Security
Headlines
HeadlinesLatestCVEs

Headline

Threat Source newsletter (Sept. 29, 2022) — Attackers are already using student loan relief for scams

By Jon Munshaw.

Welcome to this week’s edition of the Threat Source newsletter.

I’ve spent the past few months with my colleague Ashlee Benge looking at personal health apps’ privacy policies. We found several instances of apps that carry sensitive information stating they would share certain information with third-party advertisers and even law enforcement agencies, if necessary.

One of the most popular period-tracking apps on the Google Play store, Period Calendar Period Tracker, has a privacy policy that states it will “share information with law enforcement agencies, public authorities, or other organizations if We’re [sic] required by law to do so or if such use is reasonably necessary. We will carefully review all such requests to ensure that they have a legitimate basis and are limited to data that law enforcement is authorized to access for specific investigative purposes only.”

A report from the Washington Post also released last week found that this app, as well as popular health sites like WebMD, “gave advertisers the information they’d need to market to people, or groups of consumers based on their health concerns.”

To me — these were all things I had never considered before. I’m sure I’m not alone in just going to Google to type in “pain in left flank” or something along those lines to see if I’m dying or not. The research Ashlee and I did really make me rethink the type of information I’m inputting into apps on my phone, especially around my health. For example, I de-coupled the Google Fit tracking from my phone so it’s not just counting steps in the background. And I’ve switched to a privacy-focused browser on my personal computer at home (it doesn’t help that I’m also mad at Chrome for ending support for ad blockers).

I’m actually mad at myself that it took me this long to think more critically about this topic. The research has always been out there.

A 2018 study from Privacy International found that 61 percent of apps they tested immediately started sharing data with Facebook the instant a user opens the app — this was at the peak of the discussion around the Cambridge Analytica/Facebook scandal. And the U.S. Federal Trade Commission filed a complaint against the Flo period-tracking app in January 2021 for misleading users about who it sends personal information to.

We, collectively as a society, should have always been taking this issue more seriously. And the recent Supreme Court ruling in Dobbs v. Jackson Women’s Health Organization is highlighting how personal data stored on apps could lead to legal consequences. The warning sides have always been there, but I think we were just too willing to trade in convenience in exchange for our privacy, thinking many of us have “nothing to hide.”

The one big thing

Insider threats are becoming an increasingly common part of the attack chain, with malicious insiders and unwitting assets playing key roles in incidents over the past year. This is becoming an increasing challenge for companies that now have remote workers all over the globe, many of whom may never come back to the office again. And if one of these employees leaves, it could leave some major security gaps. Over the past six months to a year, Talos has seen an increasing number of incident response engagements involving malicious insiders and unwitting assets being compromised via social engineering.

Why do I care? Insider threats are different than “traditional” cyber attacks we think of because it’s not about a threat actor sitting in an entirely different country lobing malicious code at a network. It usually involves trying to socially engineer someone into unwittingly letting their guard down and providing access to a malicious user or giving up sensitive information in exchange for some money. This can seriously happen to anyone anywhere, increasingly so in the era of hybrid work. So now what?

Defending against these types of insider threats is difficult for a variety of reasons, but first and foremost, they typically are allowed to access the network and have valid login credentials. This is where traditional security controls like user and access control come into play. Organizations should limit the amount of access a user has to the minimum required for them to perform their job.

Top security headlines from the week

Ukraine is warning that Russian state-sponsored actors are still targeting critical infrastructure with cyber attacks. The campaigns would likely be to “increase the effect of missile strikes on electrical supply facilities,” the Ukrainian government said. The warning also stated that the actors would also target Baltic states and Ukrainian allies with distributed denial-of-service attacks. Meanwhile, the U.S. continues to invest money into Ukraine’s cyber defenses and volunteer hackers continue to pitch in across the globe. (CyberScoop, Voice of America) U.K. police arrested a teenager allegedly involved in the recent Rockstar data breach, which included leaked information regarding the upcoming “Grand Theft Auto VI” video game. The suspect may have ties to the Lapsus$ ransomware group and have some involvement in another data breach against the Uber rideshare company. Lapsus$’s recent activities are vastly different from what APTs’ traditional goals are, usually related to making money somehow, instead opting to just seemingly want to cause chaos of the sake of it. These two major breaches highlight the fact that many major organizations have unaddressed vulnerabilities. (TechCrunch, Wired) A disgruntled developer leaked the encryptor behind the LockBit 3.0 ransomware, the latest in a line of drama with the group. The builder works and could allow anyone to build their own ransomware. The Bl00Dy ransomware gang has already started to use the leaked builder in attacks against companies. Bl00Dy has been operating since May 2022, first targeting medical and dental offices in New York. In the past, the group has also used leaked code from Babuk and Conti to build their ransomware payloads. They also claim to have a Tor channel they use to post leaks from affected companies if they do not pay the ransom. (The Record, Bleeping Computer)

Can’t get enough Talos?

