A quick Saturday digest of cybersecurity news articles from other sources.
Reddit admits it was hacked and data stolen, says “Don’t panic”
Reddit is suggesting 3 tips as a follow-up to this breach. We agree with 2 of them but not with the 3rd…
DarkBit Ransomware Targets Israel with Command-Line Options and Optimized Encryption Routines
A new ransomware strain dubbed “DarkBit” has recently appeared on the threat landscape after targeting one of Israel’s top research universities, Technion – Israel Institute of Technology (IIT).
The threat actor behind this Golang-compiled ransomware appears to have geopolitical motivations; the ransom note is laden with anti-Israeli and anti-government rhetoric, along with mentions of the recent spate of layoffs across the technology industry.
The main portable executable (PE) module supports command-line options and data encryption optimization for large files.
Mysterious Russian satellites are now breaking apart in low-Earth orbit
First it’s Chinese spy balloons, then “UFOs”, now Russian mystery satellites.
On Christmas Day, 2013, the relatively small Russian Rokot rocket launched from the Plesetsk site in the northern part of the country. The mission carried three small military communications satellites, but observers noted that the mission appeared to eject a fourth object into orbit.
A few months later Russia confirmed that this object was a satellite, and it came to be known as Cosmos 2491. To the surprise of many sky watchers, this satellite then began to perform novel orbital maneuvers, such as raising and lowering its orbit, that demonstrated rendezvous and proximity operations.
Cryptocurrency users in the US hit by ransomware and Clipper malware
A new attack campaign launched by an unknown threat actor targets the U.S. with two malware families: MortalKombat ransomware and Laplas Clipper. We detail how these malware campaigns are executed and how to keep your business safe.
This attack campaign as described by Cisco Talos starts with a phishing email that impersonates CoinPayments, a legitimate cryptocurrency payment gateway. The content is very brief, describing a payment in Bitcoin that has been canceled due to a time-out problem. It seems reasonable to believe only people making transactions in Bitcoin would open the attached file, which is a ZIP archive file containing a malicious BAT loader script. More…
Frebniis: New Malware Abuses Microsoft IIS Feature to Establish Backdoor
Malware injects malicious code into Failed Request Event Buffering module in order to monitor HTTP requests from attacker. Symantec, by Broadcom Software, has observed a new malware that abuses a feature of Microsoft’s Internet Information Services (IIS) to deploy a backdoor onto targeted systems.
The malware, dubbed Frebniis (Backdoor.Frebniis), was used by a currently unknown threat actor against targets in Taiwan.
The technique used by Frebniis involves injecting malicious code into the memory of a DLL file (iisfreb.dll) related to an IIS feature used to troubleshoot and analyze failed web page requests. This allows the malware to stealthily monitor all HTTP requests and recognize specially formatted HTTP requests sent by the attacker, allowing for remote code execution. In order to use this technique, an attacker needs to gain access to the Windows system running the IIS server by some other means. In this particular case, it is unclear how this access was achieved. More..
Security warning: Beep malware can evade detection
Cybersecurity experts at Minerva recently made a stunning discovery of a new malware tagged Beep that has the features to evade detection and analysis by security software. The cybersecurity organization discovered Beep after samples were uploaded on VirusTotal.
How Beep works to evade detection
While Beep is in its early stage of development and still lacks some essential malware attack capabilities, Minerva’s report shows that it can enable threat actors to download and inject additional payloads on infected systems using three major components: a dropper, an injector and a payload.
The differentiating factor between Beep and other malware is its ability to beat detection using unique evasion techniques. For example, Beep uses sandbox evasion techniques to bypass sandbox security systems used to test suspicious programs for malware activity. Beep also uses encryption techniques to disguise its malicious activity, making it even more difficult to detect. More…
Bruce Schneier Posts
The FBI Identified a Tor User
[2023.01.17] No details, though:
According to the complaint against him, Al-Azhari allegedly visited a dark web site that hosts “unofficial propaganda and photographs related to ISIS” multiple times on May 14, 2019. In virtue of being a dark web site — that is, one hosted on the Tor anonymity network — it should have been difficult for the site owner’s or a third party to determine the real IP address of any of the site’s visitors.
Yet, that’s exactly what the FBI did. It found Al-Azhari allegedly visited the site from an IP address associated with Al-Azhari’s grandmother’s house in Riverside, California. The FBI also found what specific pages Al-Azhari visited, including a section on donating Bitcoin; another focused on military operations conducted by ISIS fighters in Iraq, Syria, and Nigeria; and another page that provided links to material from ISIS’s media arm. Without the FBI deploying some form of surveillance technique, or Al-Azhari using another method to visit the site which exposed their IP address, this should not have been possible.
There are lots of ways to de-anonymize Tor users. Someone at the NSA gave a presentation on this ten years ago. (I wrote about it for the Guardian in 2013, an essay that reads so dated in light of what we’ve learned since then.) It’s unlikely that the FBI uses the same sorts of broad surveillance techniques that the NSA does, but it’s certainly possible that the NSA did the surveillance and passed the information to the FBI.
AI and Political Lobbying
[2023.01.18] Launched just weeks ago, ChatGPT is already threatening to upend how we draft everyday communications like emails, college essays and myriad other forms of writing.
Created by the company OpenAI, ChatGPT is a chatbot that can automatically respond to written prompts in a manner that is sometimes eerily close to human.
But for all the consternation over the potential for humans to be replaced by machines in formats like poetry and sitcom scripts, a far greater threat looms: artificial intelligence replacing humans in the democratic processes — not through voting, but through lobbying.
ChatGPT could automatically compose comments submitted in regulatory processes. It could write letters to the editor for publication in local newspapers. It could comment on news articles, blog entries and social media posts millions of times every day. It could mimic the work that the Russian Internet Research Agency did in its attempt to influence our 2016 elections, but without the agency’s reported multimillion-dollar budget and hundreds of employees. More...
No-Fly List Exposed
[2023.01.23] I can’t remember the last time I thought about the US no-fly list: the list of people so dangerous they should never be allowed to fly on an airplane, yet so innocent that we can’t arrest them. Back when I thought about it a lot, I realized that the TSA’s practice of giving it to every airline meant that it was not well protected, and it certainly ended up in the hands of every major government that wanted it.
The list is back in the news today, having been left exposed on an insecure airline computer. (The airline is CommuteAir, a company so obscure that I’ve never heard of it before.)
This is, of course, the problem with having to give a copy of your secret list to lots of people.
EDITED TO ADD (2/14): The 23 yo researcher who found NOFLY.csv wrote a blog post about it. This is not the first time the list has become public.
NIST Is Updating Its Cybersecurity Framework
[2023.01.30] NIST is planning a significant update of its Cybersecurity Framework. At this point, it’s asking for feedback and comments to its concept paper.
- Do the proposed changes reflect the current cybersecurity landscape (standards, risks, and technologies)?
- Are the proposed changes sufficient and appropriate? Are there other elements that should be considered under each area?
- Do the proposed changes support different use cases in various sectors, types, and sizes of organizations (and with varied capabilities, resources, and technologies)?
- Are there additional changes not covered here that should be considered?
- For those using CSF 1.1, would the proposed changes affect continued adoption of the Framework, and how so?
- For those not using the Framework, would the proposed changes affect the potential use of the Framework?
The NIST Cybersecurity Framework has turned out to be an excellent resource. If you use it at all, please help with version 2.0.
EDITED TO ADD (2/14): Details on progress and how to engage.
About the Author:I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at http://wyzguyscybersecurity.com