
TrickBot Silently Targets Servers

Knowing that many domain controller servers are rarely shut down
or rebooted, the authors of TrickBot
have made some changes to allow the infection to run from memory. While this
can be detrimental to the payload, as a reboot could easily remove it, the
stealth approach could let the infection cause major havoc on systems that
aren’t routinely restarted. Though TrickBot is normally dropped as a secondary
infection from Emotet, it’s taken this new stealth approach to move across
networks more easily.

Steganography Makes Leaps into Industrial Cyberattacks

Researchers have been following a new trend of incorporating
multiple levels of steganography into cyberattacks focused mainly on
large industries. The attacks are tailored to each victim: a language
localization script executes only if the local OS is in the right language,
and macros launch hidden malicious PowerShell scripts that require no
additional input. When executed, the scripts communicate with imgur.com or
other image hosting sites to grab pictures with malicious code hidden in the
pixels, which eventually drops an encrypting payload.

Flaw in Apple Sign-in Nets Bounty Hunter $100,000

An authentication flaw has been discovered within the Apple sign-in feature for third-party sites that could
allow an attacker to forge fake accounts if the victim hadn’t chosen to be
identified by their own email address. If a victim chooses not to do so, Apple creates
a unique email ID that is used to create a JSON web token (JWT) to sign in the
user. This could easily be forged alongside the email ID to gain unlimited
access to any account. The researcher who found the bug and reported it to the
Apple Security Bounty Program was rewarded with $100,000.

Ransomware Authors Begin Data Auction

The authors behind several prominent ransomware campaigns,
including Sodinokibi and REvil, have begun an auction
for stolen data on their dark web site. Currently, there are two auctions
active on the site, one with data belonging to an unnamed food distributor and
the other with accounting and financial information for an unnamed crop
production company from Canada. The auctions have starting prices of $55,000, along
with fees to be paid in Monero cryptocurrency because of its anonymity and ease
of direct payment from victims.

San Francisco Employee Retirement Database Compromised

A vendor conducting a test on a database belonging to the
San Francisco Employee Retirement Systems (SFERS)
recently noticed some unauthorized access to the database containing records on
74,000 members. Though the database didn’t contain Social Security Numbers, it did
contain a trove of personally identifiable information including names,
addresses, and birthdates. Fortunately, the database was using old data for the
test and had nothing newer than 2018. Nevertheless, SFERS officials are offering
credit and identity monitoring services for affected victims.

The post Cyber News Rundown: Trickbot Silently Targets Servers appeared first on Webroot Blog.