InfoSec News 20230201

  • Published: Wed, 01/02/2023 - 13:11

Top News


  • PoS malware can block contactless payments to steal credit cards

"New versions of the Prilex point-of-sale malware can block secure, NFC-enabled contactless credit card transactions, forcing consumers to insert credit cards that are then stolen by the malware.
On a payment terminal, contactless transactions use NFC (Near Field Communication) chips embedded in credit cards and mobile devices to conduct close-proximity payments via credit cards, smartphones, or even smartwatches. 
They are very convenient, and their popularity has exploded since the COVID-19 pandemic, with over $34.55 billion in contactless transactions recorded in 2021.
However, using NFC chips in credit cards has made it harder for point of sale (PoS) malware to steal credit card information, causing threat actors to develop new methods to steal your payment information.
Kaspersky, following the Prilex PoS malware closely, reports seeing at least three new variants in the wild, with version numbers 06.03.8070, 06.03.8072, and 06.03.8080, first released in November 2022.
These new variants introduce a new feature that prevents payment terminals from accepting contactless transactions, forcing customers to insert their cards.
Furthermore, in September 2022, Kaspersky reported that Prilex added EMV cryptogram generation to evade transaction fraud detection and to perform "GHOST transactions" even when the card is protected with CHIP and PIN technology."

Link

TLP¹: Green

  • OpenAI releases tool to detect AI-written text

"OpenAI has released an AI text classifier that attempts to detect whether input content was generated using artificial intelligence tools like ChatGPT.
"The AI Text Classifier is a fine-tuned GPT model that predicts how likely it is that a piece of text was generated by AI from a variety of sources, such as ChatGPT," explains a new OpenAI blog post.
OpenAI released the tool today after numerous universities and K-12 school districts banned the company's popular ChatGPT AI chatbot due to its ability to complete students' homework, such as writing book reports and essays, and even finishing programming assignments.
According to BusinessInsider, ChatGPT is banned in NYC, Seattle, Los Angeles, and Baltimore K-12 public school districts, with universities in France and India also banning the platform from school computers."

Link

TLP¹: Green

Cybersecurity State: Surveillance, Cyberwarfare, Cybercriminality and Hacktivism


  • Nevada Ransomware Has Released Upgraded Locker

"Resecurity, California-based cybersecurity company protecting Fortune 500 globally, has identified a new version of Nevada Ransomware which recently emerged on the Dark Web right before the start of 2023. The actors behind this new project have an affiliate platform first introduced on the RAMP underground community, which is known for initial access brokers (IABs) and other cybercriminal actors and ransomware groups.
Around February 1, 2023 – the group distributed an updated locker written in Rust for their affiliates supporting Windows, Linux and ESXi – this programming language has become a trend for ransomware developers these days (Blackcat, RansomExx2, Hive, Luna, Agenda). These updates have since provided improved functionality and significant tweaks to improve the affiliate panel. Another significant update has been identified around January 20th – which may confirm how the project is actively developing."

Link

TLP¹: Green

  • Follow-up: We asked ex-FBI pros how their peers gutted Hive

"The FBI spent months entrenched in the systems of a top-five ransomware syndicate. We asked people familiar with such operations how the Bureau managed to pull it off.
International ransomware syndicate Hive met its end after the FBI seized IT infrastructure cybercriminals used to extort their victims.
According to the US Department of Justice (DoJ), the feds infiltrated the gang in July 2022, allowing them to give victims thousands of decryptor keys and prevent them from having to pay $130 million in ransom demands.
The revelation means that for the past six months, authorities knew about most of Hive’s victims, and the syndicate likely saw a sharp drop in ransom revenue from its affiliates. However, cybercriminals still weren’t alerted."

Link

TLP¹: Green

  • Cyber Insights 2023: The Geopolitical Effect

"Geopolitics describes the effect of geography on politics, and usually refers to the political relationship between nations. That relationship is always mirrored in cyber. The Russia/Ukraine war that started in early 2022 has been mirrored by a major disturbance in cyber – and that disturbance will continue through 2023.
The physical conflict has forced much of the world to take sides. The US, NATO, the EU, and their allies are providing major support – short of troops – to Ukraine. China, Iran, and North Korea are all supporting Russia. The cyber conflict is similar, largely conforming to the George W Bush ‘axis of evil’ (Iran, Iraq, and North Korea, with the popular addition of Russia and China) versus the US, EU, and their allies.
Here we’re going to discuss how the current state of global geopolitics might play out in cyber during 2023."

Link

TLP¹: Green

  • Clock ticking for TikTok users to shine light on how app uses data to control them

"TikTok’s “For You” video feed recommender tool is to be scrutinized by German-funded app DataSkop, which is inviting users of the Chinese-owned social media platform to submit their personal data so it can paint an accurate picture of how they are being manipulated.
“What kinds of content is TikTok’s "For You" recommender showing us?” That is the question DataSkop posed in a press release issued today. It added: “What niches are users being led into? DataSkop’s second data donation project is designed to find answers to questions like these over the coming months.”
To that end, TikTok users have until the end of March to donate their personal usage data to the DataSkop project. “By analyzing these data sets, we will gain deeper insight into how the platform’s recommender system works,” said DataSkop."

Link

TLP¹: Green

Breaches: Data Breaches and Hacks


  • Google Fi breached, customer data compromised

"Google Fi said customer data has been compromised by hackers, and the incident is most likely linked to the massive T-Mobile hack on January 19.
US mobile phone carrier Google Fi has been linked to the recent T-Mobile data breach on January 19 which involved over 37 million T-Mobile customers.
Google Fi sent an email to its customers Monday explaining that their primary network provider had informed them of “suspicious activity involving a third-party customer support system and a limited amount of Google Fi customer data.”
The no-frills cell phone carrier piggybacks on the T-Mobile network for national coverage and US Cellular for regional service, leaving users to conclude the two breaches were connected."

Link

TLP¹: Green

Vulnerabilities: Vulnerability Advisories, Zero-Days, Patches and Exploits


  • Unpatched Econolite Traffic Controller Vulnerabilities Allow Remote Hacking

"A researcher has discovered two potentially serious vulnerabilities affecting Econolite traffic controllers. Exploitation of the security flaws can have serious real-world impact, but they remain unpatched. 
Cyber offensive researcher Rustam Amin informed the US Cybersecurity and Infrastructure Security Agency (CISA) that he had identified critical and high-severity vulnerabilities in Econolite EOS, a traffic controller software developed for the Econolite Cobalt and other advanced transportation controllers (ATC).
The California-based vendor’s website says it has deployed more than 360 systems, 150,000 traffic cabinets, 120,000 traffic controllers, and over 160,000 sensors. In December 2022, the company reported reaching more than 10,000 installations of its EOS software."

Link

TLP¹: Green

  • Microsoft releases emergency updates to fix XPS display issues

"Microsoft has released out-of-band (OOB) updates for some .NET Framework and .NET versions to address XPS display issues triggered by December 2022 cumulative security updates.
Users will experience null reference exceptions and images or glyphs displaying incorrectly when viewing XPS documents rendered using affected Windows Presentation Foundation (WPF) based apps.
"This update addresses a known issue which might cause XPS documents which utilize structural or semantic elements like table structure, storyboards, or hyperlinks to not display correctly in WPF-based readers," Microsoft added today.
The emergency updates released today are not delivered via Windows Update and will not install automatically on affected devices."

Link

TLP¹: Green

  • New Sh1mmer ChromeBook exploit unenrolls managed devices

"A new exploit called ‘Sh1mmer’ allows users to unenroll an enterprise-managed Chromebook, enabling them to install any apps they wish and bypass device restrictions.
When Chromebooks are enrolled with a school or an enterprise, they are managed by policies established by the organization's administrators. This allows admins to force-install browser extensions, apps, and to restrict how a device can be used.
Furthermore, once enrolled, it is almost impossible to unenroll the device without the organization's admin doing it for you.
To bypass these restrictions, security researchers from the Mercury Workshop Team have developed a new exploit called 'Shady Hacking 1nstrument Makes Machine Enrollment Retreat', or 'Sh1mmer,' that lets users unenroll their Chromebooks from enterprise management."

Link

TLP¹: Green

Incident Response: Infrastructure, Training, SIEM and Incident Handling


  • Auditing Kubernetes with Open Source SIEM and XDR

"Container technology has gained traction among businesses due to the increased efficiency it provides. In this regard, organizations widely use Kubernetes for deploying, scaling, and managing containerized applications. Organizations should audit Kubernetes to ensure compliance with regulations, find anomalies, and identify security risks. The Wazuh open source platform plays a critical role in monitoring Kubernetes and other components of an organization's infrastructure."
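The article above describes auditing Kubernetes with Wazuh but does not show what an audit check looks like. The following is an added example, written for this digest and not taken from the article or from the Wazuh project: a small Python triage of kube-apiserver audit events in the JSON-lines format the API server writes when started with --audit-log-path and an audit policy. The four events are constructed for illustration (names, namespaces and IPs are made up), and the three rules (secret reads by a human user, pod exec, and 401/403 responses) are the author's own choice of what to flag, not a Wazuh ruleset.

```python
"""Triage Kubernetes API-server audit events for risky access.

Added example, not code from the original article or from the Wazuh project.
Input is the JSON-lines audit format of kube-apiserver (--audit-log-path with
an audit policy at level Metadata or above); the events below are constructed.
"""
import json
from typing import Iterable, Optional, Tuple

# Constructed sample events, one JSON object per line as the apiserver writes them.
SAMPLE_AUDIT_LOG = """\
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/prod/secrets/db-creds","verb":"get","user":{"username":"alice@example.com","groups":["developers"]},"sourceIPs":["10.0.0.5"],"objectRef":{"resource":"secrets","namespace":"prod","name":"db-creds"},"responseStatus":{"code":200}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/prod/pods/web-0/exec?command=sh","verb":"create","user":{"username":"system:serviceaccount:ci:runner","groups":["system:serviceaccounts"]},"sourceIPs":["10.0.1.9"],"objectRef":{"resource":"pods","subresource":"exec","namespace":"prod","name":"web-0"},"responseStatus":{"code":101}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/kube-system/secrets","verb":"list","user":{"username":"system:anonymous","groups":["system:unauthenticated"]},"sourceIPs":["203.0.113.7"],"objectRef":{"resource":"secrets","namespace":"kube-system"},"responseStatus":{"code":403}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/prod/pods","verb":"list","user":{"username":"system:serviceaccount:kube-system:kube-controller-manager","groups":["system:serviceaccounts"]},"sourceIPs":["10.0.0.1"],"objectRef":{"resource":"pods","namespace":"prod"},"responseStatus":{"code":200}}
"""

READ_VERBS = {"get", "list", "watch"}


def parse_events(lines: Iterable[str]):
    """Yield audit events, keeping only the final stage of each request."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        # A request can be logged at RequestReceived and again at
        # ResponseComplete; keep the final record so each call counts once.
        if ev.get("stage") != "ResponseComplete":
            continue
        yield ev


def classify(ev: dict) -> Optional[Tuple[str, str]]:
    """Return (rule, severity) for a risky event, or None. Rules are this example's own."""
    user = ev.get("user", {}).get("username", "")
    ref = ev.get("objectRef") or {}
    code = ev.get("responseStatus", {}).get("code", 0)
    verb = ev.get("verb", "")
    resource = ref.get("resource", "")
    subresource = ref.get("subresource", "")

    # Denied calls are the cheapest signal of probing or a misconfigured client.
    if code in (401, 403):
        return ("forbidden_request", "high")
    # Interactive shells in pods should be rare and always reviewed.
    if resource == "pods" and subresource == "exec":
        return ("pod_exec", "high")
    # Secret reads by anything other than a system: principal (human users,
    # external tokens) deserve a look; controllers read secrets all the time.
    if resource == "secrets" and verb in READ_VERBS and not user.startswith("system:"):
        return ("secret_read_by_user", "medium")
    return None


def audit_findings(log_text: str) -> list:
    """Run the rules over a JSON-lines audit log and return findings as dicts."""
    findings = []
    for ev in parse_events(log_text.splitlines()):
        hit = classify(ev)
        if hit is None:
            continue
        rule, severity = hit
        ref = ev.get("objectRef") or {}
        findings.append({
            "rule": rule,
            "severity": severity,
            "user": ev["user"]["username"],
            "verb": ev["verb"],
            "resource": ref.get("resource", ""),
            "namespace": ref.get("namespace", ""),
            "name": ref.get("name", ""),
            "source_ip": (ev.get("sourceIPs") or [""])[0],
            "status": ev.get("responseStatus", {}).get("code"),
        })
    return findings


if __name__ == "__main__":
    for finding in audit_findings(SAMPLE_AUDIT_LOG):
        print(json.dumps(finding))
```

On the constructed log the script reports three findings: alice reading the prod/db-creds secret, the CI service account opening an exec session into web-0, and an anonymous, forbidden list of kube-system secrets; the controller-manager's pod list is ignored. In a Wazuh deployment the same conditions would be expressed as rules over the decoded audit log rather than as Python, but the triage logic is the same.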

Link

TLP¹: Green

Technical Articles: Forensics, Reverse Engineering, Malware, Phishing, Pentesting, Software Security and Cryptography


  • Microsoft: Over 100 threat actors deploy ransomware in attacks

"Microsoft revealed today that its security teams are tracking over 100 threat actors deploying ransomware during attacks. In all, the company says it monitors over 50 unique ransomware families that were actively used until the end of last year.
"Some of the most prominent ransomware payloads in recent campaigns include Lockbit Black, BlackCat (aka ALPHV), Play, Vice Society, Black Basta, & Royal," Microsoft said.
"Defense strategies, however, should focus less on payloads but more on the chain of activities that lead to their deployment," since ransomware gangs are still targeting servers and devices not yet patched against common or recently addressed vulnerabilities.
Furthermore, while new ransomware families launch all the time, most threat actors utilize the same tactics when breaching and spreading through networks, making the effort of detecting such behavior even more helpful in thwarting their attacks."

Link

TLP¹: Green

  • New LockBit Green ransomware variant borrows code from Conti ransomware

"Lockbit ransomware operators have implemented a new version of their malware, dubbed LockBit Green, which was designed to include cloud-based services among its targets.
This is the third version of the ransomware developed by the notorious gang, after the Lockbit Red and Lockbit Black ones. Affiliates of the Lockbit RaaS can obtain LockBit Green using the builder feature on the LockBit portal.
The release of the new version was confirmed by the vx-underground researchers."

Link

TLP¹: Green

  • Crypto scam apps infiltrate Apple App Store and Google Play

"Operators of high-yielding investment scams known as "pig butchering" have found a way to bypass the defenses in Google Play and Apple's App Store, the official repositories for Android and iOS apps.
Pig butchering scams have been happening for a few years. They involve fake websites, malicious advertising, and social engineering. By adding fraudulent apps to official download platforms, scammers can gain a victim's trust more easily.
Researchers at cybersecurity company Sophos say that the scammers are targeting victims on Facebook or Tinder and convincing them to download the fraudulent apps and "invest" large amounts of money into assets purported to be real.
Sophos observed such a campaign from a China-based threat group named "ShaZhuPan," which shows high organizational levels with distinct teams doing victim interaction, finance, franchise, and money laundering."

Link

TLP¹: Green

  • Machine Learning Versus Memory Resident Evil

"Unit 42 researchers discuss a machine learning pipeline we’ve built around memory-based artifacts from our hypervisor-based sandbox, which is part of Advanced WildFire. This alternative approach is one we’ve come up with to boost detection accuracy against malware using a variety of different evasion techniques.
As we discussed in our first two posts in this series, malware authors are routinely refining their shenanigans to make strategies like static analysis and sandboxing ineffective. The continual development and permutation of techniques like packing methodologies and sandbox evasions create a continual cat and mouse game that is difficult to stay on top of for any detection team.
To make matters worse, popular detection techniques such as structural analysis, static signatures and many types of dynamic analysis do not fare well against the ever-increasing complexity we encounter in the more prevalent malware families."

Link

TLP¹: Green

¹ Traffic Light Protocol (TLP) [1] for information sharing:

  • Red: Not for disclosure, restricted to participants only.
  • Amber: Limited disclosure, restricted to participants' organizations.
  • Green: Limited disclosure, restricted to the community.

[1] https://www.first.org/tlp