Dallas is packing up the podcast… don’t fret. The team is just moving offices. RIP (rest in podcast).

The team also packs a ton of news updates in this week. (Yeah, we went there). Here’s this week’s highlights:

  • Necurs Botnet Indictment
  • TA505
  • SMB Vulnerability: Cve 2020 0796
  • Coronavirus Scams, Fraud, and Misinformation
  • New cybercrime findings from the team on Envoy and Kilos

Rounding up this week, we have some Pi Day history (and jokes of course!). Thanks for listening.

MuddyWater drops new credential-stealer ForeLord via email

Security researchers reported on new credential-stealing malware, “ForeLord”, which was allegedly distributed by the Iranian threat group “MuddyWater” (aka Cobalt Ulster) in a spearphishing campaign. They found that the group sent spearphishing emails with attached, macro-embedded Excel documents, targeting organizations across multiple sectors in Turkey, Jordan, Iraq, Georgia, and Azerbaijan from mid-2019 to mid-January 2020. ForeLord differs from MuddyWater’s previous malware in that some of its C2 server was deployed via domain name system text fields, to increase the chances of circumventing intrusion detection systems.

Visser Precision files exposed online after ransomware hit

Security researchers reported on a “DoppelPaymer” ransomware attack against Visser Precision, a manufacturer for several industries, including automotive, defense, and aeronautics. Before encrypting a victim’s data, DoppelPaymer exfiltrates company data to its C2 server. The ransomware was first observed in July 2019 and has a website, Dopple Leaks, where victims’ company data is available for download if the victim fails to pay the ransom; a sample of files stolen from Visser Precision can be downloaded, including non-disclosure agreements and a partial schematic for a missile antenna marked as containing “Lockheed Martin proprietary information”.


APT actors found exploiting Microsoft Exchange Control Panel flaw

Cyber-security researchers reported the exploitation of a Microsoft Exchange Control Panel (ECP) vulnerability (CVE-2020-0688), which was patched as part of Microsoft’s Patch Tuesday on 11 Feb 2020. According to the report, “multiple APT [advanced persistent threat] actors” conducted attacks shortly after security researchers posted technical details of the vulnerability and potential ways it could be exploited. The flaw enables a threat actor to gain access to an organization’s ECP interface with a simple user credential or old service account; this could allow them to perform management tasks, including creating and delegating users, managing mailboxes, making configuration changes, and delegating permissions to users.


For more details, read the full Weekly Intelligence Summary

Weekly Intelligence Summary 13 Mar 2020