Digital Shadows

  • Author: Various
  • Narrator: Various
  • Publisher: Podcast
  • Duration: 223:38:20

Information:

Synopsis

Digital Shadows monitors and manages an organization’s digital risk, providing relevant threat intelligence across the widest range of data sources within the open, deep, and dark web to protect their brand and reputation.

Episodes

  • WEEKLY: SANS CTI Summit, Snake Ransomware, CacheOut, And Citrix Vuln Update

    31/01/2020 Duration: 38min

    Rick Holland jumps in to kick off this week’s episode to recap the 2020 SANS CTI Summit with Harrison. Then Harrison, Alex, Kacey, and Charles talk through other top stories of the week including: - Snake Malware - Competitions we’re seeing on Russian-language cybercriminal forums - Citrix Vulnerability Update - New ‘CacheOut’ Attack Targets Intel CPUs. Rounding off the episode, the team shares their favorite infosec Twitter post of the week to spice up the episode. Have a great week! ***Resources From this Week*** - SANS CTI Summit Recap: https://www.digitalshadows.com/blog-and-research/sans-cyber-threat-intelligence-summit-2020-a-recap/ - Competitions on Russian-language cybercriminal forums blog: https://www.digitalshadows.com/blog-and-research/competitions-on-russian-language-cybercriminal-forums-sharing-expertise-or-threat-actor-showboating/ - Cyber Threat Intel Frameworks blog: https://www.digitalshadows.com/blog-and-research/cyber-threat-intelligence-frameworks-5-rules-for-integrating-these-frameworks/ - CVE

  • WEEKLY: Citrix Vulnerability, Microsoft Data Breach, and Telnet Credentials Published

    27/01/2020 Duration: 31min

    Following on from last week, Citrix released a first set of patches to fix a vulnerability (CVE-2019-19781) affecting the company’s NetScaler ADC Application Delivery Controller and its Citrix Gateway. Viktoria and Richard Gold discuss how organizations can mitigate the risk. Adam and Phil then join Viktoria to discuss other top stories of the week including 250 million Microsoft customer service and support records exposed on the web. The team also discusses a story where a list of Telnet credentials for more than 515,000 servers, home routers, and IoT devices was published on a hacking forum last week and how this story demonstrates the risk posed when threat actors are able to compromise large collections of IoT devices. ***Resources from this week*** Charles’ Blog: https://www.digitalshadows.com/blog-and-research/cve-2019-19781-analyzing-the-exploit/ Weekly Intelligence Summary: https://resources.digitalshadows.com/weekly-intelligence-summary/weekly-intelligence-summary-24-jan-2020

  • WEEKLY: NSA Vulnerability Disclosure, Ransomware News, And Iran Updates

    17/01/2020 Duration: 26min

    Kacey, Charles, Alex, and Harrison host this week’s threat intelligence update from Dallas. We kick off with vulnerabilities from the week. This includes both the NSA CVE and Citrix CVE. The team talks through what the vulnerabilities are and why they’re important. Then the team talks through ransomware updates including Cryptonite ransomware as a service, Sodinokibi operators threatening to release Travelex data, and Nemty operators threatening to release victim data. Finally, Harrison gives a quick update around Iran. To access this week’s intelligence summary, visit https://resources.digitalshadows.com/weekly-intelligence-summary ***Resources from this Week*** Rick’s Blog on NSA Vulnerability Disclosure: https://www.digitalshadows.com/blog-and-research/nsa-vulnerability-disclosure-pros-and-cons/ CVE-2019-19781: Analyzing the Exploit: https://www.digitalshadows.com/blog-and-research/cve-2019-19781-analyzing-the-exploit/ Cryptonite Ransomware as a Service: https://www.digitalshadows.com/blog-and-research/cryptonit

  • WEEKLY: Iranian Cyber Threats, Travelex Ransomware Attack, And Exploit Forum Updates

