ShadowTalk Update – 11.12.2018
November 12, 2018
In this week’s ShadowTalk, we discuss the big vulnerability and exploit stories of the week. The team discusses the Cisco denial-of-service vulnerability affecting its Adaptive Security Appliance (ASA), as well as a vulnerability in Oracle’s VirtualBox technology posted to GitHub. Dr. Richard Gold, Rafael Amado and Michael debate the benefits and drawbacks of bug bounty programs, how you should consider operational value when assessing vulnerabilities, and the U.S. Cyber Command’s publication of malware samples to VirusTotal.
TrickBot updated with password stealing module
A password grabber module that enables the theft of login credentials from several applications and popular browsers has been added to the TrickBot banking trojan. TrickBot traditionally targets banks by using stolen credentials to facilitate fraudulent transactions; the password grabber will likely be used for these purposes in the next six months.
The addition of the password grabber module exemplifies TrickBot’s continuous evolution: the trojan’s modular structure simplifies the frequent addition of new capabilities and functions, while also facilitating the use of TrickBot in conjunction with other malware, such as the Emotet banking trojan. The diversity of the TrickBot toolkit has enabled its use in campaigns beyond the banking sector. As TrickBot continues to evolve, its targets will highly likely continue to diversify, representing an extremely credible threat to a range of sectors.
Sensitive documents stolen from French third-party supplier
An unknown threat actor reportedly accessed a data server managed by French engineering and consultancy firm Ingérop. The attacker stole around 65GB of sensitive files, including technical plans and documents for nuclear energy plants and high-security prisons. Third-party suppliers, such as Ingérop, are popular targets for threat actors given their potential access to sensitive data from a variety of organizations; they will likely be victims of future data breaches.
Majority of Pakistani banks reportedly affected in recent data breach incident
A recent data breach reportedly impacted almost all Pakistani banks and led to the fraudulent transfer of funds from customers’ accounts. Although investigations are ongoing, the campaign allegedly involved more than 100 separate incidents. It does not appear that the interbank communication system was compromised; the activity more likely involved a large-scale “skimming” campaign that targeted Pakistani bank customers directly. The identity of the threat actor(s) involved is unknown, but the campaign was highly likely conducted for financial gain.