ShadowTalk Update – Nightmare Market in Disarray and SEC Investigation into Data Leak at First American Financial Corp
August 16, 2019
Harrison is back! Alex and Christian join this week to discuss how Black Hat and DEFCON went last week, analyze the irregularities of the dark web criminal market, Nightmare, and explore the story reported by Krebs on the SEC investigation into the data leak at First American Financial Corp.
From the intelligence summary – Weekly highlights include: Ongoing activity in South America from the “Machete” threat group; a new campaign attributed to the “Bitter” APT group targeting Chinese government organizations; and identification of two new critical remote code execution (RCE) vulnerabilities in Windows operating systems.
Sextortion continues to pose minimal threat to organizations
Since 2017, sextortion campaigns have consistently and indiscriminately targeted organizations and individuals worldwide. These social engineering attacks seek to exploit human emotion by using empty threats of the exposure of sexually explicit material to encourage individuals to meet an extortion demand. As publicly available data breaches have increased, sextortion attacks have incorporated the use of credentials from these breaches to increase their perceived credibility. Threat actors have also been observed incorporating additional tactics, such as the inclusion of ransomware. However, these types of attacks are rare: The majority of sextortion attempts carry empty threats and pose minimal threat to most organizations.
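The credibility trick described above (a real but long-leaked password quoted in an otherwise empty threat) is easy to screen for at the mail gateway. The following Python is an added example written for this post, not code from Digital Shadows; the indicator phrases, the scoring threshold, the sample messages and the "known breached password" set are all constructed for illustration, and in practice the breach lookup would be a call to a breach-monitoring service rather than a hard-coded set.

```python
import re
from dataclasses import dataclass, field
from typing import List, Set

# Constructed stand-in for a breach-monitoring lookup: passwords already known to
# have appeared in public dumps for this recipient. Invented values, not real ones.
KNOWN_BREACHED_PASSWORDS: Set[str] = {"summer2014", "hunter2"}

# Indicator phrases typical of the campaigns described in the summary (constructed list).
THREAT_PHRASES = ("webcam", "recorded you", "adult site", "video of you", "explicit")
DEMAND_PHRASES = ("bitcoin", "btc", "pay", "payment", "hours")
# Legacy (1.../3...) and bech32 (bc1...) Bitcoin address shapes.
BTC_ADDRESS = re.compile(r"\b(?:bc1[a-z0-9]{25,59}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b")
# "your password is <token>" / "your password was <token>"
PASSWORD_CLAIM = re.compile(r"your password (?:is|was)\s*[:\-]?\s*([^\s.,!]+)", re.IGNORECASE)


@dataclass
class Verdict:
    score: int = 0
    indicators: List[str] = field(default_factory=list)

    @property
    def is_sextortion(self) -> bool:
        # Three independent indicators is enough to quarantine for analyst review.
        return self.score >= 3


def assess_email(body: str, breached: Set[str] = KNOWN_BREACHED_PASSWORDS) -> Verdict:
    """Score an inbound message body against sextortion indicators."""
    text = body.lower()
    v = Verdict()
    if any(p in text for p in THREAT_PHRASES):
        v.score += 1
        v.indicators.append("threat to expose explicit material")
    if any(p in text for p in DEMAND_PHRASES):
        v.score += 1
        v.indicators.append("payment demand or deadline")
    if BTC_ADDRESS.search(body):
        v.score += 1
        v.indicators.append("cryptocurrency address")
    m = PASSWORD_CLAIM.search(body)
    if m:
        v.score += 1
        v.indicators.append("claims to know the recipient's password")
        if m.group(1).lower() in breached:
            # The credibility trick: the quoted password is genuine but old and leaked,
            # so the right response is a password audit, not payment.
            v.score += 1
            v.indicators.append("quoted password matches a known breach")
    return v


# Constructed sample messages (the address below is invented, not a real wallet).
SEXTORTION_SAMPLE = """I know your password is summer2014 because I got it from a leaked database.
I installed malware on an adult site you visited and recorded you through your webcam.
Send 900 USD in bitcoin to 1Bvbhpq8Qy4S7zKxd3WiMcN2Fe9ga5tJKM within 48 hours
or the video goes to all your contacts."""

BENIGN_SAMPLE = ("Reminder: the vendor invoice payment of 1200 USD is due in 48 hours; "
                 "see the portal for details.")

if __name__ == "__main__":
    for label, body in (("sextortion", SEXTORTION_SAMPLE), ("benign", BENIGN_SAMPLE)):
        verdict = assess_email(body)
        print(label, verdict.score, verdict.is_sextortion, verdict.indicators)
```

The benign invoice reminder trips only the "payment or deadline" indicator, which is why a single indicator should never quarantine on its own; the match on a breached password is the one signal worth escalating to the user, as a prompt to rotate anything still using it.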
Machete Group targets South America with new attack methods
Security researchers have reported on ongoing activity related to the Machete threat group, as well as updates to their Python-based backdoor malware. There has been minimal public reporting on Machete activity during 2019, but the group has reportedly been persistently active in South America since at least 2018, primarily targeting government entities in Venezuela. The group’s malware—of which they are reportedly the sole operators and developers—has repeatedly incorporated new features that focus on updated obfuscation capabilities and new delivery mechanisms.
New Bitter APT campaign targets Chinese government
A new campaign attributed to the Bitter APT group was reported on 08 Aug 2019. The group reportedly spoofed the login portals of multiple Chinese government agencies, using approximately 40 different phishing domains. Phishing lures were associated with various government entities, such as the Chinese Ministry of Foreign Affairs and the Ministry of Commerce. The group’s motives were not specified, but the campaign aimed to acquire government employees’ credentials, which could realistically be used for further information gathering or account takeovers. Bitter has previously targeted Chinese government agencies, and this campaign demonstrates the group’s ongoing presence in the region.
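A campaign built on dozens of spoofed login portals is usually visible in newly registered domains and certificate transparency logs before the first lure lands, if the defender is checking candidates against the domains it actually owns. The Python below is an added example for this post, not Digital Shadows code and not tied to any real agency: the "legitimate" domains are placeholders under `.example`, and the candidate names, the homoglyph table and the edit-distance threshold are constructed choices for illustration.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed list of domains the organisation owns (placeholders, not real government domains).
LEGIT_DOMAINS: List[str] = ["foreign-affairs.example", "commerce.example"]

# Character substitutions commonly used to build visually similar labels (constructed table).
HOMOGLYPHS: Dict[str, str] = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s", "7": "t"}


def normalise(candidate: str) -> str:
    """Reduce a URL or hostname (as seen in a CT log or DNS feed) to a bare lowercase domain."""
    host = re.sub(r"^[a-z][a-z0-9+.-]*://", "", candidate.strip().lower())
    host = host.split("/")[0].split("@")[-1].split(":")[0]
    return host.rstrip(".")


def dehomoglyph(label: str) -> str:
    """Undo the substitutions in HOMOGLYPHS, longest patterns first so 'rn' wins over 'n'."""
    for bad, good in sorted(HOMOGLYPHS.items(), key=lambda kv: -len(kv[0])):
        label = label.replace(bad, good)
    return label


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; labels are short, so the O(len(a)*len(b)) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(candidate: str, legit_domains: List[str] = LEGIT_DOMAINS) -> Tuple[str, Optional[str]]:
    """Return (verdict, matched legitimate domain or None) for one observed domain."""
    host = normalise(candidate)
    labels = host.split(".")
    # Anything at or below a domain we own is legitimate, whatever its subdomain.
    for legit in legit_domains:
        if host == legit or host.endswith("." + legit):
            return ("legitimate", legit)
    for legit in legit_domains:
        brand = legit.split(".")[0]
        # brand-login.example, brand.example.evil, etc.
        if any(brand in lbl for lbl in labels):
            return ("lookalike: brand embedded", legit)
        # c0mmerce.example -> commerce
        if dehomoglyph(labels[0]) == brand:
            return ("lookalike: homoglyph", legit)
        # comerce.example: one or two edits away from the brand label
        if len(brand) >= 6 and levenshtein(labels[0], brand) <= 2:
            return ("lookalike: typosquat", legit)
    return ("unrelated", None)


if __name__ == "__main__":
    # Constructed candidates, as a CT-log or passive-DNS feed might surface them.
    for c in ("https://login.foreign-affairs.example/sso", "foreign-affairs-login.example",
              "c0mmerce.example", "comerce.example", "weather.example"):
        print(c, "->", classify(c))
```

Each verdict names which owned domain the candidate imitates, which is what a takedown request or a proxy block rule needs; the edit-distance check is gated on brand length so that short labels do not flood the queue with false positives.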
Patches released for critical Microsoft RCE vulnerabilities
Two critical RCE vulnerabilities were identified in Windows operating systems; Microsoft released a patch to address them on 13 Aug 2019. There is no indication that these vulnerabilities have been exploited in the wild, but threat actors could realistically target unpatched systems to distribute malware. The vulnerabilities have been described as wormable: successful exploitation could allow malware to self-propagate without requiring user interaction.
For more details, read the full Weekly Intelligence Summary here: