Researchers find decryption for Hive ransomware
A research paper from Kookmin University in Seoul documented a vulnerability in Hive's ransomware encryption that allows the master key to be recovered and encrypted data to be restored. Hive uses a hybrid encryption approach in which a symmetric cipher draws its key material from a 10 MiB master key of random data. Each file, whatever its size, is encrypted with a portion of this key taken from a specific offset, and that offset is stored in the encrypted file's name, which makes it possible to extract the key material. Using this approach, the researchers were able to recover 95% of the master key. Hive appeared on the scene in June 2021, operating on a ransomware-as-a-service model.
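To make the weakness concrete, here is an added toy model (not Hive's code, and not from the Kookmin paper) of a "random master key plus per-file offset in the filename" scheme. The key size, file length, filename format and the known 16-byte file header are all constructed assumptions; the point it demonstrates is the general one: when each file's key material is a slice of one shared master key and the slice offset is leaked, any known plaintext (a standard file header, for instance) reveals master-key bytes at a known position, and the bytes recovered from many files accumulate into a large fraction of the key, which then decrypts files whose slices are fully covered.

```python
"""Toy 'master key + per-file offset' cipher and known-plaintext recovery of the master key.

Added illustration for the Hive story above; all parameters are constructed, not Hive's real ones.
"""
import random
from typing import Dict, List, Optional, Tuple

MASTER_KEY_SIZE = 4096                    # constructed; the real Hive master key is 10 MiB
KNOWN_HEADER = b"%PDF-1.7\n%TOY00\n"      # constructed 16-byte header assumed known for every file
FILE_LEN = 32                             # constructed fixed plaintext length


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_file(master_key: bytes, plaintext: bytes, offset: int) -> Tuple[str, bytes]:
    """Toy encryptor: key material is a slice of the master key, and the offset is put in the name."""
    keystream = master_key[offset:offset + len(plaintext)]
    if len(keystream) != len(plaintext):
        raise ValueError("offset too close to the end of the master key")
    return f"doc.{offset:08x}.enc", xor_bytes(plaintext, keystream)


def offset_from_name(name: str) -> int:
    """The offset leaks through the filename, exactly the property that makes recovery possible."""
    return int(name.split(".")[1], 16)


def recover_master_key(encrypted: List[Tuple[str, bytes]], known_header: bytes) -> Dict[int, int]:
    """Known-plaintext recovery: ciphertext XOR known plaintext = master-key bytes at a known offset."""
    recovered: Dict[int, int] = {}
    for name, ct in encrypted:
        off = offset_from_name(name)
        for i, b in enumerate(xor_bytes(ct[:len(known_header)], known_header)):
            recovered[off + i] = b
    return recovered


def decrypt_with_recovered(name: str, ct: bytes, recovered: Dict[int, int]) -> Optional[bytes]:
    """Decrypt a file only if every master-key byte its slice needs has been recovered."""
    off = offset_from_name(name)
    if any((off + j) not in recovered for j in range(len(ct))):
        return None
    return bytes(ct[j] ^ recovered[off + j] for j in range(len(ct)))


def simulate(n_files: int = 600, seed: int = 1234) -> dict:
    """Encrypt n_files toy files, recover key bytes from their headers, report coverage."""
    rng = random.Random(seed)
    master_key = bytes(rng.getrandbits(8) for _ in range(MASTER_KEY_SIZE))
    originals, encrypted = [], []
    for _ in range(n_files):
        body = bytes(rng.getrandbits(8) for _ in range(FILE_LEN - len(KNOWN_HEADER)))
        pt = KNOWN_HEADER + body
        off = rng.randrange(0, MASTER_KEY_SIZE - FILE_LEN)
        originals.append(pt)
        encrypted.append(encrypt_file(master_key, pt, off))
    recovered = recover_master_key(encrypted, KNOWN_HEADER)
    all_correct = all(master_key[i] == b for i, b in recovered.items())
    fully_decrypted = 0
    for (name, ct), pt in zip(encrypted, originals):
        out = decrypt_with_recovered(name, ct, recovered)
        if out is not None and out == pt:
            fully_decrypted += 1
    return {
        "coverage": len(recovered) / MASTER_KEY_SIZE,
        "all_correct": all_correct,
        "fully_decrypted": fully_decrypted,
        "files": n_files,
    }


if __name__ == "__main__":
    print(simulate())
```

Every recovered byte is exact (XOR with the known header leaks it directly), so the only limit on recovery is coverage: bytes of the master key that no file's known plaintext happened to land on. The more files the ransomware encrypted, the more of the key comes back, which is why the researchers could recover most of Hive's master key from a victim's own encrypted files.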
In the Google Play Store, no one can hear you scream
The security firm ThreatFabric published a report on a new Android malware operation dubbed Xenomorph that is showing up in the official Google Play Store. This malware was discovered earlier this month, acting as a banking trojan and using the Accessibility feature to overlay fake login screens on banking apps to collect login info. Xenomorph also intercepts SMS message notifications to defeat two-factor authentication. Based on analysis of the malware, it can show faked login screens for 56 banks in Spain, Portugal, Italy, and Belgium, as well as 12 cryptocurrency mobile wallets and several email apps. There is no main Xenomorph app in Google Play; rather, it is delivered as a second-stage payload inside several malicious apps.
Linux leads in patching speeds
Security researchers at Google's Project Zero found that from 2019 through 2021, Linux bugs were patched in an average of 25 days over the three-year period, with 2021 patches taking just 15 days on average. Google averaged 44 days to patch, Apple 69 days, and Microsoft 83 days, although researchers noted all platforms reduced patch times over the past three years. On the mobile front, iOS and Android had roughly similar response times, at 70 and 72 days, respectively. Project Zero generally provides a 90-day window from disclosing newly discovered bugs to allow patches to be released. In 2021, only a single bug exceeded its fix deadline, although 14% of bugs required the additional two-week grace period Project Zero offers after its standard 90 days.
(ZDNet)
Truth Social launches on the App Store
The Trump Media & Technology Group published its social-media app Truth Social in the US App Store. The app currently has a waitlist, and users report having issues creating accounts and logging in. Trump Media CEO Devin Nunes said the goal is to have the app fully operational in the US by the end of March. Reuters reports 500 users had early access to test the app. Similar social media apps promising less censorship, such as Parler, Gettr and Rumble, have had issues staying in compliance with iOS and Google Play terms and conditions, and have often shown lax security, leading to hackers defacing them soon after launch.
(CNet)
Thanks to our episode sponsor, Tines

Meta received a draft decision on EU-US data transfers
Meta made headlines a few weeks ago when it stated in a regulatory filing that it may be forced to suspend service in the EU due to the shifting laws around data transfers to the US. This came to light after the European Court of Justice invalidated the previous Privacy Shield data transfer framework in 2020. This preliminary ruling by Ireland's Data Protection Commission impacts Meta's ability to transfer data to the US, although it's unclear what is in the ruling, only that it was sent to Meta. According to the DPC's Graham Doyle, Meta will have 28 days to make submissions on this decision, after which the DPC will prepare a draft decision for the other Concerned Supervisory Authorities, aka the other European data regulators. So we're probably still a long way from Meta being forced to stop data transfers, but this decision likely means there is still regulatory movement in that direction.
CISA releases cybersecurity toolkit
The US Cybersecurity and Infrastructure Security Agency published a guide with free cybersecurity resources and services to help organizations with incident response. This includes resources to reduce risk exposure before an attack, and tools to help after a security incident. Software provided in the guide includes open-source tools and other CISA-specific software. The guide advises organizations to regularly patch software, implement multi-factor authentication, upgrade unsupported software, and replace default passwords.
(ZDNet)
Logistics company pauses operations due to ransomware
Seattle-based Expeditors International was forced to shut down most worldwide operations over the weekend as the result of a cyberattack it described as a "significant event." While the company did not mention the exact nature of the attack, BleepingComputer's sources say this is the result of a massive ransomware incident. The shutdown impacted the company's freight, customs, and distribution activities while it attempted to restore from backups. Expeditors did not provide an estimate of when operations would resume.
Iranian broadcaster hit with wiper malware
According to a report from the security firm Check Point, Islamic Republic of Iran Broadcasting was hit with a cyberattack on January 27th, which allowed the attackers to briefly display imagery on state TV. This appeared to use custom-made malware that was able to exploit backdoors in broadcast systems, take screenshots of displays, and log configuration files. It's unknown how the attacker gained initial access, and Check Point did not attribute the attack. The intrusion also installed a system wiper that corrupted files, erased the master boot record, changed passwords, and deleted backups. The researchers noted that while the malware itself was extremely sophisticated, the tools used to launch it appear to be fairly low quality, indicating it might have been executed by an insider.