Shadow Talk Update – 02.26.2018

Shadow Talk Update – 02.26.2018
Digital Shadows Analyst Team
Read More From Digital Shadows Analyst Team
February 26, 2018 | 3 Min Read

In this week’s podcast, the Digital Shadows Research Team discuss attacks against banks using the SWIFT network, business email compromise (BEC) threats, the state of ransomware, as well as new activity by thedarkoverlord and APT-37.

 

 

Two new thefts using SWIFT network confirmed

Over the past week, an unidentified Russian bank and India’s City Union Bank confirmed that recent fraudulent SWIFT banking transfer requests had been submitted, attempting to steal $8 million. Specifics of malware deployment, and the perpetrators’ tactics, techniques and procedures (TTPs), are among the many unknown details. Previous SWIFT attacks have been attributed to “Lazarus Group”, although several financially motivated actors have likely made similar theft attempts. Targeting this transfer system remains profitable, and further theft attempts are likely.

 

Business email compromise campaign targets Fortune 500 companies

Fortune 500 companies—ranked among the highest-revenue companies in the United States – have been subject to an ongoing BEC campaign. Targets operated in the retail, healthcare, financial and professional services sectors. Campaign operators have allegedly stolen “millions of dollars” using spearphishing, as well as advanced social engineering techniques; no malware was involved.

 

Extortion actor thedarkoverlord publicizes new targets

The threat actor thedarkoverlord has returned after a three-month hiatus. Recent Twitter activity suggests targeting of a US public school union, a US law firm, and un-specified Hollywood companies. Thedarkoverlord has previously conducted a number of extortion campaigns, largely against the United States healthcare sector. Digital Shadows cannot establish the veracity of these new claims, but it is likely that thedarkoverlord is attempting to gain new publicity by threatening high-profile targets.

 

Ransomware remains a threat to organizations in all industries

The “Saturn” ransomware-as-a-service (RaaS) variant has been active in February. Saturn RaaS does not require a sign-up fee, instead, developers request 30% of extortion fees generated from each successful infection. In other ransomware news, the Colorado Department of Transportation (CDOT) was affected by a SamSam ransomware infection on 21 February 2018. This infection reportedly caused disruption to 2,000 computers owned by CDOT; however, CDOT stated it will not pay the ransom and is using system backups.

 

North Korea-linked espionage group APT-37 continues to evolve

Cyber security company FireEye reported the continued activity and evolution of “APT-37” (aka Reaper), an allegedly North Korea-linked threat group motivated by information theft and espionage. FireEye’s research also linked APT-37 activity to that reported for other threat actors, including “Group 123” and “ScarCruft”, although exact details were unclear. APT-37 has mainly targeted the technology and healthcare sectors in South Korea, but has also implicated Japan, Vietnam and the Middle East. APT-37 will likely continue their information-gathering campaigns for the short- to mid-term future (one to six months) and more information about the group may arise during that time.

Subscribe to our weekly newsletter to get the latest podcast and other research by Digital Shadows.

Access Our Threat Intel In Test Drive

Test Drive SearchLight Free for 7 Days
Try It Now

Connect with us

Related Posts

It’s even easier to initiate takedowns in SearchLight

It’s even easier to initiate takedowns in SearchLight

August 12, 2020 | 3 Min Read

When faced with infringing content, phishing...
Escrow systems on cybercriminal forums: The Good, the Bad and the Ugly

Escrow systems on cybercriminal forums: The Good, the Bad and the Ugly

August 11, 2020 | 15 Min Read

Just a few short months ago, the...
Saving the SOC from overload by operationalizing digital risk protection

Saving the SOC from overload by operationalizing digital risk protection

August 5, 2020 | 4 Min Read

As you may have seen last week, the latest...