We’ve got Adam and Jamie joining Viktoria remotely for this week’s ShadowTalk! The London crew chats through the Slack vulnerability story, the news around the Dutch government losing hard drives with data of 6.9 million registered donors, the Apollon Dark Web Exit Scam, and who should own brand protection within an organization.

Also, don’t miss our special episode this week with CISO Rick Holland, Alex, and Harrison on Coronavirus Threat Intel updates and advice.


Unspecified Chinese threat actor targets Mongolian public sector

On 12 Mar 2020 cyber-security researchers reported on a threat campaign targeting Mongolian public-sector entities, conducted by an unspecified, but reportedly Chinese state-associated, threat actor. Phishing emails contained malicious Rich Text Format (RTF) files that imitated either COVID-19 (aka coronavirus) health warnings or building purchase documents. The files were weaponized using version 7.x of a tool named RoyalRoad (aka 8.t). That tool is reportedly commonly used by various Chinese attackers and allows them to create customized documents with embedded objects that exploit the Equation Editor vulnerabilities of Microsoft Word. The campaign only targeted the Mongolian public sector, but because Chinese groups share infrastructure, it is realistically possible that the tool could be deployed against other sectors and geographies in the mid-term future (next 3 to 12 months).

US health department suffers DDoS attack

On 16 Mar 2020 security researchers reported that the United States Department of Health and Human Services (HHS) had suffered a distributed denial of service (DDoS) attack by an unknown threat actor on its computer system the previous day. HHS’s servers were overloaded by millions of hits over several hours, in an attack that was likely aimed at undermining the department’s response to the COVID-19 pandemic. Based on the continuous COVID-19–inspired threat campaigns, similar attacks will very likely be observed in the short-term future.

New ransomware strain PXJ discovered in the wild

On 12 March 2020 security researchers at IBM X-Force discovered a new strain of ransomware called PXJ, also known as XVFXGW ransomware. Its code was first discovered being used in the wild in early 2020. PXJ functions similarly to most ransomware, but its code was written differently; PXJ’s encryption process includes double encryption (AES and RSA) to prevent recovery. The threat actor behind PXJ remains unknown, but is highly likely financially motivated. This new strain of the malware will probably be used in operations in the short-term future.

For more details, read the full Weekly Intelligence Summary

Weekly Intelligence Summary 20 Mar 2020