Go Back

ShadowTalk Update – Tortoiseshell Targets IT Providers, the Tyurin Indictment, and Emotet’s Return

September 27, 2019
ShadowTalk Update – Tortoiseshell Targets IT Providers, the Tyurin Indictment, and Emotet’s Return

Viktoria hosts this week’s episode in London with Phillip Doherty and Adam Cook. After a quick debate around the top trending sports at the moment, the team digs into the first story of the week: Tortoiseshell Group (a newly identified threat group) has reportedly conducted some supply chain attack campaigns against 11 IT providers in Saudi Arabia.

Next they look at two new malware variants that have emerged, attributed to North Korean-associated Lazarus Group. Emotet botnet has been hot in the news lately, so the team also talks about its emergence.

Finally the team rounds up the week with the Tyurin indictment, where Andrei Tyurin pleaded guilty to one of the largest computer hacking crimes involving US financial institutions, financial services, and news publishers. Our own Richard Gold published a blog mapping the indictment to the MITRE ATT&CK framework – definitely worth a read.

Listen below 👇👇👇

Updates from this week’s Intelligence Summary

  • In the spotlight this week is a newly identified threat group named Tortoiseshell, which has reportedly conducted supply-chain cyber attack campaigns against 11 IT providers in Saudi Arabia. The emergence of this previously unidentified group aligns with trends of supply-chain attacks in the past 12 months, carried out by threat groups with varying motives and capabilities.
  • Weekly highlights include new malware variants attributed to the North Korea-associated “Lazarus Group”, the re-emergence of the “Emotet” botnet, and Microsoft patching two critical vulnerabilities in Internet Explorer and Windows Defender.

 

Tortoiseshell attacks show growing appeal of supply chains

The newly identified threat group Tortoiseshell has been targeting IT providers in Saudi Arabia in supply-chain attacks. This activity is consistent with trends observed over the past 12 months: A diverse set of groups of varying capability have displayed the intent to target suppliers. There are likely growing opportunities to do so, fueled by the availability of data in the modern Internet economy and greater access to sophisticated tools, enabled by the growing malware-as-a-service (MaaS) market. Various threat actors are apparently targeting supply chains, rather than organizations directly, and groups with a range of motives will likely continue to do so for the mid- to long-term future (beyond 12 months).

 

New malware from North Korea’s Lazarus Group aimed at sensitive data

The use of two new malware variants has been attributed to the North Korea-associated Lazarus Group in new attack campaigns likely conducted for financial gain and cyber espionage. The malware dubbed ATMDtrack was reportedly used to target Indian ATMs to steal credit-card information, and was initially observed in late 2018. The other malware, called Dtrack, is a variant of ATMDtrack that was subsequently discovered behaving as an effective information stealer with remote-access trojan capabilities. Both tools are purportedly similar in code that was used in a previous Lazarus Group campaign.

 

Emotet wakes from slumber, strikes German and Polish email users

The Emotet botnet has re-emerged in new attack campaigns after four months of inactivity. German- and Polish-speaking email users were targeted by the downloader malware that was distributed in spam email messages. The malware was deployed to compromise the victims’ machines and add them to the botnet. It remains unclear why Emotet has lay dormant for the past four months, but these new campaigns suggest a broadening of its target list.

 

Microsoft zero-day vulnerabilities patched

Two zero-day vulnerabilities affecting the Microsoft products Internet Explorer and Windows Defender have been identified and patched. Microsoft released patches for the remote code execution (RCE) vulnerability CVE-2019-1367 in Internet Explorer and the DoS security vulnerability CVE-2019-1255 in Windows Defender on the same date. The RCE vulnerability is known to have been exploited in the wild, and requires a manual update that can be downloaded from the Microsoft Update Catalog. It is unclear whether the DoS vulnerability has been exploited, but users need take no action against it, given that Microsoft manages it automatically. Both vulnerabilities have been deemed critical, and users should update their software.

 

For more details, read the full Weekly Intelligence Summary here:

Weekly Intelligence Summary 19 Sep - 26 Sep 2019

And to stay up to date with the latest from Digital Shadows, subscribe below.