ShadowTalk Update – Ryuk Ransomware, Twitter rids SMS tweets, and Facebook Records Exposed
September 9, 2019
Alex, Alec, and Harrison are in the room today discussing three top stories from the week. First up: an attacker deploys Ryuk ransomware against the city of New Bedford, Massachusetts, demanding $5.3 million. What was interesting, though, was that the city tried to negotiate with the attackers for a lower ransom of $400k; the attackers rejected the offer and ended up cutting off communications.
Next, the guys chat through the suspension of Twitter’s SMS-based tweet function after the news that Twitter CEO Jack Dorsey’s Twitter account was “hacked”. It is an interesting illustration of phone numbers as an attack surface.
Finally, the team discusses an exposure incident in which 419 million Facebook records were exposed.
Updates from this week’s Intelligence Summary
- In the spotlight this week: A surge in financially motivated cyber-attack campaigns has been attributed to “Silence”, a cybercriminal group that is probably Russian. Its members have purportedly conducted 16 new campaigns targeting banks around the world. Silence attacks have grown in maturity and sophistication, and the group should be considered a credible threat to the financial services sector for the short- to mid-term future (3 to 12 months).
- Weekly highlights include: a recent campaign by “APT28” using a Dynamic Link Library (DLL) backdoor; continued activity attributed to the “Magecart” threat umbrella, which remains active in the retail sector; and more targeting of South Korean cryptocurrency exchanges by the “Lazarus Group”.
Growing threat of Silence heard around the world
An increase in financially motivated cyber-attack campaigns against banks in various countries has been attributed to the Russia-linked “Silence” threat group. Attacks have shown expanded target geographies, continuous updates of the group’s tool set with a focus on obfuscation, and increasing operational sophistication. Silence has moved beyond emulating other threat groups toward building its own custom attack methods and procedures. Financial institutions worldwide are likely targets, and new campaigns are almost certain to emerge in the short- to mid-term future.
Dynamic Link Library backdoor opens up full control to APT28
The Russian state-associated threat group APT28 has reportedly used DLL backdoor malware in a recent campaign targeting unnamed entities. The group disguised the malicious exports used to implant the backdoor by renaming them to match known benign exports in Microsoft DLLs, allowing full access to and control of a target machine following successful compromise. Although the states or organizations targeted by the backdoor remain unconfirmed, the focus on obfuscation is consistent with espionage activity, and the campaign was likely politically motivated, based on APT28’s previous targeting.
Magecart umbrella targets 80 more e-commerce websites
Eighty e-commerce websites have reportedly been compromised in activity attributed to Magecart, indicating that the threat group umbrella and its associates have remained active against the retail sector. All affected sites were running an outdated version of Magento, leaving them vulnerable to card skimming, formjacking, remote code execution, and cross-site scripting. The targeted websites remain unidentified. Similar activity will likely be attributed to Magecart in the short term (three to six months).
Lazarus Group casts spearphishing line to Korean cryptocurrency exchanges
The North Korean state-associated Lazarus Group has been observed targeting South Korean cryptocurrency exchanges. Spearphishing emails were delivered with malicious attachments that, when opened, installed a backdoor that began communicating with a C2 server. This aligns with previous Lazarus Group activity, which has favored (albeit not exclusively) cyber-threat activity against South Korean cryptocurrency exchanges.
For more details, read the full Weekly Intelligence Summary here: