LastPass confirms credential stuffing attack against its users
Password manager app LastPass confirmed Tuesday that a threat actor has launched a credential stuffing attack against its users in an attempt to gain access to their cloud-hosted password vaults. Users noticed the attack after receiving email alerts from LastPass indicating that it blocked a login attempt with a correct master password from a foreign IP address, typically based in Brazil. Security researcher Bob Diachenko claims that the attack may be more than just credential stuffing, indicating that hackers may have used a compromised database that leaked LastPass account master passwords. The company said it had not seen any evidence that accounts were successfully compromised in the attack.
Alexa issues deadly challenge to 10-year-old girl
After being asked by a 10-year-old girl to provide a challenge, Amazon’s Alexa voice assistant told the girl to “Plug in a phone charger about halfway into a wall outlet, then touch a penny to the exposed prongs.” The girl’s mother noted that the smart speaker suggested partaking in the challenge that it had “found on the web.” The dangerous activity, known as “the penny challenge”, began circulating on TikTok and other social media websites about a year ago. Amazon issued a statement indicating it had updated Alexa to prevent the assistant from recommending such activity in the future.
Apple aims to retain talent with up to $180,000 bonuses
According to inside sources, Apple informed its high-performing engineers that they would receive out-of-cycle bonuses ranging from $50,000 to $180,000 in the form of restricted stock units which vest over a period of four years. While Apple has historically awarded cash bonuses to employees, the size of the latest stock grants is atypical and surprisingly timed. The bonus program has irked some engineers who did not receive the shares. Apple appears to be waging a talent war with Silicon Valley companies, particularly Meta, which has hired roughly 100 engineers from Apple over the last few months.
Next Log4j version released to fix new RCE bug
On Tuesday, Apache released Log4j version 2.17.1 for Java 8, which fixes a newly discovered remote code execution (RCE) vulnerability in 2.17.0. The new RCE bug, tracked as CVE-2021-44832 and rated Moderate, takes advantage of the lack of controls on JNDI access in Log4j. The bug represents the fifth Log4j vulnerability since the original Log4Shell vulnerability (CVE-2021-44228), which threat actors began actively exploiting around December 9th, after an exploit surfaced on GitHub. Log4j users are advised to immediately upgrade to the latest release.
Thanks to our episode sponsor, Lookout
Threat actors abuse MSBuild to execute Cobalt Strike
Over the past week, Morphus Labs security researcher Renato Marinho says two different malicious campaigns were observed abusing the Microsoft Build Engine (MSBuild), which is designed to build Windows applications. The campaigns leverage a malicious MSBuild project which compiles and executes C# code that, in turn, executes Cobalt Strike. Threat actors typically use a valid remote desktop protocol (RDP) account to access the target network, then move laterally using remote Windows Services (SCM), and abuse MSBuild to execute the Cobalt Strike Beacon payload. To protect against these campaigns, Marinho recommends organizations set a Windows Defender Application Control (WDAC) policy to block Microsoft-signed applications that allow execution of other code.
DOJ grant upgrades surveillance in Indiana school district
The Department of Justice has awarded nearly $126 million to 153 schools across the country to advance school safety. The Hanover Community School Corporation, located in Indiana, plans to use their $350,000 grant to outfit its five district buildings with a new video surveillance system which can provide analytics and facial recognition. The STOP School Violence Act was enacted in 2018, and gives the Justice Department the authority to provide grants to states, local governments, Indian tribes, and public agencies to help better protect against acts of violence in schools.
New Flagpro malware used by APT to attack Japanese firms
The BlackTech APT (advanced persistent threat) group, thought to be China-based, has been spotted targeting Japanese companies using new malware called ‘Flagpro’. The infection chain begins with a phishing email carrying a password-protected ZIP or RAR attachment that creates the Flagpro executable in the startup directory. According to a report by NTT Security, Flagpro has been deployed against Japanese firms since at least October 2020; however, a new version of Flagpro has now been identified, capable of automatically closing dialogs related to establishing external connections in order to conceal its presence from the victim.
Is your child’s Christmas present spying on you?
Many people found it charming when Mattel upgraded its classic Fisher-Price Chatter telephone for its 60th anniversary in October with actual Bluetooth capabilities, so grownups can also use the toy to make actual mobile phone calls. However, a team at Pen Test Partners revealed that the implementation of Bluetooth used in the toy does not pair securely, allowing for audio bugging by anyone nearby while its Chatter feature is in use. Because the audio functions of the Chatter telephone will only allow bugging if the handset is picked up, adults should supervise use of the toy, ensuring the handset is always replaced and that the toy is turned off when not in use.