CyberWire Daily - NotLockBit takes a bite out of macOS.

Episode Date: October 23, 2024

NotLockBit mimics its namesake while targeting macOS. Symantec uncovers popular mobile apps with hardcoded credentials. Avast releases a Mallox ransomware decryptor. Akira ransomware reverts to tactics tried and true. Lawmakers ask the DOJ to prosecute tax prep firms for privacy violations. The SEC levies fines for misleading disclosures following the SolarWinds breach. Software liability remains a sticky issue. Updated guidance reiterates the feds’ commitment to the Traffic Light Protocol. A task force has cybersecurity recommendations for the next U.S. president. Today’s guest is Jérôme Segura, Sr. Director of Research at Malwarebytes, sharing their work on "Scammers advertise fake AppleCare+ service via GitHub repos." Warrantless surveillance, powered by your favorite apps.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
You can learn more about this research here.
Selected Reading
NotLockBit Ransomware Can Target macOS Devices (SecurityWeek)
Millions of iOS and Android Users at Risk as Popular Apps Expose Cloud Keys (Hackread)
Mallox Ransomware Flaw Let Victims Recover Files Without Ransom Payment (Cyber Security News)
Akira ransomware pivots back to double extortion, C++ code (SC Media)
Lawmakers ask DOJ to prosecute tax prep firms for sharing customer data with big tech (The Record)
SEC fines four companies $7M for 'misleading cyber disclosures' regarding SolarWinds hack (TechCrunch)
The struggle for software liability: Inside a ‘very, very, very hard problem’ (The Record)
US Government Pledges to Cyber Threat Sharing Via TLP Protocol (Infosecurity Magazine)
Task force unveils cyber recommendations for the next president (CyberScoop)
The Global Surveillance Free-for-All in Mobile Ad Data (Krebs on Security)

Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show.

Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here’s our media kit. Contact us at cyberwire@n2k.com to request more info.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. NotLockBit mimics its namesake while targeting macOS. Symantec uncovers popular mobile apps with hard-coded credentials. Avast releases a Mallox ransomware decryptor. Akira ransomware reverts to tactics tried and true.
Starting point is 00:02:17 Lawmakers ask the DOJ to prosecute tax prep firms for privacy violations. The SEC levies fines for misleading disclosures following the SolarWinds breach. Software liability remains a sticky issue. Updated guidance reiterates the feds' commitment to the Traffic Light Protocol. A task force has cybersecurity recommendations for the next U.S. president. Today's guest is Jérôme Segura, Senior Director of Research at Malwarebytes, sharing their work on scammers advertising fake AppleCare services via GitHub repos and warrantless surveillance powered by your favorite apps. It's Wednesday, October 23rd, 2024.
Starting point is 00:03:07 I'm Dave Bittner, and this is your CyberWire Intel Briefing. Thanks for joining us here today. Great to have you with us, as always. A new macOS malware dubbed NotLockBit is making headlines for mimicking the notorious LockBit ransomware. Written in Go and targeting both Windows and macOS systems, NotLockBit follows typical ransomware tactics, including data theft,
Starting point is 00:03:53 file encryption, and deleting shadow copies to prevent recovery. It uses RSA encryption, ensuring that only the attacker can decrypt the master key. The malware appends .abcd to encrypted files and drops ransom notes while attempting to display a LockBit 2.0 banner. SentinelOne, which discovered the malware, believes it is still in active development. Trend Micro found that NotLockBit exfiltrates victim data to an Amazon S3 bucket using hard-coded AWS credentials, possibly belonging to the attacker or a compromised account. Though AWS has since suspended the account, SentinelOne warns that more developments from this threat actor are likely.
Starting point is 00:04:34 NotLockBit is the first functional ransomware family to target macOS beyond proof-of-concept samples. Researchers speculate the threat actors are impersonating LockBit to capitalize on name recognition. Symantec has uncovered a significant security flaw in numerous popular iOS and Android apps, exposing potentially millions of users to breaches. The issue arises from developers embedding hard-coded, unencrypted cloud service credentials, such as AWS and Azure keys, directly into app code.
