Our website may use cookies to improve and personalize your experience and to display advertisements (if any). Our website may also include cookies from third parties like Google Adsense or Google Analytics. By using the website, you consent to the use of cookies. We’ve updated our Privacy Policy. Please click on the button to check our Privacy Policy.

AboutDFIR.com – The Definitive Compendium Project
Digital Forensics & Incident Response

Blog Post

InfoSec News Nuggets 08/12/2021

New AdLoad malware variant slips through Apple’s XProtect defenses

A new AdLoad malware variant is slipping through Apple’s YARA signature-based XProtect built-in antivirus tech to infect Macs as part of multiple campaigns tracked by American cybersecurity firm SentinelOne. AdLoad is a widespread trojan targeting the macOS platform since at least since late 2017 and used to deploy various malicious payloads, including adware and Potentially Unwanted Applications (PUAs). This malware can also harvest system information that later gets sent to remote servers controlled by its operators. These massive scale and ongoing attacks have started as early as November 2020, according to SentinelOne threat researcher Phil Stokes, with an increase in activity beginning with July and the beginning of August.

 

The hacker behind a giant cryptocurrency heist is returning stolen funds

Someone just perpetrated one of the largest cryptocurrency heists known to date… and appears to be having second thoughts. The Block and CNBC report that a hacker stole about $611 million in Ethereum, Shiba Inu and other digital currencies from the decentralized Poly Network finance platform on August 10th by exploiting a vulnerability. Less than a day later, however, the intruder sent a token indicating they were “ready to surrender” and started returning millions in funds. It’s not completely clear what prompted the change of heart, but the hacker may have been caught. Slowmist and other security researchers reportedly tracked down identifying info, including email, an IP address and the Chinese cryptocurrency exchange the perpetrator used. If so, the ‘refund’ may have been an attempt to avoid criminal charges.

 

Deepfakes – the bot made me do it

A deepfake rendition of a loved one saying they’ve been kidnapped paints a grim picture of what future deepfakes – specially constructed videos from real data – purport to bring next to technology. After machine learning ingests the droves of images being created every day à la Instagram selfies and sound tracks from webinars, conference presentations or the narrated commentary of vacation videos from YouTube, it can paint a very clear image, video and voice of almost anyone, but with specially crafted fake communication mimicking that the person is in deep trouble. Technology wasn’t supposed to do this – it was supposed to help. Starting with fake phone calls, synthesized by processing audio clips of your boss that ask you to wire large sums of money, the next generation of deepfakes promises voices too clear and convincing to be disputed. Feed enough data into a machine learning system and that voice becomes scarily close to reality, as was witnessed in 2019 in an audacious real-time audio-based attack on a UK-based energy company, duping them out of US$243,000.

 

Introducing the Allstar GitHub App

We’re excited to announce Allstar, a GitHub app that provides automated continuous enforcement of security best practices for GitHub projects. With Allstar, owners can check for security policy adherence, set desired enforcement actions, and continuously enact those enforcements when triggered by a setting or file change in the organization or project repository. Allstar will help the open source community proactively reduce security risk while adding as little friction as possible. Allstar is a companion to Security Scorecards, an automated tool that assesses risk to a repository and its dependencies. Security Scorecards checks a number of important heuristics (currently 18), such as whether the project uses branch protection, cryptographically signs release artifacts, or requires code review. From these scores, users can understand specific areas to improve in order to strengthen the security posture of their project.

 

A 5G Shortcut Leaves Phones Exposed to Stingray Surveillance

IN NORTH AMERICA and many other parts of the world, high-speed 5G mobile data networks dangled just out of reach for years. But as 5G coverage becomes ubiquitous, the rollout comes with an important caveat. Even if your phone says it’s connected to the next-generation wireless standard, you may not actually be getting all of the features 5G promises—including defense against so-called stingray surveillance devices. To get 5G out to the masses quickly, most carriers around the world deployed it in something called “non-standalone mode” or “non-standalone architecture.” The approach essentially uses existing 4G network infrastructure as a jumping off point to put out 5G data speeds before the separate, “standalone” 5G core is built. It’s like starting your cake-decorating business out of your cousin’s ice cream shop while you renovate a new storefront three blocks away. 

 

Microsoft confirms there’s yet another new Windows Print Spooler security bug

The saga for Microsoft’s printer and related issues continues as earlier today the firm confirmed a new security flaw in the Windows Print Spooler service. The new vulnerability has been assigned the ID CVE-2021-36958 and here’s how the Redmond firm describes the new flaw: A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. As may be noticeable for those who have been following the saga closely, the new issue is related to the ongoing PrintNightmare bug that the company released a patch for a couple of days earlier. Microsoft claimed the patch should be helpful in mitigating the problem to a large degree as it would now require administrator privileges for running Point and Print driver installations and updates. However, on systems that already have the printer driver installed, non-admin users who are possibly threat actors can still exploit the vulnerability.

Related Posts