AboutDFIR.com – The Definitive Compendium Project
Digital Forensics & Incident Response

InfoSec News Nuggets 02/11/2022

Mac malware spreading for ~14 months installs backdoor on infected systems

Mac malware known as UpdateAgent has been spreading for more than a year, and it is growing increasingly malevolent as its developers add new bells and whistles. The additions include the pushing of an aggressive second-stage adware payload that installs a persistent backdoor on infected Macs. The UpdateAgent malware family began circulating no later than November or December 2020 as a relatively basic information-stealer. It collected product names, version numbers, and other basic system information. Its methods of persistence—that is, the ability to run each time a Mac boots—were also fairly rudimentary. Over time, Microsoft said on Wednesday, UpdateAgent has grown increasingly advanced. Besides the data sent to the attacker server, the app also sends “heartbeats” that let attackers know if the malware is still running. It also installs adware known as Adload.


Spain dismantles SIM swapping group who emptied bank accounts

Spanish National Police has arrested eight suspects allegedly part of a crime ring that drained bank accounts in a series of SIM swapping attacks. They presumably spoofed the targets’ bank in phishing messages via email, SMS, or direct messages on social media platforms, according to a press release published today. By means of phishing, the suspects obtained the sensitive personal information needed to impersonate the potential victims and deceive phone store employees into issuing new SIM cards with the same number. Finally, they used the victims’ phone numbers to obtain the one-time passwords that protect e-banking accounts, accessed them, and promptly drained all the available funds by transferring them to accounts under their control.


Web Skimmer Injected Into Hundreds of Magento-Powered Stores

What made the attack stand out was the clever use of a combination of SQL injection and PHP object injection, which ultimately gave the attackers control of the Magento store. On all infected websites, the payment skimmer was being loaded from the naturalfreshmall(.)com domain. The initial intrusion vector was a known vulnerability in the Quickview plugin, which attackers typically use to inject rogue admin users into vulnerable Magento stores. In this case, however, the weakness was abused to add a validation rule that resulted in a file containing a simple backdoor being added to the database. The validation rules for new customers would then trigger the code execution when someone simply browsed the Magento sign-up page. According to Sansec, the attackers deployed no fewer than 19 backdoors on the compromised system, meaning that affected sites need to eliminate all of them to make sure they won’t fall victim to follow-up attacks.


This malware gang plants incriminating evidence on PCs, gets victims arrested

For the past decade, unidentified miscreants have been planting incriminating evidence on the devices of human-rights advocates, lawyers, and academics in India seemingly to get them arrested. That’s according to SentinelOne, which has named the crew ModifiedElephant and described the group’s techniques and targets since 2012 in a report published on Wednesday. “The objective of ModifiedElephant is long-term surveillance that at times concludes with the delivery of ‘evidence’ – files that incriminate the target in specific crimes – prior to conveniently coordinated arrests,” said Tom Hegel, threat researcher at SentinelOne, in a blog post. Hegel said the group has operated for years without attracting the attention of the cybersecurity community because of its limited scope of operations, its regionally-specific targeting, and its relatively unsophisticated tools.


France Rules That Using Google Analytics Violates GDPR Data Protection Law

French data protection regulators on Thursday found the use of Google Analytics to be a breach of the European Union’s General Data Protection Regulation (GDPR) in the country, almost a month after a similar decision was reached in Austria. To that end, the National Commission on Informatics and Liberty (CNIL) ruled that the transatlantic movement of Google Analytics data to the U.S. is not “sufficiently regulated,” citing a violation of Articles 44 et seq. of the data protection decree, which govern the transfers of personal data to third countries or international entities. Specifically, the independent administrative regulatory body highlighted the lack of equivalent privacy protections and the risk that “American intelligence services would access personal data transferred to the United States if the transfers were not properly regulated.”


The IRS U-turn on facial recognition could spell trouble for biometric ID

The US Internal Revenue Service this week backtracked on plans to use facial recognition for online identity checks, following criticism from members of Congress and privacy advocates. The decision points to a rocky road ahead for the many public and private sector organisations planning to use biometrics as part of their digital identity plans, and the start-ups hoping to capitalise on the opportunity. This week, the IRS announced that it would “transition away” from using digital ID provider ID.me for online identity checks. Last year, it awarded the company a contract to provide facial recognition checks for taxpayers accessing their records online. ID.me’s service requires users to record a video selfie in order to authenticate their identity, the New York Times reported.