ShadowTalk Update – 1.28.19
January 26, 2019
This week Rose, Jamie, and Alex talk with Harrison about a huge data dump called “Collection #1”, containing over 770 million email addresses and passwords. The team also looks at other stories, including DarkHydrus observed using a new method to communicate with command and control servers, technology and social networking companies continuing to remove accounts associated with influence campaigns, and threat actors observed uninstalling cloud protection services in order to distribute cryptocurrency mining malware.
Highlights from the week include: DarkHydrus were observed using a new method to communicate with command and control servers, technology and social networking companies continue to remove accounts associated with influence campaigns, and threat actors were observed uninstalling cloud protection services in order to distribute cryptocurrency mining malware.
Who says you can’t teach old data new tricks?
On 17 Jan 2019, various sources, including the data breach aggregation site “Have I Been Pwned” (HIBP), reported on the existence of a data dump titled “Collection #1”. The data set reportedly contained over 770 million email addresses and passwords, and was being openly advertised for sale on an online hacking forum for USD 45. Although the size of the breach has drawn significant media and news coverage, the information itself appears to be relatively old (at least two to three years), and initial analysis indicates it is a collation of older breaches merged together to create one larger dump. This diminishes the value of the information for credential stuffing or account takeovers, but it will almost certainly be abused for social engineering and spam campaigns.
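The "collation of older breaches" judgement above comes from triage of the dump itself: how many records are duplicates, and how many were already on file. The script below is an added example, not Digital Shadows' own tooling; the dump lines and the index of previously seen credentials are constructed, and the index stores only SHA-1 hashes of the normalised email:password pair so no raw secrets are retained.

```python
"""Triage a credential dump: how much of it is already-known material?"""
import hashlib

# Constructed sample of a dump in the common email:password layout.
# Note the case-variant duplicate, the exact duplicate and the junk line.
NEW_DUMP = """\
alice@example.com:Winter2016!
ALICE@example.com:Winter2016!
bob@example.org:hunter2
carol@example.net:correcthorse
not-a-record
dave@example.com:letmein
bob@example.org:hunter2
"""

# Constructed index of credentials seen in earlier breaches, kept only as
# hashes of the normalised "email:password" string (placeholder data).
KNOWN_HASHES = {
    hashlib.sha1(b"alice@example.com:Winter2016!").hexdigest(),
    hashlib.sha1(b"bob@example.org:hunter2").hexdigest(),
}

def normalise(line):
    """Return (email, password) with the email lower-cased, or None if malformed."""
    email, sep, password = line.rstrip("\r\n").partition(":")
    if not sep or "@" not in email:
        return None
    return email.strip().lower(), password

def pair_hash(email, password):
    return hashlib.sha1(f"{email}:{password}".encode()).hexdigest()

def triage(dump_text, known_hashes):
    """Count unique, duplicate, malformed, previously known and novel records."""
    counts = {"unique": 0, "duplicate_in_dump": 0, "malformed": 0,
              "previously_known": 0, "novel": 0}
    seen = set()
    for line in dump_text.splitlines():
        rec = normalise(line)
        if rec is None:
            counts["malformed"] += 1
            continue
        h = pair_hash(*rec)
        if h in seen:                      # same pair already counted
            counts["duplicate_in_dump"] += 1
            continue
        seen.add(h)
        counts["unique"] += 1
        counts["previously_known" if h in known_hashes else "novel"] += 1
    counts["novel_ratio"] = counts["novel"] / counts["unique"] if counts["unique"] else 0.0
    return counts

if __name__ == "__main__":
    print(triage(NEW_DUMP, KNOWN_HASHES))
```

A low novel_ratio across a large sample is the signal that a headline-grabbing dump is mostly recycled material, which is what drives the reduced credential-stuffing risk noted above.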
APT group utilizes Google Drive API as a backup command and control channel
A new campaign targeting government organizations in the Middle East and dubbed “Lazy Meerkat” was identified and attributed to the DarkHydrus threat group. The campaign used a variant of the RogueRobin trojan, likely to conduct credential-harvesting. The campaign also used Google Drive as a backup communication system to send system information and receive commands from the command and control (C2) server. Although DNS tunneling remained the primary C2 channel, the use of Google Drive could indicate the group were testing its effectiveness for future campaigns.
Technology companies continue efforts to counter foreign influence campaigns
The social media platforms “Facebook” and “Instagram” recently removed over 500 pages, profiles and groups from their sites which had allegedly been involved in two public influence campaigns. The first campaign targeted Asian and Eastern European online users, promoting articles with anti-NATO sentiment. The second targeted users in Ukraine, promoting various biased articles and blogs on civil affairs, politics and healthcare.
New tactic identified in attacks targeting cloud protection products
The “Rocke” threat group have been observed uninstalling cloud security protection products in order to distribute cryptocurrency mining malware. This tactic has not previously been observed; threat actors more often “kill” or modify a product rather than completely uninstalling it. Uninstalling is considered a more effective method of negating the product’s monitoring and detection capability, and is a technique likely to be adopted by other threat actors and malware distributors in future campaigns.