This week Alex and Jamie chat with Harrison about a cyber-threat campaign involving the abuse of legitimate features in Google Calendar. Then they dive into other highlights from the week, including the expansion of sector targeting by destructive threat group “Xenotime”, exploitation of a vulnerability affecting Exim email servers, and continued targeting of the transportation sector by the Iran-associated threat group “APT39”.
Then we hear Part II of Rick Holland and Harrison’s interview with Ryan Kovar of Splunk. This time they talk about badass women in cybersecurity, mentorship, and how to become a bigger advocate for diversity in infosec.
Highlights from the week: the expansion of sector targeting by destructive threat group “Xenotime”, exploitation of a vulnerability affecting Exim email servers, and continued targeting of the transportation sector by the Iran-associated threat group “APT39”.
Abuse of legitimate services persists despite mitigation
A recent phishing campaign exploited features in the Google Calendar service to harvest Gmail users’ personal and financial information, highlighting an ongoing trend of cybercriminals abusing legitimate services. Millions of Internet users rely on readily available legitimate tools like Google Calendar, providing attackers with a broad selection of individual and organizational targets. In the face of increased security awareness and more effective technical countermeasures, threat actors have adapted to exploit users’ trust in online services. This has boosted the likelihood of successful attacks, including ones that incorporate tried and tested tactics from traditional social engineering campaigns.
Xenotime threat group extends attack focus to electric utilities
The Xenotime threat group, which previously focused attacks on the oil-and-gas sector, has been conducting reconnaissance operations against electric utility companies. This activity, ongoing since February 2019, has focused on organizations in the United States and the Asia-Pacific region. It is potentially an extension of a broader campaign against the energy sector that was first detected in late 2018. Xenotime’s attacks include a destructive element, seeking to disable critical infrastructure and cause widespread disruption. It is realistically possible that this reconnaissance activity is a precursor to a future attack.
Exim email servers targeted with malicious scripts
Two threat groups have actively targeted a flaw affecting Exim email servers, which account for 57 percent of all Internet email servers. The “Return of the Wizard” flaw allows attackers to send emails with malicious scripts to vulnerable Exim servers and insert post-exploitation scripts that provide root access via SSH. Because of the ubiquity of Exim servers, this flaw is likely to be targeted in additional attacks. System administrators should upgrade to Exim version 4.92 to mitigate attacks.
APT39 goes after more transportation entities with espionage operations
The Iran-associated threat group APT39 has continued to conduct cyber espionage operations against transportation companies, likely to bolster surveillance of individuals. The identities of the targeted victims are not known, but the activity aligns with previously reported APT39 activity, and that group typically conducts espionage in the Middle East against transportation, government, technology, and aerospace companies. The Iranian government has recently been accused of (and vehemently denies) conducting sabotage attacks on oil tankers in the Gulf of Oman. Considering the geo-political tensions involving Iran, the United States, and alleged sabotage attacks on oil tankers, attention to Iranian cyber activity will likely increase in the immediate future (next few weeks), particularly as groups like APT39 are targeting transportation entities.
For more details, read the full Weekly Intelligence Summary here: