
Shadow Talk Update – 03.05.2018
Digital Shadows Analyst Team
March 5, 2018 | 3 Min Read

On this week’s Shadow Talk podcast, the Research Team cover CVE-2018-4878 being used in a spam campaign, the HTTPS certificate chaos between Trustico and DigiCert, more ransomware reporting on the SamSam and DataKeeper variants, and the threat of large-scale distributed denial of service (DDoS) attacks using Memcached servers.

Spam enables Flash vulnerability exploit

An Adobe Flash vulnerability tracked as CVE-2018-4878 is being exploited through a spam email campaign. Lure emails contained a shortened link that, if clicked, led to a web domain hosting weaponized Microsoft Word documents. If the documents were opened, the attack attempted to exploit the vulnerability, enabling remote code execution. CVE-2018-4878 was previously exploited as a zero-day vulnerability in targeted espionage; the spam campaign shows its rapid uptake by other threat actors. Proof-of-concept exploit code has been released publicly, meaning CVE-2018-4878 will likely continue to be targeted by operations using multiple entry vectors, despite a patch being available.


Thousands of website certificates revoked after private key exposure

23,000 Symantec-issued HTTPS website certificates resold by Trustico will be revoked after their associated private keys were exposed via email. This may result in website service interruptions unless owners quickly replace the certificates. Affected customers were notified, with both DigiCert – the entity responsible for revoking the certificates – and Trustico offering free replacement certificates. Although both DigiCert and Trustico are likely to suffer some reputational damage due to conflicting reporting and their public dispute, this is unlikely to impact trust in the certificate system as a whole.


Update on SamSam ransomware attack

The Colorado Department of Transportation, in the United States, took 2,000-plus staff computers offline after an attack by ransomware “SamSam”. No crucial systems were reportedly affected, and only computers running Windows operating systems were disrupted. The attack vector is not known, but SamSam usually targets vulnerable software applications or servers. The “Gold Lowell” threat group has previously used SamSam and accrued a significant profit from attacks.


New DataKeeper ransomware variant detected

The “DataKeeper” ransomware-as-a-service (RaaS) variant is notable for its ability to conduct lateral movement. At the time of publication, there had been no transactions into the Bitcoin address associated with this RaaS, indicating that any attempted extortions using the address were ineffective. However, given its accessibility, profit share and capacity for lateral movement, this ransomware will likely be adopted by a variety of actors.


Memcached servers used for DDoS reflection attacks

There is a new DDoS reflection attack method that uses internet-facing Memcached servers. Memcached is a memory caching system that, by default, “listens” on UDP port 11211. More than 90,000 of these servers were discovered on the Internet of Things search engine Shodan as of 28 February. The code repository site GitHub was targeted by this method, with the peak attack volume recorded at 1.35 terabits per second. Blocking or filtering this traffic, or modifying the Memcached configuration so that it listens only on localhost, is recommended.
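As an added illustration of that last recommendation (example code, not from the post): a small audit of a memcached option line that reports whether its UDP listener is reachable beyond loopback, with the weak default beside two hardened forms. The flags it understands (-l, -U, -p) are memcached's own; the sample option strings and the all-interfaces/UDP-on default are constructed assumptions.

```python
"""Audit a memcached option line for reflection exposure (constructed example).
Understands memcached's own flags -l <addr[,addr]> (bind address), -U <port>
(UDP port, 0 disables UDP) and -p <port> (TCP port); other flags are skipped.
Defaults follow the post: UDP 11211 on every interface unless told otherwise.
"""
import shlex

LOOPBACK = ("127.", "::1", "localhost")

def _is_loopback(addr):
    # Assumption: -l values are bare addresses; IPv6 may be bracketed.
    return addr.strip().strip("[]").startswith(LOOPBACK)

def parse_options(cmdline):
    """Return (bind_addrs, udp_port, tcp_port); empty bind list = all interfaces."""
    args = shlex.split(cmdline)
    binds, udp, tcp = [], 11211, 11211
    i = 0
    while i < len(args):
        flag, val = args[i][:2], args[i][2:]
        if flag not in ("-l", "-U", "-p"):
            i += 1
            continue
        if not val:            # value given as the next token, e.g. -l 127.0.0.1
            i += 1
            val = args[i]
        if flag == "-l":
            binds.extend(v for v in val.split(",") if v)
        elif flag == "-U":
            udp = int(val)
        else:
            tcp = int(val)
        i += 1
    return binds, udp, tcp

def audit(cmdline):
    """Classify the line as 'udp-disabled', 'loopback-only' or 'exposed'."""
    binds, udp, _ = parse_options(cmdline)
    if udp == 0:
        return "udp-disabled"
    public = not binds or any(not _is_loopback(b) for b in binds)
    return "exposed" if public else "loopback-only"

# Constructed samples: the weak default beside two hardened option lines.
WEAK = "-m 64 -p 11211"                     # all interfaces, UDP 11211 still on
FIXED_BIND = "-m 64 -l 127.0.0.1 -U 11211"  # UDP kept but loopback-only
FIXED_NO_UDP = "-m 64 -l 0.0.0.0 -U 0"      # reachable over TCP only, UDP off
if __name__ == "__main__":
    for line in (WEAK, FIXED_BIND, FIXED_NO_UDP):
        print(f"{audit(line):14} {line}")
```

A host that binds a non-loopback address with UDP left enabled (for example `-l 127.0.0.1,10.0.0.5 -U 11211`) is still reported as exposed, since the public interface is what a reflection attack reaches.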

