Newsletter compiled by Jon Munshaw.

Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.

It’s nearly holiday shopping season, which means it’s prime scam season. On the latest Beers with Talos episode, we run down the best ways to stay safe while shopping online and how to detect phony emails. It’s also election season, which makes for some good discussion.

And, as it’s time to look back on the year that was, we have a new feature from Talos Incident Response where we take a quarter-by-quarter look at the top threats we’ve seen in the wild. In Q4 of Cisco’s fiscal year, our IR analysts mainly saw ransomware and cryptocurrency miners.

IR also had another exciting announcement this week, with the unveiling of a new cyber range that can help train employees to avoid common scams that can lead to malware infection. The cyber range now comes with any IR retainer.

The Threat Source newsletter is getting a week off next week for the Thanksgiving holiday in the U.S., so we’ll talk to you again in December.

Upcoming public engagements with Talos Event: “Reading Telegram messages abusing the shadows” at BSides Lisbon
Location: Auditorio FMD-UL, Lisbon, Portugal
Date: Nov. 28 - 29
Speakers: Vitor Ventura
Synopsis: One of the cornerstones of privacy today is secure messaging applications like Telegram, which deploy end-to-end encryption to protect the communications. But several clone applications have been created and distributed with the intent of spying on their users. In this talk, Vitor will demonstrate how the Telegram registration process became abused, allowing message interception on non-rooted Android devices without replacing the official application. This is another example on how encryption is not a panacea, and that side-channel attacks like this are a real problem for otherwise secure applications.

Event: “Signed, Sealed, Compromised: The Past, Present, and Future of Supply Chain Attacks” at CactusCon
Location: Charleston Coliseum & Convention Center, Charleston, WV
Date: Dec. 6 - 7
Speakers: Edmund Brumaghin and Earl Carter
Synopsis: This talk will discuss the common techniques we’re seeing in supply chain attacks. Supply chain attacks are a broad topic, but one that has continued to evolve and mature over the last decade. Nick and Edmund will walk through what a supply chain attack constitutes, the history of how these attacks have evolved, and where we see this attack technique moving in the future.

Cyber Security Week in Review

  • The highly publicized Checkra1n jailbreak for iOS devices has been on the market for a week now. Here’s what that means for iPhone users and security researchers, and why it poses such an ethical dilemma.
  • Google and Samsung recently patched a vulnerability in some of their smartphones that could allow an attacker to take over the device’s camera. But other Android devices may still be at risk.
  • Several government services in Louisiana were taken down due to a ransomware attack. Two days post-infection, the state’s motor vehicles department was still closed. But state officials say no one has paid the ransom requested by the attackers.
  • The Australian government released a proposal to secure internet-of-things devices. It is a voluntary code the country is asking companies to abide to, including devices like "everyday smart devices that connect to the internet, such as smart TVs, watches, and home speakers.”
  • Numerous popular apps on the Google Play store are still vulnerable to long-known remote code execution vulnerabilities. A study found that while these apps do have recent updates, they don’t necessarily protect against publicly disclosed bugs.
  • The Russian government is eager to bring an alleged hacker back into its country after he appeared in a U.S. court to face charges. Research indicates the man may be one of the most well-connected hackers in Russia and the government fears he knows too much.
  • Microsoft says there is “no evidence” that the Dopplepaymer malware is spreading through Microsoft Teams. The company said after extensive research, it believes the only way Dopplemaymer can spread is through remote human operators using existing Domain Admin credentials.
  • Many user accounts for the newly launched Disney+ streaming service have been stolen and listed for sale on the dark web. However, Disney says there is no evidence to indicate its servers were breached.

Most prevalent malware files this week