ShadowTalk Update – 09.24.2018
September 24, 2018
In ShadowTalk this week, Richard Gold, Simon Hall and Rafael Amado focus on the trade-offs between security and usability, and on the practice of layering security controls, which can leave us less secure rather than more. The team look at measures such as regular forced expiry of complex passwords, which create headaches for organizations and end users alike. They also discuss why making security usable is hard, whether some of the measures and devices we deploy in the name of security are actually damaging it, and which alternative, more effective system defences can bridge the gap between security and usability.
Ransomware in the limelight
Ransomware has taken center stage among cyber threats, with five campaigns active in the past week and notorious, large-scale campaigns throughout 2016 and 2017. Ransomware remains one of the most popular tools traded on criminal forums, and new variants emerge frequently, giving a wide range of threat actors a diverse palette of strains to choose from. The tactics, techniques and procedures (TTPs) of these campaigns are generally similar, but as awareness spreads and defensive measures become more robust, ransomware developers are likely to seek novel capabilities, focusing on evasion and anti-analysis.
APT10 hits Japanese media sector with backdoor
In July 2018 the Chinese nation-state group APT10 was observed targeting the Japanese media sector. The campaign used spearphishing emails that installed the “UPPERCUT” backdoor malware. Given previous APT10 campaigns, the motive was likely espionage or data exfiltration. The campaign used a new version of UPPERCUT that had been updated to use Blowfish encryption for its command-and-control traffic, obscuring the group’s presence on the network. This indicates that APT10 actively maintains and updates its malware.
New multi-function malware targets Linux and Windows devices
Cyber-security researchers discovered a new malware variant, Xbash, which has botnet, cryptocurrency-mining and data-wiping capabilities and targets both Linux and Windows devices. The variants analyzed indicate that Xbash is still in development: they include an inactive component that would allow worm-like self-propagation. Xbash has been attributed to the “Iron” threat group, which has previously conducted ransomware attacks. The malware’s development could indicate that Iron is expanding or strengthening its capabilities.
Stolen research from British universities for sale on criminal forums
On Farsi-language criminal marketplaces, cyber-security researchers detected research content from British universities being advertised for sale. The content likely comes from an earlier breach by Cobalt Dickens, an Iranian nation-state-associated group that has been linked to attacks on the education sector globally. The sellers said they could fulfil specific requests, suggesting either that they still have access to university networks or that they are confident they can conduct further attacks. More attacks against the education sector are likely in the long term (beyond one year).
To stay up to date with the latest Digital Shadows threat intelligence and news, subscribe to our threat intelligence emails here.