ShadowTalk Update – Jingle Bell Ryuk: NOLA Ransomware, Ring Doorbells, and 2020 Predictions
December 23, 2019
CISO Rick Holland joins our ShadowTalk hosts (Viktoria, Alex, and Harrison) for our holiday special! This week the team covers:
- Ring Doorbell security
- New Orleans victim of Ryuk Ransomware
- Predictions for 2020 in cybersecurity
- A lightning round of holiday questions
Thanks to all of you listeners for tuning in each week in 2019! We’ve had a blast chatting each week across the globe, and we’re looking forward to another great year of ShadowTalk in 2020.
Updates from this week’s Intelligence Summary
- In the spotlight this week: Despite a decline in overall exploit kit activity during 2018 and 2019, several new variants have emerged with new techniques and a geographical focus, making them likely to retain their threatening potential in a shifting cyber-threat landscape.
- Weekly highlights include: A phishing campaign sought to capture the credentials of international government procurement companies, the “Ryuk” ransomware was likely involved in an attack against the City of New Orleans, and the “Gallium” group has been named as responsible for targeting telecommunications providers.
Down but not out―exploit kits cling to their threat potential
The new exploit kit “BottleEK” has been observed performing geo-location checks during its infection process, to specifically target Japan-based users. BottleEK is one of several exploit kits to emerge during 2019, despite a recent decline in exploit kit use by threat actors brought on by improved patching responses and attackers’ preference for other infection vectors. The new kits are unlikely to prompt a significant popularity revival, but the persistence of several of them, the creation of new variants, and the evolution of some techniques points to exploit kits remaining a credible threat for individuals and organizations worldwide.
Threat actors go after government procurement service credentials
A now-inactive phishing campaign was identified targeting international government procurement services using emails that masquerade as various government departments, email services, and third-party couriers. The messages contained documents with links to spoofed login pages seeking to capture user credentials. The domains that redirected the victims to the spoofed pages were legitimate, and were likely used to lend an air of trustworthiness.
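The pattern described above, a link on a legitimate domain that forwards the reader to a spoofed login page on a different host, is something a mail gateway or analyst can triage mechanically. The following is an added example written for this page, not code from the podcast or from Digital Shadows: it pulls the links out of a constructed sample message, looks for a second absolute URL embedded in each link's path, query or fragment, and flags links whose embedded target sits on a different host than the link itself. The sample message, the placeholder domains and the "trusted hosts" list are all assumptions made for the example.

```python
"""
Added example (not part of the original page): triage email links for the
"legitimate domain forwards to a different host" phishing pattern.
The heuristic, sample message and domain names are constructed for this example.
"""
import re
from typing import Dict, List
from urllib.parse import urlparse, unquote

# Matches absolute http/https URLs in free text (stops at whitespace and quote/bracket characters).
URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed sample message imitating the campaign's themes (procurement portal, courier).
SAMPLE_EMAIL = """Dear supplier,
Your tender documents are ready: https://portal.gov-procurement.example/redirect?url=https%3A%2F%2Flogin-verify.example%2Fsso
Track your courier parcel at https://courier.example/track?id=12345
Regards, Procurement Office
"""

# Hosts the receiving organisation would normally treat as trustworthy (assumption for the example).
TRUSTED_HOSTS = {"portal.gov-procurement.example", "courier.example"}


def extract_urls(text: str) -> List[str]:
    """Return every absolute http(s) URL found in the message body."""
    return URL_RE.findall(text)


def embedded_hosts(url: str) -> List[str]:
    """Return hosts of any absolute URLs embedded (possibly percent-encoded) inside the URL's
    path, query string or fragment, which is where redirect endpoints usually carry their target."""
    parsed = urlparse(url)
    hosts = []
    for piece in (parsed.path, parsed.query, parsed.fragment):
        for inner in URL_RE.findall(unquote(piece)):
            host = urlparse(inner).netloc.lower()
            if host:
                hosts.append(host)
    return hosts


def triage_links(urls: List[str], trusted_hosts) -> List[Dict[str, object]]:
    """Flag links whose embedded target host differs from the outer host.
    A trusted outer host that forwards elsewhere is exactly the case the campaign relied on."""
    findings = []
    for url in urls:
        outer = urlparse(url).netloc.lower()
        for inner in embedded_hosts(url):
            if inner != outer:
                findings.append({
                    "url": url,
                    "outer_host": outer,
                    "forwards_to": inner,
                    "outer_trusted": outer in trusted_hosts,
                })
    return findings


if __name__ == "__main__":
    for finding in triage_links(extract_urls(SAMPLE_EMAIL), TRUSTED_HOSTS):
        print(f"{finding['outer_host']} (trusted={finding['outer_trusted']}) "
              f"forwards to {finding['forwards_to']}: {finding['url']}")
```

A flagged link is a candidate for review, not a verdict: legitimate single sign-on and newsletter tracking links also embed target URLs. What makes the result useful is the `outer_trusted` field, because a trusted domain forwarding to an unfamiliar host is the combination that lets these messages pass a reader's (and sometimes a filter's) domain check.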
Attack on City of New Orleans probably used Ryuk
A malicious executable uploaded to the open-source analysis tool VirusTotal on 14 Dec 2019 contains references to the City of New Orleans and the ransomware variant Ryuk, indicating this variant was likely involved in a recent attack on services within the United States city. Ryuk has previously been dropped by the trojans “Emotet” and “TrickBot”, but it has not been established whether either of these trojans was involved in this particular attack.
Telecommunications providers victimized by newly identified Gallium
Microsoft has identified the recently named threat group Gallium as the perpetrators of a cyber-threat campaign targeting telecommunications providers from 2018 to mid-2019. Gallium reportedly secured initial access by exploiting flaws in Internet-facing services, and deployed publicly available tools to move laterally within compromised networks. The techniques were relatively unsophisticated, but the scale of the campaign signifies great intent and operational capability.