ShadowTalk Update – 12.03.2018
December 3, 2018
Michael Marriott, Dr Richard Gold and Simon Hall discuss our recent findings on threat actors using cracked versions of Cobalt Strike to conduct their attacks in this week’s ShadowTalk. Cobalt Strike is a powerful platform for performing offensive cyber operations, containing a wide variety of tools for conducting spear phishing and web drive-by attacks to gain initial access. While it’s used widely by security teams – including in Digital Shadows’ own internal Purple Team assessments – we’ve seen it being used for illegitimate purposes by threat actors as well. Listen to this week’s episode to find out how defenders can use this knowledge to inform their defense.
Open-source tools exploited in supply chain attacks
The United States-based cryptocurrency wallet “Copay” was recently subject to a highly targeted supply chain attack. An attacker initially used social engineering techniques to gain developer access to “event-stream,” an open-source code library that is widely used by organizations across the globe. By targeting the specific subset of Copay developers relying upon event-stream, the attacker injected malicious code that sought to intercept and steal data from Copay users when pushed to consumers. Although the specific amount of data stolen remains unreported, this attack exemplifies a possible trend of attackers targeting not only third-party suppliers but also open-source code repositories, on which many organizations rely.
New corporate cyber espionage campaigns attributed to APT10
The Chinese-state-associated threat group APT10 has reportedly intensified its targeting of Australian businesses for the purpose of corporate espionage. This activity likely indicates a broader trend of increased Chinese cyber espionage efforts worldwide; the United States recently accused China of conducting espionage operations. Such activity is likely to provoke a reaction from Western governments, which could include public attribution claims and indictments against Chinese nationals allegedly involved.
Mirai shifts focus from IOT devices to Linux servers
The Mirai botnet has targeted non–Internet-of-Things (IoT) devices, with attackers compromising Linux servers by abusing a recently disclosed Hadoop YARN vulnerability. This represents a shift in Mirai’s capabilities and an increase in its threat level. Such Linux servers can be valuable targets for attackers, particularly when used in datacenters with access to large amounts of data and bandwidth. The distribution and infection techniques are consistent with previous Mirai campaigns. Other botnet malware have similarly shifted focus away from IoT devices; this trend is likely to continue.
New variant of Pterodo backdoor indicates renewed Russian cyber campaign
The Ukrainian Computer Emergency Response Team (CERT) has released information on a new version of Pterodo, a custom backdoor malware developed by the Russian state and associated with the Gamaredon threat group. The backdoor has been updated to target systems localized to former Soviet Union countries and to generate unique command-and-control URLs for each infected device, allowing threat actors to determine which tools to use on a case-by-case basis. Given current heightened tensions between Russia and Ukraine following the Russian seizure of Ukrainian warships, it is realistically possible that the new variant of Pterodo could indicate an impending Russian cyber campaign.
To stay up to date with the latest digital risk and threat intelligence news, subscribe to our threat intelligence emails here.