ShadowTalk Update – 3.18.19
March 18, 2019
Harrison sits down with Rose and Christian for a quick chat about APT40 targeting educational maritime research, as well as other highlights from this week. Rose also gives us the breakdown of an inspiring trip to NASA, and space vampires make a brief appearance.
Highlights from the week include the targeting of universities’ research facilities by Chinese threat group “APT40”, the attribution of a data breach against a Singapore healthcare center in 2018 to the threat group “Whitefly”, and new backdoor malware observed abusing the collaboration software Slack for command-and-control (C2) processes.
Chinese threat group infiltrates universities’ research facilities
The Chinese threat group APT40 (aka Mudcarp, TEMP.Periscope, Leviathan) has allegedly conducted a sustained cyber espionage campaign against American universities. The targeted entities all have departments focused on sub-maritime technology, as well as connections to the same not-for-profit research facility focused on maritime science and engineering. APT40 reportedly sent phishing messages with weaponized attachments to compromise university employees’ email accounts. The group also targeted students enrolled in fellowship programs, likely to pivot from victims’ compromised devices onto the not-for-profit company’s networks. Chinese threat groups have previously been blamed for commercial and cyber espionage, likely conducted to improve their own capabilities across various sectors. Further attacks with this motive are likely to continue for the long term (over the next year).
Nation-state espionage group breached major Singapore healthcare group
A data breach from July 2018 affecting prominent Singaporean healthcare organization SingHealth has been attributed to the cyber espionage group Whitefly. The group has been known to conduct cyber attacks against healthcare, telecommunications, media, and engineering entities across multiple countries. Whitefly uses spearphishing emails with malicious attachments that, when opened, abuse a technique known as “search order hijacking” to execute a trojan on a victim’s device. This technique exploits the procedure the Windows operating system uses to search for a Dynamic Link Library (DLL) when the program loading a document does not specify the library’s full path. Whitefly is regarded as affiliated with an unconfirmed nation-state.
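The search-order mechanism described above, modelled in a short Python example added here (it is not code from the ShadowTalk post or from any Whitefly report): a simplified loader search order and a defender-side audit that flags same-named DLLs sitting ahead of the system directory. The directory names, file names and search order are constructed assumptions; the real order depends on SafeDllSearchMode and the loader's settings.

```python
from typing import Dict, List, Optional, Set

# Simplified, illustrative search order used when a DLL is requested by name
# only: application directory, system directory, current directory, PATH.
# The real order depends on SafeDllSearchMode and loader settings (assumption).
APP_DIR = r"C:\Program Files\Viewer"
SYSTEM_DIR = r"C:\Windows\System32"
SEARCH_ORDER: List[str] = [APP_DIR, SYSTEM_DIR, r"C:\Users\alice\Documents", r"C:\Tools"]

# Constructed filesystem snapshot (directory -> file names), not a real host.
FILESYSTEM: Dict[str, Set[str]] = {
    SYSTEM_DIR: {"version.dll", "kernel32.dll", "ntdll.dll"},
    APP_DIR: {"viewer.exe", "version.dll"},  # local copy sits ahead of System32
    r"C:\Users\alice\Documents": {"notes.txt"},
    r"C:\Tools": {"helper.dll"},
}


def resolve_dll(name: str, search_order: List[str], fs: Dict[str, Set[str]]) -> Optional[str]:
    """Return the path the loader would pick: the first directory in the search
    order holding a file with the requested name (Windows names are case-insensitive)."""
    wanted = name.lower()
    for directory in search_order:
        for filename in fs.get(directory, ()):
            if filename.lower() == wanted:
                return directory + "\\" + filename
    return None


def find_shadowing_dlls(search_order: List[str], fs: Dict[str, Set[str]], system_dir: str) -> List[str]:
    """Defensive audit: paths outside the system directory that are searched
    before it and carry the same name as a system DLL, so they would be loaded
    instead of the legitimate copy. Review such files before trusting the host."""
    system_dlls = {f.lower() for f in fs.get(system_dir, ()) if f.lower().endswith(".dll")}
    findings: List[str] = []
    for directory in search_order:
        if directory == system_dir:
            break  # directories after the system directory cannot shadow it
        for filename in fs.get(directory, ()):
            if filename.lower() in system_dlls:
                findings.append(directory + "\\" + filename)
    return findings


if __name__ == "__main__":
    print("loader would pick:", resolve_dll("version.dll", SEARCH_ORDER, FILESYSTEM))
    for path in find_shadowing_dlls(SEARCH_ORDER, FILESYSTEM, SYSTEM_DIR):
        print("shadows a system DLL:", path)
```

On a real host the same check would be run over the actual application directories and the modules a process has loaded, with any hit reviewed against a known-good hash before the file is trusted.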
New backdoor malware pioneers abuse of Slack software
New backdoor malware, dubbed SLUB, has been observed using the Slack collaboration software for C2 communications. Abuse of legitimate services for C2 purposes is not uncommon, and is intended to evade detection by security products, but this is the first reported abuse of Slack for this activity. The attackers compromised a website that provides news on South and North Korean political affairs, and appeared interested in files used by Korean word processing software, suggesting the potential targets were South Korean users of Slack.