AboutDFIR.com – The Definitive Compendium Project
Digital Forensics & Incident Response

Blog Post

InfoSec News Nuggets 04/22/2022

REvil resurrected? Ransomware crew appears to be back. Keyword: Appears

The notorious REvil ransomware gang appears to have returned from the bowels of the dark web, three months after the arrest of 14 of its suspected members, with its old website forwarding to a new operation that lists both previous and fresh victims. Back in January, Russia said it dismantled the crime ring’s networks and raided its operators’ homes amid the arrests of 14 of its alleged members. The takedown seemed to have worked, and infosec firms say they haven’t seen any sign of REvil activity since. That changed this week, when security researchers on Twitter, pancak3 and Soufiane Tahiri, caught the latest REvil leak site – a website where the extortionists brag about their victims and disclose data stolen from them – being promoted on RuTOR, a Russian-language forum-slash-marketplace.


LemonDuck botnet plunders Docker cloud instances in cryptocurrency crime wave

Operators of the LemonDuck botnet are targeting Docker instances in a cryptocurrency mining campaign. LemonDuck is cryptocurrency mining malware wrapped up in a botnet structure. The malware exploits older vulnerabilities to infiltrate cloud systems and servers, including the Microsoft Exchange ProxyLogon bugs, EternalBlue, and BlueKeep. As noted by Microsoft’s security team in 2021, the threat actors behind the malware are known to be selective when it comes to timing and may trigger an attack when teams are focused on “patching a popular vulnerability rather than investigating compromise.”


Google is banning third-party call recording apps from the Play Store

Google is introducing a new Play Store policy that will effectively block third-party call recording apps from the Play Store by May 11th, according to a Reddit post seen by 9to5Google. Such apps currently use the Accessibility API (designed for people with disabilities) to gain access to the audio functions on Android devices. “Apps with a core functionality intended to directly support people with disabilities are eligible to use the IsAccessibilityTool,” the policy states. “Apps not eligible for IsAccessibilityTool may not use the flag and must meet prominent disclosure and consent requirements. The Accessibility API is not designed and cannot be requested for remote call audio recording. “


Binance tells Russian users with over €10k to withdraw everything

Binance has announced some significant changes in its services for Russia-based users, which mark the company’s effort to align with European Union’s fifth wave of sanctions against Russia. Earlier this month, the EU adopted a new set of restrictions targeting deposits to crypto-wallets of any person, entity, or body linked to Russia and Belarus. Binance is one of the world’s largest cryptocurrency exchange platforms with operations in Europe. The company’s legal team evaluated the sanctions in the past weeks and decided to green light the measures targeting Russia-based investors.


Criminals Abuse Apple Pay in Spending Sprees

Criminals are abusing Apple Pay and other contactless payment systems to go on spending sprees with stolen credit and debit card numbers, according to a Motherboard review of various Telegram channels used by fraudsters. One fraudster said that Apple Pay is the “easiest way” to make money with a recently developed hacking tool available in the digital underground that focuses on stealing victims’ multi-factor authentication tokens. Recently criminals have started using bots that automatically place phone calls to victims and trick people into handing over their multi-factor authentication codes. Now, various fraudsters selling access to these underground bots are highlighting a particular money making scheme: using the bots to link stolen credit cards to contactless payment systems like Apple, Samsung, and Google Pay and then buying items at the victim’s expense.


FBI warns of ransomware attacks targeting US agriculture sector

The US Federal Bureau of Investigation (FBI) warned Food and Agriculture (FA) sector organizations today of an increased risk that ransomware gangs “may be more likely” to attack them during the harvest and planting seasons. While ransomware groups regularly target the US agriculture sector, the FBI noted that the number of attacks against such entities during such critical seasons stands out. The FBI revealed this in a joint flash alert released on Wednesday in coordination with the United States Department of Agriculture (USDA) and the Cybersecurity and Infrastructure Security Agency (DHS/CISA).


AWS’s Log4j patches blew holes in its own security

Amazon Web Services has updated its Log4j security patches after it was discovered the original fixes made customer deployments vulnerable to container escape and privilege escalation. The vulnerabilities introduced by Amazon’s Log4j hotpatch – CVE-2021-3100, CVE-2021-3101, CVE-2022-0070, CVE-2022-0071 – are all high-severity bugs rated 8.8 out of 10 on the CVSS. AWS customers using Java software in their off-prem environments should grab the latest patch set from Amazon and install. “We recommend that customers who run Java applications in containers, and use either the hotpatch or Hotdog, update to the latest versions of the software immediately,” the cloud giant said in a security bulletin on Tuesday.

Related Posts