Starting point is 00:05:11 This insecure practice grants attackers unauthorized access to sensitive data and backend infrastructure, leading to potential data exfiltration, service disruptions, and further exploitation. Attackers could leverage these hard-coded keys to access cloud services and manipulate data. Symantec stresses the need for robust security measures, such as using environment variables, secrets management, and encryption of sensitive data. For cybersecurity professionals, this discovery highlights the importance of secure app development practices, regular security audits, and automating code scanning to mitigate risks tied to credential exposure. Researchers at Avast have discovered a flaw in the Mallox ransomware, allowing victims
Starting point is 00:06:00 to recover files without paying a ransom. This flaw, found in versions active through 2023 and early 2024, lets users decrypt files encrypted with extensions like .mallox and .xollam. Although the attackers patched the vulnerability in March of this year, a free decryption tool from Avast is available for those affected by the older versions. Victims are advised to back up files and run the tool with administrative privileges. And a tip of the hat to the team at Avast. Cisco Talos reports that the Akira ransomware group has shifted back to older tactics after experimenting with pure extortion and a Rust-based encryptor called
Starting point is 00:06:46 Akira version 2 throughout early 2024. The new C++ version of Akira, reintroduced in September of this year, targets both Windows and Linux systems using a faster ChaCha8 encryption algorithm for swiftness. Researchers noted that Akira's return to C++ suggests a preference for cross-platform consistency, making their operations more stable. Alongside their retooling, Akira affiliates have exploited several critical vulnerabilities, such as SonicWall's SonicOS RCE flaw
Starting point is 00:07:23 and Fortinet's SQL injection flaw to gain initial access. For post-intrusion activity, vulnerabilities like Cisco's ASA and VMware's ESXi authentication bypass flaw have been used for privilege escalation and persistence. In a June 2024 attack on a Latin American airline, the group exploited a Veeam backup flaw to steal credentials and maintain access. Talos researchers highlight Akira's adaptability, emphasizing its use of refined ransomware techniques and the proactive selection of new vulnerabilities for initial access and lateral movement. Democratic lawmakers are calling on the Department of Justice to prosecute major tax preparation firms
Starting point is 00:08:10 for allegedly sharing customers' sensitive financial data with Google and Meta without proper consent. A recent Treasury Department audit found that these firms, identified by a congressional investigation as TaxSlayer, H&R Block, TaxAct, and Ramsey Solutions, illegally shared tax data, including income and refund details, with the tech companies. The lawmakers, including Senators Elizabeth Warren and Richard Blumenthal, argue that accountability is crucial, noting potential billions in liability and criminal charges. Penalties could include $1,000 per violation and up to a year in prison.
Starting point is 00:08:52 This follows a 2022 report by The Markup, which first uncovered these violations, and an FTC warning to tax firms about securing customer consent before sharing data. H&R Block is also facing a RICO lawsuit for its actions. Lawmakers emphasize the urgency for the DOJ to prioritize enforcement against corporate misconduct, aligning with the agency's commitment to targeting white-collar crime. The SEC has fined four companies, Check Point, Mimecast, Unisys, and Avaya, for misleading disclosures related to the 2019 SolarWinds breach, which affected various companies and government agencies. The fines range from $990,000 to $4 million, minor amounts for companies of their size. Each company allegedly downplayed the severity of their respective breaches. For example, Mimecast and Avaya
Starting point is 00:09:53 failed to disclose the full extent of stolen data, while Check Point issued generic statements about cyber risks. All companies cooperated with the investigation, settling without admitting or denying fault. Despite the penalties, which serve as a warning, the amounts imposed are seen as relatively insignificant given the scale of the firms involved, a slap on the wrist at best. The SEC continues to push for stronger regulations around breach disclosure to ensure better transparency and accountability. Six years after the Cyberspace Solarium Commission proposed holding software companies accountable for security flaws, this recommendation remains unfulfilled. The push for
Starting point is 00:10:39 software liability emerged due to repeated cyberattacks, the SolarWinds and CrowdStrike breaches, which demonstrated the risks of poorly written code. While the majority of the Commission's recommendations have been implemented, liability remains a thorny issue. Policymakers and experts agree that it is essential for companies to take responsibility when their software causes harm. However, designing a framework for liability is challenging due to legal and technical complexities. Writing for The Record, Eric Geller reports that one key challenge is defining a standard of care for software security. The fast pace of technological change makes it difficult to set clear guidelines, and there's debate over
