ShadowTalk Update – 08.13.2018
August 13, 2018
In this week’s ShadowTalk it’s all things phishing. Rose Bernard and Simon Hall join Rafael Amado to discuss the recent arrest of three alleged members of the FIN7 organized criminal group. The team look over the United States Department of Justice’s indictment, focusing on how FIN7 use social engineering and sophisticated phishing to great effect, before talking more generally about the threats of business email compromise and malspam.
New tweets weaken credibility of extortionists thedarkoverlord
The thedarkoverlord (TDO) threat group claimed to have exfiltrated sensitive data from five more companies since its last claim in April 2018. Although the extortionists continue to focus on the healthcare sector, the additional claims include attacks on a tax company and a high-profile United States law firm. TDO’s credibility as a threat group has been based largely upon previous leaks that were confirmed as genuine; however, the group has enacted only three data leaks since September 2017, and the leaked data is currently unavailable, preventing independent verification. Therefore, TDO’s threat profile has changed since 2017 and, although its members will likely continue tweeting claims of data exfiltration in the next two to four weeks, their claims may not be legitimate.
MikroTik routers infected in cryptomining attacks
Security researchers identified a cryptomining campaign exploiting vulnerable MikroTik network routers in Brazil. Initially, the infected routers injected the Coinhive cryptominer script into the code of all Web pages visited through the router. After researchers identified this tactic, the campaign injected the script only into the code of error pages. One Coinhive key was used, indicating that one threat actor was responsible. Companies using MikroTik devices should prioritize patching to mitigate the campaign.
Semiconductor maker hit by WannaCry ransomware, shuts down systems
The chip manufacturer Taiwan Semiconductor Manufacturing Company (TSMC) was forced to shut down some of its systems due to malware, which was later confirmed to be WannaCry ransomware. TSMC stated that the infection was not the result of a direct attack. Allegedly, the malware was transferred to the system via a download during a routine software update from a presumably compromised third-party supplier. No technical indicators were provided to independently confirm whether this was the variant of WannaCry responsible for global infections in May 2017; regardless, the incident demonstrates the importance of running all software downloads through anti-virus solutions before introducing them to a system, even those from trusted suppliers.
US healthcare provider victim of business email compromise
The United States healthcare provider UnityPoint Health reported that it had been the victim of a phishing attack that allowed access to internal networks between March 14 and April 3, 2018. Despite the company’s claim that attackers had sought access to vendor-payment or payroll systems, the personally identifiable information of approximately 1.4 million patients was compromised in the attack.