Talos Threat Source is a regular intelligence update from Cisco Talos, highlighting the biggest threats each week and other security news.
Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.
We uncovered the details of a new malware targeting subscribers of a Tibetan email list. The malicious emails delivered a malware we’re calling “ExileRAT,” which appears to be an evolution of the LuckyCat family. Based on the targets and the behavior of the malware, we believe this is an effort by the attackers to spy on the victims.
Now, it’s time to look back. To help put a bow on 2018, we looked at the Snort rules that were triggered the most last year. Spoiler: They mainly blocked cryptocurrency miners and trojans. Here’s a roundup of the five most-triggered Snort rules from 2018.
Finally, we also have our weekly Threat Roundup, which you can find on the blog every Friday afternoon. There, we go over the most prominent threats we’ve seen (and blocked) over the past week.
If you want to see one of our researchers out and about, be sure to check below for upcoming public engagements where they will represent Talos.
Location: Moscone Center, San Francisco, Calif.
Synopsis: Matt Watchinksi, the vice president of Cisco Talos, will partake in one of the keynote addresses at this year’s RSA conference. Watchinski, along with Liz Centoni of Cisco, will discuss how to defend against internet-of-things attacks. As more automated devices are added to our homes every day, it just creates more attack vectors. Watchinski and Centoni will talk about successful defense strategies Cisco has employed in the past.
Location: Hannover Congress Center, Hanover, Germany
Synopsis: The pressure on IT security officers to compete for resistant IT security never ends. Attackers are trying to penetrate companies’ networks with new methods and to monetize deducted data every day. Unterbrink sits at the front and will provide insights into the current threat situation and attack scenarios.
Description: McAfee Labs recently discovered a new ransomware known as “Anatova” that’s been spotted infecting targets in the U.S. and Europe. The malware encrypts users’ files and then demands a payment of roughly 10 DASH — a cryptocurrency — the equivalent of roughly $700. Snort SIDs: 49070 - 49072
Description: The well-known GandCrab ransomware is being spread through a new email campaign. These malicious emails disguise themselves as legitimate emergency plans for the building in which the victim works. The server tied to this campaign previously delivered the Ursnif trojan. Snort SIDs: 49068, 49069
Keep up with all things Talos by following us on Twitter and Facebook. You can also subscribe to the Beers with Talos podcast, which comes out bi-weekly, here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.