Kacey and Alex join Harrison to walk through this week’s threat intelligence stories. Alex walks us through the highlight story this week: TA505 uses new tools, old tactics in global attacks. Kacey then digs into the zero-day vulnerability identified in Zoom’s macOS software. We also discuss new Magecart activity, the Sodinokibi ransomware, and what our ShadowTalk-ers would name their own ransomware.
Listen below 👇👇👇
We also had a deep dive conversation this week on Marriott facing GDPR fines with co-founder and Data Privacy Officer, James Chappell, and CISO, Rick Holland. Listen below 👇👇👇
Marriott Faces GDPR Fines – A DPO and CISO Discussion
Weekly highlights include: a new zero-day vulnerability identified in the macOS version of the popular video-conferencing application Zoom; a new campaign attributed to the “Magecart” threat umbrella, which has compromised 962 online stores using automated techniques; and new features in the “Sodinokibi” ransomware that allow it to exploit a Windows vulnerability to conduct privilege escalation.
TA505 uses new tools, old tactics in global attacks
The financially motivated threat group TA505 was recently named as responsible for a widespread, ongoing cyber attack campaign that incorporates old tactics but new tools. “AndroMut” and “FlowerPippi” are two previously unseen malware variants that have facilitated the group’s activity, but the final payload in most attacks has been the “FlawedAmmyy” remote-access trojan (RAT), which TA505 has used repeatedly since 2018. Although these recent attacks used new tools, initial infection methods were largely limited to classic phishing tactics. An overwhelmingly common tactic, email phishing is used by unsophisticated threat actors and highly capable advanced persistent threat (APT) groups alike. Having demonstrated consistent effectiveness, it will likely continue to be used in the long term (beyond one year).
Zero-day vulnerability identified in Zoom’s macOS software
On 08 Jul 2019 security researchers publicly disclosed a vulnerability affecting the macOS version of the Zoom video-conferencing application. The vulnerability reportedly allows anyone to forcibly join another user’s Zoom call and activate their video camera without their permission. A preliminary patch for this vulnerability was released on 26 Mar 2019. There is no indication that the vulnerability has been exploited in the wild, but proof of concept exploits have been published, making it realistically possible that threat actors will attempt to exploit the vulnerability over the next few weeks.
New automated Magecart campaign compromises 962 e-commerce stores
Security researchers have reported a new campaign attributed to the Magecart threat umbrella, which has successfully compromised 962 online stores using automated techniques. The data compromised reportedly includes complete customer credit card data, full names, telephone numbers, and physical addresses. The affected entities have not been named, but are reportedly small-scale organizations. Magecart groups 2, 4, 5, and 7 have all previously targeted small entities opportunistically, but there is a realistic possibility that other Magecart groups have changed operational methods and are conducting this new campaign.
Sodinokibi ransomware feature elevates Windows vulnerability for privilege escalation
The Sodinokibi (aka Sodin) ransomware has recently been observed targeting unidentified organizations in the Asia-Pacific region, including Taiwan, Hong Kong, and South Korea. New features allow Sodinokibi to elevate Windows privileges to the highest level by exploiting CVE-2018-8453 and using legitimate processer functions to avoid detection. Privilege escalation is uncommon in ransomware and highlights the sophisticated nature of Sodinokibi and its developers. This ransomware has previously been used to target customers of managed service providers and has also reportedly uninstalled antivirus products to avoid detection. Future Sodinokibi campaigns incorporating increasingly sophisticated tactics are likely over the next 3 to 12 months.
For more details, read the full Weekly Intelligence Summary here:
And to stay up to date with the latest from Digital Shadows, subscribe below.