ShadowTalk Update – 07.30.2018
July 30, 2018
Richard Gold and Rose Bernard join Michael Marriott to talk about updates to the Satori botnet, which has expanded to incorporate new IoT devices using TCP port 5555. Amid news of a new wave of OilRig attacks, a Middle Eastern espionage campaign, we dive into PowerShell security risks and provide advice on best practices for those using PowerShell. For more information on PowerShell security best practices, check out our blog https://www.digitalshadows.com/blog-and-research/powershell-security-best-practices/. Finally, we assess the Dragonfly campaign against U.S. power grids and what it all means.
Dragonfly attributed to further attacks targeting energy sector in Europe and North America
The United States Department of Homeland Security has only recently released details of a 2017 campaign that targeted undisclosed United States energy companies. The campaign was orchestrated by suspected Russian nation-state threat group “Crouching Yeti” (aka Dragonfly). The group’s members allegedly conducted spearphishing and watering hole attacks to steal credentials from third-party suppliers, enabling access to United States utility networks. The details may have been released to strengthen the political credibility of United States intelligence services in the eyes of the public and the media; the release occurred during a period of conflict between the intelligence services and the presidential administration about the severity of the Russian cyber threat.
APT-28 parallels attacks on 2016 Presidential elections with attacks on US midterms
Microsoft reported that Russian nation-state linked threat group “APT-28” (aka Fancy Bear) has targeted the United States 2018 mid-term political elections through a phishing campaign against certain undisclosed candidates. The phishing emails were similar to those sent in previous APT-28 campaigns against the Democratic National Committee (DNC) in 2016 prior to the presidential election: both used fake Microsoft domains as command-and-control sites.
LabCorp hit by SamSam ransomware infection
LabCorp, one of the largest clinical laboratories in the United States, was subjected to a “SamSam” ransomware attack. Attackers reportedly accessed the laboratory’s network via brute-force password-cracking attempts against Remote Desktop Protocol (RDP) ports exposed to the Internet. The attack infected approximately 7,000 systems and 1,900 servers, but remediation efforts were implemented quickly; no data was reportedly stolen or misused during the incident. SamSam has a lucrative history of use against healthcare entities, as well as government systems in the United States city of Atlanta and the state of Colorado’s Department of Transportation.
Attackers steal 1.5 million patient records from Singapore healthcare group
Singapore’s Ministry of Health released a statement detailing the theft of 1.5 million patient records from a healthcare group in that country. Attackers used privileged credentials to access a database, although the original infection vector remains unknown. Attacks on healthcare providers are increasing, as financially motivated threat actors seek information that is easily monetized on the dark web; patient details can be resold and used for other fraudulent activities, or to tailor spearphishing campaigns.