Shadow Talk Update – 06.11.2018
June 11, 2018
In Shadow Talk this week, Dr Richard Gold joins us to discuss security debt, a term for the accumulation of security risks over time, such as missed patches, misapplied configurations, and mismanaged user accounts. Richard looks at how many of the attacks we see on a regular basis are actually the result of security risks that build up over time, and how security debt is a ticking time bomb for most organizations. In Part II, Harrison Van Riper covers the recent website defacement attack and data breach incident targeting the event ticketing company Ticketfly.
Data breach and website defacement rock Ticketfly
Event ticketing company Ticketfly took all operations offline pending investigation into a website defacement attack and reported data breach. Ticketfly confirmed the data, which had been uploaded to a public server, was legitimate. The threat actor claiming responsibility has previously been associated with a hacktivist group known for conducting ideologically motivated defacement attacks. However, the attack on Ticketfly appears to be financially motivated since the attacker reportedly demanded payment from Ticketfly in return for disclosure of details regarding the exploitable vulnerability.
Group 123 target South Korean Naver users with new RAT variant
Distribution of a new remote access trojan (RAT) variant, NavRAT, has been attributed to the North Korean threat group known as Group 123. The group sent South Korean users phishing emails that referenced the upcoming United States–North Korea summit and contained a Hangul Word Processor document featuring malicious macros. Group 123 used the Naver email platform to communicate with its infrastructure and exfiltrate data. Although abusing such legitimate email platforms for this purpose is not a new tactic, this is the first observed campaign to use the popular Naver platform.
RIG exploit kit incorporates new remote code execution flaw
The RIG exploit kit has recently incorporated CVE-2018-8174, a vulnerability affecting VBScript. The vulnerability was originally identified as a “zero day” exploit named Double Kill, with exploitation in the wild attributed to the espionage threat group Dark Hotel. RIG’s quick incorporation of this vulnerability exemplifies threat actors’ rapid uptake of exploits enabling remote code execution, favored due to their increased ability to compromise networks and devices. The exploitation was likely enabled by the recent release of proof-of-concept code for the flaw on GitHub. A patch has been released to address this vulnerability.
North Korean threat group ceases attacks on United States energy sector
Covellite, an alleged North Korean threat group that has been linked to the targeting of entities in the energy sector, has reportedly ceased attacks against United States–based targets. While the reason for this was unconfirmed, the timing coincides with the United States and North Korean governments’ efforts to improve geopolitical relations. Covellite is a credible threat to the energy sector: it has continued to attack entities in other regions, including Europe and East Asia, and more attacks are considered likely in the short- to mid-term future (next six months).
Security debt resources: