Microsoft reveals Nobelium’s MagicWeb
Security researchers at the company discovered a technique used by the Russian-linked threat group to maintain persistent access to compromised networks. Dubbed MagicWeb, the technique uses a malicious DLL to manipulate the claims passed in tokens generated by an Active Directory Federation Services server, and ultimately manipulates existing user authentication certificates. Using it required Nobelium to first obtain highly privileged credentials, gain access to a network, and gain admin privileges in Active Directory. Given these preconditions, MagicWeb appears highly targeted.
Details emerge on large-scale pro-Western influence campaigns
A joint report from the Stanford Internet Observatory Cyber Policy Center and the social media intelligence company Graphika detailed a series of interwoven campaigns that ran from March 2012 through August 2022. The operation used dozens of Facebook profiles and pages, Instagram accounts, and over 150 Twitter accounts to push narratives promoting American interests. While not publicly attributing the activity, Twitter said the operation presumably originated in the US and Great Britain, while Meta identified the US. It appears to be part of the Trans-Regional Web Initiative run by the US. Researchers found it didn’t seem to generate much engagement, with few likes and retweets, and only 19% of the asset accounts had over 1,000 followers.
Stolen NFTs prove big business
According to the blockchain research firm Elliptic, threat actors stole over $100 million worth of NFTs in 2022 through July. While the so-called “crypto winter” saw NFT prices drop significantly, analysts did not see a drop in scam activity. Instead, July saw a record number of NFTs reported stolen. Cyber criminals averaged $300,000 worth of crypto assets per scam, although presumably many more thefts remain unreported.
(Reuters)
Tether ignores crypto sanctions
Earlier this month, the US Treasury Department sanctioned the crypto mixer Tornado Cash over allegations it supported money laundering efforts by North Korea and other threat actors. According to an analysis of Dune Analytics data by the Washington Post, the crypto company Tether has so far failed to block accounts associated with the service. Tether’s CTO Paolo Ardoino said the company has not been contacted by US officials with a request to freeze transactions with Tornado Cash. The Hong Kong-based Tether does not operate in the US, so its legal obligations remain unclear. Traditionally, companies have been more proactive about complying with Treasury sanctions. This signals the ambiguity the department may face as it increasingly deals with digital assets.
(WaPo)
Thanks to today’s episode sponsor, Code42
Ethereum to go proof-of-stake in September
Ethereum developers confirmed that the popular blockchain will transition from proof-of-work to proof-of-stake on September 6th. This follows successful upgrades on all public testnets. The transition will come in two upgrades: the first, named Bellatrix, on September 6th, followed by a Paris upgrade between September 10th and 20th. The Ethereum Foundation warned operators to download the necessary client upgrades before Bellatrix drops.
Twitter shuffles safety teams
According to a staff memo seen by Reuters, Twitter will combine its health experience team with the Twitter Service team under a new Health Products and Services group. This group will review user-reported profiles for toxic content and take down spam accounts. This might ordinarily seem like a fairly banal corporate reorganization, but the news comes a day after recent whistleblower allegations brought new scrutiny to Twitter’s response to spam accounts and its overall corporate security.
(Reuters)
Plex resets passwords
The makers of the media server announced the security precaution, citing a “potential data breach.” The Plex team discovered “that a third party was able to access a limited subset of data that includes emails, usernames, and encrypted passwords.” The attackers did not access a separate server holding payment data. Plex says it “hashed and secured” passwords “in accordance with best practices,” suggesting the stolen password data is of limited use. The company recommends enabling two-factor authentication and logging out of all connected devices as a further precaution.
Leaky NIC lights defeat air-gaps
Dr. Mordechai Guri, the head of R&D in the Cyber Security Research Center at Ben Gurion University, published a new way to exfiltrate data from air-gapped systems, called ETHERLED. It uses the status LEDs on NICs to send data out of the system to a receiver up to hundreds of meters away. Data can be sent as simple Morse code or modulated over optical signals. The attack requires an attacker to first breach the system and plant malicious code; in this case, the code uses undocumented firmware commands to trigger the NIC lights. Suggested countermeasures include covering the lights with black tape.