ShadowTalk Update – 07.09.2018
July 9, 2018
In this week’s ShadowTalk, Richard Gold and Simon Hall join Rafael Amado to discuss SSL (Secure Sockets Layer) interception, a technique used to inspect HTTPS (Hyper Text Transfer Protocol Secure) traffic sent between a client and a webserver.
On 30 June, an important Payment Card Industry deadline passed that requires all websites that accept payment cards to stop supporting TLS 1.0 (Transport Layer Security). With man-in-the-middle attacks and data interception being one of the primary security concerns for TLS 1.0 and older protocols such as SSL, the pod looks into how organizations are also employing interception techniques for their own security and monitoring purposes. We’ll look into how SSL interception is done, the different reasons for deploying it, and the overall trade-offs for organizations looking to implement these methods.
Listen on Soundcloud:
Typeform breach signifies rising threat to data-collection companies
Data-collection and -analysis company Typeform stated that an unknown cyber-threat actor breached the company’s partial backup data, relating to client names, email addresses, employers and salaries, among other details. The breach affected a wide variety of companies and information. Personally Identifiable Information (PII) is an increasingly valuable and monetizable commodity for threat actors, who can sell it on criminal marketplaces; use it to commit fraud, such as financial theft or identity theft; or extort the company that held it. With the growing amount of data placed online by individuals, and held online by companies, data collection and aggregation companies are increasingly being targeted. In addition, new requirements set out in the EU’s General Data Protection Regulations (GDPR) mean there will simply be more breaches publicly reported.
Hamas aims malicious apps at Israel’s military forces
A new cyber campaign targeting members of the Israeli Defense Forces has been attributed to the Palestinian Sunni-Islamist organization Hamas. The attackers exploited users’ trust in the Google Play store to upload fraudulent apps. The apps either referred to the 2018 FIFA World Cup or impersonated dating and fitness apps. Once downloaded, the apps collected sensitive information stored on the devices. Hamas conducted similar attacks against the IDF in January 2017.
Database of 340 million records left exposed by Exactis
Data-marketing and -aggregation firm Exactis left exposed a database of 340 million records containing PII of 230 million United States citizens and 110 million businesses. It is not known whether malicious actors were able to gain access to this database. Such data is likely to be valuable to threat actors for targeting spearphishing and spam campaigns, as well as in general attacks, such as brute-force cracking account security questions.
RIG exploit kit uses PROPagate to deliver cryptocurrency miner
The “RIG” exploit kit has been observed using a rare injection technique called PROPagate, which abuses a Windows operating function, to deliver a variant of Monero cryptocurrency mining malware. Because PROPagate is considered a form of evasion technique, rather than a security flaw, it will probably continue to be used for malware delivery, as it is unlikely to be patched. Exploit kits are widely used to distribute variants of cryptocurrency mining malware, and this trend will likely continue for the medium- to long-term future (for three months or at least a year).