    10/01/2020 Duration: 27min

    We’re back with our weekly ShadowTalk episodes! Viktoria hosts this week and introduces the episode bringing Sammy on to provide some regional insight and context around the Iranian cyber threat and discusses whether a cyber response is likely. Then Adam and Viktoria discuss other top stories from the week including a ransomware outage for Travelex, Xiaomi Mijia camera data exposed, and bc[.]monster updates on Exploit forum. Check out our Intelligence Summary at https://resources.digitalshadows.com/weekly-intelligence-summary Excited for what 2020 will bring - thanks for listening! ***Resources from this Week*** Practical Advice around Iranian Cyber Threats: https://www.digitalshadows.com/blog-and-research/iranian-cyber-threats-practical-advice-for-security-professionals/ Iranian APT Groups’ Tradecraft Styles: https://www.digitalshadows.com/blog-and-research/iranian-apt-groups-tradecraft-styles-using-mitre-attck-and-the-asd-essential-8/ Iran and Soleimani: Monitoring the Situation: https://www.digitalshadows.com/

  • SPECIAL EPISODE: Iranian Cyber Threats: Practical Advice From CISO Rick Holland

    07/01/2020 Duration: 23min

    Rick Holland (CISO at Digital Shadows) joins Harrison to share his thoughts on the Iranian cyber threat and what it means for cyber defenders. What should security practitioners be concerned with within the cyber sphere? Rick and Harrison discuss: - How threat du jour thinking isn’t an adequate defense model - Communicating up the chain of command effectively - Attack Techniques used by Iranian State Actors - What you can do proactively as a Security Practitioner - Why haven’t we seen any significant cyberattacks yet? We’re continuing to monitor the situation, so check back at https://www.digitalshadows.com/blog-and-research/ for more info from our team. ***Resources This Episode*** Rick’s blog on the topic: https://www.digitalshadows.com/blog-and-research/iranian-cyber-threats-practical-advice-for-security-professionals/ Rich Gold’s blog on Mapping the ASD Essential 8 to the Mitre ATT&CK™ framework: https://www.digitalshadows.com/blog-and-research/mapping-the-asd-essential-8-to-the-mitre-attck-framework/

  • Jingle Bell Ryuk: NOLA Ransomware, Ring Doorbells, And 2020 Predictions

    18/12/2019 Duration: 18min

    CISO Rick Holland joins our ShadowTalk hosts (Viktoria, Alex, and Harrison) for our holiday special! This week the team covers: - Ring Doorbell security - New Orleans victim of Ryuk Ransomware - Predictions for 2020 in cybersecurity - A lightning round of holiday questions. Thanks to all of you listeners for tuning in each week in 2019. We’ve had a great time chatting each week across the globe, and we’re looking forward to another great year of ShadowTalk in 2020! Cheers! P.S. Check out our holiday photo on Twitter @digitalshadows! ***Resources From the Week*** 2020 Cybersecurity Forecasts blog from Alex: https://www.digitalshadows.com/blog-and-research/2020-cybersecurity-forecasts-5-trends-and-predictions-for-the-new-year/ Download our intelligence summaries at https://resources.digitalshadows.com/weekly-intelligence-summary

  • Tochka Dark Web Market Offline, Market.ms Closes, And Data Leakage Stories

    13/12/2019 Duration: 27min

    Alex, Harrison, Kacey, and Charles chat this week on some dark web and cybercriminal updates, data leakage stories that have hit the news, plus a GDPR story where an ISP was hit with a €9.6 Million Fine. We’ve got a new format for our weekly intelligence summary report. Check it out at https://resources.digitalshadows.com/weekly-intelligence-summary Thanks for listening and look out for our special (holiday-themed) final ShadowTalk episode of the year next week! ***More Resources This Week*** TMI blog on data leakage: https://www.digitalshadows.com/blog-and-research/2-billion-files-exposed-across-online-file-storage-technologies/ Over One Billion Email-Password Combos Leaked Online: https://www.infosecurity-magazine.com/news/one-billion-email-password-combos/ Data Leak Exposes 750K Birth Certificate Applications: https://www.infosecurity-magazine.com/news/data-leak-exposes-750k-birth-cert/ Microsoft: 44 Million User Passwords Have Been Breached: https://www.infosecurity-magazine.com/news/microsoft-44-million-pass

  • Cybercriminal Forum Research, Mixcloud Breach, and International Crackdown On RAT Spyware

