ShadowTalk Update – 3.25.19
March 25, 2019
Harrison chats with Jamie and Alex this week on an attack on Norwegian aluminum and renewable-energy company Norsk Hydro ASA. The team also looks at threat group “APT-C-27” exploiting a flaw in WinRAR software, a fourth batch of breached data offered for sale on the dark web by “Gnosticplayers”, and a spam campaign exploiting the recent events surrounding the grounding of multiple Boeing 737 aircraft.
Highlights from the week include: Threat group “APT-C-27” exploiting a flaw in WinRAR software to target users in the Middle East, a fourth batch of breached data offered for sale on the dark web by “Gnosticplayers”, and a spam campaign exploiting the recent events surrounding the grounding of multiple Boeing 737 aircraft.
Norwegian company attack shows strength of ransomware trend
Norwegian company Norsk Hydro ASA (Hydro) reportedly suffered a ransomware attack on 19 Mar 2019. Recent reporting has focused on successful ransomware attacks against smaller organizations, which attackers may see as more vulnerable, but the Hydro attack illustrates that large, mature corporations are not immune to ransomware. Several reports about the Hydro attack suggested the involvement of the ransomware LockerGoga, which was used to target the French IT solutions company Altran Technologies (Altran) in January 2019. Recently observed samples of LockerGoga suggest it is undergoing consistent development; a sophisticated threat group may be behind the ransomware’s development and deployment, likely motivated by financial gain. Hydro restored most of its operations the day after the attack, and the overall impact of the event is yet to be assessed.
Decades-old software flaw manipulated to attack WinRAR users
On 19 Mar 2019 the threat group APT-C-27 was observed using a 19-year-old vulnerability affecting the popular file archive software WinRAR to target users in the Middle East. The group distributed Arabic-language lure documents in a compressed format; when uncompressed, they opened and extracted the “njRAT” backdoor. The backdoor executes after an affected device is restarted or the user logs in again. APT-C-27 has previously conducted cyber espionage against users in Syria; it is realistically possible that this attack campaign was politically motivated. Due to the high volume of attacks exploiting the WinRAR flaw, it is almost certain that this vulnerability will continue to be exploited by threat actors over the next few weeks and months.
Gnosticplayers advertises fourth batch of breached records on dark web
Following the advertisement of 841 million data records in February 2019, the threat actor Gnosticplayers is now advertising a fourth batch of data sets for sale on the dark web marketplace Dream Market. Sourced from six different companies, the data sets consist of more than 26 million user records in batches ranging from 1.12 million to 13 million records each, including customer credentials. Gnosticplayers had reportedly breached five of the six victim companies in February 2019. The records they are offering for sale do not likely comprise the entirety of data Gnosticplayers has stolen in various attacks. Some companies have met extortion demands following breaches, resulting in their data being withheld from the advertised records. Additional records will likely be put up for sale over the next few weeks or months.
New spam campaign exploits recent Boeing 737 crashes
A new spam campaign is exploiting interest in the recent crashes involving Boeing 737 aircraft to deliver the “Adwind” trojan and “Houdini H-worm” RAT. The emails are purportedly from an intelligence analyst claiming to possess confidential documents regarding the affected aircraft. Real-world events are increasingly abused by threat actors for financial gain; they seek to capitalize on the media coverage, public interest, and/or altruistic nature of individuals wishing to make charitable donations. For example, the United States Computer Emergency Readiness Team has warned of potential scams concerning the New Zealand mosque shootings on 15 Mar 2019.
For more details, read the full Weekly Intelligence Summary here:
To stay up to date with the latest in digital risk protection, subscribe to our threat intelligence emails here.