Talos ThreatSource is a regular intelligence update from Cisco Talos, highlighting the biggest threats each week and other security news.
Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Cisco Talos from the past week.
You’ve probably heard about the “Cyber Moonshot” that the U.S. recently released and approved. But what is it, actually? Should you care? Is it going to actually help anyone? We answer those questions — and vent some more — in the most recent episode of the Beers with Talos podcast.
On the malware front, we have a new report out outlining a new campaign we’re calling “DNSpionage.” This is a two-part study that looks at a new malware family, as well as a DNS redirect campaign targeting governments in the Middle East and a Lebanese airline.
If you want to see one of our researchers out and about, be sure to check below for upcoming public engagements where they will represent Talos.
Synopsis: Join Ashlee Benge as she takes part in a day-long education event on all things Cisco. Ashlee will specifically highlight the work that Talos does as part of one of the many breakout sessions offered at Cisco Connect. This session will cover a brief overview of what Talos does and how we operate. Additionally, she'll discuss the threats that are top-of-mind for our researchers and the trends that you, as defenders, should be most concerned about.
Description: Cisco Talos discovered two new campaigns targeting the Middle East originating from the same actor. The malware, known as “DNSpionage,” is spreading via malicious Microsoft Office documents. So far, government agencies in Lebanon and the United Arab Emirates have been hit, along with a Lebanese airline company. Snort SIDs: 48444, 48445
Description: A new variant of the Olympic Destroyer malware has been active over the past month with new IOCs and samples that indicate the actor behind the campaign is evolving. The malware now contains a dropper that features anti-analysis measures and delayed execution. Snort SIDs: 48435, 48436
Description: The Sednit APT is rolling out two new components of the Zebrocy malware, targeting countries in Central Asia and Eastern Europe. Zebrocy is a set of downloaders, droppers and backdoors. The newer components exfiltrate gathered information by using protocols related to mail services, such as POP3 and SMTP. Snort SIDs: 48431, 48432
Keep up with all things Talos by following us on Twitter and Facebook. You can also subscribe to the Beers with Talos podcast, which comes out bi-weekly, here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.