    05/12/2019 Duration: 26min

    Viktoria invites Stewart Bertram to kick off this week’s episode around new cybercrime research we put out on the Modern Cybercriminal Forum and how the rise of alternative technologies hasn’t spelled the end of forums, which seem to be prospering against all odds. You can check out the research findings here: https://www.digitalshadows.com/blog-and-research/forums-are-forever-part-1-cybercrime-never-dies/ Next, Adam Cook joins to discuss the weekly highlights including the Mixcloud Breach and an international crackdown on RAT spyware. Finally, our Intelligence team gives a wider analytical piece on the topic of social media exposure and security standards in this week’s intelligence summary report (INTSUM), so make sure to check out that piece in this week’s report. Weekly Intelligence Summary (INTSUM): https://resources.digitalshadows.com/weekly-intelligence-summary ***More Resources From this Week*** Modern Cybercriminal Forum Research Report: https://resources.digitalshadows.com/whitepapers-and-reports/the-mod

  • Black Friday Deals On The Dark Web, Phineas Fisher Manifesto, And DarkMarket

    22/11/2019 Duration: 19min

    Adam Cook and Viktoria Austin talk through the security and threat intelligence stories of this week including an update around Phineas Fisher, where the hacker offered up to $100k in what they called the “Hacktivist Bug Hunting Program”. The team also chats through a recent ransomware attack on veterinary hospitals in the U.S., and some other ransomware updates. Then Viktoria and Adam touch upon some research from our own threat intelligence team (Photon Research), specifically around the dark web, including research into Black Friday deals on the dark web, and a look at DarkMarket. To see more threat intelligence updates from the week, make sure to check out this week’s intelligence summary report at https://resources.digitalshadows.com/weekly-intelligence-summary. Heads-up! We’re taking a break next week with the U.S. Holiday, so we’ll be back in 2 weeks. Have a great Thanksgiving! ***Resources From this Week*** Phineas Fisher Manifesto - https://www.vice.com/en_us/article/vb5agy/phineas-fisher-offers-dolla

  • BSidesDFW Recap, Dynamic CVV Analysis, And The Facebook Camera Bug

    16/11/2019 Duration: 33min

    Dallas is sound effects and all this week with Kacey, Charles, Alex, and Harrison. The team discusses their recent OSINT workshop at BSidesDFW and how you can access the training materials, plus Harrison reviews his latest research into dynamic CVVs within the security realm. Finally, the team looks at the recent news around the Facebook camera bug and how the public is reacting. Download the full intelligence summary at https://resources.digitalshadows.com/weekly-intelligence-summary Have a great week, everyone, and check out our resources below for more details. ***Resources from this week*** * BSidesDFW 2019 Recap: https://www.digitalshadows.com/blog-and-research/bsidesdfw-2019-osint-workshop-recap/ * BSidesDFW OSINT GitHub: https://github.com/digitalshadows/virtualwhale-osint-ctf * Orca: https://github.com/digitalshadows/orca * Dynamic CVV Blog: https://www.digitalshadows.com/blog-and-research/dynamic-cvvs-2fa-2furious * Facebook Camera Bug: https://www.scmagazine.com/home/security-news/vulnerabilities/system-bug-g

  • BlueKeep Attacks, Megacortex Ransomware, and Web.com Breach

    08/11/2019 Duration: 20min

    This week the London team looks at the following stories: - BlueKeep Exploit Could Rapidly Spread - Megacortex Ransomware Changes Windows Passwords - Japanese Media Company Nikkei - $29 million lost to BEC scam - Web.com Breach - 21 million employee accounts for Fortune 500 companies offered on the dark web. Get the full intelligence summary at https://resources.digitalshadows.com/weekly-intelligence-summary ***Resources from this week*** https://www.bleepingcomputer.com/news/security/new-megacortex-ransomware-changes-windows-passwords-threatens-to-publish-data/ https://www.cyberscoop.com/nikkei-email-scam-bec-29-million/ https://krebsonsecurity.com/2019/10/breaches-at-networksolutions-register-com-and-web-com/

  • 7.5M Adobe Creative Cloud User Records Exposed, City Of Joburg Ransomware Attack, and APT28 Updates

