CuckooBees campaign stings targets for years
The APT Winnti, otherwise known as BARIUM or Blackfly, has been active since 2010 and is suspected of working on behalf of the Chinese government. Researchers at Cybereason published a report on a Winnti campaign called Operation CuckooBees that has been ongoing since 2019, focused on stealing proprietary information from technology and manufacturing companies across Europe, Asia, and North America. The researchers found the group used a “multi-stage infection chain” that started by targeting ERP software, ultimately combining known vulnerabilities and zero-days to gain network access and drop a webshell for persistent access. The campaign also targeted the WinRM over HTTP and PrintNotify Windows services to create backup and sideloaded access. The investigation is still ongoing, with Cybereason sharing only a partial list of indicators of compromise at this time.
(ZDNet)
Health and Human Services hammered over security
The US Department of Health and Human Services conducted an internal security audit and ruled that its information security program was ineffective for the fourth consecutive year. The audit looked at whether the department was in compliance with the Federal Information Security Modernization Act of 2014. It found that HHS did not meet adequate levels of maturity in the Identify, Protect, Detect, Respond, and Recover functions for handling security issues. The audit acknowledged that HHS is aware of these issues and is in the process of improving toward compliance.
Docker images used to DDoS Russian sites
A group of pro-Ukrainian actors believed to be backed by the country’s IT Army targeted 24 domains, including sites belonging to the Russian government, military, and media such as the TASS news agency. Security researchers at CrowdStrike observed two Docker images used in the attacks between February and March. Combined, the images have been downloaded over 150,000 times. It seems the DDoS targets were picked randomly at first, although later images were updated with time-based selection and a hardcoded list of targets.
GitHub to require 2FA
The Microsoft subsidiary announced that it will require developers who contribute code to use two-factor authentication, in an attempt to improve the security of the software supply chain. The change won’t be coming overnight; GitHub says the requirement will come into effect at the end of 2023. Enterprise customers will also be able to require developers to use 2FA when accessing their repositories. Currently only 16.5% of GitHub users use 2FA. GitHub will allow mobile push notifications and hardware security keys as a second factor.
(Protocol)
Meta releases GPT-3-like language model
Meta developed the Open Pretrained Transformer language model (or OPT), which contains 175 billion parameters, roughly the same size as OpenAI’s GPT-3 model. This isn’t a coincidence: it was designed to match GPT-3 on accuracy in language tasks. The company released the model free of charge for non-commercial use. For comparison, OpenAI offers GPT-3 as a paid service but does not share its code or the model itself. Meta also released its code and a logbook that documents the overall training process from October 2021 through January 2022, inviting other researchers to further study the model. Meta audited OPT to remove some harmful behaviors, but Meta researchers acknowledged that releasing it carries a “non-zero risk in terms of harm.”
Google removed billions of ads in 2021
The search giant revealed that as part of its crackdown on deceptive advertising practices, the company removed 3.4 billion ads last year, restricted an additional 5.7 billion ads, and suspended over 5.6 million advertiser accounts, triple the number in 2020. Google said bad actors continue to look for ways through its systems, such as creating thousands of accounts simultaneously and using text manipulation to show different content to reviewers. This came as Google implemented a three-strikes rule for ads that contain deceitful practices, dangerous products, or inappropriate content. Of the removed ads, 19% were pulled for abusing the ad network.
(CNET)
SafeGraph to stop selling Planned Parenthood location data
Earlier this week, Motherboard reported that it was possible to buy the location data of people visiting Planned Parenthood sites specifically, including where they came from and went afterwards, from the data broker SafeGraph, as part of an overall “Family Planning Centers” category. After the report, SafeGraph released a statement saying that “[i]n light of potential federal changes in family planning access” it will remove that category from its self-service shop and API to stop any misuse of its data. SafeGraph maintains that it does not sell data on individuals, but it does sell device-specific location data in certain instances.
(Vice)
New ransomware linked to North Korea
Trellix researcher Christiaan Beek documented a new ransomware strain called VHD that he traced to APT38, a threat group with ties to North Korea. VHD has been used in ransomware attacks on global finance systems and crypto exchanges since at least March 2020. North Korea frequently uses ransomware and other cyber attacks to help raise money for the state. Beek found code similarities between VHD and known North Korean code, and saw an overlap between the bitcoin addresses used to receive ransom payments and known North Korean wallets.