AboutDFIR.com – The Definitive Compendium Project
Digital Forensics & Incident Response


InfoSec News Nuggets 12/09/2021

Google disrupts massive Glupteba botnet, sues Russian operators

Google announced today that it has taken action to disrupt the Glupteba botnet that now controls more than 1 million Windows PCs around the world, growing by thousands of new infected devices each day. Glupteba is a blockchain-enabled and modular malware that has been targeting Windows devices worldwide since at least 2011, including the US, India, Brazil, and countries from Southeast Asia. Threat actors behind this malware strain are mainly distributing payloads onto targets’ devices via pay-per-install (PPI) networks and traffic purchased from traffic distribution systems (TDS) camouflaged as “free, downloadable software, videos, or movies.”


Europol identifying leads to target organized crime after Pandora Papers leaks

The European Union’s law enforcement agency Europol has said it is using the Pandora Papers, which had examined millions of leaked documents on how world leaders and celebrities use tax havens, to spot leads on organized crime investigations. The statement, made in an interview for the Belgium weekly magazine Knack, came three months after the data leaks revealed the secret offshore accounts of 35 current and former world leaders, as well as more than 330 politicians and public officials around the world. The investigation was carried out by the International Consortium of Investigative Journalists (ICIJ) and a team of 150 news outlets — including DW’s Turkish service. It exposed powerful global players who were affiliated with companies that use offshore tax havens, including Jordan’s King Abdullah II, former Czech Prime Minister Andrej Babis, former UK Prime Minister Tony Blair as well as the leaders of Ukraine, Chile, and Kenya, among others.


Canadian indicted for launching ransomware attacks on orgs in US, Canada

The FBI and Justice Department unsealed indictments today leveling a number of charges against 31-year-old Canadian Matthew Philbert for his alleged involvement in several ransomware attacks. Officials from the Ontario Provincial Police held a press conference on Tuesday to announce the charges and Philbert’s arrest in Ottawa. In a statement, US Attorney Bryan Wilson of the District of Alaska said Philbert “conspired with others known and unknown to the United States to damage computers, and in the course of that conspiracy did damage a computer belonging to the State of Alaska in April 2018.” Wilson and Canadian officials noted that they received help in the case from Dutch authorities and Europol.


How to Stop Verizon, AT&T, and T-Mobile From Collecting Your Phone Data to Sell Ads

Social media sites, web browsers, and smartphone apps aren’t the only ways companies track your data: your phone service provider collects data right from your phone, too. AT&T, T-Mobile (which now owns Sprint and MetroPCS), and Verizon all track location, web, and app usage, and then use that information to sell ads. Worse, carrier tracking is turned on by default for all users and happens even if you have iOS’s “App Tracking Transparency” or Android’s “Opt-out of Ads Personalization” settings turned on. These settings normally stop apps from collecting certain data, but your carrier tracks you through network activity, not through an app, so on-device do-not-track settings do not apply. To be fair, each phone company offers its customers a chance to opt out, but they’re so coy about it that most users are probably unaware that they have the option—or that data collection is the default behavior to begin with.


Cyberattack Causes Significant Disruption at Colorado Electric Utility

The Delta-Montrose Electric Association (DMEA) is a member-owned and locally controlled rural electric cooperative that serves more than 34,000 customers in Colorado’s Montrose, Delta, and Gunnison counties. It is part of Touchstone Energy Cooperatives, a cooperative federation that has over 750 members across the United States. DMEA last week revealed that it had discovered a breach of its internal network on November 7. The hacker attack resulted in disruption to phone, email, billing, and customer account systems, as well as documents, spreadsheets, and forms getting “corrupted.” DMEA’s CEO told local news outlets that the cyberattack led to 90% of internal controls and systems becoming corrupted, broken or disabled, and claimed that a majority of historical data dating back more than 20 years was lost. DMEA said its power grid and fiber network — the company also provides internet services — were not affected by the incident. The utility is still working on restoring affected services so it has told customers that all penalty fees and disconnections for non-payment will be suspended until the end of January 2022.


SonicWall ‘strongly urges’ customers to patch critical SMA 100 bugs

SonicWall ‘strongly urges’ organizations using SMA 100 series appliances to immediately patch them against multiple security flaws rated with CVSS scores ranging from medium to critical. The bugs (reported by Rapid7’s Jake Baines and NCC Group’s Richard Warren) impact SMA 200, 210, 400, 410, and 500v appliances even when the web application firewall (WAF) is enabled. The highest severity flaws patched by SonicWall this week are CVE-2021-20038 and CVE-2021-20045, two critical stack-based buffer overflow vulnerabilities that can let remote unauthenticated attackers execute code as the ‘nobody’ user on compromised appliances. Other bugs patched by the company on Tuesday enable authenticated threat actors to gain remote code execution, inject arbitrary commands, or upload crafted web pages and files to any directory on the appliance following successful exploitation.
