AboutDFIR.com – The Definitive Compendium Project
Digital Forensics & Incident Response
InfoSec News Nuggets 01/11/2022

FluBot’s Authors Employ Creative and Sophisticated Techniques to Achieve Their Goals in Version 5.0 and Beyond

In early 2020, a new and sophisticated Android malware called FluBot began to appear. On infected devices, the malware can take full remote control of the device; access the victim’s contact list; send, intercept, and hide SMS messages; log the victim’s keystrokes; steal one-time passcodes; collect personal information; carry out overlay attacks; and more. Originally, the malware authors mainly targeted Spanish banks but later expanded their targets to include Australian, German, Polish, and UK banks (HSBC, Santander, Lloyds, Halifax, and others). FluBot spreads in several ways, most often via SMS messages that include a link purporting to track a parcel from a delivery company.


Russian harm to underwater cables could be ‘act of war’, UK defence chief warns

A Russian attempt to damage underwater cables that are crucial to communication systems around the world might be considered an “act of war”, the UK’s recently appointed head of the armed forces has warned. Speaking to The Times in his first interview since assuming the role, Admiral Sir Tony Radakin said the undersea cables that transmit internet data are “the world’s real information system,” adding that Russia’s ongoing underwater operations have placed this system under threat. Sir Tony – who has formerly served as the head of the Navy – was appointed chief of the defence staff in October. He says Russian submarine and underwater operations have surged over the last 20 years. Russia’s underwater programme is about “more than…submarines,” according to Sir Tony. It is actually about being able to “put at risk and potentially exploit the world’s real information system.”


FBI warns cybercriminals have tried to hack US firms by mailing malicious USB drives

A prolific Eastern European cybercriminal group has tried to hack US companies in the transportation, defense, and insurance sectors by mailing those organizations malicious USB drives, the FBI warned US businesses this week in an advisory obtained by CNN. The unnamed companies received a series of fake letters via the US Postal Service and UPS from August to November, impersonating the Department of Health and Human Services in some cases and Amazon in others, according to the FBI. But instead of an actual Amazon gift card, or authorized guidance about the coronavirus pandemic, the letters came with a USB stick laced with malicious software. If inserted into a computer, the USB stick could have given the hacking group access to an organization’s network to deploy ransomware, the FBI said. It’s unclear whether any of the firms were compromised in the incidents, but it’s a reminder of the long reach and clever tactics of a cybercriminal group that US law enforcement has pursued for years.


China puts Walmart in the naughty corner, citing 19 alleged cybersecurity ‘violations’

“It is reported that the public security organs discovered nineteen exploitable network security vulnerabilities in Walmart’s network system on November 25, 2021, and [the company] did not deal with system vulnerabilities in a timely manner,” said China Quality News, a mouthpiece for the country’s State Administration for Market Supervision (SAMR) regulatory agency, in a canned statement in Chinese. It claimed this was a breach of the country’s Internet Security Law of the People’s Republic of China. The news outlet said an administrative penalty warning was issued in addition to an order to the US parent firm to correct their network sins, handed to Walmart in “December 2021.” There is no evidence of a financial penalty issued at this time.


Microsoft Discovered New ‘Powerdir’ macOS Vulnerability, Fixed in 12.1 Update

Apple already addressed the CVE-2021-30970 vulnerability in the macOS Monterey 12.1 update that was released in December, so users who have updated to the latest version of Monterey are protected. Those who have not done so should update. Apple, in its security release notes for the 12.1 update, confirmed the TCC vulnerability and credited Microsoft with its discovery. According to Microsoft, the “Powerdir” security flaw could allow a fake TCC database to be planted. TCC is a long-running macOS function that lets users configure the privacy settings of their apps, and with the fake database, a malicious person could hijack an app installed on a Mac or install their own malicious app, accessing the microphone and camera to obtain sensitive information. Microsoft has a detailed outline of how the vulnerability works, and the company says that its security researchers continue to “monitor the threat landscape” to discover new vulnerabilities and attacker techniques that affect macOS and other non-Windows devices.


T-Mobile begins blocking iPhone users from enabling iCloud Private Relay in the US

Earlier today, a report indicated that some European carriers were blocking the Private Relay feature introduced by Apple with iOS 15. This feature is designed to give users an additional layer of privacy by ensuring that no single party can view the websites that they visit. Now, in addition to some carriers in Europe, it appears that T-Mobile/Sprint in the United States is also blocking iCloud Private Relay access when connected to cellular data. Apple says that Private Relay is a feature designed to give users another layer of privacy when browsing the web. Traffic passes through two relays: the first is a server maintained by Apple, and the second is run by a third-party operator. The feature was announced at WWDC last June and initially slated for inclusion in iOS 15. Apple ultimately shipped the feature as a “public beta,” meaning that it is disabled by default in the newest iOS 15 and macOS Monterey releases. You can manually enable it by going to Settings on your iPhone, tapping your name at the top, choosing iCloud, and choosing “Private Relay.”


500M Avira Antivirus Users Introduced to Cryptomining

Many readers were surprised to learn recently that the popular Norton 360 antivirus suite now ships with a program which lets customers make money mining virtual currency. But Norton 360 isn’t alone in this dubious endeavor: Avira antivirus — which has built a base of 500 million users worldwide largely by making the product free — was recently bought by the same company that owns Norton 360 and is introducing its customers to a service called Avira Crypto. Founded in 2006, Avira Operations GmbH & Co. KG is a German multinational software company best known for their Avira Free Security (a.k.a. Avira Free Antivirus). In January 2021, Avira was acquired by Tempe, Ariz.-based NortonLifeLock Inc., the same company that now owns Norton 360.
