ShadowTalk Update – 11.26.2018
November 26, 2018
With Black Friday kicking off the holiday spending season, Harrison Van Riper, Jamie Collier, and Rafael Amado focus on cyber security threats faced by retailers and online shoppers. Despite increased sales for retailers and bargain opportunities for consumers, Black Friday has had the unintended consequence of emboldening and enabling profit-seeking cybercriminals. The team discuss continuing activity by the Magecart group, as well as the ways in which cybercriminals are gearing up for the holidays, based on our investigations of online forums and messaging applications.
Double trouble for Russian banks in new spearphishing attacks
Two sophisticated cybercrime groups have been observed targeting unnamed Russian banks in new spearphishing campaigns. The campaigns have been attributed to the Silence and MoneyTaker threat groups, which have both historically targeted Russian banks to conduct large-scale thefts. While the groups employed similar tactics and techniques, there was no indication they collaborated on these attacks.
Researchers attribute new RAT campaign to TA505 threat group
Security researchers have attributed a new remote-access trojan (RAT) called tRat to the threat actor “TA505.” The RAT has been observed in malicious campaigns targeting commercial banking institutions during September and October 2018. tRat is likely in a testing phase as its full capabilities have not been deployed in the wild to date. The malware can retrieve additional modules designed to target different browsers and platforms, meaning the RAT can be tailored to the attacker’s objectives.
DarkGate malware offers variety of functions for financially-motivated attackers
An unknown threat actor has deployed a new malware variant dubbed DarkGate against Windows-based devices in Europe to conduct financially-motivated attacks. This sophisticated multifunctional malware can steal and mine cryptocurrency, deploy ransomware and facilitate the remote control of infected devices. To date, DarkGate has only targeted online users in Europe but could feasibly be deployed against additional geographies in future.
Active campaign targets Linux-based Drupal systems with DirtyCOW and Drupalgeddon2 exploits
Threat actors are targeting two popular vulnerabilities in Linux-based Drupal systems to secure root access or perform remote code execution on devices. Attackers identified vulnerable systems running outdated versions of Drupal and attempted to exploit Drupalgeddon2 to establish a foothold on the network. If unsuccessful, they next attempted to exploit DirtyCOW to obtain root access privileges. Both vulnerabilities have been patched, but a significant number of devices remain at risk. The Drupal content management system is a lucrative target because of its popularity, with an estimated 2.3% of all websites using this system. Attribution for the attacks was unconfirmed at the time of writing.