U.K. media campaign fights encryption
A government-funded campaign says encryption puts children at risk
The encryption wars are back, once again. A U.K. government-funded campaign called No Place to Hide is “calling for social media companies to work with us to find a solution that protects privacy, without putting children at even greater risk.” It also says that support for end-to-end encryption (E2EE) will prevent the ability to detect child sexual abuse and exploitation on their platforms, and that an “estimated 14 million reports of suspected child sexual abuse online could be lost each year.”
In response, the U.K. Information Commissioner’s Office told The Guardian that E2EE “serves an important role both in safeguarding our privacy and online safety,” and that “it strengthens children’s online safety by not allowing criminals and abusers to send them harmful content or access their pictures or location.”
What’s trending in security?
⚡ Amid heightened tensions between Ukraine and Russia, a hacktivist group in Belarus named Cyber Partisans said they had infected the network of the country’s state-run railroad system with ransomware and would provide the decryption key only if Belarus President Alexander Lukashenko stopped aiding Russian troops ahead of a possible invasion of Ukraine.
The development comes as the U.S. and U.K. intelligence agencies sounded the alarm on possible cyberattacks staged by Russia against governments and critical infrastructure operators in the country. [Ars Technica / WIRED / Gizmodo]
🚨 Microsoft shed additional light on the cyberattacks that disabled Ukrainian government websites, as Kyiv pointed to Russia as the culprit. The disclosure comes as Ukrainian cybersecurity agencies said the attack involved exploitation of CVE-2021-32648, a vulnerability in the October CMS, to compromise government systems. The attacks are also among several malware operations that have exploited the Log4Shell vulnerability to spread to vulnerable systems.
That said, Ukrainian intelligence agencies disclosed that the code used in the WhisperGate wiper that targeted government agencies in Ukraine this month was re-purposed from a WhiteBlackCrypt ransomware campaign that targeted Russian victims last year, alluding to a false flag operation. [The Hacker News / Kim Zetter]
🏅 China is mandating that athletes download and use a health and travel app when they attend the Winter Olympics next month. But a closer examination has revealed a number of security loopholes. The app also allegedly comes with a list of 2,422 political keywords, described within the code as “illegalwords.txt,” that worked as a keyword censorship list. [Citizen Lab]
🍪 Google backed away from FLoC, its controversial system to replace third-party tracking cookies. Instead, the search and advertising giant aims to use Topics, a way to determine what broad categories users fall into based on their browsing history. Google then shares three of those presumed preferences with participating websites, who serve the relevant ads. While it’s seen as an improvement over the cookie-based system, it doesn’t fully allay the concerns about Google’s dominance of the ad market and its ability to track its users on a first-party basis. [The Hacker News]
💵 A new form of ransomware called White Rabbit, which demands payment in exchange for the decryption key, could be linked to a notorious financial crime group known as FIN8. The ransomware, which first emerged in December 2021 with an attack against a U.S. bank, is believed to have used tactics that have been seen before, most notably by the now-defunct Egregor. Financially motivated cyber criminals shifting towards ransomware is usually a sign that there’s more money to be made from encrypting networks than from phishing and other malware attacks. [The Hacker News]
🛡️ The North Korea-based Lazarus Group once again dangled fake job opportunities in a spear-phishing campaign that used Windows Update as a living-off-the-land technique and GitHub as a command-and-control (C2) server to spew malware against targets in the defense industry. [The Hacker News]
🔍 Israeli police used NSO Group’s Pegasus spyware to monitor citizens, mayors, political protesters, and former government employees without warrants or court oversight, in a further setback for the controversial company. “There is also no supervision on the data being collected, the way police use it, and how it distributes it to other investigative agencies,” Calcalist reported.
Once Pegasus is on the device, the spyware can turn it into a powerful surveillance tool by gaining complete access to its camera, calls, media, microphone, email, text messages, and other functions, enabling surveillance of the person targeted and their contacts.
In related news, it has emerged that Human Rights Watch staff member Lama Fakih as well as Finnish diplomats were targeted with Pegasus spyware, once again highlighting the scale of misuse. The Finnish revelations follow similar reports from European countries, such as Hungary and Poland, suggesting the Israeli company had a much larger clientele in democratic countries.
Furthermore, a New York Times investigation alleged that the U.S. Federal Bureau of Investigation considered procuring the clandestine commercial spyware tool for its law enforcement probes, while also showing its widespread use by the U.A.E., Mexico, Saudi Arabia, and other nations. [The New York Times / Human Rights Watch / Calcalist]
🌐 A joint law enforcement operation resulted in the takedown of VPNLab.net, a VPN service that was advertised in the dark web and promised online anonymity for as little as $60 per year. Europol said it set its sights on VPNLab.net after multiple other investigations lifted the lid on the criminals using the service to control botnets and distribute malware. The law enforcement agency also said the VPN was a popular choice for cybercriminals for avoiding detection while launching various malicious activities. [The Hacker News]
🔗 BlackBerry security researchers have analyzed the Prometheus TDS (Traffic Direction System) and discovered a correlation with a cracked copy of Cobalt Strike that’s been put to use by various malware families. [The Hacker News]
⚙️ Apple fixed two significant security vulnerabilities when it released iOS 15 in September 2021 that could have potentially exposed users’ private Apple ID information and in-app search history to malicious third-party apps and allowed apps to override user Privacy preferences, according to a quietly revised advisory published by the company this week.
