Cyber Security Headlines – March 19, 2021

Over $4.2 billion in cybercrime losses reported to FBI in 2020

Cyber crooks went on a crime spree last year, bilking victims out of 20% more money than the year before. According to the annual report from the FBI’s Internet Crime Complaint Center (IC3), crooks are getting bolder: the largest single ransomware demand seen in 2020 was $30 million, and reported ransomware losses nearly tripled. But although ransomware tends to dominate headlines, it’s dwarfed by the money lost to business email compromise (BEC): a sum 64 times greater than that raked in by ransomware. If you lump in spoofing, which is often part of BEC, total losses were close to $2.1 billion.

(Cyberscoop)

Fake iPhone charger blows up in researcher’s face

An “iPhone” charger blew up in the face of cybersecurity researcher Andrea Stroppa. Stroppa had borrowed the charger from a friend, who had bought it through an unofficial channel on Instagram; it turned out to be a knock-off of the Apple product. It wasn’t an isolated incident: Stroppa and his colleagues at cybersecurity research firm Ghost Data Team found illicit Chinese factories selling knock-offs that look identical to Apple’s products at prices as low as a tenth of the genuine article’s. Stroppa’s friend, believing an ad that said it was an “original Apple product,” bought the charger at about a 25% discount off the $19 price of a genuine one.

(Bloomberg)

Taxpayers attacked with Trojan-inflicting phishing campaign

The US tax filing deadline has been pushed to May due to the pandemic, but phishers have already launched a tax-themed campaign that tricks people into enabling malicious Office macros that deliver either the NetWire or the Remcos Remote Access Trojan (RAT). On Thursday, Cybereason published research analyzing phishing document samples that, once opened, show blurred content and prompt victims to enable macros and editing in order to view the text. Woe to those who fall for it: if they accept, a “heavily obfuscated” macro drops a malicious .DLL payload, a dropper for one of the two Trojans, into the user’s temp directory.
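The behaviour described above (an Office process writing a DLL into a temp directory, followed by a loader executing it) is a useful hunting pattern on its own. The following detection logic is an added example written for this page, not code from Cybereason or the research it published; the event shape mirrors a minimal subset of Sysmon fields (event ID 11 FileCreate, event ID 1 ProcessCreate), the sample events are constructed, and the process and path lists are assumptions chosen for illustration rather than indicators from the campaign.

```python
"""Flag an Office process writing a DLL into a temp directory, and any
subsequent rundll32/regsvr32 execution of that DLL (Sysmon-style events)."""
import ntpath
import re
from dataclasses import dataclass

# Assumed watch lists for this example; extend to taste in a real deployment.
OFFICE_PROCS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
LOADER_PROCS = {"rundll32.exe", "regsvr32.exe"}
TEMP_DIR_RE = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)


@dataclass
class Event:
    """Minimal subset of Sysmon fields: event_id 11 = FileCreate, 1 = ProcessCreate."""
    event_id: int
    image: str                 # process that performed the action
    parent_image: str = ""     # only meaningful for ProcessCreate
    target_filename: str = ""  # only meaningful for FileCreate
    command_line: str = ""     # only meaningful for ProcessCreate


def basename(path: str) -> str:
    return ntpath.basename(path).lower()


def is_temp_dll(path: str) -> bool:
    """True for a .dll written anywhere under a \\Temp\\ or \\Tmp\\ directory."""
    return path.lower().endswith(".dll") and TEMP_DIR_RE.search(path) is not None


def detect(events) -> list[str]:
    """Walk events in time order and return alert strings for the drop/execute chain."""
    alerts = []
    dropped = set()  # lower-cased paths of DLLs written by Office processes
    for ev in events:
        if ev.event_id == 11 and basename(ev.image) in OFFICE_PROCS and is_temp_dll(ev.target_filename):
            dropped.add(ev.target_filename.lower())
            alerts.append(f"office-drops-dll: {basename(ev.image)} wrote {ev.target_filename}")
        elif ev.event_id == 1 and basename(ev.image) in LOADER_PROCS:
            cmd = ev.command_line.lower()
            loads_dropped = any(p in cmd for p in dropped)
            # A loader started directly by Office is suspicious even if we missed the drop.
            if loads_dropped or basename(ev.parent_image) in OFFICE_PROCS:
                alerts.append(
                    f"temp-dll-executed: {basename(ev.parent_image)} -> {basename(ev.image)} {ev.command_line}"
                )
    return alerts


# Constructed sample events (not real telemetry): one malicious chain, two benign events.
WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
SAMPLE_EVENTS = [
    Event(11, WORD, target_filename=r"C:\Users\alice\AppData\Local\Temp\~WRD0001.tmp"),  # benign autosave
    Event(11, WORD, target_filename=r"C:\Users\alice\AppData\Local\Temp\update.dll"),
    Event(1, r"C:\Windows\System32\rundll32.exe", parent_image=r"C:\Windows\explorer.exe",
          command_line=r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"),  # benign
    Event(1, r"C:\Windows\System32\rundll32.exe", parent_image=WORD,
          command_line=r"rundll32.exe C:\Users\alice\AppData\Local\Temp\update.dll,Start"),
]

if __name__ == "__main__":
    for line in detect(SAMPLE_EVENTS):
        print(line)
```

The correlation assumes the events are already in time order for a single host; in a real pipeline you would key `dropped` by hostname and age entries out, and the loader check should also cover DLL-load events (Sysmon event ID 7) for processes that load the dropped file without naming it on the command line.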

(ZDNet)

British man busted for selling homemade guns on the dark web

A Southampton man has been sentenced to eight years after police discovered a firearm-making workshop in his home. A raid uncovered chemicals and powders that could be used to create explosives; homemade parts for firearms; templates; a functioning, homemade stun gun; and a construction guide for a MAC-10 submachine gun. The prosecutor, Tabitha Macfarlane, said that 48-year-old Pascal Knorr-Gulde had demonstrated “significant planning” and that he had apparently tried to sell his creations on the dark web. 

(Dark Net Daily)

Thanks to our episode sponsor, Trend Micro

The conversation between you and your board of directors is not always a walk in the park. With more cloud projects coming your way, it’s time to change the conversation to speak their language and start paving the way for a secure future. For more, go to http://trendmicro.com/CISO

iOS developers targeted by new malware

SentinelOne researchers have discovered new malware, dubbed XcodeSpy, that targets iOS developers in a supply-chain attack and installs a macOS backdoor on their machines. It involves Xcode, Apple’s free integrated development environment (IDE) for building applications for macOS, iOS, tvOS, and watchOS. Threat actors are increasingly creating booby-trapped versions of popular projects in the hope that they’ll be incorporated into other developers’ applications; when those projects are built, the poisoned component infects the developer’s computer and can ride downstream into the software they ship. In this case, XcodeSpy abuses Xcode’s Run Script build phase: a trojanized project carries a malicious script that executes automatically when the developer builds the project.
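Because a Run Script build phase lives in the project file itself, the practical check before building a third-party Xcode project is to list every such phase and eyeball its script. The scanner below is an added example written for this page, not code from SentinelOne or from the XcodeSpy research: it parses the old-style plist text of a `project.pbxproj`, pulls out every `PBXShellScriptBuildPhase`, and applies a handful of heuristics that are assumptions chosen for illustration (they are not XcodeSpy indicators). The embedded sample project is constructed.

```python
"""List Run Script build phases in an Xcode project.pbxproj and flag scripts
that look obfuscated or that fetch and execute content at build time."""
import re
import sys

# Every object in a pbxproj reads "<24-hex id> /* comment */ = { ... };".
OBJECT_RE = re.compile(
    r"(?P<id>[0-9A-F]{24})\s*(?:/\*[^*]*\*/)?\s*=\s*\{(?P<body>.*?)\n\s*\};",
    re.DOTALL,
)
ISA_RE = re.compile(r"\bisa\s*=\s*PBXShellScriptBuildPhase\b")
NAME_RE = re.compile(r'\n\s*name\s*=\s*("(?:[^"\\]|\\.)*"|[^;]+);')
SCRIPT_RE = re.compile(r'shellScript\s*=\s*"((?:[^"\\]|\\.)*)"\s*;')

# Heuristics assumed for this example; tune them for your own projects.
SUSPICIOUS = [
    (re.compile(r"\beval\b"), "eval of generated code"),
    (re.compile(r"\bbase64\b"), "base64 decoding"),
    (re.compile(r"\b(curl|wget|nc|ncat)\b"), "network fetch"),
    (re.compile(r"\b(python\d?|perl|ruby|osascript)\b.*\s-[ce]\b"), "inline interpreter code"),
    (re.compile(r">\s*/dev/null"), "output discarded"),
    (re.compile(r"&\s*$"), "backgrounded process"),
    (re.compile(r"[A-Za-z0-9+/=]{64,}"), "long encoded blob"),
]


def unescape(s: str) -> str:
    """Decode the backslash escapes pbxproj uses inside quoted strings."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "t": "\t"}.get(m.group(1), m.group(1)), s)


def scan_pbxproj(text: str) -> list[dict]:
    """Return every Run Script phase (id, name, decoded script, findings that fired)."""
    phases = []
    for obj in OBJECT_RE.finditer(text):
        body = obj.group("body")
        if not ISA_RE.search(body):
            continue  # sources, resources, frameworks etc. are not script phases
        name_m = NAME_RE.search(body)
        name = unescape(name_m.group(1).strip('"')) if name_m else "(unnamed Run Script)"
        script_m = SCRIPT_RE.search(body)
        script = unescape(script_m.group(1)) if script_m else ""
        findings = [label for pat, label in SUSPICIOUS if pat.search(script)]
        phases.append({"id": obj.group("id"), "name": name, "script": script, "findings": findings})
    return phases


# Constructed sample: one non-script phase, one benign lint script, one that
# decodes and evals a payload in the background (the payload here is just "echo hi").
SAMPLE_PBXPROJ = r"""// !$*UTF8*$!
{
	objects = {
		1A2B3C4D5E6F708192A3B4C5 /* Sources */ = {
			isa = PBXSourcesBuildPhase;
			files = (
			);
		};
		ABCDEF0123456789ABCDEF01 /* ShellScript */ = {
			isa = PBXShellScriptBuildPhase;
			name = "Lint";
			shellPath = /bin/sh;
			shellScript = "echo \"Linting ${TARGET_NAME}\"\n";
		};
		0123456789ABCDEF01234567 /* ShellScript */ = {
			isa = PBXShellScriptBuildPhase;
			shellPath = /bin/sh;
			shellScript = "eval \"$(echo ZWNobyBoaQo= | base64 -d)\" >/dev/null 2>&1 &\n";
		};
	};
	rootObject = FEDCBA9876543210FEDCBA98 /* Project object */;
}
"""


def main(argv):
    """Scan each project.pbxproj given on the command line, or the sample if none."""
    texts = [open(p, encoding="utf-8").read() for p in argv[1:]] or [SAMPLE_PBXPROJ]
    for text in texts:
        for p in scan_pbxproj(text):
            status = "SUSPICIOUS" if p["findings"] else "ok"
            print(f"{status:10} {p['id']} {p['name']}: {', '.join(p['findings']) or '-'}")
            if p["findings"]:
                print("    " + p["script"].strip().replace("\n", "\n    "))


if __name__ == "__main__":
    main(sys.argv)
```

Run it as `python3 scan_pbxproj.py MyApp.xcodeproj/project.pbxproj` before opening an unfamiliar project. Any phase it prints deserves a read regardless of the heuristics: a legitimate Run Script is usually short and self-explanatory, and one you cannot read is reason enough not to build.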

(Bleeping Computer)

Yet more printing problems caused by Windows updates

Two days after Microsoft rushed out a fix for the Windows 10 printing crashes caused by last week’s Patch Tuesday update, it was warning of yet more printing problems beyond the Blue Screen of Death. Microsoft had this to say on Wednesday: “After installing updates released March 9, 2021 or March 15, 2021, you might get unexpected results when printing from some apps.” The issues include document elements printing as solid black, or missing color boxes such as barcodes, graphics, logos or QR codes. Table lines may go missing, and alignment or formatting may be garbled. Microsoft said it expected a fix within a few days.

(Bleeping Computer)

China slaps LinkedIn with 30-day suspension over lax censorship

China says LinkedIn—the sole Western social network allowed to operate in the country—hasn’t been censoring its posts rigorously enough. Its internet regulator is punishing the Microsoft-owned platform for failing to control objectionable posts circulating in the period around an annual meeting of China’s lawmakers, according to three people briefed on the matter, which hasn’t been made public. It’s unclear exactly which material got LinkedIn into trouble. As punishment, Chinese officials are requiring LinkedIn to perform a “self-evaluation,” to submit a report to the internet regulator, and to suspend new-user sign-ups inside China for 30 days.

(New York Times)

Google pays Uruguayan researcher $164,674 for cloud bug

Ezequiel Pereira, a Uruguayan university student, has scored a juicy bounty of $133,337 for a remote code execution (RCE) bug he discovered in the Google Cloud Deployment Manager. It’s the top prize in the 2020 Google Cloud Platform (GCP) bug bounty program, which paid out a total of $313,337, or triple the $100,000 pool the company created for the 2019 program. Google announced that six winners will share the money, which isn’t a bug bounty payout per se, but rather an additional prize and recognition for submissions to Google’s vulnerability reward program. It’s quite a cherry to put on top of the cupcake, though: the additional prize Google paid to Pereira is on top of the $31,337 reward for the original report he submitted last year, meaning he made a total of $164,674 for discovering the RCE.

(ZDNet)