ShadowTalk Update – Magecart Five Widens Attack Vectors, Suspected Chinese Threat Actor Targets Airbus Suppliers, and Tortoiseshell Developments
October 4, 2019
Coming to you from London this week, Jamie Collier, Philip Doherty, and Josh Poole join Viktoria Austin for our weekly threat intelligence updates. The team kicks off with a discussion around the top story of the week – Magecart Five Widens Attack Vectors.
Listen below 👇👇👇
Updates from this week’s Intelligence Summary
- In the spotlight this week is a variety of new attack methods demonstrated by “Magecart Five”. The threat group is probably testing them out, and will highly likely implement the most successful methods in future operations. These developments highlight a broader trend related to members of the Magecart umbrella, which have evolved and integrated multiple new tactics, techniques, and procedures (TTPs) into their attacks during the past year.
- Weekly highlights include: a suspected Chinese threat group, which may have been “APT10”, attacked European suppliers of aerospace company Airbus; the “Tortoiseshell” threat group targeted United States military veterans; and a newly identified malware variant, dubbed Nodersok, was detected.
Broader Magecart Five attack vectors could hit bigger victim base
Suspected Chinese threat actor targets Airbus suppliers
A suspected Chinese cyber threat actor―APT 10 (aka Stone Panda) is a realistic possibility―targeted European suppliers of the aerospace company Airbus during the past 12 months, reportedly in an attempt to obtain commercial secrets. They conducted at least four attacks, targeting: technical documents linked to the certification process for Airbus aircraft, documents related to the turboprop engines used on the Airbus military plane A400M, the propulsion systems for the Airbus A350 passenger jet, and the avionics systems controlling that jet. Reporting did not provide extensive technical details, but did state that the attackers targeted the VPNs of supplier companies connected to the Airbus network.
Tortoiseshell lures American military-veteran job seekers
The threat actor Tortoiseshell targeted United States military veterans by creating a veteran hiring website that spoofed the legitimate United States Chamber of Commerce website. The illegitimate site prompted users to install a desktop application that contained malware. Tortoiseshell was recently reported to have targeted IT organizations in the Middle East; this latest incident indicates that the group has expanded to a wider range of sectors and geographies.
New Nodersok fileless malware attacks healthcare and other sectors in US, Europe
A recent attack campaign, affecting United States and European education, professional services, and healthcare victims, delivered the newly identified malware variant Nodersok. This is a type of fileless malware that uses LotL binaries to infect machines. Researchers suspect that malicious browser advertisements were used to distribute the malware. Once the payload was executed, Nodersok attempted to disable virus detection software. This incident highlights the growing popularity of fileless malware techniques during the past year.
For more details, read the full Weekly Intelligence Summary here: