Cybersecurity News – February 3, 2022

Iran-linked APT activity on the rise

Security researchers at Cybereason observed a spike in activity from APT35, a group with links to Iran also known as Charming Kitten or Phosphorus. The group was initially identified by Microsoft in 2013 and made headlines in 2014 for operating an elaborate spying campaign organized on social media. It is now using a new PowerShell backdoor, dubbed PowerLess Backdoor, which runs its PowerShell code from within a .NET context rather than launching powershell.exe, in order to evade detection. The backdoor is used to load additional modules, including a keylogger and browser spyware. Researchers also found the group exploiting Log4Shell vulnerabilities, and noted links to the Memento ransomware operation. 

(Security Affairs)

Hacker claims responsibility for North Korean internet disruptions

Researchers looking at internet traffic from North Korea have noted that the country has been experiencing significant internet connectivity issues for the past two weeks, with virtually all websites taken offline at times. The hacker known as P4x is taking responsibility for the disruption, saying it's in response to a North Korean campaign targeting security researchers last year, and out of frustration with the lack of a government response to the incident. P4x found numerous documented vulnerabilities left unpatched on North Korean systems and used them to launch a denial-of-service attack against the country. While leaving out specifics so as not to aid North Korean remediation, he points to "ancient" versions of Apache running in the country. P4x compared his operation to "the size of a small-to-medium pentest," running automated scripts to look for online systems with known vulnerabilities. P4x said he intends to actually hack into North Korean systems to steal and share information. 

(Wired)

TikTok: the once and future national security threat

Remember when TikTok was such a national security threat that the Trump administration spent a not inconsiderable amount of time trying to spin it out from its parent company ByteDance to a seemingly ever-revolving door of suitors, from Microsoft to Oracle? While perhaps not quite so heavy-handed, the Biden administration is taking up the torch, moving to revise Commerce Department rules to address security risks from foreign-owned apps, including TikTok. This could include the commerce secretary barring apps altogether, or requiring apps to submit to third-party auditing, code examination, and log monitoring. Administration officials say the process is moving slowly in order to ensure it can withstand legal challenges. TikTok maintains it does not share information on American users with the Chinese government. 

(WSJ)

Cloudflare launches bug bounty program

The web infrastructure company announced a public bug bounty program, expanding on a vulnerability disclosure program it has operated since 2014. The previous program did not include cash bounties and had limited effectiveness, with only 13% of the 1,197 reports validated as vulnerabilities. In 2018, the company launched a private bug bounty program for vetted researchers, paying out just over $211,000 over the life of that program. The new program will pay out up to $3,000 for critical bugs. To complement the program, Cloudflare also launched a testing sandbox named CumulusFire to provide a standardized playground for exploits. 

(Bleeping Computer)

Thanks to our episode sponsor, Pentera

To continuously know the exploitable attack surface, automate your validation. Security validation must be as dynamic as the attack surface it's securing. Periodic and manual tests aren't enough to keep up with the changes an organization undergoes. Security teams need to have an on-demand view of their assets and exposures, and the only way to get there is by automating your testing. Find out more at pentera.io

Sugar ransomware is anything but sweet

Walmart's cyber threat team analyzed a new ransomware family it's calling Sugar, the latest operation using a ransomware-as-a-service model. It was first discovered in November 2021 and differs from other operations by focusing on individual computers rather than enterprise networks. Sugar freely borrows from other ransomware families, with similarities to REvil and a decryptor page similar to that of the Cl0p operators. The researchers note there isn't much online chatter about Sugar ransomware, so it's unclear whether it isn't widespread yet, or whether it is being confused for other operations given its similarities. 

(Security Affairs)

Google and Microsoft inject OpenSSF with funds

The two companies are providing another $5 million to the Alpha-Omega Project of the Open Source Security Foundation, which is designed to secure the software supply chain by finding and fixing vulnerabilities in open source projects in collaboration with their maintainers. OpenSSF itself was only founded as a cross-industry collaboration by the Linux Foundation in August 2020. This announcement follows the White House hosting an open source security summit in the wake of the widespread Log4j vulnerability. Alpha works with the maintainers of critical open source projects to identify and fix security vulnerabilities. Omega will identify "at least" 10,000 of the most widely used OSS projects and apply "automated security analysis" to locate issues in these long-tail open source projects. 

(Venture Beat)

Blackberry sells legacy patents

We previously covered Blackberry's shutdown of its legacy services, which left its once iconic QWERTY-keyboard smartphones effectively unusable. Now, having shuttered those services, Blackberry announced it has sold the patents around its legacy services and products to Catapult IP Innovations for $600 million. These patents cover mobile devices, messaging, and wireless networking. Blackberry did not sell any patents related to its core business operations, which involve cybersecurity services and automotive software. 

(ZDNet)

Belgium fines IAB Europe over GDPR violations

Belgium's data protection authority fined IAB Europe, an association of online ad companies, 250,000 euros, saying the group's Transparency and Consent Framework tool violates GDPR. This tool lets sites obtain user consent for processing personal data for ads. In addition to the fine, the regulator ordered IAB Europe to implement a "series of remedies" to come into GDPR compliance. The regulator said the fine and mandates were needed because the tool could lead citizens to lose control over their personal data. IAB Europe said it is "considering all options" for a legal challenge, warning of "major unintended negative consequences" beyond the digital ad industry from the precedent set by the ruling. 

(Bloomberg)

Rich Stroffolino
Rich Stroffolino is a podcaster, editor and writer based out of Cleveland, Ohio. Since 2015, he's worked in technology news podcasting and media. He dreams of someday writing the oral history of Transmeta.