ITG18: Operational Security Errors Continue to Plague Sizable Iranian Threat Group
IBM Security X-Force threat intelligence researchers continue to track the infrastructure and activity of a suspected Iranian threat group, ITG18. This group’s tactics, techniques and procedures (TTPs) overlap with groups known as Charming Kitten, Phosphorus and TA453. Since our initial report on the group’s training videos in May 2020, X-Force has uncovered additional operational security errors by this group. Our continued analysis led to the discovery of a malicious tool that has not been previously linked to this threat actor, a custom Android backdoor we named “LittleLooter.” LittleLooter has only been observed being used by ITG18; X-Force is not aware of other threat actors leveraging this backdoor.
Motherboard vendor GIGABYTE hit by RansomExx ransomware gang
Taiwanese computer hardware vendor GIGABYTE has suffered a ransomware attack, and hackers are currently threatening to release more than 112 GB of business data on the dark web unless the company agrees to their ransom demands. The Taiwanese company, primarily known for its high-performance motherboards, confirmed the attack in a phone call and in a message on its (now-down) Taiwanese website. A spokesperson said the incident did not impact production systems. Only a few internal servers at its Taiwanese headquarters have been affected and have now been taken down and isolated. The company is currently in the process of investigating how the hackers breached its systems, stole files, and encrypted local copies. Local law enforcement has also been notified.
Scanning for Child Sexual Abuse Material (CSAM) on iPhones
Apple has announced that future versions of its operating system for iPhones, iPads, Watches, and Macs will scan for Child Sexual Abuse Material (CSAM). Apple will be scanning for illegal images on your device before they are uploaded to iCloud Photos, by comparing the hashes (sometimes known as checksums) of your photos with a database of known CSAM image hashes. If the hashes match, then there is a good chance that a child sexual abuse image has been found. If suspected CSAM is found, a “cryptographic safety voucher” containing the match result and additional encrypted data about the image is uploaded to iCloud. Apple says it cannot interpret the contents of the safety voucher unless the user’s account has reached a certain threshold for image matches.
Synology warns of malware infecting NAS devices with ransomware
Taiwan-based NAS maker Synology has warned customers that the StealthWorker botnet is targeting their network-attached storage devices in ongoing brute-force attacks that lead to ransomware infections. According to Synology’s PSIRT (Product Security Incident Response Team), Synology NAS devices compromised in these attacks are later used in further attempts to breach more Linux systems. “These attacks leverage a number of already infected devices to try and guess common administrative credentials, and if successful, will access the system to install its malicious payload, which may include ransomware,” Synology said in a security advisory. “Devices infected may carry out additional attacks on other Linux based devices, including Synology NAS.” The company is coordinating with multiple CERT organizations worldwide to take down the botnet’s infrastructure by shutting down all detected command-and-control (C2) servers. Synology is working on notifying all potentially impacted customers of these ongoing attacks targeting their NAS devices.
Future in-car biometrics could detect drunk-driving or a heart attack
Politicians in the US recently released a bipartisan infrastructure bill that includes around $555 billion in new spending to build roads, public transit, and other transport options. Amongst other things, the bill mandates that car OEMs introduce technology to “passively monitor the performance of a driver of a motor vehicle to accurately identify whether that driver may be impaired.” This is significant news for companies working on tech to detect drunk drivers. In June, the Automotive Coalition for Traffic Safety, Inc. (ACTS) announced that a product equipped with new alcohol detection technology would be available for open-source licensing in commercial vehicles for the first time in late 2021. Their tech results from extensive R&D and testing by the DADSS Program, a public-private partnership between automakers and the US Department of Transportation’s National Highway Traffic Safety Administration (NHTSA).
The most dangerous (and interesting) Microsoft 365 attacks
Government-sponsored hackers, who carry out cyberespionage campaigns, invest more resources than ever to find new ways of attacking the cloud. One of their preferred targets is Microsoft 365, previously called Office 365, a platform used by an increasing number of organizations of all sizes. From an intelligence collector’s perspective, it makes sense to target it. “Microsoft 365 is a gold mine,” Doug Bienstock, incident response manager at Mandiant, tells CSO. “The vast majority of [an organization’s] data is probably going to be in Microsoft 365, whether it’s in the contents of individual emails, or files shared on SharePoint or OneDrive, or even Teams messages.”