InfoSec and Compliance – With 20 years of blogging experience, DISC InfoSec blog is dedicated to providing trusted insights and practical solutions for professionals and organizations navigating the evolving cybersecurity landscape. From cutting-edge threats to compliance strategies, this blog is your reliable resource for staying informed and secure. Dive into the content, connect with the community, and elevate your InfoSec expertise!
Most interesting is a list of over 50,000 phone numbers that were being spied on by NSO Group’s software. Why does NSO Group have that list? The obvious answer is that NSO Group provides spyware-as-a-service, and centralizes operations somehow. Nicholas Weaver postulates that “part of the reason that NSO keeps a master list of targeting…is they hand it off to Israeli intelligence.”
This isn’t the first time NSO Group has been in the news. Citizen Lab has been researching and reporting on its actions since 2016. It’s been linked to the Saudi murder of Jamal Khashoggi. It is extensively used by Mexico to spy on — among others — supporters of that country’s soda tax.
here’s a tool that you can use to test if your iPhone or Android is infected with Pegasus. (Note: it’s not easy to use.)
Siloscape is a new strain of malware that targets Windows Server containers to execute code on the underlying node and spread in the Kubernetes cluster.
Researchers from Palo Alto Networks have spotted a piece of malware that targets Windows Server containers to execute code on the underlying node and then drop a backdoor into Kubernetes clusters.
Siloscape is a heavily obfuscated malware that was designed to open a backdoor into poorly configured Kubernetes clusters in order to run malicious containers and carry out malicious activities.
Compromising an entire cluster could allow an attacker to steal sensitive information, including credentials, confidential files, or even entire databases hosted in the cluster.
“Siloscape uses the Tor proxy and an .onion domain to anonymously connect to its command and control (C2) server. I managed to gain access to this server. We identified 23 active Siloscape victims and discovered that the server was being used to host 313 users in total, implying that Siloscape was a small part of a broader campaign. I also discovered that this campaign has been taking place for more than a year.” reads the analysis published by Palo Alto Network researcher Daniel Prizmant.
The US Department of Justice (DOJ) just announced that it has charged a 55-year-old Latvian woman, who went by the moniker of Max, with malware-writing crimes.
Max, whose real name is apparently Alla Witte, is the sixth of seven defendants listed in the DOJ’s indictment, along with ten other unknown individuals identified only as CC8 to CC17. (CC is short for co-conspirator.)
Admittedly, this does lead to doomsday scenarios offered up by authors on the multitude of platforms sharing doomsday scenarios, with weak attribution included to suit their own narrative.
While commentary on the impact of such a scenario is generally to be welcomed, the focus of attribution remains. Recent events have introduced the world at large to ransomware variants previously only discussed within the information security industry. However, one has to question whether their inclusion is even remotely accurate.
As has been documented, we live in a world where anybody with access to a computer can be a player in the ransomware industry. Through ransomware-as-a-service (RaaS) there exists a business model that supports ‘partners’ to carry out attacks against victims, and to share the profits with the developers of the ransomware. In return for this arrangement, such partners or affiliates are offered a dashboard and a sizeable share of profits, in a relationship that appears to suit both parties based on the rise in use of such a model.
And herein lies the issue.
Recent ransomware attacks, using tools such as DarkSide, were indeed carried out by such partners. Celebrations over the retirement of certain ransomware variants appear to be premature, with GandCrab serving as an indication of what may actually occur. The group behind GandCrab, which was incredibly active and claimed to have made $2bn, announced its retirement in 2019.
While this announcement was greeted positively at the time, questions were raised about why the number of affiliates dropped sharply a few short months earlier. Fast forward a few months and the growth of Sodinokibi may have answered those questions, while confirming that rumours of senior partners’ retirement from the ransomware scene may have been greatly exaggerated.
However, and this is the critical component, it is the affiliates that break into organizations, and it is these same people that deploy ransomware within the environment, while all the time the ire remains solely fixated on the ransomware developer.
While the developer(s) should not escape the ferocity of anger placed upon them, it seems the affiliates continue their activities and can simply move to any number of other schemes should actions lead to the disruption of the ransomware group they have agreed to work with.
In our continued focus toward holding those accountable for the disruption they cause, closer attention must be paid to such mercenaries who are largely responsible for the exponential growth of such attacks. It is their involvement and capabilities that have allowed such attacks to adapt and become so much more crippling than ever before.
The country’s top nuclear official … Ali Akbar Salehi, did not say who was to blame for the “terrorist act”, which caused a power failure … a day after it unveiled new uranium enrichment equipment. … Israeli public media, however, cited intelligence sources who said it was the result of an Israeli cyber-attack. … On Saturday, Iran’s President Hassan Rouhani inaugurated new centrifuges at the Natanz site in a ceremony that was broadcast live. … It represented another breach of the country’s undertakings in the 2015 deal, which only permits Iran to produce and store limited quantities of enriched uranium. [The] deal, known as the Joint Comprehensive Plan of Action (JCPOA), has been in intensive care since Donald Trump pulled the US out of it. … Later state TV read out a statement by … Atomic Energy Organisation of Iran (AEOI) … head Ali Akbar Salehi, in which he described the incident as “sabotage” and “nuclear terrorism.” … Last July, sabotage was blamed for a fire at the Natanz site which hit a central centrifuge assembly workshop.
