apps to monitor employees’ health and location. Many of the apps ask employees to enter any COVID-19 symptoms they may have and alerts them if they’ve been around someone else who’s tested positive.
  • A new version of the Strandhogg malware could silently steal information off Android devices. The malware only affects version 9 of Android and earlier.
  • GitHub warned users that a malware strain is spreading through Java projects on the site. At least 26 projects on GitHub have been infected with the so-called “Octopus Scanner.”
  • Google disclosed dozens of vulnerabilities in the Android operating system. Among the fixes were patches for two remote code execution vulnerabilities that the company considered critical.
  • Attackers are increasingly using fake resumes to lure victims into downloading trojans and information stealers. The new infection vector comes as more people across the globe are looking for work due to the COVID-19 pandemic.

Notable recent security issues

Title: Fake certificate expiration notices used to plant Mokes malware
Description: Attackers are infecting websites and displaying fake notifications that the site’s certificate is expired. The URL bar still displays the legitimate URL, but a fake image is displayed in the entire window stating that “Security Certificate is out of date.” If the user clicks on a button to download the updated certificate, they are infected with the Buerak downloader and Mokes malware.
Snort SIDs: 54097 - 54106
 Title: Variant of ZeuS malware available for sale online
Description: Attackers are selling a new fork of the infamous ZeuS banking trojan. Known as “Silent Night,” security researchers discovered the malware that appears to date back to November. Silent Night is for sale currently on a Russian dark web forum. It fetches the core malicious module and injects it into other running processes, showing very similar techniques and code to ZeuS.
Snort SIDs: 54093, 54094

Most prevalent malware files this week