Digital Shadows

Alex and Christian join HVR this week to discuss the Linux malware “HiddenWasp” (along with HVR’s hatred of the insect), the BlackSquid malware, and updated campaign activity from TA505 and Turla threat groups. Then, Harrison sits down with Dr. Richard Gold, head of Security Engineering at Digital Shadows, to discuss Photon Research’s most recent report Too Much Information: The Sequel. Be sure to download the full report at https://info.digitalshadows.com/TooMuchInfoTheSequel-podcast.html and the intelligence summary at https://resources.digitalshadows.com/weekly-intelligence-summary/weekly-intelligence-summary-30-may-06-jun-2019

Alex Guirakhoo and newcomer to the pod Travis Randall (@puppyozone) join HVR this week to discuss updates to the JasperLoader malware loader, APT28’s newly observed link shortening technique, Gnosticplayers allegedly stole information from an Australian graphics design companies, and APT10 malware loaders. After that, Richard Gold (@drshellface) and Simon Hall (@5ecur1tySi) discuss the Remote Desktop Protocol vulnerability that everyone has been hyped up about in the last couple of weeks. Be sure to download the full intelligence summary at resources.digitalshadows.com. In more news, Photon Research Team has published a new report! The overall main finding of the paper is that Photon found there were 2.3 billion files currently being exposed online via file shares like SMB or Amazon S3 buckets. We are going to do a deep dive episode about that for next week’s episode. (Report) Too Much Information: The Sequel: https://info.digitalshadows.com/TooMuchInfoTheSequel-podcast.html(Blog) 2.3 billion files exposed ac

Jamie Collier and Phil Doherty join HVR on this week’s ShadowTalk, discussing the RDP vulnerability that has everyone sweating, CVE-2019-0708. Patch those systems, because there’s a few different proof of concept exploits circulating around online. Then, the guys discuss a new MuddyWater obfuscation technique, updates to the Trickbot banking trojan, and there’s some sad MongoDB owners out there following a wipe of over 12,000 databases by an extortionist. Then, happy anniversary, GDPR! Digital Shadows’ Chief Innovation Officer James Chappell sits down with James Boyle of Taylor Vinters, a law firm who focuses on supporting technology rich businesses and the entrepreneurs who make great things happen, for an extended discussion of the current state of GDPR one year on and all things data privacy related. Follow @digitalshadows, @photon_research, @pseudohvr, @thecollierjam, and @jimmychappell on Twitter. Be sure to download the full intelligence summary at https://resources.digitalshadows.com/weekly-intelligenc

Alex and Christian join Harrison this week to discuss the attribution of the ElectricFish malware to the "Lazarus Group" and the highlights from this week included the exploited vulnerability in WhatsApp, the dark web sale offering access to major antivirus companies, and the "Plead" malware being distributed via ASUS software updates. Then, Dr. Richard Gold and Simon Hall join the show to discuss the NCSC's password expiration guidance and share their opinions on the topic. Read the full findings athttps://resources.digitalshadows.com/digitalshadows/weekly-intelligence-summary-09-may-16-may-2019.

Kacey and Alex join HVR to talk through the key stories this week including a new threat group called “Mirrorthief” conducting “Magecart”-like digital skimming attacks against university websites, various code-sharing repositories being targeted and held for ransom by an unknown threat actor; and new ransomware, “Sodinokibi”, which used a zero-day vulnerability in Oracle WebLogic. Simon Hall and Dr. Richard Gold then join to dive deeper into the “Buckeye” APT group, which has recently been said to develop its own version of a tool that was likely created by the U.S. National Security Agency (NSA) prior to being leaked by the “ShadowBrokers” in 2017. Read the full findings at https://resources.digitalshadows.com/weekly-intelligence-summary/weekly-intelligence-summary-02-may-09-may-2019.