[The] power failure … appeared to have been caused by a deliberately planned explosion. … American and Israeli intelligence officials said there had been an Israeli role. Two intelligence officials briefed on the damage said it had been caused by a large explosion that completely destroyed the … power system that supplies the underground centrifuges. … The officials, who spoke on the condition of anonymity to describe a classified Israeli operation, said that the explosion had dealt a severe blow to Iran’s ability to enrich uranium and that it could take at least nine months to [recover]. Some Iranian experts dismissed initial speculation that a cyberattack could have caused the power loss. … The United States and Israel have a history of covert collaboration, dating to the administration of President George W. Bush, to disrupt Iran’s nuclear program. The best-known operation under this collaboration … was a cyberattack disclosed during the Obama administration that disabled nearly 1,000 centrifuges at Natanz.
Applus Technologies is a worldwide leader in the testing, inspection and certification sector, the company was recently hit by a malware cyberattack that impacted vehicle inspections in eight states, including Connecticut, Georgia, Idaho, Illinois, Massachusetts, Utah, and Wisconsin.
The attack took place on March 30th, in response to the infection the company was forced to disconnect its IT systems from the Internet to prevent the malware from spreading. The company did not reveal the type of malware that infected its systems, but experts speculate the involvement of a ransomware attack.
“Unfortunately, incidents such as this are fairly common and no one is immune,” said Darrin Greene, CEO of the US entity, Applus Technologies, Inc. “We apologize for any inconvenience this incident may cause. We know our customers and many vehicle owners rely on our technology and we are committed to restoring normal operations as quickly as possible.”
The company will spend some time to fully restore the operations and continue the vehicle inspections, at the time of this writing it has yet to provide a timetable. According to the Department of Motor Vehicle (DMV), inspections will likely be suspended at least for another couple of days.
“Due to the enhanced technology and programming required to operate the program, it is imperative that we ensure every component of the program is free from malware, thoroughly tested and operating normally before bringing the program back online. The testing process will involve all of our agencies as well as the station owners who own and operate the computerized workstation equipment used to perform the motor vehicle inspections.” continues Applus Technologies.
“We will routinely update the return to service status as additional information becomes available. It is important to note that we want to make sure we have resolved all issues before restarting the system in order to avoid any additional delays or inconvenience once the program is back up and running.”
The Applus team is collaborating with the DMV providing frequent updates on the status of the incident response, it is also working with the DMV on the 60-day retest requirement and free retest policy to extend both during this time.
Part of the reason this attack could work so well is that game cheats typically require a user to disable key security features that would otherwise keep a malicious program out of their system. The hacker is basically getting the victim to do their own work for them.
“It is common practice when configuring a cheat program to run it the with the highest system privileges,” the report notes. “Guides for cheats will typically ask users to disable or uninstall antivirus software and host firewalls, disable kernel code signing, etc.”
Nvidia, the graphics chip company that wants to buy ARM, made a unusual announcement last week.
The company is about to launch its latest GeForce GPU (graphics processing unit) chip, the RTX 3060, and wants its users know that the chip is “tailored to meet the needs of gamers and those who create digital experiences.”
Our GeForce RTX GPUs introduce cutting-edge technologies — such as RTX real-time ray-tracing, DLSS AI-accelerated image upscaling technology, Reflex super-fast response rendering for the best system latency, and many more.
Ray-tracing is an algorithm used in generating synthetic images that are almost unbelievably realistic, correctly modelling complex optical interactions such as reflection, transparency and refraction, but this sort of realism comes at huge computational cost.
You can therefore see why gamers and digital artists might be very keen to get their hands on the latest special-purpose hardware that can speed up the creation of images rendered in this way.
Apple launched its M1 chip and cybercriminals developed a malware sample specifically for it, the latest generation of Macs are their next targets.
The popular security researcher Patrick Wardle discovered one of the first malware designed to target latest generation of Apple devices using the company M1 chip.
The discovery suggests threat actors are tailoring their malware to target the latest generation of Mac devices using the own processors.
Wardle discovered a Safari adware extension, tracked as GoSearch22, that was initially developed to run on Intel x86 chips, and now it was adapted to run on M1 chips.
“What we do know is as this binary was detected in the wild (and submitted by a user via an Objective-See tool) …so whether it was notarized or not, macOS users were infected.” reads the analysis published by Wardle. “Looking at the (current) detection results (via the anti-virus engines on VirusTotal), it appears the GoSearch22.app is an instance of the prevalent, yet rather insidious, ‘Pirrit’ adware:”
The Dridex malware gang is delivering a nasty gift for the holidays using a spam campaign pretending to be Amazon Gift Cards.
Dridex phishing campaign wants to send a gift
When distributing malware, malware gangs commonly use current events and the holidays as themes for phishing campaigns to lure people into opening malicious attachments.
Such is the case in a recent phishing campaign discovered by cybersecurity firm Cyberreason that pretends to be an Amazon gift certificate sent via email.
These emails, shown below, pretend to be a $100 gift certificate that users must redeem by clicking on a phishing email button.
CostaRicto APT is targeting South Asian financial institutions and global entertainment companies with an undocumented malware.
Blackberry researchers have documented the activity of a hackers-for-hire group, dubbed CostaRicto, that has been spotted using a previously undocumented piece of malware to target South Asian financial institutions and global entertainment companies.
“During the past six months, the BlackBerry Research and Intelligence team have been monitoring a cyber-espionage campaign that is targeting disparate victims around the globe.” reads the analysis published by BlackBerry. “The campaign, dubbed CostaRicto by BlackBerry, appears to be operated by “hackers-for-hire”, a group of APT mercenaries who possess bespoke malware tooling and complex VPN proxy and SSH tunnelling capabilities.”
