Shadow Talk Update – 05.14.2018
May 14, 2018
In this week’s episode Shadow Talk we look at the Winnti Umbrella group, asking what this means for organizations. We discuss vulnerabilities in Microsoft Office (CVE-2018-8174) and basestriker. And, finally, we outline the fall out surrounding the Olympus dark web marketplace.
Chinese state-associated threat actors linked under one umbrella
Individual threat groups and actors conducting politically motivated operations have been identified as working in one Chinese state-associated collective, known as the Winnti umbrella group. Identification of this group was made possible by operational security mistakes made by some of the actors and groups, which revealed overlapping command-and-control (C2) infrastructure used in operations previously seen as unrelated. One favored tactic among the attackers was the theft of code-signing certificates from software companies, which were then used in later attacks to obfuscate malicious components. The collective demonstrated varying technical capabilities but were persistent in their approach, and should be considered a highly credible threat.
Patch delay leaves Intel CPUs vulnerable to exploitation
Technology company Intel has delayed the release of security patches designed to address newly identified flaws affecting their CPUs. The delay means the vulnerabilities may be publicly disclosed before patches are made available. These “Spectre-NG” vulnerabilities relate to previous “Spectre” and “Meltdown” vulnerabilities, and could be exploited by attackers to secure control of a compromised system. The initial patches were due to be released on 21 May 2018, with additional patches to be released in August 2018.
Cryptocurrency miners target multiple exploits
A new cryptocurrency mining campaign is targeting three exploits to distribute a variant of mining malware. The vulnerabilities affected the Oracle WebLogic Server, Apache Struts 2 and the Server Message Block v1 server in the Microsoft Windows operating system. The third flaw is known as “ETERNALBLUE”, an exploit previously assessed to have been developed by the United States National Security Agency and publicly released by the “Shadow Brokers” threat group in April 2017. Patches are available for all the vulnerabilities.
Zero-day exploitation of CVE-2018-8174 attributed to DarkHotel group
Security company Qihoo360 reported that espionage group DarkHotel (aka APT-C-06) has exploited a zero-day vulnerability to target China-based foreign trade entities. The patch for the flaw was released by Microsoft on 08 May 2018, and is the first observed use of the URL Moniker programming architecture to load an Internet Explorer exploit. The flaw enables an attacker to render a webpage using the Internet Explorer engine, even if Internet Explorer is not set as the default browser on the device.
Subscribe to our weekly newsletter to get the latest podcast and other research by Digital Shadows.