ShadowTalk Update – 4.8.19
April 8, 2019
Jamie, Alex and Zuko sit down with Harrison to talk about a story that flew a little under the radar this week: Russia has allegedly been conducting a widespread satellite navigation spoofing campaign since 2016, sending false positional data to ships and planes. Other highlights from this week include APT33 activity targeting engineering and manufacturing organizations, point of sale malware at a group of popular restaurant chains, and South Korean websites being used in watering hole attacks. Also, Game of Thrones theories, Alex realizes he’s way late to the #GoT party, and more on this week’s ShadowTalk.
Highlights from the week include: “APT33” targeting American and Saudi engineering and manufacturing organizations, Earl Enterprises restaurants being affected by point of sale (POS) malware, and watering hole attacks waged on South Korean websites.
Russia conducts widespread navigation satellite spoofing
Russia has been found to have waged a GNSS spoofing campaign that is more indiscriminate and persistent, larger in scope, and more geographically diverse than previous public reporting suggested. The tactic involves transmitting counterfeit satellite signals that cause receivers on ships and aircraft to compute false positions; the campaign reportedly affected at least 1,311 civilian vessels. GNSS spoofing poses the most severe threat to the transportation sector, and an indirect risk to any organization that depends on shipping for its supply chain and daily operations. Because civilian GNSS signals carry no authentication, a spoofer only needs to overpower the genuine signal at the receiver, so the technique is likely to be used more widely and can affect any industry whose technology consumes GNSS data (including the timing references many networks take from it).
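As an added example (not part of the original ShadowTalk write-up), the following Python sketches the kind of plausibility check a consumer of receiver output can apply: it parses NMEA 0183 RMC sentences, verifies their checksums, and flags any fix whose implied speed from the last trusted fix is beyond what a vessel can sustain, which is what a position suddenly "teleporting" inland looks like in the data. The sample track, its coordinates, the corrupted sentence and the 50-knot threshold are all constructed assumptions, not captured data.

```python
"""Plausibility check for GNSS fixes carried in NMEA 0183 RMC sentences.

Added example, not code from the ShadowTalk page. A spoofed receiver reports a
position far from where the platform physically is, so the speed implied
between the last trusted fix and the new one is absurd. All sentences below
are constructed test data, not captured from a real receiver.
"""
import math
from dataclasses import dataclass
from typing import List, Optional, Tuple

EARTH_RADIUS_M = 6_371_000.0


@dataclass
class Fix:
    t: float       # seconds since midnight UTC
    lat: float     # decimal degrees, north positive
    lon: float     # decimal degrees, east positive
    sog_kn: float  # speed over ground the receiver itself claims, knots


def nmea_checksum(body: str) -> str:
    """XOR of every character between '$' and '*', as two uppercase hex digits."""
    acc = 0
    for ch in body:
        acc ^= ord(ch)
    return f"{acc:02X}"


def _deg_to_nmea(deg: float, is_lat: bool) -> Tuple[str, str]:
    """Decimal degrees -> (ddmm.mmmm or dddmm.mmmm, hemisphere letter)."""
    hemi = ("N" if deg >= 0 else "S") if is_lat else ("E" if deg >= 0 else "W")
    deg = abs(deg)
    whole = int(deg)
    minutes = (deg - whole) * 60.0
    return f"{whole:0{2 if is_lat else 3}d}{minutes:07.4f}", hemi


def _nmea_to_deg(value: str, hemi: str) -> float:
    v = float(value)
    whole = int(v // 100)
    d = whole + (v - whole * 100) / 60.0
    return -d if hemi in ("S", "W") else d


def build_rmc(hhmmss: str, lat: float, lon: float, sog_kn: float) -> str:
    """Build a checksum-valid $GPRMC sentence (constructed data; status 'A' = valid)."""
    lat_s, ns = _deg_to_nmea(lat, True)
    lon_s, ew = _deg_to_nmea(lon, False)
    body = f"GPRMC,{hhmmss},A,{lat_s},{ns},{lon_s},{ew},{sog_kn:.1f},0.0,080419,,,A"
    return f"${body}*{nmea_checksum(body)}"


def parse_rmc(sentence: str) -> Optional[Fix]:
    """Return a Fix for a well-formed, checksum-valid, non-void RMC sentence, else None."""
    if not sentence.startswith("$") or "*" not in sentence:
        return None
    body, _, given = sentence[1:].partition("*")
    if given[:2].upper() != nmea_checksum(body):
        return None
    f = body.split(",")
    # 0 talker+RMC, 1 hhmmss, 2 status, 3 lat, 4 N/S, 5 lon, 6 E/W, 7 SOG knots, ...
    if len(f) < 10 or not f[0].endswith("RMC") or f[2] != "A":
        return None
    try:
        t = int(f[1][0:2]) * 3600 + int(f[1][2:4]) * 60 + float(f[1][4:])
        return Fix(t, _nmea_to_deg(f[3], f[4]), _nmea_to_deg(f[5], f[6]), float(f[7]))
    except ValueError:
        return None


def haversine_m(a: Fix, b: Fix) -> float:
    """Great-circle distance between two fixes in metres."""
    p1, p2 = math.radians(a.lat), math.radians(b.lat)
    dlam = math.radians(b.lon - a.lon)
    h = math.sin((p2 - p1) / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(h))


def implausible_fixes(sentences: List[str], max_speed_kn: float = 50.0) -> List[int]:
    """Indices of sentences whose fix implies a speed above max_speed_kn relative to
    the last *trusted* fix. A flagged fix never becomes the new anchor, so a spoofed
    position that persists keeps being flagged instead of becoming 'normal'.
    Malformed or void sentences are skipped, not flagged (assumption: the caller
    alerts on those separately)."""
    flagged: List[int] = []
    trusted: Optional[Fix] = None
    for i, s in enumerate(sentences):
        fix = parse_rmc(s)
        if fix is None:
            continue
        if trusted is not None:
            dt = fix.t - trusted.t
            if dt <= 0:
                continue  # clock went backwards: cannot judge, keep the anchor
            implied_kn = haversine_m(trusted, fix) / dt / 0.514444  # m/s -> knots
            if implied_kn > max_speed_kn:
                flagged.append(i)
                continue
        trusted = fix
    return flagged


# Constructed track: a ship making ~6 knots, then the receiver suddenly reports a
# point ~25 km away and holds there. Coordinates are arbitrary; the third sentence
# has a deliberately corrupted checksum so it is skipped rather than flagged.
_GOOD_1 = build_rmc("120000", 44.7200, 37.7700, 6.0)
_GOOD_2 = build_rmc("120010", 44.7202, 37.7703, 6.0)
_BAD_CHECKSUM = _GOOD_2[:-1] + ("0" if _GOOD_2[-1] != "0" else "1")
_SPOOFED_1 = build_rmc("120020", 44.5800, 38.0100, 0.0)
_SPOOFED_2 = build_rmc("120030", 44.5800, 38.0100, 0.0)
SAMPLE_SENTENCES = [_GOOD_1, _GOOD_2, _BAD_CHECKSUM, _SPOOFED_1, _SPOOFED_2]
```

Running `implausible_fixes(SAMPLE_SENTENCES)` returns the indices of the two spoofed sentences. On a real platform the threshold would come from the vessel's hull speed, and a receiver-reported speed over ground that disagrees sharply with the implied speed (0 knots claimed against a 25 km jump, as in the sample) is a second signal worth alerting on.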
APT33 goes after US and Saudi engineering and manufacturing targets
The Iranian state-associated threat actor APT33 (aka Elfin) has reportedly targeted unnamed engineering, manufacturing, and finance organizations in Saudi Arabia and the United States since February 2019. The group exploited a vulnerability in the popular archiver WinRAR (CVE-2018-20250, a path traversal flaw in its handling of the ACE archive format that lets a crafted archive write files outside the folder the user chose for extraction) via spearphishing emails carrying job vacancy lures. The targeting aligns with previous Iranian campaigns, which have sought to exfiltrate sensitive commercial information to support domestic economic investment and production. The flaw was fixed in WinRAR 5.70, which dropped ACE support entirely, so any older build still deployed remains exposed to this lure.
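As an added example (not WinRAR's code and not part of the original write-up), the following Python shows the generic control that closes off the vulnerability class behind CVE-2018-20250: an extractor must validate every member name against the destination directory before it writes anything. The destination path and the member names are constructed test data.

```python
"""Reject archive member names that would write outside the extraction directory.

Added example, not WinRAR's code. CVE-2018-20250 is a path-traversal bug of this
class in WinRAR's ACE handling; any extractor that trusts member names is exposed
to the same pattern. The member names below are constructed test data.
"""
import posixpath
import re
from typing import List, Optional, Tuple

_DRIVE_RE = re.compile(r"^[A-Za-z]:")  # 'C:evil.exe' or 'C:\...' style names


def safe_member_path(dest_dir: str, member: str) -> Optional[str]:
    """Return the normalised path where `member` may be written, or None to reject it.

    dest_dir is expected to be an absolute directory. Rules: treat both separator
    styles as separators (archives produced on Windows carry '\\'), refuse NUL
    bytes, refuse absolute and drive-relative names, drop empty and '.' components,
    and refuse any '..' component outright instead of trying to resolve it.
    """
    name = member.replace("\\", "/")
    if "\x00" in name or name.startswith("/") or _DRIVE_RE.match(name):
        return None
    parts = [p for p in name.split("/") if p not in ("", ".")]
    if not parts or ".." in parts:
        return None
    root = posixpath.normpath(dest_dir)
    target = posixpath.normpath(posixpath.join(root, *parts))
    # Defence in depth: whatever the component filter let through, the final
    # path must still sit under the extraction root.
    if posixpath.commonpath([root, target]) != root:
        return None
    return target


def vet_archive(dest_dir: str, members: List[str]) -> Tuple[List[str], List[str]]:
    """Split member names into (accepted target paths, rejected member names)."""
    accepted: List[str] = []
    rejected: List[str] = []
    for m in members:
        target = safe_member_path(dest_dir, m)
        if target is None:
            rejected.append(m)
        else:
            accepted.append(target)
    return accepted, rejected


# Constructed member names: two benign, four that try to escape the folder.
SAMPLE_MEMBERS = [
    "Job_Description.docx",
    "attachments/./photo.jpg",
    "..\\..\\Start Menu\\Programs\\Startup\\update.exe",  # traversal, Windows separators
    "C:\\Windows\\Tasks\\update.job",                      # absolute path with drive letter
    "/etc/cron.d/update",                                  # absolute path, POSIX style
    "attachments/../../update.exe",                        # traversal after a benign prefix
]
```

`vet_archive("/tmp/extract", SAMPLE_MEMBERS)` accepts only the first two names. Rejecting any `..` component, rather than normalising it away, is deliberate: a name like `attachments/../photo.jpg` would resolve safely, but there is no legitimate reason for an archive to contain it, and refusing it removes the need to reason about normalisation corner cases.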
Earl Enterprises restaurants affected by point of sale malware
Restaurant brands owned by the United States-based hospitality company Earl Enterprises Inc were targeted with POS malware between 23 May 2018 and 18 March 2019 by an unknown threat actor. The malware was used to steal customer payment card data, which reportedly included credit and debit card numbers, expiration dates, and cardholder names. Earl Enterprises did not disclose how many locations or customers were affected, but a separate third-party report indicated that as many as two million card records from one of the affected brands were likely compromised, as they were detected for sale on criminal marketplaces.
Watering hole attacks aimed at South Korean websites