Newsletter compiled by Jon Munshaw.

Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.

Never assume that a malware family is really dead. We’ve done it time and time again with things like Emotet, and Gustuff is proving it once again. The banking trojan, after we first discovered it earlier this year, is back with a version 2, targeting a new round of victims and deploying new anti-detection techniques.

We also have our weekly Threat Roundup, which you can find on the blog every Friday afternoon. There, we go over the most prominent threats we’ve seen (and blocked) over the past week.

Upcoming public engagements with Talos Event: Talos at BSides Belfast
Location: Titanic Belfast, Belfast, Northern Ireland
Date: Oct. 31
Synopsis: Several researchers from Talos will be on hand at BSides Belfast to deliver four different talks. Martin Lee will provide a general overview of the benefits of threat hunting, Nick Biasini and Edmund Brumaghin will walk through a recent wave of supply chain attacks, then, Brumaghin and Earl Carter will deliver their “It’s Never DNS....It Was DNS” talk, and, finally, Paul Rascagneres walks through his recent research into attacks on iOS.
Event: “It’s Never DNS…. It Was DNS: How Adversaries Are Abusing Network Blind Spots”  at SecureWV/Hack3rCon X
Location: Charleston Coliseum & Convention Center, Charleston, WV
Date: Nov. 15 - 17
Speakers: Edmund Brumaghin and Earl Carter
Synopsis: While DNS is one of the most commonly used network protocols in most corporate networks, many organizations don’t give it the same level of scrutiny as other network protocols present in their environments. DNS has become increasingly attractive to both red teams and malicious attackers alike to easily subvert otherwise solid security architectures. This presentation will provide several technical breakdowns of real-world attacks that have been seen leveraging DNS for a variety of purposes such as DNSMessenger, DNSpionage, and more.

Cyber Security Week in Review

  • Popular VPN service NordVPN confirmed a rumored data breach this week. Researchers first reported that the company left an expired internal private key exposed, which could allow anyone to start their own servers and disguise them as legitimate NordVPN servers.
  • The U.S. military continues to search for skilled hackers as it thinks about the future of cyber warfare. U.S. Cyber Command was even recently elevated to be considered one of America’s 11 “unified combatant commands.”
  • Amazon’s Echo and Kindle devices are open to a Wi-Fi vulnerability that could allow attackers to conduct man-in-the-middle actions. Malicious users could carry out denial-of-service attacks, intercept information sent to the devices and decrypt information processed by the victim machine.
  • Security experts are critical of members of U.S. Congress who entered an ultra-secure area with their cell phones. Republicans were attempting to disrupt a hearing regarding the impeachment of U.S. President Donald Trump, entering an area that has restrictions against using mobile devices.
  • An internal memo says the White House’s wireless network could be open to attack. The Trump administration is forcing out many longstanding IT staff, which a report says could leave the White House vulnerable to a “network compromise.”
  • Researchers discovered a Vietnamese student was behind 42 malicious apps uploaded to the Google Play store. The apps would eventually display malicious apps a few minutes after users initially opened them.
  • Apple removed 17 malicious apps from its iOS store. The apps all contained malicious trojans that would eventually carry out click fraud and delivering malicious web pages.
  • Business-to-business payment provider Billtrust says it is still recovering from a ransomware attack. The company has yet to disclose the exact strain of the malware, but says most of its services are back online roughly a week after initial infection.
  • Democratic Congressional representatives introduced a new bill this week to strengthen the security of internet-of-things devices. The measure would establish a new panel of experts that would create “cyber benchmarks” for IoT devices.

Notable recent security issues Title: Gustuff V2
Description: The Gustuff banking trojan is back with new features, months after initially appearing targeting financial institutions in Australia. Cisco Talos first reported on Gustuff in April. Soon after, the actors behind Gustuff started by changing the distribution hosts and later disabled its command and control (C2) infrastructure. The actor retained control of their malware since there is a secondary admin channel based on SMS. The latest version of Gustuff no longer contains hardcoded package names, which dramatically lowers the static footprint when compared to previous versions.
Snort SIDs: 51908 - 51922
 Title: Attackers use malicious GIFs to attack WhatsApp
Description: The WhatsApp messaging app contains a double-free vulnerability. An attacker could exploit this vulnerability, identified as CVE-2019-11932, to carry out a variety of malicious activities, including memory leaks and arbitrary code execution. The exploitation of this bug requires the attacker to send a WhatsApp user a specially crafted GIF. These rules prevent attackers from carry out remote code execution through these GIFs.  
Snort SIDs: 51953 - 51956 (By Tim Muniz)

Most prevalent malware files this week SHA 256: 85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5
MD5: 8c80dd97c37525927c1e549cb59bcbf3
Typical Filename: Eternalblue-2.2.0.exe
Claimed Product: N/A
Detection Name: W32.WNCryLdrA:Trojan.22k2.1201

SHA 256: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b
MD5: 799b30f47060ca05d80ece53866e01cc
Typical Filename: mf2016341595.exe
Claimed Product: N/A
Detection Name: W32.Generic:Gen.22fz.1201