InfoSec News Nuggets 05/24/2022

Why it’s hard to sanction ransomware groups On February 25, the day after Russia invaded Ukraine, a prolific ransomware gang called Conti made a proclamation on its dark website. It was an unusually political statement for a cybercrime organization: Conti pledged its “full support of Russian government” and said it would use “all possible resources to strike back at the critical infrastructures” of Russia’s opponents. Perhaps sensing that such a public alliance with the regime…

InfoSec News Nuggets 05/23/2022

Researchers Spot Supply Chain Attack Targeting GitLab CI Pipelines Security researchers at SentinelLabs are calling attention to a software supply chain attack targeting Rust developers with malware aimed directly at infecting GitLab Continuous Integration (CI) pipelines. The campaign, dubbed CrateDepression, combines typosquatting and the impersonation of a known Rust developer to push a malicious ‘crate’ hosted on the Rust dependency community repository. (Editor’s note: A crate is a compilation unit in Rust.) The malicious crate was…

InfoSec News Nuggets 05/20/2022

Texas social media law will cause “chaos” online, Supreme Court is told More than two dozen groups have urged the US Supreme Court to block a Texas law that prohibits large social media companies from moderating content based on a user's "viewpoint." The Texas law, HB20, "results in blatant violations of the First Amendment rights of platform providers," said a Supreme Court brief filed yesterday. The law taking effect means that "chaos will ensue online with disastrous and…

InfoSec News Nuggets 05/19/2022

Long lost @ symbol gets new life obscuring malicious URLs Threat actors have rediscovered an old and little-used feature of web URLs, the innocuous @ symbol we usually see in email addresses, and started using it to obscure links to their malicious websites. Researchers from Perception Point noticed it being used in a recent cyberattack against multiple organizations. While the attackers are still unknown, Perception Point traced them to an IP in Japan. The attack started with a phishing…

InfoSec News Nuggets 05/18/2022

Ransomware gang threatens to overthrow Costa Rica government A ransomware gang that infiltrated some Costa Rican government computer systems has upped its threat, saying its goal is now to overthrow the government. Perhaps seizing on the fact that President Rodrigo Chaves had only been in office for a week, the Russian-speaking Conti gang tried to increase the pressure to pay a ransom by raising its demand to $20 million. Chaves suggested Monday in a news…

InfoSec News Nuggets 05/17/2022

Misconfigured ElasticSearch Servers Exposed 579 GB of Users’ Website Activity The IT security researchers at Website Planet have identified two exposed ElasticSearch servers belonging to an unnamed organization using open-source data analytics software developed by the London, England-based software vendor, SnowPlow Analytics. This software allows companies to track and store information on their websites’ visitors, apparently without the visitors’ knowledge. It is worth noting that a web analytics tool can collect a wide range of data metrics. The data is then used…

InfoSec News Nuggets 05/16/2022

BPFdoor: Stealthy Linux malware bypasses firewalls for remote access A recently discovered backdoor malware called BPFdoor has been stealthily targeting Linux and Solaris systems without being noticed for more than five years. BPFdoor is a Linux/Unix backdoor that allows threat actors to remotely connect to a Linux shell to gain complete access to a compromised device. The malware does not need to open ports, so it can’t be stopped by firewalls, and it can respond to commands from…

InfoSec News Nuggets 05/13/2022

DEA Investigating Breach of Law Enforcement Data Portal The U.S. Drug Enforcement Administration (DEA) says it is investigating reports that hackers gained unauthorized access to an agency portal that taps into 16 different federal law enforcement databases. KrebsOnSecurity has learned the alleged compromise is tied to a cybercrime and online harassment community that routinely impersonates police and government officials to harvest personal information on their targets. On May 8, KrebsOnSecurity received a tip that hackers obtained a…

