Welcome to this week’s edition of the Threat Source newsletter.

Tuesday was an absolute hammer for the infosec community. Not only did we have the US elections, but we also had Emotet returning and a regular Microsoft Patch Tuesday release. That release always gets me thinking about the bug-hunting ecosystem and the importance and value of vulnerability research. I admit that the phrase "bug hunting ecosystem" does lead you to think of the magical days in school: a TV rolled into the classroom on the big AV cart to show a documentary. The salad days. We were masters of our domain. Enough old-guy rambling. Vulnerability research is absolutely vital to the security of the internet. Researchers dig into software and operating systems to identify vulnerabilities before malicious threat actors do. A vulnerability that is discovered and responsibly disclosed can nullify potentially disastrous public exploitation before attackers ever get their campaigns off the ground, and often before the threat actors have found the vulnerability at all. Ensuring that the vendor can create patches or remediation before attackers can leverage the vulnerability in the wild is a massive win for defenders, but it is not discussed widely enough. So this is me saying "thank you so much" to the researchers undertaking the arduous process of identifying vulnerabilities and coordinating disclosure with vendors.

The one big thing

Emotet is back. Did it ever truly go away? Emotet has been disrupted by law enforcement only to return over and over again. Tracking Emotet as it evolved from a banking trojan into a modular botnet has been interesting. To me it is not unlike the Whac-A-Mole adventure that was Talos v. Angler, as its operators developed and implemented new techniques not only to exploit end users but to avoid detection.

Why do I care?

Emotet has been very successful for a very long time, and if you are reading this you are likely already aware of Emotet and may have had to deal with it firsthand. History shows us that it is not going away, so following the active research from Talos is vital in attempting to stay secure.

So now what?

Same as it ever was. Ensure that end users are educated as much as possible, but understand that someone will click the link. Verify that all security devices are up to date with the latest coverage releases, and follow the Talos blog, where you will always find IOCs in clear text or appended via the Talos GitHub. Implement strong patch management that keeps systems up to date, and perform general system hardening that includes removing services or protocols that are unnecessary.

Top security headlines from the week

More than two dozen Lenovo notebook models are vulnerable to exploitation that disables the UEFI Secure Boot process. Once exploited, unsigned UEFI applications or bootloaders can be run that permanently backdoor the device. Researchers from ESET disclosed the vulnerabilities as Lenovo released security updates for 25 affected models. Vulnerabilities that undermine UEFI Secure Boot make it possible for attackers to install malicious firmware that survives multiple operating system re-installations and avoids detection. (Ars Technica)

Zimperium zLabs recently identified a malicious extension that lets attackers control Google Chrome remotely. Cloud9, a malicious browser extension, is not only capable of stealing information from a browser session, it can also install malware on a user's device and subsequently assume control of the entire device, effectively acting as a remote access trojan (RAT) for Chromium-based browsers (Google Chrome and Microsoft Edge, for example). The extension was not available on the official Chrome Web Store but was instead delivered via websites pushing fake Adobe Flash Player updates. (Bleepingcomputer)

Can’t get enough Talos?

Upcoming events where you can find Talos

BSides Lisbon (Nov. 10 - 11)
Cidade Universitária, Lisboa, Portugal

SIS(Security Intelligence Summit), 2022.ON (Nov. 29)
Josun Palace, Seoul

CactusCon (Jan 27-28)
Mesa, AZ

Most prevalent malware files from Talos telemetry over the past week

SHA 256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507
MD5: 2915b3f8b703eb744fc54c81f4a9c67f
Typical Filename: VID001.exe
Detection Name: Simple_Custom_Detection

SHA 256: 1077bff9128cc44f98379e81bd1641e5fbaa81fc9f095b89c10e4d1d2c89274d
MD5: 26f927fb7560c11e509f0b8a7e787f79
Typical Filename: Iris QuickLinks.exe
Detection Name: W32.DFC.MalParent

SHA 256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91
MD5: 7bdbd180c081fa63ca94f9c22c457376
Typical Filename: IMG001.exe
Detection Name: Simple_Custom_Detection

SHA 256: e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934
MD5: 93fefc3e88ffb78abb36365fa5cf857c
Typical Filename: Wextract
Claimed Product: Internet Explorer
Detection Name: PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg
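The "So now what?" advice above says to pull IOCs from the Talos blog and GitHub and check your coverage against them; the hash list immediately above is the simplest kind of IOC to act on. The following is an added example, not code from the newsletter or from Talos: it walks a directory tree, SHA-256 hashes every regular file and reports any file whose digest appears in a watch list seeded with the four SHA-256 values listed above. The `demo()` function builds a constructed temporary directory containing a benign file and a harmless stand-in file whose own hash is added to the watch list, so the sweep can be exercised offline without any real malware. File names, directory layout and the stand-in entry are assumptions for the demo only.

```python
"""Hash-based IOC sweep (added example, not Talos code).

Walks a directory, SHA-256 hashes each regular file and reports matches
against a watch list. The watch list is seeded with the SHA-256 values
from this newsletter's "most prevalent malware files" list; in practice
you would load the IOC file Talos publishes on its blog or GitHub.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# SHA-256 values copied from the list above (typical filename as the label).
TALOS_SHA256 = {
    "9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507": "VID001.exe",
    "1077bff9128cc44f98379e81bd1641e5fbaa81fc9f095b89c10e4d1d2c89274d": "Iris QuickLinks.exe",
    "a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91": "IMG001.exe",
    "e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934": "Wextract",
}


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large binaries do not land in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def scan_tree(root, iocs=TALOS_SHA256):
    """Return a list of hits: {"path", "sha256", "typical_filename"}.

    Hashes are compared case-insensitively; symlinks are skipped so a link
    into another tree cannot produce duplicate or misleading hits, and
    unreadable files are skipped rather than aborting the sweep.
    """
    watch = {digest.lower(): label for digest, label in iocs.items()}
    hits = []
    for dirpath, _subdirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue
            try:
                digest = sha256_file(path)
            except OSError:
                continue
            if digest in watch:
                hits.append({"path": path, "sha256": digest, "typical_filename": watch[digest]})
    return hits


def make_scan_root():
    """Create an empty temporary directory to scan (constructed test data)."""
    return tempfile.mkdtemp(prefix="ioc-sweep-")


def write_sample(root, relpath, data):
    """Write constructed sample bytes under root and return the file path."""
    target = Path(root, relpath)
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_bytes(data)
    return str(target)


def demo():
    """Constructed demo: one benign file plus a harmless stand-in 'sample'
    whose hash is added to the watch list (assumption for the demo only)."""
    root = make_scan_root()
    write_sample(root, "notes.txt", b"quarterly report draft\n")
    sample = write_sample(root, "Downloads/VID001.exe", b"stand-in sample, NOT the real malware\n")
    watch = dict(TALOS_SHA256)
    watch[sha256_file(sample)] = "VID001.exe (stand-in)"
    return scan_tree(root, watch)


if __name__ == "__main__":
    for hit in demo():
        print(f"HIT {hit['path']}  sha256={hit['sha256']}  ({hit['typical_filename']})")
```

Point `scan_tree` at a user's Downloads folder or a mounted disk image and feed it the hashes from a Talos IOC file; a hit is a reason to pull the host for triage, not proof by itself, since the page's hashes identify specific samples and a repacked build will not match. Hash matching is deliberately exact, so keep it alongside the detection-name coverage on your security devices rather than in place of it.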