Separately, security researcher Ryan Pickren discovered serious security flaws in Apple’s Safari browser and macOS that could have been exploited to take over a Mac’s mic or camera, or to access any accounts the victim was already logged into. Apple fixed the issues in early 2022 and awarded Pickren a $100,500 bug bounty. [MacRumors / Ryan Pickren]
📨 The U.S. government has ordered WhatsApp to track seven users based in China and Macau. The Drug Enforcement Administration (DEA) has asked the Facebook-owned messaging company to “monitor the IP addresses and numbers with which the targeted users were communicating, as well as when and how they were using the app,” according to an unsealed government surveillance application. [Forbes]
💲 More than 2,323 local governments (77), schools (1,043), and healthcare organizations (1,203) in the U.S. were affected by ransomware attacks in 2021. But a slew of law enforcement actions, including the arrest of REvil ransomware gang members in Russia, has raised the possibility that things may finally change. [Emsisoft]
🏭 A number of spyware campaigns have been observed targeting industrial enterprises, aiming to harvest email account credentials and conduct financial fraud or resell them to other actors. Examples of commodity malware used in attacks include AgentTesla/Origin Logger, HawkEye, Noon/Formbook, Masslogger, Snake Keylogger, Azorult, and Lokibot. [Kaspersky]
🌕 Researchers have discovered a new UEFI firmware implant called MoonBounce that was observed in a targeted espionage attack against one victim last year. MoonBounce uses its foothold in the firmware as a persistence mechanism, altering code as it is loaded and executed during the boot process. The discovery marks the third time the security community has uncovered a UEFI-based malware that’s designed to persist in a computer’s flash memory, after LoJax and MosaicRegressor. [The Hacker News]
⚠️ TrickBot has dominated the malware threat landscape since 2016, constantly adding optimizations and improvements while facilitating the deployment of damaging malware and ransomware strains such as Diavol, Ryuk, and Conti. More recently, it has been linked to the re-emergence of Emotet. An analysis of the latest version of the malware has revealed new layers of obfuscation and anti-reverse engineering features designed to crash the browser if an attempt to analyze the malware source code is detected. [The Hacker News]
🚫 Germany’s domestic intelligence service, the BfV (short for Bundesamt für Verfassungsschutz), has warned of ongoing attacks coordinated by the Chinese-backed hacking group APT27 targeting German commercial organizations, with the attackers using the HyperBro remote access trojan (RAT) to backdoor their networks. The attacks have been taking place since at least March 2021. [BfV]
❌ 470 malicious apps lurking on the Google Play Store have successfully installed Dark Herring malware — a cash-stealer intended to subscribe users to premium services — on more than 100 million Android devices across the world, including Egypt, Finland, India, Pakistan, and Sweden. All the offending apps have since been removed from the marketplace. [Zimperium]
📸 An active phishing campaign has been hijacking corporate Instagram accounts as well as accounts of individual influencers since approximately August 2021 by sending fake emails about copyright infringement that direct victims to a rogue site that steals their credentials. The stolen credentials are used to take control of the account, after which the passwords and usernames are changed. The threat actors then demand ransoms from the victims to restore access. [Secureworks]
📱 A banking-fraud trojan dubbed BRATA that has been targeting Android devices for three years has been updated with a new host of capabilities. Chief among them is a kill switch that performs a factory reset and wipes infected devices clean following a successfully conducted wire transfer from the victim’s banking app, covering up its malicious tracks. The new capabilities underscore the ever-evolving behavior of crimeware apps and other kinds of malware. [The Hacker News]
🤖 The source code of the BotenaGo malware, which is used to exploit over 30 vulnerabilities in routers and IoT devices in order to spread the Mirai botnet, has been uploaded to GitHub, allowing any malicious hacker to use, modify, and upgrade it in a move that could widen the number of attacks in the future. The development comes as Intel 471 said it observed a surge in Internet of Things (IoT) device attacks in 2020 and 2021. [AT&T Alien Labs / Dark Reading]
❎ The Federal Communications Commission (FCC) has revoked the license of China Unicom Americas, one of the world’s largest mobile service providers, over “serious national security concerns.” [FCC]
🗄️ The past weeks in data breaches, leaks, and ransomware: Bank Indonesia, Crypto.com, Delta Electronics, French Ministry of Justice, Global Affairs Canada, Moncler, Nobel Foundation, OpenSubtitles, Puerto Rico's Senate, Qubit Finance, Red Cross, RRD, Segway
Tips, Comments, Ideas?
Send them my way by replying to this email.
Thanks again for reading. See you in the next edition!