Cyber Security Headlines – March 8, 2022

Leaked Nvidia data used in malware

Last week we covered that the extortion group Lapsus$ accessed Nvidia’s systems and stole proprietary data as well as employee credentials. The group threatened to release the data if Nvidia did not remove its Lite Hash Rate ethereum mining limiter on recent GPUs. The group made good on its promise, publishing chunks of the pilfered data, including code-signing certificates used for its drivers and apps. Security researchers found that these are now being used to sign malware, with some samples already available in VirusTotal. These certificates are expired, but Windows will still load drivers signed with them into the OS.

(Bleeping Computer)

Russia says it’s okay to download a car

Faced with many technology companies no longer providing software and services in the country, Russian officials are drafting rules that would establish a “unilateral” software licensing mechanism, effectively renewing expired software licenses without consent of the owners of the IP. This would only apply if the copyright holder resides in a country with sanctions against Russia, and there are no viable Russian alternatives. The Civil Code of the Russian Federation already allows for this practice under specific circumstances, provided that patent holders are notified and a reasonable fee is paid. The proposed amendment to the Civil Code would forgo payment while sanctions are in place. Russia says copyright infringement is still illegal and prosecuted in the country.

(Bleeping Computer)

Sharkbot takes a bite out of the Play Store

The banking trojan known as Sharkbot has been seen operating online since October 2021, initially monitored by the security firms Cleafy and ThreatFabric. It’s able to perform transactions using Automatic Transfer Systems, letting it auto-fill fields in real banking apps and start transfers without human interaction. Each of these simulated interactions has to be sent to Sharkbot from C2 servers. Aside from ATS attacks, Sharkbot is able to do traditional overlay attacks, keylogging, and SMS intercepts. To make matters worse, researchers found Sharkbot in the Google Play Store, masquerading as an antivirus app. Once downloaded, the app uses the “Direct Reply” Android feature to send a link to download a full version of the malware, which is likely how it evaded detection. We’ve seen a number of these so-called “dropper” apps get through the Play Store in recent months.

(Security Affairs)

Security vendors form Critical Infrastructure Defense Project

This new initiative was formed by Cloudflare, CrowdStrike, and the disappointingly not alliterative Ping Identity, and will offer free services and support for four months to US critical infrastructure providers identified as being particularly vulnerable to a cyber attack. This includes energy and utility companies of all sizes and hospital systems. The idea here is that town and municipal-based critical infrastructure will have free resources to help improve their threat monitoring capabilities in the near term. The three companies will also stay in contact with key cyber officials across the government to see if they advise extending this four-month period if risks of cyber attacks remain elevated.

(Security Week)

There are many misconceptions about security automation, so Torq is debunking a security automation myth each day this week.

Myth 2: Security Automation Is Just a New Term for Automated Security Testing
Wrong. While scanning and testing may be one example of a security automation use case, it’s hardly the only one. Automation can be used to do things like help manage complex security workflows and optimize collaboration between different stakeholders. These are tasks that were not traditionally automated. To learn more about the realities of automation, head to torq.io.

Cogent cuts ties with Russia

The US internet infrastructure company Cogent Communications decided to end relationships with Russian customers. This includes state-owned telecoms Rostelecom and TransTelekom. According to CEO Dave Schaeffer, the company didn’t want the Russian government to benefit from using its service to mount disinformation campaigns and hacks against Ukrainian targets, saying “Our goal is not to hurt anyone. It’s just to not empower the Russian government to have another tool in their war chest.” While there are other internet backbone providers operating in Russia, Cogent is one of the biggest.

(Wired)

VPN demand spikes

Researchers at SafetyDirective report that VPN demand in Russia increased 462% on the year since the government began censoring social media platforms on February 24th, including both paid and free VPNs. An initial spike in VPN demand kicked up on February 26th when the government accused Russian-language news outlets of spreading false information. These outlets were subsequently blocked on March 1st. Peak demand was seen on March 4th when Russia announced a block on Facebook.

(Security Magazine)

Mozilla releases emergency Firefox patch

The update addresses two critical zero day security flaws in the popular browser that are under active exploitation. Both are use-after-free bugs, a form of memory corruption in which Firefox continues to use a block of memory after it has been freed and potentially handed out to another use. Security researchers at Sophos said the bugs were being exploited in the wild for remote code execution using malicious websites, as well as for sandbox escape exploits. Mozilla didn’t reveal much about the exploits since they are actively exploited. The flaws impact the desktop and Android versions of Firefox.

(ThreatPost)

Security firms found hosting exposed assets

A new study from Reposify found that over a two-week period in January 2022, 35 multinational cybersecurity companies and their subsidiaries hosted over 200,000 exposed assets, including databases, remote access sites, and cloud services. 51% of firms in the study had exposed databases, with 37% exposing backups and storage. Remote access sites were most commonly exposed, found in 86% of firms. Remote access protocols proved particularly leaky, with 90% of companies exposing OpenSSH. Reposify said the majority of assets exposed fall under an organization’s “unofficial perimeter,” representing Shadow IT, unknown risk, or possible backdoor access.

(Security Week)

Rich Stroffolino
Rich Stroffolino is a podcaster, editor and writer based out of Cleveland, Ohio. Since 2015, he's worked in technology news podcasting and media. He dreams of someday writing the oral history of Transmeta.