Talos Threat Source is a regular intelligence update from Cisco Talos, highlighting the biggest threats each week and other security news.
Welcome to this week’s Threat Source newsletter — the perfect place to
get caught up on all things Talos from the past week.
No one really likes talking about election security. It’s a sticky
subject, costs lots of money and doesn’t come with an easy fix. But that
doesn’t mean the conversation shouldn’t happen.
With another presidential election just around the corner, we decided to take up the topic and examine the approach a potential attacker may take to disrupting a democratic election. Matt Olney took a deep dive into the topic and wrote about what may happen in a real-life attack scenario.
He and the rest of the Beers with Talos crew broke down these scenarios further in this week’s Beers with Talos episode.
We also have our weekly Threat Roundup, which you can find on the blog every Friday afternoon. There, we go over the most prominent threats we’ve seen (and blocked) over the past week.
UPCOMING PUBLIC ENGAGEMENTS WITH TALOS
Event: "DNS on Fire" at Black Hat USA
Location: Mandalay Bay, Las Vegas, Nevada
Date: Aug. 7
Speaker: Warren Mercer
Synopsis: In this talk, Warren will go over two recent malicious threat actors targeting the DNS protocol, along with the methodology used to target victims, the timeline, and technical details. The first is a piece of malware, "DNSpionage," targeting government agencies in the Middle East and an airline. The second actor, more advanced and aggressive than the first, is behind the campaign we named “Sea Turtle.”
Event: “It’s never DNS...It was DNS: How adversaries are abusing
Location: Metro Toronto Convention Center, Toronto, Canada
Date: Oct. 7 - 10
Speakers: Edmund Brumaghin and Earl Carter
Synopsis: While DNS is one of the most commonly used network protocols in most corporate networks, many organizations don’t give it the same level of scrutiny as other network protocols present in their environments. DNS has become increasingly attractive to red teams and malicious attackers alike as an easy way to subvert otherwise solid security architectures. This presentation will provide several technical breakdowns of real-world attacks that have been seen leveraging DNS for a variety of purposes, such as DNSMessenger, DNSpionage, and more.
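The synopsis above argues that DNS gets less scrutiny than it deserves; the practical counterpart is a baseline of what "normal" resolution for a domain looks like so that tunnelling and command-and-control traffic (DNSMessenger, for instance, is documented as carrying its C2 channel in TXT records) stand out. The following is an added example, not Talos code and not the detection logic from either talk: a small heuristic that aggregates a constructed query log per registered domain and flags domains with many unique, long, high-entropy subdomain labels or a high share of TXT queries. The log format (`client qname qtype`), the "last two labels" rule for the registered domain, and the thresholds are all assumptions made for the example.

```python
import math
from collections import defaultdict

# Constructed sample log (not real traffic). Format assumed for this example:
# "<client-ip> <qname> <qtype>", one query per line. The evil-tunnel.example
# labels are 32-character hex strings in which each hex digit appears twice,
# i.e. exactly 4.0 bits of entropy per character.
SAMPLE_LOG = """\
10.0.0.5 www.example.com A
10.0.0.5 mail.example.com MX
10.0.0.6 www.example.com A
10.0.0.6 api.example.com A
10.0.0.7 cdn.example.com AAAA
10.0.0.7 example.org A
10.0.0.9 0a1b2c3d4e5f60718293a4b5c6d7e8f9.evil-tunnel.example TXT
10.0.0.9 c3d4e5f60718293a4b5c6d7e8f90a1b2.evil-tunnel.example TXT
10.0.0.9 5f60718293a4b5c6d7e8f90a1b2c3d4e.evil-tunnel.example TXT
10.0.0.9 18293a4b5c6d7e8f90a1b2c3d4e5f607.evil-tunnel.example TXT
10.0.0.9 a4b5c6d7e8f90a1b2c3d4e5f60718293.evil-tunnel.example TXT
10.0.0.9 6d7e8f90a1b2c3d4e5f60718293a4b5c.evil-tunnel.example TXT
"""


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    n = len(s)
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_qname(qname):
    """Split a query name into (subdomain, registered_domain).

    Simplification (assumption): the registered domain is the last two labels.
    A real detector would consult the Public Suffix List (e.g. co.uk)."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 2:
        return "", qname
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def summarize(log_text):
    """Aggregate per-registered-domain statistics from the query log."""
    acc = defaultdict(lambda: {"queries": 0, "txt": 0, "subs": set(), "lens": [], "ents": []})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than crash on them
        _client, qname, qtype = parts
        sub, domain = split_qname(qname)
        s = acc[domain]
        s["queries"] += 1
        if qtype.upper() == "TXT":
            s["txt"] += 1
        if sub:
            s["subs"].add(sub)
            s["lens"].append(len(sub))
            s["ents"].append(shannon_entropy(sub.replace(".", "")))
    summary = {}
    for domain, s in acc.items():
        summary[domain] = {
            "queries": s["queries"],
            "unique_subdomains": len(s["subs"]),
            "txt_ratio": s["txt"] / s["queries"],
            "mean_sub_len": sum(s["lens"]) / len(s["lens"]) if s["lens"] else 0.0,
            "mean_entropy": sum(s["ents"]) / len(s["ents"]) if s["ents"] else 0.0,
        }
    return summary


def flag_tunnel_candidates(summary, min_unique=5, min_len=20.0,
                           min_entropy=3.0, min_txt_ratio=0.5):
    """Return the sorted list of domains whose query pattern looks like tunnelling.

    Thresholds are assumptions for this example; tune them against your own
    baseline, and expect CDNs and some telemetry services to need allow-listing."""
    flagged = []
    for domain, st in summary.items():
        if st["unique_subdomains"] < min_unique:
            continue  # a handful of hostnames is ordinary
        encoded = st["mean_sub_len"] >= min_len and st["mean_entropy"] >= min_entropy
        txt_heavy = st["txt_ratio"] >= min_txt_ratio
        if encoded or txt_heavy:
            flagged.append(domain)
    return sorted(flagged)


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for domain, st in sorted(summary.items()):
        print(f"{domain:24s} q={st['queries']:3d} subs={st['unique_subdomains']:3d} "
              f"txt={st['txt_ratio']:.2f} len={st['mean_sub_len']:5.1f} H={st['mean_entropy']:.2f}")
    print("suspicious:", flag_tunnel_candidates(summary))
```

Run against the constructed log, `example.com` and `example.org` stay quiet and `evil-tunnel.example` is flagged on both tests at once (six unique 32-character labels at 4.0 bits/char, all TXT). In production the same aggregation belongs on resolver query logs or passive DNS, keyed additionally by source host, with the registered-domain split done via the Public Suffix List.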
CYBER SECURITY WEEK IN REVIEW
Facebook confirmed in its latest earnings report that it reached a settlement with the U.S. Federal Trade Commission over data privacy violations, the largest fine in U.S. history over online privacy. The social media network also said it would create “a comprehensive new framework for protecting people’s privacy.”
Attackers are using the file-sharing service WeTransfer to bypass email security. Security researchers have discovered multiple attacks in which malicious actors send users emails containing a WeTransfer link that leads to an HTM or HTML file, which in turn redirects to a phishing landing page. Because the email body carries only a link to a legitimate service, URL reputation checks and attachment scanning never see the malicious page.
Former special counsel Robert Mueller warned that Russia made multiple attempts to disrupt the 2016 presidential election. During Congressional testimony, Mueller said "They're doing it as we sit here, and they expect to do it during the next campaign."
Certain LG and Samsung phones are open to an attack that could allow a malicious user to listen in on conversations. The attacks exploit the devices’ accelerometer, which picks up the vibrations of any audio played through the speaker, to eavesdrop without needing microphone permission.
The U.S. Federal Trade Commission fined Equifax up to $700 million over its 2017 data breach. However, privacy advocates and some lawmakers say the punishment doesn’t go far enough.
The latest round of security updates from Apple fixes a critical vulnerability in the Apple Watch’s Walkie-Talkie app that could allow an attacker to listen in on conversations. There were also fixes for vulnerabilities in the iOS operating system.
U.S. Attorney General William Barr stepped up his fight against encryption, saying tech firms “can and must” put backdoors on their devices to bypass encryption. Barr argued that encryption allows criminals to operate unnoticed and can stall law enforcement agencies’ investigations.
The National Security Agency says it is working on a cybersecurity directorate that aims to align America’s offensive and defensive cyber capabilities. The directorate will begin operating on Oct. 1 under the direction of Anne Neuberger, who helped establish U.S. Cyber Command.
NOTABLE RECENT SECURITY ISSUES
Title: Attackers spread AZORult trojan, attempt to steal passwords
Description: Attackers recently began spreading the AZORult trojan through a series of phony cheat codes for video games such as "Counter-Strike: GO" and "PlayerUnknown's Battlegrounds." The attackers embedded links to the supposed cheats in YouTube videos and on other social media sites. Once installed, the trojan attempts to steal users' passwords. This Snort rule fires when AZORult attempts to make an outbound connection to its command and control server.
Snort SIDs: 50771 (Written by Tim Muniz)
Title: New protection rolled out for Microsoft vulnerability exploited in the wild
Description: Attackers continue to exploit a previously disclosed vulnerability in Windows' win32k.sys component. The elevation-of-privilege bug, identified as CVE-2019-1132, was exploited in a series of targeted attacks in Eastern Europe, where an APT group used it to install espionage malware on victim machines. The new Snort rules fire when an attacker attempts to corrupt a machine's memory using this vulnerability.
Snort SIDs: 50734 – 50737 (Written by Joanne Kim)
MOST PREVALENT MALWARE FILES FROM THIS WEEK
Typical Filename: maftask.zip
Claimed Product: N/A
Detection Name: PUA.Osx.Adware.Advancedmaccleaner::tpd
Typical Filename: FYDUpdate.exe
Claimed Product: Minama
Detection Name: W32.E062F35810-95.SBX.TG
Typical Filename: qmreportupload.exe
Claimed Product: qmreportupload
Detection Name: Win.Trojan.Generic::in10.talos
Typical Filename: xme64-2141.exe
Claimed Product: N/A
Detection Name: W32.7ACF71AFA8-95.SBX.TG
Typical Filename: xme32-2141-gcc.exe
Claimed Product: N/A
Detection Name: W32.46B241E3D3-95.SBX.TG
Keep up with all things Talos by following us on Twitter. Snort, ClamAV and Immunet also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast, which comes out bi-weekly, here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.