ShadowTalk Update – 4.1.19
March 29, 2019
Christian and Jamie sit down with Harrison to talk about the compromised Asus server used to distribute backdoor malware to at least 500,000 users’ devices, more LockerGoga ransomware attacks, a new Magecart skimming attack, and FIN7 back in the news. Busy week! Also, Jamie gives hair product tips and the guys discuss what Twitter handle they would choose in an ideal world.
In the spotlight this week, the server of device manufacturer ASUS was compromised by an unknown threat actor, pushing backdoor malware to at least 500,000 users’ devices. Despite the scale, this was likely a highly targeted operation: The threat actor appeared to be only interested in approximately 600 of those devices, whose Media Access Control (MAC) addresses were hard-coded into the backdoor.
Phony software updates infect devices with malware
An unidentified threat actor pushed malicious updates to devices made by ASUS by compromising the company’s update server. At least 500,000 users’ devices received a backdoored build disguised as a legitimate update, but the perpetrator appeared to focus on only approximately 600 devices. Those were singled out by a pre-defined list of MAC addresses hard-coded in the malware: if one of the host’s network adapters matched an entry on that list, the backdoor contacted the threat actor’s command-and-control (C2) domain to retrieve and install additional malware; otherwise it stayed dormant. Whoever was responsible is likely highly sophisticated and will probably remain active over the next 12 months. Security researchers have suggested the same operation extended to vendors other than ASUS, but those claims could not be confirmed at the time of writing.
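To make the targeting mechanism concrete, here is a small added example (written for this summary; it is not code from the page, from ASUS, or from any published analysis of the incident). It models the gate a backdoor of this kind evaluates before talking to its C2, a hard-coded list of device identifiers checked against the host’s own adapters, and the same logic can be run defensively to ask whether a given host was on the list. Two things are assumptions rather than facts from the page: that the list stores MD5 digests of the normalized, lowercase, colon-separated MAC string rather than raw addresses, and the `ip link` output used as input. The target digests and the sample interfaces are constructed for the example and are not real indicators.

```python
"""Added example: a MAC-address allowlist gate of the kind described above.

Assumptions (not from the page): targets are MD5 hex digests of the
normalized MAC string 'aa:bb:cc:dd:ee:ff'. All data below is constructed.
"""
import hashlib
import re

_MAC_RE = re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$")


def normalize_mac(mac: str) -> str:
    """Accept 'AA-BB-CC-DD-EE-FF', 'aabb.ccdd.eeff' or 'aa:bb:cc:dd:ee:ff'
    and return the lowercase colon-separated form; reject anything else."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    norm = ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2)).lower()
    assert _MAC_RE.match(norm)
    return norm


def mac_digest(mac: str) -> str:
    """Identifier the allowlist is keyed on (assumed: MD5 of normalized MAC)."""
    return hashlib.md5(normalize_mac(mac).encode("ascii")).hexdigest()


def parse_ip_link(output: str) -> list:
    """Pull hardware addresses out of Linux `ip link` output."""
    return re.findall(r"link/ether\s+([0-9a-f:]{17})", output)


def targeted_macs(host_macs, target_digests) -> list:
    """Return the host MACs (normalized) whose digest is on the target list.

    This is the decision the backdoor makes before contacting its C2: an
    empty result means 'stay dormant'. Run defensively against a known
    target list, a non-empty result means this host was being hunted.
    Unparseable entries are skipped rather than treated as a match.
    """
    hits = []
    for mac in host_macs:
        try:
            norm = normalize_mac(mac)
        except ValueError:
            continue
        if mac_digest(norm) in target_digests:
            hits.append(norm)
    return hits


# Constructed target list: digests of two made-up MAC addresses.
TARGET_DIGESTS = {mac_digest(m) for m in ("00:11:22:33:44:55", "66:77:88:99:aa:bb")}

# Constructed `ip link` output for a host with one targeted adapter (eth0).
SAMPLE_IP_LINK = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP
    link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff
3: wlan0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN
    link/ether de:ad:be:ef:00:01 brd ff:ff:ff:ff:ff:ff
"""

if __name__ == "__main__":
    hits = targeted_macs(parse_ip_link(SAMPLE_IP_LINK), TARGET_DIGESTS)
    print("stage two would run" if hits else "stay dormant", hits)
```

The point worth taking away is how cheap the gate is for the attacker: every recipient of the poisoned update carries the full backdoor, but only the hosts that match one of a few hundred hashed identifiers ever generate C2 traffic, which is why 500,000 infections can look like a 600-device operation on the wire.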
US chemical companies disrupted by potential LockerGoga ransomware
United States chemical companies Hexion and Momentive are said to have been targeted in a ransomware attack. The ransomware is likely the LockerGoga variant that hit Norsk Hydro earlier in March 2019. The companies’ manufacturing operations were reportedly not disrupted by the attack because they run on a separate network, but the ransomware did disrupt corporate operations. The companies claim to have since adopted procedures to mitigate future attacks.
Magecart blamed for two new attacks against mattress and bedding retailers
The Magecart threat collective has been blamed for two new attacks, against mattress and bedding retailers MyPillow and Amerisleep. The perpetrators primarily used typo-squatted domains to host their skimming code, and injected short scripts into the legitimate websites that loaded the skimmer from those spoofed domains. This was almost certainly done for obfuscation purposes: By keeping the code added to the victim site to a minimum, attackers reduce the chance of their activity being discovered. Magecart was also observed registering a spoofed account on the GitHub code-sharing platform and using it to host malicious code.
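The defensive counterpart to that technique is an audit of which hosts a checkout page actually loads scripts from. The following is an added example (not code from the page or from either retailer): it collects every `<script src>` on a page, classifies each host as first-party, allowlisted third party, typo-squat-style lookalike of the site’s own brand, or unknown, and returns the ones that need a human look. The site name, the allowlist, the HTML and the lookalike domain in it are constructed for the example; the registrable-domain logic assumes a simple two-label rule rather than a public-suffix list.

```python
"""Added example: flag third-party and lookalike script sources on a page.

Constructed data throughout; no real indicators. Assumes registrable
domain = last two labels (no public-suffix handling).
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot brand lookalikes (one or two typos)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """'cdn.shop.example' -> 'shop.example' (assumption: two-label rule)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


class _ScriptCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.sources = []
        self.inline = 0

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.sources.append(src)
        else:
            self.inline += 1  # inline loaders are where injections usually sit


def script_sources(html: str) -> list:
    p = _ScriptCollector()
    p.feed(html)
    return p.sources


def classify_script_host(src: str, site_domain: str, allowlist) -> str:
    host = urlparse(src).hostname  # None for relative URLs such as /static/app.js
    if host is None:
        return "first-party"
    rd = registrable_domain(host)
    if rd == site_domain:
        return "first-party"
    if rd in allowlist:
        return "allowlisted"
    brand, other = site_domain.split(".")[0], rd.split(".")[0]
    # Typo-squat heuristic: a couple of edits away from, or containing, the brand.
    if edit_distance(brand, other) <= 2 or brand in other:
        return "lookalike"
    return "unknown-third-party"


def audit(html: str, site_domain: str, allowlist) -> list:
    """(src, verdict) for every external script on the page."""
    return [(s, classify_script_host(s, site_domain, allowlist)) for s in script_sources(html)]


def flagged(html: str, site_domain: str, allowlist) -> list:
    """Only the entries that need review: lookalikes and unknown third parties."""
    return [(s, v) for s, v in audit(html, site_domain, allowlist)
            if v in ("lookalike", "unknown-third-party")]


# Constructed checkout page: one legitimate CDN, one allowlisted payment
# script, and one injected loader pointing at a made-up lookalike domain.
SAMPLE_HTML = """<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example-bedding.com/checkout.js"></script>
<script src="https://js.stripe.com/v3/"></script>
<script src="https://exarnple-bedding.com/jquery.min.js"></script>
<script>window.dataLayer = [];</script>
</head><body></body></html>"""

SITE = "example-bedding.com"
ALLOWLIST = {"stripe.com"}

if __name__ == "__main__":
    for src, verdict in flagged(SAMPLE_HTML, SITE, ALLOWLIST):
        print(f"{verdict:22s} {src}")
```

Run this against the live checkout page on a schedule and diff the result: a script source that was not there yesterday, or that resolves to a domain one keystroke away from your own, is exactly the footprint these attacks try to keep small. The heuristic is deliberately loose; a tighter deployment would pair it with a public-suffix list and an allowlist built from a known-good crawl.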
FIN7 drops new malware variants and administrator panel in ongoing campaigns
Two new malware variants and a new administrator script-management panel have been distributed in several campaigns attributed to threat group FIN7. Although the motives behind these campaigns are unknown, given FIN7’s previous activity the malware is likely intended to exfiltrate monetizable and financial data. Because these campaigns were first observed in January 2018 and are still ongoing, the group appears to have been largely unaffected by the arrest of three of its members in August 2018. This suggests FIN7 is a highly organized group operating through several sub-groups. Additional attacks as part of these campaigns will likely be observed within the next three months.
For more details, read the full Weekly Intelligence Summary here:
To stay up to date with the latest in digital risk protection, subscribe to our threat intelligence emails here.