Shadow Talk Update – 04.30.2018
April 30, 2018
In this week’s episode of Shadow Talk, we cover the targeting of healthcare organizations by Orangeworm, BGP hijacking, vulnerabilities in MikroTik routers, DDoS market shutdowns, and the profitability of cryptocurrency mining.
Orangeworm actively targets healthcare via supply chain
Security software company Symantec reported on a newly identified threat group called Orangeworm, observed targeting entities in the healthcare industry with custom backdoor malware. Multiple geographies have been affected, which is likely the result of Orangeworm attacking international organizations. Orangeworm conducted information theft and reconnaissance, but the group’s exact motives are unconfirmed at the time of writing.
Spam campaign drops multiple payloads
A new spam campaign is targeting multiple geographies with a quartet of malware that comprises the “Adwind” RAT, backdoors “XTRAT” and “DUNIHI”, and the information stealer “Loki Bot”. All the payloads are highly configurable and enable various malicious activities, including information theft and remote-access tasks. This is the first reported instance of the malware being bundled together in a spam campaign, having previously been distributed in separate attacks.
Botnet exploits Drupal vulnerability
A botnet is actively using six exploits, including one for the remote code execution (RCE) vulnerability CVE-2018-7600 affecting the Drupal CMS, with the aim of performing DoS attacks and mining cryptocurrencies. CVE-2018-7600 was classified as “highly critical” when publicly announced, and security updates have been released to address the flaw. This is the first identified incident of a threat actor targeting this vulnerability. Given the popularity of RCE exploits, additional targeting is highly likely in the immediate future (the next few weeks).
Threat actor zeroes in on Internet Explorer zero-day vulnerability
Security company Qihoo360 reported the exploitation of a zero-day vulnerability affecting the Internet Explorer browser’s kernel code by an unidentified threat actor. The vulnerability was labeled a “double play” loophole, but Microsoft has yet to release more technical details or information pertaining to the exploitation. The flaw reportedly affects all current versions of Internet Explorer and applications using the kernel.
The critical code of the kernel is usually loaded into a separate area of memory, which is protected from access by application programs or other, less critical parts of the operating system.