Go Back

ShadowTalk Update – Avast Breach Attempt, NordVPN Breach, and Wifi Security Risks

October 25, 2019
ShadowTalk Update – Avast Breach Attempt, NordVPN Breach, and Wifi Security Risks

We’ve got all 3 ShadowTalk hosts in Dallas this week: Harrison Van Riper, Viktoria Austin, and Alex Guirakhoo.

The team first looks at Avast, which encountered a cyber espionage attempt. Then NordVPN announced that a hacker had breached servers used by NordVPN. And finally Dr. Richard Gold put out a new blog this week on dispelling the myths around using public wifi, so the team helps summarize some of the key points.

Listen below 👇👇👇

 

Updates from this week’s Intelligence Summary

  • In the spotlight this week: Russia-linked threat group “Turla” was reported to be using cyber-attack tools associated with Iran-linked threat group “APT34”, in conjunction with Turla’s own tools. Using tools from another state-linked group means Turla could conduct false-flag operations in the mid- to long-term future (3 months to beyond 12 months).
  • Weekly highlights include a campaign dubbed Operation Ghost being linked to “APT29”, targeting foreign-affairs entities in Europe; the “Winnti” threat group umbrella using a previously undocumented backdoor, known as skip-2.0; and the “Gustuff” banking trojan receiving an update.

 

Russia-linked Turla attacks with tools traced to Iran’s APT34

The United Kingdom’s National Cyber Security Centre (NCSC) and the United States’ National Security Agency (NSA) have warned that the Russia-linked threat group Turla is carrying out attacks using tools and infrastructure associated with the Iran-linked APT34 group. The tools include malware implants known as Neuron and Nautilus. The source code of some of APT34’s tools was leaked on Telegram in April 2019, but Turla―being highly capable and having conducted sophisticated attacks―is probably able to source or create tools without harvesting them from a leak; it has not been confirmed how they obtained APT34’s tools. Regardless, their access to these tools suggests that Turla will likely conduct false-flag operations, inviting erroneous attribution to the tools’ original developers.

 

APT29’s Operation Ghost haunts European foreign-affairs entities

On 17 October 2019 security researchers linked a campaign dubbed Operation Ghost to the Russia-linked threat group APT29. Operation Ghost targeted foreign-affairs entities in at least three countries in Europe, as well as the embassy of an EU member state in Washington, DC. Three new malware types, tracked as “PolyglotDuke”, “RegDuke”, and “FatDuke”, were used in the operation, suggesting that APT29 continues to develop malware and compromise high-value targets.

 

Winnti threat groups slams backdoor on Microsoft SQL

Security researchers reported on previously undocumented backdoor malware, skip-2.0, that has been used by the Winnti threat group umbrella. The backdoor targets Microsoft SQL (MSSQL) Server 11 and 12. It allows attackers to maintain a discreet foothold in a compromised organization, by allowing attackers to connect to any MSSQL account and automatically hiding the user sessions from connection logs.

 

Gustuff banking trojan updated but sticking with SMS-led infections

The latest version of the banking trojan Gustuff no longer contains hard-coded package names: an update that diminishes the static footprint of the malware’s activity. Gustuff now includes a scripting engine that allows an operator to execute JavaScript against Android devices. However, the trojan continues to rely on malicious SMS messages to infect users. Gustuff was first detected targeting financial institutions in Australia.

 

 

For more details, read the full Weekly Intelligence Summary here:

Weekly Intelligence Summary 17 Oct - 24 Oct 2019

And to stay up to date with the latest from Digital Shadows, subscribe below.