US files charges against high-profile attackers
The unsealed charges are against six Russian nationals believed to be officers of the Russian Main Intelligence Directorate (GRU) and members of the prominent hacking group known as Sandworm. The group is believed to have been involved with the BlackEnergy, Industroyer, and KillDisk malware that hit Ukraine in 2015 and 2016, efforts to disrupt the French elections in April 2017, spear-phishing attacks against PyeongChang Winter Olympics partners, and the NotPetya attacks that caused over $1 billion in damages in 2017, among others. Ordinarily espionage operations are not subject to international prosecution, but US officials said that the group's indiscriminate use of malware with destructive capabilities showed a disregard for international norms.
(ZDNet)
A new browser wants to look at social media algorithms
The Markup announced the Citizen Browser project, which aims to build a custom web browser to audit the information-sharing algorithms used by social media platforms. Initially the browser will focus on auditing YouTube and Facebook, looking at what information is served to specific users, how news is shown on those platforms, and what communities users are encouraged to join. The Markup will pay a nationally representative panel of 1,200 people to install the browser and share real-time data. The panel is designed to be a statistically valid sample of the American population across age, race, gender, geography, and political affiliation, with all personally identifiable information removed and discarded before analysis.
Microsoft Exchange and OWA are increasingly malware targets
This comes from Accenture's 2020 Cyber Threatscape report, which found that APTs have turned to these Microsoft stalwarts to steal business credentials and other sensitive data. The report highlights the Russian group BELUGASTURGEON and the Iranian group APT39, both of which use Microsoft services as beachheads to hide traffic, relay commands, compromise e-mail, exfiltrate data, and gather credentials for future espionage attacks. Other groups were found to craft malware specifically for Exchange, exploiting known security-feature bypass vulnerabilities to execute arbitrary commands. Microsoft is also a top target for brand impersonation, used in phishing attacks against government and oil and gas targets.
Dark Reading report looks at the COVID-19 impact on security priorities
The report identified remote access systems as the most commonly cited security priority, named by 39% of respondents, with VPNs second at 36% and authentication third at 35%. Overall, 54% of respondents said their organizations planned to use more cloud services in 2021, with only 7% predicting a decrease. On the perceived effectiveness of security technology, endpoint protection, VPNs, and next-gen firewalls were each rated effective by at least 75% of respondents. At the less effective end, 45% or fewer of respondents rated user and entity behavior analytics, network access control, honeypots, and ML- and AI-based security systems as effective. 49% of respondents identified managing security complexity as their biggest challenge, up from 38% last year.
Thanks to our episode sponsor, SecureLayer7
GravityRAT spyware comes to new operating systems
Kaspersky has tracked the remote access trojan since 2015, but until now it had only been seen on Windows systems. Researchers have now spotted updated GravityRAT code showing that the spyware has become a multi-platform tool. Code analysis of an Indian travel app for Android found malware with C2 addresses linked to the actors behind GravityRAT, and researchers now identify more than 10 different versions of the spyware for Android and macOS in addition to Windows. The overall operation of the malware is similar across platforms; researchers note that it appears focused on India and uses increasingly sophisticated digital-signature tricks to make the apps look legitimate.
Akamai sees DDoS ransom attacks increase
Research from the company shows that since August, peak DDoS attacks have shifted from gaming companies to financial services, with intensity increasing to 200 Gbps, even as the attack vectors remain largely the same. Attackers have sent ransom demands to multiple organizations, delivering a small-scale DDoS to prove their intentions. This differs from other extortion attempts that merely threaten a DDoS and are usually not followed up on. Akamai says it has seen DDoS attacks triple since January, to as many as three million a day, with a 200% increase in attacks against web application firewalls.
Vizom malware operating in Brazil
The malware was discovered by researchers at IBM. Vizom is distributed through phishing emails designed to look like a Zoom link. Once downloaded, the malware uses DLL hijacking, placing itself in the Zoom directory so that it runs as a child process of the legitimate Zoom binary. From there a remote access trojan is extracted and chained to an instance of the Vivaldi browser running in the background. Once Vizom detects the user navigating to one of a list of online banking sites, it uses the remote access to put an overlay on the screen that tricks the user into entering their credentials.
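A detection angle on the DLL-hijack step described above, written as an added example (it is not IBM's analysis code and not the malware): a host process loading an unsigned DLL, or a DLL signed by an unexpected publisher, from its own application directory. It assumes Sysmon Event ID 7 (Image loaded) records are available as dicts using Sysmon's standard field names (Image, ImageLoaded, Signed, SignatureStatus, Signature), that the Zoom client binary is named Zoom.exe, and that genuine Zoom DLLs carry Zoom's publisher signature. The sample events, DLL names and user name are constructed for the example.

```python
"""Sysmon ImageLoad rule for a DLL planted next to a trusted host process.

Added example; assumptions (Zoom.exe as the host process, Zoom as the
expected signer, Sysmon Event ID 7 field names) are noted inline.  The
SAMPLE_EVENTS below are constructed, not real telemetry.
"""
from typing import Iterable, List, Optional

# Assumption: the Zoom client binary is named Zoom.exe.  Adjust for the
# process whose DLL search path the hijack abuses on your estate.
HOST_PROCESSES = {"zoom.exe"}

# DLLs loaded from the Windows system directories are out of scope for
# this rule: the technique drops the DLL into the application directory.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def _norm(path: str) -> str:
    """Lower-case and normalise separators so comparisons are stable on
    any OS (Sysmon paths use backslashes)."""
    return path.replace("/", "\\").lower()


def _basename(path: str) -> str:
    """Last component of a backslash-separated path."""
    return path.rsplit("\\", 1)[-1]


def suspicious_load(event: dict) -> Optional[str]:
    """Return a reason string if this ImageLoad event looks like a DLL
    planted next to the host process, else None."""
    proc = _basename(_norm(event.get("Image", "")))
    if proc not in HOST_PROCESSES:
        return None
    dll = _norm(event.get("ImageLoaded", ""))
    if dll.startswith(SYSTEM_DIRS):
        return None
    signed = event.get("Signed", "false").lower() == "true"
    status = event.get("SignatureStatus", "")
    signer = event.get("Signature", "")
    if not signed or status != "Valid":
        return (f"{proc} loaded unsigned or invalidly signed DLL {dll} "
                f"(SignatureStatus={status or 'n/a'})")
    # Assumption: genuine Zoom DLLs carry Zoom's own publisher signature;
    # a validly signed DLL from another publisher is still worth a look.
    if "zoom" not in signer.lower():
        return f"{proc} loaded {dll} signed by unexpected publisher '{signer}'"
    return None


def scan(events: Iterable[dict]) -> List[str]:
    """Run the rule over a stream of Sysmon ID 7 events, returning alerts."""
    return [reason for reason in map(suspicious_load, events) if reason]


# Constructed sample: a benign Zoom DLL, a system DLL, an unsigned DLL
# dropped into the Zoom directory, a load by an unrelated process, and a
# DLL validly signed by a third party.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\alice\AppData\Roaming\Zoom\bin\Zoom.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Roaming\Zoom\bin\zVideoUI.dll",
     "Signed": "true", "SignatureStatus": "Valid",
     "Signature": "Zoom Video Communications, Inc."},
    {"Image": r"C:\Users\alice\AppData\Roaming\Zoom\bin\Zoom.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "SignatureStatus": "Valid",
     "Signature": "Microsoft Windows"},
    {"Image": r"C:\Users\alice\AppData\Roaming\Zoom\bin\Zoom.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Roaming\Zoom\bin\helper.dll",
     "Signed": "false", "SignatureStatus": "Unavailable", "Signature": ""},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\helper.dll",
     "Signed": "false", "SignatureStatus": "Unavailable", "Signature": ""},
    {"Image": r"C:\Users\alice\AppData\Roaming\Zoom\bin\Zoom.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Roaming\Zoom\bin\update.dll",
     "Signed": "true", "SignatureStatus": "Valid",
     "Signature": "Contoso Ltd"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

The rule deliberately ignores system-directory loads and unrelated processes so it stays narrow; in production you would feed it live Event ID 7 records and tune the signer check per application, since a validly signed third-party DLL is a weaker signal than an unsigned one in the application directory.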
(ZDNet)
Facebook rejects over 2 million ads attempting to “obstruct voting”
This comes from Facebook's vice president of global affairs and communications, Nick Clegg, with the ads coming from across Facebook and Instagram. Aside from the 2.2 million rejected ads, an additional 120,000 posts were withdrawn for the same reason. The platform also posted warnings on 150 million pieces of false information posted on its services. Clegg said Facebook uses artificial intelligence that can flag billions of posts containing election misinformation before they are seen by users.