Alex, Kacey, Charles and Rick host this week’s ShadowTalk to bring you the latest threat intelligence stories. This week they cover:
- Torigon – What was Torigon and how did it fail to survive?
- Nulledflix – The Nulled-focused streaming service taken down immediately for maintenance
- BlueLeaks exposing private law enforcement files
- DevSecOps and how it can be useful to your organization
Listen to this week’s episode now 👇
TCP/IP flaws ripple through Internet of Things devices
Security researchers discovered 19 zero-day vulnerabilities in the TCP/IP stack developed by Treck Inc, a low-level networking library that many vendors embed in their products and that runs on millions of Internet of Things devices. Four of the flaws were classified as critical, with CVSS scores above 9, and could allow an attacker to execute code remotely on affected devices. The vulnerabilities, dubbed Ripple20, were fixed in the Treck stack (version 126.96.36.199 or later).
NCSC updates details of mass credential harvesting campaign
The United Kingdom’s National Cyber Security Centre (NCSC) released an update regarding a credential harvesting campaign active since at least July 2018. There has reportedly been a recent spike in phishing emails linked to the campaign, which have indiscriminately targeted United Kingdom entities. Reporting suggests that the emails are sent from the accounts of users known to the victims, and use content that mirrors recent email exchanges, plus a malicious link disguised as a notification alert.
Tor2Mine returns after quiet year
After a year’s hiatus, the threat group “Tor2Mine” was observed targeting six unnamed organizations with additional malware and new TTPs, to harvest victims’ credentials and conduct theft. Between January and June 2020, the group was linked to attacks deploying “AZORult”, an information-stealing trojan; “XMRig”, a cryptocurrency miner; “Remcos”, a remote-access tool; “DarkVNC”, a backdoor trojan; and an unnamed clipboard cryptocurrency stealer. Tor2Mine used domains and IP addresses previously attributed to the group, as well as a PowerShell command to download files from two new domains, asq.r77vh0[.]pw and asq.d6shiiwz[.]pw, that were hosted on a new IP address, 185.10.68[.]147. It remains unclear whether the attackers were successful against the six organizations.
For more details, read the full Weekly Intelligence Summary: