AboutDFIR.com – The Definitive Compendium Project
Digital Forensics & Incident Response

Blog Post

InfoSec News Nuggets 09/13/2021

Grayfly: Chinese Threat Actor Uses Newly-discovered Sidewalk Malware

Symantec, part of Broadcom Software, has linked the recently discovered Sidewalk backdoor to the China-linked Grayfly espionage group. The malware, which is related to the older Crosswalk backdoor (Backdoor.Motnug) has been deployed in recent Grayfly campaigns against a number of organizations in Taiwan, Vietnam, the United States, and Mexico. A feature of this recent campaign was that a large number of targets were in the telecoms sector. The group also attacked organizations in the IT, media, and finance sectors. Sidewalk was recently documented by ESET, who attributed it to a new group it called SparklingGoblin, which it linked to the Winnti malware family. Symantec’s Threat Hunter Team has attributed Sidewalk to Grayfly, a longstanding Chinese espionage operation. Members of the group were indicted in the U.S. in 2020. The recent campaign involving Sidewalk suggests that Grayfly has been undeterred by the publicity surrounding the indictments.


WhatsApp to Let Users Encrypt Chat Backups Uploaded to iCloud

Currently, WhatsApp on iPhone lets users back up their chat history to ‌‌iCloud‌‌, but messages and media that users back up aren’t protected by WhatsApp’s end-to-end encryption while in Apple’s cloud servers. Given that Apple holds the encryption keys for iCloud, a subpoena of Apple or an unauthorized iCloud hack could potentially allow access to WhatsApp messages backed up there. Apple was reportedly pressured to not add encryption to iCloud Backups after the FBI complained. The upcoming WhatsApp feature will resolve that security vulnerability by allowing users to encrypt and password-protect their chat history before uploading it to Apple’s cloud-based platform. WhatsApp began early work on the security feature back in March 2020. The rollout will make backups secure in remote iCloud servers by making them unreadable without an encryption key. Encrypted backups will be optional, and users will be asked to save a 64-bit encryption key or create a password that is associated with the key.


How to Talk to the Board About Zero Trust

It’s no secret that CISOs and other cybersecurity leaders struggle to communicate with executive management and boards of directors in a language they can understand. Business leaders naturally want to discuss cybersecurity in business terms. For many infosec leaders, learning how to “speak business” is akin to learning a second language; they’re much more comfortable talking in tactical and technical terms. But there’s more to the story. In my experience, board members and C-level business executives oftentimes allow ego to circumvent common sense. They’ve risen to their current lofty positions thanks to their unique blend of knowledge, talent and ambition. They’re driven to be seen as the smartest person in the room at all times. And some think rules don’t apply to them. So, what happens when a cybersecurity leader walks into a board meeting spouting technical jargon unfamiliar to these captains of industry and dares to suggest that their own behavior might be part of the problem? It solidifies a longstanding bias among executive leaders toward viewing cybersecurity as an inhibitor to the business. 


Alleged Russian malware developer arrested after being stranded in South Korea due to COVID-19 pandemic

The global pandemic has caused heartbreak and hardship for millions of people around the world, but for one alleged member of the notorious TrickBot malware gang it may also have resulted in their arrest. As Catalin Cimpanu at The Record reports, a man was arrested last week by South Korean law enforcement agents at Seoul’s international airport as he attempted to board a flight back to his native Russia. The man, who has only been named as “Mr A” in local mediaa reports, had entered South Korea in February last year, and was initially unable to return to Russia due to restrictions placed on international travel at the onset of the worldwide Coronavirus outbreak. By the time travel restrictions had been lifted, Mr A’s passport had expired – requiring him to remain in an apartment in Seoul as he awaited a replacement.


Wide-ranging SolarWinds probe sparks fear in Corporate America

A U.S. Securities and Exchange Commission investigation into the SolarWinds Russian hacking operation has dozens of corporate executives fearful information unearthed in the expanding probe will expose them to liability, according to six people familiar with the inquiry. The SEC is asking companies to turn over records into “any other” data breach or ransomware attack since October 2019 if they downloaded a bugged network-management software update from SolarWinds Corp, which delivers products used across corporate America, according to details of the letters shared with Reuters. People familiar with the inquiry say the requests may reveal numerous unreported cyber incidents unrelated to the Russian espionage campaign, giving the SEC a rare level of insight into previously unknown incidents that the companies likely never intended to disclose.

Related Posts