Talos Takes Ep. #114: Once more into the Lazarus Pit Threat Roundup for Sept. 16 - 23 Cisco Talos Tracks Insider Attack Surge Phishing attack targets Microsoft flaw to deliver Cobalt Strike Researchers say insider threats play a larger role in security incidents Lazarus Group Targets MacOS Users Seeking Crypto Jobs

Upcoming events where you can find Talos

Cisco Security Solution Expert Sessions (Oct. 11 & 13) Virtual

GovWare 2022 (Oct. 18 - 20) Sands Expo & Convention Centre, Singapore

Most prevalent malware files from Talos telemetry over the past week

SHA 256: e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934
MD5: 93fefc3e88ffb78abb36365fa5cf857c
Typical Filename: Wextract
Claimed Product: Internet Explorer
Detection Name: PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg

SHA 256: 125e12c8045689bb2a5dcad6fa2644847156dec8b533ee8a3653b432f8fd5645
MD5: 2c8ea737a232fd03ab80db672d50a17a
Typical Filename: LwssPlayer.scr
Claimed Product: 梦想之巅幻灯播放器
Detection Name: Auto.125E12.241442.in02

SHA 256: 1a234656f81e870cdeb0e648a6b305a41452c405cca21124de26b54f79d55ad0
MD5: 10f1561457242973e0fed724eec92f8c
Typical Filename: ntuser.vbe
Claimed Product: N/A
Detection Name: Auto.1A234656F8.211848.in07.Talos

SHA 256: c326d1c65c72eb66f5f5c0a84b1dcf3e8a79b69fffbd7a6e232b813ffbb23254 MD5: 8a5f8ed00adbdfb1ab8a2bb8016aafc1
Typical Filename: RunFallGuys.exe Claimed Product: N/A Detection Name: W32.Auto:c326d1.in03.Talos

SHA 256: 36efad0617db0d45de00cc4f3cf49af7c2d6b5b15ca456d13703b5d366c58431 MD5: 147c7241371d840787f388e202f4fdc1 Typical Filename: EKSPLORASI.EXE Claimed Product: N/A
Detection Name: Win32.Generic.497796

TALOS
#vulnerability#web#mac#google#microsoft#cisco#dos#git#auth#chrome

By Jon Munshaw.

Welcome to this week’s edition of the Threat Source newsletter.

I’ve spent the past few months with my colleague Ashlee Benge looking at personal health apps’ privacy policies. We found several instances of apps that carry sensitive information stating they would share certain information with third-party advertisers and even law enforcement agencies, if necessary.

One of the most popular period-tracking apps on the Google Play store, Period Calendar Period Tracker, has a privacy policy that states it will “share information with law enforcement agencies, public authorities, or other organizations if We’re [sic] required by law to do so or if such use is reasonably necessary. We will carefully review all such requests to ensure that they have a legitimate basis and are limited to data that law enforcement is authorized to access for specific investigative purposes only.”

A report from the Washington Post also released last week found that this app, as well as popular health sites like WebMD, “gave advertisers the information they’d need to market to people, or groups of consumers based on their health concerns.”

To me — these were all things I had never considered before. I’m sure I’m not alone in just going to Google to type in “pain in left flank” or something along those lines to see if I’m dying or not. The research Ashlee and I did really make me rethink the type of information I’m inputting into apps on my phone, especially around my health. For example, I de-coupled the Google Fit tracking from my phone so it’s not just counting steps in the background. And I’ve switched to a privacy-focused browser on my personal computer at home (it doesn’t help that I’m also mad at Chrome for ending support for ad blockers).

I’m actually mad at myself that it took me this long to think more critically about this topic. The research has always been out there.

A 2018 study from Privacy International found that 61 percent of apps they tested immediately started sharing data with Facebook the instant a user opens the app — this was at the peak of the discussion around the Cambridge Analytica/Facebook scandal. And the U.S. Federal Trade Commission filed a complaint against the Flo period-tracking app in January 2021 for misleading users about who it sends personal information to.

