Ryuk ransomware now self-spreads to other Windows LAN devices
The ransomware variant was discovered by the French national cyber-security agency (ANSSI) while investigating an attack in early 2021. Its worm-like capabilities let it propagate to every reachable machine on which Windows RPC access is possible. It does this by listing all the IP addresses in the local ARP cache and sending packets resembling Wake-on-LAN (WOL) packets to each discovered device. It then mounts every network share it finds on each device so that it can encrypt their contents. It can also execute itself remotely by creating scheduled tasks on each newly compromised host with the legitimate Windows task scheduler tool.
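One defensive check for the last step described above, scheduled tasks created from another host, added here as an example and not taken from the report or the ANSSI analysis: event 4698 (task created) carries no source address of its own, so it is tied back to the network logon (event 4624, logon type 3) through the logon ID. The event records, host names and field names below are constructed to mirror the Windows Security log.

```python
"""Flag scheduled tasks created under a network (remote) logon session.
Events are constructed samples, not real telemetry; field names follow
the Windows Security log (4624 = logon, 4698 = scheduled task created)."""

NETWORK_LOGON = 3  # LogonType 3: logon over the network (SMB, RPC)

# Constructed sample events, minimal fields only.
SAMPLE_EVENTS = [
    {"EventID": 4624, "Host": "WS-17", "LogonType": 3,
     "TargetLogonId": "0x3e7a1", "IpAddress": "10.0.0.5"},
    {"EventID": 4698, "Host": "WS-17", "SubjectLogonId": "0x3e7a1",
     "TaskName": "\\svc-update"},
    {"EventID": 4624, "Host": "WS-22", "LogonType": 2,      # interactive logon
     "TargetLogonId": "0x5b2c0", "IpAddress": "-"},
    {"EventID": 4698, "Host": "WS-22", "SubjectLogonId": "0x5b2c0",
     "TaskName": "\\backup"},
    {"EventID": 4698, "Host": "WS-30", "SubjectLogonId": "0x99999",
     "TaskName": "\\orphan"},                               # no matching 4624
]


def index_logons(events):
    """Map (host, logon id) -> source IP for network logons only."""
    return {(e["Host"], e["TargetLogonId"]): e["IpAddress"]
            for e in events
            if e["EventID"] == 4624 and e["LogonType"] == NETWORK_LOGON}


def remote_task_creations(events):
    """Return [(host, task name, source ip)] for each 4698 whose subject
    logon session came over the network. Tasks created in an interactive
    session, or whose session has no 4624 in the data, are not reported."""
    remote_sessions = index_logons(events)
    hits = []
    for e in events:
        if e["EventID"] != 4698:
            continue
        src = remote_sessions.get((e["Host"], e["SubjectLogonId"]))
        if src is not None:
            hits.append((e["Host"], e["TaskName"], src))
    return hits


if __name__ == "__main__":
    for host, task, src in remote_task_creations(SAMPLE_EVENTS):
        print(f"{host}: task {task} created from {src}")
```

The same index can be joined with share-access events (5140) from the same logon ID to see which shares were mounted before the task appeared.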
Go malware sees 2000% increase, adopted by APTs and e-crime groups
A study by cybersecurity firm Intezer confirms a general trend in the malware ecosystem: malware authors have slowly moved away from C and C++ to Go, a programming language developed and launched by Google in 2007. Also referred to as Golang, it is used by nation-state hacking groups (also known as APTs), cybercrime operators, and even security teams alike, who often use it to build penetration-testing toolkits. The reasons for its popularity include easy cross-platform compilation, binaries that are harder for security researchers to reverse engineer, and the fact that Google designed Go to be a better programming language for cloud applications.
(ZDNet)
Former SolarWinds CEO blames intern for ‘solarwinds123’ password leak
On Friday, top executives at SolarWinds blamed a company intern for a critical lapse in password security that apparently went undiagnosed for years. The password in question, “solarwinds123,” was discovered in 2019 on the public internet by an independent security researcher who warned the company that the leak had exposed a SolarWinds file server. SolarWinds representatives told lawmakers Friday that as soon as the password issue was reported, it was corrected within days. Neither the current nor the former SolarWinds CEO could explain to lawmakers why the company’s technology allowed such passwords in the first place. As hearings continue, this remains a developing story.
(CNN)
T-Mobile discloses data breach after SIM swapping attacks
The company sent a notice to impacted customers on February 9, 2021, and filed it with US attorneys general’s offices, stating that an unknown attacker had gained access to customers’ account information, including personal info and personal identification numbers (PINs), which can enable SIM swapping. This is the fifth data breach disclosed by T-Mobile in the last four years. SIM swapping involves using social engineering or hacking to port a victim’s phone number to a SIM in a phone controlled by fraudsters, giving them access to banking info and everything else stored on or accessible through that phone.
Thanks to our episode sponsor, TrustMAPP

What are these suspicious Google GVT1.com URLs?
Chrome users who have noticed redirects pointing to *.gvt1.com and *.gvt2.com are expressing concern about the suspicious nature of these URLs, which have even been flagged by some antivirus products as potential malware. But the letters GVT in these domains actually stand for Google Video Transcoding, and the domains serve as cache servers for content and downloads used by Google services and applications. They are used only by Google to deliver official content, Chrome browser updates, and Android-related executables. Researchers at Bleeping Computer stated that despite the benign nature of these URLs, they are still concerned as to why they use plain HTTP rather than HTTPS addresses.
LastPass in privacy hot seat over web trackers
The Exodus Privacy app, developed by the Guardian Project to document the number of trackers and permissions other apps use, discovered seven web trackers in the Android version of LastPass. Highlighting the findings in an analysis published Thursday, German security researcher Mike Kuketz recommended users move away from the password manager in favor of one without trackers. While LastPass’ password encryption normally protects your passwords from being viewed by any tracker or site, these trackers let third-party companies collect a startlingly complete record of the sites you visit.
(CNet)
North Korean hackers targeting defense firms with ThreatNeedle malware
New findings from Kaspersky suggest that the Lazarus Group has moved beyond the usual gamut of financially motivated crimes to fund the cash-strapped North Korean regime. It is now using a COVID-themed spear-phishing campaign to deploy ThreatNeedle malware and exfiltrate sensitive information from organizations in the defense industry. The cybersecurity firm said organizations in more than a dozen countries have been affected to date.
Microsoft open-sources tool used to hunt for SolarWinds hacker code
The CodeQL queries that Microsoft used to investigate the impact of the malware planted in the SolarWinds Orion software updates are being made available for other organizations to perform a similar analysis. Microsoft used the CodeQL queries to analyze its own source code and confirm there were no indicators of compromise. Microsoft warns that the queries may also match benign code, and that there is no guarantee the SolarWinds actors would be constrained to the same functionality or coding style in other operations.
(ZDNet)