Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.

We need to start things off by wishing a Happy Birthday to Beers with Talos! The first episode was released on May 12, 2017. To celebrate, we have a new episode out this week and are working on another “In Between” for next week.

Send in your questions on Twitter to @TalosSecurity to have them answered on the show.

Upcoming public engagements

Event: Cisco Live U.S.
Location: Streaming online
Date: June 2 - 3
Speakers: Craig Williams and Sean Mason
Synopsis: Join the free, virtual Cisco Live U.S. conference. There will be many talks spread across two days. Specific to Talos, Craig Williams of the Outreach team will give an overview of recent threats and provide viewers with an update on Talos’ latest research efforts. Sean Mason, the head of Cisco Talos Incident Response, will also give a separate talk on IR’s advancements over the past year and go over how CTIR can help you prepare for the worst.

Event: “Everyone's Advanced Now: The evolution of actors on the threat landscape” at Interop Tokyo 2020
Location: Streaming on the conference's website
Date: June 10 - 12
Speakers: Nick Biasini
Synopsis: In the past, there were two clear classes of adversary an enterprise would face: sophisticated and basic. These basic threats were commodity infections that would require simple triage and remediation. Today, these commodity infections can quickly turn into enterprise-crippling ransomware attacks, costing organizations millions of dollars to recover. Now more than ever, organizations need every advantage they can get — and threat intelligence is a big part of it. Having visibility into your own environment and attacks around the globe are equally vital to success. This talk will cover these trends and show how the gap between the sophisticated and the basic adversary is quickly disappearing.

Cyber Security Week in Review

  • New research indicates military personnel can be tracked through their check-ins on the popular beer-rating app Untappd. One example showed a list of users who visited the Pentagon.
  • German Chancellor Angela Merkel confirmed she was the target of a spying attempt from a Russian actor. A group reportedly stole emails from her office in 2015.
  • Facial recognition technology is already trying to adapt to the age of coronavirus. Privacy experts believe these pieces of software are using pictures of individuals’ in face coverings to train their algorithms as people across the globe are required to wear them in public.
  • A group of hackers released a jailbreak for iPhones they say works on every version of iOS since 10. A phone case manufacturer has already purchased advertising inside the jailbreak.
  • A bill set to renew several surveillance powers for the federal government is in limbo. The U.S. president asked all Republicans in Congress to vote against the bill, citing an unknown political scandal during the Obama era.
  • Germany and Taiwan have seen the most COVID-19-related spam campaigns of anywhere in the world, according to new research. However, experts indicate that every country is still at risk while more employees are forced to work from home.
  • Qatar’s COVID-19 contact-tracing app leaked the personal details of more than a million users. The government there is threatening jail time to anyone who does not download the app.
  • A Chinese tech company says it's taken steps to eliminate one of the largest botnets in the country. The DoubleGuns trojan reportedly infected millions of victims over the past several years.
  • The infamous Hacking Team IT group is officially dead, according to its founder. Hacking Team was one of the first companies anywhere to develop tools to spy on computers and mobile devices.
  • A newly discovered vulnerability that affects nearly every version of Android could allow adversaries to disguise malicious apps. Researchers are calling Strandhog 2.0 “nearly undetectable.”

Notable recent security issues

Title: Threat actors keep updating the EVILNUM malware to carry out various attacks across the financial sector
Description: The EVILNUM malware family is continuously adding anti-detection techniques as its owners target various organizations in the financial sector. The actors use EVILNUM in conjunction with Cardinal RAT to infect systems. In the past, the actors have targeted organizations in Israel, but researchers say there are no clues to where they may strike next. As of earlier this month, only eight anti-virus detection engines on VirusTotal were detecting this malware.
Snort SIDs: 54040 - 54045
 Title: Adversaries use SaltStack vulnerabilities to go after data centers
Description: Attackers are using two recently disclosed vulnerabilities in the SaltStack automation software to target data centers. Adversaries quickly reverse-engineered the exploits after SaltStack disclosed the bugs. So far, victims have only been hit with cryptocurrency mining malware, but users are still urged to patch SaltStack, an open-source, Python-based software, as soon as possible.
Snort SIDs: 54030 - 54033

Most prevalent malware files this week