Threat Intelligence / ShadowTalk Update – 5.06.19

ShadowTalk Update – 5.06.19

ShadowTalk Update – 5.06.19
Digital Shadows Analyst Team
Read More From Digital Shadows Analyst Team
May 13, 2019 | 4 Min Read

Kacey and Alex join HVR this week to talk through the key stories this week including a new threat group called “Mirrorthief” conducting “Magecart”-like digital skimming attacks against university websites, various code-sharing repositories being targeted and held for ransom by an unknown threat actor; and new ransomware, “Sodinokibi”, which used a zero-day vulnerability in Oracle WebLogic. Simon Hall and Dr. Richard Gold then join to dive deeper into the “Buckeye” APT group, which has recently been said to develop its own version of a tool that was likely created by the U.S. National Security Agency (NSA) prior to being leaked by the “ShadowBrokers” in 2017.

Highlights from the week include a new threat group called Mirrorthief, which has been conducting “Magecart”-like digital skimming attacks against university websites; various code-sharing repositories being targeted and held for ransom by an unknown threat actor; and new ransomware, “Sodinokibi”, which used a zero-day vulnerability in Oracle WebLogic.


Chinese APT group used Equation Group tool before 2017 leak

Cyber attacks in Europe and Asia during 2016 were recently attributed to the Chinese advanced persistent threat (APT) group APT3. The group allegedly used a variant of a tool that was initially reportedly created by the United States NSA.  Because this tool was only leaked from the NSA in 2017, the attacks indicate that APT3 had used it at least a year earlier. It is likely that the group members were able to build the tool variant using components from the network traffic of a United States attack against Chinese infrastructure. Although APT3 has reportedly been inactive since 2017, it is possible that another Chinese group has, or will, adopt and continue to develop the same tool; Chinese APT groups are known to share tools and infrastructure.

 Mirrorthief makes debut with digital skimming on online university stores

Security researchers have identified a new threat group, Mirrorthief, which has been observed conducting attacks on 201 university store payment webpages in the United States and Canada. The attackers injected malicious skimming scripts into the shared JavaScript libraries of sites using the e-commerce platform PrismWeb. Card payment and personal information was reportedly compromised for an unspecified number of customers. Although these attacks showed similarities with activity attributed to the Magecart threat umbrella, it is not known whether these two groups are linked. Digital skimming is likely to remain a popular attack vector over the next 12 months.

Code-sharing repositories on 3 platforms held for ransom

On 02 May 2019 developers of the code-sharing platforms GitHub, GitLab, and Bitbucket reported that at least 1,000 repositories had been compromised by an unknown threat actor. The repositories were reportedly deleted, and their contents replaced with a ransom note demanding payment of 0.1 in Bitcoin (BTC 0.1; USD 564.46). The attacker(s) threatened to make the victims’ code public if the demand was not met. How the attacker/s gained access to the repositories is not known, but the hosting services have reported that it is likely credentials were inadvertently exposed via configuration files. As a result, it is likely these attacks were opportunistic. Although the full impact of this attack cannot yet be assessed, affected users were reportedly able to restore their repositories via a backup.

Zero-day vulnerability exploited by Sodinokibi ransomware

On 30 Apr 2019 security researchers reported on the new ransomware Sodinokibi, which used a zero-day vulnerability in the Oracle WebLogic application server (now tracked as CVE-2019-2725) and enabled attackers to bypass victim interaction to allow the malware to run on a target device. In addition to encrypting victims’ data, Sodinokibi targeted and attempted to delete default Windows backup mechanisms to prevent the victims from recovering their data. At the time of writing, the threat actor(s) responsible, as well as their target geography, have not been publicly reported. The specific use of a zero-day vulnerability indicates a higher level of sophistication than seen with typical ransomware campaigns. Details of additional attacks targeting CVE-2019-2725 will likely be reported over the next three months.


For more details, read the full Weekly Intelligence Summary here:

Weekly Intelligence Summary 02 May - 09 May 2019
To stay up to date with the latest from Digital Shadows, subscribe below.