
2024.09.10 News You Should Know

Privacy News

Data watchdog fines Clearview AI $33M • The Register - Clearview scrapes photos from all over the internet, adds them to its database, then sells the data to advertisers and governments, some of whom use it without appropriate legal permissions (think 4th Amendment/warrantless surveillance issues).

Election News

Spamouflage trolls pretend to be American patriots on X • The Register - #China - A People’s Republic of China propaganda crew ramps up its X and TikTok work, claiming to be American citizens and “frustrated Conservatives”. The threat actor group is using AI-generated content of Pres. Biden, VP Harris, and fmr Pres. Trump. Overall, users are able to identify that something isn’t “right” about the accounts, though the propagandists are getting better.

Senior NY State staffer charged over alleged China links • The Register - Chinese and North Korean threat actors aren’t only a cyber threat. Federal officials have arrested tens of individuals across the US for serving the Chinese Communist Party and participating in scams to help the DPRK (N. Korea). Further investigations are occurring at the residences of other New York City employees.

Ransomware News

Cicada ransomware may be a BlackCat/ALPHV rebrand • The Register - BlackCat/ALPHV was taken down earlier this year, but Cicada uses the same software and the same techniques, and is likely the same hands-on-keyboard operators.

Planned Parenthood scrambles to repair IT after cyber-attack • The Register - Planned Parenthood has been victimized by RansomHub, which snatched roughly 100 GB of data from the network. Non-profits aren’t known for their deep pockets, and it remains to be seen what was stolen. Because of the sensitivity of the services Planned Parenthood provides, numerous privacy issues exist with this theft and the potential release.

AI News

Think hard before deploying Copilot for Microsoft 365 • The Register - Even Microsoft recognizes the dangers of its Copilot program, offering a new document entitled “Transparency Note for Copilot for M365”. Warning: users may want to plug Copilot into other solutions, like a CRM (Salesforce), but that brings even further dangers. Note: LLMs don’t know what’s true or not.

Governments

Malaysia’s plan to block overseas DNS dies after a day • The Register - Malaysia sought to push all DNS down to the local ISP level. Techies, privacy groups, and the rest of the country pushed back.

Biden admin calls infosec ‘national service’ in job-fill bid • The Register - The Biden WH kicks off its Service for America campaign, hosting cyber security career fairs through the end of October and citing the 500k unfilled cyber jobs around the country.

Homeland security hopes to scuttle maritime cyber-threats • The Register - And Homeland is looking to bolster port security. After Volt Typhoon and other port attacks (see Maersk 2017 and er…2024), Homeland decides to shore up security. A Request for Information went out to groups all over the US and the world on how to improve security, and quickly. Readers may remember last year’s Nagoya Harbor (Japan) attack by LockBit and Australia’s DP World attack.

White House publishes roadmap to secure internet routing • The Register - The White House also publishes its “Roadmap to Enhancing Internet Routing Security”, where BGP is on the chopping block. As noted by the authors, BGP wasn’t designed for authority or authorization, so route hijacking has become common practice among state actors. (See Pakistan:YouTube 2008, Russia:Twitter 2022, and China Telecom Americas: 2010, 2015-2019.)

Microsoft

Microsoft Office 2024 to disable ActiveX controls by default (bleepingcomputer.com) - The ActiveX technology from 1996 is finally dying. Good riddance. Microsoft will move the setting to “Disable all controls” in October 2024 (Office 2024) and later in April 2025 (M365 apps). This comes after N. Korean threat actors and ransomware groups have leveraged zero-days in the platform to attack company after company, and it matches Microsoft’s removal of other legacy scripting languages and features.

Languages

Researchers Find Over 22,000 Removed PyPI Packages at Risk of Revival Hijack (thehackernews.com) - Packages removed from PyPI (the Python Package Index) may be re-registered by threat actors, affecting users who pull the “latest” version of a package or who run “pip install --upgrade”.
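Hash pinning is the standard defence against this kind of takeover: a requirements entry that carries a --hash only accepts an artifact with exactly those bytes, so a revived project re-publishing the same version number fails to install. The following added Python example (not from the article or from PyPI) audits a constructed requirements file for entries exposed to revival hijack and emulates pip’s --require-hashes check; the package names and artifact bytes are constructed samples.

```python
"""Added example (not from the article): audit a requirements file for
exposure to PyPI revival hijack and emulate pip's --require-hashes check."""
import hashlib
import re

# Constructed artifacts: what a trusted build produced vs. a revived re-upload.
GOOD_ARTIFACT = b"example-lib-1.0.0 wheel bytes (constructed sample)"
REVIVED_ARTIFACT = b"example-lib-1.0.0 wheel bytes (constructed revived upload)"

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed requirements file; the package names are placeholders.
SAMPLE_REQUIREMENTS = f"""\
# unpinned: 'pip install --upgrade' takes whatever release is newest
requests
# version pinned but no hash: a re-registered project can re-publish 2.2.1
urllib3==2.2.1
# version and hash pinned: different bytes under the same version are rejected
example-lib==1.0.0 --hash=sha256:{sha256_hex(GOOD_ARTIFACT)}
"""

REQ_LINE = re.compile(r"^(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)(?P<pin>==[^\s]+)?(?P<rest>.*)$")
HASH_RE = re.compile(r"--hash=sha256:([0-9a-f]{64})")

def _entries(text: str):
    """Yield (name, pin, pinned_hashes) for each requirement line, skipping comments."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        match = REQ_LINE.match(line) if line else None
        if match:
            yield match["name"].lower(), match["pin"], set(HASH_RE.findall(match["rest"]))

def audit_requirements(text: str) -> dict:
    """Classify each entry: 'unpinned' and 'no-hash' entries are exposed to a revived package."""
    status = {}
    for name, pin, hashes in _entries(text):
        status[name] = "hash-pinned" if hashes else ("no-hash" if pin else "unpinned")
    return status

def verify_artifact(text: str, name: str, data: bytes) -> bool:
    """Emulate --require-hashes: accept only bytes whose sha256 is pinned for that entry."""
    for entry_name, _pin, hashes in _entries(text):
        if entry_name == name.lower():
            return sha256_hex(data) in hashes
    return False
```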

Research

New PIXHELL Attack Exploits Screen Noise to Exfiltrate Data from Air-Gapped Computers (thehackernews.com) - Let’s just make the screens hum, then record the humming and steal all their secrets. The notable thing is that attacks like this get faster and more generalized.

New RAMBO attack steals data using RAM in air-gapped computers (bleepingcomputer.com) - Turn the RAM on and off really fast, and catch the resulting radio waves. The RAMBO attack achieves data transfer rates of up to 1,000 bits per second (bps), equating to 128 bytes per second, or 0.125 KB/s. (Stealing a user’s keystrokes in real time; RSA key (4096), 4 seconds; password, 0.1 second; image or Word doc, <1 min.) Who? Israeli researchers led by Mordechai Guri, an experienced expert in covert attack channels who previously developed methods to leak data using network card LEDs, USB drive RF signals, SATA cables, and power supplies.

WhatsApp ‘View Once’ could be ‘View Whenever’ due to a flaw • The Register - WhatsApp’s API told people not to look at your picture…unless they really wanted to. The technical control consisted of a boolean “viewonce” flag; when set to false, the image was viewable, savable, and recordable.

Environment & Culture

Security boom is over, with third of budgets flat or falling • The Register - Oh no: CISOs are reporting that security budgets are flat or dropping, while threat actors are reporting a 30% increase in successful attacks. Someone’s going to come up short.

Breaches

Payment gateway data breach affects 1.7 million credit card owners (bleepingcomputer.com) - Threat actors spent a year in credit card processor Slim CD’s network. Over 1.7m victims are now known, with Slim CD stating that the names, addresses, expiration dates and card numbers of users were lost, but not the CVV (the 3-4 digit code on the rear of the card).

Avis alerts 300k car renters that crooks stole their info • The Register - Stolen data includes customers’ names, addresses, dates of birth, driver’s license numbers, and financial information (including account numbers and credit or debit card numbers).

Crypto

North Korean scammers prep stealth attacks on crypto outfits • The Register - Threat actors are ramping up for new and novel attacks against people in the crypto industry. Remember, protect your keys.

Scams

North Korean Threat Actors Deploy COVERTCATCH Malware via LinkedIn Job Scams (thehackernews.com) - N. Korea continues its “Operation Dream Job” campaigns, now including new attacks on job seekers. Attackers provide the user with a “Python Coding Challenge” that’s actually just malicious software. The campaign specifically targets macOS and has successfully established command and control on victim devices.

Sextortion scams now use your “cheating” spouse’s name as a lure (bleepingcomputer.com) - Threat actors have likely breached “The Knot”, a wedding planning site, and are using data from the site to entice partners into clicking on scams or paying $500 to $5,000 USD to get the data, or make it go away. (Interestingly, the breach, though not acknowledged by The Knot, resulted in one woman receiving news that her dog “Mr. Wiggles” was cheating on her. Et tu, Wiggles?)

Sextortion Scammers Try to Scare People by Sending Photos of Their Homes (404media.co) - Threat actors are scraping public home ownership databases and using the resulting info to threaten users. So far the bitcoin addresses have been unique and individual, preventing tracking of the associated threat actor group.
