ShadowTalk Update – SANS CTI Summit, Snake Ransomware, CacheOut, and Citrix Vuln Update
February 3, 2020
Rick Holland jumps in to kick off this week’s episode, recapping the 2020 SANS CTI Summit with Harrison. Then Harrison, Alex, Kacey, and Charles talk through the other top stories of the week, including:
- Snake Malware
- Competitions we’re seeing on Russian-language cybercriminal forums
- Citrix Vulnerability Update
- New ‘CacheOut’ Attack Targets Intel CPUs
Fractured Statue campaign reveals cracks in definitive attribution
The “Fractured Statue” cyber-threat campaign of 2019 has highlighted the difficulty of naming perpetrators on the basis of overlapping tools and tactics. The campaign, carried out over four months against a United States government agency, was linked to the “Konni Group”, whose operations align with North Korean interests. But researchers have pointed out that the volume of technical detail published about the Konni Group could have allowed other threat actors to learn its tactics, techniques, and procedures (TTPs) and reuse them in imitation attacks, muddying attribution.
Citrix vulnerability exploited in ransomware operations
Threat actors are exploiting a recent Citrix vulnerability to gain access to corporate networks and deploy ransomware. CVE-2019-19781 is a vulnerability in Citrix Application Delivery Controller (ADC) and Citrix Gateway systems. The threat actor behind the “REvil” (also known as “Sodinokibi”) ransomware was involved in a campaign exploiting the vulnerability, and the “Ragnarok” and “Maze” ransomware operations have also reportedly targeted it recently. Patches are available for CVE-2019-19781, so organizations should update their systems as soon as possible. Because exploitation was already under way before fixes shipped, patching alone does not evict an attacker who has already gained access; systems that were exposed while unpatched should also be checked for signs of compromise.
Purported Turkey-backed attacks claim 30-plus victims
At least 30 organizations based in Europe and the Middle East were reportedly targeted in a series of cyber attacks, allegedly conducted by Turkish state-backed actors, between late 2018 and 2020. The threat actors used Domain Name System (DNS) hijacking to redirect users to impersonating domains and phishing sites, which prompted them to enter credentials, including email addresses and passwords. Attacks against Cypriot and Greek infrastructure reportedly occurred from mid-2018 to early 2019, during heightened political tension over territorial disputes in the Aegean Sea.
New variant of Ryuk-linked information stealer detected
A new variant of an information stealer has surfaced that overlaps with the “Ryuk” ransomware. An earlier version of the stealer was detected in September 2019, but it is not known whether the malware was developed by the Ryuk developer or by a third party. The new sample analyzed by researchers searches for keywords indicating that the information stealer is being used to target government, military, and law-enforcement entities.
For more details, read the full Weekly Intelligence Summary here: