Digital Shadows

For this week’s ShadowTalk deep dive, we called in Doctor Richard Gold to discuss the major healthcare breach affecting SingHealth, Singapore’s largest group of healthcare organizations. Richard and Rafael Amado discuss how threat actors might use the 1.5million patient records that were stolen, how the attack occurred and where the incident response process failed. To view the report in full, visit: https://www.mci.gov.sg/coireport

Harrison Van Riper hosts this week’s Intelligence Summary with guests Rose Bernard (Strategic Intelligence Manager) and Alex Guirakhoo (Strategic Intelligence Analyst). Our main story involves the leak of personal information from several German political parties. We also discuss the other big threat intelligence stories from the week and find out what everyone would name their APT group. Subscribe to ShadowTalk on iTunes and follow us @digitalshadows, use #ShadowTalk to submit a question for next week!The full intelligence summary can be downloaded at https://resources.digitalshadows.com/weekly-intelligence-summary.

Welcome to ShadowTalk's new track on our Weekly Intelligence Summary. Host Harrison Van Riper invites Digital Shadows' analysts to discuss the week's top threat intelligence news. To download the full Weekly Intelligence Summary, visit https://resources.digitalshadows.com/weekly-intelligence-summary.

Rafael Amado and Richard Gold talk cybersecurity end of year predictions, but with a twist. Rather than focus on the threats and worrying trends on the horizon, the team instead concentrate on the positive developments that we can all look forward to in 2019. Richard and Rafael discuss open source tools that can help all of us become more secure, improvements to browser security, and long overdue changes in security awareness, education and diversity that should make 2019 an altogether better year for the information security community. You can see Richard’s full list of 10 predictions on https://twitter.com/drshellface/status/1072803919020154880?s=21

Simon Hall and Richard Gold join Rafael Amado to wade in on the topic of phishing. By looking at details revealed in law enforcement indictments against nation state and organized criminal groups, as well as the tips and tools being shared by actors on cybercriminal forums and messaging applications, the team discuss how organizations can prioritize the right controls and training policies to best protect themselves in the coming year. For more on this topic, read our recent research blog, Tackling Phishing: The Most Popular Phishing Techniques and What You Can Do About It, available on digitalshadows.com/blog-and-research/tackling-phishing-the-most-popular-phishing-techniques-and-what-you-can-do-about-it/

Rick Holland and Harrison Van Riper join Michael Marriott to discuss the implications of the Marriott data breach, as well as a look forward to trends we might see in 2019. Specifically, we dig into ransomware and discuss what you should be considering in 2019. To read more about these trends (and more) read Harrison’s blog (https://www.digitalshadows.com/blog-and-research/2019-cyber-security-forecasts-six-things-on-the-horizon/). To register for our upcoming webinar with the FBI, https://info.digitalshadows.com/LiveWebinar-CyberThreatstoWatchin2019-Registration.html?Source=podcast.

The dynamic duo of Dr Gold and Simon Hall join Michael Marriott to discuss our recent findings on threat actors using cracked versions of Cobalt Strike conduct attacks, and how defenders can use this to inform their defense. Read the blog to learn more: https://www.digitalshadows.com/blog-and-research/threat-actors-use-of-cobalt-strike-why-defense-is-offenses-child/. Building on this theme, in part two, Richard Gold outlines the benefits of mapping the Mitre ATT&CK framework to the ASD Essential 8. You can read Richard’s blog here: https://www.digitalshadows.com/blog-and-research/mapping-the-asd-essential-8-to-the-mitre-attck-framework/.

For this special mid-week edition of ShadowTalk, Harrison Van Riper, Jamie Collier, and Rafael Amado focus on cyber security threats over the Black Friday weekend and holiday season. Despite increased sales for retailers and bargain opportunities for consumers, Black Friday has had the unintended consequence of emboldening and enabling profit-seeking cybercriminals. The team discuss continuing activity by the Magecart group, as well as the ways in which cybercriminals are gearing up for the holidays from our investigations of online forums and messaging applications. For more, check out our Black Friday blog at: https://www.digitalshadows.com/blog-and-research/black-friday-and-cybercrime-retails-frankenstein-monster/

Some called him a hero. Some called him the most dangerous man to the defense industry. In today’s ShadowTalk, Dr. Richard Gold and Harrison Van Riper join Rafael Amado to discuss the vigilante hacker known as Phineas Fisher. Leaked court documents surfaced this week, detailing how Italian authorities tried and ultimately failed to identify and convict Phineas Fisher for the infamous breach against the Italian surveillance and technology company, Hacking Team. The team dive into the history of Phineas Fisher, the techniques used to break into the Hacking Team network, and the OPSEC practices that allowed Phineas Fisher to remain at large.