InfoSec News Nuggets 05/12/2022

FBI, CISA, and NSA warn of hackers increasingly targeting MSPs Members of the Five Eyes (FVEY) intelligence alliance today warned managed service providers (MSPs) and their customers that they're increasingly targeted by supply chain attacks. Multiple cybersecurity and law enforcement agencies from FVEY countries (NCSC-UK, ACSC, CCCS, NCSC-NZ, CISA, NSA, and the FBI) shared guidance for MSPs to secure networks and sensitive data against these rising cyber threats. "The UK, Australian, Canadian, New Zealand, and U.S. cybersecurity authorities expect malicious cyber actors—including state-sponsored…

InfoSec News Nuggets 05/11/2022

US immigration agency operates vast surveillance dragnet, study finds US Immigration and Customs Enforcement (Ice) has built a vast digital surveillance system that gives it access to the personal details of almost every person in America, a two-year investigation by Georgetown University law center has found. Researchers from the Center on Privacy & Technology on Tuesday released one of the most comprehensive reviews of Ice activities, concluding that the federal organisation has strayed well beyond its…

InfoSec News Nuggets 05/10/2022

All internet service providers in US must block 3 pirate streaming sites, federal judge rules A federal judge in New York City has ordered every internet service provider in the United States to block three pirate streaming services that are rebroadcasting copyrighted Israeli shows in this country. U.S. District Judge Katherine Polk Failla of the Southern District of New York issued default judgments and permanent injunctions last week against streaming services Israel.tv, Israeli-tv.com and Sdarot.tv, report Ars…

InfoSec News Nuggets 05/09/2022

FBI says business email compromise is a $43 billion scam The Federal Bureau of Investigation (FBI) said today that the amount of money lost to business email compromise (BEC) scams continues to grow each year, with a 65% increase in the identified global exposed losses between July 2019 and December 2021. From June 2016 until July 2019, IC3 received victim complaints regarding 241,206 domestic and international incidents, with a total exposed dollar loss of $43,312,749,946.…

InfoSec News Nuggets 05/06/2022

A lone-wolf researcher has turned the table on the hackers A researcher going by the name hyp3rlinx has discovered that some of the most popular ransomware strains, such as Conti, REvil, and LockBit, among many others, carry a flaw that makes them vulnerable to DLL hijacking. By exploiting the flaw, the researcher was able to prevent the ransomware from performing its key selling proposition - encrypting files. As reported by Bleeping Computer, DLL hijacking is usually used to inject…

InfoSec News Nuggets 05/05/2022

Russia to Rent Tech-Savvy Prisoners to Corporate IT? Faced with a brain drain of smart people fleeing the country following its invasion of Ukraine, the Russian Federation is floating a new strategy to address a worsening shortage of qualified information technology experts: Forcing tech-savvy people within the nation’s prison population to perform low-cost IT work for domestic companies. Multiple Russian news outlets published stories on April 27 saying the Russian Federal Penitentiary Service had announced a plan…

InfoSec News Nuggets 05/04/2022

Mozilla finds mental health apps fail 'spectacularly' at user security, data policies An investigation into mental health and prayer apps has revealed a disturbing lack of concern surrounding user security and privacy. On Monday, Mozilla released the findings of a new study into these types of apps, which often deal with sensitive topics including depression, mental health awareness, anxiety, domestic violence, PTSD, and more, alongside religion-themed services. According to Mozilla's latest *Privacy Not Included guide, despite the…

InfoSec News Nuggets 05/03/2022

GitHub Says Recent Attack Was Highly Targeted Microsoft-owned code hosting platform GitHub says the recent cyberattack that resulted in the cloning of private repositories was highly targeted in nature. Disclosed in mid-April, the incident involved stolen OAuth tokens issued to third-party integrators Heroku and Travis CI, which were used to download the private repositories of dozens of organizations. The two continuous integration (CI) systems help organizations automate the scanning of newly introduced code changes, to help identify…

InfoSec News Nuggets 05/02/2022

How to detect phishing images in emails Phishing has long been a common way to induce a receiver to unveil personal data. Primarily, it works this way: You receive an email from a purportedly reputable source–say, your employer–asking you to click the link and get familiar with new regulations effective in the following week. You are curious about the contents, so you click the link, which asks you to log in to the company’s systems…

