Newsletter compiled by Jon Munshaw.

Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.

Sure, all anyone wants to talk about is coronavirus. But what about cyber security? We’ve still got cool stuff, like this huge write-up on the Bisonal malware and how it’s changed over the past 10 years. While its victimology has always stayed the same, we walk through how its creators have added on new features over time to avoid detection.

There’s also another entry in our Incident Response “Stories from the Field” video series. This time, Matt Aubert discusses ransomware infections he’s seen in the wild and passes on some lessons to you.

And, as always, we have the latest Threat Roundup where we go through the top threats we saw — and blocked — over the past week.

Upcoming public engagements

Event: “Everyone's Advanced Now: The evolution of actors on the threat landscape” at Interop Tokyo 2020
Location: Makuhari Messe, Tokyo, Japan
Date: April 13 - 15
Speakers: Nick Biasini
Synopsis: In the past, there were two clear classes of adversary an enterprise would face: sophisticated and basic. These basic threats were commodity infections that would require simple triage and remediation. Today, these commodity infections can quickly turn into enterprise-crippling ransomware attacks, costing organizations millions of dollars to recover. Now more than ever, organizations need every advantage they can get — and threat intelligence is a big part of it. Having visibility into your own environment and attacks around the globe are equally vital to success. This talk will cover these trends and show how the gap between the sophisticated and the basic adversary is quickly disappearing.

Cyber Security Week in Review

  • The U.S. Federal Communications Commission proposed new fines against wireless carriers that sell customers’ location information $200 million. T-Mobile faces the highest fine at $91 million.
  • Two Chinese nationals face new charges of helping a North Korean state-sponsored actor steal millions of dollars of cryptocurrency. The U.S. Justice Department said it believes the two men funneled money stolen in cryptocurrency mining campaigns and then sent the money back to North Korea to help pay in part for additional malicious cyber capabilities.
  • The Super Tuesday round of presidential primaries in the U.S. went off without a publicly disclosed cyber attack, though several questions remain before November’s general election. Election officials are still being encouraged to use paper ballots, and state-sponsored actors may still be saving their best efforts.
  • Facebook’s new “Off Facebook Activity” tracking feature allows users to see what apps are receiving their personal information, even when they’re not using Facebook. One reporter discovered that more than 60 health apps were sharing her information with the social media site, including prescriptions and menstrual cycles.
  • T-Mobile is warning customers that it recently suffered a data breach, and that some users’ information may be affected. Individualized text messages are telling customers if their financial information was accessed, and if so, T-Mobile is offering a free two years of identity theft protection.
  • American intelligence officials warned members of the Senate of potential security concerns with the popular social media app TikTok. One FBI official even went as far to say that the app is “basically controlled by a state-sponsored actor.”
  • Netgear disclosed a critical bug in its popular Nighthawk line of wireless routers that could allow a remote attacker to take complete control of the device. The company also released fixes for 21 medium-severity vulnerabilities and two of high severity.
  • The U.S. pledged to send $8 million to Ukraine to help bolster its cyber defenses. The two countries met this week to discuss security, after which the Americans agreed to invest a total of $38 million over the coming years.
  • A Chinese cyber security company accused the CIA for an 11-year hacking campaign against the country. Qihoo 360 says Americans targeted the Chinese aviation and oil industries, as well as some government agencies.

Notable recent security issues Title: Details of new Mozart malware family unveiled
Description: A new malware family known as “Mozart” uses DNS to communicate with a command and control seemingly belonging to its creators. It also evades detection by disguising itself and executing specialized JSScript files. Once infected, Mozart can download other types of malware onto the victim machine, including ransomware and cryptocurrency miners. This malware is typically spread through spam campaigns with malicious PDF attachments. If a victim opens the PDF, it displays a message saying that the PDF reader doesn’t support a specific font, and asks the user to download a font, which actually points to a malicious ZIP file.
Snort SIDs: 53364 - 53373

Title: Ryuk ransomware strikes across the globe
Description: Several reports surfaced over the past week of the Ryuk ransomware being used in attacks over the course of the past year. Notable recent infections include an attack on a Fortune 500 company that specializes in mechanical and electrical construction, a local library system and police department in Florida and a school district in New Mexico. Ryuk primarily spreads through phishing emails and contains a number of capabilities, including credential theft and the downloading of a cryptocurrency miner.
Snort SIDs: 53333, 53334, 53336, 53337

Most prevalent malware files this week