We, collectively as a society, should have always been taking this issue more seriously. And the recent Supreme Court ruling in Dobbs v. Jackson Women’s Health Organization is highlighting how personal data stored on apps could lead to legal consequences. The warning sides have always been there, but I think we were just too willing to trade in convenience in exchange for our privacy, thinking many of us have “nothing to hide.”

**The one big thing **

Insider threats are becoming an increasingly common part of the attack chain, with malicious insiders and unwitting assets playing key roles in incidents over the past year. This is becoming an increasing challenge for companies that now have remote workers all over the globe, many of whom may never come back to the office again. And if one of these employees leaves, it could leave some major security gaps. Over the past six months to a year, Talos has seen an increasing number of incident response engagements involving malicious insiders and unwitting assets being compromised via social engineering.

**Why do I care? **Insider threats are different than “traditional” cyber attacks we think of because it’s not about a threat actor sitting in an entirely different country lobing malicious code at a network. It usually involves trying to socially engineer someone into unwittingly letting their guard down and providing access to a malicious user or giving up sensitive information in exchange for some money. This can seriously happen to anyone anywhere, increasingly so in the era of hybrid work. So now what?

Defending against these types of insider threats is difficult for a variety of reasons, but first and foremost, they typically are allowed to access the network and have valid login credentials. This is where traditional security controls like user and access control come into play. Organizations should limit the amount of access a user has to the minimum required for them to perform their job.

Top security headlines from the week

Ukraine is warning that Russian state-sponsored actors are still targeting critical infrastructure with cyber attacks. The campaigns would likely be to “increase the effect of missile strikes on electrical supply facilities,” the Ukrainian government said. The warning also stated that the actors would also target Baltic states and Ukrainian allies with distributed denial-of-service attacks. Meanwhile, the U.S. continues to invest money into Ukraine’s cyber defenses and volunteer hackers continue to pitch in across the globe. (CyberScoop, Voice of America)

U.K. police arrested a teenager allegedly involved in the recent Rockstar data breach, which included leaked information regarding the upcoming “Grand Theft Auto VI” video game. The suspect may have ties to the Lapsus$ ransomware group and have some involvement in another data breach against the Uber rideshare company. Lapsus$’s recent activities are vastly different from what APTs’ traditional goals are, usually related to making money somehow, instead opting to just seemingly want to cause chaos of the sake of it. These two major breaches highlight the fact that many major organizations have unaddressed vulnerabilities. (TechCrunch, Wired)

A disgruntled developer leaked the encryptor behind the LockBit 3.0 ransomware, the latest in a line of drama with the group. The builder works and could allow anyone to build their own ransomware. The Bl00Dy ransomware gang has already started to use the leaked builder in attacks against companies. Bl00Dy has been operating since May 2022, first targeting medical and dental offices in New York. In the past, the group has also used leaked code from Babuk and Conti to build their ransomware payloads. They also claim to have a Tor channel they use to post leaks from affected companies if they do not pay the ransom. (The Record, Bleeping Computer)

**Can’t get enough Talos? **

  • Talos Takes Ep. #114: Once more into the Lazarus Pit
  • Threat Roundup for Sept. 16 - 23
  • Cisco Talos Tracks Insider Attack Surge
  • Phishing attack targets Microsoft flaw to deliver Cobalt Strike
  • Researchers say insider threats play a larger role in security incidents
  • Lazarus Group Targets MacOS Users Seeking Crypto Jobs

**Upcoming events where you can find Talos **

Sands Expo & Convention Centre, Singapore

**Most prevalent malware files from Talos telemetry over the past week **

MD5: 2c8ea737a232fd03ab80db672d50a17a

Typical Filename: LwssPlayer.scr

Claimed Product: 梦想之巅幻灯播放器

Detection Name: Auto.125E12.241442.in02

MD5: 10f1561457242973e0fed724eec92f8c

Typical Filename: ntuser.vbe

Claimed Product: N/A

Detection Name: Auto.1A234656F8.211848.in07.Talos

MD5: 8a5f8ed00adbdfb1ab8a2bb8016aafc1

Typical Filename: RunFallGuys.exe

Claimed Product: N/A

Detection Name: W32.Auto:c326d1.in03.Talos

MD5: 147c7241371d840787f388e202f4fdc1

Typical Filename: EKSPLORASI.EXE

Claimed Product: N/A

Detection Name: Win32.Generic.497796

TALOS: Latest News

New PXA Stealer targets government and education sectors for sensitive information