InfoSec News Nuggets 04/29/2022

Millions of Java Apps Remain Vulnerable to Log4Shell Four months after the discovery of the zero-day Log4Shell critical flaw, millions of Java applications still remain vulnerable to compromise, researchers have found. Researchers at security firm Rezilion analyzed the current potential attack surface for the vulnerability in the popular open-source Apache Log4j framework that threatened to break the internet when it was discovered in December. The flaw in the ubiquitous Java logging library Apache Log4j is easily exploitable and…

InfoSec News Nuggets 04/28/2022

Fighting Fake EDRs With ‘Credit Ratings’ for Police When KrebsOnSecurity recently explored how cybercriminals were using hacked email accounts at police departments worldwide to obtain warrantless Emergency Data Requests (EDRs) from social media firms and technology providers, many security experts called it a fundamentally unfixable problem. But don’t tell that to Matt Donahue, a former FBI agent who recently quit the agency to launch a startup that aims to help tech companies do a better job screening out phony law…

InfoSec News Nuggets 04/27/2022

Quantum ransomware seen deployed in rapid network attacks The Quantum ransomware, a strain first discovered in August 2021, was seen carrying out speedy attacks that escalate quickly, leaving defenders little time to react. The threat actors are using the IcedID malware as one of their initial access vectors, which deploys Cobalt Strike for remote access and leads to data theft and encryption using Quantum Locker. The technical details of a Quantum ransomware attack were analyzed…

InfoSec News Nuggets 04/26/2022

TeamTNT targeting AWS, Alibaba Cisco Talos has recently received modified versions of the TeamTNT cyber crime group's malicious shell scripts, an earlier version of which was detailed by Trend Micro, from an intelligence partner. According to our intelligence partner, the malware author modified these tools after they became aware that security researchers published the previous version of their scripts. These scripts are primarily designed to target Amazon Web Services (AWS) but could also run in on-premise,…

InfoSec News Nuggets 04/25/2022

Russian hackers are seeking alternative money-laundering options The Russian cybercrime community, one of the most active and prolific in the world, is turning to alternative money-laundering methods due to sanctions on Russia and law enforcement actions against dark web markets. Although the options are few, cybercriminals are discussing viable solutions to cash out or safekeep stolen funds and cryptocurrency, analysts at Flashpoint observed in conversations between threat actors. First came the bank sanctions and the blocking of SWIFT payments, a result of…

AboutDFIR Site Content Update 4/23/22

Big thing right up front - this is the last site update before the Forensic 4:Cast nominations close - click here to nominate your favorite or most useful resources!
Annual Industry Reports - new entries added - RIA, Arctic Wolf, and Meta
Jobs - new entries added - Raytheon Intelligence & Space, Zachary Piper Solutions, Cognizant, Kyndryl, and Center for Internet Security
Tools & Artifacts - Windows - new entries added - Windows Registry, a graphing…

InfoSec News Nuggets 04/22/2022

REvil resurrected? Ransomware crew appears to be back. Keyword: Appears The notorious REvil ransomware gang appears to have returned from the bowels of the dark web, three months after the arrest of 14 of its suspected members, with its old website forwarding to a new operation that lists both previous and fresh victims. Back in January, Russia said it dismantled the crime ring's networks and raided its operators' homes amid the arrests of 14 of its alleged…

InfoSec News Nuggets 04/21/2022

U.S., allies provide ‘comprehensive’ look at Russia cyber threats to critical infrastructure U.S. and international authorities on Wednesday issued a joint alert warning that state-backed Russian hackers and criminal groups remain a top threat to critical infrastructure worldwide. The Cybersecurity and Infrastructure Security Agency (CISA) described the public alert as the “most comprehensive view of the cyber threat posed by Russia to critical infrastructure released by government cyber experts since the invasion of Ukraine in February.” It…

