Minimize your digital risk by detecting data loss, securing your online brand, and reducing your attack surface.
A powerful, easy-to-use search engine that combines structured technical data with content from the open, deep, and dark web.
Digital Risk Protection
Research Team Finds 50% Increase in Exposed Data in One Year
New report recognizes Digital Shadows for strongest current offering, strategy, and market presence of 14 vendors profiled
Read Full Report
In this week’s episode Shadow Talk, it’s a vulnerability extravaganza. We cover malicious use of legitimate software, as APT28 is attributed to hijacking LoJack and Blackrouter delivered via AnyDesk software. Vulnerabilities found (and exploited) in GPON home routers, and Loki Bot exploits two remote code execution vulnerabilities in Microsoft Office (CVE-2017-8570 and CVE-2018-0802).
Distributors of the Loki Bot information-stealing malware are exploiting two remote code execution (RCE) vulnerabilities in Microsoft Office: CVE-2017-8570 and CVE-2018-0802. CVE-2018-0802 is associated with another flaw (CVE-2017-11882), and only devices that have applied the patches for that vulnerability can be exploited in the new attacks. Because Loki Bot is widely available on online criminal forums, there has been no attribution for the recent activity. Proof of concept (PoC) code has been released online, which has highly likely enabled attackers to target both vulnerabilities.
News service Bloomberg reported that three Mexican banks were forced to use contingency plans for monetary transfers after a cyber “incident” affected connections with the Interbank Electronic Payment System (SPEI). The SPEI is a nearly real-time hybrid settlement system that enables transfers between participating banks, and is operated by Mexico’s central bank (Banco de México). At the time of writing, few details of any intrusions are publicly available. Attacks targeting specific banks and their internal systems are often conducted by threat actors with a good knowledge of banking payment infrastructure. This incident followed a failed attack on a Mexican bank’s SWIFT platform in January 2018.
A previously unreported RAT, dubbed GravityRAT, allegedly targeted organizations in India, and has been under development for the past two years. GravityRAT has similar functionality to pre-existing RATs, including file extraction and RCE. GravityRAT evaded detection for multiple years despite the C2 infrastructure remaining static throughout its evolution. This likely indicates that there were a few attacks against organizations, and that it was unlikely to have represented a significant threat.
Malware distributors have been using a new crimeware kit, called Rubella Macro Builder, for attacks. The kit is available to rent from Russian-language criminal forums at a relatively low price, and offers a range of functions pertaining to payload execution and encryption. The attack vector relies on social engineering, in sending emails with malicious Microsoft documents attached: an unsophisticated but consistently popular distribution method. Since its emergence in February 2018, the kit has undergone modification and developments, and more improvements are highly likely in the short term.
Subscribe to our weekly newsletter to get the latest podcast and other research by Digital Shadows.