ShadowTalk Update – Maze Ransomware Infiltrates Cognizant, Czech NCISA Warning, And Third Party Risk Assessment

Digital Shadows Analyst Team
April 27, 2020 | 3 Min Read

Alex, Kacey, Charles, and Harrison host this week’s ShadowTalk for threat intel updates including Maze ransomware updates, a warning of an imminent threat from the Czech NCISA, priorities for third party risks assessments, and the Nulled Cracking Forum going mobile.

Finally, Harrison passes the torch to Alex for hosting ShadowTalk. We’ll miss you, HVR!


Maze ransomware infiltrates IT company Cognizant

On 18 Apr 2020 cyber-security researchers reported that the IT company Cognizant was targeted by a ransomware attack using the Maze variant. Cognizant provides IT services to many firms, and it is likely that any disruption to its internal network caused by ransomware would have also affected its clients. The Maze variant’s developers reportedly denied involvement in the attack, although forensic data indicates that Maze infrastructure was used in the attack. Maze operators have previously threatened to publish stolen data, but in this case it is not clear whether data was stolen from Cognizant. Maze has been highly prevalent during 2020, and will very likely remain so in the short-term future.

Winnti Group behind South Korean, German company breach attempts

On 20 Apr 2020 security researchers reported that the Chinese state-associated threat umbrella “Winnti Group” was responsible for attempting to breach the internal network of the South Korean gaming company Gravity, as well as an unnamed German chemical company. Winnti Group is an advanced, persistent threat collective that employs sophisticated tooling to maximise the impact of its operations. Given its association with the Chinese state, Winnti Group likely carried out the attacks to gather information that could give the state a competitive advantage or erode a rival’s. The threat umbrella has been linked to previous attacks on German and South Korean entities; further attempts are realistically possible in the short-term future and likely in the mid-term future (next three to six months).

Nulled forum user shares file to help target Zoom users

On 01 Apr 2020 a user of the English-language cracking forum Nulled shared a configuration file that can be deployed in credential stuffing attacks against the Zoom videoconferencing software to steal meeting URLs, meeting IDs, and host keys. The file contained source code for use with the credential stuffing tool “OpenBullet” to target virtual meetings hosted on Zoom. It is realistically possible that attackers will attempt to use this method to gain access to Zoom meetings in the short-term future. Some cracking forums have recently revised their forum rules to prohibit the uploading and sharing of threads that disclose Zoom meeting IDs and email addresses.

For more details, read the full Weekly Intelligence Summary:

Weekly Intelligence Summary 24 Apr 2020

