In this week’s episode, Viktoria is joined by Kim, Dylan and Demelza to discuss:

  • Ransomware negotiations between CWT and cyberattackers
  • Impact and severity of passwords leaked for 900+ pulse secure enterprise servers to criminal forum
  • The Ghostwriter/disinformation campaign overview: series of disinformation campaigns, aligned to Russian security interests – activity and attribution
  • EU issues first sanctions against Russian and Chinese cyber actors: Impact, effectiveness and reasoning behind this

Listen below 👇👇

Analysis reveals active attack server used by Maze affiliate

On 22 Jul 2020, security researcher analysis revealed that an active attack server had been used by a threat-actor affiliate of Maze ransomware operations. Reportedly the Maze affiliate gained initial access by using an infected system with remote desktop protocol opened to the Internet for scanning. They then looked for other systems and mapped out the network before using an unnamed loader to distribute the Maze ransomware. Observations indicated that the threat actor used the following tools: GMER, Mimikatz, Metasploit, Cobalt Strike, PowerShell, AdFind, Koadic, and PowerShell Empire.

Cyber-mercenary group Deceptikons uncovered

On 29 Jul 2020, security researchers reported on hacker-for-hire group “Deceptikons”, which has provided hacking services for almost a decade. The cyber-mercenary group’s targeting of commercial entities―specifically, targets not involved in government―is unusual for an APT group. Deceptikons was likely responsible for a spearphishing attack on multiple European law firms in 2019, deploying PowerShell scripts and using modified link files to compromise systems and execute a PowerShell backdoor. The group is not considered technically advanced, but the infrastructure and malware it uses focuses on gaining persistence on infected hosts.

US government bodies warn of Chinese Taidoor malware

On 03 Aug 2020, the US Department of Homeland Security, Department of Defense, and FBI published a joint alert regarding a malware variant that has been used by threat actors linked to the People’s Republic of China. According to the government agencies, the “Taidoor” RAT has been used in attacks since 2008, and has specifically targeted entities having an interest in Taiwan. The malware was allegedly distributed through spearphishing emails containing malicious attachments.

Weekly Intelligence Summary 07 August 2020