Alex, Kacey, Charles, and Harrison host this week’s ShadowTalk for threat intel updates, including Maze ransomware updates, a warning of an imminent threat from the Czech NCISA, priorities for third-party risk assessments, and the Nulled cracking forum going mobile.
Finally, Harrison passes the torch to Alex for hosting ShadowTalk. We’ll miss you, HVR!
Listen to this week’s episode now 👇
Maze ransomware infiltrates IT company Cognizant
On 18 Apr 2020 cyber-security researchers reported that the IT company Cognizant was targeted by a ransomware attack using the Maze variant. Cognizant provides IT services to many firms, and it is likely that any disruption to its internal network caused by ransomware would have also affected its clients. The Maze variant’s developers reportedly denied involvement in the attack, although forensic data indicates that Maze infrastructure was used in the attack. Maze operators have previously threatened to publish stolen data, but in this case it is not clear whether data was stolen from Cognizant. Maze has been highly prevalent during 2020, and will very likely remain so in the short-term future.
Winnti Group behind South Korean, German company breach attempts
On 20 Apr 2020 security researchers reported that the Chinese state-associated threat umbrella “Winnti Group” was responsible for attempting to breach the internal network of South Korean gaming company Gravity, as well as an unnamed German chemical company. Winnti Group is an advanced and persistent threat collective, able to employ sophisticated tools for maximum effect. Due to their association with the Chinese state, Winnti Group likely carried out the attacks to gain information that could grant or negate a competitive state advantage. The threat umbrella is associated with previous attacks on German and South Korean entities; more attempts are realistically possible in the short-term future and are likely in the mid-term future (next three to six months).
Nulled forum user shares file to help target Zoom users
On 01 Apr 2020 a user of the English-language cracking forum Nulled shared a configuration file that can be deployed in credential stuffing attacks targeting the Zoom videoconferencing software to steal meeting URLs, IDs, and host keys. The file contained source code for use with the credential stuffing tool “OpenBullet” to target virtual meetings through Zoom. It is realistically possible that attackers will attempt to use this method to gain access to Zoom meetings in the short-term future. Some cracking forums have recently revised their forum regulations to prevent the uploading and sharing of threads that provide details of Zoom meeting IDs and emails.
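The Nulled item above concerns credential stuffing: replaying large lists of leaked username/password pairs against a login endpoint. From the defender's side, the tell-tale pattern is a single source trying many distinct accounts in a short window with a high failure rate, which is quite different from one user mistyping a password. The script below is an added example, not code from the ShadowTalk episode or from Digital Shadows; the log format (`timestamp ip username LOGIN_OK|LOGIN_FAIL`), the sample lines, and the thresholds are all constructed assumptions, and any real deployment would read its own auth logs and tune the window and thresholds to its traffic.

```python
"""Flag credential-stuffing patterns in authentication logs.

Added example (not from the ShadowTalk episode or Digital Shadows). The log
format, sample lines and thresholds are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <source ip> <username> <outcome>".
# 203.0.113.7 sprays six different accounts in a few seconds (classic stuffing),
# 198.51.100.4 is one user retrying their own password, and 192.0.2.9 tries one
# account per hour ("low and slow"), which a short window will not catch.
SAMPLE_LOG = """\
2020-04-01T10:00:01 203.0.113.7 alice@example.test LOGIN_FAIL
2020-04-01T10:00:02 203.0.113.7 bob@example.test LOGIN_FAIL
2020-04-01T10:00:03 203.0.113.7 carol@example.test LOGIN_FAIL
2020-04-01T10:00:04 203.0.113.7 dave@example.test LOGIN_OK
2020-04-01T10:00:05 203.0.113.7 erin@example.test LOGIN_FAIL
2020-04-01T10:00:06 203.0.113.7 frank@example.test LOGIN_FAIL
2020-04-01T10:01:00 198.51.100.4 grace@example.test LOGIN_FAIL
2020-04-01T10:01:20 198.51.100.4 grace@example.test LOGIN_FAIL
2020-04-01T10:01:45 198.51.100.4 grace@example.test LOGIN_OK
2020-04-01T08:00:00 192.0.2.9 heidi@example.test LOGIN_FAIL
2020-04-01T09:00:00 192.0.2.9 ivan@example.test LOGIN_FAIL
2020-04-01T10:00:00 192.0.2.9 judy@example.test LOGIN_FAIL
2020-04-01T11:00:00 192.0.2.9 mallory@example.test LOGIN_FAIL
2020-04-01T12:00:00 192.0.2.9 oscar@example.test LOGIN_FAIL
"""


def parse_line(line):
    """Split one assumed-format log line into (timestamp, ip, user, success)."""
    ts, ip, user, outcome = line.split()
    return datetime.fromisoformat(ts), ip, user, outcome == "LOGIN_OK"


def find_credential_stuffing(log_text, window_minutes=5,
                             min_distinct_users=5, min_fail_ratio=0.8):
    """Return {ip: summary} for sources that, within any sliding window of
    `window_minutes`, tried at least `min_distinct_users` different accounts
    with a failure ratio of at least `min_fail_ratio`."""
    window = timedelta(minutes=window_minutes)
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, ip, user, ok = parse_line(line)
            by_ip[ip].append((ts, user, ok))

    findings = {}
    for ip, events in by_ip.items():
        events.sort()  # sliding window needs time order per source
        j = 0
        for i, (start, _, _) in enumerate(events):
            # Advance the right edge so events[i:j] all fall inside the window.
            while j < len(events) and events[j][0] - start <= window:
                j += 1
            span = events[i:j]
            users = {u for _, u, _ in span}
            failures = sum(1 for _, _, ok in span if not ok)
            ratio = failures / len(span)
            if len(users) >= min_distinct_users and ratio >= min_fail_ratio:
                prev = findings.get(ip)
                # Keep the widest spray seen for this source.
                if prev is None or len(users) > prev["distinct_users"]:
                    findings[ip] = {
                        "distinct_users": len(users),
                        "attempts": len(span),
                        "failures": failures,
                        "window_start": start.isoformat(),
                    }
    return findings


if __name__ == "__main__":
    for ip, summary in find_credential_stuffing(SAMPLE_LOG).items():
        print(ip, summary)
```

With the default five-minute window only 203.0.113.7 is flagged; the retrying user is ignored because the distinct-account count stays at one. The hourly spray from 192.0.2.9 only surfaces when the window is widened (for example `window_minutes=360`), which is the usual trade-off: short windows catch tooling such as OpenBullet running at speed, while slow distributed runs need longer windows or a per-account view across many source IPs rather than a per-IP view.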
For more details, read the full Weekly Intelligence Summary: