FFT news digest April 23 2021

Apple

A slew of Apple-related news this week, including product announcements and a ransomware incident that has confirmed plans for welcome changes to its MacBook range.

Its 'Spring Loaded' event included news of new M1 iMacs and a revamped Apple TV 4K box. But there were also details of changes to the Podcasts app, with new subscription options (Apple appears to take a 30% cut of any takings in the first year). It's also launching 'AirTag' trackers that can be attached to any device - and theoretically to pets and children, though Apple says that's not what they're designed for. There's an updated iPad Pro - and you can now extend AppleCare+ protection beyond the current three years, but only if you're in the US. Apple is also due to release the latest version of its iPhone and iPad operating system next week.

Just as interesting as the planned event were the very much unplanned details that emerged as the result of a ransomware incident that hit one of Apple's suppliers. The group, known as REvil, is reported to be blackmailing Taiwan-based Quanta Computer for some $50 million and is threatening to release thousands of files unless it gets its money. Files already seen by Apple watchers confirm rumours that new MacBooks will include the return of the much-missed MagSafe power connector. They will also feature an HDMI connection and an SD card slot, in a victory for users who have railed against Apple's insistence on forcing the purchase of expensive, unreliable dongles. The new models are expected later this year.

Threats

LinkedIn: Not for nothing is LinkedIn known as the 'phishermen's friend'. It's cheap and easy to use, and LinkedIn appears unable to stop its use by spies and crooks. This week, the UK's domestic intelligence agency said China and Russia had targeted 10,000 people via the platform and warned anyone with access to sensitive information to be on their guard. BBC

WhatsApp: A fake "pink" themed version of WhatsApp is targeting users in the Indian sub-continent. The app is smart enough to be able to auto-reply to messages received on other platforms. The reply contains a link to the "pink" download site. ESET

Facebook Messenger: A widespread scam is trying to steal Facebook credentials by sending adverts promoting an alleged Messenger update. Researchers found nearly 1,000 fake Facebook profiles being used in the scam. Group-IB

Google Alerts: Great overview of how Google's invaluable tool is being abused by scumbags. Bleeping Computer explains why it pays to be cautious with the links in these alerts.

MacBooks: Just because Apple's new MacBooks run on a new processor doesn't mean they're invulnerable to malicious software. Several variants have emerged and Trend Micro has details on the latest research.

Fake stores: Sites impersonating the Microsoft Store, Spotify and an online document converter are being used to distribute malware designed to steal information stored in browsers. ESET via Bleeping Computer

Nation state crooks

One of the New Yorker's trademark long reads tells the extraordinary tale of North Korea's "hacking army", and the billions of dollars they've stolen for the Pyongyang regime. It begins with the story of a low-level Japanese criminal who spent a day withdrawing cash from ATMs in 7-Eleven stores in accordance with the strict instructions he had been given (e.g. the equivalent of $900 at a time, no more than 19 withdrawals from a single machine). Three hours later, he "waddled" home with 3.8 million yen in his pockets (that's roughly $35,000). Only later did it emerge that the money was destined for the Korean People's Army. It's a great story - and North Korea continues to add to it.

Breaches...again

The veil covering Facebook's public relations strategy slipped when it sent an internal document to a journalist - and the resulting sight isn't pretty. A key part of its strategy, according to the document, is to desensitise users about datasets that have been collected from the public parts of the social network. That approach appears to have been adopted after the personal information of some 533 million users, including mobile phone numbers and birthdates, was published on a hacker forum. "We have to frame this as a sector problem and normalize that this is happening," the internal email sent to Data News said.

Date of death

Proposed legislation in the UK seeks to improve the lamentable security afflicting internet-connected devices by forcing manufacturers to be more transparent and more responsible. The changes would ban easily guessed default passwords - and would outlaw their publication online. Manufacturers would also have to tell customers for how long their purchase would receive security updates. This week researchers published details of vulnerabilities in a smart air fryer which could allow it to be taken over remotely. And CyberNews found 380,000 internet-connected cameras that had their default password unchanged. The UK's proposals are welcome. The challenge will be how to enforce them.

AI

A radical plan by the EU would limit police use of facial recognition and ban some Artificial Intelligence systems, with severe fines for violations. "Our regulation addresses the human and societal risks associated with specific uses of AI," the European Commission said. The plan would create a list of "high-risk" uses of AI, including employment decisions, bank lending, education selection and exam marking. Live facial recognition in public spaces would be banned altogether. The regulation has a long and winding road ahead before it becomes law - and even then, it's likely to face challenges in how it's enforced.

In brief

Crime pays: Even a simple malicious software campaign can bring big rewards. One attacker earned $560,000 from a scam that offered hacking tools on Telegram. Downloading them would install a tool that stole any data copied to the Windows clipboard. The Record

Hacker hacked: Secure messaging outfit, Signal, successfully hacked the Cellebrite tool that is widely used by law enforcement to break into phones. Signal isn't saying how it acquired Cellebrite's product, except that it fell "off a truck"... Signal

Disinformation: Social media companies play a central role in disseminating the messaging of violent extremists in the US, the FBI's Director told a Senate committee. He likened the issue to that of foreign-backed online political disinformation.

Supply chain: As the Apple story demonstrates, it's often much easier to attack a supplier to a company, rather than the company itself. ZDNet explores a growing menace.

Pension fraud: £1.8 million has already been lost this year as criminals target savers, according to Action Fraud. Common scams include fake investment opportunities, early pension releases and free pension reviews.

Vehicles: Cars are increasingly becoming computers on wheels - so they're vulnerable to attack like any other computing device. Owners are worried and report an increase in hacking incidents or other cyber attacks. HSB

Robot: A Californian woman phoned the police after hearing noises downstairs. They responded and broke down the door...to find the culprit was a robot vacuum cleaner. CBS

Updates

Pulse Secure: The US Cybersecurity and Infrastructure Security Agency (CISA) has ordered federal agencies to mitigate a vulnerability in Pulse Connect Secure VPN appliances by today. At least two state-backed groups have been exploiting the vulnerability.

SonicWall: Email Security users are urged to upgrade to the latest version to combat serious vulnerabilities that were previously unknown.

QNAP: A widespread ransomware campaign is targeting QNAP devices by exploiting a vulnerability that was fixed last week.

Windows 10: Microsoft has been rolling out updates to fix problems caused by last week's updates. One issue caused problems connecting to shared folders. The other could be exploited to crash a device simply by opening a folder where a malicious file had been downloaded.

Firefox: Version 88 brings a series of changes and fixes an issue that could be abused to track users' browsing activity between different websites.

Chrome: Yet more security updates from Google. This time, seven issues are addressed, including one that has been actively exploited.

Zoom: Latest update fixes security issues, and also introduces more emoji reactions and new annotation features.

Meet: Not to be outdone (though frankly it already has been), Google has also released new features for its collaboration solution.

Oracle: No fewer than 390 security fixes released as part of the April 2021 Critical Patch Update, including updates to address more than 200 bugs that could be exploited remotely without authentication.
