Israeli firm uses Windows zero-days to deploy spyware

Microsoft and Citizen Lab have linked Israeli spyware company Candiru (also tracked as Sourgum) to new Windows spyware dubbed DevilsTongue, deployed using now-patched Windows zero-day vulnerabilities. “Candiru is a secretive Israel-based company that sells spyware exclusively to governments,” explained Citizen Lab, and its spyware can infect and monitor iPhones, Androids, Macs, PCs, and cloud accounts. Citizen Lab also tied over 750 websites to Candiru’s spyware infrastructure, finding that many of these domains mimicked those of media companies and advocacy organizations, including Amnesty International and Black Lives Matter.

(Bleeping Computer)

Cyberattacks increased 17% in Q1 of 2021, with 77% being targeted attacks

This, according to a new Positive Technologies Cybersecurity Threatscape Q1 2021 report. Cybercriminals typically attacked government institutions, industrial companies, and science and education institutions. The main motive for attacks on both organizations and individuals remains the acquisition of data. Other findings in the report include: ransomware is still the malware most often used by attackers; the most popular vulnerabilities for attackers this quarter were in Microsoft Exchange Server, Accellion, and SonicWall VPN; and more cybercriminals are developing malware to conduct attacks on virtualization environments.

(Security Magazine)

Another unpatched bug in Windows print spooler

Microsoft is warning of another vulnerability in its Windows Print Spooler that can allow attackers to elevate privileges and gain full user rights on a system. This follows Microsoft’s patching of two other remote code-execution (RCE) bugs that collectively became known as PrintNightmare. Microsoft released the new advisory late Thursday for the vulnerability tracked as CVE-2021-34481, and credited Dragos vulnerability researcher Jacob Baines with identifying the issue. The vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations.

(ThreatPost)

While employees work remotely, attackers target their IoT devices left in the office

A new survey released by Zscaler examined over 575 million device operations and 300,000 malware attacks on IoT devices, and determined that nearly 76% of these IoT devices are still connected and maintaining communication with their companies’ networks on unencrypted plain text channels, posing severe security risks to businesses. Most attack traffic was reported on IoT devices in manufacturing and retail sectors (59%), including GPS trackers, 3D printers, automotive multimedia systems, barcode readers, PoS terminals, and other data collection devices. The report is available at info.zscaler.com.

(CISOMag)

Thanks to our episode sponsor,
Varonis

Still in the news is REvil’s ransomware attack on Kaseya VSA servers. Varonis is here to help mitigate the blast radius of such attacks. Want a step-by-step guide on what you should be looking for? Visit varonis.com/risk to help make sure your data is protected.

US government launches plans to cut cybercriminals off from cryptocurrency

The Treasury Department has announced it will support the implementation of money laundering requirements for virtual currency exchanges and the building of partnerships with the industry to track the currency in real time. The Financial Crimes Enforcement Network will announce a new public-private information sharing group that will include financial institutions, technology firms, third-party service providers and federal government agencies. “The exploitation of virtual currency to launder ransomware proceeds is without question, facilitating ransomware,” a senior administration official told reporters. “There’s inadequate international regulation of virtual currency activity, which is a key factor in how cybercriminals are able to launder their funds, demand ransomware payments and fuel sophisticated cybercrime as a service business model.”

(Cyberscoop)

Hackers get past Windows Hello by tricking the webcam

Researchers at CyberArk were able to dupe the facial recognition intelligence used in Windows Hello. The Microsoft facial recognition system works with an array of third-party webcams, but only those that have an infrared sensor in addition to the regular RGB sensor. But CyberArk discovered that Windows did not look at the RGB data, which allowed them to easily unlock the victim’s Windows Hello–protected device. Microsoft calls the finding a “Windows Hello security feature bypass vulnerability” and released patches on Tuesday.

(Wired)

Cyberattack on Moldova’s Court of Accounts destroyed public audits

Moldova’s “Court of Accounts” has suffered a cyberattack that led to the agency’s public databases and audits being destroyed. The Court of Accounts of Moldova is a government authority that audits public financial resources and government agencies for compliance with international standards. Yesterday, Moldova’s state news agency Moldpres reported on behalf of the Court of Accounts that its website was hacked and that threat actors destroyed audit reports and other public data. The attack has led the agency to shut down its website while the incident is investigated and the data is restored.

(Bleeping Computer)

AI narration of chef Anthony Bourdain’s voice sparks debate

A new documentary about Anthony Bourdain has ignited a debate after film-makers revealed they had used an AI simulation of the late chef’s voice. Director Morgan Neville said that the synthetic voice was created by feeding more than 10 hours of Bourdain’s voice into a machine-learning system. “There were a few sentences that [Bourdain] wrote that he never spoke aloud,” he told Variety. Although the narration technique was used in the film with the support of Bourdain’s estate and literary agent, some reviewers have questioned the ethics behind it, calling it a deepfake.

(BBC News)