Kacey, Charles, Alex, and Harrison host this week’s threat intelligence update from Dallas. We kick off with the vulnerabilities of the week, including both the NSA-reported CVE and the Citrix CVE. The team talks through what the vulnerabilities are and why they’re important.

Then the team talks through ransomware updates including Cryptonite ransomware as a service, Sodinokibi operators threatening to release Travelex data, and Nemty operators threatening to release victim data.


Extortion operations still going strong

The cyber-extortion landscape has shown real signs of strength and advancement in the past three months: Many operations have been deploying ransomware (including new variants), but the use of denial of service (DoS) or data breaches in ransom attacks has also been increasingly reported. The method of combining two discrete attack methods to increase the probability of a successful extortion was apparently pioneered by operators of the “Maze” ransomware, and has spread to other cybercriminals and types of ransomware. Given the high profitability of ransomware attacks, especially those incorporating data breaches, they are likely to persist.


Dustman malware linked to cyber attack on Bahrain’s Bapco

Saudi Arabia’s National Cybersecurity Authority published a security alert on new wiper malware, dubbed Dustman, that was reportedly used to target the network of Bahrain’s national oil company, Bapco. According to the alert, Dustman shows similarities to the “ZeroCleare” malware variant, which was previously linked to Iran. Although many reports have drawn links between Dustman and the killing of Iranian military general Qasem Soleimani, Dustman was deployed on 29 December 2019, before Soleimani’s death, meaning that the attack could not have been part of any retaliatory operations by Iran.


Assurance Wireless phones pre-installed with two malicious apps

Two malicious apps were found pre-installed on the UMX U686CL phone provided by United States-funded mobile-phone service provider Assurance Wireless. One is an updater, “Wireless Update”, which can install apps automatically without a user’s consent and is a variant of Adups, malware linked to a China-based company that was separately found collecting user data. The updater can also create backdoors on mobile devices and deploy auto-installers. In addition, the Settings app on the phone functioned as heavily obfuscated malware that shares characteristics with other variants of mobile trojan droppers.


Proof of concept exploit code for Citrix vulnerability goes public

Security researchers reported that proof-of-concept exploit code for a critical vulnerability (CVE-2019-19781) in Citrix enterprise equipment has been publicly released. The vulnerability affects Citrix’s Application Delivery Controller (ADC) and Citrix Gateway. If exploited, CVE-2019-19781 could allow an attacker to gain control of affected devices and access an organization’s internal network. The attacker would not need to provide any authentication credentials for the device to conduct the attack. Citrix has provided mitigation advice but has not yet released a patch.


For more details, read the full Weekly Intelligence Summary here:

Weekly Intelligence Summary 17 Jan 2020

And to stay up to date with the latest from Digital Shadows (now ReliaQuest), subscribe below.