FBI warns of malware in search ads
A new public service announcement from the law enforcement agency warned of threat actors purchasing search engine ads that spoof legitimate businesses and services. These ads link to malicious sites that prompt downloads with names suggesting the software belongs to the spoofed company. Instead, the sites act as phishing platforms targeting financial and cryptocurrency transactions. The FBI clarified that search engine ads aren’t inherently malicious, but users should exercise caution when accessing sites through them.
Guardian hit with suspected ransomware
The British newspaper stalwart confirmed a “serious IT incident” hit its systems over the last 24 hours, suspected to be a ransomware attack. Online publishing remains unaffected, but the paper shifted to remote work as it experienced disruption “behind the scenes.” The paper remained confident it could produce a print edition for December 22nd. No word yet on whether any data was stolen, whether there has been a ransom demand, or which group orchestrated the attack.
Attackers grab Okta source code
The authentication service provider disclosed that a malicious actor accessed its private GitHub repositories this month. According to email notifications seen by Bleeping Computer, the incident resulted in stolen source code. Okta says the attackers did not gain access to its services or customer data, and that it does not rely on the confidentiality of its source code as a means to secure its services. The accessed repositories appear related to Okta Workforce Identity Cloud, not its Auth0 Customer Identity Cloud product. Earlier this year, Okta also disclosed a breach of its administrative consoles and customer data in January, and a leak of older Auth0 source code in September.
Ecco leaked sensitive data for over 500 days
Researchers at Cyber News discovered that the global shoe manufacturer and retailer Ecco left a Kibana instance exposed online, holding a combined 60GB of sensitive sales and system data in Elasticsearch. Anyone with access could view, edit, copy, or delete the data. A misconfiguration allowed anyone to reach the data through its API. Historical data shows the instance was accessible as early as June 4, 2021. Cyber News contacted Ecco about the error ahead of the story; it never received a reply, but the instance was taken offline before publication.
And now a word from our sponsor, Tines
Eufy makes security changes
Eufy security cameras made a name for themselves by promising that data would be stored locally with end-to-end encryption. Earlier this year, security researchers discovered that unencrypted feeds from its cameras could be accessed and that thumbnails of camera images were uploaded to its cloud. Now, in a blog post, Anker’s Eufy security brand admitted its Security Live View feature has a security flaw. It claimed the issue exposed no user data. The company also announced it will only allow viewing live streams through its secure Web portal while logged in. The company will also advise users that they have a choice of local or cloud push notifications. Enabling cloud push notifications uploads thumbnails of camera images to Eufy’s servers.
Ukraine intercepts Russian calls from the front
The Guardian highlighted that the Ukrainian military eavesdropped on calls made by Russian soldiers on the front lines. These are calls made over personal cell phones, and they route through a Ukrainian telecom provider, making them easy for the military to intercept. Earlier in the conflict, Russian communications often used open radio frequencies, leaking communications from military commands. Since the initial invasion, experts say Russian communications security has improved, but it remains vulnerable due to soldiers’ use of consumer phones. Some of these calls expose military intelligence, and Ukraine releases to the press any calls that have propaganda value.
The business of scam darkweb markets
Sophos’ Matt Wixey wrote up a look at a surprisingly coordinated scam involving the Genesis Market. Genesis lives on the Tor network, but Wixey noticed ads for it in search engines and on Reddit that pointed to a clearnet site. Rather than being invitation-only like the real Genesis Market, these sites asked for a $100 deposit for access, paid in Monero or Bitcoin. Overall, the team discovered twenty similar sites registered between August 2021 and June 2022 that seemed to be operated by the same group, all imitating existing or defunct dark web markets. The addresses linked to across all the sites received over $132,000 in cryptocurrency.
A look at cyber skill demand
According to a recent Kaspersky survey, reverse engineering malware took the top spot among skills InfoSec specialists wanted to advance in 2022. Looking at training session data, over 45% of participants showed interest in improving that skill. Meanwhile, 28% of participants took classes on YARA rules, while 27% signed up for courses on incident response, malware analysis, and product security assessments. Overall, the report found that while the number of new cybersecurity programs grew rapidly, demand for cyber professionals still outstripped the supply of skilled workers.