FFT news digest Nov 19 2021

Cyber warfare

'Cyber warfare' is an inexact term that many analysts reject on the basis that no-one can agree how to define it. Our view is that whatever you call it, nation states, and groups allied to them, are engaging in cyber operations to a worrying degree. Just take the past week, for example:

- The London-based Middle East Eye website was among several sites compromised by unidentified hackers so that visitors would be infected with malicious software. ESET says the attackers may have used spyware from the Israeli company Candiru.

- Facebook says Pakistani hackers set up a fake Android app store to target individuals connected to the former Afghan government, both before and after it was ousted by the Taliban.

- Facebook also said it had taken action against three hacking groups from Syria that used a wide range of tactics and tools to target a range of people in the country, including journalists and humanitarian organisations.

- US, UK, and Australian cybersecurity agencies warned about ongoing efforts to exploit vulnerabilities in Microsoft Exchange and Fortinet and said these were linked to an Iranian-backed hacking group.

- Two Iranian nationals are accused of extensive efforts to interfere in the 2020 US elections, according to a federal indictment. It says they gained access to confidential voter information and the network of a media services company.

- Government-backed hackers from North Korea launched almost weekly cyberattacks throughout the first half of 2021, according to Proofpoint. Attackers used a range of tactics, including sextortion, to target foreign policy experts, non-governmental organisations, academics, and journalists.

- And analysis for TechCrunch warns that China is well down the road of professionalising its next generation of hackers, rather than relying on co-opted criminals.

Threats

FatPipe VPN: The FBI has warned of a vulnerability in FatPipe MPVPN networking devices that has been exploited since at least May. There's no fix at the moment, but FatPipe has suggested mitigations.

Black Friday: A record number of malicious phishing shopping websites have been set up over the last two months as criminals ramp up their operations for next week's shopping extravaganza. Check Point

Streaming: Netflix has long been a popular lure for scumbags trying to steal payment information. The latest variation is a campaign designed to look like sign-up offers for Netflix and its competitors. Kaspersky

WhatsApp: MetaFace has been prompted to launch an awareness campaign in response to the flood of scam messages on its messaging service. "Think. Stop. Call," is its tagline, with the emphasis on not transferring money to anyone until the request has been proved genuine.

Small font: Avanan says it has found phishing emails that use a font size of one to evade email security scanners. The emails appear to be password expiration notifications from Microsoft 365.

Smuggling: There's been a rise in an ingenious technique that attackers use to get malware past perimeter defences. HTML smuggling uses HTML5 and JavaScript features so that the malicious file never crosses the network as a file: the page or attachment carries the payload as encoded data, and the victim's browser decodes it (typically into a Blob), writes it to disk and offers it as a download, so gateway scanners see only HTML. We reckon this is another reason for adopting remote browsing. Microsoft
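Both the tiny-font trick in the Small font item and the smuggling item above come down to the same gap: a scanner and a human reader see different things in the same HTML. The example below is added here to make that concrete; it is not code from Full Frame Tech, Avanan or Microsoft. It parses an HTML body with Python's standard-library parser, separates the text a reader would see from text hidden by a tiny font or `display:none`, and looks inside `<script>` blocks for the browser APIs that smuggling pages rely on (`atob`, `Blob`, `createObjectURL`, `msSaveOrOpenBlob`, a scripted `download` attribute). The thresholds, marker list and the three sample messages are constructed for illustration; the "payload" in the smuggling sample is the bytes of the word Hello.

```python
"""Heuristic checks for two tricks from this digest: text hidden with a tiny
font and HTML smuggling. Added example, not vendor code; thresholds and
samples are constructed for illustration."""
import re
from html.parser import HTMLParser

TINY_FONT_PX = 2.0      # hypothetical threshold: 0px/1px text is unreadable
HIDDEN_RATIO = 0.2      # hypothetical: flag if >= 20% of the text is hidden
SMUGGLING_MARKERS = {   # name -> pattern searched inside <script> bodies only
    "atob": r"\batob\s*\(",                 # decode embedded base64 payload
    "blob": r"new\s+Blob\s*\(",             # assemble the file in memory
    "object_url": r"createObjectURL\s*\(",  # turn the blob into a URL
    "ms_save": r"msSaveOrOpenBlob",         # legacy IE/Edge save API
    "download": r"\.download\s*=",          # file name set from script
}
_FONT_RE = re.compile(r"font-size\s*:\s*([0-9.]+)\s*(px|pt)?", re.I)
_HIDDEN_RE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)


def _is_hidden(attrs):
    """True if an element's inline style makes its text invisible to a reader."""
    style = dict(attrs).get("style") or ""
    if _HIDDEN_RE.search(style):
        return True
    m = _FONT_RE.search(style)
    return bool(m) and float(m.group(1)) <= TINY_FONT_PX


class _Extractor(HTMLParser):
    """Splits text into what a reader sees and what only a scanner sees,
    and collects <script> bodies for the smuggling check."""
    def __init__(self):
        super().__init__()
        self.visible, self.hidden, self.script = [], [], []
        self._stack = []        # (tag, hidden?) for every open element
        self._hidden_depth = 0  # > 0 while inside a hidden element
        self._raw = None        # "script"/"style" while inside one
        self.download_links = 0

    def handle_starttag(self, tag, attrs):
        hidden = _is_hidden(attrs)
        self._stack.append((tag, hidden))
        self._hidden_depth += hidden
        if tag in ("script", "style"):
            self._raw = tag
        if tag == "a" and "download" in dict(attrs):
            self.download_links += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self._raw = None
        if not any(t == tag for t, _ in self._stack):
            return                          # stray close tag: ignore
        while self._stack:                  # pop back to the matching open
            t, hidden = self._stack.pop()   # tag; void tags like <br> fall
            self._hidden_depth -= hidden    # out of the stack here too
            if t == tag:
                break

    def handle_data(self, data):
        if self._raw == "script":
            self.script.append(data)
            return
        text = data.strip()
        if text and self._raw is None:
            (self.hidden if self._hidden_depth else self.visible).append(text)


def analyze(html: str) -> dict:
    """Return reader-visible text, hidden text, smuggling markers and reasons."""
    p = _Extractor()
    p.feed(html)
    p.close()
    script = "".join(p.script)
    markers = sorted(n for n, pat in SMUGGLING_MARKERS.items() if re.search(pat, script))
    h, v = sum(map(len, p.hidden)), sum(map(len, p.visible))
    ratio = h / (h + v) if h + v else 0.0
    reasons = []
    if ratio >= HIDDEN_RATIO:
        reasons.append("hidden text")
    if len(markers) >= 2 or (markers and p.download_links):
        reasons.append("html smuggling")
    return {"visible_text": " ".join(p.visible), "hidden_text": " ".join(p.hidden),
            "hidden_ratio": ratio, "markers": markers,
            "download_links": p.download_links, "reasons": reasons}


# Constructed samples, not real phishing mail.
TINY_FONT_MAIL = """<html><body>
<p>Your Microsoft 365 password expires today.
<span style="font-size:1px">lorem ipsum dolor sit amet quarterly invoice</span>
Keep your password by clicking <a href="https://example.invalid/keep">here</a>.</p>
</body></html>"""

SMUGGLING_ATTACHMENT = """<html><body><p>Loading your document...</p>
<script>
var b64 = "SGVsbG8=";   // placeholder bytes ("Hello"), not a real payload
var bytes = Uint8Array.from(atob(b64), c => c.charCodeAt(0));
var blob = new Blob([bytes], {type: "application/octet-stream"});
var a = document.createElement("a");
a.href = URL.createObjectURL(blob);
a.download = "invoice.iso";
a.click();
</script></body></html>"""

BENIGN_MAIL = "<html><body><p>Hi, the agenda is attached. Thanks.</p></body></html>"

if __name__ == "__main__":
    for name, doc in [("tiny font", TINY_FONT_MAIL), ("smuggling", SMUGGLING_ATTACHMENT),
                      ("benign", BENIGN_MAIL)]:
        r = analyze(doc)
        print(f"{name}: reasons={r['reasons']} markers={r['markers']} "
              f"hidden_ratio={r['hidden_ratio']:.2f}")
```

The point of splitting visible from hidden text is that a content filter scoring only the raw text is the one being gamed: the 1px span dilutes the "password expires" lure with junk, so scoring what the reader actually sees, and treating a large hidden share as a signal in itself, closes that gap. The smuggling check is deliberately based on what the script must do rather than on any particular payload, since the bytes that matter are never present as a file on the wire.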

Internet Explorer: Microsoft's ancient browser is no longer supported, but that doesn't mean criminals aren't trying to exploit it. Delete. Now! Bleeping Computer

Organised crime

More evidence about the ridiculous scale of cybercrime, this week from Europol and the UK's National Cyber Security Centre. In its latest Internet Organised Crime Threat Assessment, Europol outlines the extent to which criminals have taken advantage of the COVID-19 pandemic. It says they continue to exploit remote working and the increased reliance on online shopping, while the increased amount of time children spend online has made them more susceptible to grooming. For its part, the NCSC says it provided comprehensive support for 777 cyber incidents during the past 12 months, up from 723 in 2019. Some 20% of the attacks targeted healthcare organisations and those involved in COVID-19 vaccination research and distribution.

Ransomware

Collaboration between Russian ransomware groups and Chinese hackers is not the sort of development to make anyone feel safer. Alas, this is exactly what Flashpoint says it has seen on hacking forums - although it also warns that this might be designed to manipulate the media. Flashpoint has screenshots from one forum showing a Russian using what appears to be machine-translated Mandarin to ask about buying vulnerabilities. Separately, research from Digital Shadows says ransomware groups are now rich enough to buy zero-day (i.e. previously undisclosed) vulnerabilities. Until now, such issues have mainly been available only to nation-states rather than to criminals, although the line between the two is admittedly often blurry.

Man in the Middle

Researchers have found 1,220 phishing websites that target online services including Instagram, Google, Apple, PayPal and LinkedIn. Their aim is to steal users' credentials and defeat the increasing use of two-factor authentication. The study from Stony Brook University and Palo Alto Networks shows how toolkits enable fraudsters to sit between an online service and its users. The kits run a fake website that mirrors the live content of the target service and simply relays requests and responses in real time. Because the victim is really logging in to the genuine service through the attacker's proxy, the password, the one-time 2FA code and the session cookie issued after login all pass through the attacker's hands, which is why codes sent by SMS or an authenticator app do not help here. The good news is that the researchers have come up with a method to identify the fake websites, based on the network-timing artefacts that relaying introduces.

Bad Apple

Last week, we reported on a Hong Kong website that exploited a vulnerability in Apple's Mac operating system to infect visitors with malware. That's worrying, but the real issue is that Apple failed to fix the issue despite having known about it for seven months. The delay affected Catalina, a version Apple continues to support in line with its policy of releasing updates for around two years after an operating system is superseded. Apple has yet to comment, but analysts have pointed to what they say are serious problems in the company's approach to fixing the (many) vulnerabilities in its products. The bottom line, in their view, is that the only way to be sure of getting security updates is to install the latest operating system version (which is often plagued with bugs).

In brief

Outages: Many services, including Spotify, were hit by a brief failure of Google's services this week. It's a reminder that incidents will happen, despite the vast efforts companies like Google invest in reliability. At a practical level, an earlier outage that affected NHS apps is a reminder to download or print out one's COVID-19 vaccination status.

Amazon ultrasound: A new feature will allow late-model Echo and Echo Dot speakers to use ultrasound to detect when anyone's at home so that lights and other smart devices can be turned on and off. Google already has a similar feature in some of its devices.

TikTok: More than 125 people and businesses associated with popular TikTok accounts were targeted in a phishing campaign. Emails warned that accounts were at risk of being deleted for copyright violations or eligible for a verification badge. Abnormal Security via CyberScoop

Disney: A text-to-speech voice on TikTok (meant to sound like Rocket the Raccoon) refused to read words, including “gay,” “lesbian,” or “queer”. After users demonstrated Rocket's reluctance, the issue suddenly disappeared.

Text suspension: A high school student in New Hampshire is suing his school district after being suspended for text messages about gender identity that he sent when he was off campus.

Rent-a-hit: A 52-year-old Michigan woman decided to have her husband killed. Unfortunately for her, she went to rentahitman[.]com and completed a "service request". The site turned out to be a cybersecurity test site and its owner was so worried he promptly informed the police. She's now pleaded guilty to charges of solicitation of murder. mLIVE

Suitcase: Pen Test Partners has made a name for itself in identifying some of the shortcomings of internet-connected devices. Its latest victim is a Bluetooth-enabled robotic suitcase which can be hijacked by guessing its secret pairing code. It's 11111111. (And the luggage costs a mere $745.)

Updates

iOS: Yet another update for iPhones and iPads. iOS 15.1.1 is supposed to fix problems with calls being cut off on iPhone 12 and iPhone 13 models, and the update is only available for those devices.

Windows Server: An unscheduled update to fix authentication problems caused by the monthly patch release last week.

Windows 10: Version 21H2 (aka the November 2021 Update) has few new features and is probably not worth installing. The exception might be anyone running Windows 10 2004 because Microsoft will stop supporting it next month. Until now, Microsoft has released new versions of Windows 10 every six months. From now on, there will be one per year to align with Windows 11.

Chrome: Yet another update for Google's browser which appears to be riddled with vulnerabilities. Google says the latest release fixes no fewer than 25 security issues. Unfortunately, it also appears to cause problems with many websites.

Netgear: Updates for small office and home routers to address dangerous vulnerabilities in their UPnP functionality. Universal Plug and Play is designed to make small networks easier to use by letting devices open ports on the router automatically, but it has well-documented security issues and, ideally, it would be disabled. Unfortunately, this can cause problems for non-technical users, so it's another reminder of the importance of keeping routers updated.

Zoom: Updates for Zoom's conferencing apps (not its standalone video call app).


Address

152-160 City Road
London, EC1V 2NX

Contacts
Email: info@fullframetech.com
Phone: +44 (0) 20 3290 2205
Support: +44 (0) 20 3290 2207

Company registration no. 10243217