In this week’s episode, Jamie starts by talking about his recent blog, Cyber Threat Intelligence Frameworks, with 5 rules for integrating these frameworks within your organization.

Viktoria and Jamie also discuss:

  • APT34, where Iranian hackers targeted U.S. Gov vendor, Westat
  • Wawa Breach Developments
  • Coronavirus Phishing Scams
  • Winnti Group targeting Hong Kong universities

Listen below 👇👇👇

Rapid abuse of Citrix flaw signals need for faster patching

The recent disclosure of a vulnerability in Citrix devices was quickly followed by multiple exploitations before patches were introduced, reflecting the danger of announcing a critical vulnerability without a readily available patch. Citrix’s staggered rollout of patches over the month of January enabled threat actors to take rapid advantage; they exploited the vulnerability to infiltrate Citrix systems and deliver at least three variants of ransomware. The large-scale use of Citrix systems worldwide brings high risks: of more attacks on remaining vulnerable systems, and of previously uninterested threat actors shifting their focus to capitalize on this vulnerability.


Winnti Group goes after two universities in Hong Kong

Security researchers reported that the Chinese state-associated “Winnti Group” targeted two universities based in Hong Kong in November 2019. The “Winnti” malware had been discovered on the networks of those universities during an October 2019 cyber-threat campaign. In the more recent attacks, the threat group delivered an updated variant of the “ShadowPad” backdoor it has used previously. The incident indicates that Winnti Group remains highly active and its members will likely continue developing their toolkit to make more improvements in the mid-term future (next 3 to 12 months).


30 million-plus US customer payment details up for sale online

The payment details of more than 30 million individuals in the United States were advertised for sale on the Automated Vending Cart service Joker’s Stash, under the name BIGBADABOOM-III. Security researchers have traced the list of card details to the United States-based convenience-store chain Wawa. The data was probably obtained from Wawa in December 2019, after a threat actor installed malware on its point-of-sale systems that collected card details from its customers.


Iranian threat group attacks research-company employees

Security researchers reported on a new campaign by the Iran-linked threat group “APT34”, targeting the United States-based research company Westat. The attackers used a file masquerading as an employee satisfaction survey to deliver the “ToneDeaf 2.0” malware. Attacks featured updated malware variants from APT34’s existing tool set, indicating the group’s continual development of its tool set to evade detection during operations. Based on the group’s growing technical capabilities and activity level, and increased political tension between the United States and Iran, it is highly likely that APT34 campaigns will continue into the short-term future.


For more details, read the full Weekly Intelligence Summary here:

Weekly Intelligence Summary 07 Feb 2020

And to stay up to date with the latest from Digital Shadows (now ReliaQuest), subscribe below.