InfoSec News Nuggets 04/20/2022

Court reaffirms that data scraping isn't hacking in LinkedIn appeal The Ninth Circuit Court of Appeals on Monday reaffirmed a 2019 ruling that LinkedIn could not ban competitor hiQ Labs from scraping publicly available data on its platform by citing federal hacking laws. The case dates back to a 2019 lawsuit by hiQ Labs to block a cease-and-desist letter from LinkedIn aimed at halting the company from scraping public data from the social networking site. The…

InfoSec News Nuggets 04/19/2022

Cybercriminals do their homework for latest banking scam A new social engineering scam is making the rounds, and this one is particularly insidious: It tricks users into sending money to what they think is their own account to reverse a fraudulent charge. The FBI's Internet Crime Complaint Center issued the warning, which it said involves cybercriminals who have definitely done their homework. "In addition to knowing the victim's financial institution, the actors often had further information such…

InfoSec News Nuggets 04/18/2022

CISA Alert on ICS, SCADA Devices Highlights Growing Enterprise IoT Security Risks On April 13, the Department of Energy (DoE), the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Federal Bureau of Investigation (FBI) released a joint Cybersecurity Advisory to warn that certain industrial control systems (ICS) and supervisory control and data acquisition (SCADA) devices can be targeted by advanced persistent threat (APT) actors who have the capability to gain full system access.…

InfoSec News Nuggets 04/15/2022

DHS investigators say they foiled cyberattack on undersea internet cable in Hawaii Federal agents in Honolulu last week “disrupted” an apparent cyberattack on an unnamed telecommunications company’s servers associated with an underwater cable responsible for internet, cable service and cell connections in Hawaii and the region, the agency said in a statement Tuesday. Hawaii-based agents with Homeland Security Investigations, an arm of the Department of Homeland Security, received a tip from their mainland HSI counterparts…

InfoSec News Nuggets 04/14/2022

A Series of Patent Lawsuits Is Challenging the History of Malware Detection In early March, cybersecurity firm Webroot and its parent company OpenText launched a series of patent litigation containing some eye-opening claims. Filed March 4th in the famously patentholder-friendly Western District of Texas court, the four lawsuits claim that techniques fundamental to modern malware detection are based on patented technology — and that the company’s competitors are infringing on intellectual property rights with their implementation of network…

InfoSec News Nuggets 04/13/2022

Sandworm hackers fail to take down Ukrainian energy provider The Russian state-sponsored hacking group known as Sandworm tried on Friday to take down a large Ukrainian energy provider by disconnecting its electrical substations with a new variant of the Industroyer malware for industrial control systems (ICS) and a new version of the CaddyWiper data destruction malware. The threat actor used a version of the Industroyer ICS malware customized for the target high-voltage electrical substations and then tried…

InfoSec News Nuggets 04/12/2022

Raspberry Pi just made a big change to boost security Raspberry Pi has made a change to its operating system Raspberry Pi OS that removes the default username and password. Until now, the default username and password for the tiny computers have been "pi" and "raspberry" respectively, which made setting up a new Pi device simple but also potentially made the popular internet-connected devices easier for remote attackers to hack through techniques like password spraying. "Up until…

InfoSec News Nuggets 04/11/2022

Move over Apple Pay - Hitachi has created a fingerprint payment system A new finger vein-based biometric authentication system could one day replace your smartphone as the easiest way to pay for goods and services. Nikkei Asia reports that Hitachi has developed just such a system for payments using only your finger: Hitachi has developed a finger vein-based biometric authentication system to enable the user to check in to a hotel or make payments at…

InfoSec News Nuggets 04/08/2022

The Ukraine War Is Giving Commercial Space an ‘Internet Moment’ Capabilities honed by commercial space companies to document the destruction inflicted by Russia in Ukraine are likely to have long-lasting effects on the industry. Satellites have brought the world unprecedented glimpses into the brutal war, whether through commercial imagery showing the Russian destruction of a shelter clearly labeled as having kids inside, social-media videos shared via SpaceX’s Starlink satellites, or a photojournalist’s pictures from Mariupol filed through satellite phones. It’s likely…

