ShadowTalk Update – More BlueKeep updates, FSB contractor hacked, and the Enigma Market
July 29, 2019
Christian and Travis sit down with Harrison to discuss even more BlueKeep updates since last week, as a technical presentation gets uploaded to Github, inching us closer to a full-blown public PoC. The breach and subsequent release of documents from a contractor working with Russia’s FSB intelligence services, and research from the Digital Shadows team about a new marketplace we’ve had our eye on for a few months called Enigma.
Listen below 👇👇👇
Weekly highlights include: The notorious “Pegasus” spyware is reportedly capable of targeting information held on cloud servers, the Federal Bureau of Investigation (FBI) has released master decryption keys for the “GandCrab” ransomware, and the threat group “Magecart” has used servers in a conflict zone to hinder law-enforcement efforts to stop their attacks.
Contractor breach exposes Russian surveillance projects
The networks of a contractor for Russia’s national intelligence service, the FSB, were compromised by a cyber threat actor known as 0v1ru$, who stole 7.5TB of files and defaced the contractor’s website. These files included details of private projects developed on behalf of the Russian government, which can enable online surveillance and espionage activity. The projects theoretically enable the monitoring of individual email accounts, collection of information on users of various social networking platforms, and the penetration and monitoring of certain peer-to-peer networks. The information was shared with another threat group known as Digital Revolution, which previously claimed responsibility for a cyber attack on a Russian research institute in 2018.
Pegasus spyware capable of targeting cloud servers
The “Pegasus” spyware of NSO Group, an Israeli technology firm focused on cyber intelligence, can reportedly identify, harvest, and exfiltrate device data, location information, and personally identifiable information from cloud servers. This includes the cloud servers of Apple, Google, Facebook, Amazon, and Microsoft. Pegasus works to clone the authentication keys of services, bypassing two-factor authentication by impersonating the target’s device. NSO Group denies the existence of these capabilities, which would likely be in direct conflict with the European Union’s General Data Protection Regulation and represent an increased surveillance capability.
Master decryption keys released for GandCrab ransomware
The FBI has publicly released the master decryption keys for the GandCrab ransomware, enabling individuals and organizations infected by versions 4, 5, 5.0.4, 5.1, and 5.2 of the ransomware to recover encrypted files. Since 2018 GandCrab has been one of the most active ransomware variants, offered as a ransomware-as-a-service and also used in big game hunting. The threat actors who developed GandCrab recently claimed to have ceased operations, so unless the ransomware’s source code is leaked, any new versions of GandCrab are highly unlikely to be released in the wild.
Magecart uses bullet-proof hosting provider in conflict zone
A new campaign attributed to Magecart threat umbrella group involved servers in the Luhansk region of Ukraine that were hosted by a so-called bullet-proof hosting provider. Such providers rent out servers that are difficult for law-enforcement officials to take offline, such as in countries where legal jurisdiction has less influence or, in this case, in a conflict zone. This provides longevity for attacks, and Magecart has continuously demonstrated high persistence and activity levels to date.
For more details, read the full Weekly Intelligence Summary here:
And to stay up to date with the latest from Digital Shadows, subscribe below.