Cyber Security Headlines: Nobelium’s MagicWeb, pro-Western influence campaigns, $100 million in NFTs stolen

Microsoft reveals Nobelium’s MagicWeb

Security researchers at the company discovered a technique used by the Russian-linked threat group to maintain persistent access to compromised networks. Dubbed MagicWeb, this uses a malicious DLL to manipulate claims passed in tokens generated by an Active Directory Federated Services server. This ultimately manipulates existing user authentication certificates. This required Nobelium to first have highly privileged credentials, gain access to a network, and gain admin privileges in Active Directory. Given these conditions, MagicWeb appears highly targeted. 

(Microsoft)

Details emerge on large-scale pro-Western influence campaigns

A joint report from the Stanford Internet Observatory Cyber Policy Center and the social media intelligence company Graphika detailed a series of interwoven campaigns, which ran from March 2012 through August 2022. This used dozens of Facebook profiles and pages, Instagram accounts, and over 150 Twitter accounts to push narratives promoting American interests. While not publicly attributing the activity, Twitter said the operation presumably originated in the US and Great Britain, while Meta identified the US. This appears to be part of the Trans-Regional Web Initiative run by the US. Researchers found it didn’t seem to generate much engagement, with little likes and retweets, and only 19% of asset accounts with over 1,000 followers. 

(CyberScoop)

Stolen NFTs prove big business

According to the blockchain research firm Elliptic, threat actors stole over $100 million worth of NFTs in 2022 through July. While the so-called “crypto winter” saw prices on NFTs drop significantly, analysts did not see a drop in scam activity. Instead July saw a record number of NFTs reported stolen. Cyber criminals averaged $300,000 worth of crypto assets per scam, although presumably many more thefts remain unreported.  

(Reuters)

Tether ignores crypto sanctions

Earlier this month, the US Treasury Department sanctioned the crypto mixer Tornado Crash, over allegations it supported money laundering efforts from North Korea and other threat actors. According to an analysis of data from Dune Analytics by the Washington Post, the crypto company Tether so far failed to block accounts associated with the service. Tether’s CTO Paolo Ardoino said it has not been contacted by US officials with a request to freeze transactions with Tornado Crash. The Hong Kong-based Tether does not operate in the US, so its legal obligations remain unclear. Traditionally, companies have been more proactive about complying with Treasury sanction. This signals the ambiguity the department may face as it increasingly deals with digital assets. 

(WaPo)

Thanks to today’s episode sponsor, Code42

Surprise! Surprise! Five years from now, Jamie, who’s resigning today, will ring the NASDAQ bell officially launching her company on the public market. And what you’ll soon realize is that Jamie stole your most valuable data to start her new company. Learn how Code42 Incydr can stop data theft and protect your organizations’ most valuable assets. Visit Code42.com/showme to learn more.

Ethereum to go proof-of-stake in September

Ethereum developers confirmed that the popular blockchain will transition from proof-of-work to proof-of-stake on September 6th. This follows successful upgrades on all public testnets. The transition will come in two upgrades. One named Bellatrix on September 6th, followed by a Paris upgrade between September 10th and 20th. The Ethereum Foundation warned operators to download necessary client upgrades before Bellatrix drops. 

(The Block)

Twitter shuffles safety teams

According to a staff memo seen by Reuters, Twitter will combine its health experience team with the Twitter Service team under a new Health Products and Services group. This group will review user reported profiles for toxic content and take down spam accounts. This might ordinarily seem like a fairly banal corporate reorganization. But this news comes a day after recent whistleblower allegations shed new scrutiny on Twitter’s response to spam accounts and overall corporate security. 

(Reuters)

Plex resets passwords

The makers of the media server announced the security precaution citing a “potential data breach.” The Plex team discovered “that a third party was able to access a limited subset of data that includes emails, usernames, and encrypted passwords.” The attackers did not access a separate server holding payment data. Plex says it “hashed and secured” passwords “in accordance with best practices,” indicating limited utility in stealing the data. The company recommends enabling two-factor authentication and logging out of all connected devices as a further precaution. 

(Android Authority)

Leaky NIC lights defeat air-gaps

Dr. Mordechai Guri, the head of R&D in the Cyber Security Research Center at Ben Gurion University, published a new way to exfiltrate data from air-gapped systems called ETHERLED. This uses the LEDs on NICs to send data out of the system up to hundreds of meters away. Data can be sent through simple Morse code or modulated over optical signals. This requires an attacker to breach the system and plant malicious code. In this case, the attack uses undocumented firmware commands to trigger the NIC lights. Suggested countermeasures for the attack include black tape to block the lights.

(The Hacker News)

Rich Stroffolino is a podcaster, editor and writer based out of Cleveland, Ohio. He's spent the past five years creating media for technology enthusiasts and IT practitioners. He dreams of someday writing the oral history of Transmeta.