ShadowTalk hosts Kacey, Alec, Charles and Digital Shadows (now ReliaQuest) CISO Rick bring you the latest in threat intelligence. This week they cover:

  • The US Department of Treasury sends a message about negotiating with ransomware operators
  • APT28 compromises a US federal agency
  • Foreign spies use fronts to hide cyber espionage operations
  • Iranian nation-state threat actors leverage Zerologon flaw to carry out attacks

Spearphishers impersonate US Democratic body to drop Emotet

A new spearphishing campaign delivering the “Emotet” trojan has been reported. The malicious email messages are purportedly from the US Democratic National Committee (DNC), and have been sent to hundreds of organizations around the US. The messages contain false information about the DNC’s volunteer recruitment program, Team Blue, and urge users to open an attached Microsoft Word document, which will install Emotet after malicious macros are enabled.

Ransomware “vaccine” shuts down deletion of Windows shadow copies

On 03 Oct 2020, a security researcher released a ransomware “vaccine” that monitors for the deletion of shadow copies[1]. Dubbed Raccine, the program terminates processes that attempt to delete shadow copies using the vssadmin.exe command. Some ransomware variants are likely to be immune to Raccine, particularly those that delete shadow copies through commands other than vssadmin.exe. Any legitimate software that uses vssadmin.exe as part of a backup routine is also at risk of being terminated by Raccine.

[1] System backup files that can be used to recover files if they are mistakenly changed or deleted
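As an added illustration (not Raccine's code, and not from the original post), here is a defender-side Python detector that applies the same idea to process-creation telemetry: it flags shadow-copy deletion command lines for analyst review rather than killing the process, carries the parent process so a legitimate backup routine can be recognised, and goes a step beyond vssadmin.exe by also matching a wmic form of the same action. The event records, process names and PIDs are constructed sample data.

```python
import re

# Constructed sample process-creation events (not real telemetry), shaped like a
# parsed Sysmon Event ID 1 / EDR process-start record.
SAMPLE_EVENTS = [
    {"pid": 4120, "parent": "winword.exe",
     "cmdline": r"C:\Windows\System32\vssadmin.exe Delete Shadows /All /Quiet"},
    {"pid": 4188, "parent": "backupagent.exe",
     "cmdline": r"vssadmin delete shadows /for=C: /oldest"},
    {"pid": 4201, "parent": "cmd.exe", "cmdline": r"wmic shadowcopy delete"},
    {"pid": 4250, "parent": "cmd.exe", "cmdline": r"vssadmin list shadows"},
    {"pid": 4300, "parent": "explorer.exe", "cmdline": r"notepad.exe notes.txt"},
]

# Command-line shapes that remove or starve shadow copies. vssadmin is the case the
# article names; wmic is one of the other deletion commands the article alludes to.
DELETION_RULES = {
    "vssadmin_delete_shadows": re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b"),
    "vssadmin_resize_storage": re.compile(r"\bvssadmin(\.exe)?\s+resize\s+shadowstorage\b"),
    "wmic_shadowcopy_delete":  re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b"),
}

def classify(cmdline):
    """Return the name of the first matching rule, or None for a benign command line."""
    normalised = " ".join(cmdline.lower().split())   # case- and whitespace-insensitive
    for name, pattern in DELETION_RULES.items():
        if pattern.search(normalised):
            return name
    return None

def find_deletion_attempts(events, allowed_parents=frozenset()):
    """Flag shadow-copy deletion attempts for analyst review rather than killing them.

    allowed_parents suppresses (but still records) a known backup agent's routine
    vssadmin use, the false-positive case the article warns about. It is a triage
    aid only: a parent image name is easily spoofed, so it is not a security boundary.
    """
    findings = []
    for ev in events:
        rule = classify(ev["cmdline"])
        if rule is None:
            continue
        findings.append({"pid": ev["pid"], "parent": ev["parent"], "rule": rule,
                         "suppressed": ev["parent"].lower() in allowed_parents})
    return findings
```

Run against SAMPLE_EVENTS with allowed_parents={"backupagent.exe"}, the winword.exe and cmd.exe deletions are flagged, the backup agent's deletion is recorded but suppressed, and the list and notepad commands are ignored.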

Iran-linked MuddyWater group exploiting ZeroLogon flaw

On 05 Oct 2020, Microsoft released an alert warning that the Iranian state-linked “MuddyWater” cyber-espionage group had been observed exploiting the ZeroLogon vulnerability (CVE-2020-1472), an elevation-of-privilege flaw with a 10/10 severity rating. When exploited, the flaw allows attackers to elevate their privileges to those of a domain administrator, which lets them take control of the entire domain, change any user’s password, and execute any command. Even though Microsoft patched this flaw in its August Patch Tuesday update, many organizations are unlikely to have applied the fix and remain vulnerable to attacks.

For more details, read the full Weekly Intelligence Summary here:

Weekly Intelligence Summary 09 October 2020