ShadowTalk Update – 10.29.2018

Digital Shadows Analyst Team
October 29, 2018 | 3 Min Read

In this week’s ShadowTalk, Harrison Van Riper and Rafael Amado join Michael Marriott to discuss the latest stories from the week. This week’s podcast has a strong Guy Ritchie flavor, with a focus on lock, stock and two smoking barrels. We begin by discussing October’s hot ransomware activity, including the most popular variants, common targets, and mitigation advice. Second, we discuss sliding stock value amid reports of data breaches: we dig into the Cathay Pacific and Facebook breaches. And finally, we discuss the recent attribution of Triton malware to a Russian entity and why its TTPs should matter to you.
Waves of ransomware attacks strike rural America

Three public-sector entities were targeted by ransomware attacks this week, highlighting an ongoing trend of campaigns against small entities in rural areas of the United States. These attacks have typically occurred in clusters within short periods, hitting small public-safety, medical and local government entities, with activity peaking and ebbing at similar times over the past six months. Education entities have also been targeted. Although very few victims have been confirmed as paying ransom demands, this pattern of attacks will likely continue. Local government entities in particular are increasingly exposed, almost certainly because threat actors regard their systems as easy to compromise.

Vietnamese espionage group perfects obfuscation tactics

Suspected Vietnamese cyber espionage threat group OceanLotus (aka APT32) has been observed using updated tactics to increase obfuscation during attacks, including custom RATs, PowerShell commands and the Cobalt Strike penetration-testing framework. These facilitated the download and deployment of malware against as-yet-unidentified targets. Historically the group has conducted attacks against organizations in China, the Philippines, Cambodia and Laos, as well as other countries of political interest to Vietnam. OceanLotus was particularly active in the final quarter of 2017 and will likely continue conducting attacks over the next three to six months.

SEO poisoning lures Web users who search for US mid-term elections

Security researchers have discovered a search-engine optimization (SEO) poisoning campaign targeting the United States mid-term elections. SEO poisoning involves threat actors creating fake, malicious webpages stuffed with keywords attractive to the search-engine users they want to target; the keywords trick search engines into ranking the fake page higher in search results. The malicious pages reportedly led users to domains associated with a malware-as-a-service offering, although the specific service was not identified. SEO poisoning is a technique frequently used by threat actors attempting to exploit high-profile events (such as the United States elections) to entice unsuspecting users into clicking malicious links. This activity will likely continue in the immediate future as the elections draw closer.

Future Investment Initiative website defaced by anti-Saudi threat actors

The website of the Future Investment Initiative conference, an annual investment forum, was defaced by unknown threat actors on 22 Oct 2018, prior to the start of the event on 24 Oct 2018 in Riyadh, Saudi Arabia. The defacement message contained imagery of Saudi Arabia’s crown prince and claims that the Saudi government was responsible for the recent disappearance and death of Saudi journalist Jamal Khashoggi. There has been an increase in hacktivist activity associated with Khashoggi’s death, and it will likely continue for the immediate future.
