Weekly News Recap 14
This week, multiple arrests occurred in relation to the REvil ransomware, Tor finally deprecated v2 onion services for good, and North Korea-related APTs are trying to hack researchers again. Read our weekly news recap to find out more.
You have probably heard of assembly language, which is used, among other things, for reverse engineering. If you are curious to learn the basics, or just want to see what it looks like, take a look at our latest article.
China says a foreign spy agency hacked its airlines, stole passenger records (The Record)
The Chinese authorities announced that a foreign intelligence agency hacked multiple Chinese airlines in 2020 to steal passengers' travel records. They did not name any company or agency.
State hackers breach defense, energy, healthcare orgs worldwide (Bleeping Computer)
The cybersecurity firm Palo Alto Networks warned of an attack targeting vulnerable installations of Zoho's enterprise password management product that might be carried out by the China-related APT27. Over 11,000 servers were found to be vulnerable, and the attackers might have targeted more than 370 in the US alone.
North Korean attackers use malicious blogs to deliver malware to high-profile South Korean targets (Cisco - Talos)
Cisco Talos observed a malware campaign carried out by Kimsuky, a North Korea-related APT. The group uses malicious Blogspot blogs to deliver malware and targets South Korean think tanks focused on military, political and diplomatic topics related to North Korea, Russia, China, and the US.
Lazarus hackers target researchers with trojanized IDA Pro (Bleeping Computer)
The North Korea-related Lazarus APT was found to be distributing a pirated version of the IDA Pro reverse engineering software containing a trojan. Earlier this year, the same group created social media accounts and pretended to be security researchers in order to hack actual ones.
macOS zero-day deployed via Hong Kong pro-democracy news sites (The Record)
The Google Threat Analysis Group discovered a watering hole campaign using Hong Kong pro-democracy websites that had been going on since at least August this year. The attack used 0-day flaws to target iOS and macOS systems. Google did not manage to attribute the attack but assessed that it was likely state-backed.
The FBI Warns of Fraudulent Schemes Leveraging Cryptocurrency ATMs and QR Codes to Facilitate Payment (IC3)
The FBI warned of the increased use of scams leveraging cryptocurrency ATMs and QR codes to facilitate payments. Scammers often give out a QR code associated with their cryptocurrency wallet and ask victims to deposit cash.
Bitcoin soft fork days away as Taproot upgrade closes in (Cointelegraph)
Taproot, the first major Bitcoin update since 2017, is set to be activated in a soft fork this week. It requires 90% of miners to be on board, and introduces Merkelized Abstract Syntax Trees and Schnorr signatures. The activation process can be followed here.
Treasury Continues to Counter Ransomware as Part of Whole-of-Government Effort; Sanctions Ransomware Operators and Virtual Currency Exchange (US Department of the Treasury)
The US Treasury sanctioned Chatex, a cryptocurrency exchange, for facilitating financial transactions for ransomware actors. The authorities also said that more than half of the exchange's activity was directly linked to illegal activities such as darknet markets. IZIBITS OU, Chatextech SIA, and Hightrade Finance Ltd were also hit with OFAC sanctions for the material support they provided to Chatex.
Wallstreet Vendor “RaptureReloaded” Sentenced to Prison (Darknetlive)
A Wall Street Market vendor was sentenced to 96 months in prison for selling various drugs. She was caught after paying for drug packages with her credit card and using her real phone number and email address to register various accounts.
New Release: Tor Browser 11.0 (Tor Blog)
Tor Browser 11 was released on Monday and includes the final deprecation of Onion Services v2.
General Security
Microsoft Patch Tuesday security updates for November 2021 fix 2 Zero-Days actively exploited (Security Affairs)
Microsoft released a security update addressing 55 vulnerabilities. Two of them, affecting Exchange (2016 and 2019) and Excel, are actively exploited.
Sunsetting Chrome sync for Chrome M48 and older (Google)
Google announced that Chrome sync will be disabled for Chrome browsers running version M48 or lower.
‘Trojan Source’ Bug Threatens the Security of All Code (Krebs on Security)
Researchers at the University of Cambridge discovered a bug that could allow attackers to sneak vulnerabilities into source code just by adding Bidi override characters (a Unicode feature for handling scripts with different writing directions) into strings or comments, so that the code a reviewer sees rendered differs from what the compiler actually parses.
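As an added example (not from the article or the Cambridge paper), the defensive check that follows from this: a small scanner that flags every Unicode bidirectional control character in a source file, reporting the line, column and code point name so a reviewer or CI job can reject it. The sample source is constructed for the demonstration.

```python
# Added example: detect Unicode Bidi control characters in source text.
# These characters are what the Trojan Source technique relies on, and they
# almost never belong in program source, so flagging all of them is safe.
import unicodedata

# Explicit embeddings/overrides (U+202A-U+202E), isolates (U+2066-U+2069)
# and the directional marks (U+200E, U+200F, U+061C).
BIDI_CONTROLS = {
    "\u202A", "\u202B", "\u202C", "\u202D", "\u202E",  # LRE RLE PDF LRO RLO
    "\u2066", "\u2067", "\u2068", "\u2069",            # LRI RLI FSI PDI
    "\u200E", "\u200F", "\u061C",                      # LRM RLM ALM
}


def find_bidi_controls(source: str):
    """Return a list of (line, column, code point, unicode name) for every
    Bidi control character found in `source`. Lines and columns are 1-based."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if ch in BIDI_CONTROLS:
                findings.append(
                    (lineno, col, f"U+{ord(ch):04X}", unicodedata.name(ch))
                )
    return findings


def is_clean(source: str) -> bool:
    """True when the source contains no Bidi control characters at all."""
    return not find_bidi_controls(source)


# Constructed sample (hypothetical): a comment carrying a right-to-left
# override and its matching pop, which an editor would render reordered.
SAMPLE = (
    "def is_admin(user):\n"
    "    # \u202E hidden override in a comment \u202C\n"
    "    return user.role == 'admin'\n"
)

if __name__ == "__main__":
    for lineno, col, cp, name in find_bidi_controls(SAMPLE):
        print(f"line {lineno} col {col}: {cp} {name}")
    print("clean" if is_clean(SAMPLE) else "REJECT: Bidi controls present")
```

In a pre-commit hook or CI step, a non-empty result from `find_bidi_controls` is enough to fail the check; the editor-side view is not to be trusted for these characters.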
Robinhood Announces Data Security Incident (Robinhood)
Robinhood (a trading platform) was hacked after a support employee was social-engineered. According to the company, the unauthorized party is believed to have gained access to five million users' email addresses and full names. More personal details of about 310 users were also accessed.
Google scores big win as court blocks iPhone tracking lawsuit (We Live Security)
The UK's Supreme Court dismissed a mass action lawsuit in which Google was accused of tracking iPhone users without their knowledge or consent for commercial purposes. The court ruled that damages couldn't be awarded without proof that the affected users suffered material damage or mental distress.
Philippines gov takes down passport application website amid privacy leak fears (The Register)
The Philippines' Department of Foreign Affairs disabled its online passport application tracker over data privacy concerns. It said that some information might have been exposed and that an internal audit is in progress.
Five affiliates to Sodinokibi/REvil unplugged (Europol)
Europol announced that Romanian and Kuwaiti law enforcement agencies caught two suspects believed to be Sodinokibi/REvil affiliates, and one believed to be affiliated with GandCrab. In total, they are suspected of being involved in 7,000 attacks, demanding more than EUR 200 million in ransoms.
REvil Ransom Arrest, $6M Seizure, and $10M Reward (Krebs on Security)
A Russian national was indicted in the US after being arrested in Poland in October for his involvement with REvil. The DOJ also seized USD 6.1 million in cryptocurrency.