AboutDFIR.com – The Definitive Compendium Project
Digital Forensics & Incident Response


InfoSec News Nuggets 01/13/2021

Mac malware uses ‘run-only’ AppleScripts to evade analysis

A cryptocurrency mining campaign targeting macOS is using malware that has evolved into a complex variant giving researchers a lot of trouble analyzing it. The malware is tracked as OSAMiner and has been in the wild since at least 2015. Yet, analyzing it is difficult because payloads are exported as run-only AppleScript files, which makes decompiling them into source code a tall order. A recently observed variant makes analysis even more difficult as it embeds a run-only AppleScript into another script and uses URLs in public web pages to download the actual Monero miner. OSAMiner typically spreads via pirated copies of games and software, League of Legends and Microsoft Office for macOS being among the more popular examples.

 

Some ransomware gangs are going after top execs to pressure companies into paying

A new trend is emerging among ransomware groups where they prioritize stealing data from workstations used by top executives and managers in order to obtain “juicy” information that they can later use to pressure and extort a company’s top brass into approving large ransom payouts. ZDNet first learned of this new tactic earlier this week during a phone call with a company that paid a multi-million dollar ransom to the Clop ransomware gang. Similar calls with other Clop victims and email interviews with cybersecurity firms later confirmed that this wasn’t just a one-time fluke, but instead a technique that the Clop gang had fine-tuned across the past few months. The technique is an evolution of what we’ve seen from ransomware gangs lately.

 

Hackers Taunt FireEye’s Kevin Mandia At Home With Postcard

Hackers attempted to troll FireEye CEO Kevin Mandia with a postcard that called into question the company’s ability to attribute cyberattacks to the Russian government, Reuters reported. The FBI is investigating a mysterious postcard sent to Mandia’s home days after FireEye found initial evidence of a suspected Russian hacking operation on U.S. government agencies and private businesses, according to Reuters. Federal officials said Jan. 5 that a Russian Advanced Persistent Threat (APT) group is likely behind the colossal hacking campaign, but FireEye hasn’t publicly attributed the attack to Russia. U.S. officials familiar with the postcard are investigating whether it was sent by people associated with a Russian intelligence service due to its timing and content, according to Reuters.

 

‘Largest illegal darknet marketplace’ DarkMarket taken offline

German prosecutors in the cities of Koblenz and Oldenburg said on Tuesday that they had shut down what was “probably the largest illegal marketplace on the Darknet” called DarkMarket and arrested the man believed to operate it near Germany’s border with Denmark. The detained man, believed to be DarkMarket’s operator, is a 34-year-old Australian national. Authorities say drugs, counterfeit money, stolen credit card data, anonymous SIM cards and malware were all traded on the site, which had half a million users and transacted business in cryptocurrencies equivalent to a value of €140 million ($170 million). Oldenburg police said the raid took place over the weekend. “Investigators were able to shut down the marketplace and turn off the server on Monday,” prosecutors said.

 

SolarWinds hackers linked to known Russian spying tools, investigators say

The group behind a global cyber-espionage campaign discovered last month deployed malicious computer code with links to spying tools previously used by suspected Russian hackers, researchers said on Monday. Investigators at Moscow-based cybersecurity firm Kaspersky said the “backdoor” used to compromise up to 18,000 customers of U.S. software maker SolarWinds closely resembled malware tied to a hacking group known as “Turla,” which Estonian authorities have said operates on behalf of Russia’s FSB security service. The findings are the first publicly-available evidence to support assertions by the United States that Russia orchestrated the hack, which compromised a raft of sensitive federal agencies and is among the most ambitious cyber operations ever disclosed. Moscow has repeatedly denied the allegations. The FSB did not respond to a request for comment.

 

Space Force joins US Intelligence Community to secure outer space

Director of National Intelligence John Ratcliffe announced that the US Space Force (USSF) is the ninth Department of Defense component to join the US Intelligence Community (IC). The USSF is a military service tasked with missions and operations in the space domain, the first new one established in the last 70 years, after the establishment of the US Air Force in 1947, and the first new intel element to join the IC since 2006. “Today, we took action to elevate space intelligence missions, tradecraft, and collaboration to ensure the success of the Space Force, the Intelligence Community, and ultimately our National Security,” Chief of Space Operations Gen. John W. Raymond said. “This is a significant milestone, a clear statement that America is committed to a secure and accessible space domain.”

 

Amazon and Facebook staff warned of threats to safety

Amazon and Facebook have warned staff about threats to their safety amid fears of a backlash against “big tech”. Amazon Web Services (AWS) employees were told to “be vigilant” after the firm removed Parler from its web-hosting service. The app is popular with some supporters of President Donald Trump. Facebook staff were also instructed not to wear company-branded clothing in public following its ban of the US President’s account. The companies cited the deadly siege on US Congress and civil unrest as reasons for concern. “In light of recent events, and to err on the side of caution, global security is encouraging everyone to avoid wearing or carrying Facebook-branded items at this time,” an internal Facebook memo obtained by The Information, said.

 

SmartDot radiation-protection phone stickers ‘have no effect’

Stickers supposed to protect users against mobile-phone radiation have no effect, scientists have found. Energydots says they “counteract the harmful energy emitted by wireless and electronic equipment” to aid sleep, cure headaches and give a clearer mind. But University of Surrey tests for BBC News found no evidence of any effect. The Devon-based company told BBC News the stickers were programmed with “scalar energy”, which the scientists’ equipment would be unable to detect. Energydots markets a range of stickers, including the SmartDot, the SleepDot and even the PetDot. BBC News bought five SmartDots – a special offer for £55 – and sent them to the university’s 6th Generation Innovation Centre. Researchers tested 4G mobile phones and wi-fi access points with and without the stickers applied to them.
