Shadow Talk Update – 02.19.2018February 19, 2018
In this week’s Shadow Talk podcast, the Digital Shadows Research Team analyses new activity from the Lazarus Group, attacks on the Winter Games opening ceremony, the theft of $170 million from the Bitgrail cryptocurrency exchange, and two Outlook vulnerabilities.
Lazarus Group continues to pursue theft and espionage
New Lazarus Group activity reported this week shows that the threat group remains highly active and motivated by financial and information theft, as well as espionage. The group was attributed with the financially motivated HaoBao campaign, targeting Bitcoin users, and the development of two trojan variants, “HardRain” and “BadCall”. The targeting of cryptocurrency marks a relatively recent evolution in Lazarus Group’s tactics, techniques and procedures (TTPs). The trojan malware indicates the group’s sustained interest in espionage tools. Digital Shadows expects the group to continue to target cryptocurrency trading platforms within the next one to six months.
Winter Olympics ‘targeted with Olympic Destroyer’ malware
Cyber security researchers have identified a sample of what they assess to be the malware used during the opening ceremony of the 2018 Olympic Winter Games. The malware attacks suspended Wi-Fi in the stadium and press center. Despite having limited effects, the malware appears technically complex with varied techniques, including hardcoded credentials within its source code to allow lateral system movement. Competing and conflicting reports have linked the campaign to North Korea, China and/or Russia, but there has been insufficient evidence to definitively implicate any threat actor.
BitGrail reports USD 170 million cryptocurrency loss
The BitGrail cryptocurrency exchange suffered an attack in which 17 million Nano Tokens (USD 170 million) were allegedly lost. Prior to the disclosure of the attack, BitGrail suspended all withdrawals and deposits of several cryptocurrencies and announced new security measures. Subsequently, a series of heated disagreements have sprung up between the creators of Nano Token and the BitGrail exchange, with neither accepting responsibility for the loss, and both accusing the other of suspicious behavior. Such disagreements will likely prevent customers from reclaiming the value of their tokens. The fallout from the attack will likely strengthen the call to regulate cryptocurrencies and their methods of exchange.
RCE vulnerability affects MS Outlook
Microsoft (MS) has released descriptions of two vulnerabilities affecting its Outlook software. One is CVE-2018-0852, a memory corruption vulnerability allowing arbitrary remote code execution (RCE) if users access a crafted malicious file. The second is CVE-2018-0850, a privilege escalation vulnerability. Although neither has been detected as being exploited in the wild, both affect multiple version of MS Outlook; given their ubiquity, it is likely that criminals will seek to exploit them.
Listen to the full podcast here:
Subscribe to our weekly newsletter to get the latest podcast and other research by Digital Shadows.