ShadowTalk Update – 4.22.19
April 22, 2019
This week the team discusses an unidentified threat actor that has obtained data from various personal Outlook, MSN, and Hotmail email accounts by compromising a Microsoft customer support account. Also, the “Triton” malware was detected at a critical infrastructure facility, an IT outsourcing company experienced a potential network intrusion linked to a supply-chain attack, and a new trojan referred to as Hoplight has been attributed to the “Lazarus Group”.
- In the spotlight: An unidentified threat actor has obtained data from various personal Outlook, MSN, and Hotmail email accounts by compromising a Microsoft customer support account. The incident highlights the risks of high-privilege accounts; future uses for the stolen data could include phishing campaigns, resale on cybercriminal markets and forums, or direct monetization and extortion.
- Also this week, the “Triton” malware was detected at a critical infrastructure facility, an IT outsourcing company experienced a potential network intrusion linked to a supply-chain attack, and a new trojan referred to as Hoplight has been attributed to the “Lazarus Group”.
Microsoft breach invited personal email account hack
An unknown threat actor reportedly used a high-privilege Microsoft customer support email account to compromise various Outlook, MSN, and Hotmail personal accounts. The perpetrator reportedly accessed message subject lines, folder names, user contacts, and, in some cases, the body content of messages. How the stolen email data will be used is not known, but possibilities include sale on cybercriminal markets and forums, use in future phishing campaigns, or use in direct monetization and extortion. The incident highlights the risks high-privilege accounts carry, and the necessity for organizations to effectively manage and review group policies.
Triton malware strikes another critical infrastructure facility
A second intrusion using the Triton malware was recently reported, this time targeting an unspecified critical infrastructure facility. Triton was used to target industrial control systems in December 2017 and has been attributed to a Russian government-owned technical research institute. The second intrusion saw a combination of custom and commodity intrusion tools used to gain and maintain access to the facility, with a focus on remaining undetected. It is unclear whether the timing of the second incident coincided with the December 2017 attack.
Threat actor abuses IT company network to target customers
Indian IT outsourcing company Wipro was reportedly compromised by an unknown threat actor who gained unauthorized access to its network. The perpetrator abused that access to target at least 12 Wipro customers, potentially via phishing attacks sent from Wipro’s compromised corporate email system. A customer receiving malicious emails sent from Wipro would inherently consider them trustworthy, increasing the chances that the recipient would click on links or open attachments.
Development of new Hoplight trojan pinned on Lazarus Group
The North Korean state-associated Lazarus Group has reportedly developed a new trojan referred to as Hoplight. The variant includes nine malicious files that can install backdoors and collect system information (including operating system version, volume information, and time zone). The malware also contains proxy applications used to mask traffic between the malware and remote operators. Although the targeted sectors and geographies are not yet known, the Lazarus Group typically conducts financially motivated attacks against financial institutions and cryptocurrency exchanges to generate income for North Korea’s economy; these are the sectors that will most likely be targeted by Hoplight.