AboutDFIR.com – The Definitive Compendium Project
Digital Forensics & Incident Response


InfoSec News Nuggets 01/13/2023

Microsoft retracts its report on Mac ransomware 

Microsoft published on Jan. 5 — and then retracted on Jan. 6 — a report that detailed four ransomware families hitting macOS devices. When it comes to cybersecurity threats such as ransomware, most systems affected are usually Windows or Linux, so the news made a splash because it was about macOS devices. But Patrick Wardle, founder of the Objective-See Foundation, pointed out on Twitter that the report had no citations and closely aligned with similar reporting done in his book The Art of Mac Malware, published in July 2022.


Euro-cops shut down crypto scam that bilked millions from unwitting punters 

European cops arrested 15 suspected scammers and shut down a multi-country network of call centers selling fake cryptocurrency that, according to law enforcement, stole upwards of hundreds of millions of euros from victims. The scammers tricked their victims into investing large sums in fake cryptocurrency schemes, according to Europol, which joined the investigation in June 2022 at the request of German law enforcement agencies. The criminals advertised these phony investment opportunities on social media, luring victims to websites they controlled that promised too-good-to-be-true crypto returns. The crooks first convinced the victims to invest low, three-digit sums. Then, using the lure of fake price hikes and lucrative profits, they enticed their victims to transfer larger amounts.


FAA outage that grounded flights blamed on old tech and damaged database file 

A Notice to Air Missions system outage that grounded flights across the US yesterday morning seems to have been caused by a damaged database file, the Federal Aviation Administration said last night. “The FAA is continuing a thorough review to determine the root cause of the Notice to Air Missions (NOTAM) system outage,” the FAA statement said. “Our preliminary work has traced the outage to a damaged database file. At this time, there is no evidence of a cyber attack. The FAA is working diligently to further pinpoint the causes of this issue and take all needed steps to prevent this kind of disruption from happening again.” 


Twitter didn’t block child sex abuse hashtags until journalists pointed them out 

Elon Musk said in November that Twitter’s top priority is eliminating content that sexually exploits children. But Twitter apparently didn’t take action against a series of hashtags and keywords used to promote the sale of child sex abuse material (CSAM) until after NBC News identified the problem in a report published Friday. Twitter blocked searches for the hashtags and keywords on Saturday, NBC News wrote yesterday. “NBC News found that a series of hashtags on the platform related to the file-sharing service Mega served as rallying points for users seeking to trade or sell CSAM. NBC News observed the hashtags over a period of several weeks, and counted dozens of users who collectively published hundreds of tweets daily,” the report said. “The accounts used thinly veiled keywords and terms related to CSAM to promote the content they said was stored on Mega, which they said was available for purchase or trade.”


Blockbuster NYTimes Story Accidentally Leaked Phone Numbers of Russian Soldiers Criticizing War 

A blockbuster investigation from the New York Times in September 2022 inadvertently exposed the apparent phone numbers of Russian soldiers as well as the apparent civilian family members they were speaking to, Motherboard has learned. Some of these people were providing a frank assessment of the ongoing Ukraine war, and blunt criticisms of their superiors including President Putin himself. The exposure potentially put the people at risk of reprisal from their own government and other third parties.


Google Chrome ‘SymStealer’ Vulnerability Could Affect 2.5 Billion Users 

The Chromium vulnerability (tracked CVE-2022-3656) discovered by Imperva security researchers in July 2022 and patched in September could still affect 2.5 billion users if they don’t update their browsers. The warning comes from Imperva’s security researcher Ron Masas, who published a blog post about the flaw (commonly known as “SymStealer”) on Wednesday. In particular, the vulnerability allows for the theft of sensitive files, including crypto wallets and cloud provider credentials, by exploiting how browsers process symbolic links (symlinks). “[Symlinks] can be useful for creating shortcuts, redirecting file paths, or organizing files in a more flexible way,” Masas wrote. “However, [they] can also introduce vulnerabilities if they are not handled properly. In the case of the vulnerability we disclosed to Google, the issue arose from the way the browser interacted with symlinks when processing files and directories.” 
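The defect class Masas describes, a file-processing routine that dereferences symbolic links placed inside a user-selected directory, is easy to reproduce and to guard against. The following is an added example written for this digest; it is not code from the article, from Imperva or from Chromium. It builds a constructed directory layout (a harmless file plus a symlink to a file outside the selected folder), then shows a naive collector that follows the link beside a hardened one that inspects each entry with lstat(), skips anything that is not a regular file, and checks that the resolved path still lies under the selected root. All paths and file names are constructed for the demo.

```python
"""Added example: refusing to follow symlinks when collecting files from a
user-supplied directory. Not from the article or from Imperva/Chromium."""
import os
import stat
import tempfile


def collect_following_symlinks(root):
    """Naive collector: walks into symlinked directories and open() follows
    symlinked files, so a link inside `root` pulls in whatever it points at."""
    collected = {}
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=True):
        for name in filenames:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                collected[os.path.relpath(path, root)] = fh.read()
    return collected


def collect_no_follow(root):
    """Hardened collector: lstat() inspects an entry without dereferencing it;
    symlinks and non-regular files are skipped, symlinked directories are not
    descended into, and the resolved path must stay under `root`."""
    collected = {}
    root_real = os.path.realpath(root)
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        # Prune symlinked subdirectories so they are never entered.
        dirnames[:] = [d for d in dirnames
                       if not os.path.islink(os.path.join(dirpath, d))]
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # does not follow the link
            if stat.S_ISLNK(st.st_mode) or not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, sockets, fifos, device nodes
            if not os.path.realpath(path).startswith(root_real + os.sep):
                continue  # belt and braces: the file must resolve inside root
            with open(path, "rb") as fh:
                collected[os.path.relpath(path, root)] = fh.read()
    return collected


def demo():
    """Constructed layout: a 'secret' outside the upload folder, and inside it
    one real file plus a symlink to the secret. Returns the sorted file names
    each collector produced."""
    with tempfile.TemporaryDirectory() as tmp:
        secret = os.path.join(tmp, "secret.txt")
        with open(secret, "w") as fh:
            fh.write("constructed secret\n")
        upload = os.path.join(tmp, "upload")
        os.mkdir(upload)
        with open(os.path.join(upload, "readme.txt"), "w") as fh:
            fh.write("harmless\n")
        os.symlink(secret, os.path.join(upload, "link.txt"))
        naive = sorted(collect_following_symlinks(upload))
        hardened = sorted(collect_no_follow(upload))
        return naive, hardened


if __name__ == "__main__":
    naive, hardened = demo()
    print("following symlinks:", naive)   # includes link.txt
    print("refusing symlinks: ", hardened)  # readme.txt only
```

The realpath check is deliberately redundant with the lstat() test: lstat() catches the link itself, while the realpath comparison also catches a regular file reached through a symlinked parent directory that the pruning missed on platforms where os.walk reports it differently. On Linux, opening with `os.O_NOFOLLOW` gives the same guarantee at the open() call itself and avoids a check-then-open race.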