Phil and newcomer Benjamin Newman join Harrison for another edition of the Weekly Intelligence Summary. The guys cover two distinct attack campaigns which used uncommon and underreported social engineering and malware delivery techniques, as well as attempts to automate these attacks in the future. Other highlights from this week include a cryptojacking campaigns using the ETERNALBLUE and DOUBLEPULSAR exploits, new reports of Magecart activity, and more extortionists leaking sensitive information following failed ransom attempts. To download the full intelligence summary, please visit resources.digitalshadows.com.

Jamie and Alex are back with Harrison this week to talk about the leak of information related to APT34 on Telegram, including victim data, personally identifiable information and the group's tools. Other highlights from this week include a phishing campaign delivering RevengeRAT, more information about the Wipro breach, and details about the threat actors responsible for the previously reported ASUS server compromise. Get the full intelligence summary at https://resources.digitalshadows.com/weekly-intelligence-summary.

This week the team discusses an unidentified threat actor that has obtained data from various personal Outlook, MSN, and Hotmail email accounts by compromising a Microsoft customer support account. Also, the “Triton” malware was detected at a critical infrastructure facility, an IT outsourcing company experienced a potential network intrusion linked to a supply-chain attack, and a new trojan referred to as Hoplight has been attributed to the “Lazarus Group”. Check out the full intelligence summary at https://resources.digitalshadows.com/weekly-intelligence-summary/weekly-intelligence-summary-11-apr-18-apr-2019

Christian and Jamie join Harrison for another week of ShadowTalk to discuss the FIN6 threat actor reportedly widening its range of attacks to include ransomware, potentially inciting the threat group to extend targeting beyond retail and hospitality entities. The highlights from this week include a Chinese advanced persistent threat (APT) campaign against a German pharmaceutical company, likely to steal intellectual property; a mass phishing campaign that used US servers to host malware; and a Domain Name Server (DNS) hijacking campaign aimed at online services and Brazilian financial institutions. No Zuko this week unfortunately, and we ask Christian what his theory is for Game of Thrones which starts up on Sunday.Download the full intelligence summary at https://resources.digitalshadows.com/weekly-intelligence-summary/weekly-intelligence-summary-04-apr-11-apr-2019.

Jamie, Alex and Zuko sit down with Harrison to talk about a story that flew a little under the radar this week; Russia has allegedly been conducting a widespread satellite spoofing campaign since 2016, sending false positional data to ships and planes. Other highlights from this week include APT33 activity targeting engineering and manufacturing organizations, popular restaurant chains report some point of sale malware attacks, and South Korean websites being used in watering hole attacks. Also, Game of Thrones theories, Alex realizes he’s way late to the #GoT party, and more on this week’s ShadowTalk. Download the full intelligence summary at https://resources.digitalshadows.com/weekly-intelligence-summary/weekly-intelligence-summary-28-mar-04-apr-2019.

Christian and Jamie sit down with Harrison to talk about the compromised Asus server used to distribute backdoor malware to at least 500,000 users’ devices, more LockerGoga ransomware attacks, a new Magecart skimming attack, and FIN7 back in the news. Busy week! Also, Jamie gives hair product tips and the guys discuss what Twitter handle they would choose in an ideal world.Read this week’s intelligence summary here: https://resources.digitalshadows.com/weekly-intelligence-summary/weekly-intelligence-summary-21-mar-28-mar-2019

With new research this week warning that state-sponsored cyber attacks against financial systems are on the rise, the ShadowTalk team focus on one area of the financial services sector in particular: high-frequency trading (HFT). Richard Gold and Rafael Amado are joined by a guest HFT expert to discuss mergers and acquisition information, sharing insider secrets, and manipulating stock prices. The team look at what attacks are possible, what the consequences would be for the financial services industry at large, and why attacks against trading platforms and the industry itself have been so few and far between.

