TrickBot Silently Targets Servers
Knowing that many domain controller servers are rarely shutdown or rebooted, the authors of TrickBot have made some changes to allow the infection to run from memory. While this can be detrimental to the payload, as a reboot could easily remove it, the stealth approach could let the infection cause major havoc on systems that aren’t routinely restarted. Though TrickBot is normally dropped as a secondary infection from Emotet, it’s taken this new stealth approach to move across networks more easily.
Stenography Makes Leaps into Industrial Cyberattacks
Researchers have been following a new trend of incorporating multiple levels of steganography into cyber attacks focused mainly on large industries. The attacks are specified for each victim, including a language localization script that only executes if the local OS is in the right language and using macros to launch hidden malicious PowerShell scripts that require no additional input. The scripts, when executed, communicate with imgur.com or other image hosting sites to grab pictures with malicious code hidden in the pixels that eventually drops an encrypting payload.
Flaw in Apple Sign-in Nets Bounty Hunter $100,000
An authentication flaw has been discovered within the Apple sign-in feature for third-party sites that could allow an attacker to forge fake accounts if the victim hadn’t chosen their own email address to be identified. If a victim chooses not to do so, Apple creates a unique email ID that is used to create a JSON web token (JWT) to sign in the user. This could easily be forged alongside the email ID to gain unlimited access to any account. The researcher who found the bug and reported it to the Apple Security Bounty Program was rewarded with $100,000.
Ransomware Authors Begin Data Auction
The authors behind several prominent ransomware campaigns, including Sodinokibi and REvil, have begun an auction for stolen data on their dark web site. Currently, there are two auctions active on the site, one with data belonging to an unnamed food distributor and the other with accounting and financial information for an unnamed crop production company from Canada. The auctions have starting prices of $55,000, along with fees to be paid in Monero cryptocurrency because of its anonymity and ease of direct payment from victims.
San Francisco Employee Retirement Database Compromised
A vendor conducting a test on a database belonging to the San Francisco Employee Retirement Systems (SFERS) recently noticed some unauthorized access to the database containing records on 74,000 members. Though the database didn’t contain Social Security Numbers, it did contain a trove of personally identifiable information including names, addresses, and birthdates. Fortunately, the database was using old data for the test and had nothing newer than 2018. Nevertheless, SFERS officials are offering credit and identity monitoring services for affected victims.