Cybersecurity News Week in Review: Antivirus data wipers, TSA expands facial recognition, Uber breach 

This week’s Cyber Security Headlines – Week in Review, December 12-16, is hosted by Rich Stroffolino with our guest, Jeremy Embalabala, CISO, HUB International

Cyber Security Headlines – Week in Review is live every Friday at 12:30pm PT/3:30pm ET. Join us each week by registering for the open discussion at CISOSeries.com

Antivirus and EDR solutions tricked into acting as data wipers

A security researcher has found a way to exploit the data deletion capabilities of widely used endpoint detection and response (EDR) and antivirus (AV) software from Microsoft, SentinelOne, TrendMicro, Avast, and AVG to turn them into data wipers. SafeBreach researcher Or Yair came up with the idea to exploit existing security tools on a targeted system to make the attacks more stealthy and remove the need for a threat actor to be a privileged user. Also, abusing EDRs and AVs for data wiping is a good way to bypass security defenses as the file deletion capabilities of security solutions are expected behavior and would likely be missed.

(Bleeping Computer)

TSA to expand facial recognition across America

America’s Transportation Security Administration has been testing facial recognition software in 16 airports to automatically screen passengers flying across the country, and it is now looking into rolling it out nationwide next year. Flyers will be able to pass through security checkpoints by scanning a copy of a government-issued ID, such as a driver’s license stored on their mobile phone, and standing in front of a camera system. The equipment snaps a live photo of their face and checks whether it matches the one captured on their ID. The aim is to reduce security screening wait times by automating the process so TSA agents do not need to manually check IDs. The pilot program tested the Credential Authentication Technology 2 (CAT-2) system.

(The Register)

Greece outlaws spyware

Lawmakers in Greece approved new legislation to ban commercial spyware in the country, as well as reforming rules around wiretaps. Use, sale, or distribution of spyware in the country now carries a two-year minimum prison sentence. This ban doesn’t come out of the blue. Back in August, politician Nikos Androulakis (An-dro-U-lake-is) said he had been targeted by Predator spyware by the country’s National Intelligence Service in September 2021. Subsequent reporting alleged that spyware was used against other politicians and journalists. 

(AP News)

Uber hit with another breach after attack on third-party vendor

Uber has suffered a sensitive data leak as a result of cyber-criminals gaining access to the AWS backup server of their third-party vendor, Teqtivity. Data leaked on a dark web forum appears to include source code associated with mobile device management platforms (MDM) used by Uber, Uber Eats and third-party vendor services. Operating under the pseudonym “UberLeaks,” the threat actors created four separate posts on the forum, each attributed to a different member of the infamous Lapsus$ hacking group.

(Infosecurity Magazine)

Meta to share software in attempt to help fight crime

Meta said that it’s planning to share its Hasher Matcher Actioner tool with other companies in an effort to combat terrorism and human trafficking across the internet. The tool finds duplicated images that violate its terms of service by matching image hashes, or digital fingerprints. Meta’s announcement comes as the company enters its yearlong chairmanship of the Global Internet Forum to Counter Terrorism (GIFCT). While releasing open-source software is critical in limiting the places where violating content can appear, it remains unclear how this will affect content on the dark web.

(ABC News)

Thanks to today’s episode sponsor, Fortra

The cybersecurity landscape is full of single-solution providers, making it easy for unexpected cyberthreats to sneak through the cracks. That’s why Fortra is creating a stronger, simpler strategy for protection. One that increases your security maturity while decreasing the operational burden that comes with it. Fortra’s integrated, scalable solutions help customers face their toughest challenges with confidence. Learn more at Fortra.com

Royal ransomware uses novel encryption

The Royal ransomware gang made a name for itself with sophisticated tactics and rapidly expanding scope. A new report on the group from the Cybereason Security Research & Global SOC Team outlines one item in its toolkit: partial encryption. While not new, Royal has expanded on the tactic with flexible-percentage encryption that appears designed for specific targets. It uses multiple threads to further shorten encryption time, and a variety of tactics to stop and start encryption. The US Department of Health and Human Services warned last week of Royal targeting healthcare providers, but the report found the group operating fairly agnostically across regions and industries. The researchers note that Royal doesn’t use affiliates and may have extensive membership drawn from the defunct Conti group.

(Dark Reading)

InfraGard data for sale on dark web

Security researcher Brian Krebs reported that the user database for the US FBI’s InfraGard program appeared for sale on a cybercrime forum on December 10th. The program was designed to build information sharing partnerships between the FBI and private firms, including operators of critical infrastructure. Krebs contacted the seller, who said they obtained access by creating a new InfraGard account posing as the CEO of a major US financial corporation. The seller said he used a faked email but listed the actual CEO’s phone number in the application. The impersonated CEO said the FBI never contacted them by phone to verify the application. The dataset mostly reveals emails and phone numbers, but also allows direct messaging of other InfraGard members, opening the door to potential social engineering.

(Krebs on Security)

Hackers target Japanese politicians with new MirrorStealer malware

A hacking group tracked as MirrorFace had been targeting Japanese politicians for weeks before the House of Councilors election in July 2022, using a previously undocumented credentials stealer named ‘MirrorStealer.’ The campaign was discovered by ESET, whose analysts report they could piece together evidence thanks to operational mistakes made by the hackers that left traces behind. The hackers deployed the new information-stealing malware along with the group’s signature backdoor, LODEINFO, which communicated with a C2 server known to belong to APT10 infrastructure.

(Bleeping Computer)

Crooks use HTML smuggling to spread QBot malware via SVG files

Researchers at Talos have uncovered a phishing campaign that distributes QBot malware using a technique that leverages Scalable Vector Graphics (SVG) images embedded in HTML email attachments. HTML smuggling, as it is known, is a highly evasive malware delivery technique that leverages legitimate HTML5 and JavaScript features. Malicious payloads are delivered as encoded strings in an HTML attachment or web page, and the malicious code is assembled within the browser on the target device, which is already inside the security perimeter of the victim’s network.

(Security Affairs)
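As an added, defender-side example (not from the article or from Talos), a small Python heuristic that flags HTML email attachments carrying the ingredients described above: script inside an inline SVG, browser-side decoding and Blob APIs, and long base64-looking strings in script text. The indicator names, the 200-character threshold and the sample attachments are assumptions constructed for this illustration.

```python
import re
from html.parser import HTMLParser

# Assumed indicators (not from the article): browser-side decode/Blob APIs that
# HTML smuggling relies on, plus long base64-looking runs inside script text.
JS_INDICATORS = ("atob(", "new Blob(", "createObjectURL", "msSaveOrOpenBlob")
BASE64_RUN = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")

class SmugglingScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.svg_depth = 0       # >0 while inside an inline <svg> element
        self.in_script = False
        self.script_buf = []     # text of the <script> currently being read
        self.findings = set()

    def handle_starttag(self, tag, attrs):
        if tag == "svg":
            self.svg_depth += 1
        elif tag == "script":
            self.in_script = True
            if self.svg_depth:
                self.findings.add("script_inside_svg")

    def handle_endtag(self, tag):
        if tag == "svg" and self.svg_depth:
            self.svg_depth -= 1
        elif tag == "script":
            self.in_script = False
            body = "".join(self.script_buf)   # check the whole script at once
            self.script_buf = []
            for ind in JS_INDICATORS:
                if ind in body:
                    self.findings.add("js:" + ind.rstrip("("))
            if BASE64_RUN.search(body):
                self.findings.add("long_base64_in_script")

    def handle_data(self, data):
        if self.in_script:
            self.script_buf.append(data)

def scan_html_attachment(html):
    """Return sorted indicator names; an empty list means nothing was flagged."""
    p = SmugglingScanner()
    p.feed(html)
    p.close()
    return sorted(p.findings)

# Constructed samples: a plain SVG logo, and a stub that only exercises the checks.
SAMPLE_BENIGN = '<svg xmlns="http://www.w3.org/2000/svg"><rect width="10" height="10"/></svg><p>Report attached.</p>'
SAMPLE_SUSPICIOUS = ('<html><body><svg xmlns="http://www.w3.org/2000/svg"><script>var d = atob("'
                     + "QUJD" * 60 + '");var u = URL.createObjectURL(new Blob([d]));</script></svg></body></html>')
```

Run it over extracted `.html`/`.htm` attachments at the mail gateway and treat any non-empty result as a reason to quarantine for analysis rather than deliver.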

LEGO BrickLink bugs let hackers hijack accounts, breach servers

Security analysts have discovered two API security vulnerabilities in BrickLink.com, LEGO Group’s official second-hand and vintage marketplace for LEGO bricks. BrickLink is the world’s largest online community of LEGO fans, with over a million registered members. The two issues, discovered by Salt Security, could have allowed an attacker to take over members’ accounts, access and steal personally identifiable information (PII) stored on the platform, or even gain access to internal production data and compromise internal servers. The first is a cross-site scripting (XSS) flaw in the “Find Username” dialog box of the coupon search section; the second was located on the “Upload to Wanted List” page, where users can upload XML lists containing LEGO parts they wish to find and purchase.

(Bleeping Computer)

UK arrests five for selling ‘dodgy’ point of sale software

Tax authorities from Australia, Canada, France, the UK and the US have conducted a joint probe into “electronic sales suppression software” – applications that falsify point of sale data to help merchants avoid paying tax on their true revenue. An announcement last Friday from the Joint Chiefs of Global Tax Enforcement (known as the J5) states that the probe resulted in the arrest of five individuals in the UK. The software allows retailers to keep a separate set of books and launder money in one transaction. J5 chief and Australian Taxation Office deputy commissioner John Ford described as an example how a customer might order a $60 steak and a $100 bottle of wine, at which point the software changes the transaction, recording it in the point of sale system as “a $10 bowl of chips and a $4 bottle of soft drink.”

(The Register)

Steve Prentice
Author, speaker, expert in the area where people and technology crash into each other, viewed from the organizational psychology perspective. Host of many podcasts, voice actor and narrator for corporate media and audiobooks. Ghost-writer for busy executives.