
ShadowTalk Update – 4.8.19

April 8, 2019

Jamie, Alex and Zuko sit down with Harrison to talk about a story that flew a little under the radar this week: Russia has allegedly been conducting a widespread satellite spoofing campaign since 2016, sending false positional data to ships and planes. Other highlights from this week include APT33 activity targeting engineering and manufacturing organizations, popular restaurant chains reporting point-of-sale malware attacks, and South Korean websites being used in watering hole attacks. Also: Game of Thrones theories, Alex realizes he’s way late to the #GoT party, and more on this week’s ShadowTalk.

Highlights from the week include: “APT33” targeting American and Saudi engineering and manufacturing organizations, Earl Enterprises restaurants being affected by point of sale (POS) malware, and watering hole attacks waged on South Korean websites.

Russia conducts widespread navigation satellite spoofing

Russia has reportedly waged a GNSS (Global Navigation Satellite System) spoofing campaign that is more indiscriminate and persistent, larger in scope, and more geographically diverse than previous public reporting suggested. The spoofing broadcast false positional data to ships and aircraft, reportedly affecting at least 1,311 civilian vessels. GNSS spoofing poses the most severe threat to the transportation sector, and presents indirect risk to organizations whose supply chains and daily operations depend on shipping. The technique is likely to become more common in attacks and can affect any industry that relies on GNSS data in its technologies.
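A receiver cannot tell a spoofed signal from a real one by itself, so one practical defence is to sanity-check the positions it reports. The Python below is an added example, not code from the original post or from the report it summarizes. It parses NMEA 0183 $GPRMC sentences, verifies their checksums, and flags any fix whose implied speed since the previous fix exceeds a ceiling set for the platform; the 40-knot ceiling is an assumed value for a surface vessel, and the sample sentences are constructed for illustration.

```python
"""
Plausibility check for GNSS position fixes.

Added example, not code from the original post or the report it cites.
It parses NMEA 0183 $GPRMC sentences, verifies their checksums, and flags
any fix whose implied speed since the previous fix exceeds a ceiling the
operator sets for the platform (40 knots here, an assumed value for a
surface vessel). The sample sentences are constructed for illustration.
"""
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt
from typing import List, Optional

EARTH_RADIUS_M = 6_371_000.0
METRES_PER_SECOND_PER_KNOT = 0.514444

@dataclass
class Fix:
    t: float    # seconds since midnight UTC
    lat: float  # decimal degrees, north positive
    lon: float  # decimal degrees, east positive

def nmea_checksum(body: str) -> int:
    """XOR of every character between the leading '$' and the '*'."""
    cs = 0
    for ch in body:
        cs ^= ord(ch)
    return cs

def nmea_checksum_ok(sentence: str) -> bool:
    """True if the two hex digits after '*' match the computed checksum."""
    if not sentence.startswith("$") or "*" not in sentence:
        return False
    body, _, tail = sentence[1:].partition("*")
    try:
        return nmea_checksum(body) == int(tail[:2], 16)
    except ValueError:
        return False

def build_rmc(hhmmss: str, lat_dm: str, ns: str, lon_dm: str, ew: str,
              sog: str, cog: str, ddmmyy: str) -> str:
    """Assemble a valid $GPRMC sentence (used here only to construct samples)."""
    body = f"GPRMC,{hhmmss},A,{lat_dm},{ns},{lon_dm},{ew},{sog},{cog},{ddmmyy},,,A"
    return f"${body}*{nmea_checksum(body):02X}"

def _dm_to_deg(value: str, hemi: str) -> float:
    """Convert NMEA (d)ddmm.mmmm plus hemisphere letter to signed decimal degrees."""
    dot = value.index(".")
    deg = float(value[:dot - 2]) + float(value[dot - 2:]) / 60.0
    return -deg if hemi in ("S", "W") else deg

def parse_rmc(sentence: str) -> Optional[Fix]:
    """Parse a $GPRMC sentence; None if the checksum fails or status is not 'A'."""
    if not nmea_checksum_ok(sentence):
        return None
    fields = sentence[1:].partition("*")[0].split(",")
    if fields[0] != "GPRMC" or fields[2] != "A":
        return None
    hhmmss = fields[1]
    t = int(hhmmss[0:2]) * 3600 + int(hhmmss[2:4]) * 60 + float(hhmmss[4:])
    return Fix(t, _dm_to_deg(fields[3], fields[4]), _dm_to_deg(fields[5], fields[6]))

def haversine_m(a: Fix, b: Fix) -> float:
    """Great-circle distance between two fixes in metres."""
    dlat = radians(b.lat - a.lat)
    dlon = radians(b.lon - a.lon)
    h = sin(dlat / 2) ** 2 + cos(radians(a.lat)) * cos(radians(b.lat)) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_M * asin(sqrt(h))

def implied_speed_knots(prev: Fix, cur: Fix) -> float:
    """Speed the receiver must have moved at to get from prev to cur."""
    return haversine_m(prev, cur) / (cur.t - prev.t) / METRES_PER_SECOND_PER_KNOT

def suspicious_fixes(fixes: List[Fix], max_speed_knots: float = 40.0) -> List[int]:
    """Indices of fixes implying an impossible jump, or a time that does not advance."""
    flagged = []
    for i in range(1, len(fixes)):
        prev, cur = fixes[i - 1], fixes[i]
        if cur.t <= prev.t or implied_speed_knots(prev, cur) > max_speed_knots:
            flagged.append(i)
    return flagged

# Constructed track: two fixes one minute apart at about 10 knots, then a
# fix roughly 24 nautical miles away one minute later, the kind of jump a
# spoofed position produces.
SAMPLE_SENTENCES = [
    build_rmc("120000.00", "4436.000", "N", "03330.000", "E", "10.2", "000.0", "080419"),
    build_rmc("120100.00", "4436.170", "N", "03330.000", "E", "10.2", "000.0", "080419"),
    build_rmc("120200.00", "4500.000", "N", "03330.000", "E", "10.2", "000.0", "080419"),
]

def check_track(sentences: List[str], max_speed_knots: float = 40.0) -> List[int]:
    """Parse sentences, drop invalid ones, and return indices (into the valid fixes) that are suspicious."""
    fixes = [f for f in (parse_rmc(s) for s in sentences) if f is not None]
    return suspicious_fixes(fixes, max_speed_knots)

if __name__ == "__main__":
    for i in check_track(SAMPLE_SENTENCES):
        print(f"fix {i} implies an impossible jump: {SAMPLE_SENTENCES[i]}")
```

A checksum failure only catches corruption, not spoofing: a spoofed sentence is well-formed. The speed check catches the abrupt relocations typical of a spoofer capturing a receiver, but a spoof that walks the position away at a plausible speed passes it, so in practice the check is one input alongside independent sources such as inertial navigation, radar and the reported positions of nearby vessels.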

APT33 goes after US and Saudi engineering and manufacturing targets

The Iranian state-associated threat actor APT33 (aka Elfin) has reportedly targeted unnamed engineering, manufacturing, and finance organizations in Saudi Arabia and the United States since February 2019. The group exploited a vulnerability in the popular archiver WinRAR (CVE-2018-20250), delivered through spearphishing emails that used job vacancy lures. The targeting aligns with previous Iranian campaigns, which have sought to exfiltrate sensitive commercial information to support domestic economic investment and production.
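The WinRAR bug cited above (CVE-2018-20250) is an archive path-traversal flaw: a crafted member name makes the extractor write a file outside the directory the user chose. The Python below is an added example, not code from the original post or from any product mentioned here, and it is deliberately format-agnostic: Python's standard library has no ACE parser, so the validation is demonstrated on an in-memory ZIP with constructed member names, including the Windows drive-letter and backslash forms that an extractor on Windows must also reject.

```python
"""
Path-traversal check for archive extraction.

Added example, not from the original post. Decides whether each archive
member may be written under a chosen destination, rejecting absolute
paths, drive-letter prefixes, and names whose '..' components escape the
destination. The member names below are constructed for illustration.
"""
import io
import os
import posixpath
import tempfile
import zipfile
from typing import Dict, List, Optional, Tuple

def resolve_member(name: str, dest: str) -> Optional[str]:
    """Absolute path `name` would be written to under `dest`, or None if it must not be extracted."""
    if not name or "\x00" in name:
        return None
    # Treat Windows separators like '/', so '..\\x' is handled the same as '../x'.
    norm = name.replace("\\", "/")
    # Absolute paths and drive-letter-style prefixes ('C:...') are never safe.
    if norm.startswith("/") or (len(norm) >= 2 and norm[1] == ":"):
        return None
    # Lexically collapse '.' and '..'; anything still starting with '..' escapes.
    if posixpath.normpath(norm).split("/")[0] == "..":
        return None
    # Belt and braces: resolve against the real destination and confirm containment.
    dest_real = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(dest_real, *norm.split("/")))
    if target == dest_real or not target.startswith(dest_real + os.sep):
        return None
    return target

def is_safe_member(name: str, dest: str) -> bool:
    """True only if `name` resolves to a path strictly inside `dest`."""
    return resolve_member(name, dest) is not None

def safe_extract(zf: zipfile.ZipFile, dest: str) -> Tuple[List[str], List[str]]:
    """Extract members that pass the check; return (extracted, skipped) member names."""
    extracted: List[str] = []
    skipped: List[str] = []
    for info in zf.infolist():
        target = resolve_member(info.filename, dest)
        if target is None:
            skipped.append(info.filename)
            continue
        if info.is_dir():
            os.makedirs(target, exist_ok=True)
        else:
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
        extracted.append(info.filename)
    return extracted, skipped

# Constructed member names: two benign, three that try to escape the destination.
CONSTRUCTED_MEMBERS: Dict[str, bytes] = {
    "report/README.txt": b"benign content",
    "../../Startup/evil.exe": b"would land outside the output directory",
    "C:\\Users\\Public\\x.lnk": b"absolute Windows path",
    "docs/../../escape.txt": b"escapes via nested '..'",
    "ok/../inside.txt": b"'..' that stays inside the destination",
}

def extract_demo() -> Tuple[List[str], List[str]]:
    """Build the constructed archive in memory and extract it into a fresh temp directory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in CONSTRUCTED_MEMBERS.items():
            zf.writestr(name, data)
    buf.seek(0)
    dest = tempfile.mkdtemp(prefix="safe_extract_")
    with zipfile.ZipFile(buf) as zf:
        return safe_extract(zf, dest)

if __name__ == "__main__":
    extracted, skipped = extract_demo()
    print("extracted:", extracted)
    print("skipped:  ", skipped)
```

Note the two-stage check: the lexical test on the member name alone is what a format-agnostic scanner can apply to an archive listing before anything is written, while the final comparison of resolved real paths is what the extractor itself should enforce at write time.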

Earl Enterprises restaurants affected by point of sale malware

Restaurant brands owned by the United States-based hospitality company Earl Enterprises Inc were targeted by POS malware between 23 May 2018 and 18 March 2019 by an unknown threat actor. The malware was used to steal sensitive customer payment data, reportedly including credit and debit card numbers, expiration dates, and cardholder names. Earl Enterprises did not disclose how many locations or customers were affected. A separate third-party report indicated that as many as two million customer details from one of the targeted brands were likely compromised, as they were detected for sale on criminal marketplaces.

Watering hole attacks aimed at South Korean websites

A new phishing campaign, identified in March 2019 and referred to as Soula, has targeted at least four of South Korea’s most prominent websites to conduct watering hole attacks. Malicious JavaScript injected into the sites displayed a spoofed login screen that exfiltrated visitors’ login credentials. The campaign showed an emphasis on persistence and obfuscation: the injected code checked whether the user entering credentials was a bot or an automated threat scanner. The end targets of the campaign are unknown at the time of writing.


For more details, read the full Weekly Intelligence Summary here:
Weekly Intelligence Summary 28 Mar - 04 Apr 2019
