Cyber Security Headlines – March 18, 2021

Telcos targeted by Chinese attackers

Researchers at McAfee report that a hacking group known as Mustang Panda and RedDelta, known to operate out of China, has targeted at least 23 telcos across Southeast Asia, Europe and the United States since August 2020. Initial vectors for attacks are still unknown, but the campaign appears to direct employees at the telcos to a malicious phishing domain, where the Cobalt Strike backdoor is installed. It’s believed the attackers are attempting to steal sensitive information around 5G technology. The phishing site appears as a Huawei career site, but the researchers were clear that Huawei was not associated with the campaign. 

(ZDNet)

Mimecast source code stolen by SolarWinds attackers

The email security company confirmed that attackers exploiting the supply-chain attack on SolarWinds’ Orion platform downloaded source code from a limited number of repositories. In addition, the threat actors were able to obtain Mimecast-issued certificates and related customer server connection information, a subset of email addresses, as well as hashed and salted credentials. Mimecast said it did not believe any production software was impacted, and that the source code stolen was insufficient to develop a working version. Mimecast already reset all stolen credentials, impacting roughly 10% of its customers. 

(Bleeping Computer)

Hiding data in Twitter images

Programmer David Buchanan demonstrated that it was possible to store up to 3MB of data in an image posted to Twitter, with demonstrations using MP3 files as well as a Zip archive containing PNGs. Previewing the files showed the image as normal, but all that was required to access the underlying data was to change the file extension after download. Ordinarily, Twitter compresses image files at upload. However, Buchanan found that data appended to the end of the DEFLATE stream was not removed by Twitter’s processing. We reported yesterday on cybercriminals storing stolen credit card info in a JPG file, so the security implications aren’t hard to imagine. 

(Bleeping Computer)
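The technique above works because a PNG decoder stops reading once the DEFLATE stream inside the IDAT chunks signals end-of-stream, so anything after that marker (or after the IEND chunk) is carried along but never rendered. The following added example, which is not Buchanan's code or anything from the article, shows the check a defender can run on uploaded or downloaded PNGs: it parses the chunk structure, inflates the IDAT data, and reports how many bytes sit past the end of the compressed stream and how many trail the IEND chunk. The sample images are constructed in the code itself (a tiny greyscale PNG with a hypothetical payload in each location); `build_png`, `analyze_png` and `is_suspicious` are names chosen here, not part of any library.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype: bytes, body: bytes) -> bytes:
    """Serialize one PNG chunk: big-endian length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def build_png(width: int, height: int, extra_in_idat: bytes = b"", trailing: bytes = b"") -> bytes:
    """Constructed sample: a minimal 8-bit greyscale PNG (hypothetical, not a real upload).

    extra_in_idat is appended to the zlib stream inside the IDAT chunk, the spot the
    article says survives Twitter's processing; trailing models the classic stash of
    bytes after IEND, which a re-encoder normally drops.
    """
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)  # depth 8, colour type 0 (grey)
    raw = b"".join(b"\x00" + bytes([0x80]) * width for _ in range(height))  # filter byte + pixels per row
    idat_body = zlib.compress(raw) + extra_in_idat
    return (PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat_body)
            + _chunk(b"IEND", b"") + trailing)


def parse_chunks(png: bytes):
    """Return (list of (type, data), offset just past IEND). Validates each chunk CRC."""
    if not png.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    chunks, pos = [], len(PNG_SIGNATURE)
    while pos + 12 <= len(png):
        length, ctype = struct.unpack(">I4s", png[pos:pos + 8])
        data = png[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", png[pos + 8 + length:pos + 12 + length])
        if len(data) != length or crc != zlib.crc32(ctype + data) & 0xFFFFFFFF:
            raise ValueError(f"truncated or corrupt chunk {ctype!r} at offset {pos}")
        chunks.append((ctype, data))
        pos += 12 + length
        if ctype == b"IEND":
            return chunks, pos
    raise ValueError("no IEND chunk")


def analyze_png(png: bytes) -> dict:
    """Report the two places a PNG can carry bytes the decoder never looks at.

    idat_unused_bytes: bytes left inside IDAT after the zlib end-of-stream marker and
    Adler-32 checksum (the location described in the article). trailing_bytes: bytes
    after IEND. decoded_size_ok: the inflated data is exactly height * (width + 1)
    bytes, i.e. the picture itself is intact and the surplus is not part of it.
    """
    chunks, end = parse_chunks(png)
    ihdr = next(d for t, d in chunks if t == b"IHDR")
    width, height = struct.unpack(">II", ihdr[:8])
    idat = b"".join(d for t, d in chunks if t == b"IDAT")
    inflater = zlib.decompressobj()
    pixels = inflater.decompress(idat) + inflater.flush()
    return {
        "idat_unused_bytes": len(inflater.unused_data),  # everything past the zlib stream
        "trailing_bytes": len(png) - end,
        "decoded_size_ok": len(pixels) == height * (width + 1),
    }


def is_suspicious(png: bytes, threshold: int = 0) -> bool:
    """True if either hiding spot holds more than `threshold` bytes."""
    r = analyze_png(png)
    return r["idat_unused_bytes"] > threshold or r["trailing_bytes"] > threshold


if __name__ == "__main__":
    for name, sample in [
        ("clean", build_png(4, 4)),
        ("payload inside IDAT", build_png(4, 4, extra_in_idat=b"constructed hidden payload")),
        ("payload after IEND", build_png(4, 4, trailing=b"constructed trailer")),
    ]:
        print(f"{name:22s} {analyze_png(sample)}  suspicious={is_suspicious(sample)}")
```

The useful property for detection is that a legitimately encoded PNG has zero bytes in both spots, so any non-zero count is worth a second look; a small threshold avoids flagging encoders that pad a few bytes. The same `unused_data` check applies to any format that embeds a zlib stream, since the end-of-stream marker is what the decoder honours, not the chunk length.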

Google antitrust lawsuit looks at Privacy Sandbox

A group of 15 attorneys general, led by Texas, filed an antitrust lawsuit against Google in December, saying Google used its “monopolistic power to control pricing” with its adtech policies. An updated filing targets Google’s Privacy Sandbox initiative. The filing now questions whether, given Google’s considerable Chrome browser market share, the company’s Privacy Sandbox initiative is self-serving. Removing support for third-party cookies would follow similar moves from Mozilla and Apple, but the lawsuit argues it would require advertisers to use Google as a middleman and further entrench its advertising system. 

(The Verge)

Thanks to our episode sponsor, Trend Micro

The conversation between you and your board of directors is not always a walk in the park. With more cloud projects coming your way, it’s time to change the conversation to speak their language and start paving the way for a secure future. For more, go to http://trendmicro.com/CISO

CISA warns of Trickbot campaigns

The agency and the FBI issued a joint warning, noting a rise in recent Trickbot activity. Attackers are using email phishing campaigns to get people to install the Trickbot trojan, with CISA urging organizations to conduct training to identify these attempts, as well as block suspicious IP addresses. Trickbot has been around since 2016 as a banking trojan, and last year a Microsoft-led private industry group attempted to disrupt the Trickbot network, only to have a new version seen in the wild weeks later. 

(Dark Reading)

Telemarketers fined for a billion robocalls

The US Federal Communications Commission issued a record $225 million fine against two Texas-based telemarketers, Rising Eagle and JSquared Telecom, for being responsible for roughly 1 billion robocalls to falsely sell short-term health insurance plans. The FCC also said the companies were tied to scams involving IRS imposter calls, calls that pretend to be from Apple, false COVID-hardship programs, and fictional refunds from Amazon. The FCC also announced the formation of a “Robocall Response Team” to better coordinate efforts to reduce robocalls. 

(CNBC)

Dropbox Password manager comes to free users

The company will open its Dropbox Password manager to free Dropbox Basic accounts in April, although this will be limited to 50 passwords. Free users will be able to sync passwords across three devices, with access through browser extensions, desktop and mobile apps. The service was first introduced to paid accounts last year, and allows for unlimited syncing and storage of passwords. 

(The Verge)

Firm offers global vehicle surveillance service

The surveillance contractor Ulysses Group claims to offer access to over 15 billion vehicle locations around the world every month, able to remotely locate vehicles in real time in virtually any country outside of North Korea and Cuba. Ulysses is able to do this through vehicle telematics data, sent through embedded systems. This is usually sent to the vehicle maker or OEMs, but aggregator companies can also purchase, repackage, and resell this data. The company has not sold the service to the US government, although it has sold other surveillance solutions to the U.S. Special Operations Command. Senator Ron Wyden said his office is investigating the company as part of a larger investigation into data brokers. 

(Vice)


Rich Stroffolino
Rich Stroffolino is a podcaster, editor and writer based out of Cleveland, Ohio. Since 2015, he's worked in technology news podcasting and media. He dreams of someday writing the oral history of Transmeta.