Software bug opened macOS to malware
Security researcher Cedric Owens discovered a bug that bypasses many of the checks macOS uses to thwart malware, allowing him to build a potentially malicious app that looks like a harmless document. Double-clicking the “document” would run the malware without any warning from the OS, because macOS misclassified certain app bundles and skipped its security checks on them. Owens reported the bug to Apple, which patched it in macOS 11.3. However, the Mac security company Jamf found a sample of the Shlayer malware family exploiting the bug that had been captured in early January, months before Owens’ disclosure.
An analysis of the COMB21 password leak
Researchers at Syhunt performed the analysis, looking at the compilation of password leaks published on February 2nd, which included 3.28 billion passwords linked to 2.18 billion email addresses. Of these, 2.78 million passwords were from the US, with over 625,000 linked to .gov email addresses; the State Department and the Department of Veterans Affairs (VA) were the most common, with roughly 29,000 each. The analysis notes that the leak included 13 credentials linked to email addresses of the Oldsmar water plant in Florida, which suffered a cyber attack attempting to alter water quality three days after the leak was published.
Authorities warn of FluBot Android malware
Germany’s Federal Office for Information Security and the UK National Cyber Security Centre published a joint alert about the rise of FluBot malware. It spreads through SMS spam appearing to come from legitimate delivery services, luring users into opening malicious links and installing the malicious app. Once installed, it abuses the Android Accessibility service and screen overlays to steal login credentials from victims. Though first seen only at the end of 2020, FluBot has become one of the most active Android malware operations, with activity expanding to Japan, Italy, Norway, Sweden, Finland, Denmark, Poland, and the Netherlands.
India demands removal of critical COVID response content
The New York Times reports that the Indian government ordered Twitter, Facebook, and Instagram to remove roughly 100 posts critical of the country’s COVID-19 response, claiming the posts were misleading and could incite panic. The platforms complied with the order. Twitter blocked the posts in India only, so they remained available elsewhere, saying that the block was required by local law but that the posts did not violate any Twitter policies. Indian law allows local employees of social media platforms to be jailed for not complying with takedown notices.
Thanks to our episode sponsor, Aptible
Houston Rockets investigating cyber security incident
External security experts hired by the NBA team, along with the US FBI, are investigating an attempt to install ransomware on the team’s internal servers. While investigators are still determining the full scope of the attack, the team has seen no signs that the actors obtained any sensitive information in the effort. Earlier this month, the Babuk group claimed to have obtained 500GB of data from the Houston Rockets, including financial data, non-disclosure agreements, and contracts. A ransom message threatening to release the data has since been removed.
REvil removes Apple extortion documents
MacRumors confirmed that the REvil ransomware group removed all references to an extortion attempt against Apple, which previously included images and schematics stolen from the ODM Quanta. The group had turned its attention to Apple after Quanta refused its initial extortion demand, threatening to leak additional information through May 1st unless a $50 million ransom was paid. It’s not clear why the information was removed.
John Deere flaw leaks personal info
Motherboard reports that security researcher Sick Codes discovered a pair of flaws in John Deere’s apps and website that would let attackers access personal data of people who owned John Deere vehicles and equipment, including name, address, equipment ID, and VIN. The first bug was a username availability check with no rate limiting, which allowed valid usernames to be enumerated at scale. That enabled the second exploit, in which an API accepting an ordinary session cookie exposed the personal information associated with those usernames. Sick Codes reported the vulnerabilities to John Deere on April 12th and 13th. The company fixed one bug within three days and the second on April 21st.
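As an added illustration of the two-step pattern described above (this is not John Deere’s code or Sick Codes’ exploit; the endpoints, user records, session values, and limits are hypothetical), the following Python models an unthrottled username-availability check that can be enumerated, a per-client sliding-window limiter that cuts the enumeration off, and a profile lookup that is fixed by binding the requested username to the authenticated session instead of trusting any valid cookie:

```python
"""Hypothetical model of an enumeration flaw chained with an authorization flaw.
Added example; not code from the original page or from John Deere."""
import time
from collections import defaultdict, deque

# Constructed sample user store (hypothetical data).
USERS = {
    "alice": {"name": "Alice Example", "address": "1 Farm Rd", "vin": "1HYPO0000000001"},
    "bob":   {"name": "Bob Example",   "address": "2 Field Ln", "vin": "1HYPO0000000002"},
}

class RateLimiter:
    """Sliding-window limiter: at most `limit` requests per `window` seconds per client."""
    def __init__(self, limit, window, clock=time.monotonic):
        self.limit, self.window, self.clock = limit, window, clock
        self.hits = defaultdict(deque)  # client -> timestamps of recent requests

    def allow(self, client):
        now = self.clock()
        q = self.hits[client]
        while q and now - q[0] > self.window:  # drop hits outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True

def username_available_unlimited(client, username):
    """Weak pattern: precise answer, no throttling, so the namespace is enumerable."""
    return username not in USERS

def make_limited_checker(limit=5, window=60.0, clock=time.monotonic):
    """Hardened pattern: same endpoint behind a per-client limiter."""
    limiter = RateLimiter(limit, window, clock)
    def username_available(client, username):
        if not limiter.allow(client):
            raise PermissionError("rate limited")
        return username not in USERS
    return username_available

def profile_for(username, session_cookie):
    """Weak pattern: any valid session can read any user's profile."""
    if session_cookie != "valid-session":
        raise PermissionError("not authenticated")
    return USERS.get(username)

def profile_for_fixed(username, session_cookie, session_user):
    """Hardened pattern: the session must belong to the profile being requested."""
    if session_cookie != "valid-session" or session_user != username:
        raise PermissionError("forbidden")
    return USERS.get(username)

def enumerate_users(checker, wordlist, client="attacker"):
    """Attacker loop: collects usernames reported as taken, stops when refused."""
    found = []
    for candidate in wordlist:
        try:
            if not checker(client, candidate):
                found.append(candidate)
        except PermissionError:
            break
    return found

def harvest(checker, wordlist, session_cookie="valid-session"):
    """Chains both weaknesses: enumerate, then pull each profile with one session."""
    return {u: profile_for(u, session_cookie) for u in enumerate_users(checker, wordlist)}

if __name__ == "__main__":
    wordlist = ["alice", "carol", "dave", "erin", "frank", "grace", "bob"]  # constructed
    print("unlimited:", harvest(username_available_unlimited, wordlist))
    limited = make_limited_checker(limit=5, window=60.0, clock=lambda: 0.0)
    print("limited:", enumerate_users(limited, wordlist))
```

Rate limiting alone only slows the first step; the authorization fix in `profile_for_fixed` is what removes the data exposure, which is why both bugs needed separate patches.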
The state of ransomware in Q1
According to Coveware’s Quarterly Ransomware Report, Q1 saw the average ransomware payment increase 42% from Q4 2020 to $220,298, with the median payment up 59% to $78,398. While these are considerable increases, both figures remain below the peaks in ransom payments seen in Q3 2020. A small number of very high ransoms tied to the Clop ransomware group pulled the average higher. Data-extortion ransomware attacks continued to gain in popularity, now accounting for 77% of all ransomware attacks, up 10% on the quarter. Remote desktop compromise was the most common initial-access vector, surpassing email phishing; it made up just under 50% of all attacks and was most prevalent in organizations with over 10,000 employees.