AboutDFIR.com – The Definitive Compendium Project
Digital Forensics & Incident Response


InfoSec News Nuggets 04/15/2022

DHS investigators say they foiled cyberattack on undersea internet cable in Hawaii

Federal agents in Honolulu last week “disrupted” an apparent cyberattack on an unnamed telecommunication company’s servers associated with an underwater cable responsible for internet, cable service and cell connections in Hawaii and the region, the agency said in a statement Tuesday. Hawaii-based agents with Homeland Security Investigations, an arm of the Department of Homeland Security, received a tip from their mainland HSI counterparts that led to the disruption of a “significant breach involving a private company’s servers associated with an undersea cable.” The investigation revealed that “an international hacking group” was behind the attack, and “HSI agents and international law enforcement partners in several countries were able to make an arrest.”


“Your AppIe ID has been locked” spam email takes you on a website mystery tour

Spam emails claiming that your account has been locked and needs to be fixed are common, and they drive people to phishing pages on a daily basis. The mail in question here follows the same pattern with one key difference (note that the subject line spells “Apple” with a capital I in place of the lowercase l): it looks like a phish, but goes somewhere else entirely. Clicking the big grey “verify account” button should, in theory, lead to an Apple phishing page. That’s not the case here. The link sends people to completely random domains. Some appear to be advertisements; others run the full range from wall cladding services and polytechnics to hotels.
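The quickest triage step for a mail like this is to list where every link actually points and compare the link hosts with the brand the mail claims to be from. The helper below does that with only the standard library. It is an added example, not code from Malwarebytes or from the article; the message it parses is constructed to mirror the mail described above, and the brand domain set (`{"apple.com"}`) is an assumption you would adapt to the mail in hand.

```python
"""Triage helper: where do the links in a "your account is locked" mail go?

Added example (not from the original post). SAMPLE_MAIL is constructed;
the brand_domains set is an assumption for the Apple-themed mail above.
"""
import email
from email import policy
from html.parser import HTMLParser
from typing import List, Tuple
from urllib.parse import urlsplit


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(raw_message: bytes) -> List[Tuple[str, str]]:
    """Return (href, visible text) for each anchor in the HTML part of a raw RFC 822 message."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return []
    parser = _LinkCollector()
    parser.feed(body.get_content())
    return parser.links


def registrable(host: str) -> str:
    # Naive last-two-labels heuristic: fine for .com-style hosts, wrong for
    # co.uk-style public suffixes (use a Public Suffix List library for those).
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def off_brand_links(raw_message: bytes, brand_domains) -> List[Tuple[str, str, str]]:
    """Return (visible text, href, host) for links whose host is not one of brand_domains."""
    flagged = []
    for href, text in extract_links(raw_message):
        host = urlsplit(href).hostname or ""
        if registrable(host) not in brand_domains:
            flagged.append((text, href, host))
    return flagged


# Constructed sample modelled on the mail described above: the "verify" button
# points at an unrelated site while a footer link points at the real brand.
SAMPLE_MAIL = b"""\
From: "AppIe Support" <support@example.net>
To: victim@example.org
Subject: Your AppIe ID has been locked
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your AppIe ID has been locked for security reasons.</p>
<p><a href="http://wall-cladding.example/promo?id=7">Verify account</a></p>
<p><a href="https://www.apple.com/legal/">Privacy Policy</a></p>
</body></html>
"""

if __name__ == "__main__":
    for text, href, host in off_brand_links(SAMPLE_MAIL, {"apple.com"}):
        print(f'"{text}" -> {href}  (host: {host})')
```

Feed it a saved `.eml` instead of `SAMPLE_MAIL` to triage a real message. A link whose visible text says "Verify account" but whose host is a cladding company is exactly the pattern the article describes; the same check also catches a classic credential phish, where the host would be a look-alike rather than a random domain.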


Cisco’s Webex app phoned home audio telemetry even when muted

Researchers at two US universities have found that muting popular native video-conferencing apps does not disable the device microphone: the apps retain the ability to access audio data while muted, and some actually do so. The headline case is Cisco’s Webex, which the researchers found still sending audio telemetry to its servers while the user was muted. The research is described in a paper titled “Are You Really Muted?: A Privacy Analysis of Mute Buttons in Video Conferencing Apps,” by Yucheng Yang (University of Wisconsin-Madison), Jack West (Loyola University Chicago), George K. Thiruvathukal (Loyola University Chicago), Neil Klingensmith (Loyola University Chicago), and Kassem Fawaz (University of Wisconsin-Madison). The paper is scheduled to be presented at the Privacy Enhancing Technologies Symposium in July.
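The practical question behind this finding is whether an app’s mute button actually stops audio reaching the app, or only stops the app forwarding it. On a Linux desktop running PulseAudio (or PipeWire’s `pipewire-pulse` compatibility layer) you can answer that from outside the app: every application recording from the microphone shows up as a “source output” in `pactl list source-outputs`, and a stream that is still present and not corked is still being fed audio. The script below parses that output. It is an added example, not code from the paper or from Cisco; the `pactl` output it parses offline is constructed, and the application name and PID in it are placeholders.

```python
"""Which applications are still receiving microphone audio?

Added example (not from the paper or from Cisco). Assumes a PulseAudio or
pipewire-pulse desktop so that `pactl` is available. SAMPLE is constructed.
Run unmuted, then press the app's mute button and run again: if the app's
stream is still listed and not corked, audio is still flowing to it.
"""
import re
import subprocess
from dataclasses import dataclass
from typing import List


@dataclass
class CaptureStream:
    index: int
    app_name: str
    pid: str
    corked: bool  # a corked stream is paused by the client and receives no audio


def parse_source_outputs(text: str) -> List[CaptureStream]:
    """Parse `pactl list source-outputs` output into one record per recording stream."""
    streams = []
    # Each recording stream is a block headed "Source Output #N".
    for block in re.split(r"^Source Output #", text, flags=re.M)[1:]:
        index = int(block.split("\n", 1)[0].strip())
        corked = re.search(r"^\s*Corked:\s*yes\b", block, re.M) is not None
        # Property lines look like:   application.name = "ConfApp"
        props = dict(re.findall(r'^\s*([\w.\-]+)\s*=\s*"(.*)"\s*$', block, re.M))
        streams.append(CaptureStream(
            index=index,
            app_name=props.get("application.name", "?"),
            pid=props.get("application.process.id", "?"),
            corked=corked,
        ))
    return streams


def active_mic_streams(text: str) -> List[CaptureStream]:
    """Streams that are actually being delivered microphone audio right now."""
    return [s for s in parse_source_outputs(text) if not s.corked]


def scan_live() -> List[CaptureStream]:
    """Query the running sound server (requires pactl on the PATH)."""
    out = subprocess.run(["pactl", "list", "source-outputs"],
                         capture_output=True, text=True, check=True).stdout
    return active_mic_streams(out)


# Constructed sample output: stream #7 belongs to a conferencing app whose
# UI says "muted" but whose recording stream is still uncorked; stream #9
# belongs to a recorder that has genuinely paused its capture.
SAMPLE = """\
Source Output #7
\tDriver: protocol-native.c
\tOwner Module: 12
\tClient: 40
\tSource: 1
\tSample Specification: s16le 1ch 48000Hz
\tCorked: no
\tMute: no
\tProperties:
\t\tmedia.name = "recStream"
\t\tapplication.name = "ConfApp"
\t\tapplication.process.id = "4242"
\t\tapplication.process.binary = "confapp"

Source Output #9
\tDriver: protocol-native.c
\tOwner Module: 12
\tClient: 51
\tSource: 1
\tSample Specification: s16le 2ch 48000Hz
\tCorked: yes
\tMute: no
\tProperties:
\t\tmedia.name = "Recorder"
\t\tapplication.name = "Recorder"
\t\tapplication.process.id = "5151"
"""

if __name__ == "__main__":
    for s in active_mic_streams(SAMPLE):
        print(f"stream #{s.index}: {s.app_name} (pid {s.pid}) is receiving microphone audio")
```

Replace `SAMPLE` with `scan_live()` to check a real session. Two caveats: this only tells you the app is still being handed audio, not what it does with it (the paper’s Webex finding, telemetry leaving the host while muted, needs a network capture of the app’s traffic to confirm); and on Windows and macOS the closest built-in equivalent is the OS microphone-in-use indicator, which likewise reports access rather than what is transmitted.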


Lazarus Targets Chemical Sector

Symantec, a division of Broadcom Software, has observed the North Korea-linked advanced persistent threat (APT) group known as Lazarus conducting an espionage campaign targeting organizations operating within the chemical sector. The campaign appears to be a continuation of Lazarus activity dubbed Operation Dream Job, which was first observed in August 2020. Symantec tracks this subset of Lazarus activity under the name Pompilus. Operation Dream Job involves Lazarus using fake job offers to lure victims into clicking on malicious links or opening malicious attachments that eventually lead to the installation of malware used for espionage. Past Dream Job campaigns have targeted individuals in the defense, government, and engineering sectors, in activity observed in August 2020 and July 2021.


Filing your taxes? Be wary of help found through search engines

The deadline for filing taxes in the US is nearly upon us: April 18 is the last day to get your return in to the IRS. People will naturally gravitate toward all manner of filing tools to get the job done, but it’s worth noting that sites lurking in search engine results can make filing harder, not easier. One such tool is TurboTax. The product requires a registration code to activate, and this is where the search engine results come into play. Some people have trouble registering or installing the software for a variety of reasons: maybe it’s hardware, perhaps it’s the software. Incompatibility frequently rears its head, and sometimes other third-party software interferes with installation.


New ‘Enemybot’ DDoS Botnet Targets Routers, Web Servers

A recently identified DDoS botnet has targeted several router models and various types of web servers by exploiting known vulnerabilities, Fortinet warns. Dubbed Enemybot, the botnet appears to be the work of Keksec, an established cybercrime group that specializes in DDoS attacks and cryptocurrency mining. The malware was built using the source code of the Gafgyt (Bashlite) botnet – which leaked in 2015 – with some modules borrowed from the infamous Mirai botnet, including the scanner module and a bot killer module. Enemybot employs several obfuscation techniques meant not only to prevent analysis, but also to keep it hidden from other botnets, and connects to a command and control (C&C) server on the Tor network. The new botnet targets numerous architectures used within Internet of Things (IoT) products and can also target x86, which increases its chances of infection.
