Microsoft report details the changing cybercrime landscape

The company recently published its second annual Microsoft Digital Defense Report, providing insights collected across its trillions of security signals on the evolving state of ransomware, malicious email, and malware. The rise of ransomware-as-a-service operations was unsurprisingly discussed, with Microsoft finding that the consumer, financial, and manufacturing sectors were the most commonly targeted. The company also saw phishing emails steadily increase from June 2020 to June 2021, with a large spike in November. In malware, Microsoft saw web shell-based exploits increase, with an average of 140,000 web shell threats on servers from August 2020 to January 2021, and an average of 180,000 encounters per month in 2021.

(Microsoft)

LibreOffice issues fix for signed document spoofing

Security researchers at Ruhr University in Germany spotted an Improper Certificate Validation vulnerability in the popular open-source office suite. This could open the door for an attacker to self-sign an ODF document with an untrusted signature, but then modify it to present the signature algorithm as invalid. The bug would cause LibreOffice to incorrectly show this as a valid signature issued by a trusted person. The flaw impacts all versions of Apache OpenOffice up to 4.1.10, with both LibreOffice and OpenOffice issuing patches.

(Security Affairs)

You got nuclear secrets in my peanut butter!  

A Navy nuclear engineer and his wife were arrested for allegedly violating the Atomic Energy Act by attempting to sell nuclear warship data to someone they believed to be an agent of a foreign power, but who in reality was an FBI agent. Court filings indicate the couple mailed an unnamed foreign government on April 1, 2020, with instructions on how to contact them using encrypted communications. An FBI attaché in the foreign country gave this to the FBI, who made contact in December 2020 using encrypted ProtonMail email. The defendant agreed to hand over documents at a dead drop in exchange for Monero cryptocurrency, with the SD card of information hidden in half a peanut butter sandwich. Eventually three data dead drops were made in total, in exchange for $70,000 in crypto.

(Bleeping Computer)

Instagram announces new tools to “nudge” teens

Facebook vice president for global affairs and communications Nick Clegg said the company plans to reduce the amount of political content in the News Feed, with a focus on more content from friends. The company also plans to introduce a new “take a break” feature for teenagers on Instagram as part of efforts to “nudge” teenagers away from content that “may not be conducive to their well-being.” Instagram previously announced it will focus on developing improved parental supervision tools for teenage users 13 and older, while it paused development of a version of the platform for younger kids. 

(CNet)

Apple patches actively exploited zero-day

Apple released version 15.0.2 for iPadOS and iOS, labeled as an “important security update” to patch an actively exploited vulnerability. According to Apple’s security support page, the update fixes a memory corruption vulnerability that allowed an application to execute arbitrary code with the highest level of device access, although, as usual with Apple, further details are rather thin. The update also resolves some bugs with accessories not being seen by the Find My network.

(TechCrunch)

Apple will appeal app store changes in Epic lawsuit

In the Apple vs Epic lawsuit, Judge Yvonne Gonzalez Rogers largely ruled in Apple’s favor, declaring that the company did not meet the conditions of a monopoly under California law. The only exception was a permanent injunction stating Apple could no longer prohibit developers from pointing users to outside payment systems, with Apple having until early December to revise its App Store rules. We’ve already seen companies preparing payment options in anticipation of this change. Apple now plans to appeal that decision, asking the judge for a stay on the injunction through the appeals process. Which will probably be a while. Epic previously announced it was appealing the decision as well. 

(TechCrunch)

Amazon updates work from home policy

Big tech has continued to update how it handles bringing employees back to offices during the ongoing COVID-19 pandemic. Under Amazon’s most recent policy announcement, employees will no longer return en masse in January 2022. Instead, CEO Andy Jassy told employees the decision to return to offices will be left to individual team leaders at the director level, with no company-wide minimum number of days required in an office. The only limitation: Jassy wants employees close enough to a home office to be able to return for meetings within a day’s notice. Jassy said with 1.3 million employees, a one-size-fits-all approach doesn’t work for the company.

(GeekWire)

Huawei Cloud targeted by cryptomining malware

Security researchers at Trend Micro found that the operators of a Linux crypto-mining malware strain are now targeting Huawei Cloud. This malware was previously found targeting Docker containers in 2020. This updated version commented out the firewall rules creation function found in the Docker variety, and drops a network scanner to map other hosts with API-relevant ports. This version also looks to detect and remove any other cryptojacking scripts found on the system. This seems to be a more devious cryptominer than others, as it adds newly created users to the sudoers list for root access, and uses its own ssh-RSA key to modify file permissions to a locked state.

(Bleeping Computer)