Shadow Talk Update – 02.26.2018
February 26, 2018
In this week’s podcast, the Digital Shadows Research Team discuss attacks against banks using the SWIFT network, business email compromise (BEC) threats, the state of ransomware, as well as new activity by thedarkoverlord and APT-37.
Two new thefts using the SWIFT network confirmed
Over the past week, an unidentified Russian bank and India’s City Union Bank confirmed that recent fraudulent SWIFT banking transfer requests had been submitted, attempting to steal $8 million. Specifics of malware deployment, and the perpetrators’ tactics, techniques and procedures (TTPs), are among the many unknown details. Previous SWIFT attacks have been attributed to “Lazarus Group”, although several financially motivated actors have likely made similar theft attempts. Targeting this transfer system remains profitable, and further theft attempts are likely.
Business email compromise campaign targets Fortune 500 companies
Fortune 500 companies, ranked among the highest-revenue companies in the United States, have been subject to an ongoing BEC campaign. Targets operated in the retail, healthcare, financial and professional services sectors. Campaign operators have allegedly stolen “millions of dollars” using spearphishing, as well as advanced social engineering techniques; no malware was involved.
Extortion actor thedarkoverlord publicizes new targets
The threat actor thedarkoverlord has returned after a three-month hiatus. Recent Twitter activity suggests targeting of a US public school union, a US law firm, and unspecified Hollywood companies. Thedarkoverlord has previously conducted a number of extortion campaigns, largely against the United States healthcare sector. Digital Shadows cannot establish the veracity of these new claims, but it is likely that thedarkoverlord is attempting to gain new publicity by threatening high-profile targets.
Ransomware remains a threat to organizations in all industries
The “Saturn” ransomware-as-a-service (RaaS) variant has been active in February. Saturn RaaS does not require a sign-up fee; instead, its developers request 30% of the extortion fees generated from each successful infection. In other ransomware news, the Colorado Department of Transportation (CDOT) was affected by a SamSam ransomware infection on 21 February 2018. This infection reportedly caused disruption to 2,000 computers owned by CDOT; however, CDOT stated it will not pay the ransom and is restoring from system backups.
North Korea-linked espionage group APT-37 continues to evolve
Cyber security company FireEye reported the continued activity and evolution of “APT-37” (aka Reaper), an allegedly North Korea-linked threat group motivated by information theft and espionage. FireEye’s research also linked APT-37 activity to that reported for other threat actors, including “Group 123” and “ScarCruft”, although exact details were unclear. APT-37 has mainly targeted the technology and healthcare sectors in South Korea, but its activity has also affected Japan, Vietnam and the Middle East. APT-37 will likely continue its information-gathering campaigns for the short- to mid-term future (one to six months), and more information about the group may emerge during that time.