FFT news digest Jul 16 2021

Gone... but for how long?

The group behind recent high-profile ransomware attacks disappeared this week, with its web sites and infrastructure suddenly going offline. The disappearance came four days after President Biden demanded his Russian counterpart take action against ransomware groups attacking US organisations. Tempting as it might be to connect the two events, it's just as likely the group, known as REvil, decided to lie low until the dust from their recent exploits settles. Other ransomware groups have gone offline in the past, only to re-emerge with updated tools and methods.

Researchers have been analysing REvil's methods and their conclusions are depressing, but not unexpected. Palo Alto Networks says the most common tactics are as simple as a phishing message and/or logging into Remote Desktop Protocol servers using stolen credentials. Given how effective this approach has been, it's easy to see why REvil wouldn't bother with anything more complicated. And Palo Alto says REvil has been very effective indeed; the average payout so far this year is $2.25 million.

Many organisations lack both the technology and the knowledge to prevent or detect ransomware attacks, according to research by Trend Micro. Its survey found a widespread inability to detect phishing emails, remote desktop protocol (RDP) compromise or other common techniques. Trend Micro urges organisations to adopt multi-factor authentication, install security updates promptly and ensure employees have regular awareness sessions. And Palo Alto Networks says it's essential to learn what's normal in an IT environment so that any changes can be spotted and analysed.

Threats

Trends: Some obvious but important issues for the second half of the year. Hybrid working is likely to see more staff returning to offices, but this will also lead to potentially harmful devices connecting to corporate networks. Likewise, working from home will almost certainly have resulted in people adopting unofficial solutions ('shadow IT') to overcome connectivity issues. All of this will create a substantial workload for administrators. Dice

LinkedIn: More than 632 million user profiles have been harvested from LinkedIn in the third such incident in four months. Yet again, it's not a breach, just a result of using clever tools to 'scrape' the information from the platform. BBC cybernews

Screen stream: Newly-uncovered malicious software records a victim's computer screen by abusing a popular live-streaming solution. The giveaway is that it comes under the guise of installers for the outdated Adobe Flash Player and Microsoft Silverlight programmes. Trend Micro

Vishing: Good example of the (very convincing) tactics used by criminals in their efforts to steal banking credentials. BBC journalist, Jon Ironmonger, recorded a call with one scammer, whose polite mask (finally) slips when challenged, to be replaced by a vicious snarl.

Crypto crooks: Criminals are using every trick in the book to steal cryptocurrency, including technical support scams, SIM swaps and old-fashioned phishing. If you own cryptocurrency, you will be targeted. Bleeping Computer

Verification: Verification badges have become a sought-after status symbol among social media users, and there's been an increase in scammers trying to exploit them. They promise verification in return for money or account details. CNET

Storage: If you have a consumer storage device attached to your home network, you should probably ensure that it's not connected to the internet. There have been too many security vulnerabilities in these NAS devices - culminating in the disastrous wiping of some WD products.

Pixels: A reminder about the risks of using pixelisation (or blurring) to obscure information in images. A researcher wrote a tool to recover passwords from pixelised screenshots. It works, so it's far better to obscure sensitive information with a solid colour.
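To show why the advice above holds, here is an added example (ours, not part of the digest or the researcher's tool) in pure Python. It uses a constructed three-letter toy font to rasterise short strings, then applies a mosaic (pixelation) filter and a solid fill to the result. Because the mosaic tiles are just the mean of the underlying pixels, different inputs still give different outputs, so the text can be matched back; a solid fill gives the same output whatever the input. The glyph bitmaps, block size and candidate strings are all assumptions made for the demonstration.

```python
"""Why pixelation leaks information and a solid fill does not (toy demonstration)."""
from itertools import product

# Constructed 5x5 bitmaps for three letters: a hypothetical toy font, not a real one.
GLYPHS = {
    "A": [".###.", "#...#", "#####", "#...#", "#...#"],
    "B": ["####.", "#...#", "####.", "#...#", "####."],
    "C": [".####", "#....", "#....", "#....", ".####"],
}
GLYPH_H, GLYPH_W, GAP = 5, 5, 1


def render(text):
    """Rasterise text into a grayscale image (list of rows; 0 = background, 255 = ink)."""
    width = len(text) * (GLYPH_W + GAP) - GAP
    img = [[0] * width for _ in range(GLYPH_H)]
    for i, ch in enumerate(text):
        x0 = i * (GLYPH_W + GAP)
        for y, row in enumerate(GLYPHS[ch]):
            for x, px in enumerate(row):
                if px == "#":
                    img[y][x0 + x] = 255
    return img


def pixelate(img, block=2):
    """Mosaic filter: each block x block tile is replaced by its mean intensity.
    The means are a deterministic function of the pixels underneath, so the
    output still depends on (and therefore reveals something about) the text."""
    h, w = len(img), len(img[0])
    out = [[0] * w for _ in range(h)]
    for by in range(0, h, block):
        for bx in range(0, w, block):
            ys = range(by, min(by + block, h))
            xs = range(bx, min(bx + block, w))
            tile = [img[y][x] for y in ys for x in xs]
            mean = sum(tile) // len(tile)
            for y in ys:
                for x in xs:
                    out[y][x] = mean
    return out


def solid_fill(img, value=0):
    """Redact by overwriting the region with one colour: output is independent of input."""
    return [[value] * len(row) for row in img]


def count_distinct(redact, texts):
    """Number of different redacted images a set of candidate strings produces.
    len(texts) means every candidate is still distinguishable after redaction;
    1 means nothing about the input survives."""
    seen = {tuple(map(tuple, redact(render(t)))) for t in texts}
    return len(seen)


# Constructed candidate set: every two-letter string over the toy alphabet.
CANDIDATES = ["".join(p) for p in product("ABC", repeat=2)]

if __name__ == "__main__":
    n = len(CANDIDATES)
    print("pixelate  :", count_distinct(pixelate, CANDIDATES), "distinct outputs from", n, "inputs")
    print("solid fill:", count_distinct(solid_fill, CANDIDATES), "distinct output from", n, "inputs")
```

The check generalises beyond the toy font: if rendering each plausible candidate through the same redaction gives distinguishable results, the redaction is leaking, which is exactly the property that lets a pixelised password screenshot be matched back to its text. Blurring behaves the same way as the mosaic here; only overwriting with a single colour (or cropping the region out entirely) removes the information.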

Iran

Iranian government hackers are smart and relentless. In their latest escapade they impersonated two UK academics in an effort to attack journalists, think tanks and other academics. The campaign used invitations to fake conferences and events in an attempt to persuade targets to enter their details in a legitimate but compromised website, according to the report by Proofpoint. Such tactics are not unusual. What is less common is that the Iranians also tried to persuade their targets to have a chat on the phone. Meanwhile, Facebook says it put an end to an Iranian campaign that used the platform to attack US military personnel by posing as job recruiters.

Spyware

Another fascinating tale from Citizen Lab which sheds more light on the secretive world of international spyware manufacturers. The latest subject to be examined by Citizen Lab is Candiru, a(nother) Israeli-based company with products designed to compromise and monitor iPhones, Android devices, Macs, PCs and cloud accounts. By identifying a "politically active victim" in Western Europe, Citizen Lab recovered a copy of Candiru's spyware. Working with Microsoft, Citizen Lab observed at least 100 victims in Europe, the Middle East and as far afield as Singapore. It's great research that brought together disparate organisations. It's well worth a read.

Creeps

There are plenty of reasons not to trust social media companies, but chief among them is that there's no way they can guarantee some of their employees aren't scumbags. This week's evidence to support this assertion comes courtesy of Facebook, which fired 52 people in 2014 and 2015 for abusing their privileged access to user data, according to "An Ugly Truth: Inside Facebook's Battle for Domination". There are lots of examples, but here's one. A woman was on holiday with a Facebook engineer. Following an argument, she left their hotel to stay somewhere else. Using Facebook data, the engineer was able to go straight to her new hotel to "confront" her.

Social media ID

The grotesque racial abuse that followed England's Euro 2020 defeat has led to calls in the UK (including a petition) for social media platforms to verify the identity of their users. We believe firmly that concerted action is needed to address the toxicity of much of social media, but we also recognise there are fundamental obstacles to any ID verification scheme. Quite apart from issues around privacy, we have little confidence in the ability of social media companies to operate such a scheme. And unless a global approach were taken, it would be simple to circumvent the controls. On the plus side, perhaps it's a sign that people are beginning to think seriously about how to confront the dangers of social media.

In brief

Sleep: The US federal communications regulator has approved an Amazon request to use higher-powered radar to monitor people's sleep patterns and sense gesture commands. Bloomberg

Washing machine: Meet the Samsung model that won't work until its owner gives it access to their contacts, location and camera. Reddit

Google fine: The French competition authority has fined Google €500m for failing to negotiate fees with news publishers. It follows a ruling last year that Google had to pay for excerpts used in Google News.

TikTokJob: TikTok is asking US job seekers to submit video resumes to leading US brands to land a new gig. Participating companies include Target and Chipotle. What could possibly go wrong?

Facebookville: Facebook is building a new, self-contained town near its current HQ in Silicon Valley. 1,729 apartments, a hotel, supermarket, cafes, parks etc. You can clock off, but you never leave. Reclaimthenet

Germany: Government agencies have been told to close their official Facebook pages. The Federal Information Commissioner said Facebook was continuing to violate the protection of users' personal data. Reuters

Collapse: In 1972, Massachusetts Institute of Technology predicted that rapid economic growth would lead society to collapse in the middle of the 21st century. Motherboard highlights a paper from KPMG that says we're right on schedule. Sorry.

Updates

SolarWinds: Users of Serv-U products should ensure they have been updated. Microsoft says a vulnerability has been exploited by Chinese attackers.

Microsoft: This month's set of updates addresses 117 vulnerabilities, with 13 rated 'critical' and four being actively exploited. A very worrying issue is a vulnerability in Microsoft's Scripting Engine that can be used to create a booby-trapped website. There's also another update for the PrintNightmare issue. This one is supposed to resolve problems with the previous fixes, but there are already reports of a separate printing-related vulnerability in the way drivers are installed.

Ring: Amazon is rolling out end-to-end encryption for eligible devices. Once enabled, it means no-one apart from the owner can see video feeds (which means they're not visible to Amazon or to law enforcement agencies).

Forgerock: Vulnerabilities in the OpenAM access management solution are being actively exploited and users are being urged to check the latest updates have been installed.

Chrome: Google has released Chrome 91.0.4472.164 for Windows, Mac, and Linux to fix seven security vulnerabilities. Yet again, one is a high severity 'zero-day' vulnerability that is being actively exploited.

Firefox: Firefox 90 includes a new version of Mozilla's anti-tracking mechanism.

Adobe: Updates to address vulnerabilities in multiple Adobe products, including Acrobat and Reader.

VMware: Security update to address a vulnerability in VMware ESXi and VMware Cloud Foundation.

Tails: Version 4.20 includes fundamental changes, including how to connect to the Tor network.

Veracrypt: Ghacks has details of a fix for an issue preventing the VeraCrypt tool from working correctly on Windows systems. 

Address

152-160 City Road
London, EC1V 2NX

Contacts
Email: info@fullframetech.com
Phone: +44 (0) 20 3290 2205
Support: +44 (0) 20 3290 2207

Company registration no. 10243217