The journey to a passwordless future
Apple, Google, and Microsoft take a significant step forward to get rid of passwords
With passwords an ongoing security concern, tech giants Apple, Google, and Microsoft announced that they have committed to building support for a common passwordless sign-in standard across all of their mobile, desktop, and browser platforms over the coming year.
The idea is simply to let users log in by linking their accounts to a physical device (e.g., a phone), such that unlocking that device is enough to sign in to web services without ever entering a password. “The new capability will allow websites and apps to offer consistent, secure, and easy passwordless sign-ins to consumers across devices and platforms,” the FIDO Alliance said.
What’s trending in security?
⚠️ A previously unknown hacking group focused on cyberespionage has set its sights on employees responsible for corporate development, large corporate transactions, and mergers and acquisitions.
Called UNC3524, the threat actor has managed to remain undetected for an average dwell time of 21 days partly through backdoors installed on appliances that do not support security tools, in addition to demonstrating a high level of operational security and top-notch tradecraft. In some cases, UNC3524 remained undetected in victims’ environments for as long as 18 months. [The Hacker News]
🛡️ The European Parliament overwhelmingly approved a proposal that allows Europol to work more closely with non-E.U. governments and receive data from private companies to help coordinate the fight against terrorism, child sex abuse, and other serious crimes. [European Parliament]
🐟 The U.S. Department of Justice (DoJ) announced the conviction of Sercan Oyuntur, 40, resident of California, for multiple counts relating to a phishing operation that caused $23.5 million in damages to the U.S. Department of Defense (DoD). [DoJ]
🔍 The Spanish government said the mobile phones of the prime minister, Pedro Sánchez, and the defense minister, Margarita Robles, were both infected in May and June 2021 with NSO Group’s Pegasus spyware. The Moroccan government is said to be behind the mobile hacking incidents.
The allegations come as the Spanish government has faced questions over how its supposed use of the surveillance tool came to monitor dozens of members of the Catalan independence movement. Spain’s National Intelligence Center has since admitted that the agency had hacked into the cellphones of 18 Catalan separatists after proper judicial authorization, leading to the sacking of the spy chief Paz Esteban.
Pegasus is designed to surveil the phones of intended targets by gaining access to calls, messages, media, emails, microphones, and cameras. [The Guardian / The Hacker News / Associated Press]
💥 While Ukraine has been buffeted by a number of destructive cyberattacks since the start of Russia’s military invasion of the country, Russia itself has been hammered by pro-Ukrainian hacktivists in widespread tit-for-tat assaults, resulting in the leak of personal information and the defacement of Russian TV platforms to broadcast anti-war messages. This also includes the use of Docker images to carry out denial-of-service attacks against Russian websites. Microsoft, in a special report, disclosed that Russia started laying the groundwork for cyberattacks against Ukraine as early as March 2021. [Ars Technica / The Washington Post / CrowdStrike / The Hacker News]
🚨 The North Korean Lazarus hacking group has been linked to a new phishing campaign that leverages cryptocurrency-themed lures to target South Korean users by posing as Naver, the popular South Korean search engine and web portal, to steal credentials. [Zscaler / Cluster25]
Speaking of North Korea, an unnamed engineering company with energy and military customers was recently the target of a hacking group linked to the country called Stonefly, which has been operating since at least 2009. The ultimate goal is to obtain confidential information by means of a custom backdoor called Preft. “It now appears to specialize in targeting organizations that hold classified or highly sensitive information or intellectual property,” researchers said. [Symantec]
⚡ Researchers have disclosed details of a new campaign targeting Israel called OpsBedil. Led by DragonForce Malaysia, a pro-Palestinian hacktivist group located in Malaysia, the activities — defacements, denial-of-service attacks, and data leaks — are said to be a political response to escalating tension in the Middle East during Ramadan. “The operations are mainly reactionary and following physical or political confrontations.” [Radware]
📧 Phishing actors are abusing Google’s SMTP relay service to bypass email security products and successfully deliver malicious emails to targeted users. At least 30,000 emails were distributed in the first two weeks of April using this method. [Avanan]
