AboutDFIR.com – The Definitive Compendium Project
Digital Forensics & Incident Response


InfoSec News Nuggets 11/04/2021

Toronto subways hit by ransomware as US lawmakers slam ‘burdensome’ cybersecurity rules

The Toronto Transit Commission (TTC) — which runs the city’s public transportation system — reported a ransomware attack this weekend that forced conductors to use radio, crippled the organization’s email system and made schedule information on platforms and apps unavailable. In a statement on Friday, the TTC said it confirmed it was the victim of a ransomware attack after its IT staff “detected unusual network activity and began investigating.” “Impact was minimal until midday Friday, October 29, when hackers broadened their strike on network servers. The incident did not cause significant service disruptions, and there is no risk to employee or customer safety,” the TTC said. Impacted services include the TTC’s Vision system, which operators use to communicate with Transit Control. Next-vehicle information on platform screens, in trip-planning apps and on the TTC website was unavailable, and online Wheel-Trans bookings were also unavailable.


Israeli spyware company NSO Group placed on US blacklist

NSO Group has been added to the US Commerce Department’s Entity List by the Biden administration after it determined the Israeli spyware maker has acted “contrary to the foreign policy and national security interests of the US”. The finding by the Commerce Department represents a blow to the Israeli company and reveals a deep undercurrent of concern by the US about the impact of spyware on national security interests. It comes three months after a consortium of journalists working with the French non-profit group Forbidden Stories, including the Guardian, revealed multiple cases of journalists and activists who were hacked by foreign governments using the spyware. The Guardian and others also revealed that the mobile numbers of Emmanuel Macron, the French president, and nearly his entire cabinet were contained on a leaked list of individuals who were selected as possible targets of surveillance.


Cisco Talos reports new variant of Babuk ransomware targeting Exchange servers

Cisco Talos has a warning out for U.S. companies about a new variant of the Babuk ransomware. The security researchers discovered the campaign in mid-October and think that the variant has been active since July 2021. The new element in this attack is an unusual infection chain. Security researchers Chetan Raghuprasad, Vanja Svajcer and Caitlin Huey describe the new threat in a Talos Intelligence blog post. The researchers think that the initial infection vector is exploitation of the ProxyShell vulnerabilities in Microsoft Exchange Server, followed by deployment of a China Chopper web shell. Babuk can affect several hardware and software platforms, but this version is targeting Windows. The ransomware encrypts the target’s machine, interrupts the system backup process and deletes the volume shadow copies.
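For responders who want to hunt for the chain described above (ProxyShell request, web shell, then shadow-copy deletion), here is an added triage example. It is not code from Talos or from the Babuk analysis; it runs over constructed IIS W3C log lines and constructed process command lines embedded below. The IIS field order (date, time, method, URI stem, URI query, status, client IP), the hypothetical allowlist of Exchange pages that legitimately receive POSTs under /owa/auth/, and the sample shadow-deletion commands are all assumptions to tune against a known-good server.

```python
"""Triage helpers for the ProxyShell -> web shell -> shadow-copy-deletion chain.
Added example with constructed sample data; not the Talos tooling."""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    line_no: int
    rule: str
    client_ip: str
    detail: str


# Constructed IIS W3C lines (assumed field order:
# date time cs-method cs-uri-stem cs-uri-query sc-status c-ip).
SAMPLE_IIS_LOG = """\
2021-10-12 03:14:07 GET /owa/auth/logon.aspx url=%2fowa%2f 200 198.51.100.7
2021-10-12 03:15:22 POST /autodiscover/autodiscover.json @x.test/mapi/nspi/?&Email=autodiscover/autodiscover.json%3F@x.test 200 203.0.113.9
2021-10-12 03:15:40 POST /autodiscover/autodiscover.json @x.test/PowerShell/?X-Rps-CAT=VgAAAA&Email=autodiscover/autodiscover.json%3F@x.test 200 203.0.113.9
2021-10-12 03:16:05 POST /aspnet_client/system_web/log.aspx - 200 203.0.113.9
2021-10-12 03:16:09 POST /owa/auth/logon.aspx - 200 198.51.100.7
2021-10-12 03:16:31 POST /owa/auth/Current/themes/resources/x.aspx - 200 203.0.113.9
"""

# Hypothetical allowlist: Exchange's own pages under /owa/auth/ that take POSTs.
OWA_AUTH_POST_ALLOW = {"logon.aspx", "logoff.aspx", "signout.aspx", "errorfe.aspx"}

# ProxyShell path confusion: autodiscover.json with an "@host/" prefix in the
# query and the Email parameter pointing back at autodiscover.json.
PROXYSHELL_STEM_RE = re.compile(r"autodiscover\.json$", re.I)
PROXYSHELL_QUERY_RE = re.compile(
    r"@[^/]+/.*email=autodiscover/autodiscover\.json%3f@", re.I)


def _webshell_path(stem: str) -> bool:
    """True for .aspx POST targets where Exchange has no dynamic page of its own."""
    s = stem.lower()
    if not s.endswith(".aspx"):
        return False
    if s.startswith("/aspnet_client/"):
        return True  # no Exchange .aspx belongs here
    if s.startswith("/owa/auth/") and s.rsplit("/", 1)[-1] not in OWA_AUTH_POST_ALLOW:
        return True
    return False


def scan_iis_log(text: str) -> list[Finding]:
    findings: list[Finding] = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 7:
            continue
        _date, _time, method, stem, query, _status, ip = parts[:7]
        if PROXYSHELL_STEM_RE.search(stem) and PROXYSHELL_QUERY_RE.search(query):
            findings.append(Finding(n, "proxyshell-path-confusion", ip, query[:60]))
        elif method == "POST" and _webshell_path(stem):
            findings.append(Finding(n, "webshell-post", ip, stem))
    return findings


def attacker_ips(findings: list[Finding]) -> set[str]:
    """Client IPs to pivot on across the rest of the log set."""
    return {f.client_ip for f in findings}


# Constructed process command lines (e.g. Sysmon Event ID 1). The delete
# commands are typical shadow-copy removal, not a claim about Babuk's exact syntax.
SAMPLE_PROC_CMDLINES = [
    r'"C:\Windows\System32\vssadmin.exe" list shadows',
    r'vssadmin.exe delete shadows /all /quiet',
    r'wmic shadowcopy delete',
    r'wbadmin delete catalog -quiet',
    r'"C:\Program Files\Veeam\Backup\Veeam.Backup.Manager.exe"',
]

SHADOW_DELETE_RES = [
    re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I),
    re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
    re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\bcatalog\b", re.I),
]


def shadow_copy_deletions(cmdlines: list[str]) -> list[str]:
    """Command lines that remove shadow copies or the backup catalog."""
    return [c for c in cmdlines if any(r.search(c) for r in SHADOW_DELETE_RES)]


if __name__ == "__main__":
    for f in scan_iis_log(SAMPLE_IIS_LOG):
        print(f"line {f.line_no}: {f.rule} from {f.client_ip} ({f.detail})")
    print("pivot IPs:", attacker_ips(scan_iis_log(SAMPLE_IIS_LOG)))
    for c in shadow_copy_deletions(SAMPLE_PROC_CMDLINES):
        print("shadow-copy deletion:", c)
```

The two IIS rules are deliberately narrow: the ProxyShell rule keys on the path-confusion shape rather than on any single backend path, and the web-shell rule only fires on POSTs to .aspx files in directories where Exchange ships no dynamic pages (or pages outside the allowlist), which keeps normal OWA logon traffic quiet. Once a client IP is flagged, pivot on it across the full log set and check file creation times on the matching .aspx paths.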


Meta to continue use of facial recognition technology

Much to the delight of privacy advocates and critics of facial recognition systems, Facebook on Monday said it will shut down its Face Recognition tool and delete the collected facial templates of more than a billion people. The technology, which includes the controversial DeepFace algorithm, was used to identify people in uploaded photos for tagging purposes. While Facebook is no longer using facial recognition software, Meta on Wednesday clarified that the limitation does not extend to metaverse products, reports Recode. “We believe this technology has the potential to enable positive use cases in the future that maintain privacy, control, and transparency, and it’s an approach we’ll continue to explore as we consider how our future computing platforms and devices can best serve people’s needs,” Jason Grosse, spokesperson for Meta, told the publication.


BlackMatter ransomware to shut down, affiliates transferring victims to LockBit

In messages obtained by a member of the vx-underground group, the prolific BlackMatter ransomware group has said it is closing shop due to increased law enforcement pressure. The group — hawking a rebranded version of the DarkSide ransomware used to attack Colonial Pipeline earlier this year — posted a message on its private ransomware-as-a-service website on November 1st saying some members of the gang are “no longer available” after “the latest news.” “Due to certain unsolvable circumstances associated with pressure from the authorities (part of the team is no longer available, after the latest news) — project is closed,” the group wrote. “After 48 hours the entire infrastructure will be turned off, allowing: Issue mail to companies for further communication [and] Get decryptor. For this write ‘give a decryptor’ inside the company chat, where necessary. We wish you all success, we were glad to work.” 


Apple’s Federighi rails against app sideloading in single-note keynote

Apple’s head of software engineering Craig Federighi took his time onstage at the Web Summit 2021 conference to air a laundry list of grievances against proposed requirements for sideloading apps onto iPhones, describing the practice as “gold rush for the malware industry.” It’s a matter for discussion not simply because there is lively debate on the topic (though there is), but because the EU’s Digital Markets Act, if implemented as currently laid out, could mandate a method of putting apps on iPhones that circumvents Apple’s longstanding App Store and review process. CEO Tim Cook already made the company’s position (hard against this, obviously) known in June, when he said the rule could “destroy the security of the iPhone.” So it’s not a big surprise that Federighi would back up the boss, but dedicating pretty much a full onstage speech to a series of arguably misleading and totally unchallenged assertions offers the viewer light notes of desperation.
