ShadowTalk Update – 4.15.19
April 15, 2019
Christian and Jamie join Harrison for another week of ShadowTalk to discuss the FIN6 threat actor reportedly widening its range of attacks to include ransomware, a shift that could lead the group to extend its targeting beyond retail and hospitality entities. The highlights from this week include a Chinese advanced persistent threat (APT) campaign against a German pharmaceutical company, likely to steal intellectual property; a mass phishing campaign that used US servers to host malware; and a Domain Name System (DNS) hijacking campaign aimed at online services and Brazilian financial institutions. No Zuko this week unfortunately, and we ask Christian what his theory is for Game of Thrones, which starts up on Sunday.
Weekly highlights included: a Chinese advanced persistent threat (APT) campaign against a German pharmaceutical company, likely to steal intellectual property; a mass phishing campaign that used US servers to host malware; and a Domain Name System (DNS) hijacking campaign aimed at online services and Brazilian financial institutions.
Fin6 adds ransomware to tactic arsenal
The cybercriminal group Fin6 has reportedly broadened its tactic range to include ransomware, specifically using the “Ryuk” and “LockerGoga” variants. The group’s previous tactics focused on targeting point of sale (POS) terminals and e-commerce platforms to steal card payment and financial information. If Fin6’s use of ransomware is confirmed as accurate, this would represent a significant shift in modus operandi, since ransomware can be deployed against organizations that do not manage or process card data. It would also indicate a new tactic developed relatively quickly, given that Fin6 only began to target e-commerce organizations in 2018. The group is likely still developing new methods to use in attack campaigns in the long term (beyond one year).
German pharmaceutical company targeted by Chinese APT campaign
The German pharmaceutical company Bayer reportedly identified and contained an attack that used the “Winnti” malware and was attributed to Chinese state-associated group “Wicked Panda”. The attack reportedly began in 2018. Wicked Panda is linked to the “Winnti Umbrella”, a collection of Chinese APT threat groups known to collaborate and share infrastructure (including the Winnti malware). Bayer was likely targeted for sensitive intellectual property that could assist in developing the domestic pharmaceutical sector in the People’s Republic of China. Given the highly active nature of Winnti-associated groups, more attacks are likely in the next 12 months.
Mass phishing campaign exploits US web servers to host malware
Cybersecurity researchers identified a mass phishing campaign that has been active since at least May 2018 and is reportedly continuing. The campaign has been using 12 command-and-control servers to host 10 distinct malware variants. That the servers were based in the United States is unusual, because the United States routinely takes law-enforcement action when servers or hosting providers are found to be used for malicious purposes. It is realistically possible that the perpetrators did so to improve their success rate against American targets: organizations are less likely to block traffic coming from countries within their typical traffic profile.
New DNS hijacking attacks on online services and Brazilian financial institutions
Researchers have identified an ongoing DNS hijacking campaign targeting online domain hosting providers; commercial websites, such as for Netflix, Uber, PayPal, and Google; and various Brazilian financial institutions. The campaign likely began in December 2018. The identity and motive of the threat actor(s) responsible is not known, although Brazil, and South America in general, is often targeted by financially motivated DNS hijacking campaigns, due to the prevalence of vulnerable devices. More attacks are considered likely in the short-term future (within three months).