Newsletter compiled by Jon Munshaw.
Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.
Despite tensions starting to fizzle between the U.S. and Iran, people are still worried about cyber conflict. What would that even look like? Is it too late to start worrying now, anyway? That’s the main topic of the latest Beers with Talos podcast.
You should probably know this already, but you should actually never count out any type of cyber threat. Despite the declining popularity of virtual currencies, we are still seeing adversaries who want to hijack victims’ computing power to farm them. Take Vivin, for example. The latest cryptominer actor we discovered has been active since 2017, and is just getting started with its malicious activities in 2020.
Over at the Snort blog, you’ll want to keep an eye out for some changes we have coming to Snort.org. We’ll spare you the details for now, but please bear with us if the search function isn’t working correctly for you or you see anything else wonky on the site.
And, as always, we have the latest Threat Roundup where we go through the top threats we saw — and blocked — over the past week.
Upcoming public engagements
Event: Talos Insights: The State of
Cyber Security at Cisco Live Barcelona
Location: Fira Barcelona, Barcelona, Spain
Date: Jan. 27 - 31
Speakers: Warren Mercer
Synopsis: Cisco Talos specializes in early-warning intelligence and threat analysis necessary for maintaining a secure network. We are responsible for defending networks realize that the security threat landscape is constantly in flux as attackers evolve their skills. Talos advances the overall efficacy of all Cisco security platforms by aggregating data, cooperating with teams of security experts, and applying the cutting-edge big data technology to security. In this talk, we will perform a deep analysis of recent threats and see how Talos leverages large datasets to deliver product improvements and mitigation strategies.
Event: A World of Threats: When DNS becomes the new weapon for governments at
Swiss Cyber Security Days
Location: Forum Fribourg, Granges-Paccot, Switzerland
Date: Feb. 12 - 13
Speakers: Paul Rascagnères
Synopsis: In this presentation, Paul will present two threat actors Cisco Talos has been tracking who are manipulating the DNS system. On Jan. 22, 2019, the U.S. DHS published a directive concerning this attack vector. We will present the timeline for these events and their technical details. One of the actors is behind the campaign we named “Sea Turtle.” This actor is more advanced and more aggressive than others we’ve observed in the past. They do not hesitate to directly target registrars and one registry. The talk will break down these two actors and the methodology used to target the victims.
Cyber Security Week in Review
Notable recent security issuesTitle: Microsoft cryptogrophy vulnerability lingers after Patch Tuesday
Description: The U.S. National Security Agency released a warning late last week, urging users to update their Microsoft products as soon as possible to fix a vulnerability in its cryptographic certificate-signing function. Attackers could use this bug to sign a program, and make it appear as if it is from a trusted source, without the user ever knowing about the adversary’s actions. A security researcher was even able to create a proof of concept “Rick Rolling” the NSA’s website to display a popular internet meme. The NSA’s statement says that it believes “the vulnerability to be severe and that sophisticated cyber actors will understand the underlying flaw very quickly and, if exploited, would render the previously mentioned platforms as fundamentally vulnerable.”
Snort SIDs: 52617 - 52619
Title: Emotet continues to grow, spike in spam to start off 2020
Description: Emotet continues to infect individuals and organizations all over the world, but Cisco Talos recently discovered a new relationship between Emotet and the .mil (U.S. military) and .gov (U.S./state government) top-level domains (TLDs). When Emotet emerged from its summer vacation back in mid-September 2019, relatively few outbound emails were seen directed at the .mil and .gov TLDs. But sometime in the past few months, Emotet was able to successfully compromise one or more persons working for or with the U.S. government. As a result of this, Talos saw a rapid increase in the number of infectious Emotet messages directed at the .mil and .gov TLDs in December 2019.
Snort SIDs: 51967-51971, 52029