    01/11/2019 Duration: 23min

    Adam Cook, Philip Doherty, and Viktoria Austin host this week’s ShadowTalk update around an unsecured Elasticsearch database exposing account information of about 7.5 million Adobe Creative Cloud users. The team then looks at the news story around the City of Johannesburg experiencing a ransomware attack as well as APT28 (aka Fancy Bear) targeting anti-doping authorities and sporting organizations. ***Resources from this week’s episode*** - BriansClub Blog from Viktoria: https://www.digitalshadows.com/blog-and-research/cybercriminal-credit-card-stores-is-brian-out-of-the-club/ - Understanding Different Cybercriminal Platforms: https://www.digitalshadows.com/blog-and-research/understanding-the-different-cybercriminal-platforms-avcs-marketplaces-and-forums/ - Too Much Information - The Sequel: https://resources.digitalshadows.com/whitepapers-and-reports/too-much-information-the-sequel - Adam’s World Cup Blog: https://www.digitalshadows.com/blog-and-research/threats-to-the-2018-football-world-cup/ News Stories:http

  • Avast Breach Attempt, NordVPN Breach, And Wifi Security Risks

    25/10/2019 Duration: 27min

    We’ve got all 3 ShadowTalk hosts in Dallas this week: Harrison Van Riper, Viktoria Austin, and Alex Guirakhoo. The team first looks at Avast, which encountered a cyber espionage attempt. Then NordVPN announced that a hacker had breached servers used by NordVPN. And finally Dr. Richard Gold put out a new blog this week on dispelling the myths around using public wifi, so the team helps summarize some of the key points. Check out the full blog at https://www.digitalshadows.com/blog-and-research/wifi-security-dispelling-myths-of-using-public-networks/ To check out our weekly intelligence summary, visit https://resources.digitalshadows.com/weekly-intelligence-summary/weekly-intelligence-summary-17-oct-24-oct-2019 More Resources from this week’s episode: - Avast breach attempt: https://blog.avast.com/ccleaner-fights-off-cyberespionage-attempt-abiss - NordVPN breach & PR nightmare: https://nakedsecurity.sophos.com/2019/10/23/hacker-breached-servers-used-by-nordvpn/ - Krebs: https://krebsonsecurity.com/2019/10/avast-

  • Singapore Cyber Threat Landscape Updates 1H 2019

    23/10/2019 Duration: 24min

    Adam Cook, Philip Doherty, and Xueyin Peh join Viktoria Austin for a special ShadowTalk episode around the Singapore Cyber Threat Landscape. The team looks at the heightened threat level for Singapore, why it’s being targeted, and the types of organizations being impacted. Read the full analysis in our blog post here: https://www.digitalshadows.com/blog-and-research/singapore-cyber-threat-landscape-report-h1-2019/

  • Typosquatting and the 2020 U.S. Election, Honeypots, And Sudo Vulnerability

    18/10/2019 Duration: 30min

    Fall is upon us! Kacey, Charles, Harrison, and Alex kick off this week’s episode talking about our Fall Dallas team event (an amateur version of Chopped). We’re now all professional chefs. Then the team dives into this week’s hot topics: - Typosquatting and the 2020 Elections: https://www.digitalshadows.com/blog-and-research/typosquatting-and-the-2020-u-s-presidential-election/ - Honeypots: https://www.digitalshadows.com/blog-and-research/honeypots-tracking-attacks-against-misconfigured-or-exposed-services/ - The Sudo Vulnerability: https://threatpost.com/sudo-bug-root-access-linux/149169/ - Security Bsides Workshop Talk: http://www.securitybsides.com/w/page/134870340/DFW_2019 - Orca: https://github.com/digitalshadows/orca - https://twitter.com/maxdose_/status/1184429401338982401?s=12 Finally, with the Chopped event on our minds, we round off the episode with our favorite dishes we want to learn to cook. Thanks for listening and don’t forget to rate us on iTunes and let us know how we’re doing.

  • Iran-Linked APT35, Skimming By Magecart 4, Rancour, And Emotet Resurgence

    11/10/2019 Duration: 18min

    We’re back in London this week! Viktoria chats with Adam Cook, Philip Doherty, and Josh Poole on this week’s top stories: - APT35 Targets Email of US political figures & prominent Iranians - Skimming activity by Magecart 4 reveals potential link to Cobalt Group - Chinese threat group Rancour casts phishing line to South-East Asian government - Emotet Resurgence. Resources From This Week: Account Takeover Kill Chain 5 Step Analysis: https://www.digitalshadows.com/blog-and-research/the-account-takeover-kill-chain-a-five-step-analysis/ Weekly Intelligence Summary: https://resources.digitalshadows.com/weekly-intelligence-summary Make sure to subscribe to us wherever you listen to your podcasts for the latest episodes. Thanks for listening! - ShadowTalk team

