ShadowTalk Update – 06.18.2018
June 18, 2018
In ShadowTalk this week, Dr Richard Gold and Simon Hall join Rafael Amado to discuss misconceptions around vulnerabilities and exploits, other techniques for gaining code execution, and how organizations can prioritize the patching of vulnerabilities.
Banco de Chile attackers used wiper malware to obfuscate theft
Fresh analysis of Banco de Chile’s reported 24 May 2018 cyber attack has shed light on the initial tactic, which disrupted online, in-branch and telephone banking services to obfuscate the theft of approximately USD 10 million. The attackers apparently used destructive malware potentially connected to the “Buhtrap Group”, a cyber threat group active between 2015 and 2016. That group formerly targeted financial institutions to conduct financial fraud. However, the Banco de Chile attack cannot be definitively attributed, as the “Buhtrap” malware was publicly released in February 2016. Multi-stage attacks that use disruptive and destructive malware to obfuscate or distract from financial theft will likely continue, as will the exploitation of interbank communication systems for financial gain.
Sensitive data on U.S. Navy projects exposed
Chinese state-affiliated threat actors reportedly stole 614GB of sensitive data from the United States Navy in January and February 2018 by compromising an unclassified network used by a contractor. The stolen data included information on active United States military projects, signals and sensor data, cryptographic systems and an electronic warfare library for the Navy’s development unit. No technical details are currently available, nor could the breach be definitively attributed; however, the type of data exfiltrated would likely be attractive to nation-state actors, including China-linked groups that have previously conducted operations with objectives similar to this campaign. Contractors’ access to sensitive data will likely continue to present a threat to government and military entities.
UrSnif trojan targets U.S. and Canada
A campaign using tax-related phishing lures to deliver the “UrSnif” banking trojan to bank customers in North America has been identified. Victims were tricked into visiting a URL for more information on supposedly overdue taxes. Visiting this URL prompted the download of a ZIP file containing UrSnif; once executed, the malware checked for the presence of anti-virus products on the victim’s system. The URL was accessible only from IP addresses in the United States and Canada, and analysis of the sample’s injection payload indicated that the malware targeted only customers of North American banks, demonstrating that this was a targeted campaign. UrSnif has been widely used since its source code was released in 2010, and has been aimed at the finance, retail, shipping and manufacturing industries. It will likely continue to be used across a variety of campaigns. Similarly, threat actors are likely to continue to use the North American tax season to mimic legitimate communications.
Dixons Carphone reports customer data breach
On 13 June 2018, United Kingdom electronics retailer Dixons Carphone reported a data breach that compromised 5.9 million of its customers’ payment cards and 1.2 million customer records containing personally identifiable information (PII). Although most of the cards had Chip and PIN protection, approximately 100,000 did not and may be used for financial fraud or sold on criminal forums. Moreover, the exposed customer PII may be used for a variety of malicious purposes, including social engineering and phishing.