The Technology blog and podcast

Commentary, articles, and podcasts for the technology blog and podcast.

Archive: February 2022

This week in Security news, news ending February 11, 2022

I’m right on time this time! This Week in Security News – February 11, 2022 is the article to look at which includes the digest of news.

Below, find the article titles and for links, click through to the article!

  • Hidden Scams in Malicious Scans: How to Use QR Codes Safely
  • Feds Arrest Couple Who Allegedly Laundered $1 Billion in Stolen Bitcoins
  • Ransomware Spotlight: LockBit
  • Microsoft Considering Possible Deal for Mandiant
  • Why Cyber Change Outpaces Boardroom Engagement
  • Iranian Hackers Using New Marlin Backdoor in ‘Out to Sea’ Espionage Campaign
  • Suspected Chinese Hackers Hit News Corp with ‘Persistent Cyberattack’
  • A Sign of Ransomware Growth: Gangs Now Arbitrate Disputes

The Mandiant article is of interest and worth keeping an eye on. The feds busting a couple for laundering stolen funds, especially bitcoin, is also of interest.

The Department of Justice announced the arrests and indictment of Russian-U.S. national Ilya Lichtenstein, 34, and his wife, Heather Morgan, 31, in a press release. Prosecutors accused Lichtenstein and Morgan of attempting to launder almost 120,000 BTC (currently worth around $5 billion) through a wallet owned by Lichtenstein.

Was there anything else you found in the list of articles that you found of interest? Sound off in the comments!


The IRS and Biometrics, they can’t make up their mind

I wasn’t exactly sure what I thought about the IRS and biometrics.

This all started when I read an article which I did post to the security box list titled IRS Will Soon Require Selfies for Online Access by Brian Krebs. When I first read this, I first thought how impossible this is going to be, especially for those of us with some type of disability whether it is physical or otherwise.

Then I thought about how Brian, a fully sighted individual, had nothing but problems with the sign-up process.

After thinking about all this, I realized that covering this alone would not make any sense so I held on to it for revisiting.

I’m sure glad I did. Today, I spotted the article IRS To Ditch Biometric Requirement for Online Access by the same Brian Krebs.

Now they’re talking about possibly going with the government site login.gov, which of course the government runs and should in theory be trusted.

With that said, whatever the IRS does, it’s tax season and it isn’t the time to be messing with stuff like this. They are encouraging people to pay their taxes anyhow, even though they’ll be in a transition period. What a mess!

Read both articles, and let me know what you think. I know it’s going to be a mess for now, so if there are any updates, I’ll be sure to let you know if I see them.


Apple releasing iOS 15.3.1

Yesterday, AppleVis released a post talking about iOS 15.3.1. Here is that blog post for people to look at.

It talks about a fix for a bug that made braille displays crash, and that’s really all the notes say. Apple’s own release notes also describe the update as providing important security updates, so it is worth installing even if you don’t use a braille display, but the main highlight was the braille display fix.

I know that when I got the new Orbit 40 replacing the one that somehow broke, while it paired with the phone, it never worked. Orbit never could duplicate it, but I tried the same steps with the same results. So, we’ll see if whatever the fix is for 15.3.1 is, will fix my issue.

I’m not blaming any of the manufacturers for the trouble; I explained the issue to Orbit the best I could. I guess we’ll see what happens. Technology is strange sometimes.


The Security box, podcast 81: Fake Investor does not go away, Fake investor is back and still the same

Here is the 137.32 MB file for those who don’t have RSS capability.

We had a great show which included some very basic stuff as part of the open forum section. The first hour was definitely interesting, although we didn’t have any live participation during it.

We’ll be returning to our normal time of 11 am PT, 2 pm ET for next week’s show.

Here are the show notes for you to peruse.

Show title: Fake Investor does not go away, Fake investor is back and still the same

Hello folks, welcome to podcast 81 of the Security Box! It seems like it’s time for an update on a very interesting character, isn’t it? It’s time for another update on the fake investor we’ve covered since podcast 10. I know that I’ve linked somewhere on the blog all of the podcasts in which we’ve covered John Bernard, and this is going to be one of those podcasts.

What has he done lately? This article titled Fake Investor John Bernard Sinks Norwegian Green Shipping Dreams from Krebs on Security has the entire details on what he has been up to now and a reminder of his past.

Besides all of this, we’ll step through the news that has been posted to the TSB list as well as on our blog.

We also had a new person come in and ask about some things they’d heard, and we separated the myths from the facts.

Want to subscribe to the Security Box discussion list? We’ll post stuff we’re reading, you can discuss it with us, and even post your own stuff too.

Here is a link to the Security Box discussion list hosted through 986themix. Just put your email address and name if you wish, and hit that subscribe button. Follow any email instructions you get. Just subscribing will not get you on by default. Confirmations last about 3 days.

I hope you enjoy the program as much as I enjoy bringing it to you! It’s going to be a great show.


YouTube and shady ads

Kim Komando has a breaking news newsletter. I decided to subscribe to it because there could be things that might be of interest. Today, Watch out for this scam ad popping up in YouTube is the highlight in this newsletter.

What can we as disabled people do about it? Close the browser and try again. I may have seen these pop-out ads occasionally. If one opens in a new window and you can’t close it with Alt+F4 on your computer, or it makes the page difficult to navigate unless you click the button they want you to click, you will have to close the browser.

I don’t think I’ve seen this in quite a while, although I don’t sit on YouTube for long periods of time.

As for the YouTube apps themselves, I don’t know if I have seen the ads they talk about, but if one does cause a problem, close the app and try again. Most of those ads probably don’t have accessible close buttons, and clicking on an inaccessible button may become a problem today.

It used to not be a serious problem; it used to be just a scare tactic, but now you never know. Stay safe.


The Streaming wars, are we still in those wars?

Hello everyone,

While I’m doing a bunch of things today, Jamie T of our Throwback Saturday Night program was asking about Streaming services and how much of a compromise they are.

I used Hulu under the free plan until they went paid; I personally do not pay for any streaming service.

This is a 2020 article titled The Streaming Wars: A Cybercriminal’s Perspective which is very well written.

Five platforms were mentioned, and rightly so. Apple TV was the least likely to have problems with malware and the like; however, if you use an app to connect other services to your TV, you could be at risk.

This is well worth the read, and I think people should read it, even though it is 2 years old. The fact is, since the Pandemic is still happening in a lot of the world, the cybercriminals will not stop at anything to get their wares out, if that means scaring people half to death.

Have you seen this article and what do you think?


Critical vulnerability found in game, Dark Souls servers taken offline

I know that a lot of games are for the people who can see, and this was sent to the Security Box list. The article is titled Dark Souls servers taken down following discovery of critical vulnerability and it comes from Ars Technica.

Bandai Namco, publisher of the Dark Souls role-playing game series, has taken down its player-versus-player servers while it investigates reports of a serious vulnerability that allows players to execute malicious code on the PCs of fellow players.

This isn’t the first time something like this has happened, and Log4j is even talked about here.

According to the video that was posted and linked, someone named “The Grim Sleeper” was affected by this.

“What the fuck,” The_Grim_Sleeper said in response. “My game just crashed, and immediately Powershell opened up and started narrating a fucking” screed. “I didn’t even know that shit was possible.”

Well, you learn something new every day. The company has disabled online play but still lets you play offline while it investigates this bug.

For full details, please check out the article if you are playing this game. It’s important that you do.


News of the week, news ending February 5, 2022

Hi all, yes, I’m a little late with this one, but only a few days. I did read Trend Micro’s news of the week Digest they put out and it was quite interesting as usual.

  • The Samba Vulnerability: What is CVE-2021-44142 and How to Fix It
  • White House Cybersecurity Official in Europe Warning of Russian Hacks
  • Conti and LockBit Make Waves with High-Profile Attacks: Ransomware in Q4 2021
  • Samba ‘Fruit’ Bug Allows RCE, Full Root User Access
  • Codex Exposed Helping Hackers in Training

  • Inside Trickbot, Russia’s Notorious Ransomware Gang
  • BlackCat Ransomware Implicated in Attack on German Oil Companies
  • $320 Million Stolen from Wormhole, Bridge Linking Solana and Ethereum
  • Cyberattack Hits German Service Station Provider

There are a few that catch my eye, especially the ones dealing with LockBit and Conti; no surprise on the service station attack; and of course DarkSide or REvil being linked to BlackCat.

This Week in Security News – February 4, 2022 is the article that you need to fully check out to see if something catches your eye.

Thanks for reading!


Sans News bites, February 4, 2022

Hello all, welcome to another Sans News Bites. Some of this news may be of value to you, so please take a look to see if something affects you.

Here is a link to the newsletter for you to peruse.

Top of the news

  • Thieves Steal More than $300 Million from Wormhole Blockchain Platform 
  • DHS Cyber Safety Review Board
  • Open Source Security Foundation’s Alpha-Omega Vulnerability Detection Project

These are three big stories. The biggest is the heist of the cryptocurrency. I’ve said this numerous times to people on Clubhouse who insist that crypto is the future: with stories like this coming out, I do not believe crypto is the future; it will eventually crash somehow. With so many putting thousands of dollars into cryptocurrency, if it crashes because of this supposed theft, then they’ll be out the money while those who hold out will be just fine.

I’ve heard Security Now’s Steve Gibson talk about Bitcoin and its technology, and it is awesome what was done. But since it can be stolen just like cash and credit cards, crypto has no FDIC insurance. Cash doesn’t either, but credit cards and even debit cards are insured by your company with $0 liability if reported in a timely manner.

With credit cards, they give you at least a billing statement to review and dispute anything you don’t recognize. So when your statement comes out, review it so you are not out money you aren’t expecting to pay. For debit cards, check your bank statement for the same thing: charges and withdrawals you aren’t expecting.

The other two stories here are interesting and worth watching.

The Rest of the news

  • Oil Companies Impacted by Cyberattack
  • Cisco Releases Fixes for Router Vulnerabilities
  • ESET Fixes Privilege Elevation Vulnerability
  • US State Dept. Concerned About Red Cross Breach
  • FBI Says They Tested but Did Not Use Pegasus Spyware

The biggest stories here are the oil companies potentially having a ransomware problem and ESET fixing a vulnerability in its products. Ransomware is a big deal now, and no company will be out of the woods. At some point, we all will have to deal with a ransomware attack, whether we can afford it or not.

As for ESET, they fixed their products, and as an antivirus company, they had to jump on it fast. Running antivirus is hard, but fixing the issue quickly was key.

I read the Red Cross fiasco; see this blog post from the 28th of January for my thoughts. I’m glad that SANS covered this just the same, because not many people will know about this unless word gets out.

Finally, SANS covered the fact that the FBI tested Pegasus. I don’t see a problem with testing something, especially if you’re going to use it anyway, but Pegasus has been known to be a big problem, and those of us who followed it know that it is.

I’m glad the FBI is not using the dangerous software. Read the thoughts of SANS to see what they have to say on this one.

I’ll have more later, as this completes my thoughts on the newsletter. Make sure you read it, and if something affects you, be aware of it and take steps to make sure you’re as prepared to deal with it as you can be. Maybe that sentence doesn’t make sense; you get the idea though.

Looks like Gatekeeper isn’t all it’s cracked up to be

Armando Vias posted an article to the Security Box list with another Gatekeeper issue where it can’t protect you from harm.

This time, it isn’t necessarily Gatekeeper’s fault, as it does prompt you before opening a file it doesn’t know anything about. If you download, say, an image, and an attacker can get you to a site where they can change that image to a different file type, Gatekeeper lets it run, and that could lead to malicious activity if done successfully.

This Hacker News article, Apple Pays $100,500 Bounty to Hacker Who Found Way to Hack MacBook Webcam, has all of the details on this one.

I don’t necessarily blame Apple and Gatekeeper, but this was definitely a bad one, I think. Keep yourself up to date as much as possible.

I have had some Mac training, I’m not a Mac user currently, and I don’t even own a Mac, but this is something I’m concerned about. The thing is, people in the Mac space have never had to deal with things like this, so knowing where you’re going on the web is crucial to protecting yourself. Don’t go somewhere you’re not expecting to go.

Someone with a Mac may want to comment if they’ve seen something like this and how they avoided it.

NSO Group apparently asked U.S. firm to take “bags of cash”

This Ars Technica article was sent to the Security Box email list yesterday. It is titled Report: NSO offered US firm “bags of cash” for help spying on cellphone users and it is quite interesting. The company mentioned said they don’t even offer access to the SS7 network, the signalling network carriers use to route calls and texts between each other; anyone who did have access to it could see a lot of data about phone users, including their location.

There is reporting done by the Guardian, and it’s something we should keep an eye on. I’m sure this won’t be the end of this, unfortunately.

Have you read this article, and what do you think?

John Bernard is back, sinks Norwegian shipping company that wanted to bring a green fleet to market

This is the fifth in a series that Krebs on Security has been doing on a guy by the name of John Bernard. His real name is not John Bernard, of course, and we’ve covered him in podcasts 10, 12 and 14.

If you search for John Bernard you’ll find multiple blog postings, including the October 2020 piece asking if he was done for. I wasn’t really impressed when I saw a story in 2021, and I titled it John … what’s your name now … is now back in the news because he can’t decide what he wants to call himself.

He’s also been covered in news notes articles and in the show notes for those podcasts.

This time, Mr. Bernard is covered in the fifth installment, titled Fake Investor John Bernard Sinks Norwegian Green Shipping Dreams, which is pretty detailed.

Several articles here have delved into the history of John Bernard, the pseudonym used by a fake billionaire technology investor who tricked dozens of startups into giving him tens of millions of dollars. Bernard’s latest victim — a Norwegian company hoping to build a fleet of environmentally friendly shipping vessels — is now embroiled in a lawsuit over a deal gone bad, in which Bernard falsely claimed to have secured $100 million from six other wealthy investors, including the founder of Uber and the artist Abel Makkonen Tesfaye, better known as The Weeknd.

John Bernard is a pseudonym used by John Clifton Davies, a convicted fraudster from the United Kingdom who is currently a fugitive from justice and residing in Ukraine. Davies’ Bernard persona has fleeced dozens of technology companies out of an estimated $30 million with the promise of lucrative investments.

In case after case, Bernard would promise to invest millions in tech startups, and then insist that companies pay tens of thousands of dollars worth of due diligence fees up front. However, the due diligence company he insisted on using — another Swiss firm called Inside Knowledge — also was secretly owned by Bernard, who would invariably pull out of the deal after receiving the due diligence money.

The scam artist John Bernard (left) in a recent Zoom call, and a photo of John Clifton Davies from 2015.

But Bernard would adopt a slightly different approach to stealing from Freidig Shipping Ltd., a Norwegian company formed in 2017 that was seeking the equivalent of USD $100 million investment to bring its green fleet of 30 new offshore service vessels to fruition.

Two journalists wrote a story (which is behind a paywall) and Brian took some quotes from it. The writers say he came across as professional, as did his company Inside Knowledge. The article describes how he claimed six potential investors would put up $99.25 million, leaving a shortfall of $750,000 that would have to be covered elsewhere, which the article also discusses.

But by the spring of 2020, it was clear that Devos and others involved in the shipping project had been tricked, and that all the money which had been paid to Bernard — an estimated NOK 15 million (~USD $1.67 million) — had been lost. By that time the two co-founders and their families had borrowed USD $1.5 million, and had transferred the funds to Inside Knowledge.

The article goes into the investigation we talked about in the other podcasts, in which he was suspected of killing his wife, and how he’s apparently living with a fourth wife now.

Remember that John Bernard wants you to believe what he’s telling you, and the fees are supposedly there to guarantee the trust in him and his companies.

Do your due diligence so you’re not bitten by him and his companies.

Bernard’s scam is genius because he never approaches investors directly; rather, investors are incentivized to put his portfolio in front of tech firms seeking financial backing. And because the best cons begin as an idea or possibility planted in the target’s mind.

What’s remarkable about Freidig Shipping’s fleecing is that we heard about it at all. In the first of this now five-part series, we heard from Jason Kane, an attorney who focuses on investment fraud. Kane said companies bilked by small-time investment schemes rarely pursue legal action, mainly because the legal fees involved can quickly surpass the losses. What’s more, most victims will likely be too ashamed to come forward.

John Clifton Davies, a.k.a. John Bernard, Jonathan Bibi, John Cavendish, is a U.K. man who absconded from justice before being convicted on multiple counts of fraud in 2015. Prior to his conviction, Davies served 16 months in jail on suspicion of murdering his third wife on their honeymoon in India. The U.K. authorities later dropped the murder charges for lack of evidence. Davies currently resides with his fourth wife in or near Kyiv, Ukraine.

If there is a way to get this guy picked up and charged for his crime(s), then let’s see what we can do to bring him to justice. He’s hurt quite a number of people by stealing money; there’s got to be a way to bring him to justice once and for all.

While I like writing articles, there has to be a time to say that it’s enough and pick him up. The problem is, which country would be trying him anyway? It’s going to get interesting as this continues to progress.

Aira has a job opening

Ryan Bishop has been doing product development and IT work for Aira for a while. They need a new product manager, and this job posting has all of the details.

Ryan is going to be the full-time IT person at Aira, so they’re looking for someone to take over product. They sent an email to us in regards to this and asked us to post it.

Click through, and if you fit the role, apply.

I have no more knowledge than what was in the email. Thanks for reading!

Spam that links to a file that is not detected by anyone: the file is a zip of Excel files

I find this interesting. I just got the following through the site’s feedback form tonight.

Below is the result of your feedback form. It was submitted by () on Thursday, February 03, 2022 at 22:33:32

Name: Christa
phone: (08) 8993 0154
contact_method: phone
bug: no
additional_bug_info: Get the entire LinkedIn Now.

comment_or_question: Get the entire LinkedIn Now.

HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36

Note the user agent: Chrome 65 on Windows 8 (NT 6.2) is a 2018-era browser string, which is a common tell for an automated form-spam tool rather than a person at a keyboard.

It goes to a Stripe page where they will charge you $99, and links to a sample zip file of Excel files that VirusTotal says are not malicious. The file was last scanned there two months ago, but I call bull on this.

It is interesting that nobody has flagged it. If I opened the Excel file, am I going to get bit, or am I better off opening it in Google Sheets?

I sent the thing to Trend Micro; maybe they’ll be interested in this one. Very interesting.
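Rather than opening the workbook anywhere, you can answer that question statically. The example below is added here and is not code from the original post, nor the actual file from the spam (which is not on this page); it treats the outer zip and each .xlsx inside it as what they are, zip archives, and lists the parts that matter for triage: a VBA project (xl/vbaProject.bin), Excel 4.0 macro sheets (xl/macrosheets/), embedded OLE objects (xl/embeddings/) and external workbook links (xl/externalLinks/). Those part names are the standard Office Open XML paths. The sample archive it inspects is constructed in memory so the script runs offline.

```python
"""Static triage of a zip full of Excel files, without opening any in Excel.

Added example. An .xlsx/.xlsm is itself a zip (Office Open XML), so the outer
archive and each workbook inside it can both be read with zipfile. The sample
archive built by sample_archive() is constructed here; it is not the spam file.
"""
import io
import zipfile
from typing import Dict, List

# Standard OOXML part paths that matter for triage.
MACRO_PART = "xl/vbaProject.bin"       # VBA project, only legitimate in .xlsm/.xltm
XLM_PREFIX = "xl/macrosheets/"         # Excel 4.0 (XLM) macro sheets
EMBED_PREFIX = "xl/embeddings/"        # embedded OLE objects (executables, scripts, ...)
EXTLINK_PREFIX = "xl/externalLinks/"   # links to other workbooks or remote resources
EXCEL_EXT = (".xlsx", ".xlsm", ".xltx", ".xltm")
MACRO_FREE_EXT = (".xlsx", ".xltx")


def inspect_workbook(name: str, data: bytes) -> List[str]:
    """Return findings for one Excel file; an empty list means nothing notable."""
    findings: List[str] = []
    try:
        inner = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [f"{name}: not a valid OOXML zip (possibly a disguised file)"]
    names = set(inner.namelist())
    if "[Content_Types].xml" not in names:
        findings.append(f"{name}: missing [Content_Types].xml, not a real Office package")
    if MACRO_PART in names:
        findings.append(f"{name}: contains VBA project ({MACRO_PART})")
        if name.lower().endswith(MACRO_FREE_EXT):
            findings.append(f"{name}: macro-free extension but macros inside")
    xlm = sorted(n for n in names if n.startswith(XLM_PREFIX))
    if xlm:
        findings.append(f"{name}: Excel 4.0 macro sheets: {', '.join(xlm)}")
    embeds = sorted(n for n in names if n.startswith(EMBED_PREFIX))
    if embeds:
        findings.append(f"{name}: embedded objects: {', '.join(embeds)}")
    ext = [n for n in names if n.startswith(EXTLINK_PREFIX)]
    if ext:
        findings.append(f"{name}: external workbook links: {len(ext)} part(s)")
    return findings


def inspect_archive(data: bytes) -> Dict[str, List[str]]:
    """Walk the outer zip and inspect every Excel member found inside."""
    report: Dict[str, List[str]] = {}
    with zipfile.ZipFile(io.BytesIO(data)) as outer:
        for info in outer.infolist():
            if info.is_dir():
                continue
            member = outer.read(info.filename)
            if info.filename.lower().endswith(EXCEL_EXT):
                report[info.filename] = inspect_workbook(info.filename, member)
            else:
                report[info.filename] = [
                    f"{info.filename}: non-Excel member, {info.file_size} bytes"]
    return report


def _zip_of(parts: Dict[str, bytes]) -> bytes:
    """Build a zip in memory from {member name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for n, b in parts.items():
            z.writestr(n, b)
    return buf.getvalue()


def sample_archive() -> bytes:
    """Constructed outer zip: one clean workbook, one .xlsx hiding a VBA project and an OLE object."""
    base = {"[Content_Types].xml": b"<Types/>", "xl/workbook.xml": b"<workbook/>"}
    clean = _zip_of(base)
    sneaky = _zip_of({**base,
                      MACRO_PART: b"\xd0\xcf\x11\xe0 not a real vba project",
                      "xl/embeddings/oleObject1.bin": b"not a real ole object"})
    return _zip_of({"leads/clean.xlsx": clean,
                    "leads/contacts.xlsx": sneaky,
                    "README.txt": b"open contacts.xlsx for the full list"})


if __name__ == "__main__":
    for member, findings in inspect_archive(sample_archive()).items():
        print(member)
        for line in findings or ["(nothing notable)"]:
            print("  -", line)
```

A workbook with no findings is not proven clean; a phishing URL in a cell or a malicious external link can still be the payload. Excel normally refuses to load macros from a file with a .xlsx extension, but a VBA part inside one is a strong sign the file was not produced by Excel at all. Google Sheets does not execute VBA or XLM macros, which is why importing there is the safer of the two options asked about.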


Mac malware that has been around a while gets more tools, causes potential damage to your Mac

Michael in Tennessee sent this article to the Security Box email list. It’s titled Mac malware spreading for ~14 months is growing increasingly aggressive and comes to us from Ars Technica.

There are two pieces to this: the UpdateAgent loader itself, and the Adload adware it installs.

The UpdateAgent malware family began circulating no later than November or December 2020 as a relatively basic information-stealer. It collected product names, version numbers, and other basic system information. Its methods of persistence—that is, the ability to run each time a Mac boots—were also fairly rudimentary.

The Microsoft write-up uses the term person-in-the-middle (PiTM) instead of man-in-the-middle.

Microsoft researchers wrote:

Once adware is installed, it uses ad injection software and techniques to intercept a device’s online communications and redirect users’ traffic through the adware operators’ servers, injecting advertisements and promotions into webpages and search results. More specifically, Adload leverages a Person-in-The-Middle (PiTM) attack by installing a web proxy to hijack search engine results and inject advertisements into webpages, thereby siphoning ad revenue from official website holders to the adware operators.

Adload is also an unusually persistent strain of adware. It is capable of opening a backdoor to download and install other adware and payloads in addition to harvesting system information that is sent to the attackers’ C2 servers. Considering both UpdateAgent and Adload have the ability to install additional payloads, attackers can leverage either or both of these vectors to potentially deliver more dangerous threats to target systems in future campaigns.

UpdateAgent also strips the flag that tells Gatekeeper a file was downloaded from the Internet, so Gatekeeper never gets the chance to check it.

Before installing the adware, UpdateAgent now removes a flag that a macOS security mechanism called Gatekeeper adds to downloaded files. (Gatekeeper ensures users receive a warning that new software comes from the Internet, and it also ensures the software doesn’t match known malware strains.) While this malicious capability isn’t novel— Mac malware from 2017 did the same thing—its incorporation into UpdateAgent indicates the malware is under regular development.
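The flag the quote refers to is the com.apple.quarantine extended attribute: browsers and other downloaders set it on files they save, and Gatekeeper only evaluates files that carry it. As an added example (not code from the original post, from Microsoft, or from Ars Technica), the script below reads that attribute on files you name, decodes its flags;hex-timestamp;agent;uuid layout, and calls out any file that has none. The layout is taken from observed attribute values rather than an Apple specification, and the values in the docstring are constructed.

```python
"""Report which files carry Gatekeeper's quarantine attribute and which do not.

Added example. On macOS, a download normally gets the com.apple.quarantine
xattr with a value like "0083;61f0a8c0;Safari;<UUID>" (constructed sample):
hex flags, hex Unix time of download, the agent that saved it, and a UUID.
A file with no such attribute opens with no Gatekeeper prompt, which is what
malware that strips the attribute relies on.
"""
import os
import sys
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

QUARANTINE_XATTR = "com.apple.quarantine"


@dataclass
class Quarantine:
    flags: int
    downloaded_at: datetime
    agent: str
    uuid: str


def parse_quarantine(value: str) -> Quarantine:
    """Decode 'flags;hex-unix-time;agent[;uuid]'; flags and time are hex."""
    parts = value.split(";")
    if len(parts) < 3:
        raise ValueError(f"unexpected quarantine value: {value!r}")
    flags = int(parts[0], 16)
    downloaded_at = datetime.fromtimestamp(int(parts[1], 16), tz=timezone.utc)
    uuid = parts[3] if len(parts) > 3 else ""
    return Quarantine(flags, downloaded_at, parts[2], uuid)


def read_quarantine(path: str) -> Optional[str]:
    """Return the raw attribute value, or None if the file carries none.

    os.getxattr exists on macOS and Linux; on other platforms we report None.
    """
    if not hasattr(os, "getxattr"):
        return None
    try:
        return os.getxattr(path, QUARANTINE_XATTR).decode("utf-8", "replace")
    except OSError:  # ENOATTR on macOS / ENODATA on Linux: attribute absent
        return None


def assess(path: str, raw: Optional[str]) -> str:
    """One line per file: who quarantined it and when, or a warning that nothing did."""
    if raw is None:
        return f"{path}: NO quarantine attribute; Gatekeeper will not evaluate it"
    q = parse_quarantine(raw)
    return (f"{path}: quarantined by {q.agent} at {q.downloaded_at:%Y-%m-%d %H:%M}Z "
            f"(flags=0x{q.flags:04x})")


if __name__ == "__main__":
    # Usage: python quarantine_check.py ~/Downloads/*
    for p in sys.argv[1:]:
        print(assess(p, read_quarantine(p)))
```

Run it against a Downloads folder on a Mac and anything a browser saved should show an agent and a timestamp; an installer or "support agent" app that shows up with no attribute at all is exactly the condition the article describes. The check is informational only: a missing attribute also happens for files created locally or copied from some network shares, so treat it as a lead, not a verdict.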

I mentioned and asked about Gatekeeper in a Mac Buzz talk on Clubhouse after seeing an article I blogged about, and it was determined that Gatekeeper is like Windows Defender or any other type of antivirus program for today.

In this article, it does link to Apple’s support document, which I think I want to read.

Microsoft said UpdateAgent masquerades as legitimate software, such as video apps or support agents, that is spread through pop-ups or ads on hacked or malicious websites. Microsoft didn’t explicitly say so, but users apparently must be tricked into installing UpdateAgent, and during that process, Gatekeeper works as designed.

In many ways, the evolution of UpdateAgent is a microcosm for the macOS malware landscape as a whole: malware continues to become more advanced. Mac users should learn how to spot social engineering lures, such as unsolicited pop-ups appearing in browser windows that warn of infections or unpatched software.

There’s more that I didn’t quote or write about; please check the full article for complete details. Stay safe!

SANS News Bites for February 1, 2022: 3.47 Tbps DDoS attack stopped, the winter games, Samba gets updated, and more

Hello folks,

Welcome to SANS News Bites. I’m really going to try to look at these newsletters and keep myself up to date. Even if we don’t talk about these on the show, the news this organization has is something you might find of interest, as they scour the web for information and bring it to you.

Here is the web page for this newsletter.

Top of the news

  • Commerce OIG Report Finds Deficiencies in System Security Assessment and Continuous Monitoring Program
  • QNAP Pushes Out NAS Firmware Update
  • FBI Cybersecurity Warning for 2022 Olympics and Paralympics

The Rest of the News

  • FBI Considered Using Pegasus Spyware
  • Malicious Hybrid Cloud Campaign
  • Microsoft Stopped Massive DDoS Late Last Year
  • Finland Says Diplomats’ Phones Infected with Pegasus Spyware
  • CISA Known Exploited Vulnerabilities Catalog Additions
  • Samba Addresses Critical RCE Flaw
  • Andorra Experiences Widespread Internet Outages Due to DDoS Attack

It’s sad that the only ISP in Andorra, a small country bordering France and Spain, was attacked, because there is a chance everyone in the country could be affected one way or another.

Microsoft stopped a 3.47 Tbps DDoS attack. According to the newsletter, this is the biggest reported to date.

There may be more; please read through it, and if you want to talk about something, let me know.

The Security Box, podcast 80: WordPress plugins used for attacks

Hello everyone. The podcast can be downloaded with this link. The file size is 148.38 MB. The RSS feed was also updated for today’s program.

While the main topic was WordPress, we did talk about some of the posts here on the blog, and even some possible problems with vague room names we’ve seen on Clubhouse, although Messenger can also host rooms.

The show notes follow with links to things talked about. Hope you enjoy the program as much as we enjoyed bringing it together for you! Thanks, Nick, for the nice chat, and we hope to see you again.

Show notes

Welcome to podcast 80 of the Security Box. On this edition, let’s talk about WordPress. While it is a good platform for people to use for web sites and even blogging, as I do, it comes with risks we need to be aware of.

Part of those risks include keeping it up to date and, of course, the plugins you install: a plugin runs with the same privileges as WordPress itself, so a backdoored plugin is a backdoored site.

Most plugins can be found through the Add New section of the plugin management screen, but you can also install plugins manually by uploading a zip file, which is exactly where a tampered download can slip in.

The article we’re going to cover today comes to us from Ars Technica and was sent by our good friend Michael. Supply chain attack used legitimate WordPress add-ons to backdoor sites is the article. I hope that you find the discussion of interest, and if you saw the write-up, you found it of value.

We’ll also touch on other things blogged, and ask any audience members what they learned and/or read during our discussion today.

Remember, you can always contact me through the tech blog or through the show’s contact info. Thanks so much for listening, and make it a great day!
