ShadowTalk Update – 07.02.2018
July 2, 2018
In this week’s ShadowTalk, following news that a database containing 340 million records has been publicly exposed to the internet, Richard Gold and Simon Hall join Michael Marriott to discuss how (and why) you can reduce your attack surface.
Necurs botnet updates delivery payloads and evasion techniques
The Necurs botnet has received multiple updates, both to the payload delivery mechanism used in its spam campaigns and to the evasion techniques designed to circumvent mitigation solutions. According to analysis by TrendMicro, the botnet delivered the FlawedAMMYY backdoor trojan by exploiting Microsoft’s Dynamic Data Exchange (DDE) protocol. Security researchers at Cyber Security Strategists detected Necurs delivering the Ursnif banking trojan to companies in Italy, in a first for Ursnif. Ongoing Necurs activity and further evolution of its tactics and techniques are expected in the short to medium term.
SamSam ransomware introduces new feature to hinder analysis attempts
A new version of the SamSam ransomware has been observed in which the ransomware’s distributors must now manually enter a password on the command line to execute the payload. This feature is unique to SamSam and appears to have been introduced to prevent security researchers from analyzing the payload’s binary code. Several lucrative attacks have so far been attributed to SamSam, and future attacks are considered highly likely. SamSam has been active since at least December 2015 and was recently responsible for significantly disrupting operations at Colorado’s Department of Transportation and services for the government of the City of Atlanta.
United States immigration policy attracts muted hacktivist response
The United States presidential administration’s recent “zero tolerance” immigration policy has attracted a limited hacktivist response, including claims of data leaks and denial of service attacks. However, no evidence supports assertions that targeted websites were taken offline, and the allegedly leaked data appeared to be publicly available rather than obtained through a data breach.
Lazarus group likely responsible for Bithumb cryptocurrency exchange theft
Recent distribution of the Manuscrypt trojan via malicious Hangul Word Processor (HWP) lure documents has been attributed to the Lazarus group. Several similarities between the malware used in the June 2018 cryptocurrency theft from the South Korean exchange Bithumb and the malware used in this latest campaign, combined with references to the Bithumb theft in one Hangul lure document, may indicate the group’s involvement in the Bithumb attack. Lazarus has previously been accused of attacks against cryptocurrency exchanges, so the targeted sector and the tactics used are consistent with its modus operandi. Although attribution has not been confirmed at the time of writing, the evidence from this latest malware campaign adds credibility to the assessment that the Lazarus group was likely responsible for the cryptocurrency theft.