WastedLocker Crypto-Ransomware Technical Details

“WastedLocker: technical analysis” via Fedor Sinitsyn | SECURELIST
“The use of crypto-ransomware in targeted attacks has become an ordinary occurrence lately: new incidents are being reported every month, sometimes even more often.
On July 23, Garmin, a major manufacturer of navigation equipment and smart devices, including smart watches and bracelets, experienced a massive service outage. As confirmed by an official statement later, the cause of the downtime was a cybersecurity incident involving data encryption. The situation was so dire that at the time of writing of this post (7/29) the operation of the affected online services had not been fully restored.
According to currently available information, the attack saw the threat actors use a targeted build of the trojan WastedLocker. An increase in the activity of this malware was noticed in the first half of this year.”
More details here:

Sneaky Phishing Campaign for O365 uses Google Ads

"Office 365 phishing abuses Google Ads to bypass email filters"
"An Office 365 phishing campaign abused Google Ads to bypass secure email gateways (SEGs), redirecting employees of targeted organizations to phishing landing pages and stealing their Microsoft credentials. The attackers behind these attacks took advantage of the fact that the domains used by Google's Ads platform are overlooked by SEGs, which allows them to deliver their phishing messages to their targets' inboxes bypassing email filters."
More details here:
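The gap the article describes is that a gateway judges the link by the host it can see (an ad-network redirector) rather than by where the click actually lands. The following is an added example, not code from the article or from any vendor product: it unwraps ad-click redirector links offline, follows nested wrappers, and verdicts on the final landing domain. The redirector hosts and the `adurl` parameter name are assumptions made for this example, and the sample message URLs are constructed.

```python
"""Unwrap ad-click redirector links to the real landing page before verdicting.

Added example (not from the article). Assumptions: the listed redirector
hosts carry the landing page in the `adurl` query parameter; the sample
URLs below are constructed and do not belong to any real campaign.
"""
from typing import Optional
from urllib.parse import parse_qs, urlparse

# Redirector host -> query parameter that carries the landing URL (assumed).
AD_REDIRECTORS = {
    "www.googleadservices.com": "adurl",
    "googleadservices.com": "adurl",
    "www.google.com": "adurl",
}
MAX_HOPS = 5  # bound on nested wrappers so a crafted link cannot loop us


def unwrap_ad_click(url: str) -> Optional[str]:
    """Return the landing URL embedded in an ad-click redirector, else None."""
    parsed = urlparse(url)
    param = AD_REDIRECTORS.get(parsed.netloc.lower())
    if param is None or not parsed.path.endswith("/aclk"):
        return None
    values = parse_qs(parsed.query).get(param)  # parse_qs percent-decodes
    return values[0] if values else None


def resolve_landing(url: str) -> str:
    """Follow redirector wrappers (bounded) and return the final URL."""
    current = url
    for _ in range(MAX_HOPS):
        nxt = unwrap_ad_click(current)
        if nxt is None:
            break
        current = nxt
    return current


def landing_domain(url: str) -> str:
    """Host part of a URL, lowercased, port stripped."""
    return urlparse(url).netloc.lower().split(":")[0]


def triage(urls, expected_domains):
    """Classify each URL by where it really lands, not by the visible host."""
    results = []
    for url in urls:
        final = resolve_landing(url)
        domain = landing_domain(final)
        wrapped = final != url
        if domain in expected_domains:
            verdict = "allow"
        elif wrapped:
            verdict = "block: ad redirector hides a non-approved landing domain"
        else:
            verdict = "review: direct link to a non-approved domain"
        results.append((url, domain, verdict))
    return results


# Constructed sample links from a hypothetical message (not real campaign data).
SAMPLE_URLS = [
    "https://www.googleadservices.com/pagead/aclk?sa=L&ai=abc"
    "&adurl=https%3A%2F%2Flogin.microsoftonline.com%2F",
    "https://www.google.com/aclk?sa=l&ai=xyz"
    "&adurl=https%3A%2F%2Fo365-secure-login.example%2Fverify",
    "https://contoso.example/docs",
]
# Landing domains the organisation actually expects credential prompts from.
EXPECTED_LANDING_DOMAINS = {"login.microsoftonline.com"}

if __name__ == "__main__":
    for url, domain, verdict in triage(SAMPLE_URLS, EXPECTED_LANDING_DOMAINS):
        print(f"{verdict:<62} {domain}")
```

The point of `resolve_landing` is that the allowlist check runs on the unwrapped destination; the redirector host itself never earns a verdict. Nested wrappers are followed only up to `MAX_HOPS`, so a link built to bounce between redirectors is still terminated and classified.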

Trickbot Variant Infects Linux and Windows

"TrickBot's new Linux malware covertly infects Windows devices" via Lawrence Abrams | Bleeping Computer
“TrickBot's Anchor malware platform has been ported to infect Linux devices and compromise further high-impact and high-value targets using covert channels.
TrickBot is a multi-purpose Windows malware platform that uses different modules to perform various malicious activities, including information stealing, password stealing, Windows domain infiltration, and malware delivery.
TrickBot is rented by threat actors who use it to infiltrate a network and harvest anything of value. It is then used to deploy ransomware such as Ryuk and Conti to encrypt the network's devices as a final attack.”
More details here:

Undetectable Malware Attacks Docker Cloud Instances

"Sneaky Doki Linux malware infiltrates Docker cloud instances" via Ax Sharma | Bleeping Computer
"Attackers are targeting misconfigured cloud-based docker instances running on Linux distributions with an undetectable strand of malware.
Dubbed Doki, the malware strand is part of the Ngrok Cryptominer Botnet campaign, active since at least 2018.  What makes Doki particularly interesting is its dynamic behavior regarding how it connects to its command and control (C2) infrastructure.
As opposed to relying on a particular domain or set of malicious IPs, Doki uses dynamic DNS services like DynDNS. Combined with a unique blockchain-based Domain Generation Algorithm (DGA), it can generate and locate the address of its C2 server in real-time and "phone home.""
More details here:
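The excerpt's point is that the implant carries no fixed domain or IP: it derives a dynamic-DNS hostname from a value it reads off a public blockchain, so the operator moves the C2 just by writing a new value to the ledger. The following is an added illustration of that shape of DGA, not Doki's actual algorithm or code: the hash-and-truncate derivation, the `.ddns.net` suffix and the ledger contents are assumptions chosen for this example, and the ledger is a constructed in-memory list rather than a live blockchain query. It shows both sides, the implant's lookup and the defender's precomputation once the derivation and the watched wallet are known from a sample.

```python
"""Blockchain-seeded DGA, illustrated from both sides.

Added example (not Doki's code). Assumptions: the label is the first
LABEL_LEN hex chars of SHA-256 over a ledger value; the suffix is a
dynamic-DNS domain; CONSTRUCTED_LEDGER stands in for the public
transaction history of an attacker-controlled wallet, oldest first.
"""
import hashlib

DDNS_SUFFIX = ".ddns.net"  # assumed dynamic-DNS suffix for this illustration
LABEL_LEN = 12

# Constructed stand-in for a public ledger: amounts of successive transactions
# from the watched wallet. A real implant would fetch these from a block
# explorer; here they are embedded so the example runs offline.
CONSTRUCTED_LEDGER = ["0.00000001", "0.00000002", "0.00000005"]


def c2_label(seed: str) -> str:
    """DNS label derived from one ledger value: hex(SHA-256(seed))[:LABEL_LEN]."""
    return hashlib.sha256(seed.encode("utf-8")).hexdigest()[:LABEL_LEN]


def current_c2_host(ledger) -> str:
    """Implant side: the host to resolve right now, seeded by the newest tx."""
    return c2_label(ledger[-1]) + DDNS_SUFFIX


def attacker_rotate(ledger, new_amount: str) -> str:
    """Operator side: append a tx and the deployed implants follow, unchanged."""
    ledger.append(new_amount)
    return current_c2_host(ledger)


def all_historic_c2_hosts(ledger):
    """Defender side: every host this derivation has produced for the wallet."""
    return [c2_label(value) + DDNS_SUFFIX for value in ledger]


def is_dga_host(hostname: str, ledger) -> bool:
    """Detection: does a queried hostname match the DGA output for this wallet?"""
    return hostname.lower().rstrip(".") in set(all_historic_c2_hosts(ledger))


def looks_like_hex_label(hostname: str) -> bool:
    """Weaker heuristic for when the wallet is unknown: fixed-length hex label
    directly under the dynamic-DNS suffix."""
    host = hostname.lower().rstrip(".")
    if not host.endswith(DDNS_SUFFIX):
        return False
    label = host[: -len(DDNS_SUFFIX)]
    return len(label) == LABEL_LEN and all(c in "0123456789abcdef" for c in label)


if __name__ == "__main__":
    ledger = list(CONSTRUCTED_LEDGER)
    print("implant resolves :", current_c2_host(ledger))
    print("after rotation   :", attacker_rotate(ledger, "0.00000009"))
    print("defender blocklist:", all_historic_c2_hosts(ledger))
```

Two practical notes follow from the code. The precise blocklist (`all_historic_c2_hosts`) only exists once reverse engineering has recovered the derivation and the wallet to watch; until then the hostname is an ordinary-looking dynamic-DNS subdomain, so the only signal is the shape heuristic in `looks_like_hex_label`, which will also hit benign hosts and belongs in a hunt query rather than an automatic block. And because the operator rotates by appending to a public ledger, the defender can poll the same ledger and stay current without waiting for a new sample.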

Newly Found Secure Boot Bypass Places Many Devices at Risk

"Billions of Devices Impacted by Secure Boot Bypass" via Tara Seals | ThreatPost
"Billions of Windows and Linux devices are vulnerable to cyberattacks stemming from a bug in the GRUB2 bootloader, researchers are warning. GRUB2 (which stands for the GRand Unified Bootloader version 2) is the default bootloader for the majority of computing systems. Its job is to manage part of the start-up process – it either presents a menu and awaits user input, or automatically transfers control to an operating system kernel. Secure Boot is an industry standard that ensures that a device boots using only trusted software. When a computer starts, the firmware checks the signatures of UEFI firmware drivers, EFI applications and the operating system. If the signatures are valid, the computer boots, and the firmware gives control to the operating system. According to Eclypsium researchers, the bug tracked as CVE-2020-10713 could allow attackers to get around these protections and …

Credential Theft on The Rise

"Nation State Attackers Shift to Credential Theft" via Infosecurity:

"A greater focus is being placed on credential theft by nation state actors rather than stealing money.

Speaking on a virtual briefing, Jens Monrad, head of Mandiant Threat Intelligence for EMEA at FireEye, focused on attacks from Russia, Iran and China and their various activities. Monrad said attacks are easily done because of the user's common digital footprint, which can allow an attacker to pick up on items about the victim and use them in a social engineering scenario.

He explained that the biggest detection of malware seen by FireEye customers is focusing on stealing credentials and stealing information "and that makes sense as regardless of your motivation, if you can steal or buy stolen credentials, you will make less noise in your operation.""

More details here:


TikTok Disabling Component on APPLE iOS

"TikTok To Stop Clipboard Snooping After Apple Privacy Feature Exposes Behavior" via Threatpost | by Elizabeth Montalbano
"App will stop reading users' device cut-and-paste data after a new banner alert in an Apple update uncovered the activity. A new privacy feature in Apple iOS 14 sheds light on TikTok's practice of reading iPhone users' cut-and-paste data, even though the company said in March it would stop. Apple added a new banner alert to iOS 14 that lets users know if a mobile app is pasting from the clipboard and thus able to read a user's cut-and-paste data. The alert is the result of an investigation by German software engineer Tommy Mysk in February, which discovered that any cut-and-paste data temporarily stored to an iPhone or iPad's memory can be accessed by all apps installed on the specific device, even malicious ones."
More detail:…