SolarWinds breach now linked to Turla
This comes from an analysis of the Sunburst backdoor by researchers at Kaspersky. The backdoor used in the supply-chain attack shows a number of code similarities to the Kazuar backdoor, which Palo Alto Networks first documented in 2017 and which has been used in cyberespionage campaigns as part of the Turla APT group's toolset. The similarities include the sleeping algorithm, the extensive use of the FNV-1a hash, and the algorithm used to generate unique victim identifiers. While none of these features is unique on its own, the researchers note that Kazuar has kept evolving since it was first discovered and now more closely resembles Sunburst, and that the number of overlaps is too suspicious to dismiss as coincidence.
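The item names FNV-1a as one of the shared traits. The following is an added reference implementation of the algorithm (not code from Kaspersky's analysis or from either malware family) with the published test vectors, so an analyst comparing samples has a baseline to check constants and variant against; the wordlist lookup at the end is the generic reason malware tends to use such hashes at all (storing hashes of names rather than the names), and it is illustrated here with a constructed wordlist, not with anything the page reports about Sunburst or Kazuar.

```python
from typing import Callable, Dict, Iterable, Optional

# Standard FNV parameters (public constants, not sample-specific).
FNV32_OFFSET, FNV32_PRIME = 0x811C9DC5, 0x01000193
FNV64_OFFSET, FNV64_PRIME = 0xCBF29CE484222325, 0x00000100000001B3


def fnv1a_32(data: bytes) -> int:
    """FNV-1a, 32-bit: XOR each byte into the state, then multiply by the prime."""
    h = FNV32_OFFSET
    for b in data:
        h = ((h ^ b) * FNV32_PRIME) & 0xFFFFFFFF
    return h


def fnv1a_64(data: bytes) -> int:
    """FNV-1a, 64-bit: same structure, 64-bit offset basis and prime."""
    h = FNV64_OFFSET
    for b in data:
        h = ((h ^ b) * FNV64_PRIME) & 0xFFFFFFFFFFFFFFFF
    return h


def fnv1_64(data: bytes) -> int:
    """Plain FNV-1 (multiply first, then XOR). The operation order is the only difference
    from FNV-1a, but every digest changes, so when matching constants across samples you
    must know which variant each one implements."""
    h = FNV64_OFFSET
    for b in data:
        h = ((h * FNV64_PRIME) & 0xFFFFFFFFFFFFFFFF) ^ b
    return h


def resolve_hashes(targets: Iterable[int], wordlist: Iterable[str],
                   hasher: Callable[[bytes], int] = fnv1a_64,
                   encoding: str = "utf-8") -> Dict[int, Optional[str]]:
    """Generic reversal by wordlist: a non-cryptographic hash of a small input space
    (process or service names) is recovered by hashing candidates and comparing.
    Unresolved targets map to None."""
    table = {hasher(w.encode(encoding)): w for w in wordlist}
    return {t: table.get(t) for t in targets}


if __name__ == "__main__":
    # Constructed wordlist; the target hashes are derived from it for the demo.
    candidates = ["procmon.exe", "wireshark.exe", "autoruns.exe"]
    targets = [fnv1a_64(b"procmon.exe"), 0xDEADBEEF]
    for h, name in resolve_hashes(targets, candidates).items():
        print(f"{h:016x} -> {name}")
```

Hash constants in a disassembly are the quickest tell: 0x811C9DC5 / 0x01000193 for the 32-bit variant, 0xCBF29CE484222325 / 0x100000001B3 for 64-bit. Note that a sample may XOR the final digest with a fixed key or use a non-UTF-8 encoding (UTF-16LE is common on Windows), in which case the wordlist lookup must apply the same transform before comparing.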
UK ruling limits the reach of “general warrants”
The High Court of England and Wales ruled that “general warrants” cannot be used to authorize blanket “equipment interference”: warrants of this kind had been used to name an entire group of people, together with whatever hackable devices they used, as a single targeted “class”. The case was brought by Privacy International and overturns an earlier ruling by the Investigatory Powers Tribunal. General warrants can still be used to authorize equipment interference by British authorities, but each device to be interfered with must now be specified in the warrant itself.
UN data breach exposes staff records
The security research group Sakura Samurai disclosed that it discovered and cloned exposed Git directories and credentials associated with the United Nations Environment Programme (UNEP) and the International Labour Organization, giving it access to records on over 100,000 employees as well as UNEP's source code base. The exposed information included employee IDs, names, start and end dates, approval statuses, employee evaluations, and demographic data. The researchers reported their findings to the UN's Vulnerability Disclosure Program on January 4th and the exposure was quickly fixed, but given how easy the data was to obtain, it is likely that threat actors had already taken it.
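An exposed .git directory is found by requesting well-known paths under a web root, and the credentials typically come from remote URLs in .git/config that embed a username and token. Below is an added, self-contained check (not Sakura Samurai's tooling and not the UN's code) that anyone can run against their own sites; the hostnames, the fake responses and the config contents are constructed for the demo. It matches on the content of .git/HEAD rather than on a 200 status, because single-page apps and catch-all routes answer 200 with HTML for any path.

```python
import re
from typing import Callable, Dict, List, Tuple
from urllib.error import HTTPError, URLError
from urllib.parse import urlsplit
from urllib.request import Request, urlopen

Fetcher = Callable[[str], Tuple[int, str]]

# A real .git/HEAD is either a symbolic ref or, for a detached HEAD, a bare SHA-1.
HEAD_RE = re.compile(r"^(ref: refs/\S+|[0-9a-f]{40})$")
URL_LINE_RE = re.compile(r"^\s*url\s*=\s*(\S+)", re.IGNORECASE)


def default_fetch(url: str) -> Tuple[int, str]:
    """Plain HTTP GET returning (status, body); HTTP errors become their status code."""
    req = Request(url, headers={"User-Agent": "git-exposure-check/1.0"})
    try:
        with urlopen(req, timeout=10) as resp:
            return resp.status, resp.read(65536).decode("utf-8", errors="replace")
    except HTTPError as e:
        return e.code, ""
    except URLError:
        return 0, ""


def looks_like_git_head(body: str) -> bool:
    """Content check: the first non-empty line must be a ref line or a commit hash."""
    lines = body.strip().splitlines()
    return bool(lines) and HEAD_RE.match(lines[0].strip()) is not None


def credentialed_remotes(config_text: str) -> List[Tuple[str, str]]:
    """Return (host, username) for every remote URL in a .git/config that embeds userinfo.
    The secret itself is deliberately not returned so the report can be shared."""
    found = []
    for line in config_text.splitlines():
        m = URL_LINE_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group(1))
        if parts.username or parts.password:
            found.append((parts.hostname or "", parts.username or ""))
    return found


def check_git_exposure(base_url: str, fetch: Fetcher = default_fetch) -> Dict[str, object]:
    """Probe <base_url>/.git/HEAD; if it is a real HEAD, also inspect .git/config."""
    base = base_url.rstrip("/")
    status, head = fetch(base + "/.git/HEAD")
    exposed = status == 200 and looks_like_git_head(head)
    report: Dict[str, object] = {"exposed": exposed, "credentialed_remotes": []}
    if exposed:
        status, config = fetch(base + "/.git/config")
        if status == 200:
            report["credentialed_remotes"] = credentialed_remotes(config)
    return report


# Constructed responses standing in for a misconfigured web root (hypothetical hosts, not real data).
_FAKE_SITE = {
    "https://app.example.test/.git/HEAD": (200, "ref: refs/heads/main\n"),
    "https://app.example.test/.git/config": (
        200,
        "[core]\n\trepositoryformatversion = 0\n"
        "[remote \"origin\"]\n"
        "\turl = https://deploy:s3cr3t-token@git.example.test/portal.git\n"
        "\tfetch = +refs/heads/*:refs/remotes/origin/*\n",
    ),
    # Catch-all route: 200 for every path, but the body is HTML, so it must not count.
    "https://spa.example.test/.git/HEAD": (200, "<!doctype html><html><body>app</body></html>"),
}


def fake_fetch(url: str) -> Tuple[int, str]:
    return _FAKE_SITE.get(url, (404, ""))


if __name__ == "__main__":
    for site in ("https://app.example.test", "https://spa.example.test"):
        print(site, check_git_exposure(site, fake_fetch))
```

To run it against a real host, call `check_git_exposure("https://your-site")` with the default fetcher. A positive result means the whole history is retrievable (tools that reconstruct a repository from the object store exist), so the fix is to deny access to `.git` at the web server and, if the config contained credentials, to rotate them: removing the directory does not undo a leak that has already been crawled.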
BitDefender releases ransomware decryptor
The Romanian cybersecurity firm released a free decryptor for files and systems encrypted by the DarkSide ransomware. DarkSide is a ransomware-as-a-service operation that has been active since August 2020, with a spike in activity between October and December. The tool lets users scan specific folders or an entire system and automatically decrypts the selected files. While the tool will help in recovering systems, a decryptor does nothing about data already stolen: DarkSide and other ransomware operators are increasingly relying on the threat of leaking exfiltrated files as a second source of ransom payments.
Thanks to our episode sponsor, IT Asset Management Group
Turkey investigating change to WhatsApp data sharing
Turkey’s antitrust board launched an investigation into Facebook and WhatsApp over the previously announced changes to WhatsApp’s terms of service, which allow the messaging app to share data with other Facebook companies and were set to take effect on February 8th with no opt-out. The regulator said it was halting that implementation pending the investigation, saying the change would mean “more data being collected, processed and used by Facebook.”
Security researcher archives Parler before it went offline
Before Amazon Web Services cut off service to the social network Parler, a security researcher using the Twitter handle @donk_enby archived the vast majority of the site, claiming to have saved 99.9% of its content. The researcher’s initial goal was to archive all posts from January 6th, the day of the violent Capitol riot, and the scope expanded quickly once it became clear the site was about to go offline. The data collected includes 1.1 million videos with all of their associated metadata, such as the GPS coordinates of where each video was captured. In all the archive exceeds 56 TB, and the researcher said the eventual plan is to host it on the Internet Archive.
New tool sheds light on AppleScript malware
The cybersecurity firm SentinelOne released an Apple Event decompiler, AEVT, built to help organizations analyze cryptomining malware that uses AppleScript to automate the stages of its deployment. The scripts in question were compiled as run-only AppleScript, which omits the original source text, so the contextual clues that typical static analysis relies on are simply not present and standard decompilation recovers nothing. SentinelOne says the OSAMiner campaign it analyzed with AEVT has been running for five years, as the AppleScript vector has escaped typical security analysis. AEVT is built on a reverse-engineering of the compiled AppleScript format, letting researchers take the disassembled code and translate it back into readable AppleScript source. SentinelOne hopes the tool will make it easier to get visibility into the growing world of AppleScript-based malware.
Microsoft releases new security-focused Surface
The company announced the Surface Pro 7+ for Business, an incremental update to its tablet PC line available to commercial and education customers. The Surface Pro 7+ offers 11th-gen Intel processors and optional LTE but keeps the same form factor as the standard Pro 7 for compatibility with accessories. Non-LTE versions start at $899 and LTE models at $1,149; all come with user-removable SSDs and can be optioned up to 32 GB of RAM and 1 TB of storage. Windows enhanced hardware security features are enabled out of the box by default, including virtualization-based security (VBS) and hypervisor-protected code integrity (HVCI): VBS uses the hypervisor to isolate a secure region of memory from the normal operating system, and HVCI uses that isolation to block unsigned or untrusted kernel-mode code, blunting traditional privilege-escalation attacks. The Surface Pro 7+ is available in markets across North America, Europe and Asia later this week.