Cybersecurity News: Jamf buys ZecOps, porn phishing DDoS, Cloudflare Zero Trust SIM

Jamf buys ZecOps

The world of Apple in the enterprise just got a little deeper, with Apple MDM stalwart Jamf acquiring ZecOps. The deal adds advanced threat detection and incident response to the company’s mobile security capabilities. ZecOps provides insight into the kind of sophisticated mobile threats that Apple’s Lockdown Mode in iOS is meant to block, and it can run alongside that mode. Jamf said it will provide more details about integrations post-acquisition at its annual User Conference this week.

(Computer World)

Porn phishing scam turns into a DDoS

Researchers at the Swedish digital forensics nonprofit Qurium Media discovered a massive DDoS attack targeting the Philippine media outlet Bulatlat. Page requests for the media outlet appeared to come from Facebook links disguised to look like links to pornography. Clicking on them captured Facebook credentials and redirected the victim to Bulatlat. Once credentials were obtained, the compromised accounts spammed their friends lists with more faked links, amplifying both the phishing and the DDoS. The attackers used a “bouncing domain” and “residential proxies” to evade Facebook’s monitoring systems for such scams. Qurium traced the campaign back to the Vietnamese company Mac Quan Inc, estimating it captured the credentials of over 500,000 Facebook users.

(Wired)

Cloudflare announced secure eSIM offering

Cloudflare announced Zero Trust SIM, an eSIM that will be locked to a specific device, use Cloudflare Gateway for DNS filtering, validate hosts and IP addresses, and serve as a second factor for authentication. The eSIM will deploy over mobile device management platforms for iOS and Android, with plans to offer physical SIM cards as well. It will launch initially in the US in the next few months, and the company expects to roll out the service globally soon after. Cloudflare also announced Zero Trust for Mobile Operators, a pilot carrier partner program that lets service providers offer subscriptions to Cloudflare’s mobile security tools. No word yet on when that will launch.

(TechCrunch)

Terra’s Do Kwon wanted by Interpol

South Korean officials announced that Interpol issued a Red Notice for Do Kwon, requesting that law enforcement agencies worldwide locate and arrest the Terraform Labs co-founder. He’s wanted on charges related to the recent wipeout of $60 billion in cryptocurrency assets. South Korean officials accuse Kwon of breaching the country’s capital-markets law. Do Kwon’s current location remains unclear. He had moved from South Korea to Singapore, but officials in the city-state said on September 17th that he no longer resided there.

(Bloomberg)

Thanks to today’s episode sponsor, Votiro

Can you trust that your content and data are free of malware and ransomware? With Votiro you can. Votiro removes evasive and unknown malware from content in milliseconds, without impacting file fidelity or usability. It even works on password-protected and zipped files. Plus, it’s an API, so it integrates with everything – including Microsoft 365. Learn more at Votiro.com.

Good and bad news for TikTok

The UK’s Information Commissioner’s Office issued a “notice of intent” to TikTok, stating that it reached a “provisional view” that the app breached UK data laws from May 2018 through July 2020. According to the notice, TikTok may have processed the data of children under 13 years old without parental consent. TikTok has 30 days to respond to this notice.

There’s better news for TikTok on the US front. The New York Times’ sources say TikTok and the Biden administration have drafted a preliminary agreement to resolve national security concerns, but no deal has been finalized yet. The agreement will reportedly center on ensuring China-based TikTok employees don’t have access to American data, giving Oracle the power to monitor TikTok’s recommendations to prevent Chinese propaganda, and forming a board of security experts to oversee TikTok’s US operations.

(CNBC, NYTimes)

Noberus ransomware adds to its arsenal

The ransomware-as-a-service group Coreid began operations in 2012, making it a bit of an elder statesman in cybercrime. It originally ran ransomware schemes itself, switching to an affiliate model around 2018. Security researchers believe the group operates the Noberus ransomware, also known as BlackCat. Researchers note that Noberus added some new capabilities in recent attacks: affiliates were seen using the Exmatter data exfiltration tool, as well as the EAmfo info-stealer that targets Veeam backup credentials. Noberus remains current with malware trends, written in Rust for better cross-platform support and recently adding the ability to encrypt Arm-based systems.

(The Register)

New threat group found working with long-term persistence

Researchers at SentinelLabs discovered a group called Metador operating in a Middle East telco since at least December 2020. Its victim had been breached by other threat actors out of China and Iran in the past. Analysts noted, though, that Metador seemed to be “highly aware of operations security,” and was able to “quickly deploy intricate countermeasures in the presence of security solutions.” The group uses malware that runs entirely in memory, making detection difficult. Code analysis indicates it uses dedicated teams to develop and operate the malware. SentinelLabs says the level of sophistication indicates “a high-end contractor arrangement” of the kind seen with nation-state operators.

(Bleeping Computer)

More adware found on mobile app stores

Security researchers with Satori Threat Intelligence found 75 apps on Google Play and ten on Apple’s App Store running ad fraud schemes as part of the Scylla campaign. Combined, the apps were installed 13 million times. These apps generated revenue through invasive ads as well as by impersonating other apps to spur in-app transactions. The researchers believe this to be a continuation of an ad fraud operation that goes back as far as August 2019.

(Bleeping Computer)

Rich Stroffolino
Rich Stroffolino is a podcaster, editor and writer based out of Cleveland, Ohio. Since 2015, he's worked in technology news podcasting and media. He dreams of someday writing the oral history of Transmeta.