Security News > 2022 > February

NSA-linked Bvp47 Linux backdoor widely undetected for 10 years
2022-02-24 00:21

Pangu Lab's incident analysis involved three servers, one being the target of an external attack and two other internal machines - an email server and a business server. According to the researchers, the threat actor established a connection between the external server and the email server via a TCP SYN packet with a 264-byte payload. "At almost the same time, the [email] server connects to the [business] server's SMB service and performs some sensitive operations, including logging in to the [business] server with an administrator account, trying to open terminal services, enumerating directories, and executing Powershell scripts through scheduled tasks" - Pangu Lab.
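A defensive check for the traffic pattern described above, added here as an example and not Pangu Lab's own code: a minimal IPv4/TCP header parser that flags SYN segments (without ACK) that carry a payload, since a normal handshake SYN carries none. The packets, addresses and ports below are constructed for the demonstration.

```python
import struct

SYN, ACK = 0x02, 0x10


def parse_ipv4_tcp(pkt: bytes):
    """Return (tcp_flags, payload_len) for a raw IPv4/TCP packet, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None                      # not IPv4 or too short
    ihl = (pkt[0] & 0x0F) * 4            # IP header length in bytes
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if pkt[9] != 6 or len(pkt) < ihl + 20:
        return None                      # not TCP or truncated
    tcp = pkt[ihl:]
    data_off = (tcp[12] >> 4) * 4        # TCP header length in bytes
    flags = tcp[13]
    return flags, total_len - ihl - data_off


def is_syn_with_payload(pkt: bytes) -> bool:
    """True for a bare SYN that carries data: the anomaly worth alerting on."""
    parsed = parse_ipv4_tcp(pkt)
    if parsed is None:
        return False
    flags, payload_len = parsed
    return bool(flags & SYN) and not (flags & ACK) and payload_len > 0


def build_packet(flags: int, payload: bytes) -> bytes:
    """Constructed IPv4/TCP sample (checksums left zero) for offline testing."""
    total_len = 20 + 20 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 5 << 4, flags, 8192, 0, 0)
    return ip + tcp + payload


def scan(packets):
    """Return the indexes of packets that look like a data-carrying SYN knock."""
    return [i for i, p in enumerate(packets) if is_syn_with_payload(p)]


if __name__ == "__main__":
    samples = [build_packet(SYN, b""),              # ordinary handshake SYN
               build_packet(SYN, b"\x00" * 264),    # SYN with 264-byte payload
               build_packet(0x18, b"hello")]        # PSH|ACK data segment
    print("suspicious packet indexes:", scan(samples))
```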

'Hundreds of computers' in Ukraine hit with wiper malware as conflict continues
2022-02-23 23:44

Hundreds of computers in Ukraine have been infected with data-wiping Windows malware, say researchers at ESET. In a series of tweets on Wednesday, the infosec biz said it picked up its first sample of the software nasty at about 1500 UTC, and believes the code has been in the works for the past two months. The malware uses drivers from a partitioning program to corrupt storage devices and destroy files on infected systems, according to ESET. It's not entirely clear right now how the malware is dropped onto victims' machines and run, though in one case, said ESET, an organization's Active Directory server was probably compromised to distribute the wiper through the network via a group policy object.

Network hackers focus on selling high-value targets in the U.S.
2022-02-23 22:46

A Crowdstrike report looking into access brokers' advertisements since 2019 has identified a preference in academic, government, and technology entities based in the United States. Initial access brokers are a vital link in the cybercrime chain, as these threat actors are devoted to breaching corporate networks for future attacks.

New data-wiping malware used in destructive attacks on Ukraine
2022-02-23 22:31

Cybersecurity firms have found a new data wiper used in destructive attacks today against Ukrainian networks just as Russia moves troops into regions of Ukraine. A data wiper is malware that intentionally destroys data on a device to make the data unrecoverable and for the operating system to no longer work correctly.

Millions of dollars pour into security compliance startups amid pressure on business
2022-02-23 22:04

Standards compliance startup Secureframe, launched in 2020, this week announced $56m in Series B funding, led by Accomplice Ventures and coming less than a year after the company raised $18m. Shrav Mehta, founder and CEO of the New York City-based company, wrote in a blog post that the latest funding round "Is a major milestone for our fast-growing company and a signal to the market that automation is the future of security and compliance. This new financing underscores the tremendous demand for solutions that streamline the compliance process and help organizations achieve best-in-class security." "New regulations, emerging security frameworks, and rising customer expectations put significant strain on growing companies, and too many organizations are trying to keep up using disconnected security tools and manual compliance reviews," Mehta wrote.

Samsung Shattered Encryption on 100M Phones
2022-02-23 21:29

Samsung shipped an estimated 100 million smartphones with botched encryption, including models ranging from the 2017 Galaxy S8 on up to last year's Galaxy S21. Researchers at Tel Aviv University found what they called "Severe" cryptographic design flaws that could have let attackers siphon the devices' hardware-based cryptographic keys: keys that unlock the treasure trove of security-critical data that's found in smartphones. In a paper entitled "Trust Dies in Darkness: Shedding Light on Samsung's TrustZone Keymaster Design" - written by Alon Shakevsky, Eyal Ronen and Avishai Wool - the academics explain that nowadays, smartphones control data that includes sensitive messages, images and files; cryptographic key management; FIDO2 web authentication; digital rights management data; data for mobile payment services such as Samsung Pay; and enterprise identity management.

Anatomy of suspected top-tier decade-hidden NSA backdoor
2022-02-23 20:23

Pangu Lab has identified what it claims is a sophisticated backdoor that was used by the NSA to subvert highly targeted Linux systems around the world for more than a decade. The China-based computer-security outfit says it first spotted the backdoor code, or advanced persistent threat, in 2013 when conducting a forensic investigation on a host in "a key domestic department" - presumably a Chinese company or government agency.

Apple AirTag anti-stalking protection bypassed by researchers
2022-02-23 19:59

A few days after the rickroll business, we were writing up another AirTag hack that documented how to create Bluetooth messages that could hitch a ride on Apple's AirTag network. Every two seconds, regular AirTags broadcast an identifier via Bluetooth Low Energy; any passing iPhones in the vicinity that are AirTag-enabled and happen to pick up these broadcast messages co-operatively relay them back to Apple's AirTag backend, where they're saved for later lookup.

Ransomware extortion doesn't stop after paying the ransom
2022-02-23 19:43

A global survey that looked into the experience of ransomware victims highlights the lack of trustworthiness of ransomware actors: in most cases where the ransom is paid, the extortion simply continues. 38% of ransomware attacks threatened to use stolen data to extort customers.

How to create an email alert for SSH logins
2022-02-23 18:59

Your first question might be "Why would you need to do this?" As I said, I do a lot of testing, so I have several Linux servers on a LAN that need to be able to send out emails.