Cyber Security Headlines – July 26, 2021

French president pushes for Israeli inquiry into NSO spyware concerns

Emmanuel Macron has reportedly spoken to the Israeli prime minister, Naftali Bennett, to ensure that the Israeli government is properly investigating allegations that the French president could have been targeted with Israeli-made spyware by Morocco’s security services. In a phone call, Macron expressed concern that his phone and those of most of his cabinet could have been infected with the Pegasus hacking software developed by the Israeli surveillance firm NSO Group, which enables operators of the tool to extract messages, photos and emails, record calls and secretly activate microphones from infected devices. NSO has said Macron was not a “target” of any of its customers, meaning the company denies he was selected for surveillance using Pegasus.

(The Guardian)

Microsoft shares mitigations for new PetitPotam NTLM relay attack

PetitPotam is a new NTLM relay attack that allows taking over a domain controller or other Windows servers. The attack uses the Microsoft Encrypting File System Remote Protocol (EFSRPC) to force a device, including domain controllers, to authenticate to a remote NTLM relay controlled by a threat actor, who can then steal the hash and certificates to assume the identity of the device and its privileges. Discovered by French security researcher Gilles Lionel (Topotam77), the method was disclosed this week along with a proof-of-concept (PoC) script. Microsoft quickly published a security advisory; however, some security specialists have criticized the mitigation, claiming it is insufficient.

(Bleeping Computer)

Fake Windows 11 installers already distributing malware

Scammers are already taking advantage of the hype surrounding Microsoft’s next Windows release to push fake Windows 11 installers riddled with malware, adware, and other malicious tools. While Windows 11 will start rolling out worldwide during early 2022, Microsoft has already made it available for install to all customers enrolled in the Insider program after officially unveiling it as the next version of Windows last month. However, hundreds of users who already downloaded installers from unofficial sources are getting infected with malware, as Kaspersky security researchers discovered.

(Bleeping Computer)

Akamai outage was not a cyberattack

A global internet outage on Thursday that downed tens of thousands of websites, including those of giant corporations like McDonald’s and Delta Airlines, was not the result of a hack, data breach or other kind of malicious attack. According to a statement, the issue, which was quickly fixed, was the result of a software configuration update that triggered a bug in the DNS system, Akamai Edge DNS.

(CyberScoop)

Thanks to our episode sponsor,
Varonis

Still in the news is REvil’s ransomware attack on Kaseya VSA servers. Varonis is here to help mitigate the blast radius of such attacks. Want a step-by-step guide on what you should be looking for? Visit varonis.com/risk to help make sure your data is protected.

XCSSET macOS malware evolves, stealing login information from Telegram and Google Chrome

Security researchers from Trend Micro continue to monitor the evolution of this malware, which allows hackers to copy the Telegram GroupContainers folder onto another machine to act on behalf of the legitimate owner of the account, and which can also steal passwords from Google Chrome using the Safe Storage Key, which is stored in “Chrome Safe Storage,” and send them to a command and control server. It is believed that the code will also be able to target Evernote, Opera, Skype and WeChat.

(Security Affairs)

Kaseya gets universal decryptor to help REvil ransomware victims

Nearly three weeks after Florida-based software vendor Kaseya was hit by a widespread supply-chain ransomware attack, the company on Thursday said it had obtained a universal decryptor to unlock systems and help customers recover their data. The company said in a statement that it had obtained the tool from a third party and had no reports of any problems or issues associated with it. It is still not clear whether Kaseya paid any ransom, but it is worth noting that REvil affiliates had initially demanded $70 million, which was subsequently lowered to $50 million, after which REvil itself disappeared.

(The Hacker News)

Japanese computers hit by a wiper malware ahead of 2021 Tokyo Olympics

Researchers from the Japanese security firm Mitsui Bussan Secure Directions (MBSD) discovered an Olympics-themed malware that implements wiping capabilities, The Record reported. The code was specifically designed to target Japanese PCs and was detected ahead of the opening ceremony of the 2021 Tokyo Olympics. The actual attack vector appears to be a malicious executable disguised as a PDF file, named “[Urgent] Damage report regarding the occurrence of cyber attacks, etc. associated with the Tokyo Olympics.exe”. The malware also implements evasion and anti-analysis capabilities to prevent the malicious code from being analyzed.

(Security Affairs)

Internet rot brings porn to the Washington Post

A cautionary tale: news sites including The Washington Post and New York magazine found out they had been displaying pornography on some of their older pages. This was due to a video platform called Vidme, which had operated between 2014 and 2017, but whose domain had since been purchased by an adult site called 5 Star Porn HD. Web pages that still carried a Vidme player embedded from the time the service was active began showing thumbnails of graphic sexual content instead of whatever had originally been there. As Motherboard notes, it is an amusing example of a serious problem: the rotting infrastructure of the internet at large.

(Vice)


Steve Prentice
Author, speaker, expert in the area where people and technology crash into each other, viewed from the organizational psychology perspective. Host of many podcasts, voice actor and narrator for corporate media and audiobooks. Ghost-writer for busy executives.