AboutDFIR.com – The Definitive Compendium Project
Digital Forensics & Incident Response

Blog Post

InfoSec News Nuggets 02/01/2023

Researchers Uncover Packer Used by Several Malware to Evade Detection for 6 Years 

A shellcode-based packer dubbed TrickGate has been successfully operating without attracting notice for over six years, while enabling threat actors to deploy a wide range of malware such as TrickBot, Emotet, AZORult, Agent Tesla, FormBook, Cerber, Maze, and REvil over the years. “TrickGate managed to stay under the radar for years because it is transformative – it undergoes changes periodically,” Check Point Research’s Arie Olshtein said, calling it a “master of disguises.” Offered as a service to other threat actors since at least late 2016, TrickGate helps conceal payloads behind a layer of wrapper code in an attempt to get past security solutions installed on a host. Packers can also function as crypters by encrypting the malware as an obfuscation mechanism. 

 

Microsoft Defender can now isolate compromised Linux endpoints 

Microsoft announced today that it added device isolation support to Microsoft Defender for Endpoint (MDE) on onboarded Linux devices. Enterprise admins can manually isolate Linux machines enrolled as part of a public preview using the Microsoft 365 Defender portal or via API requestsOnce isolated, threat actors will no longer have a connection to the breached system, cutting off their control and blocking malicious activity like data theft.  

 

Anker Admits Eufy Cameras Did Not Offer End-to-End Encryption as Promised, Pledges to Do Better 

Back in November, Anker’s Eufy brand made headlines after security consultant Paul Moore discovered that Eufy security cameras were sending data to the cloud, even when cloud storage upload settings were disabled. Further, Eufy camera streams were allegedly able to be watched live through an app like VLC, which presented a glaring security issue. That the Eufy cameras were uploading content to the cloud was problematic because Anker has long touted the security of its Eufy devices, claiming that they feature local-only storage and end-to-end encryption for those who want a more private camera solution. Following this debacle, The Verge began trying to get answers about Eufy camera security from Anker, and Anker was providing deliberately unclear and often misleading answers about how Eufy cameras worked. 

 

New Sh1mmer ChromeBook exploit unenrolls managed devices 

A new exploit called ‘Sh1mmer’ allows users to unenroll an enterprise-managed Chromebook, enabling them to install any apps they wish and bypass device restrictions. When Chromebooks are enrolled with a school or an enterprise, they are managed by policies established by the organization’s administrators. This allows admins to force-install browser extensions, apps, and to restrict how a device can be used. Furthermore, once enrolled, it is almost impossible to unenroll the device without the organization’s admin doing it for you. 

 

Microsoft disables verified partner accounts used for OAuth phishing 

Microsoft has disabled multiple fraudulent, verified Microsoft Partner Network accounts for creating malicious OAuth applications that breached organizations’ cloud environments to steal email. In a joint announcement between Microsoft and Proofpoint, Microsoft says the threat actors posed as legitimate companies to enroll and successfully be verified as that company in the MCPP (Microsoft Cloud Partner Program). The threat actors used these accounts to register verified OAuth apps in Azure AD for consent phishing attacks targeting corporate users in the UK and Ireland. 

 

Google Fi warns customers that their data has been compromised 

Google has notified customers of its Fi mobile virtual network operator (MVNO) service that hackers were able to access some of their information, according to TechCrunch. The tech giant said the bad actors infiltrated a third-party system used for customer support at Fi’s primary network provider. While Google didn’t name the provider outright, Fi relies on US Cellular and T-Mobile for connectivity. If you’ll recall, the latter admitted in mid-January that hackers had been taking data from its systems since November last year. T-Mobile said the attackers got away with the information of around 37 million postpaid and prepaid customers before it discovered and contained the issue. Back then, the carrier insisted that no passwords, payment information and social security numbers were stolen. Google Fi is saying the same thing, adding that no PINs or text message/call contents were taken, as well. The hackers only apparently had access to users’ phone numbers, account status, SMS card serial numbers and some service plan information, like international roaming.  

Related Posts