InfoSec News Nuggets 04/07/2022

FIN7 Hackers Leveraging Password Reuse and Software Supply Chain Attacks The notorious cybercrime group known as FIN7 has diversified its initial access vectors to incorporate software supply chain compromise and the use of stolen credentials, new research has revealed. "Data theft extortion or ransomware deployment following FIN7-attributed activity at multiple organizations, as well as technical overlaps, suggests that FIN7 actors have been associated with various ransomware operations over time," incident response firm Mandiant said in a Monday…

InfoSec News Nuggets 04/06/2022

Germany Shuts Down Russian Hydra Darknet Market; Seizes $25 Million in Bitcoin Germany's Federal Criminal Police Office, the Bundeskriminalamt (BKA), on Tuesday announced the official takedown of Hydra, the world's largest illegal dark web marketplace that has cumulatively facilitated over $5 billion in Bitcoin transactions to date. "Bitcoins amounting to currently the equivalent of approximately €23 million were seized, which are attributed to the marketplace," the BKA said in a press release. Blockchain analytics firm Elliptic confirmed that the…

InfoSec News Nuggets 04/05/2022

Experts Shed Light on BlackGuard Infostealer Malware Sold on Russian Hacking Forums A previously undocumented "sophisticated" information-stealing malware named BlackGuard is being advertised for sale on Russian underground forums for a monthly subscription of $200. "BlackGuard has the capability to steal all types of information related to Crypto wallets, VPN, Messengers, FTP credentials, saved browser credentials, and email clients," Zscaler ThreatLabz researchers Mitesh Wani and Kaivalya Khursale said in a report published last week. Also sold for…

InfoSec News Nuggets 04/04/2022

“A little gift for you” SMS spam appears to come from your own phone number If you’ve received a spam SMS message sent from your own phone number, don’t panic. No, you weren’t hacked. And you’re not the only one who has received such a message, which looks a bit like this: Free Msg: Your bill is paid for March. Thanks, here’s a little gift for you: {redacted link}. But why do they make it…

InfoSec News Nuggets 04/01/2022

State-sponsored Attack Groups Capitalise on Russia-Ukraine War for Cyber Espionage Geopolitical tensions often make headlines and present a golden opportunity for threat actors to exploit the situation, especially those targeting high-profile victims. In the past month while the Russian invasion of Ukraine was unfolding, Check Point Research (CPR) has observed advanced persistent threat (APT) groups around the world launching new campaigns, or quickly adapting ongoing ones to target victims with spear-phishing emails using the war…

InfoSec News Nuggets 03/31/2022

Spring4Shell: No need to panic, but mitigations are advised Security teams around the world got another shock on Thursday when news of disclosure of a PoC for an unauthenticated RCE zero-day vulnerability in Spring Core, a massively popular framework for building modern Java-based enterprise applications, began circulating online. Thanks to many security researchers, the situation is a bit clearer today and there’s no need to panic just yet: Unlike Log4Shell, this new flaw – with no official…

InfoSec News Nuggets 03/30/2022

Log4Shell exploited to infect VMware Horizon servers with backdoors, crypto miners The Log4Shell vulnerability is being actively exploited to deliver backdoors and cryptocurrency miners to vulnerable VMware Horizon servers. On Tuesday, Sophos cybersecurity researchers said the attacks were first detected in mid-January and are ongoing. Not only are backdoors and cryptocurrency miners being deployed, but in addition, scripts are used to gather and steal device information. Log4Shell is a critical vulnerability in the Apache Log4j Java logging library. The…

InfoSec News Nuggets 03/29/2022

Hundreds more packages found in malicious npm 'factory' Researchers continue to investigate a wave of malicious npm packages, with the published tally now reaching over 700. Last week, JFrog researchers disclosed the scheme in which an unknown threat actor had published at least 200 malicious Node Package Manager (npm) packages. The team said that the repositories were first detected on March 21 and grew rapidly, with each npm package deliberately named to mimic legitimate software. An automated script targeted…

