ShadowTalk Update – 10.22.2018
October 22, 2018
In this week’s ShadowTalk, following on from last week’s conversation on how managed service providers can increase your attack surface, Simon Hall and Richard Gold join Rafael Amado to discuss supply chain risks. With so much to cover, the team break this topic down into hardware, software and third-party service risks, including examples such as the MeDoc-NotPetya campaign and the recent SuperMicro hardware allegations. We provide good practices for those looking to improve their risk management processes.
Exposure of fitness database illuminates risk to all sectors
In early October 2018 security researchers identified an exposed database belonging to the fitness performance tracking company FitMetrix, left vulnerable to malicious threat actors. The database contained 113–122 million records (119GB of data), including names, email addresses and birthdates. A ransom note was found in the database, likely indicating an unsuccessful ransomware attempt, given that the data was left intact. Threat actors have automated tools that can search for and access vulnerable Internet-facing databases in all sectors, and those of many third-party suppliers. Stolen data can be used for extortion or sold on criminal marketplaces and forums, presenting financial and reputational risks to victim organizations.
New CartThief malware attacks similar to those of Magecart
Security researchers have identified the new “CartThief” malware, which has similarities with the tools of notoriousthreat group“Magecart”and has, similarly, targeted payment pages of Magento-hosted retail websites. CartThief has been deemed more sophisticated, having two main features that increase its covert capabilities:It can encode collected data on its command-and-control (C2) server and it deliberately excludes user-identifying cookies. Given the reportedly smaller target list than seen with Magecart attacks, there is a realistic possibility that the observed CartThief attacks were part of a malware testing phase.
Ryuk ransomware targets North Carolina utility provider
The Onslow Water and Sewer Authority (ONWASA), a water utility company in the United States county of Onslow, North Carolina, announced it was severely affected by a ransomware attack on 13 Oct 2018. Starting nine days prior, ONWASA experienced attacks from the “Emotet”malware, which subsequently installed the “Ryuk”ransomware. The ransomware spread across different systems of the organization, encrypting files and disrupting services. Customer information was reportedly not affected, but several critical operations, such as service orders and account creation, were reduced to manual processes. Although technical details were not provided, it is likely that malicious emails were used as an initial infection vector. Ryuk has previously been linked to the “Lazarus Group”, although it is not known whether that threat group was involved in this attack.
Data breach of Pentagon’s commercial vendor potentially affected 30,000 individuals
On 13 Oct 2018 it was reported that an unnamed commercial vendor of the Pentagon, the headquarters of the United States Department of Defense, experienced a data breach by an unknown threat actor. The breach could have affected up to 30,000 individuals, compromising potentially sensitive information and credit card data of government workers and civilians. The defense department has since confirmed it has taken steps to have the vendor “cease performance under its contracts.” No classified data was reportedly exposed, and affected individuals have been informed and offered fraud protection services. Government and defense organizations are likely to continue to attract financially motivated and espionage-motivated threat actors.
To stay up to date with the latest digital risk and threat intelligence news, subscribe to our threat intelligence emails here.