Shadow Talk Update – 04.23.2018
April 23, 2018
This week’s Shadow Talk discusses Russia’s attempts to ban the social messaging app, and also read between the lines of the joint US and UK advisory on network infrastructure compromises by Kremlin-backed actors. We also outline new ransomware payloads incorporated into the Magnitude exploit kit and we bring you the latest news on vulnerabilities in the Drupal Platform and Cisco’s WebEx software.
Russian threat actors compromised network infrastructure
On 16 April the US-CERT and the United Kingdom NCSC published a joint technical advisory regarding the compromise of network infrastructure in multiple sectors by Russian state-backed threat actors. Since 2015 threat actors have scanned the internet to find infrastructure devices with legacy protocols or weak security, using default, stolen or brute-force cracked credentials to authenticate onto target devices. This allowed network mapping, man-in-the-middle operations and modification of firmware. Attackers may have obtained sensitive information, or secured a foothold for future operations.
The advisory release was likely to demonstrate cyber defense as well as political solidarity between the United States and United Kingdom—given political tension with Russia. The current threat activity level associated with this campaign is unknown and although security firms detected increases in scanning for some target devices, this was not independently attributed to Russian threat actors. Network infrastructure is a target for multiple threat groups, and considering the many unsecured devices and tools available to exploit them, this is likely to continue.
Drupal vulnerability exploited
PoC code for an RCE vulnerability (CVE-2018-7600) affecting the Drupal content management system was released online. Exploitation of the vulnerability was detected by security companies shortly after the PoC was published. Exploitation allows the compromise of legitimate and trusted websites, which can then be used to conduct malicious activity. Users should upgrade their Drupal systems to the most recent version.
RCE vulnerability affects Cisco WebEx
Certain Cisco WebEx products are vulnerable to a newly identified RCE vulnerability. If CVE-2018-0112 is exploited, an attacker could run arbitrary code on an infected system. Cisco has released upgrades to address the flaw; there are no reports of the vulnerability having been exploited in the wild to date.
Magnitude exploit kit switches ransomware payload
The Magnitude exploit kit was identified distributing the GandCrab ransomware, an updated payload for this exploit kit. Magnitude previously distributed “Magniber” and “Cerber” ransomware variants. There were no changes to distribution methods or target geographies. GandCrab was the delivery payload of multiple campaigns in 2018 and it appears to be relatively popular with threat actors, likely due to its nature as a ransomware-as-a-service. At the time of writing, there is no decryption tool publicly available for the version of GandCrab deployed in this campaign.