Cybersecurity News – April 26, 2022

Mandiant finds record zero-days in 2021

According to the security firm’s annual report, disclosed zero-day vulnerabilities exploded in 2021: Mandiant tracked 80 zero-days exploited in the wild, more than double the previous record set in 2019. Most of the zero-days Mandiant tracked were exploited by APT groups, and since it began tracking in 2012 the firm reports that Chinese groups have exploited more zero-days than those of any other nation. The growth mirrors a report from Google’s Project Zero, which also counted a record number of in-the-wild zero-days in 2021. However, Project Zero attributed the rise at least partly to better detection and disclosure across the industry rather than solely to more zero-days being used.

(Security Affairs)

Bored Ape Yacht Club hacked

2022 is proving to be the year of high-profile crypto hacks. The Discord server and Instagram account belonging to the Bored Ape Yacht Club, or BAYC, were both hacked on April 25th and used to send unofficial “mint” links to followers. Wallets of users who clicked through the links were compromised. It was originally believed the NFTs lost were worth $13.7 million, but a Yuga Labs investigation found the actual attack was smaller, resulting in about $3 million in losses.

(CoinDesk)

Oracle patches critical Java vulnerability

Oracle released the patch last week for a flaw (CVE-2022-21449) that could have allowed attackers to forge TLS certificates and signatures in Java versions 15 and above. According to the researcher who discovered it, ForgeRock’s Neil Madden, the flaw let an attacker trivially and completely bypass ECDSA signature verification: an all-zero signature, with r and s both set to zero, was accepted as valid for any message and any key, letting an attacker forge certificates and handshakes with “the digital equivalent of a blank piece of paper.” Other security researchers have called it “the crypto bug of the year,” with some speculating it could be exploited remotely by an attacker with no credentials at all. Oracle released a fix and recommends that organizations give it priority.

(Ars Technica)

The EU approves DSA terms

The European Union agreed to the terms of the Digital Services Act. While the exact text has not been released, it contains a number of obligations for tech platforms: banning ad targeting based on religion, sexual orientation and ethnicity, prohibiting so-called “dark patterns” in platform UIs, requiring transparency on recommendation algorithms for large platforms, and providing greater transparency on content takedowns with a clear appeals process. Large platforms will be charged a fee to fund overall compliance with the act. The act must still be voted into law, and firms will have 15 months after it passes to come into compliance. This is distinct from the EU’s Digital Markets Act, which focuses on creating a level playing field between platforms.

(Ars Technica)

Thanks to our episode sponsor, Feroot

Feroot
Feroot secures client-side web applications so that businesses can deliver a flawless and safe digital user experience to their customers. Inspector and Pageguard, Feroot’s automated data protection solutions, increase code visibility, facilitate threat analysis, and detect and protect from dangerous client-side attacks, such as Magecart, cross-site scripting, e-skimming, and other threats focused on front-end JavaScript and web applications. Learn more at www.feroot.com.

Feds warn about BlackCat ransomware crossing your path

The Federal Bureau of Investigation issued a warning on this new ransomware-as-a-service offering, also known as ALPHV and Noberus, noting that since its emergence in November 2021 it has reportedly hit at least 60 organizations globally. BlackCat is notable for being the first ransomware operation to write its malware in Rust, a memory-safe language whose draws include improved performance and reliable concurrent processing. The FBI said BlackCat may have an extensive network, with links to the Darkside/BlackMatter actors.

(IT Security Guru)

A look at Prynt Stealer

The analysts at Cyble profiled a new addition to the info-stealing malware ecosystem, a subscription tool called Prynt Stealer. The tool targets a large number of web browsers, as well as messaging, gaming and crypto wallet apps, and ships with keylogger and clipper modules. A lifetime license costs $900, but subscriptions start at $100 a month. The malware also includes a builder that creates customized, harder-to-detect builds tailored to a customer’s needs. Cyble found Prynt Stealer prioritizes stealth, with AES-256 encrypted communications to its C2 servers and binary obfuscation. Once a system has been harvested, the actual data exfiltration takes place through a Telegram bot.

(Bleeping Computer)
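
Because the C2 traffic is AES-encrypted, payload inspection will not reveal what is being stolen; the exfiltration channel itself is the observable. The following is an added example, written for this page and not taken from Cyble’s report or the malware, that flags Telegram Bot API uploads in egress proxy logs. The whitespace-separated log format, the sample lines and the bot token in them are constructed for the example; the URL shape https://api.telegram.org/bot<token>/<method>, with the token of the form <numeric bot id>:<secret>, is Telegram’s documented Bot API form.

```python
import re
from typing import Iterable, List, Optional

# Telegram's Bot API is reached at https://api.telegram.org/bot<token>/<method>,
# where the token is "<numeric bot id>:<secret>" (documented by Telegram).
BOT_API_RE = re.compile(
    r"https?://api\.telegram\.org/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]+)/(?P<method>\w+)"
)
# Bot methods that push data out of the host; getMe/getUpdates only poll the bot's mailbox.
UPLOAD_METHODS = {"sendMessage", "sendDocument", "sendPhoto", "sendVideo"}


def parse_line(line: str) -> Optional[dict]:
    # Constructed proxy log format (assumption):
    #   <ts> <src_ip> <process> <http_method> <url> <status> <bytes_out>
    parts = line.split()
    if len(parts) != 7:
        return None  # malformed or unrelated line; skip rather than crash
    ts, src, proc, http_method, url, status, size = parts
    return {
        "ts": ts, "src": src, "process": proc, "http_method": http_method,
        "url": url, "status": int(status), "bytes_out": int(size),
    }


def detect_telegram_exfil(lines: Iterable[str]) -> List[dict]:
    """Return one alert per log line that uploads data through a Telegram bot."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        m = BOT_API_RE.search(rec["url"])
        if not m or m["method"] not in UPLOAD_METHODS:
            continue
        alerts.append({
            "ts": rec["ts"],
            "src": rec["src"],
            "process": rec["process"],
            "method": m["method"],
            "bot_id": m["bot_id"],           # enough to request a takedown or pivot on
            "secret_prefix": m["secret"][:4] + "...",  # never copy the full token into the SIEM
            "bytes_out": rec["bytes_out"],
        })
    return alerts


# Constructed sample egress log: one legitimate browser fetch, one bot-API upload from a
# non-browser process, one bot poll, a legitimate Telegram desktop client, one junk line.
SAMPLE_LOG = [
    "2022-04-25T13:01:58Z 10.1.2.44 chrome.exe GET https://www.example.com/ 200 5120",
    "2022-04-25T13:02:11Z 10.1.2.44 svchost.exe POST "
    "https://api.telegram.org/bot5123456789:AAHexampleSecretNotReal/sendDocument 200 184233",
    "2022-04-25T13:02:12Z 10.1.2.44 svchost.exe GET "
    "https://api.telegram.org/bot5123456789:AAHexampleSecretNotReal/getMe 200 210",
    "2022-04-25T13:03:40Z 10.1.2.17 Telegram.exe POST https://149.154.167.51/api 200 900",
    "garbage line that does not parse",
]


if __name__ == "__main__":
    for alert in detect_telegram_exfil(SAMPLE_LOG):
        print(alert)
```

The rule keys on the upload methods only, so a user polling their own bot does not fire it; a non-browser process such as the svchost.exe entry above hitting sendDocument with a large body is the pattern worth an alert. Pair it with a block on api.telegram.org at the egress proxy where Telegram bots are not a business need.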

Lapsus$ obtained T-Mobile source code

According to copies of chat logs obtained by security journalist Brian Krebs, the extortion group Lapsus$ breached the telco multiple times in March 2022, stealing source code from multiple projects in that time. T-Mobile maintains that no customer or government information was obtained. The chat logs also show that Lapsus$ typically gained initial access to organizations by purchasing stolen credentials on dark web sites, and then used social engineering to get around device enrollment and other security procedures that would otherwise have blocked the logins. The logs also show the operator of the T-Mobile hack prioritized obtaining source code rather than user information.

(Krebs on Security)

Lazarus Group still laundering Axie Infinity Funds

According to the blockchain analysis firm Elliptic, the Lazarus Group has managed to launder nearly $100 million of the roughly $600 million in crypto stolen from the Axie Infinity game’s Ronin Network bridge. Late last week the group was able to move $4.5 million worth of Ethereum out of the monitored wallet. This comes after the US Treasury Department attempted to freeze the assets by imposing sanctions on the wallet. Funds are being laundered primarily through Tornado Cash, a cryptocurrency mixer. A review by the Washington Post found that sanctions against crypto wallets have proven hard to enforce, with several sanctioned wallets still able to transact for months after action by the Treasury.

(WaPo)

Rich Stroffolino
Rich Stroffolino is a podcaster, editor and writer based out of Cleveland, Ohio. Since 2015, he's worked in technology news podcasting and media. He dreams of someday writing the oral history of Transmeta.