Starting point is 00:11:25 whether liability should be regulated through lawsuits or by government standards. Additionally, software vendors have long been shielded from liability, with industry contracts typically disclaiming responsibility. The tech industry argues that liability would stifle innovation, increase costs, and distract companies from improving security. Despite this resistance, advocates argue that companies need to be held accountable for vulnerabilities, just like automakers are for defective cars. The Biden administration has expressed interest in pursuing software liability, but progress has been slow. Meanwhile, tech leaders emphasize market-driven
Starting point is 00:12:07 solutions, claiming that businesses already prioritize security to maintain customer trust. The Traffic Light Protocol, or TLP, is a system used to classify and control the sharing of sensitive information. It defines four color-coded categories that indicate how information should be distributed. TLP Red is when information is highly sensitive and should only be shared with specific individuals. Amber is when information can be shared with an organization or with trusted parties, but not publicly. Green is when information can be shared with a wider community, but not on public platforms. And white is when information can be freely shared without
Starting point is 00:12:51 restrictions. The U.S. federal government has reiterated its commitment to improving cyber threat information sharing with the cybersecurity community using the Traffic Light Protocol. This protocol, widely accepted globally, designates information handling permissions to build trust and ensure secure data sharing. The updated guidance clarifies the government's approach to working with security researchers, stressing confidentiality when sharing threat data. National Cyber Director Harry Coker emphasized the importance of information sharing, calling it the lifeblood of cybersecurity, and highlighted the government's dedication to listening, learning, and fostering partnerships with the private sector. A task force of cyber experts from Auburn University's McCrary Institute and the Cyberspace Solarium Commission 2.0 has urged the next U.S. president
Starting point is 00:13:46 to address key cybersecurity issues. Their report, titled Securing America's Digital Future, emphasizes immediate priorities such as reconciling conflicting regulations, deterring cyber attacks, tackling the workforce shortage, and safeguarding critical infrastructure. Additionally, the report recommends strengthening federal cyber agencies, developing offensive strategies, creating a national cybersecurity curriculum, and expanding budgets for infrastructure protection. Collaboration with Congress is also advised to improve technical expertise and drive policy changes. Coming up after the break, my conversation with Jerome Segura,
Starting point is 00:14:37 Senior Director of Research at Malwarebytes. We're sharing their work on scammers advertising fake AppleCare Plus service via GitHub repos. Stay with us. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this.
Starting point is 00:15:18 More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting,
Starting point is 00:15:40 and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform
Starting point is 00:16:24 secures their personal devices, home networks, and connected lives. and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io. Jérôme Segura is Senior Director of Research at Malwarebytes. I recently caught up with him to discuss their research, Scammers Advertise Fake AppleCare Plus Service via GitHub Repos. I continue to investigate malvertising, so the use of malicious ads to push scams, to push malware. And in particular, I focus on ads that appear on search engines because they are one of the first stops for a lot of people that are looking for help, that are looking to download something. They'll turn to a search engine and visit a trend that's been about brand impersonation for a while. And while I was looking at specific programs that users download, I kind of wanted to go
Starting point is 00:17:51 back to the basics a little bit and look at typical problems that users may encounter. There's really no bigger brand than Microsoft or Apple. And so I was a little shocked, to say the least, that when I discovered how many ads were being bought out by scammers in general, criminals, targeting Apple, targeting Microsoft, and how difficult it is for regular people to navigate this kind of dangerous world. So I really wanted to focus on, I guess, the experience that users encounter both on desktop but also on mobile, because I think that's one of the things we don't talk maybe as much,
Starting point is 00:18:44 but a lot of people nowadays will use their mobile device, their phone or their tablet to look something up. And I kind of wanted to see what does it look like if you're going to get scammed using a phone compared to the desktop experience. And yeah, it was an interesting discovery for me to see how much is being targeted here and also to give tips to users in general. Yeah, it really is striking here when I read through your research just how kind of blatant
Starting point is 00:19:18 this is. I don't want to say shocking because I guess nothing I find online shocks me anymore. But can you walk us through what's going on here? I mean, how are these bad guys going about their business? Well, they are purchasing ads and a large number of them. They're either using new advertiser accounts or in in some cases, they're using compromised advertiser accounts. And one particular thing they're after is customer service. So anything to do with customer service, customer support, phone number, live chat. These are things that people will search for.
