Digital Shadows: Manage Your Digital Risk (feed updated Mon, 10 Dec 2018 22:10:27 +0000)

ShadowTalk Update – 12.10.2018
Mon, 10 Dec 2018 18:02:02 +0000

In this week’s ShadowTalk, Rick Holland and Harrison Van Riper join Michael Marriott to discuss the implications of the Marriott data breach and to look ahead to trends we might see in 2019. In particular, we dig into ransomware and what you should be considering in 2019. To read more about these trends (and others), read Harrison’s blog, ‘2019 Cyber Security Forecasts’. Alternatively, register for our upcoming webinar with the FBI.



Marriott confirms data of 500 million guests breached

The hotel chain Marriott International confirmed that a data breach by an unknown threat actor exposed the details of approximately 500 million guests. For around 327 million of those guests, the exposed records included personally identifiable information (PII), passport numbers and, in some cases, payment card data tied to their accounts with Starwood, a subsidiary Marriott acquired in 2016. Because the data was held by Starwood and the unauthorized access reportedly began in 2014, before the acquisition, the incident highlights the cyber security risks (including financial loss and reputational damage) an organization can inherit through mergers and acquisitions. The breach has also posed various political, legal and regulatory challenges for Marriott.

US government indicts SamSam ransomware author-operators

Two individuals reportedly responsible for creating, modifying and distributing the SamSam ransomware have been charged by the United States government. In a parallel action, the US Treasury added two Iranian nationals who exchanged SamSam ransom proceeds, together with the Bitcoin addresses they used, to the Specially Designated Nationals and Blocked Persons List; organizations paying ransoms to those addresses risk violating United States economic sanctions. It is realistically possible that the SamSam operators will target other geographies and/or set up new Bitcoin addresses that are not linked to the designated individuals.

thedarkoverlord claims compromise of US insurance company

Extortionist thedarkoverlord has likely obtained an unidentified United States insurance company’s database. The threat actor’s associated Twitter account referred to the breach and a subsequent extortion demand. Given thedarkoverlord’s previous history of successful attacks, it is likely a credible demand. If the affected company does not pay the ransom, thedarkoverlord will likely publish any sensitive information obtained, potentially via the dark Web forum KickAss, on which the threat actor has recently become active.

Energy companies among victims of AutoCAD-based malware espionage

An industrial espionage campaign distributing malware written for the design software AutoCAD has reportedly been targeting the renewable-energy and automotive sectors, among others, since 2014. The perpetrators circulated stolen computer-aided design (CAD) projects bundled with malicious scripts, designed to lure victims into opening them and thereby installing downloader malware on their network. AutoCAD is a popular application and includes auto-loading features for scripts placed alongside a drawing, which the attackers abused to execute their code without further user interaction.

Using Shadow Search to Power Investigations: Sextortion Campaigns
Thu, 06 Dec 2018 12:53:45 +0000

We recently wrote about sextortion campaigns and how they’ve developed their lures over time. As a result of these campaigns, tens of thousands of dollars have been transferred to attacker-controlled bitcoin wallets.

In this blog, I wanted to share how you can power responses to extortion campaigns with Shadow Search (while I’m using the sextortion campaign in this example, any extortion campaign could apply).

Within the long and rambling email (Figure 1), we can identify three elements requiring further investigation:

  1. Exposed credentials quoted in cleartext as the “claim of compromise”. Including the recipient’s exposed password in the extortion message gives it an air of credibility.
  2. Claimed exploitation of a recent vulnerability affecting certain Cisco devices (CVE-2018-0296).
  3. A call to action to pay the extortion demand to a specific Bitcoin address. The most recent wave appears to have generated at least $19,000.



Using Shadow Search, we can gain vital context on each of these three elements. For those unfamiliar with Shadow Search, we provide instant access to a range of sources so you can perform your own research and investigations. These include:

  • Dark web pages and marketplaces
  • Criminal forums
  • Paste sites
  • Blog and news sites
  • IRC and Telegram Chat Channels
  • Technical forums
  • DNS lookup
  • WHOIS data
  • Indicator Feeds
  • Curated intelligence from Digital Shadows


Search for Context on Vulnerability

The email states “the hacking was carried out using a hardware vulnerability through which you went online (Cisco router, vulnerability CVE-2018-0296)”. Searching for this CVE number in Shadow Search brings back NIST results, Digital Shadows intelligence reporting, and mentions across criminal forums. From these, the recipient can ascertain that this is a denial-of-service vulnerability in the Cisco ASA web service: it is very unlikely to have been used to steal anyone’s password, and the affected product may not even be present in the recipient’s environment at all.


Search for Exposed Credentials

Second, the attacker quoted the recipient’s password as “proof” of compromise (we have obscured the password in Figure 1). Searching for the recipient’s email address across paste sites and criminal forums returns several results showing that this email address and password have already been publicly exposed. This indicates that the extortionist most likely sourced the password from a pre-existing breach rather than from compromising the recipient’s computer. It should also prompt the recipient to change this password wherever it is still in use on other online services.

Search for Bitcoin Address

The third nugget of information is the bitcoin address (1GXazHVQUdJEtpe62UFozFibPa8ToDoUn3). Searching for this in Shadow Search brings back copies of exactly the same message published on paste sites, most likely posted by other recipients of the extortion email, which shows the message was sent in bulk rather than tailored to one victim. Furthermore, if the bitcoin address were associated with a known threat actor, those results would also appear in Shadow Search as part of our curated intelligence Actor Profiles.


Make More Informed Decisions

Gaining context across these three elements gives a strong indication that the extortion attempt is bogus, and organizations can use this insight to inform their response. Within minutes you can make a call on whether an extortion threat is credible, and whether additional resources are needed to protect your organization and its employees.
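The three checks described above can be scripted against the artefacts pulled out of the message. The following is an added example, not Digital Shadows code and not part of Shadow Search: it extracts the quoted credential, the CVE reference and the Bitcoin address from an extortion email, validates the address with Base58Check (a fabricated or mistyped address fails the checksum), and scores the claim against a breach corpus, a set of paste copies and CVE notes. The email text, the breach record, the paste copies and the CVE note are all constructed for the demonstration, and the address in the sample is the well-known genesis-block address, used only so that the checksum check has a valid input; the real lookups are the paste-site, forum and Actor Profile searches the post walks through.

```python
"""Offline triage of an extortion e-mail along the three axes used above:
the credential "proof", the cited CVE and the Bitcoin payment address.

Added example, not Digital Shadows code.  All inputs below are constructed."""
import hashlib
import re

CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b", re.IGNORECASE)
# Legacy Base58 address: leading 1 or 3, alphabet excludes 0, O, I and l.
BTC_RE = re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
PASSWORD_RE = re.compile(r"password\s*[:=]?\s*(\S+)", re.IGNORECASE)
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def btc_checksum_ok(addr):
    """Base58Check: the last 4 bytes must equal the first 4 bytes of
    SHA256(SHA256(version || hash160)).  Catches typos and made-up addresses;
    a valid address still says nothing about who controls it."""
    n = 0
    for ch in addr:
        idx = B58.find(ch)
        if idx < 0:
            return False
        n = n * 58 + idx
    try:
        raw = n.to_bytes(25, "big")  # 1 version byte + 20 hash160 + 4 checksum
    except OverflowError:
        return False
    digest = hashlib.sha256(hashlib.sha256(raw[:21]).digest()).digest()
    return digest[:4] == raw[21:]


def extract_artefacts(text):
    """The three elements worth investigating, plus the password quoted as proof."""
    pw = PASSWORD_RE.search(text)
    return {
        "emails": sorted(set(EMAIL_RE.findall(text))),
        "password": pw.group(1) if pw else None,
        "cves": sorted({c.upper() for c in CVE_RE.findall(text)}),
        "btc_addresses": sorted(set(BTC_RE.findall(text))),
    }


def assess(text, breach_records, paste_copies, cve_notes):
    """Return artefacts, findings and a verdict.  Every finding that shows the
    message is recycled or mass-mailed counts against its credibility."""
    art = extract_artefacts(text)
    findings, against = [], 0
    # 1. Claim of compromise: is the quoted password simply an old leak?
    for addr in art["emails"]:
        leaked = breach_records.get(addr.lower())
        if leaked and art["password"] == leaked["password"]:
            findings.append(f"{addr}: quoted password already exposed in {leaked['source']}")
            against += 1
    # 2. Claimed exploit: does the cited CVE yield what the sender claims?
    for cve in art["cves"]:
        note = cve_notes.get(cve)
        if note is None:
            findings.append(f"{cve}: no notes on file, check NVD before accepting the claim")
        else:
            findings.append(f"{cve}: {note['summary']}")
            if not note["yields_credentials"]:
                against += 1
    # 3. Payment address: usable at all, and already pasted by other recipients?
    for btc in art["btc_addresses"]:
        if not btc_checksum_ok(btc):
            findings.append(f"{btc}: fails Base58Check, not a usable address")
            against += 1
            continue
        hits = sum(1 for p in paste_copies if btc in p)
        if hits:
            findings.append(f"{btc}: found in {hits} public paste(s), i.e. a mass campaign")
            against += 1
    verdict = "likely bogus" if against >= 2 else "needs further investigation"
    return {"artefacts": art, "findings": findings, "verdict": verdict}


# --- constructed inputs (not a real message, breach or paste) ---------------
SAMPLE_EMAIL = """\
Hello! I am a hacker who has access to your operating system.
Your account (victim@example.com) was hacked. Your password: Summer2014!
The hacking was carried out using a hardware vulnerability through which you
went online (Cisco router, vulnerability CVE-2018-0296).
Transfer $800 to my bitcoin wallet: 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa
You have 48 hours.
"""
BREACH_RECORDS = {"victim@example.com": {"password": "Summer2014!",
                                         "source": "2014 combo list (constructed)"}}
PASTE_COPIES = [
    "got this today, anyone else? ... Transfer $800 to my bitcoin wallet: "
    "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa You have 48 hours.",
    "unrelated paste with no address",
]
CVE_NOTES = {"CVE-2018-0296": {
    "summary": "denial of service in the Cisco ASA web interface; does not disclose user passwords",
    "yields_credentials": False}}

if __name__ == "__main__":
    result = assess(SAMPLE_EMAIL, BREACH_RECORDS, PASTE_COPIES, CVE_NOTES)
    for finding in result["findings"]:
        print("-", finding)
    print("verdict:", result["verdict"])
```

The verdict threshold of two independent findings is deliberate: a single match (a password that happens to be in a breach, say) is weak evidence on its own, but a recycled credential plus a mass-mailed payment address is the signature of the campaign described above.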


Interested in Shadow Search? You can read more about the service in our datasheet, or you can try it for yourself by signing up for a test drive.


To stay up to date with the latest digital risk and threat intelligence news, subscribe to our threat intelligence emails here.

2019 Cyber Security Forecasts: Six Things on the Horizon
Wed, 05 Dec 2018 16:19:07 +0000

The new year is upon us! 2018 brought us Spectre and Meltdown, Russian GRU indictments, and the exposure of 500 million Marriott hotel guests. 2019 is sure to throw us a few curveballs as well. For this blog, we looked at trends and events that have shaped the digital risk landscape this year and how they might play out in 2019.

1. GDPR watchdogs start to bite. Expect new fines for data breach incidents

2018 was the year of GDPR; 2019 will be the year of GDPR fines. Under the European General Data Protection Regulation, or GDPR, organizations can now be legally required to pay a fine for mishandling company-held personal information.

The first GDPR enforcement notice was issued in 2018 to Aggregate IQ, one of the companies involved in the Facebook–Cambridge Analytica controversy. However, the first actual fine was not issued until November, to a German messaging company called Knuddels. Following a breach of its database in July, the company subsequently found customer email addresses and plain-text passwords on data sharing sites (Digital Shadows detected the leak when it was uploaded to Pastebin in September; see Figure 1). According to the data protection authority of Baden-Württemberg, the company had violated its duty to protect customer data by storing passwords in clear text; however, several factors, including the company’s internal response and transparency with the officials, kept the fine at €20,000.

Figure 1: Digital Shadows Shadow Search result for Knuddels breach

Under GDPR, authorities can issue a maximum fine of either €20 million or 4% of total global annual turnover (whichever is higher). As with Knuddels, transparency and clear communication with officials can earn organizations some credit and potentially reduce a fine. Nevertheless, GDPR is here. Expect the frequency and value of data breach fines to increase next year.

2. Ongoing nation-state cyber espionage between the US and China

Geopolitical tensions can lead to an increase in cyber activity from nation-state threat actors, and the ongoing trade disputes between the United States and China are no different. Digital Shadows expects that cyber espionage between the two countries will continue into 2019, further fuelled by the disputes which began in early 2018. As such, attacks from China against US companies which hold valuable intellectual property are likely. Although the United States’ own plans are a little less clear, activity in the other direction can also be expected.

US-CERT publicly acknowledged (or shamed, depending on how you look at it) multiple instances of Russian state-sponsored cyber activity, including ongoing targeting of US infrastructure. Suspected North Korean-sponsored Lazarus Group activity was also reported by US-CERT throughout the year. Both countries were at odds politically with the US all through 2018, which likely influenced the decisions by US authorities to call out these campaigns directly. As such, we may see similar finger pointing from the US towards Chinese nation-state threat actors if current tensions continue.

In an interesting turn, a Chinese intelligence official was indicted and subsequently extradited to the United States in October to face the US criminal justice system. The indictment related to criminal charges of gaining unauthorized access to aviation companies with the goal of stealing trade secrets. This is significant; it’s the first time a Chinese intelligence official has been extradited to the US…ever. Unsurprisingly, the extradition wasn’t voluntary or sanctioned by the Chinese government.  Instead, the official was allegedly lured to Belgium, arrested, and then sent to Ohio’s southern district. This indictment, coupled with others that have been published since, will do little to aid the relationship between the two countries.

3. Business Email Compromise campaigns will continue to increase as businesses struggle to manage their online exposure

According to the FBI, Business Email Compromise (BEC) and Email Account Compromise (EAC) have caused $12 billion in losses since October 2013. Even more alarmingly, between December 2016 and May 2018, there was a 136% increase in identified global exposed losses, with BEC and EAC scams reported in all 50 US states and in 150 countries. In November, we learnt that the Dutch brand of the Pathé cinema chains had lost more than 19 million euros (US$21.5m) through a BEC attack.

As we highlighted in our research report, Cybercriminals on the Outlook for your Emails, the barriers to entry for these types of scams continue to lower, with attackers able to take advantage of accounting and finance email credentials available in public data breaches and leaked data. Less sophisticated actors can even solicit the help of a BEC-as-a-service provider online. Unfortunately, cybercriminals don’t even have to compromise accounts to gain access to the sensitive information stored in inboxes; we identified over 12 million publicly accessible email archives exposed through misconfigured rsync, FTP, SMB, S3 buckets, and NAS drives. By improperly backing up these archives, individuals, employees and contractors are unwittingly exposing sensitive, personal, and financial information.

In more positive news, BEC and account takeover can be mitigated with measures such as requiring more than one person to authorize significant wire transfers and enforcing multi-factor authentication on email accounts. Unintended file exposure can be reduced by making sure that file-sharing and backup services such as rsync, FTP and SMB are not inadvertently misconfigured to serve sensitive emails or files to the Internet. Organizations grappled with data exposure in 2018 and this will continue throughout 2019. Let’s hope that more and more organizations will finally focus on understanding and reducing their own external digital footprint; perhaps this can be a new year’s security resolution for many this holiday season?
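The rsync exposure above is usually a configuration mistake rather than a vulnerability: an rsync daemon module with no `auth users` and no `hosts allow` is readable by anyone who can reach the port. The following is an added example, not Digital Shadows code, that parses an rsyncd.conf and reports modules open to anonymous or unrestricted access. The defaults it applies (`read only` and `list` default to yes, access is anonymous unless `auth users` is set, and unrestricted unless `hosts allow` is set, with global parameters acting as defaults for every module) follow the rsyncd.conf manual page; the configuration file itself is constructed for the demonstration, with one weak module beside one locked-down module.

```python
"""Audit an rsyncd.conf for modules exposed to anonymous or unrestricted access.

Added example, not Digital Shadows code.  The sample configuration is constructed."""
import re

SECTION_RE = re.compile(r"^\s*\[([^\]]+)\]\s*$")
PARAM_RE = re.compile(r"^\s*([\w ]+?)\s*=\s*(.*?)\s*$")


def truthy(value):
    """rsync accepts yes/no, true/false and 1/0 for boolean parameters."""
    return str(value).strip().lower() in ("yes", "true", "1")


def parse_rsyncd_conf(text):
    """Return (global_params, {module_name: params}).  Parameter names are
    case-insensitive and may contain spaces, so they are normalised to lower
    case with single spaces.  Lines beginning with '#' are comments."""
    global_params, modules, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        section = SECTION_RE.match(line)
        if section:
            current = section.group(1).strip()
            modules[current] = {}
            continue
        param = PARAM_RE.match(line)
        if not param:
            continue
        key = " ".join(param.group(1).lower().split())
        target = global_params if current is None else modules[current]
        target[key] = param.group(2)
    return global_params, modules


def audit(text):
    """Return {module: [issues]}.  An empty list means the module requires
    authentication, is restricted by source address, is read-only and is
    not listed to anonymous clients."""
    global_params, modules = parse_rsyncd_conf(text)
    report = {}
    for name, params in modules.items():
        effective = {**global_params, **params}  # globals are per-module defaults
        issues = []
        if not effective.get("auth users"):
            issues.append("no 'auth users': anonymous access")
        if not effective.get("hosts allow"):
            issues.append("no 'hosts allow': reachable from any source address")
        if not truthy(effective.get("read only", "yes")):
            issues.append("'read only = no': module is writable")
        if truthy(effective.get("list", "yes")):
            issues.append("'list = yes': module name enumerable by anyone")
        report[name] = issues
    return report


# Constructed configuration: one exposed module, one hardened module.
SAMPLE_CONF = """\
# constructed rsyncd.conf for the audit above
uid = nobody
gid = nogroup
use chroot = yes
max connections = 4

[backups]
    path = /srv/backups
    comment = nightly mail archive dump
    read only = no

[mail-archive]
    path = /srv/mail-archive
    auth users = archiver
    secrets file = /etc/rsyncd.secrets
    hosts allow = 10.0.0.0/8
    read only = yes
    list = no
"""

if __name__ == "__main__":
    for module, issues in audit(SAMPLE_CONF).items():
        print(f"[{module}]", "OK" if not issues else "")
        for issue in issues:
            print("   -", issue)
```

The same exposure can be confirmed from the outside with `rsync rsync://host/`, which lists the modules a daemon offers to an unauthenticated client; anything that appears in that listing and is reachable from the Internet is exactly the kind of archive the post describes.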

4. Emotet banking trojan will be modified and used for new purposes

Emotet has been a thorn in the side of organizations across the globe, with the malware involved in a high volume of activity throughout 2018. What started as a banking trojan has evolved into something more sophisticated. With the ability to download additional modules, Emotet has been observed acting as the initial-stage downloader for other banking trojans such as IcedID and TrickBot. In November 2018, the malware once again updated its capabilities, adding full email message harvesting to its toolbox.

Looking ahead, just as Emotet evolved from banking trojan to downloader, another shift may be occurring. Emotet could continue being used as a downloader to facilitate the spread of banking trojans or other malware, but its capability of harvesting emails could also be used to conduct more convincing spearphishing campaigns against target organizations. Additionally, due to its popularity among cybercriminals, Emotet could be adopted by threat actors motivated by information gathering. This would open Emotet’s door of possibilities even wider, allowing it to be used by other types of actors. Either way, Emotet is likely here to stay and continue its streaks across various sectors. You can bet that further updates to this malware will be observed in the first quarter of 2019.

5. MITRE ATT&CK framework will become an information security standard

Having a common vocabulary is key to any productive discussion. This is where the MITRE ATT&CK framework comes into play. If I say apple and you’re thinking orange (or I say spearphishing attachment and you’re thinking spearphishing link), we’re both thinking about fruit, but are we talking about the same thing? Having a universal set of terminology and standards that security practitioners can easily understand, which are mapped to specific techniques that can be assessed and hopefully controlled, will contribute to better defences and mitigation strategies by security teams in 2019. Interest in ATT&CK has increased substantially throughout 2018, as can be seen from Google search trends for the last two years (Figure 2).


Figure 2: Searches for MITRE ATT&CK between December 2016 and December 2018 (Source: Google)

Digital Shadows loves the ATT&CK framework, and we plan to include it in more of the things that we do. Take a look at our earlier ATT&CK blogs for examples.

6. Traditional ransomware attacks will continue their decline

Time for some good news! 2017 was potentially the apex of ransomware attacks; this was the year in which both the WannaCry and NotPetya attacks occurred, bringing ransomware to the attention not only of cybersecurity professionals but of mainstream users as well. 2018 saw sharp declines in the number of reported attacks involving new ransomware variants (Figure 3), coinciding with the rise of cryptocurrency miners. Despite this, more targeted and sophisticated variants such as GandCrab and SamSam came to the fore.


Figure 3: Detected ransomware from 2016 to 2018 (Source: McAfee Labs)

Our forecast is that 2019 is likely to experience a continued decline in ransomware activity, as cybercriminals look to monetize in different ways such as cryptomining. This is likely due to several factors:

  • Organizations implementing mitigation strategies such as data and system backups
  • Easier ways for criminals to monetize infections
  • Increasing user security and awareness (Keep up the good work, everyone!!)

Ransomware is designed to be loud and noticeable on an attacked system, while cryptocurrency miners remain stealthy. The attacker has the same goal of gaining cryptocurrency from their victims; however, ransomware clearly has more points of failure as it relies on several more interactions from potentially non-tech savvy users. Victims need to have at least a vague understanding of cryptocurrency to purchase any, then they must deal with cryptocurrency wallet addresses which are far from user-friendly. After all this, an attacker may or may not actually send a decryption key to the victim. Cryptocurrency miners are quite the opposite in this sense, as they require almost no additional user input other than the initial infection. For these reasons, we think 2019 will experience further decrease in ransomware activity.

There you have it! Six of Digital Shadows’ trends or events to keep track of in the new year. Be sure to check out our upcoming webinar with Supervisory Special Agent Elvis Chan of the FBI’s Cyber Division, where he will be sharing his forecasts for 2019. Happy holidays!



ShadowTalk Update – 12.03.2018
Mon, 03 Dec 2018 17:29:55 +0000

Michael Marriott, Dr Richard Gold and Simon Hall discuss our recent findings on threat actors using cracked versions of Cobalt Strike to conduct their attacks in this week’s ShadowTalk. Cobalt Strike is a powerful platform for performing offensive cyber operations, containing a wide variety of tools for conducting spear phishing and web drive-by attacks to gain initial access. While it’s used widely by security teams, including in Digital Shadows’ own internal Purple Team assessments, we’ve seen it being used for illegitimate purposes by threat actors as well. Listen to this week’s episode to find out how defenders can use this knowledge to inform their defense.


Open-source tools exploited in supply chain attacks

The United States-based cryptocurrency wallet Copay was recently the subject of a highly targeted supply chain attack. The attacker first used social engineering to obtain publishing rights to event-stream, a widely used open-source npm library, and then added a malicious dependency (flatmap-stream) whose payload was written to activate only inside Copay’s build, so that it could intercept and steal wallet data from Copay users once the release reached consumers. Although the specific amount of data stolen remains unreported, this attack exemplifies a possible trend of attackers targeting not only third-party suppliers but also the open-source packages on which many organizations rely.


New corporate cyber espionage campaigns attributed to APT10

The Chinese-state-associated threat group APT10 has reportedly intensified its targeting of Australian businesses for the purpose of corporate espionage. This activity likely indicates a broader trend of increased Chinese cyber espionage efforts worldwide; the United States recently accused China of conducting espionage operations. Such activity is likely to provoke a reaction from Western governments, which could include public attribution claims and indictments against Chinese nationals allegedly involved.


Mirai shifts focus from IOT devices to Linux servers

The Mirai botnet has targeted non–Internet-of-Things (IoT) devices, with attackers compromising Linux servers by abusing a recently disclosed Hadoop YARN vulnerability. This represents a shift in Mirai’s capabilities and an increase in its threat level. Such Linux servers can be valuable targets for attackers, particularly when used in datacenters with access to large amounts of data and bandwidth. The distribution and infection techniques are consistent with previous Mirai campaigns. Other botnet malware have similarly shifted focus away from IoT devices; this trend is likely to continue.


New variant of Pterodo backdoor indicates renewed Russian cyber campaign

The Ukrainian Computer Emergency Response Team (CERT-UA) has released information on a new version of Pterodo, a custom backdoor attributed to Russian state actors and associated with the Gamaredon threat group. The backdoor has been updated to target systems localized to former Soviet Union countries and to generate a unique command-and-control URL for each infected device, allowing the operators to decide which tools to deploy on a case-by-case basis. Given current heightened tensions between Russia and Ukraine following the Russian seizure of Ukrainian warships, it is realistically possible that the new variant of Pterodo indicates an impending Russian cyber campaign.



Threat Actors’ Use of Cobalt Strike: Why Defense is Offense’s Child
Thu, 29 Nov 2018 17:22:27 +0000

I’m a big fan of the Cobalt Strike threat emulation software. Here at Digital Shadows, it’s a staple of our internal Purple Team assessments and we’re always impressed by its capabilities. However, it appears that we are not the only ones to feel this way, and we have seen how Cobalt Strike is used for illegitimate purposes by threat actors. It is therefore important for network defenders to familiarize themselves with the capabilities of this offensive toolset. We would like to stress here that Raphael Mudge, the creator of Cobalt Strike, is firmly against this unauthorized usage of his creation and we applaud his commitment to doing the right thing.

What is Cobalt Strike

Cobalt Strike is a powerful platform for conducting offensive cyber operations. It contains a wide variety of tools for conducting spear phishing and web drive-by attacks to gain initial access. Through the artefact kit, Cobalt Strike also has a flexible obfuscation framework. However, it is in the arena of post-exploitation that Cobalt Strike really shines. It has a custom implant, called Beacon, which can handle command and control (C2) communications via HTTP(S), DNS and even SMB named pipes. Beacon has numerous options for lateral movement, e.g., WMI and psexec as well as the ability to load PowerShell and .Net assemblies for additional modules such as mimikatz.

An Attractive Tool for Threat Actors

All these features mean that Cobalt Strike is also an attractive tool of choice for criminal and nation-state actors who use it illegitimately. One way in which this is achieved is by taking the Trial version of Cobalt Strike and cracking it to remove the copy protection, as well as the deliberate artefacts that are present in the Trial version. For example, the Trial version of the Beacon implant contains the EICAR anti-virus test string, so that any competent anti-virus product flags it!

On the popular messaging platform Telegram, there is a dedicated channel for sharing information about cracked versions of Cobalt Strike for unauthorized uses.


Figure 1 – Telegram channel offering cracked versions of Cobalt Strike


An example posting from the channel can be seen below.


Figure 2 – Example posting of the latest Cobalt Strike with Chinese-language support


Following the links in the channel leads to a Chinese-language posting on Github which contains the instructions on how to crack Cobalt Strike:


Figure 3 – Chinese-language instructions for cracking Cobalt Strike


The above approach also attempts to remove some of the artefacts which are present in the Trial version of Cobalt Strike which can be used by defensive technologies to detect or block Cobalt Strike activity.

The post also links to another Github repository that contains the necessary files:


Figure 4 – Github repository hosting the Cobalt Strike Trial files for crackers


Suspicious Cobalt Strike Team Servers

We have uncovered instances of Cobalt Strike team servers (the server component of Cobalt Strike) being hosted in China, Russia, France and other countries. While some of these may be legitimate purchases of Cobalt Strike, we assess that some are not.


Figure 5 – Example of Cobalt Strike teamserver being run from China

From open source reporting it is clear that there are many threat actors who use Cobalt Strike for their network intrusions. This is an opportunity for network defenders as not only is it possible to legitimately get access to Cobalt Strike itself for testing, but there is also a wealth of documentation and training material online about Cobalt Strike’s capabilities and how to use it as an operator.


Defense is Offense’s Child

A popular maxim in security is “defense is offense’s child”. With such a popular toolset like Cobalt Strike being used by threat actors as well as legitimate Red Teams and Penetration Testers, it is valuable for network defenders to assess how their security controls prevent or detect Cobalt Strike’s behavior. While Cobalt Strike provides threat emulation capabilities in terms of being able to mimic particular malware C2 traffic or in-memory artefacts, it is also important to be able to detect and prevent Cobalt Strike in its default configuration as used by threat actors today. In particular, Cobalt Strike’s built-in privilege escalation, lateral movement and command and control capabilities are worth understanding and assessing how security controls can either prevent or detect this activity. The “Advanced Threat Tactics” online course provided for free by Raphael Mudge is an excellent place to start learning.

When considering network defenses, it is worth remembering that even moderately sophisticated threat actors can easily obtain advanced offensive tooling. They may not be as capable as others at operating Cobalt Strike effectively, but the range of functionality available and its comparative ease of use mean that it is a force to be reckoned with.
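One concrete way to assess a control against the lateral movement capabilities mentioned above is to check whether psexec-style service installs are detected. Any tool that uses the psexec technique (Sysinternals PsExec, Cobalt Strike’s jump commands, or the many clones) creates a service on the target, and Windows records this in the System log as Service Control Manager event 7045 with the service name, binary path and account. The following is an added example, not Digital Shadows code and not derived from Cobalt Strike internals: it parses constructed 7045 messages and scores them with three heuristics that are assumptions about what such tooling commonly leaves behind (a service binary on an ADMIN$ or C$ share, an interpreter one-liner as the service binary, and a short random-looking service name). Tune the trusted-directory list and the name heuristic to your estate before relying on it.

```python
"""Flag psexec-style service installs in Windows System log 7045 events.

Added example, not Digital Shadows code.  Events and heuristics are constructed
assumptions about psexec-style lateral movement, not Cobalt Strike signatures."""
import re

FIELD_RE = re.compile(
    r"^(Service Name|Service File Name|Service Type|Service Start Type|Service Account):\s*(.*)$",
    re.MULTILINE)
# Binary served straight off an admin share, e.g. \\10.0.0.5\ADMIN$\x.exe
ADMIN_SHARE_RE = re.compile(r"\\\\[^\\]+\\(?:admin|c)\$\\", re.IGNORECASE)
# Service "binary" is really a cmd/powershell one-liner.
INTERPRETER_RE = re.compile(r"(?:cmd\.exe|powershell|%comspec%|-enc(?:odedcommand)?\b)",
                            re.IGNORECASE)
# Heuristic: 7-8 alphanumerics with at least one digit looks machine-generated.
RANDOM_NAME_RE = re.compile(r"^(?=.*\d)[a-z0-9]{7,8}$", re.IGNORECASE)
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\program files\\",
                "c:\\program files (x86)\\")


def parse_7045(message):
    """Turn the event message text into a dict of its labelled fields."""
    return {key: value.strip() for key, value in FIELD_RE.findall(message)}


def score_service_install(event):
    """Return the list of reasons this install looks like psexec-style
    lateral movement; an empty list means nothing suspicious."""
    reasons = []
    name = event.get("Service Name", "")
    image = event.get("Service File Name", "").strip().strip('"').lower()
    image = image.replace("%systemroot%", "c:\\windows").replace("%windir%", "c:\\windows")
    if ADMIN_SHARE_RE.search(image):
        reasons.append("service binary loaded from an admin share (ADMIN$/C$), as psexec-style tools do")
    elif not image.startswith(TRUSTED_DIRS):
        reasons.append("service binary outside trusted directories")
    if INTERPRETER_RE.search(image):
        reasons.append("service binary is an interpreter one-liner (cmd/powershell)")
    if RANDOM_NAME_RE.match(name):
        reasons.append("short random-looking service name")
    return reasons


def triage(messages):
    """Parse each 7045 message and return [(service name, reasons)] for the
    ones that tripped at least one heuristic."""
    flagged = []
    for message in messages:
        event = parse_7045(message)
        reasons = score_service_install(event)
        if reasons:
            flagged.append((event.get("Service Name", "?"), reasons))
    return flagged


# Constructed 7045 messages: one benign vendor agent, two psexec-style installs.
SAMPLE_EVENTS = [
    r"""A service was installed in the system.

Service Name: VendorAgent
Service File Name: "C:\Program Files\Vendor\agent.exe"
Service Type: user mode service
Service Start Type: auto start
Service Account: LocalSystem""",
    r"""A service was installed in the system.

Service Name: fcb4e1a
Service File Name: \\10.0.0.5\ADMIN$\fcb4e1a.exe
Service Type: user mode service
Service Start Type: demand start
Service Account: LocalSystem""",
    r"""A service was installed in the system.

Service Name: 9d2a7b3c
Service File Name: %COMSPEC% /b /c start /b /min powershell -nop -w hidden -encodedcommand SQBFAFgAIAAoAE4A
Service Type: user mode service
Service Start Type: demand start
Service Account: LocalSystem""",
]

if __name__ == "__main__":
    for service, reasons in triage(SAMPLE_EVENTS):
        print(service)
        for reason in reasons:
            print("   -", reason)
```

Running the same logic over a day of real 7045 events is a quick way to see whether your SIEM would have surfaced a Purple Team’s psexec hop; if nothing fires, the gap is in collection (System log not forwarded) or in detection (no rule on service installs), and both are cheap to fix.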

Mapping the ASD Essential 8 to the Mitre ATT&CK™ framework
Tue, 27 Nov 2018 15:57:14 +0000

Australian Signals Directorate Essential 8

The Australian Signals Directorate (ASD) has published what it calls the “Essential 8”: a set of fundamental mitigation strategies that serve as a baseline for securing an organization. It is intended to be a pragmatic set of controls that address the most common adversary behaviours. They are:

  1. Application whitelisting. Ensures that only approved programs can run; intended to prevent the execution not only of binaries (.exe, etc.) but also of scripts.
  2. Patch applications. Prevents exploitation of known vulnerabilities in software.
  3. Configure Microsoft Office macro settings to block macros from the Internet. Attackers still often use Office macros to trick users into installing malware.
  4. User application hardening. Many features are unnecessary and pose a security risk, for example OLE object embedding in Microsoft Office documents.
  5. Restrict administrative privileges. Apply the principle of least privilege: only users who require administrative privileges for their work should have them.
  6. Patch operating systems. Operating system vulnerabilities are often exploited by attackers to elevate their privileges.
  7. Multi-factor authentication. Remote access services such as Virtual Private Networks (VPNs) should require multi-factor authentication, so that a stolen or reused password alone is not enough to get in.
  8. Daily backups. When confronted with a ransomware attack, backups are what allow an organization to recover without paying.

There is often a feeling of “security nihilism” when it comes to reporting around intrusions, especially those conducted by nation-states or other types of APT threat actor groups. However, pragmatic approaches such as the Essential 8 framework go a long way to mitigating many typical adversary behaviors. That is, it increases the costs for an attacker to attack a particular organization. This is the name of the game. In order to demonstrate this, we took our recent work on the Mitre ATT&CK framework and various indictments of cyber criminals and nation state actors and mapped them to the Essential 8 framework:



Lessons learned

The mapping exercise was very instructive and yielded a number of key insights:

  1. Prevention only gets you so far. There are multiple gaps in the ATT&CK framework that cannot easily be addressed by prevention and therefore require detection mechanisms to be in place in order to catch adversary behavior, particularly in the later stages of the attack lifecycle.
  2. Essential 8 addresses many common adversary techniques in the middle of the attack lifecycle: for example, how attackers gain code execution, how they persist in the target environment, and how they escalate privileges.
  3. Essential 8, by design, does not address to the same extent the work attackers do before they attempt code execution. Spear phishing is a TTP used by all four threat actors we looked at, but the Essential 8 contains no preventative measure against it; its prevention is focused on stopping malicious code from executing once it arrives at the user’s endpoint.
  4. Essential 8 maps very well to the Enterprise ATT&CK framework. There are, however, still missing mitigation strategies for the PRE-ATT&CK framework. This is something that Digital Shadows wishes to address in 2019.

Essential 8 is an excellent framework for mitigating many common adversary behaviours. By mapping some well-known adversaries to the ATT&CK framework we can see how, by using Essential 8, an organization can significantly obstruct them. However, Essential 8 is just the beginning of a cyber security program. As the mapping demonstrates, detection is an essential part of that program, especially at the earlier and later stages of the attack lifecycle.
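The mapping exercise reduces to a set operation: for each technique an actor uses, which Essential 8 strategies (if any) mitigate it, and which techniques are left for detection. The following is an added example, not Digital Shadows’ mapping (theirs was presented as a figure) and not an ASD or MITRE publication: the technique IDs are current ATT&CK Enterprise technique IDs, but the strategy-to-technique mapping and the sample actor profile are illustrative assumptions made for this example. Run against the constructed profile it reproduces the lessons above: phishing at the front and C2/exfiltration at the back are left for detection, while execution, persistence and privilege escalation are covered.

```python
"""Essential 8 coverage check against an actor's ATT&CK techniques.

Added example, not Digital Shadows' or ASD's mapping.  Technique IDs are real
ATT&CK Enterprise IDs; the mapping and actor profile are illustrative assumptions."""

TECHNIQUES = {  # id: (name, lifecycle stage)
    "T1566": ("Phishing", "initial access"),
    "T1190": ("Exploit Public-Facing Application", "initial access"),
    "T1133": ("External Remote Services", "initial access"),
    "T1204": ("User Execution", "execution"),
    "T1203": ("Exploitation for Client Execution", "execution"),
    "T1059": ("Command and Scripting Interpreter", "execution"),
    "T1547": ("Boot or Logon Autostart Execution", "persistence"),
    "T1068": ("Exploitation for Privilege Escalation", "privilege escalation"),
    "T1078": ("Valid Accounts", "privilege escalation"),
    "T1003": ("OS Credential Dumping", "credential access"),
    "T1021": ("Remote Services", "lateral movement"),
    "T1071": ("Application Layer Protocol", "command and control"),
    "T1041": ("Exfiltration Over C2 Channel", "exfiltration"),
    "T1486": ("Data Encrypted for Impact", "impact"),
}

# Illustrative mapping (assumption for this example): which techniques each
# Essential 8 strategy prevents or, for backups, lets you recover from.
ESSENTIAL_8 = {
    "application whitelisting": {"T1204", "T1059", "T1547"},
    "patch applications": {"T1203", "T1190"},
    "configure Office macro settings": {"T1204"},
    "user application hardening": {"T1203"},
    "restrict administrative privileges": {"T1003", "T1021"},
    "patch operating systems": {"T1068"},
    "multi-factor authentication": {"T1078", "T1133"},
    "daily backups": {"T1486"},
}


def coverage(actor_ttps, mapping=ESSENTIAL_8):
    """Split an actor's techniques into those some strategy mitigates
    (with the list of strategies) and those left for detection."""
    prevented, detect_only = {}, []
    for tid in sorted(actor_ttps):
        strategies = sorted(s for s, techs in mapping.items() if tid in techs)
        if strategies:
            prevented[tid] = strategies
        else:
            detect_only.append(tid)
    return {"prevented": prevented, "detect_only": detect_only}


def gaps_by_stage(actor_ttps, mapping=ESSENTIAL_8):
    """Group the uncovered techniques by lifecycle stage; this is where the
    lesson shows up, with gaps clustering at the front and the back."""
    gaps = {}
    for tid in coverage(actor_ttps, mapping)["detect_only"]:
        name, stage = TECHNIQUES[tid]
        gaps.setdefault(stage, []).append(f"{tid} {name}")
    return gaps


# Constructed actor profile: a phishing-to-ransomware intrusion.
SAMPLE_ACTOR = {"T1566", "T1204", "T1059", "T1547", "T1068",
                "T1003", "T1021", "T1071", "T1041", "T1486"}

if __name__ == "__main__":
    result = coverage(SAMPLE_ACTOR)
    for tid, strategies in result["prevented"].items():
        print(f"{tid} {TECHNIQUES[tid][0]}: {', '.join(strategies)}")
    for stage, techniques in gaps_by_stage(SAMPLE_ACTOR).items():
        print(f"detection needed at {stage}: {', '.join(techniques)}")
```

Swapping in your own mapping (for instance one that distinguishes "prevents" from "limits", since restricting admin privileges narrows credential dumping without stopping it) and the TTPs from an indictment or intrusion report gives the same picture the post draws: the framework is strong mid-lifecycle and the remaining gaps are a detection problem.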

ShadowTalk Update – 11.26.2018
Mon, 26 Nov 2018 17:19:51 +0000

With Black Friday kicking off the holiday spending season, Harrison Van Riper, Jamie Collier, and Rafael Amado focus on the cyber security threats faced by retailers and online shoppers. Despite increased sales for retailers and bargain opportunities for consumers, Black Friday has had the unintended consequence of emboldening and enabling profit-seeking cybercriminals. The team discuss continuing activity by the Magecart group, as well as the ways in which cybercriminals are gearing up for the holidays, drawn from our investigations of online forums and messaging applications.



Double trouble for Russian banks in new spearphishing attacks

Two sophisticated cybercrime groups have been observed targeting unnamed Russian banks in new spearphishing campaigns. The campaigns have been attributed to the Silence and MoneyTaker threat groups, which have both historically targeted Russian banks to conduct large-scale thefts. While the groups employed similar tactics and techniques, there was no indication they collaborated on these attacks.


Researchers attribute new RAT campaign to TA505 threat group

Security researchers have attributed a new remote-access trojan (RAT) called tRat to the threat actor “TA505.” The RAT has been observed in malicious campaigns targeting commercial banking institutions during September and October 2018. tRat is likely in a testing phase as its full capabilities have not been deployed in the wild to date. The malware can retrieve additional modules designed to target different browsers and platforms, meaning the RAT can be tailored to the attacker’s objectives.


DarkGate malware offers variety of functions for financially-motivated attackers

An unknown threat actor has deployed a new malware variant dubbed DarkGate against Windows-based devices in Europe to conduct financially-motivated attacks. This sophisticated multifunctional malware can steal and mine cryptocurrency, deploy ransomware and facilitate the remote control of infected devices. To date, DarkGate has only targeted online users in Europe but could feasibly be deployed against additional geographies in future.


Active campaign targets Linux-based Drupal systems with DirtyCOW and Drupalgeddon2 exploits

Threat actors are chaining two well-known vulnerabilities against Drupal sites hosted on Linux: Drupalgeddon2 (CVE-2018-7600), a remote code execution flaw in Drupal core, and DirtyCOW (CVE-2016-5195), a privilege escalation bug in the Linux kernel. Attackers identified sites running outdated versions of Drupal and exploited Drupalgeddon2 to gain code execution as the web server user and establish a foothold. DirtyCOW is a local exploit and cannot be used without that initial foothold; having gained it, the attackers then attempted DirtyCOW to escalate to root. Both vulnerabilities have been patched for some time, but a significant number of hosts remain unpatched and at risk. Drupal is a lucrative target because of its popularity, with an estimated 2.3% of all websites using the content management system. Attribution for the attacks was unconfirmed at the time of writing.
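Because the first stage of this chain arrives over HTTP, the quickest check a Drupal operator can run is a pass over the web server access log for the request shapes the public Drupalgeddon2 exploits use. The script below is an added example written for this page, not code from the original post or from the researchers who reported the campaign; the log lines are constructed (RFC 5737 addresses) and the callback keys in RENDER_KEYS are the two most commonly abused in public exploit code, so extend the list for your own environment. A 200 response to one of these requests is the signal to go and look for the follow-on DirtyCOW attempt on the host (unexpected binaries in /tmp, a kernel older than the October 2016 fix).

```python
import re
from urllib.parse import unquote, urlsplit

# Combined/common log format: client, identd, user, [time], "METHOD URL PROTO", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Render-array callback keys abused by public Drupalgeddon2 exploits; extend as needed.
RENDER_KEYS = ("#post_render", "#lazy_builder")


def is_drupalgeddon2(method: str, url: str) -> bool:
    """Return True if the request line matches a known CVE-2018-7600 exploitation pattern."""
    parts = urlsplit(url)
    query = unquote(parts.query)  # %23value -> #value
    # Drupal 8 vector: POST /user/register?element_parents=account/mail/#value&ajax_form=1
    if (method == "POST"
            and parts.path.rstrip("/").endswith("/user/register")
            and "element_parents=" in query
            and "ajax_form=1" in query):
        return True
    # Drupal 7 vector and variants: render callbacks injected straight into form parameters
    return any(key in query for key in RENDER_KEYS)


def scan_log(lines) -> list:
    """Return (client_ip, method, url, status) for each suspicious request; a 200 means it likely worked."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_drupalgeddon2(m["method"], m["url"]):
            hits.append((m["ip"], m["method"], m["url"], m["status"]))
    return hits


# Constructed sample access-log lines, not taken from a real server.
SAMPLE_LOG = [
    '203.0.113.7 - - [14/Nov/2018:10:12:01 +0000] "POST /user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax HTTP/1.1" 200 1530',
    '198.51.100.4 - - [14/Nov/2018:10:12:05 +0000] "GET /node/12 HTTP/1.1" 200 8421',
    '203.0.113.7 - - [14/Nov/2018:10:12:09 +0000] "POST /?q=user/password&name[%23post_render][]=passthru&name[%23type]=markup&name[%23markup]=id HTTP/1.1" 200 212',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("possible Drupalgeddon2 attempt:", hit)
```

Run it against `zcat access.log*.gz` output in bulk; the URL match is cheap, and URL-decoding the query first is what stops the `%23` encoding of `#` from hiding the callback names.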


To stay up to date with the latest digital risk and threat intelligence news, subscribe to our threat intelligence emails here.

Black Friday and Cybercrime: Retail’s Frankenstein Monster Tue, 20 Nov 2018 18:28:18 +0000 With every year that passes, Black Friday seems to morph into a creation its original proponents could not have even envisioned. Not so long ago, it was simply the day following Thanksgiving in the United States (US), when retailers would offer sales and discounts to mark the beginning of the holiday shopping season. Now, Black Friday has become a global phenomenon that stretches over weeks, if not months, rather than a single day.

Technological advances have brought new opportunities and challenges for retailers, particularly at this time of year. The emergence of Cyber Monday, for example, highlights the change in consumption habits, with retailers looking to maximise their sales opportunities by dedicating a day just to online shopping. According to some estimates, consumers in the US spent over $14.5 billion in online transactions over the Black Friday-Cyber Monday weekend in 2017, while sales in the UK hit £3.1 billion.

Although consumers and retailers may benefit from the discounted goods and spike in online trade, Black Friday has had the unintended consequence of emboldening and enabling profit-seeking cybercriminals. We’ve monitored a range of online sources to find out how cybercriminals are preparing to take advantage of the sales this year.

Figure 1: Mentions of “Black Friday” across chat messages, forum posts and dark web pages since May 2018 (taken from Digital Shadows’ Shadow Search)


  1. Trading online carding tutorials

Like most seasoned shoppers, online carders are always on the lookout for a good deal. In advance of Black Friday, these fraudsters will typically identify the retailers and items on their wish list (hitlist), with electronic goods such as mobile phones and laptops most in demand given their high price point and resale value. A subsidiary market has therefore developed within the carding community, where sellers will advertise tailored carding tutorials for each individual retailer (Figures 2 and 3).



Figure 2: Carding tutorials advertised on Telegram (screenshots taken from Shadow Search portal)


Figure 3: Carding tutorials for individual retailers advertised on Telegram


  2. Purchasing stolen payment cards

With targets and items in sight, fraudsters need to ensure they have valid stolen payment cards to hand once Black Friday gets underway. In this Portuguese-language Telegram channel, the group administrator highlights the impending Black Friday and Cyber Monday sales, before reminding users to take advantage of the fresh payment cards being sold on their automated vending cart (AVC) store, singularity[.]ws.


Figure 4: Telegram channel for singularity[.]ws


  3. Arranging drops and pickups

A “drop” is a location that the carder uses for the shipping address in the carding process. In preparation for Black Friday, carders are after individuals who will sell their PO boxes or empty homes, so goods can be delivered. Likewise, carders also take to online forums and messaging applications to employ “pickers” – an individual recruited to collect the carded item from the drop address (Figure 5).

Figure 5: Forum user requesting both drop locations and pickers in advance of Black Friday


  4. Pooling resources

While some carders may choose to go it alone, some may instead opt to rally together on joint carding schemes. In one particular Telegram channel, the user “Life Support” offered to bulk buy a range of carded items during Black Friday that they could then sell on for a profit (Figure 6). All participating users would have to contribute $60 to Life Support to cover their time and the cost of materials such as stolen payment cards.


Figure 6: Joint carding schemes advertised on Telegram channel


  5. Embracing the holiday spirit

Rather than target retailers through carding, some users will instead try and get in on the action by providing their own discounted products under the Black Friday banner. In Figures 7 and 8 below, respective users offered botnets ranging between $60-1000 depending on the location, and Black Friday “coupons” for discounted proxy services.

Figure 7: Supr3me using “Black Friday” name to offer their own botnet services on crdclub[.]ws

Figure 8: Forum user offers Black Friday coupons for purchasing proxy services


 Responding to Retail Threats

While online fraud will certainly be a feature of Black Friday for the foreseeable future, there are several steps payment card companies, online retailers and consumers can take to protect themselves.

  1. Payment card companies should monitor for permutations of their domain name that could indicate criminals seeking to harvest information from customers. They should also monitor carding sites for Bank Identification Numbers (BINs) and Issuer Identification Numbers (IINs) that are offered for sale on forums, paste sites and AVCs.
  2. Merchants should monitor for mentions of their company name on “cardable” sites, which indicate their sites have been identified to have lax security controls and are deemed easier targets. Google Alerts and open source web crawlers like Scrapy can help. If you want to search across dark web pages, criminal forums and Telegram channels, you can test drive SearchLight for 7 days.
  3. Merchants should consider using 3D Secure as an additional layer of security which has proven to be a real obstacle for criminals and is deployed by Visa and Mastercard.
  4. Consumers can try and reduce the risk of payment card theft by transacting with known retailers, and – if shopping somewhere new – ensuring the merchant uses 3D Secure.
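The first two recommendations above are both monitoring jobs that are easy to start with a few lines of code. The following is an added example written for this page (not Digital Shadows' code and not a description of how SearchLight works): it generates the permutations of a brand domain that a phishing registrant would pick, checks a list of observed domains against them, and counts Luhn-valid card numbers in scraped forum text whose first six digits are one of the issuer's BINs. The domain, observed list and forum snippet are constructed; the card numbers are the publicly documented test numbers, not real cards.

```python
import re

# Visually similar substitutions used in typosquats (extend with Unicode homoglyphs if you watch IDNs).
HOMOGLYPHS = {"o": "0", "l": "1", "i": "1", "e": "3", "a": "4", "s": "5", "m": "rn"}
# TLDs commonly registered alongside the genuine one.
ALT_TLDS = ("com", "net", "org", "co", "info", "shop")


def generate_permutations(domain: str) -> set:
    """Return typosquat candidates for a second-level domain such as 'acmebank.com'."""
    name, _, tld = domain.lower().partition(".")
    if not name or not tld:
        raise ValueError("expected name.tld")
    variants = set()
    for i, ch in enumerate(name):
        variants.add(name[:i] + name[i + 1:])                  # omission:    acmbank
        variants.add(name[:i] + ch + name[i:])                 # repetition:  acmeebank
        if ch in HOMOGLYPHS:
            variants.add(name[:i] + HOMOGLYPHS[ch] + name[i + 1:])  # homoglyph: acmeb4nk
    for i in range(len(name) - 1):
        variants.add(name[:i] + name[i + 1] + name[i] + name[i + 2:])  # transposition: acmebnak
        variants.add(name[:i + 1] + "-" + name[i + 1:])               # hyphenation:   acme-bank
    variants.discard(name)
    candidates = {f"{v}.{tld}" for v in variants}
    candidates |= {f"{name}.{t}" for t in ALT_TLDS if t != tld}       # TLD swap: acmebank.net
    return candidates


def find_lookalikes(domain: str, observed) -> list:
    """Observed domains (new-registration or certificate-transparency feed) that are permutations of ours."""
    wanted = generate_permutations(domain)
    return sorted({d.lower().strip(".") for d in observed} & wanted)


def luhn_ok(number: str) -> bool:
    """Luhn check digit, used to discard random digit runs before matching BINs."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


CARD_RE = re.compile(r"\b\d{13,19}\b")


def count_issuer_bins(text: str, issuer_bins) -> dict:
    """Count Luhn-valid card numbers in scraped text whose 6-digit BIN belongs to the issuer."""
    counts = {}
    for pan in CARD_RE.findall(text):
        bin6 = pan[:6]
        if bin6 in issuer_bins and luhn_ok(pan):
            counts[bin6] = counts.get(bin6, 0) + 1
    return counts


# Constructed samples: placeholder domains and publicly documented test card numbers.
OBSERVED_DOMAINS = ["acmebnak.com", "acmeb4nk.com", "acme-bank.com",
                    "acmebank.net", "example.org", "acmebank.com"]
SCRAPED_POST = "fresh fullz 4111111111111111 cvv 123 | 4111111111111112 | 5555555555554444 live"

if __name__ == "__main__":
    print(find_lookalikes("acmebank.com", OBSERVED_DOMAINS))
    print(count_issuer_bins(SCRAPED_POST, {"411111"}))
```

Feed `find_lookalikes` from a daily zone-file diff or a certificate-transparency stream rather than from WHOIS lookups, which are rate-limited; the BIN counter is deliberately strict (Luhn plus an exact prefix) so that a spike in one BIN on a carding site is a real signal rather than noise from phone numbers and order IDs.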


Carding isn’t the only threat facing consumers and retailers at this time of year. We’ve previously reported on how criminals will use the increased footfall in stores and online transactions to conduct Point of Sale (POS) malware attacks, account takeovers, and denial of service (DoS) extortion attempts. For more details on the wide range of threats to the holiday period, check out our whitepaper, Cybercrime and the Holiday Season.


To stay up to date with the latest digital risk and threat intelligence news, subscribe to our threat intelligence emails here.

Sextortion 2.0: A New Lure Tue, 20 Nov 2018 15:23:16 +0000 Back in September we released a blog about the large volume of sextortion email campaigns that were hitting people’s inboxes. We have continued to monitor the campaigns and have seen a recent change in tactics, with some unusual approaches being favoured by the sextortionists this time around.


Cisco ASA vulnerability lure – too long; didn’t read

Previously the emails were simple and direct: “I have your password; this is proof that I have access to your computer”. The recent shift in tactics is to suggest that the sender already has access to the user’s mailbox by spoofing the sender address so that the message appears to come from the recipient’s own account. This is an easy trick to pull off, though it does increase the risk of the email being flagged as spam or dropped outright by the receiving mail server.

The other significant change is a reference to a recent 2018 vulnerability affecting selected Cisco devices (CVE-2018-0296), a denial of service (DoS) vulnerability in the Cisco ASA web service. Once again, this seems too specific and is more likely to reduce the chances of a successful campaign, as most users know whether they have a Cisco appliance or a generic broadband router. Moreover, an increasing number of corporate email domains are now configured with Sender Policy Framework (SPF) and the related DKIM and DMARC controls to reduce the risk of spoofing; SPF on its own only validates the envelope sender, so a forged From: header (the address the user actually sees) is only rejected where the domain also publishes a DMARC policy.

The body of text has also changed and differs between variants of the email. Certain words appear and then disappear, while some emails provide the passwords and others do not. Some even have spelling mistakes throughout. All of these may be techniques used to avoid simple keyword and pattern matching.
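The three changes described above (spoofed sender, CVE name-dropping, deliberate misspellings) are all things a mail filter can score for rather than match exactly. The following is an added example written for this page, not code from the original post: it parses a raw message, fuzzy-matches the lure vocabulary so that “pasword” and “webcamm” still count, and adds weight for a Bitcoin address, a CVE reference, a From: address identical to the To: address, and an SPF failure recorded by the receiving gateway. The two sample messages, the term list, the weights and the threshold of 6 are all constructed for the example and would need tuning against your own mail.

```python
import difflib
import re
from email import message_from_string
from email.utils import parseaddr

# Lure vocabulary seen across the variants; fuzzy matching tolerates the
# deliberate misspellings used to slip past exact keyword filters.
LURE_TERMS = ("webcam", "video", "password", "bitcoin", "hacked",
              "malware", "contacts", "recording", "adult", "router")
BTC_RE = re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b")  # coarse legacy-address shape only
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,7}\b", re.IGNORECASE)
WORD_RE = re.compile(r"[a-z]{4,}")


def fuzzy_hits(body: str, cutoff: float = 0.8) -> set:
    """Lure terms present in the body, allowing misspellings (difflib ratio >= cutoff)."""
    words = set(WORD_RE.findall(body.lower()))
    return {term for term in LURE_TERMS
            if term in words or difflib.get_close_matches(term, words, n=1, cutoff=cutoff)}


def score_message(raw: str) -> dict:
    """Score one raw RFC 822 message; 'suspect' flips at a threshold tuned for these samples only."""
    msg = message_from_string(raw)
    body = "" if msg.is_multipart() else msg.get_payload()
    sender = parseaddr(msg.get("From", ""))[1].lower()
    recipient = parseaddr(msg.get("To", ""))[1].lower()
    spf = re.search(r"spf=(\w+)", msg.get("Authentication-Results", ""))
    findings = {
        "lure_terms": fuzzy_hits(body),
        "btc_addresses": BTC_RE.findall(body),
        "cve_mentions": CVE_RE.findall(body),
        # Sender address identical to the recipient: the "I'm inside your mailbox" trick.
        "sender_spoofs_recipient": bool(sender) and sender == recipient,
        # Written by the receiving MTA; only meaningful if your gateway adds this header.
        "spf_fail": bool(spf) and spf.group(1).lower() in ("fail", "softfail"),
    }
    findings["score"] = (len(findings["lure_terms"])
                         + 3 * bool(findings["btc_addresses"])
                         + 2 * bool(findings["cve_mentions"])
                         + 2 * findings["sender_spoofs_recipient"]
                         + 2 * findings["spf_fail"])
    findings["suspect"] = findings["score"] >= 6
    return findings


# Constructed samples (the Bitcoin address is the well-known genesis-block address, used only as a valid string).
SEXTORTION_SAMPLE = """\
From: alice@example.com
To: alice@example.com
Subject: alice your account has been hackd
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.com

I hackd your device and know your pasword. I installed malwar on your rooter using
CVE-2018-0296 and recorded a video from your webcamm. Send 0.2 bitcoiin to
1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa within 48 hours or it goes to all your contacs.
"""

BENIGN_SAMPLE = """\
From: newsletter@example.net
To: alice@example.com
Subject: Your weekly video digest
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.net

Here is this week's video round-up. Reset your password any time from the account page.
"""

if __name__ == "__main__":
    for sample in (SEXTORTION_SAMPLE, BENIGN_SAMPLE):
        print(score_message(sample))
```

The fuzzy step is what makes the variant churn described above expensive for the sender: dropping a word or misspelling it costs them one point, not the whole match, while the spoofed-self sender and the payment address remain strong signals they cannot remove without breaking the scam.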

Figure 1 – TLDR: Latest sextortion email with Cisco vulnerability lure


Figure 2 – Closeup of latest sextortion email with Cisco vulnerability lure


Who has been targeted?

As in the previous campaigns we investigated, the target information (email/password) is being picked from breached or leaked data, with Anti Public and Exploit[.]in combination lists being the preferred choices.

With demands ranging from $550 to $899, the attacker(s) have been able to amass over $19,000 so far based on the number of transactions made to the associated Bitcoin addresses we’ve tracked.


What is the scale looking like this time around?

We’ve noticed the campaign(s) using these newer methods over the last month; however most of the emails using the Cisco vulnerability tactic have been a feature of the last week, with a huge spike occurring on 10 November.

Figure 3 – CVE-related campaign volume since 10 November, 2018


Figure 4: Comparison between previous sextortion campaigns and recent CVE-related variation



While the attempts seem to be a bit over the top, current indications are that the campaign(s) are receiving Bitcoin, or they are shifting Bitcoin around in an attempt to add some kind of credibility. As we have discussed previously, these scams are a volume game; with large enough target lists the campaigners will continue to receive payments. The best thing that users can do is:

  • Stay vigilant and inspect your email with a bit more caution and suspicion. Look out for the tell-tale signs that you are being targeted by a mass scam campaign
  • Make sure you are refreshing passwords and aren’t reusing them across sensitive accounts, particularly as these email and password pairs appear to have been sourced from breached data and public combination lists
  • Enable two-factor authentication where possible to help prevent account takeovers even if your password is leaked publicly.

If these emails are making their way into your corporate inbox, then it’s probably time to speak to your IT teams and work on that email security! In future blogs from the Security Engineering Team, we’ll be focusing on ways practitioners can improve their organization’s email security and risk reduction processes.


To stay up to date with the latest digital risk and threat intelligence news, subscribe to our threat intelligence emails here.

ShadowTalk Update – 11.19.2018 Mon, 19 Nov 2018 15:36:21 +0000 Leaked court documents surfaced this week detailing how Italian authorities tried and ultimately failed to identify and convict the vigilante hacker, Phineas Fisher, best known for the infamous breach against the Italian surveillance and technology company, Hacking Team. Dr. Richard Gold and Harrison Van Riper join Rafael Amado in this week’s edition of ShadowTalk. The team discuss the history of Phineas Fisher, the techniques used to break into the Hacking Team network, and the operational security (OPSEC) practices that allowed Phineas Fisher to remain at large.



New nation-state threat actor uses advanced TTPs to target Pakistan

A newly-observed cyber espionage threat group dubbed The White Company has reportedly been conducting an ongoing campaign called Operation Shaheen against Pakistan’s government and military entities. The campaign used complex obfuscation techniques and incorporated active antivirus detection avoidance measures. Due to the campaign’s technical complexities and apparent goals, the group is likely nation-state–sponsored, though concrete attribution is unknown at the time of writing.


Lazarus Group’s FASTCash malware operations detailed

Security researchers published new details of the TTPs employed in the Lazarus Group malware operation dubbed FASTCash. Using an as-yet-unidentified initial access method, the group compromised the application servers that process a bank’s ATM transaction requests and installed the FASTCash malware, which inspects every withdrawal request passing through. For requests initiated by Lazarus Group operators at the ATM, the malware returns fraudulent approval responses in place of the bank’s own answer, so the ATM dispenses the cash. The threat from the FASTCash campaign is assessed to be high because of the campaign’s widespread nature (the malware has affected over 30 countries to date) and the resultant direct financial loss.


Cryptojacking campaign targets Canadian university

An unidentified threat actor targeted a Canadian university in a cryptojacking attack that abused the university’s computational resources to mine Bitcoin. St. Francis Xavier University disabled its entire network and reset all user passwords in response to the attack. Universities are lucrative targets for cryptojacking campaigns due to their significant computational resources and relatively low levels of cyber security maturity (when compared to other similarly-sized organizations).

Law Firm Uncovers Exposed Sensitive Details About Top Attorney Online Thu, 15 Nov 2018 14:49:23 +0000 VIPs and executives who are critical to your company and brand can be targeted by threat actors or groups who exploit their personal information to cause financial, brand or reputational damage – or even physical harm. Law firms are among the targets for this type of criminal activity as they possess sensitive data that threat actors can monetize, including: intellectual property (IP), merger and acquisition (M&A) details, as well as strategy and financial insights about their corporate clients.

A regional law firm recently discovered key employee details exposed online for its Chief Counsel. A closer look revealed information that left the top attorney’s family vulnerable.

Data Loss Can Leave VIPs Exposed

Social media spoofing, over-sharing or personally identifiable information (PII) exposed in data breaches can leave corporate executives, board members, key technical employees and public figures exposed with damaging consequences. The exposed data is used for profit by the attackers or sold on the open, deep, and dark web for others to use as they wish. Below are just a few examples of how this data is obtained and used.


Figure 1: Some examples of the attack techniques and risks associated with VIP Exposure.

Detecting and Mitigating VIP Exposure

In the case of this law firm, the sensitive information found online would have been extremely useful for attackers performing spear phishing or doxing campaigns.

Upon further investigation, the information found in Pastebin – including family names and home addresses – was confirmed to be valid. The law firm took swift action and removed the content, thereby mitigating the risk. They also used the experience to update employee training and provided tips for how best to reduce the risk.

See how Digital Shadows SearchLight™ helps clients monitor for, investigate and mitigate digital risks, including VIP Exposure: Test drive SearchLight™ free here.


To stay up to date with the latest digital risk and threat intelligence news, subscribe to our threat intelligence emails here.

A Look Back at the ENISA Cyber Threat Intelligence-EU Workshop 2018 Tue, 13 Nov 2018 14:07:28 +0000 I recently attended the ENISA (European Union Agency for Network and Information Security) Threat Intelligence Workshop held in Brussels on 4-5 November, 2018. ENISA organized the event to bring experts, researchers, practitioners and academics together to promote dialogue and envision the future of Cyber Threat Intelligence (CTI) as a key cybersecurity practice.

Several experts joined the workshop from both the public and private sectors in an effort to connect EU institutions, the CTI industry and academia. Digital Shadows participated in the event, representing the industry view for future CTI development and current best practices.




The following topics were discussed during both presentations and networking sessions at this year’s event:

  • AI (Artificial Intelligence): Both the EU and the private sector presented their approaches to using AI to improve CTI operations. AI appears to be a research area that will attract significant interest for the foreseeable future. Several implementations were presented, such as IBM’s Watson and ENISA’s Open CSAM, which promise advanced searching and results through applicable AI techniques.


  • CTI Capabilities Framework and maturity level: It is commonly accepted that CTI is a cyber security area where more expertise is needed and where specific capabilities need to be defined to reflect operational, strategic and tactical goals. At the same time, CTI maturity is considered poor across EU institutions and member states. Participants recognized that a dedicated effort is needed to improve in these areas. Another point of agreement was that CTI is a necessity and should be a function within security operations, fitting within or alongside existing structures such as Security Operations Centres (SOCs) or incident response teams.


  • MITRE ATT&CK Framework: Across several presentations and one-on-one conversations, I heard participants point to the MITRE ATT&CK framework as the main reference model for mapping adversary actions and providing additional context to intelligence data. All the vendors agreed that it is the right approach to explaining and describing adversaries’ operations and tactics, techniques and procedures (TTPs). Digital Shadows presented a practical approach of how a publicly available source for adversary TTPs can be mapped to the MITRE ATT&CK framework (in this case the GRU indictment for the DNC and DCCC attacks).


  • CTI Analyst Competencies: What makes a CTI analyst a real expert? A presentation about CTI analyst competencies revealed the expertise gap and raised the question of how it could be closed. Part of the problem is that the CTI analyst’s skill set has yet to be widely established and accepted. A background in computing fundamentals, information security, data collection and examination, and critical thinking was defined as the core requirement for a successful CTI analyst. ENISA expressed its interest in investing more resources in CTI training, and asked the industry community for further and active contribution. The European Defence College was also pointed to as a potential education provider.


  • Automation: Large-scale security event data, demanding analysis and processing timelines, growing requirements and an evolving threat landscape all place more load on CTI analysts. Part of the recommended solution is automation at every stage (collection, processing, reporting), with AI again expected to be a significant part of it.


  • STIX2: Presented by its own creator, the STIX2 talk highlighted the weakness of traditional intelligence data (IP lists, file hashes) and the strength of the structured, contextualized data STIX2 provides. Several STIX1 weaknesses have been addressed and the standard is more interoperable than ever before. A STIX2 certification programme is under way to confirm compatibility and standardization for information exchange. Even so, several CTI components still lack standards and will need to be addressed in future.


  • CTI Defense Research: The European Defense Agency (EDA) described the opportunities and future goals of EU defense authorities and how CTI will play a significant part. Most industry people do not know the EDA’s role, which is to promote research for defense, including Cyber. Future budget for research will be focused on cyber security.
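The STIX2 point above is easiest to see in code: a flat IP list tells you nothing about why the IP matters, whereas a STIX2 bundle carries that answer as relationships between objects. The following is an added example written for this page, not ENISA’s, OASIS’s or Digital Shadows’ code: it assembles a small STIX 2.0 bundle with plain dictionaries (no external library), walks the relationship graph outwards from an indicator to recover its context, and shows that the old flat IOC list can still be derived from the patterns when a blocklist is all a tool can consume. The intrusion set, malware name and C2 address are constructed; T1193 is the ATT&CK identifier for Spearphishing Attachment as it existed in 2018.

```python
import json
import re
import uuid
from datetime import datetime, timezone

# Fixed timestamp so the bundle is reproducible; STIX requires millisecond UTC timestamps.
STIX_TS = datetime(2018, 11, 13, tzinfo=timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
PATTERN_RE = re.compile(r"([\w-]+:[\w.]+)\s*=\s*'([^']*)'")


def sdo(obj_type: str, **props) -> dict:
    """Build a STIX 2.0 object with the common required properties (type, id, created, modified)."""
    return {"type": obj_type, "id": f"{obj_type}--{uuid.uuid4()}",
            "created": STIX_TS, "modified": STIX_TS, **props}


def relationship(source: dict, rel_type: str, target: dict) -> dict:
    return sdo("relationship", relationship_type=rel_type,
               source_ref=source["id"], target_ref=target["id"])


def build_bundle() -> dict:
    """A minimal bundle: an indicator tied through relationships to malware, an intrusion set and a technique."""
    actor = sdo("intrusion-set", name="Example Intrusion Set")
    rat = sdo("malware", name="ExampleRAT", labels=["remote-access-trojan"])
    technique = sdo("attack-pattern", name="Spearphishing Attachment",
                    external_references=[{"source_name": "mitre-attack", "external_id": "T1193"}])
    c2 = sdo("indicator", name="ExampleRAT C2 server", labels=["malicious-activity"],
             pattern="[ipv4-addr:value = '203.0.113.7']", valid_from=STIX_TS)
    objects = [actor, rat, technique, c2,
               relationship(c2, "indicates", rat),
               relationship(actor, "uses", rat),
               relationship(actor, "uses", technique)]
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "spec_version": "2.0", "objects": objects}


def context_for(bundle: dict, start_id: str, max_hops: int = 3) -> list:
    """Breadth-first walk over relationships in both directions, returning one line per hop."""
    by_id = {o["id"]: o for o in bundle["objects"]}
    rels = [o for o in bundle["objects"] if o["type"] == "relationship"]
    frontier, seen, hops = {start_id}, {start_id}, []
    for _ in range(max_hops):
        nxt = set()
        for r in rels:
            src, tgt = r["source_ref"], r["target_ref"]
            if src in frontier and tgt not in seen:
                near, far, arrow = src, tgt, "--{}-->"
            elif tgt in frontier and src not in seen:
                near, far, arrow = tgt, src, "<--{}--"
            else:
                continue
            hops.append(f"{by_id[near]['name']} {arrow.format(r['relationship_type'])} {by_id[far]['name']}")
            seen.add(far)
            nxt.add(far)
        frontier = nxt
    return hops


def flat_iocs(bundle: dict) -> list:
    """Degrade the bundle back to (object:property, value) pairs for tools that only take a blocklist."""
    out = []
    for o in bundle["objects"]:
        if o["type"] == "indicator":
            out.extend(PATTERN_RE.findall(o["pattern"]))
    return out


if __name__ == "__main__":
    bundle = build_bundle()
    indicator = next(o for o in bundle["objects"] if o["type"] == "indicator")
    print(json.dumps(bundle, indent=2))
    print("\n".join(context_for(bundle, indicator["id"])))
    print(flat_iocs(bundle))
```

Only simple equality patterns are handled by `flat_iocs`; real STIX patterns can combine comparisons with AND/OR and time windows, and a proper pattern parser is needed before deriving blocklists from arbitrary feeds.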


ENISA and EU institutions are really focused on improving CTI operations. Those at the event agreed that the field lags behind other cyber security operations like incident handling or log monitoring, but there is a common willingness to put in the extra effort to fill that gap. The event itself was impressive and a big success with the way it covered every important topic around CTI. The participants showed a high level of interest and interaction with the speakers and other delegates, and the overall quality of the presentations was excellent.

This year’s workshop further demonstrated that the EU is at the forefront of establishing how CTI and Cybersecurity in general should be handled!


Isidoros Monogioudis has 15 years’ experience working in CIS, with the last 10 focused on cyber defence and security. Prior to joining Digital Shadows he was a military officer in the Greek Armed Forces, serving in multiple positions and retiring as a Colonel. Starting as a team member, he rose to Head of the Cyber Operations Section in the Greek Ministry of Defence, responsible for multiple cyber security operations including the planning and design of national and international cyber defence exercises such as NATO Cyber Coalition, Locked Shields, Cyber Europe and Panoptis. He was also the National Subject Matter Expert for Cyber Defence in several NATO and EU working groups. He holds an MSc in Computer and Information Technologies and multiple security certifications (GIAC, OSCP).


To stay up to date with the latest digital risk and threat intelligence news, subscribe to our threat intelligence emails here.

ShadowTalk Update – 11.12.2018 Mon, 12 Nov 2018 09:12:24 +0000 In this week’s ShadowTalk, we discuss the big vulnerability and exploit stories of the week. The team discuss the Cisco denial-of-service vulnerability affecting its Adaptive Security Appliance (ASA), as well as a vulnerability in Oracle’s VirtualBox technology posted to GitHub. Dr. Richard Gold, Rafael Amado and Michael debate the benefits and drawbacks of bug bounty programs, how you should consider operational value when assessing vulnerabilities, and the U.S. Cyber Command’s publication of malware samples to VirusTotal.



TrickBot updated with password stealing module

A password grabber module that enables the theft of login credentials from several applications and popular browsers has been added to the TrickBot banking trojan. TrickBot traditionally targets banks by using stolen credentials to facilitate fraudulent transactions; the password grabber will likely be used for these purposes in the next six months.

The addition of the password grabber module exemplifies TrickBot’s continuous evolution: The trojan’s modular structure simplifies the frequent addition of new capabilities and functions while also facilitating the use of TrickBot in conjunction with other malware, such as the Emotet banking trojan. The TrickBot toolkit’s diversity has enabled its use in campaigns beyond the banking sector. As TrickBot continues to evolve, its targets will highly likely continue to diversify, representing an extremely credible threat to a range of sectors.


Sensitive documents stolen from French third-party supplier

An unknown threat actor reportedly accessed a data server managed by French engineering and consultancy firm Ingérop. The attacker stole around 65GB of sensitive files, including technical plans and documents for nuclear energy plants and high-security prisons. Third-party suppliers, such as Ingérop, are popular targets for threat actors given their potential access to sensitive data from a variety of organizations; they will likely be victims of future data breaches.

Majority of Pakistani banks reportedly affected in recent data breach incident

A recent data breach reportedly impacted almost all Pakistani banks and led to the fraudulent transfer of funds from customers’ accounts. Although investigations are ongoing, the campaign allegedly involved more than 100 separate incidents. It does not appear that the interbank communication system was compromised; the campaign more likely involved a large-scale “skimming” campaign that targeted Pakistani bank customers directly. The identity of the threat actor(s) involved is unknown, but the campaign was highly likely conducted for financial gain.


To Pay or Not to Pay: A Large Retailer Responds to DDoS Extortion Thu, 08 Nov 2018 17:04:34 +0000 Fans of The Sopranos or Goodfellas are well-versed in the world of extortion. Whether it is paying off Tony Soprano or Paulie Cicero, the bad guys get their money. Cyber extortion is the digital version of what “wise guys” have been doing for centuries, and there are various tactics threat actors employ.

A large retailer experienced one of the most popular cyber extortion tactics when an executive received an email from a known attack group demanding a large sum of money to prevent a distributed denial of service (DDoS). If they failed to pay by the deadline, the ransom would increase over time. The retailer decided not to pay. What led to that decision and what were the results?

Cyber Extortion through DDoS

When executing a DDoS attack, threat actors set their sights on any organization that relies heavily on its website to generate revenue. This makes retailers ideal targets. The threat actor’s success depends on their capabilities and credibility. While the accessibility of off-the-shelf tools to execute DDoS attacks has lowered barriers to entry, low-credibility, low-capability actors do exist. With business continuity, revenue and brand integrity at stake, navigating an extortion attempt can be agonizing.

To Pay or Not? A High-stakes Decision

Responding appropriately to a DDoS extortion threat is impossible without understanding how credible it is. There are three main steps that go into making an informed decision about whether to pay the ransom.

Step 1. Gather data from the extortion email – IP address, Bitcoin address (this is usually how the attacker demands payment), and unique strings – and launch an investigation. When it comes to our clients at Digital Shadows, either our analysts help perform these types of investigations on their behalf, or in-house intelligence teams can utilize our Shadow Search tool to perform the investigations themselves.

Step 2.  Assess if the actor is who they claim to be and understand their tactics, techniques and procedures (TTPs). At Digital Shadows, we offer an intelligence repository of threat actors, TTPs and events to search against to help determine whether the actor has shown credible capability in the past to carry out a DDoS attack.


Figure 1: Search reveals vital context on threat actors for security response planning


Step 3. Based on the findings of the investigation, make an informed decision. In this case, the retailer took action to triage the incident and decided not to comply with the ransom demand. They never experienced a DDoS attack or future extortion demand.

Curious how this type of investigation actually unfolds? See how Digital Shadows SearchLight helps clients investigate digital risks such as cyber extortion and enables organizations to make an informed decision on mitigation: Test Drive SearchLight™ Free Here.


To stay up to date with the latest digital risk and threat intelligence news, subscribe to our threat intelligence emails here.

Security Analyst Spotlight Series: Adam Cook Wed, 07 Nov 2018 16:22:34 +0000 Organizations rely on our cyber intelligence analysts to be an extension of their security team. Our global team of analysts provide relevant threat research, much needed context, tailored remediation advice and managed takedown support to make our clients’ jobs easier and more efficient. Crucially, by having analysts within the intelligence and collection cycle, we’re able to minimize the real-time false positives that cause nightmares for most organizations.

In our Security Analyst Spotlight Series, we bring our analysts out of the shadows and into the spotlight, showcasing their expertise and interests so you can learn a bit more about a “day-in-the-life” of a Digital Shadows Intelligence analyst.

Name: Adam Cook
Team: Managed Services Intelligence
Title: Team Lead, Cyber Intelligence Analyst


Q: How did you get into cybersecurity?

After attempting to liven up my Criminology course at Liverpool I started to take an interest in contemporary geo-political issues, which led to an interest in studying for an MA in Intelligence. During this course I focused on cyber security issues and the emerging field of cyber intelligence.


Q: What’s your favourite part of the job?

The chance to research into things that you are interested in for work is something I consider invaluable, so that would have to be my favourite aspect. I am also excited for the future. The need for cyber security professionals isn’t going to fade anytime soon – this is gold dust in terms of motivation. Besides that, my team are awesome, and people take a genuine interest when you tell them what you do for work.


Q: What advice would you give someone wanting to become an intelligence analyst?

For any students thinking of studying intelligence or applying for graduate jobs: forget everything you know about trying to turn a small number of ideas and references into many thousands of words! Analysing intelligence requires the exact opposite: turning multiple ideas, facts and observations into short, concise judgements. This is something I struggled with at first having spent so long writing heavily theoretical essays, but am now glad to have both as a skill.


Q: What areas of cybersecurity are you most interested in and why?

Developments in Internet of Things (IoT) technology were one of my first interests as I started to get to grips with cyber security. In particular, I was drawn to the idea that as our devices become “smarter” they also increase our attack surface and make us more vulnerable.

I was able to combine this with my passion for sports when completing my dissertation thesis for my Masters, which looked at cyber security risks to major sporting events. Here I explored some of the growing risks to these events as they introduce, and become more reliant on, smart technology. IoT expansion now stretches across areas such as athlete performance, spectator experience and the optimization of venue infrastructure. Data can be shared and accessed through IoT devices more easily with the use of smart watches and tablets used by players and coaches; the same technology can now enhance a viewer’s experience through the provision of live stats and player tracking. Stadiums now use ‘connected’ systems to provide suitable sporting environments that aid lighting, temperature and recovery facilities. The dissertation highlighted future scenarios where these may be able to result in tangible physical harm to those involved.


Q: What has been your favourite project or investigation to work on?

I’ve been lucky enough to have worked on a variety of investigations and projects. Specifically, I enjoy investigations into attacker infrastructure such as the email accounts and domains they use to conduct their campaigns. Here I get to use our Shadow Search product and a variety of open source tools to perform my investigations. Every now and again you find yourself following an interesting trail along WHOIS records, cached website pages and DNS lookups that you can combine with our own intelligence repository to paint a picture for the client of how a threat actor operates and structures their campaign.

In terms of projects, achieving consistency and assuring the quality of the incidents we produce for our clients is something I am very passionate about, so being in a position to help train and guide the team in identifying false positives and producing high-grade reporting is something I love to do.


Q: What are the most significant cybersecurity trends that organizations should be aware of?

Data exposure is something that is becoming increasingly significant and is seemingly gaining more mainstream coverage year on year. It seems that we are hearing of these incidents on a much larger scale now; from the Equifax breach, to the Cambridge Analytica scandal, and now high-profile breaches such as the one affecting the sales intelligence firm Apollo. Both people and large organizations are affected by these. While basic cyber hygiene such as good password practices is a necessity, it seems these can only go so far, especially when large firms that are in the business of collecting data on people are being compromised and that information is then exposed publicly. The nature of these concerns is credit to the work we do at Digital Shadows as we try to give our clients an insight into their online exposure and manage that risk.

Aside from this, I am personally interested in how smart devices and systems are being securely configured as they continue to offer increased connectivity in our everyday lives. The use of the IoT in transport, power grids, fire safety systems, building temperature control and POS machines, despite being at the early stages of development, is something I think we should be attentive towards in the future to ensure security is at the forefront of these innovations.


Bio: Adam is a Lead Cyber Intelligence Analyst in the Managed Services Intelligence team. He is responsible for delivering tactical and operational threat intelligence, context, and recommended actions based on the most critical and relevant risks collected through the SearchLight platform. Adam completed an undergraduate degree at Liverpool University and then went on to study for a Masters in Intelligence at Brunel University London.


Interested in hearing more from our intelligence team? Check out our blogs or subscribe to our weekly threat intelligence podcast, ShadowTalk.

ShadowTalk Update – 11.05.2018 Mon, 05 Nov 2018 16:14:38 +0000 In November 2016, Tesco Bank suffered a series of fraud attacks that allowed cybercriminals to check out with £2.26m (roughly $3 million) in customer funds. Two years on, Dr Richard Gold and Simon Hall join Rafael Amado to discuss the UK Financial Conduct Authority’s (FCA) investigation into the attacks, which resulted in a fine of £23,428,500 (approximately $30 million). The team discuss the FCA’s findings, what financial services organizations need to know about the techniques used, and why incident response processes can fail in the heat and panic of an attack.


Magecart targets zero-day vulnerabilities to steal data

Security researcher Willem de Groot has observed the threat group Magecart targeting multiple zero-day vulnerabilities in popular e-commerce platform extensions, with undetermined results. The group’s aim is to facilitate the theft of sensitive and card payment information from websites that use the Magento e-commerce platform. De Groot confirmed that most of the vulnerabilities were previously unreported and unpatched. Magecart’s high success rate over the past few years in conducting data breaches, and continued development of their tactics, techniques and procedures (TTPs), suggest the group will remain a highly credible threat to e-commerce platforms for the foreseeable future.


Pakistani bank suffers data breach, potentially substantial theft of funds

The Pakistan-based bank Bank Islami reportedly suffered a data breach affecting its payment card system. Unverified allegations cited the total loss of funds as $6 million. The incident was detected on October 27, 2018, when suspicious transactions were observed on debit cards in locations outside Pakistan. Bank Islami claimed a total of $19,528 was stolen from customers, all of whom have been reimbursed, but international payment providers reported a significantly greater loss of funds. Additional information will likely become available after investigations conclude.


New Cobalt Group activity tracked by security researchers

The financially motivated “Cobalt Group” have been associated with a new campaign after researchers found matching document identification values in the metadata of malicious files. The researchers observed the use of a macro builder to create malicious Microsoft Word documents for distribution by spearphishing emails; the messages possessed similar components to previously reported spearphishing emails. This type of builder allows threat actors to develop payloads for social engineering attacks. It is not known whether the macro builder is used exclusively by that threat group. The tool’s public identification may discourage Cobalt Group from using it in future attacks. Cobalt Group continues to demonstrate high levels of activity despite the arrest of its alleged leader earlier this year.


Russian national indicted for aiding disinformation campaigns

The United States Department of Justice indicted a Russian national on charges of “conspiracy to defraud the United States” for their involvement in funding disinformation campaigns since 2014. The most recent alleged campaign targeted the forthcoming United States mid-term elections. The indictment detailed the abuse of social media platforms to distribute messages that were designed to cause confusion and disruption. Such activity is almost certain to continue as entities seek to incite political change or public dissonance.


To stay up to date with the latest digital risk and threat intelligence news, subscribe to our threat intelligence emails here.

81,000 Hacked Facebook Accounts for Sale: 5 Things to Know Fri, 02 Nov 2018 17:37:46 +0000 This morning, the British Broadcasting Corporation (BBC) published an article detailing how online actors had obtained and advertised at least 81,000 Facebook user accounts for sale. Digital Shadows assisted the BBC with its investigation, which included verifying the dataset in question. With so much confusion around the origins of these accounts and the potential impact on Facebook users, here are five things to know that will help you cut through the noise:

  1. The dataset contains 257,256 profiles, of which 81,208 have private messages included. The dataset provided to us by BBC journalists was a searchable repository of Facebook profiles sorted by location. Profile information such as names, addresses, contact numbers, and interests were included, along with friends, groups and private messages in some cases. Although the repository had a tab for user photos, the dataset we analyzed did not contain any images.
  2. The majority of the profiles belong to users located in Ukraine. The data repository is divided by user geography, meaning you can select the particular country from which you want to view profiles. Roughly 30 percent of the profiles in the 257,256 dataset are Ukraine-based. Nine percent are located in Russia. Users in the United States, the United Kingdom, and Brazil are also represented.
  3. The sellers claimed to have access to 120 million accounts and offered these on the BlackHat SEO forum. The seller provided the 257,256 profiles we analyzed as a sample. The seller, “FBSaler”, advertised the accounts on BlackHat SEO, an online forum primarily used for sharing tips and tools on search engine optimization and online marketing techniques (Figure 1). The majority of threads on this site involve users discussing different ways of boosting search rankings. The type of goods generally sold are proxies, old social media accounts, and web-hosting services.



Figure 1: FBSaler post published on BlackHat SEO forum


Digital Shadows cannot confirm whether the seller genuinely has access to the 120 million accounts that they claim. We have only been able to analyse the 250,000+ profiles provided to us as part of this investigation. While unconfirmed, it would be unlikely that the compromise of such a large number of accounts (over 5% of Facebook’s entire active userbase) would go unnoticed by Facebook.

  4. There is no indication that these accounts are related to the Cambridge Analytica controversy. When Facebook account compromises make the news, there is now always a rush to connect it to the Cambridge Analytica controversy that came to light last year. It is tough to say anything definitive about attribution for this data. Although Cambridge Analytica allegedly had access to approximately 1,500 accounts with private messages, the 81,000 accounts with private messages included in this dataset, as well as the geography of these profiles and the timing don’t support a Cambridge Analytica connection. The dataset we obtained appears to be from this summer, with messages and accounts dated in 2018. The Cambridge Analytica data came from a survey app operated by a researcher named Aleksandr Kogan, compiled in 2015.

The title of the data repository we analyzed claimed it was a Cambridge Analytica archive. With no evidence to corroborate these claims, it seems the seller was merely attempting to make the dataset more attractive by using the Cambridge Analytica name.

  5. The method used to obtain the accounts remains unconfirmed, though Facebook believes malicious browser extensions could have been used. Facebook has still not been definitive about this, though it said it had contacted browser makers to ensure that known malicious extensions are no longer available to download in their stores. A rogue survey application as used by Kogan is known to have worked in the past; however, account takeovers achieved through credential harvesters, for example, are also a possibility. While a variety of separate breaches may have been used to compile the dataset, it is more likely a single approach was used given the consistency of the data in the dump.

In September 2018 Facebook announced that at least 50 million user accounts might have been at risk after a bug allowed attackers to obtain access tokens. Facebook stated it had reset access tokens of all users affected. It also claimed its investigations had not indicated that the tokens were used to access private messages or posts related to these accounts. At this moment, there is nothing to suggest the 257,256 profiles we observed are associated with the aforementioned bug.

Political motives seem at odds with how this data is publicly available, unless the data was stolen or subsequently passed on from those who originally collected it. Regardless of attribution, motives and the method of collection, the exposure of private messages, where people share information they would not usually post publicly on their Facebook feeds, is a potentially worrying development. Sensitive information may be used for extortion or identity fraud, and it’s not unheard of for individuals to share financial information such as banking details over private messages.

That said, this discovery should not be a cause for paranoia or unnecessary hysteria. It’s important to remember that simple security precautions still apply. Not reusing passwords across sensitive accounts (personal and business emails, social media sites, and online banking) and making sure these aren’t easy to guess are still effective ways of mitigating account takeovers. Facebook also enables two-factor authentication, which is another measure you’d be remiss to ignore.


We’ve also recorded a ShadowTalk podcast episode on this topic. Listen here:


Choosing the Right Cyber Security Partner for your Business: A glimpse through Digital Logistix journey searching for a Digital Risk Protection Solution Wed, 31 Oct 2018 20:49:06 +0000 This blog was written by Ricardo Martinez, Director of Business Development for Latin America at Digital Logistix.

With more than 20 years of experience as a leading distributor of cybersecurity products and services for Latin America and the Caribbean, Digital Logistix takes it very seriously when it comes to choosing which industry vendors we partner with. We evaluate all market players: what they have to offer, their current and historical reputation as a solution provider, their expertise, scale, and reach.

At Digital Logistix we understand the current threat landscape in Latin America and the Caribbean, and how to succeed in this market. Today, organizations are under pressure to innovate and adapt to new digital practices faster than ever before. We understand no single partner can offer all the security capabilities an organization needs, as fast as they need them. So, as a trusted security advisor, we strive to partner with the best-in-class security vendors to help our customers protect their most valuable assets.

Our recent journey searching within the emerging market of Digital Risk Protection for a vendor who would be the best fit for our customers in the region was truly exciting. We couldn’t have ended with a better vendor to partner with: Digital Shadows, a top leader in the market due to its robust digital risk data and ability to deliver on an aggressive product roadmap.

During our extensive research, we weighed risk analytics and automated remediation as the most important key differentiating features needed for a solution to effectively detect and resolve. We were looking for a solution able to provide the broadest breadth of coverage and the deepest level of analysis of threats across the open, deep, and dark web.

Digital Shadows’ great traction and reputation within the market were evident and clearly indicated they should be our solution of choice. The very fact that Digital Shadows was named a “Leader” in the July Forrester New Wave™: Digital Risk Protection report and awarded the highest rating possible was a ‘clincher’ for us. We were also very impressed by its analyst team’s existing Spanish language expertise, a key qualification needed to operate in such a market.

We’re very excited to be the first partner in Latin America and the Caribbean to join the Digital Shadows Channel REV program. This partnership now allows us to offer the tools our business partners need to quickly build their own professional services around SearchLight™, the industry leading digital risk protection solution from Digital Shadows that was recently awarded a maximum 5-star rating by US publication CRN.

Digital Logistix is thrilled about its partnership with Digital Shadows to bring its Digital Risk Protection and relevant threat intelligence to the region. Our expertise in the market is a key advantage in our partnership and we’re confident that by working together, we guarantee our customers will experience quick deployments, reduced costs, greater protection, and improved compliance.

The Dark Web: Marketers’ Trick or Threat Intelligence Treat? Wed, 31 Oct 2018 14:49:45 +0000 At this time of the year, you can’t go anywhere without encountering something dark, spooky and mysterious. It all reminds me of misconceptions about the dark web, the area of the web that everyone is convinced they need to monitor but don’t quite know why.

While the dark web is overhyped, it’s not all a load of hocus pocus. Nevertheless, you shouldn’t be waiting until data is offered for sale on the dark web – there’s plenty you can be doing to prevent sensitive data getting into criminals’ hands.

What is the dark web?

In order to understand the value of the dark web as a source, it’s important to properly define it. The dark web refers to web content that has been intentionally obscured and may only be accessed through an overlay network technology. The most common are Tor and I2P, although there are others. This is different from the deep web, which is anything that is not indexed by traditional search engines (such as a forum behind a password). Criminal forums are hosted on the open, deep or dark web, so it would be wrong to view the dark web and criminality as synonymous. Similarly, the increased anonymity offered by the dark web can be a positive thing for whistleblowers, journalists, or individuals working under repressive conditions.

Accounts and Credentials for Sale

The trade of accounts and credentials is common across dark web sites and forums. A small number of these are new breaches of organizations, although these are more frequently shared in closed communities away from the dark web due to their high value. Only after a smaller, select group of criminals have leveraged this information will it be sold and shared more widely. More often, the accounts for sale on dark web forums and marketplaces result from credential stuffing. This involves taking already-exposed credentials and testing them on another site. These can be sold piecemeal (as in Figure 1), or amalgamated into a broader package. These accounts often hold existing balances or loyalty points, which can then be used by fraudsters to pay for goods.


Figure 1: A screenshot from the dark web Empire Market


Payment Card Information

Payment card information is another core commodity traded in the criminal underground, and the dark web is no exception. Some dark web markets sell payment cards from breaches they carried out themselves, but it’s more common for them to act as resellers. One such market, Trumps Dumps, is shown in Figure 2. Monitoring these sites for your payment card information is relevant for three reasons:

  1. Retailers and restaurant chains can gain insight into new breaches on sites like Jokers Stash. By correlating samples of the breached data with store locations and transaction data, you can ascertain if the breach originated from your stores and take the appropriate actions.
  2. By monitoring for BIN numbers, banks can combine this exposure with their existing fraud monitoring.
  3. Organizations can monitor for the payment card details of company cards and VIPs, and detect potential fraudulent use.


Figure 2: A screenshot of the dark web “Trumps Dumps” credit card store



Insiders looking to sell sensitive information or access will turn to a number of online locations, including dark web sites. Figure 3 illustrates an individual selling insider access to a large mortgage company. If you’re looking to protect intellectual property and prevent data breaches, then monitoring the dark web (as well as the open and deep web) for insider threats is a sensible approach.


Figure 3: An individual selling access to a large mortgage company


Detect data loss before it’s sold on the dark web

Why wait until your information is exposed on the dark web? Given the number of files exposed on misconfigured file sharing services (1.6 billion by our last count), it’s no surprise that criminals are taking this sensitive information and looking to sell it on the dark web. For example, Figure 4 shows an accounting firm’s misconfigured NAS drive containing tax return information of hundreds of their clients. By monitoring for exposed data across S3 buckets, rsync, SMB and FTP, you can prevent this information from getting into malicious hands in the first place.


Figure 4: Tax return information available via a misconfigured NAS drive


See for yourself

The dark web doesn’t have a monopoly on cybercrime, but omitting this source from your collection efforts would be remiss.

Want to explore it for yourself? You can search across dark web sources (among many others) for free with a 7-day free Test Drive of our SearchLight service.


To learn more about the latest dark web trends, register for our upcoming webinar: Mitigating the Top 7 Dark Web Threats to Your Enterprise.



ShadowTalk Update – 10.29.2018 Mon, 29 Oct 2018 14:19:38 +0000 In this week’s ShadowTalk, Harrison Van Riper and Rafael Amado join Michael Marriott to discuss the latest stories from the week. This week’s podcast has a strong Guy Ritchie flavor, with a focus on lock, stock and two smoking barrels. We begin by discussing October’s hot ransomware activity, including the most popular variants, common targets, and mitigation advice. Second, we discuss sliding stock value amid reports of data breaches: we dig into the Cathay Pacific and Facebook breaches. And finally, we discuss the recent attribution of Triton malware to a Russian entity and why it’s the TTPs that you should care about.



Waves of ransomware attacks strike rural America

Three public-sector entities were targeted by ransomware attacks this week, highlighting an ongoing trend of recent campaigns against small entities in rural areas of the United States. Such ransomware attacks have typically occurred within a short period across small public-safety, medical and local government entities, peaking and ebbing at similar times over the past six months. Education entities have also been targeted. Although very few victims have been confirmed as paying ransom demands, this pattern of attacks will likely continue. In particular, local government entities are increasingly vulnerable, almost certainly because cyber threat actors regard their systems as exploitable.


Vietnamese espionage group perfects obfuscation tactics

Suspected Vietnamese cyber espionage threat group OceanLotus (aka APT32) has been observed using updated tactics to increase obfuscation during attacks, including custom RATs, PowerShell commands and the Cobalt Strike penetration framework. These facilitated the downloading and deployment of malware against as-yet-unidentified targets. Historically the group has conducted attacks against organizations in China, the Philippines, Cambodia and Laos, as well as other countries of political interest to Vietnam. OceanLotus was particularly active in the final quarter of 2017, but will likely continue conducting attacks in the next three to six months.


SEO poisoning lures Web users who search for US mid-term elections

Security researchers have discovered a search-engine optimization (SEO) poisoning campaign targeting the United States mid-term elections. SEO poisoning involves threat actors creating fake, malicious webpages that include keywords attractive to Internet search-engine users they want to target; the keywords trick search engines into listing the fake page higher in search results. The malicious pages reportedly led users to domains associated with malware-as-a-service, although the specific service was not identified. SEO poisoning is a frequently used technique by threat actors attempting to use high-profile events (such as the United States elections) to entice unsuspecting users to click on malicious links. This activity will likely continue in the immediate future, as the elections draw closer.


Future Investment Initiative website defaced by anti-Saudi threat actors

The website of the Future Investment Initiative conference, an annual investment forum, was defaced by unknown threat actors on 22 Oct 2018, prior to the start of the event on 24 Oct 2018 in Riyadh, Saudi Arabia. The defacement message contained imagery of Saudi Arabia’s crown prince and claims that the Saudi government is responsible for the recent disappearance and death of Saudi journalist Jamal Khashoggi. There has been an increase in hacktivist activity associated with Khashoggi’s death, and it will likely continue for the immediate future.



Cyber Security Awareness Month: Week 4 – Privacy Thu, 25 Oct 2018 15:28:50 +0000 This week in Brussels, Apple’s chief executive Tim Cook somewhat surprisingly castigated how personal data is handled by businesses and organizations. Aside from praising Europe’s General Data Protection Regulation (GDPR) and calling for similar measures to be brought to the U.S., Cook warned of how our data was being “weaponized against us with military efficiency”.

Now, Cook’s public overtures are likely to have been motivated by a variety of factors, including the need for large technology companies to win back user trust in the wake of the data breaches and data misuse controversies that have become public knowledge over the past 12 months. Whatever the intentions behind his pronouncements, Cook’s words – which coincide with Cyber Security Month’s final theme, Emerging Technology and Privacy – prompt us to pay closer attention to how we can play a more active role in controlling how much of our personal data is shared with third parties.


Technology and privacy: How much to share?

The privacy debate itself is a timely one that I simply cannot do justice to in this blog post. Briefly, for context, there are several overlapping lines of argument. First, there are those of an Orwellian persuasion who warn of the dangers of state and corporate surveillance resulting from mass data collection. Conversely, there are those who sanction data collection in the name of security and combating threats to our daily lives. A third approach is one often taken by technology providers, who claim they can improve user experience by providing more targeted content and marketing using their users’ personal data.

Regardless of where you stand, at the heart of the debate is the question of how much of our personal data we are willing to share, and with whom. When it comes to technology providers in particular, we should always question what data the service or application needs from us, and for what reason.

Mobile applications are a great example: is it appropriate that the app I’m installing requires access to my device location? Or worse, does it need screen overlay permissions that let it capture my text messages and other personal activities?

Regulations such as GDPR have made it easier for individuals to request information from companies on what, why and how they are collecting and processing data on their users. The hope is that these measures will kick organizations into gear and make them more transparent about the uses of their technology. We shouldn’t, however, become complacent. Next time you sign up to a new online service or install an application:

  • Check the permissions and settings required. If something doesn’t seem right, then trust your instinct and don’t allow or install.
  • Consider whether you want to register using your personal or corporate email. For certain services such as online banking you will, but for others you may be better off using a temporary or secondary email along with an online handle/moniker.
  • Don’t reuse passwords. When registering for a new service, don’t use the same password that you use for your personal email or online banking. As I’ll explain later on, this increases the risk of account takeovers.
  • Always operate under a cloak of suspicion and caution. Think twice about what information you’re posting online and who might be able to view it, particularly on social media. Just because you are using the “private message” function doesn’t mean that your communications are secure. If you need to send sensitive data or discuss confidential matters, opt for communication platforms and email providers with end-to-end encryption.


Cybercriminals and privacy

Time and time again, when there is a major breach of a well-known organization, concerns quickly shift to how cybercriminals might look to weaponize or monetize user data.

Depending on the type of data compromised, attackers can use:

  • Email addresses for phishing and spam
  • Exposed passwords for account compromises
  • Personally Identifiable Information (PII) and payment details for various types of fraud
  • Behavioral data such as interests and social networks for microtargeting.

These datasets are often traded on criminal forums, marketplaces and chat channels (Figure 1).


Figure 1: Two file sharing links containing Facebook data posted on the Exploit[.]In criminal forum in October 2018


Whether you are an organization or an individual, every service you use increases your attack surface, providing more opportunities for breaches and for attackers to access your personal data. Our latest ShadowTalk podcast covered some of the risks associated with third parties and suppliers, and will be useful listening for organizations battling with third party risk management.


Privacy from the broadest possible perspective

Both this week’s Cyber Security Awareness theme and announcements such as Tim Cook’s should serve as a reminder to consider our privacy practices from the broadest possible perspective. Without negating its importance, data privacy is not simply about how much data we hand over to large bodies such as technology companies. We also need to be cognisant of what data we are exposing ourselves, what data we are leaving within easy reach of cybercriminals, and what security practices we are or aren’t implementing to make their jobs harder.

Some practices to reduce your online exposure include:

  • Limit how widely you share your email address and use multi-factor authentication. An exposed email on Facebook or a particular forum might be all the invitation someone needs to target you with phishing emails. Ensure you use multi-factor authentication (MFA) where possible to help prevent account compromises.
  • Ensure file sharing services such as FTP, rsync and SMB are authenticated and configured correctly. The same goes for NAS drives and cloud storage solutions such as Amazon S3 buckets where you might back up or archive your data.
  • Restrict access to important data to only those who are required to have it. For individuals, this could be the permissions requested by mobile applications or online services. For businesses, prevent unauthorised users from accessing sensitive data by ensuring read/write access is only granted where there is an explicit business requirement.
  • Look for your compromised data online. You can use sites like to detect when your data has appeared in publicly available breaches or leaked datasets.




Bank Discovers Customer Credit Card Numbers Traded Online Tue, 23 Oct 2018 01:11:13 +0000 Payment card fraud costs banks and merchants nearly $23 billion a year and rising. As consumers spend more money online, the opportunities for fraud increase and so does the level of sophistication threat actors employ to conduct card fraud. These cybercriminals don’t operate in a vacuum. They rely on a broad ecosystem and support network that provides a range of credit card details, fraud tools and online tutorials to hone their skills and increase their chances for success.

A SOC manager of a retail bank discovered that customer credit card numbers were being traded online and took a proactive approach to preventing fraud. Here’s how it unfolded.

IRC Channels – A Tool for Criminals…

Among the participants in the payment card fraud ecosystem, fraudsters are the individuals who use card details to buy goods and services for their own use or to resell at a discounted price. They run the greatest risk of getting caught by law enforcement and seek ways to stay below the radar. One tactic is to make sure cards have a worthwhile balance before using them. To do this, they take advantage of services offered on the Internet Relay Chat (IRC) channel that check the validity of credit card numbers in exchange for a nominal fee ($0.15).

Figure 1: An IRC channel used to check balances of payment cards.

…and a Tool for Defenders

With annual online card spending expected to reach $6 trillion by 2021, detecting and stopping fraudulent transactions is a priority for banks and merchants worldwide. But the volume of activity to monitor can seem overwhelming. By understanding how this ecosystem operates, defenders can take steps to mitigate risk. In this case, the retail bank:

  • Monitored IRC channels to check for Bank Identification Numbers (BINs) and Issuer Identification Numbers (IINs).
  • Detected their customers’ credit card details being tested.
  • Disabled the impacted cards to prevent further fraud from occurring.
  • Alerted their customers, taking a proactive approach to preventing fraud.

It’s not only IRC channels where payment cards are tested and shared online. In order to gain good visibility into where your customers’ payment cards are being shared online, you also should monitor criminal forums and marketplaces.

Want to learn more about how this underground economy operates and how to use that knowledge to your advantage? See how Digital Shadows SearchLight™ helps clients investigate digital risks such as payment card fraud and enables organizations to proactively mitigate risk: Test Drive SearchLight™ Free Here.



ShadowTalk Update – 10.22.2018
Mon, 22 Oct 2018 14:51:41 +0000

In this week’s ShadowTalk, following on from last week’s conversation on how managed service providers can increase your attack surface, Simon Hall and Richard Gold join Rafael Amado to discuss supply chain risks. With so much to cover, the team break this topic down into hardware, software and third-party service risks, including examples such as the MeDoc-NotPetya campaign and the recent SuperMicro hardware allegations. We provide good practices for those looking to improve their risk management processes.



Exposure of fitness database illuminates risk to all sectors

In early October 2018 security researchers identified an exposed database belonging to the fitness performance tracking company FitMetrix, left vulnerable to malicious threat actors. The database contained 113–122 million records (119GB of data), including names, email addresses and birthdates. A ransom note was found in the database, likely indicating an unsuccessful ransomware attempt, given that the data was left intact. Threat actors have automated tools that can search for and access vulnerable Internet-facing databases in all sectors, and those of many third-party suppliers. Stolen data can be used for extortion or sold on criminal marketplaces and forums, presenting financial and reputational risks to victim organizations.


New CartThief malware attacks similar to those of Magecart

Security researchers have identified the new “CartThief” malware, which has similarities with the tools of the notorious threat group “Magecart” and has, similarly, targeted payment pages of Magento-hosted retail websites. CartThief has been deemed more sophisticated, having two main features that increase its covert capabilities: it can encode collected data on its command-and-control (C2) server and it deliberately excludes user-identifying cookies. Given the reportedly smaller target list than seen with Magecart attacks, there is a realistic possibility that the observed CartThief attacks were part of a malware testing phase.


Ryuk ransomware targets North Carolina utility provider

The Onslow Water and Sewer Authority (ONWASA), a water utility company in the United States county of Onslow, North Carolina, announced it was severely affected by a ransomware attack on 13 Oct 2018. Starting nine days prior, ONWASA experienced attacks from the “Emotet” malware, which subsequently installed the “Ryuk” ransomware. The ransomware spread across different systems of the organization, encrypting files and disrupting services. Customer information was reportedly not affected, but several critical operations, such as service orders and account creation, were reduced to manual processes. Although technical details were not provided, it is likely that malicious emails were used as an initial infection vector. Ryuk has previously been linked to the “Lazarus Group”, although it is not known whether that threat group was involved in this attack.


Data breach of Pentagon’s commercial vendor potentially affected 30,000 individuals

On 13 Oct 2018 it was reported that an unnamed commercial vendor of the Pentagon, the headquarters of the United States Department of Defense, experienced a data breach by an unknown threat actor. The breach could have affected up to 30,000 individuals, compromising potentially sensitive information and credit card data of government workers and civilians. The defense department has since confirmed it has taken steps to have the vendor “cease performance under its contracts.” No classified data was reportedly exposed, and affected individuals have been informed and offered fraud protection services. Government and defense organizations are likely to continue to attract financially motivated and espionage-motivated threat actors.



Cyber Security Awareness Month: Week 3 – Recognize Cyber Scams
Fri, 19 Oct 2018 15:15:51 +0000

This week we move on to theme three of Cyber Security Month: recognize cyber scams. The important point here is that you do not have to be technical to recognize a cyber security scam. In this blog I’ll cover some simple security practices that will make you cyber savvy in no time.

What should I look out for?


1. Domain Infringement

Typo-squats and domain squats use variations or misspellings of a legitimate domain name to target potential victims. Once registered, these domains are used to carry out phishing attacks, by sending emails and/or acting as the host location for fake sites.

However, don’t sweat. These attacks often can be easily identified. When looking at a domain name:

  • Spot misspellings. This can include the use of numbers instead of letters – such as “1” instead of “l”.
  • Beware of incorrect top-level domains (TLDs). Would your bank really email you using a .biz or .xyz domain?
  • Don’t be fooled by redirects, since typo-squats, particularly those used to send emails or capture payment details, may redirect to a legitimate site to trick users into believing the domain is safe.
  • Hover your mouse (without clicking) over links AND images within emails to check whether they lead to a potential domain-squat.
  • Use a URL unraveller to expand tinyurl and other short URLs that potentially hide a phishing site or malicious download.
  • Manually type out the URL in your browser – especially for important sites. This will prevent you from falling victim to a “punycode” phishing attack, where letters in the Greek, Cyrillic and other alphabets are used to imitate the Roman alphabet in the registration of phishing sites. As these domains look identical to legitimate domains to the naked eye, they are tricky to spot.
  • Search for the domain on an open source WHOIS database to see who registered the domain. The use of a personal email address for a supposed corporate domain is often an indicator that it may be illegitimate.


Figure 1: WHOIS information for a malicious domain retrieved using Shadow Search. This particular domain has previously been used to host the Trickbot banking trojan.

2. Sub-domains

Though sub-domains (e.g. are commonly used by legitimate organizations and are not bad in themselves, they can be used by scammers to distribute malicious file downloads or host phishing sites.

The guidelines listed above for identifying typo-squats all apply to spotting malicious sub-domains. In addition, alongside scrutinizing super long URLs from left to right to identify the main domain, you can also run it through a WHOIS database search. A WHOIS search will remove all the page extensions and “dot” drivel from a URL, revealing the (true) main domain name – tadaaa!

When running a WHOIS search, you may find that the site itself is registered to a legitimate organization even though the sub-domain appears suspect. This could be because attackers have hijacked a legitimate domain as the host site of a malicious sub-domain.


3. Phishing emails

Scammers use phishing emails to steal sensitive user data. This may involve social engineering techniques to impersonate a real individual or organization and trick a user into giving confidential information away – such as through a crafted login page to collect passwords or a request to transfer sensitive documents. Alternatively, they may include direct blackmail threats and demand a ransom payment from a potential victim. Do not fear. Scammers who craft these emails are often lazy or make sloppy mistakes that are easy to spot.

Virus protection software and spam filters are good foundational measures for identifying and blocking phishing emails. But, when still in doubt, a useful way to determine whether you have received a phishing email is to pick the email apart with the following questions:

  • Who is the email from? Always expand the pane at the top of an email so you can see the sender’s email address in full. This will enable you to catch any illegitimate sender email addresses, including those that use typo-squats or are from an unknown address.
  • Who was the email sent to? Expanding the pane at the top of an email also often allows you to see who else the email was sent to. Since untargeted phishing or ransom email campaigns are commonly sent on a mass scale to individuals from multiple organizations, checking who the other recipients of the email are is a good way to identify whether you’re being scammed.
  • What is in the email? Poor or incoherent email layout and formatting are great scam giveaways, as are hidden links. Always hover over the images and contents of an email to catch any concealed activity, such as a site URL or malicious download, and look out for layouts that do not align with an organization’s official branding.
  • Does the email include an unusual request? Always be wary of emails that demand payment or personally identifiable information (PII), such as an “update user account” request. Most legitimate organizations will NOT ask you to hand over sensitive information over email.
  • How is the email written? Watch out for spelling and grammatical errors in an email – again, these are a tell-tale sign of lazy scammer behaviour. Tone and sentence structures can also be an indicator that something isn’t right; this is one check you can perform to detect a business email compromise (BEC) attack, i.e. when an employee’s email account has been taken over by an attacker and is being used for malicious purposes.
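As an added example, not code from this post or from Digital Shadows, the following Python script applies the domain checks from section 1 (number-for-letter misspellings, punycode lookalikes, a brand name buried in a sub-domain) and the email checks above (sender address, breadth of recipients, hidden links, unusual requests) to a single message. The trusted-domain allowlist, the confusables table, the recipient threshold and the sample message are all constructed assumptions.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Constructed allowlist: the only domains this organisation legitimately mails from.
TRUSTED_DOMAINS = {"example-bank.com"}
# Constructed confusables: ASCII swaps used in typo-squats plus Cyrillic letters that
# render identically to Latin ones once a punycode domain is displayed.
CONFUSABLES = {"0": "o", "1": "l", "rn": "m", "vv": "w", "\u0430": "a", "\u0435": "e",
               "\u043e": "o", "\u0440": "p", "\u0441": "c", "\u0445": "x", "\u0443": "y"}
# Phrases that trigger the "unusual request" check from the list above.
UNUSUAL_REQUESTS = ("update your account", "verify your account", "confirm your password")
LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
URL_IN_TEXT_RE = re.compile(r"https?://([^\s/\"'<>]+)", re.I)


def fold_host(host: str) -> str:
    """Lower-case a hostname, decode punycode (xn--) labels and fold confusable characters."""
    host = host.lower().rstrip(".")
    if "xn--" in host:
        try:
            host = host.encode("ascii").decode("idna")
        except UnicodeError:
            pass  # undecodable label: compare it as written
    for bad, good in CONFUSABLES.items():
        host = host.replace(bad, good)
    return host


def registered_domain(host: str) -> str:
    """Last two labels of a hostname (simplification: ignores multi-label public suffixes)."""
    return ".".join(host.split(".")[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(host: str):
    """Return the trusted domain that `host` imitates, or None if it is trusted or unrelated."""
    if registered_domain(host.lower()) in TRUSTED_DOMAINS:
        return None  # the genuine domain or one of its own sub-domains
    folded = fold_host(host)
    reg = registered_domain(folded)
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        # Identical after folding, brand buried in a sub-domain, or a near-miss spelling.
        if reg == trusted or brand in folded or edit_distance(reg, trusted) <= 2:
            return trusted
    return None


def triage_email(raw: bytes) -> dict:
    """Run the sender, recipient, link and wording checks over one RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    sender = msg["From"].addresses[0].addr_spec if msg["From"] else ""
    sender_host = sender.rpartition("@")[2]
    imitated = lookalike_of(sender_host)
    if imitated:
        findings.append(f"sender domain {sender_host} imitates {imitated}")
    recipients = [a.addr_spec for h in ("To", "Cc") if msg[h] for a in msg[h].addresses]
    domains = {r.rpartition("@")[2].lower() for r in recipients}
    if len(domains) > 3:  # assumed threshold for "sent to many organisations at once"
        findings.append(f"sent to {len(domains)} organisations: likely a mass campaign")
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    for href, anchor in LINK_RE.findall(text):
        href_host = urlparse(href).hostname or ""
        if lookalike_of(href_host):
            findings.append(f"link points to lookalike domain {href_host}")
        shown = URL_IN_TEXT_RE.search(anchor)
        if shown and shown.group(1).lower() != href_host:
            findings.append(f"link text shows {shown.group(1)} but points to {href_host}")
    wording = (str(msg["Subject"] or "") + " " + text).lower()
    findings += [f"unusual request: '{p}'" for p in UNUSUAL_REQUESTS if p in wording]
    return {"sender": sender, "recipients": len(recipients),
            "findings": findings, "suspicious": bool(findings)}


# Constructed sample: lookalike sender, four unrelated recipient organisations and a punycode
# link (Cyrillic 'а' in "exаmple-bank.com") hidden behind text that shows the real domain.
PHISH_HOST = "ex\u0430mple-bank.com".encode("idna").decode("ascii")
SAMPLE_EML = f"""From: "Example Bank Security" <alerts@examp1e-bank.com>
To: a@corp-one.test, b@corp-two.test, c@corp-three.test, d@corp-four.test
Subject: Urgent: please update your account details
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Please <a href="http://{PHISH_HOST}/login">log in at https://example-bank.com</a>
to update your account.</p></body></html>
""".encode("utf-8")
```

Running `triage_email(SAMPLE_EML)` returns five findings for the sample, one for each of the checks listed above; `lookalike_of` on its own answers the WHOIS-style question of whether a hostname is merely imitating a domain you trust.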

4. Malicious mobile applications

Mobile applications (“apps”) are becoming an increasingly common entry vector used by cybercriminals; this is mostly because apps provide a new attack surface that organizations sometimes struggle to have oversight across. Be wary of:

  • Unauthorized third-party app stores. The iOS and Google Play stores are generally trusted stores that have protocols in place to detect and prevent the spread of malicious apps. However, as seen in recent “bankbot” malware campaigns, attackers are continually finding new ways to bypass Google Play security measures – very annoying, we know. As such, it is best to use the app store download link that is provided by a legitimate organization on their official site (where possible)
  • Apps that request authorization for unusual permissions. For example, question whether an app really needs screen overlay permissions so that it can capture your text messages and other personal activities…
  • Clumsy app descriptions. App descriptions that have spelling and grammar mistakes and are “slapdash” in nature are a hallmark sign of malicious mobile campaigns. The same is true for apps that use incorrect or outdated organizational branding
  • Apps that do not reference a legitimate organization in the developer name. Again, lazy authors of malicious apps often fail to put a legitimate organization down for the developer name – look out for this!

Although the tips listed above do not cover all the different cyber scams, they provide a pretty good foundation for detecting the most prevalent ones out there. And, as important as security best practices may be, gaining a basic understanding of your attack surface and of what it is that attackers want is an equally crucial step in the pre-emption and detection of cyber scams.



12.5 Million Email Archives Exposed: Lowering the Barriers for BEC
Thu, 18 Oct 2018 17:17:39 +0000

Digital Shadows’ latest research report, Pst! Cybercriminals on the Outlook for Your Emails, highlights the different ways cybercriminals can access corporate email accounts to perform business email compromise (BEC) attacks. Our previous two blogs looked at how attackers can outsource this work to other online actors, or even try their luck with previously compromised credentials for finance and accounting departments. Both these approaches create opportunities for actors, often with lesser capabilities, to conduct BEC operations without the need to conduct their own phishing campaigns or use information stealing malware.

If that wasn’t enough, there is a third method available to cybercriminals, with companies and individuals inadvertently exposing entire email inbox archives across misconfigured file sharing services. Building on our research paper, Too Much Information, we searched for emails and email archives across FTP, rsync, SMB, S3 buckets, and network attached storage (NAS) drives. All in all, we discovered 12,556,810 email archives exposed across these services. Why go to a dark web market and pay for access when you can get sensitive information for free on the open web?


Pst! Email Archive Exposure

To determine the level of email archive exposure, we searched across misconfigured SMB, rsync, FTP, S3 buckets, and NAS drives for the following email file types:

  • EML: a file extension for an e-mail message saved to a file in the MIME RFC 822 standard format by Microsoft Outlook Express as well as some other email programs.
  • MSG: a file extension for a mail message file format used by Microsoft Outlook and Exchange. MSG files may be exported for the purposes of archiving and storage or scanning for malware.
  • PST: Personal Storage Table. Outlook (.pst) Data Files are used for POP3, IMAP, and web-based mail accounts.
  • OST: Outlook (.ost) Data Files are used when you have an Exchange account and want to work offline or use the default Cached Exchange Mode.
  • MBOX: stands for MailBOX. The MBOX file is the most common format for storing email messages on a hard drive.

In total, we detected over 12 million exposed files, with EML and MSG the most popular. The full breakdown is provided in Figure 1.


Figure 1: Number of exposed files for different email file formats


A BEC Goldmine

Gaining access to a corporate email account can be highly lucrative for an attacker. Contracts, invoices and purchase orders will all be stored in these inboxes – perfect for conducting BEC campaigns. We detected over 50,000 email files that contained “invoice” (27,000), “payment” (21,000) or “purchase order” (7,000) in the subject line across unauthenticated or misconfigured file stores.
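The following Python script is an added example, not Digital Shadows’ own tooling: it is a defender’s version of the search described above, walking a directory tree (a mounted share or NAS export you are responsible for) to inventory the five archive formats listed and to count subject lines matching the “invoice”, “payment” and “purchase order” keywords. The sample share it builds is constructed; only .eml and .mbox are parsed, while the binary formats (.pst, .ost, .msg) are counted but not read.

```python
import email
import mailbox
import os
import tempfile
from collections import Counter
from email import policy

# Extensions of the archive formats listed above.
ARCHIVE_EXTENSIONS = {".eml", ".msg", ".pst", ".ost", ".mbox"}
# Subject-line keywords the research above searched for.
BEC_KEYWORDS = ("invoice", "payment", "purchase order")


def find_email_archives(root: str) -> list:
    """Walk a directory tree and list every file with an email archive extension."""
    found = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if os.path.splitext(name)[1].lower() in ARCHIVE_EXTENSIONS:
                found.append(os.path.join(dirpath, name))
    return sorted(found)


def subjects_in(path: str) -> list:
    """Return the subject lines of the text-based formats this example can parse."""
    ext = os.path.splitext(path)[1].lower()
    if ext == ".eml":
        with open(path, "rb") as fh:
            msg = email.message_from_binary_file(fh, policy=policy.default)
        return [str(msg["Subject"] or "")]
    if ext == ".mbox":
        mb = mailbox.mbox(path, create=False)
        try:
            return [str(m["Subject"] or "") for m in mb]
        finally:
            mb.close()
    return []  # .pst/.ost/.msg need a dedicated parser; they are inventoried, not read


def audit_share(root: str) -> dict:
    """Inventory exposed archives by extension and flag subjects of BEC interest."""
    by_extension, keyword_hits, flagged = Counter(), Counter(), []
    for path in find_email_archives(root):
        by_extension[os.path.splitext(path)[1].lower()] += 1
        for subject in subjects_in(path):
            for keyword in BEC_KEYWORDS:
                if keyword in subject.lower():
                    keyword_hits[keyword] += 1
                    flagged.append((os.path.relpath(path, root), subject))
    return {"files": sum(by_extension.values()), "by_extension": dict(by_extension),
            "keyword_hits": dict(keyword_hits), "flagged": flagged}


def _write_eml(path: str, sender: str, subject: str) -> None:
    """Write a minimal constructed RFC 822 message to `path`."""
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(f"From: {sender}\nTo: accounts@example.test\nSubject: {subject}\n\n(body)\n")


def build_sample_share() -> str:
    """Create a constructed directory resembling a mailbox backup left on an open share."""
    root = tempfile.mkdtemp(prefix="exposed-share-")
    os.makedirs(os.path.join(root, "backup", "2018"))
    _write_eml(os.path.join(root, "backup", "2018", "0001.eml"),
               "supplier@example.test", "Invoice 4471 overdue")
    _write_eml(os.path.join(root, "backup", "team.eml"), "hr@example.test", "Team lunch on Friday")
    mb = mailbox.mbox(os.path.join(root, "backup", "sent.mbox"))
    for subject in ("Purchase Order PO-119 approved", "Payment confirmation for PO-119"):
        mb.add(f"From: accounts@example.test\nSubject: {subject}\n\n(body)\n")
    mb.flush()
    mb.close()
    with open(os.path.join(root, "outlook.pst"), "wb") as fh:
        fh.write(b"!BDN")  # placeholder bytes only, not a real PST file
    return root
```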

In some instances, these were worryingly sensitive. In Figure 2, a whole accounting firm’s email correspondence with clients was publicly available online, including thousands of invoices and tax returns – a gold mine for a BEC campaign or fraudster looking to sell documents on forums and marketplaces.


Figure 2: Accounting firm exposing client information, including emails with tax return information. Redacted by Digital Shadows


We all archive and store emails somewhere, but this level of exposure prompts us to ask ourselves many questions: are you securing email archives appropriately? Have your employees been given training on the risks of using home NAS drives? And what about your third parties and contractors?


To learn how to reduce the risk of BEC for you and your organization, download a copy of our latest research report, Pst! Cybercriminals on the Outlook for Your Emails.


We’ve also created an infographic around our BEC research. Here are 5 ways that cybercriminals gain access to emails without conducting a phishing campaign or network intrusion.


Cyber Security Awareness Month: Week 3 – It’s Everyone’s Job to Ensure Online Safety at Work
Wed, 17 Oct 2018 15:41:41 +0000

This week, National Cyber Security Awareness Month (NCSAM) focuses on accountability and responsibility within the information security space: “It’s Everyone’s Job to Ensure Online Safety at Work.” This theme underlines the importance of a communal effort to achieve strong security awareness within an organization – it takes a village.


“We must accept human error as inevitable – and design around that fact.” – Donald Berwick


People are naturally conditioned to be helpful and polite. Unfortunately, this innate characteristic does not play well into established cyber defense strategies, and cybercriminals have gainfully benefitted from it. The majority of executed cyberattacks come from the inside of an organization. Educating employees on how to respond to potential email-based attacks and other social engineering tactics, maintain successful operational security, stay on top of password management and actively use the implemented incident response and escalation plan can radically decrease an organization’s attack surface.

Being a security awareness advocate can occasionally feel like herding cats. You may feel that you are trying to push water uphill when you repeat, “trust, but verify,” but this concept is crucial to keep in mind throughout your daily doings. On the bright side, maintaining a thorough and concise security policy, while avidly reinforcing employee awareness training, can successfully ease the confusion and obscurity of security policies that many professionals face today. Organization-wide security training and compliance can be the differentiator between a secure environment and a breach, data leakage or financial loss.


Email-Based Attacks

Mimecast reports that email-based attacks are the number-one vector cybercriminals leverage to deliver phishing attacks, malware and impersonations. Further, almost 90% of organizations have observed an increased or static number of phishing attacks within the last year. Email-based attacks are not a new phenomenon and the ubiquity of such attacks implies that they are not going away any time soon.


Phishing Attacks


The 2018 Phishing Trends and Intelligence Report by PhishLabs suggests that, “users are the most prominent and exploitable vulnerability.” This issue highlights the unfortunate, but true, concept that humans are the weakest link within the information security risk model. It appears that cybercriminals are beginning to shift focus from attacking individuals to attacking entire organizations.

Phishing emails can be delivered to users, imitating a trusted source. For example, an attacker may attempt to send an email from email-google[.]com to trick a user into thinking the email is from Google services. The email may maintain a link to reset a password that was purportedly “compromised.” The link within the email can direct users to email-google[.]com where the victim may be prompted to enter credentials or personally identifiable information. At this point, the attacker has a valid email and password combination that may be useful on other accounts owned by the victim. Further, the number of phishing sites located on HTTPS websites has significantly increased since 2016. Phishers believe that HTTPS sites are more likely to be trusted by users, which can lead to more successful outcomes – unfortunately, they are right on the money.

The best way to avoid phishing attacks is to implement multiple system defenses, and as paramount, strictly follow and enforce established security policies.


Malware, Ransomware and Trojans – oh my!

Over time, malware, ransomware and trojan delivery via phishing emails has increased significantly. Malware is defined as software that is intended to damage or disable computers or computer systems. Ransomware and trojans are subtypes of malware that can masquerade as harmless attachments, but when executed, can deliver malicious code or lock the victim out of their workstation. Emails can be sent with what appears to be an innocent attachment; however, unbeknownst to the user, the attachment is embedded with malware. Users can avoid these nefarious traps by disabling automatic attachment downloads and using up-to-date antivirus software to scan attachments prior to download.



In our latest whitepaper, Pst! Cybercriminals on the Outlook for Your Emails, we highlight how attackers can use exposed credentials to make illegitimate and malicious requests to colleagues, dig through the victim’s inbox to identify more potential targets or configure rules to silently forward emails to the attacker or delete nefarious emails from the sent box.

Historically, impersonation attacks have mostly targeted individuals within the same company; however, organizations have seen increased impersonation attacks where the attacker acts as a trusted third party or partner. When it comes to alleviating impersonation attacks, employee education is key. Applying technical controls, improving employee training, and correcting negligent email practices are imperative to mitigating these attacks.


Social Media Compliance

Top social media security risks include network or data breach, data leakage, loss of customer trust and negative publicity. Attackers can create an illegitimate account, act as a legitimate company support contact and fraudulently direct customers to a phishing page to enter credentials or personally identifiable information. Social media “account hacks” can also pose as an attack vector; bad actors may successfully gain access to an organization’s social media page and begin posting malicious or defamatory content. Unfortunately, this issue does not stop with corporate social media accounts. As individuals, employees can be misled into releasing confidential information to “trusted sources” via social engineering attacks. Malicious actors can create spoof profiles that act under a different persona, appearing to be a friend, colleague or third-party vendor, and reach out to potential targets.

To mitigate these potential threats, make a point to understand the potential risks and how your organization may be targeted. Collaborate and build a plan to maintain a safe and secure environment while propagating an effective social media presence for business needs. Further, make employees aware of the risks they may experience and how to avoid social media attacks. This can be accomplished by periodically assessing potential vulnerabilities within the company and teaching personnel to be critical when accepting connection requests, clicking on links or identifying spam.


Clean Desk Policy

Implementing a clean desk policy reinforces security awareness among employees and elevates the necessity of protecting sensitive information. The SANS Clean Desk Policy report suggests that, “a Clean Desk policy is not only ISO 27001/17799 compliant, but it is also part of standard basic privacy control.” Employees should securely stow sensitive or critical information to avoid data, information or financial loss. Further, when users are not directly in control of their workstation, it is imperative to lock their machine to prevent potential bad actors (colleagues or others) from accessing sensitive data or maliciously acting on the user’s behalf.


Password Management

Implementing a password policy and using a credible password manager is essential in maintaining account security. For best password practice, it is safest to create a new password for each account. We are all human, so remembering these passwords can be tough, but this is where a password manager becomes a very handy tool. Check out our previous blog on Credential Hygiene for recommendations on password length, re-use and multi-factor authentication (MFA).


Security Awareness and Training

The 2018 SANS Security Awareness Report recommends that maintaining qualified and dedicated cyber security awareness staff is essential. Finance and operations departments are reportedly the largest roadblock for security awareness teams. Transparent communication about the value and benefits of a successful security awareness program, from a business perspective, can minimize gaps in understanding and emphasize effectiveness.

Gartner suggests that ineffective security policies are too long and obtuse, do not address business concerns, are not tailored to specific organizations and are too technical for non-technical personnel within an organization. It is essential for companies to create a concise security policy that is easily understandable and easily applicable to all individuals, professions and ranks within an organization; thoroughness and simplicity are key. Templating a generic security policy can be detrimental to an organization’s risk; creating a security policy based on an organization’s perceived and potential risks is more suitable and valuable. It is important that we do not make security policy compliance an afterthought – build a security awareness culture where employees can understand and carry out established plans and incident response procedures accordingly.


In the end, security awareness and compliance are everyone’s job. After all, we are all in this together.



ShadowTalk Update – 10.15.2018
Mon, 15 Oct 2018 15:29:22 +0000

In ShadowTalk this week, Digital Shadows’ CISO Rick Holland, Richard Gold and Simon Hall join Rafael Amado to discuss the Hidden Cobra FASTCash ATM campaign. The team also look over the Five Eyes joint report into publicly available hacking tools, and debate whether companies who use MSPs are at greater risk of attack.


China said to have tampered with hardware for espionage

The Chinese government has been blamed for compromising Supermicro hardware to conduct cyber espionage in the United States. Media reports claimed that hardware was allegedly altered in Chinese factories during the manufacturing process, although the story has been heavily refuted. Although there is not currently evidence of any wider campaign, hardware implants and supply chains are very effective attack vectors and will highly likely continue to be targeted during the next year.


Sales intel firm Apollo exposed 200 million-plus records

Sales intelligence firm Apollo experienced a data breach that exposed more than 200 million records with details of individuals and entities. The firm aggregates information from a variety of public sources (including social media) in a database that is used to identify individuals and demographics for advertising. The information was reportedly accessed by external threat actors, whose identities and motives are unknown at this time. Organizations can check whether their data was exposed through the HaveIBeenPwned database. The stolen database will most likely be used for social engineering and spearphishing campaigns.


US, UK, Netherlands call out GRU hacking activity

Several Western states have claimed hacking activity by the GRU: the foreign military intelligence agency of the General Staff of the Armed Forces of the Russian Federation. The United States Department of Justice unsealed a court filing accusing seven GRU agents of being involved in hacking, influence and disinformation operations between December 2014 and May 2018, which mostly targeted sports and anti-doping institutions. The United Kingdom’s National Cyber Security Centre also published details on the attribution of several Russian cyber attack operations, and the Netherlands accused the GRU of targeting the world’s chemical weapons watchdog, the Organisation for the Prohibition of Chemical Weapons.


FruityArmor APT group blamed for zero-day attacks in Middle East

Cyber security researchers have claimed that the APT group FruityArmor exploited a zero-day vulnerability in targeted attacks against unknown entities in the Middle East. The attacks, first observed in August 2018, were intended to secure privileges on compromised devices. Microsoft has released a patch to address the vulnerability, but future attacks are likely.




Cyber Security Awareness Month: Week 2 – Aiming for Apprenticeships
Thu, 11 Oct 2018 14:59:45 +0000

This week’s theme for National Cyber Security Awareness Month (NCSAM) is based around encouraging ‘students and others to seek highly fulfilling cybersecurity careers’. I thought this would be a great opportunity to talk about my experience here at Digital Shadows over the past two years as an apprentice.


Why university degrees aren’t always the right target

At 18 years old, I was expected to go to university and told a degree is the most important aspect of your future employment prospects. However, with the recent increase in tuition fees in the UK, I decided to explore alternative options and, in doing so, came across apprenticeships. After some research, these are the reasons I decided to follow this route:

  • I didn’t like the prospect of being in debt and the idea of ‘earn while you learn’ appealed to me much more
  • I wasn’t entirely sure what I wanted to do and felt as if degrees were only required for certain careers, most of which I wasn’t interested in
  • Going to university was seen as the default and only choice for me and my peers. I wanted to be different and explore other options
  • If the apprenticeship didn’t work out, it was a good opportunity for me to learn some skills, as well as experience working in a professional environment. I could always go to university the following year

After discussing this with my careers advisor, she was unable to offer much support, especially after mentioning my interest in cybersecurity, a “niche” sector. I kept seeing cybersecurity being mentioned more and more in the news. I was fascinated by how individuals or small groups could cause major disruption to millions of people worldwide – I still have memories of the now infamous Lizard Squad taking down gaming servers – as well as the use of social engineering as a method of attack. It dawned on me that these were the issues individuals and businesses would be grappling with in the future, yet careers advisors and schools were still directing people towards conventional jobs in traditional sectors.

I realised how fast the industry was growing with a limited workforce, potentially offering job security and rapid career progression. With that in mind, I decided to contact some companies and offer to work over summer to gain experience in the sector. Luckily, an opportunity arose with Digital Shadows, who were happy for me to start my career path here and ended up offering me an apprenticeship!

Since working here my main role comprises offering IT support internally to over 150 employees across three continents; however, I have also undertaken projects involving cybersecurity. I am in regular contact with our internal security team as they continue to evolve our security tools and processes, and am involved in the detection of malware on our endpoints. Producing reports and working out how malware ends up on our systems has increased my understanding of the latest social engineering techniques and how important it is to both educate users and have appropriate technical controls in place.

Being involved in a start-up has also greatly improved my social skills and knowledge in other areas of business. I have been able to work closely with other teams and gain insights into their daily tasks – such as assisting with on-boarding projects and learning from the intelligence analysts and security engineers as they perform their roles. This has allowed me to consider career paths that I wouldn’t have experienced in a larger company. As the company grows you feel a sense of accomplishment and quickly become one of the more experienced employees, making it easy to fit in, especially as a young person. Interacting with the entire company has drastically improved my confidence when meeting new people, which will undoubtedly help with my employability in the future.

Over the last two years, I have greatly increased my knowledge of IT systems while providing support to customers on a help desk, which I believe to be a great foundation to my career. There’s no substitute for hands-on experience of how company networks are set up, how hardware and software are deployed, and how employees interact with IT systems on a daily basis. I would now like to specialise and gain qualifications to take my career to the next level.


Advice to a younger self

Apprenticeships may not be for everyone, but neither is university. For young people looking for an alternative, I’d highly recommend looking at all the different options available to you, speaking to as many people as possible in your target industry, and getting hands on experience to see if you’d actually like the job. My tips for young people wanting to get into this industry would be:

  • Contact companies even if they don’t have jobs advertised. If you like the culture of a company or the goal they are trying to achieve, there is no harm in asking for job roles that are not yet advertised.
  • Companies are looking for keen learners who they can train. Don’t be put off from applying because you feel as if you lack knowledge in the area.
  • Get your foot in the door. Opportunities will arise for you to change job roles internally. You may even discover careers you hadn’t considered previously.
  • For those interested in cybersecurity, there are a number of apprenticeship and education schemes now available to encourage people to join the industry. For those in the UK, check out the government security and Cyber security CNI apprenticeship schemes. In the US, look into the National Initiative for Cybersecurity Education (NICE) strategic plan and the Department of Labour website to see what options are available to you.
Phishing Site Impersonates Financial Services Institution Wed, 10 Oct 2018 17:18:15 +0000 If the infamous bank robber, Willie Sutton, were alive today and honed his cyber skills, he might turn his attention to phishing and domain spoofing. Why? Because, as he once said about banks, “that’s where the money is.”

An IT manager of a multinational financial services (FinServ) holding company experienced this first-hand. He discovered malicious actors targeting his organization through a phishing site impersonating their brand and had the site taken down.


Catching Big Phish

Phishing sites are a common way for threat actors to harvest credentials and defraud customers. The barriers to entry for phishing have lowered even more now as attackers can purchase phishing toolkits and phishing pages on criminal forums and marketplaces.

Figure 1: Screen shot of criminal forum listing offering phishing pages for sale (Source: n0va[.]shop)


Posing as the official site of the financial institution, the threat actors trick users into entering credentials and other valuable information, which they can sell on dark web marketplaces or online forums, or use themselves to steal from customers or launch subsequent attacks. Whichever way the threat actor chooses to monetize that information, the FinServ institution can lose revenue and suffer reputational damage. Here’s how it works.


Figure 2: Screen shot from Digital Shadows SearchLight™ alert of site impersonating Digital Shadows’ website


The Hook, Line and Sinker of Domain Spoofing

Hook. Bad actors put significant effort into developing a façade that can fool the casual user. In this case they registered two domains and used typosquatting to make a small change in the URL, changing an “m” to an “rn”, and for the second domain added the suffix “finance”. The content on the landing page of the spoofed site was an exact mirror of the FinServ company’s site.


Line. With the site up and ready, the next step is to lure customers or staff to the sites. The threat actors used social engineering to tailor emails and make them as compelling as possible, so unsuspecting recipients would click on a link to the spoofed domain.


Sinker. To increase their return on investment, the attacker limited the actual functionality on the site to only what they needed to accomplish their mission. When the user input their username and credentials in the login box, they received an error and were asked to try again later. But the damage was done – the attacker had the credentials in hand to monetize in a variety of ways.
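The “Hook” step above relies on two cheap tricks: swapping “m” for “rn” and bolting a keyword such as “finance” onto the brand label. The check below is an added example written for this post, not code from Digital Shadows or from the original article; it flags observed domains that resemble a protected brand domain. The domain names, the small confusable-character table and the keyword list are all constructed placeholders.

```python
"""Lookalike-domain check for brand monitoring.

Added example, not code from the original post. It covers the two tricks
described in the "Hook" paragraph: swapping "m" for "rn" and bolting a keyword
such as "finance" onto the brand label. All domain names below are constructed.
"""

# Character sequences that render almost identically in many fonts.
# Assumption: this small table suffices for the post's cases; a production
# monitor would carry a much larger homoglyph table and IDN handling.
CONFUSABLES = {"rn": "m", "vv": "w", "cl": "d", "0": "o", "1": "l"}

# Keywords attackers commonly combine with a brand label (assumption: short list).
KEYWORDS = ("finance", "secure", "login", "online", "bank", "support")


def visually_normalize(label: str) -> str:
    """Collapse confusable sequences, so 'acrnebank' reads as 'acmebank'."""
    out = label.lower()
    for seq, replacement in CONFUSABLES.items():
        out = out.replace(seq, replacement)
    return out


def registrable_label(domain: str) -> str:
    """Second-level label: 'acmebank.com' -> 'acmebank'.
    Assumption: single-label public suffixes only (no .co.uk handling)."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def lookalike_reasons(brand_domain: str, candidate: str) -> list:
    """Why `candidate` resembles `brand_domain`; an empty list means no match."""
    if candidate.lower().strip(".") == brand_domain.lower().strip("."):
        return []  # the genuine domain
    brand = registrable_label(brand_domain)
    cand = registrable_label(candidate)
    norm_brand, norm_cand = visually_normalize(brand), visually_normalize(cand)
    reasons = []
    if cand == brand:
        reasons.append("same label under a different TLD")
    elif norm_cand == norm_brand:
        reasons.append("confusable-character substitution")
    for kw in KEYWORDS:
        combos = (brand + kw, brand + "-" + kw, kw + brand, kw + "-" + brand)
        if norm_cand in {visually_normalize(c) for c in combos}:
            reasons.append(f"brand label combined with keyword '{kw}'")
    return reasons


def flag_lookalikes(brand_domain: str, observed: list) -> dict:
    """Map each suspicious observed domain to its reasons (clean domains omitted)."""
    result = {}
    for domain in observed:
        reasons = lookalike_reasons(brand_domain, domain)
        if reasons:
            result[domain] = reasons
    return result


if __name__ == "__main__":
    # Constructed feed of newly seen domains, as a brand monitor might receive.
    feed = ["acmebank.com", "acrnebank.com", "acmebank-finance.com",
            "acrnebankfinance.net", "acmebank.net", "weather-report.org"]
    for domain, why in flag_lookalikes("acmebank.com", feed).items():
        print(f"{domain}: {'; '.join(why)}")
```

Both sides of the comparison are normalized, so a legitimate brand that happens to contain “rn” is not penalised; the check only fires when the candidate reads the same as the brand once confusables are collapsed. Feeding it a daily list of newly registered domains is the usual way to catch a spoof before the phishing emails go out.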


How did the IT manager learn their domain was being spoofed and what are they doing to keep it from happening again? See how Digital Shadows SearchLight™ enables organizations to detect and mitigate this type of risk: Test Drive SearchLight™ Free Here.


To learn more about identifying which cyber threats to prioritize, where to monitor for leaked intellectual property, and how to access hard-to-reach areas like the dark web, subscribe to our newsletter here.

33,000 Accounting Inbox Credentials Exposed Online: BEC Made Easy Tue, 09 Oct 2018 15:04:41 +0000 Last week, I wrote about how cybercriminals are looking to trade corporate emails in their pursuit of conducting Business Email Compromise scams (BEC). In particular, these individuals sought the credentials of CFOs, CEOs, and accounting and finance departments. However, as our latest report, Pst! Cybercriminals on the Outlook for Your Emails, shows, many of these credentials have already been exposed through breaches or leaks of third party sites.

One approach to conducting BEC is to gain access to a corporate email account directly (shown in Figure 1). Recent research found that 44% of organizations were victims of targeted email attacks launched via a compromised account.


Figure 1: One approach to conducting Business Email Compromise


Once the company email account is compromised, the attacker will hijack the account to make fraudulent requests to colleagues, accounting departments and suppliers. Once inside a business email account, the attacker can perform reconnaissance by searching the mailbox for targets as well as learning how money moves around the organization. Another popular tactic is to alter mailbox rules so that the victim’s email messages are forwarded to the attacker, or emails sent by the attacker are deleted from the sent list.
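The mailbox-rule tactics described above (forwarding the victim’s mail to the attacker, deleting the attacker’s own messages) leave a visible trace in the account’s rule list, so auditing rules is a practical detection. The audit below is an added example, not code from the original post or from any mail platform; the rule records are constructed in a simplified shape, and the field names (`user`, `name`, `forward_to`, `delete`, `conditions`) are an assumption standing in for whatever your mail system’s API exposes.

```python
"""Mailbox-rule audit, added as an example (not from the original post).

Flags the two rule patterns described above: forwarding mail to an external
address and deleting messages that match the attacker's own traffic. Rule
records are constructed in a simplified shape; the field names are an
assumption standing in for whatever the mail platform's API provides.
"""

CORPORATE_DOMAINS = {"example-corp.com"}  # constructed

SAMPLE_RULES = [  # constructed
    {"user": "ap@example-corp.com", "name": "Archive invoices",
     "forward_to": [], "delete": False,
     "conditions": {"subject_contains": "invoice"}},
    {"user": "ap@example-corp.com", "name": ".",
     "forward_to": ["drop.box.9981@webmail.example"], "delete": False,
     "conditions": {"subject_contains": "payment"}},
    {"user": "cfo@example-corp.com", "name": "cleanup",
     "forward_to": [], "delete": True,
     "conditions": {"subject_contains": "wire transfer"}},
    {"user": "hr@example-corp.com", "name": "Forward to assistant",
     "forward_to": ["assistant@example-corp.com"], "delete": False,
     "conditions": {}},
]


def is_external(address: str, corporate_domains: set) -> bool:
    """True when the address's domain is not one of ours."""
    domain = address.rsplit("@", 1)[-1].lower()
    return domain not in corporate_domains


def audit_rules(rules: list, corporate_domains: set = CORPORATE_DOMAINS) -> list:
    """Return (user, rule name, finding) triples for rules worth a human look."""
    findings = []
    for rule in rules:
        external = [a for a in rule.get("forward_to", [])
                    if is_external(a, corporate_domains)]
        if external:
            findings.append((rule["user"], rule["name"],
                             "forwards mail outside the organisation to " + ", ".join(external)))
        if rule.get("delete") and rule.get("conditions"):
            findings.append((rule["user"], rule["name"],
                             "silently deletes mail matching " + repr(rule["conditions"])))
        # A name that is blank or a single punctuation mark is hard to notice in
        # a rule list; treat it as a signal in its own right.
        if not rule["name"].strip(" ."):
            findings.append((rule["user"], rule["name"],
                             "rule name is blank or punctuation only"))
    return findings


if __name__ == "__main__":
    for user, name, finding in audit_rules(SAMPLE_RULES):
        print(f"{user}\t{name!r}\t{finding}")
```

The internal forward to an assistant produces no finding; the external forward, the silent delete on “wire transfer”, and the rule named “.” each do. In practice the same logic runs against rules pulled from the mail platform on a schedule, with the finance and executive mailboxes the first ones on the list.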


33,568 Exposed Credentials

In order to understand the extent to which email accounts of finance departments are exposed, we searched for compromised credentials in our data breach repository. Digital Shadows’ breach repository holds nearly 5 billion credentials exposed through more than 280,000 different data breaches and leaks, obtained from a variety of open and closed sources.

By searching for known email formats of finance departments such as “”, “”, “”, “”, “”, we detected over 80,000 credentials. After duplicates and personal email addresses were removed, this left 33,568 exposed finance department email addresses – eighty-three percent (27,992) of which had passwords associated. This exposure was global in nature, as shown by the distribution of Top Level Domains (TLDs).


Top Level Domain        Credentials Exposed
.com                                 18,163
(TLD not recoverable)                 4,953
.au                                   4,855
.za                                   3,000
.de                                     404
.edu                                    116
.nl                                      61
.my                                      48
.gov                                     24
.hk                                      23
Total                                33,568


What about Multi-Factor Authentication?

There are, of course, measures that organizations can implement that will hamper the success of these account takeovers. These include implementing multi-factor authentication (MFA) and single sign-on solutions (SSO). However, there have been reports about the ability to bypass single sign-on or MFA and use brute force methods to steal corporate Microsoft Office 365 login credentials and log into enterprise systems.

In addition to implementing MFA, various email controls help to limit BEC campaigns. The three email authentication standards SPF, DKIM and DMARC help other organizations recognize fraudulent emails purporting to come from your domain. SPF declares which servers are allowed to send mail for your domain, DKIM signs outgoing messages so that receivers can verify they were sent by your infrastructure and not altered in transit, and DMARC tells receivers what to do with mail that fails those checks and where to send reports of spoofing attempts. This goes a long way toward protecting against BEC, although these controls will not help against attackers who register a variation of the original domain – for example, they deal with google[.]com spoofing but not google-email[.]com.
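The SPF and DMARC records a domain publishes are plain TXT strings, so the weak settings the paragraph warns about can be checked mechanically. The checker below is an added example, not code from the original post or from any DMARC tooling; the records are constructed, with a permissive pair beside a hardened pair, and the last function shows why a lookalike domain falls outside these controls entirely.

```python
"""SPF and DMARC record review, added as an example (not from the original post).

Parses the TXT records a domain publishes and flags the permissive settings a
reviewer would call out. The records below are constructed; fetch real ones
with `dig TXT example.com` and `dig TXT _dmarc.example.com`.
"""

# Constructed records: a permissive pair beside a hardened pair.
WEAK_SPF = "v=spf1 include:_spf.mail.example +all"
STRONG_SPF = "v=spf1 include:_spf.mail.example ip4:203.0.113.0/24 -all"
WEAK_DMARC = "v=DMARC1; p=none"
STRONG_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; pct=100"

# SPF terms that cost a DNS lookup; RFC 7208 allows at most 10 per evaluation.
LOOKUP_MECHANISMS = ("include:", "a", "mx", "ptr", "exists:", "redirect=")


def parse_spf(record: str):
    """Return (mechanisms, all_qualifier) for a v=spf1 record, or None if not SPF.
    `mechanisms` is a list of (qualifier, body); a missing qualifier means '+'."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    mechanisms, all_qualifier = [], None
    for term in terms[1:]:
        qualifier, body = (term[0], term[1:]) if term[0] in "+-~?" else ("+", term)
        if body.lower() == "all":
            all_qualifier = qualifier
        else:
            mechanisms.append((qualifier, body))
    return mechanisms, all_qualifier


def spf_findings(record: str) -> list:
    """Weak points in an SPF record (empty list = nothing to report)."""
    parsed = parse_spf(record)
    if parsed is None:
        return ["no SPF record: receivers cannot tell authorized senders from spoofers"]
    mechanisms, all_qualifier = parsed
    findings = []
    if all_qualifier in (None, "+", "?"):
        findings.append(f"'all' qualifier is {all_qualifier!r}: unauthorized senders "
                        "still pass; use -all (or ~all while testing)")
    lookups = sum(1 for _, body in mechanisms if body.lower().startswith(LOOKUP_MECHANISMS))
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms exceed the limit of 10; "
                        "receivers return permerror and the record is useless")
    return findings


def parse_dmarc(record: str):
    """Return the tag dict of a v=DMARC1 record, or None if not DMARC."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else None


def dmarc_findings(record: str) -> list:
    """Weak points in a DMARC record (empty list = nothing to report)."""
    tags = parse_dmarc(record)
    if tags is None:
        return ["no DMARC record: receivers get no policy for mail failing SPF/DKIM"]
    findings = []
    if tags.get("p", "none") == "none":
        findings.append("p=none: spoofed mail is reported but still delivered; "
                        "move to quarantine, then reject")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports are not collected")
    if int(tags.get("pct", "100")) < 100:
        findings.append(f"pct={tags['pct']}: policy applies to only part of the mail")
    return findings


def protected_by_domain_policy(protected_domain: str, sender_domain: str) -> bool:
    """SPF, DKIM and DMARC bind to the exact domain and its subdomains. A lookalike
    such as google-email[.]com is a separate domain with its own records, which is
    why these controls do not stop that class of spoofing."""
    protected, sender = protected_domain.lower(), sender_domain.lower()
    return sender == protected or sender.endswith("." + protected)


if __name__ == "__main__":
    for label, rec, fn in (("weak SPF", WEAK_SPF, spf_findings),
                           ("strong SPF", STRONG_SPF, spf_findings),
                           ("weak DMARC", WEAK_DMARC, dmarc_findings),
                           ("strong DMARC", STRONG_DMARC, dmarc_findings)):
        print(label, "->", fn(rec) or "OK")
```

Note that DKIM is not parsed here: its public key lives under a selector name that the receiver only learns from a signed message, so checking it needs a sample email rather than a fixed DNS name.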

With the large number of accounting and finance email credentials exposed, organizations should detect when their accounting emails are compromised, and ensure the passwords are not re-used for corporate accounts. Furthermore, finance departments should limit the extent to which they sign up for third party services with the department email account. To read more about BEC, download a copy of our latest research report, Pst! Cybercriminals on the Outlook for Your Emails.

We’ve also created an infographic around our BEC research. Here are 5 ways that cybercriminals gain access to emails without conducting a phishing campaign or network intrusion.


To stay up to date with the latest digital risk and threat intelligence news, subscribe to our threat intelligence emails here.


ShadowTalk Update – 10.08.2018 Mon, 08 Oct 2018 15:11:58 +0000 In this week’s Shadow Talk, Rafael Amado joins Michael Marriott to discuss Digital Shadows’ latest research on Business Email Compromise, Pst! Cybercriminals on the Outlook for Your Emails. We discuss how criminals are outsourcing this work, and how the exposure of 33,000 finance department credentials is increasing the ease for attackers. However, even without taking over accounts, criminals can get their hands on sensitive financial information. We dig into the 12.5 million exposed email archives that are available through misconfigured online file stores, including invoices, purchase orders, and payments. Finally, we provide advice for mitigating these risks.



APT-28 proves hypothetical threat with UEFI rootkit

The first observed use of a UEFI rootkit has been attributed to the APT-28 (aka Fancy Bear, Sofacy, Sednit, Strontium) threat group. Previously the rootkit was known only as a hypothetical proof of concept with no evidence of successful deployment. APT-28 used a trojanized version of the legitimate LoJack anti-theft software to embed the rootkit in a machine’s UEFI firmware, allowing persistence and serving as a backdoor to deliver additional malicious payloads. The campaign reportedly targeted government organizations in the Balkans, as well as Central and Eastern Europe. Security researchers at ESET have dubbed the malware LoJax.


Facebook access tokens harvested by unknown attackers

On 25 Sep 2018 social media company Facebook detected a vulnerability in one of its site’s features that potentially allowed attackers to take over accounts. Unidentified attacker(s) reportedly exploited the vulnerability in the site’s platform to harvest user access tokens for approximately 50 million Facebook accounts. These tokens contain the security credentials for a login session and identify the user. It is not known whether the attackers used the tokens to gain control of individual accounts. The vulnerability has since been patched, and the tokens for 90 million users have been reset. Facebook is conducting investigations, and more information is likely to become available in the immediate future.


Second port falls prey to cyber attack

A ransomware attack has affected the administrative processes of California’s Port of San Diego in the United States. The ransom note demanded an undisclosed sum in Bitcoin (a cryptocurrency) after being delivered to the port via an unknown ransomware variant by an unidentified threat actor. This is the second recently reported incident affecting a port authority: On 24 Sep 2018 it was reported that the computer servers at Spain’s Port of Barcelona had been targeted, although the attack caused no impact on its maritime or land-based services. Ports are lucrative targets for threat actors wishing to obtain sensitive or financial information, or to cause disruption to daily operations. Due to the criticality of maritime operations, attacks against ports will likely continue in the long term.


New APT group theft attribution lets Lazarus Group off the hook

Researchers cited a financially motivated North Korean espionage group, dubbed APT38, as responsible for several high-profile thefts from financial institutions beginning in 2014. The thefts were previously attributed to Lazarus Group, and researchers believe APT38 operates closely with the Lazarus Group’s operations but is distinctly separate from them. The newly identified group is thought to focus only on financial gain for North Korea.



To stay up to date with the latest digital risk and threat intelligence news, subscribe to our threat intelligence emails here.

Business Email Compromise: When You Don’t Need to Phish Thu, 04 Oct 2018 11:16:51 +0000 According to the FBI, Business Email Compromise (BEC) and Email Account Compromise (EAC) have caused $12 billion in losses since October 2013. Financially-sensitive information constantly flows through company emails, such as contract scans, purchase orders, and payroll information. All these make inboxes lucrative targets for attackers, who use social engineering and intrusion techniques to gain access to business email accounts.


Decreased Barriers to Entry

In our latest research report, Pst! Cybercriminals on the Outlook for Your Emails, we outline the declining barriers to entry for this type of fraud. There are three main ways for cybercriminals to gain access to these emails without conducting a phishing campaign or network intrusion: 1) pay for access to a corporate account, 2) get lucky with previously compromised credentials, and 3) leverage email archives already exposed through misconfigured backups and file sharing services. In this blog post, I’ll outline how actors turn to the cybercriminal forums to gain access to these accounts.


Business Emails Offered on Criminal Forums

It’s common for accounts to be shared and sold across criminal forums, with actors looking to take over customer accounts for a variety of fraud purposes. The emails of finance departments and CEO/CFOs are no exception, and so it’s unsurprising that online criminal forums are replete with individuals requesting access to corporate email accounts.

We identified numerous examples of the demand and supply of these accounts. For example, in Figure 1 we detected individuals on a Russian-speaking, closed source criminal forum specifically searching for company emails that contained “ap@”, “ar@”, “accounting@”, “accountreceivable@”, “accountpayable@”, and “invoice@”.


Figure 1: Corporate emails requested on a closed source Russian-speaking criminal forum


As-a-service offerings exist, and the prices can be low. Alongside actors offering to acquire business emails on request, compromised business email accounts are offered for as little as $150 each (see Figure 2), although closed web-based services start at $200.


Figure 2: Corporate email hacking service advertised on a criminal forum


HUMINT Engagement Uncovers Targeted Campaigns

Not all requests and transactions will be handled on criminal forum boards; conversations will often move to private channels to finalize the details. Through HUMINT interaction with a Russian-speaking actor, we identified an individual seeking emails from the accounting departments of companies in specific industries and geographies, searching for “accountspayable@”, “accountsreceivables@”, “payables@”, and “receivables@” (see below).


Figure 3: A Jabber conversation with a Russian-speaking criminal planning a BEC campaign. (Source: Digital Shadows HUMINT).


After engaging on a criminal forum, the conversation quickly moved to a private Jabber channel to discuss specific targets. Rather than paying a set fee for credentials, the actor offered to pay 20% of the proceeds they would make from their campaigns. With a specified list of 100 targets, most commonly in construction, property, public services, and higher education, this has the potential to be highly lucrative for threat actors. Construction and property services will be handling a large number of sizeable transactions on a daily basis, and so the potential for BEC is significant. In this case, the majority (79%) of these targets were in the United Kingdom, Australia, and Singapore – demonstrating the global nature of BEC.


The potential to monetize access to the email boxes of financial departments is clear, and cybercriminals are looking to capitalize on this. In following blogs, I’ll discuss the extent to which previously compromised credentials can leave email inboxes exposed, and how the exposure of email archives across misconfigured online file stores even renders this unnecessary. If you can’t wait for that, download a copy of our report, Pst! Cybercriminals on the Outlook for Your Emails.


We’ve also created an infographic around our BEC research. Here are 5 ways that cybercriminals gain access to emails without conducting a phishing campaign or network intrusion.


To stay up to date with the latest digital risk and threat intelligence news, subscribe to our threat intelligence emails here.

Cyber Security Awareness Month: Week 1 – Credential Hygiene Wed, 03 Oct 2018 15:12:37 +0000 It’s the opening week of the annual National Cyber Security Awareness Month (U.S.) and Cyber Security Month (Europe). While good security shouldn’t be something we only think about on one month of the year, it’s a good opportunity to educate the general public about the importance of information security. For practitioners and organizations, it’s also a reminder to reflect on the practices we are already implementing and how we can improve these in future. Throughout October, we’ll be posting a series of blogs covering some of the weekly themes in the US and European 2018 campaigns.

Figure 1: National Cyber Security Awareness Month (U.S.) and Cyber Security Month (Europe) 2018 themes


Week One’s theme is Practice Basic Cyber Hygiene, which aims to assist the public in establishing and maintaining the daily practices to stay safe online. With this in mind, I’m going to discuss one element of cyber hygiene in particular: credential hygiene.


What is credential hygiene?

Credential hygiene refers to the way we handle credentials in our environments, whether on an individual or organizational level. In the past, exploit kits for popular services such as Flash were a prevalent method of gaining access to victim environments; nowadays, however, phishing kits and credential harvesters that steal username and password combinations are the preferred way. This has many advantages for an attacker, above all that anomalous activity is much harder to detect when the attacker logs into an environment using legitimate credentials from a trusted user. Why pick the lock when you can find the key?

When assessing your credential hygiene practices, it’s useful to consider how attackers can target and acquire our credentials in the first place. Broadly speaking, we can group these into three categories:


  1. Stolen credentials. Attackers can use tools such as phishing kits, keyloggers and credential harvesting malware to steal credentials. Usually, they’ll use social engineering techniques to trick victims into visiting sites or entering details into specially-crafted phishing pages that collect your usernames and passwords. Pony is an example of a credential harvester that has been used to steal information out of browsers. Usernames, passwords and personal information collected by the Pony malware have also been released publicly and traded among criminal actors.

The Pony malware logs are also an example of how stolen credentials can end up in public datasets, providing a further opportunity for attackers to acquire credentials. These include: historic breaches such as LinkedIn, Adobe and Yahoo; exposed credentials found on public sources such as anti-combo lists, criminal forums and marketplaces; credential sets located on paste sites; and breached datasets acquired from closed sources, such as gated forums and peer-to-peer chat channels.


  2. Default credentials. Devices such as routers, modems and many Internet of Things (IoT) devices come with default passwords issued by manufacturers. Users of these devices often forget to change these passwords, leaving themselves open to attack. Default password and username lists for many devices are available online, meaning attackers can compromise your machines without needing to phish for credentials. This extends beyond individual devices to much larger, critical applications. In a recent research report on threats to ERP applications, we discovered many adversaries leveraging weak default passwords of SAP applications.


  3. Weak credentials. Even if you do change your passwords, using simple, easily-guessable credential combinations also plays into an attacker’s hands. With brute forcing and credential stuffing tools a dime a dozen, attackers are able to use automated means of breaking into your account. We covered this in more detail in our Account Takeover: Protect Your Customer and Employee Accounts report.

Something else to consider is the way in which your passwords are being stored. Typically, passwords are stored in a hash format, meaning they are cryptographically secured using a one-way function. However, hashing is not a fool-proof solution, and some hashing methods are stronger than others. SHA1 and MD5 hashing algorithms are easy for computers to test, and a powerful set of CPUs can do this very quickly. Other hashing functions such as scrypt and bcrypt are far harder to brute force, so it’s worth checking with your IT and security teams to ensure you are using the best methods available.

Top credential hygiene tips

Both on an individual and organizational level, there are many measures you can put in place to improve your credential hygiene. While not exhaustive, some of the most important are:

  1. Create strong passwords. “Strong” means it would be difficult for someone to guess your password. Ideally your passwords should include at least 12 characters, both upper and lowercase letters, and at least one number and one symbol. You should also avoid using single dictionary words, as these are easy to guess and brute force.


  2. Use unique passwords across each sensitive account. If you re-use a password on different sites and it gets stolen from one, an attacker could get access to all those accounts. Consider having separate accounts for different activities: such as an account for work emails, one for personal use, and another one for sites which bombard you with marketing material. Remembering multiple complex passwords, however, is impossible for most of us, so consider using a password manager to avoid having to write them down.


  3. Use multi-factor authentication (MFA) where available. Many sites now offer MFA (aka 2FA), so a secondary, one-time proof of identity is needed alongside the password to log in. This can be a device (e.g. SecurID token), software (e.g. Google Authenticator) or an SMS message.
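Two of the points above can be shown in working code: the “strong password” rules from tip 1, and the storage advice from the earlier paragraph on hashing (a slow, salted function such as scrypt or bcrypt rather than MD5 or SHA-1). The block below is an added example written for this post, not code from Digital Shadows or from the original article. It uses scrypt from Python’s standard `hashlib`; the sample passwords and the tiny word list are constructed, and the scrypt cost parameters are an assumption chosen for an interactive login.

```python
"""Password policy check and safe storage, added as an example (not from the
original post). Part one applies the 'strong password' rules given above; part
two stores passwords with scrypt (a slow, salted KDF from Python's hashlib)
rather than a fast digest such as MD5 or SHA-1, and times the difference.
Sample passwords and the tiny word list are constructed.
"""
import hashlib
import hmac
import os
import string
import time

# Assumption: a tiny stand-in for a real dictionary word list.
DICTIONARY = {"password", "welcome", "dragon", "sunshine", "football"}

# Assumption: cost parameters for an interactive login (about 16 MiB per hash).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def policy_failures(password: str) -> list:
    """Return the rules from the post that `password` breaks (empty = passes)."""
    failures = []
    if len(password) < 12:
        failures.append("shorter than 12 characters")
    if not any(c.islower() for c in password):
        failures.append("no lowercase letter")
    if not any(c.isupper() for c in password):
        failures.append("no uppercase letter")
    if not any(c.isdigit() for c in password):
        failures.append("no digit")
    if not any(c in string.punctuation for c in password):
        failures.append("no symbol")
    # 'Sunshine2018!!' is still one dictionary word once the padding is removed.
    core = password.lower().strip(string.digits + string.punctuation)
    if core in DICTIONARY:
        failures.append("single dictionary word padded with digits/symbols")
    return failures


def hash_password(password: str, salt: bytes = None) -> str:
    """scrypt with a random 16-byte salt; the parameters are stored with the hash
    so they can be raised later without breaking existing records."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and parameters; constant-time compare."""
    scheme, n, r, p, salt_hex, digest_hex = stored.split("$")
    if scheme != "scrypt":
        return False
    digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                            n=int(n), r=int(r), p=int(p), dklen=32)
    return hmac.compare_digest(digest.hex(), digest_hex)


def cost_ratio(trials: int = 10) -> float:
    """How many times slower one scrypt guess is than one SHA-1 guess. This is
    the attacker's per-guess cost when cracking a leaked hash database offline."""
    pw, salt = b"Sunshine2018!!", os.urandom(16)
    start = time.perf_counter()
    for _ in range(trials):
        hashlib.sha1(salt + pw).digest()
    fast = (time.perf_counter() - start) / trials
    start = time.perf_counter()
    for _ in range(trials):
        hashlib.scrypt(pw, salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    slow = (time.perf_counter() - start) / trials
    return slow / max(fast, 1e-9)


if __name__ == "__main__":
    for candidate in ("Password1!", "Sunshine2018!!", "correct-horse-Battery9"):
        print(f"{candidate!r}: {policy_failures(candidate) or 'passes policy'}")
    record = hash_password("correct-horse-Battery9")
    print("verify correct:", verify_password("correct-horse-Battery9", record))
    print("verify wrong:  ", verify_password("correct-horse-Battery8", record))
    print(f"scrypt is ~{cost_ratio():,.0f}x the cost of SHA-1 per guess")
```

The policy check is deliberately literal to the post’s rules; a real deployment would add a breached-password lookup, since a 12-character password that already appears in a public dump is weak regardless of its character mix. The cost ratio is the whole point of the hashing paragraph: a leaked table of scrypt hashes forces an attacker to pay that multiple on every guess, and the per-record salt stops one cracked hash from revealing every user who chose the same password.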


Credential hygiene is a big topic. For more discussion on best practices, particularly for security teams trying to improve credential management across their organizations, check out our previous episode of ShadowTalk – Episode 39: Credential Hygiene.


To stay up to date with the latest digital risk and threat intelligence news, subscribe to our threat intelligence emails here.

Security Analyst Spotlight Series: Christian Rencken Tue, 02 Oct 2018 14:39:07 +0000 Organizations rely on our cyber intelligence analysts to be an extension of their security team. Our global team of analysts provide relevant threat research, much needed context, tailored remediation advice and managed takedown support to make our clients’ jobs easier and more efficient. Crucially, by having analysts within the intelligence and collection cycle, we’re able to minimize the real-time false positives that cause nightmares for most organizations.

In our Security Analyst Spotlight Series, we bring our analysts out of the shadows and into the spotlight, showcasing their expertise and interests so you can learn a bit more about a “day-in-the-life” of a Digital Shadows Intelligence analyst.

Name: Christian Rencken
Team: Managed Services Intelligence
Title: Senior Cyber Intelligence Analyst

Q: How did you get into the field of cybersecurity?

A: I began my cybersecurity career in Sales in San Francisco and it wasn’t long before I realized I wanted to be on the ground floor looking for threats. Intelligence analysis grants me the bird’s-eye-view of our customer’s risks, and we can see threats developing from all different areas, including the dark web. The proliferation of devices connected to the Internet increases the average user’s experience to a whole new world of cyber exposure, which easily can begin to snowball and turn into a threat.


Q: What areas of cyber security are you most interested in?

A: I’m most interested in the structure of different groups, whether nation-state or criminal. This has been somewhat of a newfound interest, but as I’ve been studying the threat landscape I’ve come to learn how important each group’s structure is to both accomplishing their tasks and maintaining anonymity.

Regarding the intelligence analysis job itself, I really enjoy the exposure to the open and deep web and understanding how to maintain operational security in this new cyber world we are so quickly rushing into. Nearly every action I take while surfing the web, whether it’s using my credit card on point of sale systems or communicating on social media, is influenced by what I see working here at Digital Shadows.


Q: What has been your favorite online investigation to work on? 

A: During the Winter Olympics in 2018 we conducted daily intelligence briefings with a client that was sponsoring the event. Every morning we briefed the client on cyber events from the previous day as well as possible threats in both the South Korean region as well as the broader cyber landscape. On the final day of the call we worked with a team of security and intelligence analysts from different organizations to assess the threats that had emerged over the course of the games, locate where the attacks were coming from, and make recommendations for how the client could mitigate against these threats both at the time and for future events.


Q: What are the most recent cybersecurity trends that people should be aware of?

A: One of the most recent and significant cybersecurity trends has been the different ways to monetize off of cryptocurrency related campaigns, but I predict this to start to slow down as we see the decrease of the “cryptomania”.

Going forward from here I’d say that collectively we need to be aware of the continued interference and influence campaigns on the United States elections coming up in November. This one is particularly interesting to me because for something like this, it’s not as if we can simply focus on dealing with a new tactic, technique or procedure (TTP) or vulnerability; this isn’t something that can be fixed just with a patch. As recent indictments have shown, threat actors targeting elections use a variety of techniques – often traditional and common ones such as social engineering and spearphishing – in aggregation and over a prolonged period of time. It is this persistence and operational sophistication that makes it so difficult to defend.


Q: What advice would you give someone wanting to become an intelligence analyst?

A: My first bit of advice is to be open-minded. Intelligence analysis isn’t something that you only do at work, but it is something that you adopt outside in life as well. Principles like not following your emotions, but following the facts, interrogating evidence, being happy with being wrong, admitting your mistakes quickly, and objective reasoning are all crucial tenets of this position.

My second bit of advice is to familiarize yourself with the intelligence industry you’re in. Obviously in this case it’s cyber intelligence, so for this job specifically I would recommend learning as much about cybersecurity fundamentals as you can. And don’t worry about being confused at first because of the complexity.


Q: Tell us one thing that most people won’t know about you?

A: There’s probably a lot, but one thing that surprises people is just how much I like to turn on live feeds of African wildlife videos. Oftentimes when I’m in need of a breather or relaxation, I will throw on a live feed of a watering hole in Africa and watch the animals go by. I love being outdoors and I’ve always been obsessed with African animals, so watching them peacefully pass by is a form of meditation for me.


Bio: Christian Rencken is a Cyber Intelligence Analyst at Digital Shadows, which he joined in mid-2016. Christian has a passion for intelligence analysis and all things global affairs. He holds a BA in Anthropology, a minor in Political Science and a Certificate in Applied Business from the University of Colorado. He also has a certificate in Entrepreneurship Essentials from Harvard’s HBX Business School.


Interested in hearing more from our intelligence team? Check out our blogs or subscribe to our weekly threat intelligence podcast, ShadowTalk.

ShadowTalk Update – 10.01.2018 Mon, 01 Oct 2018 15:02:32 +0000 Rick Holland, CISO of Digital Shadows, joins Richard Gold and Michael Marriott to discuss the possible implications of Facebook security flaws affecting 50 million accounts. In part two, one year after reports of the Equifax breach surface, the UK arm has been fined £500,000 by the Information Commissioner’s Office (ICO). We look at the lessons learned.


Black Rose Lucy redefines threat of malware-as-a-service (MaaS)

Security researchers identified a new MaaS botnet bundle targeting users of Android mobile devices in France, Israel and Turkey. Dubbed Black Rose Lucy and attributed to the Russian-speaking threat group Lucy Gang, the malware features an easy-to-use interface that could appeal to low-level threat actors who purchase malware services. What’s more, this MaaS allows threat actors to upload and deploy their own malware for distribution among infected devices. Black Rose Lucy has exhibited persistence and profiling capabilities, and several improved versions have also been identified, suggesting its creators are actively developing it and seeking a global customer base. The trend of threat groups or threat actors purchasing MaaS will likely continue in the mid-term future (between three months to a year).


Virobot ransomware uses botnet tricks to spread

The ransomware strain “Virobot”, first identified on September 17, 2018, has been found to use botnet capabilities to propagate. Virobot encrypts the files on an infected machine and displays a ransom demand on the victim’s screen. It can also access the victim’s Microsoft Outlook account and attach a copy of itself to emails sent to the victim’s contacts, spreading to further victims. Virobot has not been attributed to any known ransomware family or known threat actor.


Port of Barcelona withstands cyber attack by unknown threat actors

On September 20, 2018 several servers belonging to Spain’s Port of Barcelona were targeted in a cyber attack. Maritime and land-based operations were reportedly unaffected, including the delivery and distribution of goods and the scheduling of ships docked at the port, making the overall attack impact low. A motive and attribution for the attack are unknown at the time of writing. Due to the volume and potential value of goods handled, shipping ports and transport hubs make lucrative targets for attackers wishing to obtain sensitive or financial information, or to cause disruption and subsequent revenue loss.


Cryptocurrency heist hits Japan with USD 60 million theft

On September 14, 2018 6.7 billion Japanese yen (approximately $60 million) was stolen in a cyber attack on the Japanese cryptocurrency exchange Zaif, which is owned by Tech Bureau Corp. The targeted attack occurred over two hours and saw the theft of Bitcoin, Monacoin and Bitcoin Cash currencies. Approximately 67 percent of the stolen funds belonged to customers, and the rest belonged to Zaif. Attribution and technical details of the attack are not known at the time of writing. Cryptocurrency exchanges will continue to be a popular target for cybercriminals and financially motivated state-affiliated threat actors in the mid-term future.


To stay up to date with the latest Digital Shadows threat intelligence and news, subscribe to our threat intelligence emails here.


Cybercriminal Marketplaces: Olympus Has Fallen Fri, 28 Sep 2018 15:00:52 +0000 The Olympus cybercriminal marketplace has been caught up in another PR disaster, with the owners reportedly conducting an exit scam and stealing user funds. Early this month, discussions on the online Dread forum hinted that the highly regarded (emphasis on the past tense) Olympus went offline, though this was unconfirmed. Reasons for its sudden inactivity remained unclear at the time, although Hugbunter – a respected user in the community – suggested that an exit scam had taken place as the site admins were unreachable and order finalization was no longer working. With an exit scam appearing likely, Hugbunter issued warnings to vendors, imploring them to withdraw their money.

One of the site’s moderators, Ori, reached out to Hugbunter two weeks later confirming that the site admins had disappeared; the suspicions became a reality. The Olympus exit scam is a telling illustration that the marketplace model continues to struggle in a post-AlphaBay and Hansa age.

Figure 1: Ori, Olympus moderator, confirms that Olympus has shut down


Olympus’ woes: (dis)trust, poor execution & Dread-ful PR

Olympus was one of the bookmakers’ favorites when it came to dark web markets, with some going so far as to claim it would be the next-generation market to replace AlphaBay and Hansa. So, with the odds in its favour, why did Olympus make an exit? We look at three potential reasons:


  1. (Dis)trust

In a post-AlphaBay and Hansa age, the fall of Olympus has become a symbol of the shifting behaviour of dark web vendors. As we’ve highlighted before, trust is one of many important factors that determine the success of a marketplace. Users don’t naturally trust new markets, often for fear that they’re law enforcement in disguise. A new market like Olympus would not have been immune from such suspicion and scrutiny.

To overcome this obstacle and appear legitimate, Olympus allegedly listed fake sales, inflating its figures to make the market appear bigger than it was, according to Hugbunter.


Figure 2: Hugbunter performs a post-analysis of the exit scam

  2. Poor execution

Olympus went into the market either underprepared or underfinanced, or both. Like any business, you need a wealth of resources to get things off the ground, including start-up capital, e-commerce skills (for user experience) and a marketing budget (you’ve got to get your name out there). You might need multiple employees to handle jobs such as moderation, customer service and site maintenance. These employees need to be paid, and that means more costs. Finally, marketplaces and forums need to protect themselves from attackers, rival sites and law enforcement, so security services such as bullet-proof hosting are also a financial consideration.

Olympus may have underestimated the hidden costs associated with running a dark web market, and failing to accumulate such capital stifled its ability to grow and succeed. We don’t know this for sure, but an exit scam may have been the easy way out of such a scenario.

  3. Dread-ful PR

Customers are your biggest advocates. Olympus was only shooting itself in the foot when it claimed it was in the process of hacking Dread, a reddit-style community with a big cult following, earlier this year. The claim only served to irk Olympus vendors, rallying them behind Dread. Though Olympus admins retracted their claim and added they would hire ‘good PR’, how they handled the situation shaped the way Olympus was perceived, and its reputation never recovered.


What does the future look like?

Vendors may flock to other markets, with Rapture market and Berlusconi offering some appeal to former Olympus advocates.


Figure 3: One user highlights how Olympus vendors may move to other markets


Culture of fear

That said, vendors are vying for a secure, trusted and respectable market to fill the hole left by AlphaBay and Hansa, but the sudden rise and fall of Olympus demonstrates that new markets are very volatile. Vendors may choose to stick with what they know – whether that be an older, established marketplace, or alternative platforms altogether.


Figure 4: Dreddit user suggests all new markets should be distrusted


Distrust is rife within the cybercriminal ecosystem. When Olympus went offline with no direct communication to the vendors, this only heightened tension and suspicion. And although Ori, one of Olympus’ moderators, reached out two weeks later apologising for the situation, the message was long overdue. The silence that followed Olympus’ inactivity would have been enough for users to assume that law enforcement had infiltrated the market. Timing is everything.

Adding to that, vendors are claiming that the Olympus admins have stolen credentials. Whether true or not, such claims can only perpetuate suspicion within the community and vendors will approach new markets with even more apprehension.


Figure 5: Reddit user claiming Olympus credentials were stolen and reused on rival markets


Another nail in the marketplace coffin

Time, money and fear of getting caught are proving to be a high price to pay for vendors whose dark web markets just vanish. Such behaviour will only push vendors towards more secure and reliable methods of communication; our earlier blog highlights that cybercriminals are switching to messaging platforms such as Telegram and Discord.

Olympus’ fall consolidates Digital Shadows’ assessment that the traditional marketplace model is in rapid decline. Whether it recovers remains to be seen.

To stay up to date with the latest Digital Shadows threat intelligence and news, subscribe to our threat intelligence emails here.

Thedarkoverlord Out to KickAss and Cash Out Their Data Thu, 27 Sep 2018 15:19:32 +0000 A user claiming to be the notorious darkoverlord extortionist threat actor has appeared on a dark web cybercriminal forum offering breached datasets for sale. In this blog, Digital Shadows analyzes whether this is a case of a copy-cat actor hoping to profit from thedarkoverlord name, or whether this marks a genuine return for the group that has been the scourge of healthcare and pharmaceutical companies since 2016.


What happened?

In September 2018 Digital Shadows observed a user on ‘KickAss’, a closed (vouch- or fee-based) dark web cybercriminal forum, referring to themselves as ‘thedarkoverlord’. This user announced that they had joined the forum to sell large datasets from previous attacks and breaches. Around the same time the user opened a thread in the marketplace section of the forum advertising nearly 200,000 records, including personally identifiable information (PII) and protected health information (PHI) from six medical entities and one dental practice. The bulk of the information – 131,000 records – came from an undisclosed gaming company.


Figure 1: Introductory post by ‘thedarkoverlord’ on KickAss marketplace


Figure 2: Marketplace listing for US dentistry


The user did not disclose prices, stating that these were negotiable; however, the option was given for individuals to buy the datasets exclusively at a higher price.


Who is thedarkoverlord?

thedarkoverlord is an English-speaking threat group that has been active since June 2016. During that time, it has targeted large data sets, typically from healthcare and pharmaceutical companies, and used the pressure of social media and exposing the data on open sources to extort money from companies and individuals. thedarkoverlord has also been responsible for a number of high-profile attacks against media companies, including against Netflix in June 2017, which led to the release of unaired episodes of ‘Orange is the New Black’.

thedarkoverlord began by selling data sets on the criminal forum The Real Deal in June 2016. The group advertised a number of healthcare datasets valued between $16,000 and $490,000. Following several instances of The Real Deal being taken offline, either from denial of service attacks or law enforcement action, the group appears to have migrated to Twitter, where it used its first Twitter account (@tdohack3rs) to extort companies into paying by threatening to release their data. This period, between September 2016 and September 2017, saw the group perform several well-publicized attacks and build up its reputation as a legitimate threat actor.


Figure 3: A timeline of mentions and activities of thedarkoverlord between September 2016 and September 2018.


This Twitter account was taken down by Twitter in September 2017. Following this, the current account (@tdo_hackers) was set up. However, a change in tactics, techniques and procedures (TTPs) led to a reassessment of the group’s capability, and questions around the legitimacy of the account itself. The group no longer tweeted links to leaked data, or tweeted links that quickly became inactive or were taken down, and started compounding extortion threats with physical threats to schools and the education sector to encourage payment. The new Twitter account also had only 245 followers, as opposed to over 9,000 followers on the previous account. It’s plausible that the new account was run by a member of the group striking out on their own, or by an unconnected threat actor seeking to capitalize on the reputation of the group.


So what?

thedarkoverlord has not been active on dark web markets since the group’s presence on The Real Deal in 2016, indicating that perhaps this was an unconnected threat actor seeking to capitalize on their name; however, on 18 September, shortly before the initial advert went up on KickAss, the Twitter account currently associated to thedarkoverlord (@tdo_hackers) tweeted the word ‘KickAss’ (see Figure 4). This tweet was left up for several hours and then taken down.


Figure 4: A tweet from “tdo_hackers” from 18th September 2018. The post has since been removed.


The association of the KickAss account with the tweet on the group’s current Twitter feed indicates that the three entities (the first and second Twitter accounts, and the KickAss account) are linked. Although unconfirmed, activity on the KickAss forum very likely represents a return to form for the group. Its current offerings appear to be data sets from historic breaches, likely attacks between September 2016 and September 2017. If the group get more attention in the KickAss forum than with its current Twitter account, we anticipate that it will sell data breaches online rather than attempting to extort companies first.

Closed forums are, of course, more challenging for organizations to monitor; you need to either be vouched for or pay a fee to enter. However, exclusively focusing on the darkoverlord’s Twitter account as a source of intelligence will miss significant activity. A blend of open and closed source collection is required to get the full intelligence story. Furthermore, if this proves to be a profitable move for the group, we would anticipate more high-profile attacks, similar to those seen in the first phase of activity against healthcare and pharmaceutical companies.

To stay up to date with the latest digital risk and threat intelligence news, subscribe to our threat intelligence emails here.

10 Things You Didn’t Know You Could Do with Shadow Search™ Tue, 25 Sep 2018 21:43:10 +0000 You may have seen that we’ve recently released Shadow Search, a new tool that gives you immediate access to both raw and curated intelligence from the open, deep and dark web. Whether you’re involved in a security operations, threat intelligence, or fraud role, the ability to search across criminal forums, dark web marketplaces, or criminal telegram channels without worrying about your own operational security is pretty powerful. Now imagine combining this with finished intelligence reporting, bulk WHOIS information, vulnerability databases and indicator feeds. That’s exactly what Shadow Search does.

However, there’s a lot more to Shadow Search than simply the access to a vast range of sources. Here are my top ten tips for getting the most out of Shadow Search.

  1. Filter your searches. Make the most of the vast coverage of different sources by refining your searches. You can filter by source type and date range, and then use Boolean operators to combine these with keywords or phrases. When setting up searches, try entering “type=” to filter by these different source types (see below). The returned search results can then be filtered by time, relevancy, or source type.

Shadow Search 1

  2. Set up alerts to save you time. You don’t want to be repeating the searches you care about every day. If there’s something you want to continuously monitor for, you can save the search and set up alerts that will be delivered to your email inbox. Think of it as Google Alerts but with sources more relevant to your day job. You can then choose the frequency of the alert mentions (Immediate, Daily, Weekly or Monthly). If you don’t want to receive email alerts but still want to keep up-to-date, you can also opt to re-open tabs the next time you run a search. For example, you might want to set up alerts for any activity of a certain username that you have previously observed selling access to corporate databases within your industry.

Shadow Search 2

  3. Extract and export observables. Configuration files for banking trojans such as Trickbot are often posted on paste sites. Not only will Shadow Search enable you to detect these, but it also parses IP addresses, domains, and other observables. This gives you the ability to export this information in CSV format. (It’s worth noting at this point that all Shadow Search information is also available through our API).

Shadow Search 3

  4. Enrich searches with our “Highlight and Pivot” feature. When you’re in the middle of investigating something, it’s likely that you’ll spot an identifier you’ll need further context around. You can highlight and pivot on any search term within our portal, enabling you to enrich your search with sources like Webroot, AlienVault, PhishTank and Cylance Infinity. For example, you may have identified an IP from a suspicious domain and want to know what external sources have mentioned this IP address.

Shadow Search 4

  5. Toggle between results, summary, and timeline views. I like my information to be presented in different formats, as pages of mentions aren’t always useful for distilling information and trends. You can toggle between views to see summary pages and timeline views. This is great for including in reports you may be working on. You can see the summary and timelines for “thedarkoverlord” below.

Shadow Search 5

Shadow Search 5.1

  6. Identify exposed credentials. Consider entering your company’s email domain, and setting up alerts for any time credentials are exposed online. While you’ll need the full SearchLight™ subscription to detect credentials exposed on closed sources, this is a great starting point to give you visibility into exposure on criminal forums, dark web pages, or paste sites.

Shadow Search 6

  7. Use insight from the deep and dark web to prioritize vulnerabilities in your third-party software. You can search for mentions of CVEs to develop an understanding of where cybercriminals are developing or sharing exploits online. As Shadow Search allows you to granularly filter by source type, you can get back high-fidelity results. You can monitor sites like 0day to identify exploits against software your business uses. For example, here I’ve specified 0day’s onion address with AND any mentions of SAP.

Shadow Search 7

  8. Stay on top of breaking news by monitoring your favorite news and blog sites. We all like to focus on criminal forums and dark web pages, but often news sources can be just as valuable. Search for topics that interest you, and get alerted on a cadence that suits you. For example, I might want to know about any revelations that relate to “ransomware” on bleepingcomputer[.]com, or anything from

Shadow Search 8

  9. Expand screenshots to save you time. Our spiders take screenshots of the pages they index, which means you don’t need to waste time booting up your virtual machine to access the page itself. Click on the magnifying glass to view the full screenshot.

Shadow Search 9

  10. Quick access to recent and saved searches. If you forget to save a particular search term, don’t worry. Simply clicking in the search tab allows you to view your recent and saved searches. This is particularly useful if you have used the “highlight and pivot” function and wish to recall the suspicious IP addresses you searched for.

Shadow Search 10
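Tip 3 above relies on pulling indicators out of pasted text, which usually arrives defanged (`hxxp://`, `[.]`) and full of noise. As an added illustration of what that parsing involves, and not code from Shadow Search or its API, here is a small Python extractor that refangs the text, pulls URLs, emails, IPv4 addresses and domains, validates the IPs, filters domains against an illustrative TLD allowlist (an assumption; a real tool would use the public suffix list) and exports the result as CSV. The sample paste is constructed and does not come from a real Trickbot configuration.

```python
import csv
import io
import re
from ipaddress import ip_address

# Illustrative TLD allowlist (assumption) so file names such as "gate.php" are not
# mistaken for domains; a real extractor would use the public suffix list.
KNOWN_TLDS = {"com", "net", "org", "info", "biz", "io", "ru", "su", "top", "xyz", "cc"}
# Common defanging conventions seen in pastes and threat reports.
DEFANG_PAIRS = [("hxxps://", "https://"), ("hxxp://", "http://"),
                ("[.]", "."), ("(.)", "."), ("[:]", ":")]

URL_RE = re.compile(r"\bhttps?://[^\s<>\"']+", re.I)
EMAIL_RE = re.compile(r"\b[\w.+-]+@(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)


def refang(text):
    """Undo defanging so the indicators parse as their real form."""
    for defanged, plain in DEFANG_PAIRS:
        text = text.replace(defanged, plain)
    return text


def extract_observables(text):
    """Return [{'type', 'value', 'count'}] for URLs, emails, IPv4s and domains in text."""
    text = refang(text)
    counts = {}

    def add(kind, value):
        counts[(kind, value)] = counts.get((kind, value), 0) + 1

    for url in URL_RE.findall(text):
        add("url", url)
    for email in EMAIL_RE.findall(text):
        add("email", email.lower())
    for ip in IPV4_RE.findall(text):
        try:
            ip_address(ip)          # rejects octets above 255, e.g. 999.1.1.1
        except ValueError:
            continue
        add("ipv4", ip)
    # Strip emails first so their host part is not double-counted as a domain.
    for dom in DOMAIN_RE.findall(EMAIL_RE.sub(" ", text)):
        if dom.rsplit(".", 1)[1].lower() in KNOWN_TLDS:
            add("domain", dom.lower())
    return [{"type": k, "value": v, "count": c} for (k, v), c in sorted(counts.items())]


def to_csv(rows):
    """Serialise the observable rows as CSV text (type,value,count)."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["type", "value", "count"])
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


# Constructed sample paste (not a real malware configuration).
SAMPLE_PASTE = """\
<srv>203.0.113.10:443</srv>
<srv>198.51.100[.]7:449</srv>
<dinj>hxxps://bad-example[.]com/gate.php</dinj>
support: admin@example.org
<srv>203.0.113.10:443</srv>
seed 999.1.1.1 version 1000
"""

if __name__ == "__main__":
    print(to_csv(extract_observables(SAMPLE_PASTE)))
```

The count column is worth keeping on export: an address that appears repeatedly across a configuration is usually the primary C2, and that is the one to block or hunt for first.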

We also have a new demo video here:


I hope you find these tips to be useful, but let us know if you have any more questions. Email us at or try Shadow Search for yourself on Test Drive.

To stay up to date with the latest Digital Shadows threat intelligence and news, subscribe to our threat intelligence emails here.

ShadowTalk Update – 09.24.2018 Mon, 24 Sep 2018 15:44:39 +0000 In ShadowTalk this week, Richard Gold, Simon Hall and Rafael Amado focus on the trade-offs between security and usability, as well as the practice of security layering that can often make us more insecure. The team look over security measures such as regular complex password expiry policies that create headaches for organizations and end users. They also discuss why it’s not easy to make security usable, whether we are damaging security with some of the measures and devices we implement in the name of security, and what alternative, more effective system defences can bridge the gap between security and usability.


Ransomware in the limelight

Ransomware has taken center stage in the arena of cyber threats, with five campaigns active in the past week and notorious, large-scale cyber campaigns throughout 2016 and 2017. Ransomware remains one of the most popular tools on criminal forums, and new variants emerge frequently. This has created a diverse palette of ransomware strains used by a variety of threat actors. Tactics, techniques and procedures (TTPs) of these campaigns are generally similar, but as awareness continues to spread and defense mechanisms become more robust, ransomware developers are likely to seek novel capabilities, focusing on evasion and anti-analysis.


APT10 hits Japanese media sector with backdoor

In July 2018 the Chinese nation-state group APT10 was observed targeting the Japanese media sector. The campaign used spearphishing emails to install the “UPPERCUT” backdoor. Given previous APT10 campaigns, the motive was likely espionage and data exfiltration. The campaign used a new version of UPPERCUT that changed how it applies Blowfish encryption to its command-and-control traffic, making the group’s presence on the network harder to detect and indicating that APT10 is actively maintaining and updating its malware.


New multi-function malware targets Linux and Windows devices

Cyber-security researchers discovered the new malware variant Xbash, which has botnet, cryptocurrency-mining and data-wiping capabilities and which targets Linux and Windows devices. Analyzed variants of Xbash indicated it remains in development, and they included an inactive component that enabled self-propagation using worm-like capabilities. Xbash has been attributed to the “Iron” threat group, which has previously conducted ransomware attacks. The malware’s development could indicate that Iron is expanding or strengthening its capabilities.


Stolen research from British universities for sale on criminal forums

On Farsi-language criminal marketplaces, cyber-security researchers detected research content from British universities being advertised for sale. The content likely comes from a previous breach by Cobalt Dickens, an Iranian nation-state-associated group that has been attributed with attacks targeting the education sector globally. The sellers indicated that they could facilitate specific requests, suggesting that they continue to have access to university networks, or that they are confident they could conduct future attacks. More attacks against the education sector are likely in the long-term future (beyond one year).


To stay up to date with the latest Digital Shadows threat intelligence and news, subscribe to our threat intelligence emails here.

The 2017 FSB indictment and Mitre ATT&CK™ Thu, 20 Sep 2018 14:18:03 +0000 On February 28th, 2017 the US Department of Justice indicted a notorious hacker, Alexsey Belan, and his FSB (Russia’s internal security service) handlers for a massive hacking spree that compromised Yahoo and used that access to attack many additional targets. In response to the indictment, Chris McNab wrote an essential guide to the tactics, techniques and procedures (TTPs) used by Alexsey Belan that he and his colleagues observed in their incident response work.

As with our previous work on the GRU, FIN7, and North Korean indictments, we’ve used the Mitre ATT&CK™ framework to play back the findings from the indictment. In future blogs in this series, we’ll continue to use ATT&CK to map some of the biggest cyber indictments to come out in the last few years. We’ll also end with a review of the most common TTPs used by these attackers and top mitigation tips for defending against them. One key difference is that this blog details more attacker activity in production service environments rather than attacks against user endpoints in corporate environments.

Threat Model

The indictment names Yahoo as the chief target for Alexsey and his FSB handlers (we use “Alexsey” and “attackers” interchangeably throughout this blog post). As one of the world’s most popular email services, Yahoo held the email accounts for several FSB targets, namely, “email accounts of Russian journalists; Russian and U.S. government officials; employees of a prominent Russian cybersecurity company; and numerous employees of U.S., Russian, and other foreign webmail and internet-related service providers whose networks the conspirators sought to further exploit”. As well as this, “the conspirators sought access to accounts of employees of commercial entities, including executives and other managers of a prominent Russian investment banking firm; a French transportation company; U.S. financial services and private equity firms; a Swiss bitcoin wallet and banking firm; and a U.S. airline”. Yahoo was targeted due to the data that they held, rather than being the end goal for the attackers. Organizations should consider how their data or access could be used by attackers against other targets.

Note: the numbered “Stages” below reflect the ATT&CK framework ordering



Stage 0 – PRE-ATT&CK

Technical Information Gathering

  • Acquire OSINT data sets and information

Technical Weakness Identification

  • Analyze application security posture; Analyze data collected; Identify vulnerabilities in third-party software libraries; Research relevant vulnerabilities/CVEs

Alexsey used Google searches to identify web servers associated with target companies. Once he discovered some web servers, he would profile them to look for weaknesses. Additionally, he used LinkedIn to research employees working for target companies and discovered personal websites run by those employees that he then exploited to gain initial access.

People Information Gathering

  • Analyze social and business relationships, interests, and affiliations

While not directly related to the breach of Yahoo, the attackers used their access to Yahoo to develop their targeting options. The indictment states: “The conspirators frequently sought unauthorized access to the email accounts of close associates of their intended victims, including spouses and children, to gain additional information about and belonging to their intended victims”.

DS Mitigation advice: Awareness of an organization’s security posture at the perimeter and beyond is critical for understanding where attackers might begin targeting an organization. Employees need to be informed that their personal assets such as email accounts or Internet-connected devices may well be targets for attackers looking to then pivot up into corporate or other environments.

Stage 1 – Initial Access

ATT&CK TTP: Exploit Public-Facing Application (T1190)

Chris McNab observed that Alexsey used a known bug in a WordPress component, specifically CVE-2011-4106, for which a public exploit was available, to gain access to a server in the marketing department of a company he targeted. Most likely this server was not considered a high-value asset, but it was a crucial foothold for the attack. In the case of the employee’s personal website, Alexsey exploited a flaw in a custom file-upload feature (likely abused via Local File Inclusion or Remote File Inclusion) to gain access to the environment.

DS Mitigation advice: Publicly available exploits represent a very high risk to an organization running vulnerable, Internet-facing software, because the capability is now available to any interested attacker. Patches for vulnerabilities with public exploits should be prioritized. Where patching is not feasible, compensating controls such as access control lists or firewalling should be applied to mitigate the risk. Employees’ personal systems should not contain any corporate credentials.

ATT&CK TTP: Spearphishing attachment (T1193), Spearphishing Link (T1192)

The indictment states that: “Spear phishing messages typically were designed to resemble emails from trustworthy senders, and to encourage the recipient to open attached files or click on hyperlinks in the messages”. This is a common technique for attackers. By assuming the identity of a trusted source, they can take advantage of pre-existing trust relationships. This adds legitimacy to their malicious emails and significantly increases their chances of successfully phishing their victim. Alongside spearphishing with attachments, the attackers also sent “Other spear phishing emails[that] lured the recipient into providing valid login credentials to his or her account(s), thereby allowing the defendants to bypass normal authentication procedures”.

DS Mitigation advice: Use of an email filtering system or service can help to identify some spearphishing threats, particularly around malicious attachments. Office 365 users should consider Microsoft’s Advanced Threat Protection (ATP), a cloud-based email filtering service. Employees need to be made aware that even emails from trusted sources should be treated as untrusted, and that caution is needed when opening attachments. Additional controls can be used to transform risky attachments into safer file formats. Blacklists for web traffic can be used to detect and block known malicious URLs if they happen to be opened.

Stage 3 – Persistence

ATT&CK TTP: Web Shell (T1100)

An innovative TTP used by the attackers was to compromise Internet-facing source control systems using recovered credentials and then commit a JSP (JavaServer Pages) web shell to the production code base, giving the attackers control of the web server once it was deployed. Due to how the code deployment process was constructed, the attackers were able to self-approve the commit, so the web shell was deployed into production through the normal pipeline. Chris McNab details this process in the “Lack of 2FA + The Cloud =” section of the Medium article.

DS mitigation advice: An effective code review process is essential for security as well as general code quality. Requiring a “four-eyes” process where multiple code reviewers are mandated can mitigate the risk associated with developers wittingly or unwittingly self-approving code changes. Code reviewers need to look for security issues as well as concerns relating to performance, stability, correctness, etc.
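To make the four-eyes rule concrete, here is an added Python example (not code from Digital Shadows, Yahoo or the Medium article) of a pre-merge gate that refuses a change unless at least one approver other than the author signed off, and that additionally flags JSP files which spawn an OS process from request-controlled input, the shape a minimal JSP web shell takes. The `Commit` structure, the pattern list and the two sample JSP files are all constructed for the example.

```python
import re
from dataclasses import dataclass


@dataclass
class Commit:
    author: str
    approvers: set      # user names who approved the change
    files: dict         # path -> file content after the change


# Process-spawning sinks and request-controlled sources typical of a JSP web shell.
SPAWN_SINK = re.compile(r"Runtime\.getRuntime\(\)\s*\.exec\s*\(|new\s+ProcessBuilder\s*\(")
REQUEST_SOURCE = re.compile(r"request\.get(?:Parameter|Header|InputStream|Reader)\s*\(")


def webshell_findings(path, content):
    """Return human-readable findings for one file; empty list if nothing suspicious."""
    if not path.lower().endswith((".jsp", ".jspx")):
        return []
    findings = []
    if SPAWN_SINK.search(content):
        findings.append(f"{path}: page spawns an OS process")
        if REQUEST_SOURCE.search(content):
            findings.append(f"{path}: process input is taken from the HTTP request")
    return findings


def review_gate(commit, min_independent_reviewers=1):
    """Four-eyes gate: the author never counts as a reviewer, and flagged files block the merge."""
    reasons = []
    independent = set(commit.approvers) - {commit.author}
    if len(independent) < min_independent_reviewers:
        reasons.append(
            f"{len(independent)} independent approval(s); {min_independent_reviewers} required, "
            f"author {commit.author!r} cannot self-approve")
    for path, content in commit.files.items():
        reasons.extend(webshell_findings(path, content))
    return len(reasons) == 0, reasons


# Constructed sample inputs (not taken from the indictment or the Medium write-up).
WEBSHELL_JSP = """<%@ page import="java.io.*" %>
<%
  String cmd = request.getParameter("cmd");
  Process p = Runtime.getRuntime().exec(cmd);
  BufferedReader r = new BufferedReader(new InputStreamReader(p.getInputStream()));
  String line; while ((line = r.readLine()) != null) { out.println(line); }
%>"""

BENIGN_JSP = """<%@ page contentType="text/html" %>
<html><body>Hello, <%= request.getParameter("name") %></body></html>"""

SELF_APPROVED_SHELL = Commit(author="dev1", approvers={"dev1"},
                             files={"web/health.jsp": WEBSHELL_JSP})
REVIEWED_BENIGN = Commit(author="dev1", approvers={"dev2"},
                         files={"web/hello.jsp": BENIGN_JSP})

if __name__ == "__main__":
    for commit in (SELF_APPROVED_SHELL, REVIEWED_BENIGN):
        ok, why = review_gate(commit)
        print("MERGE" if ok else "BLOCK", why)
```

The pattern check is deliberately narrow: it catches the obvious `request -> exec` shell, not an obfuscated one, which is exactly why the independent-reviewer rule is the control that matters and the scanner is only a backstop.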

Stage 4 – Privilege Escalation

ATT&CK TTP: Exploitation for Privilege Escalation (T1068)

Once Alexsey gained unprivileged access to a Linux environment, he would use a publicly available local privilege escalation exploit (CVE-2010-3856, a flaw in the glibc dynamic loader’s handling of LD_AUDIT) to gain privileged, that is, root user, access. This process is described in the “Use of LinkedIn to Target Peripheral Systems” section of the Medium article.

DS Mitigation Advice: As with gaining initial access, publicly available exploits are one of the highest risks for organizations. A patch to the kernel, or to a core library such as glibc that every process loads, only takes effect once the machine is rebooted (or, for a library, every process using it is restarted); a host that has been patched but not rebooted is still exploitable. The use of a patch management solution can help to keep an environment patched to an appropriate level and to track which hosts still need a reboot.

Stage 5 – Defense Evasion

ATT&CK TTPs: Clear Command History (T1146)

The indictment states: “BELAN downloaded to Yahoo’s network from the BELAN Computer a program known as a ‘log cleaner.’ This program sought to remove traces of the intrusion from Yahoo’s records (logs) of network activity, to make the conspirators more difficult to track”.

DS Mitigation advice: Log clearing should itself be logged wherever possible; on Windows, clearing the Security event log generates Event ID 1102, which should be forwarded and alerted on. Centralized logging, where logs such as syslog are automatically forwarded to a central location as they are written, means that an attacker who alters or deletes the logs on a compromised host does not remove the copy the defenders work from.
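As an added example of the detection side of that advice (my own code, not a Digital Shadows tool), the Python below scans a mixed stream of forwarded events: Windows events rendered as JSON lines (Event ID 1102 in the Security channel for a cleared Security log, Event ID 104 in the System channel for other cleared logs) and Linux auditd EXECVE records, flagging destructive tools run against log paths. The field names and sample lines are constructed for the example; a real pipeline would parse whatever shape its forwarder emits.

```python
import json
import re

# Windows events that record an event log being cleared: (channel, event id) -> description.
WINDOWS_CLEAR_EVENTS = {
    ("Security", 1102): "Security log cleared",
    ("System", 104): "event log cleared (Microsoft-Windows-Eventlog)",
}
# Tools that destroy or rewrite files, and paths whose loss would hide an intrusion.
DESTRUCTIVE_TOOLS = {"rm", "shred", "truncate", "unlink", "dd", "sed"}
PROTECTED_PATHS = ("/var/log/", "/var/run/utmp", ".bash_history")
AUDIT_ARG = re.compile(r'\ba(\d+)="([^"]*)"')


def parse_auditd_execve(line):
    """Rebuild argv from an auditd EXECVE record (a0="..", a1=".."), or None for other records."""
    if "type=EXECVE" not in line:
        return None
    args = sorted((int(i), v) for i, v in AUDIT_ARG.findall(line))
    return [v for _, v in args]


def log_wipe_reason(argv):
    """Describe why argv looks like log destruction, or return None if it does not."""
    if not argv:
        return None
    tool = argv[0].rsplit("/", 1)[-1]          # /usr/bin/shred -> shred
    if tool not in DESTRUCTIVE_TOOLS:
        return None
    touched = [a for a in argv[1:] if any(p in a for p in PROTECTED_PATHS)]
    if not touched:
        return None
    return f"{tool} run against {', '.join(touched)}"


def detect_log_tampering(lines):
    """Scan mixed Windows (JSON) and auditd (key=value) lines; return alert strings in order."""
    alerts = []
    for line in lines:
        line = line.strip()
        if line.startswith("{"):
            ev = json.loads(line)
            desc = WINDOWS_CLEAR_EVENTS.get((ev.get("Channel"), ev.get("EventID")))
            if desc:
                alerts.append(f"{ev.get('Computer')}: {desc} by {ev.get('SubjectUserName', '?')}")
        else:
            reason = log_wipe_reason(parse_auditd_execve(line))
            if reason:
                alerts.append(f"auditd: {reason}")
    return alerts


# Constructed sample lines (not real telemetry).
SAMPLE_LINES = [
    '{"Channel":"Security","EventID":4624,"Computer":"WEB01","SubjectUserName":"svc-web"}',
    '{"Channel":"Security","EventID":1102,"Computer":"WEB01","SubjectUserName":"svc-web"}',
    'type=EXECVE msg=audit(1505911111.123:4521): argc=2 a0="ls" a1="/var/log/"',
    'type=EXECVE msg=audit(1505911112.200:4522): argc=3 a0="/usr/bin/shred" a1="-u" a2="/var/log/wtmp"',
    'type=EXECVE msg=audit(1505911113.001:4523): argc=3 a0="dd" a1="if=/dev/null" a2="of=/var/log/auth.log"',
]

if __name__ == "__main__":
    for alert in detect_log_tampering(SAMPLE_LINES):
        print(alert)
```

The detection only works if these records have already left the host: run it on the central collector, and treat a host whose forwarding goes quiet as a finding in its own right.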

Stage 6 – Credential Access

ATT&CK TTPs: Exploitation for Credential Access (T1212), Hooking (T1179), Credentials in Files (T1081), Private Keys (T1145)

Once Alexsey had elevated his privileges to be root on a Linux system, he would grab the password hashes from the /etc/shadow file, which is where Linux stores the hashes for its user accounts. Alexsey would also backdoor the authentication system, most likely to log cleartext credentials for when users logged into the system.

Alexsey also used non-technical means to uncover credentials for a particular environment. Specifically, he accessed internal resources like wikis, ticketing, bug tracking, and version control systems in order to steal credentials for VPNs and cryptographic material that was used for further exploitation. The Medium article section “Technical Details” describes this attack.

An effective technique used by the attackers to gain access to inboxes of targets was to use cookie “minting”, specifically, “the conspirators engaged in the manual creation of account authentication “cookies” known as “minting,” to gain unauthorized access to victim webmail accounts”. Effectively the attackers were creating fraudulent session cookies and using them to gain access to the target inboxes. As session cookies are typically created after the authentication process had succeeded, this approach had the benefit of bypassing any two factor authentication (2FA) used by the targets. This cookie minting approach was a significant component of the attackers’ post-exploitation activities and one of the main ways that they made use of their access to the Yahoo environment.

The attackers also discovered that the same cookies created in the staging environment were also valid in the production environment. This reflects a standard attacker approach of looking for the less well-protected systems that are easier to compromise instead of starting with the most hardened and protected systems.

DS Mitigation advice: Storing directly reusable credentials in wikis and other information systems is not advised. Usage of a password manager for secure password storage and sharing is recommended. Logging user logins to accounts on customer-facing services is essential for detecting anomalous behavior. Corporate VPNs should use strong 2FA solutions such as TOTP or U2F for the second factor rather than relying on information which can be stolen from inside of the corporate environment. Cryptographic material needs to be separated between production and staging environments.
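The staging-to-production cookie problem comes down to which key a session cookie is verified against. The following is an added example (not code from the original post or from Yahoo's systems) of an HMAC-signed session cookie with a verifier that checks the signature under the current environment's key and, optionally, an environment claim embedded in the cookie. The keys and user names are constructed placeholders; the cookie format is an assumption chosen for illustration.

```python
import base64
import hashlib
import hmac
import json


def issue_session_cookie(payload: dict, key: bytes, env: str, now: float, ttl: int = 3600) -> str:
    """Issue a signed session cookie the way a web tier would after a successful login.

    The environment name is embedded in the claims so a verifier can bind the session
    to the environment that issued it, independently of which key signed it.
    """
    claims = dict(payload, env=env, exp=now + ttl)
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode().rstrip("=")
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def verify_cookie(cookie: str, key: bytes, now: float, expected_env: str = None):
    """Return the claims if the tag verifies under *this* key and the session is unexpired, else None.

    When expected_env is given, the env claim must match too (defence in depth on top of
    per-environment keys).
    """
    if "." not in cookie:
        return None
    body, tag = cookie.rsplit(".", 1)
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):  # constant-time tag comparison
        return None
    try:
        claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    except ValueError:  # bad base64 or bad JSON
        return None
    if claims.get("exp", 0) < now:
        return None
    if expected_env is not None and claims.get("env") != expected_env:
        return None
    return claims


# Constructed keys for illustration only; a real deployment loads each environment's
# secret from that environment's own secret store.
STAGING_KEY = b"staging-only-secret-0001"
PRODUCTION_KEY = b"production-only-secret-0002"


def staging_cookie_accepted_in_production(production_key: bytes, check_env: bool = False) -> bool:
    """Does a session issued by staging pass production's verifier?

    True is the failure mode described above (shared key, no environment binding);
    a correctly separated deployment returns False.
    """
    now = 1_535_760_000.0  # fixed clock so the check is deterministic
    cookie = issue_session_cookie({"user": "alice@example.com"}, STAGING_KEY, "staging", now)
    claims = verify_cookie(cookie, production_key, now, expected_env="production" if check_env else None)
    return claims is not None


if __name__ == "__main__":
    print("shared key, no env check  ->", staging_cookie_accepted_in_production(STAGING_KEY))      # True (weak)
    print("separate keys             ->", staging_cookie_accepted_in_production(PRODUCTION_KEY))   # False
    print("shared key, env check     ->", staging_cookie_accepted_in_production(STAGING_KEY, True))  # False
```

The first call models the deployment the indictment describes: production verifies with the same key as staging, so a cookie created in the less protected environment is accepted. Separating the keys fixes it; binding an environment claim into the cookie is a second, independent check that still holds if a key is ever copied between environments.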

Stage 7 – Discovery

ATT&CK TTP: Network Service Scanning (T1046), Remote System Discovery (T1018)

Once Alexsey gained access to an environment he used the well-known and powerful nmap tool to enumerate the machines on the internal network. This is a standard technique to discover internal resources and this was part of the approach that Alexsey used to find the corporate wiki and other systems. The Medium article describes this process in the “Technical Details” section.

DS Mitigation advice: Network segmentation can be used to limit which systems an attacker can interrogate after a successful compromise. This can be achieved with host and network firewalls and/or VLANs (Virtual Local Area Networks). While internal IDS (Intrusion Detection System) systems can detect nmap and other scans, there are standard evasion techniques used by attackers – for example, slowing the scan down to the extent that it becomes difficult to differentiate from legitimate traffic.

Stage 9 – Collection

ATT&CK TTP: Data from Local System, Data from Network Shared Drive, Data Staged, Data from Information Repositories

According to the indictment, the attackers stole a copy of the Yahoo User Database (UDB): “The UDB was, and contained, proprietary and confidential Yahoo technology and information, including, among other data, subscriber information, such as: account users’ names; recovery email accounts and phone numbers, which users provide to webmail providers, such as Yahoo, as alternative means of communication with the provider; password challenge questions and answers; and certain cryptographic security information associated with the account”. This UDB was then used to:

  • target users on other web platforms by stealing passwords and analyzing the security questions
  • steal financial information by searching for CVV codes
  • steal gift card information

DS mitigation advice: Monitoring account activity, including admin accounts, is important for uncovering anomalous and/or malicious behavior.


Alexsey and his FSB handlers represent a class of motivated and capable attackers. They were comfortable using existing attack tools but were also capable of discovering their own flaws where required. They were also skilled enough to identify that cookies minted in the staging environment worked in production and how this could be taken advantage of. The attackers showed tactical flexibility and intent, which was a dangerous combination.


To stay up to date with the latest digital risk and threat intelligence news, subscribe to our threat intelligence emails here.

Non-traditional State Actors: New Kids on the Block Tue, 18 Sep 2018 15:08:29 +0000 Cyber threat reporting sits at a dichotomy. On the one hand, much furor is made of the role of non-state actors – the way in which criminal groups, proxies, hacktivists and even individuals can have an outsized impact in the threat that they pose. On the other hand, discussion of state campaigns is largely restricted to a handful of prevalent (and typically advanced) actors, with reporting focused on the usual suspects of Russia, China, Iran and North Korea. Yet, for an industry that has brought attention to both advanced state campaigns and script kiddies, the space in between remains chronically under-analyzed. This blog post seeks to redress this imbalance by exploring the emerging role of non-traditional state actors.


New kids on the block

Our understanding of state actors is set to broaden given the emerging role of other state-affiliated actors and campaigns that have operated in the shadows for too long. Vietnam-based APT 32 (also known as Ocean Lotus) provides one example of an actor that possesses an impressive capability and a willingness to target a range of entities in a manner that reflects Vietnamese state interests, but has operated largely under the radar (although firm attribution to the Vietnamese Government has yet to be established).

Similar stories will continue to arise as other ‘new kids on the block’ emerge in the coming years. Yet, merely acknowledging the rise of new state actors only takes us so far; the strategic implications that arise from such a shift, however, are an altogether more interesting question. Crucially, the rise of other state actors poses significant challenges both for the cyber threat landscape and the role of threat intelligence analysts.

At the most obvious level, the emergence of non-traditional state campaigns will create an increasingly complex threat environment. This relates not only to the number of active threat actors, but also the breadth of aims and intentions pursued through cyber campaigns. We might have assumed that a threat actor using ransomware and other financially-motivated campaigns was a criminal group only a few years ago – then North Korea emerged as a state actor turning to cyber campaigns as a means of generating funds.

Threat intelligence analysts will need to remain open-minded going forward. As more states come to the fore, they will likely use cyber campaigns to achieve a variety of ends (not all of which may be immediately obvious right now). Conversely, other emerging states might seek to directly emulate current threat actors. Similarly, destitute governments might look to North Korean cyber campaigns as a paragon for efficient government revenue raising.  If a variety of states pursue similar strategies, confirmation bias will increasingly risk leading analysts down blind alleys – reinforcing the need for teams to approach intelligence questions with structured techniques and an awareness of the psychological bear traps that exist in intelligence analysis.

Figure 1: Richards J. Heuer’s Psychology of Intelligence Analysis warns of the conscious and unconscious biases that can limit good intelligence analysis


Chaos and the new cyber threat landscape

The strategic immaturity of emerging state actors also represents a serious concern. Many of the current established players have invested a lot of time thinking about questions of deterrence, norm-building, and other strategic questions, yet these issues have proved consistently awkward to resolve. Capability management provides a good example of such a challenge in practice. Despite its sophistication, the US National Security Agency (NSA) has struggled to keep its operations and capability covert (think Edward Snowden, Reality Winner and Harold Martin).

Recent exposures have gone beyond a PR headache to creating materially destructive outcomes. After all, it was the NSA toolkit that was weaponized by North Korea in the WannaCry ransomware outbreak that went on to hamper hundreds of thousands of systems worldwide, including the British National Healthcare Service. If issues such as capability management have proved a real challenge for even the most sophisticated state actors, they are certain to apply to strategically immature state groups – thereby injecting more chaos into the cyber threat landscape. Cyber threats will therefore become increasingly unpredictable as more states enter the fray.


Local, regional and global implications

Current reporting has focused largely on how non-Western states are targeting Western entities. Yet, many emerging states’ ambitions will not reach so far afield. An increasing number of cyber campaigns are likely to instead reflect local geopolitical disputes. For emerging states in regions like the Middle East or the South China Sea, cyber campaigns will often be pointed towards their neighbors. This should not belie their significance, however: with many organizations operating in global environments, regional conflicts will be just as important as their intercontinental counterparts.


What this means for the threat intelligence community

The emergence of non-traditional states will therefore put new burdens on threat intelligence vendors and analysts. This shift will demand adaptation – a need to understand more cultures, languages and local political situations. A more diverse threat landscape should be reflected in the makeup of analyst teams, with a variety of perspectives increasingly important. Other communities will also represent an increasingly important resource – whether this be area studies academic centers that work with analysts to understand new contexts, or institutions including The Citizen Lab that explore state campaigns targeting the most vulnerable portions of civil society. In adapting to the arrival of the new kids on the block, the cyber security community will need to respond with what it has always needed in the face of a new challenge: a desire to learn and a strong dose of humility.


To stay up to date with the latest Digital Shadows threat intelligence and news, subscribe to our threat intelligence emails here.

ShadowTalk Update – 09.17.2018 Mon, 17 Sep 2018 15:07:53 +0000 In this week’s ShadowTalk, Richard Gold and Simon Hall join Michael Marriott to discuss the latest spate of attacks by the threat actor known as Magecart. We dig into the history of Magecart, different approaches to web skimming, and provide advice on how organizations can best protect against this threat.

Fallout exploit kit identified distributing GandCrab ransomware

The Fallout exploit kit has distributed the GandCrab ransomware against entities in the Middle East via a malvertising campaign. The final payload of the exploit kit, which targeted CVE-2018-8174, was dependent on the victim’s operating system. Microsoft Windows users received the ransomware and macOS users were redirected to social engineering pages. This latest campaign’s use of a different payload and targeting of new geographies indicate an increase in Fallout’s capabilities. While the vulnerabilities exploited by Fallout remain the same as previously reported, the addition of GandCrab suggests that developers will likely add more exploits for ransomware-as-a-service attacks.


APT group Silence increases TTP capabilities, targets financial sector

The advanced persistent threat (APT) group Silence has significantly developed its tactics and tools since 2016. In attacks on financial institutions in over 25 countries, Silence has attempted to compromise interbank communication systems, ATMs and card processing platforms to steal information. The emergence of tools developed by Silence likely suggests an increase in the group’s capability and sophistication. Additional incidents involving custom tools, developed and operated by Silence, will likely be observed within the next six to twelve months.


Recently identified threat actor “PowerPool” exploits Windows zero-day vulnerability

A recently identified threat actor named PowerPool has exploited a previously identified Windows zero-day vulnerability. The threat group manipulated the vulnerability’s binary source code to escalate its privileges and subsequently replace a target file’s contents with malicious code. This file provides PowerPool with persistence within a system and can be remotely removed if detected. Additional technical details were unavailable at the time of writing. Historically, PowerPool has used unnamed backdoor variants for reconnaissance purposes; they likely used this methodology for this latest vulnerability. The use of a legitimate Windows utility allowed PowerPool to minimize their risk of detection and obfuscate their code delivery.



Airline Discovers Trove of Frequent Flyer Accounts Compromised and Posted for Sale Online Fri, 14 Sep 2018 01:47:38 +0000 Reward program fraud has been rising in recent years across the aviation industry as well as the entire transportation sector. Some experts theorize that because Europay, Mastercard and Visa (EMV) chip technology has made physical credit card fraud more difficult, it has instead led to the global rise of reward point theft.

A major airline recently needed further expertise in identifying which cyber threats to prioritize, where to monitor for leaked intellectual property, and how to access hard-to-reach areas like the dark web without adding staff to their IT and security team. What they found was more than 300 compromised reward accounts posted for sale online.

Why Reward Fraud is on the Rise with Cybercriminals

Loyalty points are almost like cash, used not only for airline travel and rental cars but also for merchandise, gift cards, and live entertainment. Although reward accounts contain sensitive data like name, address, credit card numbers, and even passwords, they can be overlooked and even forgotten by customers over time. Account owners may not always be vigilant in monitoring accounts for suspicious activity – an easy win in cybercriminals’ minds.

Figure 1: Wall Street marketplace – user offering flight discounts

Password hygiene can also be lax, with reward account passwords shared across family members or reused by customers across several accounts. The many data breaches that have previously occurred likely mean that customer email addresses and passwords are already posted for sale online. Reward program thefts and prosecutions have rarely been publicized by airlines, although that is changing as seen by the notable prosecution of a college student recently for award point theft as a more public deterrent.

How Reward Fraud Occurs

Cybercriminals use a variety of techniques to compromise and monetize stolen reward accounts. They can resell the account owner’s fully-vetted identity, or sell the reward points themselves. There are hundreds of criminal locations across the open, deep, and dark web that offer user account credentials for hotel and airline points.

Figure 2: Screenshot from Digital Shadows SearchLight™ – Forum post offering airline loyalty points and accounts

Here are some ways reward fraud occurs:

  • Phishing Emails: Cybercriminals will often use phishing emails to harvest credentials by duping account holders into uploading sensitive information or clicking on a link purporting to be a password reset.
  • Account Takeover: By using credential stuffing tools which are readily available online and traded on criminal forums, fraudsters can automatically inject username and password pairs from public lists to gain access to reward/award accounts.
  • Insiders: Fraudsters can enlist insiders to provide access to compromised airline ticket and loyalty systems.
  • Re-selling Points: Legitimate reward account owners can attempt to resell their very own points, but that is generally against airline terms of service and an excellent way to get caught and face confiscation of reward points.
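Credential stuffing has a signature that is visible in a loyalty program's own login audit trail: one source trying many different usernames with a high failure rate, as opposed to one customer mistyping a password or an office network where many users log in successfully. The following is an added example, not code from the original post or from SearchLight: a detector over constructed login-audit lines that reports the stuffing source together with the accounts that happened to succeed from it, which are the ones to force a reset on. All addresses and usernames are constructed.

```python
from collections import defaultdict


def build_sample():
    """Constructed login-audit lines: 'timestamp source_ip username result'."""
    lines = []
    # A stuffing run: 30 different usernames from one source, two of which happen to work.
    for i in range(30):
        result = "OK" if i in (7, 19) else "FAIL"
        lines.append(f"2018-09-10T08:00:{i:02d} 203.0.113.10 user{i:02d}@example.com {result}")
    # One customer mistyping twice, then succeeding.
    lines += [
        "2018-09-10T08:05:00 198.51.100.7 carlos.m@example.com FAIL",
        "2018-09-10T08:05:20 198.51.100.7 carlos.m@example.com FAIL",
        "2018-09-10T08:05:40 198.51.100.7 carlos.m@example.com OK",
    ]
    # An office NAT: many users behind one address, nearly all succeed.
    for i in range(30):
        result = "FAIL" if i == 3 else "OK"
        lines.append(f"2018-09-10T08:10:{i:02d} 192.0.2.5 staff{i:02d}@example.com {result}")
    return "\n".join(lines)


SAMPLE_LOGINS = build_sample()


def parse_login_lines(text):
    """Turn audit lines into (timestamp, source_ip, username, succeeded) tuples."""
    records = []
    for line in text.strip().splitlines():
        ts, src, user, result = line.split()
        records.append((ts, src, user, result == "OK"))
    return records


def detect_credential_stuffing(records, min_distinct_users=20, min_failure_ratio=0.8):
    """Return {source_ip: sorted usernames that logged in OK from that source} for every
    source that tried many distinct accounts and mostly failed."""
    by_src = defaultdict(list)
    for _ts, src, user, ok in records:
        by_src[src].append((user, ok))
    findings = {}
    for src, attempts in by_src.items():
        distinct_users = {u for u, _ in attempts}
        failure_ratio = sum(1 for _, ok in attempts if not ok) / len(attempts)
        if len(distinct_users) >= min_distinct_users and failure_ratio >= min_failure_ratio:
            findings[src] = sorted({u for u, ok in attempts if ok})
    return findings


if __name__ == "__main__":
    for src, hit_accounts in detect_credential_stuffing(parse_login_lines(SAMPLE_LOGINS)).items():
        print(f"stuffing from {src}; accounts to reset: {hit_accounts}")
```

The two thresholds do the discrimination: the mistyping customer fails the distinct-user test, and the office NAT fails the failure-ratio test, so only the stuffing source is reported. The thresholds are tuning knobs, and an attacker who spreads a run across many proxies will show up as many sources each under the count, so per-account checks (a first-ever login from a new country, for instance) are a necessary complement.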

Want to see how this airline found the 300+ compromised reward accounts posted for sale online? See how Digital Shadows SearchLight™ enables organizations to mitigate this type of risk: Test Drive SearchLight™ Free Here.


To learn more about identifying which cyber threats to prioritize, where to monitor for leaked intellectual property, and how to access hard-to-reach areas like the dark web, subscribe to our newsletter here.

MITRE ATT&CK™ and the North Korean Regime-Backed Programmer Thu, 13 Sep 2018 15:16:45 +0000 On 6th September the US Department of Justice (DOJ) unsealed an indictment against a North Korean regime-backed programmer who is a suspect in many significant network intrusions. It is assessed as likely that this programmer is a part of a larger organization, typically referred to as the Lazarus Group. Many attacks are described in detail in the 179-page indictment, including the Sony Pictures Entertainment (SPE) attack, the Bangladesh bank heist and the WannaCry outbreak. You can listen to our podcast from last week on this topic but, for the purposes of this blog, we will dive into the intrusions using the MITRE ATT&CK™ framework and leave WannaCry aside for the time being.

Threat model

The attackers targeted a wide-range of different types of organizations, including:

  • Sony Pictures Entertainment (SPE)
  • Lockheed Martin (although it appears they were unsuccessful in this attack)
  • Bangladesh Central Bank
  • Vietnam Central Bank
  • One U.S. university
  • U.S. academic researchers
  • U.S. energy companies
  • Virtual currency exchanges

The indictment also states that “Other evidence indicates that the subjects conducted significant internet reconnaissance for employees of United States and South Korean military entities, including for employees of specific fleets and divisions within each”.



Stage #0: Reconnaissance

According to the indictment, the attackers spent a considerable amount of time on reconnaissance and “that online reconnaissance included research relating to the victim company or entity that the subjects were targeting, as well as relating to individual employees of the victim company. The subjects have also used the services of websites that specialize in locating email accounts associated with specific domains and companies, and the subjects have registered for business records search services that offer career postings, business searches, and marketing services”. As we will see later in the blog, the attackers relied heavily on spearphishing, which was driven by this reconnaissance phase. In the attack against SPE “one of the pieces of malware contained the names of approximately 10,000 individual SPE hostnames (i.e., the names of specific computer workstations) “hard coded” into the malware”. This implies that the attackers conducted extensive work both inside and outside of the network for them to discover their targets.

The attackers also performed reconnaissance against the third-party services used by their targets. Before the SPE attack, the attackers had signed up to the WatchDox secure collaboration service used by SPE, presumably to identify how the system works and how SPE used it.

For the spearphishing pretexts, the attackers sometimes used names and addresses of legitimate companies and the names of employees who worked at those legitimate companies to make their social engineering attacks more convincing. In some cases, the attackers would reference the personal interests of employees in their spearphishing emails. For targeting some organizations, the attackers would not only attempt to find their employees, but also the generic email and social presence, for example, inboxes or accounts used for general enquiries from the public or prospects, of the organizations in question to use as spearphishing targets. Information was gathered on multiple targets of differing types in order to maximize the success of their operation.

In addition to technical and personal information, the attackers gathered organizational information that would help them in their attacks. For example, “The user of the account also researched the time zone of a correspondent bank that the subjects intended and attempted to use for a fraudulent transfer from a victim bank in 2016, days before the cyber-heist there” and “[t]he user of the account also visited a SWIFT online user guide” as well as BIC (Bank Identifier Code) numbers for the target and destination banks they were planning to use for fraudulent transactions.

PRE-ATT&CK TTP: Compromise 3rd party infrastructure to support delivery

One of the notable TTPs from the indictment was the use of a worm, named Brambul, for gathering credentials from SMB servers. This worm has been in existence since at least 2009 and conducts bruteforce attacks against SMB servers to gain access. Once access had been gained, the worm emailed the credentials and server information back to the attackers, who would then use the compromised servers for hop points and other activities. The worm would then self-replicate and look for additional SMB servers to bruteforce. Having a long-running and autonomous system in place to discover fresh servers to use as deniable operational infrastructure meant that the attackers had a constant supply of infrastructure for future attacks and campaigns.

PRE-ATT&CK TTP: Acquire and/or use 3rd party infrastructure services

In addition to the Brambul-infected servers, the attackers also made use of proxy services to obscure their true originating IP addresses. With only 1,024 IP addresses directly assigned to North Korea, obfuscating the origin of their traffic was a key requirement of the attackers.


So that the malware was able to connect back to the attacker-controlled command and control (C2) service, the attackers made use of dynamic DNS services where they could easily control which IP address was returned for a particular DNS hostname. One interesting trick performed was that the IP address that was returned by the Dynamic DNS service was not the IP address used by the malware to connect to the C2 server. The malware transformed the returned IP address with a hard-coded key to produce the correct IP address. This obfuscation technique meant that even if the Dynamic DNS hostname was discovered, the defenders would be unable to derive the actual IP address without the hard-coded key.
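One consequence of the trick described above is that the host's DNS answers and its outbound connections stop agreeing: the name resolves to one address and the process connects to another. That disagreement is detectable without knowing the hard-coded key. The following is an added example, not code from the original post or from the malware analysis it cites: it correlates constructed DNS and connection logs for one workstation and reports external connections to addresses that no recent DNS answer on that host returned. Hostnames, names and addresses are constructed.

```python
import ipaddress
from collections import defaultdict

# Constructed DNS answers seen on the workstation: (epoch, host, queried name, answered IP)
DNS_LOG = [
    (1000, "ws-17", "updates.example.net", "198.51.100.40"),
    (1005, "ws-17", "cdn.example.org", "203.0.113.9"),
    (1010, "ws-17", "dyn-host.example.com", "203.0.113.77"),  # the dynamic-DNS name
]
# Constructed outbound connections from the same host: (epoch, host, destination IP, port)
CONN_LOG = [
    (1001, "ws-17", "198.51.100.40", 443),
    (1006, "ws-17", "203.0.113.9", 443),
    (1011, "ws-17", "203.0.113.78", 443),  # not what the lookup returned
    (1020, "ws-17", "10.0.0.5", 445),      # internal file share, no lookup expected
]
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def connections_without_dns_answer(dns_log, conn_log, lookback_seconds=300):
    """Return (host, dst_ip, port) for external connections whose destination was not returned
    by any DNS answer on that host within lookback_seconds before the connection."""
    answers = defaultdict(list)  # host -> [(answer time, ip)]
    for ts, host, _qname, ip in dns_log:
        answers[host].append((ts, ip))
    flagged = []
    for ts, host, dst, port in conn_log:
        addr = ipaddress.ip_address(dst)
        if any(addr in net for net in PRIVATE_NETS):
            continue  # internal destinations are reached by address all the time
        recent = {ip for ats, ip in answers[host] if ts - lookback_seconds <= ats <= ts}
        if dst not in recent:
            flagged.append((host, dst, port))
    return flagged


if __name__ == "__main__":
    for host, dst, port in connections_without_dns_answer(DNS_LOG, CONN_LOG):
        print(f"{host}: connection to {dst}:{port} with no matching DNS answer")
```

Only the connection to 203.0.113.78 is reported: the host resolved dyn-host.example.com to .77 and then connected to .78, which is what a transformed address looks like from the outside. Real networks have legitimate direct-by-IP traffic (hard-coded update servers, some peer-to-peer protocols), so in production this check is run with an allowlist rather than as a blocking control, and the constructed private-range exclusion above stands in for that list.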

PRE-ATT&CK TTP: Map network topology

The indictment states that “one of the pieces of malware contained the names of approximately 10,000 individual SPE hostnames (i.e., the names of specific computer workstations) “hard coded” into the malware. In other words, the subject or subjects who wrote the malware’s code had learned and then written into the malware the names of individual SPE computers”. This indicates that the attackers spent a considerable amount of time learning about the internals of the SPE network. This could have been performed through a preliminary intrusion, a third-party breach or some other unknown method.

DS mitigation advice: much of the information the attackers gathered is, by its nature, publicly available and cannot simply be withdrawn. However, an OPSEC program, that is, a structured assessment of the risk to an organization from publicly available data, can be useful for understanding the risk profile of an organization. Inform employees that their social media profiles may be of interest to adversaries and provide advice on how to lock down profiles if requested. Ensure that network services are patched and running supported versions of software. Credentials, especially for admin accounts, should use strong passwords, and two-factor authentication (2FA) should be enabled wherever possible.


Stage #1: Initial Access

ATT&CK TTP: Spearphishing attachment, Spearphishing link, Spearphishing via Service

As with many other intrusion groups, the attackers relied heavily on spearphishing as their go-to technique for achieving that initial access into a target environment. One technique used by the attackers was to post links created with a URL shortener to social media that masqueraded as a downloadable screen saver. The link would redirect the target to an executable that would function ostensibly as a screen saver, while dropping a set of malicious files in the background. The attackers used a similar technique of a URL shortener to hide a malicious executable when spearphishing targets via email. The attackers often “will give their malware files names that distract from the fact that the file is an executable file, i.e., a file with an .exe ending that will install a new program on the computer”.

In addition to malicious links, the attackers also sent malware to targets via attachments to spearphishing emails. The attachments were sent as Microsoft Office documents, e.g., .ppsx PowerPoint slideshow files as well as compressed zip files.

The attackers preferred to use well-known webmail providers such as Google’s Gmail and Microsoft’s service to send their emails rather than running their own email infrastructure for phishing.

DS mitigation advice: an email filtering service is crucial for mitigating the impact of spearphishing with both malicious attachments and links. Certain file types, such as archives, should be blocked unless there is an explicit business reason to allow them. Risky file types, such as Microsoft Office documents, can be transformed by an email filtering service into file types like PDF that do not contain active content such as macros. Public-facing employees may require dedicated tools to open potentially malicious attachments safely, such as sandboxes or cloud services.

ATT&CK TTP: Drive-by Compromise

In January 2017 the attackers compromised the website of the Polish Financial Supervision Authority (KNF) to target Polish financial institutions. As the KNF was a trusted institution with a website regularly visited by the employees of Polish financial institutions, it made for a compelling target. The attackers had compiled a whitelist of IP addresses that would be served malware, specifically the NESTEGG implant. If an IP address on the whitelist connected to the infected website, it would be redirected away from the legitimate, but infected, website to a compromised site under the attacker’s control that would serve up the malware.

DS mitigation advice: application whitelisting can be used to limit which binaries are executed in an environment. Browser sandboxing solutions can be used to ensure that malware only executes in a low privilege environment without any further access to an organization’s assets. Hardening browsers and operating systems to prevent script execution and reduce the number of plugins and/or extensions can further serve to mitigate this risk.

Stage #2: Execution

ATT&CK TTP: User Execution

The attackers used a variety of pretexts to convince targets to click on the link in their phishing emails, for example, masquerading as Facebook or Google official notification emails. An example from the indictment is shown below:


Figure 1 – Facebook phishing email (page 22 of the indictment)


One specific technique the attackers used was to impersonate security-related emails from Google and Facebook, e.g., the detection of malicious account activity. These emails were likely successful in part because they took advantage of a situation where the target would be concerned about a potential security incident.  The victim would be unlikely to pay close enough attention to the email as their priority would be to remediate the security issue.

Impersonation of people seeking employment and recruiters offering jobs was another impersonation tactic regularly used by the attackers. They approached their targets not only by email but also by social media sites such as LinkedIn. They provided a link to their supposed resume or job description, which would be a piece of malware. An example phish taken from the indictment can be seen below:


Figure 2 – Spearphish impersonating a prospective employee

On occasion the attackers also created impersonation accounts for recruiters and high-level employees at certain companies, and used these impersonation accounts to spearphish employees at competitor companies. The attackers often used impersonation accounts that mimicked themes that were contextually relevant to their targets; for example, phishes sent to movie companies had attachments called “”. The attackers also made some of these spearphishes very personal. In one example from the indictment, the attackers used a hobby from the target’s publicly available social media profile to create a contextually relevant lure. As the employee mentioned they were interested in art, the attackers sent a fake screensaver to the target that allegedly contained the sender’s own art work.

The attackers also used malicious URLs on social media posts related to actors in the film “The Interview”, which the attackers were attempting to suppress. The URLs impersonated a piece of screensaver software supposedly with nude models that was, in fact, a piece of malware. The ultimate destination of the malicious URL was obfuscated by the attackers through the usage of a URL shortening service.

One technique the attackers used to trick targets into believing that the payload was innocuous was to use the name of established pieces of software, e.g., Adobe Flash, in the file name. An example from the indictment was “[REDACTED NAME OF BUSINESS] Advertising Video Clips (Adobe Flash).exe”. The purpose of this deception is to disguise the true nature of the file, namely, that it is an executable, from the target.

The attackers also used the persona of a journalist from a known TV network to deceive targets into installing malware. The lure was the soliciting of opinion for a TV show, which would be a common task for certain professionals.

DS mitigation advice: specifically educating users about the dangers of URL shorteners alongside general security awareness training may help with mitigating this common technique. Providing avenues for users to report attempted phishing attacks and to seek guidance and support is useful for early detection of phishing campaigns. Specific types of employees who regularly deal with the public and have a business requirement to open attachments from unknown senders may require additional training to educate them about the specific risks that they face.

Stage #5: Defense Evasion

ATT&CK TTP: Deobfuscate/Decode Files or Information

In one attack, the attackers asked the target “to open an attachment containing a screensaver with the sender’s drawings. The screensaver was password protected, and the sender stated the password was simply ‘1.’”. The purpose of the password protection was to prevent security appliances from having visibility into the contents of the zip file.

DS mitigation advice: some email filtering technologies provide the capability to block password-protected zip files. Where there is no business requirement to allow such attachments, they should be blocked. In other cases, it may be prudent to alert the recipient that a particular attachment type is risky, and that the email has originated from outside of the organization.
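The attachment rules from the Initial Access advice above (block archives by default, convert Office documents, never deliver executables however they are named) and the rule here (block password-protected archives) fit in one policy function. The following is an added example, not code from the original post or from any mail filtering product: a classifier over an attachment's name and bytes, with a helper that builds a zip in memory and, for the password-protected case, sets the zip "encrypted" flag by hand, since Python's zipfile cannot write encrypted archives. File names are modelled on the lures quoted in the indictment; the extension lists are an assumption a real policy would adjust.

```python
import io
import zipfile
from pathlib import PurePosixPath

EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".hta", ".msi"}
ARCHIVE_EXTS = {".zip", ".rar", ".7z", ".gz", ".tgz", ".iso"}
CONVERT_EXTS = {".doc", ".docx", ".docm", ".xls", ".xlsx", ".xlsm", ".ppt", ".pptx", ".ppsx"}


def zip_has_encrypted_member(data: bytes) -> bool:
    """True if any member has the general-purpose 'encrypted' flag (bit 0) set, i.e. the
    archive is password protected, or if the archive cannot be parsed at all."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(info.flag_bits & 0x1 for info in zf.infolist())
    except zipfile.BadZipFile:
        return True  # an unreadable archive is just as uninspectable


def classify_attachment(filename: str, data: bytes = b"", allow_archives: bool = False):
    """Return (verdict, reason); verdict is 'block', 'convert' or 'allow'."""
    ext = PurePosixPath(filename).suffix.lower()
    if ext in EXECUTABLE_EXTS:
        # Lures like "... (Adobe Flash).exe" rely on the reader stopping at the brand name;
        # the policy looks only at the real extension.
        return ("block", f"executable attachment ({ext})")
    if ext in ARCHIVE_EXTS:
        if ext == ".zip" and zip_has_encrypted_member(data):
            return ("block", "archive is password protected or unreadable")
        if not allow_archives:
            return ("block", "archives not permitted without a business exception")
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if PurePosixPath(info.filename).suffix.lower() in EXECUTABLE_EXTS:
                    return ("block", f"archive contains executable member {info.filename}")
        return ("allow", "archive permitted by exception and contains no executables")
    if ext in CONVERT_EXTS:
        return ("convert", "Office document converted to PDF to strip active content")
    return ("allow", "no policy match")


def build_zip(member: str, payload: bytes, password_protected: bool = False) -> bytes:
    """Constructed test archive. For the password-protected variant the encrypted flag bit is
    set in the local header (offset 6) and central directory entry (offset 8), which is what a
    gateway inspecting headers sees; the payload itself is not actually encrypted."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, payload)
    data = bytearray(buf.getvalue())
    if password_protected:
        for signature, flag_offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            data[data.find(signature) + flag_offset] |= 0x01
    return bytes(data)


if __name__ == "__main__":
    fake_exe = b"MZ" + b"\x00" * 16  # constructed stand-in for an executable
    for name, data, allow in [
        ("Advertising Video Clips (Adobe Flash).exe", b"", False),
        ("quarterly.ppsx", b"", False),
        ("drawings.zip", build_zip("drawings.scr", fake_exe), True),
        ("drawings.zip", build_zip("drawings.scr", fake_exe, password_protected=True), True),
    ]:
        print(name, "->", classify_attachment(name, data, allow_archives=allow))
```

Note the ordering inside the archive branch: the encrypted check runs first, because an archive that cannot be opened cannot be inspected for executables, which is precisely why the attackers used a password of "1" in the first place. The business-exception flag then decides whether an inspectable archive is opened at all.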

ATT&CK TTP: Exploitation for Defense Evasion

Once the attackers had reached their target machine, in the case of the Bangladesh bank heist, “the subjects were able to impersonate bank employees who were authorized to create and transmit messages through the SWIFT system on behalf of that bank, making those messages falsely appear as if they were authorized by employees of the bank” and “the subjects also took measures to conceal their activities and cover their tracks”. The indictment does not go into the details of how this was achieved; however, additional open source reporting from BAE Systems shows that the attackers patched the liboradb.dll file used by the Oracle database server component of SWIFT’s Alliance software suite.

DS mitigation advice: advanced EDR (Endpoint Detection and Response) systems should be deployed to detect in-memory patching attacks being used by malware to manipulate existing code. In general, code should not be attempting to interfere with other processes and this behavior can be considered as suspicious.

ATT&CK TTP: Masquerading

In the attack against the Vietnamese bank, the attackers took a different approach to covering their tracks. The SWIFT system in that bank would create PDF receipts that the employees would review to ensure that the transfers were correct. The indictment states: “The end result was that documents that contained records of the fraudulent SWIFT messages sent by the subjects would be modified so that the bank employee viewing the record would remain unaware of the fraudulent message”. Additional open source reporting from McAfee states that “The malware installs itself in the original Foxit installation directory and renames the original file to FoxltReader.exe”. It appears from the indictment that the malware would check each PDF for certain criteria to see if the PDF was referring to a fraudulent transaction carried out by the attackers. If it was, “the malware would first make certain modifications to the document, then instruct the legitimate FoxIt Reader software to open the modified document so that the user would be unaware that anything unusual had occurred”.

DS mitigation advice: application whitelisting can be used to restrict which code can execute inside an environment. This can be used to detect the attempted installation of malware by an adversary and prevent the execution of this malware.

Stage #8: Lateral Movement

ATT&CK TTP: Windows Admin Shares

The indictment states that “Once a spear-phishing message had been successful and the subjects had gained access to the bank’s computer network, they moved through the bank’s network in order to access one or more computers that the bank used to send or receive messages via the SWIFT communication system”. The indictment does not provide any additional details about how exactly this lateral movement was performed; nevertheless, additional open source reporting from Kaspersky indicates that the attackers abused legitimate admin credentials to create a scheduled task to spawn their malware on a remote host. This process allowed the attackers to spread throughout a compromised environment.

DS mitigation advice: applying the principle of least privilege and restricting admin account access as much as possible increases the difficulty for attackers of gaining admin privileges in the first place. Once an attacker has admin privileges, detection can be used to uncover malicious behavior. Windows event logs register the creation, updating and removal of scheduled tasks. Application whitelisting can be used to restrict the execution of certain file types in an environment.
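As an added example (not code from the original post or from the indictment), the following correlates Windows Security log records to surface the pattern described above: a scheduled task registered on a host from a network logon, or whose action runs from a user-writable path. The event records are constructed samples using the field names Windows reports for 4624 (logon) and 4698 (scheduled task created); the user-writable path list is an assumption for this example.

```python
"""Flag scheduled-task creations that look like remote lateral movement."""
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

TASK_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"
NETWORK_LOGON_TYPE = "3"
# Locations a properly deployed task binary would not normally run from
# (assumption for this example; tune to the environment).
USER_WRITABLE_HINTS = ("\\users\\public\\", "\\appdata\\", "\\temp\\", "\\programdata\\")

# Constructed sample records, keyed by the field names Windows uses in the
# Security log. 4624 = logon, 4698 = scheduled task created; 4699 (deleted) and
# 4702 (updated) carry the same Subject fields and can be handled the same way.
# These task events are only written when the "Other Object Access Events"
# audit subcategory is enabled.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventID": "4624", "TargetLogonId": "0x3e7", "LogonType": "5",
     "IpAddress": "-", "TargetUserName": "SYSTEM", "Computer": "FIN-WS-07"},
    {"EventID": "4624", "TargetLogonId": "0x8a2f1", "LogonType": "3",
     "IpAddress": "10.0.5.23", "TargetUserName": "svc_backup", "Computer": "FIN-WS-07"},
    {"EventID": "4698", "SubjectLogonId": "0x8a2f1", "SubjectUserName": "svc_backup",
     "Computer": "FIN-WS-07", "TaskName": "\\Microsoft\\Windows\\Update\\Sync",
     "TaskContent": ('<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
                     '<Actions Context="Author"><Exec><Command>C:\\Users\\Public\\svchost.exe</Command>'
                     '<Arguments>-k netsvcs</Arguments></Exec></Actions></Task>')},
    {"EventID": "4698", "SubjectLogonId": "0x3e7", "SubjectUserName": "SYSTEM",
     "Computer": "FIN-WS-07", "TaskName": "\\Backup\\Nightly",
     "TaskContent": ('<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
                     '<Actions Context="Author"><Exec><Command>C:\\Program Files\\Backup\\agent.exe</Command>'
                     '</Exec></Actions></Task>')},
]


def task_command(task_xml: str) -> Optional[str]:
    """Extract the first Exec/Command from a Task Scheduler XML definition."""
    try:
        root = ET.fromstring(task_xml)
    except ET.ParseError:
        return None
    node = root.find(f"{TASK_NS}Actions/{TASK_NS}Exec/{TASK_NS}Command")
    return node.text.strip() if node is not None and node.text else None


def find_suspicious_task_creations(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Join each 4698 task-creation event to the 4624 logon that created it via the
    logon ID, then flag tasks registered over a network logon (logon type 3) or
    whose action runs from a user-writable path."""
    logons = {e["TargetLogonId"]: e for e in events if e["EventID"] == "4624"}
    findings = []
    for e in events:
        if e["EventID"] != "4698":
            continue
        logon = logons.get(e["SubjectLogonId"])
        command = task_command(e["TaskContent"]) or ""
        reasons = []
        if logon is not None and logon["LogonType"] == NETWORK_LOGON_TYPE:
            reasons.append(f"registered over a network logon from {logon['IpAddress']}")
        if any(hint in command.lower() for hint in USER_WRITABLE_HINTS):
            reasons.append(f"action runs from a user-writable path: {command}")
        if reasons:
            findings.append({"host": e["Computer"], "task": e["TaskName"],
                             "user": e["SubjectUserName"],
                             "source_ip": logon["IpAddress"] if logon else "unknown",
                             "command": command, "reasons": "; ".join(reasons)})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_task_creations(SAMPLE_EVENTS):
        print(f"[ALERT] {f['host']} task {f['task']} by {f['user']} ({f['reasons']})")
```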

Stage #9: Collection

ATT&CK TTP: Automated Collection, Data from Local System

The main target for the Bangladesh bank heist was the SWIFTLIVE system; “That system was the core component of Bangladesh Bank’s SWIFT processing environment. It used the SWIFT Alliance Access application, which was a customer-managed gateway to the SWIFT network that transmitted and received messages from other banks that create and confirm financial transactions”. As part of the Bangladesh bank heist, the attackers “used malware that interfered with each of those processes at the victim banks (presumably to avoid alerting the victims of the subjects’ activities)”. One of these processes was the use of “an Oracle database to retain a record of messages sent using SWIFT”. The data collected by the malware from the Oracle database was then used to delete the record of the fraudulent transactions, thereby assisting the attackers in covering their tracks.

DS mitigation advice: security reviews of the log files of critical systems, such as payment systems, are important for detecting malicious activity. Specifically, anomalous behavior such as log deletion should warrant closer inspection.

Stage #11: Command and Control

ATT&CK TTP: Commonly Used Port, Custom Command and Control Protocol, Custom Cryptographic Protocol, Data Encoding, Multi-hop Proxy, Remote File Copy

The attackers routinely used a Command and Control (C2) system referred to as FakeTLS in the indictment. This protocol communicated outbound on TCP port 443 to appear like SSL/TLS traffic. However, the indictment states that “The “FakeTLS” signature that is referenced is a protocol that mimics authentic encrypted TLS traffic, but actually uses a different encryption method”. The hypothesis in the indictment is that the attackers used this approach because many security technologies will assume that they cannot decrypt the encrypted communications and will allow the outbound traffic to egress the network. The attackers used a range of leased and/or hacked servers as their C2 servers and in some cases used multiple hops to further obscure their identity.

DS mitigation advice: in certain circumstances, SSL inspection can be used to have visibility into encrypted communications. If SSL inspection is deployed, traffic that cannot be inspected should not be able to egress the network unless explicitly whitelisted.
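As an added example (not code from the original post or from the indictment), the following checks whether an outbound TCP/443 flow actually begins with a well-formed TLS ClientHello, which a protocol that only borrows the TLS record prefix on port 443 will fail, and applies the fail-closed egress rule from the advice above. The byte strings are constructed samples; the check assumes the whole first record was captured.

```python
"""Distinguish genuine TLS ClientHellos from FakeTLS-style traffic on port 443."""
import struct
from typing import List, Tuple

TLS_HANDSHAKE = 0x16
CLIENT_HELLO = 0x01


def looks_like_tls_client_hello(data: bytes) -> Tuple[bool, str]:
    """Return (ok, reason). ok is True only when `data` starts with a TLS record
    carrying a ClientHello whose nested lengths are consistent with each other.
    Traffic that merely copies the 0x16 0x03 0x0X prefix fails these checks."""
    if len(data) < 5:
        return False, "shorter than a TLS record header"
    ctype, major, minor, rec_len = struct.unpack("!BBBH", data[:5])
    if ctype != TLS_HANDSHAKE:
        return False, f"record type 0x{ctype:02x} is not handshake (0x16)"
    if major != 3 or minor > 3:
        return False, f"record version {major}.{minor} is not SSL3/TLS"
    body = data[5:5 + rec_len]
    if len(body) != rec_len or rec_len < 4:
        return False, "record length does not match the bytes present"
    if body[0] != CLIENT_HELLO:
        return False, f"handshake type 0x{body[0]:02x} is not ClientHello"
    # Clients send one ClientHello per record, so the handshake length must fill it.
    if int.from_bytes(body[1:4], "big") != rec_len - 4:
        return False, "handshake length disagrees with record length"
    hello = body[4:]
    if len(hello) < 35:            # client_version(2) + random(32) + session_id_len(1)
        return False, "ClientHello truncated before session_id"
    pos = 35 + hello[34]           # skip the session_id
    if len(hello) < pos + 2:
        return False, "ClientHello truncated at cipher_suites"
    cs_len = int.from_bytes(hello[pos:pos + 2], "big")
    if cs_len == 0 or cs_len % 2:
        return False, "cipher_suites length is not a non-zero multiple of 2"
    pos += 2 + cs_len
    if len(hello) < pos + 1:
        return False, "ClientHello truncated at compression_methods"
    pos += 1 + hello[pos]
    if pos > len(hello):
        return False, "compression_methods overrun the ClientHello"
    return True, "well-formed ClientHello"


def build_client_hello() -> bytes:
    """Constructed sample: a minimal TLS 1.2 ClientHello with two cipher suites."""
    hello = b"\x03\x03" + bytes(32) + b"\x00"        # client_version, random, empty session_id
    hello += b"\x00\x04\xc0\x2f\x00\x9c"             # cipher_suites: two suites (4 bytes)
    hello += b"\x01\x00"                             # compression_methods: null only
    handshake = bytes([CLIENT_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return bytes([TLS_HANDSHAKE, 3, 1]) + len(handshake).to_bytes(2, "big") + handshake


# Constructed stand-ins for traffic that imitates TLS: a plausible record header
# and handshake type, but a custom payload whose lengths do not add up, and a
# raw custom protocol with no TLS framing at all.
FAKE_TLS_SAMPLE = bytes([0x16, 0x03, 0x01, 0x00, 0x2f]) + bytes([0x01, 0x00, 0x00, 0x10]) + b"\xaa" * 43
RAW_CUSTOM_SAMPLE = b"\x00\x00\x00\x2a" + b"\x5c" * 42


def triage_flows(flows: List[Tuple[str, int, bytes]]) -> List[dict]:
    """Apply the fail-closed egress rule to (dst, dst_port, first_client_bytes):
    port-443 flows that do not parse as TLS are held for inspection instead of
    being waved through on the strength of the port number alone."""
    decisions = []
    for dst, port, first_bytes in flows:
        if port != 443:
            decisions.append({"dst": dst, "port": port, "action": "policy-by-port",
                              "reason": "not a TLS port"})
            continue
        ok, reason = looks_like_tls_client_hello(first_bytes)
        decisions.append({"dst": dst, "port": port,
                          "action": "egress" if ok else "hold", "reason": reason})
    return decisions


if __name__ == "__main__":
    sample = [("203.0.113.10", 443, build_client_hello()),
              ("203.0.113.11", 443, FAKE_TLS_SAMPLE),
              ("203.0.113.12", 443, RAW_CUSTOM_SAMPLE)]
    for d in triage_flows(sample):
        print(f"{d['dst']}:{d['port']} -> {d['action']} ({d['reason']})")
```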


The intrusions described in the indictment are significant due to their scale and the high-profile nature of the targets. The attackers were motivated, persistent, and used a wide variety of well-known and reliable techniques to gain initial access to target environments. Once inside, the attackers demonstrated a deep understanding of the business processes in place in the specific environments and used several techniques that were heavily customized for their targets. They were able not only to achieve their goals but also to deploy several defense evasion techniques to mask their activities. Organizations should pay close attention to the TTPs used by these adversaries, as they are the hallmarks of successful attacks.

To listen to more of our insights on this DoJ complaint, check out our recent podcast:


To stay up to date with the latest digital risk and threat intelligence news, subscribe to our threat intelligence emails here.

GAO’s Equifax Post-mortem Report Tue, 11 Sep 2018 10:24:29 +0000 It’s common for the exciting and novel issues that confront security professionals on a daily basis to be hyped up. Very often the reporting and discussion focuses on 0day exploits, nation state actors, sophisticated intrusions and theoretical attack classes. The reality, however, is much more mundane. This point is driven home by the GAO (General Accounting Office) post-mortem report of the 2017 Equifax breach. The GAO was asked to prepare a report detailing how the breach had occurred and what federal agencies could do to respond. There are lessons in the report for all types of organizations.



The intrusion is described in Figure 1:

Figure 1 – How the Equifax breach occurred

The reporting to date has focused on the Apache Struts vulnerability, which was known for two months before the intrusion happened. However, that wasn’t the only security issue that affected Equifax. The breach was undetected for four months, during which time the attackers were able to exfiltrate data from 51 databases. While the attackers did exhibit some tradecraft prowess by blending in with existing traffic flows to make detection harder, many mistakes were made, including the presence of unencrypted usernames and passwords in the environment, which greatly assisted the attackers.


Attacker Goals

According to the report, the attackers were searching for Personally Identifiable Information (PII). Specifically, the attackers made off with dates of birth, social security numbers (SSN), addresses, phone numbers, email addresses, driver’s license numbers, tax identification numbers, credit card data, as well as passport scans and other government issued IDs. Once found, the attackers exfiltrated the data in small chunks to better evade detection.


What went wrong?

The GAO report details two fascinating findings that give real insight into the security challenges that all organizations face.

1. Certificate expiration leads to loss of network visibility


Equifax had installed an SSL inspection device for monitoring encrypted communications in its networks. The attackers used encryption, presumably SSL/TLS, to conceal their activities. The SSL inspection appliance was intended to prevent such countermeasures. However, the certificate for the appliance had expired 10 months before the breach occurred. The consequence of the expiration was that the SSL inspection appliance “failed open”. That is, it continued to pass traffic uninspected. This greatly assisted the attackers in achieving their goals by not alerting the defenders to their presence in the network.


2. Communication failures lead to known vulnerabilities being exploited


The Apache Struts vulnerability that was used to gain initial access to the environment received much attention in the coverage of the breach. However, the GAO report adds some important nuance. According to the report, Equifax knew of the vulnerability in March 2017 when they were notified by the US-CERT (United States Computer Emergency Readiness Team) and circulated the notice to their systems administrators. Unfortunately, the distribution list for the notices was out-of-date, which resulted in the persons responsible for patching the affected systems not being notified.

Equifax also scanned their own network one week after the notice had been received. Yet, the scan failed to detect the presence of Apache Struts on their online dispute portal. Apache Struts is not as straightforward to detect on a web server as some other software where there is a clear banner or other information available to accurately fingerprint which software is running.


What can be done?

The following processes would have helped to mitigate the impact of the breach:

  1. Patch process: the GAO report stated that identification was part of the difficulty that Equifax faced when trying to patch their systems. Hardware and software asset inventory are the top two CIS critical controls for good reason but are very difficult to implement in practice due to the dynamic nature of modern IT environments. This is especially true when considering 3rd party software development, outsourced IT systems and mergers & acquisitions (M&A). Effective communication is essential for systems administrators to know about security-related issues.
  2. Monitoring process: protective monitoring is critical for detecting security breaches. Issues that can affect this, such as certificate expiration on a security appliance, should be prioritized. Proactive work is often required to ensure the health and correct functioning of security appliances. This also applies to tuning so that the number of false positives can be kept to an appropriate level.

The GAO rightly reports on the lack of network segmentation between the Internet-facing systems and the internal systems holding PII as a factor that enabled the attack. Inhibiting lateral movement with segmentation via firewall rules or private virtual LANs (VLANs) is a powerful defensive technique for obstructing adversary movement.



The GAO report details several findings that contributed to the severity of the attack on Equifax. The remediation advice, while sensible and appropriate, is not surprising. Implementing the advice successfully requires the mindset of the “Cyber Janitor”. Rather than infosec rockstars, janitors are required to maintain and clear up our environments. Paying attention to the small but important details such as members of a distribution list and expired certificates pays dividends!


To stay up to date with the latest Digital Shadows threat intelligence and news, subscribe to our threat intelligence emails here.

ShadowTalk Update – 09.10.2018 Mon, 10 Sep 2018 15:57:06 +0000 In this week’s ShadowTalk, Richard Gold and Rafael Amado join Michael Marriott to discuss the latest Department of Justice complaint against an individual working for Chosun Expo, an alleged front for the North Korean state. The individual is accused of involvement in a host of campaigns, including attacks against Sony Pictures Entertainment, banks, defense contractors, and the many victims of the WannaCry ransomware variant. We discuss the most interesting revelations, outlining the different techniques used, and what this all means for organizations.



Simplistic Asacub takes top spot among mobile banking trojans

The Asacub banking trojan has emerged as the most active banking trojan of the past 12 months, surpassing other prolific variants including “Svpeng” and “Faketoken”. Its capabilities and distribution tactics are relatively simplistic, relying on social engineering to target users in Russia, the United States, Germany and former Soviet nations.

Ties alleged between APT10 and China’s security ministry

Individual members of the threat group APT10 (aka STONE PANDA) have allegedly been identified and associated with a department of China’s Ministry of State Security. Although the allegations do not cover all relevant details, the bloggers who released the incriminating information have previously provided valid information about another Chinese nation-state affiliated group. If accurate, the revelations represent a significant security breach regarding the threat group’s operations; an adjustment to, or cessation of, APT10 activity is a likely response.

MagentoCore script steals payment card data from e-commerce sites

A malicious script dubbed MagentoCore has been detected targeting e-commerce websites using the Magento payment platform to steal customers’ payment card information. The attackers responsible have successfully infected more than 7,300 individual shops to date, and are actively targeting 50-plus additional shops per day. The attacks demonstrate the same tactics as another financially motivated campaign conducted by the threat group “MageCart”, which has been active since 2015. That campaign and the MagentoCore attacks are likely operated by the same threat actors.

New Fallout exploit kit shows potential for popularity

Researchers at cyber-security company Nao Sec identified a new exploit kit, “Fallout”, which is closely related to the “Nuclear Pack” exploit kit. Fallout was observed on 29 Aug 2018 targeting the vulnerabilities CVE-2018-4878 and CVE-2018-8174. The exploit kit is customizable and will probably become a popular tool for threat actors due to its remote capabilities; there are no reports of Fallout having been used in a malicious attack to date.


To stay up to date with the latest Digital Shadows threat intelligence and news, subscribe to our threat intelligence emails here.

Sextortion – When Persistent Phishing Pays Off Thu, 06 Sep 2018 16:14:45 +0000 You may have heard of a recent surge in sextortion-based phishing campaigns. These campaigns seek to extort victims by threatening to publicly embarrass them for engaging in a sexually-explicit act, using previously-exposed passwords as proof of compromise.

This is not new; users have reported these intermittently since late 2017. However, the recent scale and persistence of this campaign has led to some success. As part of this campaign, we collected and analyzed a sample of emails sent over a two-month period, in which 8,497 email addresses were bombarded with over 60,000 emails. So how did they do it, why did they do it, and was it worth their time?


Old passwords; new ways to make money

All of the emails we detected followed a similar pattern to that shown below in Figure 1. The extortionist would:

  1. Provide the user with a known password as “proof” of compromise.
  2. Use the suspicion of compromise as a platform to extort the user.
  3. Claim to have video footage of the victim watching adult content online.
  4. Urge victim to pay ransom to Bitcoin address.


Figure 1: A screenshot of one sextortion-based phishing attempt


The “proof”, of course, is flimsy. These known passwords are relatively easy to obtain for cybercriminals. Breaches often consist of rows of username, email, password hash, userid and so on, but the passwords are very rarely in plain-text. However, some services store passwords with weak hashing algorithms, making the identification of user passwords possible, given enough time and resources.

The cracked password and email combinations are normally combined into lists and sold on through forums. These lists are initially sold online, but inevitably end up being made public. Across our sample, the most popular breaches for these passwords were the Anti Public and the Exploit[.]in leaks. 5585 (66%) of the credentials listed in this campaign matched the Anti Public breach list, compared to 4907 (58%) matching the Exploit[.]in list. (Note that the total exceeds 100% as a number of credential sets appear in multiple breaches.)


Different capabilities running different campaigns

Some of the campaigns were clearly well-coordinated. For example, many of the emails were sent from newly created email addresses. When we investigated some of the sender email addresses, we found that, in certain cases, the local-part of the sender/attacker email address appeared to be randomly generated, and that the address had not appeared in previous public breaches, indicating that some of the sending addresses may have been created specifically for the purpose of distribution rather than being compromised accounts.

On the other hand, a great many appeared to be opportunists with little understanding of how to craft and distribute emails at scale, sending out malformed emails that would never make it past a mail server or spam filter. Some had attempted to send emails through open relays with missing or malformed fields.


Persistence pays off

These sextortion phishing campaigns seem easy enough to detect and dismiss, so it may seem unlikely that victims will pay the ransom. Over a period of two months, we detected more than 60,000 emails sent using this approach. If you send out enough emails, you’re more likely to get the attention of a recipient that:

  1. Reuses their passwords
  2. Has recently watched adult content on their computer
  3. Has a webcam

With 8,497 victims targeted by over 60,000 emails in our sample, it’s no surprise we identified some success. Of all the Bitcoin addresses detected in this sample, 26 transactions matching the demands were made, totaling $28,000.

The attackers experimented with different methods to maximize their return. For example, by tracking one Bitcoin address, we can see the same one targeted 49 email addresses with demands ranging from $1,100 to $11,000. Eventually the attacker got lucky with a payment of $1,100 (0.1512 BTC).



While this sample set represents a small percentage of the total recipients of these sextortion campaigns, it’s clear that attackers are turning to new ways to monetize breached credentials. In reality, if an attacker had access to your computer and were able to get hold of your password and record your actions, it’s unlikely that sextortion would be the most profitable tactic. Instead, we might expect attackers to monitor your online activity for banking and other services, where financial details or Personally Identifiable Information (PII) can be harvested and sold.

We talk about this a lot in the industry (and we focused on it in a recent ShadowTalk podcast), but credential hygiene is a must. If you receive an email and it contains your one and only password, then you are a prime target. Strong, unique passwords for each service, with multifactor authentication where possible, are a must these days.

Online Risks to Fortnite Users Tue, 04 Sep 2018 13:56:13 +0000 With an enticing array of viral dance moves, tough weekly challenges and fresh skins, people are going bananas for Fortnite. The number of players increased from 30 million in December 2017 to 125 million in June 2018.

For those who are (somehow) unfamiliar, Fortnite is an online video game made by Epic Games. Last month, Epic Games irked Google by deciding not to host its app on the Google Play Store. Instead, buoyed by the inexorable rise in users and reluctance to pay the thirty percent of revenue to Google, Epic Games opted to provide downloads through its own site.

Naturally, Google prefers game developers to host applications on their own store, believing their security controls provide the necessary defenses to protect users. Indeed, on 15th August, an engineer at Google discovered a vulnerability in the recently released Fortnite app, a bug that has subsequently been fixed.

But what exactly are the security risks? We’ve observed malware, phishing sites, and account takeovers targeting Fortnite users.


A growing interest from the criminal underground

This increased interest around Fortnite is reflected in the criminal underground. Figure 1 shows mentions of the game across criminal forums and dark web pages in the past year. While there were 265 mentions in January 2018, this swelled to over 500 in August 2018. Some will be avid gamers themselves, but many of these discussions are more nefarious.


Figure 1: Mentions of Fortnite across forums, dark web pages and chat messages in the past year.


Malware targeting Fortnite users

Spoof domains are something we come across a lot at Digital Shadows, and Epic Games is no exception. However, given Epic Games’ decision to bypass the Google Play Store and host through its own site, the risk of a spoof domain tricking users into downloading a malicious file is that much more acute. Consider one site, fortnight-apk[.]com, which looks legitimate (assuming you’ve ignored the “Not secure” notice in the browser address bar indicating that the website doesn’t use encryption to protect the data you are sending it). Downloading the game from this site will likely be a nasty surprise for budding gamers, as this particular APK appears to be loaded with a known piece of spyware.


Figure 2: “Early access” to Fortnite offered on fortnite-apk[.]com



It’s also not just game downloads that can pose risks to users. Cybercriminals are looking to leverage the increased interest in Fortnite by offering merchandise and other branded goods. As tempting as it may be to get a flashy new Fortnite wallpaper, sites like my-fortnite[.]com are looking to exploit users. In this case, downloading the wallpaper will look to install a malicious Windows executable file (for more information, see the Virus Total page here:


Figure 3: Fortnite desktop wallpapers offered on my-fortnite[.]com




Spoof domains are not only registered to convince a victim to download malware; they are also looking to harvest the credentials of Fortnite users. Numerous sites have been registered that seek to trick users into entering their credentials, such as the one shown in Figure 4. These accounts can then wind up for sale across criminal forums.

We all know how often users reuse passwords across different sites, so by entering your password into these sites you may be leaving your other accounts exposed. By exploiting this increased interest in Fortnite, attackers seek to gain credentials that can be monetized at a later date.


Figure 4: A phishing site for Epic Games


This is just one example of many sites impersonating the Epic Games login pages, made easier by the HTML for the site being publicly available after it was posted to Pastebin in late March 2018.


Figure 5: HTML for the Epic Games login page


Account Takeovers

Fortnite has been lauded for its approach to multifactor authentication, as it rewards users for enabling this feature. However, if a new dance isn’t motivation enough to enable multifactor authentication, the trade in tools to take over Fortnite accounts should be.

Credential stuffing is a type of brute force attack whereby large sets of credentials are automatically inserted into login pages until a match with an existing account is found. One such tool is Sentry MBA. In order for attackers to successfully attempt these logins, a configuration file is required for the target site. Attackers create, share and sell these online – including those for (Figure 6). It even appears that a configuration file was uploaded to Pastebin in July 2018 (Figure 7), further lowering the barrier.


Figure 6: A user sharing a configuration file for on sentry[.]mba forum in July 2018


Figure 7: A configuration file posted to Pastebin in July 2018


Cybercriminals are aware of the hype around Fortnite, and have been busy creating ways to trick users into exposing their passwords or downloading malicious files. With this in mind, users should:

  1. Enable multifactor authentication. It’s easy, you get rewarded, and it’ll save you a lot of bother down the line.
  2. Don’t reuse passwords. Try not to reuse credentials across multiple sites, as one breach may leave you exposed across other services.
  3. Verify the website. Be wary about where you download the game or merchandise from, ensuring it is

To read more about how criminals perform account takeovers, you can download a copy of our report, Protect Your Customer and Employee Accounts.

ShadowTalk Update – 09.03.2018 Mon, 03 Sep 2018 15:48:23 +0000 Not a week goes by without an example where credential stealing, credential reuse, or poor password practices contributed heavily to a successful attack. With this in mind, Dr Richard Gold and Simon Hall join Rafael Amado to discuss the age-old problem of credential hygiene. In this week’s ShadowTalk we covered the ways in which attackers steal and take advantage of credentials, what most companies are getting wrong, and the steps you can take to improve your overall credential hygiene practices.

OilRig adds to its social-engineering bag of tricks

The OilRig threat group has continued to target entities in the oil-and-gas industry via a spearphishing and information-gathering campaign. In the 2017 campaign the group introduced a new tactic to its modus operandi by spoofing an online human resources portal. This demonstrates an increase in the effort, resources and intent OilRig is expending to achieve its goal: the acquisition of credentials and personal information.


Cyber security researcher discloses unpatched Windows zero-day vulnerability

Details of a Microsoft Windows zero-day vulnerability, recently announced by a cyber-security researcher, could enable exploitation by an attacker before a patch is released. A threat actor could use the vulnerability, which can exploit a fully patched 64-bit Windows 10 system, to escalate privileges locally on a target user’s computer. The vulnerability will likely be fixed as part of Windows’ next monthly patch update, due on 11 Sep 2018.


Lazarus Group’s FallChill backdoor can now target macOS

Backdoor malware associated with the Lazarus Group has been developed to target macOS devices and was used in an attack against a cryptocurrency exchange. Dubbed FallChill, this appears to be the first known instance of Lazarus Group-associated malware targeting this operating system. The cryptocurrency exchange was targeted with a trojanized cryptocurrency trading application. The tactics and techniques in this incident, as well as the targeting, are all consistent with historical Lazarus Group activity.


T-Mobile subject to breach potentially impacting 2 million customers

Telecommunications company T-Mobile was subject to a breach by an unauthorized third party on 20 Aug 2018. No financial data or social security numbers were said to have been compromised. However, the threat actor was allegedly able to access names, ZIP codes, phone numbers, email addresses, account numbers and account types for two million customers. Speculation about the compromise of passwords has been denied by T-Mobile and has yet to be confirmed.


To stay up to date with the latest Digital Shadows threat intelligence and news, subscribe to our threat intelligence emails here.

Security Analyst Spotlight Series: Heather Farnsworth Thu, 30 Aug 2018 17:33:41 +0000 Organizations rely on Digital Shadows to be an extension of their security team. Our global team of analysts provide relevant threat research, much needed context, tailored remediation advice and managed takedown support to make our clients’ jobs easier and more efficient. Crucially, by having analysts within the intelligence and collection cycle, we’re able to minimize the real-time false positives that cause nightmares for most organizations.

In our Security Analyst Spotlight Series, we bring our analysts out of the shadows and into the spotlight, showcasing their expertise and interests so you can learn a bit more about a “day-in-the-life” of a Digital Shadows analyst.

Name: Heather Farnsworth
Team: Trials
Title: Cyber Intelligence Analyst

Q: How did you get into the field of cybersecurity?

A: Throughout my college career, I was very passionate about Criminology. I was fascinated by the ideology of criminals, predictive crime and behaviours, and in what way social class, socioeconomic status and hundreds of other variables influence crime. I also developed a passion for technology during this time, and four years working for a major tech company in IT support allowed me to understand the newest software, the whys behind the product, and how these components are compiled to morph into user-friendly functions for a variety of purposes. It wasn’t until the end of my Senior year as an undergraduate that I started to think about what was next for me. I asked myself: why not pursue a career where I could utilize both talents? So, I did, without hesitation. Instead of simply leaving The University of Texas at Dallas with a Bachelor’s in Criminology, I decided to continue my education and pursue a Master of Science in Criminology in conjunction with a Certificate in Cybersecurity Systems: Internal Audit and Information Management.

Q: What areas of cybersecurity are you most interested in?

A: I have a particular interest in the influence geopolitics has on the targeting of public distribution systems. Cyberwarfare is undoubtedly influenced by geopolitics, so it’s fascinating to see how the response mechanisms of cyberwarfare are carried as repercussions of political events. Oftentimes when critical infrastructure is targeted – such as power grids, water supply systems or mass transit systems – it’s a result of a group’s furtherance of political or social objectives. Take the attacks on Ukrainian infrastructure since the annexation of Crimea in 2014. Since then Ukraine’s energy infrastructure was targeted using BlackEnergy malware, including KillDisk, that had been attributed to the APT group Sandworm. Then as recently as 2017 a new malware variant of BlackEnergy was used to target Ukrainian financial institutions.

Q: What’s the best part of your job?

A: I enjoy being engaged with the client from the very beginning, because this is where I help to identify what’s most important to them. A lot of mutual learning and understanding happens in these early stages. Sometimes, clients don’t know the full extent of their risks, which is where I can add real value. A big part of this is showing the client their digital footprint. Often they’re surprised by how much we can find, or simply didn’t realise exactly what sensitive information had been exposed online for so long. There’s always something new to learn and that’s something I don’t get tired of, it keeps things interesting to say the least.

Q: What do you do outside work that helps with your job?

A: Outside of work, I like to keep up on upcoming technology trends, and especially enjoy listening to cyber podcasts. Currently I have a plan in place to start my Security+ certificate along with other training tools that help develop and fine-tune my Open Source Intelligence (OSINT) and Closed Source skills.

Q: What has been your favorite project to work on?

A: Recently, a prospective client was in the process of building out a new team and didn’t have the resources to fully identify and understand their current exposure. Using open and closed intelligence sources, I was able to identify and contextualize actors on various forums and sites through the incidents I was producing, to show a much fuller representation of their digital risk. In doing so I was able to help the client understand what actors were a risk to their organization and, specifically, what tools and techniques they used. This then allowed the client to improve their security and mitigation measures accordingly.

Q: What’s one thing that most people won’t know about you?

A: I like to study cold cases in my off time. I know it sounds odd, but I like to attempt to understand the mind of all sorts of criminals, their crimes, and victims. You can never truly predict crime, but understanding how different variables can influence crime is a great way to start. This easily translates into how we understand other phenomena such as financial crimes, terrorism, extortion, warfare, and so much more.


Heather is a University of Texas at Dallas alumna with a BA in Criminology, MS in Criminology, and Certificate in Cybersecurity. She is passionate about intelligence analysis and understanding the “why” and “how” behind campaigns, actors and their targets. She currently works directly with clients to help identify their risks and showcase Digital Shadows’ SearchLight capabilities. Outside of work, Heather enjoys camping and venturing to new record shops when the opportunities arise.



Understanding Threat Modelling Wed, 29 Aug 2018 16:03:16 +0000

What is a threat model?

Threat modelling, as defined by OWASP, “works to identify, communicate, and understand threats and mitigations within the context of protecting something of value”. It is a way of structuring thinking around what critical assets an organization has and which are the likely threats to that organization. There are many different ways of applying threat modelling; in our latest podcast, we discussed a more general approach that is relevant for any company that has assets they wish to protect.

Define critical assets

A company’s own measure of criticality may not match an attacker’s thought process, which means that it can be tricky to understand what constitutes a “critical asset”. Social media accounts may not be considered a critical asset by the business, but they are routinely targeted by attackers. One useful place to start is with the regulator, who will often mandate this themselves. PCI compliance around payment card information is one example of this, but there are many others; financial services, pharmaceuticals, oil and gas and many other industries have their own compliance and regulation considerations.

Common examples of critical business assets are databases holding customer data, payment processing systems, employee access systems, trading platforms or exchanges, or Enterprise Resource Planning (ERP) applications (you can read more on threats to ERP applications in our joint research with Onapsis ERP Applications Under Fire).

Understand what attackers want

With critical assets defined, it’s then important to understand how these assets may be targeted. FIN7, for example, went after payment card data and non-public information. The GRU sought emails, analytics and internal documents. The Syrian Electronic Army (SEA) targeted social media accounts.

This might not be immediately obvious as your data may be appealing as a stepping stone in a much larger operation. Some actors, such as the Winnti Umbrella, targeted gaming companies to steal cryptographic material that would be used to sign malware in subsequent attacks. In fact, adversaries target organizations for a wide range of reasons, many of which we outlined in a previous blog Keep Your Eyes on the Prize.

Understand threat actor capability and intent

The next stage is to gain an understanding of the threat landscape. A first step is to list the different types of threat actor, including:

  • Hacktivists, such as Anonymous hacking HBGary
  • Insiders (both intentional and accidental), such as the various NSA leaks and HMRC leaks
  • Competent individual hackers, such as Phineas Fisher targeting Hacking Team
  • Criminal groups, such as FIN7, which went after payment card data and non-public information
  • Nation-state actors, such as the GRU, which sought emails, analytics and internal documents
  • Nation-state proxies, such as the Syrian Electronic Army (SEA), which targeted social media accounts

For each type of attacker, you need to know their capability and intent.

  1. Develop an understanding of the adversaries’ tactics, techniques and procedures (TTPs). To understand a group’s capability, Mitre ATT&CK, which helpfully maps adversary campaigns to known techniques and software, is a great resource.
  2. Consider why a particular type of threat actor would target your organization. What do they hope to gain? What are their goals?

Develop scenarios

With critical assets and the most likely adversaries identified, scenarios must be developed. Work on the premise that an example threat actor typically targets one of the organization’s critical assets and map out the typical attack path using known TTPs. These scenarios could be played out as a red team, purple team or even as a table-top exercise.

The most important aspect of these scenarios is to identify which security controls are in place to mitigate, prevent and detect the specific threat actor’s tradecraft. This enables you to uncover gaps in controls and work out a remediation plan.
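The four steps above (define assets, understand what attackers want, assess capability and intent, develop scenarios) reduce to a small data exercise: for each likely adversary and the asset it targets, list the TTPs it is known to use and subtract the TTPs your controls already prevent or detect. What remains is the control gap the scenario should exercise. The following is an added example, not code from the post or from Digital Shadows; the actor-to-asset pairings follow the post (FIN7 and payment card data, the GRU and emails and internal documents, the SEA and social media accounts), while the ATT&CK technique IDs (current ATT&CK numbering, not on the page) and the control coverage per asset are constructed assumptions.

```python
"""Threat-model gap analysis: critical assets x likely adversaries -> control gaps.

Added example, not code from the Digital Shadows post. Actor/asset pairings
follow the post; the ATT&CK technique IDs and the control coverage per asset
are constructed assumptions for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class ThreatActor:
    name: str
    intent: str          # what this actor typically wants from a victim
    ttps: frozenset      # ATT&CK technique IDs the actor is known to use


@dataclass(frozen=True)
class Asset:
    name: str
    criticality: int     # 1 (low) .. 5 (critical), as judged by the business
    covered: frozenset   # technique IDs that existing controls prevent or detect


# Step 1: critical assets and the coverage of today's controls (constructed).
ASSETS = {
    "payment processing": Asset("payment processing", 5,
                                frozenset({"T1566.001", "T1204.002", "T1021.002"})),
    "email and file shares": Asset("email and file shares", 4,
                                   frozenset({"T1566.001", "T1566.002", "T1048"})),
    "corporate social media": Asset("corporate social media", 2, frozenset()),
}

# Steps 2 and 3: intent and capability (TTPs) per actor type (constructed IDs).
ACTORS = [
    ThreatActor("FIN7 (criminal group)", "payment card data",
                frozenset({"T1566.001", "T1204.002", "T1021.002", "T1113", "T1074.001"})),
    ThreatActor("GRU (nation state)", "emails and internal documents",
                frozenset({"T1566.002", "T1078", "T1021.002", "T1048"})),
    ThreatActor("Syrian Electronic Army (nation-state proxy)", "social media accounts",
                frozenset({"T1566.002", "T1078"})),
]

# Which actor is expected to go after which asset.
TARGETING = {
    "FIN7 (criminal group)": ["payment processing"],
    "GRU (nation state)": ["email and file shares"],
    "Syrian Electronic Army (nation-state proxy)": ["corporate social media"],
}


def scenario_gaps(actor: ThreatActor, asset: Asset) -> list[str]:
    """Techniques in the actor's playbook that no control on the asset covers."""
    return sorted(actor.ttps - asset.covered)


def build_scenarios(actors, assets, targeting):
    """Step 4: one scenario per (actor, targeted asset), most urgent first.

    Ordering is by asset criticality, then by the number of uncovered
    techniques; that is the order a remediation plan should work through.
    """
    by_name = {a.name: a for a in actors}
    scenarios = []
    for actor_name, asset_names in targeting.items():
        actor = by_name[actor_name]
        for asset_name in asset_names:
            asset = assets[asset_name]
            gaps = scenario_gaps(actor, asset)
            scenarios.append({
                "actor": actor.name,
                "asset": asset.name,
                "criticality": asset.criticality,
                "gaps": gaps,
                # share of the actor's TTPs that at least one control addresses
                "coverage": round(1 - len(gaps) / len(actor.ttps), 2),
            })
    scenarios.sort(key=lambda s: (-s["criticality"], -len(s["gaps"])))
    return scenarios


if __name__ == "__main__":
    for s in build_scenarios(ACTORS, ASSETS, TARGETING):
        print(f"{s['actor']} -> {s['asset']} (criticality {s['criticality']}): "
              f"{int(s['coverage'] * 100)}% of TTPs covered; "
              f"gaps: {', '.join(s['gaps']) or 'none'}")
```

Each entry in the ranked output is one scenario to play as a red team, purple team or table-top exercise: the actor, the asset, and the specific techniques no control currently addresses. Re-running the analysis after a control is added (moving an ID into the asset's covered set) shows directly which scenario it closes.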


Not all organizations will be the target of a nation state or an organized crime group, but their assets could still be valuable to an adversary’s longer-term goal. By identifying assets, understanding the threat landscape and developing scenarios, organizations are able to know how their defenses stack up against the most likely threats to their assets. Most importantly, they can then focus on improving the areas most relevant to the risks they face. Check out the podcast to hear the discussion in full!


To stay up to date with the latest Digital Shadows threat intelligence and news, subscribe to our threat intelligence emails here.

ShadowTalk Update – 08.27.2018 Mon, 27 Aug 2018 14:54:24 +0000

With November’s U.S. midterm elections fast-approaching, we dive into the latest threats and discuss how organizations can understand the threat posed to them by such malicious actors. Dr Richard Gold, Head of Security Engineering at Digital Shadows, joins Mike Marriott to discuss threat modeling; outlining the steps organizations can take to define their critical assets, understand the threat landscape, and create scenarios based on these. This enables organizations to identify security controls that are in place to mitigate, prevent and detect a specific threat actor’s tradecraft, as well as uncover gaps in controls and establish a remediation plan.



Microsoft seizes six domains attributed to APT-28

Six Web domains spoofing the United States Senate and two Republican think tanks have been seized by Microsoft. The domains were attributed to the Russian threat group APT-28 (aka Fancy Bear), although reporting has cited no evidence to corroborate this assessment. In the prelude to the 2018 mid-term elections, Microsoft has increased efforts to identify and block malicious websites. After the 2016 United States presidential election, spoofed domains were detected that had allegedly been used as conduits for phishing attacks and were attributed to Russian threat actors.


Malware strikes finance industry via Necurs botnet and TA5

The Necurs botnet and the TA505 threat group featured in recently reported cyber incidents and are interlinked: TA505 has relied heavily on the botnet’s infrastructure for its spam campaigns, and Necurs’ periods of dormancy have coincided with decreased TA505 activity. Between 15 and 16 Aug 2018, two campaigns were identified that specifically targeted the finance industry. The first sought to coerce victims into opening malicious attachments to distribute the “FlawedAmmyy” remote-access trojan (RAT) via Necurs. The second involved the distribution of a new modular malware variant, “Marap”, and has been attributed to TA505 by security researchers at Proofpoint.


CyberBerkut outlines sabotage plan in Ukrainian documents

Pro-Russian hacktivist group CyberBerkut released a series of Ukrainian-language documents on 15 Aug 2018, allegedly outlining a sabotage plan headed by the Special Forces of Ukraine to contaminate the waters of the Donets river with radioactive material. The group did not provide details as to how the documents were obtained. The release of allegedly classified documents is consistent with previous CyberBerkut activity; however, the group has a history of releasing fraudulent information, so the legitimacy of the documents could not be independently confirmed. CyberBerkut will likely remain active, given the geopolitical climate surrounding Ukraine and Russia, and Ukraine’s Independence Day on 24 Aug 2018.


DarkHotel targets newly patched Internet Explorer vulnerability

A newly patched vulnerability in Microsoft Internet Explorer has been actively targeted by the threat group “DarkHotel”. CVE-2018-8373 can be exploited by an attacker to execute arbitrary code, as the vulnerability affects how scripting engines handle objects in memory. Recent versions of Internet Explorer disable the execution of Visual Basic Script by default, but older versions are susceptible; Microsoft has released a patch to address this flaw. DarkHotel has been known to target zero-day and new vulnerabilities as standard modus operandi; reporting did not specify which industry this particular campaign targeted.




Online Cybercrime Courses: Back to School Season Thu, 23 Aug 2018 14:16:43 +0000

It’s that time of year again. Summer is drawing to a close and retailers are making the most of the rush to stock up on supplies and learning materials before classes begin. However, as we highlighted last year in our Inside Online Carding Courses Designed for Cybercriminals report, a market has emerged for a very different type of university experience.

Cybercriminals have been offering their own e-learning hacking and carding courses, complete with webinars, tutors and reading lists for some time. These types of courses were traditionally advertised across a wide range of marketplaces and forums; however, with the takedowns of AlphaBay and Hansa marketplaces in 2017, cybercriminals are incorporating other platforms to publicize their services.


The University of Cybersecurity and Anonymity: Promoting Academic Excellence

In a recent development to the cybercrime university ecosystem, our Russian-language specialists unearthed new high-spec courses and tutors being advertised. Rather than rely on dark web marketplaces, however, sellers of these courses host free lecture videos on Telegram and then use these to further promote their cybercrime services. In Figure 1 below, a tutor held a botnet-related lecture on Telegram and then advertised their new University of Cybersecurity and Anonymity programme, complete with a dedicated website.

Figure 1: Plastikcash University of Cybersecurity and Anonymity website

With a slick website, experienced tutors, and a course structure that would not look out of place at the most established and legitimate education providers, this example demonstrates how cybercriminals are looking to further professionalize their offerings and monetize their expertise by training less-sophisticated actors. To further entice students, the University of Cybersecurity and Anonymity has even produced its own minute-long video advertisement, which has been played over 3,000 times on mainstream video sharing platforms. This particular programme is priced at 75,000 Rubles ($1,100 USD), payable in Bitcoin, and offers four different global courses, three practising tutors, 70 unique lectures and over 40 educational days.

Figure 2: Carding University course topics as advertised on Plastikcash website

Fraudsters within the carding industry will not necessarily remain fraudsters forever, often looking to move up the criminal hierarchy. This programme seemingly acknowledges this, with the courses offering much more than basic carding techniques; instead it includes lectures and workshops on currency laundering, cash withdrawal schemes, social engineering, botnet creation and use of exploits.


University League Tables

The University of Cybersecurity and Anonymity is a further example of the broad range of online courses and tutorials available to aspiring amateur criminals. As we detailed in our Online Carding Course whitepaper, such services vary widely in quality and price. At the lower end of the scale are guides offered for as little as $1, which typically involve no tutor interaction or course material. These are self-paced and generic tutorials, unlike the University of Cybersecurity and Anonymity, which claims to offer a fully-comprehensive, immersive and tutor-led experience.


Online Tutorials as a System of Exchange

While these course packages allow cybercriminals to make money from their expertise, online tutorials are also used as a bartering medium between actors on forums. In Figure 3 the forum user offers free carding tutorials specifically for eBay and PayPal, including both theory and practical elements. However, rather than asking for a pecuniary fee, users have to instead promise to write positive reviews of the user’s services on various platforms.

Figure 3: Free eBay and PayPal carding tutorials offered on a Russian-language forum


In the above example, the user ‘truefalk’ also attempts to upsell their other services. Here they request that carding tutees should purchase stolen payment card information directly from truefalk. This practice of using online tutorials as a freebie to then advertise a wider array of services is not uncommon. The user ‘Smart666tiger’, who was previously an active seller on the AlphaBay and Hansa marketplaces, has offered free carding tutorials on several online forums, and then used these posts to provide links to paid tutorials and carding services on their Satriale Silk Road marketplace shop.

Figure 4: smart666tiger advertising carding tutorial shared on Satriale’s Silkroad 3.1

Figure 5: smart666tiger paid carding tutorials offered for sale on Silkroad 3.1

The evolution of online cybercrime and carding courses is a worrying trend for organizations and consumers, with more amateur actors having access to the training needed to embark on a cybercriminal career. Nevertheless, a knowledge of these trends and the techniques being advertised in these courses gives us a valuable insight into the methods being used to target individuals and businesses. With this understanding, defenders can look to increase friction at every stage of the cybercriminal process – whether it’s training employees on how to avoid being the victim of the latest social engineering tricks or how criminals are bypassing anti-fraud and banking checks.


To learn more about the carding ecosystem, download our whitepaper, Inside Online Carding Courses Designed for Cybercriminals.

Mitre ATT&CK™ and the FIN7 Indictment: Lessons for Organizations Wed, 22 Aug 2018 15:57:44 +0000

On August 1, 2018, the US Department of Justice unsealed an indictment against three members of the international cybercrime group known as FIN7. We previously wrote about what FIN7 is, the implications of this indictment and some of the fascinating details of their campaigns, such as the use of a front company that was used to mask the criminal operations. As we did before with the GRU indictment, we wanted to maximize the lessons learned for defenders and therefore used the Mitre ATT&CK framework to replay the FIN7 indictment.

Threat model

FIN7 clearly applied Sutton’s Law when it came to their targeting; a law named after the infamous bank robber, Willie Sutton, who is reported to have explained his choice of targets as “that’s where the money is.”

According to the indictment, FIN7 targeted the following types of company, which, among many others, typically had a high frequency of payment card transactions:

  • credit union
  • hotel & casino
  • restaurant chain
  • automotive retail and repair chain

The above is but a small slice of the 120 identified businesses that were targeted by the criminal group. The relevance of this to the target’s threat model is that although the targets may well have been expecting attacks against the payment card data and other proprietary and non-public information, they may not have been expecting such a motivated and capable attacker.


Stage #0: Reconnaissance

ATT&CK TTP: People Information Gathering, Organizational Information Gathering, Organizational Weakness Identification, People Weakness Identification


FIN7’s primary method for gaining access to their targets was through social engineering. In order for this to be effective, the attackers looked for two main types of target and gathered information on them accordingly:

  • Employees that regularly dealt with customers or external partners were prime targets. For restaurants in particular, FIN7 looked for employees who dealt with catering requests, hotel or table reservations, or complaints about quality or service. In certain cases, FIN7 would then make a follow-up phone call to walk the target through the process of opening the malicious attachment containing malware.
  • FIN7 also “sent phishing emails to personnel at victim companies who had unique access to internal proprietary and non-public company information, including, but not limited to, employees involved with making filings with the United States Securities and Exchange Commission (“SEC”)”. One such FIN7 campaign targeted several hundred organizations and specifically targeted employees with the “Financial Filing [Reporting] Analyst” job title who would have the responsibilities mentioned.

The challenging aspect with these kinds of attacks for a defender is that they target people whose job it is to open emails from strangers on the Internet all day. The technical information that was used, email addresses and phone numbers, is information that needs to be publicly available for the business to operate.

DS mitigation advice: Care and awareness should be taken when determining what information about the organization and its employees is made public, in particular email and telephone contact details. Certain job titles may be of more interest to attackers due to the responsibilities and access that specific employees may have; these employees may require dedicated training to educate them about the threats they face as part of their job. Social media searches can be used by attackers to uncover these employees; however, public documents, such as SEC filings, can also reveal these employees and their contact details.

Stage #1: Initial Access

ATT&CK TTP: Spearphishing attachment

FIN7’s typical TTP was a spearphishing email with a malicious attachment, usually a Microsoft Word .doc, .docx or .rtf document. The documents used a variety of pretexts to convince the target to open the attachment. Two examples of pretexts include:

  1. “when targeting a hotel chain, the purported sender of the phishing email might falsely claim to be interested in making a hotel reservation”
  2. “when targeting a restaurant chain, the purported sender of the phishing email might falsely claim to be interested in placing a catering order or making a complaint about prior food service at the restaurant”

These pretexts follow directly from the reconnaissance phase of the campaign and require that the attackers understand the business processes of their targets.

When FIN7 were conducting their SEC-based spearphishing attacks, they impersonated the SEC to their targets. According to the indictment “these emails used an email address that spoofed an email address associated with the SEC’s electronic filing system”.

FIN7 also used phone calls to increase the likelihood of their malicious attachments being opened. Masquerading as customers or business partners, FIN7 called up their targets and walked them through the process of opening the malicious attachments to gain their initial access.

DS mitigation advice: Security teams need to understand attackers and their goals as well as the business processes of their own organizations. Organizations which operate inside a regulated environment may need to implement additional security controls (both technical and procedural/administrative) to verify communications with the regulator. Public-facing employees may require dedicated tools to open potentially malicious attachments safely, such as sandboxes or cloud services.

Stage #2: Execution

ATT&CK TTP: User Execution

In order to deploy their malware, “FIN7 used a variety of malware delivery mechanisms in its phishing attachments including, but not limited to, weaponized Microsoft Word macros, malicious Object Linking and Embedding (OLE) objects, malicious visual basic scripts or JavaScript, and malicious embedded shortcut files (LNK files)”. It is notable here that FIN7, a very successful threat actor, did not routinely use exploits as part of their campaigns. Their tactical flexibility in switching to different methods to gain code execution via social engineering is what made them so dangerous.

According to the indictment, FIN7 used the Carbanak malware as part of their attacks. Open source reporting indicates that FIN7 also used the BATELEUR, HALFBAKED, BIRDDOG and GRIFFON malware and, in the case of the SEC-based attacks, the POWERSOURCE and TEXTMATE malware as well as the Cobalt Strike Beacon payload.

DS mitigation advice: Attack surface reduction by disabling Windows scripting systems where appropriate is a powerful technique for mitigating email-borne threats. The ACSC (Australian Cyber Security Centre) has detailed guidance available on how to disable macros, including how to take account of business processes and legitimate business requirements for macros and how to mitigate the risk they incur. OLE package activation can also be disabled where possible. LNK files can be blocked by email filtering gateways to prevent them from reaching targeted users. Windows Script Host (WSH) can be disabled where possible, or restricted where it cannot be, to mitigate its risks. However, it is worth noting that FIN7 digitally signed their spearphishing documents, which had scripts enabled, to bypass security controls designed to prevent the execution of untrusted macros, so this needs to be incorporated into an organization’s threat model.

Stage #3: Persistence

ATT&CK TTP: Application Shimming

While not explicitly detailed in the indictment, FIN7 used a variety of techniques for maintaining persistence in a compromised environment. These include application shimming, where a built-in Windows technology was used to patch the Microsoft Windows services.exe process in memory. Open source reporting also states that FIN7 used this technique to persist in the payment card environment.

DS mitigation advice: Microsoft (as of 2017) has been blocking the loading of arbitrary DLLs as shim DLLs. Microsoft has also released an optional patch update (KB3045645) that will remove the “auto-elevate” flag within the sdbinst.exe. This will prevent use of application shimming to bypass UAC.

Stage #5: Defense Evasion

ATT&CK TTP: Obfuscated Files or Information

FIN7 used a wide range of novel obfuscation techniques for their payloads to evade detection. Daniel Bohannon built the Invoke-DOSfuscation tool inspired by the encoding tricks used by FIN7 as they were so novel at the time. The energy expended by FIN7 into obfuscation clearly demonstrates how key defense evasion was to their operations.

DS mitigation advice: Ensuring that antivirus and other detection mechanisms are fully up-to-date with the latest signatures and heuristics is essential for increasing the likelihood that obfuscated payloads are detected and quarantined appropriately. Organizations may wish to investigate the usage of EDR systems for advanced endpoint protection. Microsoft’s AMSI can be used to capture obfuscated PowerShell scripts after they have been deobfuscated. Script Block Logging for PowerShell can also be used to capture PowerShell scripts after they have been deobfuscated.
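Script Block Logging records the text of each script block as it executes, so layered obfuscation is unwound stage by stage in the log and the outermost stage still shows its tricks. That makes the log a good place to score entries for the tick-mark, character-code and encoded-command patterns that tools such as Invoke-DOSfuscation catalogue. The following is an added example, not code from the post or from Digital Shadows: a small triage scorer run over constructed stand-ins for the ScriptBlockText of Microsoft-Windows-PowerShell/Operational event 4104. The indicator patterns, weights and threshold are assumptions and deliberately crude; a benign script with one escape sequence stays below the threshold, and counts are capped so no single trick dominates.

```python
"""Triage PowerShell script-block log entries for obfuscation indicators.

Added example, not from the Digital Shadows post. EVENTS are constructed
stand-ins for the ScriptBlockText field of event 4104; the indicator
patterns, weights and threshold are assumptions for illustration.
"""
from __future__ import annotations

import base64
import re

# regex -> (weight, description). Each count is capped at 3 in score_script.
INDICATORS = {
    r"[A-Za-z]`(?=[A-Za-z])": (1.0, "backtick inside an identifier"),
    r"\[char\]\s*\d+": (0.5, "[char] integer cast"),
    r"-join\b": (1.0, "-join of fragments"),
    r"\[array\]::Reverse|\[string\]::Join": (1.5, "array reverse / string join"),
    r"\(\s*'[^']{1,3}'\s*\+\s*'": (1.0, "concatenation of short string literals"),
    r"\{\d+\}.*-f\s": (1.5, "format-operator reordering"),
    r"(?i)\biex\b|invoke-expression": (2.0, "invoke-expression"),
    r"(?i)-e(nc|ncodedcommand)?\b\s+[A-Za-z0-9+/=]{20,}": (3.0, "encoded command"),
}

# Constructed sample: a harmless command encoded the way -EncodedCommand expects.
ENCODED = base64.b64encode("Write-Host hi".encode("utf-16le")).decode()

EVENTS = [  # constructed 4104 script-block texts
    {"id": 1, "text": "Get-ChildItem C:\\Users -Recurse | Where-Object { $_.Length -gt 1MB } | Select-Object FullName"},
    {"id": 2, "text": 'Write-Output "Backup finished`nNext run tomorrow"'},
    {"id": 3, "text": "I`E`X (-join ([char]87,[char]114,[char]105,[char]116,[char]101,[char]45,"
                      "[char]72,[char]111,[char]115,[char]116,[char]32,[char]104,[char]105))"},
    {"id": 4, "text": "$s = ('Wr'+'ite-'+'Ho'+'st'); & $s (\"{1}{0}\" -f 'there','Hi ')"},
    {"id": 5, "text": f"powershell.exe -NoProfile -EncodedCommand {ENCODED}"},
]


def score_script(text: str) -> tuple[float, dict[str, int]]:
    """Weighted sum of indicator hits (each capped at 3) plus the hits that fired."""
    score, hits = 0.0, {}
    for pattern, (weight, label) in INDICATORS.items():
        count = len(re.findall(pattern, text))
        if count:
            hits[label] = count
            score += weight * min(count, 3)
    return round(score, 2), hits


def triage(events, threshold: float = 2.0):
    """Events scoring at or above threshold, highest first, with their hits."""
    flagged = []
    for event in events:
        score, hits = score_script(event["text"])
        if score >= threshold:
            flagged.append({"id": event["id"], "score": score, "hits": hits})
    return sorted(flagged, key=lambda f: -f["score"])


if __name__ == "__main__":
    for finding in triage(EVENTS):
        print(f"event {finding['id']}: score {finding['score']} {finding['hits']}")
```

In practice the scorer would read event 4104 from a SIEM or from `Get-WinEvent` output rather than a constructed list, and the flagged entries would be reviewed alongside the deobfuscated child blocks that Script Block Logging records for the same script. Tuning the weights against a baseline of your own administrators' scripts is what keeps the false-positive rate acceptable.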

Stage #6: Credential Access

ATT&CK TTP: Input Capture

As part of their post-exploitation activities, FIN7 stole employee credentials in order to move around the internal networks of their targets. One of the techniques detailed in the indictment is the use of video recording and screenshot capturing to steal credentials. It can safely be assumed, due to the types of attack tools that FIN7 used (such as Cobalt Strike), that other techniques such as Credential Dumping were also used, but this is not explicitly mentioned in the indictment. Capturing legitimate credentials and reusing them, in conjunction with effective social engineering techniques, were crucial to FIN7’s success.

DS mitigation advice: Improving credential hygiene by never reusing a password across systems reduces the impact of credential theft. While the attacker can still access the system whose credentials they captured, the lack of password reuse limits the damage to that affected system.

Stage #8: Lateral Movement

ATT&CK TTP: Remote Services

According to open source reporting, FIN7 used the Windows administration tool psexec from inside of the Cobalt Strike threat emulation software. Psexec allows a privileged user to execute commands on a remote system and is a common tool for lateral movement used by attackers. Additional reporting indicates that psexec is how FIN7 moved from the corporate environment into the payment card environment.

DS mitigation advice: John Lambert of Microsoft’s Threat Intelligence center recommends defeating psexec remote attacks by changing the security descriptor of the Service Control Manager (SCM). Such changes require testing and possible adaptation to the local environment as they may interfere with existing administration techniques. In general, lateral movement should be restricted as much as possible by restricting workstation-to-workstation communication (via firewalling or even private VLANs) and by applying the principle of least privilege to ensure that only the necessary personnel have the administration privileges required for certain actions. Additional guidance for securing Active Directory against typical attacks can be found on the excellent, in particular “The Most Common Active Directory Security Issues and What You Can Do to Fix Them”.

Stage #9: Collection

ATT&CK TTP: Data from Local System/Network Shared Drive, Input Capture, Screen Capture, Data Staged

FIN7 spent a great deal of effort on post-exploitation activities. Once the initial access had been gained and the target systems implanted with malware, FIN7 would then perform the following activities:

  • “capturing screen shots and videos of victim computer workstations that provided the conspirators with additional information about the victim company computer network and non-public credentials for both generic company accounts and for actual company employees”.
  • “install and manage additional malware, conduct surveillance, map and navigate the compromised computer network, compromise additional computers, exfiltrate files, and send and receive data”.

The goal of this post-exploitation activity was twofold:

  1. Locate and extract payment card data (which was later resold on Joker’s Stash and other carding sites or used by FIN7 themselves to make fraudulent purchases)
  2. Locate and extract internal company information

It is currently unclear what FIN7 did with the internal company information it purloined; however, non-public information on a company regulated by the SEC may be useful for front running and other types of fraud.

According to the indictment “FIN7 often utilized various ‘off-the-shelf’ software and custom malware” and “FIN7 configured malware to extract, copy, and compile the payment card data”. This implies that FIN7 had access to the Point of Sale (POS) devices that were used to accept payment card transactions, possibly via a RAM scraper.

DS mitigation advice: FIN7 compiled the payment card data inside of the compromised environment. Sudden anomalies in the amount of storage used by particular machines could be an indication of unusual activity and may be worth investigating. Application whitelisting can be used to prevent the execution of unauthorized code in an environment and can prevent the execution of certain types of malware.

Stage #10: Exfiltration

ATT&CK TTP: Data Compressed, Data Encrypted, Exfiltration Over Other Network Medium

The indictment does not provide details of exactly how FIN7 exfiltrated stolen information out of compromised environments. However, it is likely that they were capable of using most standard exfiltration techniques such as HTTPS. FIN7 used leased servers, most likely from cloud providers, as part of their operations and so it is highly probable that they used these servers to move their stolen data too.

DS mitigation advice: Blocking egress traffic that is not necessary for the organization’s requirements limits an attacker’s options for communicating outside the organization. Web proxies can provide granular controls for restricting egress traffic types and destinations. DNS traffic can be used by attackers to move data out of environments where other controls are present; although DNS exfiltration is slow, it is effective, so DNS traffic should be inspected for malicious activity.
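To make the DNS inspection advice concrete, here is an added example (not code from the post or from Digital Shadows) that profiles a constructed resolver log per client and registered domain and flags the combination the advice describes: one client issuing many distinct, long, high-entropy subdomain queries under a single domain, which is how data leaves over DNS when other egress paths are blocked. The log lines, the two-label registered-domain rule and the thresholds are assumptions; a production version would use the public suffix list and tune thresholds against a baseline of the organization's own resolver traffic.

```python
"""Flag DNS query patterns consistent with data moving out over DNS.

Added example, not from the Digital Shadows post. SAMPLE_LOG is a constructed
resolver log (timestamp, client, query name, type); the thresholds and the
two-label registered-domain rule are assumptions for illustration.
"""
from __future__ import annotations

import math
from collections import Counter, defaultdict

SAMPLE_LOG = """\
2018-08-20T10:00:01Z 10.0.0.5 www.example.com A
2018-08-20T10:00:02Z 10.0.0.5 mail.example.com A
2018-08-20T10:00:03Z 10.0.0.5 cdn.example.com A
2018-08-20T10:00:04Z 10.0.0.7 3a9f1c0b7e2d4f6a8b1c.up.bad-example.net TXT
2018-08-20T10:00:04Z 10.0.0.7 5d2e8a7b9c0f1e3d4a6b.up.bad-example.net TXT
2018-08-20T10:00:05Z 10.0.0.7 9c4b2a1f0e8d7c6b5a49.up.bad-example.net TXT
2018-08-20T10:00:05Z 10.0.0.7 0f1e2d3c4b5a69788796.up.bad-example.net TXT
2018-08-20T10:00:06Z 10.0.0.7 a1b2c3d4e5f60718293a.up.bad-example.net TXT
2018-08-20T10:00:06Z 10.0.0.7 7e6d5c4b3a2f1e0d9c8b.up.bad-example.net TXT
2018-08-20T10:00:09Z 10.0.0.7 www.example.com A
"""


def shannon_entropy(s: str) -> float:
    """Bits per character; encoded payload labels score higher than words."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname: str) -> str:
    """Assumption: the last two labels are the registered domain (no PSL here)."""
    return ".".join(qname.split(".")[-2:])


def parse_line(line: str) -> dict:
    ts, client, qname, qtype = line.split()
    return {"ts": ts, "client": client, "qname": qname.rstrip(".").lower(), "qtype": qtype}


def profile(lines):
    """Per (client, registered domain): query count, distinct subdomains, label stats."""
    groups = defaultdict(lambda: {"queries": 0, "subdomains": set(),
                                  "label_lens": [], "entropies": []})
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        domain = registered_domain(rec["qname"])
        sub = rec["qname"][:-(len(domain) + 1)] if rec["qname"] != domain else ""
        first_label = rec["qname"].split(".")[0]
        g = groups[(rec["client"], domain)]
        g["queries"] += 1
        g["subdomains"].add(sub)
        g["label_lens"].append(len(first_label))
        g["entropies"].append(shannon_entropy(first_label))
    return groups


def detect_dns_exfil(lines, min_unique: int = 5, min_label_len: int = 16):
    """Groups with many distinct subdomains whose leftmost label is unusually long."""
    findings = []
    for (client, domain), g in profile(lines).items():
        mean_len = sum(g["label_lens"]) / len(g["label_lens"])
        mean_entropy = sum(g["entropies"]) / len(g["entropies"])
        if len(g["subdomains"]) >= min_unique and mean_len >= min_label_len:
            findings.append({"client": client, "domain": domain, "queries": g["queries"],
                             "unique_subdomains": len(g["subdomains"]),
                             "mean_label_len": round(mean_len, 1),
                             "mean_entropy": round(mean_entropy, 2)})
    return sorted(findings, key=lambda f: -f["unique_subdomains"])


if __name__ == "__main__":
    for f in detect_dns_exfil(SAMPLE_LOG.splitlines()):
        print(f"{f['client']} -> {f['domain']}: {f['unique_subdomains']} distinct subdomains, "
              f"mean label length {f['mean_label_len']}, entropy {f['mean_entropy']}")
```

The two thresholds are the knobs: `min_unique` separates one-off lookups from a stream, and `min_label_len` separates ordinary hostnames from labels carrying encoded data. The per-group entropy is reported rather than thresholded because short benign labels (CDN hashes, for instance) can score high on entropy alone; the combination with volume and length is what makes the finding worth a look.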


While the information presented in the indictment is not exhaustive (details of the Discovery and Command and Control phases were not present, for example), it presents a view of a motivated, persistent and capable adversary. FIN7 used a wide range of tactics and took many steps to ensure the effectiveness of their social engineering techniques. Organizations should look to the TTPs used by FIN7 as an example of what financially motivated adversaries are capable of and what steps can be taken to mitigate the risk posed by these groups. Security teams are advised to consider the business processes of the organization that they are protecting and consider how attackers may exploit them.

ShadowTalk Update – 08.20.2018 Mon, 20 Aug 2018 14:31:34 +0000

In this week’s ShadowTalk, we dig into ATM fraud. Digital Shadows’ Strategic Intelligence manager Rose Bernard joins Rafael Amado to discuss four separate ATM stories making headlines this week. In Part I, they’ll cover an alert on an impending “ATM cash-out” campaign issued by the FBI, and how India’s Cosmos Bank lost $13.5m in cyberattacks after actors bypassed the internal ATM switch system. In Part II, Rafael and Rose will look into flaws discovered in NCR ATM currency dispensers, and a new Bitcoin ATM malware advertised for sale on the dark web. For more on how actors acquire and then use stolen payment card information, check out Digital Shadows’ Five Threats to Financial Services blog series, available on


Evolving ATM attacks prey on cryptocurrency users

A variant of malware targeting Bitcoin ATMs has appeared for sale on a dark Web forum. Although the technical details of the malware are unknown, positive seller reviews indicate it is likely a functioning product. Attacks targeting Bitcoin ATMs are less common than those against standard ATMs, likely due to the machines’ relative scarcity; as Bitcoin ATMs become more prevalent, the rate of such attacks will likely increase.


Intel processors vulnerable to Foreshadow flaw

On 14 Aug 2018 security researchers released information on a flaw affecting Intel processors from 2015 onward, dubbed Foreshadow. There are two versions: Foreshadow uses a speculative execution attack to exfiltrate information from Intel SGX enclaves; Foreshadow Next Generation (Foreshadow-NG) can be used to exfiltrate any information on the operating system (OS) kernel memory and System Management Mode (SMM) memory, plus potentially any information on virtual machines linked on the same cloud. “Spectre” and “Meltdown”, two previous flaws affecting Intel chips, both enabled speculative execution attacks. Intel released a patch for both versions of Foreshadow on 13 Aug 2018. Foreshadow has been assigned CVE-2018-3615, Foreshadow-NG for OS kernel and SMM mode has been assigned CVE-2018-3620, and Foreshadow-NG for virtual machines has been assigned CVE-2018-3656.


DarkHydrus linked to another spearphishing campaign

Newly identified threat group DarkHydrus was observed using open-source tool Phishery in a spearphishing campaign seeking to harvest Microsoft Windows credentials. The attack targeted a Middle Eastern educational institute and appears to be part of an ongoing campaign. Given the consistent activity of campaigns by DarkHydrus, more attacks targeting the government and education sectors are likely.


Lazarus Group: Historical analysis reveals malware code re-use; new research into RAT

Malware analysis has identified significant code re-use in campaigns attributed to North Korean threat groups, including Lazarus Group. One of the examples cited was code used in the “WannaCry” (aka WCry) attacks in 2017, which was also identified in malware samples dated from 2009. Code re-use saves time for attackers but also assists analysts in linking attacks and assigning attribution. Another incident reported this week involved the United States Computer Emergency Readiness Team publishing a technical advisory on the malware variant “KEYMARBLE”, attributed to the North Korea-linked threat actor “HIDDEN COBRA” (aka Lazarus Group). The advisory detailed one malware sample, a malicious 32-bit Windows executable file that functions as a RAT. No targeting data related to the malware was published.


Five Threats to Financial Services: Part Five, Hacktivism Wed, 15 Aug 2018 16:08:18 +0000 OK, so it’s not as sexy as insider threats, banking trojans, phishing campaigns or payment card fraud, but hacktivism is still a threat that organizations should be concerned with. In this final post on threats to financial services, we’ll outline recent developments in the hacktivist world and focus on the threat posed by one campaign in particular: OpIcarus.


What is Hacktivism?

Hacktivism is the extension of activism into the information security sphere, using tactics like defacement, doxing and denial of service (DoS) to achieve political or ideological goals. The success of hacktivist operations varies significantly, depending on A) levels of participation and B) levels of organization.

The Anonymous collective has been the main brand of hacktivism since its emergence in 2008, but it has since splintered into smaller, regional hacktivist groups who target companies in line with regional and national geopolitical objectives. (For more on this shift, you can read our blog about the emergence of the Anonymous collective and its subsequent transformation).



Over the past two years, we have published several blogs on the various iterations of OpIcarus, a campaign first launched by Anonymous. OpIcarus began as a planned physical protest on February 8, 2016, calling for action to “shut down the banks” and disrupt the global financial system. With increased user participation, the operation gained traction across a host of online sources. The operation reached its zenith in mid-2016 (as demonstrated by Figure 1) when participants claimed to have successfully performed DoS attacks against over 60 global banks. Orchestrating their attacks through social media and Internet Relay Chat (IRC) groups, OpIcarus encouraged users to use the Low Orbit Ion Cannon (LOIC), a popular tool for performing DoS attacks. Participants freely shared tools and techniques on these channels, hoping to co-opt more supporters for their campaign and, in turn, amplify the potency and impact of their attacks.

Figure 1: Mentions of “OpIcarus” across blogs, criminal forums, paste sites and dark web pages between 2016 and August 2018

While OpIcarus no longer attracts the attention it did in 2016, it should not be discounted. This month, we’ve observed the “doxing” of a VIP of a global bank as part of the 2018 wave of OpIcarus attacks. Furthermore, at the end of May 2018 the online and mobile banking services of Rabobank were taken offline for several hours following a Distributed Denial of Service (DDoS) attack. Shortly after this announcement, a post on Pastebin claimed responsibility for the attack as part of OpIcarus. The post also referred to 57 other global banks designated as OpIcarus targets, as well as advice on which tools to use. Unlike in 2016 when LOIC was recommended, individuals are now advised to steer clear of the tool, instead preferring other DoS or “Stresser” services such as “xerxes”, “Slowloris”, and “Ufonet” (see Figure 2). For financial institutions – particularly those named on the OpIcarus target list – this shift in tooling is significant for understanding the threat level posed by the campaign and what defensive measures should be implemented to ward off DDoS attacks.

Figure 2: A post claiming responsibility for the Rabobank DoS attack on May 24, 2018

In this Pastebin post claiming responsibility for the Rabobank attack, the author includes the OpIcarus hashtag along with references to other hacktivist operations, including OpPayback, a campaign focused on the Netherlands. This tagging of attack claims under multiple operational banners is common within the hacktivist community. With Anonymous devolving into smaller, more regional groups and operations, hacktivist actors will often use hashtags from large, well-known operations to solicit support for their attacks and objectives.

These operations are no longer centrally coordinated by an influential core of hacktivists who decide on suitable targets, timing of attacks and overall campaign objectives. Whereas OpIcarus began with global aims to shut down the financial system, in 2018 it is more commonly used in regional operations with narrower and more localized ambitions – in this case being specifically targeted at financial institutions in the Netherlands and aligned with OpPayback. Similarly, a version of OpIcarus, OpIcarusNi, seeks to apply the operation to Nicaragua in the wake of recent political and economic tensions in the country. With this decentralization, it’s unlikely that OpIcarus will garner the levels of support and orchestration seen in its 2016 heyday.

Figure 3: Pastebin posts referencing “OpIcarus” in the past 12 months


The Future of OpIcarus: Down but not Out

It’s clear that OpIcarus has changed considerably since its emergence in 2016. The 2018 operation is often performed in tandem with local hacktivist operations, with participants encouraging the use of different DoS and stresser tool sets. Despite a perceived decline in threat level and a shift to a more regional approach, the successful Rabobank DDoS attacks demonstrate that hacktivism still poses a threat to banks across the world. Today, OpIcarus attacks are far more sporadic and unpredictable given the loss of centralized command by the Anonymous collective.

To stay ahead of the threat, financial institutions should begin tracking the online activity of local and regional hacktivist actors in the event that they perform attacks under the OpIcarus banner; it’s no longer sufficient to rely on announcements from the most influential global Anonymous social media accounts, as attack claims are often performed by lesser-known Anonymous offshoots. This includes monitoring paste sites and social media for mentions of their domains and IP addresses, while following developments in hacktivist tooling to ensure DDoS defenses are up-to-date and appropriate.


To stay up to date with the latest Digital Shadows threat intelligence and news, subscribe to our threat intelligence emails here.

Five Threats to Financial Services: Part Four, Payment Card Fraud Tue, 14 Aug 2018 18:04:02 +0000 Payment card information is the lifeblood of the cybercriminal ecosystem. In previous blogs in this series, we’ve focused on how cybercriminals acquire customer banking information using banking trojans and phishing campaigns. However, this merely represents the initial steps that form one part of a wider payment card fraud network. This post focuses on the three steps fraudsters turn to in order to monetize these stolen payment cards. Banks can learn from these steps to inform their own defenses.

How Cybercriminals Use Stolen Payment Cards

Step 1: Learn the latest techniques

As fraud defenses evolve, cybercriminals similarly adapt their tactics to avoid detection and increase their fraud success rate. One such example is the emergence of the Genesis Market, an online marketplace that provides a way to imitate the browser of a victim in a bid to evade fraud solutions. Genesis (shown in Figure 1) has been in development for several years and is currently in Beta mode, but has gained positive reviews across carding forums over the past few months.

Figure 1: A screenshot from the Genesis market

There are many ways fraudsters can learn about the latest trends and gain tips for conducting their activities. Last year we published a whitepaper, Inside Online Carding Courses, on a professional e-learning carding course, complete with webinars, instructors and reading material. The increased professionalization and sophistication of this fraud has negative implications for credit card companies, merchants, and consumers. The course, which costs attendees $1000, included modules advising the best cards to target and which geographies to focus on. By studying these courses, banks can gain an understanding of the extent to which their customers are popular targets for fraudsters.

Figure 2: A translation of the advertised online learning course for carders


Step 2: Buy payment cards from a reputable site

While it’s possible that cybercriminals who harvest payment card information may commit fraud themselves, it’s more common to bulk sell this data to a distributor. Online credit card shops, also known as Automated Vending Carts (AVCs), play a crucial role in selling stolen payment cards. These shops buy bulk sets of payment cards and sell them on piecemeal to wannabe fraudsters. AVCs have vast numbers of payment cards for sale, with those in the United States by far the most popular (Figure 3).

Figure 3: Cards for sale on C-v-v[.]su

Most AVCs provide a “checker”, an automated feature to check if the card is still active and determine its balance. For those purchasing cards on a site that lacks payment card validation, another method used to check the cards is an Internet Relay Chat (IRC) room, for a nominal fee of $0.15. This serves as a reminder that criminals do not need to cash out to make money from carding – there’s plenty to be made from support services too. Banks can monitor for mentions of their Bank Identification Numbers (BINs) to detect the early stages of fraud.

This industry attracts the ire of law enforcement and there have been some notable arrests and seizures. AlphaBay, a dark web marketplace that had its own automated credit card shop, was seized over a year ago. Shortly after, members associated with the Infraud Forum were indicted. Most recently, on August 1st, 2018, the US Department of Justice filed criminal charges against three men reported to be associated with the organized criminal group known as FIN7. Despite these clear successes, it would be naïve for us to assume that this spells the end for AVCs.


Step 3: Commit payment card fraud and cash out

With the latest techniques learned and valid payment cards purchased, the final stage is to “cash out” and monetize this data with one of three main tactics:

  1. Direct Purchase of Goods. Fraudsters use sites that are cardable (susceptible to fraudulent purchases as a result of lax security controls) in order to make fraudulent purchases with stolen payment card information. Criminals collaborate and share lists of cardable sites that individuals can turn to that allow goods to be purchased with stolen payment cards. The carder will then purchase goods and resell them for a reduced price in order to receive clean money.
  2. Agent Fraud. A carder impersonates a hotel or airline agent, makes a reservation in the cardholder’s name, waits for the card to authorize, and then changes the reservation name. Social engineering is central to this approach.
  3. Drops and Middlemen. As demonstrated by FIN7, cybercriminals register fake companies that search for unemployed and vulnerable people to take seemingly legitimate jobs as a “Merchandising Manager” or similar. This job involves reshipping fraudulent goods and counterfeit money to safe addresses. Just as with agent fraud, social engineering is key. The websites must look convincing in order to sway the individual to work for the bogus company. It is also a reminder to us that just because a website uses HTTPS does not mean it is a legitimate website.

Fighting Payment Card Fraud: En Carde

Cashing out is the final stage within a vast payment card ecosystem. Often criminals will target retailers’ websites to monetize this information, but there are plenty of steps banks can take to detect this fraud and the different stages of the fraud lifecycle. There are three ways banks may gain visibility into payment card fraud:

  1. Benchmark yourself against peers. Understand which card providers fraudsters recommend not using and use this to understand where your company stacks up.
  2. Monitor IRC checking channels. Monitor these channels for Bank Identification Numbers (BINs) and Issuer Identification Numbers (IINs) that are indicative of a criminal testing an individual’s card.
  3. Monitor AVC shops for BINs and IINs. Monitor for BINs and IINs that are offered for sale. In many cases, it is possible to free-text search and filter by BIN.
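As an added illustration of the BIN/IIN monitoring in points 2 and 3 above (and the checker-channel monitoring mentioned earlier), not code from Digital Shadows: the script below scans constructed sample text resembling an AVC listing and an IRC checker channel for bare BIN tokens and for Luhn-valid card numbers whose prefix falls in a hypothetical issuer's watch list, and stores only redacted values. The BIN values and product names are placeholders.

```python
"""Scan scraped text (AVC listings, IRC checker output) for an issuer's own
BIN/IIN prefixes. Added example; BIN values and sample text are constructed."""
import re

# Placeholder six-digit BIN/IIN prefixes for a hypothetical issuer.
WATCHED_BINS = {
    "453201": "hypothetical Visa Classic product",
    "518765": "hypothetical Mastercard Gold product",
}

# Constructed text resembling a scraped AVC listing and an IRC checker channel.
# The card numbers are synthetic: two are Luhn-valid, one is not.
SAMPLE_TEXT = """\
[avc] 453201 | VISA | CLASSIC | US | $4.50 | qty 120
[avc] 401234 | VISA | DEBIT | US | $3.00 | qty 40
[irc] <chk_bot> 4532010000000008|12|2020 => LIVE
[irc] <chk_bot> 5187650000000001 => DEAD
[irc] <user9> order #45320198 shipped
[irc] <user2> 4532 0100 0000 0008 exp 12/20
[irc] <chk_bot> 5187650000000006 checked ok
"""

# A bare six-digit token not embedded in a longer digit run (a BIN mention).
BIN_RE = re.compile(r"(?<!\d)(\d{6})(?!\d)")
# A 13-19 digit run, optionally separated by spaces or hyphens (candidate PAN).
PAN_RE = re.compile(r"(?<!\d)(\d(?:[ -]?\d){12,18})(?!\d)")


def luhn_valid(digits):
    """Luhn check so that order numbers and other digit runs are not reported."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def redact(pan):
    """Keep the BIN and last four digits; mask the rest before storing a hit."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_hits(text, watched=WATCHED_BINS):
    """Return a list of hits: full-PAN mentions (Luhn-valid, watched BIN) and
    bare BIN tokens, each with its line number and a redacted value."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in PAN_RE.finditer(line):
            pan = re.sub(r"[ -]", "", m.group(1))
            bin6 = pan[:6]
            if bin6 in watched and luhn_valid(pan):
                hits.append({"line": line_no, "kind": "pan", "bin": bin6,
                             "product": watched[bin6], "value": redact(pan)})
        for m in BIN_RE.finditer(line):
            if m.group(1) in watched:
                hits.append({"line": line_no, "kind": "bin", "bin": m.group(1),
                             "product": watched[m.group(1)], "value": m.group(1)})
    return hits


if __name__ == "__main__":
    for h in find_hits(SAMPLE_TEXT):
        print(f"line {h['line']}: {h['kind']} {h['value']} ({h['product']})")
```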

With billions of dollars lost to payment card fraud each year, these steps can help to reduce fraud against your organization. You can read more about cashing out in our whitepaper, Inside Online Carding Courses.

In the final blog of the series, we’ll look into the threat of hacktivism for the financial services industry.



ShadowTalk Update – 08.13.2018 Mon, 13 Aug 2018 16:07:30 +0000 In this week’s ShadowTalk it’s all things phishing. Rose Bernard and Simon Hall join Rafael Amado to discuss the recent arrest of three alleged members of the FIN7 organized criminal group. The team look over the United States Department of Justice’s indictment, focusing on how FIN7 use social engineering and sophisticated phishing to great effect, before talking more generally about the threats of business email compromise and malspam.


New tweets weaken credibility of extortionists thedarkoverlord

The thedarkoverlord threat group claimed to have exfiltrated sensitive data from five more companies since their last claim in April 2018. Although the extortionists continue to focus on the healthcare sector, the additional claims include attacks on a tax company and a high-profile United States law firm. TDO’s credibility as a threat group has been based largely upon previous leaks that were confirmed as genuine; however, the group has enacted only three data leaks since September 2017, and the leaked data is currently unavailable, preventing independent verification. Therefore, TDO’s threat profile has changed since 2017 and, although its members will likely continue tweeting claims of data exfiltration in the next two to four weeks, their claims may not be legitimate.


MikroTik routers infected in cryptomining attacks 

Security researchers identified a cryptomining campaign exploiting vulnerable MikroTik network routers in Brazil. Initially the infected routers injected the Coinhive cryptominer script into the code of all Web pages visited through the router. After researchers identified this tactic, the campaign injected the script only into the code of error pages. One Coinhive key was used, indicating that one threat actor was responsible. Companies using MikroTik devices should prioritize patching to mitigate against the campaign.


Semiconductor maker hit by WannaCry ransomware, shuts down systems

The chip manufacturer Taiwan Semiconductor Manufacturing Company (TSMC) was forced to shut down some of its systems due to malware, which was later confirmed to be WannaCry ransomware. TSMC stated that the infection was not the result of a direct attack. Allegedly the malware had transferred to the system via a download, during a routine software update from a presumably compromised third-party supplier. No technical indicators were provided to independently confirm whether this was the variant of WannaCry responsible for global infections in May 2017; regardless, the incident demonstrates the importance of running all software downloads through anti-virus solutions before introducing them to a system, even those from trusted suppliers.


US healthcare provider victim of business email compromise

The United States healthcare provider UnityPoint Health reported that it had been the victim of a phishing attack that allowed access to internal networks between March 14 and April 3, 2018. Despite the company’s claim that attackers had sought access to vendor-payment or payroll systems, the personally identifiable information of approximately 1.4 million patients was compromised in the attack.


Subscribe to our weekly newsletter to get the latest podcast and other research by Digital Shadows.

Digital Shadows Contributes to Insider Threat Research Thu, 09 Aug 2018 15:08:29 +0000 On July 30, Forrester published its latest research report on malicious insiders, Defend Your Data As Insiders Monetize Their Access. With research content provided by Digital Shadows, the report details how insiders with valuable data or privileged access are using online forums and marketplaces to find buyers. At the same time, cybercriminals are using these same platforms to actively recruit insiders from a variety of industries. As many of these criminal forums are located on the clear web, it’s a reminder that we shouldn’t hyper focus on dark web sources alone.


Risks to financial services, retail and healthcare

One of the findings in Forrester’s report is that organizations in the financial services, retail and healthcare industries have some of the highest risk when it comes to malicious insiders. With organizations in these industries handling so much sensitive customer data (think personally identifiable information (PII), health records and payment card details), this is hardly a surprise.

In one of our previous blogs, Five Threats to Financial Services: Part One, Insiders, we looked in greater depth at some of the issues financial services organizations should consider when monitoring for insiders, including cybercriminals on the lookout for accomplices with access to SWIFT banking systems, and the emergence of dedicated sites for individuals looking to sell insider trading information.


Telecommunications insiders and SIM-swapping

While the above industries are extremely valuable from an insider perspective, Forrester also stresses that any number of industries dealing with sensitive intellectual property or customer data can be susceptible to this threat. These include manufacturing, technology and telecommunications.


Figure 1: User on a Russian-language forum requesting healthcare insiders (Translation: “Looking for doctors heading hospital departments or directors of private clinics”)


For the telecommunications industry specifically, there is a demand for insiders who can facilitate SIM-swapping or -hijacking attacks. SIM-swapping abuses a legitimate process that millions of people go through every year when transferring phone numbers to a new mobile network. Here an attacker will typically contact a target’s network provider and use social engineering techniques to convince network support staff to switch calls and texts to a new SIM that they control. From there they can bypass SMS-based two-factor authentication methods such as those used for online banking accounts.

In the criminal forum post below (Figure 2), a user claimed to have multiple workers operating at three large UK network providers who were able to perform SIM swaps.

Figure 2: Criminal forum user offering SIM swapping services (Screenshot taken from Digital Shadows platform)


Don’t forget the accidental insider

One area that was out of the scope of the insider report, but should nonetheless be high on the radar of all organizations, is the risk associated with accidental insiders. Unlike cognizant and malicious individuals looking to peddle their privileged access or sensitive company information, an accidental insider is instead an employee who has unwittingly compromised their organization through poor security practices. In many of the examples of sensitive exposure that we see, it’s the case of innocent staff leaving sensitive systems exposed to the public Internet, misconfiguring their devices, or sending highly confidential data to unsecured locations in the cloud.

Our previous whitepaper, Too Much Information, demonstrated how employees, contractors and third parties are often responsible for some of the most serious security breaches by misconfiguring network file sharing services and storage solutions such as Amazon S3 and Network Attached Storage (NAS) drives. A prime case is that of the contractor performing penetration tests. In the example below (Figure 3), a penetration testing company uploaded a lengthy report detailing all of an organization’s outdated servers, missing patches and network infrastructure. Why go to all of the trouble of recruiting and paying a company insider, along with the risk of exposure that entails, when sensitive company secrets are freely available online?


Figure 3: Screenshot of penetration test report contents page exposed through misconfigured file sharing service


Likewise, in our latest joint research paper, ERP Applications Under Fire, we found examples where employees and third parties had left full login credentials for critical Enterprise Resource Planning applications on public Trello boards (Trello is a cloud-based project management tool).

Figure 4: ERP credentials left exposed on open Trello board


Securing your organization from accidental insiders

Preventing breaches and exposure through accidental insiders requires a mixture of technology, process and training. For organizations looking to minimize this threat, consider the following:

  1. Provide security awareness training for all staff, including contractors and third parties. This should also cover the risks of using home NAS drives for company data and archiving files using file sharing services.
  2. If employees and contractors need to use NAS devices, then users should add a password and disable guest/anonymous access, as well as opt for NAS devices that are secured by default. If possible, you should look to offer backup solutions so that contractors and employees don’t feel the need to back-up their devices at home.
  3. Ensure two-factor authentication (2FA) is enabled across the organization where possible. This will help prevent unintentionally leaked credentials being leveraged by malicious actors.
  4. Restrict access to important data to only those who are required to have it. Read/write access should only be granted where there is an explicit business requirement.
  5. Monitor your external footprint for cases of accidental data loss and exposure. Document Loss Prevention solutions can help identify cases where sensitive information has left your estate.

Five Threats to Financial Services: Phishing Campaigns Wed, 08 Aug 2018 16:00:38 +0000 In our last blog, we highlighted how banking trojans are a threat to banking customers and small businesses, normally delivered via phishing emails containing malicious attachments. While phishing is a threat to businesses and individuals in all industries, attackers targeting financial services organizations often use highly crafted social engineering tactics to make sure they hit their mark. In the third blog of the series, we’ll take a deeper look into the techniques used to phish financial organizations, as well as ways in which you can mitigate these attacks.


What is phishing?

Phishing is a tactic where the attacker poses as a legitimate individual or service to gather sensitive information such as credentials or payment card information, or install malware on the target’s device. This is usually achieved either with an email containing a malicious attachment, or a URL link that will redirect the victim to a malicious domain where they will be asked to provide sensitive information or install plug-ins.

Email phishing campaigns can be wide and indiscriminate in their targeting, hoping that recipients will not recognise the fraudulent nature of the email. In many cases these emails are used to deliver malware such as banking trojans.


What is Spear Phishing?

Spear phishing is a form of phishing that targets a specific individual or organization. Frequently, the emails are tailored to the recipient to make them more believable. Two common types of spear phishing are:

  • Business Email Compromise (BEC). There are many different versions of BEC, but in one popular method the attacker will either spoof an executive’s email address and impersonate them, or even use a compromised business email account, to get an employee, customer or supplier to transfer funds or sensitive information to the phisher.
  • Whale phishing (or Whaling). Another form of BEC, in which high-level executives are the target. Attackers can use information pertaining to the executive found on public sources, including their name, phone number, email, or professional address when selecting their targets and developing social engineering tactics.

Phishing Financial Organizations

Knowing your target

An attacker will often spend considerable time investigating their target, so they can tailor the email to them and make it as compelling as possible. In recent years we’ve seen threat groups specializing in specific industries and geographies, resulting in a high level of sophistication in their attacks.

Let’s take the example of the Carbanak malware, which has been associated with several different campaigns against financial institutions, retail businesses, ATM systems and point-of-sale service providers. As the malware is in public circulation, it has been attributed to more than one group, including both the Carbanak group and FIN7. It’s unclear whether these groups are associated or simply share use of the malware and similar tools.

Operators of the Carbanak malware use social engineering techniques such as spear phishing in combination with malicious attachments containing the malware. When targeting financial companies, the emails are tailored to employees, appearing to have been written by native English speakers familiar with both investment terminology and the inner workings of public companies (see Figure 1 below). The emails frequently play up shareholder and public disclosure concerns.

Figure 1: Example of FIN7 phishing email (Source: FireEye)


Digital Shadows recently discovered files and source code that were allegedly related to the Carbanak group. Whatever the actual provenance of the leaked source code and files, these findings provided significant insights on how criminal groups target financial organizations with a level of sophistication that displays a strong understanding of the industry. The files not only contained the malware used to target the organizations, but also included detailed information on banking systems, instructions on how to make fraudulent payments and bypass anti-fraud features, and a list of key personnel responsible for payment processing in each of the target banks.

But how can attackers collect the information needed to learn about their targets and make their emails more believable? An open source investigation can provide a lot of information during the reconnaissance phase of the attack. An attacker will try to find any social media accounts pertaining to their victim(s), credentials found in past breaches, email and phone numbers in company material, personal addresses and emails linked to possible domains registered under the individual or provided in public company registries and assets under their name. The most sophisticated attackers, such as the Carbanak group, will often have contacts or insiders within financial organizations who can provide them with more specialized information or even privileged access to perform their operations.


Low barriers to entry

The lack of technical background or unfamiliarity with financial services terminology is not a hindrance to someone who wants to perform a phishing attack. If the attacker cares about harvesting credentials and credit card information from opportunistic targets, ‘finesse’ and technical capability is not a primary requirement. In many criminal marketplaces, aspiring attackers can find listings for complete phishing pages, usually clones of known organizations, that anyone can buy along with instructions on how to use them (See Figures 2 and 3).

Figure 2: Listing offering phishing pages for sale (Source: n0va[.]shop)


Figure 3: Tutorial on how to create a phishing page (Source: xplace[.]com)


Business Email Compromise

During a BEC, the attacker will impersonate a company executive and attempt to get an employee, customer or supplier to transfer funds or sensitive information to the phisher. A 2017 advisory from the Federal Bureau of Investigation’s (FBI) Internet Crime Complaint Center (IC3) reported that BEC attacks between October 2013 and December 2016 caused worldwide losses totalling over $5 billion. Recently, a six-month coordinated global law enforcement effort under the name “Operation Wire Wire” targeted business email compromise schemes, which resulted in 74 arrests.

Two highly publicized BEC attacks that hit the news in recent years are those that targeted Xoom and Scoular. Both are financial companies where spoofed emails were sent to their employees, resulting in transfers of millions of dollars to third party accounts. In Xoom’s case the emails targeted their finance department, while in Scoular’s the emails impersonated the company CEO. In some scenarios, if the attacker is familiar with the organization and its processes, they could also take advantage of real life events such as tax deadlines or impending financial deals to make their phishing attempt more believable.


Mitigating phishing attacks

Standard countermeasures such as anti-spam filters and anti-malware protections will usually filter out part of these types of scam emails; however, they are not fool-proof, especially against the most targeted attacks such as spear phishing and whaling. Organizations should therefore look to adopt a broader approach, which can include:

  • Educating your team. Organizations should invest heavily in educating their personnel about these types of attacks and how to recognise them. Update your security awareness training content to include the BEC scenario. This should be a part of new hire training, but you should conduct ad-hoc training for this scenario as well. Additionally, employees should only have access to the infrastructure and resources appropriate for their position and level, so that even if they are compromised the attacker will be limited to that part of the company network. Two-factor authentication should also be required as part of the company’s security policy.
  • Updating your incident response strategy. You need to build BEC into your contingency plans, just as you have built ransomware and destructive malware into your incident response/business continuity planning.
  • Introducing continuous monitoring. Conduct ongoing assessments of your executives’ digital footprints. You can start by using Google Alerts to track new web content related to them.
  • Enhancing company policies around wire transfers. Work with your wire transfer application vendors to build in multiple person authorizations to approve significant wire transfers and prevent successful BEC attempts against your organization.
  • Establishing an OPSEC Program. Formalize an Operations Security (OPSEC) program. Organizations and their employees often, unknowingly, expose detailed personal information or information about the systems and third parties they use on social media and other sources. In the wrong hands, this information can be used effectively to socially engineer a target.
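The multi-person authorization control from the wire-transfer point above, worked through as an added example (not Digital Shadows code); the threshold, the approver roles and the sample request are constructed placeholders:

```python
"""Multi-person authorization for significant wire transfers, the control the
'Enhancing company policies' point above calls for. Added example, not Digital
Shadows code; the threshold, approver roles and sample request are constructed."""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List


@dataclass(frozen=True)
class TransferRequest:
    transfer_id: str
    requester: str
    beneficiary_account: str
    amount: float


@dataclass(frozen=True)
class Approval:
    approver: str
    transfer_id: str
    beneficiary_account: str  # an approval binds to exactly what was reviewed
    amount: float


@dataclass(frozen=True)
class Policy:
    significant_amount: float = 10_000.0  # above this, multi-person release applies
    required_approvers: int = 2
    authorized_approvers: FrozenSet[str] = frozenset({"cfo", "controller", "treasury.lead"})


def evaluate_transfer(req: TransferRequest, approvals: Iterable[Approval],
                      policy: Policy = Policy()) -> List[str]:
    """Return the reasons the transfer must not be released; an empty list means go.

    The checks mirror what stops a BEC-driven payment: no single person can push
    a large transfer, the person who raised it cannot approve it, and any change
    to the amount or beneficiary after approval invalidates that approval.
    """
    reasons: List[str] = []
    if req.amount <= policy.significant_amount:
        return reasons  # below the threshold, normal single-person release applies
    valid = set()
    for a in approvals:
        if a.transfer_id != req.transfer_id:
            continue  # approval for a different transfer; ignore
        if (a.beneficiary_account, a.amount) != (req.beneficiary_account, req.amount):
            reasons.append(f"{a.approver}: approval predates a change to amount or beneficiary")
            continue
        if a.approver == req.requester:
            reasons.append(f"{a.approver}: requester cannot approve own transfer")
            continue
        if a.approver not in policy.authorized_approvers:
            reasons.append(f"{a.approver}: not an authorized approver")
            continue
        valid.add(a.approver)  # a set, so repeated approvals by one person count once
    if len(valid) < policy.required_approvers:
        reasons.append(f"{len(valid)} of {policy.required_approvers} distinct approvals")
    return reasons


# Constructed scenario: an accounts-payable clerk raises a large transfer.
REQUEST = TransferRequest("WT-1001", "ap.clerk", "ACCT-NEW-4711", 250_000.0)
GOOD = [Approval("cfo", "WT-1001", "ACCT-NEW-4711", 250_000.0),
        Approval("controller", "WT-1001", "ACCT-NEW-4711", 250_000.0)]

if __name__ == "__main__":
    print("release" if not evaluate_transfer(REQUEST, GOOD) else "hold")
```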


In our next blog of the threats to financial services series, we’ll cover everything you need to know about payment card fraud. Stay tuned.

To stay up to date with the latest Digital Shadows threat intelligence and news, subscribe to our threat intelligence emails here.

ShadowTalk Update – 08.06.2018 Mon, 06 Aug 2018 15:29:50 +0000 In this week’s episode, JP Perez-Etchegoyen, CTO of Onapsis, joins Michael Marriott to talk about the exposure of SAP and Oracle applications, the increase in publicly-available exploits, and the threat actors we have observed targeting the sensitive data held within these applications. Download the full report, ERP Applications Under Fire, to learn more.



Kronos or Osiris: both gods spell trouble for banking customers

The once-prolific banking trojan Kronos has resurfaced in three active campaigns, each using different infection techniques and targeting different geographies. This revived activity coincides with an advertisement on criminal forums for a trojan called Osiris, which has similarities to Kronos and is referenced in one of the campaigns. This could indicate an attempt to rebrand the trojan. Read our recent blog on banking trojans to find out more.

Multi-tiered supply-chain attack identified

Unidentified threat actors successfully targeted “the supply-chain of a supply-chain” to distribute cryptocurrency miner malware. A software vendor hosting additional packages for a PDF editing application was compromised, effectively turning the app’s installer into a malware distributor. The campaign’s overall impact was low, as only a small number of users were impacted. However, this attack method was sophisticated and highlights the increasing risks posed by supply-chain attacks.


Thedarkoverlord returns to target Florida healthcare facility

Extortion threat actor(s) thedarkoverlord posted a link on their Twitter account to a downloadable folder containing potentially sensitive healthcare information. The data had allegedly been sourced from a doctor in Florida, United States, and was likely published after a failed extortion attempt. This latest attack is consistent with thedarkoverlord’s previous targeting of the healthcare sector and use of sensitive data for extortion purposes, meaning such tactics may continue.


Middle East remains a target for cyber espionage activities

The threat group “DarkHydrus” targeted government entities in the Middle East with a custom PowerShell backdoor malware. The group sent spearphishing emails containing Excel Web Query files—text files containing a URL automatically opened by Excel. The Necurs botnet recently exploited this same file type in a campaign to deliver a remote access trojan. DarkHydrus has been active since early 2016, and originally abused legitimate open-source tools for malicious purposes. Their custom backdoor “RogueRobin” was potentially pieced together using code from these tools.
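A defender-side triage check for the Excel Web Query attachments described above, as an added example that is not from the original post; the internal host allow-list and the two sample files are constructed placeholders:

```python
"""Detect risky Excel Web Query (.iqy) attachments of the kind used in the
DarkHydrus and Necurs campaigns above. Added example, not Digital Shadows code;
the internal host allow-list and sample files are constructed."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import urlsplit

# Constructed allow-list of hosts that legitimately serve Web Queries (placeholder).
INTERNAL_HOSTS = {"reports.corp.example"}


@dataclass
class IqyVerdict:
    url: Optional[str]
    flags: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.flags)


def parse_iqy(text: str) -> Optional[str]:
    """Return the URL an .iqy file tells Excel to fetch, or None if not a Web Query.

    The format is plain text: line 1 is 'WEB', line 2 a version number (usually
    '1'), line 3 the URL that Excel retrieves as soon as the file is opened.
    """
    lines = [ln.strip() for ln in text.splitlines()]
    if len(lines) < 3 or lines[0].upper() != "WEB" or not lines[1].isdigit():
        return None
    return lines[2] or None


def assess_iqy(filename: str, text: str) -> IqyVerdict:
    """Flag properties of a Web Query that a mail gateway should not let through."""
    url = parse_iqy(text)
    verdict = IqyVerdict(url)
    if url is None:
        if filename.lower().endswith(".iqy"):
            verdict.flags.append("iqy extension but malformed Web Query header")
        return verdict
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.scheme not in ("http", "https"):
        verdict.flags.append(f"unexpected scheme {parts.scheme!r}")
    elif parts.scheme == "http":
        verdict.flags.append("cleartext http")  # fetched content can be altered in transit
    if host not in INTERNAL_HOSTS:
        verdict.flags.append(f"external host {host or '<none>'}")
    try:
        ipaddress.ip_address(host)
        verdict.flags.append("IP-literal host")  # no DNS name to reputation-check
    except ValueError:
        pass
    return verdict


# Constructed samples: an internal report query and a suspicious external one.
BENIGN_IQY = "WEB\n1\nhttps://reports.corp.example/sales.aspx\n\nSelection=AllTables\n"
SUSPECT_IQY = "WEB\n1\nhttp://203.0.113.10/invoice.dat\n\nSelection=AllTables\n"


def triage(attachments):
    """Return the names of (filename, body) attachments to quarantine for review."""
    return [name for name, body in attachments if assess_iqy(name, body).suspicious]


if __name__ == "__main__":
    for name in triage([("q3.iqy", BENIGN_IQY), ("invoice.iqy", SUSPECT_IQY)]):
        print("quarantine:", name)
```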



To stay up to date with the latest Digital Shadows threat intelligence and news, subscribe to our threat intelligence emails here.

FIN7: Arrests and Developments Thu, 02 Aug 2018 16:26:38 +0000 Three alleged members of FIN7 arrested

On August 1st, 2018, the US Department of Justice filed criminal charges against three men reported to be associated with the organized criminal group known as FIN7. The indictment states that FIN7:

  • Targeted 3,600 business locations across the United States, United Kingdom, Australia, and France. This included companies in 47 US states.
  • Compromised 6,500 individual point-of-sale terminals.
  • Stole more than 15 million customer card records.


What is FIN7?

FIN7 is a cybercriminal group that has primarily focused on acquiring payment card information. There has been some confusion surrounding the naming of this group, conflating FIN7 with both the Carbanak group and the Joker’s Stash online credit card store. To add further confusion, the Carbanak group – whose alleged “kingpin” was arrested on 26 March 2018 – also shares its name with the CARBANAK malware, which is used to infiltrate financial institutions and steal funds from the target organization. The malware, however, has been in public circulation since September 2015, meaning that it is in the hands of multiple cybercriminals and groups. FIN7 has used an adapted version of the CARBANAK malware to facilitate the theft of card records, leading to the unconfirmed association between FIN7 and the Carbanak group.

Joker’s Stash refers to an infamous online card shop (which we have discussed in a previous blog on blockchain DNS). While the indictment states that many of the cards stolen by FIN7 have been sold on Joker’s Stash, this is just one of many online card shops available to cybercriminals selling payment card information and should not be considered synonymous with FIN7.

The DOJ’s indictment contains several documents outlining the charges against the three individuals as well as an overview of how FIN7 attacked organizations and stole data. In this blog we’ll provide some key observations on FIN7’s operations and on what these developments will mean to the future of payment card fraud.


1.    Sophisticated phishing and social engineering are the cornerstones of FIN7’s success

As we see time and time again, the most effective technique used to deliver malware and perform network intrusions is phishing, and FIN7 is no different. By sending emails from addresses like “”, FIN7 members were able to convince victims to open a malicious Word document. An example, shown in Figure 1, was provided as part of the indictment. To add further legitimacy, this technique was often accompanied by phone calls to the target business, where the caller would goad the victim into opening the attachment to execute the malware.


Figure 1: An email provided as part of the DOJ indictment


2.    Shell company established

The indictment states that a shell company, Combi Security, was established “to provide a guise of legitimacy and to recruit hackers to join the criminal enterprise”. Although the site is no longer accessible, there are numerous references to combisecurity[.]com online, showing how FIN7 used a combination of online forums and legitimate job sites to recruit their members. However, it should be noted that many members were likely unaware of the true nature of the shell company.


Figure 2: A screenshot of the combisecurity[.]com site, by a user claiming to have designed their website


Figure 3: A job advert from November 2015 on the Superjob site


Figure 4: A forum post from June 2016 looking for a System Administrator for Combi Security

3.    The online market for payment cards is alive and healthy

The indictment stated that many of the card records were sold on Joker’s Stash. Although there are likely to be many more members of FIN7, the arrests of these three individuals may result in reduced traffic through this site.

Indeed, this follows on from a string of notable arrests in 2018. Back in February 2018, the Department of Justice unveiled another indictment against 36 individuals associated with the Infraud Forum, a cybercriminal forum specializing in payment card fraud.

While these will all be significant blows to the flow of stolen payment cards online, plenty of shops remain. On just one site, c-v-v[.]su, there are over 1.2 million cards for sale, over 400,000 of which have CVVs associated.


Figure 5: Cards for sale on C-v-v[.]su



4.    United States the most popular geography for stolen payment cards

While FIN7 targeted businesses in the United Kingdom, Australia, and France, the group stole more than 15 million customer card records from over 6,500 individual point-of-sale terminals at more than 3,600 separate business locations in the United States alone. That’s not a surprise, and it’s a trend we see across multiple forums and marketplaces. For example, of the 1,249,234 cards for sale on c-v-v[.]su, 998,089 (80%) were from the United States.

A similar story occurs if we count up the mentions of payment cards for sale across two closed forums, Exploit and Verified. Here the United States stands out with over 50% of all the mentions.


Figure 6: Geographies of payment cards discussed on Exploit and Verified forums between May and June 2018


The outlook

These latest charges highlight that the DOJ is picking up speed and treating online payment card fraud as a priority. However, as with the Infraud Forum indictment, these arrests should be viewed in the wider context of what is a very large, well-developed and diffuse criminal ecosystem.

Given the large array of online stores available for cybercriminals to sell stolen card details, it’s hard to imagine that the arrest of these three individuals will have a noticeable impact on the threat posed to merchants, consumers and financial institutions. Likewise, FIN7 is a large operation and the majority of the group’s members are still at large. Finally, given that the CARBANAK malware is not bespoke to any one group, payment card theft and other types of data exfiltration will continue to occur as long as this malware and other, similar tools are in public circulation.

With FIN7 displaying its adeptness for sophisticated phishing and social engineering techniques, look out for our upcoming blogs in our Five Threats to Financial Services series, where we’ll cover both phishing and payment card fraud in greater detail.

Diversity of Thoughts in the Workplace: Are You Thinking What I’m Thinking? Wed, 01 Aug 2018 16:14:22 +0000 In my most recent blog post I discussed Digital Shadows’ Women’s Network and how it is helping us shape wider conversations on diversity and inclusion. In this blog, I want to unpack diversity of thought and how businesses benefit from a diverse talent pool.

In 2013, Deloitte released a new research report on Diversity of Thought and described this concept as: “The idea that our thinking is shaped by our culture, background, experiences, and personalities”.

By harnessing and promoting the different ways in which we all process information, organizations can reap many tangible benefits. Some of the top benefits are:

Increased employee engagement and retention

You’ve hired a diverse workforce…now what? By promoting diversity of thought within management styles, companies can not only retain employees longer, but also provide a more meaningful experience at work, one that’s more personalized to learning preferences and allows employees to play to their strengths.

Decreased groupthink and cognitive dissonance

Deloitte points out that by increasing diversity of thought, employees are less likely to disregard new information or be afraid to challenge the status quo. Your workforce will feel safer to present new ideas and, more importantly, to disagree. In turn, this may also lower cognitive dissonance (e.g. believing one thing, but doing the other).

Ultimately, diversity of thought fosters one of my favorite concepts, psychological safety: a shared belief amongst team members that they are safe to take risks, and one of the core indicators of highly effective teams.

Happier clients means more revenue

An article that Glassdoor wrote in 2017 showcases how Diversity and Inclusion programs can directly affect revenue and client success. For example, Hilton empowers leaders to build diverse teams because they are able to harness different skill sets for the unpredictable moments that happen oh so often in a hospitality-driven organization.

As a service-based company ourselves, we value constructive conflict, differences in opinion, and want to further promote the unique backgrounds and traditions our workforce brings.

While the benefits of promoting diversity of thought are clear, it’s not easy to make these changes. Organizations will need strong leadership backing in order to not only train managers on more inclusive management styles, but also to reconsider their organizational policies to ensure they cater to a diverse workforce (flexible working hours, parental leave, etc.).

My most recommended leadership strategy book, Profit from the Positive, promotes the concept of getting the “best” out of your employees, not the “most”. Even more so, keep in mind that the best of one employee is always different than the best of another.


To stay up to date with the latest from Digital Shadows, subscribe to our emails here.

Security Spotlight Series: Dr. Richard Gold Tue, 31 Jul 2018 15:57:48 +0000 Organizations rely on Digital Shadows to be an extension of their security team. Our global team provides the latest tooling, relevant research, much needed context, tailored remediation advice and managed takedown support to make our clients’ jobs easier and more efficient.

In our Security Spotlight Series, we bring our team out of the shadows and into the spotlight. In this edition, we profile Dr Richard Gold, Digital Shadows’ Head of Security Engineering.

Name: Dr. Richard Gold
Team: Security Engineering
Title: Head of Security Engineering

Q: What areas do you focus on as Head of Security Engineering?

A: My team and I work on pre-product development – that is researching interesting and novel security techniques to see how we can integrate them into the product. We also focus on internal security, which includes performing security assessments such as Purple Team exercises, where we model and replicate both offensive and defensive attack techniques in order to learn how to best protect the organization.


Q: How have your past experiences helped you in your role at Digital Shadows?

A: For the last 20 years I have spent a lot of time doing networking, working with operating systems and programming – the three pillars of security engineering. I’ve always had a passion for security since I was a teenager, so working in this field is a dream come true. Doing a PhD also taught me the value of persistence, to keep going even though the solution may be quite far down the line and all hope seems lost.


Q: What have been your highlights working at Digital Shadows?

A: What I really enjoy is having an idea, doing some initial proof-of-concept work and then taking that into production alongside our engineers. Seeing that go live and then provide value to our customer is really exciting. Also, we’ve done a lot of large-scale reconnaissance projects for major financial institutions and enterprise organizations; these were always really instructive experiences to learn what organizations look like from the outside and how attackers use this information to perform their attacks.


Q: How do you see Digital Shadows’ work providing value to customers?

A: Our goal is to protect our clients and help our clients protect themselves. In Security Engineering we try to emulate attacker tradecraft as closely as possible and automate that in a scalable fashion to deliver to our customers. Through our research we seek to reduce our clients’ uncertainty around the risks that they face online.


Q: In your experience, what is the single biggest threat or risk that organizations fail to deal with effectively?

A: Two words: security debt. This is the accumulation of missed patches, unchanged credentials, misconfigurations, and the lack of attack surface reduction typically caused by the scaling issues that appear as organizations grow. These things add up over time to cause some very significant risks to organizations.


Q: What is the most commonly misunderstood problem in cyber security?

A: That you can buy your way to security without putting the time in to really get to know your environment or your tools. Security is all about the details, and that’s a big job. You need to understand how your environment operates, where the flaws are, and how attackers can then take advantage of those flaws.


Q: What advice would you give someone starting out as a security engineer?

A: Learn networking, operating systems and development. Security is really a mindset – it’s about how you view these technical areas. You need to have experience of using, building, maintaining systems to appreciate the challenges.


Q: What is one thing that most people don’t know about you?

A: I have been training traditional Japanese martial arts for over 12 years.


Interested in hearing more from our team? Check out our blogs or subscribe to our weekly threat intelligence podcast, ShadowTalk.


Richard Gold is an information security professional experienced in both offensive and defensive security, as well as security engineering. He has worked for Cisco on web proxies and Secure Development Lifecycles (SDLs), AGT International on Internet of Things/SCADA and, currently, Digital Shadows in various security-related roles. He is particularly interested in open source intelligence (OSINT) reconnaissance, Advanced Persistent Threat (APT) campaigns and offensive security techniques. He is a Certified SCADA Security Architect and holds a PhD in Computer Networking.



ShadowTalk Update – 07.30.2018 Mon, 30 Jul 2018 15:52:34 +0000 Richard Gold and Rose Bernard join Michael Marriott to talk about updates to the Satori botnet, which has expanded to incorporate new IoT devices using TCP port 5555. Amid news of a new wave of OilRig attacks, a Middle Eastern espionage campaign, we dive into PowerShell security risks and provide advice on best practices for those using PowerShell. For more information on PowerShell Security Best Practices, check out our blog. Finally, we assess the Dragonfly campaign against U.S. power grids, and understand what it all means.



Dragonfly attributed to further attacks targeting energy sector in Europe and North America

The United States Department of Homeland Security has only recently released details of a 2017 campaign that targeted undisclosed United States energy companies. The campaign was orchestrated by suspected Russian nation-state threat group “Crouching Yeti” (aka Dragonfly). The group’s members allegedly conducted spearphishing and watering hole attacks to steal credentials from third-party suppliers, enabling access to United States utility networks. The details may have been released to strengthen the political credibility of United States intelligence services in the eyes of the public and the media; the release occurred during a period of conflict between the intelligence services and the presidential administration about the severity of the Russian cyber threat.


APT-28 parallels attacks on 2016 Presidential elections with attacks on US midterms

Microsoft reported that Russian nation-state linked threat group “APT-28” (aka Fancy Bear) has targeted the United States 2018 mid-term political elections through a phishing campaign against certain undisclosed candidates. The phishing emails were similar to those sent in previous APT-28 campaigns against the Democratic National Committee (DNC) in 2016 prior to the presidential election: both used fake Microsoft domains as command-and-control sites.


LabCorp hit by SamSam ransomware infection

LabCorp, one of the largest clinical laboratories in the United States, was subjected to a “SamSam” ransomware attack. Attackers reportedly accessed the laboratory’s network via brute-force password attacks against Remote Desktop Protocol ports exposed to the Internet. The attack infected approximately 7,000 systems and 1,900 servers, but remediation efforts were implemented quickly; no data was reportedly stolen or misused during the incident. SamSam has a lucrative history of use against healthcare entities, as well as government systems in the United States city of Atlanta and the state of Colorado’s Department of Transportation.


Attackers steal 1.5 million patient records from Singapore healthcare group

Singapore’s Ministry of Health released a statement detailing the theft of 1.5 million patient records from a healthcare group in that country. Attackers used privileged credentials to access a database, although the original infection vector remains unknown. Attacks on healthcare providers are increasing, as financially motivated threat actors seek information that is easily monetized on the dark Web; patient details can be re-sold and used for other fraudulent activities, or to tailor spearphishing campaigns.

Black Hat USA 2018 Thu, 26 Jul 2018 16:48:41 +0000 Black Hat USA 2018 is quickly approaching! The conference, one of the world’s leading Information Security events, focuses on the latest in research, development, and trends. In this blog, I’ll give a quick overview of what we’ll be up to at this year’s event.

Come Meet The Digital Shadows Team

At Black Hat USA 2018, our team will be available to walk you through how we help our clients quickly identify risks such as data loss, brand impersonation, cyber threats, credential exposure, and more across the open, deep, and dark web. We’ll also be sharing the results from the recent 2018 Forrester New Wave for Digital Risk Protection, in which we were named a “Leader”. Get your free copy of the report here to see the results prior.

If you’re interested in a quick chat with our team, book time with us here or visit us at Booth 1627 in the Business Hall. 


Learn About Our Research

This week, our research team produced a new report which outlined the threat landscape for ERP applications. Download your copy of the report here or stop by Booth 1627 in the Business Hall at Black Hat to chat with us on these findings and our other threat intelligence research.


Party with us on Wednesday Night at Eyecandy Sound Lounge

On Wednesday night, we’re throwing a big party in the center of the casino floor at Mandalay Bay. Stop by our Security Leaders VIP Party at Eyecandy Sound Lounge from 8-10pm for food, music, and a full open bar. We do expect to hit capacity, so make sure to get on the list now!


For all further information regarding Black Hat 2018, check out our dedicated event page here. Hope to see you in Las Vegas!

Cyber Threats to ERP Applications: Threat Landscape Tue, 24 Jul 2018 22:52:17 +0000 What are ERP Applications?

Organizations rely on Enterprise Resource Planning (ERP) applications to support business processes. This includes payroll, treasury, inventory management, manufacturing, financial planning, sales, logistics and billing. All of this can be an attractive target for threat actors. In our joint research report with Onapsis, ERP Applications Under Fire, we assess the threat landscape for two of the largest ERP applications: SAP and Oracle E-Business. The report outlines the scale of Internet-facing applications out there, the growing number of exploited vulnerabilities, and specific campaigns targeting these applications.

History of Attacks

It’s no surprise that actors target these ERP applications, particularly given the trove of sensitive data they provide access to, as well as the increasing number of public exploits available; through our research we observed a 100% increase in public exploits for SAP and Oracle ERP applications over the last three years. One of the most well-known instances occurred back in March 2014, when it was revealed that the breach of the United States Information Service (USIS) began through an exploited SAP vulnerability. The investigation found that Chinese actors exploited a zero-day vulnerability, resulting in the exposure of thousands of sensitive records on individuals’ security clearance applications. But how has the threat landscape developed aside from these campaigns? A variety of different actors, including hacktivists, cybercriminals and nation state-affiliated groups, have continued targeting SAP and Oracle ERP applications. In this blog, I’ll focus only on the cybercriminal element.

Banking Trojans Expand to Target Credentials of ERP Users

Banking trojans typically target banking customers with the aim of harvesting their online banking credentials. It’s common for the trojan to include configuration files that specify which URLs (normally bank logon URLs) to redirect to. However, given the sensitive financial information that ERP platforms hold, trojans have also targeted the logon information of SAP platforms.

One of the most common banking trojan variants is Dridex, which has undergone multiple iterations since its emergence in 2014. In February 2017, one Dridex botnet updated its configuration to target SAP users. This was extended in February 2018 to include two more botnets that distributed the Dridex trojan. In this particular campaign, a malicious Microsoft Word document was delivered that downloaded Dridex on a victim’s machine. With “saplogon” in the configuration files, the malware would look for users running this software, and then harvest their credentials.


Figure 1: A Dridex 4 configuration file posted online in February 2018

Poor Password Hygiene Offers Opportunities for Cybercriminals

With criminal sites like UAS-Service and Xdedic, there’s a long-standing market for hacked Remote Desktop Protocol (RDP) access. Access to RDP servers offers cybercriminals a wealth of options, including installing keyloggers and ransomware. In the instance described below, the password exposed was a default SAP password – reminding us that criminals often gain access to these servers through weak or default passwords. SAP applications are no exception, especially when organizations use legacy platforms that were installed with weak default passwords.

In October 2017, users on a criminal forum shared details of a hacked Remote Desktop (RDP) from an SAP Hana application. The given password for the RDP was sap123, a default password, demonstrating the need for good password hygiene.


Figure 2: Compromised Remote Desktop Protocol offered on criminal forum, including the use of a default SAP password


Cybercriminals are only one type of actor to have displayed a propensity to target ERP applications. Download the full report, ERP Applications Under Fire, to learn more about the exposure of ERP platforms, other types of adversaries targeting them, and ways to mitigate these threats.

To stay up to date with the latest Digital Shadows threat intelligence and news, subscribe to our threat intelligence emails here.

ShadowTalk Update – 07.23.2018 Mon, 23 Jul 2018 14:05:51 +0000 In this week’s ShadowTalk, we discuss the Robert Mueller indictment against 12 Russian individuals for alleged US election interference. However, rather than dwell on issues of attribution and geopolitics, we focus on the detailed tactics, techniques and procedures laid out in the indictment. Katie Nickels, a member of the MITRE team, joins Rafael Amado and Richard Gold to discuss the ATT&CK™ framework in greater detail, as well as the key lessons that organizations can take away.


APT-28 shifts focus to Italian defense sector with new X-Agent variant

A new variant of the “X-Agent” backdoor malware was identified in a campaign targeting defense entities in Italy. The highly programmable malware has been associated with APT-28 (aka Fancy Bear, Sofacy, Pawn Storm, Sednit), and was previously observed in attacks targeting the Democratic National Committee in 2016.

Banking trojans distributed via Google Play store

Malware distributors used downloaders hosted on the Google Play store to target Turkish-speaking Android users with variants of the Marcher and BankBot Anubis banking trojans. Placing downloaders, rather than the malware itself, on an app store is a tactic adopted by cyber criminals because downloaders appear innocuous and are therefore less likely to trigger the app store’s security measures. This campaign was potentially part of a cybercrime-as-a-service offering, as significant resources were invested into the fraudulent apps that masked the downloaders. Official download stores remain a prized target for malware distributors, as they offer a wider audience of potential victims and abuse the trust users place in the legitimate download resource.


Theft at cryptocurrency exchange raises questions over regulations

An unknown threat actor has stolen approximately USD 13.5 million from Israeli cryptocurrency exchange, Bancor. Although no details about the attacker’s tactics have been released, some security researchers have alleged that the attackers exploited permissioned backdoors used by Bancor to freeze and control transactions. This has highlighted the lack of regulation of exchanges, something which is likely to continue to drive criminal attacks against the sector, which they perceive to be a low-risk high-reward target.


Sub-group of Lazarus Group observed conducting reconnaissance against South Korean government entities

Trend Micro identified reconnaissance activity which was likely a prelude to a watering hole attack targeting government entities in South Korea. The activity was attributed to a branch of the Lazarus Group, known as “Andariel Group”, and aligns with previous Lazarus Group activity. The attackers sought information on specific ActiveX objects, including two software programs known to be used by South Korean government institutions. The group were previously observed conducting similar reconnaissance in January 2017, following which, a targeted watering hole attack using a zero-day exploit was conducted in April 2017.


To stay up to date with the latest Digital Shadows threat intelligence and news, subscribe to our threat intelligence emails here.

Five Threats to Financial Services: Banking Trojans Thu, 19 Jul 2018 16:42:51 +0000 A couple of weeks ago, we learned about a new phishing campaign that delivered Trickbot in an attempt to harvest the credentials of online banking customers. This latest wave targeted UK users, pretending to come from HMRC (HM Revenue & Customs). The actors exploited a vulnerability in Internet Explorer (CVE-2018-8174), for which a patch was released in May 2018. Banking trojans constitute a significant threat to banking customers and small businesses. In this blog – the second in a series on threats to financial services – we delve into the threat of banking trojans in more detail.

What is a Banking Trojan?

A banking trojan is a form of malware that seeks to collect the credentials of online banking customers from infected machines. The malware is delivered through a variety of mechanisms, exploits a range of vulnerabilities, and increasingly incorporates additional functionality.

One of the oldest variants is Zeus, a trojan first spotted in 2007 in a campaign targeting the US Department of Transportation, that has since grown in popularity. Zeus’ author reportedly retired in 2010 and the Zeus source code was leaked the following year, giving way to a swathe of alternative variants.

Trickbot is one of many banking trojans active in 2018; others include UrSnif, Dridex, Retefe and Panda. As shown below, these can be delivered in a variety of ways, including botnets (often through phishing campaigns) like Necurs and exploit kits (often drive-by downloads from a compromised website or malvertising) such as RIG. Once delivered – often through spam emails – many variants rely on users downloading malicious Microsoft Word documents. Some variants, such as Retefe, have leveraged ETERNALBLUE (an exploit for CVE-2017-0199).


Variant    | Delivery                                          | Distribution                                   | Recent Targets                                     | Exploited Vulnerabilities
-----------|---------------------------------------------------|------------------------------------------------|----------------------------------------------------|---------------------------------------------------
Ursnif     | Spam Emails                                       | Necurs Botnet; RIG exploit kit                 | Japan; New Zealand; Australia; US; Canada; Italy   | CVE-2018-10730; CVE-2018-10731
Dridex     | Spam Emails; Malicious Microsoft Office documents | Necurs Botnet; Compromised FTP servers         | UK; United States                                  | CVE-2017-0199
Retefe     | Spam Emails; Malicious Microsoft Office documents | Unknown                                        | UK; Switzerland; Austria                           | CVE-2017-0144
Trickbot   | Spam Emails; IcedID downloader                    | Qtbot; RIG Exploit Kit                         | Global                                             | CVE-2018-8174; CVE-2017-0144; CVE-2017-11882
Panda Zeus | Spam Emails; Msg attachments                      | Social media phishing; DeLoader malware dropper | Japan; United States                              | CVE-2014-1761; CVE-2012-0158


Table 1: Overview of most prominent banking trojans in 2018

Protecting Yourself Against Banking Trojans

With malware developers rapidly adding new functionality to these variants, it can be challenging to keep up to date with the threat posed by banking trojans. However, understanding the common ways in which the trojans are delivered and infect your machine helps you make more informed decisions about security controls and patch priorities.

Organizations should look at deploying a defense-in-depth strategy to protect against initial infection and for post-infection. A strategy for defense should use a blend of technical and non-technical controls in order to be most effective. Some of the components that should be used include:

  1. Provide awareness and training for staff who may be the end users targeted by banking trojans. Staff should be made aware of the threat of banking trojans (and malware in general), how it is delivered, and information security principles and techniques.
  2. Open channels for staff to be able to report suspected phishing attempts. This should be a way for users to openly and easily report suspect emails and files, and receive validation prior to opening. This ensures that the user does not infect themselves or the organization, and it can also provide security operations with signatures to better protect others in the organization.
  3. Ensure operating systems, software and firmware on devices are kept patched and updated as vulnerabilities are discovered. A centralized patch management system may facilitate this process. Prioritizing recently exploited vulnerabilities, such as CVE-2018-8174, should be a focus.
  4. Use an email filtering system or service to identify phishing threats, particularly around malicious attachments. Office365 users should consider Microsoft’s Advanced Threat Protection (ATP), a cloud-based email filtering service. This will help prevent malware delivery through email phishing campaigns with malicious payloads or links.
  5. Ensure anti-virus (AV) software is installed on endpoints and kept updated, with scans carried out regularly. Most AV solutions can be set to automatically update and scan.
  6. Manage the use of privileged accounts and ensure the “principle of least privilege” is implemented. Administrative access should be reserved only for those who require it. Those employees should only use the accounts when required and use regular user accounts for daily tasks. The principle of least privilege should also be implemented for file, directory, and network share permissions.
  7. Disable macros from Office files transmitted via e-mail. Consider using the Outlook preview pane to open Microsoft Office files transmitted via e-mail instead of full Office suite applications.
  8. Prevent access to malicious websites, including the downloading of the malware installed during these attacks. Blocking access to the Tor network and I2P sites may also be a useful technique in blocking the malware’s command and control (C&C) communications and can help prevent the initial malware drop.
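Steps 4 and 7 above both hinge on recognising macro-carrying Office attachments before a user opens them. The following is an added example, not code from Digital Shadows or from any product named above: a small attachment classifier that inspects an OOXML package for a VBA project, flags legacy binary Office files that cannot be judged without a sandbox, and catches the case where a macro project sits inside a file whose extension claims to be macro-free. It uses only the Python standard library; the sample attachments it builds are constructed stand-ins, not real documents, and the delivery policy table is an assumption.

```python
"""
Added example: classifying Office attachments by macro content before they
reach a mailbox. Not Digital Shadows' code; uses only the standard library
and constructs its own sample attachments.
"""
import io
import os
import zipfile

# OLE2 compound-file header used by the legacy binary formats (.doc/.xls/.ppt).
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ZIP_MAGIC = b"PK\x03\x04"

# OOXML packages keep VBA code in a vbaProject.bin part (under word/, xl/, ppt/).
VBA_PART = "vbaProject.bin"

MACRO_FREE = {".docx", ".xlsx", ".pptx"}        # extensions that should never carry VBA
MACRO_ENABLED = {".docm", ".xlsm", ".pptm", ".dotm", ".xltm"}


def classify(filename: str, data: bytes) -> str:
    """Map an attachment to one verdict: clean, macro, mismatch, legacy or other."""
    ext = os.path.splitext(filename)[1].lower()
    if data.startswith(OLE2_MAGIC):
        # Legacy binary Office: may carry VBA, needs a full OLE parser or a sandbox.
        return "legacy"
    if not data.startswith(ZIP_MAGIC):
        return "other"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as pkg:
            names = pkg.namelist()
    except zipfile.BadZipFile:
        return "other"
    if "[Content_Types].xml" not in names:
        return "other"                      # a zip, but not an Office package
    has_vba = any(os.path.basename(n) == VBA_PART for n in names)
    if has_vba and ext in MACRO_FREE:
        return "mismatch"                   # macro project behind a "safe" extension
    if has_vba:
        return "macro"
    return "clean"


# Assumed delivery policy: macro content never reaches the inbox directly,
# and anything the check cannot judge goes to detonation first.
POLICY = {"clean": "deliver", "macro": "quarantine", "mismatch": "quarantine",
          "legacy": "sandbox", "other": "sandbox"}


def decide(filename: str, data: bytes) -> str:
    """Return the action the mail filter should take for this attachment."""
    return POLICY[classify(filename, data)]


def build_package(app: str, with_vba: bool) -> bytes:
    """Constructed minimal OOXML package: enough structure for the check, not a real document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml",
                   '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr(f"{app}/document.xml", "<w:document/>")
        if with_vba:
            # vbaProject.bin is itself an OLE2 container; a header is enough here.
            z.writestr(f"{app}/{VBA_PART}", OLE2_MAGIC + b"\x00" * 16)
    return buf.getvalue()


# Constructed sample attachments covering each branch of the classifier.
SAMPLES = [
    ("invoice.docx", build_package("word", False)),   # genuine macro-free document
    ("invoice.docm", build_package("word", True)),    # declared macro-enabled document
    ("invoice.docx", build_package("word", True)),    # macro project renamed to .docx
    ("old_invoice.doc", OLE2_MAGIC + b"\x00" * 32),   # legacy binary format
    ("notes.txt", b"plain text body"),                # not an Office file at all
]

if __name__ == "__main__":
    for name, blob in SAMPLES:
        print(f"{name:18} {classify(name, blob):9} -> {decide(name, blob)}")
```

The classifier is deliberately conservative: it never reports "clean" for a legacy binary file, because the presence of VBA in an OLE2 document cannot be established without parsing the compound-file streams, and a mail filter that guesses there is a worse control than one that hands the file to a sandbox.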


For finance organizations, banking trojans targeting their employees and customers will be a concern. By taking these steps, organizations and individuals can better protect their sensitive logon information.


Stay tuned for our future blogs on other threats to financial services.


To stay up to date with the latest Digital Shadows threat intelligence and news, subscribe to our threat intelligence emails here.

Mitre ATT&CK™ and the Mueller GRU Indictment: Lessons for Organizations (Tue, 17 Jul 2018 16:37:24 +0000)

A recent indictment revealed how the GRU (Russia’s Military Intelligence agency) used both influence operations and network intrusions to achieve its policy aims. More precisely, the GRU weaponized the use of the network intrusions in its influence operations. The indictment goes into detail about the TTPs (Tactics, Techniques and Procedures) used by the attackers and it is worthwhile to pay careful attention to the adversary tradecraft that was used and how it can be defended against. For this blog we have used the MITRE ATT&CK™ framework as our methodology to play back the findings of the indictment. In doing so, we aim to provide key lessons organizations can take away from this indictment.

Not all organizations share the same threat model and so not all organizations are high-profile targets for nation-state cyber operations. However, the TTPs used are shared among many different classes of actors, including cybercriminals, and also provide a taste for what many actors will be using to perform intrusions in the future.


Stage #0: Reconnaissance

PRE-ATT&CK TTPs: All techniques

The GRU performed the following tasks:

  • Social media reconnaissance to identify targets for spearphishing emails
  • “[R]esearched the DCCC (Democratic Congressional Campaign Committee) and DNC (Democratic National Committee) computer networks to identify technical specifications and vulnerabilities”
  • “[R]an a technical query for the DCCC’s internet protocol configurations to identify connected devices”

DS Mitigation advice: Inform employees that their social media profiles may be of interest to adversaries. Provide advice on how to lock down profiles if requested. Ensure that network services are patched and running supported versions of software. Credentials, especially for admin accounts, should use strong passwords and two factor authentication (2FA) should be enabled wherever possible.


Stage #1 Initial Access

Four TTPs were used by the GRU to perform the initial compromise:

1.   ATT&CK TTP: Spearphishing attachment, Spearphishing link

Unsurprisingly spearphishing is still the go-to tactic of many threat actor groups as it has proven to be so successful in the past. The GRU uses spearphishing in a variety of ways.

  1. A target company was compromised and that company’s branding, and presumably its address book, was used to target its customers. The branding reuse is an effective technique to provide legitimacy to a social engineering attack.
  2. A URL-shortener service was used in order to masquerade as a legitimate service and to redirect targets to credential harvesting sites. These credentials were then reused in later stages of the attack.
  3. The targeting of personal accounts.
  4. Fake document lures.

DS Mitigation advice: Use of an email filtering system or service can help to identify some spearphishing threats particularly around malicious attachments. Office365 users should consider Microsoft’s Advanced Threat Protection (ATP), a cloud-based email filtering service. 2FA is essential for email accounts, especially with a security key where possible. Employees should be made aware that personal accounts are regularly targeted by certain adversaries and to not enter credentials online unless they are expecting to do so.


2.   ATT&CK TTP: Trusted Relationship

Once the GRU had gained access to the DCCC network, it then proceeded to use that access to attack the DNC network. It used the keylogging and screenshot capabilities of its X-Agent malware in order to capture credentials, which it then proceeded to reuse.

DS Mitigation advice: Third parties, such as suppliers and partner organizations, typically have privileged access via a trusted relationship into certain environments. These relationships can be abused by attackers to subvert security controls and gain unauthorized access into target environments. Managing trusted relationships, like supply chains, is an incredibly complex topic. The NCSC (National Cyber Security Centre) has an excellent overview of this challenging topic.


3.   ATT&CK TTP: Valid Accounts

The GRU used credentials stolen through a spearphishing attack to log in to the DCCC network. Our assessment is that RDP (Remote Desktop Protocol) is an ideal target for reusing stolen credentials.

DS Mitigation advice: Access to RDP servers and other servers that provide remote access should be limited. IP whitelisting where appropriate is an effective control. Another method is to ensure that RDP is only accessible via a VPN that supports strong authentication.


4.   ATT&CK TTP: Drive-by Compromise

The GRU edited the target’s own website and “the Conspirators registered the domain actblues[.]com, which mimicked the domain of a political fundraising platform that included a DCCC donations page. Shortly thereafter, the Conspirators used stolen DCCC credentials to modify the DCCC website and redirect visitors to the actblues[.]com domain”.

DS Mitigation advice: Change management and file integrity monitoring (FIM) for websites and other external assets is an important part of ensuring that no unauthorized changes are made. For users, ensuring that browsers are patched to the latest version, vulnerable plugins are disabled and an adblocker is used, are important steps to staying safe while browsing.

Stage #2 Execution

ATT&CK TTP: Exploitation for Client Execution

Once the GRU successfully compromised its targets, it deployed its malware implants to establish a foothold. The use of exploits in the GRU spearphishing campaigns was discussed in open source reporting from Microsoft.

The indictment describes this occurring after a successful spearphishing campaign. Most likely a variety of complementary techniques were used. The GRU used a custom, cross-platform toolkit called “X-Agent”, which was developed in-house for this purpose. X-Agent is a Remote Access Trojan (RAT) that has the ability “to monitor individual employees’ computer activity, steal passwords, and maintain access to the DCCC network”.

One key finding is that the GRU relied on the Linux version of the toolkit, which remained undetected on the target’s network after the Incident Response effort had begun four months previously.

DS Mitigation advice: Up-to-date antivirus and other Endpoint Detection & Response (EDR) systems can provide protection against some malware variants. Protective monitoring can help detect unauthorized behavior both on the endpoint and on the network. Ensuring that security teams have knowledge and understanding of all environments assists with rooting out adversaries that are capable of operating on different platforms.


Stage #3 Persistence

ATT&CK TTP: Bootkit, Login Item, Modify Existing Service, Valid Accounts, Launch Agent, etc.

As mentioned previously, the GRU deployed implants for a variety of systems, which allowed it to persist in the target environment despite active Incident Response (IR) processes. The indictment does not go into detail as to how the GRU maintained persistence to survive reboots etc. during their standard operational procedure. However, open source reporting shows that the GRU also used a number of other persistence mechanisms, such as modifying logon scripts, modifying registry keys, and scheduled tasks.

DS Mitigation advice: Maintaining presence in a target environment typically requires the use of administrator privileges. Following the advice in Stage #4, together with monitoring for the creation of new scheduled tasks, for example, can limit the adversary’s options. The NCSC Windows 10 End User Device (EUD) guidance provides advice on how to securely configure Windows devices. The website has excellent advice on how to securely administer a Windows network.
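The scheduled-task monitoring suggested above is straightforward to put into practice once Windows Security event 4698 (“A scheduled task was created”) is being collected. The following is an added example, not code from Digital Shadows or from the indictment: it parses the task definition embedded in each 4698 record and reports the ones an analyst should look at, namely tasks registered outside the \Microsoft\ folder by an account that is not one of the organisation’s known provisioning accounts, tasks whose action is a script host or proxy-execution binary, and tasks whose arguments ask for hidden or encoded execution. The events and the approved-account list are constructed assumptions shaped after the 4698 data fields.

```python
"""
Added example: triage of Windows Security event 4698 records for persistence
review. Not Digital Shadows' code; the events below are constructed to mirror
the 4698 data fields (TaskName, SubjectUserName, TaskContent).
"""
import xml.etree.ElementTree as ET

# Namespace used by Task Scheduler task definitions.
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Script hosts and proxy-execution binaries that are rarely legitimate task
# actions outside the well-known Microsoft task folders.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}

# Accounts expected to register tasks (assumed: patch and deployment tooling).
APPROVED_CREATORS = {"svc-patchmgmt", "svc-sccm"}


def parse_task_actions(task_xml: str) -> list:
    """Return (command, arguments) pairs from a Task Scheduler task definition."""
    root = ET.fromstring(task_xml)
    actions = []
    for exe in root.findall(".//t:Actions/t:Exec", TASK_NS):
        cmd = (exe.findtext("t:Command", default="", namespaces=TASK_NS) or "").strip()
        args = (exe.findtext("t:Arguments", default="", namespaces=TASK_NS) or "").strip()
        actions.append((cmd, args))
    return actions


def triage_4698(event: dict) -> list:
    """Return the reasons an event deserves analyst review (empty list = benign)."""
    reasons = []
    task_name, creator = event["TaskName"], event["SubjectUserName"]
    if not task_name.startswith("\\Microsoft\\") and creator not in APPROVED_CREATORS:
        reasons.append(f"task outside \\Microsoft\\ registered by unapproved account {creator}")
    for cmd, args in parse_task_actions(event["TaskContent"]):
        binary = cmd.replace('"', "").split("\\")[-1].lower()
        if binary in SCRIPT_HOSTS:
            reasons.append(f"task action runs script host {binary}")
        low = args.lower()
        if "-enc" in low or "-windowstyle hidden" in low:
            reasons.append("task arguments request hidden or encoded execution")
    return reasons


def review(events: list) -> dict:
    """Map each flagged task name to its reasons, dropping benign events."""
    flagged = {}
    for e in events:
        reasons = triage_4698(e)
        if reasons:
            flagged[e["TaskName"]] = reasons
    return flagged


# Constructed task definition (the XML declaration a real record carries is omitted).
TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author"><Exec><Command>{cmd}</Command><Arguments>{args}</Arguments></Exec></Actions>
</Task>"""

# Constructed sample events: a provisioning-tool task, a user-registered hidden
# PowerShell task, and a built-in Microsoft maintenance task.
SAMPLE_EVENTS = [
    {"EventID": 4698, "SubjectUserName": "svc-patchmgmt", "TaskName": "\\Corp\\PatchScan",
     "TaskContent": TASK_XML.format(cmd=r"C:\Program Files\PatchAgent\scan.exe", args="--full")},
    {"EventID": 4698, "SubjectUserName": "jdoe", "TaskName": "\\Updater",
     "TaskContent": TASK_XML.format(cmd=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                                    args=r"-WindowStyle Hidden -File C:\Users\Public\update.ps1")},
    {"EventID": 4698, "SubjectUserName": "SYSTEM", "TaskName": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
     "TaskContent": TASK_XML.format(cmd=r"%windir%\system32\defrag.exe", args="-c -h -o")},
]

if __name__ == "__main__":
    for name, why in review(SAMPLE_EVENTS).items():
        print(name, "->", "; ".join(why))
```

The point of parsing the task XML rather than matching on the raw event text is that the action binary and its arguments are separate fields, so the rule can say "a script host, started hidden, by an unapproved account" instead of a fragile substring match, and the same parser serves for reviewing exported task definitions during incident response.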


Stage #4 Privilege Escalation

The indictment does not contain any directly obvious reference to privilege escalation. This fact in itself is interesting. For the GRU’s mission, that is, data theft, privilege escalation was not necessary in order to achieve its goals.

DS Mitigation advice: Patching operating systems and applications to prevent privilege escalation is important, as well as limiting who has access to admin accounts. It is worth keeping in mind that adversaries may not always need administrative access in order to achieve their goals. Privileged Identity Management (PIM) and Privileged Access Management solutions can provide added oversight to prevent accounts being misused and abused.


Stage #9 Collection

ATT&CK TTP: Data from Local System/Network Shared Drive, Email Collection, Input Capture, Screen Capture, Data Staged, Data from Information Repositories

The GRU team’s mission was to steal data (in particular, research and planning documents) for later use in influence operations. In order to complete this mission, it performed the following actions:

  • Took keylogs and screenshots of targets including capturing the DCCC’s online banking information and passwords in use.
  • “[R]esearched PowerShell commands related to accessing and managing the Microsoft Exchange Server”. This activity was directly related to the theft of thousands of emails from the target organizations.
  • Gained access to the target’s analytics machines that were hosted by a cloud provider. “These computers contained test applications related to the DNC’s analytics. After conducting reconnaissance, the Conspirators gathered data by creating backups, or “snapshots,” of the DNC’s cloud-based systems using the cloud provider’s own technology. The Conspirators then moved the snapshots to cloud-based accounts they had registered with the same service, thereby stealing the data from the DNC”.

DS Mitigation advice: Large amounts of storage being used up unexpectedly is another signal that something potentially suspicious is occurring. Monitoring key servers to ensure that only specific scripts, such as approved PowerShell scripts, are able to run, and that the appropriate logging is in place to record PowerShell and other scripting activity, is important. Audit logs for cloud services (e.g., AWS CloudTrail) need to be periodically reviewed to ensure that sensitive data is not subject to unauthorized access.
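The snapshot technique described in the indictment leaves two distinct traces in CloudTrail: a run of CreateSnapshot calls, and a ModifySnapshotAttribute call that grants createVolume permission to an account outside the organisation. As an added example (not Digital Shadows’ code and not taken from the indictment), the following review script looks for both over a batch of CloudTrail records. The records are constructed to follow the CloudTrail record shape, the account ids are placeholders, and the trusted-account list, burst threshold and window are assumptions a team would set for its own estate.

```python
"""
Added example: reviewing CloudTrail records for snapshot-based data theft.
Not Digital Shadows' code; records are constructed in the CloudTrail record
shape and all account ids are placeholders.
"""
from collections import defaultdict
from datetime import datetime, timedelta

TRUSTED_ACCOUNTS = {"111111111111"}      # assumed: the organisation's own AWS account ids
BURST_THRESHOLD = 3                       # assumed: snapshots per identity that count as a burst
BURST_WINDOW = timedelta(minutes=10)      # assumed: window for the burst rule


def _ts(record: dict) -> datetime:
    return datetime.strptime(record["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def shared_outside_org(record: dict) -> list:
    """Principals outside the org that a ModifySnapshotAttribute call granted createVolume permission to."""
    if record.get("eventName") != "ModifySnapshotAttribute":
        return []
    params = record.get("requestParameters", {})
    if params.get("attributeType") != "CREATE_VOLUME_PERMISSION":
        return []
    items = params.get("createVolumePermission", {}).get("add", {}).get("items", [])
    targets = []
    for item in items:
        if "group" in item:                          # e.g. group "all" makes the snapshot public
            targets.append("group:" + item["group"])
        elif item.get("userId") not in TRUSTED_ACCOUNTS:
            targets.append(item.get("userId"))
    return targets


def snapshot_bursts(records: list) -> dict:
    """Identities that created at least BURST_THRESHOLD snapshots inside BURST_WINDOW."""
    by_actor = defaultdict(list)
    for r in records:
        if r.get("eventSource") == "ec2.amazonaws.com" and r.get("eventName") == "CreateSnapshot":
            by_actor[r["userIdentity"]["arn"]].append(_ts(r))
    flagged = {}
    for actor, times in by_actor.items():
        times.sort()
        for i in range(len(times) - BURST_THRESHOLD + 1):
            if times[i + BURST_THRESHOLD - 1] - times[i] <= BURST_WINDOW:
                flagged[actor] = len(times)
                break
    return flagged


def audit(records: list) -> list:
    """Return findings for external sharing and snapshot bursts."""
    findings = []
    for r in records:
        for target in shared_outside_org(r):
            findings.append({"type": "snapshot-shared-externally",
                             "snapshot": r["requestParameters"]["snapshotId"],
                             "actor": r["userIdentity"]["arn"], "target": target,
                             "time": r["eventTime"]})
    for actor, count in snapshot_bursts(records).items():
        findings.append({"type": "snapshot-burst", "actor": actor, "count": count})
    return findings


ACTOR = "arn:aws:iam::111111111111:user/analytics-admin"   # placeholder identity


def _create(snap: str, when: str) -> dict:
    return {"eventTime": when, "eventSource": "ec2.amazonaws.com", "eventName": "CreateSnapshot",
            "userIdentity": {"arn": ACTOR, "accountId": "111111111111"},
            "requestParameters": {"volumeId": "vol-0placeholder", "description": ""},
            "responseElements": {"snapshotId": snap}}


def _share(snap: str, when: str, item: dict) -> dict:
    return {"eventTime": when, "eventSource": "ec2.amazonaws.com", "eventName": "ModifySnapshotAttribute",
            "userIdentity": {"arn": ACTOR, "accountId": "111111111111"},
            "requestParameters": {"snapshotId": snap, "attributeType": "CREATE_VOLUME_PERMISSION",
                                  "createVolumePermission": {"add": {"items": [item]}}}}


# Constructed records: four snapshots in eight minutes, then three sharing calls.
SAMPLE_RECORDS = [
    _create("snap-0aaa", "2018-07-05T02:00:11Z"),
    _create("snap-0bbb", "2018-07-05T02:03:40Z"),
    _create("snap-0ccc", "2018-07-05T02:05:02Z"),
    _create("snap-0ddd", "2018-07-05T02:08:55Z"),
    _share("snap-0aaa", "2018-07-05T02:12:00Z", {"userId": "999999999999"}),   # external account
    _share("snap-0bbb", "2018-07-05T02:12:30Z", {"userId": "111111111111"}),   # own account: benign
    _share("snap-0ccc", "2018-07-05T02:13:10Z", {"group": "all"}),             # made public
]

if __name__ == "__main__":
    for f in audit(SAMPLE_RECORDS):
        print(f)
```

Sharing with the organisation’s own account id is deliberately treated as benign, so the trusted list is the one thing to get right when adapting this: it should contain every account the organisation legitimately copies snapshots into, and nothing else.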

Stage #10 Exfiltration

ATT&CK TTP: Data Compressed, Data Encrypted, Exfiltration Over Other Network Medium

Once the GRU had collected its targeted data, it needed to move that data out of the target environments for analysis. The GRU then:

  • Compressed and exfiltrated the files that it gathered out of the target networks using the custom “X-Tunnel” tool to an external machine.

DS Mitigation advice: Blocking egress traffic that is not necessary for the organization’s requirements can assist with limiting an attacker’s options in terms of communicating outside of the organization. Web proxies can provide granular controls for restricting egress traffic types and destinations.


The GRU tradecraft presented in the indictment is not necessarily the most technically sophisticated in terms of 0day exploits and exotic command and control (C2) techniques. However, it points to an exceptionally determined adversary. It uses a variety of TTPs in order to compromise its targets and is constantly hunting for the weak points in its targets’ defenses.

Digital Shadows recommends a defense in depth approach to dealing with high-capability adversaries. That is, multiple, partially overlapping security controls that mutually reinforce each other in order to provide increased resiliency to network intrusions. While it may not be possible to keep out all types of adversaries, the more difficult they find it to compromise an organization, the fewer adversaries will be capable of successfully breaching the organization’s defenses.

To learn more, listen to our podcast episode on this topic below:

Digital Risk Protection: Avoid Blind Spots with a More Complete Risk Picture (Tue, 17 Jul 2018 01:20:08 +0000)

“Digital Shadows leads the pack for digital risk protection providers.” Digital Shadows’ customers have been telling us this for years, and now Forrester Research has included us among the vendors who “lead the pack” in the recently released report The Forrester New Wave™: Digital Risk Protection Q3 2018. The Forrester Research report also stated, “Customers extol Digital Shadows for its robust digital risk data and ability to deliver on an aggressive product road map, citing a new queryable deep and dark web search feature as evidence.”

This recognition as a “Leader” continues Digital Shadows’ leadership in digital risk management. We were also named a leader in The Forrester Wave™: Digital Risk Monitoring, Q3 2016.


For me, this milestone and the previous recognition as a leader have been very satisfying. When I left Forrester Research, I wanted to help security leaders and security practitioners to better understand their external risks. Digital Shadows is doing this, and I’m proud to make our customers’ lives easier.

What is Digital Risk Protection?

Digital risk protection consists of monitoring and remediating external risk exposure online. Forrester describes DRP solutions as those that “offer rapid event detection and remediation capabilities so companies can fix issues before bad actors exploit them…. and to limit the effects of successful attacks when they occur.” In this blog, I take a look at the current state of digital risk protection and where I see its future.

The Current State of Digital Risk Protection

One of the topics I frequently discuss with my fellow CISOs is the urgent need to have the most comprehensive view of risks possible. We have such limited resources, and if we are going to effectively leverage our people and budget, we need a more complete risk picture. If you look back over the years, we have an affinity for risk blind spots:

  • Virtual servers. When VMware ESX started getting deployed, the security teams were hands-off as there weren’t any “mission critical workloads” running on them. How long did that last?
  • iPhone (mobile phones). We didn’t fully appreciate the amount of sensitive data that would be on the iPhones. Containerization and Mobile Device Management solutions emerged to address these risks.
  • iPad (tablets). Ever hear stories about radiologists using iPads with unencrypted personal health data on them? Yeah, me neither. #Sarcasm.
  • “We aren’t using the cloud?” Ever hear this? I hear it frequently. Meanwhile: Box, Dropbox, iCloud and others are running with little understanding of the risks. Cloud Access Security Brokers emerged to address these risks.

I place external digital risks and digital risk protection in this category. If we don’t have a better understanding of our digital footprints and what is happening beyond our boundary, we are once again putting our heads in the sand.

Forrester Research discusses these challenges: “Security and risk professionals face an intimidating task: protect vital, incredibly distributed digital footprints without direct control or ownership. It’s a major challenge just to understand an organization’s far-reaching digital ecosystem, let alone protect it.” – New Tech: Digital Risk Protection, Q2 2018

In this new Digital Risk Protection Wave, Forrester adds: “Security pros are turning to digital risk protection (DRP) solutions to deal with the heightened exposure their organizations’ digital infrastructure, assets, and accounts face online.”

I’m delighted with how Digital Shadows fared in this report, especially in terms of what we consider to be validation that our service, SearchLight, received from Forrester and our clients. You can download your own copy of the Forrester New Wave here, but here are my takeaways from the report and thoughts on Digital Shadows:

  • Digital Risk Protection Breadth and Depth in One Tool. We’ve always believed that Digital Risk Management needs to encompass a wide range of sources and should not be siloed to specific areas of online activity. Our coverage of criminal forums, dark web pages, Telegram, social media, search engines, code-sharing sites, paste sites (to name a few) helps us to excel in this area.
  • Strong Dark Web Visibility and Recon Capabilities. As organizations seek to better understand their exposure, we understandably get a lot of questions about the dark web. We’ve been monitoring dark web pages and criminal forums since before it was trendy. More recently, we’ve released Shadow Search; a new feature in our portal that allows our customers to query this information and set up their own alerts.
  • Leading Risk Remediation. It’s great to be able to detect risks online, but if a provider can’t help to remediate this, then you haven’t solved much. In every alert, our analyst team provides context and recommended actions, including the use of our templated and managed takedowns.
  • Industry-Leading Dashboard. We deliver our clients a quick and visual way of understanding their digital risks. Our main dashboard showcases the latest customer-specific alerts so that our clients can immediately identify their top priorities. Extra tabs for our intelligence database, incidents, reporting, and takedowns are also easily-navigable.
  • Rich Partner Ecosystem. Organizations shouldn’t be penalized for consuming our intelligence in ways that make the most sense for them. That’s why we’ve been building out a rich partner ecosystem over the past 2 years. This provides organizations with turnkey integrations into SIEMs, Threat Intelligence Platforms, ticketing systems and automation platforms.
  • Global Reach and Analyst Expertise. Technology is important, but the true power comes when it is combined with analyst expertise. Our analysts help to remove false positives (freeing up time for you), add context, and respond to Requests for Information (RFIs).

If you want to read more on digital risk protection, download the full Forrester New Wave Report.

ShadowTalk Update – 07.16.2018 (Mon, 16 Jul 2018 19:09:12 +0000)

In this week’s ShadowTalk, Digital Shadows’ Russian-speaking security specialist discovered files and source code allegedly related to the Carbanak organized criminal group. The Carbanak malware is a backdoor used by the Anunak (Carbanak) Group to infiltrate financial institutions and steal funds. Richard Gold and Simon Hall join Rafael Amado to discuss the implications for financial services from these revelations. We ask whether this leak represents a threat to organizations, and how businesses can best defend themselves from the techniques used by sophisticated financial criminal groups such as Carbanak. Listen to the latest podcast or read our blog to find out more.



Middle Eastern entities continue to attract cyber attacks

Two APT phishing campaigns have recently been targeting Middle Eastern institutions. Iranian APT group “Charming Kitten” has been linked to a phishing campaign that used a spoofed version of the website of Israeli cyber-security company ClearSky. Charming Kitten used the spoofed website to host login fields to harvest credentials, but the site was rendered offline within three hours of creation. Also during the past week, an APT spearphishing campaign targeted the Palestinian National Authority, along with other Middle Eastern entities. Malicious emails containing a decoy document were sent in conjunction with a malicious executable file. That campaign has not been attributed to a specific group, but there are several similarities to the work of cyber espionage group “Gaza Cybergang”. Given the political climate in the Middle East, comparable activity will likely occur for the medium- to long-term future (three months or at least a year).


Ransomware adopts cryptocurrency miner as alternative payload

A new variant of the Rakhni ransomware was reported on 05 Jul 2018 by cyber security company Kaspersky. Rakhni, first identified in 2013, uses emails containing weaponized documents to entice victims into inadvertently launching a malicious executable. However, the new variant also scans systems to determine the presence of a Bitcoin folder and confirm whether they have one or two logical processors. Depending on the victim’s machine, the malware would encrypt files and demand a ransom, install a cryptocurrency miner or deploy a worm to spread to additional devices. The incorporation of an alternative cryptocurrency payload into a traditionally ransomware-focused variant means that threat actors are still targeting cryptocurrencies, finding this method profitable and effective.


Alleged Carbanak Files and Source Code Leaked: Digital Shadows’ Initial Findings (Wed, 11 Jul 2018 23:02:30 +0000)

Digital Shadows’ Russian-speaking security team discovered a post from 6 July 2018 on exploit[.]in that provided files and source code that were allegedly related to the Carbanak group. On 11 July, these download links were added to Pastebin. We reviewed these files to understand the implications for financial services organizations. Here are our initial findings.

Confusion surrounding the source of the leaks

The Carbanak malware is a backdoor used by the Anunak (Carbanak) Group to infiltrate financial institutions and to exfiltrate funds from the target organization. Since September 2015, a new version of the malware (dubbed Carbanak 2.0) has been in circulation, and its use has not been limited to the activity of the Anunak Group. For example, Carbanak 2.0 has been for sale for $6,000 on criminal forums since 2016 (see Figure 1). In March 2018, law enforcement, who estimated that Carbanak had made over $1 billion, claimed to have caught the mastermind of the Carbanak group.


Figure 1: Carbanak 2.0 offered for sale on Altenen[.]con on 23 July 2016


In this latest development, source code and files that purport to be from the group’s campaigns have been leaked, although there are significant doubts as to whether the malware is actually Carbanak or another malware family.

We also do not know enough about the actors behind the leak and the motivations behind leaking these files and source code. Another post on the same forum, from 10 July, purported to be an archive for Buhtrap (meaning “Accountant Trap”), which also contained code. While this was reportedly leaked several years back, it had not become public.

Malware source code is leaked for a variety of reasons, including by competitors or law enforcement. In the case of the Nuclear Bot banking trojan, this was leaked by the author to gain community trust.


Observations from the alleged Carbanak Leak

Regardless of the identity of the group behind these exposed files, or whether this is Carbanak, this data provides insight into how financial organizations are targeted by criminal groups. After analyzing these files and code, our key findings are:

1. Pegasus (the name of the leaked malware) leverages a range of features to get the job done. Pegasus is a toolset for generating fraudulent payment requests that contain a host of features, including: full-featured Remote Access Trojan (RAT) with credential harvesting, a modified version of Mimikatz, SMB named pipe communication, and a KBRI module for intercepting KBR (a Russian payment system) data exchanges.


Figure 2: A screenshot of a leaked text file

Translation: “mod_KBRI

Module of substitution of payments in the CBD

Module-injector to intercept the process of CBD data exchange and receive from mod_KBRI the swapped data”

2. The group behind the malware has detailed knowledge of bank systems. The leaked files contained a detailed set of instructions on how banks’ fraud detection systems work. This included a 99-point checklist of fraud detection mechanisms and details on how transactions are blacklisted, for example, if the sender’s passport is registered as lost. Organizations should be mindful of the information they expose about their anti-fraud solutions, which evidently provides a key resource for attackers.

3. The group shares detailed instructions on how to make fraudulent payments. The dump included instructions on how to use the toolset for making fraudulent payments. This includes details on the payment workflow regarding how payments are made and approved. Further details are provided on how payment files are moved through the payment system via the transport gateway. The instructions describe under which circumstances a payment is automatic or requires manual approval (the significance of this is explained in observation #5).


Figure 3: A screenshot of the text file containing detailed advice on making fraudulent payments

Translation: “In general, to send your payment through the Central Bank client automated workstation it is necessary:

      1) Find related to the exchange with the Central Bank client automated workstation for the key process uarm.exe and the gateway sending type Astra (AstraC.exe) or UTA (Program Files \ Bank of Russia \ UTA)

      2) In large banks, one or both components may be missing, and their role is to perform specialized software. Either the installation location may not be visible. In such cases, it is necessary to investigate the bank automation solutions (RS-Bank, Diasoft, etc.), file servers, to find out how the payment file is exchanged.

      3) From the Central Bank client automated workstation merge logs (uarm \ log \ folders with date) for the last 7-14 days. On the basis of logs find out the on-off time, the frequency of flights, the settings for file sharing. Depending on the settings, the Central Bank client automated workstation can perform file signing automatically when it appears in certain folders, or the operator (or some other person) may require some intervention to move the file to the desired folder.”


4. A full development cycle is used to produce the malware. The group appears to produce custom malware kits for specific audiences. There is a large amount of code in Pegasus, but it is clear that the group is happy to integrate more tools, should it be appropriate for the job.

5. Key bank personnel are listed. Several spreadsheets were in the dump, including Active Directory backups and a separate list of over 1,000 individuals in senior positions across a range of banks.


The threat to organizations

Despite the source code being available to the public, it’s unlikely that other cybercriminals will make use of the advice for targeting banks’ anti-fraud solutions given the complexity and specificity of the code base. As for the Mimikatz source code, there are indications that the code only affects older versions of Windows (Tweet from the author of Mimikatz:

While the source of the leaked files and source code is unknown, they do provide a good insight into the extent of information attackers collect on their targets, and how the groups bypass their controls.

Although many of these targets were Russian-based banks, global banks should consider paying attention to suspicious logs that have previously been dismissed, and review permissions and revoke them as necessary. As always, we advocate defense-in-depth as the best form of mitigation.

Furthermore, it’s important to remember the human factor. The exposed spreadsheets of individuals in influential positions remind us of how criminals target people, as well as technology. This is particularly important for those individuals responsible for handling payments, who make attractive targets. Organizations should ensure that privileges are reviewed and revoked if necessary.

This post details our initial findings, and we will produce further analysis in the coming week.

Listen to our podcast on this topic here:

To stay up to date with the latest Digital Shadows threat intelligence and research, subscribe to our emails here.

Security Analyst Spotlight Series: Harrison Van Riper Tue, 10 Jul 2018 16:05:10 +0000 Organizations rely on our cyber intelligence analysts to be an extension of their security team. Our global team of analysts provides relevant threat research, much needed context, tailored remediation advice and managed takedown support to make our clients’ jobs easier and more efficient. Crucially, by having analysts within the intelligence and collection cycle, we are able to minimize the real-time false positives that cause nightmares for most organizations.

In our Security Analyst Spotlight Series, we bring our analysts out of the shadows and into the spotlight, showcasing their expertise and interests so you can learn a bit more about a “day-in-the-life” of a Digital Shadows Intelligence analyst.

Name: Harrison Van Riper
Team: Strategic Research
Title: Senior Analyst

Q: How did you get into the field of cybersecurity?

A: While I was earning my bachelor’s degree in Criminal Justice, I took a cybercrime class and it was like something clicked in my head: there was this whole other side of crime that was relatively understudied, but becoming increasingly important. So, when I decided to pursue my graduate degree in Information Technology, I chose to focus on cybersecurity.

One of my professors during my graduate program introduced me to the idea of cyber intelligence analysis, and that’s when I discovered that “cyber threat intelligence” was a relatively new function that businesses and governments were incorporating, and it seemed like a natural entry point with my background.


Q: What areas of cyber security are you most interested in?

A: I’m really interested in how geopolitics affects the cyber security threat landscape, so Advanced Persistent Threat (APT) groups that are linked to nation-states fascinate me. Usually, these groups are linked with espionage activity, driven by the objectives of their respective country governments. Government entities usually receive the brunt of media coverage, but all kinds of organizations could be targeted by a nation-state group; for instance, Chinese APT groups have been observed conducting intellectual property theft to support the Chinese government’s manufacturing needs. While these types of actors are most famously linked to activity against Presidential campaigns (i.e. APT-28, Guccifer 2.0 and the 2016 United States Presidential election), political entities are not the only targets.

Recently, I have been looking into cryptocurrency, researching not only how and why criminals use it, but the risks that financial services companies take on by exposing themselves to this new technology. One of our financial services forecasts we put together at the beginning of 2018 incorporated the sudden rise of cryptocurrencies and blockchain technology as well as the increased discussions regarding potential adoption by financial institutions. There are a lot of different threat vectors that exist within these areas, some of which aren’t fully understood yet even by the cybersecurity industry. But that’s why I am so interested!


Q: What has been your favorite online investigation to work on?

A: A customer came to us with a request for information regarding a publicly reported data breach. An extortion email was sent to the customer stating that as a result of the breach, the attackers had stolen several internal and confidential assets. I’ve done plenty of online investigation training, and I used these skills to analyse the email headers from the extortion letters for an IP address that was linked to infrastructure that had previously been used by a high-profile espionage threat actor. I also discovered that the usernames associated with the extortion email addresses were loosely linked to an identifiable individual through their social media accounts and other email addresses they used. From here we were able to do further profiling of the individual to determine whether they were a credible threat. That was definitely a great feeling to have a tangible and observable line of research that produced a good deliverable for a customer.


Q: What do you do outside work that helps with your job?

A: I try to stay as up to date with current events outside of the cybersecurity bubble as I can. A lot of research goes into cybersecurity reporting, but it’s important to remember that events don’t operate in a vacuum. I think it’s important to look at outside factors that could influence something like a corporate espionage campaign or a denial of service (DoS) attack – such as an increase in geopolitical tensions between states. I also try to work on my technical proficiency by improving my Maltego, Kali Linux and Wireshark skills.


Q: What’s the biggest lesson you’ve learned while training as an intelligence analyst?

A: Be comfortable with receiving criticism for your writing, especially in the beginning. The job of an intelligence analyst is to produce reports that are (usually) heavily text-based, and it would be extremely rare to get something just right on the first draft. But that’s okay! You learn from criticism. I know that I am a better writer today because of the amount of feedback I’ve received on all my reports. At Digital Shadows the analysts all receive specific training on how to produce intelligence reports, learning about the need to be concise and, crucially, precise. Clients don’t have time to read through streams of prose trying to work out what you might be saying.

Additionally, every intelligence shop will have their own “house style guide”. Different reports will be geared for different audiences; if I’m writing a report for a security operations centre (SOC) team then the content will be far more technical than a presentation for a Chief Information Security Officer or board member. The latter are more focused on the broader, more strategic business risks, and it’s important to frame your reporting along these lines so that they see the most value in it.


Interested in hearing more from our intelligence team? Check out our blogs or subscribe to our weekly threat intelligence podcast, ShadowTalk.


Harrison Van Riper is a Senior Analyst for the Strategic Research team at Digital Shadows. He earned his Bachelor’s degree in Criminal Justice and Master’s degree in Information Technology and Management. Harrison is fascinated by the crossover between technology and crime and provides Digital Shadows’ clients with up-to-date threat intelligence.

ShadowTalk Update – 07.09.2018 Mon, 09 Jul 2018 15:28:17 +0000 In this week’s ShadowTalk, Richard Gold and Simon Hall join Rafael Amado to discuss SSL (Secure Sockets Layer) interception, a technique used to inspect HTTPS (Hypertext Transfer Protocol Secure) traffic sent between a client and a web server.

On 30 June, an important Payment Card Industry deadline passed: websites that accept payment cards must no longer support TLS 1.0 (Transport Layer Security) or the older SSL protocols. Man-in-the-middle attacks and data interception are among the primary security concerns for TLS 1.0 and SSL, so the pod looks at how organizations also employ interception techniques for their own security and monitoring purposes. We’ll look into how SSL interception is done, the different reasons for deploying it, and the overall trade-offs for organizations looking to implement these methods.



Typeform breach signifies rising threat to data-collection companies

Data-collection and -analysis company Typeform stated that an unknown cyber-threat actor accessed a partial backup of the company’s data, including client names, email addresses, employers and salaries, among other details. The breach affected a wide variety of companies and information. Personally Identifiable Information (PII) is an increasingly valuable and monetizable commodity for threat actors, who can sell it on criminal marketplaces; use it to commit fraud, such as financial theft or identity theft; or extort the company that held it. With the growing amount of data placed online by individuals, and held online by companies, data collection and aggregation companies are increasingly being targeted. In addition, the notification requirements set out in the EU’s General Data Protection Regulation (GDPR) mean there will simply be more breaches publicly reported.


Hamas aims malicious apps at Israel’s military forces

A new cyber campaign targeting members of the Israel Defense Forces (IDF) has been attributed to the Palestinian Sunni-Islamist organization Hamas. The attackers exploited users’ trust in the Google Play store by uploading fraudulent apps that either referred to the 2018 FIFA World Cup or impersonated dating and fitness apps. Once installed, the apps collected sensitive information stored on the devices. Hamas conducted similar attacks against the IDF in January 2017.


Database of 340 million records left exposed by Exactis

Data-marketing and -aggregation firm Exactis left exposed a database of 340 million records containing PII of 230 million United States citizens and 110 million businesses. It is not known whether malicious actors were able to gain access to this database. Such data is likely to be valuable to threat actors for targeting spearphishing and spam campaigns, as well as for more general attacks, such as guessing the answers to account security questions.


RIG exploit kit uses PROPagate to deliver cryptocurrency miner

The “RIG” exploit kit has been observed using a rare injection technique called PROPagate, which abuses the legitimate Windows window-property mechanism (SetProp and the subclassing properties it stores) to run code in another process, to deliver a variant of Monero cryptocurrency mining malware. Because PROPagate is considered an evasion technique rather than a security flaw, it is unlikely to be patched and will probably continue to be used for malware delivery. Exploit kits are widely used to distribute variants of cryptocurrency mining malware, and this trend will likely continue for the medium- to long-term future (three months to more than a year).


Reducing Your Attack Surface: From a Firehose to a Straw Thu, 05 Jul 2018 16:28:33 +0000 What is Attack Surface Reduction?

Attack Surface Reduction is a powerful tool used to protect and harden environments. It is a broad term that means many things to different people. In this case, we use the OWASP definition: “attack surface describes all of the different points where an attacker could get into a system, and where they could get data out”. Using this definition, it becomes clear that the reduction of this surface is imperative. Removal of unnecessary features is a big part of this process. Why? Because features mean code, which means bugs, which means vulnerabilities, which means exploits. Exploitation of vulnerable code is not the only issue; if a feature has credentials associated with it then good credential hygiene must be applied, otherwise default, weak or stolen credentials become a major problem. It is also a regular occurrence that features end up misconfigured, which can also result in security issues.

When discussing modern IT environments, we typically focus on networked services such as web sites, operating systems and associated applications. However, in the modern era, we also have to deal with cloud and mobile environments. In this blog, we’ll look at how each of these conspire to increase our overall attack surface, while also outlining specific tools and measures that can be used to implement an attack surface reduction program.


One of the biggest challenges with reducing the attack surface of cloud deployments is discovering that there is a cloud deployment at all! Often asset inventory systems are not fit for purpose, particularly when it comes to modern cloud features like AWS Lambda functions or Azure Functions. Development teams need to work with security teams when it comes to spinning up new cloud infrastructure. If API keys are being generated, then they need to be locked down to the minimal set of permissions required to get the job done.


Corporate mobile phones need to be enrolled into a Mobile Device Management (MDM) system so that they can be centrally managed for patching, visibility and application of policies. Employee personal devices can be placed into an internet-only Wi-Fi network separated from the corporate IT network. This allows employees to still access personal resources while not compromising the security of the corporate IT network.


The first step for reducing the network attack surface is to disable all services that are unnecessary. However, in order to do even this first step, it is necessary to know which IP addresses you own, which services are necessary for the business, which are available on these IP addresses, and so on. Many networks we see are locked down to only allow ports 80 and 443 through. Nonetheless, it’s worth keeping in mind that admin panels for Content Management Systems (CMS) are often available over these standard HTTP(S) ports and, similarly, configuration panels for network equipment like firewalls, VPNs, load balancers, etc. can be inadvertently exposed in this way too.

In situations where there is a limited number of IP addresses connecting to a particular service like a business-to-business (B2B) service or a Remote Desktop Protocol (RDP) service, then IP whitelisting can be an effective approach to reducing the attack surface. Obviously, this approach does not scale to consumer-to-business (C2B) services such as retail operations, which require open access.
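The two paragraphs above amount to a reconciliation exercise: what the business approved, what is actually listening, and what the firewall actually lets through. The script below is an added illustration of that exercise written for this page (it is not a Digital Shadows tool) and it assumes three simple input layouts, all constructed here: an approved-service inventory with the source ranges allowed to reach each restricted service, the open ports seen by a scan of the owned address space, and the edge firewall’s allow rules. It reports services nobody approved, restricted services (such as the RDP jump host) whose allow rules are wider than the partner ranges on record, and approved services the scan no longer sees.

```python
import ipaddress

# Constructed inventory: per owned address, the ports the business needs and the
# source networks allowed to reach each one. "any" marks a public (C2B) service.
APPROVED = {
    "203.0.113.10": {443: ("public web", ["any"])},
    "203.0.113.11": {3389: ("jump host RDP", ["198.51.100.0/24"]),
                     443: ("B2B API", ["198.51.100.0/24", "192.0.2.8/32"])},
}

# Constructed scan result: (address, port) pairs found open from the internet.
OBSERVED = [("203.0.113.10", 443), ("203.0.113.10", 8080),
            ("203.0.113.11", 3389), ("203.0.113.11", 443),
            ("203.0.113.11", 22)]

# Constructed edge-firewall allow rules: (destination, port, source CIDR).
ALLOW_RULES = [("203.0.113.10", 443, "0.0.0.0/0"),
               ("203.0.113.11", 3389, "0.0.0.0/0"),   # RDP left open to the world
               ("203.0.113.11", 443, "198.51.100.0/24"),
               ("203.0.113.11", 443, "192.0.2.8/32"),
               ("203.0.113.11", 22, "0.0.0.0/0")]


def audit(approved, observed, rules):
    """Return findings as tuples whose first element is the finding type."""
    findings = []

    # 1. Anything listening that is not in the inventory is attack surface nobody
    #    signed off on (forgotten test service, exposed admin panel, and so on).
    for ip, port in observed:
        if port not in approved.get(ip, {}):
            findings.append(("unapproved-service", ip, port))

    # 2. For restricted services, every allow rule must fall inside one of the
    #    approved source ranges; a 0.0.0.0/0 rule on RDP is the classic miss.
    for ip, ports in approved.items():
        for port, (_name, sources) in ports.items():
            if "any" in sources:
                continue
            allowed = [ipaddress.ip_network(s) for s in sources]
            for dst, dport, src in rules:
                if (dst, dport) != (ip, port):
                    continue
                src_net = ipaddress.ip_network(src)
                if not any(src_net.subnet_of(net) for net in allowed):
                    findings.append(("overbroad-rule", ip, port, src))

    # 3. Approved services the scan did not see: either decommissioned (update
    #    the inventory) or a scan coverage gap (fix the scan). Check either way.
    seen = set(observed)
    for ip, ports in approved.items():
        for port in ports:
            if (ip, port) not in seen:
                findings.append(("approved-but-absent", ip, port))
    return findings


if __name__ == "__main__":
    for finding in audit(APPROVED, OBSERVED, ALLOW_RULES):
        print(*finding)
```

On the constructed data this flags the stray 8080 and 22 listeners and the world-open RDP rule. Note that a port-level check cannot see a CMS or firewall admin panel hiding behind an approved 443; that still needs a path-level review of what the approved web services actually serve.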

It is worth considering here that although your network may be sufficiently hardened, connections into your environment from third party suppliers or partners can be a concern. The ACSC 2017 Threat Report states that: “As it has become more difficult for adversaries to directly compromise their targets, adversaries have sought secondary or tertiary access into primary targets”. It is, therefore, worth keeping in mind that an organization may be a target for the sole reason of their connectivity into other environments.


For hosts, such as those running the Windows operating system, there are many built-in tools that can be used to reduce the attack surface. The “hardentools” application from Security Without Borders disables many of the risky features that are part of Microsoft Windows and Office.

Figure 1: HardenTools application used to disable risky Microsoft Windows features (Source: Security Without Borders)

The tool can be used as a standalone tool or simply as inspiration for internal Group Policy Object (GPO) or other policies that can be deployed. Some of the key features it disables are:

  • Windows Script Host (JavaScript and VBScript via wscript/cscript), which is often used by attackers to gain code execution in an environment.
  • Macros, OLE, ActiveX and DDE for Microsoft Office, as active content is often abused by attackers.
  • Autorun/autoplay for removable media like USB sticks. Although disabling removable media entirely is preferable, there are often cases where it is the only solution for moving files between machines.
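Whether you run hardentools itself or push the equivalent settings by GPO, you will want to verify that the values actually landed on the endpoints. The script below is an added example written for this page (not hardentools’ own code) that checks a registry export (`reg export` output, decoded from UTF-16 to text) for the settings behind the three bullets above. The expected values are the documented Microsoft meanings (WSH `Enabled=0`, Office `VBAWarnings=4` for “disable all macros without notification”, Word `DontUpdateLinks=1` to stop silent DDE/link updates, `NoDriveTypeAutoRun=0xFF` for all drive types); the Office version segment (`16.0`) and the choice of which Office applications to check are assumptions to adjust for your estate. The sample export is constructed.

```python
import re

# Settings to verify, with the value a hardened image should show. Adjust the
# Office version segment (16.0 here) to what is deployed and add PowerPoint etc.
CHECKS = [
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings",
     "Enabled", 0, "Windows Script Host disabled (no wscript/cscript for JS or VBS)"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Security",
     "VBAWarnings", 4, "Word macros disabled without notification"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\Security",
     "VBAWarnings", 4, "Excel macros disabled without notification"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Options",
     "DontUpdateLinks", 1, "Word does not auto-update field links (blocks silent DDE)"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer",
     "NoDriveTypeAutoRun", 0xFF, "Autorun disabled for every drive type"),
]

KEY_RE = re.compile(r"^\[(.+)\]$")
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')


def parse_reg(text):
    """Map (key, value name) -> int for every DWORD in a .reg export.

    Only DWORDs matter for these checks, so string and binary values are
    skipped. Keys and names are lower-cased because the registry is
    case-insensitive. reg export writes UTF-16; decode before calling."""
    values = {}
    key = None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1).lower()
            continue
        m = DWORD_RE.match(line)
        if m and key is not None:
            values[(key, m.group(1).lower())] = int(m.group(2), 16)
    return values


def audit_reg(text):
    """One result per CHECKS entry: pass, fail (wrong value) or missing (unset)."""
    values = parse_reg(text)
    results = []
    for key, name, expected, meaning in CHECKS:
        found = values.get((key.lower(), name.lower()))
        status = "missing" if found is None else ("pass" if found == expected else "fail")
        results.append({"setting": key + "\\" + name, "status": status,
                        "expected": expected, "found": found, "meaning": meaning})
    return results


# Constructed export from a half-hardened workstation: WSH and Autorun are done,
# Word still only warns about macros, Excel and the DDE link setting are untouched.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings]
"Enabled"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Security]
"VBAWarnings"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:000000ff
"""

if __name__ == "__main__":
    for r in audit_reg(SAMPLE_REG):
        print(f"{r['status']:8} {r['setting']}  (expected {r['expected']}, found {r['found']})")
```

A “missing” result is as important as a “fail”: an unset value means the application default applies, which for macros is “disable with notification”, one click away from execution.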

As well as the operating system and office applications, browsers are another key attack surface. Exploit kits and other drive-by download techniques are frequently used by both opportunistic and more targeted, sophisticated groups. Browser attack surface can be reduced by the following measures:

  • Disable unnecessary browser plugins such as Adobe Flash, ActiveX controls, Oracle Java applets and Microsoft Silverlight. Most multimedia is delivered by HTML5 rather than by these other formats.
  • If there is a business requirement for a particular technology or site, then whitelisting the site or technology where appropriate reduces the amount of options that an attacker has.
  • If even this is not possible, use click-to-play (which Google Chrome, for example, supports), so that plugin content only runs after explicit user interaction; an attacker then needs the user to act before an exploit can execute.


By keeping in mind that unnecessary features are providing more options for attackers to enter an environment, an attack surface reduction program helps to increase attacker costs by denying them the straightforward methods for achieving access. Digital Shadows customers will be informed by our infrastructure incidents product feature of services listening on potentially risky external ports.

To find out more about protecting and hardening your environments, listen to our recent ShadowTalk podcast: Episode 29: Reducing Your Attack Surface: From a Firehose to a Straw.




ShadowTalk Update – 07.02.2018 Mon, 02 Jul 2018 15:43:25 +0000 In this week’s ShadowTalk, following news that a database containing 340 million records has been publicly exposed to the internet, Richard Gold and Simon Hall join Michael Marriott to discuss how (and why) you can reduce your attack surface.



Necurs botnet updates delivery payloads and evasion techniques

The Necurs botnet has received multiple updates to the delivery mechanism used in its spam campaigns, as well as to the evasion techniques designed to circumvent security controls. According to analysis by Trend Micro, the botnet delivered the FlawedAmmyy backdoor trojan by abusing Microsoft’s Dynamic Data Exchange (DDE) protocol. Security researchers at Cyber Security Strategists detected Necurs delivering the Ursnif banking trojan to companies in Italy, a first for Ursnif. Ongoing Necurs activity and additional evolution of its tactics and techniques are expected in the short to medium term.
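The DDE abuse mentioned above (and the Office DDE bullet in the attack surface post earlier on this page) works through Word field codes: a `DDEAUTO` instruction that names a program to launch when the document updates its fields. As an added example written for this page (not Trend Micro’s or Digital Shadows’ analysis code), the detector below opens a `.docx`, which is a zip archive containing `word/document.xml`, and reports any field whose instruction begins with `DDE` or `DDEAUTO`. It handles both ways Word encodes a field and, because lure documents split the instruction across several `w:instrText` runs to dodge simple string matching, it joins the runs of each field before matching. The sample document is constructed, with a harmless `echo` in place of a real payload.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

W = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
FLD_SIMPLE, INSTR_ATTR = f"{{{W}}}fldSimple", f"{{{W}}}instr"
PARA, FLD_CHAR, INSTR_TEXT = f"{{{W}}}p", f"{{{W}}}fldChar", f"{{{W}}}instrText"
FLD_TYPE = f"{{{W}}}fldCharType"
DDE_RE = re.compile(r"^\s*(DDE|DDEAUTO)\b", re.IGNORECASE)


def field_codes(document_xml):
    """Yield every field instruction in word/document.xml.

    Covers both encodings: <w:fldSimple w:instr="..."/> and the complex form,
    where the instruction lives in <w:instrText> runs between fldChar
    begin/end markers. The runs of one field are joined before matching."""
    root = ET.fromstring(document_xml)
    for el in root.iter(FLD_SIMPLE):
        yield el.get(INSTR_ATTR, "")
    for para in root.iter(PARA):
        depth, parts = 0, []
        for el in para.iter():          # document order within the paragraph
            if el.tag == FLD_CHAR:
                kind = el.get(FLD_TYPE)
                if kind == "begin":
                    depth += 1
                elif kind == "end" and depth > 0:
                    depth -= 1
                    if depth == 0:      # outermost field closed: emit it
                        yield "".join(parts)
                        parts = []
            elif el.tag == INSTR_TEXT and depth > 0:
                parts.append(el.text or "")


def find_dde(document_xml):
    """Return the field codes that start a DDE or DDEAUTO link."""
    return [code for code in field_codes(document_xml) if DDE_RE.match(code)]


def scan_docx(data):
    """Scan a .docx given as bytes (a docx is a zip with word/document.xml)."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        return find_dde(z.read("word/document.xml").decode("utf-8"))


# Constructed lure: one ordinary paragraph, one DDEAUTO field split over two
# instrText runs (launching a harmless echo), and a benign PAGE field that
# must not be flagged.
SAMPLE_DOCUMENT_XML = f"""<w:document xmlns:w="{W}"><w:body>
 <w:p><w:r><w:t>Invoice attached</w:t></w:r></w:p>
 <w:p>
  <w:r><w:fldChar w:fldCharType="begin"/></w:r>
  <w:r><w:instrText xml:space="preserve"> DDEAU</w:instrText></w:r>
  <w:r><w:instrText xml:space="preserve">TO c:\\windows\\system32\\cmd.exe "/k echo test" </w:instrText></w:r>
  <w:r><w:fldChar w:fldCharType="separate"/></w:r>
  <w:r><w:t>placeholder</w:t></w:r>
  <w:r><w:fldChar w:fldCharType="end"/></w:r>
 </w:p>
 <w:p><w:fldSimple w:instr=" PAGE "><w:r><w:t>1</w:t></w:r></w:fldSimple></w:p>
</w:body></w:document>"""


def build_sample_docx():
    """Pack the sample XML into a minimal zip so scan_docx can be exercised."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", SAMPLE_DOCUMENT_XML)
    return buf.getvalue()


if __name__ == "__main__":
    for code in scan_docx(build_sample_docx()):
        print("DDE field:", code.strip())
```

In a mail gateway or sandbox pipeline the same check should also be run over headers, footers and embedded documents (`word/header*.xml`, `word/footer*.xml`, anything under `word/embeddings/`), since the field does not have to sit in the main body to fire.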

SamSam ransomware introduces new feature to hinder analysis attempts

A new version of the SamSam ransomware has been observed in which the ransomware’s distributors must manually enter a password on the command line to execute the payload. This feature is unique to SamSam among ransomware families observed so far, and appears to have been introduced to prevent security researchers and automated sandboxes from analyzing the payload’s binary code. Thus far, several lucrative attacks have been attributed to SamSam, with future attacks considered highly likely. SamSam has been active since at least December 2015 and was recently responsible for significantly disrupting operations at the Colorado Department of Transportation and services for the government of the City of Atlanta.

United States immigration policy attracts muted hacktivist response

The United States presidential administration’s recent “zero tolerance” immigration policy has attracted a limited hacktivist response, including claims of data leaks and denial of service attacks. However, no evidence supports assertions that targeted websites had been taken offline, and alleged leaked data appeared to be publicly available rather than sourced from a data breach incident.

Lazarus group likely responsible for Bithumb cryptocurrency exchange theft

Recent distribution of the Manuscrypt trojan via malicious Hangul Word Processor (HWP) lure documents has been attributed to the Lazarus group. Several similarities between the malware used during the June 2018 cryptocurrency theft from the South Korean exchange Bithumb and the malware in this latest campaign, combined with references to the Bithumb theft in one Hangul lure document, may indicate the group’s involvement in the Bithumb attack. Lazarus has previously been accused of attacks against cryptocurrency exchanges, so the targeted sector and the tactics used are consistent with its modus operandi. Although attribution had not been confirmed at the time of writing, the evidence from this latest malware campaign adds credibility to the assessment that the Lazarus group was likely responsible for the cryptocurrency theft.

Diversity and Digital Shadows Women’s Network Tue, 26 Jun 2018 15:08:51 +0000 If you haven’t already watched RBG – a movie about the incredible life of U.S. Supreme Court Justice Ruth Bader Ginsburg – you should. Amongst the brilliant quotes Ginsburg brings us, one sticks out: “I ask no favor for my sex, all I ask of our brethren is that they take their feet off our necks”. Gender inequality remains shockingly prevalent, and cybersecurity is far from an exception.

Last week, after months of planning, the Digital Shadows Women’s Network held its first event. It was a great way to share experiences and advice from a range of women in the company; from the developers who built the product six years ago, to the latest hires across the globe. The goal? To promote inclusivity and diversity to create equal opportunities within and outside Digital Shadows. With upcoming events in London, Dallas and San Francisco, I’m excited for the impact this can have.

In a recent podcast, I chatted with colleagues about our experiences in security, as well as the challenges, opportunities and future of women in security. Here’s the three areas that stuck out most for me:


1.    Progress is not quick enough

One of the top ongoing studies in this field is the Women in Cybersecurity report, published every two years. The latest 2017 report found that the global cybersecurity workforce is 11 percent female, up from 10 percent in 2015. That is neither a quick enough nor a substantial enough change. Even the more progressive companies, such as Google, are less than a third female. This must change at a quicker rate for all levels within organizations; from interns to the board.

2.    Diversity of thought has business benefits

With a smaller pool of talent to choose from, businesses feel the strain of this inequality too. With more and more demand for an increasingly limited talent pool, having a culture that doesn’t encourage diversity puts off a sizable chunk of potential recruits.

But there’s more to it than the size of the talent pool. With different perspectives, we’re better able to address challenges differently and avoid groupthink (this is a topic I’ll be addressing in future blogs, so watch out for those!).


3.    Using gender as springboard for wider diversity

It’s important that this isn’t just about women; gender equality applies equally to males. In fact, it was encouraging to see so many males offering support for the Women’s Network.

We should also think of this as a springboard for wider diversity. “Women” in security is not a homogenous block; women of different ethnicities will typically experience different forms of discrimination than their white counterparts. For all involved, we need to be providing equal opportunities, as well as a good work life balance that allows for flexibility amid varying commitments.



To hear more of our thoughts, listen to our podcast on the Women’s Network Launch, and stay tuned for my next blog on the importance of diversity as a whole.


ShadowTalk Update – 06.25.2018 Mon, 25 Jun 2018 14:38:13 +0000 In this week’s ShadowTalk, Simon Hall and Richard Gold join Michael Marriott to discuss the merits and perils of attribution, including the number of characteristics and variables required for a strong attribution, instances where attribution has succeeded, and whether organizations should care.


In the spotlight: TG-3390 deemed responsible for watering hole attacks

A national data center in Mongolia was reportedly compromised by the Chinese state-linked threat group TG-3390 (aka Emissary Panda, APT27, LuckyMouse) to conduct watering hole attacks. Legitimate websites were compromised to infect their visitors’ machines with the “HyperBro” trojan. The group obfuscated its launcher and decompressor with anti-detection techniques taken from the Metasploit penetration-testing framework.


Olympic Destroyer threat group switches target sectors

The Olympic Destroyer threat group, attributed with attacks in February 2018 on entities associated with the 2018 Winter Olympic Games, has changed its focus. Recent information-gathering attacks were observed against financial institutions in Russia and biological and chemical threat-prevention laboratories in Europe. Reporting did not specify which organizations have been targeted to date. The true intentions and motives of the threat group are unknown; information gathering is often an early stage of an operation, so additional attacks attributed to Olympic Destroyer will likely be observed in the short-term future (next three months).


Financial services provider extorted following data breach

South Africa-based financial services provider Liberty Life was subjected to a data breach and extortion attempt by an unidentified threat actor. The company confirmed an individual had requested payment after alerting them to vulnerabilities affecting their systems. Liberty Life subsequently detected unauthorized access to its IT infrastructure, and the theft of sensitive information. This incident highlights a trend of financially motivated threat actors seeking reward for identifying flaws, then exploiting the flaws when payment is not forthcoming. Liberty Life has publicly stated it has no intention of meeting the payment demands.


PoC code released for Adobe Acrobat vulnerability

PoC code for a remote code execution vulnerability affecting Adobe Acrobat, CVE-2018-4990, was published to GitHub on 18 Jun 2018. The flaw was first reported as having been exploited in the wild in March 2018, alongside a Microsoft Windows privilege escalation vulnerability (CVE-2018-8120). If exploited together, the vulnerabilities allow an attacker to gain an initial foothold and bypass sandbox protection mechanisms. The publication of the PoC code is highly likely to encourage its adoption by threat actors with varying motives for other attacks in the immediate future (next few days or weeks).

How Cybercriminals are Using Messaging Platforms Thu, 21 Jun 2018 15:49:15 +0000 Alternative Ways Criminals Transact Online: A Moving Target

Last week, the cracking forum (specialized in tools for gaining unauthorized access to accounts) known as sentry[.]mba announced they were shifting their communication platform from Discord to Internet Relay Chat (IRC), a move caused by a “sudden ban wave” across the Discord platform. But why bother setting up a messaging platform in the first place? As we detailed in our latest report, Seize and Desist, such platforms offer an alternative way of transacting online and a departure from the centralized market model offered by AlphaBay and its predecessors.

In previous blogs, we’ve discussed how the takedowns of AlphaBay and Hansa have led to the adoption of new technologies, such as blockchain DNS, by cybercriminals. This blog focuses on how messaging platforms are another potential route for cybercriminals.


Figure 1: Sentry MBA Twitter account announces move to IRC network


Messaging Platforms Offer Ways to Avoid Detection

Chat networks can be utilized in a number of ways, and are certainly not mutually exclusive with the forum-based approach. Often sellers will advertise their service or product on a particular forum, but rather than deal with buyers on the forum or through its private messaging service, they encourage interested parties to contact them directly on alternative chat networks and messaging platforms. With buyers and sellers spread widely across an increasingly decentralized community, the belief is that it will be more difficult for a law enforcement operation such as Operation Bayonet, which succeeded because users congregated in a single, central location such as a marketplace, to work again. There are many messaging platforms to choose from, including Discord, Skype, Jabber and IRC, but the most popular is Telegram. While these platforms pre-dated the takedowns of AlphaBay and Hansa, actors have increasingly turned to them to transact online.


Popularity of Telegram Continues to Grow

Of all the messaging platforms, it’s Telegram that appears to be experiencing the most growth, with over 5,000 Telegram links shared across criminal forums and dark web sites over the past six months. Of these, 1,667 were invite links to new groups. These covered a range of services, including cashing out, carding, and crypto currency fraud. Within these Telegram channels, sellers post advertisements of their products and services as they would normally do on a marketplace or forum.
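Counts like the ones above come from pulling every Telegram link out of scraped forum and dark web posts and separating private invite links from links to public channels and handles. The snippet below is an added example written for this page, not Digital Shadows’ collection code, showing the core of that step over a few constructed posts. It assumes the link shapes Telegram uses (`t.me/joinchat/<hash>` and the newer `t.me/+<hash>` for invites, `t.me/<name>` and `tg://resolve?domain=<name>` for public handles) and refangs the `hxxp` and `t[.]me` forms analysts commonly see in quoted material; the de-duplication key (invite hash or lower-cased handle) is the editor’s choice.

```python
import re

# Link shapes seen in forum posts. joinchat/<hash> and +<hash> are private
# group invites; t.me/<name> is a public channel, group or user; tg:// forms are
# the app-scheme equivalents. Public names are at least five characters.
TELEGRAM_RE = re.compile(r"""
    (?:https?://)?(?:www\.)?(?:t\.me|telegram\.me)/
        (?: (?P<invite>(?:joinchat/|\+)[A-Za-z0-9_-]+)
          | (?P<handle>[A-Za-z0-9_]{5,}) )
  | tg://(?: join\?invite=(?P<tg_invite>[A-Za-z0-9_-]+)
           | resolve\?domain=(?P<tg_handle>[A-Za-z0-9_]{5,}) )
""", re.IGNORECASE | re.VERBOSE)


def refang(text):
    """Undo common defanging so links quoted in reports still match."""
    return (text.replace("[.]", ".").replace("(.)", ".")
                .replace("[:]", ":").replace("hxxp", "http"))


def canonical(match):
    """Reduce a match to (kind, key): invite hash (case-sensitive) or handle."""
    if match.group("invite"):
        return "invite", match.group("invite").lstrip("+").replace("joinchat/", "")
    if match.group("tg_invite"):
        return "invite", match.group("tg_invite")
    name = match.group("handle") or match.group("tg_handle")
    return "handle", name.lower()


def extract_telegram_links(text):
    """Return every Telegram link in a post as (kind, key) pairs, in order."""
    return [canonical(m) for m in TELEGRAM_RE.finditer(refang(text))]


def summarize(posts):
    """Count invite and handle mentions across posts, plus distinct targets."""
    counts = {"total": 0, "invite": 0, "handle": 0}
    unique = set()
    for post in posts:
        for kind, key in extract_telegram_links(post):
            counts["total"] += 1
            counts[kind] += 1
            unique.add((kind, key))
    counts["unique"] = len(unique)
    return counts


# Constructed forum posts; the invite hash and handles are made up.
POSTS = [
    "Fresh fullz, vouches in the channel: t.me/joinchat/AAAAAEx4mpl3inv1te",
    "contact me on telegram @carder_shop or https://t.me/carder_shop for rates",
    "re-upping the invite hxxps://t[.]me/joinchat/AAAAAEx4mpl3inv1te  (old one died)",
    "tg://resolve?domain=cashout_desk - escrow only",
    "no telegram here, jabber only",
]

if __name__ == "__main__":
    print(summarize(POSTS))
```

The distinct-target count matters as much as the raw share count: the same invite re-posted across forums is one group, not several, and it is the group (and its membership churn) that an analyst tracks.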

One such example is the OL1MP marketplace, a Telegram-based marketplace that provides cashing out services. Cashing out is a way to monetize stolen payment card information. Users can easily select the type of good or service, like drugs or vacations, they wish to purchase with their stolen cards. OL1MP ties in this automated effort with a human touch. As with most marketplaces, reviews are important for attracting new customers. In fact, extra discounts are available for those individuals who post pictures and positive comments from their carded vacations.


Figure 2: OL1MP Telegram channel


In the same way as Tor and I2P are not inherently criminal, nor are messaging platforms. Rather, criminals benefit from the added trust provided by the platforms. While this is an ongoing trend that pre-dates Operation Bayonet, it is yet another example of how criminals have shifted away from the concept of a centralized marketplace. Organizations who wish to track criminal activity online should consider messaging platforms alongside the more traditional forums, message boards and dark web marketplaces.

To find out more about how cybercriminals are shifting away from the marketplace model towards alternative channels, download our report Seize and Desist: The State of Cybercrime in the Post-AlphaBay and Hansa Age.


Five Threats to Financial Services: Part One, Insiders Tue, 19 Jun 2018 15:09:41 +0000 The sensitive and financial data held by banks and financial institutions, as well as their centrality to national infrastructure, makes them an attractive target for cybercriminals and hacktivists. In this blog series, we’ll be shining a light on some of the latest tactics and techniques involving insiders, banking trojans, phishing campaigns and payment card fraud. In future posts, we’ll also peer beyond the cybercrime world to understand whether hacktivism poses a viable threat to the financial sector. Let’s start with insiders.

Criminal forum discussions

It’s not uncommon for insiders to offer their access and information across dark web and criminal sites. These discussions include users asking about the best places to sell insider information, others asking where it can be found, individuals claiming to sell insider access, and other users attempting to recruit insiders. It’s something that we alert our customers to (read our insider use case for more information). The site Intel Exchange (Figure 1), for example, has a dedicated section for insider information discussions. Similarly, Figure 2 illustrates an individual selling insider access to a large mortgage company.


Figure 1: Insider information discussion board on Intel Exchange site


Figure 2: Posts made by user offering insider access to mortgage company


Keyword searches across our dark web spider coverage over only the past six months returned 8,425 mentions of insider trading keywords and phrases on our tracked sites. This data and supplementary manual searches indicate there is substantial interest in insider trading within the online criminal ecosystem.

For example, back in February 2017 (when the site was still operational), an AlphaBay forum user named “asad1199” made multiple posts to the forum claiming to have access to a Society for Worldwide Interbank Financial Telecommunication (SWIFT) payment gateway and sought experienced users to help them monetize it.


Figure 3: Post made to AlphaBay forum by user asad1199 offering SWIFT access


The user claimed to possess “data” that provided full administrator access to this system. The posts claimed that asad1199 would provide information as to where SWIFT transfers should be sent and offered to provide any potential partners with 10-20% of any profits in exchange for their services.  

This user had previously added similar posts to the “Wanted” section of AlphaBay claiming to have access to an Automated Clearing House (ACH) system at a logistics company and an automobile dealership in the United States. In these posts the user offered a bank drop service wherein they would receive payments and then transfer to another account specified by the customer, charging 50% commission.

Specialized insider marketplaces on the dark web

Despite these examples, the most valuable insider information is not typically advertised openly online. Insider access is often a very case-based and demand-driven process that is not well suited to online marketplace or forum models.

Those with privileged access or information will most likely conduct their business in person to avoid raising the suspicions of law enforcement. Large datasets containing personally identifiable information or credit card details, on the other hand, are more easily monetizable and likely to be shared and sold across online forums and marketplaces.

Exclusivity and a level of closed or limited access is significant in the trade of insider access on cybercriminal locations. Insider information only remains valuable while access to it is limited to a small, restricted and trusted group, which is why specialist dark web sites such as The Stock Insider (Figure 4) and KickAss (Figure 5) have ostensibly developed access restrictions to maintain the appearance of legitimacy. Moreover, these restrictions also provide inside sources and buyers with a level of perceived protection, as they will feel their identities are less likely to be exposed or compromised by having too many members in these networks.


Figure 5: Stock Insiders forum homepage



Figure 6: KickAss marketplace homepage advertising insider trading


Of course, we should take these forums with a pinch of salt. The focus on insider trading on KickAss has since been scaled back and the site appears to now cater to a more general criminal community. Threads on other criminal forums and Reddit pages also regularly claim that KickAss is a scam and users were not receiving valid insider trading tips for the membership fee. Membership of the forum requires a monthly fee of 0.25 BTC.

How to Detect Insiders: Don’t Hyper-Focus on the Dark Web

Sites like KickAss and The Stock Insider are illustrative of the interest in insider trading across the dark web and criminal forums. However, you shouldn’t hyper-focus on these sources alone. Organizations should start on the inside: implement the principles of zero trust, know where your toxic data resides, and understand how an insider would monetize that data. Once you have understood this, you can:

  1. Monitor the open, deep, and dark web for mentions of your brand and toxic information.
  2. Work with legal teams to determine the appetite for purchasing items and services sold by potential insiders on criminal forums and market places.
  3. Purchase or use a third party to acquire items and services sold by potential insiders.
  4. Conduct investigations on recruiters and the sellers of goods and services. For example: history of the individual, reputation of the individual, OSINT research, and gathering metadata where possible to aid the investigation.
  5. Don’t forget about the accidental insider; the chances are that you are more likely to have someone send toxic data in a spreadsheet to a third party than to have a malicious insider selling the keys to your kingdom.

Stay tuned for our future blogs on other threats to financial services.


To stay up to date with the latest Digital Shadows threat intelligence and news, subscribe to our threat intelligence emails here.

ShadowTalk Update – 06.18.2018 Mon, 18 Jun 2018 15:34:31 +0000 In ShadowTalk this week, Dr Richard Gold and Simon Hall join Rafael Amado to discuss misconceptions around vulnerabilities and exploits, other techniques for gaining code execution, and how organizations can prioritize the patching of vulnerabilities.



Banco de Chile attackers used wiper malware to obfuscate theft

Fresh analysis of Banco de Chile’s reported 24 May 2018 cyber attack has shed light on the initial tactic, which disrupted online, in-branch and telephone banking services to obfuscate the theft of approximately USD 10 million. The attackers apparently used destructive malware potentially connected to the “Buhtrap Group”, a cyber threat group active between 2015 and 2016. That group formerly targeted financial institutions to conduct financial fraud. However, the Banco de Chile attack cannot be definitively attributed, as the “Buhtrap” malware was publicly released in February 2016. Multi-stage attacks that use disruptive and destructive malware to obfuscate or distract from financial theft will likely continue, as will the exploitation of interbank communication systems for financial gain.


Sensitive data on U.S. Navy projects exposed

Chinese state-affiliated threat actors reportedly stole 614GB of sensitive data from the United States Navy in January and February 2018 by compromising an unclassified network used by a contractor. The stolen data included information on active United States military projects, signals and sensor data, cryptographic systems and an electronic warfare library for the Navy’s development unit. No technical details are currently available, nor could the breach be definitively attributed; however, the type of data exfiltrated would likely be attractive to nation-state actors, or China-linked groups that have previously conducted targeting with objectives similar to this campaign. Contractors’ access to sensitive data will likely continue to present a threat to government and military entities.


UrSnif trojan targets U.S. and Canada

A campaign using tax-related phishing lures to deliver the “UrSnif” banking trojan to bank customers in North America has been identified. Victims were tricked into accessing a URL for more information on overdue taxes. Visiting this URL prompted a download of a ZIP file that contained UrSnif; the malware then checked for the presence of anti-virus products on the victim’s system. The URL was only accessible from IP addresses in the United States and Canada, and research into the sample injection payload indicated that the malware affected only victims who were customers of North American banks, demonstrating that this was a targeted campaign. UrSnif has been widely used since the release of its source code in 2010, and has been aimed at the finance, retail, shipping and manufacturing industries. It will likely continue to be used across a variety of campaigns. Similarly, threat actors are likely to continue to use the North American tax seasons to simulate legitimate communications.


Dixons Carphone reports customer data breach

On 13 June 2018, United Kingdom electronics retailer Dixons Carphone reported a data breach that compromised 5.9 million of its customers’ cards and 1.2 million of customers’ records, which contained personally identifiable information (PII). Although most of the cards had Chip and PIN protection, approximately 100,000 were vulnerable and may be used for financial fraud or sold on criminal forums. Moreover, customers’ exposed PII may be used for a variety of malicious purposes, including social engineering and phishing.


To stay up to date with the latest Digital Shadows threat intelligence and news, subscribe to our threat intelligence emails here.

Security Analyst Spotlight Series: Rafael Amado Thu, 14 Jun 2018 16:27:42 +0000 Organizations rely on Digital Shadows to be an extension of their security team. Our global team of analysts provide relevant threat research, much needed context, tailored remediation advice and managed takedown support to make our clients’ jobs easier and more efficient. Crucially, by having analysts within the intelligence and collection cycle, we’re able to minimize the real-time false positives that cause nightmares for most organizations.

In our Security Analyst Spotlight Series, we bring our analysts out of the shadows and into the spotlight, showcasing their expertise and interests so you can learn a bit more about a “day-in-the-life” of a Digital Shadows analyst.


Name: Rafael Amado
Team: Strategy and Research
Title: Senior Strategy and Research Analyst

Q: What sparked your interest in cyber security and intelligence?

A: I took a less-direct route into the industry, coming from a political economy and policy background. As a predoctoral researcher I focused on military and intelligence relationships during the Cold War, particularly between western nations and those undertaking economic liberalization policies. While working in public policy, I realized there’s a widening knowledge and generational gap between current policy makers and the issues facing the modern world. One of these is technology, and in the realm of international relations where my primary interests lie, the realities of cyber security and cyber warfare are, in general, very misunderstood. I therefore decided I could contribute a lot more to the policy debate in future if I had a strong cyber security background from working several years in the industry.


Q: What areas of research do you focus on?

A: My research areas are very varied, and I’ve covered a lot in my time at Digital Shadows, including looking at how disinformation campaigns are carried out and facilitated by the variety of easily-accessible tools and platforms available online. This research came off the back of the U.S. election activity in 2016, and we were keen to demonstrate how disinformation – which is not a new phenomenon by any means – is more than simply a political issue and affects business as well. Threat actors knowingly spread misleading information for reasons other than politics – for example financial gain or prestige.

Other areas I’ve been heavily involved in include the evolution of cybercrime and threats to major sporting events. Given my language capabilities, I worked closely with sponsors and organizers of the 2016 Olympic Games in Rio de Janeiro, Brazil, to develop monitoring plans for a wide range of threats affecting events of this scale. This included hacktivist activity against government organizations and sponsors, as well as financial crime affecting visitors to Brazil. My area studies knowledge and language capabilities were very useful here to make sense of the very distinctive Brazilian criminal ecosystem, which meant cybercriminals developed bespoke malware and phishing techniques to achieve their goals.  


Q: You’ve recently co-authored a paper on cybercrime following the AlphaBay and Hansa takedowns. What are the most significant developments to come out of that research?

A: The main takeaway here is that the Operation Bayonet, the joint law enforcement effort to seize AlphaBay and Hansa, has not made consumers and organizations safer when it comes to cybercrime. The takedown efforts have had some noticeable effects, namely further damaging trust between users of marketplaces and criminal forums. However, cybercriminals are resourceful and determined, and they’ve reacted by moving away from the marketplace model altogether. Instead, they favour more specialized forums depending on the services they need; those wanting payment cards visit carding forums and Automated Vending Carts, while those in the market for tools and software tend to go to more technical hacking forums. From here a seller will advertise their services, before asking interested buyers to move onto one of many peer-to-peer channels to discuss business and arrange payment.

Rather than an alternative marketplace taking AlphaBay’s place, we’re seeing encrypted messaging platforms such as Telegram and Discord growing in popularity for this type of activity. I should stress that use of these platforms, as well as others such as Jabber and ICQ, pre-date Operation Bayonet, but it’s definitely where cybercriminals operating at this type of level are flocking at this moment in time.


Q: What have been your highlights working at Digital Shadows?

A: Two things stand out. The first would be the recent research paper we produced looking at file exposure through misconfigured network services such as SMB, FTP, NAS drives and S3 cloud storage, Too Much Information: Misconfigured FTP, SMB, Rsync, and S3 Buckets Exposing 1.5 Billion Files. We received great feedback for this from both our customers and the wider security community. What I loved most here was the joint effort that was required to produce this paper. In all honesty, writing it was the easy part. The major difficulty was building the scanning tool in the first place, and we have an incredible team of security engineers and data scientists who built this mammoth tool able to identify over 1.5 billion exposed files in just under three months. I can’t take any credit for that. The research ignited some much-needed conversation about risks emanating from your supply chain and third parties. A vast majority of the examples of exposed files we detected were a result of contractors backing up sensitive documents – such as penetration tests and security audits – on misconfigured NAS drives, but this is often overlooked when people discuss ways to secure their businesses.

The second highpoint would be my work on the WannaCry ransomware attack from 2017. While the days of the attack were stressful and hectic, when things had settled somewhat I was able to put some of my intelligence tradecraft training to use. I composed what we call an Analysis of Competing Hypotheses table that looked at the goals and objectives of the attackers behind the attack. This structured analytic technique is a great way to identify all the available data points for a given problem and then assess their relevance and the reliability of your sources. The table and accompanying blogs were a big success, being featured by SANS and reposted across various industry publications. When colleagues have had briefings with international law enforcement and security organizations around the world, the latter have commented on the strength and nuance of our analysis in that piece. Having that sort of support and recognition from industry peers is both rewarding and motivating.
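The Analysis of Competing Hypotheses table mentioned above can be expressed as a small scoring routine. The following is an added illustration of the technique, not Digital Shadows’ own table or tooling; the incident, hypotheses, evidence items and source-reliability grades are constructed for demonstration and describe no real attack. It shows the two properties the answer points to: evidence is only useful when it is diagnostic (rates hypotheses differently), and the reliability of each source weights how much its contradictions count.

```python
"""Analysis of Competing Hypotheses (ACH) scored as a matrix.

Added illustration of the technique; not Digital Shadows' table or tooling.
The incident, hypotheses, evidence and reliability grades below are constructed
for demonstration and describe no real attack.
"""
from dataclasses import dataclass

CONSISTENT, INCONSISTENT, NEUTRAL = "C", "I", "N"

# Hypothetical weighting: an inconsistency reported by a reliable source counts
# more against a hypothesis than one from a weak source.
RELIABILITY_WEIGHT = {"A": 1.0, "B": 0.75, "C": 0.5}  # A = reliable, C = doubtful


@dataclass(frozen=True)
class Evidence:
    description: str
    reliability: str   # "A", "B" or "C"
    ratings: dict      # hypothesis -> CONSISTENT / INCONSISTENT / NEUTRAL


def is_diagnostic(ev):
    """Evidence helps only if it rates at least two hypotheses differently."""
    return len(set(ev.ratings.values())) > 1


def score_hypotheses(hypotheses, evidence):
    """Return {hypothesis: weighted inconsistency score}; lower is stronger.

    ACH ranks by how much evidence contradicts each hypothesis rather than by how
    much supports it, because supporting evidence is often consistent with
    several hypotheses at once. Non-diagnostic items are skipped.
    """
    scores = {h: 0.0 for h in hypotheses}
    for ev in evidence:
        if not is_diagnostic(ev):
            continue
        weight = RELIABILITY_WEIGHT[ev.reliability]
        for h in hypotheses:
            if ev.ratings.get(h, NEUTRAL) == INCONSISTENT:
                scores[h] += weight
    return scores


def rank_hypotheses(hypotheses, evidence):
    """Hypotheses ordered from least to most contradicted."""
    scores = score_hypotheses(hypotheses, evidence)
    return sorted(scores.items(), key=lambda kv: kv[1])


# Constructed case: three candidate objectives for a defacement-plus-breach incident.
HYPOTHESES = ["H1 extortion", "H2 hacktivism", "H3 opportunistic"]

EVIDENCE = [
    Evidence("Payment demand sent to the victim", "A",
             {"H1 extortion": CONSISTENT, "H2 hacktivism": INCONSISTENT, "H3 opportunistic": INCONSISTENT}),
    Evidence("Defacement page carries a political slogan", "B",
             {"H1 extortion": NEUTRAL, "H2 hacktivism": CONSISTENT, "H3 opportunistic": INCONSISTENT}),
    Evidence("Same tooling seen against hundreds of unrelated hosts", "A",
             {"H1 extortion": NEUTRAL, "H2 hacktivism": INCONSISTENT, "H3 opportunistic": CONSISTENT}),
    Evidence("Attacker named this victim in a public claim", "B",
             {"H1 extortion": CONSISTENT, "H2 hacktivism": CONSISTENT, "H3 opportunistic": INCONSISTENT}),
    # Rated the same for every hypothesis, so it carries no weight at all.
    Evidence("Unverified forum post attributing the attack to a known group", "C",
             {"H1 extortion": CONSISTENT, "H2 hacktivism": CONSISTENT, "H3 opportunistic": CONSISTENT}),
]

if __name__ == "__main__":
    for h, s in rank_hypotheses(HYPOTHESES, EVIDENCE):
        print(f"{h}: inconsistency {s:.2f}")
```

The point of the ranking is that the surviving hypothesis is the one with the least reliable evidence against it, not the one with the most chatter in its favour; the unverified forum post is dropped before any scoring because it would fit every hypothesis equally.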


Q: How do you see Digital Shadows’ research providing value to customers?

A: From a research and public intelligence perspective, being able to understand and translate the goals, motives and modus operandi of threat actors can be very useful to organizations trying to mitigate risks within their business. If you can recognize what an attacker’s objectives are, you are then better placed to identify which of your systems are most at risk. Knowing how threat actors – be it organized cybercriminal groups, nation states or individual hackers – operate means you can systematically develop a model of their behaviour, much like a playbook of their tactics, techniques and procedures. From here you can then identify what critical assets you need to secure, and draw up a defensive security controls checklist that you can apply directly to your environment so these weak points don’t exist. We refer to this as threat modelling.

The other benefit of this type of approach is that organizations often struggle to picture themselves from an attacker’s perspective. A business may be compromised for its own assets – to steal its sensitive data or disrupt its critical systems – but it may also become a secondary victim if its assets can help an attacker reach their primary target. For example, a smaller organization may assume that it is of no interest to a large cybercriminal outfit or sophisticated attacker, but in reality, these attackers may look to the organization’s infrastructure as a staging post or pivot point to achieve their loftier objectives.


Q: What are some of the challenges working in the security research space?

A: Cutting through a lot of the noise in this space and providing insight that is relevant and operationally empathetic isn’t easy, but this is one of the guiding missions for the work that we do at Digital Shadows. In my area specifically, there are a lot of exaggerations and idealized concepts when it comes to what makes “useful intelligence”. Take Common Vulnerabilities and Exposures (CVEs) and patching as an example. Lots of CVEs are being created and reported, but the difficulty for organizations lies in how to prioritize what you patch. There’s an emerging common wisdom that discussions of CVEs on underground forums and chat channels are a good indicator of what vulnerabilities are the most significant and in need of attention. The reality though is that most of these conversations are by individuals who lack the capability to ever exploit a vulnerability, and they are merely sharing news articles between them the same way we do as colleagues in the office. Activity on the dark web and criminal underground generates headlines and looks impressive, but it shouldn’t be the only place researchers look to for their data.

Instead, organizations and their security teams are much better off prioritizing patches of vulnerabilities that are actually being exploited in the wild, not just discussed online. In particular, the focus should be on vulnerabilities that allow for remote code execution and local privilege escalation against ubiquitous applications such as Office, web browsers, content management systems and operating system kernels. Simplifying and narrowing the focus for security teams means they can divert their resources to the right problems. This should be the aim for anyone serious about producing quality security research, but of course, that’s easier said than done.
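The prioritization argument in the answer above, expressed as a scoring function over a vulnerability backlog. This is an added example and not Digital Shadows’ scoring model; the CVE identifiers and all field values are constructed placeholders, not real vulnerability data. Confirmed exploitation in the wild dominates the score, remote code execution and local privilege escalation on ubiquitous software come next, and underground forum chatter on its own moves nothing.

```python
"""Vulnerability triage that weights exploitation evidence over underground chatter.

Added example; not Digital Shadows' scoring model. CVE identifiers and field
values below are constructed placeholders, not real vulnerability data.
"""
from dataclasses import dataclass

# Software classes the answer singles out as ubiquitous attack surface.
UBIQUITOUS = {"office", "browser", "cms", "kernel"}


@dataclass(frozen=True)
class Vuln:
    cve: str
    product_class: str        # "office", "browser", "cms", "kernel" or "niche"
    impact: str               # "rce", "lpe", "dos" or "info"
    exploited_in_wild: bool   # confirmed exploitation, not merely a PoC
    public_poc: bool
    forum_mentions: int       # chatter volume on criminal forums / chat channels
    cvss: float


def priority(v: Vuln) -> float:
    """Higher means patch sooner.

    Exploitation in the wild dominates; RCE/LPE on ubiquitous software is next;
    a public PoC adds a little; CVSS is a tie-breaker. Forum chatter contributes
    nothing on its own and at most +1 when an evidence-based criterion already
    applies, reflecting the view that most underground discussion is
    news-sharing rather than capability.
    """
    score = 0.0
    if v.exploited_in_wild:
        score += 100
    if v.impact in {"rce", "lpe"} and v.product_class in UBIQUITOUS:
        score += 50
    elif v.impact in {"rce", "lpe"}:
        score += 20
    if v.public_poc:
        score += 10
    score += v.cvss  # 0-10 tie-breaker
    if score > 0 and v.forum_mentions > 0:
        score += min(v.forum_mentions, 100) / 100.0
    return score


def triage(vulns):
    """Return the backlog ordered from most to least urgent."""
    return sorted(vulns, key=priority, reverse=True)


# Constructed backlog with placeholder CVE ids.
BACKLOG = [
    Vuln("CVE-0000-0001", "browser", "rce", exploited_in_wild=True, public_poc=True, forum_mentions=5, cvss=7.5),
    # Loudest on the forums, highest CVSS, but a DoS in a niche product with no exploitation.
    Vuln("CVE-0000-0002", "niche", "dos", exploited_in_wild=False, public_poc=False, forum_mentions=900, cvss=9.8),
    Vuln("CVE-0000-0003", "kernel", "lpe", exploited_in_wild=False, public_poc=True, forum_mentions=0, cvss=7.8),
    Vuln("CVE-0000-0004", "office", "rce", exploited_in_wild=False, public_poc=False, forum_mentions=300, cvss=8.8),
]

if __name__ == "__main__":
    for v in triage(BACKLOG):
        print(f"{v.cve}: {priority(v):.2f}")
```

With these inputs the browser RCE that is actually being exploited lands first, the kernel privilege escalation and the Office RCE follow, and the much-discussed but unexploited denial-of-service issue finishes last despite carrying the highest CVSS score.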


Interested in hearing more from our intelligence team? Check out our blog, our Security Analyst Spotlight Series, or subscribe to our weekly threat intelligence podcast: ShadowTalk.



Rafael joined Digital Shadows in 2015 and works as a Senior Strategy and Research Analyst. He has written several articles and papers, and his research regularly features in the international press. His previous research areas include threats to the 2016 Rio Olympics, the 2017 WannaCry attacks, and how organisations and individuals can combat the spread of disinformation and fake news. Alongside Michael Marriott, he co-hosts and produces the Digital Shadows podcast, Shadow Talk. Rafael has a background in International Relations and Political Economy. See his blog posts here.

How Cybercriminals are using Blockchain DNS: From the Market to the Bazar Tue, 12 Jun 2018 15:28:14 +0000 Since the takedowns of AlphaBay and Hansa in 2017, the cybercriminal community has been incorporating alternative technologies to improve both security and trust for those conducting illicit business online. Our latest report, Seize and Desist: The State of Cybercrime in the Post-AlphaBay and Hansa Age, looks at what technologies and processes have been the most popular. In this blog, we focus on one in particular, the use of blockchain DNS, which has seen steady, but not explosive, growth among cybercriminal users.  

What is Blockchain DNS?

Traditionally, when we type a website into an Internet browser, the computer queries a DNS server for an IP address. Essentially, this is the Internet equivalent of a phone book. For example, if we search for digitalshadows[.]com, the computer performs a lookup against a DNS server for the corresponding IP address. The final part of the domain (.com, .de, .uk, .org) is known as a Top Level Domain (TLD) and is controlled by a central authority such as the Internet Corporation for Assigned Names and Numbers (ICANN), Nominet or DENIC.

Blockchain DNS, on the other hand, is an example of a decentralized DNS. Blockchain TLDs – including .bit, .bazar and .coin – are not owned by a single central authority. DNS lookup tables are shared over a peer-to-peer network and use a different technology from traditional DNS requests.

Decentralized DNS offers many benefits such as countering censorship by authorities (for example if a government orders all Internet Service Providers in a country to stop redirecting domains to a relevant IP address), or preventing DNS spoofing, where attackers can insert corrupt DNS data so that the name server returns an incorrect IP address and redirects traffic to an attacker computer. However, decentralized DNS can also be abused by attackers for malicious purposes.   
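Because blockchain TLDs are not delegated from the ICANN root, a client that asks a conventional resolver for a .bit, .bazar or .coin name gets NXDOMAIN back, and a client that actually reaches such a site is using a browser extension or a third-party resolver instead. That makes queries for these TLDs a cheap thing to look for in DNS logs. The following detector is an added example, not Digital Shadows’ tooling; the log format and the query lines are constructed, and the TLD list is the three blockchain TLDs named above plus Tor’s .onion for comparison.

```python
"""Flag DNS queries for blockchain / alternative-root TLDs in resolver logs.

Added example; not Digital Shadows' tooling. The log line format and the
sample queries are constructed. The TLD list is the blockchain TLDs named in
the post (.bit, .bazar, .coin) plus .onion for comparison.
"""
import re
from collections import Counter

# None of these is delegated from the ICANN root, so a normal resolver answers
# NXDOMAIN. A client looking them up is running a blockchain DNS extension or
# pointing at a non-standard resolver, which is unusual on a corporate network.
ALT_ROOT_TLDS = {"bit", "bazar", "coin", "onion"}

# Constructed log format: "<ts> client=<ip> q=<name> type=<rrtype> rcode=<rcode>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) q=(?P<qname>\S+) "
    r"type=(?P<rtype>\w+) rcode=(?P<rcode>\w+)$"
)


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def tld_of(qname):
    """Last label of a query name, ignoring the trailing root dot."""
    return qname.rstrip(".").rsplit(".", 1)[-1].lower()


def find_alt_root_lookups(lines):
    """Parsed records whose query name ends in an alternative-root TLD.

    The match is on the final label only, so 'bitcoin.example.org' is not a hit.
    """
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and tld_of(rec["qname"]) in ALT_ROOT_TLDS:
            hits.append(rec)
    return hits


def summarize(lines):
    """{client ip: number of alternative-root lookups} for triage."""
    return dict(Counter(h["client"] for h in find_alt_root_lookups(lines)))


# Constructed resolver log; 10.1.2.77 is the host worth a second look.
SAMPLE_LOG = """\
2018-06-12T10:00:01Z client=10.1.2.3 q=www.example.com. type=A rcode=NOERROR
2018-06-12T10:00:02Z client=10.1.2.3 q=mail.example.com. type=MX rcode=NOERROR
2018-06-12T10:00:05Z client=10.1.2.77 q=somesite.bazar. type=A rcode=NXDOMAIN
2018-06-12T10:00:06Z client=10.1.2.77 q=somesite.bit. type=A rcode=NXDOMAIN
2018-06-12T10:00:09Z client=10.1.2.9 q=cdn.example.net. type=AAAA rcode=NOERROR
2018-06-12T10:00:11Z client=10.1.2.77 q=shop.coin. type=A rcode=NXDOMAIN
2018-06-12T10:00:15Z client=10.1.2.3 q=bitcoin.example.org. type=A rcode=NOERROR
""".splitlines()

if __name__ == "__main__":
    for client, n in summarize(SAMPLE_LOG).items():
        print(f"{client}: {n} alternative-root lookup(s)")
```

One caveat for anyone deploying this: a browser extension that resolves .bazar names through its own peer-to-peer lookup may never send the query to the corporate resolver at all, so the resolver log only catches clients that try the name conventionally first. Proxy and egress logs are the complementary source.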

Experimenting with Decentralized DNS: Securing Your Stash

In July 2017, the Joker’s Stash, a popular Automated Vending Cart (AVC) site used to purchase stolen payment card details, began using blockchain DNS alongside its established Tor (.onion) domain. Users wanting to access the .bazar version of the site need to install a blockchain DNS browser extension or add-on.


Figure 1: Joker’s Stash .bazar domain

AVCs and other sites used to trade stolen account information have been experimenting with peer-to-peer DNS technology in order to hide malicious activity and, crucially, bullet-proof their platforms. Joker’s Stash was not the first to experiment with decentralized DNS; a group known as The Money Team also created a .bazar domain back in January 2016, again in an attempt to better secure their operations. As blockchain domains do not have a central authority and registrations contain unique encrypted hashes rather than an individual’s name and address, it is harder for law enforcement to perform site takedowns.

OpenBazaar and Decentralized Marketplaces

Blockchain technology has also allowed users to realize alternative models for online marketplaces. The site known as Tralfamadore, for example, uses blockchain as its back-end to store the necessary databases and code to support front-end user interfaces. Transactions are made using cryptocurrency and recorded as smart contracts on the blockchain. This theoretically improves trust among users of the site as all transactions are permanently recorded, meaning that scam vendors can be more easily identified.

Another marketplace using blockchain technology is the site OpenBazaar. This project began in April 2016 and its userbase has increased steadily since then. In the first half of 2018, the number of new users on the site has risen by roughly 4,000, while the items for sale have gone up from 18,000 to over 27,000. Despite these gains, OpenBazaar has not been used for cybercriminal activity to any great extent, and the majority of items listed on the site would not be classed as illicit.


Figure 2: Number of OpenBazaar users and items since late January 2018

Overall, support for decentralized marketplaces is in a nascent stage, and several barriers are still holding back wider adoption among the cybercriminal community. Primarily, the issue with blockchain-based platforms is that all interactions are publicly recorded, complicating private messaging between users. Users prefer more secure instant messaging services such as Jabber, which explains why cybercriminals in the post-AlphaBay and Hansa age have reverted to specialized forums where they can interact with buyers and sellers over Jabber, or directly on Telegram and Discord channels used to advertise everything from compromised accounts and stolen payment cards to counterfeit goods. The next blog in this series will look at these messaging platforms in greater depth.

If you can’t wait until then, download our report Seize and Desist: The State of Cybercrime in the Post-AlphaBay and Hansa Age to find out more on how cybercriminals are shifting away from the marketplace model towards alternative channels.


To stay up to date with the latest Digital Shadows threat intelligence and news, subscribe to our threat intelligence emails here.

Shadow Talk Update – 06.11.2018 Mon, 11 Jun 2018 19:11:18 +0000 In Shadow Talk this week, Dr Richard Gold joins us to discuss the issue of security debt, a term used to refer to the accumulation of security risks over time, such as missed patches, misapplied configurations and mismanaged user accounts. Richard looks into how many of the attacks we see on a regular basis are actually a result of security risks that build up over time, and how security debt is a ticking time bomb for most organizations. In Part II, Harrison Van Riper covers the recent website defacement attack and data breach incident targeting the event ticketing company, Ticketfly.


Data breach and website defacement rock Ticketfly

Event ticketing company Ticketfly took all operations offline pending investigation into a website defacement attack and reported data breach. Ticketfly confirmed the data, which had been uploaded to a public server, was legitimate. The threat actor claiming responsibility has previously been associated with a hacktivist group known for conducting ideologically motivated defacement attacks. However, the attack on Ticketfly appears to be financially motivated since the attacker reportedly demanded payment from Ticketfly in return for disclosure of details regarding the exploitable vulnerability.


Group 123 targets South Korean Naver users with new RAT variant

Distribution of a new remote access trojan (RAT) variant, NavRAT, has been attributed to the North Korean threat group known as Group 123. The group sent South Korean users phishing emails that referenced the upcoming United States–North Korea summit and contained a Hangul Word Processor document featuring malicious macros. Group 123 used the Naver email platform to communicate with its infrastructure and exfiltrate data. Although abusing such legitimate email platforms for this purpose is not a new tactic, this is the first observed campaign to use the popular Naver platform.


RIG exploit kit incorporates new remote code execution flaw

The RIG exploit kit has recently incorporated CVE-2018-8174, a vulnerability affecting VBScript. The vulnerability was originally identified as a “zero day” exploit named Double Kill, with exploitation in the wild attributed to the espionage threat group Dark Hotel. RIG’s quick incorporation of this vulnerability exemplifies threat actors’ rapid uptake of exploits enabling remote code execution, favored due to their increased ability to compromise networks and devices. The kit’s adoption of the flaw was likely enabled by the recent release of proof-of-concept code for it on GitHub. A patch has been released to address this vulnerability.


North Korean threat group ceases attacks on United States energy sector

Covellite, an alleged North Korean threat group attributed with targeting entities in the energy sector, has reportedly ceased attacks against United States–based targets. While the reason for this was unconfirmed, the timing coincides with the United States and North Korean governments’ efforts to improve geopolitical relations. Covellite is a credible threat to the energy sector: it has continued to attack entities in other regions, including Europe and East Asia, and more attacks are considered likely in the short- to mid-term future (next six months).

Security debt resources:


To stay up to date with the latest Digital Shadows threat intelligence and news, subscribe to our threat intelligence emails here.

Threats to the 2018 Football World Cup: Traditional Rules or a New Style of Play? Thu, 07 Jun 2018 16:47:12 +0000 The tension and excitement that precedes all global sporting events is beginning to build towards the start of this year’s Football World Cup in Russia. Levels of expectation will vary between nations, teams and fans alike; however, those concerned with the cyber-related risks surrounding sporting events may need to consider altering their defensive tactics.

Typical Cyber Threats to International Sporting Events

If trends throughout recent major sporting events are to tell us anything, it is that we should expect to see an array of offensive cyber activity during the World Cup this June. The attacks seen at this year’s 2018 Winter Games in PyeongChang fit the mold for activity previously witnessed across sport’s biggest stages. Threats typical to international sporting events include:

  • Phishing sites. Tournament email lures are often used to trick victims into interacting with malicious emails. For instance, fake lottery win notifications and tickets were combined with counterfeit partner websites to harvest credentials and scam football fans in the buildup to the event. Here, phishing sites and emails that were impersonating FIFA played a key role.

Attackers can also register domains impersonating the tournament brand or sponsors and use these to send phishing emails. Organizations and consumers should, therefore, look out for email addresses and websites that mimic official brands. For example, Digital Shadows detected the following domains that did not belong to official organizers of the event: tbc-russia2018[.]ru, welcome2018[.]info, welcome2018[.]co, ioc2018[.]com and welcome2018[.]cn. Although not currently associated with a particular campaign, as many of these domains had mail exchanger (MX) records, it was possible that they could be used in future in phishing attacks to distribute malware or harvest credentials.

  • Hacktivist campaigns. Online activists, often with a political agenda, coordinate targeted attacks such as denial of service (DoS), website defacements and data leaks against the host nation and sponsors. Examples include OpSochi and OpOlympicHacking, two campaigns conducted by the Anonymous hacktivist group that targeted the Winter Olympics in Sochi and the Rio Summer Games respectively. The long-running OpRussia campaign has yet to target entities associated with the World Cup, but participants could realistically use the event as a platform to further protest against government censorship.


Figure 1: OpRussia defacement claim against Russian telecommunications company from May 2018

  • Disruptive malware. Seen most recently in PyeongChang earlier this year, the ‘Olympic Destroyer’ malware, for example, sought to impede the opening ceremony.
  • Attacks on public Wi-Fi users. Tourists and high-value individuals have previously been targeted when traveling by attackers who take advantage of insecure public Wi-Fi connections. The suspected Russian state group, APT-28, used credentials stolen from Wi-Fi networks in hotels to deliver remote access malware to steal information and allow for lateral movement across networks. According to Kaspersky, over a fifth of Wi-Fi hotspots in 2018 World Cup cities were using unreliable networks.
  • Fraud and financial crime. Previous major sporting events have seen a variety of tactics that exploit the large number of tourists that visit host cities. These include ATM skimming, banking scams and point-of-sale (PoS) malware infections used to steal payment card information.
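The phishing-site bullet above describes a monitoring job a defender can automate: watch newly observed domains for brand terms and raise the priority of any that already have a mail exchanger record, since those are ready to send and receive phishing mail. The following triage routine is an added example and not Digital Shadows’ detection logic. The five tournament-themed domains it checks are the ones named in the post (defanged there with [.]); the two benign domains beside them, the watch-list of brand terms, and every MX flag and registration age are constructed sample values, not the result of a live lookup.

```python
"""Triage newly observed domains that may impersonate a tournament or sponsor brand.

Added example; not Digital Shadows' detection logic. The five tournament
domains are the ones named in the post; the other two domains, the watch-list,
and all MX flags and registration ages are constructed sample data.
"""
from dataclasses import dataclass

# Assumed watch-list of brand terms for the event.
WATCH_TERMS = ["russia2018", "welcome2018", "worldcup", "fifa", "ioc2018"]


@dataclass(frozen=True)
class Candidate:
    domain: str               # defanged form as it arrives from a feed
    has_mx: bool              # MX record present (constructed sample value)
    registered_days_ago: int  # constructed sample value


def refang(domain):
    """Turn the defanged 'example[.]com' form back into a hostname."""
    return domain.replace("[.]", ".").lower()


def registrable_label(domain):
    """Second-level label, e.g. 'welcome2018' from 'welcome2018.info'.

    Assumes a plain TLD; a production version needs public-suffix handling so
    that 'brand.co.uk' yields 'brand' rather than 'co'.
    """
    parts = domain.rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def matched_terms(domain):
    label = registrable_label(domain)
    return [t for t in WATCH_TERMS if t in label]


def risk_score(c):
    """0 when no brand term matches. A match gives a base score; an MX record
    raises it because the domain can already handle mail; a registration in
    the last 30 days raises it further."""
    terms = matched_terms(refang(c.domain))
    if not terms:
        return 0
    score = 40
    if c.has_mx:
        score += 40
    if c.registered_days_ago <= 30:
        score += 20
    return score


def triage(candidates, threshold=60):
    """(domain, score, matched terms) for candidates at or above threshold, highest first."""
    rows = []
    for c in candidates:
        score = risk_score(c)
        if score >= threshold:
            rows.append((refang(c.domain), score, matched_terms(refang(c.domain))))
    return sorted(rows, key=lambda r: r[1], reverse=True)


CANDIDATES = [
    Candidate("tbc-russia2018[.]ru", has_mx=True, registered_days_ago=12),
    Candidate("welcome2018[.]info", has_mx=True, registered_days_ago=200),
    Candidate("welcome2018[.]co", has_mx=False, registered_days_ago=5),
    Candidate("ioc2018[.]com", has_mx=True, registered_days_ago=45),
    Candidate("welcome2018[.]cn", has_mx=True, registered_days_ago=3),
    Candidate("example-bakery[.]com", has_mx=True, registered_days_ago=2),        # constructed, no brand match
    Candidate("fifa-tickets-2018[.]net", has_mx=False, registered_days_ago=400),  # constructed, below threshold
]

if __name__ == "__main__":
    for domain, score, terms in triage(CANDIDATES):
        print(f"{score:3d} {domain} ({', '.join(terms)})")
```

The threshold keeps a brand match alone from paging anyone: an old registration with no mail capability is queued for review, while a brand match that can already receive mail, or was registered in the last month, goes to the top of the list.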

The motivations for targeting the event are clearly unlikely to change in Russia with large crowds and extensive media coverage offering similar rewards to those aiming for disruption or financial gain.

Changing Threat Landscape – New Style of Play

By and large, the traditional offensive techniques seen at previous sporting occasions have been focused on disrupting the event or profiting from those in attendance. The increasing use of Internet-connected technology throughout sport, however, could change the threat landscape in future. Advances in this area have undoubtedly expanded the opportunities available to athletes and spectators, but have also opened new avenues for risk. The result is a maturity of the threat landscape that can potentially damage the integrity of sport and add to spectator, sponsor and athlete safety concerns.

Sport in the Technology Era

Sport’s reliance on ‘smart’ technologies has increased year on year. The ‘Internet of Things’ (IoT) now stretches across athlete performance, spectator experience and the optimization of venue infrastructure. Players and coaches share and access performance data through smart watches and tablets; the same technology enhances a viewer’s experience through live stats and player tracking; and stadiums use ‘connected’ systems to control lighting, temperature and recovery facilities. The appeal of ‘smart’ stadiums has likely gone hand in hand with the growing demand for greater profits and prestige among the nations and sponsors that host the biggest sporting events, and their adoption is only set to continue.

At the turn of the year, stadiums in Russia were reportedly being fitted with ‘smart’ technology to keep pace with the infrastructure now expected at major sporting events. The extent to which these stadiums will be vulnerable as a result is hard to predict, but the risks are certainly present. Concerns are rightly raised around sports facilities and stadia, especially the fire safety and access control functions that form part of the ‘connected’ infrastructure we often see at global events.

While we have yet to see attacks against critical safety systems at a major sporting tournament, the prospect is not far-fetched: if a threat group had the chance to manipulate these systems, there is a realistic possibility that it would do so if that furthered its aims. If such attacks are not realized this year, they will become more likely as smart stadiums become the norm.

Bringing the Game Into Disrepute

The process of scoring, judging and reviewing decisions is another aspect of competitive sport that could be threatened via new attack vectors provided by the IoT. Central to the success of a World Cup or Olympic games is the integrity of the results, which can often rely on the use of video replays or precise timing systems. This year’s tournament will be the first to make use of Video Assistant Referees (VAR), a procedure that has come under scrutiny during its trials across various leagues and competitions. Football already produces some of the most controversial sporting situations meaning that any interruption to the use of VAR, or any of the referee’s decisions, would likely have significant consequences for the integrity of the game and its reputation worldwide.

In Summary

Overall, this new style of play is likely to affect events of the future and would come as something of a surprise to those present in Russia this year. Traditional activity, such as phishing sites and World Cup-themed fraud, has already begun. If we do see activity exploiting IoT vulnerabilities, it is likely to be small in scale and unsophisticated; however, we can’t rule out the possibility that threat actors will use this year’s event to test their capabilities.

The 2020 Olympic Games in Tokyo are set to be one of the most ‘connected’ sporting events yet, using smart systems throughout stadiums, public transport and the various sports being played. While we may not see highly sophisticated attacks directed at these systems in Russia this year, their vulnerabilities are unlikely to go unexploited for long. The ongoing opportunities supplied by these technologies are likely to be coupled with a variety of new risks for any industry that employs them. Sport will not be exempt.


To stay up to date with the latest Digital Shadows threat intelligence and news, subscribe to our threat intelligence emails here.

Heir to the AlphaBay and Hansa throne? Mon, 04 Jun 2018 20:20:26 +0000 It’s almost one year since the AlphaBay and Hansa dark web marketplace takedowns, also known as Operation Bayonet. Looking back, no single marketplace has managed to fill the AlphaBay-shaped gap left behind, at least among the English-speaking community. Existing sites such as Dream and Trade Route have failed to consolidate this empty space, hampered by a combination of poor communication by administrators and suspicion that these sites could be police honeypots like Hansa had been. Our latest report, Seize and Desist: The State of Cybercrime in the Post-AlphaBay and Hansa Age, looks at how the criminal ecosystem has developed.

This broad sense of fear and mistrust has also stymied new marketplaces. Without a strong reputation new sites often struggle to get off the ground. And when they do, maintaining that trust and standing is difficult to achieve. We recently blogged on the rapid rise and fall of the Olympus marketplace, which tarnished a growing reputation in seconds after its administrator provoked the ire of its customer base by “hacking” a reddit-style online community called Dread.    

Introducing Marketplace 

One alternative that has been patiently developing in the background is market[.]ms, a marketplace run by founders of the prestigious Exploit[.]in hacking forum. Market[.]ms has been in development since 2015, and the current beta mode has a relatively small userbase (451 members and 79 items for sale according to the latest count).



Figure 1: market[.]ms homepage as it appears to registered users


Despite not being fully-developed, there are several reasons why this particular marketplace has better chances of succeeding than those that have gone before: 

  1. Street cred – Marketplaces live and die by their reputation, and Exploit[.]in holds good standing among both the Russian- and English-speaking cybercriminal communities. The site operates strict vetting and access restrictions, adding a greater sense of legitimacy for the goods and services being sold, and also easing some concerns regarding law enforcement operatives posing as normal users.
  2. Deep pockets – As well as overcoming trust issues, new markets have financial obstacles they need to hurdle. Setting up a new marketplace comes with a variety of hidden costs (a more in-depth discussion of the barriers to entry for new marketplaces will follow in a future blog) that include web development, bulletproof hosting services, bug bounty programs and customer support capabilities. As a well-established and highly popular forum, Exploit[.]in is in a stronger position than most to devote the necessary experience and financial resources to maintain a successful marketplace.
  3. Security and trust focused – Given the climate of fear and uncertainty, the developers of market[.]ms have gone to great lengths to demonstrate their dedication to security and privacy for their users. The site has a dedicated FAQ page for its security features, which includes providing “maximum anonymity”, using “encrypted servers”, carrying out “constant security tests” and “only [requiring] minimum data from users”. The site describes itself as an “automated safe trading platform”, giving “anyone” the opportunity to buy and sell through a built-in guarantor using Bitcoin. Funds can allegedly be withdrawn from the system easily, sellers are guaranteed payment for goods, buyers can challenge low-quality goods, and goods are delivered instantly on purchase.

In a move that is being mirrored by many other forums, market[.]ms also has its own dedicated customer support and official Telegram channels. This is a trend that we’ve noticed more broadly across the criminal ecosystem, with users retreating from the marketplace model in favor of specialized forums operating chat channels on communication networks such as Telegram, Discord and Jabber.


Figure 2: Market[.]ms Telegram channel


  4. Cautious advertising – As well as taking steps to make their site more secure, the brains behind market[.]ms are also taking a guarded approach to online advertising. Rather than marketing the site as far and wide as possible – and potentially soliciting unwanted attention – the only publicly available references to the marketplace at this time are a post on Exploit[.]in with links to the site and a Pastebin page advertising the platform.
  5. Don’t do drugs kids – One of the main reasons why AlphaBay and Hansa became high-priority targets for law enforcement was the sale of illegal substances on the site, particularly fentanyl, which was associated with a large number of deaths worldwide. Market[.]ms, on the other hand, specifically focuses on digital goods such as databases, compromised accounts, malware, exploits, and counterfeit documents. The site also offers services such as VPN access, socks and proxies. While the sale of these goods will still be of concern to law enforcement, it’s likely that market[.]ms will be less of a priority for takedown operations in comparison to sites selling more high-profile items such as narcotics, weapons and abusive content.


Figure 3: Goods and services offered on market[.]ms

Success does not come overnight

While the creators of market[.]ms may be well placed to succeed, the fact that the site has been in development since 2015 and is still only in beta demonstrates that creating and sustaining a prosperous marketplace takes time and can’t be rushed.

In our latest research report, Seize and Desist: The State of Cybercrime in the Post-AlphaBay and Hansa Age, we look at the impact that the AlphaBay and Hansa marketplaces have had on the criminal ecosystem. One year on, it appears as if the marketplace model is in decline, at least for the time being, with cybercriminals turning to alternative platforms and technologies to continue their operations. Market[.]ms may buck this trend, but in the post-AlphaBay age sites have to tread carefully in terms of not being too overt with their advertising, making it clear how they protect their users, while still facilitating enough transactions to remain financially viable.


To find out more on how cybercriminals are acclimatizing to this new environment, download our report: Seize and Desist: The State of Cybercrime in the Post-AlphaBay and Hansa Age.

Shadow Talk Update – 06.04.2018 Mon, 04 Jun 2018 14:12:25 +0000 In this week’s Shadow Talk, Dr Richard Gold joins us to discuss the return of the L0pht hackers. In 1998 the L0pht members testified at a cybersecurity hearing of the United States Senate, warning that any one person in their group could take down the Internet within 30 minutes. 20 years on, we look back on what has and hasn’t changed in the world of information security. In Part II, the team covers recent reporting on the use of military-style tactics such as war gaming and intelligence fusion centers in the financial services industry. We ask whether such tactics are effective, and whether smaller organizations can also employ the techniques being used by some of the world’s largest enterprises.


BackSwap malware switches bank transfer recipient

BackSwap deployed browser manipulation techniques against Windows machines to target Polish online banking users. The malware was delivered in spam campaigns carrying the “Nemucod” downloader, disguised as modified versions of legitimate applications. Once installed, it identified banking sessions and specific transfers by placing event hooks in the Windows message loop, an approach not previously seen in banking malware. Malicious JavaScript was then injected through the browser’s URL address bar, swapping the intended transfer recipient’s details for those of attacker-controlled accounts. The technique works across multiple browsers and sidesteps browser protection mechanisms because it does not inject code into the browser process. The campaign remains active, and BackSwap’s methods will likely be adapted by other banking malware developers.


Canadian banks’ customer data allegedly stolen

In two instances that are likely linked, threat actors reportedly informed the Bank of Montreal and Canadian Imperial Bank of Commerce subsidiary Simplii that they had obtained customer data through an undisclosed method. The legitimacy of the claims could not be independently verified, but statements from the affected banks suggested that the attackers had obtained credible data for up to 90,000 individuals. Some media outlets reportedly received notice of extortion demands against the financial institutions, although the banks did not confirm receiving such demands, and they may have been sent to the press by an unrelated, opportunistic threat actor. At the time of writing, no information on the TTPs used in any associated breach had been reported, nor the date on which any breach occurred.


Chilean bank services disrupted by virus

Banco de Chile confirmed that an undisclosed virus had affected the bank’s networks on 24 May 2018. Reportedly, malware had infected workstations and other assets, thereby disrupting branch and telephone services. Social media posts, apparently made by Banco de Chile customers, also indicated service interruptions to Web platforms, and possible social engineering activity, such as phishing scams. However, the bank stated that customer accounts and transaction security had not been compromised. There have been no details of any TTPs reported, but, given Banco de Chile’s statements, the malware appeared to be disruptive, and could have been used to obscure other malicious activity. It is highly likely that more reporting will emerge in the short to medium term (one week to three months).


US-CERT reveals current Lazarus Group activity

The United States Computer Emergency Readiness Team (US-CERT) released an advisory detailing “HIDDEN COBRA” (aka Lazarus Group) malware that has reportedly been used since 2009. The advisory described “Joanap” (a backdoor trojan) and “Brambul” (a Server Message Block worm), which have been previously associated with the same threat group. US-CERT also highlighted new and ongoing activity associated with the group, including targeted sectors and geographies.

7 Ways The Digital Risk Revolution Changes Risk and Compliance – Webinar Key Insights Wed, 30 May 2018 15:13:35 +0000 Lockpath’s Vice President of Development Tony Rock and I recently conducted a webinar titled “7 Ways the Digital Risk Revolution Changes Risk and Compliance”. Tony is a cyber resiliency advocate who helps organizations assess breakthrough technologies and foster a culture of innovation while protecting intellectual property and managing enterprise risk. If you’re not familiar with Lockpath, their Keylight Platform integrates business processes to simplify risk management and regulatory compliance challenges. In this webinar, we discussed the digital risk trends and real-world enterprise challenges that create serious impacts from a governance, risk and compliance (GRC) perspective. Increased exposure points, things to protect, sophisticated attacks and regulations all create the perfect storm for digital risks and cyber threats.

The world is investing in digital technologies to access more innovative business models, making them more profitable, efficient or effective. This new digital domain, however, features new types of risks that didn’t exist before. Historically, enterprises built castle walls around their valuable “crown jewels”, be that customer PII (personally identifiable information), intellectual property or critical business operations. This perimeter has dissolved in the digital-by-default era. Organizations have supply chains that are more complex and longer than before, meaning we’re hyper-connected, with more data residing outside our company walls with limited visibility and less control. These gaps pose consequences to revenue, brand reputation and customer loyalty. You need fresh approaches to risk and compliance to understand and adapt to emerging cyber threats.

A few highlights from our webinar include:

1. Recognize Risks Beyond the Perimeter: The de-perimeterization of business due to mobile, cloud computing and an extended supply chain helps multiply risks outside of your organization. Digital risks include cyber threats, data exposure, brand exposure, third party risk, VIP exposure, physical threats and infrastructure exposure. Traditional perimeter-focused security solutions can’t comprehensively address these risks because the boundaries have disappeared. Protecting partner, customer and employee data is more difficult today. This greater attack surface poses challenges for organizations facing a shortage of security staff and skills in IT and security. This requires holistic approaches that consider people, processes and technology to increase visibility and compliance effectiveness.

2. Adopt Integrated Risk Management: Evolving into a digital business has truly transformed the business opportunity and competitiveness of many organizations. But organizations operate in silos and often lack communication and coordination. This accelerates enterprise risk and compliance gaps, to say nothing of wasted staff resources and time. I believe that all businesses are becoming digital enterprises with their “digital footprints” extending online into social media, the cloud and even the dark web. Integrated Risk Management (IRM) overcomes these organizational silos and takes a more holistic approach as Gartner’s John A. Wheeler states in his blog on “Seven Ways to Engage the Board on IRM”. The benefits of Integrated Risk Management include improved risk management and decreased time spent on governance and compliance.

3. Learn from Real-World Digital Risk Examples: Executives often ask how the exposures and breaches they read about in the media take place. I shared several scenarios during the webinar that outline how digital risks have negatively impacted organizations. The last World Cup match illustrates how Digital Shadows used digital monitoring to detect threats leading up to the global event. We monitor for digital footprints, the information that is projected, shared and created online by an organization. Attackers have digital footprints too that are detected for insight and context on cyber threats.

Digital Risk examples

If you turn this perspective to data loss, recent research in our white paper “Too Much Information” outlines how misconfigured cloud storage leaves 1.5 Billion files exposed globally on the Internet that threat actors could then exploit. Early detection of incidents reduces the cost to remediate.

4. Communicate the Importance of Digital Risk: Organizations that have historically been unaware of their digital risks now realize that they can no longer ignore them. There is real world evidence and case studies where financial and reputational damage has led to serious outcomes for organizations. Enhanced visibility and focus also help organizations allocate limited resources and better align security to organizational goals. Tony shared that an organization’s risk culture and security maturity can influence their likelihood to incorporate digital risk indicators into their operational processes. While adopting new technologies can pose digital risk management (DRM) challenges, security and information professionals can become more agile and adapt to the technology landscape and evolving cyber threat preparedness. As the Harvard Business Review states in “Boards Should Take Responsibility for Cybersecurity. Here’s How to Do It” (Curry, 2017):

Ideally, boards should eliminate obstacles that prevent organizations from developing a culture of proactive security. Without strong support from executive management and the board, companies are unlikely to develop strong cybersecurity practices. Directors should make sure that OpEx and CapEx are aligned with risk reduction priorities and projects; security is not done for security’s sake. It’s done for the business.

I’ve also seen that Integrated Risk Management is now being elevated as a board of directors-level initiative to establish cross-entity communication and resource investment. This welcomed executive involvement ensures a more strategic approach to risk management and security for all industry sectors, not just the highly regulated ones.

You can watch the webinar “7 Ways the Digital Risk Revolution Changes Risk and Compliance” to learn more about emerging threats and best practices to keep your business and reputation intact, reduce compliance complexity and mitigate digital risk going forward. Cyber security professionals must be responsive to the demands of agile digital-first businesses that lead our thriving economy.



Shadow Talk Update – 05.29.2018 Tue, 29 May 2018 17:49:21 +0000 The focus in this week’s Shadow Talk is on “VPNFilter”, a modular malware with disruptive functionality that has targeted more than 500,000 network infrastructure devices across 54 countries. Recently the malware has been particularly active against Ukraine. The team also covers new research on the TRITON malware targeting industrial control systems, changing techniques used by the Roaming Mantis malware family, and vulnerability updates related to VBScript and the Spectre/Meltdown attacks.


VPNFilter malware infects 500,000 devices

The multi-stage, modular malware VPNFilter has been associated with more than 500,000 infections of “small office home office” (SOHO) routers and network-attached storage (NAS) devices in 54 countries. Active since at least 2016, the malware showed spikes in activity targeting Ukraine in May 2018. Initial entry is likely accomplished through default credentials and known vulnerabilities. The malware includes robust persistence and command and control (C2) mechanisms, plug-ins for C2 communication and traffic sniffing, and a “kill” function that can render a device inoperable. The FBI has since seized control of one C2 domain; however, it is a realistic possibility that attackers continue to control some devices that have not been rebooted. The activity was associated with the Russia-linked threat group “APT-28”, although this was not independently confirmed. Users should reboot and reset routers and apply available patches; note that a reboot clears only the later stages, while the first stage persists across reboots and requires a factory reset to remove.


XENOTIME threat actor attributed to TRISIS malware 

Security company Dragos published details of a threat actor named XENOTIME, which has been linked to attacks against industrial control systems (ICS). The group was associated with the TRISIS/TRITON malware, which targeted critical national infrastructure with disruptive intent. The group, active since at least 2014 and still operational, has expanded its targeting from the Middle East to other geographies, including the United States. XENOTIME demonstrates in-depth knowledge of ICS, including systems other than the Schneider Electric Triconex safety controllers targeted by TRISIS. The group’s tactics, techniques and procedures (TTPs) include watering hole attacks, credential capture and reuse, and command line tools for lateral movement. The shift in target geography likely reflects updated operational objectives, and as this group is likely state-backed, its activity will likely be influenced by inter-state political relationships.


Roaming Mantis malware family updates TTPs

The “Roaming Mantis” (aka Xloader, MoqHao) malware family has updated its TTPs and expanded its target geographies. The malware’s developers had previously deployed only Android malware to capture banking credentials, first using SMS phishing and then DNS hijacking on compromised routers to socially engineer victims into downloading malicious files. The financially motivated group has continued to use DNS redirection, now delivering Android malware, Apple phishing pages and cryptocurrency mining scripts from landing pages in an additional 23 languages. It is not known how the group compromises router DNS settings, but default credentials, brute-force attacks or vulnerability exploitation could all provide access.


Proof of concept (PoC) exploit code published for VBScript vulnerability

Two working PoC exploits for CVE-2018-8174 were published to GitHub on 21 and 22 May 2018. The vulnerability is a use-after-free in the VBScript engine and can enable remote code execution when reached through Internet Explorer. It was reportedly exploited in attacks attributed to the “DarkHotel” espionage group before it was patched, and the release of public exploit code will likely result in widespread additional targeting. Although the vulnerability could be exploited through drive-by download attacks, attackers are more likely to use Word documents to deliver the exploit, because a malicious document can embed an object whose URL moniker makes Word load the exploit page with the Internet Explorer engine regardless of the user’s default browser. Users should apply the patches Microsoft released in its May 2018 security updates.
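The Word delivery path described above leaves a trace in the document package itself: the remote object appears as a relationship that points outside the .docx. The scanner below, an added example that is not part of the original post, lists every external relationship in an OOXML document and flags those that Word would fetch without a click. It assumes the delivery document is a .docx (not a legacy .doc), that the external reference is recorded with `TargetMode="External"`, and that ordinary hyperlinks (which use the same attribute but only fire on a click) should be ignored; the sample document and the 192.0.2.10 URL are constructed for the example.

```python
"""Flag Word documents that pull a remote page into the embedded browser engine.

Added example, not part of the original post.  Assumption: the delivery
document is an OOXML .docx and the remote object shows up as a relationship
with TargetMode="External" (a hyperlink does too, so those are excluded).
"""
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import Dict, List

REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
# Schemes that mean "fetch this from somewhere else" (HTTP, file:// and UNC).
REMOTE_PREFIXES = ("http://", "https://", "file://", "\\\\")
# Relationship types that are External but only act on a user click.
BENIGN_TYPES = {"hyperlink"}


def external_relationships(docx_bytes: bytes) -> List[Dict[str, str]]:
    """List every relationship in the package that points outside it."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as pkg:
        for part in pkg.namelist():
            if not part.endswith(".rels"):
                continue
            root = ET.fromstring(pkg.read(part))
            for rel in root.iter(REL_NS + "Relationship"):
                if rel.get("TargetMode", "Internal").lower() != "external":
                    continue
                found.append({
                    "part": part,
                    # ".../relationships/oleObject" -> "oleObject"
                    "type": rel.get("Type", "").rsplit("/", 1)[-1],
                    "target": rel.get("Target", ""),
                })
    return found


def suspicious_targets(docx_bytes: bytes) -> List[str]:
    """Remote targets that Word would load on open, without a click."""
    return [r["target"] for r in external_relationships(docx_bytes)
            if r["type"] not in BENIGN_TYPES
            and r["target"].lower().startswith(REMOTE_PREFIXES)]


# --- constructed sample, not a real captured document ---------------------
SAMPLE_RELS = (
    '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
    '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink"'
    ' Target="https://example.com/" TargetMode="External"/>'
    '<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"'
    ' Target="http://192.0.2.10/page.html" TargetMode="External"/>'
    '<Relationship Id="rId3" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles"'
    ' Target="styles.xml"/>'
    '</Relationships>'
)


def build_sample_docx(rels_xml: str) -> bytes:
    """Minimal zip with just enough OOXML parts to exercise the scanner."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as pkg:
        pkg.writestr("[Content_Types].xml", "<Types/>")
        pkg.writestr("word/document.xml", "<document/>")
        pkg.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()


if __name__ == "__main__":
    import sys
    # Pass a real .docx path to scan it; with no argument the sample is used.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_docx(SAMPLE_RELS)
    for target in suspicious_targets(data):
        print("remote object target:", target)
```

Run it against the sample and only the oleObject relationship is reported; the hyperlink to example.com is External too but is skipped because it needs a click. The check is deliberately narrow: it will not catch legacy binary .doc files or templates that fetch content through an attachedTemplate relationship unless you add that type to the scan, and a hit only tells you the document reaches out, not that the page it reaches is the exploit.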


Additional Spectre/Meltdown microprocessor vulnerabilities reported

On 21 May 2018 several sources published details of two additional speculative execution side-channel vulnerabilities related to the widely reported Spectre and Meltdown attacks. The vulnerabilities affect Intel, Arm and AMD products and are tracked as CVE-2018-3640 (Variant 3A, Rogue System Register Read) and CVE-2018-3639 (Variant 4, Speculative Store Bypass, a new vulnerability subclass). Exploitation could allow attackers to read sensitive data. No attacks were observed in the wild targeting either vulnerability, or the original Spectre/Meltdown vulnerabilities. Some limited exploit code was published, but it would likely require significant development for successful exploitation. Given the complexity of targeting these vulnerabilities, threat groups are likely to continue using less complex attack vectors. Mitigation advisories were published by several vendors, with more information expected over the coming weeks.
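Once the vendor advisories are applied, the question a practitioner actually has is whether a given host reports itself as mitigated. The script below is an added example, not from the original post: it reads the Linux kernel’s own per-vulnerability status files and reduces them to a short list of what still needs attention. It assumes a Linux host whose kernel exposes /sys/devices/system/cpu/vulnerabilities/ (present since 4.15, with the spec_store_bypass entry added in 4.17); there is no kernel entry for Variant 3A, which is addressed in microcode, so that one is noted rather than checked. The SAMPLE_STATUS dictionary is constructed in the kernel’s own format so the logic can be exercised offline.

```python
"""Summarise the Linux kernel's view of speculative-execution mitigations.

Added example, not from the original post.  Assumes a Linux host whose kernel
exposes /sys/devices/system/cpu/vulnerabilities/ (4.15+; the
spec_store_bypass entry arrived with 4.17).
"""
import os
from typing import Dict, Optional

SYSFS_DIR = "/sys/devices/system/cpu/vulnerabilities"

# sysfs entry -> identifier.  Variant 3A (CVE-2018-3640, Rogue System
# Register Read) is fixed in microcode and has no kernel entry to read.
ENTRIES = {
    "meltdown": "CVE-2017-5754",
    "spectre_v1": "CVE-2017-5753",
    "spectre_v2": "CVE-2017-5715",
    "spec_store_bypass": "CVE-2018-3639 (Variant 4)",
}


def read_sysfs(sysfs_dir: str = SYSFS_DIR) -> Dict[str, Optional[str]]:
    """Raw one-line status per entry; None when the kernel has no such file."""
    status = {}
    for name in ENTRIES:
        try:
            with open(os.path.join(sysfs_dir, name)) as fh:
                status[name] = fh.read().strip()
        except OSError:
            status[name] = None  # older kernel, or not Linux
    return status


def classify(line: Optional[str]) -> str:
    """Collapse the kernel's free text to mitigated / vulnerable / not_affected / unknown."""
    if line is None:
        return "unknown"
    if line.startswith("Not affected"):
        return "not_affected"
    if line.startswith("Mitigation:"):
        return "mitigated"
    if line.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"


def needs_attention(status: Dict[str, Optional[str]]) -> Dict[str, str]:
    """Entries a defender still has to act on, keyed by CVE.

    For spec_store_bypass a 'Mitigation:' line that mentions prctl means the
    fix is opt-in per process (nothing is protected until it asks), so it is
    reported as well rather than treated as done."""
    out = {}
    for name, line in status.items():
        label = classify(line)
        if label in ("vulnerable", "unknown"):
            out[ENTRIES[name]] = label
        elif name == "spec_store_bypass" and "prctl" in (line or ""):
            out[ENTRIES[name]] = "mitigated (opt-in per process)"
    return out


# Constructed sample in the format the kernel uses, for offline use.
SAMPLE_STATUS = {
    "meltdown": "Mitigation: PTI",
    "spectre_v1": "Mitigation: __user pointer sanitization",
    "spectre_v2": "Vulnerable",
    "spec_store_bypass": "Mitigation: Speculative Store Bypass disabled via prctl and seccomp",
}

if __name__ == "__main__":
    for cve, verdict in needs_attention(read_sysfs()).items():
        print(f"{cve}: {verdict}")
```

On the sample, spectre_v2 is reported as vulnerable and Variant 4 is reported as mitigated only per process; a fully patched host prints nothing. Treat "unknown" as a finding too: it usually means the kernel predates the entry, which is itself a reason to update.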


Subscribe to our weekly newsletter to get the latest podcast and other research by Digital Shadows.

Security Analyst Spotlight Series: Rose Bernard Wed, 23 May 2018 15:09:59 +0000 Organizations rely on our cyber intelligence analysts to be an extension of their security team. Our global team of analysts provide relevant threat research, much needed context, tailored remediation advice and managed takedown support to make our clients’ jobs easier and more efficient. Crucially, by having analysts within the intelligence and collection cycle, we’re able to minimize the real-time false positives that cause nightmares for most organizations.

In our Security Analyst Spotlight Series, we bring our analysts out of the shadows and into the spotlight, showcasing their expertise and interests so you can learn a bit more about a “day-in-the-life” of a Digital Shadows Intelligence analyst.

Name: Rose Bernard
Team: Strategic Intelligence
Title: Strategic Intelligence Manager

Q: How did you get into cybersecurity?

A: Before working in cybersecurity I was working in an investigational role, primarily focusing on international counter-narcotics. At the time, the nexus between cyber investigations and cybersecurity strategy was still developing, and so getting involved in it meant that as a relatively junior member of staff I was able to cover a lot of really interesting and complex operational and geopolitical cases I wouldn’t have had the opportunity to otherwise. I was given a lot of freedom and independence to conduct research and create actionable plans, which I really enjoyed.

From there, it was a natural step to take the skills that I’d learnt in an operational context and apply them to cybersecurity research, primarily looking at the deep and dark web. Cybersecurity for me has always been this really interesting space that merges the more traditional geopolitical concepts of power and politics, with this really chaotic space where other threat actors can completely upturn the balance of power.


Q: How have your past experiences prepared you for your role? 

A: Career-wise I’m lucky enough to have worked in a whole spectrum of different roles, so I’ve been able to get a really good understanding of the wider context surrounding cyber incidents. I’ve worked with a wide variety of different people in different countries, so I’ve really been able to soak up a lot of knowledge about things that I wouldn’t necessarily have if I’d stayed on one track. Independent research has always been a big part of my academic career, which has really helped me develop analysis skills. I speak a wide range of languages, including Spanish, French, Italian, German and Portuguese, which is incredibly helpful given the international nature of cybercrime.


Q: What do you do outside work that helps with your job?

A: I’m currently studying for my PhD, where I’m creating a framework for civilian and military organizations to share intelligence and information in pandemics and Public Health Events of International Concern (PHEICs). The practice of independent research is really strengthening my skills, as is the focus on original and critical thought. I’m also learning a lot about the functions of intelligence frameworks, which is helping me provide context to my work at Digital Shadows.


Q: What advice would you give someone wanting to become an intelligence analyst?

A: Get curious. You don’t need to have an academic background in a really niche area to be an analyst (you don’t really need an academic background at all). A lot of the technical skills can be learnt on the job. What you do need is excellent research skills, and to want to join the dots to make sense out of something that might seem unconnected.

Also, get used to hard work, and be prepared to speak up. At times intelligence analysis can be a real slog of just gathering as much information as you can before you start the actual analysis process. And when all that’s done, don’t be afraid to draw conclusions and to have opinions. You’ll have to back them up, but original thinking is one of the most important qualities in intelligence analysis.

Finally, listen. This sector is a real mishmash of people with different skills and experiences, and everyone has a slightly different way of looking at a problem, which can draw out some really interesting and beneficial elements.



Rose Bernard has worked as an intelligence analyst for Digital Shadows since January 2018. Prior to this she worked for Control Risks as a cyber threat analyst, and for the National Crime Agency, where she focused on counter-narcotics in Afghanistan and Pakistan. Rose holds an MA in History and Languages from University College London and is currently gaining her doctorate at King’s College London, where she is creating a framework for intelligence sharing between civilian and military organizations in the case of public health events of international concern (PHEIC). Her particular interests include the evolution of Latin American cybercrime and mapping the dark web. See her blog posts here

Learn more about our Intelligence Analysts in our Security Analyst Spotlight Series.


Interested in hearing more from our intelligence team? Check out our blog or subscribe to our weekly threat intelligence podcast: ShadowTalk.

A New Approach for Channel Security Consultants Tue, 22 May 2018 15:39:54 +0000 Old school security practices simply don’t fit the new IT environment.  Cloud computing, applications and distributed workforces have changed the security game. The days of building perimeter walls still exist, but the walls are disappearing.  This leaves channel security consultants wondering what the right allocation is for security budgets. As indicated in a 2016 SANS report on security spending trends, the goals of an organization often do not match their actual security spend. Compliance and data protection are some of the key drivers in today’s ideal security spend – but is this really where funds are being concentrated? Of course, we all need standard measures such as authentication, firewalls, end-point and malware protection. The question is, how can channel security consultants recommend a solution that doesn’t take away from what’s needed as a baseline and still addresses the true goals of an organization? 

Modern Day Threats    

Security has become more complex with today’s threats and risks. Big breaches have hit the headlines year after year.  What’s the main cause of these breaches?  According to the 2017 Verizon Data Breach report, 81% of hacking-related breaches leveraged stolen or weak passwords. In the more recent 2018 Verizon report, the use of stolen credentials was the leader in the “top 20 action varieties in breaches” (ahead of memory scraping, phishing and privilege abuse). Today’s threat actors are well connected and communicate effectively across messaging platforms, social media, and the deep and dark web to share compromised information such as passwords. So, what strategies and tactics can a channel security consultant deploy to address these security threats? 

A Preventative Approach to Security

Breaches are never expected, which is the reason why organizations should move to a more proactive approach. One-off assessments fail to provide a continuous method to search and hunt for threats and vulnerabilities. I’m not referring to the SOC hunting done once an attacker is present. That’s an escalated procedure that needs to be addressed and repaired immediately. Instead, I mean identifying and capturing the compromised information, data, credentials or vulnerabilities used before an attacker has entered your environment. Here are some examples:

  • Someone squatting or impersonating a domain to harvest credentials
  • Compromised data or credentials shared and sold on criminal forums
  • Employees inadvertently oversharing on social media
  • Third parties compromising data due to weak policies

Wouldn’t it be great if channel consultants could find nuggets of threat-led information for their clients before they were attacked? Using a preventative approach to security can help. If you know the threat before the attack occurs, it’s easier to combat and set your defense (security). This approach allows the team to become more effective in dealing with modern day risks.

A continuous monitoring and management approach across the open, deep and dark web fits the bill for understanding and applying a preventative approach to these risks. Sifting through mounds of alerts, false positives and “gotchas” can be cumbersome for any organization or Managed Security Service Provider (MSSP). More so, a common security challenge we all face is talent. Security talent is hard to find and keep. To best ensure a preventative approach, an analyst needs to be there to contextualise and evaluate the relevance and impact of threats to your particular organization's circumstances. This can be a member of your security operations team or a vendor's. Having a client chase their tail on real-time false alerts can cost more money than it's worth.

Rebalance Security Spending

Most financial advisors will comment on rebalancing your 401K when the market shifts.  When stocks go up, your allocation is most likely higher due to markets changing.  In the case of security, consultants should consider rebalancing their client’s allocation of security spend to address modern day threats and risks. A consultant approach to security budgets should address the methods of harvesting and capturing data or compromised credentials before they are used in an attack. A little more security allocation in the preventive bucket can greatly reduce the amount the organization would spend if they are compromised and breached.


About Digital Shadows’ Channel REV Partner Program

Digital Shadows enables organizations to manage digital risk by identifying and eliminating threats to their business and brand. Channel partners leverage Digital Shadows to monitor for digital risk across the widest range of data sources within the open, deep and dark web to deliver tailored threat intelligence, context and actionable remediation options that enable security teams to be more effective and efficient. Our partners help their clients protect their data when exposed, if employees or third parties put them at risk, or if their brand is being misused. To learn more, visit
To stay up to date with the latest Digital Shadows threat intelligence and news, subscribe to our threat intelligence emails here.

Shadow Talk Update – 05.21.2018 Mon, 21 May 2018 13:26:50 +0000 In this week’s episode of Shadow Talk, Digital Shadows’ Head of Security Engineering, Dr Richard Gold, joins the pod to explain the EFAIL vulnerability affecting OpenPGP (Pretty Good Privacy) and S/MIME (Secure/Multipurpose Internet Mail Extensions), as well as other flaws identified in encrypted messaging platforms. Dr Gold also outlines the factors you should be considering to prioritize your patching.

In part two, we look at the $15 million thefts in Mexico and outline the risks facing interbank payment systems.

Millions stolen from Mexican banks using interbank system

More than $15 million was reportedly stolen from Mexico-based banks by unidentified attackers who submitted fraudulent transfer orders via the SPEI, an electronic payment system developed and operated by Banco de México. The April 2018 theft subsequently forced Mexican banks to adopt contingency plans for interbank payments. Flaws in third-party software were likely used to access the SPEI, drawing comparisons to previous thefts that exploited the SWIFT interbank platform. More details are likely to be released in the short-term future (within three months).


SilverTerrier phishing attacks secure USD 3 billion profit to date

A collective of predominantly Nigeria-based threat actors, known as SilverTerrier, has delivered phishing attacks using information-stealing malware and remote-access trojans against targets in multiple sectors and regions. The threat actors demonstrated a range of technical skills, but also some poor operational security practices, including using the same credentials to register malicious domains and personal social media profiles. According to law-enforcement estimates, the attacks equate to more than $3 billion in losses from the targeted companies to date.


Proof of concept attacks decrypt PGP and S/MIME encrypted emails

On 14 May 2018, three universities collaborated to outline two proof-of-concept attacks that allow emails sent using OpenPGP and S/MIME to be displayed in plaintext under certain conditions. PGP is an encryption program that provides cryptographic privacy and authentication, and S/MIME is a standard for public-key encryption of email. The “EFAIL” attacks require existing access to the encrypted emails. In the first attack, a threat actor could hypothetically abuse the way certain email clients handle Hypertext Markup Language (HTML) in PGP or S/MIME emails to decrypt and exfiltrate the ciphertext to an attacker-controlled web address. The second attack relied on attackers having existing knowledge of a plaintext block, and largely affected the Cipher Block Chaining (CBC) gadget in S/MIME; it could be used to decrypt multiple emails. Given the potential access to encrypted data, if deployed, this attack vector would likely be used by threat actors with highly specific intelligence-gathering aims and substantial intent and resources.
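The first EFAIL variant described above depends on the mail client fetching remote content from HTML parts when it renders a message. The following added example (not code from the post, nor from the EFAIL researchers) is a stdlib-only Python check that a gateway or client plug-in could apply before rendering: it flags elements that would trigger a remote fetch and refuses to render them at all when the message also carries an encrypted part. The sample messages, the example.org and tracker.example hosts and the placeholder pgp-encrypted part are constructed for the example.

```python
# Added example, not code from the Digital Shadows post: a stdlib-only check for
# the client behaviour EFAIL's direct-exfiltration variant abuses, i.e. HTML body
# parts whose elements make the mail client fetch a remote resource when rendered.
# Policy: strip such references on render; never render them at all when the
# message also carries an encrypted part. All messages below are constructed.
import email
import re
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlsplit

REMOTE_SCHEMES = {"http", "https", "ftp"}
ENCRYPTED_TYPES = {"multipart/encrypted", "application/pgp-encrypted", "application/pkcs7-mime"}
# Attributes that cause a network request as soon as the element is rendered.
FETCH_ATTRS = {
    "img": ("src", "srcset"), "source": ("src", "srcset"), "link": ("href",),
    "script": ("src",), "iframe": ("src",), "object": ("data",), "embed": ("src",),
    "video": ("src", "poster"), "audio": ("src",), "input": ("src",),
}
CSS_URL = re.compile(r"url\(\s*['\"]?([^'\")\s]+)", re.IGNORECASE)  # inline CSS url(...)

def _is_remote(value: str) -> bool:
    """True if a URL (or any candidate of a srcset list) points at a network host."""
    for candidate in value.split(","):
        tokens = candidate.strip().split()
        if not tokens:
            continue
        parts = urlsplit(tokens[0])
        if parts.scheme.lower() in REMOTE_SCHEMES:
            return True
        if not parts.scheme and parts.netloc:  # protocol-relative //host/path
            return True
    return False  # cid:, data:, mailto: and relative paths stay local

class RemoteRefFinder(HTMLParser):
    """Collects (tag, attribute, url) for every remote reference in the HTML."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for name in FETCH_ATTRS.get(tag, ()):
            value = attrs.get(name)
            if value and _is_remote(value):
                self.findings.append((tag, name, value))
        for url in CSS_URL.findall(attrs.get("style") or ""):  # style="background:url(...)"
            if _is_remote(url):
                self.findings.append((tag, "style", url))

def assess(raw_message: bytes) -> dict:
    """Scan a raw RFC 5322 message and decide how its HTML may be rendered."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    finder = RemoteRefFinder()
    encrypted = False
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype in ENCRYPTED_TYPES:
            encrypted = True
        elif ctype == "text/html":
            # All HTML parts go through one parser: a vulnerable client renders
            # the body parts as a single document, so a reference that spans a
            # part boundary would be missed if each part were checked alone.
            finder.feed(part.get_content())
    finder.close()
    if not finder.findings:
        verdict = "render"
    elif encrypted:
        verdict = "block"         # no remote fetches alongside ciphertext
    else:
        verdict = "strip-remote"  # render with the flagged elements removed
    return {"remote_references": finder.findings, "encrypted_part": encrypted,
            "verdict": verdict}

def build_sample(html: str, attach_encrypted: bool) -> bytes:
    """Constructed test message (not a captured email)."""
    msg = EmailMessage()
    msg["From"], msg["To"] = "sender@example.org", "recipient@example.org"
    msg["Subject"] = "constructed sample"
    msg.set_content("Plain-text fallback.")
    msg.add_alternative(html, subtype="html")
    if attach_encrypted:  # placeholder standing in for a real PGP/MIME ciphertext part
        msg.add_attachment(b"-----BEGIN PGP MESSAGE-----\n...\n-----END PGP MESSAGE-----\n",
                           maintype="application", subtype="pgp-encrypted",
                           filename="encrypted.asc")
    return msg.as_bytes()

SAMPLE_PIXEL_WITH_CIPHERTEXT = build_sample(
    '<p>Figures attached.</p><img src="https://tracker.example/open.gif" width="1">', True)
SAMPLE_CSS_BACKGROUND = build_sample(
    '<div style="background:url(\'//cdn.example/bg.png\')">Hello</div>', False)
SAMPLE_INLINE_ONLY = build_sample(
    '<p>Hello</p><img src="cid:logo@example.org" alt="logo">', False)
```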


Cryptocurrency miner targets Oracle WebLogic vulnerability

Threat actors using the CoinMiner cryptocurrency malware are actively targeting a remote code execution flaw affecting the application server Oracle WebLogic. There has been a recent uptick in attacks targeting the vulnerability, designated CVE-2017-10271. The infection process resembled that of another recent attack in February 2018, which distributed mining malware by exploiting a flaw in the Apache database software CouchDB; it was possible the same threat actor was responsible for both campaigns, though this was unconfirmed. Patches are available to address the vulnerability, but more attempts at exploitation are highly likely.


Subscribe to our weekly newsletter to get the latest podcast and other research by Digital Shadows.

Patch Priorities: 10 Vulnerabilities You Should Pay Attention To Thu, 17 May 2018 14:30:06 +0000 Not all vulnerabilities are created equal, and those that have been exploited by threat actors carry more weight. Last month, Digital Shadows reported on ten software vulnerabilities that were publicly exploited by threat actors. The motives for these attacks included information theft, espionage, financial profit, and disruption. The three key takeaways were:


  1. Drupal vulnerabilities among the highest severity vulnerabilities. CVE-2018-7600 is a remote code execution (RCE) vulnerability affecting versions of the Drupal content management system (CMS). According to public reports, this was the most targeted vulnerability in April 2018 by actors conducting cryptocurrency mining activity, but the flaw was also exploited to create a botnet to conduct distributed denial of service (DDoS) attacks. Similarly, another vulnerability identified by Drupal was CVE-2018-7602. Security patches have been released, but a threat actor has already reportedly exploited the vulnerability to deface a Ukrainian government website. Both Drupal vulnerabilities are highly likely to continue to be exploited in the near future.
  2. Eternal blues. Attackers continue to exploit the vulnerabilities CVE-2017-0145 and CVE-2017-0143, also known as ETERNALROMANCE and ETERNALBLUE. These exploits were publicly released by the Shadow Brokers threat group in April 2017 and have been used in a variety of campaigns to date. Both attacks exploiting these flaws in April 2018 were financially motivated: a cryptocurrency campaign and a ransomware campaign.
  3. CVE-2017-11882 has longevity. This Microsoft Office memory corruption vulnerability, which allows remote code execution, has been targeted repeatedly since November 2017, when proof of concept code was publicly leaked, despite the release of security patches addressing the flaw. More attempts to exploit this vulnerability are highly likely in the short-term future (next three months).


The table below provides an overview of the vulnerabilities, including an indication of how widely they were discussed across social media and other sources of potential insight into their popularity. Specifically, it shows: 

  • A CVE reference number and hyperlink to the United States National Vulnerability Database (NVD)
  • A description of the vulnerability type and affected system versions
  • The number of incidents Digital Shadows reported on this vulnerability during April 2018
  • The severity of the vulnerability as assigned by the NVD
  • A current status on whether a patch is available, and hyperlink to additional relevant details
| CVE Number | Description | Observed Motivations | Number of DS incidents | CVE score | Patch status |
|---|---|---|---|---|---|
| CVE-2018-7600 | RCE vulnerability affecting Drupal CMS versions before 7.58, 8.3.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1. | Financial and Disruption | 3 | Critical | Patch available |
| CVE-2017-8570 | RCE vulnerability in Microsoft Office. | Information Theft | 2 | High | Patch available |
| CVE-2018-7602 | RCE vulnerability affecting Drupal Core 7.x and 8.x. | Financial and Disruption | 1 | TBD, awaiting analysis | Patch available |
| CVE-2016-3353 | RCE vulnerability affecting Microsoft Internet Explorer 9 through 11. | Financial | 1 | High | Patch available |
| CVE-2018-0802 | RCE vulnerability affecting Equation Editor in Microsoft Office 2007, 2010, 2013 and 2016. | Information Theft | 1 | High | Patch available |
| CVE-2018-0171 | RCE vulnerability in the Smart Install feature of Cisco IOS Software and Cisco IOS XE Software. | Disruption | 1 | Critical | Patch available |
| CVE-2015-3636 | Local privilege escalation in the Linux kernel before version 4.0.3. | Information Theft | 1 | Medium | Patch available |
| CVE-2017-11882 | Vulnerability in Microsoft Office 2007 Service Pack 3, Office 2010 Service Pack 2, Office 2013 Service Pack 1 and Office 2016 permitting an attacker to run arbitrary code. | Financial | 1 | High | Patch available |
| CVE-2017-0145 | RCE vulnerability in the Server Message Block (SMB) v1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; Windows 10 Gold, 1511 and 1607; and Windows Server 2016. | Financial | 1 | High | Patch available |
| CVE-2017-0143 | RCE vulnerability targeting the SMB v1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; Windows 10 Gold, 1511 and 1607; and Windows Server 2016. | Financial | 1 | High | Patch available |

Table 1: Summary of vulnerabilities reported as exploited in April 2018


It’s a constant challenge to understand which patches you ought to prioritize applying, but this blog provides information that can help to feed into your decision. If you are running the applications, systems and services listed, these are the 10 vulnerabilities you should be paying attention to. The next post in this series will provide a similar analysis of vulnerabilities for May 2018.
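As an added example (not the post's own code), Table 1 can be turned into a ranked patch queue that encodes the post's argument: observed exploitation comes ahead of NVD severity alone, and an unscored flaw that is already being exploited is not pushed to the bottom for lack of a rating. The CVE, incident, severity and patch values are Table 1's; the product shorthand, the weighting and the "products you run" filter are this example's assumptions.

```python
# Added example, not code from the Digital Shadows post: rank the April 2018
# table as a patch queue in which observed exploitation outranks NVD severity.
# The weighting and the product shorthand are this example's own assumptions.
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set

SEVERITY_RANK = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1}


@dataclass(frozen=True)
class Vuln:
    cve: str
    product: str          # shorthand used for the "do we run this?" filter
    incidents: int        # Digital Shadows incidents reported in April 2018
    nvd_severity: str     # "TBD" where NVD had not yet scored the flaw
    patch_available: bool


# Rows from Table 1 of the post; product names are this example's shorthand.
APRIL_2018 = [
    Vuln("CVE-2018-7600", "Drupal", 3, "Critical", True),
    Vuln("CVE-2017-8570", "Microsoft Office", 2, "High", True),
    Vuln("CVE-2018-7602", "Drupal", 1, "TBD", True),
    Vuln("CVE-2016-3353", "Internet Explorer", 1, "High", True),
    Vuln("CVE-2018-0802", "Microsoft Office", 1, "High", True),
    Vuln("CVE-2018-0171", "Cisco IOS", 1, "Critical", True),
    Vuln("CVE-2015-3636", "Linux kernel", 1, "Medium", True),
    Vuln("CVE-2017-11882", "Microsoft Office", 1, "High", True),
    Vuln("CVE-2017-0145", "Windows SMBv1", 1, "High", True),
    Vuln("CVE-2017-0143", "Windows SMBv1", 1, "High", True),
]


def severity_score(v: Vuln) -> int:
    """NVD severity as a number. An unscored but exploited flaw is held at
    High so it is not deprioritised merely because NVD has not rated it yet."""
    if v.nvd_severity == "TBD":
        return SEVERITY_RANK["High"] if v.incidents > 0 else 0
    return SEVERITY_RANK.get(v.nvd_severity, 0)


def priority_key(v: Vuln) -> tuple:
    """Sort key, highest first: how often exploitation was observed, then
    severity, then whether a patch exists (a fix you can apply today beats
    one you can only mitigate)."""
    return (v.incidents, severity_score(v), v.patch_available)


def patch_order(vulns: Iterable[Vuln], deployed: Optional[Set[str]] = None) -> List[str]:
    """CVEs in the order to patch them, optionally restricted to the products
    you actually run. sorted() is stable, so ties keep the table's order."""
    pool = [v for v in vulns if deployed is None or v.product in deployed]
    return [v.cve for v in sorted(pool, key=priority_key, reverse=True)]


if __name__ == "__main__":
    for rank, cve in enumerate(patch_order(APRIL_2018), start=1):
        print(rank, cve)
```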


To stay up-to-date with the latest vulnerabilities and threat intelligence, subscribe to our newsletter.

Digital Shadows 7th Anniversary – A Look Back Wed, 16 May 2018 14:26:27 +0000 Today marks the 7th anniversary of Digital Shadows. As James and I looked back on the year, we were amazed at all that the team has accomplished within the last 12 months. We’d like to highlight a few of our accomplishments for the year and recognize our customers and our incredible team, who have helped to make this year so successful.

Digital Shadows Raises $26M To Expand and Fuel Global Expansion

On September 20, 2017, we announced $26m in a Series C funding round to expand the capabilities of SearchLight and fuel global expansion. Led by Octopus Ventures, with participation from World Innovation Lab, Industry Ventures and all of Digital Shadows’ existing investors, the funding supports company growth and our continued commitment to protecting organizations with the best and most comprehensive digital risk management solution in the industry.

SearchLight: Shadow Search Announced, 15 New Engineers

From a product standpoint, we continued to enhance our SearchLight service to give customers even more value. Two specific highlights included hiring 15 new engineers to the team as well as announcing Shadow Search,  a feature within Digital Shadows SearchLight ™ that speeds up the security operations process, quickly enabling deeper research and faster investigation. The result is better decision making that gives back valuable time to security operations teams. Organizations have direct access to the vast repository of technical, tactical and strategic threat intelligence, and raw web content, curated and collected by Digital Shadows to investigate threats and take immediate action.

Shadow Search Digital Shadows

Digital Shadows Opens New State of the Art Offices in London and Dallas and Expands into Germany and Singapore

We now have nearly 200 employees across offices in London, San Francisco, Dallas, Singapore, and Frankfurt. With our $26M Series C funding last year, we committed to expand our business into Asia and Europe to support customers on a global basis. Below is a photo from our ribbon cutting ceremony in London.

Digital Shadows Opens New Office London


Women’s Network and Other Diversity Initiatives

With the accelerated growth we’ve seen this year, we’ve also launched a few initiatives to prioritize diversity at Digital Shadows, including our new Women’s Network that we announced just last week. We want talent that is diverse across the board, with different backgrounds, experiences, and opinions to help excel the business forward with more informed decisions. We are proud that women make up over 30% of Digital Shadows and play an incredibly important role in all parts of our business.

Top Research Findings by our Intelligence Team

Our expert Intelligence Team conducted a great deal of interesting threat intelligence research this year. Just a few of the headlines and topics included:

  • Misconfigured FTP, SMB, Rsync, and S3 Buckets Exposing 1.5 Billion Files
  • The New Gold Rush: Cryptocurrencies are the New Frontier of Fraud
  • The Business of Disinformation: A Taxonomy | Fake News is more than a political battlecry
  • Inside Online Carding Courses Designed for Cybercriminals: Credit Card Fraud Gangs Cashing in on $24 billion a year
  • Equifax Breach Lessons Learned

Find all of their great threat intelligence research on our resources center.

Launch of Digital Risk Management Technology Ecosystem, Channel Rev Partner Program + New Partner Portal

Formed from 15+ technology companies, with more about to join the program, the Digital Risk Management Technology Ecosystem partners all share a vision for how security analytics and security information and event management (SIEM), product orchestration and automation, risk and compliance, intelligence and network enforcement must work together to best protect customers from today’s digital risks. We also launched our channel-only partner program – Channel REV – and an associated online Partner Portal, designed to accelerate partner revenue and enhance their customers’ loyalty.

We’ve accomplished quite a lot this year, but we’ve also made sure to have plenty of fun. Take a look below at some of our social events, conference parties, charity functions, and more. Thanks for another great year, everyone!

Shadow Talk Update – 05.14.2018 Mon, 14 May 2018 15:17:24 +0000 In this week’s episode of Shadow Talk we look at the Winnti Umbrella group, asking what this means for organizations. We discuss vulnerabilities in Microsoft Office (CVE-2018-8174) and baseStriker. And, finally, we outline the fallout surrounding the Olympus dark web marketplace.


Chinese state-associated threat actors linked under one umbrella

Individual threat groups and actors conducting politically motivated operations have been identified as working in one Chinese state-associated collective, known as the Winnti umbrella group. Identification of this group was made possible by operational security mistakes made by some of the actors and groups, which revealed overlapping command-and-control (C2) infrastructure used in operations previously seen as unrelated. One favored tactic among the attackers was the theft of code-signing certificates from software companies, which were then used in later attacks to obfuscate malicious components. The collective demonstrated varying technical capabilities but were persistent in their approach, and should be considered a highly credible threat.


Patch delay leaves Intel CPUs vulnerable to exploitation

Technology company Intel has delayed the release of security patches designed to address newly identified flaws affecting its CPUs. The delay means the vulnerabilities may be publicly disclosed before patches are made available. These “Spectre-NG” vulnerabilities relate to the previous “Spectre” and “Meltdown” vulnerabilities, and could be exploited by attackers to secure control of a compromised system. The initial patches were due to be released on 21 May 2018, with additional patches to be released in August 2018.


Cryptocurrency miners target multiple exploits

A new cryptocurrency mining campaign is using three exploits to distribute a variant of mining malware. The vulnerabilities affect Oracle WebLogic Server, Apache Struts 2 and the Server Message Block v1 server in the Microsoft Windows operating system. The third flaw is known as “ETERNALBLUE”, an exploit previously assessed to have been developed by the United States National Security Agency and publicly released by the “Shadow Brokers” threat group in April 2017. Patches are available for all the vulnerabilities.


Zero-day exploitation of CVE-2018-8174 attributed to DarkHotel group

Security company Qihoo360 reported that the espionage group DarkHotel (aka APT-C-06) has exploited a zero-day vulnerability to target China-based foreign trade entities. Microsoft released the patch for the flaw on 08 May 2018. The exploit is the first observed use of the URL Moniker programming architecture to load an Internet Explorer exploit: the flaw enables an attacker to render a webpage using the Internet Explorer engine, even if Internet Explorer is not set as the default browser on the device.


Subscribe to our weekly newsletter to get the latest podcast and other research by Digital Shadows.

Offsetting Dunbar by Developing Diversity Tue, 08 May 2018 15:36:30 +0000 Some of you may be familiar with the Dunbar Number, 150, being the maximum number of relationships one individual can maintain successfully. Having recently surpassed this number ourselves, this is the perfect opportunity to think more about how we foster culture, diversity, and learning.

As we enter into our seventh year as a company, we will be launching a few initiatives to refocus and prioritize diversity and learning at Digital Shadows. Namely, I am excited to announce that we will be launching a Women’s Network.

During our London Office Launch on April 26th, our CEO, Alastair Paterson told the story of his relative being one of the Codebreakers at Bletchley Park during World War II. At that time, over 70% of the individuals involved were women. Now, women make up just over 10% of individuals working within the Cyber Security Industry. That is not progress.

We want to change that. Currently, Digital Shadows is made up of 32% women, but this isn’t enough. A diverse workforce and safe environment is demonstrably the right thing to do, but there are also tangible business benefits to having talent that doesn’t think the same. In order for us to provide best in show intelligence, we need a difference of backgrounds and experiences to make more informed decisions and to rely less on group think. This doesn’t stop at gender, but continues with culture, age, and language as well.

The more we can nurture the exceptional differences we have, the more comfortable we will be to innovate, to challenge the way in which we understand both the cyber world and how we provide service to our clients, and also how we foster the development of the incredible individuals that make Digital Shadows so unique. One of our four values after all is, “All about People”.


To learn more about the company, visit our About Us page.

Shadow Talk Update – 05.07.2018 Mon, 07 May 2018 15:00:26 +0000 In this week’s episode of Shadow Talk, it’s a vulnerability extravaganza. We cover malicious use of legitimate software, as APT28 is attributed to hijacking LoJack and Blackrouter is delivered via AnyDesk software. Vulnerabilities are found (and exploited) in GPON home routers, and Loki Bot exploits two remote code execution vulnerabilities in Microsoft Office (CVE-2017-8570 and CVE-2018-0802).

Microsoft Office flaws exploited to deliver Loki Bot

Distributors of the Loki Bot information-stealing malware are exploiting two remote code execution (RCE) vulnerabilities in Microsoft Office: CVE-2017-8570 and CVE-2018-0802. CVE-2018-0802 is associated with another flaw (CVE-2017-11882), and only devices that have applied the patches for that vulnerability can be exploited in the new attacks. Because Loki Bot is widely available on online criminal forums, there has been no attribution for the recent activity. Proof of concept (PoC) code has been released online, which has highly likely enabled attackers to target both vulnerabilities.

Cyber incident affects Mexican inter-bank money transfers

News service Bloomberg reported that three Mexican banks were forced to use contingency plans for monetary transfers after a cyber “incident” affected connections with the Interbank Electronic Payment System (SPEI). The SPEI is a nearly real-time hybrid settlement system that enables transfers between participating banks, and is operated by Mexico’s central bank (Banco de México). At the time of writing, few details of any intrusions are publicly available. Attacks targeting specific banks and their internal systems are often conducted by threat actors with a good knowledge of banking payment infrastructure. This incident followed a failed attack on a Mexican bank’s SWIFT platform in January 2018.

GravityRAT evades detection for two years

A previously unreported RAT, dubbed GravityRAT, allegedly targeted organizations in India and has been under development for the past two years. GravityRAT has similar functionality to pre-existing RATs, including file extraction and RCE. GravityRAT evaded detection for multiple years despite its C2 infrastructure remaining static throughout its evolution. This likely indicates that there were only a few attacks against organizations, and that it was unlikely to have represented a significant threat.

Rubella Macro Builder crimeware kit used in banking malware campaigns

Malware distributors have been using a new crimeware kit, called Rubella Macro Builder, for attacks. The kit is available to rent from Russian-language criminal forums at a relatively low price, and offers a range of functions pertaining to payload execution and encryption. The attack vector relies on social engineering, in sending emails with malicious Microsoft documents attached: an unsophisticated but consistently popular distribution method. Since its emergence in February 2018, the kit has undergone modification and developments, and more improvements are highly likely in the short term.



Subscribe to our weekly newsletter to get the latest podcast and other research by Digital Shadows.

The Other Side of the Counter: DDoS, Social Engineering, Spambots and Insider Risks to Criminal Locations Wed, 02 May 2018 14:53:08 +0000 An enduring characteristic of dark web marketplaces is how frequently they’re offline, often through denial of service attacks. While marketplace administrators can stand to make big bucks, they’ve got their own threat models to be worried about:

  • law enforcement,
  • disgruntled consumers,
  • and competitors

Each of these has a vested interest in seeing the site inaccessible. Tor sites are anonymous but not necessarily robust; many are vulnerable to DDoS attacks and, more destructively, site hijackings. We have observed that cybercriminals spend as much time attacking other cybercriminals as they do innocent victims. However, we have also observed that the dark web is not a digital ‘wild west’ where anything goes. Far from it. If you publicly take another Tor site offline, you had better have had a good reason to do so.

This infighting can have a negative impact on the trust their customers place in them. Trust is a precious commodity, and there’s a delicate balance between self-preservation and self-destruction. In a move to consolidate their market position within the dark web criminal ecosystem, the promising new kids on the block, Olympus, may have achieved the opposite.


Competing interests and interesting competitions

Be it by rivals or law enforcement, the targeting of marketplaces is common. We’ve observed this for many years and it’s definitely not a new phenomenon. Social engineering is particularly common: spoofing the marketplace’s logon page to harvest the credentials of its users so that a competitor marketplace can expand its own user base. One suspicious onion domain (alphabay2qlxrxff[.]onion) is currently active that appears to be doing just that (Figure 1). Such is the ubiquity of this technique that it’s common to see the list of official mirrors posted on the login pages of marketplaces to inform unsuspecting visitors of the likely risks.


Figure 1: A suspected spoof site targeting the Dream marketplace


But social engineering is just one technique we’ve seen targeting marketplaces. In 2017, we came across the posting shown in Figure 2 on Hansa: an “Alphabay Forum Bot”, a script to spam AlphaBay users and benefit from their significant audience. (You know it’s 2017 when 0.1179 BTC was worth less than a third of what it is now.)


Fig 2: A former listing from Hansa, selling a bot to spam AlphaBay users, from 2017


The overall dark web marketplace community hasn’t quite attracted the same amount of traffic (on both the vendor and buyer side) since the takedowns of AlphaBay and Hansa in July 2017. At its zenith, AlphaBay was the 900-pound gorilla and boasted hundreds of thousands of users. Just as AlphaBay had done following Evolution market’s 2015 exit scam, their competitors sought to become the dominant market. Many marketplaces have fallen short of filling this vacuum, including Dream market, Wall Street Market and Tochka. Nonetheless, the race is clearly still on to dominate the market, and one of the most promising candidates is Olympus.



Insider threats apply to dark web markets too

After slowly developing a good reputation, the admin of Olympus last week claimed that they were in the process of hacking Dread (Figure 3). Dread is – or at least was – a reddit-style community run by a user infamous for pointing out security flaws in other dark web marketplaces.


Fig 3: The initial claim from Olympus. Screenshot from Deepdotweb


Public apologies and public relations

However, it soon transpired that this was not a “hack” in the traditional meaning. Instead, the admin of Olympus allegedly acquired access to the Dread servers from an insider. You can read a more thorough account of the saga on Deep Dot Web. What was significant about this incident was that the user community of Dread rallied behind the designer of the Dread forum, with consensus finally settling that Olympus was in the wrong and Dread was the innocent victim. In the end, the moderators of Olympus issued an apology to the Dread admins for their actions (Figure 4). Tellingly, Olympus seems to be aware of the damage it has caused to its own reputation, stating that it will hire “good PR” within the next few days. Just as with legitimate businesses, a positive public image is important to drive revenue.


Fig 4: An apology from an Olympus moderator, from 25 April 2018


Customer trust is as important for criminal businesses as it is for legitimate ones

When the two tactics of audience attraction (spam and rival forum sabotage) are viewed together an interesting picture of the current state of the cybercriminal dark web emerges.

Trust is hard to build up, but incredibly easy to lose. Just as we’ve seen with bungled breach responses, the immediate aftermath of a negative event is an important time period. Of course, it’s important not to overinflate this. As we discussed in a previous blog, The Future of Marketplaces, trust is just one factor that determines the success of new marketplaces. User experience, secure communications and content control are all drivers that shape who comes out on top.

There are other lessons that can be applied. This saga also serves as a timely reminder for organizations to consider their threat model. The nature of their customers and the data they hold make marketplaces a target for law enforcement and competitors. Organizations should also consider what data they hold, how their online activities can leave them exposed, and assess which adversaries stand to benefit from targeting this.

To stay up to date with the latest Digital Shadows threat intelligence and news, subscribe to our threat intelligence emails here.

Shadow Talk Update – 04.30.2018 Mon, 30 Apr 2018 15:02:02 +0000 In this week’s episode of Shadow Talk, we cover the targeting of healthcare organizations by Orangeworm, BGP hijacking, vulnerabilities in MikroTik routers, DDoS market shutdowns, and the profitability of cryptocurrency mining.



Orangeworm actively targets healthcare via supply chain

Security software company Symantec reported on a newly identified threat group called Orangeworm, observed targeting entities in the healthcare industry with custom backdoor malware. Multiple geographies have been affected, which is likely the result of Orangeworm attacking international organizations. Orangeworm conducted information theft and reconnaissance, but the group’s exact motives are unconfirmed at the time of writing.


Spam campaign drops multiple payloads

A new spam campaign is targeting multiple geographies with a quartet of malware that comprises the “Adwind” RAT, the backdoors “XTRAT” and “DUNIHI”, and the information stealer “Loki Bot”. All the payloads are highly configurable and enable various malicious activities, including information theft and remote-access tasks. This is the first reported instance of the malware being bundled together in a spam campaign, having previously been distributed in separate attacks.


Botnet exploits Drupal vulnerability

A botnet is actively using six exploits, including one for the remote code execution (RCE) vulnerability affecting the Drupal CMS, with the aim of performing DoS attacks and mining cryptocurrencies. CVE-2018-7600 was classified as “highly critical” when publicly announced, and security updates have been released to address the flaw. This is the first identified incident of a threat actor targeting this vulnerability. Based on the popularity of RCE exploits, additional targeting is highly likely in the immediate future (next few weeks).


Threat actor zeroes in on Internet Explorer zero-day vulnerability

Security company Qihoo360 reported the exploitation of a zero-day vulnerability affecting the Internet Explorer browser’s kernel code by an unidentified threat actor. The vulnerability was labeled a “double play” loophole, but Microsoft has yet to release more technical details or information pertaining to the exploitation. The flaw reportedly affects all current versions of Internet Explorer and applications using the kernel.

The critical code of the kernel is usually loaded into a separate area of memory, which is protected from access by application programs or other, less critical parts of the operating system.

Digital Shadows Opens New State of the Art London Office in Canary Wharf Thu, 26 Apr 2018 16:52:17 +0000 When James Chappell and I set the company up six years ago at a kitchen table in Camden, London, we suspected we had a good idea, but we didn’t quite envision just how cybercrime would proliferate and just how hard and complicated it would become for organizations to manage their digital risk. That’s where we feel we can help and why we have made such a bold bet on the future of Digital Shadows. After 6 years of incredible growth, protecting hundreds of customers across the globe, I am excited to announce that Digital Shadows has opened a new state-of-the-art London office in Canary Wharf.



We now have nearly 200 employees across the globe, and London remains the beating heart of the operation, where all of our product and engineering work occurs. Our new office in Canary Wharf marks a long-term commitment to London and means that we are now set up to expand the business significantly and serve our clients even better. As a first step, we expect to create at least 20 jobs in London over the next year.

Today we hosted nearly 100 customers, employees, investors, advisors, media, friends, and family at the new office to celebrate. James helped me kick off the event with a speech thanking all who have helped us advance Digital Shadows to this point. We then heard from guest speakers Lord Ashton, Sir George Iacobescu, Alex Macpherson, and Ben Brabyn, and then we had a ribbon-cutting ceremony.




What an event! It was a celebration of what we have accomplished so far and what is to come to help make the world a safer place. Thanks again to everyone who has helped us arrive here. We are excited for the future growth of the company and I can’t wait to see what evolves next. Cheers!

Keys to the Kingdom: Exposed Security Assessments Tue, 24 Apr 2018 15:04:27 +0000 Organizations employ external consultants and suppliers to perform assessments and penetration tests that help to bolster their overall internal security. When carrying out these projects, these contractors are often given a level of privileged access and insight into the most sensitive areas of an organization’s infrastructure. These exercises, however, don’t serve their envisioned purpose if security reports are made available online for anyone to find. Our recent research paper, “Too Much Information”, shines a light on this worrying discovery.

Imagine giving a houseguest or tradesperson a set of keys to your home. Now picture these individuals, albeit unwittingly, making copies of these keys and leaving them lying around in public for anyone to get hold of. Similarly, as consultants and pen testers back up and share their work, highly sensitive information such as vulnerability assessments and network diagrams can be left exposed and, crucially, within the reach of malicious actors.

Our analysis of files shared across network sharing services and storage solutions such as Amazon S3 and NAS drives found thousands of publicly accessible security audits (5,794), “network infrastructure” details (1,830) and penetration test reports (694).


Figure 1: Results for security assessment files and documents


Ready-made reconnaissance

Coming across this type of sensitive information would be like striking gold for an attacker or cybercriminal. Attackers spend months conducting reconnaissance to learn all about their target’s security posture, infrastructure layout, deployed technologies, and potential vulnerabilities. This exposure would save them precious time and resources. In some cases, it can even provide them with the type of exclusive information that they would never have learned through passive reconnaissance.

In one instance, we found a series of security documents belonging to a leading European supplier of electronic identification services used within the banking industry. These files included in-depth security assessments, source code testing results, and vulnerability scanning reports that revealed details on insecure servers. These reports exposed server locations and hosting IPs, missing software patches, port information, CVE numbers and vulnerability descriptions (see Figure 2 below). With this intelligence, an attacker would know what specific technologies and services to target, and could then modify data, inject malicious code, or perform man-in-the-middle attacks.


Figure 2: Redacted spreadsheet outlining critical vulnerabilities in banking software


Unintentional insiders and supply chain risk

Organizations typically struggle with security issues that lie outside their direct visibility, beyond their perimeter. This includes employees conducting work-related activities using public devices, or a contractor backing up files to their misconfigured NAS drives. Supply chains and company insiders are therefore a thorn in the side with regards to protecting company data.

It’s not just about these individuals’ work habits when they’re outside company networks; even the very process of managing access restrictions for third parties comes with a host of potential pitfalls. We can all imagine situations where we open up network services to move data around or allow a third party temporary access (for example troubleshooting, software support, reporting), but it never gets revoked. Permissions can be confusing, especially when an S3 bucket needs to be open to a select group of individuals but closed to everyone else. This is when mistakes are made.

Given the amount of data exposed in this way, the long-term solution to this problem lies in training and awareness. Organizations can play their part by educating employees, contractors and consultants about the risks of copying and archiving work files at home. Offering secure-by-default storage solutions, so that these individuals don’t feel the need to back up their devices at home, could also go a long way to preventing this level of exposure.
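The “open to a select group but closed to everyone else” mistake described above usually shows up in a bucket policy as an Allow statement whose Principal is the wildcard and which carries no condition narrowing the caller. The following is an added example, not code from the report or from AWS: a simplified static check over S3 bucket policy JSON that flags such statements, run against two constructed policies, the weak “share it with the contractor” version and the same intent restricted to one named role. The account id, bucket name and role name are made-up sample values, and the check is a heuristic (it ignores Deny statements, bucket ACLs and account-level Block Public Access), not the AWS policy evaluator.

```python
"""Flag S3 bucket policy statements that grant access to everyone.

Added example: a simplified static check over bucket policy JSON,
not an AWS policy evaluator. The sample policies below are constructed.
"""
import json

# Condition keys that, on an Allow statement, tie an otherwise anonymous
# grant to a known source (assumption: illustrative list, not exhaustive).
NARROWING_CONDITION_KEYS = {
    "aws:SourceVpce", "aws:SourceVpc", "aws:SourceIp",
    "aws:PrincipalOrgID", "aws:PrincipalAccount", "aws:PrincipalArn",
}


def _as_list(value):
    """Policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_anonymous_principal(principal):
    """True when the Principal element means 'anyone'."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def _has_narrowing_condition(statement):
    """True when any condition key in the statement restricts the caller."""
    for _operator, keys in statement.get("Condition", {}).items():
        if any(key in NARROWING_CONDITION_KEYS for key in keys):
            return True
    return False


def public_grants(policy_json):
    """Return (Sid, actions) for each Allow statement open to everyone."""
    policy = json.loads(policy_json)
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if not _is_anonymous_principal(stmt.get("Principal")):
            continue
        if _has_narrowing_condition(stmt):
            continue
        findings.append((stmt.get("Sid", "<no Sid>"), _as_list(stmt.get("Action"))))
    return findings


_RESOURCES = ["arn:aws:s3:::example-assessments",       # constructed bucket name
              "arn:aws:s3:::example-assessments/*"]

# Constructed sample: the "open it so the contractor can reach it" mistake.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "ShareWithContractor",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": _RESOURCES,
    }],
})

# Constructed sample: same intent, limited to one named role (sample account id).
FIXED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "ShareWithContractor",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:role/contractor-readonly"},
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": _RESOURCES,
    }],
})

# Constructed sample: wildcard principal, but pinned to one source range.
CONDITIONED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "ShareWithContractorOffice",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": _RESOURCES[1],
        "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}},
    }],
})

if __name__ == "__main__":
    for name, doc in (("weak", WEAK_POLICY), ("fixed", FIXED_POLICY),
                      ("conditioned", CONDITIONED_POLICY)):
        print(name, public_grants(doc))
```

Run the same function over every bucket policy exported from an account and the output is a shortlist of statements to review; the conditioned policy is deliberately not flagged, since a source-IP condition is exactly the narrowing that distinguishes “open to the contractor’s office” from “open to the internet”.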


To learn more about the level of data exposure across the world, as well as useful tips for mitigating these risks, download a copy of our report.

Want more Digital Shadows research? Subscribe to our threat intelligence emails here.


Shadow Talk Update – 04.23.2018 Mon, 23 Apr 2018 15:30:32 +0000 This week’s Shadow Talk discusses Russia’s attempts to ban the social messaging app, and also reads between the lines of the joint US and UK advisory on network infrastructure compromises by Kremlin-backed actors. We also outline new ransomware payloads incorporated into the Magnitude exploit kit, and we bring you the latest news on vulnerabilities in the Drupal platform and Cisco’s WebEx software.



Russian threat actors compromised network infrastructure

On 16 April the US-CERT and the United Kingdom NCSC published a joint technical advisory regarding the compromise of network infrastructure in multiple sectors by Russian state-backed threat actors. Since 2015 threat actors have scanned the internet to find infrastructure devices with legacy protocols or weak security, using default, stolen or brute-force cracked credentials to authenticate onto target devices. This allowed network mapping, man-in-the-middle operations and modification of firmware. Attackers may have obtained sensitive information, or secured a foothold for future operations.

The advisory release was likely to demonstrate cyber defense as well as political solidarity between the United States and United Kingdom—given political tension with Russia. The current threat activity level associated with this campaign is unknown and although security firms detected increases in scanning for some target devices, this was not independently attributed to Russian threat actors. Network infrastructure is a target for multiple threat groups, and considering the many unsecured devices and tools available to exploit them, this is likely to continue.


Drupal vulnerability exploited

PoC code for an RCE vulnerability (CVE-2018-7600) affecting the Drupal content management system was released online. Exploitation of the vulnerability was detected by security companies shortly after the PoC was published. Exploitation allows the compromise of legitimate and trusted websites, which can then be used to conduct malicious activity. Users should upgrade their Drupal systems to the most recent version.


RCE vulnerability affects Cisco WebEx

Certain Cisco WebEx products are vulnerable to a newly identified RCE vulnerability. If CVE-2018-0112 is exploited, an attacker could run arbitrary code on an affected system. Cisco has released upgrades to address the flaw; there are no reports of the vulnerability having been exploited in the wild to date.


Magnitude exploit kit switches ransomware payload

The Magnitude exploit kit was identified distributing the GandCrab ransomware, an updated payload for this exploit kit. Magnitude previously distributed “Magniber” and “Cerber” ransomware variants. There were no changes to distribution methods or target geographies. GandCrab was the delivery payload of multiple campaigns in 2018 and it appears to be relatively popular with threat actors, likely due to its nature as a ransomware-as-a-service. At the time of writing, there is no decryption tool publicly available for the version of GandCrab deployed in this campaign.

Out In The Open: Corporate Secrets Exposed Through Misconfigured Services Wed, 18 Apr 2018 14:31:10 +0000 For organizations dealing with proprietary information or assets, one of the greatest concerns is the threat of competitors getting hold of trade secrets. But what if organizations are already leaving their precious Intellectual Property (IP) publicly exposed, within easy reach of attackers?

Our latest research report, “Too Much Information”, highlights the sheer scale of this occurrence. The reality is that a lot of organizations are giving up this information freely, by unintentionally exposing IP through Amazon S3 buckets, rsync, SMB, FTP, NAS drives, and misconfigured websites.


Would you like any secret source with that?

Among the 1.5 billion files we found exposed through these services were over 95,000 examples of source code information, 900 patent applications, and 69 copyright applications.

Figure 1: Types of publicly-available intellectual property

In one instance, we detected a document containing proprietary source code that was submitted as part of a copyright application (Figure 2). The file included code that outlined the workflow and design of a site providing Electronic Medical Records, all of which was uploaded onto a publicly accessible Amazon S3 bucket.

Figure 2: Introductory page for copyright application containing source code for a company’s app

In another example, we came across an archive of patent summaries for a renewable energy technology company (Figure 3). These documents were marked as “strictly confidential” and contained a copious selection of patent applications complete with detailed labelled diagrams, patent application numbers, filing dates and patent descriptions that discussed the advantages and disadvantages of their product.

Figure 3: Redacted page from patent documents belonging to renewable energy company


Corporate espionage made easy

Of all the data organizations look to control, IP is among the most precious. Loss of IP can have a number of considerable impacts:

  • Financial loss. There are obvious economic consequences to losing your most sensitive IP. First, there are the actual costs associated with dealing with the security incident: resources will have to be assigned to investigating how the exposure occurred, improving security measures, and dealing with the PR response. Perhaps more damagingly, the release of product information ahead of schedule can seriously damage an organization’s financial performance. For technology companies, the source code your developers have spent months putting together could suddenly be released by malicious actors ahead of schedule, seriously dampening your sales prospects. For some companies, this could put their future in grave jeopardy.
  • Competitive de-positioning. Imagine a pharmaceutical company that has spent years researching a new drug; all that time and financial input would go to waste if a competitor on the other side of the world now had all the information needed to put that drug into production. Proprietary code, patent applications and copyright information would give your closest business rivals some very timely and useful competitive intelligence.
  • Reputational damage. Loss of IP might cost you customers and contracts, credit ratings, stock market value or brand reputation. No organization wants to be known as a company that can’t keep its own source code under wraps. If companies can’t be trusted to protect their most prized assets, then customers will likely assume that their overall approach to data protection, including protecting personal data, is also lacking.
  • National security risk. Certain industries such as defense, manufacturing and national infrastructure worry about being caught in the midst of great power struggles between states. Nation state or state-affiliated actors conduct espionage campaigns to steal information that can improve a country’s military, market or export trade position. The stakes for properly securing sensitive assets are therefore far higher in certain industries, and extend beyond the immediate concerns of the particular organization involved.


While organizations may worry about corporate espionage conducted through insiders, network intrusions and phishing campaigns, these findings demonstrate that there is already a large amount of sensitive data publicly available. Talk about making the competition’s job even easier.

To learn more about the other types of sensitive data that these services are exposing, download a copy of our report.


Want more Digital Shadows research? Subscribe to our threat intelligence emails here.

When There’s No Need to Hack: Exposed Personal Information Tue, 17 Apr 2018 14:57:11 +0000 With Equifax’s breach of 145 million records still fresh in everyone’s memory and the recent Facebook data privacy controversy, protecting personal data has become part of the political, economic and cultural zeitgeist. Debates over how data can be misused are now commonplace, and newsfeeds are awash with stories of “yet another breach of personal information”. There’s a reason for this: data is a valuable commodity, and there’s a lot of money to be made from trading personal information or using it for fraud. Cybercriminals are therefore continuing to launch phishing campaigns and network intrusions designed to collect personal data.

However, our latest research report, “Too Much Information”, highlights that there is a large amount of personal data already exposed that puts your employees and customers at risk. This data is unintentionally made public through misconfigured Amazon S3 buckets, rsync, SMB, FTP, NAS drives, and misconfigured websites. Let’s focus on a few examples that illustrate the extent of this exposure.

Tax Returns

Today is tax deadline day, which means there are still people scrambling to submit their tax returns. This window affords criminals opportunities to commit tax return fraud. As we talked about in a previous blog, “It’s Accrual World: Tax Return Fraud in 2018”, criminals go to great lengths to acquire this information. Spoiler alert: there’s plenty of information already out there.

Figure 1: Types of publicly-available personal information

In fact, the most common employee data found in our research was payroll and tax return files, which accounted for 700,000 and 60,000 files respectively. Looking into many of these examples, it was common for this information to be exposed through a contractor – for instance, a boutique accounting firm that backed up their client information. A redacted exposed pay stub is shown in Figure 2.

Figure 2: A redacted example of an exposed pay stub

Unhealthy Exposure

Aside from financial information, there was also a strong medical flavor to the findings. Almost 5,000 patient lists were publicly available. Most surprisingly, we found over two million .dcm files (2,205,350) exposed on an open SMB port based in Italy. These Digital Imaging and Communications in Medicine (DICOM) files enable the creation and storage of medical tests, like MRIs, that contain personal health information. That’s an awful lot of files, and it doesn’t get much more personal than that.
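When inventorying what an open share of this kind actually holds, the extension is a poor guide: a DICOM object is recognised by its 128-byte preamble followed by the bytes “DICM”, and the patient-identifying fields sit in plain data elements right after the file meta header. The following is an added example, not code from the report: a minimal reader for the DICOM Part 10 header that confirms a file is DICOM by content and extracts Patient Name (0010,0010) and Patient ID (0010,0020) so the file can be classified as health data. It supports only the Explicit VR Little Endian transfer syntax (it reports the syntax and stops for anything else), and the sample file is constructed inline in that syntax; a real meta group carries more elements than the one shown.

```python
"""Identify DICOM files by magic bytes and read the patient identifiers.

Added example, not from the report: a minimal DICOM Part 10 header reader,
enough to confirm that a file found on an exposed share is a DICOM object
and carries patient-identifying fields. Explicit VR Little Endian only.
"""
import struct

PREAMBLE_LEN = 128
MAGIC = b"DICM"
EXPLICIT_VR_LE = "1.2.840.10008.1.2.1"
# VRs whose explicit encoding uses 2 reserved bytes and a 4-byte length.
LONG_VRS = {b"OB", b"OW", b"OF", b"SQ", b"UT", b"UN"}
TAG_TRANSFER_SYNTAX = (0x0002, 0x0010)
TAG_PATIENT_NAME = (0x0010, 0x0010)
TAG_PATIENT_ID = (0x0010, 0x0020)


def is_dicom(data):
    """True when the file carries the 128-byte preamble followed by 'DICM'."""
    return len(data) >= PREAMBLE_LEN + 4 and data[PREAMBLE_LEN:PREAMBLE_LEN + 4] == MAGIC


def _read_elements(data, offset, only_group=None):
    """Walk Explicit VR LE elements; return ({tag: raw value}, end offset)."""
    elements = {}
    while offset + 8 <= len(data):
        group, elem, vr = struct.unpack_from("<HH2s", data, offset)
        if only_group is not None and group != only_group:
            break  # left the file meta group
        if vr in LONG_VRS:
            (length,) = struct.unpack_from("<I", data, offset + 8)
            offset += 12
        else:
            (length,) = struct.unpack_from("<H", data, offset + 6)
            offset += 8
        if length == 0xFFFFFFFF or offset + length > len(data):
            break  # undefined-length or truncated element: stop, don't guess
        elements[(group, elem)] = data[offset:offset + length]
        offset += length
    return elements, offset


def _text(elements, tag):
    raw = elements.get(tag)
    return None if raw is None else raw.rstrip(b" \x00").decode("ascii", "replace")


def patient_fields(data):
    """Return patient name/id and transfer syntax, or None if not DICOM."""
    if not is_dicom(data):
        return None
    # The file meta group (0002,xxxx) is always Explicit VR LE.
    meta, body_start = _read_elements(data, PREAMBLE_LEN + 4, only_group=0x0002)
    transfer_syntax = _text(meta, TAG_TRANSFER_SYNTAX)
    if transfer_syntax != EXPLICIT_VR_LE:
        return {"patient_name": None, "patient_id": None,
                "transfer_syntax": transfer_syntax}
    body, _ = _read_elements(data, body_start)
    return {"patient_name": _text(body, TAG_PATIENT_NAME),
            "patient_id": _text(body, TAG_PATIENT_ID),
            "transfer_syntax": transfer_syntax}


def _element(group, elem, vr, value):
    """Encode one Explicit VR LE element, padding the value to even length."""
    if len(value) % 2:
        value += b"\x00" if vr == b"UI" else b" "
    if vr in LONG_VRS:
        return struct.pack("<HH2sxxI", group, elem, vr, len(value)) + value
    return struct.pack("<HH2sH", group, elem, vr, len(value)) + value


# Constructed sample file: preamble, magic, transfer syntax, two patient tags.
SAMPLE_DICOM = (
    b"\x00" * PREAMBLE_LEN + MAGIC
    + _element(0x0002, 0x0010, b"UI", EXPLICIT_VR_LE.encode("ascii"))
    + _element(0x0010, 0x0010, b"PN", b"DOE^JANE")
    + _element(0x0010, 0x0020, b"LO", b"MRN-0001")
)

if __name__ == "__main__":
    print(patient_fields(SAMPLE_DICOM))
```

Used over a directory listing from your own storage, `is_dicom` gives a count of imaging objects regardless of how they were named, and `patient_fields` tells you whether they carry identifiers, which is the difference between “some large files are exposed” and “health records are exposed” when you assess the impact.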

Personally Identifiable Information versus Personal Data

Personally Identifiable Information (PII) and Personal Data are two terms that are often used interchangeably. PII is mainly used in the U.S. and is defined by NIST as:

“Any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual’s identity, such as name, social security number, date and place of birth, mother’s maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.”

Pretty comprehensive, right? Well, not as comprehensive as “personal data”, which broadens the definition to include things like device IDs, IP addresses, and cookies. Personal data is the term used in the General Data Protection Regulation (GDPR), which comes fully into force next month.

Our research found that a significant portion of the exposed data was in the European Union (537,720,919 files). With GDPR firmly on the horizon, organizations must consider how they are protecting employee and consumer information across these services. With employees and contractors often backing up and archiving data on their home networks or using cloud storage solutions, organizations need to ensure they have visibility into all the potential areas their customers’ personal data may be exposed. Out of sight may mean out of mind, but with GDPR coming into force, this could also mean organizations may soon be “out of pocket”.

Figure 3: The top countries making up the 500 million exposed files in the European Union


To learn more about the other types of sensitive data that these services are exposing, download a copy of our report. You can also find out more about the implications of GDPR in our “Path to Compliance” paper.


Want more Digital Shadows research? Subscribe to our threat intelligence emails here.

Shadow Talk Update – 04.16.2018 Mon, 16 Apr 2018 14:32:47 +0000 This week’s Shadow Talk discusses a Cisco Smart Install Client flaw exploited in a disruption attack, an information leak vulnerability discovered in Microsoft Outlook, details on OpIcarus and OpIsrael, the Verizon DBIR, and why you should still be excited about the RSA Conference.


Cisco Smart Install Client enabled mass disruption

Attackers abused the legitimate Cisco Smart Install Client protocol to target Iranian and Russian switches in a disruptive operation. Through defacements left in the start-up configuration of affected devices and statements to journalists, the perpetrators claimed to have acted in defense of the integrity of United States elections, although their identity and origin remain unknown. This activity occurred within the context of escalating political tensions between the United States and the impacted nations. The tools needed to identify and exploit the flaw are readily available, potentially allowing exploitation by attackers with even low capabilities. System administrators should disable the Smart Install Client function and limit access to port 4786/tcp to mitigate exposure.

New ATM malware variant discovered

A potentially new variant of automated teller machine (ATM) malware, “ATMJackpot”, was documented by security researchers. Its operators attempt to steal cash from ATMs by connecting to cash dispensers and other peripheral devices via a piece of middleware called eXtension for Financial Services (XFS) Manager. Because the initial infection vector for ATMJackpot is not known, a full assessment of its threat cannot be made at the time of writing. If the malware was installed via network intrusion, that would typically require technical capability and would indicate that the wider attack campaign represents a high level of threat. However, if it was installed via physical access to ATMs, fewer skills would be needed and the financial impact would likely be significantly lower. Given the lack of details, the discovery of ATMJackpot does not necessarily represent a dramatic escalation in threat.


Microsoft Outlook flaw allows theft of password hashes

A Microsoft Outlook flaw enables attackers to abuse the way the software renders email messages containing Object Linking and Embedding (OLE) objects, and gather user password hashes and other sensitive information. A patch has been released for this vulnerability (CVE-2018-0950); without it, if an OLE object is hosted on a remote server and embedded in a message, Outlook initiates a connection via Server Message Block (SMB). The result is unauthorized information disclosure, with greater consequences if the technique is combined with other exploits. Digital Shadows has not seen reports of the vulnerability’s exploitation in the wild, although it would not require a high level of capability. Implementing the patch and blocking inbound and outbound SMB connections at the network perimeter, where possible, can be effective.
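Both of the mitigations above, restricting 4786/tcp for Smart Install and blocking SMB at the perimeter, are only as good as the check that they actually hold, and the quickest check is the firewall log. The following is an added example, not code from either advisory: detection logic that parses perimeter firewall records and flags two things, an external address reaching an internal device on 4786/tcp, and an internal host opening SMB (445 or 139/tcp) to an external address, which is the connection the Outlook OLE flaw would cause a client to make. The log format is a constructed, simplified one (`<time> <ACTION> <PROTO> <src>:<port> -> <dst>:<port>`), the sample lines are constructed, and “internal” is assumed to mean the RFC 1918 ranges.

```python
"""Flag perimeter firewall records for protocols that should not cross it.

Added example (not from the advisories). Two rules, taken from the
mitigations in the text: Smart Install (4786/tcp) reachable from outside,
and SMB (445/139 tcp) leaving the network. Log format and lines are
constructed; "internal" is assumed to be the RFC 1918 ranges.
"""
import ipaddress
import re

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Assumption: internal address space is RFC 1918. Python's is_private also
# treats documentation ranges as private, so membership is tested explicitly.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Destination port -> rule name, for each direction.
INBOUND_WATCH = {4786: "smart-install-from-internet"}
OUTBOUND_WATCH = {445: "smb-to-internet", 139: "smb-to-internet"}


def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)


def parse_line(line):
    """Parse one record into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "ts": d["ts"], "action": d["action"], "proto": d["proto"],
        "src": ipaddress.ip_address(d["src"]), "sport": int(d["sport"]),
        "dst": ipaddress.ip_address(d["dst"]), "dport": int(d["dport"]),
    }


def classify(rec):
    """Return a rule name if the record matches a watched flow, else None."""
    if rec is None or rec["proto"] != "TCP":
        return None
    src_internal, dst_internal = is_internal(rec["src"]), is_internal(rec["dst"])
    # Inbound: external source reaching an internal device's Smart Install port.
    if not src_internal and dst_internal and rec["dport"] in INBOUND_WATCH:
        return INBOUND_WATCH[rec["dport"]]
    # Outbound: internal host opening SMB to an external server.
    if src_internal and not dst_internal and rec["dport"] in OUTBOUND_WATCH:
        return OUTBOUND_WATCH[rec["dport"]]
    return None


def find_alerts(lines):
    """Return (ts, rule, action, src, dst, dport) for every matching record."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        rule = classify(rec)
        if rule:
            alerts.append((rec["ts"], rule, rec["action"],
                           str(rec["src"]), str(rec["dst"]), rec["dport"]))
    return alerts


# Constructed sample log: TEST-NET addresses stand in for the internet.
SAMPLE_LOG = """\
2018-04-09T12:00:01Z ALLOW TCP 198.51.100.7:51234 -> 10.0.5.2:4786
2018-04-09T12:00:02Z ALLOW TCP 10.0.8.15:49822 -> 203.0.113.20:445
2018-04-09T12:00:03Z ALLOW TCP 10.0.8.15:49823 -> 10.0.1.4:445
2018-04-09T12:00:04Z ALLOW TCP 10.0.8.16:49901 -> 203.0.113.9:443
2018-04-09T12:00:05Z DENY TCP 198.51.100.8:40000 -> 10.0.5.2:4786
2018-04-09T12:00:06Z ALLOW UDP 10.0.8.15:5353 -> 203.0.113.21:445
""".splitlines()

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_LOG):
        print(*alert)
```

Both ALLOW and DENY hits are returned on purpose: a DENY on 4786 shows the perimeter rule is doing its job and is worth counting, while an ALLOW on either rule is a gap to close (or, for outbound SMB, a host to look at). Internal-to-internal SMB and ordinary HTTPS egress are left alone.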


Film service customers victims of payment data breach

On 09 Apr 2018, multiple media outlets reported on an allegedly targeted attack against food-service and facility-management company Sodexo’s cinema voucher program, Filmology. Sodexo stated that credit cards used on its website between 19 Mar 2018 and 03 Apr 2018 may have been compromised, and that it continues to investigate. However, a Filmology representative allegedly claimed that “the hack on the payment page was carried out over 2 months and involved many accounts”. Customers of Sodexo’s Filmology service should monitor for fraudulent charges to their credit cards and consider replacing those used during the date range stated by the company.


Compromised websites delivered NetSupport Manager RAT

On 05 Apr 2018 researchers at security company FireEye reported on a campaign delivering the commercially available “NetSupport Manager” remote-access tool (RAT). Threat actors used compromised websites to prompt visitors to download fake Flash, Chrome and Firefox updates. These were JavaScript files that ultimately fetched the RAT payload from a remote server. Digital Shadows’ research into the IP address used in the campaign demonstrated it has likely been used to distribute malware since at least November 2017. The threat actors have likely had some success, given the duration of activity. Their motive is unknown. Indicators of compromise can be found on the Digital Shadows online portal.


New activity sparked by OpIsrael and OpIcarus

Beginning on 07 Apr 2018 multiple hacktivists tweeted attack claims, as part of OpIsrael, an “Anonymous” collective-affiliated operation in support of Palestine. Attack claims typically included website defacements. However, Twitter user LorianSynaro also claimed to have obtained databases of 83 Israeli universities; a sample uploaded to code-sharing website Hastebin contained no sensitive information and was likely obtained from open sources. More OpIsrael claims are likely in the short-term future (within three months). Moreover, an operational announcement has called for a new phase of the OpIcarus hacktivist campaign in June 2018. The type of activity was not stipulated, but will highly likely include denial of service (DoS) attacks and data breach claims against financial entities. Recent iterations of OpIcarus have attracted scant threat actor involvement; thus, this new phase poses a very low risk at this time.


New botnet scanning activity targeting Brazil

Security company Trend Micro identified and reported on scanning activity targeting vulnerable internet of things devices in Brazil. The scanning originated with several compromised devices in China and mirrored the behavior of previously identified “Mirai” botnets, which used default and weak credentials to hijack devices. Mirai’s source code was publicly released in October 2016, which has enabled numerous threat actors to develop their own botnets of varying size. Targeting weak credentials is a common tactic used to create botnets; users should replace these with complex passwords.

Escalation in Cyberspace: Not as Deniable as We All Seem to Think? Thu, 12 Apr 2018 15:01:47 +0000 The recent assassination attempt on former Russian spy Sergey Skripal has led to a deluge of cyber-based conspiracy theories within the London security community. My own personal favourites are that (a) Skripal was targeted for assassination due to his alleged engagement with the UK security services over the Democratic National Congress hack in 2017, and (b) that the UK government considered a cyber-attack on Russia in response to the assassination attempt. To date, both these claims remain completely unsubstantiated. However, that so many theories around the Skripal assassination attempt link cyber operations to a conventional covert operation is, to my mind, symptomatic of how intertwined with cyber threats modern international relations have now become.


Escalation and de-escalation in international relations

International Relations (IR) is a deeply complex field of study that is increasingly integrating cyber security issues into its analysis. One concept within the field of IR that is particularly useful for understanding issues such as the ones generated by the Skripal event is that of escalation in levels of hostilities between states. Escalation occurs between states during or in the run-up to a period of conflict, and a situation can be seen either to be escalating or de-escalating depending on the situation and the wishes of the states involved.

One of the best examples of escalation is the Cuban missile crisis of 1962, when the construction of ballistic missile launch facilities (silos) on the island led the Kennedy administration to impose a military blockade and demand the withdrawal of all weapons from Cuba. Within this case an important point to note is that the processes of escalating and de-escalating involved signalling between the US and Russia. Examples of signalling within the crisis included the building of missile silos (escalation), Kennedy’s address to the US on 22 October 1962 (escalation), Soviet withdrawal of missiles (de-escalation), and US public commitment to respect Cuban sovereignty (de-escalation). These are all examples of both provocative and palliative signalling between the states.


Figure 1: Cuban Missile Crisis game tree modelling how US and Soviet actors would have considered their decisions (Source: Wikimedia Commons)


Cyber and the “space between”

Cyber operations are often, I believe incorrectly, portrayed as being desirable precisely because they do not cause escalation between states. As Eric Rosenbach, former Assistant Secretary of Defence and principal cyber advisor to the Pentagon from 2011 to 2015, commented:

“The place where I think it will be most helpful to senior policymakers is what I call “the space between.” What is the space between? … You have diplomacy, economic sanctions…and then you have military action. In between there’s this space, right? In cyber, there are a lot of things that you can do in that space between that can help us [the United States] accomplish the national interest.”

The “in between” area referred to by Rosenbach is symptomatic of the sentiment that cyber operations have a high level of plausible deniability and hence do not have the potential to escalate a conflict in the same way a physical operation does.

However, a historical review of major cyber incidents shows this theory simply not to be true. The distributed denial of service (DDoS) attacks on the Estonian economy circa 2007 are still used to frame Russia as a highly aggressive cyber actor, even though the attribution is thin. After the Sony hack of 2014, the US conducted a thinly veiled cyber-attack on the North Korean Internet. One of the legacies of the Stuxnet incident of 2010 was Iran prioritizing the development of its own cyber warfare capability, which bore its own bitter fruit in 2012 with an attack on Saudi Aramco.

What all these cases show is that far from being a consequence-free way of striking against an enemy, when attributed to a state (no matter how tenuously) cyber-attacks can lead directly to escalation. Herein lies the issue with cyber conflict: signalling between states in physical space such as the Cuban missile crisis is very clear; however, within cyberspace what is an escalating and de-escalating signal is very difficult to interpret.

Coupled with this is the issue of proportionality and what the cyber equivalent of a minor skirmish versus an all-out assault actually is. Here the potential for unplanned escalation between states rises exponentially. As a recent Chatham House paper commented: “there is a risk that any such [cyber] operation could be construed by the targeted state, or even the international community at large, as a use of force, leading to escalation of the situation”.


To conclude, what we have not seen to date is a “cross over event”, where a physical act of violence has provoked a cyber-attack that has in turn escalated to a retaliatory act of physical violence. Nevertheless, the discussions around events such as the Skripal assassination attempt have put this type of scenario on the agenda. Within this context, the idea that cyber is somehow “the space between”, where action has no consequence, is now simply incorrect.


To learn more, subscribe to our threat intelligence emails here.

Leveraging the 2018 Verizon Data Breach Investigations Report Tue, 10 Apr 2018 18:24:15 +0000 Today, the 11th edition of the Verizon Data Breach Investigations Report (DBIR) has been released. This year’s report includes 53,308 security incidents, 2,216 data breaches, 65 countries, and 67 contributors.

I participated in a panel discussion with the Verizon team on BrightTALK earlier today. Listen to the recording here.



The DBIR is one of the most anticipated annual reports and has endured for many years. If you’ll indulge me and take a trip down memory lane, here are some of the events you might remember from the year the first DBIR was written:

  • The first Twilight film was released, and the nation was divided by “Team Edward” or “Team Jacob.”
  • The Dark Knight starring Heath Ledger was released. This serves as a painful reminder of just how terrible Ben Affleck’s Batman is.
  • The stock market crashed on September 29, 2008.

Some of the key findings for me:

  • “68% of breaches took months or longer to detect.” In a world of real time this and real time that, I’d be happy to forgo the real time if I get better fidelity alerting. From both my time at Forrester and my time now as CISO, I generally view “real time intelligence” as “real time false positives” that are going to create more work for my security team. If we are looking at “months or longer” for breaches, I’d be happy to wait a few more hours or days to get better quality reporting that doesn’t DoS (denial of service) my team and reduce my overall time to detect.


  • Ransomware is the top flavor of malicious software, found in 39% of cases where malware was identified. You must have a plan for extortion attempts, and not just ransomware, but also DDoS extortion or intellectual property extortion. Your business continuity planning must take these scenarios into account. My colleague Harriet Gruen and FBI Supervisory Special Agent Sheraun Howard recently did a webinar on ransomware that you might find useful: “Emerging Ransomware Threats and How to Protect Your Data”.


  • I find the “Denial of Service: Storm preparations” section to be particularly relevant. This was a focus area of mine at Forrester and I also have to deal with this in my day job. DDoS “attacks, on average, are more like a thunderstorm than a Category 5 hurricane”. “You will find that most of the attacks are measured in minutes.” The question for CISOs is how much do I invest in a thunderstorm? Do I have enough budget to prep for a Category 5 hurricane? When it comes to budget tradeoffs these are important questions. Having intelligence on the threat actors who conduct these activities against your industry can help with this calculation.


  • JavaScript (.js), Visual Basic Script (.vbs), MS Office and PDF tend to be the file types found in first-stage malware. This isn’t breaking news, but it’s a good reminder to make sure we incorporate this into our vulnerability management triage process. We should be tracking the software, technologies and CVEs that malware is exploiting.


Source: Verizon DBIR

Since we are eleven years into the DBIR, I suspect that you are familiar with how to leverage the report, but just in case you aren’t, here are some quick suggestions:

  • The report is filled with great content, and there is a lot of it. The report is nearly 50 pages without the appendices. I found it useful to read through it once in its entirety before I started making notes. I understood the full context and then I could start breaking it down into “byte-sized” bits.


  • Yesterday was National Unicorn Day, and you may very well be a unicorn. Not everything in the DBIR will apply to your business. Make sure to take this into consideration while reading the report.


  • Go to Figure 28 “Industry Comparison” on page 26, look at your industry and the attack patterns that are most common in the DBIR data set. Do you have the appropriate security controls in place to detect and mitigate these attacks?


Source: Verizon DBIR

  • You can use the attack patterns to build intelligence requirements and to kick start your collection plan. For example, if you are in the banking industry you can build or buy collection capabilities around these areas:
    • Banking Trojans (tools, actors, exploits, configuration files)
    • Denial of service (tools, actors, target selection)


I’ve already read through the DBIR multiple times and with each subsequent reading I find something else that is useful. One final recommendation that I’ve been suggesting for many years is to create your own version of the DBIR based on your own intrusion and breach data. Nothing is more relevant than what is happening within your own organization. The DBIR has some great examples of graphics that you can incorporate into your own tailored reports, which you can then use to communicate the threat landscape to your executives.


To learn more, subscribe to our threat intelligence emails here.

Introducing Shadow Search – Quickly enable deeper research and investigation Tue, 10 Apr 2018 01:35:30 +0000 All enterprises face key challenges in their quest to protect their organization from cyber threats. One challenge I hear consistently from security professionals is the difficulty of keeping up with the volume of alerts generated by their security controls. The problem they face is that each alert needs to be analyzed and understood before a decision is made. To do that, teams are using a range of tools and information, such as open source feeds, specialist news or blogs, and threat intelligence sources, to enrich their understanding of the alert before they can make a decision. This enrichment takes time. Unfortunately, time is perhaps the scarcest commodity for security professionals: there aren’t enough of us, the number of alerts is ever increasing, and the pressure is on because the costs of poor decisions are going up.

Shadow Search, the enhanced search capability we are adding to our SearchLight service, is all about giving a bit of time back to security teams. Our customers were telling us that the insight we provided with our Digital Shadows alerts could be really useful in support of their security operations process for alerts from other sources. When we looked at this, we felt there was an opportunity to add more information sources and scope, making the massive amounts of data from the deep, dark, and open web more accessible and discoverable from the SearchLight portal and better supporting these customers as they make decisions.

So I am excited that we have just launched our new “Shadow Search” capabilities, designed specifically to provide the data that security teams need to make decisions faster. Shadow Search transforms the threat intelligence search function, delivering market leading coverage and user experience. Users now have unrestricted access to a vast and expanding Digital Shadows content repository to investigate and pivot between data sources, threat actor information and incidents.



Shadow Search includes security relevant sources as diverse as criminal forums, reputable security blogs and dark web pages, in addition to Digital Shadows cyber threat intelligence (CTI) and third-party threat intelligence feeds. Organizations can use this practical and actionable information to enhance their understanding of threats, in their business context. Examples of use cases include the ability to:

  • Investigate security incidents – pivot from observed incidents on your network to gain further context about a threat or threat actors
  • Monitor global events and industry trends – access to real-time data and finished threat intelligence allows you to track threats associated with geography, sector or area of interest and stay ahead of the unfolding developments
  • Manage third party risk – identify weaknesses in your supply chain, including if a supplier has been the subject of a breach, or vulnerabilities in your software are being commonly exploited in the wild
  • Research threat information to help prioritize resource usage – detect new activity by tracked threat actors and changes to malware campaigns to support business cases

Analysts can save their searches and return to them or subscribe to receive updates that meet their specific enterprise criteria.

Shadow Search benefits include the following:

  • Immediate access to threat data – Get instant access to raw collection when you need it.
  • Broad coverage – A vast repository of data including curated threat intelligence, content from hard-to-reach web sources (dark web) and more, including exploits and observables, all in one place opened up for search.
  • Relevant results – Smart filters and powerful search syntax allow users to focus in on the information that’s most relevant to them.
  • Actionable information – Rich results with associated observables, an intuitive interface, and full export enable users to make operational use of the results.

Collaborative development

Having only recently joined Digital Shadows, I got my hands on the capability after it had been extensively trialed by our beta customers; a huge thank you goes to those who collaborated with us on that process. I found the UI intuitive, and the timeline and summary views help put the results in context.

We’ve added features like advanced filtering by source, date range and information type and export capabilities in direct response to the feedback we have had from the beta. See the screen shot above for a view of the Shadow Search interface, but only a hands-on demo really does it justice. It will be at RSA Conference for those who are attending and if you can’t make it, we would be happy to arrange a demo for you.

Our beta clients now tell us it’s easy to investigate an incident and pivot to related research and forums or research threat actors and that the unrestricted access to the original sources and proprietary Digital Shadows cyber threat intelligence (CTI) is very welcome. Most importantly, we are now hearing that it is saving them time.

One beta test meeting with a worldwide manufacturer particularly stands out for me: “You’ve incorporated all my requirements and suggestions; this is awesome. It will save me time and help me focus on priority research and threat investigations.”

In Summary

I think Shadow Search is a truly valuable addition to our SearchLight service and will help our clients to use our wealth of knowledge to investigate threats and make decisions faster, giving back valuable time to the security operations function. Learn more about Shadow Search by downloading our datasheet or requesting a demo. It will be available to all customers in Q2.

Shadow Search for Digital Shadows SearchLight™
Stay up to date with our latest news and threat intelligence. Subscribe to our threat intelligence emails here.

Shadow Talk Update – 04.09.2018 Mon, 09 Apr 2018 20:52:07 +0000 Back from the Easter break, this week’s Shadow Talk discusses the re-emergence of WannaCry, the exposure of Aggregate IQ data, the exposure of 1.5 billion files through misconfigured services, lessons learned from the Panera breach, an emerging new criminal market, and much more.

Oil pipeline company disrupted by unidentified cyber attack

Certain parts of the electronic data interchange (EDI) communication system used by a US oil and gas pipeline company were rendered temporarily unavailable by an unspecified online attack. At the time of writing, the attackers’ tactics, techniques and procedures (TTPs) remain undetermined. The victim company, Energy Transfer Partners LP, stated that the flow of natural gas remained unaffected throughout the incident, and that no information was stolen or compromised. Oil and gas companies, including those affiliated with national infrastructure, continue to be prime targets for financially motivated and espionage-seeking threat actors.

Malaysian central bank thwarts SWIFT attack

Bank Negara Malaysia claimed to have prevented a theft of funds via the Society for Worldwide Interbank Financial Telecommunication (SWIFT) system. The attackers had tried to make fraudulent wire transfer requests through the SWIFT platform. Bank Negara Malaysia stated that no funds were stolen, and that the payment and settlement systems were not affected or disrupted. In the past six months, several financial entities in Russia and South-East Asia have been targeted by attackers attempting to steal funds via SWIFT. The continued targeting of financial institutions and their geographic concentration indicate a single threat group may be responsible. Given that these attacks target banks’ internal security systems, rather than the central SWIFT system, the perpetrators may perceive these locations as having weaker internal security standards.

Boeing production plant infected by WannaCry

The “WCry” (aka WannaCry) malware reportedly infected a small number of computers at a Boeing production plant, triggering concerns that airframe testing equipment and software may have been compromised. Boeing later stated that no disruption had been caused to its production programs. It remains unknown whether this version of WCry was the same as that used in the widespread campaign of May 2017, and therefore whether the same threat actor is responsible. Alternatively, this version may have been spoofed and exploited by different threat actors to encourage swift payment of the ransom through WCry’s notoriety.

Luxury retailers hit by credit card breach

Credit card details held by luxury retailers Saks Fifth Avenue and Lord & Taylor were breached, and a portion of the data was advertised for sale on the dark web marketplace Joker’s Stash on 28 Mar 2018. Security research company Gemini attributed the breach to the financially motivated threat actor “FIN7”; however, evidence for this attribution remains unclear. The retailers’ parent entity, Hudson’s Bay Company, did not specify how many customers were affected, but more information may be released in the near future (next three months).

Millions of Panera customers’ personal details allegedly compromised

On 02 Apr 2018 security researchers reported that a flaw on PaneraBread[.]com, the main website of United States bakery-café-restaurant chain Panera, had potentially left over seven million customer records exposed since Aug 2017. Threat actors could use the data for identity theft and fraud, although Digital Shadows’ research has uncovered no evidence that the records have been used maliciously. The flaw appears to have been fixed on 02 Apr 2018, but prior to that the information could have been downloaded by threat actors and it may remain available.

ChessMaster observed exploiting CVE-2017-11882

The espionage campaign ChessMaster has shown updated TTPs in its ongoing targeting of a variety of industries in Japan, using an exploit for CVE-2017-11882, a vulnerability in Microsoft Office’s Equation Editor. Use of this exploit has been observed several times over the past five months in campaigns by various threat actors. Enterprises using Microsoft Office 2007 to 2016 should apply the relevant security updates from Microsoft.

One CISO’s Recommendations for Making the Most of RSA Conference Sessions Mon, 09 Apr 2018 15:19:15 +0000 Last week, Enterprise Strategy Group (ESG) principal analyst, Jon Oltsik, wrote an article for CSO titled: “RSA Conference: CISOs’ top 4 cybersecurity priorities.” Jon highlighted four areas that security executives will be looking for at next week’s RSA Conference:

  1. Executive-level threat intelligence (Jon highlighted Digital Shadows in this category)
  2. Integrated security platforms
  3. Business risk
  4. Changing security perimeters

In the past, I’ve written my own RSA Conference (RSAC) preview blogs and Jon’s article reminded me that I should do it again. A few things to note before I get started:

  • This blog is going to be focused on conference talks that will resonate with most CISOs.
  • I know there will be many other activities going on next week and you have limited time; let me help you maximize the time you have allotted for talks.
  • You should absolutely take advantage of “hallwaycon” and all the networking opportunities associated with the RSAC week. This will get you the best return on your investment.
  • You could just go to the RSAC “Sessions & Events” page and search by the “Core Topic” of “C-Suite View” or “Security Strategy,” but your time is precious. So, to save you some, I spent the morning going through the RSAC agenda, so you don’t have to.
  • I focused on the following areas: (1) investment, metrics, and communication, (2) GDPR, (3) recruiting and retaining staff, (4) third party risk, (5) cloud native security, and (6) national security.


Here are my recommendations for the RSAC talks you should check out:

  • The Innovation Sandbox. This isn’t a talk, but something I highly recommend nevertheless. I’m a big fan of the Innovation Sandbox, and while I was at Forrester Research I moderated several panels at the event. I admit I could be a bit biased towards it. The Innovation Sandbox is a great way to track startups that could help you solve some of the challenges that CISOs face. It is also fun to watch the pitches, and you can also pick up techniques to improve your own presentation style/public speaking. This can be very useful, particularly as you think about it applying to your own board presentations.
  • Investment, metrics, and communication. This year, there is no shortage of CISO-focused talks. I suggest the following as the topics really resonate with me and there are also real-world examples from practitioners in the mix. These talks also align with Jon Oltsik’s business risk area from his CSO article.
    • Stop Translating, Start Defending: Common Language for Managing Cyber-Risk TECH-W04
    • Building and Selling Your Security Strategy to the Business STR-W14
    • Creating Order from Chaos: Metrics That Matter GRC-W04
    • Implementing a Quantitative Cyber-Risk Framework: A FinSrv Case Study STR-W02
    • Security Programs. ROI not CYA EXP-R14
    • Charting a Clear Course: Prioritizing Security Investments and Activities STR-T07
    • 10 Tenets of CISO Success STR-W04
    • Inside Cyber-Balance Sheets: A Rare Window on Digital Risk in the Boardroom CXO-R14
  • GDPR. Worried about GDPR? You will be. If you deal with European Union citizen data, this year’s RSAC has you covered, and it’s important since GDPR enforcement is now “next month.” I’m almost as excited for GDPR as I am for the Deadpool sequel featuring Thanos, and the new Han Solo movie (please, please save it Donald Glover). While I work on my Privacy Impact Assessments, consider these talks:
    • How to Tackle the GDPR: A Typical Privacy and Security Roadmap PRV-T10
    • The GDPR Is Only for Europe—Right? GRC-R02
    • GDPR Compliance—You Forgot Your Digital Environment GRC-R12
  • Recruiting and retaining staff. I think the “cyber security talent shortage” is a self-fulfilling prophecy. Don’t be a statistic, and don’t succumb to the hype! I think these talks can help you:
    • A NICE Way to Find and Keep Cybersecurity Workers PROF-W04
    • The Cybersecurity Job Seekers Report: Results and Implications AST1-W02
    • The Life and Times of Cybersecurity Professionals AST3-R02
  • Third party risk. I’m always looking for ways to get better at managing third party risk and if you read the headlines, nearly everyone else should be looking as well. I would’ve liked to have seen more talks on this topic. I included some Peer2Peer talks in here as well:
    • Personality Profiling Your Third Parties for Effective Supplier Management STR-T08
    • The Supply Chain Threat GRC-T10
    • Effectively Managing a Third-Party Technology Risk Program P2P4-R05
    • Third-Party Risk Assessment Tilt-A-Whirl. Stop the Ride, I Want to Get Off! P2P3-W04
  • Cloud security. Cloud security is a key component of our security program and the same is likely true for you. I really like the contrast of the following two talks. In the first, you have one of, if not the, top industry analysts who cover cloud security, Rich Mogull (of Securosis fame). In the second, you have the founder and former CEO of Tim Prendergast, who is now the Chief Cloud Officer at Palo Alto Networks. was recently acquired for a cool $300 million.
    • Building and Adopting a Cloud-Native Security Program CSV-W14
    • Is Cloud-Native Security Enough? SPO3-W14
  • National Security. I’m a self-professed national security geek and I think all CISOs need to track geopolitical and national security issues. Check out these talks:
    • Cyberwar Game: Behind Closed Doors with the National Security Council EXP-T07 (I’ll pretty much watch anything Jason Healey is involved in)
    • DARPA R&D Enabling US Cyber-Deterrence PNG-F03R (DARPA is cool, and they are doing this talk twice!)
    • Former NSA and Israeli Intelligence Directors on Resilience EXP-F01 (Despite getting 8200’d/NSA’d to death at Forrester, I still want to see this talk).

Am I missing any talks that resonate with you? Please share.

I know that many people (cue the Infosec Twitterverse) bash big security events like RSAC; my suggestion is to ignore that and make the most of the event. Next week is a great opportunity to gain knowledge that you can bring back to your team and an excellent opportunity to build your professional network.

Next week is also a great time to unwind and step away from the chaos that is being an information security professional. Digital Shadows is sponsoring the “Security Leaders” party on Tuesday night April 17th at City View @ Metreon. Come join us and have a good time with your peers and make some new friends. You can register here.


When Sharing Is Not Caring: Over 1.5 Billion Files Exposed Through Misconfigured Services Thu, 05 Apr 2018 12:23:14 +0000 Our recent report, “Too Much Information”, discovered over 1.5 billion files exposed from a host of services, including Amazon S3 buckets, rsync, SMB, FTP, NAS drives, and misconfigured websites.


We love data, and we need ways to store, share and transfer this data to other individuals and parties. There are a range of services that are used to do this, and one way that has gained popularity over the last few years is cloud storage, specifically Amazon Simple Storage Service (S3) buckets. Unfortunately, many administrators misconfigure these S3 buckets rendering the contents publicly-accessible. Barely a month goes by without another open S3 bucket being discovered – who remembers the data of 198 million voters being exposed last year?

However, S3 buckets are not alone. In our research we found that they only constituted seven percent (7%) of the exposed files we found. Many other services that are used to store, share, or transfer data are also frequently misconfigured:

  • File Transfer Protocol (A network protocol used to transfer computer files);
  • rsync (A way of transferring and synchronizing files);
  • Server Message Block (A network file sharing protocol);
  • Network-attached storage devices (Devices often used to back up home computers).

Combined, these services expose over 1.5 billion files, with SMB, rsync and FTP accounting for 33, 28, and 26 percent respectively.
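As an added illustration (not part of the Digital Shadows report), here is the shape of an S3 bucket policy that renders a bucket’s contents publicly accessible, its restricted counterpart, and a small checker that flags the statements granting anonymous access. The bucket name, account ID and role name are constructed placeholders.

```python
import json

# Constructed example of the kind of bucket policy that leaves a bucket's
# contents world-readable: an Allow for Principal "*" with no narrowing
# condition.  The bucket name is a placeholder.
PUBLIC_READ_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-backups",
                     "arn:aws:s3:::example-backups/*"],
    }],
})

# Constructed hardened counterpart: reads only for one IAM role (placeholder
# account ID and role name) plus an explicit Deny for non-TLS requests.  The
# Deny also uses Principal "*", so a checker must look at Effect first.
RESTRICTED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "BackupReaderOnly",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/backup-reader"},
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-backups/*",
        },
        {
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": ["arn:aws:s3:::example-backups",
                         "arn:aws:s3:::example-backups/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
})

# Condition keys that tie a Principal "*" statement to a known account or
# network path; a statement carrying one of these is not treated as public.
NARROWING_KEYS = {
    "aws:SourceVpc", "aws:SourceVpce", "aws:PrincipalAccount",
    "aws:PrincipalOrgID", "aws:PrincipalArn", "aws:SourceArn",
}


def _as_list(value):
    """IAM policy fields may be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal):
    """True when Principal matches any caller, authenticated or not."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def _is_narrowed(statement):
    """True when a Condition restricts who the "*" principal can be."""
    for operator_block in statement.get("Condition", {}).values():
        if any(key in NARROWING_KEYS for key in operator_block):
            return True
    return False


def find_public_statements(policy_json):
    """Return the Allow statements granting anonymous access, as {sid, actions}."""
    policy = json.loads(policy_json)
    findings = []
    for statement in _as_list(policy.get("Statement")):
        if statement.get("Effect") != "Allow":
            continue  # a Deny with Principal "*" tightens access, it does not open it
        if not _is_anonymous(statement.get("Principal")):
            continue
        if _is_narrowed(statement):
            continue
        findings.append({"sid": statement.get("Sid", ""),
                         "actions": _as_list(statement.get("Action"))})
    return findings


def is_publicly_readable(policy_json):
    """True when anonymous callers can read objects or list the bucket."""
    read_actions = {"s3:GetObject", "s3:ListBucket", "s3:Get*", "s3:List*", "s3:*"}
    return any(set(f["actions"]) & read_actions
               for f in find_public_statements(policy_json))
```

The checker only inspects the bucket policy; bucket and object ACLs and the account-level Block Public Access setting are separate controls that an audit should review as well.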


What’s the damage?

The amount of exposed data is staggering. Over twelve petabytes of data is exposed (12,000 terabytes). For context, this is over four thousand times larger than the “Panama Papers” leak (2.6 terabytes). It’s also 12 thousand times larger than the Deep Root exposure of 198 million voters in 2017. Almost all countries are affected, but the United States experienced the most exposure with 239,607,590 files.


Figure 1: Geographical distribution of exposed data


Types of Exposed Data

It’s not just the volume but the sensitivity of the data that is a major cause for concern. There were a number of instances of high severity exposure of personal information, intellectual property, and security assessments.

There is an incredible amount of personal data exposed, including payroll, tax return and healthcare information. If we consider how much is exposed (the news that the data of 87 million Facebook users may have been harvested is a good example), this adds significantly to this already rich trove of data, providing more and more information that could be used for malicious purposes such as social engineering and fraud. Furthermore, with GDPR fast-approaching, there are clear regulatory concerns for organizations surrounding the protection of personal data, particularly if employees and contractors are copying and archiving work files using cloud storage and NAS solutions.


Figure 2: Types of publicly-available personal information


Our report also highlights numerous cases of intellectual property that is also exposed through these services. In one instance, a technology company providing Electronic Medical Records software had their copyright application and full source code publicly-available. In another instance, an energy company had sensitive details and diagrams of their patent-pending technology exposed. Loss of intellectual property can also have considerable financial and reputational impacts.


Figure 3: Types of publicly-available intellectual property


Finally, there were a worrying number of security assessments made available. This includes thousands of penetration tests, network diagrams, and security audits. We found a series of security documents belonging to a leading European supplier of electronic identification services used within the banking industry. These files contained in-depth security assessments, source code testing results, and vulnerability scanning reports that revealed details on insecure servers. These infrastructure reports exposed server locations and hosting IPs, missing software patches, port information, CVE numbers, and vulnerability descriptions that may allow an attacker to modify data, inject malicious code, or perform man-in-the-middle attacks. This type of information is a goldmine for attackers targeting organizations, and an attacker will typically spend weeks, if not a couple of months, performing reconnaissance on their targets to glean this exact type of information.


Figure 4: Types of publicly-available security assessments


Download a copy of our report to learn more about the types of sensitive data these services are exposing, and how you can help to reduce this problem.


Want more Digital Shadows research? Subscribe to our threat intelligence emails here.

Genesis Botnet: The Market Claiming to Sell Bots That Bypass Fingerprinting Controls Tue, 03 Apr 2018 15:18:06 +0000 An emerging criminal market, Genesis store, provides more effective ways to impersonate a victim’s browser activity, focusing on individual bots rather than huge botnets, and monetizing them in a completely different way. Such an approach may allow criminals to utilize bots with higher efficiency, thus revealing new attack and fraud methods.


Figure 1: Adverts for the Genesis Store on a carding forum

Evolution of fingerprinting controls

Device fingerprinting collects information about a computer in order to identify an individual user. This is a pretty handy technique for retailers and banks who want to prevent fraud. Typically, anti-fraud solutions take known fraudulent activity and seek to block transactions that have a similar device fingerprint. This has become a cat-and-mouse affair, as criminals look to randomize their fingerprint with the help of various online services (many of which were covered in our report, Inside Online Carding Courses Designed for Cybercriminals). In response, anti-fraud technologies take into account a broader set of characteristics.

Criminals, therefore, look to the machines of their victims in order to evade detection. However, obtaining this array of information is challenging. That’s where Genesis comes in. Genesis Store seeks to provide a single solution to emulate this approach, providing access to victims’ device footprints, accounts, and personal information. The store – registered in November 2017 and still in beta mode – claims to be the result of research conducted across the anti-fraud technologies used by 283 major banks and payment systems.


Access to a wide range of data

In order to emulate the legitimate users, Genesis provides customers with a wide range of information such as fingerprints, cookies, logs, saved passwords, and personal information.

This information is acquired from web injects, form grabbers and passwords saved in browsers. As these sources get more detailed or updated data, that data is automatically pushed into the store and made available to users. While this means that not all information is verified, it provides a more scalable business model for the administrators.


Figure 2: A screenshot of the Genesis Store


Browser plugin

For less than fifty dollars, users can buy a bot on the Genesis site, which includes the fingerprint, accounts, and cookies (unsurprisingly, the store does not use or sell any products connected with the Russian Commonwealth). For free you also get the Genesis Application, a browser plugin.

The plug-in claims to work with any operating system on Chrome-like browsers (Chrome, Iron, Iridium and others) and provides a seamless way to access the user fingerprint. The plug-in automatically updates and offers additional information on cookies and login data, as well as holder details, security answers, and card details.


Figure 3: The Genesis Security plugin


Innovative monetization techniques

Instead of focusing on selling large quantities of bots in bulk, Genesis focuses on the individual quality of each bot. The actors behind the botnet also have a very clear idea of how to monetize this. For example, their configurations must be used with their own plugin, and will not work without doing so. This is a similar business model to buying games for a Nintendo – you need to buy their own cartridges.


What to look out for

The site makes big claims about its capabilities and it will live and die by how it matches up to these promises. As with all new marketplaces, its success will also depend on user adoption, quality of goods, site security and user experience. Nevertheless, Genesis is still in beta mode yet appears to have picked up a good amount of interest since it was registered in November 2017. There are over 1500 bots available to buy and, at the time of analysis, eight bots had been purchased in the last 20 minutes.

As the site develops and grows out of beta mode and the claimed capabilities are realised, the shift to using more individual bots could have an impact on organizations’ ability to combat fraud.

To keep up with our latest in threat intelligence, subscribe here.

RSA Conference 2018 – Digital Shadows Wed, 28 Mar 2018 05:04:16 +0000 RSA Conference is almost here! This year’s conference theme is “Now Matters,” looking at the quick impact threats can have to enterprises globally if we don’t find them today.

Today we see the perfect storm for digital risk and cyber threats. There are more exposure points, more sophisticated attacks, more things to protect, and increased regulations. Security leaders are faced with new challenges every day including:

  • Constant attacks from cyber criminals
  • Employees and third parties exposing sensitive data
  • Limited resources & security talent
  • Ineffective threat intelligence tools
  • Not knowing which digital risks to prioritize
  • Limited access to data sources and language
  • Disparate point solutions
  • Expanding attack surface

I started Digital Shadows to help organizations quickly identify when they are at risk without needing to deploy tons of threat intelligence resources to scan the open, deep, and dark web for threats to their business.

At RSA Conference 2018, our security specialists will be available to walk through how we help our clients quickly identify risks such as data loss, brand impersonation, cyber threats, credential exposure, and more. If you’re interested in a quick chat, book time with us here or visit us at Booth 5107 in the North Hall.

I’m looking forward to the awesome line up of events and activities at this year’s conference and I hope to see you at our party Tuesday night at City View @ Metreon. Cheers!


The Five Families: The Most Wanted Ransomware Groups Tue, 27 Mar 2018 15:25:30 +0000 Last week we presented a webinar on “Emerging Ransomware Threats and How to Protect Your Data”. Here we discussed the latest ransomware threats and trends, as well as strategies organizations can take to strengthen their defenses and stay compliant.

The ransomware ecosystem has evolved continuously over recent years. There are new operational models such as ransomware-as-a-service (RaaS), and cybercriminals are leveraging remote entry vectors like remote desktop protocol (RDP) and JBoss application servers. Ransomware operators are also experimenting with self-propagation techniques to increase the impact of their attacks.  

With so many different variants in circulation, it can be hard to make sense of what the most critical ransomware threats are to your organization. Although we shouldn’t discount lesser known or less-popular variants, there are five main ransomware families that are prominent currently.



Locky

Locky has been active since early 2016 and has predominantly been delivered using spam emails, although the Nuclear and RIG exploit kits have also been used. This ransomware has been consistently updated, particularly with changes to the way encrypted files are appended, leading media reports to attribute different naming conventions to Locky versions, such as Zepto (named after the .zepto extension). Locky activity increased in December 2017 with the resumption of spam activity by the Necurs botnet, which delivered up to 47 million spam emails per day over the holiday period.



Cerber

Cerber has been frequently developed and distributed since its inception in February 2016, with at least six different versions of the malware developed. Significantly, Cerber is run using a RaaS model, making it a highly automated operation both for actors using the platform and for servicing ransom payments and distributing decryptors to victims. The ransomware typically uses spam email and drive-by downloads for delivery and has been associated with the RIG and Magnitude exploit kits. Cerber encrypts victim files with a random four-letter extension. Cerber RaaS customers can alter the specific ransom demands, although average prices for unlocking files fall between $1000 and $2000.



Figure 1: Cerber decryption service homepage


DMA Locker

First detected in January 2016, DMA Locker differs from traditional ransomware variants in that it does not add a file extension to encrypted files, but instead adds an identifier to the file header. DMA Locker has been delivered through RDP as well as spam emails and the RIG exploit kit. Following a successful infection, the ransomware begins encrypting files immediately if an Internet connection is available; if not, it installs itself and waits for a connection to be established before encrypting files.



Crysis

Crysis is distributed via spam emails and compromised RDP services. Several variants of the ransomware exist to date. The first had its decryption keys publicly released, enabling decryption without payment; however, recent variants that encrypt files with .arena, .cobra and .dharma extensions do not currently have publicly available decryption keys. Crysis also has additional capabilities, such as harvesting information from the victim machine and sending it to a command and control server. This includes collecting credentials and information from instant messaging applications, webcams and browsers.



SamSam

Active since at least December 2015, SamSam has been used in targeted attacks against high-profile victims and large organizations in the United States, Europe and Asia. These include transport organizations, such as transit authorities, as well as the healthcare and education sectors. Unlike most variants that use phishing emails and exploit kits, SamSam exploits Internet-facing JBoss application servers, then harvests administrator credentials before self-propagating and infecting all the endpoints within a network. Each infected machine is held to ransom, with demands ranging from approximately $4,000 for one machine to $33,000 for all machines within a network. SamSam is believed to be operated by a group known as Gold Lowell.



Figure 2: Overview of the top five ransomware families


Although some ransomware operators have shifted to cryptocurrency mining to make their money, we’d be wrong to assume that ransomware is no longer a threat in 2018. With the above variants still in circulation, and the Colorado Department of Transportation recently experiencing a SamSam ransomware infection on 21 February 2018, it’s clear that the threat from ransomware is a long way away from subsiding.


To that end, there are several measures organizations should employ to ensure they are well-protected in 2018.  

  1. Regularly backup data and verify its integrity. Ensure that backups are remote from the main corporate network and machines they are backing up. Use cloud-based and physical backups.
  2. As SamSam has relied on vulnerable, external-facing servers, applying relevant patches and updates is recommended.
  3. A defense in depth strategy can aid mitigation. This includes segmenting networks, firewalling off SMB traffic, and restricting access to important data to only those who are required to have it.
  4. Develop and practice your ransomware playbook so that all members of the organization (operations, IT, security, legal, PR) know their role should the undesirable occur.
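The first recommendation above asks for backups whose integrity is verified, and the family descriptions earlier in the post give two very different on-disk signatures: Locky and Crysis rename encrypted files (.zepto, .arena, .cobra, .dharma) while DMA Locker alters content in place without touching the name. The following added example (not code from the original post) shows a manifest-based verifier that catches both cases; the directory layout, file contents and the `demo()` scenario are constructed for illustration.

```python
"""Backup integrity verification with a SHA-256 manifest, plus a sweep for the
encrypted-file extensions named in the post (.zepto for Locky's Zepto variant,
.arena/.cobra/.dharma for Crysis). Added example, not code from the original
post; every path and file here is constructed in a temporary directory."""
import hashlib
import json
import os
import tempfile
from pathlib import Path

# Extensions the post attributes to Locky (Zepto variant) and Crysis variants.
RANSOMWARE_EXTENSIONS = {".zepto", ".arena", ".cobra", ".dharma"}


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def relpath(root: Path, path: Path) -> str:
    """Portable relative path (forward slashes) used as the manifest key."""
    return str(path.relative_to(root)).replace(os.sep, "/")


def build_manifest(root: Path) -> dict:
    """Map every regular file under root to its SHA-256. Keep the result away
    from the backed-up host (as the post recommends for the backups themselves);
    otherwise whoever encrypts the data can rewrite the manifest as well."""
    return {relpath(root, p): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_backup(root: Path, manifest: dict) -> dict:
    """Diff the current tree against a trusted manifest.
    modified   -> same name, different content (in-place encryption, the
                  DMA Locker behaviour described in the post)
    missing    -> file in the manifest but gone (renamed or deleted)
    unexpected -> file not in the manifest (renamed encrypted copies, ransom notes)"""
    current = build_manifest(root)
    return {
        "modified": sorted(k for k in manifest
                           if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "unexpected": sorted(k for k in current if k not in manifest),
    }


def find_ransomware_extensions(root: Path) -> list:
    """Flag files carrying an extension the post associates with a ransomware family."""
    return sorted(relpath(root, p) for p in root.rglob("*")
                  if p.is_file() and p.suffix.lower() in RANSOMWARE_EXTENSIONS)


def backup_is_trustworthy(report: dict) -> bool:
    """Only restore from a backup that matches its manifest exactly."""
    return not (report["modified"] or report["missing"] or report["unexpected"])


def demo() -> dict:
    """Build a small constructed backup, record a manifest, then simulate the two
    on-disk behaviours described in the post and re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "finance").mkdir()
        (root / "finance" / "q1.xlsx").write_bytes(b"constructed spreadsheet contents")
        (root / "notes.txt").write_bytes(b"constructed meeting notes")
        manifest = build_manifest(root)  # taken while the tree is known-good
        clean_before = backup_is_trustworthy(verify_backup(root, manifest))

        # Locky-style: encrypted copy carries a new extension, original removed.
        (root / "finance" / "q1.xlsx").rename(root / "finance" / "q1.xlsx.zepto")
        # DMA Locker-style: content replaced in place, file name unchanged.
        (root / "notes.txt").write_bytes(b"\x00constructed ciphertext\x00")

        report = verify_backup(root, manifest)
        return {
            "clean_before": clean_before,
            "clean_after": backup_is_trustworthy(report),
            "verify": report,
            "suspicious": find_ransomware_extensions(root),
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The DMA Locker header identifier itself is not matched, because the post does not give its value; the hash comparison catches the in-place change regardless.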

Subscribe to our weekly newsletter to get the latest news and research by Digital Shadows.

Shadow Talk Update – 03.26.2018 Mon, 26 Mar 2018 15:05:01 +0000 This week’s Shadow Talk discusses what the Cambridge Analytica revelations mean for disinformation and personal privacy, updates to the Trickbot, Zeus Panda and Ramnit trojans, the ransomware attack on the City of Atlanta, and the attribution of the Dragonfly campaign to the Russian government.

US pins energy-sector attacks on Russia-backed threat group

The United States government has named the threat group “Dragonfly” (aka Crouching Yeti, Energetic Bear) as responsible for attacks on the US energy sector over the past two years. The attribution was published in a technical alert that also connected Dragonfly to the Russian state. The multi-stage intrusion campaign was highly likely intended to gather intelligence, including credentials and files pertaining to industrial control systems (ICS) and associated systems; there was no indication of sabotage or disruption. The threat group allegedly used trusted third-party suppliers to attack its ultimate targets. The naming of Dragonfly is in line with the United States’ pervasive attribution of attacks, but is unlikely to shame the perpetrators into refraining from further attacks. Instead, the attackers will likely adapt their tactics, techniques and procedures (TTPs).

Espionage group culls data from US entities with Asian interests

The suspected Chinese cyber espionage group “TEMP.Periscope” (aka Leviathan) has been cited as responsible for network intrusions of US entities with interests in the South China Sea region. To compromise networks and steal information, the group paired new tools with established tactics and techniques, including spearphishing emails and Microsoft Office exploits. The victims have not been named but, given the geopolitical conflict surrounding the South China Sea, the campaign was highly likely politically motivated and aimed at gathering intelligence. Some of the tools are associated with other suspected Chinese groups, which have also been linked to attacks on entities with interests in the same region. However, there was no indication the groups were actively collaborating, and identification of the groups is unconfirmed because many countries have interests in the South China Sea region. TEMP.Periscope has demonstrated high intent in its campaigns, and more attacks are highly likely.

Mining company extorted by thedarkoverlord

On 16 Mar 2018 breach reporting website DataBreaches[.]net reported that threat actor “thedarkoverlord” (TDO) claimed to have successfully compromised the systems of H-E Parts Morgan, a manufacturer of components for the mining industry. H-E Parts Morgan has not yet publicly commented on the reported breach; information disclosed to DataBreaches[.]net suggests the company refused TDO’s extortion demands. TDO has made no public announcement via social media in reference to this incident. This deviates from the standard modus operandi of the group, which tends to use Twitter to exert pressure on victims to pay an extortion fee.

Adware compromises supply chain, infects millions of Androids

The new adware family “RottenSys” successfully compromised a supply chain process and has infected almost five million Android devices since 2016. The malware masqueraded as a Wi-Fi service application on the devices, and used special permissions to download malicious components via a dropper. To display advertisements on devices, the attackers used a publicly available Android application virtualization framework. The perpetrators have highly likely accrued significant funds from their campaign; an estimated USD 115,000 has been earned since 12 Mar 2018 alone. As well as malvertising, the attackers appeared to be testing a new botnet using RottenSys’ command-and-control (C2) infrastructure. This botnet could be leased to other threat actors to bolster the attackers’ profits.

DDoS attack hits Russian Central Election Commission website

The website of the Russian Central Election Commission was reportedly hit by a distributed denial of service (DDoS) attack on 18 Mar 2018. The DDoS monitoring service DDoSMon reported the site was targeted using the Memcached amplification technique, a method recently adopted by a variety of threat actors. Attribution for the attack was unknown; no hacktivist or threat groups had claimed responsibility at the time of writing. The objective was almost certainly to cause disruption and degradation of service, as the timing coincided with the 2018 Russian presidential election.

APT-28 adopts new anti-sandbox evasion technique

Researchers at security company Palo Alto identified two attacks, on 12 and 14 Mar 2018, respectively, targeting an unnamed European government agency with an updated version of the “DealersChoice” Flash exploitation framework. The attacks were attributed to “APT-28” (aka Fancy Bear, Sofacy). Spearphishing emails referencing a security conference were sent with a Microsoft Word (.docx) document attached. A newly observed anti-sandbox evasion technique loaded a malicious Flash object only after a user had scrolled to the third page of the document. This ensured human interaction, and evolved from the previous tactic of a Flash object loading immediately upon the document’s opening. APT-28’s continued use of this new evasion technique is highly likely.

Pop-up Twitter Bots: The Shift to Opportunistic Targeting Thu, 22 Mar 2018 16:10:39 +0000 Since the furor surrounding Russia’s alleged use of Twitter bots to influence the 2016 presidential election in the United States, social media bots have been most commonly associated with carefully planned, long-term campaigns. However, we have observed a shift whereby automated bots increasingly are established to provide an opportunistic reaction to events or individuals, in very short and targeted campaigns. Advances in artificial intelligence will likely facilitate the creation of more believable throwaway bot networks with less investment needed to deliver expedient effects.

We recently worked on a fascinating Request for Information (RFI) from a client. Without disclosing too much, the organization suspected one of its employees had been targeted by Twitter bots. Following research, it appeared our client’s suspicions were correct: bots had been automatically spamming the employee’s Twitter page. Case closed and on to the next RFI.

However, as the dust settled from the task, we began thinking that this reflected a change in the way bots are used to spread disinformation. Bots and their many variants have been around for years and are used by a range of actors in many different ways, be it ISIS “ghost tweeting” its messages to give the appearance of a wider worldwide following, fake Chinese social media posts on Weibo intended to drown out messages about bad news and politically sensitive issues or celebrities using fake followers to increase their online influence. This particular case was interesting for two reasons:

  1. The focused targeting of an individual outside of a significant geopolitical event (albeit with crudely executed content)
  2. The short-term nature of the bots’ activity, initiated in response to a specific event and ended when the campaign’s ostensible goal was achieved

From the Masses to the Individual

Mass targeted disinformation is a well-known phenomenon, given press coverage of the growing number of “troll farms” springing up globally. Since a troll farm is staffed by humans, the farm’s masters can target individual users and engage them in complex and intelligent dialog that appears authentic in its spontaneity. The Holy Grail for this type of malicious actor would be a bot that could engage millions of users with the authenticity of a human troll.

In the case of nation states, campaigns may be part of long-term projects to influence other countries’ public discourse, such as the bots used to influence British politics in the 2016 EU referendum and subsequent election in 2017. This case was different. The bot campaign we were investigating appeared to have been established soon after particular actions by the targeted individual and disbanded immediately after the bots achieved their purpose. The “pop-up” nature of this bot campaign has been reflected in recent media stories: a widespread story about a Muslim woman walking past and ignoring injured victims of the March 2017 terror attack in Westminster has been attributed to a “fake news” bot campaign, and bots were observed attempting to influence the discourse about gun control laws following the February 2017 school shooting in Florida. This suggests actors are establishing bot networks to provide immediate, opportunistic reaction to events.


Where is this trend going in the future?

Technically, the key factor to watch is the development of artificial intelligence (AI), specifically regarding the Turing Test (a computer’s ability to convince a human user they are speaking to another human and not a computer). Given the textual, non-real-time medium of many social media platforms, computers have a distinct advantage in this area, and as early as 2014 some researchers claimed to have AI programs that could pass the Turing Test (Google “Eugene Goostman”).

With this level of authenticity, mass targeted disinformation campaigns become a realistic possibility for the disinformation peddler. These ideas have been expanded upon by authors such as Keir Giles (see: Handbook of Russian Information Warfare), who proposed scenarios whereby bots conduct mass targeted disinformation campaigns on the eve of a large-scale NATO troop mobilization. Such advances in AI also play into the hands of malicious actors creating bots for short-term purposes as they enable more believable bots to be set up swiftly, without spending months teaching bots what to say on a particular topic.

These ideas are not only interesting but important given the influence that social media-driven news and propaganda currently have across the globe. This applies to nation states at election times, but it is also relevant to businesses. You can read more about disinformation campaigns affecting organizations (as well as how to combat them) in a recent research paper of ours, “The Business of Disinformation.”

Subscribe to our weekly newsletter to get the latest news and research by Digital Shadows.

Cyber Security as Public Health Wed, 21 Mar 2018 16:09:19 +0000 Public health, one of the great 20th century ideas, has many instructive lessons for cyber security in the 21st. Let’s recap. Public health was defined by Charles-Edward Winslow in 1920 as:

“Public health is the Science and Art of preventing disease, prolonging life, and promoting health and efficiency through organized community effort for sanitation of the environment, the control of communicable disease, the education of the individual in personal hygiene, the organization of medical and nursing services for early diagnosis and preventive treatment of disease, and the development of the social machinery to insure everyone a standard of living adequate for maintenance of health, so organizing these benefits as to enable every citizen to realize his birthright of health and longevity”

While a lot has changed since 1920, including the use of the singular they, these statements still resonate today. The first statement mentions the interdisciplinary nature of the field. Cyber security truly is both an art and a science, which we will return to at the end of this blog. Let’s break down the key parts of Winslow’s definition:

This mission statement is comprehensive. It mentions both a preventative goal and a longevity goal: we need cyber security to not only be about preventing things but also encouraging the beneficial side effects of security for individuals, communities and marketplaces. The explicit reference to an organized community underlines the need for collective action. No matter how secure you may be as an organization or an individual, we work and play in a shared space. If that space resembles more the “Wild West” rather than an organized society, your experience will suffer irrespective of your own security posture. Winslow goes on to detail what needs to be done:


1. Sanitation of the environment

  • Security engineering, especially the definition and application of Secure Development Lifecycles, to reduce software maintenance costs and increase the reliability of software with respect to security-related bugs.
  • Community action: sharing of security-related information, timely action on takedown requests, and appropriate ingress and egress filtering to prevent malicious traffic.


2. Control of communicable disease

Hardening of systems to make the initial infection as difficult as possible (e.g., disallowing Macros, DDE-enabled documents, etc.) and in the eventual case of infection, to contain the spread as much as possible through segmenting the networks of key systems and monitoring for security events such as credential reuse.


3. Education of the individual in personal hygiene

People are often the weakest link in security: not only the individual who clicks on a phishing email, but also the system administrator who is responsible for patching and the secure configuration of systems. Training and education are essential if individuals are to use the Internet safely, both at work and at home.


4. Organization of medical services for early diagnosis and preventive treatment of disease

The public and private sectors need to work together in order for early signs of infection, e.g., destructive outbreaks like WannaCry or NotPetya, to be picked up and shared. The more collaboration there is, the better placed we all are to limit the damage incurred by such incidents. Some public-sector organizations, such as US-CERT, already provide comprehensive alerts.

Public health covers many different disciplines, just like cyber security. This stems from the important realization that no single focus area is sufficient to improve public health. The success of vaccination programs, for example, depends on a wide range of disciplines. Cyber security, similarly, requires improvements not just in technical fields, although those are sorely needed! Politics, legal issues, regulations, economics and social organization all have a part to play. While we wrestle with the details in our daily work, it’s good to keep the big picture in mind.


Subscribe to our weekly newsletter to get the latest news and research by Digital Shadows.

Shadow Talk Update – 03.19.2018 Mon, 19 Mar 2018 14:15:48 +0000 This week’s Shadow Talk features the latest techniques in tax return fraud, claimed vulnerabilities in AMD chips, Slingshot malware targeting MikroTik routers, and the Greenflash Sundown exploit kit delivering Hermes ransomware.



Slingshot espionage campaign undetected for six years

A newly detected cyber espionage campaign used a compromised router as a foothold to drop malicious information-stealing components on to victims’ devices and networks. The “Slingshot” campaign has targeted almost 100 entities to date, predominantly in the Middle East and Africa. The earliest identified samples dated from 2012, which indicates the campaign has avoided detection for six years. Attribution was unconfirmed at the time of writing; however, the attackers appear to be highly skilled and well resourced, indicating they are potentially state-sponsored.


APT-15 observed targeting UK government contractor

On 10 Mar 2018, researchers at NCC Group reported new activity attributed to APT-15. Two operations impacted an unnamed UK government service provider, with attackers harvesting information pertaining to UK military and government departments. The group used two custom backdoors, custom information-gathering tools and native Windows tools to exfiltrate sensitive information. Following the first operation, which resulted in its ejection from the target network, the group used restructured tactics, techniques and procedures to re-enter the target system. The operations indicated a relatively well-resourced threat actor with a high level of intent to obtain precise information. Although APT-15 has previously been linked to China, there are insufficient indicators to support this attribution at the time of writing.


APT-28 updates operational toolkit

On 09 Mar 2018 the cyber security company Kaspersky published a report describing evolutions in the toolkit and activity of APT-28, a threat group associated with the Russian state. The report assessed that the group now operates in distinct sub-divisions focused on targeting, development and coding. Researchers noted significant overlap of the group’s operations with other APT groups’ activity, including the Russian-state-linked Turla. The report also described updates to the group’s operational toolkit and noted that the group has been observed targeting entities in the Middle East and Asia. APT-28’s operational development and its continued targeting of entities within the political or military landscape correlate with previous activity attributed to the group. Therefore, it remains likely that reports of operational activity and attacks attributed to the group will increase in the short to medium term (one to six months).


CTS Labs discloses 13 alleged AMD processor vulnerabilities

On 14 Mar 2018, CTS Labs detailed 13 vulnerabilities which allegedly allowed an attacker to install malware on AMD processors and permitted access to protected information located in processor chips. CTS Labs claimed it had provided AMD with 24 hours’ notice before publicly disclosing the vulnerabilities. As no technical details were released with the research, Digital Shadows could not analyze the alleged vulnerabilities.


MuddyWater group targets Turkey, Pakistan and Tajikistan

On 12 Mar 2018, Trend Micro, a cyber security company, reported that government and telecommunications entities in Tajikistan, as well as undisclosed sectors in Turkey and Pakistan, were targeted by activity attributed to “MuddyWater”, an espionage group. The group used similar tactics, techniques and procedures to its previous activity: primarily phishing emails with macro-enabled documents to achieve initial compromise. While technical indicators in this attack overlapped with those seen in historical MuddyWater activity, the PowerShell backdoor payload used in the recent attack had been updated, likely in an attempt to remain undetected. At the time of writing there is little information available pertaining to harvested data or the entities affected. The Saudi Arabian NCSC published an advisory on MuddyWater, indicating the group presents a notable threat to targeted entities.


Middlebox HTTP injection redirects deliver spyware

On 09 Mar 2018 the research organization CitizenLab reported two campaigns using PacketLogic deep packet inspection middleboxes to conduct injected HTTP redirects. Internet service provider customers in Egypt were redirected to pages containing cryptocurrency miners in a likely financially motivated attack. Selected Turkish users accessing legitimate domains using HTTP were redirected to download surveillance tools FinFisher or a variant of StrongPity, indicating the attack’s objective was information gathering. The initial infection vector against telecom infrastructure is unknown. Users are encouraged to avoid accessing and downloading content from domains using HTTP, as network traffic is unencrypted and vulnerable to “man in the middle” attacks.


Compromised BitTorrent client distributed by download server

On 13 Mar 2018, Microsoft Defender published research detailing a SmokeLoader campaign delivering CoinMiner, software which can be used to mine cryptocurrency on target systems. The activity produced approximately 500,000 attempted infections within a 12-hour period. The rapid infection rate was due to a compromised executable for the BitTorrent client “MediaGet”, which was distributed via a legitimate program download server and operated as a legitimate program with a backdoor capability that delivered the SmokeLoader downloader and dropped CoinMiner. It was unclear why SmokeLoader and CoinMiner, malware variants with high detection rates by anti-virus solutions, were deployed in an operation which likely required significant planning regarding the initial infection vector.



Subscribe to our weekly newsletter to get the latest podcast and other research by Digital Shadows.

Anonymous and the New Face of Hacktivism: What to Look Out For in 2018 Tue, 13 Mar 2018 15:03:05 +0000 The Anonymous collective has been the face of activism since 2008. Since then, the group’s membership, operations, and structure have changed significantly. In this blog, we examine the changes in Anonymous and look at how the group will continue to change in the coming years.

The Anonymous collective rose to fame in 2008 and 2009. Emerging from the quagmire of 4chan’s /b/ board, an imageboard for “random” content (Figure 1), the group quickly gained followers after ‘Project Chanology’, a 2008/9 campaign against Scientology. This blended relatively new tactics, like mass distributed denial of service (DDoS) attacks that rendered the main Scientology websites offline, with old-school phreaking and traditional protests.

Figure 1: The original /b/ post starting Project Chanology

The group continued to gain momentum, targeting opponents of internet piracy and websites of financial institutions that had withdrawn banking facilities from Wikileaks under OpPayback in 2010. The combination of widespread, disruptive DDoS attacks and their ability to publicize their campaigns led to Time magazine naming Anonymous as one of the 100 most influential people in the world in 2012.

Although the collective continued its operations, including OpIsrael and OpIcarus, the popularity and media attention gained by the group peaked in November 2016 during OpIsis and OpParis, both operations targeting supporters of Islamic State.

So, what happened to make “one of the most influential people” in the world fade from consciousness so quickly?

1. Anonymous has reached critical mass

Simply put, the group has become too big to be effective. Contrary to its original advertising and statements, the formative stages of the group were strictly hierarchical. Operations were organized on central forums and Internet relay chat (IRC) channels, with details approved by a series of moderators. This level of coordination enabled the organization and impact of their early operations.

Conversely, the family-friendly tactics (the Anonymous term for an operation that uses only legal tactics, such as reporting accounts for takedown) of OpIsis acted as a membership recruitment drive, leading to a huge influx of members with little to no technical capability. With such a large number of people, focused operations have become harder to organize, as motives and skills divide. Older members talk about the dilution of the brand (Figure 2). The lack of a central organizational point means that operations and attacks are diverse, uncoordinated, and largely small scale.

Figure 2: Reddit users discuss the change in the Anonymous identity

2. Anonymous no longer encapsulates the cultural Zeitgeist

From 2010, Anonymous was synonymous with populist protest for the first half of the decade. The group’s brand – the Guy Fawkes mask from the 1984 ‘V for Vendetta’ graphic novel – was linked with the Occupy movement’s early protests in 2011, and the Million Mask March, held in 2013. Anonymous became associated with anti-establishment protests.

However, in 2018, this zeitgeist has changed. The Occupy movement has largely faded from public consciousness, and global politics has moved on. The proliferation of low level operations has changed the way the public view the collective, and without publicity the impact of their operations is greatly lessened. Furthermore, the lack of media coverage and the dilution of the brand have led to an exodus of the more technically capable members to smaller groups, leaving very little of the original collective behind.

3. Anonymous lacks a popular cause

When Anonymous began, the collective played to a relatively populist agenda. Chanology responded to growing media doubts about the nature of Scientology, and OpPayback played on the public profile of Wikileaks. OpIcarus captured the anti-financial sector feeling as the news broke about high financial sector salaries despite austerity and the European debt crisis. OpIsis and OpParis both linked in with huge waves of outrage after the attacks in Paris in November 2015.

Since then, the collective has been unable to find a cause that both unites members within the collective and captures the attention of the outside world. Smaller operations have been created – OpSyria, OpTurkey, OpDomesticTerrorism – but the main attack phase has rarely lasted beyond one month, and has not been adopted by more than two or three factions. Although the group originated as a vaguely anarchic collective, there is an inherent hero complex evident in the group’s collective language: without a cause, members are likely to move on.

Given this, what’s next for the collective, and for the threat from hacktivist groups?

1. Family-friendly and opportunistic attacks

It is highly likely that central Anonymous affiliates will continue to conduct legacy operations, such as OpIsis, OpSyria, and OpDomesticTerrorism. However, as the influence and capabilities of the group are waning, these are likely to be confined to “family-friendly” and opportunistic attacks, either reporting social media accounts, or claiming DDoS attacks against smaller companies with weak cyber security.

2. Regional groups

The dilution of the central brand has coincided with a rise in the number of regional and national groups. Factions such as AnonymousBrasil, AnonymousCatalunya, and AnonPlus are all smaller, more focused, and have closer ties with regional politics. This enables them to mount persistent and targeted campaigns. Operations such as OpOlympicHacking were able to cause real disruption because AnonymousBrasil was able to coordinate activities amongst its members, and was linked to a traditional political objective. Although it is unlikely that the capabilities of these groups will grow beyond DDoS and website defacement attacks, their operations are likely to become longer and more targeted.

Figure 3: OpOlympicHacking banner, October 2016 (source: Twitter)

3. Breakaway Groups

Older members – and more nostalgic members – of the collective have already started to break away into smaller groups reminiscent of 2009. In 2017 there were a significant number of groups claiming to be LulzSec and AntiSec reborn. However, these groups are unlikely to match the influence of their namesakes: a lack of media attention and impact means that the members drift apart relatively quickly.

Figure 4: CyberGuerrilla were the first group to break away in 2014


The capabilities of the Anonymous collective were never technical: instead, they relied on causing disruption and gathering enough media attention to amplify their perceived influence. As we head into 2018 public attention has moved on, directed at threat groups with both the capability and intent to cause both destruction and disruption. The Anonymous brand is likely to live on in smaller, regional hacktivist groups who will target companies in line with regional and national geopolitical objectives, but the days of mass projects and mass campaigns are over.

Subscribe to our weekly newsletter to get the latest news and research by Digital Shadows.

Shadow Talk Update – 03.12.2018 Mon, 12 Mar 2018 15:09:50 +0000 This week’s Shadow Talk features more distributed denial of service (DDoS) attacks using Memcached servers, how disinformation is more than just a political concern, updates on the Spectre vulnerability following the release of a new proof of concept (POC) exploit, and more reporting on the historical network intrusion against the German government.

Memcached DDoS attacks break peak volume records

Attackers using Memcached reflection, a type of DDoS attack, have twice achieved the highest recorded peak volumes since 27 February. An attack on the code-sharing website GitHub reached 1.35Tbps, and a subsequent attack on an unnamed company in the United States peaked at 1.7Tbps. The peak was helped by the availability of internet-facing Memcached servers listening on user datagram protocol (UDP) port 11211 without traffic filtering. The media attention garnered by these attacks likely prompted opportunistic extortion attempts reported in the past week. Efforts have been made to reduce the number of internet-facing Memcached servers susceptible to this attack method, but the threat is unlikely to disappear in the next month.


Disinformation campaign aimed at Persian speakers

A disinformation campaign intended to influence Persian speakers and discredit Western media outlets has been in operation for approximately seven years. The campaign implicated some legitimate media outlets, such as the BBC, by establishing fake websites impersonating them. No malware was delivered in this campaign. Despite the use of disinformation campaigns for political objectives, the wide availability of tools and relatively low costs associated with performing these operations means that disinformation is also a threat to businesses in a variety of industries. Download a copy of our research report, The Business of Disinformation: A Taxonomy, to see tools actors can turn to when waging disinformation campaigns and what it means for organizations in the next year.


Researchers publish PoC exploit for SgxPectre

Researchers at the University of Ohio, in the United States, released PoC code for a vulnerability dubbed SgxPectre, a claimed variation of the “Spectre” vulnerability. SgxPectre enables unauthorized access to sensitive data protected by Intel’s Software Guard eXtensions (SGX). The vulnerability affects runtime libraries, meaning any program using SGX is potentially vulnerable. Release of any PoC code has previously encouraged threat actors to attempt exploitation of vulnerabilities, but in this case no such attempts have yet been detected. It is not known which types of information can be accessed by exploiting this vulnerability, or how easy it is to exploit.


Historical compromise of German government now linked to Turla

Attackers infected 17 computers in the German Federal Foreign Office with an undisclosed malware variant. The malware exfiltrated data and received commands using Microsoft Outlook. The intrusion, first reported 28 February 2018, affected the Foreign Office from March 2017 to December 2017. Attribution was initially made to the threat group “APT-28” (aka Fancy Bear), but journalists later cited the threat group “Turla”. The attack was said to be part of a wider campaign affecting multiple geographies and was likely conducted by a well-resourced group.



Ransomware in 2018: 4 Things to Look Out For Thu, 08 Mar 2018 23:59:00 +0000 Ransomware remains an active threat for organizations into 2018. Last year, large scale attacks like NotPetya and WCry wreaked havoc, shutting systems and costing millions of dollars in recovery. To develop effective mitigation strategies, we need to closely analyze the ever-evolving ransomware landscape. In particular, we expect developments in four broad areas, namely: ransomware delivery mechanisms, lateral movement tools, service models, and payment mechanisms.

Ransomware Developments in 2018

 1. Delivery mechanisms

Ransomware can be delivered by multiple vectors. To limit the need for initial user interaction, threat actors are using exposed internet-facing infrastructure, like Remote Desktop Protocol (RDP), as an entry vector. This is partly due to availability, especially as RDP credentials or brute-forcing tools are easily purchasable on criminal forums. However, there are also tactical and operational reasons for this: RDP gives interactive access to the machine, meaning that threat actors can identify specific areas of valuable data or even move laterally across networks.


Figure 1: RDP brute forcing tool advertised for $4.25 on criminal marketplace

Other remote entry vectors that ransomware operators can target include Internet Information Services (IIS) or JBoss application servers.
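Because RDP credential guessing precedes this kind of entry, the defender's counterpart is to watch for it in Windows Security logs. The following is an added example, not code from this post or from Digital Shadows: it reads constructed records modelled on Windows events 4625 (failed logon) and 4624 (successful logon), keeps a sliding window of failures per source IP for the RDP logon types (type 10, RemoteInteractive; type 3, Network, which is what NLA-protected RDP failures record), and raises a second alert when a source that exceeded the threshold later logs on successfully. The CSV layout, the threshold and the window are assumptions for the demo.

```python
"""Detect RDP password guessing from Windows Security event records (constructed data)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, NamedTuple

FAILED_LOGON, SUCCESS_LOGON = 4625, 4624        # Windows Security event IDs
RDP_LOGON_TYPES = {10, 3}   # 10 = RemoteInteractive; 3 = Network (RDP failures with NLA on)


class Event(NamedTuple):
    ts: datetime
    event_id: int
    logon_type: int
    account: str
    source_ip: str


# Constructed sample: a guessing burst from one TEST-NET address that ends in a
# successful logon, one stray failure from elsewhere, and a local console logon.
SAMPLE_LOG = """\
# constructed records: timestamp,EventID,LogonType,TargetAccount,SourceIP
2018-03-08T10:00:00,4625,10,administrator,203.0.113.7
2018-03-08T10:00:04,4625,10,admin,203.0.113.7
2018-03-08T10:00:09,4625,10,backup,203.0.113.7
2018-03-08T10:00:13,4625,10,svc_sql,203.0.113.7
2018-03-08T10:00:18,4625,10,helpdesk,203.0.113.7
2018-03-08T10:00:22,4625,10,jsmith,203.0.113.7
2018-03-08T10:00:41,4624,10,backup,203.0.113.7
2018-03-08T10:02:10,4625,10,mpatel,198.51.100.20
2018-03-08T10:03:00,4624,2,mpatel,127.0.0.1
"""


def parse_events(lines: List[str]) -> List[Event]:
    """Parse the constructed CSV layout into Event records, oldest first."""
    events = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, eid, ltype, account, ip = [f.strip() for f in line.split(",")]
        events.append(Event(datetime.fromisoformat(ts), int(eid), int(ltype), account, ip))
    return sorted(events, key=lambda e: e.ts)


def detect_rdp_bruteforce(events: List[Event], threshold: int = 5,
                          window: timedelta = timedelta(minutes=2)) -> List[str]:
    """One alert per source IP reaching `threshold` RDP failures inside `window`,
    plus one if a flagged source then logs on successfully (likely guessed password)."""
    alerts: List[str] = []
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)   # failure timestamps per IP
    flagged = set()
    for ev in events:
        if ev.logon_type not in RDP_LOGON_TYPES:
            continue                                 # console/service logons are out of scope
        if ev.event_id == FAILED_LOGON:
            q = recent[ev.source_ip]
            q.append(ev.ts)
            while q and ev.ts - q[0] > window:        # drop failures that aged out of the window
                q.popleft()
            if len(q) >= threshold and ev.source_ip not in flagged:
                flagged.add(ev.source_ip)
                alerts.append(f"bruteforce {ev.source_ip}: {len(q)} failed RDP logons within {window}")
        elif ev.event_id == SUCCESS_LOGON and ev.source_ip in flagged:
            alerts.append(f"success-after-failures {ev.source_ip}: account {ev.account} logged on")
    return alerts


def run_demo() -> List[str]:
    return detect_rdp_bruteforce(parse_events(SAMPLE_LOG.splitlines()))


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

The second alert is the one worth paging on: a burst of failures followed by a success from the same source is the signature of a guessed or purchased credential rather than a noisy scanner.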

 2. Self-propagation

Self-propagation mechanisms multiply the damage a single endpoint infection can cause. Companies with locked-down external networks may have flat internal networks, producing conditions for ransomware to self-propagate. Self-propagation is becoming popular among ransomware operators because:

  • Tools like PsExec and the Windows Management Instrumentation Command-line (WMIC) can be driven from batch script files to automate lateral movement within networks
  • Vulnerability exploits are available, for example SMB exploit “EternalBlue” used during WCry
  • Malicious groups can demand larger extortion amounts with multiple infections, or produce a highly damaging attack like NotPetya

 3. Ransomware as a service (RaaS)

Ransomware as a service (RaaS) models give threat actors without skills or resources the ability to deliver ransomware. Like other as-a-service models, users can sign up to platforms that provide backend infrastructure to manage operations. While RaaS is not new, the continued emergence of new variants shows the service remains in active development, and that a market still exists for it. This service model opens the ransomware marketplace to a wider variety of threat actors, while remaining profitable for developers, who generally receive a percentage of each ransom paid.

 4. Payment mechanisms

Ransomware variants deployed in financially motivated attacks live and die by profit generation. Payment mechanisms are currently an area of weakness for ransomware developers, as they are often neither automated nor scalable. Ransomware operators tend to rely on email or Tor sites with cryptocurrency payments, which likely reduces operational effectiveness. Some variants have fully automated payment infrastructure, from infection to payment and delivery of decryption keys; however, these are relatively limited. Large, self-propagating attacks to date have had poorly implemented payment infrastructure – as seen with the WCry attack, which had only three Bitcoin wallets to receive payment due to a bug in the malware’s code.


Building your Ransomware Playbook

Establishing a ransomware playbook can help preparation for an eventual attack. The playbook can be used to define specific roles and functions should the unwanted occur, allowing organizations to establish tactics for managing a ransomware infection, as well as strategies for dealing with the aftermath. An effective ransomware playbook:

  • Requires a whole-of-business approach to planning. Ransomware affects multiple business areas and may result in large scale service disruption
  • Plans responses to extortion demands and identifies “worst case” scenarios
  • Shows an understanding of your playing field and adversaries. Threat intelligence can help to inform approaches to ransomware attacks

For more insight into the ransomware ecosystem, join our live webinar on “Emerging Ransomware Threats and How to Protect Your Data” being held on 15 March 2018. Hear from Digital Shadows’ analysts and the FBI Cyber Division’s leading ransomware investigator about the latest threats and vectors, as well as best practices for protecting you and your organization.

Pressing For Progress This International Women’s Day Thu, 08 Mar 2018 06:27:19 +0000 “Do you think you’re going to be able to handle working with all these men?”

One of the few questions over the course of my career that momentarily stunned me during the interview process, this happened over 20 years ago when I was interviewing for a more technical role in my current company at that time. I say stunned because the question had never occurred to me and this is in spite of growing up during a time when I knew I could be an astronaut (thank you Sally Ride!), but had resigned myself to the fact that “girls can’t be President”.  It sounds ridiculous now to type it, but these were the facts of my life growing up in the southern part of the US, in a very conservative, church-going family and long before the Internet was a thing.

As I ponder our upcoming International Women’s Day and think about the path my own life has taken, I am truly both in awe of how far we’ve come and simultaneously, how far we have yet to go. It has only been in the last few years that I’ve realized a lot of my behaviors have been influenced by unconscious bias, from my parents, teachers, friends, peers and colleagues so I am encouraged to see the dialogue continuing today through the various movements around the world.  

This year’s IWD theme is “Time is Now: Rural and urban activists transforming women’s lives”. I have long looked up to the many amazing and inspiring activists who tackle these challenges on a daily basis. I also think many others are hesitant to call themselves “activist” for fear of reprisal or challenge and I throw my own hat into that ring – I’ve never thought of myself as an activist, despite leading my university’s chapter of N.O.W., marching in “Take back the night” rallies and turning down opportunities for IT employment that had “females must wear dresses” requirements (yes, this really happened). What I’ve learned over the years is that it is less important about what you call yourself – just as our actions shape our destiny, so too do they describe our aspirations and capabilities. For all my male and female friends and colleagues who are nervous about taking up the title activist or feminist, I challenge you to simply “do”. Call out the derogatory jokes when you hear them, challenge your peers to leave discrimination behind them, and turn an eye to your own unconscious bias.

Lastly, in light of the recent RSA keynote conversation and ongoing challenges around having enough women in the cyber security industry, if I could turn the clock back and tell my younger self anything, it would be to build the technical capability, competency and confidence that goes along with that, but also to be open to taking leaps of faith. It took me a long time to realize I could apply for the next challenge or next role without being 110% qualified.

As for that interview question?  My response: “I hope they can handle working with me!” I’m happy to report I got the job.


Interested in reading more on Women in Security? Read my colleague’s blog post, Women in Security: Where We Are And Where We Need To Go.

It’s Accrual World: Tax Return Fraud in 2018 Wed, 07 Mar 2018 17:15:17 +0000 With just over a month until Tax Deadline Day, individuals are scrambling to get their tax returns submitted. This is a proven time of the year for cybercrime, and 2018 has been no exception. The Internal Revenue Service has already outlined new scams targeting consumers this year. Criminals have once again used tax themes as lures to spread malware, as was the case with the Rapid Ransomware campaign.

Tax Fraud in 2018

Tax fraud endures despite countermeasures and increased awareness of the threat. This is largely due to the extent of personally identifiable information (PII) available online. Social Security Numbers (SSNs) are widely advertised and can be purchased for as little as $1; Figure 1 shows a criminal site selling 4,210,341 SSNs, which also include associated names, physical addresses and dates of birth.

Figure 1: Social Security Numbers for sale on cvv[.]me


The Equifax breach in 2017 led to the theft of PII belonging to at least 145 million individuals. Recent revelations suggest that attackers may also have stolen tax identification numbers and additional driver’s license and credit card details. While it is not clear whether the breach was conducted by cybercriminals or a nation-state, this data – should it eventually find its way into the criminal market – would provide a wealth of opportunities for tax fraudsters.

Acquiring Tax Information

Tax information – such as W2, 1040 and 1099 forms, as well as company accounts – is valuable data for cybercriminals. This information can be obtained through network intrusions, phishing, and Business Email Compromise. The latter technique typically works by impersonating an employee within the organization. In this tax version of the scam, the victim is asked to transfer tax documents instead of wiring funds. With this data, criminals can then commit fraud or resell the data.

Attackers can also acquire this information through scam pages. Tax filing companies are particular targets of these phishing attempts. A recent example of this is turbotax-myintuit[.]com, an imitation of the legitimate turbotax[.]intuit[.]com. While the site is not yet hosting content, it has the potential to be used in phishing campaigns.

At this time of year, fraudsters take to forums requesting help with getting tax information for their scams; meanwhile, more technically capable actors look to profit by providing their services and expertise. In Figure 2, a criminal forum user asks for help in obtaining the relevant documents needed to submit their fraudulent tax return, while in Figure 3 a seller openly advertises their “Hacking Services”, which includes the ability to procure W2 forms.

Figure 2: User on Hack Forums looking to buy W2 and 1040 tax forms (screenshot taken on February 27, 2018)


Figure 3: Seller on Offensive Community forum advertising hacking services


Purchasing Information Online

For as little as $40-50, criminals can bypass these procedures altogether and buy these documents on criminal forums and marketplaces. These include stolen, pre-filled and forged forms (Figure 4), as well as specialist guides for conducting tax return fraud (Figure 5).

Figure 4: Forged W2 form advertised for $52 on Dream Market


Figure 5: Tax return fraud cashout guide for sale on Wall Street marketplace


Social Security Numbers are ubiquitous across dark and deep web marketplaces and criminal shops. In some instances, as seen in Figures 6 and 7, vendors will offer packages that have a range of data on individuals. This can be partial PII or “fullz”, a term that means a combination of financial and personal information. The latter is more valuable for threat actors, but partial PII can also be used to commit a range of identity frauds, including falsified tax returns.

Figure 6: W2 and SSN information for sale on Wall Street, a darkweb marketplace


Figure 7: “Full profiles” advertised on Dream Market, a dark web marketplace. The posting includes W2 forms, pay-stubs and Social Security Numbers


Of course, there are security measures that make tax fraud more difficult for criminals, such as the IP PIN that is issued to many taxpayers by the IRS. Despite the IRS being vulnerable to compromise in previous years, the system is now more resilient to exposing that information to fraudsters (there is no longer a web interface for forgotten PINs with easy-to-answer questions, for example).

Capitalizing on Dediks

Fraudsters can target users’ accounts with tax filing companies without the need for phishing or scam pages. In Figure 8, one forum user seeks partners that have control of computers with tax preparation software installed. The term “Dedik” is an abbreviation of “dedicated”, which is used to describe a computer under the remote control of a hacker. With control of users’ computers that have this software, malicious actors can capture keystrokes and ultimately gain access to the user accounts.

Figure 8: Actor on a Russian-speaking forum seeking individuals with access to computers that have tax preparation software present (screenshot taken on February 27, 2018)


Staying Safe Online

With actors looking to monetize the vast amount of PII available online during tax season, consumers, organizations and tax filing companies should be extra-vigilant about fraudulent activity. Here are some tips:

  1. Consumers should submit an Identity Theft Affidavit if they have been the victim of identity theft.
  2. The IRS provides some great resources for understanding the latest techniques used by attackers, which you can access here, or by following @irstaxpros on Twitter.
  3. Organizations should consider that BEC can be used to obtain information as well as to wire funds. Update your security awareness training content to include the BEC scenario. This should be included in new hire training, but you should also conduct ad hoc training for this scenario now.
  4. Tax filing companies should monitor for spoofed domains. dnstwist is a good, free resource to do so.
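A worked illustration of the lookalike-domain monitoring recommended above and of the turbotax-myintuit[.]com case discussed earlier, added here and not taken from the post, from Digital Shadows or from dnstwist itself: given a brand's domain, it classifies a newly observed domain as legitimate, a TLD swap, a homoglyph, a typosquat (one edit or transposition away, or hyphen-split) or a brand-keyword squat such as turbotax-myintuit[.]com, which no single-edit check would catch. The public-suffix subset, the homoglyph table and the keyword list are assumptions kept deliberately small; a production monitor would use the full Public Suffix List and dnstwist's far larger permutation set.

```python
"""Classify candidate domains against a brand domain (dnstwist-style lookalike checks)."""
from typing import Dict, List

# Assumed public-suffix subset for the demo; real code uses the full Public Suffix List.
SUFFIXES = {"com", "net", "org", "co.uk", "com.au"}

# Characters and digraphs commonly used to imitate letters; applied to BOTH sides
# before comparing, so legitimate labels that contain "rn" are not misjudged.
HOMOGLYPHS: Dict[str, str] = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def registrable(domain: str) -> str:
    """Return the registrable part ('intuit.com' for 'turbotax.intuit.com'),
    accepting defanged input such as 'turbotax[.]intuit[.]com'."""
    labels = domain.lower().replace("[.]", ".").strip(".").split(".")
    for n in (2, 1):                       # try two-level suffixes (co.uk) before one-level
        if len(labels) > n and ".".join(labels[-n:]) in SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return ".".join(labels)


def normalize(label: str) -> str:
    for glyph, real in HOMOGLYPHS.items():
        label = label.replace(glyph, real)
    return label


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: Levenshtein plus adjacent transpositions,
    so 'intiut' is distance 1 from 'intuit' rather than 2."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def classify(candidate: str, brand_domain: str, keywords: List[str]) -> str:
    cand_reg, brand_reg = registrable(candidate), registrable(brand_domain)
    if cand_reg == brand_reg:
        return "legitimate"                # same registrable domain, e.g. a real subdomain
    cand_label, brand_label = cand_reg.split(".")[0], brand_reg.split(".")[0]
    if cand_label == brand_label:
        return "tld-swap"                  # intuit.net for intuit.com
    if normalize(cand_label) == normalize(brand_label):
        return "homoglyph"                 # exarnple.com for example.com
    if osa_distance(cand_label, brand_label) <= 1 or cand_label.replace("-", "") == brand_label:
        return "typosquat"                 # inuit.com, intiut.com, in-tuit.com
    if any(k in cand_label for k in keywords):
        return "brand-keyword"             # turbotax-myintuit.com
    return "unrelated"


def triage(candidates: List[str], brand_domain: str, keywords: List[str]) -> Dict[str, str]:
    """Classify a batch of newly observed domains; anything but 'legitimate' or
    'unrelated' is worth a takedown or blocklist review."""
    return {c: classify(c, brand_domain, keywords) for c in candidates}


if __name__ == "__main__":
    # Constructed candidates, including the defanged example from the post.
    observed = ["turbotax[.]intuit[.]com", "turbotax-myintuit[.]com", "intuit.net",
                "intiut.com", "in-tuit.com", "irs-refund-portal.com"]
    for dom, verdict in triage(observed, "intuit.com", ["intuit", "turbotax"]).items():
        print(f"{dom:28} {verdict}")
```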


Shadow Talk Update – 03.05.2018 Mon, 05 Mar 2018 16:23:17 +0000 On this week’s Shadow Talk podcast, the Research Team cover CVE-2018-4878 being used in a spam campaign, the HTTPS certificate chaos between Trustico and DigiCert, more ransomware reporting on the SamSam and DataKeeper variants, and the threat of large-scale distributed denial of service (DDoS) attacks using Memcached servers.

Spam enables Flash vulnerability exploit

An Adobe Flash vulnerability tracked as CVE-2018-4878 is being exploited through a spam email campaign. Lure emails contained a shortened link that, if clicked, accessed a Web domain hosting weaponized Microsoft Word documents. If documents were opened, the attack attempted to exploit the vulnerability, enabling remote code execution. CVE-2018-4878 was previously exploited as a zero-day vulnerability in targeted espionage; the spam campaign shows its rapid uptake by other threat actors. Proof of concept exploit code was released publicly, meaning CVE-2018-4878 will likely continue to be targeted by operations using multiple entry vectors, despite a patch being available.


Thousands of website certificates revoked after private key exposure

23,000 Symantec-issued HTTPS website certificates resold by Trustico will be revoked after associated private keys were exposed via email. This may result in website service interruptions unless owners quickly replace certificates. Affected customers were notified, with both DigiCert – the entity responsible for revoking the certificates – and Trustico offering free replacement certs. Although both DigiCert and Trustico are likely to suffer some reputational damage due to conflicting reporting and their public dispute, this is unlikely to impact trust in the certification system.


Update on SamSam ransomware attack

The Colorado Department of Transportation, in the United States, took 2,000-plus staff computers offline after an attack by ransomware “SamSam”. No crucial systems were reportedly affected, and only computers running Windows operating systems were disrupted. The attack vector is not known, but SamSam usually targets vulnerable software applications or servers. The “Gold Lowell” threat group has previously used SamSam and accrued a significant profit from attacks.


New DataKeeper ransomware variant detected

The “DataKeeper” ransomware-as-a-service (RaaS) variant is distinct for its ability to conduct lateral movement. At the time of publication, there had been no transactions into the Bitcoin address associated with this RaaS, indicating that any attempted extortions using the address were ineffective. However, given its accessibility, profit share and capacity for lateral movement, this ransomware will likely be adopted by a variety of actors.


Memcached servers used for DDoS reflection attacks

There is a new DDoS reflection attack method that uses internet-facing Memcached servers. Memcached is a memory caching system that, by default, “listens” on UDP port 11211. More than 90,000 of these servers were discovered on the Internet of Things search engine Shodan as of 28 February. The code repository site GitHub was targeted by this method, with the peak attack volume recorded at 1.35 terabits per second. Blocking or filtering UDP port 11211 at the network edge, or modifying the Memcached configuration to disable UDP or listen only on localhost, is recommended.
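Checking a server for this exposure is a matter of reading two settings, as this added example shows; it is not code from the post or from Digital Shadows. It parses a Debian-style /etc/memcached.conf (one flag per line) or a memcached command line, then reports whether UDP is enabled on anything other than a loopback address. It assumes the older default the post describes, where UDP on port 11211 is on unless `-U 0` is set (memcached 1.5.6 and later ship with UDP off), and the sample configurations are constructed.

```python
"""Audit a memcached configuration for UDP reflection exposure (constructed samples)."""
from dataclasses import dataclass, field
from ipaddress import ip_address
from typing import List, Optional


@dataclass
class MemcachedConfig:
    listen: List[str] = field(default_factory=list)   # addresses from -l / --listen
    udp_port: Optional[int] = None                    # -U / --udp-port; None = flag absent


def parse_memcached_conf(text: str) -> MemcachedConfig:
    """Accepts the Debian conf layout or a flat command line such as
    'memcached -d -m 64 -l 127.0.0.1 -U 0'. Only the two exposure-relevant flags are kept."""
    cfg = MemcachedConfig()
    tokens: List[str] = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments and blank lines
        if line:
            tokens.extend(line.split())
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        i += 1
        if not tok.startswith("-"):
            continue                                  # binary name or Debian-only directive
        value = None
        if tok.startswith("--") and "=" in tok:
            tok, value = tok.split("=", 1)
        elif i < len(tokens) and not tokens[i].startswith("-"):
            value = tokens[i]                         # flag followed by its argument
            i += 1
        if tok in ("-l", "--listen") and value:
            cfg.listen.extend(a.strip() for a in value.split(",") if a.strip())
        elif tok in ("-U", "--udp-port") and value is not None:
            cfg.udp_port = int(value)
    return cfg


def _host(addr: str) -> str:
    """Strip an optional port: '127.0.0.1:11211' -> '127.0.0.1', '[::1]:11211' -> '::1'."""
    if addr.startswith("["):
        return addr[1:addr.index("]")]
    if addr.count(":") == 1:
        return addr.split(":")[0]
    return addr


def udp_exposed(cfg: MemcachedConfig) -> bool:
    """True when UDP is on and at least one listener is not a loopback address.
    Assumption: no -U means UDP enabled (pre-1.5.6 default), no -l means all interfaces."""
    if cfg.udp_port == 0:
        return False
    if not cfg.listen:
        return True
    for addr in cfg.listen:
        try:
            if not ip_address(_host(addr)).is_loopback:
                return True                           # 0.0.0.0, ::, or a public address
        except ValueError:
            return True                               # hostname: cannot prove it is loopback
    return False


def audit(text: str) -> List[str]:
    """Human-readable findings for one configuration."""
    cfg = parse_memcached_conf(text)
    findings = []
    if cfg.udp_port is None:
        findings.append("UDP port not set: assumed enabled on 11211 (add -U 0 if unused)")
    if udp_exposed(cfg):
        findings.append(f"UDP reachable on non-loopback listeners {cfg.listen or ['all interfaces']}")
    return findings


# Constructed samples: a default-style install and a hardened one.
WEAK_CONF = """
# constructed: Debian-style file with no listen restriction and no -U
-d
-m 64
-p 11211
-u memcache
"""
HARDENED_CONF = """
-d
-m 64
-p 11211
-u memcache
-l 127.0.0.1
-U 0
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(conf) or ["no findings"])
```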



The New Frontier: Forecasting Cryptocurrency Fraud Thu, 01 Mar 2018 16:34:51 +0000 Not a week goes by without a new case of cryptocurrency fraud making headlines. The most recent example concerned the BitGrail exchange, which suffered an attack that resulted in the loss of 17 million Nano Tokens ($170 million). Although BitGrail responded by announcing new security measures – highlighting the need for better security practices by both companies and individuals handling cryptocurrencies – this incident has also been marred by a disagreement between Nano Token and BitGrail over liability. This has sharpened calls for strict regulation of cryptocurrencies and their methods of exchange.

Regulation could have a significant impact on the cryptocurrency space, but we need to remember that even with long-established regulatory and law enforcement measures, traditional currencies are still targeted by fraudsters, so we shouldn’t expect cryptocurrencies to be any different.

What we can be sure of is that cybercriminals will continue to find new ways of making money as long as there are enough suitable targets available and the financial reward justifies their time and effort. To better model the future of cryptocurrency fraud, it helps to outline the main drivers and assumptions behind this phenomenon, which we have achieved by using the Cone of Plausibility analytical technique (see Figure 1 below). Our recent paper, The New Gold Rush: Cryptocurrencies are the New Frontier of Fraud, provides an analysis of these drivers. These include:

    1. Accessibility – Advances in technology and the wide availability of tools facilitate this type of fraud. Products such as Crypto Jacker lower the barrier to entry, as explored in our previous blog.

    2. Anonymity – Cryptocurrencies and blockchain technology offer a level of anonymity that, while beneficial in many respects, also emboldens fraudsters. Currencies like Monero have better privacy features relative to their older cryptocurrency counterparts, which has in part made them increasingly popular on criminal markets and in money laundering operations. The funds accrued during the June 2017 WannaCry attack, for example, were converted from Bitcoin to Monero, likely because this move would make it easier to anonymously convert into fiat currency.

    3. Popularity and hype – The boom in cryptocurrency investment and development in recent years is one of the strongest drivers for this type of fraud. Criminals will always follow the money, looking to take advantage of whatever is most popular and most lucrative. In the mid-nineteenth century, the promise of gold inspired hundreds of thousands of people to make the journey to California in the hope of striking it rich. The cryptocurrency boom can be seen as a new Gold Rush, with countless individuals rushing to get a piece of the action, heartened by the astronomical rise of Bitcoin, which reached $19,343 in mid-December 2017.

    4. Reputation – Once seen as an esoteric countercultural development favoured by libertarians or criminals, the integration of cryptocurrencies into existing payment systems has given them greater legitimacy. Although not widespread, the roll-out of cryptocurrency-backed prepaid cards and plans for private European banks to provide cryptocurrency services increase the reputation of cryptocurrencies – in turn making them a more attractive prospect to investors. If their reputation increases, they will become more popular, increasing the number of targets for fraudsters.

    5. Opportunity – The sheer number of new altcoins, exchanges and coin offerings means that fraudsters have a wealth of potential targets. With over 1,442 cryptocurrencies in circulation, and new alternative coins – “altcoins” – emerging every week, the opportunities for cybercriminals to defraud cryptocurrency enthusiasts only increase. Our previous blog focused on the ways criminals were exploiting the interest in Initial Coin Offerings (ICOs) – a way of crowdfunding cryptocurrencies and platforms – through exit scams, spoof ICOs and price manipulation.

    6. Regulation – The success of price manipulation and scam ICOs is aided by a lack of regulation and oversight. In a regulated market such fraud would be illegal, and the threat of law enforcement action would probably deter many, although not all, criminals. Moreover, exchanges and ICO projects would be under more pressure to improve their security practices, as they would face serious consequences for facilitating a breach. The BitGrail case, discussed above, is a clear example where a lack of clarity over who bears responsibility for the attack has so far prevented customers from reclaiming the value of their tokens.

    Despite more concerted efforts of late by U.S. authorities – the Securities and Exchange Commission recently filed charges against PlexCorps, which was accused of defrauding investors through a scam ICO – the future of cryptocurrency regulation is uncertain, and regulation should not be seen as a panacea for fraud. Criminals will continue to take risks regardless of the potential legal ramifications of being caught. In addition, regulatory implementation will likely be uneven, with some countries such as China and South Korea choosing to ban ICOs completely. While stricter regulation could have a beneficial effect in reducing fraud, it may also deter would-be investors and drive down the value of cryptocurrencies.

    7. Security – As long as organizations and individuals fail to improve their security measures, opportunities for fraud will continue to exist. Weak password practices enable account takeovers, misconfigured cloud services facilitate cryptojacking, and failure to patch and update effectively means attackers can continue to exploit known vulnerabilities to deliver cryptomining malware.



    Figure 1: Cone of Plausibility used to forecast future of cryptocurrencies

     One of the greatest benefits of this forecasting approach is that it allows us to clearly outline the drivers behind the rise in cryptocurrency fraud, which in turn allows us to home in on the factors that we as organizations and individuals can influence. While some changes will be harder and more time-consuming to implement, there are several measures that organizations, consumers and exchanges can take immediately to mitigate cryptocurrency fraud risks. These include:


    • Requiring authentication on cloud services like AWS, so that fraudsters cannot hijack your processing power to mine
    • Replacing factory-default credentials with unique and strong passwords to prevent Internet of Things devices from being incorporated into botnets
    • Enforcing strong password security rules across your organizations – this includes enabling multi-factor authentication (MFA)
    • Patching known vulnerabilities being used to deliver crypto miners. Vulnerabilities in Apache Struts (CVE-2017-5638) and DotNetNuke (CVE-2017-9822) servers have been used to download Monero miners. These miners have also been delivered by exploiting patched vulnerabilities in the popular Apache CouchDB open source database (CVE-2017-12635 and CVE-2017-12636)
    • Having a reputable adblocker in place: the NoCoin browser extension was also developed to block coin miners like Coinhive
    • Checking phishing databases and more specialist cryptocurrency fraud sites such as the Ethereum Scam Database before using any sites that you are unfamiliar with


    Despite their volatility, high valuations, looming regulation measures and the projected adoption of cryptocurrency in both online and physical transactions, cryptocurrency fraud will not go away any time soon. However, greater education about cryptocurrencies and the risks associated with them for consumers and organizations can go a long way to fighting this trend. Digital Shadows will continue to watch this evolving space, providing research and advice that can help users navigate the Wild West that is the cryptocurrency world.

    To learn about other tactics, including account takeover and crypto jacking, download a copy of our research paper, The New Gold Rush: Cryptocurrencies are the New Frontier of Fraud.

    Protecting Your Brand: Return on Investment Tue, 27 Feb 2018 16:29:23 +0000 Last week I was joined by Brett Millar, Director of Global Brand Protection for Fitbit, for a webinar on “Protecting Brands from Digital Risks and the Dark Web”. It was great to hear how Brett works with different business functions to address different risks to the Fitbit brand. Most of all, I loved hearing about the different ways in which Brand Managers can demonstrate a return on investment (ROI).


    Brand Protection

    For organizations looking to safeguard their brands online, there are many online sources where brand abuse occurs. Within the webinar I spoke about the threats to brands that exist on the dark web – specifically account takeover and counterfeit goods. Dark web marketplaces, such as Dream Market shown below, have whole sections dedicated to the sale of counterfeit goods. Of course, there is a lot more to brand protection than dark web activity. Organizations need to be monitoring a wide range of sources to adequately protect their brands online. (Check out a blog from our CMO, Dan Lowden, on some specific instances of brand exposure that we’ve seen involving spoof domains, fake mobile applications, and fake social media profiles.)


    Figure 1: A dedicated counterfeit category on the Dream Market, with over 2,800 goods for sale


    Affecting the Bottom Line

    ROI (Return on Investment) is a common term in security, but effectively demonstrating it is difficult. One reason for this is that ROI is a calculation usually expressed numerically or as a percentage. The impact of your security investment, however, does not always lend itself to quantifiable metrics. It is always trickier to show how events that have not happened, like cyber attacks that have been averted, impact a company’s net earnings or bottom line.

    The concept of ROI is just as critical for brand protection; Brand Managers need to be able to show they are impacting the bottom line. The good news is that the result of your brand protection strategy is measurable, and there are three main ways to do just that.

    1. Direct revenue return. This is the most clear-cut way of demonstrating ROI. Investigations launched by an organization’s fraud team in counterfeit sites can lead to proceeds flowing back into the company. This typically occurs through settlements, judgement amounts, and restitution amounts. This approach is pretty easy to quantify.
    2. Loss prevention. This is a different side of the same coin as direct revenue return. Stopping an activity that was costing the company $X million per year prevents this loss from reoccurring.
    3. Indirect revenue. If an increase in revenue for a particular product coincides with an increased effort to remove counterfeits of that product on gray and black markets, it can be inferred that there may have been some sort of causation. This is harder to quantify but it can, nonetheless, be valuable.

    These can be supplemented with other metrics, such as tracking the number of:

    • Cease and Desist letters sent
    • Audits performed
    • Sites taken down
    • Custom site seizures

    With so many areas of security to focus on, demonstrating a return on investment is a constant challenge. However, the intersection of brand management and security offers a real opportunity to demonstrate the economic value of protecting your brand online.

    Watch the webinar on “Protecting Brands from Digital Risks and the Dark Web” to find out more about other types of brand exposure and ways organizations can manage this risk.

    Shadow Talk Update – 02.26.2018 Mon, 26 Feb 2018 15:51:21 +0000 In this week’s podcast, the Digital Shadows Research Team discuss attacks against banks using the SWIFT network, business email compromise (BEC) threats, the state of ransomware, as well as new activity by thedarkoverlord and APT-37.



    Two new thefts using SWIFT network confirmed

    Over the past week, an unidentified Russian bank and India’s City Union Bank confirmed that recent fraudulent SWIFT banking transfer requests had been submitted, attempting to steal $8 million. Specifics of malware deployment, and the perpetrators’ tactics, techniques and procedures (TTPs), are among the many unknown details. Previous SWIFT attacks have been attributed to “Lazarus Group”, although several financially motivated actors have likely made similar theft attempts. Targeting this transfer system remains profitable, and further theft attempts are likely.


    Business email compromise campaign targets Fortune 500 companies

    Fortune 500 companies, ranked among the highest-revenue companies in the United States, have been subject to an ongoing BEC campaign. Targets operated in the retail, healthcare, financial and professional services sectors. Campaign operators have allegedly stolen “millions of dollars” using spearphishing and advanced social engineering techniques; no malware was involved.


    Extortion actor thedarkoverlord publicizes new targets

    The threat actor thedarkoverlord has returned after a three-month hiatus. Recent Twitter activity suggests targeting of a US public school union, a US law firm, and unspecified Hollywood companies. Thedarkoverlord has previously conducted a number of extortion campaigns, largely against the United States healthcare sector. Digital Shadows cannot establish the veracity of these new claims, but it is likely that thedarkoverlord is attempting to gain new publicity by threatening high-profile targets.


    Ransomware remains a threat to organizations in all industries

    The “Saturn” ransomware-as-a-service (RaaS) variant has been active in February. Saturn RaaS does not require a sign-up fee; instead, its developers take 30% of the extortion fees generated from each successful infection. In other ransomware news, the Colorado Department of Transportation (CDOT) was affected by a SamSam ransomware infection on 21 February 2018. This infection reportedly caused disruption to 2,000 computers owned by CDOT; however, CDOT stated it will not pay the ransom and is restoring from system backups.


    North Korea-linked espionage group APT-37 continues to evolve

    Cyber security company FireEye reported the continued activity and evolution of “APT-37” (aka Reaper), an allegedly North Korea-linked threat group motivated by information theft and espionage. FireEye’s research also linked APT-37 activity to that reported for other threat actors, including “Group 123” and “ScarCruft”, although exact details were unclear. APT-37 has mainly targeted the technology and healthcare sectors in South Korea, but has also targeted Japan, Vietnam and the Middle East. APT-37 will likely continue its information-gathering campaigns for the short- to mid-term future (one to six months), and more information about the group may arise during that time.

    Subscribe to our weekly newsletter to get the latest podcast and other research by Digital Shadows.

    Threats to the Upcoming Italian Elections Thu, 22 Feb 2018 17:08:26 +0000 On 5 March Italian citizens will go to the polls to vote in a general election, following the dissolution of the Italian Parliament by President Sergio Mattarella on 28 December 2017. Italy has been led by a caretaker government under the leadership of Democratic Party (PD) foreign minister Paolo Gentiloni since the resignation of former Prime Minister Matteo Renzi. Renzi stepped down following the loss of a referendum on constitutional reforms in December 2016.

    This March will see the use of a new electoral system, one designed to favor coalitions by requiring the governing party to gain over 40% of the vote, thus making it harder for a single party to win a majority in Italy’s notoriously divided parliament. No party has yet polled above 40%, with a centre-right alliance formed by Silvio Berlusconi currently polling at approximately 35%.

    Under the growing cloud cast by reports of network intrusions against political parties during the 2016 United States presidential election, as well as claims of a Kremlin-backed influence campaign in favour of the Front National in the French elections, political events are coming under more and more scrutiny for nefarious activity. In this blog we will assess the confirmed examples of cyber attacks that we have observed, and look back at activity seen during previous elections to forecast the type of activity we can expect. This includes hacktivism, network intrusions, data leaks and disinformation.


    1. Hacktivism

    Hacktivist actors are most often motivated by public attention, either for themselves or for the issues they claim to represent. Hacktivist attacks generally take the form of denial of service (DoS) attempts, website defacements, and the curation of open source data to appear like a data leak. The Anonymous collective has had an ongoing #OpItaly campaign since January 2017, when Italian law enforcement arrested two individuals charged with cyber espionage against politicians, public institutions, and commercial entities. The group’s activities have not yet targeted political parties, but it may use the publicity surrounding the elections as a platform to gain public attention.

    Further factions of the collective, such as the Italian hacktivist group AnonPlus, have specifically targeted the elections, releasing personally identifiable information of regional PD members and defacing PD websites. However, their impact so far has been limited, and is unlikely to have any lasting effect on the elections themselves: the ‘leaked’ data was already available in open sources, and their website defacements did not cause any persistent disruption.

    More sophisticated threat actors have targeted the Rousseau platform used by the far-right party Movimento5Stelle (M5S). #Hack5Stelle is a campaign focused on leaking names, passwords, and datasets associated with the platform, driven by both financial and political motives.


    Figure 1: Twitter account offering allegedly hacked Movimento5Stelle database for sale


    Figure 2: Landing page for the Rousseau platform


    2. Network Intrusions

    Actors may seek to target political parties or government organizations in order to exfiltrate sensitive data for use in political campaigns. Given alleged Russian involvement in the network intrusions against the Democratic party in the US, and the signing of a collaboration agreement between far-right party Lega Nord and Vladimir Putin’s United Russia party, it is plausible that a similar threat may be present during the Italian elections. Fraught current relations between Russia, NATO, and the EU, combined with Lega Nord’s anti-EU platform, mean that the Italian elections are likely to present a target for Russian espionage campaigns. Furthermore, large financial institutions may be targeted given the focus on the economy and currency in this year’s election.

    Social engineering and spear phishing remain the most successful attack vectors for network intrusions, and this is unlikely to change for the Italian elections.


    3. Data leaks

    While a number of activist groups have leaked open source databases of local political parties, a more sophisticated threat actor could release sensitive or confidential information in order to bias political opinion. Such information can be obtained in a number of ways and be used by a variety of threat actors, including both ideologically motivated individuals and nation state groups. Phishing and social engineering attempts, network intrusions, and document theft from insiders are all ways in which threat actors may seek to obtain such data. We detected no data leak campaigns relating to the Italian elections at the time of writing.


    4. Disinformation

    False media reporting, also known as the fake news phenomenon, is being increasingly used by threat actors to sway or alter public political opinion. Such activity uses a wide variety of platforms, including legitimate or spoofed social media accounts on Facebook and Twitter, and interweaves both legitimate and exaggerated or false reporting. During the French elections, we observed a claim of plagiarism, after a spoofed website of the legitimate Belgian newspaper LeSoir published articles alleging that Saudi Arabia was financing Emmanuel Macron’s campaign. We outlined the easy availability of such tools in our previous report, The Business of Disinformation.

    Although no legitimate newspapers have claimed plagiarism during the Italian elections, a number of Twitter accounts related to Wikileaks Italy (@Wikileaks_Ita – to which the main Wikileaks account has denied any official association), have been tweeting news relating to the current Eni bribery investigations. The account uses a combination of real news reports and rumours to allege former Prime Minister Renzi’s involvement with criminal activities. Although Renzi is not standing in this election, such an allegation has a reputational impact for the PD, Renzi’s party.


    Figure 3: Twitter account impersonating WikiLeaks used to spread articles on corruption investigations


    Furthermore, fake accounts on Twitter and Facebook used in the referendum campaign in 2016 have been reanimated in support of Matteo Salvini, leader of the Lega Nord. A number of automated accounts have been linked to the party’s official Twitter feed, @LegaSalvini. Although these bots have not been used to publicize fake news, they have been used to bias or promote political opinions by artificially inflating the support and publicity accorded to Salvini.



    Figure 4: Examples of Twitter bots all used to publish the same posts in support of Matteo Salvini


    So what?

    Despite ongoing concern surrounding elections, it is unlikely that outside threat actors will seek to interfere in an already chaotic process. Unlike elections in France and Germany in 2017, the Italian electoral process is much more obscure, and the proliferation of smaller parties makes it difficult to definitively outline where an influence campaign could add value. Similarly, it is difficult to understand which party any external threat actor would seek to influence, as none are likely to gain a clear lead, and all have made varying conflicting and public statements about the parties with whom they would be willing to cooperate.

    The most likely threat comes from internal hacktivist campaigns: in addition to the defacements already seen, groups may seek to conduct DDoS attacks against election infrastructure or deface official websites, hindering the voting process.

    While the scenarios above remain unclear, organizations can help protect themselves against many of the techniques and threats described above. Mitigation measures include:

    • Providing adequate training for staff regarding the threat from spear phishing and social engineering attacks. This will mitigate against the most likely, but not the only, attack vectors for network intrusion and public data leaks.
    • Properly securing public facing applications and tracking activist campaigns.
    • Enforcing strong password security practices to reduce the likelihood of account takeovers.
    • Remaining skeptical about reported statistics and stories.

    Subscribe to our weekly newsletter to get the threat intelligence and research by Digital Shadows.

    Prioritize to Avoid Security Nihilism Tue, 20 Feb 2018 15:41:56 +0000 In many situations associated with cyber security, in particular defending an organization, it is easy to get overwhelmed with not only the sheer number of issues but also the complexity of the interconnections between them. Technical issues are inextricably linked with social, cultural and political issues. Confronted with this sea of obstacles, it’s easy to succumb to security nihilism: “nothing is ever good enough”, “offense always wins” or “security is a losing battle”. As a defender, it is crushing to see how even an average Red Team can rip apart your defences, another successful engagement for Team Red as your passwords tumble helplessly out of the Domain Controller!

    It’s a truism, if not a platitude, that “perfect is the enemy of good”, but I believe that this phrase takes on a new meaning in the world of cyber security. The answer to security nihilism is the art and science of prioritization. Since defenders cannot protect everything to an equal standard, trade-offs have to be made. Difficult decisions must be taken. But where to start? I would argue that the best place to start is with the reality of protecting your organization. By which I mean, a pragmatic focus on:

    1. The critical assets that your organization has
    2. The credible threats to those assets

    Threat modelling exercises are useful heuristics for roughly figuring out the critical assets and the credible threats. An organization that handles payment card data will have a different set of assets and threats from one that handles sensitive government data, or from one that regularly stores Protected Health Information (PHI). An organization’s security posture should be appropriate for the types of threats that it realistically faces.

    In order for these threat modeling exercises, which are often table-top exercises, to have meaning, they must be grounded in reality. Not all threats that organizations face wield NSA-grade 0days. Not all organizations are routinely attacked by APT groups. But understanding how attackers you are facing actually operate is essential. As The Grugq is fond of saying, “increase attacker costs!”. As defenders, we need to understand what tasks are costly for attackers and how to make those tasks even more expensive.

    Let’s see how standard TTPs (tactics, techniques, and procedures) used by a wide-variety of different threat actors can be made more expensive. We’ll start with a phishing campaign:



    Outside in, network-based attacks are also widely-used:



    Most organizations have key employees who are high-value targets for attackers and most organizations have externally facing systems, in particular Web applications. These assets are a good place to start. By understanding how attackers operate, we can establish some priorities about which actions as defenders we should take based upon the assets that we have and our knowledge of how attackers operate. As our capability matures, our assets can become more specific and nuanced and our understanding of attacker tradecraft similarly develops. Robust fundamentals, however, never go out of style!


    To get the latest threat intelligence news and research, subscribe to our email list here.

    Shadow Talk Update – 02.19.2018 Mon, 19 Feb 2018 21:42:21 +0000 In this week’s Shadow Talk podcast, the Digital Shadows Research Team analyses new activity from the Lazarus Group, attacks on the Winter Games opening ceremony, the theft of $170 million from the Bitgrail cryptocurrency exchange, and two Outlook vulnerabilities.


    Lazarus Group continues to pursue theft and espionage 

    New Lazarus Group activity reported this week shows that the threat group remains highly active and motivated by financial and information theft, as well as espionage. The group was attributed with the financially motivated HaoBao campaign, targeting Bitcoin users, and the development of two trojan variants, “HardRain” and “BadCall”. The targeting of cryptocurrency marks a relatively recent evolution in Lazarus Group’s tactics, techniques and procedures (TTPs). The trojan malware indicates the group’s sustained interest in espionage tools. Digital Shadows expects the group to continue to target cryptocurrency trading platforms within the next one to six months.


    Winter Olympics ‘targeted with Olympic Destroyer’ malware 

    Cyber security researchers have identified a sample of what they assess to be the malware used during the opening ceremony of the 2018 Olympic Winter Games. The malware attack suspended Wi-Fi in the stadium and press center. Despite having limited effects, the malware appears technically complex with varied techniques, including hardcoded credentials within its source code to allow lateral movement between systems. Competing and conflicting reports have linked the campaign to North Korea, China and/or Russia, but there has been insufficient evidence to definitively implicate any threat actor.


    BitGrail reports USD 170 million cryptocurrency loss

    The BitGrail cryptocurrency exchange suffered an attack in which 17 million Nano Tokens (USD 170 million) were allegedly lost. Prior to the disclosure of the attack, BitGrail suspended all withdrawals and deposits of several cryptocurrencies and announced new security measures. Subsequently, a series of heated disagreements have sprung up between the creators of Nano Token and the BitGrail exchange, with neither accepting responsibility for the loss, and both accusing the other of suspicious behavior. Such disagreements will likely prevent customers from reclaiming the value of their tokens. The fallout from the attack will likely strengthen the call to regulate cryptocurrencies and their methods of exchange.


    RCE vulnerability affects MS Outlook

    Microsoft (MS) has released descriptions of two vulnerabilities affecting its Outlook software. One is CVE-2018-0852, a memory corruption vulnerability allowing arbitrary remote code execution (RCE) if users open a crafted malicious file. The second is CVE-2018-0850, a privilege escalation vulnerability. Although neither has been detected being exploited in the wild, both affect multiple versions of MS Outlook; given its ubiquity, it is likely that criminals will seek to exploit them.

    Listen to the full podcast here:

    Subscribe to our weekly newsletter to get the latest podcast and other research by Digital Shadows.

    Infraud Forum Indictment and Arrests: What it Means Thu, 15 Feb 2018 17:44:48 +0000 On 07 February 2018, the U.S. Department of Justice unveiled an indictment from 31 October 2017 against 36 individuals associated with the Infraud Forum, a cybercriminal forum specializing in payment card fraud. This was the result of an operation known as “Shadow Web” and was claimed to be “one of the largest cyberfraud enterprise prosecutions ever undertaken by the Department of Justice.” The members of the forum are alleged to have caused over $500 million in actual losses.

    In the context of last year’s seizure of AlphaBay and Hansa dark web marketplaces, what does this mean for the evolution of the criminal ecosystem, and what is the potential impact on organizations?

    Figure 1: A screenshot of infraud[.]wf, one of the latest editions of the Infraud Forum. Screenshot taken on 7 February 2018.


    Humble beginnings

    The Infraud forum has been through many incarnations, and there are several domains still carrying the Infraud name. The term “infraud”, however, first appeared on a WordPress blog known as the “infraud underground carders blog”. The earliest post on this site is dated 31 October 2010. These initial posts mainly provided advice on carding and ATM fraud, as well as reposts of news articles on criminal and fraudulent activity.

    The first reference on this blog to a dedicated Infraud site appeared on 11 November 2010, when a post was added offering downloads for a ZeuS crimeware toolkit. The post contained a URL linking to a thread on infraud[.]ws.

    On 24 November 2010, a new post was added to the site claiming that the name of the group behind the blog had changed to “Ministry of Fraudulently Affairs”.


    Figure 2: Screenshot of Infraud underground carders blog


    A post added on 07 December 2010 claimed that the infraud[.]ws domain had been blocked after being reported for hosting malware and fraudulent content. The next day, the Infraud domain had changed from infraud[.]ws to infraud[.]su.

    As of 03 March 2011, the blog advised users to only visit hxxps://infraud[.]cc.


    Figure 3: Post made on Infraud blog advising users to visit infraud[.]cc, a domain registered on 30 November 2010


    The name Ministry of Fraudulently Affairs also appears on a separate LiveJournal blog site (hxxp://infraud.livejournal[.]com) where advertisements and links to the infraud[.]cc site were posted.

    The “Infraud Journal” user profile for this blog site contained a link to the infraud[.]cc website and a Twitter account that is now suspended. The user stated their location was Borispol, Ukraine and used the Buddhist symbol Om as a logo. The account was created on 30 October 2010 and was last updated on 05 August 2014.


    Figure 4: infraud profile on Infraud Journal blog


    Online profiles using the “infraud” naming started appearing frequently across several criminal forums in December 2010 and January 2011. Many of these profiles used details and indicators previously used on the WordPress and Infraud Journal blogs, including the names “infraud” or “Ministry of Fraudulently Affairs”, and the Om Buddhist symbol as a profile picture. In this example from 26 January 2011 (below), the user infraud advertised an IP address and domains associated with the Infraud operation.


    Figure 5: Post made to hpc[.]name forum by user “infraud” containing links to various infraud domains


    How it worked

    Between 2010 and 2018, the Infraud Forum switched to several different top level domains and attracted large numbers of members to the forum (Brian Krebs puts this number at almost 11,000).

    The reputation of the forum also grew; a vendor with a presence on Infraud would have added legitimacy.  Even some of the most reputable Automated Vending Carts (AVCs) – such as the popular site Joker’s Stash – sought a presence on the Infraud Forum (see below). While Infraud was not unique in this respect – Verified, Omerta, and Exploit are other examples of forums where vendors look to establish a reputation – it was certainly a significant player.


    Figure 6: Post by JokerStash on wtl[.]pw


    In order to facilitate these vendors, the forum had a specific section for vendors to advertise. Vendors like Unnicat, Dark4sys, and Deputat (all also named in the indictment) had a presence here.

    The site extended beyond being simply a collection of credit card vendors, with separate exchanger and escrow services also available. Users could access these services at different access levels, such as VIP.


    Figure 7: A screenshot of Infraud[.]cc



    The Infraud Forum is another example of the level of professionalization that exists within the criminal underground. This forum was clearly highly hierarchical and relied on its extensive networks and reputation to make a lot of money.

    Many of the aliases disclosed in the indictment were at one point active across a host of different underground forums, including the AlphaBay forum. Although the full details of the law enforcement operation have not yet been released, it’s possible that the seizure of AlphaBay in 2017 provided valuable intelligence in this operation. Nevertheless, news that 36 prominent cybercriminals – who were active across several sites – have been closely monitored by international authorities will act as a further blow for the criminal community, which is still dealing with the impact of the AlphaBay and Hansa seizures.

    The impact of this announcement should be placed into context. It’s worth noting that of the 36 individuals named in the indictment, only 13 have been apprehended. Indeed, although the site infraud[.]wf appears to have been seized, some sites that were run by vendors on the Infraud Forum remain active, such as d4rksys[.]cc (see Figure 8 below), a site allegedly run by dark3r. This is similarly the case for sites run by Unnicat and Debutat. This is a reminder that, although Infraud was a significant player, there are many more forums and AVCs in operation, and the closure of one site means criminal actors will simply migrate to other forums.


    Figure 8: A screenshot of d4rksys[.]cc, taken on 07 February 2018.

    Shifts within the criminal ecosystem

    Given the increased attention from law enforcement, it’s possible we will see more forums turning to new technologies to reduce the likelihood of domain seizure. Joker’s Stash has already moved its site hosting to a blockchain-based domain name system (DNS) provided by the cryptocurrency Emercoin. We’ve seen adverts demonstrating this change since around the end of September 2017, on multiple clear web carding forums.


    Figure 9: Joker’s Stash advert on carding forum with link and instructions to latest Blockchain DNS site


    The adverts direct users to a “Blockchain DNS” browser extension for Chrome and Firefox, which enables users to connect to top level domains (TLDs) such as .bazar, .coin, .lib, .emc and others. Domains using these TLDs are not resolvable through standard DNS resolvers or default browser configurations. As Emercoin’s domain name records are completely decentralized, they cannot be altered, revoked or suspended by any authority; only a record’s owner can modify or transfer it to another owner. The owners of Joker’s Stash therefore likely sought to avoid takedowns or other external disruption by moving to a blockchain solution.

    This is not the first example of threat actors using blockchain-based DNS. The operators of both the Necurs botnet and the point of sale (PoS) malware Kasidet have used the Namecoin peer-to-peer network, which has no central authority, likely in attempts to avoid law enforcement takedowns of their command and control (C2) infrastructure. For the owners of Joker’s Stash, Emercoin’s DNS might trump traditional DNS for the same reasons, but it still requires visitors to take additional steps in order to visit the site, and that might drive away some of its business. In the end, as with a lot of security, the benefits might come at the sacrifice of ease-of-use.
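    Because standard resolvers cannot answer for these TLDs, the lookup itself is the detection signal. The following is an added example (not Digital Shadows’ code) that scans BIND-style query logs for the Emercoin TLDs named above; Namecoin’s .bit TLD is included from general knowledge, and the log lines are constructed samples.

```python
"""Flag DNS lookups for blockchain-based TLDs in resolver query logs.

Added example (not Digital Shadows' code). Emercoin's .bazar, .coin, .lib and
.emc TLDs are the ones named in the text; Namecoin's .bit TLD is added here
from general knowledge. The log lines are constructed samples in BIND
query-log form.
"""
import re
from collections import Counter
from typing import Iterable, List, Optional, Tuple

# Ordinary recursive resolvers cannot answer for these TLDs, so a query for one
# is itself the signal: a host has a blockchain-DNS extension or resolver set up.
BLOCKCHAIN_TLDS = {
    "bazar": "Emercoin",
    "coin": "Emercoin",
    "lib": "Emercoin",
    "emc": "Emercoin",
    "bit": "Namecoin",  # assumption: Namecoin's TLD, not mentioned on the page
}

# Matches the core of a BIND query-log line, e.g.
# "client 10.0.0.5#51234: query: example-shop.bazar IN A + (10.0.0.2)"
QUERY_RE = re.compile(
    r"client (?P<src>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def blockchain_tld(qname: str) -> Optional[str]:
    """Return the blockchain network serving qname's TLD, or None."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 2:          # a bare TLD is not a usable name
        return None
    return BLOCKCHAIN_TLDS.get(labels[-1])


def scan_query_log(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (client_ip, qname, network) for every blockchain-TLD lookup."""
    hits = []
    for line in lines:
        m = QUERY_RE.search(line)
        if not m:
            continue             # not a query line (notifies, transfers, ...)
        network = blockchain_tld(m.group("qname"))
        if network:
            hits.append((m.group("src"), m.group("qname").rstrip(".").lower(), network))
    return hits


def clients_by_hits(hits: List[Tuple[str, str, str]]) -> Counter:
    """Count hits per client so repeat offenders surface first."""
    return Counter(src for src, _, _ in hits)


# Constructed sample log; the addresses are placeholders.
SAMPLE_LOG = [
    "09-Feb-2018 10:12:01.123 client 10.0.0.5#51234: query: example-shop.bazar IN A + (10.0.0.2)",
    "09-Feb-2018 10:12:02.004 client 10.0.0.5#51240: query: www.example.com IN A + (10.0.0.2)",
    "09-Feb-2018 10:13:10.550 client 10.0.0.9#4111: query: update.emc IN AAAA + (10.0.0.2)",
    "09-Feb-2018 10:13:11.001 client 10.0.0.9#4112: query: forum.bit IN A + (10.0.0.2)",
    "09-Feb-2018 10:14:00.200 client 10.0.0.7#4000: query: library.lib.example.org IN A + (10.0.0.2)",
    "09-Feb-2018 10:15:00.000 zone example.com/IN: sending notifies (serial 2018020901)",
]

if __name__ == "__main__":
    found = scan_query_log(SAMPLE_LOG)
    for src, name, network in found:
        print(f"{src} looked up {name} ({network} DNS)")
    print(clients_by_hits(found))
```

    Only the final label is checked, so an internal name such as library.lib.example.org is not flagged.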


    No significant change anticipated

    Unfortunately, the reality is that this latest piece of news constitutes no real decrease in the threat posed to merchants, consumers and financial institutions from card fraud. Nevertheless, we will be keeping tabs on any changes that occur from these latest arrests, as the cybercriminal community bounces back from another setback. To find out more about the underground carding ecosystem, download a copy of our previous research report, Inside Online Carding Courses Designed for Cybercriminals.


    To get the latest threat intelligence news and research, subscribe to our email list here.

    Cryptojacking: An Overview Tue, 13 Feb 2018 17:59:17 +0000 What is Cryptojacking?

    Cryptojacking is the process of hijacking someone else’s browser to mine cryptocurrencies with their computer processing power. There are several pieces of software available that do this, including Coinhive, Authedmine and Crypto-Loot. While such tools are not necessarily illegal, the stealth and lack of user consent associated with them has led many to view crypto jacking software as malware; the security firm Malwarebytes, for example, has blocked coinhive[.]com.

    This week it was announced that a number of government websites, including the NHS, had been serving cryptojacking malware, meaning that visitors had been unknowingly mining cryptocurrency.


    Monero mining is big business; browsers, extensions and mobile apps have all reportedly spread Coinhive in the past few months. Coinhive is a JavaScript miner for Monero, a cryptocurrency that has been steadily growing in popularity since 2014. In January 2018, a proof of concept called CoffeeMiner was released, which allows actors to access public Wi-Fi networks and mine cryptocurrencies.

    More recently, a malvertising campaign targeted Google’s DoubleClick advertising tool to compromise adverts and distribute Coinhive. The sharp increase in use of Coinhive miners correlated to an increase in traffic to five malicious domains, which was subsequently linked back to DoubleClick advertisements.

    Crypto Jacker: A New WordPress Plugin

    A new product called Crypto Jacker looks to combine Coinhive, Authedmine and Crypto-Loot into a WordPress plugin with added Search Engine Optimization (SEO) functionality. The domain cryptojacker[.]co was registered on November 30th, 2017 and sells a one-time version of the Crypto Jacker software for $29. With the software purchased, users can install Crypto Jacker on an unlimited number of their domains.


    Figure 1: The Crypto Jacker software


    Crypto Jacker “provides a way to earn crypto currency from people who visit your links, even when you’re sharing other websites that you don’t own. We even cloak your website links for your (sic.) so they look like the original shares on social media.” This is done by using an iframe to clone content from popular websites, as shown in Figure 2.

    Figure 2: The user interface of the Crypto Jacker plug-in

    There are a couple of things Crypto Jacker does to increase traffic to the site.

    1. Users can load the metadata from the destination URL, making the page feature highly in search engine rankings.
    2. “Social Cloaking” (as shown in Figure 3) makes the imitation link appear to be from the original destination source, increasing the likelihood of clicks.

    Figure 3: Crypto Jacker’s “social cloaking” demonstration video

    It’s unsurprising that Crypto Jacker has these SEO features, given that other software published under the name Thomas Witek (the author of Crypto Jacker) includes “Click Jacker”, “Link Cloaker”, and “Gram Poster”. This shift in the business model to focus on cryptocurrency mining instead of advertising is explicitly referenced on the website: “advertising on the web is difficult to profit from….why shouldn’t you mine crypto coins.” This is part of a broader shift towards cryptocurrency fraud by a variety of actors, which we have analyzed in more detail in our recent research report, The New Gold Rush: Cryptocurrencies are the New Frontier of Fraud.

    Scam or Legitimate?

    Is this a scam? It’s possible that Crypto Jacker is a ruse to cash in on web developers’ interest in cryptocurrency mining. This review questions the nature of the site itself.

    Our own tests of the demo website (paidallday[.]com/what-you-need-to-know-about-bitcoin), shown on the Crypto Jacker website, show that cryptocurrency mining is likely taking place. As shown in Figure 4, the website appeared to have the plugin “cj-plugin”, which launched the “” script. When we visited the site, CPU usage increased significantly to 50% (as shown in Figure 5). While this does not confirm that the Crypto Jacker product is legitimate, it does add some credibility to its claims.

    Figure 4: The source code of paidallday[.]com/what-you-need-to-know-about-bitcoin, a demo website shown in Crypto Jacker videos

    Figure 5: CPU usage peaking at the time of the visit to the website
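    A defensive check along the lines of the source-code inspection above, as an added example (not the article's or Crypto Jacker's own code): it parses a page's HTML and flags script loaders from the mining services the article names, files under the “cj-plugin” path seen in Figure 4, and cross-origin iframes of the kind used to clone another site's content. The sample HTML and the hostnames ending in .example are constructed.

```python
# Added example (not Digital Shadows' or Crypto Jacker's code): flag pages that
# load the miner services the article names or Crypto Jacker's "cj-plugin"
# files, and iframes that pull in another site's content.
from html.parser import HTMLParser
from urllib.parse import urlparse

MINER_HOSTS = ("coinhive.com", "authedmine.com", "crypto-loot.com")  # from article
PLUGIN_MARKER = "/wp-content/plugins/cj-plugin/"  # plugin path seen in Figure 4


class MinerScanner(HTMLParser):
    """Collects (kind, src) findings for <script> and <iframe> tags."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "iframe"):
            return
        src = dict(attrs).get("src")
        if not src:
            return
        # Relative URLs have an empty host; strip any :port before comparing.
        host = urlparse(src).netloc.split(":")[0].lower()
        if tag == "script":
            if any(host == s or host.endswith("." + s) for s in MINER_HOSTS):
                self.findings.append(("miner-script", src))
            elif PLUGIN_MARKER in src:
                self.findings.append(("cj-plugin", src))
        elif host and host != self.page_host:
            # Cross-origin iframe: the technique Crypto Jacker uses to clone content.
            self.findings.append(("external-iframe", src))


def scan_page(html, page_host):
    """Return the list of findings for one page's HTML, given the page's own host."""
    scanner = MinerScanner(page_host)
    scanner.feed(html)
    return scanner.findings


# Constructed sample page modelled on the article's description, not a real capture.
SAMPLE_HTML = """<html><head>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script src="/wp-content/plugins/cj-plugin/js/start.js"></script>
<script src="https://cdn.example.net/jquery.min.js"></script>
</head><body>
<iframe src="https://news.example.org/article/123"></iframe>
<iframe src="/embed/local-video"></iframe>
</body></html>"""
```

    Running scan_page(SAMPLE_HTML, "demo.example") returns the Coinhive loader, the cj-plugin script and the external iframe, while the ordinary CDN script and the same-origin iframe are left alone.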

    Interest in cryptocurrencies shows no sign of slowing down and, while Crypto Jacker does not appear to have developed a large user base, its emergence – if legitimate – is an attempt to lower the barrier to entry for those looking to use stealthy cryptocurrency mining software.

    Protect yourself from Crypto mining

    1. Have a reputable ad blocker

    Organizations that do not wish to be “crypto jacked” and inadvertently mine cryptocurrency should ensure they have a reputable ad blocker in place. Consider ad blockers such as AdBlock, AdBlock Plus, 1Blocker, and uBlock. The NoCoin browser extension was also developed specifically to block coin miners such as Coinhive.

    2. Apply patches to known vulnerabilities

    Organizations should apply patches and mitigations for known vulnerabilities, as these can be used to deliver crypto miners. In December 2017 PyCryptoMiner, for example, began exploiting a vulnerability affecting JBoss servers that was first discovered in October. More recently, a Struts server exploit has been used for Monero mining. Sites such as US-CERT, the National Vulnerability Database and MITRE can provide the latest information on newly disclosed vulnerabilities. Red Hat Software provided mitigation advice for the JBoss vulnerability exploited by PyCryptoMiner. Patches for the Struts vulnerabilities are also available.


    Download our latest research paper, The New Gold Rush: Cryptocurrencies are the New Frontier of Fraud, to learn more about cryptocurrency fraud and ways to protect against it.


    To get the latest threat intelligence news and research, subscribe to our email list here.

    Shadow Talk Update – 12.02.2018 (Mon, 12 Feb 2018 15:23:39 +0000)

    With the 2018 Winter Games beginning this week, the Digital Shadows Research Team focused on threats to those traveling to South Korea in this episode of Shadow Talk. There was also a roundup of the most recent cyber security news.

    Malware in Winter Olympics spearphishing campaign identified

    Anti-virus security company McAfee published a report detailing four variants of malware linked to the targeting of organizations associated with the XXIII Winter Games in South Korea. The variants were identified as “Gold Dragon”, “Brave Prince”, “Ghost419” and “RunningRat”. During the games themselves, we expect there to be a rise in cybercriminal activity, achieved through point of sale malware infections at hospitality, leisure and retail locations, ATM skimming, banking fraud and scam emails. VIPs travelling to the event are advised to use alternative forms of payment like chip and pin, pre-paid and pre-capped cards. Travellers should also opt for Virtual Private Network (VPN) tunnelling when connecting to company networks and corporate accounts, especially on public Wi-Fi.


    Operation Pzchao: not your typical espionage campaign

    The espionage-driven campaign Operation Pzchao has affected multiple entities across government, technology, education and telecommunications in North America, Russia, Oceania and Asia since 2016. Victims received emails containing a Visual Basic Script (VBScript) file, which retrieved second-stage payloads: a Bitcoin mining application, the credential harvester “Mimikatz”, and variants of the “Gh0st” remote-access trojan (RAT). Digital Shadows analysts cast doubt on the reported attribution to a Chinese state-linked advanced persistent threat (APT) group — the use of a Bitcoin miner, inconsistencies in the reported distribution method and the use of a widespread RAT tool with no additional custom malware are not typical of a highly coordinated, state-linked group.


    Adobe zero-day vulnerability exploited in attacks against South Koreans

    The South Korean Computer Emergency Response Team (CERT) warned that a critical Adobe vulnerability was exploited in attacks targeting South Koreans involved in geopolitical research. Spearphishing emails were the only known vector of the attacks, which were attributed to a North Korean threat group. The emails distributed a variant of the “ROKRAT” trojan, which has reconnaissance and information-stealing capabilities. Adobe has issued security updates for the vulnerability, identified as CVE-2018-4878. Further exploitation attempts of this flaw are highly likely.


    Denial of service vulnerability discovered in WordPress platform

    A vulnerability identified in the WordPress online publishing platform could enable an attacker to conduct denial of service attacks. The researcher who identified the flaw claimed that requests for large JavaScript or Cascading Style Sheet files could be sent repeatedly to sites, resulting in the denial of legitimate traffic. WordPress has indicated it does not plan to patch the flaw, although exploitation of this vulnerability could potentially reverse this decision. The researcher released proof-of-concept (POC) code, and secondary reporting suggested a small number of exploitation attempts had been detected. Further attempts are considered highly likely to occur.


    United States authorities charge 36 individuals allegedly behind the ‘Infraud’ cybercrime forum

    On Wednesday 7 February, the U.S. Department of Justice unveiled an indictment from 31 October 2017 against 36 individuals associated with the Infraud carding forum. This was a result of an operation known as “Shadow Web”. Although Infraud was a significant player in the carding ecosystem, there are still many more forums and Automated Vending in operation, and the closure of one site will mean criminal actors will migrate to other forums. Therefore, the threat posed t