ShadowTalk Update – 12.03.2018


In this week’s ShadowTalk, Michael Marriott, Dr Richard Gold and Simon Hall discuss our recent findings on threat actors using cracked versions of Cobalt Strike to conduct their attacks. Cobalt Strike is a powerful platform for performing offensive cyber operations, containing a wide variety of tools for conducting spear-phishing and web drive-by attacks to gain initial access. While it is used widely by security teams – including in Digital Shadows’ own internal Purple Team assessments – we have seen it being used for illegitimate purposes by threat actors as well. Listen to this week’s episode to find out how defenders can use this knowledge to inform their defenses.

Open-source tools exploited in supply chain attacks

The United States-based cryptocurrency wallet “Copay” was recently subject to a highly targeted supply chain attack. An attacker initially used social engineering techniques to gain developer access to “event-stream,” an open-source code library that is widely used by organizations across the globe. By targeting the specific subset of Copay developers relying upon event-stream, the attacker injected malicious code that, once pushed to consumers, sought to intercept and steal data from Copay users. Although the specific amount of data stolen remains unreported, this attack exemplifies a possible trend of attackers targeting not only third-party suppliers but also the open-source code repositories on which many organizations rely.

New corporate cyber espionage campaigns attributed to APT10

The Chinese-state-associated threat group APT10 has reportedly intensified its targeting of Australian businesses for the purpose of corporate espionage. This activity likely indicates a broader trend of increased Chinese cyber espionage efforts worldwide; the United States recently accused China of conducting espionage operations. Such activity is likely to provoke a reaction from Western governments, which could include public attribution claims and indictments against Chinese nationals allegedly involved.

Mirai shifts focus from IoT devices to Linux servers

The Mirai botnet has targeted non–Internet-of-Things (IoT) devices, with attackers compromising Linux servers by abusing a recently disclosed Hadoop YARN vulnerability. This represents a shift in Mirai’s capabilities and an increase in its threat level. Such Linux servers can be valuable targets for attackers, particularly when used in datacenters with access to large amounts of data and bandwidth. The distribution and infection techniques are consistent with previous Mirai campaigns. Other botnet malware families have similarly shifted focus away from IoT devices; this trend is likely to continue.

New variant of Pterodo backdoor indicates renewed Russian cyber campaign

The Ukrainian Computer Emergency Response Team (CERT) has released information on a new version of Pterodo, a custom backdoor malware developed by the Russian state and associated with the Gamaredon threat group. The backdoor has been updated to target systems localized to former Soviet Union countries and to generate unique command-and-control URLs for each infected device, allowing threat actors to determine which tools to use on a case-by-case basis. Given current heightened tensions between Russia and Ukraine following the Russian seizure of Ukrainian warships, it is realistically possible that the new variant of Pterodo could indicate an impending Russian cyber campaign.

To stay up to date with the latest digital risk and threat intelligence news, subscribe to our threat intelligence emails here.
