ShadowTalk Update – 1.28.19

Digital Shadows Analyst Team
January 26, 2019 | 3 Min Read

This week Rose, Jamie, and Alex talk with Harrison on a huge data dump called “Collection #1”, containing over 770 million email addresses and passwords. The team also looks at other stories including DarkHydrus observed using a new method to communicate with command and control servers, technology and social networking companies continuing to remove accounts associated with influence campaigns, and threat actors observed uninstalling cloud protection services in order to distribute cryptocurrency mining malware. Read the full intelligence summary here.

Highlights from the week include: DarkHydrus were observed using a new method to communicate with command and control servers, technology and social networking companies continue to remove accounts associated with influence campaigns, and threat actors were observed uninstalling cloud protection services in order to distribute cryptocurrency mining malware.

Who says you can’t teach old data new tricks?

On 17 Jan 2019, various sources, including the data breach aggregation site “Have I Been Pwned” (HIBP), reported on the existence of a data dump titled “Collection #1”. The data set reportedly contained over 770 million email addresses and passwords, and was being openly advertised for sale on an online hacking forum for USD 45. Although the size of the breach has drawn significant media and news coverage, the information itself appears to be relatively old (at least two to three years), and initial analysis indicates it is a collation of older breaches merged together to create one larger dump. This diminishes the value of the information for credential stuffing or account takeovers, but it will almost certainly be abused for social engineering and spam campaigns.
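The practical question for defenders after a dump like this is whether any of their users' current passwords appear in it, without shipping those passwords (or even their full hashes) to a third party. The k-anonymity range lookup that HIBP's Pwned Passwords service popularised does this: the client sends only the first five hex characters of the SHA-1 hash and matches the returned suffixes locally. The following is an added example, not code from Digital Shadows or HIBP; the "range store" is a constructed in-memory stand-in for the HTTP endpoint, and the leaked passwords and counts in it are invented.

```python
import hashlib

# Constructed stand-in for a breach corpus: plaintext -> number of times seen.
# Invented values; only used to build the sample range responses below.
SAMPLE_LEAKED = {"password123": 3731, "letmein": 1207}


def _sha1_upper(password: str) -> str:
    """Uppercase hex SHA-1, the hash form used by range-style lookups."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_store(leaked: dict) -> dict:
    """Index hashes by their 5-char prefix, one 'SUFFIX:COUNT' line each,
    mirroring the response format of a k-anonymity range endpoint."""
    store: dict = {}
    for pw, count in leaked.items():
        h = _sha1_upper(pw)
        store.setdefault(h[:5], []).append(f"{h[5:]}:{count}")
    return store


RANGE_STORE = build_range_store(SAMPLE_LEAKED)


def lookup_range(prefix: str) -> list:
    """Hypothetical replacement for the network call: everything that shares
    the 5-char prefix comes back, so the server never learns which hash
    (if any) the client was interested in."""
    assert len(prefix) == 5, "only a 5-character prefix should leave the client"
    return RANGE_STORE.get(prefix, [])


def breach_count(password: str, fetch=lookup_range) -> int:
    """Return how many times the password appeared in the corpus (0 if never).
    The full hash is compared locally against the returned suffixes."""
    h = _sha1_upper(password)
    prefix, suffix = h[:5], h[5:]
    for line in fetch(prefix):
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return int(count)
    return 0


def acceptable_password(password: str, max_seen: int = 0) -> bool:
    """Policy hook: reject a password seen more than max_seen times."""
    return breach_count(password) <= max_seen


if __name__ == "__main__":
    for pw in ("password123", "letmein", "correct-horse-battery-staple-2019"):
        print(pw, "->", breach_count(pw), "ok" if acceptable_password(pw) else "REJECT")
```

In production `lookup_range` would be the HTTP call; keep the prefix check, because a bug that sends the full hash defeats the point of the scheme. Because Collection #1 is largely old material, a hit here more often means "this password was already weak years ago" than "this account was just compromised", which is the right framing for forced-reset decisions.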

APT group utilizes Google Drive API as a backup command and control channel

A new campaign targeting government organizations in the Middle East, dubbed “Lazy Meerkat”, was identified and attributed to the DarkHydrus threat group. The campaign used a variant of the RogueRobin trojan, likely to conduct credential harvesting. The campaign also used Google Drive as a backup communication channel to send system information and receive commands from the command and control (C2) server. Although DNS tunneling remained the primary C2 channel, the use of Google Drive could indicate the group was testing its effectiveness for future campaigns.
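The primary channel here, DNS tunneling, leaves a recognisable footprint in resolver logs: many distinct, high-entropy leftmost labels under one registered domain, often as TXT queries. The following is an added example of that detection logic, not code from Digital Shadows or from any published DarkHydrus analysis; the query records, hostnames and the `c2-tunnel.test` domain are constructed, and the thresholds are assumptions to tune against your own baseline. The Google Drive backup channel is not visible in DNS this way, since the domains are legitimate; it needs process-level telemetry (which binaries talk to the Drive API) rather than query-name analysis.

```python
import math
from collections import defaultdict

# Constructed resolver log records: (client host, query type, query name).
SAMPLE_QUERIES = [
    ("web01", "A", "www.example.com"),
    ("web01", "A", "cdn.example.com"),
    ("web01", "TXT", "k4q2z7v9m1xr8h3d.c2-tunnel.test"),
    ("web01", "TXT", "p9w3n6b2y5t1l8f4.c2-tunnel.test"),
    ("web01", "TXT", "s2d8g5j1k7m4q0z3.c2-tunnel.test"),
    ("web01", "TXT", "x7c3v9b5n1m8l2k6.c2-tunnel.test"),
    ("db01", "A", "mail.example.com"),
]


def shannon_entropy(s: str) -> float:
    """Bits per character; encoded payload labels score high, words score low."""
    if not s:
        return 0.0
    freq: dict = {}
    for ch in s:
        freq[ch] = freq.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in freq.values())


def registered_domain(qname: str) -> str:
    """Naive 'last two labels' base domain; a real deployment would use the
    public suffix list so that e.g. co.uk domains are grouped correctly."""
    parts = qname.rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else qname


def detect_dns_tunneling(records, min_unique=3, min_entropy=3.0):
    """Group queries per (client, base domain) and flag groups whose leftmost
    labels are both numerous and high-entropy. Returns one finding per group."""
    groups = defaultdict(lambda: {"labels": set(), "entropies": [], "txt": 0, "total": 0})
    for client, qtype, qname in records:
        base = registered_domain(qname)
        label = qname.split(".")[0]
        g = groups[(client, base)]
        g["labels"].add(label)
        g["entropies"].append(shannon_entropy(label))
        g["total"] += 1
        g["txt"] += qtype.upper() == "TXT"

    findings = []
    for (client, base), g in groups.items():
        mean_entropy = sum(g["entropies"]) / len(g["entropies"])
        if len(g["labels"]) >= min_unique and mean_entropy >= min_entropy:
            findings.append({
                "client": client,
                "domain": base,
                "unique_labels": len(g["labels"]),
                "mean_entropy": mean_entropy,
                "txt_ratio": g["txt"] / g["total"],
            })
    return findings


if __name__ == "__main__":
    for f in detect_dns_tunneling(SAMPLE_QUERIES):
        print(f)
```

Content delivery networks and some anti-spam services also generate many distinct, hash-like labels, so the `unique_labels` and entropy thresholds should be set from a baseline of your own resolver traffic, and an allow-list of known high-cardinality domains applied before alerting.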

Technology companies continue efforts to counter foreign influence campaigns

The social media platforms “Facebook” and “Instagram” recently removed over 500 pages, profiles and groups from their sites which had allegedly been involved in two public influence campaigns. The first campaign targeted Asian and Eastern European online users, promoting articles with anti-NATO sentiment. The second targeted users in Ukraine, promoting various biased articles and blogs on civil affairs, politics and healthcare.

New tactic identified in attacks targeting Cloud protection products

The “Rocke” threat group has been observed uninstalling Cloud security protection products in order to distribute cryptocurrency mining malware. This tactic has not previously been observed; threat actors often “kill” or modify a product rather than completely uninstalling it. Uninstalling is considered a more effective method of negating the product’s monitoring and detection capability, and is a technique likely to be adopted by other threat actors and malware distributors in future campaigns.
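The defensive corollary of this item is that a security agent disappearing from a host must itself be an alert, and that package removal deserves a higher severity than a service being stopped, since the agent will not come back on reboot. The following is an added example of that detection over host logs, not code from Digital Shadows or from any vendor's product; the log lines follow the dpkg.log, yum.log and sudo/auth.log layouts but are constructed, and `cloud-sec-agent` and `example-edr` are hypothetical agent names standing in for whatever your environment actually runs.

```python
import re
from dataclasses import dataclass

# Constructed sample lines in dpkg.log, yum.log and auth.log (sudo) style.
# Hostnames, package names and timestamps are invented for this example.
SAMPLE_LOGS = [
    "2019-01-20 09:58:11 status installed nginx:amd64 1.14.0",
    "2019-01-20 10:02:44 remove cloud-sec-agent:amd64 3.2.1 <none>",
    "Jan 20 10:03:01 Erased: cloud-sec-agent-3.2.1-1.x86_64",
    "Jan 20 10:03:30 web01 sudo: root : COMMAND=/bin/systemctl stop cloud-sec-agent",
    "Jan 20 10:04:00 web01 sudo: root : COMMAND=/usr/bin/apt-get install jq",
]

# Hypothetical names of the security agents we expect to stay installed.
AGENT_WATCHLIST = ("cloud-sec-agent", "example-edr")

# dpkg.log: "<date> <time> remove|purge <pkg>:<arch> <ver> <ver>"
DPKG_RE = re.compile(r"^\S+ \S+ (remove|purge) (?P<pkg>[^:\s]+)")
# yum.log: "<mon> <day> <time> Erased: <name>-<version>-<release>.<arch>"
YUM_RE = re.compile(r"Erased: (?P<pkg>[A-Za-z0-9._+-]+?)-\d")
# sudo line: ... COMMAND=<path>systemctl stop|disable <unit>
STOP_RE = re.compile(r"COMMAND=\S*systemctl (?P<verb>stop|disable) (?P<svc>\S+)")


@dataclass(frozen=True)
class Alert:
    severity: str   # "high" for removal, "medium" for stop/disable
    action: str
    target: str
    line: str


def _watched(name: str) -> bool:
    """Match package or unit names against the agent watchlist by prefix,
    so versioned or suffixed names (agent-common, agent-cli) are still caught."""
    return any(name.startswith(w) for w in AGENT_WATCHLIST)


def detect_agent_tampering(lines) -> list:
    """Scan log lines and return an Alert for each removal or stop of a
    watched agent. Removal outranks a stop: a killed service may be
    restarted by its supervisor, an uninstalled one will not."""
    alerts = []
    for line in lines:
        m = DPKG_RE.match(line) or YUM_RE.search(line)
        if m and _watched(m.group("pkg")):
            alerts.append(Alert("high", "uninstall", m.group("pkg"), line))
            continue
        m = STOP_RE.search(line)
        if m and _watched(m.group("svc")):
            alerts.append(Alert("medium", "service-" + m.group("verb"), m.group("svc"), line))
    return alerts


def highest_severity(alerts) -> str:
    """Collapse a batch of alerts to the single severity to page on."""
    order = {"high": 2, "medium": 1}
    return max((a.severity for a in alerts), key=order.get, default="none")


if __name__ == "__main__":
    found = detect_agent_tampering(SAMPLE_LOGS)
    for a in found:
        print(a.severity, a.action, a.target)
    print("page severity:", highest_severity(found))
```

Log-based detection only works if the logs leave the host before the agent does; in practice this rule belongs on a central log pipeline, paired with an inventory check that flags any host whose agent heartbeat stops, since an attacker who uninstalls the agent may also clear local logs.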

For more details, read the full Weekly Intelligence Summary here:

Weekly Intelligence Summary 17 Jan - 24 Jan 2019