Harrison chats with Jamie and Alex this week on an attack on Norwegian aluminum and renewable-energy company Norsk Hydro ASA. The team also looks at threat group “APT-C-27” exploiting a flaw in WinRAR software, a fourth batch of breached data offered for sale on the dark web by “Gnosticplayers”, and a spam campaign exploiting the recent events surrounding the grounding of multiple Boeing 737 aircraft. Download the full intelligence summary here: https://resources.digitalshadows.com/weekly-intelligence-summary/weekly-intelligence-summary-14-mar-21-mar-2019

Harrison sits down with Rose and Christian for a quick chat about APT40 targeting educational maritime research, as well as other highlights from this week. Rose also gives us the breakdown of an inspiring trip to NASA; also space vampires make a brief appearance. Download the entire intelligence summary at https://resources.digitalshadows.com/weekly-intelligence-summary/weekly-intelligence-summary-07-mar-14-mar-2019.

Senior security engineer, Simon Hall joins Rafael Amado to explain how IT teams and defenders can combat email spoofing, one of the most popular techniques used by phishers. Simon discusses why spoofing is so prevalent and relatively simple for attackers to carry out, as well as how measures such as SPF, DMARC, and DKIM can be used to reduce spoofing risks. For more on this topic, read our Security Practitioner’s Guide to Email Spoofing and Risk Reduction, available at https://www.digitalshadows.com/blog-and-research/security-practitioners-guide-to-email-spoofing-and-risk-reduction/

In this week’s episode, the team looks at Fin6, who has begun regularly targeting card-not-present data on e-commerce websites. Other highlights from this week include Topps disclosing a data breach incident linked to Magecart, the Farseer malware, and more. Read the full intelligence summary here: https://resources.digitalshadows.com/weekly-intelligence-summary/weekly-intelligence-summary-28-feb-07-mar-2019

This week Rose and Phil join Harrison to discuss a three-stage cryptocurrency mining attack using Mimikatz and Radmin in tandem. The team also discusses the Cr1ptTor ransomware, an unknown North Korean threat actor targeting US universities, and MarioNet. Some of the team is heading to RSA Conference next week so make sure to stop by Booth 4421 in the North Hall to say hello. Get the Intellgence Summary at https://resources.digitalshadows.com/weekly-intelligence-summary/weekly-intelligence-summary-22-feb-01-mar-2019.

This week, Phil and Alex join Harrison to discuss a new malware delivery technique using the Outlook preview panel. Also, threat actor Gnosticplayers was offering large data sets for sale on Dream Market, the Blind Eagle APT group swooped into the news, and Gandcrab is back trying to pinch its victims in new ways. Finally, the guys try to find a new nickname for Alex. Full Intelligence Summary here: https://resources.digitalshadows.com/weekly-intelligence-summary/weekly-intelligence-summary-14-feb-21-feb-2019

The Photon Research Team’s Rafael Amado, Richard Gold and Harrison Van Riper get together to discuss Digital Shadows’ latest research report, A Tale of Epic Extortions: How Cybercriminals Monetize Our Online Exposure. Whereas many of the cyber security issues covered by researchers may seem obscure and irrelevant to the majority of businesses and individuals out there, extortion is a topic with a real human impact, and one that can have physical, psychological and financial consequences. The team look at how extortionists are diversifying their methods, emboldened by the credentials, sensitive documents and technical vulnerabilities that we leave exposed online. Download the latest report at https://info.digitalshadows.com/ExtortionResearchReport-Podcast.html, and listen to the podcast to learn how to properly manage your online exposure and reduce extortion risks.

Alex and Jamie matched with Harrison in this Valentine’s week episode of ShadowTalk. We discuss why four different APT groups were observed using the same tooling, vulnerabilities in Apple’s iOS, and what everyone did for Valentine’s Day. Also, we have launched the Photon Research Team at Digital Shadows! Visit our announcement blog to learn more (https://www.digitalshadows.com/blog-and-research/photon-research-team-shines-light-on-digital-risks/) and follow the team on Twitter @photon_research!Full intelligence summary: https://resources.digitalshadows.com/weekly-intelligence-summary/weekly-intelligence-summary-07-feb-14-feb-2019