Another data-wiper has been found, the open source Fosshost service is closing, and more
Welcome to Cyber Security Today. It’s Monday, December 5th, 2022. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.
A new piece of data-wiping malware that poses as ransomware has been found, one that targets organizations in Russia. According to researchers at Kaspersky, CryWiper is the latest of nine new data wipers found this year as threat actors look for new ways of squeezing money from victims. CryWiper claims to have encrypted the victim's data and promises to restore it if a payment is made. The data is never recoverable: it has been destroyed, not encrypted, so no payment will bring it back. Kaspersky doesn't say how organizations were initially infected, but it notes that email remains one of the most common ways malware is distributed, so analyzing and blocking malicious attachments and URLs is important. So is behavioral analysis of file and network activity, which catches a wiper by what it does to files rather than by what its ransom note says. Security teams should also run regular penetration tests to find and plug holes in their IT infrastructure.
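What "behavioral file activity analysis" looks like in practice, as an added example (this is not Kaspersky's or the podcast's code): a small detector that runs over endpoint file-event telemetry and flags any process that writes, renames or deletes an unusual number of distinct files within a short window. Whether the process later drops a ransom note or not, mass rewriting is the observable behaviour a wiper and ransomware share. The event layout (timestamp, pid, image, op, path), the thresholds, the process names and the sample telemetry are all constructed assumptions for illustration.

```python
"""Behavioural file-activity check: flag a process that rewrites or renames
many distinct files within a short window, which is what a wiper (or
ransomware) looks like on an endpoint regardless of what its note claims.

Added example, not Kaspersky's or the podcast's code. The event layout
(timestamp, pid, image, op, path), the thresholds and the sample telemetry
below are all constructed for illustration.
"""
from collections import deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=30)   # assumed lookback per process
THRESHOLD = 25                   # assumed: distinct paths touched before alerting
DESTRUCTIVE_OPS = {"write", "rename", "delete"}


def build_sample_events():
    """Constructed telemetry: one benign editor and one mass-rewriting process."""
    base = datetime.fromisoformat("2022-12-05T09:00:00")
    events = []
    # Benign: a word processor saving three documents over several minutes.
    for i in range(3):
        t = base + timedelta(minutes=2 * i)
        events.append((t, 4312, "winword.exe", "write",
                       f"C:\\Users\\a\\Documents\\report{i}.docx"))
    # Suspicious: one process overwrites 40 spreadsheets and renames each one
    # with a new extension (".locked" is an assumed, made-up extension) in 8 s.
    for i in range(40):
        t = base + timedelta(milliseconds=200 * i)
        path = f"C:\\Users\\a\\Documents\\q{i}.xlsx"
        events.append((t, 7788, "svchost_.exe", "write", path))
        events.append((t, 7788, "svchost_.exe", "rename", path + ".locked"))
    return events


def find_mass_file_rewriters(events, window=WINDOW, threshold=THRESHOLD):
    """Sliding-window count of distinct paths each process writes, renames or
    deletes. Returns {pid: summary} for every process that crosses threshold
    within any span of length window."""
    state = {}
    for ts, pid, image, op, path in sorted(events, key=lambda e: e[0]):
        if op not in DESTRUCTIVE_OPS:
            continue
        s = state.setdefault(pid, {"image": image, "recent": deque(), "alert": None})
        recent = s["recent"]
        recent.append((ts, op, path))
        while recent and ts - recent[0][0] > window:   # drop events outside the window
            recent.popleft()
        if s["alert"] is not None:
            continue                                    # already flagged this process
        distinct = {p for _, _, p in recent}
        if len(distinct) >= threshold:
            # Extensions introduced by renames are useful triage context.
            new_ext = {p.rsplit(".", 1)[-1] for _, o, p in recent
                       if o == "rename" and "." in p}
            s["alert"] = {
                "image": image,
                "distinct_paths": len(distinct),
                "window_start": recent[0][0].isoformat(),
                "alerted_at": ts.isoformat(),
                "new_extensions": sorted(new_ext),
            }
    return {pid: s["alert"] for pid, s in state.items() if s["alert"]}


if __name__ == "__main__":
    for pid, a in find_mass_file_rewriters(build_sample_events()).items():
        print(f"pid {pid} ({a['image']}): {a['distinct_paths']} paths in window, "
              f"new extensions {a['new_extensions']}")
```

In a real deployment the threshold and window are tuned per host role, and backup agents or indexers that legitimately touch many files are allowlisted by signed image path rather than by name, since the sample process here deliberately uses a lookalike name.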
Crooks have gotten hold of the Android platform signing keys of some big device makers and are using them to sign malware. That's according to the news site Ars Technica. A list of leaked keys was recently posted by a researcher on Google's Android security team, but it was the news site that put names to the key owners. Among them are Samsung, LG and MediaTek. These keys are what Android uses to recognize a vendor's operating system, its built-in apps and their updates, so an app signed with one is trusted as part of the operating system itself. Google says all of the vendors promptly implemented mitigation measures as soon as the compromise of their keys was reported. There is no indication that malware signed with these stolen keys was in the Google Play store, but a platform key also lets malware masquerade as a vendor update delivered outside the store. The incident raises questions about how seriously IT departments take signing-key security: a key that can vouch for an operating system belongs in a hardware security module with tightly controlled access, not on a build server or developer workstation.
Separately, Google researchers said they discovered a commercial spyware framework suspected of being sold by a company in Europe. It exploited vulnerabilities in the Chrome and Firefox browsers and in Microsoft Defender; Google, Mozilla and Microsoft fixed those vulnerabilities months ago. The best defence against this kind of spyware is making sure applications are actually updated once a patch ships, since the exploits keep working against anyone who hasn't installed it.
Open-source projects and developers using the U.K.-based hosting provider Fosshost are being urged to back up their data immediately and find a new provider, after Fosshost said its servers are expected to go offline shortly. According to the Bleeping Computer news site, Fosshost first gave notice of trouble in August. Well-known open-source projects such as Debian and GNOME made use of Fosshost.
Ever wonder how stolen data is marketed by crooks? Through a lot of distributors. According to researchers at two American universities, more than 2,000 people listed stolen digital information for sale on 30 darknet markets during an eight-month period that ended in April 2021. The researchers estimate these sellers pulled in US$140 million over those eight months. Of that total, one market, Agartha, accounted for US$91 million in sales, while another, called Cartel, pulled in US$31 million. A now-closed market specializing in stolen Canadian data, CanadianHQ, had sales of US$241,000 during the same period.
Another organization has admitted that a flaw in its web addresses allowed a serious privacy breach. The Florida Department of Revenue acknowledged that anyone who logged into the state's business tax application website could see not only their own account but also the accounts of hundreds of others. How? The web address included the application number of each submission. After logging in, a person who changed any digit of that number in the URL was shown another filer's application. The problem was discovered by a security researcher and reported by the TechCrunch news service. This is an access control problem called an insecure direct object reference: the site checked that the visitor was logged in but never checked that the requested record belonged to them. Application administrators whose systems assign a serial number to user profiles, forms or transactions have to make sure that either the number doesn't appear in the URL, or, if it does, that every request verifies the record belongs to the logged-in account. Keeping the number out of the URL only makes guessing harder; the per-request ownership check is what actually closes the hole.
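The flaw and its fix side by side, as an added example that is not the Florida Department of Revenue's code: a vulnerable lookup that only checks the session, a hardened one that also checks ownership, and the "keep the number out of the URL" option from the text implemented as an opaque handle that still runs the ownership check. The records, user names, application numbers and the `probe` helper that walks neighbouring numbers are constructed for illustration.

```python
"""Insecure direct object reference on a sequential application number: the
vulnerable lookup beside the hardened one, plus the "keep the number out of
the URL" option from the text.

Added example, not the Florida Department of Revenue's code. The in-memory
records, user names and application numbers are constructed for illustration.
"""
import secrets

# Constructed records keyed by the sequential number a URL would carry.
APPLICATIONS = {
    100234: {"owner": "alice", "business": "Alice's Bakery LLC"},
    100235: {"owner": "bob", "business": "Bob's Garage Inc"},
    100236: {"owner": "carol", "business": "Carol Consulting"},
}


class Forbidden(Exception):
    """Not logged in."""


class NotFound(Exception):
    """No record the caller may see."""


def get_application_vulnerable(current_user, app_number):
    """Vulnerable: only authentication is checked. A logged-in user who edits a
    digit of the number in the URL gets another filer's record."""
    if current_user is None:
        raise Forbidden("login required")
    record = APPLICATIONS.get(app_number)
    if record is None:
        raise NotFound("no such application")
    return record


def get_application_secure(current_user, app_number):
    """Hardened: the record must belong to the authenticated user. 'Not yours'
    and 'does not exist' return the same error so the endpoint cannot be used
    to confirm which numbers are live."""
    if current_user is None:
        raise Forbidden("login required")
    record = APPLICATIONS.get(app_number)
    if record is None or record["owner"] != current_user:
        raise NotFound("no such application")
    return record


# The text's other option: keep the serial number out of the URL entirely.
# An opaque, unguessable handle is issued per record and mapped server-side.
# The ownership check above still runs, because an opaque handle only defeats
# guessing, not a leaked or shared link.
PUBLIC_HANDLES = {}  # handle -> app_number (never exposed as a sequence)


def issue_public_handle(app_number):
    handle = secrets.token_urlsafe(16)
    PUBLIC_HANDLES[handle] = app_number
    return handle


def get_application_by_handle(current_user, handle):
    return get_application_secure(current_user, PUBLIC_HANDLES.get(handle))


def probe(handler, current_user, numbers):
    """Simulate a logged-in user walking neighbouring numbers in the URL;
    return the business names the handler hands back."""
    leaked = []
    for n in numbers:
        try:
            leaked.append(handler(current_user, n)["business"])
        except (Forbidden, NotFound):
            pass
    return leaked


if __name__ == "__main__":
    probe_range = range(100230, 100240)
    print("vulnerable:", probe(get_application_vulnerable, "alice", probe_range))
    print("hardened:  ", probe(get_application_secure, "alice", probe_range))
```

The check belongs in the data-access layer or a shared authorization helper, not in each route handler, so that a new endpoint added later cannot forget it; the same uniform "no such application" error for both missing and foreign records keeps the endpoint from doubling as an enumeration oracle.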
A Florida man has been sentenced to 18 months in prison and ordered to pay $20 million in restitution to a cryptocurrency investor for his part in the theft of the investor's cryptocurrency. The gang swapped the investor's smartphone SIM card in 2018. With control of his phone number, they could receive his calls and text messages and so get into accounts registered to that number. According to the New York Post, a then 15-year-old allegedly led the group. They hijacked the investor's phone by paying a worker at an AT&T cellphone store to help with the SIM swap. The victim is now suing AT&T.
Also last week police in Spain broke up a SIM-swapping gang called Black Panthers that stole money from victims. Fifty-five people were arrested, including the alleged leader. The gang was divided into groups that specialized in social engineering, vishing, phishing and call forwarding attacks on victims. One group posed as IT support staff of cellphone providers to steal the login credentials of phone service distributors. That gave the gang access to phone companies' customer databases, from which they could switch victims' numbers to SIM cards in phones controlled by the gang. After that they could intercept one-time codes sent by text message and empty any bank accounts tied to those cellphone numbers. Another group specialized in cloning victims' bank cards. One way to make SIM swapping harder is to enable multifactor authentication on your cellphone carrier account. Another is to ask your wireless provider whether it requires extra verification, such as a PIN or in-person ID check, before moving your number to a new SIM. And where a service offers it, prefer an authenticator app or hardware key over text-message codes, since a swapped SIM receives those texts.
Follow Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.