US says national water supply ‘absolutely’ vulnerable to hackers
According to senior White House officials, U.S. drinking water supplies are in significant danger. Describing the infrastructure’s current state of vulnerability, a senior official on Thursday described them as “absolutely inadequate” and vulnerable to large-scale disruption by hackers. The official continued, “there’s inadequate resilience to even a criminal sector… The threshold of resilience is not what it needs to be.” Although the Biden administration has attempted to address infrastructure cybersecurity, a significant snag is that most infrastructure-based services are provided by private, not government, companies. U.S. officials speaking on condition of anonymity have described a plan “to get the 150,000 systems that serve 300 million Americans to cooperate with the government by sharing information and hardening defenses.”
Microsoft mitigated a record 3.47 Tbps DDoS attack on Azure users
This attack targeted an Azure customer from Asia in November and was followed by two more large attacks in December, also targeting Asian Azure customers. “At 340 million packets per second, we believe this to be the largest attack ever reported in history,” said Alethea Toh, an Azure Networking Product Manager. Toh described the attack as having originated from approximately 10,000 sources in multiple countries across the globe, including the United States, China, South Korea, Russia, Thailand, India, Vietnam, Iran, Indonesia, and Taiwan.
BotenaGo Mirai botnet code leaked to GitHub
Millions of routers and internet-of-things (IoT) devices are at risk, researchers from AT&T Alien Labs said on Wednesday. They expect that the ready availability of the source code to malware authors will widen the number of attacks, especially given the opportunity for new malware variants. These attacks are expected to target routers and IoT devices globally. AV detection for BotenaGo is still bumping along near the bottom, with even the earliest samples discovered back in November still slipping past most AV software in order to infect systems with one of the most popular botnets of all: Mirai.
105 million Android users targeted by subscription fraud campaign
A premium services subscription scam called “Dark Herring” has been haunting Google Play Store apps and has allegedly affected over 100 million users worldwide. It was found in 470 applications on the Google Play Store, which is Android’s official and most trustworthy source of apps. The earliest submission dates to March 2020. Dark Herring relies on AV anti-detection capabilities, propagation through a large number of apps, code obfuscation, and the use of proxies as first-stage URLs. While none of the above is new or groundbreaking, seeing them combined into a single piece of software is rare for Android fraud.
Thanks to our episode sponsor, deepwatch

Increasing ransomware attacks and their evolving sophistication have been putting more pressure on security teams than ever before. Luckily, managed detection and response (or MDR) has emerged as a critical component for improving security operations, reducing ransomware risk, and minimizing the overall impact an attack can have. Visit deepwatch.com to see how we help to prevent breaches for our customers, by working together.
This NFT on OpenSea will steal your IP address
According to a researcher at NFT organization Convex Labs, NFT marketplaces like OpenSea are allowing vendors or attackers to load custom code when someone simply views an NFT listing. Nick Bax, head of research at Convex Labs, says the technique leverages cross-site scripting, and although it is common for websites in general to collect and store visitors’ IP addresses, the difference here is that an outside third party—the NFT seller—is able to gather information on the people viewing the NFT, potentially without them knowing.
(Vice)
Targeted ransomware takes aim at QNAP NAS drives, vendor recommends immediate updates
QNAP has urged users of its network-attached storage (NAS) devices to act “immediately” by installing the latest updates and enabling security protections, specifically to address a threat posed by a product-specific ransomware called Deadbolt. It “has been widely targeting all NAS exposed to the internet without any protection and encrypting users’ data for Bitcoin ransom,” the Taiwanese company warned in a statement released yesterday. QNAP strongly suggests that customers who have an internet-facing NAS disable port forwarding and UPnP port forwarding.
DeepDotWeb operator sentenced to eight years behind bars
Following up on a story we brought you last April, this week, the US Department of Justice (DoJ) sentenced the operator of the DeepDotWeb platform, Tal Prihar, to 97 months in prison on charges of conspiracy to commit money laundering, to which Prihar had pleaded guilty in March last year. DeepDotWeb, which was owned by Prihar and co-defendant Michael Phan, provided a platform for Dark Web news and links to marketplaces, receiving commissions worth more than $8 million for its referrals. Michael Phan is currently in Israel and extradition proceedings are underway.
(ZDNet)
Mac webcam hijack flaw wins $100,500 from Apple
Ryan Pickren, from the Georgia Institute of Technology, is $100,500 richer after discovering a security hole in the Safari browser for macOS that could allow a malicious website to hijack accounts and seize control of users’ webcams. He uncovered a universal cross-site scripting (UXSS) flaw that could lead to security problems such as turning on the camera. He explains that the attack begins by tricking a potential victim into opening what they believe to be an innocent-looking .PNG image file. Pickren responsibly disclosed the problems to Apple in mid-July 2021, and Apple has now paid him the sum as a bug bounty. Pickren is no stranger to bug bounty success, having found another Apple webcam vulnerability for which he was paid $75,000, as well as 15 million air miles through the United Airlines bug bounty program, of which he donated half to Georgia Tech and a further 2.5 million to Make-A-Wish America.






