In this week’s ShadowTalk, we dig into ATM fraud. Digital Shadows (now ReliaQuest)’ Strategic Intelligence manager Rose Bernard joins Rafael Amado to discuss four separate ATM stories making headlines this week. In Part I, they’ll cover an alert on an impending “ATM cash-out” campaign issued by the FBI, and how India’s Cosmos Bank lost $13.5m in cyberattacks after actors bypassed the internal ATM switch system. In Part II, Rafael and Rose will look into flaws discovered in NCR ATM currency dispensers, and a new Bitcoin ATM malware advertised for sale on the dark web. For more on how actors acquire and then use stolen payment card information, check out Digital Shadows (now ReliaQuest)’ Five Threats to Financial Services blog series, available on


Evolving ATM attacks prey on cryptocurrency users

A variant of malware targeting Bitcoin ATMs has appeared for sale on a dark Web forum. Although the technical details of the malware are unknown, positive seller reviews indicate it is likely a functioning product. Attacks targeting Bitcoin ATMs are less common than those against standard ATMs, likely due to the machines’ relative scarcity; as Bitcoin ATMs become more prevalent, the rate of such attacks will likely increase.


Intel processors vulnerable to Foreshadow flaw

On 14 Aug 2018 security researchers released information on a flaw affecting Intel processors from 2015 onward, dubbed Foreshadow. There are two versions: Foreshadow uses a speculative execution attack to exfiltrate information from Intel SGX enclaves; Foreshadow Next Generation (Foreshadow-NG) can be used to exfiltrate any information on the operating system (OS) kernel memory and System Management Mode (SMM) memory, plus potentially any information on virtual machines linked on the same cloud. “Spectre” and “Meltdown”, two previous flaws affecting Intel chips, both enabled speculative execution attacks. Intel released a patch for both versions of Foreshadow on 13 Aug 2018. Foreshadow has been assigned CVE-2018-3615, Foreshadow-NG for OS kernel and SMM mode has been assigned CVE-2018-3620, and Foreshadow-NG for virtual machines has been assigned CVE-2018-3656.


DarkHydrus linked to another spearphishing campaign

Newly identified threat group DarkHydrus was observed using open-source tool Phishery in a spearphishing campaign seeking to harvest Microsoft Windows credentials. The attack targeted a Middle Eastern educational institute and appears to be part of an ongoing campaign. Given the consistent activity of campaigns by DarkHydrus, more attacks targeting the government and education sectors are likely.


Lazarus Group: Historical analysis reveals malware code re-use; new research into RAT

Malware analysis has identified significant code re-use in campaigns attributed to North Korean threat groups, including Lazarus Group. One of the examples cited was code used in the “WannaCry” (aka WCry) attacks in 2017, which was also identified in malware samples dated from 2009. Code re-use saves time for attackers but also assists analysts in linking attacks and assigning attribution. Another incident was reported this week involved the United States Computer Emergency Readiness Team publishing a technical advisory on the malware variant “KEYMARBLE”, attributed to the North Korea-linked threat actor “HIDDEN COBRA” (aka Lazarus Group). The advisory detailed one malware sample of a malicious 32-bit Windows executable file, which functions as a RAT. No targeting data related to the malware was published.