Newsletter compiled by Jonathan Munshaw.

Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.

No one really likes talking about election security. It’s a sticky subject, costs lots of money and doesn’t come with an easy fix. But that doesn’t mean the conversation shouldn’t happen.

With another presidential election just around the corner, we decided to take up the topic and examine the approach a potential attacker may take to disrupting a democratic election. Matt Olney took a deep dive into their psyche here, and wrote about what may happen in a real-life attack scenario.

He and the rest of the Beers with Talos crew broke down these scenarios more in this week’s Beers with Talos episode, too.

We also have our weekly Threat Roundup, which you can find on the blog every Friday afternoon. There, we go over the most prominent threats we’ve seen (and blocked) over the past week.

Upcoming public engagements with Talos Event: "DNS on Fire" at Black Hat USA
Location: Mandalay Bay, Las Vegs, Nevada
Date: Aug. 7
Speaker: Warren Mercer
Synopsis: In this talk, Warren will go over two recent malicious threat actors targeting DNS protocol along with the methodology used to target victims, timeline, and technical details. The first is a piece of malware, "DNSpionage," targeting government agencies in the Middle East and an airline. The second actor, more advanced and aggressive than the previous one, is behind the campaign we named “Sea Turtle.”
Event: “It’s never DNS...It was DNS: How adversaries are abusing network blind spots” at SecTor
Location: Metro Toronto Convention Center, Toronto, Canada
Date: Oct. 7 - 10
Speaker: Edmund Brumaghin and Earl Carter
Synopsis: While DNS is one of the most commonly used network protocols in most corporate networks, many organizations don’t give it the same level of scrutiny as other network protocols present in their environments. DNS has become increasingly attractive to both red teams and malicious attackers alike to easily subvert otherwise solid security architectures. This presentation will provide several technical breakdowns of real-world attacks that have been seen leveraging DNS for a variety of purposes such as DNSMessenger, DNSpionage, and more.

Cyber Security Week in Review

  • Facebook confirmed in its latest earnings report that it reached a $5 billion settlement with the U.S. Federal Trade Commission over data privacy violations, the largest fine in the history of the U.S. over online privacy. The social media network also said it would create “a comprehensive new framework for protecting people’s privacy.”
  • Attackers are using file-sharing network WeTransfer to bypass email security. Security researchers have discovered multiple attacks where malicious actors are sending emails to users with a WeTransfer link that leads to an HTM or HTML file redirecting to a phishing landing page.
  • Former FBI special counsel Robert Mueller warned that Russia made multiple attempts to disrupt the 2016 presidential election. During Congressional testimony, Mueller said "They're doing it as we sit here, and they expect to do it during the next campaign."
  • Certain LG and Samsung phones are open to an attack that could allow a malicious user to listen in on conversations. The attacks exploit the devices’ accelerometer to eavesdrop on any audio played through the speaker.
  • The U.S. Federal Trade Commission fined Equifax up to $700 million over a 2016 data breach. However, privacy advocates and some lawmakers say the punishment doesn’t go far enough.
  • The latest round of security updates from Apple fixes a critical flaw in the Apple Watch’s walkie talkie app that could allow an attacker to listen in on conversations. There were also fixes to vulnerabilities in the iOS operating system.
  • U.S. Attorney General William Barr stepped up his fight against encryption, saying tech firms “can and must” put backdoors on their devices to bypass encryption. Barr argued that encryption allows criminals to operate unnoticed and can stall law enforcement agencies’ investigations.
  • The National Security Agency says it is working on a cybersecurity directorate that aims to align America’s offensive and defense cyber capabilities. The directorate will begin operating on Oct. 1 under the direction of Anne Neuberger, who helped establish U.S. Cyber Command.

Most prevalent malware files this week

SHA 256: 6dfaacd6f16cb86923f21217ca436b09348ee72b34849921fed2a17bddd59310
MD5: 7054c32d4a21ae2d893a1c1994039050
Typical Filename:
Claimed Product: N/A
Detection Name: PUA.Osx.Adware.Advancedmaccleaner::tpd
 SHA 256: e062f35810260a1406895acff447e412a8133380807ef3ddc91c70c01bd34b50
MD5: 5a315fdaa14ae98226de43940630b147
Typical Filename: FYDUpdate.exe
Claimed Product: Minama
Detection Name: W32.E062F35810-95.SBX.TG

SHA 256: 3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3

MD5: 47b97de62ae8b2b927542aa5d7f3c858

Typical Filename: qmreportupload.exe

Claimed Product: qmreportupload

Detection Name: Win.Trojan.Generic::in10.talos

SHA 256: 7acf71afa895df5358b0ede2d71128634bfbbc0e2d9deccff5c5eaa25e6f5510

MD5: 4a50780ddb3db16ebab57b0ca42da0fb

Typical Filename: xme64-2141.exe

Claimed Product: N/A

Detection Name: W32.7ACF71AFA8-95.SBX.TG  

SHA 256: 46b241e3d33811f7364294ea99170b35462b4b5b85f71ac69d75daa487f7cf08

MD5: db69eaaea4d49703f161c81e6fdd036f

Typical Filename: xme32-2141-gcc.exe

Claimed Product: N/A

Detection Name: W32.46B241E3D3-95.SBX.TG