AboutDFIR.com – The Definitive Compendium Project
Digital Forensics & Incident Response

InfoSec News Nuggets 2/6/2020

1 – Maze ransomware publicly shaming victims into paying

At least five law firms have been hit and held hostage by the Maze ransomware group in the last four days. These attacks are part of a wider campaign that may have affected between 45 and 180 victims in January. Maze is using a somewhat unique tactic with its latest victims. Instead of simply placing a ransom note on the infected system and waiting for payment, the gang publishes the company name on a website. If payment is not forthcoming immediately, it then posts a small amount of the stolen data on the site as proof, reported Brett Callow, threat analyst with Emsisoft. If payment is received, the name is removed. The websites are hosted by two Chinese companies, one a Singapore-based division of Alibaba and the other Tencent, although there is no indication these entities are involved in the ransomware scheme.

2 – WhatsApp Bug Allowed Attackers to Access the Local File System

Facebook patched a critical WhatsApp vulnerability that would have allowed potential attackers to read files from a user’s local file system, on both macOS and Windows platforms. “A vulnerability in WhatsApp Desktop when paired with WhatsApp for iPhone allows cross-site scripting and local file reading,” Facebook’s security advisory explains. “Exploiting the vulnerability requires the victim to click a link preview from a specially crafted text message.” All WhatsApp Desktop versions before v0.3.9309 are affected by this issue when paired with WhatsApp for iPhone versions prior to 2.20.10.

3 – Researcher: Backdoor mechanism still active in devices using HiSilicon chips

Russian security researcher Vladislav Yarmak today published details of a backdoor mechanism he discovered in HiSilicon chips, which are used by millions of smart devices across the globe, such as security cameras, DVRs, NVRs, and others. A firmware fix is not currently available, as Yarmak did not report the issue to HiSilicon, citing a lack of trust in the vendor to properly fix it. In a detailed technical rundown published on Habr earlier today, Yarmak says the backdoor mechanism is actually a mash-up of four older security bugs/backdoors that were initially discovered and made public in March 2013, March 2017, July 2017, and September 2017.

4 – FBI Warns of DDoS Attack on State Voter Registration Site

The US Federal Bureau of Investigation (FBI) warned of a potential Distributed Denial of Service (DDoS) attack that targeted a state-level voter registration and information site in a Private Industry Notification (PIN) released today. “The FBI received reporting indicating a state-level voter registration and voter information website received anomalous Domain Name System (DNS) server requests consistent with a Pseudo Random Subdomain (PRSD) attack,” according to the FBI PIN seen by BleepingComputer. PRSD attacks are a type of DDoS attack used by threat actors to disrupt DNS record lookups by flooding a DNS server with large numbers of queries for non-existent subdomains.
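The PRSD pattern the PIN describes leaves a recognisable trace in resolver or authoritative-server query logs: one client producing many distinct, never-before-seen subdomains of a single zone, nearly all answered NXDOMAIN. The following detector is an added example, not code from the FBI notice or from BleepingComputer; the log line format (`<time> <client> <qname> <rcode>`), the sample lines and the thresholds are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample query log (not real traffic): one client hammering random
# labels under voter-info.example, one client doing ordinary lookups.
SAMPLE_LOG = """\
10:00:01 203.0.113.7 www.voter-info.example NOERROR
10:00:02 203.0.113.7 a7f3k2.voter-info.example NXDOMAIN
10:00:02 203.0.113.7 q9z1mm.voter-info.example NXDOMAIN
10:00:02 203.0.113.7 x2c8v0.voter-info.example NXDOMAIN
10:00:03 203.0.113.7 ll0p9d.voter-info.example NXDOMAIN
10:00:03 203.0.113.7 b4n6ty.voter-info.example NXDOMAIN
10:00:03 198.51.100.9 mail.voter-info.example NOERROR
10:00:04 198.51.100.9 www.voter-info.example NOERROR
10:00:04 198.51.100.9 wwww.voter-info.example NXDOMAIN
"""

# Assumed log format: "<time> <client> <qname> <rcode>", one query per line.
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")

def parse(log_text):
    """Yield (client, qname, rcode) tuples, silently skipping malformed lines."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            _ts, client, qname, rcode = m.groups()
            yield client, qname.lower().rstrip("."), rcode.upper()

def zone_of(qname, depth=2):
    """Approximate the victim zone by keeping the last `depth` labels."""
    return ".".join(qname.split(".")[-depth:])

def find_prsd_sources(log_text, min_nx=5, min_ratio=0.8):
    """Return {client: (zone, distinct_nx_names, nx_ratio)} for clients whose
    queries to one zone include >= min_nx distinct NXDOMAIN names and whose
    NXDOMAIN share of queries to that zone is >= min_ratio."""
    # client -> zone -> [total queries, NXDOMAIN answers, distinct NXDOMAIN names]
    per = defaultdict(lambda: defaultdict(lambda: [0, 0, set()]))
    for client, qname, rcode in parse(log_text):
        stats = per[client][zone_of(qname)]
        stats[0] += 1
        if rcode == "NXDOMAIN":
            stats[1] += 1
            stats[2].add(qname)
    flagged = {}
    for client, zones in per.items():
        for zone, (total, nx, nx_names) in zones.items():
            ratio = nx / total
            if len(nx_names) >= min_nx and ratio >= min_ratio:
                flagged[client] = (zone, len(nx_names), ratio)
    return flagged
```

On the constructed sample only 203.0.113.7 is flagged; the legitimate client's single typo-driven NXDOMAIN stays below both thresholds. In production the same counters would be kept per time window, since PRSD floods are defined by rate as much as by volume.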

5 – Ancestry.com rejected a police warrant to access user DNA records on a technicality

DNA profiling company Ancestry.com has narrowly avoided complying with a search warrant in Pennsylvania after the warrant was rejected on technical grounds, a move that is likely to help law enforcement refine their efforts to obtain user information despite the company’s efforts to keep the data private. Little is known about the demands of the search warrant, only that a court in Pennsylvania approved law enforcement to “seek access” to Utah-based Ancestry.com’s database of more than 15 million DNA profiles. TechCrunch was not able to identify the search warrant or its associated court case, which BuzzFeed News first reported on Monday. But it’s not uncommon for criminal cases still in the early stages of gathering evidence to remain under seal and hidden from public records until a suspect is apprehended.

6 – NIST tests methods of recovering data from smashed smartphones

Smash it, submerge it in water, and perhaps shoot it for good measure – just three of the methods criminals use to try to permanently erase digital evidence from smartphones. And yet, as many criminals have found out to their cost, reducing a device to a pile of smashed plastic and glass means nothing if the internal memory chips remain in working order. The forensic engineers who help police gather evidence understand this, even if it has not always been clear which methods are the most effective at extracting data accurately enough for it to meet standards of evidence. With more and more evidence now sitting on smartphones, a better understanding of what works and what doesn’t has suddenly turned into an urgent issue.

7 – Can privacy be big business? A wave of startups thinks so.

California helped create the modern Big Data industry, in which tech companies vacuum up and profit off personal information. Now a new law in the state is creating something like a solution to the loss of privacy. The California Consumer Privacy Act, which took effect Jan. 1, gives people the right to know what large companies know about them and the right to block the sale of that information to others. In effect, it created a market for privacy expertise and software. A wave of privacy-focused technology startups is offering a variety of services, from personal data scrubbing to business-focused software meant to help companies comply with the law.

8 – In an unprecedented move, Twitter gave a state university access to a student’s parody account after it complained that he was mocking the school

A SUNY Geneseo student took to Twitter this week to express his frustration after losing access to a Twitter account he made to poke fun at his school’s social media presence and communication with students. What has happened in the days since — allegations the school hacked his email, the removal of all his account’s tweets, the school’s defense of its actions, and his account’s eventual suspension — has only led to further confusion, and more questions than answers. What we know is that, at one point, the university complained to Twitter about the account, and in response, the social media platform transferred ownership of the profile away from the student and to an administrator.

9 – Google bug saw videos sent to archives of the wrong users

Google has reached out to some users to apologise after a “technical issue” saw videos uploaded to another user’s archives. In an email, the search engine giant said the issue affected the Google “download your data” service — called Google Takeout — for Google Photos in November last year. “Between November 21, 2019, and November 25, 2019, our records show you requested a Google ‘download your data’ export, which included Google Photos content,” the company wrote. “Unfortunately, during this time, some videos in Google Photos were incorrectly exported to unrelated user’s archives. One or more videos in your Google Photos account was affected by this issue.”

10 – Iowa Democratic Party chairman says he had ‘no knowledge’ of DHS offer to vet vote app

The head of the Iowa Democratic Party said Tuesday he had “no knowledge” of a reported offer by the Department of Homeland Security’s (DHS) cyber agency to vet the vote tabulation app that caused delays during the Iowa caucuses on Monday night. “We had no knowledge of DHS making that offer to us,” Iowa Democratic Party (IDP) Chairman Troy Price said during a press conference to address the handling of the results of the caucus. Price’s comments came after acting Homeland Security Secretary Chad Wolf said during an appearance on “Fox and Friends” earlier Tuesday that the state Democratic Party had turned down an offer to vet the app.

11 – Teen takes down ISP with DDoS attacks to get info on one of its subscribers

Ukrainian police last month arrested a 16-year-old from the city of Odessa for attempting to extort a local ISP (internet service provider) into sharing data on one of its subscribers. Ukrainian authorities say that when the service provider declined, the teen used distributed denial of service (DDoS) attacks to take down the ISP’s network. The attacks, which took place last year, were severe enough that the ISP contacted law enforcement. A spokesperson for the Ministry of Internal Affairs told ZDNet that officers from Ukraine’s cyber police tracked the teen down to the city of Odessa, where they arrested the 16-year-old in January.

12 – Cybersecurity Bill Would Set Defense Plan for Local Agencies

A new Maryland bill would ask the state’s Department of Information Technology to develop a baseline plan to help localities within the state battle cyber attacks. Senate Bill 120, introduced by Sen. Susan Lee, D-Montgomery, would give the Maryland Department of Information Technology the expanded responsibility of developing a cybersecurity strategy and helping agencies within the state implement it at their discretion. Under current law, the Department of Information Technology oversees the defense of state systems, but not that of counties, school districts and other similar entities. Having a sample plan in place could help prevent attacks like those that recently disrupted the city of Baltimore and the Salisbury Police Department and cost millions in reparations.

13 – Iran-linked hackers pose as journalists in email scam

When Iranian-born German academic Erfan Kasraie received an email from The Wall Street Journal requesting an interview, he sensed something was amiss. The Nov. 12 note purportedly came from Farnaz Fassihi, a veteran Iranian-American journalist who covers the Middle East. Yet it read more like a fan letter, asking Kasraie to share his “important achievements” to “motivate the youth of our beloved country.” “This interview is a great honor for me,” the note gushed. Another red flag: the follow-up email that instructed Kasraie to enter his Google password to see the interview questions. The phony request was in reality an attempt to break into Kasraie’s email account.
