Shadow Talk Update – 05.21.2018
May 21, 2018
In this week’s episode of Shadow Talk, Digital Shadows’ Head of Security Engineering, Dr Richard Gold, joins the pod to explain the EFAIL vulnerability affecting OpenPGP (Pretty Good Privacy) and S/MIME (Secure/Multipurpose Internet Mail Extensions), as well as other flaws identified in encrypted messaging platforms. Dr Gold also outlines the factors you should consider when prioritizing your patching.
In part two, we look at the 15 million dollar thefts in Mexico and outline the risks facing interbank payment systems.
Millions stolen from Mexican banks using interbank system
More than $15 million was reportedly stolen from Mexico-based banks by unidentified attackers who submitted fraudulent transfer orders via the SPEI, an electronic payment system developed and operated by Banco de México. The April 2018 theft subsequently forced Mexican banks to adopt contingency plans for interbank payments. Flaws in third-party software were likely used to access the SPEI, drawing comparisons to previous thefts that exploited the SWIFT interbank platform. More details are likely to be released in the short-term future (within three months).
SilverTerrier phishing attacks secure USD 3 billion profit to date
A group of predominantly Nigeria-based threat actors, known collectively as SilverTerrier, has delivered phishing attacks using information-stealing malware and remote-access trojans against targets in multiple sectors and regions. The threat actors demonstrated a range of technical skills, but also some poor operational security practices, including using the same credentials to register malicious domains and personal social media profiles. According to law-enforcement estimates, the attacks equate to more than $3 billion in losses from the targeted companies to date.
Proof of concept attacks decrypt PGP and S/MIME encrypted emails
On 14 May 2018, three universities collaborated to outline two proof-of-concept attacks that allow emails sent using OpenPGP and S/MIME to be displayed in plaintext under certain conditions. PGP is an encryption program that provides cryptographic privacy and authentication, and S/MIME is a standard for public key encryption. The “EFAIL” attacks required existing access to encrypted emails. In the first attack, a threat actor could hypothetically abuse the way certain email clients handle Hypertext Markup Language (HTML) in PGP or S/MIME emails to have the ciphertext decrypted and exfiltrated to an attacker-controlled web address. The second attack relied on attackers having existing knowledge of a plaintext block, and largely affected S/MIME through a Cipher Block Chaining (CBC) gadget. This could be used to decrypt multiple emails. Given the potential access to encrypted data, this attack vector, if deployed, would likely be used by threat actors with highly specific intelligence-gathering aims and substantial intent and resources.
Cryptocurrency miner targets Oracle WebLogic vulnerability
Threat actors using the CoinMiner cryptocurrency malware are actively targeting a remote code execution flaw affecting the application server Oracle WebLogic. There has been a recent uptick in attacks targeting the vulnerability, designated CVE-2017-10271. The infection process resembled that of another attack in February 2018, which distributed mining malware by exploiting a flaw in the Apache database software CouchDB; it was possible the same threat actor was responsible for both attack campaigns, though this was unconfirmed. Patches are available to address the vulnerability, but more attempts at exploitation are highly likely.