🏭 A China-linked advanced persistent threat group (APT) known as Winnti has been attributed to a sprawling cyberespionage attack targeting manufacturing and technology companies in North America and Asia since 2019 with the goal of pilfering intellectual property and other sensitive data. Cybereason said it caught wind of the operation when investigating a 2021 intrusion at an unnamed manufacturing firm. [The Hacker News]
💲 More than $43.3 billion has been lost through Business Email Compromise and Email Account Compromise scams since 2016, according to data released Wednesday by the U.S. Federal Bureau of Investigation. The total number of reported incidents was 241,206. [FBI]
🐛 A wormable malware dubbed Raspberry Robin has been active since last September and is spreading through USB drives onto Windows machines to use Microsoft Standard Installer (MSI) and other legitimate processes to install malicious files. “Absent additional information on later-stage activity, it’s difficult to make inferences on the goal or goals of these campaigns,” researchers said. [The Hacker News]
❌ With managed service providers presenting an attractive avenue for threat actors to compromise and conduct intrusions into multiple end targets, cybersecurity agencies in Australia, Canada, New Zealand, the U.K., and the U.S. are urging organizations to take steps to bolster their cyber defenses. [The Hacker News]
🖼️ The European Commission unveiled a new plan to combat child sexual abuse material that requires online service providers to mandatorily scan their platforms for illegal content, opening the door to generalized surveillance. It has also raised concerns that the proposal could force companies to break end-to-end encryption (E2EE) to peer into the personal communications of all users as any technology required to detect CSAM would make E2EE effectively impossible. If anything, in the absence of proper methods to legally seek out CSAM without compromising user privacy and security, the move could hasten the adoption of E2EE. [The Hacker News / WIRED]
💵 According to Sophos’ The State of Ransomware 2022, 55% of the 200 surveyed companies in Brazil were targeted by ransomware attacks last year, and only 40% of those firms chose to pay the ransom after being attacked. What’s more, 66% of organizations surveyed worldwide were hit with ransomware in 2021, up from 37% in 2020. [Sophos]
4⃣️ Four ransomware strains, including BEAF, PXJ, ZZZZ and CHiCHi, have been linked to North Korea’s army of cyber hackers based on overlaps with the VHD ransomware strain that surfaced in 2020 as part of the threat actor’s multi-platform malware framework called MATA. The observations show that the financially motivated APT continues to dabble in ransomware to generate revenues for the cash-strapped hermit kingdom. [Trellix]
🚫 A typosquatting campaign intended to abuse popular brands is in the works, according to researchers from Recorded Future, by leveraging a command-and-control (C2) infrastructure dubbed SOLARDEFLECTION. The operation has been attributed to Nobelium, the Russian hacking group behind the SolarWinds hack. [Recorded Future]
🕸️ A Nigerian scammer (codenamed E.K.) responsible for stealing more than 800,000 credentials from some 28,000 victims over the past several years ironically infected his own machine with an information stealing malware called Agent Tesla that resulted in his identity being exposed. [Malwarebytes]
ℹ️ The U.S. State Department is offering rewards that total $15 million for more information about the key leaders, operators or affiliates associated with the Conti team, a ransomware-as-a-service (RaaS) operation in which the core developers make the code available on the market for others to use, enabling less-skilled operators to more easily launch sophisticated ransomware attacks.
Conti continues to pose a formidable threat to businesses despite suffering a security incident of its own after an anonymous security researcher in February leaked two years worth of the group’s internal chat logs and the gang’s source code. [The Hacker News]
📱 Several Android fleeceware apps have been spotted in the Google Play store, once again demonstrating how malicious actors can adapt their tactics to get around the app store’s security protections. Called Joker, the malware is designed to surreptitiously sign users up for paid services and is distributed within otherwise benign applications. [The Hacker News]
▶️ A new campaign has been spotted leveraging YouTube videos that lure victims into downloading a fake bot to automatically buy Binance NFT Mystery Boxes. The video description leads the victim to download the fake bot, which is hosted on GitHub but in reality spreads RedLine Stealer, a malware sold on underground forums for $100 a month. In a sign that the operators are employing increasingly sophisticated tactics to infiltrate devices, a campaign disclosed this week involved the abuse of an actively exploited zero-day vulnerability in Chrome (CVE-2022-1096) to distribute the malware. [Netskope / CloudSEK]
🔗 Vanity links created by companies to add their brand to well-known cloud services could become a useful vector for phishing attacks and a way to better fool victims, researchers are warning. [Varonis]