ShadowTalk Update – 17.10.2018
December 17, 2018
Following from our recent research, Tackling Phishing: The Most Popular Phishing Techniques and What You Can Do About It, the team discuss the phishing techniques favoured by all types of attackers, whether sophisticated criminal, nation state or low-level hacker. By looking at details revealed in law enforcement indictments, as well as the tips and tools being shared by actors on cybercriminal forums and messaging applications, the team discuss how organizations can prioritize the right controls and training policies to best protect themselves in the coming year.
Sextortion campaign shows attackers’ zeal for new tactics
A recent sextortion cyber campaign has been observed using new tactics to increase effectiveness. In a typical sextortion-themed email, attackers included a malicious URL that purportedly linked to a PowerPoint file with compromising images of the recipient. Instead, the link directed victims to a downloader that installed the “GandCrab” ransomware, prompting victims to pay in order to decrypt their files. Threat actors will likely continue to conduct similar campaigns within the next six months. They can further adapt techniques to install other malware, such as remote-access trojans, banking trojans or spyware, depending on an attacker’s objective. Using multi-pronged techniques can increase the potential payout of already-lucrative campaigns.
Phishing campaign exploits Adobe Flash zero-day vulnerability
An ongoing phishing campaign dubbed Operation Poison Needles has targeted a Russian healthcare facility attended by high-ranking members of the Russian Federation. The zero-day vulnerability, identified as CVE-2018-15982, exists in Adobe Flash and enables attackers to execute malicious code on a victim’s computer. To avoid detection, the attackers signed the malicious payload with a legitimate, but now revoked, security certificate. Attribution for the campaign is unconfirmed; zero-day vulnerabilities are usually associated with advanced persistent threat groups that have the technical sophistication to exploit such flaws.
Malicious botnet attacking WordPress websites
A botnet composed of infected WordPress websites has recently been used to attack other sites on the content publishing platform. The botnet campaign takes advantage of the “multicall” functionality of WordPress’s XML-RPC interface to gain access to privileged accounts and attack other vulnerable WordPress websites. A patch has been released to address this threat, and developers have blocked over five million malicious authentication attempts associated with this campaign. However, malicious actors are likely to target this flaw to exfiltrate data from vulnerable websites in the immediate future (next few days or weeks).
DanaBot adopts spam-sending capabilities
To stay up to date with the latest in digital risk protection, subscribe to our threat intelligence emails here.