ShadowTalk Update – 3.04.19
March 4, 2019
This week Rose and Phil join Harrison to discuss a three-stage cryptocurrency mining attack using Mimikatz and Radmin in tandem. The team also discusses the Cr1ptT0r ransomware, an unknown North Korean threat actor targeting US universities, and MarioNet.
Highlights from the week include: The fifth substantial ransomware report produced in two weeks described how D-Link NAS devices delivered the Cr1ptT0r ransomware; an unknown North Korean threat actor targeted United States national security think tanks and universities in a cyber espionage campaign; and the Service Worker SyncManagement Interface was abused, allowing threat actors to continue in-browser compromises even after the user had navigated away from a malicious domain.
Three-stage cryptocurrency mining attack uses Mimikatz, Radmin
Cyber-security researchers reported on a self-propagating Monero cryptocurrency mining campaign targeting China, Taiwan, Hong Kong, and Italy that has been active throughout January and February 2019. The ongoing campaign incorporates a range of tools—including the Mimikatz and Radmin utilities—in a three-stage attack and targets systems that are vulnerable to the Windows Server Message Block (SMB) vulnerability “MS17-010” over port 445. Established tools built for legitimate purposes and penetration testing utilities are growing ever more popular in malicious attacks. Given that tools’ capabilities are always being developed to aid testers and Red teams, threat actors will highly likely continue to capitalize on these features. This attack highlights the malleability of utilities and how unforeseen combinations of tools may be enough to circumvent security efforts without an attacker being technically sophisticated.
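The self-propagating stage described above has a simple network observable: one internal host fanning out to many distinct peers on TCP/445 in a short window, which is what a worm probing for MS17-010-vulnerable SMB services looks like from a firewall or flow log. The following is an added example of that detection logic, not code from the original post or from the researchers it cites; the log format, field names, sample records and thresholds are all constructed assumptions for illustration.

```python
"""Flag lateral SMB fan-out (a self-propagation indicator) in firewall-style logs.

Added example; the log format and thresholds are assumptions, not a real product's.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real traffic). Assumed format:
# "<ISO timestamp> <src_ip> -> <dst_ip>:<dst_port> <proto> <action>"
# 10.0.5.23 probes six different hosts on 445 within a minute (worm-like).
# 10.0.5.77 talks repeatedly to a single file server on 445 (normal).
# 10.0.5.90 touches two hosts on 445 and some web traffic (below threshold).
SAMPLE_LOGS = """\
2019-02-14T09:00:01 10.0.5.23 -> 10.0.5.40:445 tcp allow
2019-02-14T09:00:02 10.0.5.23 -> 10.0.5.41:445 tcp allow
2019-02-14T09:00:02 10.0.5.77 -> 10.0.5.10:445 tcp allow
2019-02-14T09:00:05 10.0.5.23 -> 10.0.5.42:445 tcp deny
2019-02-14T09:00:09 10.0.5.90 -> 10.0.5.10:445 tcp allow
2019-02-14T09:00:12 10.0.5.23 -> 10.0.5.43:445 tcp allow
2019-02-14T09:00:20 10.0.5.77 -> 10.0.5.10:445 tcp allow
2019-02-14T09:00:31 10.0.5.23 -> 10.0.5.44:445 tcp allow
2019-02-14T09:00:40 10.0.5.90 -> 10.0.5.11:445 tcp allow
2019-02-14T09:00:45 10.0.5.90 -> 10.0.5.200:80 tcp allow
2019-02-14T09:00:58 10.0.5.23 -> 10.0.5.45:445 tcp allow
2019-02-14T09:05:00 10.0.5.77 -> 10.0.5.10:445 tcp allow
"""

SMB_PORT = 445
THRESHOLD = 5                  # distinct :445 peers from one source ...
WINDOW = timedelta(minutes=5)  # ... within this sliding window


def parse_line(line):
    """Parse one assumed-format log line into a dict of typed fields."""
    ts, src, _arrow, dst_port, proto, action = line.split()
    dst, port = dst_port.rsplit(":", 1)
    return {
        "ts": datetime.fromisoformat(ts),
        "src": src,
        "dst": dst,
        "port": int(port),
        "proto": proto,
        "action": action,
    }


def find_smb_fanout(lines, threshold=THRESHOLD, window=WINDOW):
    """Return {src_ip: sorted distinct :445 destinations} for every source that
    contacted at least `threshold` distinct hosts on TCP/445 inside any window.

    Denied connections are counted too: a blocked probe is still evidence of
    scanning, and a worm does not care whether the firewall said no.
    """
    events = defaultdict(list)  # src -> [(timestamp, dst)]
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        ev = parse_line(raw)
        if ev["port"] == SMB_PORT and ev["proto"] == "tcp":
            events[ev["src"]].append((ev["ts"], ev["dst"]))

    hits = {}
    for src, evs in events.items():
        evs.sort()  # chronological, so each start index opens a window
        for i, (t0, _) in enumerate(evs):
            peers = {dst for t, dst in evs[i:] if t - t0 <= window}
            if len(peers) >= threshold:
                hits[src] = sorted(peers)
                break
    return hits


if __name__ == "__main__":
    for src, peers in find_smb_fanout(SAMPLE_LOGS.splitlines()).items():
        print(f"possible SMB propagation from {src}: {len(peers)} peers -> {peers}")
```

Tune `THRESHOLD` and `WINDOW` to the environment: a domain controller or a vulnerability scanner legitimately reaches many hosts on 445, so exempt known scanners by source address rather than raising the threshold for everyone, and pair the alert with a patch check for MS17-010 on the destinations it lists.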
Cr1ptT0r ransomware targets D-Link NAS devices for financial gain
A new ransomware dubbed “Cr1ptT0r” has been observed targeting D-Link network-attached storage (NAS) devices, likely through older vulnerabilities in the device firmware. The total number of infections and the victims’ geographic locations are as yet unreported; however, because Cr1ptT0r can be adapted to both Linux and Windows operating systems, it will likely draw attention from other threat actors. Additional attacks are considered likely within three months. This is the fifth substantial public report of a ransomware campaign within the last two weeks. Extortion is evidently an ever-popular attack method and the tools used in these campaigns are continuously being updated; the threat from ransomware will probably continue beyond one year.
Unidentified North Korean threat actor targets United States universities
An unknown North Korean threat actor has targeted a United States national security think tank and a university planning to host a conference on the denuclearization of North Korea. The espionage campaign, active since November 2018, used phishing lures impersonating a United States nuclear security expert, enticing victims to manually enable macros that download the “BabyShark” malware. Organizations of this type in the United States are consistently targeted by North Korean threat actors, and the attacks typically follow the procedures of nation-state–associated threat groups. The BabyShark malware has been associated with previous North Korean campaigns such as “KimJongRAT” and “StolenPencil.” However, it remains unclear whether the same attacker was responsible for those earlier campaigns.
Service Worker API abused to maintain connection with compromised bots
Cyber-security researchers released a paper outlining a new proof of concept (PoC), named MarioNet, that would enable an attacker to continue an in-browser compromise even after the user has closed the implicated tab or navigated away from the originating malicious domain. Attackers could abuse the Service Worker SyncManagement Interface, which persists so that it can run again when the user returns to the same domain, allowing the attacker to maintain persistent communication with the device through a side channel. Although a MarioNet attack would need permissions granted on the infected host to keep its connection alive across a browser restart, the PoC demonstrates that such persistence is achievable. The PoC affects the majority of desktop and mobile browsers and will likely garner attention from threat actors seeking to emulate it.