ShadowTalk Update – 06.25.2018
June 25, 2018
In this week’s ShadowTalk, Simon Hall and Richard Gold join Michael Marriott to discuss the merits and perils of attribution, including the number of characteristics and variables required for a strong attribution, instances where attribution has succeeded, and whether organizations should care.
In the spotlight: TG-3390 deemed responsible for watering hole attacks
A national data center in Mongolia was reportedly compromised by the Chinese state-linked threat group TG-3390 (aka Emissary Panda, APT-27, Lucky Mouse) to conduct watering hole attacks. Legitimate websites were compromised to infect their visitors’ machines with the “HyperBro” trojan. The group used an anti-detection launcher and decompressor for obfuscation, developed by penetration testing software company Metasploit.
Olympic Destroyer threat group switches target sectors
The Olympic Destroyer threat group, attributed with attacks in February 2018 on entities associated with the 2018 Winter Olympic Games, has changed its focus. Recent information-gathering attacks were observed against financial institutions in Russia and biological and chemical threat-prevention laboratories in Europe. Reporting did not specify which companies have been targeted to date. The true intentions and motives of the threat group are unknown; information gathering is often conducted as an early stage, so additional attacks attributed to Olympic Destroyer will likely be observed in the short-term future (next three months).
Financial services provider extorted following data breach
South Africa-based financial services provider Liberty Life was subjected to a data breach and extortion attempt by an unidentified threat actor. The company confirmed an individual had requested payment after alerting them to vulnerabilities affecting their systems. Liberty Life subsequently detected unauthorized access to its IT infrastructure, and the theft of sensitive information. This incident highlights a trend of financially motivated threat actors seeking reward for identifying flaws, then exploiting the flaws when payment is not forthcoming. Liberty Life has publicly stated it has no intention of meeting the payment demands.
PoC code released for Adobe Acrobat vulnerability
PoC code for a remote code execution vulnerability affecting Adobe Acrobat, CVE-2018-4990, was published to GitHub on 18 Jun 2018. The flaw was first reported as having been exploited in the wild in March 2018, alongside a Microsoft Windows privilege escalation vulnerability (CVE-2018-8120). If exploited together, the vulnerabilities allow an attacker to gain an initial foothold and bypass sandbox protection mechanisms. The publication of the PoC code is highly likely to encourage its adoption by threat actors with varying motives for other attacks in the immediate future (next few days or weeks).