InfoSec News Nuggets 03/28/2022

Estonian Tied to 13 Ransomware Attacks Gets 66 Months in Prison An Estonian man was sentenced today to more than five years in a U.S. prison for his role in at least 13 ransomware attacks that caused losses of approximately $53 million. Prosecutors say the accused also enjoyed a lengthy career of “cashing out” access to hacked bank accounts worldwide. Maksim Berezan, 37, is an Estonian national who was arrested nearly two years ago in…

AboutDFIR Site Content Update 3/26/22

Happy start of Spring to those in the Northern Hemisphere! Are you in our Forensicators of #DFIR list? If not, maybe you'd like to check out those who are listed there or submit yourself as a resource. Just one of the areas I've been looking at for potential site updates. Speaking of...
Annual Industry Reports - new entries added
Jobs - new entries added
Scholarships - new entries added/updated - Thanks again to Dave G for…

InfoSec News Nuggets 03/25/2022

Hundreds of HP printer models vulnerable to remote code execution HP has published security advisories for three critical-severity vulnerabilities affecting hundreds of its LaserJet Pro, Pagewide Pro, OfficeJet, Enterprise, Large Format, and DeskJet printer models. The first security bulletin warns about a buffer overflow flaw that could lead to remote code execution on the affected machine. Tracked as CVE-2022-3942, the security issue was reported by Trend Micro’s Zero Day Initiative team. Although it comes with…

InfoSec News Nuggets 03/24/2022

Android app downloaded 100,000 times from Google Play Store contained password-stealing malware, say security researchers Google has removed an app with over 100,000 downloads from its Play Store after security researchers warned that the app was able to harvest the Facebook credentials of smartphone users. Researchers at French mobile security firm Pradeo said the app embeds Android trojan malware known as "Facestealer" because it dupes victims into typing their Facebook credentials into a web…

InfoSec News Nuggets 03/23/2022

Italy Investigates Russia's Kaspersky Antivirus Software Italy's data privacy watchdog said Friday it was investigating the "potential risks" that Russian antivirus software Kaspersky could be used to launch cyberattacks. It followed what it called "alarms sounded by many Italian and European organisations specialised in computer security" over the potential use of Kaspersky software for hacking assaults in the wake of Russia's invasion of Ukraine. The watchdog has asked the company to provide details on the…

InfoSec News Nuggets 03/22/2022

Lapsus$ hackers leak 37GB of Microsoft's alleged source code The Lapsus$ hacking group claims to have leaked the source code for Bing, Cortana, and other projects stolen from Microsoft's internal Azure DevOps server. Early Sunday morning, the Lapsus$ gang posted a screenshot to their Telegram channel indicating that they hacked Microsoft's Azure DevOps server containing source code for Bing, Cortana, and various other internal projects. Monday night, the hacking group posted a torrent for a 9 GB…

InfoSec News Nuggets 03/21/2022

The German BSI agency recommends replacing Kaspersky antivirus software The German Federal Office for Information Security agency, aka BSI, recommends consumers uninstall Kaspersky anti-virus software. The agency warns the cybersecurity firm could be implicated in hacking attacks during the ongoing Russian invasion of Ukraine. According to §7 of the BSI law, the BSI warns against the use of Kaspersky Antivirus and recommends replacing it as soon as possible with defense solutions from other vendors. “The Federal Office for…

InfoSec News Nuggets 03/14/2022

Extortion scheme impersonates government officials, law enforcement The FBI issued a public warning this week about a fraud scheme wherein scammers impersonate government officials and law enforcement personnel. According to the PSA, the scammers spoof legitimate numbers and names and use fake credentials of well-known members of the government and law enforcement agencies. The scam starts off either as a call from the “police” or a text message from a “government agency”. The content…