ShadowTalk Update – 10.29.2018
October 29, 2018
In this week’s ShadowTalk, Harrison Van Riper and Rafael Amado join Michael Marriott to discuss the latest stories from the week. This week’s podcast has a strong Guy Richie flavor, with a focus on lock, stock and ru smoking barrels. We begin by discussing October’s hot ransomware activity, including the most popular variants, common targets, and mitigation advice. Second, we discuss sliding stock value amid reports of data breaches: we dig into the Cathay Pacific and Facebook breaches. And, finally we discuss the recent attribution of Triton malware to a Russian entity and why it’s TTPs you should care about.
Waves of ransomware attacks strike rural America
Three public-sector entities were targeted by ransomware attacks this week, highlighting an ongoing trend of recent campaigns against small entities in rural areas of the United States. Such ransomware attacks have typically occurred within a short period across small public-safety, medical and local government entities, peaking and ebbing at similar times over the past six months. Education entities have also been targeted. Although very few victims have been confirmed as paying ransom demands, this pattern of attacks will likely continue. In particular, local government entities are increasingly vulnerable, almost certainly because cyber threat actors regard their systems as exploitable.
Vietnamese espionage group perfects obfuscation tactics
Suspected Vietnamese cyber espionage threat group OceanLotus (aka APT32) has been observed using updated tactics to increase obfuscation during attacks, including custom RATs, PowerShell commands and the Cobalt Strike penetration framework. These facilitated the downloading and deployment of malware against as-yet-unidentified targets. Historically the group has conducted attacks against organizations in China, the Philippines, Cambodia and Laos, as well as other countries of political interest to Vietnam. OceanLotus was particularly active in the final quarter of 2017, but will likely continue conducting attacks in the next three to six months.
SEO poisoning lures Web users who search for US mid-term elections
Security researchers have discovered a search-engine optimization (SEO) poisoning campaign targeting the United States mid-term elections. SEO poisoning involves threat actors creating fake, malicious webpages that include keywords attractive to Internet search-engine users they want to target; the keywords trick search engines into listing the fake page higher in search results. The malicious pages reportedly led users to domains associated with malware-as-a-service, although the specific service was not identified. SEO poisoning is a frequently used technique by threat actors attempting to use high-profile events (such as the United States elections) to entice unsuspecting users to click on malicious links. This activity will likely continue in the immediate future, as the elections draw closer.
Future Investment Initiative website defaced by anti-Saudi threat actors
The website of the Future Investment Initiative conference, an annual investment forum, was defaced by unknown threat actors on 22 Oct 2018, prior to the start of the event on 24 Oct 2018 in Riyadh, Saudi Arabia. The defacement message contained imagery of Saudi Arabia’s crown prince and claims that the Saudi government is responsible for the recent disappearance and death of Saudi journalist Jamal Khashoggi. There has been an increase in hacktivist activity associated with Khashoggi’s death, and it will likely continue for the immediate future.
To stay up to date with the latest digital risk and threat intelligence news, subscribe to our threat intelligence emails here.