Threat Source newsletter (Sept. 1, 2022) — Conversations about an unborn baby's privacy
By Jon Munshaw.
Welcome to this week’s edition of the Threat Source newsletter.
This week marks about 90 days before my wife’s due date with our first child, a baby girl. We’re both incredibly excited and nervous at the same time, and we have much to discuss, like how to lay out the nursery, what times we’ll put her down for a nap and who must be the one to get up the first time she starts crying at 2 a.m.
But the first true argument my wife and I have had about having a child is whether we should show the baby’s face on Instagram.
This child isn’t even born yet, and social media companies are probably already building out a data profile on her. I signed up for the What to Expect app so I could follow along with my wife’s pregnancy progress and learn more about what she’s going through and how the baby is developing. Already I’m getting targeted ads on the app and my Instagram for specific brands of baby food, the stroller that we’ve listed on our registry and an automatic children’s toothbrush. Celebrities are increasingly choosing to not show their babies’ faces on social media for paparazzi and physical privacy reasons, which makes sense. But I’m already starting to question what types of privacy decisions I need to make on my daughter’s behalf before she’s old enough to know what she’s getting herself into, and I don’t even have to worry about someone selling a picture of my baby to People magazine for $1 million.
The site we’re using for our baby registry was already asking for her name (we’re not telling anyone the name until she’s born) and my wife’s due date, so conceivably, they’ll know the general time frame when she’s born. Then what will Amazon start learning about our baby if we use our home assistant to order diapers and food refills? If we use an app to track her sleeping habits and eating schedule, what else could an app conceivably learn and eventually use to send me more targeted ads?
Refusing to post my baby on Instagram is, admittedly, probably a bridge too far. After all, how else am I going to brag about how cute she is?
But there are real physical security concerns about posting pictures of children on social media, because some of these sites can, unfortunately, become places where criminals seek out younger victims. Or what happens when she turns 13 and decides she actually doesn’t want to be on the internet? I didn’t get her consent when she was two weeks old, so can I scrub everything the internet already knows about her?
There really aren’t any systems in place to inform parents about how the pictures or information they share about their children is being used. And most parents certainly aren’t digging deep into Meta’s privacy policy.
I think, generally, a good rule of thumb is that anything you post on social media could get out of your control. Even with a private Instagram account, there’s no guarantee someone can’t take a screenshot of your post and then share it with someone else. And unless the parents completely plan on going dark off the internet, there’s no real way to work around this.
When my daughter is born, I’m sure I won’t be able to resist sharing her name and her cute outfits on Instagram. But it is interesting to consider the privacy implications of doing so. When my parents stuck a VHS camcorder in my face when I was first born, I don’t think they had to worry about a multi-billion dollar company somehow using that to sell them Wi-Fi-connected diapers.
The one big thing
An unknown threat actor is using the ModernLoader RAT to spread several other types of malware, including cryptominers and information-stealers. The actors are attempting to compromise vulnerable web applications to serve malware and deliver threats via files masquerading as fake Amazon gift cards. Eventually, it downloads ModernLoader, which can bring other malware families to the party, including the RedLine stealer and XMRig cryptocurrency miner. While this campaign has, so far, mainly targeted Eastern Europe, the actors have been able to obscure their work enough that it’s difficult to identify who they target next or what the attackers’ previous patterns are.
Why do I care?
Although the scope of this attack is thus far limited, the attackers in this case seem to be fairly sophisticated, and the use of off-the-shelf tools means it’s tough to track them or attribute these campaigns to a known APT. The infostealers ModernLoader drops can steal users’ important login credentials or important information about the targeted machine, which could be used in future attacks. And any cryptominer has the potential to sap the target machine’s power, costing the target time and money.
So now what?
Talos has released new Snort rules and OS Queries to detect activities from this campaign, so those should be deployed immediately. This actor seems to mainly rely on fake offers for Amazon gift cards, so be extra vigilant for those types of scams, even though you already should be on high alert for any deal that seems too good to be true.
Top security headlines from the week
A widespread cyber attack is affecting government services in Montenegro, including water supply systems, transportation services and online government services. Montenegrin officials were quick to blame Russian state-sponsored actors for the attack earlier this week, saying it was the largest attack of this type the country’s ever faced. The FBI sent in a dedicated cybersecurity team to the country to help them recover services as fast as possible. The Cuba ransomware group took credit for the attack, saying it had stolen financial documents and more. Cuba made $43.9 million last year in ransom payments, according to the FBI. (CBS News, Recorded Future)
A new warning from the FBI highlighted several recent attacks against decentralized finance (DeFi) platforms that have led to the loss of millions of dollars’ worth of cryptocurrency. The advisory says that attackers are exploiting individual vulnerabilities in popular DeFi platforms’ smart contracts and signature verification systems to break into users’ wallets or chaining together several flaws to manipulate digital currency pricing. Though the FBI told these platforms to analyze and patch their code, users should ensure they investigate potential platforms appropriately before choosing to store or invest their cryptocurrency somewhere. (ZDNet, Gizmodo)
The U.S. Federal Trade Commission is suing a massive data broker for selling the location data of millions of mobile device users that could be directly tracked on an individual basis. The suit alleges the company did not anonymize the exact location data it was collecting from cell phones before selling it to other third-party outlets. The data could then be used to track a person’s exact activities. This could potentially allow anyone with the data to learn things about a user such as whether they are homeless, if they recently went to an abortion clinic or what their place of worship is, all of which are specifically highlighted in the suit. (Ars Technica, Reuters)
Can’t get enough Talos?
- Threat Roundup for Aug. 19 - 26
- Beers with Talos Ep. #125: A(nother) new host approaches!
- Talos Takes Ep. #110: The kinetic and cyber threats Ukrainian agriculture faces
- Three campaigns delivering multiple malware, including ModernLoader and XMRig miner
- Talos Renews Cybersecurity Support For Ukraine on Independence Day
Upcoming events where you can find Talos
Cisco Security Solution Expert Sessions (Oct. 11 & 13) Virtual
Most prevalent malware files from Talos telemetry over the past week