Michael Marriott flies in from San Francisco to cover the big vulnerability and exploit stories of the week. The team discuss the Cisco denial- of-service vulnerability affecting its Adaptive Security Appliance (ASA), as well as a vulnerability in Oracle’s VirtualBox technology posted to GitHub. Dr. Richard Gold, Rafael Amado and Michael debate the benefits and drawbacks of bug bounty programs, how you should consider operational value when assessing vulnerabilities, and the U.S. Cyber Command’s publication of malware samples to VirusTotal.

In this bonus edition of ShadowTalk, Dr Richard Gold and Rafael Amado discuss the recent BBC Russian Service investigation into Facebook accounts being sold online. As reported on Friday, at least 81,000 accounts with private messages were being advertised online. Digital Shadows assisted the BBC with its investigation. Richard and Rafael outline what we know so far, as well as answering some of the key questions raised by this story. For more, see our recent blog available at https://www.digitalshadows.com/blog-and-research/81000-hacked-facebook-accounts-for-sale-5-things-to-know/.

Two years on from the Tesco Bank fraud attacks that allowed cybercriminals to check out with £2.26m (roughly $3m) in customer funds, Dr Richard Gold and Simon Hall join Rafael Amado to discuss the UK Financial Conduct Authority’s investigation report. This episode will be crucial listening for anyone involved in the financial services industry, as well as those eager to learn about incident response processes and how poor execution can have disastrous, and costly, consequences. The FCA final notice is available on: https://www.fca.org.uk/publication/final-notices/tesco-personal-finance-plc-2018.pdf

Harrison Van Riper and Rafael Amado join Michael Marriott to discuss the latest stories from the week. This week’s podcast has a strong Guy Richie flavor, with a focus on lock, stock and ru smoking barrels. We begin by discussing October’s hot ransomware activity, including the most popular variants, common targets, and mitigation advice. Second, we discuss sliding stock value amid reports of data breaches: we dig into the Cathay Pacific and Facebook breaches. And, finally we discuss the recent attribution of Triton malware to a Russian entity and why it’s TTPs you should care about.

Following on from last week’s conversation on how managed service providers can increase your attack surface, Simon Hall and Richard Gold join Rafael Amado to discuss supply chain risks. With so much to cover, the team break this topic down into hardware, software and third-party service risks, including examples such as the MeDoc-NotPetya campaign and the recent SuperMicro hardware allegations. As always, Richard and Simon cover some useful good practices for those looking to improve their risk management processes.

Digital Shadows CISO Rick Holland, Dr Richard Gold and Simon Hall join Rafael Amado to cover the Hidden Cobra FASTCash campaign alert issued by US authorities, detailing ATM cash out campaigns performed by North Korean actors. The team look over the Five Eyes joint report into publicly available hacking tools. And, finally, are companies who use MSPs at greater risk of attack? For more on the Powershell blog referenced by the Five Eyes report, visit: https://www.digitalshadows.com/blog-and-research/powershell-security-best-practices/

In this week’s Shadow Talk, Rafael Amado joins Michael Marriott to discuss Digital Shadows’ latest research on Business Email Compromise. We discuss how criminals are outsourcing this work, and how the exposure of 33,000 finance department credentials is increasing the ease for attackers. However, even without taking over accounts, criminals can get their hands on sensitive financial information. We dig into the 12.5 million exposed email archives that are available through misconfigured online file stores, including invoices, purchase orders, and payments. Finally, we provide advice for mitigating these risks.

Rick Holland, CISO of Digital Shadows, joins Richard Gold and Michael Marriott to discuss the latest cybersecurity news. In part one, we discuss the possible implications of Facebook security flaws affecting 50 million accounts. In part two, one year after reports of the Equifax breach surface, the UK arm has been fined £500,000 by the ICO. We look at the lessons learned.

Simon Hall and Richard Gold join Rafael Amado to focus on the trade-offs between security and usability, as well as the practice of security layering that can often make us more insecure. The team look over security measures such as regular complex password expiry policies that create headaches for organizations and end users, why it’s not easy to make security usable, whether certain security measures such as anti-virus software actually make us more insecure, and what alternative system defences can bridge the gap between security and usability. For the NCSC blog on security and usability, visit: https://www.ncsc.gov.uk/blog-post/security-and-usability-you-can-have-it-all

In this week’s ShadowTalk, Richard Gold and Simon Hall join Michael Marriott to discuss the latest spate of attacks by the threat actor known as Magecart. We dig into the history of Magecart, different approaches to web skimming, and provide advice on how organizations can best protect against this threat.

In this week’s ShadowTalk, Richard Gold and Rafael Amado join Michael Marriott to discuss the latest Department of Justice complaint against an individual working for Chosun Expo, an alleged front for the North Korean state. The individual is accused of involvement in a host of campaigns, including attacks against Sony Pictures Entertainment, banks, defense contractors, and the many victims of the WannaCry ransomware variant. We discuss the most interesting revelations, outlining the different techniques used, and what this all means for organizations.