Cyber Security Headlines November 25, 2020

Brazil continues to recover from its worst cyberattack

Brazil’s Superior Electoral Court was hit with a ransomware attack on November 3rd, with systems taken offline for 26 hours to mitigate damage and gather evidence. The court had limited functionality restored for urgent cases through November 20th. Court minister Henrique Martins characterized it as the worst cyberattack suffered by Brazil in terms of scope and complexity. The recovery process has seen the court’s 50-person IT staff coordinating with additional help from Atos, Microsoft and Redbelt Security. While court systems are back to full functionality, Martins warned that revised policies and fundamental infrastructure changes are needed to prevent another attack in the future.

(ZDNet)

Apple’s security chief indicted on bribery charges

A California grand jury indicted Thomas Moyer on charges that he tried to bribe Santa Clara County officials with 200 iPads in exchange for four concealed-carry weapons licenses (known as CCW licenses) for Apple employees. The charges followed a two-year investigation. The iPads were reportedly never delivered because Moyer and Santa Clara Undersheriff Rick Sung learned in 2019 that the district attorney was executing a search warrant for the sheriff department’s CCW records.

(The Verge)

Baidu apps are leaking data

Researchers from Palo Alto Networks’ Unit 42 claim that the Baidu Maps and Baidu App on Android were leaking sensitive user data, with a Baidu SDK called Push sending the data to a Chinese server. Information included phone model, IMSI number and MAC address. Since the IMSI follows a subscriber across different handsets, it could theoretically be used to track a user across devices. Palo Alto informed Google of the leaks last month, resulting in both apps being removed from the Play Store on October 28. The Baidu app returned to Google Play on November 19th after being updated; Baidu Maps is still not available. A Baidu spokesperson said the data was used to enable Push functionality and was disclosed in the apps’ privacy agreement.

(Forbes)

Actively exploited backdoor discovered on consumer routers

Security researchers at CyberNews discovered the backdoors in Chinese-made Jetstream routers sold exclusively at Walmart, as well as in Wavlink-branded routers found on Amazon and eBay. The researchers found evidence that these backdoors, which allow remote root access, were being actively exploited. There is also evidence that the Mirai botnet is working on adding the routers. The researchers even discovered a separate GUI for remote code execution, and that the credentials needed to access the device were always available by inspecting the JavaScript on the endpoint. A Walmart spokesperson told CyberNews the Jetstream router was out of stock and the company didn’t plan to replenish inventory.

(Cyber News)

Thanks to our sponsor, Dtex

Traditional Employee Monitoring solutions are creepy. Capturing screenshots, recording keystrokes, monitoring web browsing and following social media activities is unnecessary and damages culture. DTEX InTERCEPT is the first and only solution that delivers the real-time workforce monitoring capabilities today’s organizations need and employees will embrace. Learn more at dtexsystems.com.

Canonical publishes LTS container images on Docker Hub

The Ubuntu publisher provides these images with a five-year free security maintenance period, and offers 10 years of support for paying customers. The company says these LTS images will receive fixes for critical and high-severity vulnerabilities within 24 hours. According to Canonical CEO Mark Shuttleworth, the company hopes the LTS container images will provide a guarantee of software supply chain security and integrity, something previously hard to deliver for cloud-native organizations.

(Security Week)

You can teach an old botnet new tricks

While a coalition of organizations led by Microsoft and Symantec successfully disrupted much of the existing infrastructure for the TrickBot botnet, security researchers are finding the operators quickly pivoting to keep the network going. Netscout researchers spotted a new TrickBot Linux variant that was used by its operators. TrickBot was also seen being used to distribute Ryuk ransomware. Bitdefender researchers now report that new versions of TrickBot have eliminated some telltale DLLs, indicating a move away from unpacked modules. The botnet is also using new C2 routers, now using the same infrastructure as the Bazar backdoor, as well as moving away from Tor plugin services in favor of obfuscated IP addresses. TrickBot has also been seen with a new reconnaissance module called LightBot, which is used to target systems of interest once inside a target network.

(Security Affairs)

Coin-miner botnet shifts its gaze to Linux

The Stantinko threat group has been operating an adware and coin-miner botnet since 2012. Now researchers at Intezer have spotted a Linux version of the botnet’s trojan targeting Linux servers. This trojan appears as httpd, the Apache Hypertext Transfer Protocol Server. The researchers believe this is part of a broader campaign that takes advantage of compromised Linux servers.

(Security Affairs)
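The Stantinko item above turns on a simple masquerade: a trojan that names itself httpd so it blends in with the Apache web server in a process listing. The script below is an added example (not from the article or from Intezer’s research) of the check a defender can run on a Linux host: it compares each process claiming the name httpd against the executable it actually runs from, and flags binaries outside the package paths, binaries unlinked after launch, and names that do not match the binary at all. The list of known httpd paths and the sample process snapshot are assumptions constructed for this example.

```python
"""Flag processes that call themselves 'httpd' but do not run from a
packaged Apache binary.  Added example, not code from the original article."""
import os
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Where a distribution-packaged Apache httpd binary is expected to live.
# Assumption for this example; extend it for the distributions you run.
KNOWN_HTTPD_PATHS = {
    "/usr/sbin/httpd",
    "/usr/sbin/apache2",
    "/usr/local/apache2/bin/httpd",
}


@dataclass
class ProcInfo:
    pid: int
    comm: str   # process name as reported in /proc/<pid>/comm
    exe: str    # target of the /proc/<pid>/exe symlink
    cwd: str    # target of the /proc/<pid>/cwd symlink


def suspicious_httpd(procs: Iterable[ProcInfo]) -> List[Tuple[ProcInfo, str]]:
    """Return (process, reason) pairs for every process named httpd whose
    backing executable does not look like a packaged Apache install."""
    hits: List[Tuple[ProcInfo, str]] = []
    for p in procs:
        if p.comm != "httpd":
            continue
        # The kernel appends " (deleted)" when the binary was unlinked after
        # exec, a common way to leave no file on disk for AV to scan.
        if p.exe.endswith(" (deleted)"):
            hits.append((p, "executable deleted from disk"))
        elif p.exe not in KNOWN_HTTPD_PATHS:
            hits.append((p, f"unexpected executable path {p.exe}"))
        elif os.path.basename(p.exe) != p.comm:
            # comm can be rewritten with prctl(PR_SET_NAME); the exe cannot.
            hits.append((p, "process name does not match binary"))
    return hits


def read_proc() -> List[ProcInfo]:
    """Snapshot live processes from /proc (Linux only).  Entries the current
    user may not read (other users' processes without privilege) are skipped."""
    out: List[ProcInfo] = []
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        pid = int(name)
        try:
            with open(f"/proc/{pid}/comm") as fh:
                comm = fh.read().strip()
            exe = os.readlink(f"/proc/{pid}/exe")
            cwd = os.readlink(f"/proc/{pid}/cwd")
        except OSError:
            continue
        out.append(ProcInfo(pid, comm, exe, cwd))
    return out


# Constructed sample snapshot (not real data) so the check runs offline.
SAMPLE = [
    ProcInfo(812, "httpd", "/usr/sbin/httpd", "/"),                 # legitimate
    ProcInfo(4410, "httpd", "/tmp/.x/httpd", "/tmp/.x"),            # odd path
    ProcInfo(4411, "httpd", "/dev/shm/httpd (deleted)", "/"),       # unlinked
    ProcInfo(5000, "sshd", "/usr/sbin/sshd", "/"),                  # not httpd
]

if __name__ == "__main__":
    for proc, reason in suspicious_httpd(SAMPLE):
        print(f"pid={proc.pid} exe={proc.exe} cwd={proc.cwd}: {reason}")
```

Run it as-is to see the two constructed hits; replace `SAMPLE` with `read_proc()` to scan a live host. The binary path and the "(deleted)" marker come from the kernel rather than from the process, which is why they are a more reliable signal than the name alone.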

Twitter to relaunch verification in 2021

Twitter announced the relaunch early in the hope of getting user feedback ahead of implementation. The social network will initially verify six types of accounts: government officials; companies, brands and nonprofit organizations; news; entertainment; sports; and activists, organizers and other influential individuals. Twitter said it may add more categories over time. Accounts must be “notable and active,” and Twitter will withhold verification from accounts that frequently violate the Twitter Rules. Each account type has its own verification requirements, spelled out in the new policy draft. Twitter’s verification program has been suspended since 2017, although it did verify medical experts tweeting about COVID-19 earlier in 2020.

(TechCrunch)

Rich Stroffolino
Rich Stroffolino is a podcaster, editor and writer based out of Cleveland, Ohio. Since 2015, he's worked in technology news podcasting and media. He dreams of someday writing the oral history of Transmeta.