ShadowTalk Update – 10.08.2018
October 8, 2018
In this week’s Shadow Talk, Rafael Amado joins Michael Marriott to discuss Digital Shadows’ latest research on Business Email Compromise, Pst! Cybercriminals on the Outlook for Your Emails. We discuss how criminals are outsourcing this work, and how the exposure of 33,000 finance department credentials makes account takeover easier for attackers. However, even without taking over accounts, criminals can get their hands on sensitive financial information. We dig into the 12.5 million email archives exposed through misconfigured online file stores, including invoices, purchase orders, and payments. Finally, we provide advice for mitigating these risks.
APT-28 proves hypothetical threat with UEFI rootkit
The first observed use of a UEFI rootkit has been attributed to the APT-28 (aka Fancy Bear, Sofacy, Sednit, Strontium) threat group. Previously, UEFI rootkits were known only as hypothetical proofs of concept, with no evidence of successful deployment in the wild. APT-28 used a trojanized version of the legitimate LoJack anti-theft software to embed the rootkit in a machine’s UEFI firmware, giving it persistence that survives operating system reinstallation and serving as a backdoor to deliver additional malicious payloads. The campaign reportedly targeted government organizations in the Balkans, as well as Central and Eastern Europe. Security researchers at ESET have dubbed the malware LoJax.
Facebook access tokens harvested by unknown attackers
On 25 Sep 2018 social media company Facebook detected a vulnerability in one of its site’s features that potentially allowed attackers to take over accounts. Unidentified attacker(s) reportedly exploited the vulnerability in the site’s platform to harvest user access tokens for approximately 50 million Facebook accounts. These tokens contain the security credentials for a login session and identify the user. It is not known whether the attackers used the tokens to gain control of individual accounts. The vulnerability has since been patched, and the tokens for 90 million users have been reset. Facebook is conducting investigations, and more information is likely to become available in the immediate future.
Second port falls prey to cyber attack
A ransomware attack has affected the administrative processes of the Port of San Diego in California, United States. An unidentified threat actor delivered an unknown ransomware variant to the port, and the ransom note demanded an undisclosed sum in Bitcoin (a cryptocurrency). This is the second recently reported incident affecting a port authority: on 24 Sep 2018 it was reported that computer servers at Spain’s Port of Barcelona had been targeted, although that attack had no impact on the port’s maritime or land-based services. Ports are lucrative targets for threat actors wishing to obtain sensitive or financial information, or to disrupt daily operations. Given the criticality of maritime operations, attacks against ports will likely continue in the long term.
New APT group theft attribution lets Lazarus Group off the hook
Researchers cited a financially motivated North Korean espionage group, dubbed APT38, as responsible for several high-profile thefts from financial institutions beginning in 2014. The thefts were previously attributed to Lazarus Group; researchers believe APT38 operates closely alongside Lazarus Group but is a distinct entity. The newly identified group is thought to focus solely on financial gain for North Korea.
To stay up to date with the latest digital risk and threat intelligence news, subscribe to our threat intelligence emails here.