Weekly Intelligence Summary | 29 May 2020
Updated: Jun 11
In the spotlight this week:
Fortune 500 company NTT discloses security breach. NTT says hackers gained access to its internal network and stole information on 621 customers from NTT Communications. The attack is believed to have originated from an NTT base in Singapore.
Sophos publishes insight into the Netwalker ransomware threat actor and its tooling.
SysInTURLA: a short ‘tipper’ on Turla’s Kazuar backdoor and the group’s universal love for Mark Russinovich’s Sysinternals tools.
Kaspersky’s Securelist publishes a technical analysis of the zero-day exploits used in Operation WizardOpium.
May 28, 2020 | NTT discloses security breach
The intrusion took place on May 7, and NTT says it became aware of it four days later, on May 11. NTT says the attackers gained access to its internal network and stole information on 621 customers of its communications subsidiary, NTT Communications, the largest telecommunications company in Japan and one of the biggest worldwide. The company says the attackers breached several layers of its IT infrastructure and reached an internal Active Directory server, from which they stole data and uploaded it to a remote server. The attack is believed to have originated from an NTT base in Singapore, the company said on May 28.
May 28, 2020 | Netwalker ransomware tools give insight into threat actor
The Netwalker threat actor has struck a diverse set of targets based in the US, Australia, and western Europe, and recent reports indicate the attackers have decided to concentrate their efforts on targeting large organizations rather than individuals. The tooling we uncovered supports this hypothesis, as it includes programs intended to capture Domain Administrator credentials from an enterprise network, combined with orchestration tools that employ software distribution served from a Domain Controller, common in enterprise networks but rare among home users. Some of the scripts and exploit tools were copied directly from GitHub repositories. Several of the tools are freely available Windows utilities, such as Amplia Security’s Windows Credential Editor. There are hints that they take advantage of well-known, heavily publicized vulnerabilities in widely used, outdated server software (such as Tomcat or WebLogic) or of weak RDP passwords.
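Software distribution served from a Domain Controller, as described above, usually means files dropped into the SYSVOL share and pushed through Group Policy. The following hunt script is an added example for this summary, not code from the Sophos report or from the Netwalker tooling: it lists recently modified scripts and executables in the current domain's SYSVOL share, hashes them for comparison against a known-bad list, and, where the RSAT GroupPolicy module is present, lists GPOs modified in the same window. The seven-day lookback, the extension list, and the use of the current user's domain are assumptions chosen for illustration.

```powershell
# Added hunt script (not from the Sophos report). Lookback window, extension
# list and the domain taken from $env:USERDNSDOMAIN are assumptions for this example.
param(
    [int]$LookbackDays = 7,
    [string]$Domain = $env:USERDNSDOMAIN
)

$sysvol = "\\$Domain\SYSVOL\$Domain"
$since  = (Get-Date).AddDays(-$LookbackDays)
# File types an attacker would stage for GPO-driven distribution or startup/logon scripts.
$ext    = '.exe', '.dll', '.ps1', '.bat', '.cmd', '.vbs', '.msi'

Write-Host "Files in $sysvol modified since $since"
Get-ChildItem -Path $sysvol -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $ext -contains $_.Extension.ToLower() -and $_.LastWriteTime -ge $since } |
    ForEach-Object {
        # SHA-256 allows an offline check against your own known-bad or allow list.
        $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        [pscustomobject]@{
            LastWrite = $_.LastWriteTime
            SizeBytes = $_.Length
            SHA256    = $hash
            Path      = $_.FullName
        }
    } |
    Sort-Object LastWrite -Descending |
    Format-Table -AutoSize

# GPOs changed in the same window; a new or edited GPO is how a dropped file
# actually gets executed on member hosts. Requires the RSAT GroupPolicy module.
if (Get-Module -ListAvailable -Name GroupPolicy) {
    Import-Module GroupPolicy
    Write-Host "GPOs modified since $since"
    Get-GPO -All -Domain $Domain |
        Where-Object { $_.ModificationTime -ge $since } |
        Select-Object DisplayName, Id, ModificationTime, Owner |
        Sort-Object ModificationTime -Descending |
        Format-Table -AutoSize
} else {
    Write-Host "GroupPolicy module not installed; skipping GPO modification check."
}
```

Run it from a domain-joined workstation with an account that can read SYSVOL (any domain user can, by default). Unexpected executables in SYSVOL, or a GPO edited outside of change windows, are the artefacts to pull for closer inspection; the hashes let you compare against the Windows Credential Editor and other public tools the report names without re-running the scan.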
May 28, 2020 | The zero-day exploits of Operation WizardOpium
Back in October 2019 we detected a classic watering-hole attack on a North Korea-related news site that exploited a chain of Google Chrome and Microsoft Windows zero-days. This blog post takes a deep technical dive into the exploits and vulnerabilities used in this attack.
May 27, 2020 | SysInTURLA
Turla is a prolific threat actor that relies on a variety of toolkits (including Skipper, IcedCoffee, and KopiLuwak, among others). In the past two weeks alone, two distinct clusters of their activity piqued the interest of multiple research groups, but their bag of tricks is hardly exhausted. This short ‘tipper’ will discuss Kazuar and a universal love for Mark Russinovich’s Sysinternals tools.
May 27, 2020 | Chinese Researchers Disrupt Malware Attack That Infected Thousands of PCs
Chinese security firm Qihoo 360 Netlab said it partnered with tech giant Baidu to disrupt a malware botnet infecting hundreds of thousands of systems. The botnet was traced back to a group it calls ShuangQiang (also called Double Gun), which has been behind several attacks since 2017 aimed at compromising Windows computers with MBR and VBR bootkits, installing malicious drivers, and hijacking web traffic to e-commerce sites for financial gain.
May 26, 2020 | From Agent.BTZ to ComRAT v4: A ten‑year journey
ESET researchers have found a new version of one of the oldest malware families run by the Turla group, ComRAT. Turla, also known as Snake, is an infamous espionage group that has been active for more than ten years. ComRAT, also known as Agent.BTZ and to its developers as Chinch, is a Remote Access Trojan (RAT) that became infamous after its use in a breach of the US military in 2008. The first version of this malware, likely released in 2007, exhibited worm capabilities by spreading through removable drives. From 2007 to 2012, two new major versions of the RAT were released. Interestingly, both employed the well-known Turla XOR key.