Microsoft warns of Subzero malware
The company’s Threat Intelligence Center recently advised that it found multiple links to the private-sector offensive actor DSIRF with a threat group its tracked known as Knotweed. The threat intelligence firm RiskIQ linked DSIRF with the development of the Subzero malware, which can be used to access a target’s phone, computer and IoT devices. Microsoft further found that C2 servers for Subzero link directly back to DSIRF. The company observed Knotwood campaigns utilizing multiple zero-days, including chaining two Windows privilege escalation exploits with an Adobe Reader attack, leading to a Subzero cybersecurity fatality on impacted systems. Knotwood targets include “law firms, banks, and strategic consultancies in countries such as Austria, the United Kingdom, and Panama.”
JusTalk logs leak
Last week, security researcher Anurag Sen discovered an exposed online database containing hundreds of gigabytes of log data for the messaging app JusTalk. The plaintext logs contained phone numbers of the sender, the recipient, and the message itself, as well as any calls made. The logs also have granular location data, showing large clusters of users in the U.S., U.K., India, Saudi Arabia, Thailand and mainland China. The database was hosted by Huawei in China. Shodan shows the server continually storing monthly chat logs. JustTalk claims its app uses end-to-end encryption. This week, Sen discovered an undated ransom note left on the database, indicating it was accessed at least once by a malicious actor. Attempts to contact the company about the leak were unsuccessful.
The cost of an average data breach
According to a new report from IBM security, the average cost of a data breach increased 2.6% on the year to an all-time record of $4.4 million in 2022. Since the start of 2020, the average data breach cost rose 13%. The report found that over 50% of organizations surveyed said they increased the cost of products and services to offset the cost of breaches. This average cost isn’t just based on the immediate expense of a breach, whether paying a ransom or containing a breach, but also accounts for longer term expenses like regulatory fines and lost sales. 83% of respondents reported more than one breach.
Bots help defeat 2FA
No form of authentication or security is impervious. While encouraging the use of multi-factor authentication is undoubtedly an improvement over simple passwords, threat actors have been finding ways around these security measures. A new report from Recorded Future highlights how threat actors are increasingly using bots to automate the theft of one-time passwords. These bots typically operate through voice calls or SMS messages to potential victims, requesting the input of an OTP. The report used an open-source bypass bot and found they required little technical expertise or even language skills. This could allow threat actors to broaden their base of targets. Traditional methods of OTP bypassing, like SIM swaps, require much more time and technical chops.
Thanks to today’s episode sponsor, Snyk
TikTik promises transparency for researchers
The company’s COO Vanessa Pappas announced it will grant researchers access to its platform framework and moderation system. Researchers will access “public and anonymized data” for the purpose of assessing content and tests. This access will also extend to experts on TikTok’s advisory council. The company also said it plans to provide more transparency around its efforts to curb “covert influence operations.” This announcement comes hours after a Gizmodo report that its parent company ByteDance used the news app TopBuzz to plant pro-China messages for American users. ByteDance denies these claims.
Rediscovering an old UEFI rootkit
Security researchers at Kaspersky report that a Unified Extensible Firmware Interface, or UEFI rootkit dubbed CosmicStrand has been used in the wild since 2016. The researchers found the rootkit on Gigabyte or Asus motherboards, which sets “hooks” along the boot process of a PC to survive reinstalls of Windows or replacing hard drives. While we’ve seen UEFI rootkits increasing in numbers of late, CosmicStrand shows that the approach may be older and more pervasive among threat actors. Researchers at Qihoo360 discovered a variant of the rootkit in 2017, but Ars Technica reports most Western-based security firms didn’t take notice. The C2 servers for the rootkit have gone dark for long periods of time, likely why Kaspersky rediscovered it recently.
GitHub adds npm features
The Microsoft-owned code repository announced that its support for 2FA for npm exited beta and is now generally available to all users. As part of this launch, GitHub also announced a new npm login and publishing systems, allowing browser-based authentication with valid tokens retained on the same session for up to five minutes. This will prevent developers from having to enter a new one-time password on every action in npm with 2FA enabled. The platform also added the ability to connect GitHub and Twitter accounts to npm. It hopes this will make it harder to impersonate creators of popular software.
No More Ransom helps millions
As part of its six-year anniversary, the No More Ransom initiative reports that its helped over 1.5 million people decrypt devices. This support spans over 37 languages, with the initiative now partnering with 188 organizations, and offering 136 decryption tools to help deal with 165 ransomware families. Back in 2016, the initiative started with partners Kaspersky, the National High Tech Crime Unit of the Dutch National Police, and Europol’s European Cybercrime Centre. The initiative also posts technical documentation to help organizations detect ransomware as well as publishing general guidelines to shore up defenses.