We're Moving! - Websites, That Is
Threat Intelligence / Shadow Talk Update – 05.14.2018

Shadow Talk Update – 05.14.2018

Shadow Talk Update – 05.14.2018
Digital Shadows Analyst Team
Read More From Digital Shadows Analyst Team
May 14, 2018 | 3 Min Read

In this week’s episode Shadow Talk we look at the Winnti Umbrella group, asking what this means for organizations. We discuss vulnerabilities in Microsoft Office (CVE-2018-8174) and basestriker. And, finally, we outline the fall out surrounding the Olympus dark web marketplace.


Chinese state-associated threat actors linked under one umbrella

Individual threat groups and actors conducting politically motivated operations have been identified as working in one Chinese state-associated collective, known as the Winnti umbrella group. Identification of this group was made possible by operational security mistakes made by some of the actors and groups, which revealed overlapping command-and-control (C2) infrastructure used in operations previously seen as unrelated. One favored tactic among the attackers was the theft of code-signing certificates from software companies, which were then used in later attacks to obfuscate malicious components. The collective demonstrated varying technical capabilities but were persistent in their approach, and should be considered a highly credible threat.


Patch delay leaves Intel CPUs vulnerable to exploitation

Technology company Intel has delayed the release of security patches designed to address newly identified flaws affecting their CPUs. The delay means the vulnerabilities may be publicly disclosed before patches are made available. These “Spectre-NG” vulnerabilities relate to previous “Spectre and “Meltdown vulnerabilities, and could be exploited by attackers to secure control of a compromised system. The initial patches were due to be released on 21 May 2018, with additional patches to be released in August 2018.


Cryptocurrency miners target multiple exploits

A new cryptocurrency mining campaign is targeting three exploits to distribute a variant of mining malware. The vulnerabilities affected the Oracle WebLogic Server, Apache Struts 2 and the Server Message Block v1 server in the Microsoft Windows operating system. The third flaw is known as “ETERNALBLUE”, an exploit previously assessed to have been developed by the United States National Security Agency and publicly released by the “Shadow Brokers threat group in April 2017. Patches are available for all the vulnerabilities.


Zero-day exploitation of CVE-2018-8174 attributed to DarkHotel group

Security company Qihoo360 reported that espionage group DarkHotel (aka APT-C-06) has exploited a zero-day vulnerability to target China-based foreign trade entities. The patch for the flaw was released by Microsoft on 08 May 2018, and is the first observed use of the URL Moniker programming architecture to load an Internet Explorer exploit. The flaw enables an attacker to render a webpage using the Internet Explorer engine, even if Internet Explorer is not set as the default browser on the device.


Subscribe to our weekly newsletter to get the latest podcast and other research by Digital Shadows.

Related Blog Posts

We’re Moving! – Websites, That Is

We’re Moving! – Websites, That Is

December 15, 2022 | 1 Min Read

We’re excited to announce the next phase of...
APT Spotlight Series: Sandworm

APT Spotlight Series: Sandworm

December 8, 2022 | 4 Min Read

This blog is the latest in our series taking a...
Vulnerability Intelligence Roundup: Five lessons learned since Log4Shell

Vulnerability Intelligence Roundup: Five lessons learned since Log4Shell

November 29, 2022 | 4 Min Read

As the holiday season approaches, my family has...