ShadowTalk Update – 1.21.19
January 19, 2019
This week, Alex Guirakhoo and Philip Doherty join Harrison Van Riper to discuss two recent, unrelated, financially motivated cyber attack campaigns that used culturally specific social engineering lures. The team also looks at three new phishing campaigns attributed to the threat group TA505 and decides which single cyber threat they would, in a perfect world, choose to eliminate for good. Download the full intelligence summary report here.
Highlights from the week include: three new phishing campaigns from November and December 2018 have been attributed to the threat group “TA505”; a wave of Domain Name System (DNS) hijacking attacks targeting North America, Africa, the Middle East and Europe has been linked to Iran; and the city of Del Rio, Texas reported a ransomware attack that disrupted automated systems, forcing employees to fall back on manual processes.
Cultural cues in phishing messages lure users to aid attacks
Two recent, unrelated cyber attacks against two companies exploited culturally specific social engineering lures to facilitate large-scale thefts. In both campaigns the attackers showed substantial knowledge of their targets and significant cultural awareness. The perpetrators used this information when they contacted employees of the target companies by phone and email, establishing trusted relationships by posing as legitimate entities.
TA505 blamed for spreading new backdoor malware
Three new phishing campaigns conducted during November and December 2018 against entities in the financial services and retail sectors have been attributed to the threat group TA505. The attackers distributed two malware families: the newly created “ServHelper” backdoor and the “FlawedGrace” remote-access trojan. The three campaigns used different delivery tactics: malicious, macro-enabled Microsoft Office documents, direct links to the payload, and malicious PDF attachments. These attacks are consistent with previously reported activity attributed to TA505. Although the target geographies for the recent campaigns were not specified, the group has historically targeted organizations throughout Europe. Given TA505’s persistence and demonstrated intent, additional campaigns are likely within the next six months.
Iran linked to two-year DNS hijacking campaign
Security researchers have identified a series of DNS hijacking attacks over a two-year period that targeted a variety of government, telecommunications and Internet service provider domains. The attacks hit organizations across multiple regions, including the Middle East, North Africa, Europe and North America. The campaign, which is likely politically motivated, has been linked to Iran, although no specific perpetrator has been named. Given the scale of the campaign and the use of three different attack methods, it is possible that multiple threat actors were involved.
Del Rio city government disables Internet after ransomware attack
The city government of Del Rio, Texas reported that it had been affected by a ransomware attack on 10 January 2019. To contain the damage, the city’s Management Information Services unit disabled Internet connections for all other city departments and prohibited employees from logging in to any systems. Staff fell back on manual processes where automation would normally be used. Whether the attack compromised any resident or employee data is not yet known. An influx of ransomware attacks targeting the infrastructure of small to medium-sized local governments has been observed in recent months. Smaller entities may be perceived as less secure and more vulnerable, making them potentially more attractive targets than larger ones. It is possible that similar attacks will be conducted throughout the next six months.
For more details, read the full Weekly Intelligence Summary here.
To stay up to date with the latest in digital risk protection, subscribe to our threat intelligence emails here.