Guardicore Labs discovers a previously unknown botnet

Security researchers at Guardicore Labs announced the discovery of what they believe to be a previously undiscovered botnet. Dubbed FritzFrog, the botnet uses propriety code to infect SSH servers with in-memory payloads, then gather multiple infected servers into a peer-to-peer network. The researcher first spotted the botnet in January and believe it has infected over 500 servers including US and European universities, and a railroad company. 

(Ars Technica)

CISA releases details on a new North Korean trojan

The Cybersecurity and Infrastructure Security Agency and the FBI published a report detailing a new remote access trojan used by government-backed North Korean attackers, called BLINDINGCAN. The report details the trojan is delivered through XML documents and DLLs, with the ability to remove itself from compromised systems and clean its traces to avoid detection. The trojan is linked to the hacking organizations Lazarus Group and APT38.

(Bleeping Computer)

Facebook enforces a ban on groups that discuss “potential violence”

Facebook announced it removed 790 QAnon groups from its platform, as well as restricting another 1,950 groups, 440 pages and more than 10,000 Instagram accounts related to the conspiracy theory. Facebook also blocked the hastags #digitalarmy and #thestorm. According to data from the New York Times, activity on the largest of these groups increased 200 to 300% in the last six months. The move was part of a new policy at Facebook to take down groups that discuss “potential violence,” as well as preventing such groups from buying ads on the platform. As part of the new policy, Facebook will also remove 980 groups related to Antifa and various militia groups. 

(New York Times)

Bloomberg publishes a look into ransomware negotiations

Bloomberg detailed the negotiations between the University of California at San Francisco with a ransomware organization that encrypted servers from the school’s epidemiology and biostatistics department used in COVID-19 research. The attackers initially asked UCSF for a $3 million ransom with a three day deadline before the price doubled. The attackers threatened to release sensitive student data exfiltrated if the ransom was not paid. The attackers used the Netwalker ransomware on the university, with the university hiring a private contractor to facilitate negotiations. After four days of negotiations, UCSF agreed to a $1.14 million ransom.

(Bloomberg)

Fuzz testing is becoming more mainstream

Robert Lamos at Dark Reading looks at the emergence of fuzzing into software development pipeline. Fuzzing involves injecting code with invalid, unexpected or random data as inputs in an attempt to crash the application. He points to the acquisition of Peach Teach and Fuzzit by GitLab over the summer, as well as CloudFlaire’s announcement that it would adopt ForAllSecure’s Mayhem fuzzer in software development. Lamos points that fuzzing has not previously gained widespread adoption as it can slow DevOps timelines, and adds complexity to CI/CD workflows. Part of the recent changes are due to more mature tooling, and limiting the number of fuzzing inputs possibilities to keep complexity down. 

(Dark Reading)

Coordinated phishing attacks becoming more common

Earlier this summer, Twitter was hit by a coordinated social engineering attack that used phone spear phishing attacks to target employees with access to internal tools. Now Andy Greenberg at Wired reports that according to findings from three security firms, dozens of companies have been hit by similar attacks, including banks, cryptocurrency exchanges, and web hosting firms. The attack involves calling employees of the companies, posing as IT staff to get passwords to internal tools. The security firms say the phishing calls involve sophisticated research like targeting new and inexperienced employees, scraping org charts, and using public data from LinkedIn. Attackers then attempt to get employees to log in to a malicious portal to reveal their passwords. 

(Wired)

Palantir heads off to the centennial state

The data analytics company Palantir Technologies now lists Denver Colorado as its headquarters on its website, social media sites, and Wikipedia, seemingly relocating from Silicon Valley. CEO Alex Karp told Axios in May that a relocation was under consideration and listed Denver as a possibility. The Denver Economic Development & Opportunity department said it was aware of the relocation, but did not provide the company any incentives to do so. 

(Biz Journals)

A Microsoft survey looks at the effects of COVID-19 on cybersecurity spending

A new survey of business leaders by Mirosoft found that during the COVID-19 pandemic, multi factor authentication was the most common area of security investment, with US respondents most commonly investing in endpoint device protection. 28% of respondents had experienced a successful phishing attack, with companies utilizing mostly on-prem infrastructure seeing the most successful attacks. 58% of respondents reported increased cybersecurity budgets since the start of the pandemic. (Microsoft)