ShadowTalk Update – BlueKeep Attacks, Megacortex Ransomware, and Web.com Breach
November 11, 2019
This week the London team looks at the following stories:
- BlueKeep Exploit Could Rapidly Spread
- Megacortex Ransomware Changes Windows Passwords
- Japanese Media Company Nikkei – $29 million lost to BEC scam
- Web.com Breach
- 21 million employee accounts for Fortune 500 companies offered on the dark web
Updates from this week’s Intelligence Summary
- In the spotlight this week: A string of data breach incidents affecting seemingly smaller organizations has underlined the need for all companies, regardless of size, to take a proactive security stance rather than relying on reactive responses.
- Weekly highlights include: The “Trik” botnet was observed distributing the “Nemty” ransomware; a cryptocurrency mining campaign highlights the first successful exploitation of the “BlueKeep” vulnerability in the wild; “APT41” has a new tool in their arsenal.
Breached company details spread across open, dark web
More than 21 million login credentials and accounts were recently identified as being advertised for sale across various platforms, including dark web marketplaces, sourced from some of the most established Fortune 500 organizations. Digital Shadows frequently identifies data breaches affecting small and mid-sized organizations. Most media reports focus on dark web activity, but open-source platforms often house the greatest volume of compromised information and data sets. Despite the prevalence of data breaches and exposed credentials, many companies still rely predominantly on reactive measures to contain the level of data exposure. In contrast, a proactive approach is arguably more suitable, and could even be an effective means of preventing a breach.
Trik distributes Nemty ransomware
In November 2019, the Trik (aka Phorpiex) botnet delivered the Nemty ransomware primarily to individuals within the People’s Republic of China (PRC), Korea, and the United States. Trik’s delivery methods are not overly sophisticated compared to other targeted attack methods, as the botnet relies on the Server Message Block (SMB) protocol and a list of weak, hardcoded credentials to remotely connect over port 139. Nemty has received several updates since its first recorded use in August 2019. Although Nemty’s delivery mechanism and the malware itself are unsophisticated, cyber security awareness remains a significant problem for organizations, which continues to give Nemty and Trik opportunities for successful infections.
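As an added illustration of the detection side of the Trik pattern described above (one source making many failed SMB network logons against many hosts using weak account names), the script below flags such sources in Windows 4625 failed-logon records. This is example code added here, not code from the original post or from Digital Shadows; the CSV export format, the sample records and the thresholds are assumptions.

```python
"""Flag Trik-style SMB credential spraying: one source IP producing many
failed network logons (Windows event 4625, logon type 3, which SMB/port 139
authentication failures generate) across many hosts in a short window."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export, not real telemetry. Assumed column layout:
# timestamp,event_id,logon_type,target_host,source_ip,username
SAMPLE_LOG = """\
2019-11-08T10:00:01,4625,3,FS01,10.0.5.23,administrator
2019-11-08T10:00:02,4625,3,FS01,10.0.5.23,admin
2019-11-08T10:00:03,4625,3,FS02,10.0.5.23,administrator
2019-11-08T10:00:04,4625,3,FS03,10.0.5.23,guest
2019-11-08T10:00:05,4625,3,WS17,10.0.5.23,test
2019-11-08T10:00:06,4625,3,WS18,10.0.5.23,123456
2019-11-08T10:00:40,4625,2,WS04,10.0.9.8,jsmith
2019-11-08T10:01:10,4625,3,FS01,10.0.9.8,jsmith
"""


def parse(log_text):
    """Yield (timestamp, event_id, logon_type, host, source_ip, user) tuples."""
    for line in log_text.splitlines():
        ts, eid, ltype, host, src, user = line.split(",")
        yield datetime.fromisoformat(ts), int(eid), int(ltype), host, src, user


def find_smb_spray(log_text, window=timedelta(minutes=5), min_hosts=3, min_attempts=5):
    """Return {source_ip: (distinct_hosts, attempts, usernames)} for sources whose
    failed network logons hit >= min_hosts hosts with >= min_attempts in `window`."""
    events = defaultdict(list)
    for ts, eid, ltype, host, src, user in parse(log_text):
        if eid == 4625 and ltype == 3:          # failed logon over the network
            events[src].append((ts, host, user))
    hits = {}
    for src, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):             # sliding time window over events
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            hosts = {h for _, h, _ in win}
            if len(win) >= min_attempts and len(hosts) >= min_hosts:
                hits[src] = (len(hosts), len(win), sorted({u for _, _, u in win}))
    return hits
```

Interactive logons (type 2) and isolated failures from a single source are ignored, so an ordinary mistyped password does not trip the rule.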
BlueKeep facilitates cryptocurrency campaign
A new cryptocurrency mining campaign is using the Microsoft Remote Desktop Protocol (RDP) BlueKeep vulnerability to deliver an unnamed cryptocurrency miner. Previously, only proof of concept (PoC) attacks had demonstrated the potential impact of successful BlueKeep exploitation; this instance is the first confirmed exploitation in the wild. Fortunately, the attack does not exploit BlueKeep’s self-propagating (wormable) features, and patches are available for BlueKeep in Microsoft’s latest Windows versions; updating systems that use RDP likely mitigates compromises that attempt to exploit it.
APT41 is back with new malware
The PRC-associated APT41 threat group has added a new tool to their arsenal called MessageTap. This malware monitors and harvests SMS message traffic from targeted phone numbers, as well as call data records; it was observed in attacks targeting the telecommunications sector in August 2019. This type of information is highly lucrative for state-associated threat actors that conduct surveillance and espionage operations globally, and targeting telecommunications organizations likely provides the platform for this. MessageTap itself is most effective in highly targeted attacks and requires separate initial access before it can be executed.
For more details, read the full Weekly Intelligence Summary here: