Cyber Security Headlines – January 17, 2022

Microsoft discloses malware attack on Ukraine government networks

According to AP News, “Microsoft said late Saturday that dozens of computer systems at an unspecified number of Ukrainian government agencies have been infected with destructive malware disguised as ransomware. The disclosure suggests that an attention-grabbing defacement attack on official websites was a diversion. The extent of the damage was not immediately clear. The disclosure followed a Reuters report earlier in the day quoting a top Ukrainian security official as saying the defacement was indeed cover for a malicious attack.”

(AP News)

New unpatched Apple Safari browser bug allows cross-site user tracking

The fraud protection software company FingerprintJS has disclosed a bug in Apple Safari 15’s implementation of the IndexedDB API that could be “abused by a malicious website to track users’ online activity in the web browser,” and possibly reveal their identity. FingerprintJS reported the vulnerability, which it calls IndexedDB Leaks, to Apple on November 28, 2021. “IndexedDB is a low-level JavaScript application programming interface (API) provided by web browsers for managing a NoSQL database of structured data objects such as files and blobs.” Because the leak is in the browser engine itself, a site cannot protect its users from it. Jake Archibald, a developer advocate for Google Chrome, described it in a tweet as “a huge bug.” He pointed out that “on OSX, Safari users can (temporarily) switch to another browser to avoid their data leaking across origins. iOS users have no such choice, because Apple imposes a ban on other browser engines.”

(The Hacker News)

Microsoft Defender weakness lets hackers bypass malware detection

A weakness in Microsoft Defender antivirus on Windows can be exploited by threat actors to discover which locations are excluded from scanning, and then plant malware there. According to some users the issue has been present for at least eight years, and it affects Windows 10 21H1 and Windows 10 21H2. The exclusions themselves are a supported feature: Microsoft Defender allows administrators to specify locations (local or on the network) that should be excluded from malware scans, typically to prevent antivirus from “affecting the functionality of legitimate applications that are erroneously detected as malware.” The problem is who can read that list. Researchers have discovered “that the list of locations excluded from Microsoft Defender scanning is unprotected and any local user can access it,” with no administrator rights required, so any foothold on the machine is enough to learn exactly where a payload can be dropped without being scanned.
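The following PowerShell is an added example written for this summary; it is not from the Bleeping Computer article or from Microsoft. It reads Defender’s exclusion lists from the registry as an unprivileged user (the read the article describes), shows which principals the key’s ACL grants access to, lists the same data through Defender’s own cmdlet for comparison, and pulls recent Defender event ID 5007 (“configuration changed”) entries that mention exclusions, which is the log a defender would watch for exclusions being added. The registry paths, the cmdlet fields and the event ID are standard Defender locations; the `-Days` window and the output shape are the example’s own choices. On a system where Microsoft has since tightened the key’s permissions, the registry read will fail with an access-denied error, which is the outcome you want.

```powershell
# Added example (not from the article): audit Microsoft Defender exclusions
# from the perspective of a plain user. Run in a NON-elevated PowerShell session
# to reproduce the weakness; run elevated to get the authoritative view.

# Local exclusions are stored as value names under these subkeys (data is DWORD 0).
# Exclusions pushed by Group Policy live under the Policies hive instead.
$ExclusionRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows Defender\Exclusions',
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions'
)

function Get-DefenderExclusionsFromRegistry {
    # Returns one object per exclusion found under Paths / Extensions / Processes.
    foreach ($root in $ExclusionRoots) {
        foreach ($sub in 'Paths', 'Extensions', 'Processes') {
            $key = Join-Path $root $sub
            try {
                $item = Get-Item -Path $key -ErrorAction Stop
                foreach ($name in $item.Property) {
                    [pscustomobject]@{ Source = $root; Type = $sub; Exclusion = $name }
                }
            } catch {
                # Either the key does not exist (no exclusions of that type) or the
                # ACL denies us; the second case is what a patched system should show.
                Write-Verbose "$key : $($_.Exception.Message)"
            }
        }
    }
}

function Get-DefenderExclusionKeyAcl {
    # Shows who can read the exclusion key. A non-admin user appearing here with
    # ReadKey (or broader) rights is the exposure the article describes.
    foreach ($root in $ExclusionRoots) {
        try {
            (Get-Acl -Path $root -ErrorAction Stop).Access |
                Select-Object @{n='Key';e={$root}}, IdentityReference, RegistryRights,
                              AccessControlType, IsInherited
        } catch {
            Write-Verbose "$root : $($_.Exception.Message)"
        }
    }
}

function Get-DefenderExclusionsFromCmdlet {
    # Defender's own view of the configured exclusions, for comparison.
    Get-MpPreference | Select-Object ExclusionPath, ExclusionExtension, ExclusionProcess
}

function Get-DefenderExclusionChanges {
    # Event 5007 in the Defender operational log records configuration changes;
    # entries whose message names an Exclusions\ key are exclusions being added
    # or removed. Good material for a SIEM rule: alert on 5007 with "Exclusions\".
    param([int]$Days = 30)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 5007
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Exclusions\\' } |
        Select-Object TimeCreated, Message
}

"== Exclusions readable from the registry as $env:USERNAME =="
Get-DefenderExclusionsFromRegistry | Format-Table -AutoSize

"== ACL on the exclusion keys =="
Get-DefenderExclusionKeyAcl | Format-Table -AutoSize

"== Exclusions as reported by Get-MpPreference =="
Get-DefenderExclusionsFromCmdlet | Format-List

"== Exclusion changes in the last 30 days (event 5007) =="
Get-DefenderExclusionChanges | Format-List
```

The takeaway for defenders is in the last two functions rather than the first: treat every exclusion as an unscanned drop zone that an attacker can look up, keep the list as short as possible, and alert on event 5007 entries that touch an Exclusions\ key so that a newly added exclusion is noticed before something is written into it.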

(Bleeping Computer)

Linux malware sees 35% growth during 2021

There was a 35% increase in malware targeting Linux devices in 2021, with most infections working to “recruit IoT devices for DDoS attacks.” Individually, IoT devices are typically “under-powered smart devices running various Linux distributions and are limited to specific functionality.” Grouped into a botnet, however, they become capable of delivering massive DDoS attacks against even well-protected infrastructure. They are also recruited to “mine cryptocurrency, facilitate spam mail campaigns, serve as relays, act as command and control servers, or even act as entry points into corporate networks.”

(Bleeping Computer)

Thanks to our episode sponsor, Datadog

Join Datadog in their upcoming webinar to learn how to dissect the anatomy of an attack vector in the cloud with the use of their unified Cloud Security Platform. Visit datadoghq.com/ciso to register for the webinar in the time zone most convenient for you and attendees will also get a chance to win a Datadog t-shirt.

North Korea pulled in $400m in cryptocurrency heists last year

The North Korean government stole almost $400m in digital cash last year, according to a report from Chainalysis. The attackers went after investment houses and currency exchanges to steal the cryptocurrency, then used mixing software to make masses of micropayments to new wallets before consolidating them all again into a new account and moving the funds. “Bitcoin used to be a top target but Ether is now the most stolen currency, accounting for 58 per cent of the funds stolen.”

(The Register)

Russian court remands REvil hackers

The REvil cybercrime group is facing pressure from the Russian legal system, with a Moscow court remanding eight alleged members into custody for two months as part of a country-wide crackdown. The eight could face up to seven years in prison if convicted. “On Friday, Russia said it had dismantled the hacking group REvil, which carried out a high-profile attack last year on US software firm Kaseya, following a request from Washington.”

(SecurityWeek)

How quick thinking stopped a ransomware attack from crippling a Florida hospital

CNN.com on Sunday carried a feature story about Jamie Hussey, IT director at Jackson Hospital in Florida, which was recently hit by the Mespinoza ransomware. Hussey quickly realized that the charting software, which was maintained by an outside vendor, had been infected. The article describes his fast switch to “downtime procedures,” meaning shifting staff to pen and paper while physically disconnecting the hospital’s electronic health records system from the rest of the computer network, so the records could be checked for malicious code before being reconnected. Although a story about a hospital being attacked is nothing new, the article shows how Hussey and his newly hired assistant, a cybersecurity graduate, took the reins to ensure a safe recovery for the hospital and its patients. “Lock it down and piss people off,” he said, adding, “It’s what you have to do just to secure your network.” The article is available at CNN.com; do an internal search for Florida, hospital, ransomware, or check our link at CISOSeries.com.

(CNN)

Now you can get your vulnerability alerts by phone

There is a new service for people who need to know about cybersecurity developments right away: a website that will text you with the details. Bugalert was founded by product manager Matt Sullivan and is a crowdsourced venture that he hopes “will take the pain out of trying to tell the signal from the noise when security researchers make high-impact vulnerability disclosures.” The service will depend on vetted volunteers who send push alerts to registered subscribers. “Bugalert’s GitHub page lets Sullivan select a number of repository maintainers who are geographically dispersed” for round-the-clock coverage.

(The Register)


Steve Prentice
Author, speaker, expert in the area where people and technology crash into each other, viewed from the organizational psychology perspective. Host of many podcasts, voice actor and narrator for corporate media and audiobooks. Ghost-writer for busy executives.