  • The Tyurin Indictment- Mapping To The Mitre ATT&CK™ Framework

    09/10/2019 Duration: 20min

    Director of Security Engineering, Richard Gold, joins Viktoria Austin in this special episode of ShadowTalk to look at the attacker goals, their TTPs, and map this to the Mitre PRE-ATT&CK and ATT&CK framework. Some Background… Between 2012 and mid-2015, U.S. financial institutions, financial services corporations and financial news publishers fell victim to one of the largest computer hacking crimes. The hacking resulted in the theft of information belonging to 100 million customers of the victim companies (including the theft of personal data from 83 million customer accounts at JPMorgan Chase), and securities fraud, in the form of stock market manipulation. While the crimes committed date back to 2015, this week, one of the hackers involved, identified as Andrei Tyurin, pleaded guilty to the following charges: computer intrusion, wire fraud, bank fraud, and illegal online gambling offenses in connection with his involvement in a massive computer hacking campaign targeting U.S. financial institutions,

  • Magecart Five Widens Attack Vectors, Targeting of Airbus Suppliers, & Tortoiseshell Developments

    04/10/2019 Duration: 17min

    Coming to you from London this week, Jamie Collier, Philip Doherty, and Josh Poole join Viktoria Austin for our weekly threat intelligence updates. The team kicks off with a discussion around the top story of the week - Magecart Five Widens Attack Vectors. Recent Magecart Five activity has included loading malicious JavaScript files onto commercial-grade Layer 7 routers, injecting malicious code into a free, open-source app module, distributing phishing emails via an unspecified spamming service containing the KPOT trojan, embedding compromised websites with redirect code that results in the download of the RIG or Fallout exploit toolkits onto a target machine, and creating a phishing website imitating “G-Cleaner”, a Windows garbage cleanup tool. The team also discussed the other top stories of the week including: - Suspected Chinese Threat Actor Targets Airbus Suppliers - Tortoiseshell Lures American military-veteran job seekers - Zendesk discloses 2016 data breach. Check out the full threat intelligence summar

  • Tortoiseshell Targets IT Providers, The Tyurin Indictment, And Emotet’s Return

    27/09/2019 Duration: 25min

    Viktoria hosts this week’s episode in London with Philip Doherty and Adam Cook. After a quick debate around the top trending sports at the moment, the team digs into the first story of the week: Tortoiseshell Group (a newly identified threat group) has reportedly conducted some supply chain attack campaigns against 11 IT providers in Saudi Arabia. Next they look at two new malware variants that have emerged, attributed to North Korean-associated Lazarus Group. Emotet botnet has been hot in the news lately, so the team also talks about its emergence. Finally, the team rounds up the week with the Tyurin indictment, where Andrei Tyurin pleaded guilty to one of the largest computer hacking crimes involving US financial institutions, financial services, and news publishers. Our own Richard Gold published a blog mapping the indictment to the MITRE ATT&CK framework - definitely worth a read below. To learn more, check out our weekly intelligence summary report at https://resources.digitalshadows.com/weekly-inte

  • NCSC Threat Trends And Ransomware Updates

    20/09/2019 Duration: 24min

    It’s Harrison and Alex this week for your threat intelligence updates. The guys first dig into the NCSC’s recent threat trends report, the first of these that the NCSC has put out. It’s UK-specific, so just like we’ve shared thoughts around the FBI IC3 annual report in the past, which is heavily geared toward the US, it’s good to look across the pond as well. The team digs into 3 main areas: - Office365 - Ransomware trends including updates on Emotet, Ryuk, LockerGoga, Bitpaymer, Nemty, and GandCrab - Supply Chain Attacks. The team also digs into some recent research around B.Wanted. A few weeks ago, there was a story that Brian Krebs reported on: essentially a user on a dark web forum was offering to sell access to a federal contractor who managed 20+ different federal agencies. Specifically we were looking into the threat actor responsible for selling the access, who goes by the name B.Wanted. The guys dig into some different theories. Finally, we round out the episode with some top shows on Netflix to add to you
