Inside Security - December 6th, 2019


1. U.S. federal agencies have clamped down on Evil Corp, a Russian cybercrime group that developed and distributed the Dridex malware responsible for $100 million in theft. The Dridex malware infected computers and harvested login credentials from hundreds of banks and financial institutions in over 40 countries. The Treasury Department has imposed sanctions on the group, the Justice Department has charged two of Evil Corp's members with cybercrimes, and the State Department has issued a $5 million reward for information leading to the capture and conviction of Evil Corp's leader, Maksim Yakubets. The U.S. agencies worked with the U.K. National Crime Agency in acting against the cybercrime syndicate. -- CNBC

2. Mac users are apparently being targeted by the North Korean Lazarus hacking group with a new stealthy trojan that poses as a fake cryptocurrency trading platform. Dinesh Devadoss of K7 Computing discovered the trojan, and macOS security researcher Patrick Wardle linked it to the Lazarus hacking group. The "fileless" trojan carries out a "pure in-memory execution of a remotely downloaded payload," explained Wardle. It is similar to previous Lazarus campaigns in which a fake cryptocurrency company and trading app were used to steal cryptocoins. -- THREATPOST

3. China-based ByteDance has reached a $1.1 million settlement with a group of parents who sued the company over its handling of children's data obtained from its popular TikTok app. The U.S. plaintiffs alleged that ByteDance tracked, collected, and exposed information on children, in violation of the Children's Online Privacy Protection Act (COPPA). Responding to the settlement, a TikTok spokesperson told The Verge: "Although we disagree with much of what is alleged in the complaint, we have been working with the parties involved and are pleased to have come to a resolution of the issues." In February, the Federal Trade Commission fined TikTok (under its previous name) $5.7 million for violating COPPA. ByteDance and TikTok have come under scrutiny in the U.S. Congress over alleged ties to the Chinese government. -- THE VERGE

4. U.S. and European law enforcement agencies have cracked down on money mule operations that launder money obtained through cyber fraud. Money mules are used, sometimes unknowingly, to receive money obtained from fraud victims and to forward it to foreign-based cybercriminals. In the U.S., the Justice Department shut down the operations of 600 domestic money mules and tripled the number of criminal prosecutions against money mule operations compared to last year. As part of its European Money Mule Action (EMMA) initiative, Europol identified 3,833 money mules and arrested 228 money mule recruiters. Europol said that more than 650 banks, 17 bank associations, and other financial institutions reported 7,520 money mule transactions, preventing a total loss of €12.9 million ($14.3 million). -- THE CRIME REPORT

5. Apple has admitted that its iPhone 11 collects geolocation data even when the user disables the geolocation feature, but stressed that the data does not leave the phone. The company's admission comes in response to a blog post by security researcher Brian Krebs in which Krebs related that his iPhone 11 Pro "intermittently seeks the user's location information even when all applications and system services on the phone are individually set to never request this data." Apple at first dismissed Krebs' concern but later explained that the iPhone 11 has ultra-wideband technology that enables the phone to become aware of other ultra-wideband devices in the vicinity, a capability used for its AirDrop feature. The technology collects location data, but does not share it with anyone, the company says. -- TECHCRUNCH

6. The Department of Homeland Security (DHS) has flagged a number of critical vulnerabilities in industrial Ethernet switches made by German firm Weidmueller. The vulnerabilities include improper restriction of excessive authentication attempts, uncontrolled resource consumption, missing encryption of sensitive data, and unprotected storage of credentials. An attacker with low skill level could exploit these security flaws to remotely gain unauthorized access to the affected device, compromising its confidentiality, integrity, and availability. CERT@VDE found the flaws and reported them to DHS's Cybersecurity and Infrastructure Security Agency (CISA). Weidmueller has issued firmware patches for some switches and workarounds for other switches to fix the vulnerabilities. -- CISA ADVISORY

7. Ransomware is increasingly targeting network-attached storage (NAS) and backup storage devices. Kaspersky Lab researchers are warning that attackers are able to bypass user authentication by exploiting vulnerabilities in these devices. Then, the attackers are able to deploy ransomware and encrypt data. The number of attacks has grown from around 5,000 to more than 13,000 in the last 12 months. "Previously, encryption ransomware targeting NAS was hardly evident in the wild, and this year alone we have already detected a number of new ransomware families focused solely on NAS," said Kaspersky security researcher Fedor Sinitsyn. -- ZDNET

8. VMware has released a patch for a critical vulnerability in the company's ESXi and Horizon DaaS products identified at the recent Tianfu Cup hacking competition in China. The 360 Vulcan team earned $200,000 for demonstrating an attack on a virtual machine that enabled the team to gain control of the host operating system. VMware explained that the vulnerability is a heap overwrite problem in the OpenSLP service used in ESXi and Horizon DaaS products. An attacker could exploit the flaw to conduct a remote code execution attack. -- SECURITY WEEK

9. HackerOne, which provides a bug bounty platform for tech firms and the U.S. government, had to cough up $20,000 when a security researcher reported a data breach involving its platform. During communications between the researcher and the platform, a HackerOne analyst copied and pasted a valid session cookie that would give anyone who obtained it the ability to read and modify the data the analyst could see. When the researcher informed HackerOne, it revoked the session cookie and contacted those affected by the breach. -- SILICON REPUBLIC

10. OpenBSD developers have issued patches for vulnerabilities in the free operating system that allowed attackers to bypass authentication controls. Four vulnerabilities in BSD Authentication were discovered by Qualys Research Labs. Three of the vulnerabilities were local privilege escalation flaws, and the other was an authentication bypass bug. An attacker could exploit the authentication bypass vulnerability by authenticating with the password option and the username "-schallenge," which automatically grants the user access because the operating system passes the name to the program carrying out the authentication, which interprets it as a command-line option rather than a username. -- NAKED SECURITY
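The OpenBSD item above is an instance of a general bug class: a user-controlled string is handed to a helper program on its command line, and a value that starts with "-" is parsed as an option instead of as data. The following Python snippet is an added illustration of the defensive pattern, not OpenBSD's code or the patched code; the helper path, the "-s style" option and the assumption that the helper uses a getopt(3)-style parser that honors "--" are all hypothetical.

```python
"""Defensive handling of user-supplied values passed as arguments to an
external authentication helper (hypothetical example, not OpenBSD's code).

Two independent controls are shown:
  1. an allowlist check that rejects any identifier which could be mistaken
     for an option (primary control), and
  2. an explicit "--" end-of-options marker placed before positional
     arguments, so a getopt(3)-style parser treats everything after it as
     data (defence in depth; assumes the helper uses such a parser).
"""
import re

# Constructed allowlist for POSIX-style login names: must start with a
# lowercase letter or underscore, so a leading '-' can never get through.
USERNAME_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")

# Placeholder path of the assumed helper; not a real OpenBSD path claim.
HELPER_PATH = "/path/to/auth_helper"


def is_safe_username(name: str) -> bool:
    """True only for names that match the allowlist in full."""
    return bool(USERNAME_RE.fullmatch(name))


def build_helper_argv(username: str, style: str = "passwd") -> list:
    """Return the argv for the helper, or raise ValueError for unsafe input.

    The username is placed after "--" so that even if the allowlist were
    loosened later, an option-like value would still reach the helper as a
    positional argument rather than being parsed as an option.
    """
    if not is_safe_username(username):
        raise ValueError(f"refusing option-like or malformed username: {username!r}")
    return [HELPER_PATH, "-s", style, "--", username]


def rejects(username: str) -> bool:
    """Helper for checks: True if the username is refused."""
    try:
        build_helper_argv(username)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed inputs: one ordinary name and several option-like ones.
    for candidate in ["alice", "-schallenge", "--help", "", "bob smith"]:
        verdict = "rejected" if rejects(candidate) else "accepted"
        print(f"{candidate!r:16} -> {verdict}")
```

The allowlist is the control that actually matters; the "--" marker only helps when the receiving program's option parser honors it, which is why it is labelled an assumption and used as a second layer rather than the only one.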

Fred Donovan is a professional writer, editor, and content specialist with decades of experience, most recently in the areas of information technology and cybersecurity. He has written for such publications as FierceITSecurity, InfoSecurity Magazine, Report on Patient Privacy, TechGenix, eSecurity Planet, and NetDefense. Fred has a B.A. from Harvard University in government and an M.S. in national security from Georgetown University.

Copyright © 2020, All rights reserved.

Our mailing address is:
767 Bryant St. #203
San Francisco, CA 94107
