ShadowTalk Update – Typosquatting and the 2020 U.S. Election, Honeypots, And Sudo VulnerabilityOctober 18, 2019
Kacey, Charles, Harrison, and Alex kick off this week’s episode talking about our Fall Dallas team event (an amateur version of Chopped). Then the team dives into this week’s hot topics including:
- Typosquatting and the 2020 Elections
- The Sudo Vulnerability
- Security Bsides Workshop
Listen below 👇👇👇
Updates from this week’s Intelligence Summary
- In the spotlight this week is the “Simjacker” exploit, publicly disclosed in September 2019 and now potentially affecting entities across 29 countries. Due to the scale at which Simjacker could be exploited―and the potential to abuse it for wider espionage activity with a bigger impact―the exploit will likely influence future mobile-device security practices.
- Weekly highlights include: updates to the toolkit of “Fin7”, links between “Lazarus Group” and a fake cryptocurrency trading app, and a covert cyber-espionage operation against Iran that was attributed to the United States.
Simjacker exploits fragility of ageing technology
Reporting on the Simjacker exploit has revealed that entities in 29 countries are likely vulnerable to attacks. The exploit abuses a vulnerability in SIM card technology to compromise mobile-device users via a specifically designed SMS message. This grants threat actors access to mobile-device location data, but Simjacker also offers the potential for other malicious activity that would cause a greater impact. Simjacker’s development has been attributed to a private-sector surveillance firm, which raises questions about the legality of private and state collaboration in espionage activity. Regardless of who uses it and why, the exploit likely represents a new form of threat to mobile-device security, which inherently relies on legacy systems and services. Simjacker is likely to remain exploitable into the mid-term future (next six months).
Fin7 boosts toolkit to sniff out payment-card data
The financially motivated threat group Fin7 has been observed using two new tools in recent campaigns. The first, BoostWrite, is a memory-only dropper that can decrypt embedded payloads. One malware sample was signed and validated by a certificate authority, likely adding to the tool’s ability to evade detection by appearing legitimate to the victim. One BoostWrite variant purportedly contained the “RDFSniffer” payload, which targets tools that are designed to manage and troubleshoot systems that process payment-card data. Efforts to update the group’s toolkit suggest that Fin7 is likely to remain active.
Lazarus Group linked to spoofed cryptocurrency trading app
A fake cryptocurrency trading app named JMT Trader, which installs backdoor malware onto a victim’s machine, has been linked with the Lazarus Group. The attribution was based on overlaps with previously attributed malicious applications. It is realistically possible that Lazarus Group is responsible; the likely North Korean state-associated group has previously demonstrated a propensity for targeting cryptocurrency traders and exchanges.
US conducts covert cyber espionage against Iran
A covert cyber espionage campaign that targeted Iranian infrastructure and physical hardware, purportedly to spread propaganda, has been attributed to the United States. It is realistically possible that the United States Cyber Command was responsible for the attack, in response to offensive Iranian activity against Saudi Arabian oil facilities, and incentivized by ongoing tension between the United States and Iran.
For more details, read the full Weekly Intelligence Summary here: