Coming to you from Dallas this week – we’ve got Charles, Kacey, Harrison, and Alex. First up – 3 data breaches this week:

  1. Decathlon Spain (and also potentially their UK entity)
  2. Clevguard
  3. Department of Defense’s Defense Information Systems Agency (DISA)

Then we look at the Dopplepaymer ransomware, who launched a site this week. Finally Harrison shares some details around his new blog mapping MITRE ATT&CK to the Equifax Indictment.

Listen below 👇👇👇


Google Play-linked PayPal accounts used for fraudulent charges 

An unspecified threat actor has been exploiting a vulnerability that allowed them to make fraudulent charges to PayPal accounts linked to Google Play. The operation targeted German users through Target and Starbucks stores in the United States. Fraudulent transactions reportedly ranged from EUR 173 to EUR 1,800. German media outlets speculated that the fraudulent transactions could have exploited a known vulnerability, referred to as iblue, that was reported a year ago, although this cannot be confirmed.  


Multiple states blame Russia for Georgian cyber attacks 

Multiple states publicly attributed a cyber attack on Georgia in October 2019 to the Russian GRU military service, and linked it to the “Sandworm threat group; the Russian government has issued a statement denying any involvement. The attack against Georgia, which defaced more than 2,000 websites, was already publicly known and extensive technical details were not published in recent attribution statements. The statements did not provide technical or operational value to cybersecurity teams, such as details on TTPs or indicators of compromise. However, they did confirm that Sandworm remains active. It is unlikely that such statements will significantly deter Russia from conducting more cyber operations against political targets.  


Fake game launcher used to spread Lokibot infections 

Threat actors impersonated a popular game launcher to trick users into downloading and executing the Lokibot malware variant. The infection started with a file that imitated the installer of the Epic Games store and used the Epic Games logo to increase perceived legitimacy. The incident shows that threat actors using Lokibot continue to develop new delivery methods to trick users into downloading the malware. More adaptations and social engineering tactics are likely to occur in the mid-term future.  


For more details, read the full Weekly Intelligence Summary

Weekly Intelligence Summary 28 Feb 2020