Go Back

ShadowTalk Update – Universities still attracting espionage from Iran, SimJacker exploit, NCSC Threat Trends, and Ransomware Updates

September 20, 2019
ShadowTalk Update – Universities still attracting espionage from Iran, SimJacker exploit, NCSC Threat Trends, and Ransomware Updates

It’s Harrison and Alex this week for your threat intelligence updates. The guys first dig into the NCSC’s recent threat trends report, the first of these that the NCSC has put out. It’s UK-specific, so just like we’ve shared thoughts around the FBI IC3 annual report in the past, which is heavily geared toward the US, it’s good to look across the pond as well. The team digs into 3 main areas:

  • Office365
  • Ransomware trends including updates on Emotet, Ryuk, LockerGoga, Bitpaymer, Nemty, and GandCrab
  • Supply Chain Attacks

The team also digs into some recent research around B.Wanted. A few weeks ago, there was a story that Brian Krebs reported on: essentially a user on a dark web forum was offering to sell access to a federal contractor who managed 20+ different federal agencies. Specifically we were looking into the threat actor responsible for selling the access, who goes by the name B.Wanted. The guys dig into some different theories.

Finally we round out the episode with some top shows on Netflix to add to your lists. Enjoy your weekends!

Listen below 👇👇👇

Updates from this week’s Intelligence Summary

  • In the spotlight this week: The Iran-linked cyber-threat group “Cobalt Dickens” targeted 60-plus universities worldwide with a phishing campaign designed to capture credentials. Higher-education institutions have been popular in espionage over the past few years, offering attackers a wealth of valuable data.
  • Weekly highlights include: A new mobile surveillance campaign has been abusing an exploit dubbed SimJacker, a phishing campaign has been distributing the “AgentTesla” information-stealing malware, and an Elasticsearch database inadvertently exposed 20.8 million records of Ecuadorian citizens.

 

Universities still attracting espionage from Iran, elsewhere

The Iran-linked cyber-espionage group Cobalt Dickens (aka Silent Librarian) has been named as responsible for a phishing campaign targeting more than 60 universities in multiple countries worldwide. The group used relatively unsophisticated social engineering techniques to entice users to access malicious links, with similar tactics to a Cobalt Dickens campaign from 2018. Universities have consistently been targeted by nation-state–associated threat groups from Iran and the People’s Republic of China (PRC), among other countries. A university highly likely presents an attractive espionage target because of its presumed political ties, access to sensitive and personal information, broad attack surface, and reputation―all of which can be exploited for cyber attacks. Similar activity from Iran-linked threat actors is likely to continue over the next year, particularly as tension in the Middle East persists.

 

 SimJacker exploit allows stealthy control of mobile devices

Security researchers have reported on a new surveillance campaign spanning several unnamed countries, conducted by an as-yet-unknown threat actor. The attacker abused an exploit dubbed SimJacker to gain access to victims’ mobile devices. Successful exploitation allowed them to execute commands on a device and then carry out a range of actions, including: accessing messages, location data, and service information; sending messages; and launching a phone’s web browser. SimJacker reportedly does not require any interaction from the victim, increasing the likelihood of a successful attack.

 

AgentTesla infostealer sent via emails impersonating Asian bank

On 11 Sep 2019 security researchers reported a new email-based attack campaign using the AgentTesla information-stealing malware (infostealer). AgentTesla masqueraded as a bank transfer payment notification from “Hongkong and Shanghai Banking Limited”, with the apparent aim of gathering generic login credentials. The email message included a malicious compressed-file (RAR) attachment named Transfer Copy swift.bat, which contained a Microsoft Windows PowerShell script. Once executed, the PowerShell script downloaded and ran the AgentTesla installer. AgentTesla is widely available and has been commonly used since at least 2014.

 

 Elasticsearch server leaked 20.8 million records of Ecuadorian citizens

On 16 Sep 2019 it was reported that an exposed Elasticsearch server had leaked around 20.8 million user records containing the personal data of Ecuadorian citizens. Potentially compromised data included names, dates of birth, addresses, marital status, national identification numbers, financial and work details, phone numbers, family information, civil registration data, and car ownership details. Approximately 6.77 million data entries reportedly pertained to children under the age of 18; there is no indication that this data has been accessed by any threat actor(s) so far.

 

 

For more details, read the full Weekly Intelligence Summary here:

Weekly Intelligence Summary 12 Sep - 19 Sep 2019

And to stay up to date with the latest from Digital Shadows, subscribe below.