ShadowTalk Update – More Sodinokibi Activity, Imperva Breach, and Weirdest Food at the Texas State Fair
September 2, 2019
CISO Rick Holland and Alex Guirakhoo join Harrison Van Riper this week to talk through more Sodinokibi activity. Just yesterday, a cloud hosting provider for Digital Dental Records was hit with Sodinokibi, apparently affecting around 400 different dental providers around the US. It seems like were hearing about more and more people actually paying out these ransom demands. Do we think it’s just a reporting bias or do we think they’re actually paying out more often?
Then the team looks at the Imperva breach, where its Incapsula Web Application Firewall product was inadvertently exposing some data, including email addresses, hashed and salted passwords, API keys and SSL certificates.
Google’s Project Zero also discovered a series of 0-day exploits being actively used in the wild targeting iPhones. The team discuses how this will factor into risk models moving forward.
We close out with everyone’s top (and weirdest) choices at the Texas State Fair. Yummmmm.
Listen below 👇👇👇
Updates from this week’s Intelligence Summary
Weekly highlights include: A new campaign by the “Gamaredon” group may have targeted Ukrainian government bodies, a new ransomware variant dubbed Nemty was likely distributed through compromised remote desktop protocol (RDP) connections, and “TA505” conducted multiple campaigns against unnamed finance entities.
Foreign ministry, think tank attacks likely linked to North Korea
Security researchers identified a new campaign of cyber attacks on foreign-affairs entities and think tanks across the Europe and Asia Pacific regions, which was likely associated with North Korea. The campaign was initially revealed through a fake website, masquerading as the legitimate login page of the French Ministry of Europe and Foreign Affairs (MEAE). The site’s infrastructure, and the tactics, techniques, and procedures (TTPs) the attackers used, were previously associated with North Korean threat actors. The motive of the campaign was unclear, but the attackers probably sought information related to nation-state nuclear policies and programs, suggesting a cyber espionage operation.
Gamaredon spearphishing emails likely aimed at Ukrainian government entities
Security researchers reported on a new spearphishing campaign conducted by the threat group Gamaredon, which has probably targeted Ukrainian law-enforcement and government agencies. The group delivered malicious Russian-content documents that referred to ongoing military conflict in Ukraine. When the malicious documents were opened, an executable script began downloading three separate files, masquerading as Google Chrome application shortcuts. The motive of the campaign is unknown.
Nemty ransomware probably spread through compromised RDP connections
Security researchers reported on a new ransomware variant, Nemty, that was likely distributed via compromised remote desktop protocol connections. Nemty affects unspecified Microsoft Windows operating systems, and checks whether a target system is based in Russia, Belarus, Kazakhstan, Tajikistan, or Ukraine. However, systems based in the listed countries are not exempt from being affected.
TA505 strikes unnamed financial and banking entities in multiple campaigns
Multiple attack campaigns by the threat group TA505 have been observed targeting unnamed organizations in the financial services sector, including banks. In these campaigns, TA505 used new variants of the “FlawedAmmyy” remote-access trojan (RAT) and “ServHelper”, which were delivered via phishing emails. Attached ISO images served as the initial entry vector. TA505 also attacked target geographies new to the group, including Turkey, Serbia, Romania, South Korea, Canada, the Czech Republic, and Hungary.
For more details, read the full Weekly Intelligence Summary here:
And to stay up to date with the latest from Digital Shadows, subscribe below.