Starting point is 00:20:04 And their goal is to be right there at the top of any search before official numbers. And the reality is that with advertisements, they tend to appear first. They tend to be shown quite permanently on the screen. And most people won't really look twice if what they see is legit or not. So in my research, what I found is if you were to do a Google search for Apple customer service or customer support,
Starting point is 00:20:44 or live chat, speak to an agent, anything like that, your chances of seeing a malicious ad were pretty high. The ad is really just the hook to get you to do an action. And I think one of the things that's really interesting with scams is they are initiated by the victims themselves. It's not like they're receiving a phone call from Apple. They're the ones who want help. So they're more likely to actually make a call, reach out to people that they don't know, and that's kind of what makes them an easy prey. And what makes this particularly bad for folks who are using mobile devices?
Starting point is 00:21:29 Yeah, I'm glad you bring that up because I think that's one of the things that is worth talking about in that on a mobile device, your experience obviously is quite different. Your screen size is different. And also the mobile device is kind of one and the same thing as your communication device for being in touch all at the same time. So one of the things is when you click on an ad, it would show up a page in full screen. And again, even if you were to see the address bar, you will only see part of it, which for a lot of people would be deceiving. And in that particular instance, the criminals were using GitHub to host pages that had this code,
Starting point is 00:22:22 these fake Apple customer service pages. And they had a simple piece of code that would automatically show up the call button. So it did not auto dial, thankfully. It was that close. Yeah, right. What a world. Yeah, I mean, it's really striking here.
Starting point is 00:22:48 The other thing that really hits me is how poor a job Google does in tamping these things down. I mean, they're so easy for the skilled hacker to hide what they're doing and so blatant and widespread. It really is disappointing and discouraging that Google either doesn't seem to be able to or isn't interested in doing better about blocking these things. Yeah, absolutely. And I think, you know, to some degree,
Starting point is 00:23:30 there will always be bad actors that abuse the system. And, you know, for me, I accept that and I would tolerate that. But what I saw was completely different. What I saw was dozens of malicious actors and constant ads. At any time of the day, I could do a search and be guaranteed to see a malicious ad. And I would go further in that comparing Google to Microsoft, overall, I find that Microsoft does a better job at handling this type of fraud in that the Bing search engine, at least, they make an effort
Starting point is 00:24:09 to show the top, at least, you know, at the top of the page to show you the official site or the official phone number for whatever you're searching for. They're willing to make the sacrifice to have people not see an ad, not click on an ad, for the benefit of the user.
Starting point is 00:24:29 What I see on Google is the ads are more important, and that is not to the benefit of consumers out there. They will guarantee, that's going to make them click on something malicious. So that's kind of where I draw the line. Not only is there a problem in how much bad activity there is, there doesn't seem to be any safeguards to at least protect users to some degree.
Starting point is 00:25:04 Yeah. Is this the kind of thing that your browser ad blocker, is it all helpful with? So yeah, an ad blocker, and also by extension, I would say, any browser kind of security plugin would help you there. It is a little bit different on the mobile,
Starting point is 00:25:31 on mobile devices, just because of, you know, depending on whether you're using an Apple device or an Android device, your experience will be different. So I can't speak, you know, globally, but generally speaking, yes, if you use any sort of ad blocking technology, call blocking applications that has a list of known scam numbers, anything like that would help. Because that's a topic to me that comes quite often, but people should really look what they're clicking on,
Starting point is 00:26:04 or people should really do this and that. And, you know, when I hear that, I'm like, well, yeah, but you can't blame users, you know. If there's anything to blame here, you know, it's the people that allow this to happen. And there doesn't seem to be any, you know, limit to the imagination and creativity that these scammers can show in, you know, impersonating brands. So while it's important to educate users
Starting point is 00:26:33 and tell them, you know, to be on the lookout for such threats, you've got to provide them with, you know, with tools that will help them as they go online. You can't just, you know, expect people to always make the right choice. Our thanks to Jérôme Segura from Malwarebytes for joining us. We will have a link to the research in our show notes. fault-deny approach can keep your company safe and compliant. And finally, in a detailed investigation by Brian Krebs, a lawsuit filed under New Jersey's Daniel's Law highlights the alarming use of mobile location data by commercial services,
Starting point is 00:28:09 making it possible for nearly anyone to track individuals' daily movements. The case involves Atlas Data Privacy Corporation, which is suing 151 data brokers for allegedly violating Daniel's Law by selling the personal information of over 20,000 New Jersey law enforcement officers, government personnel, and their families. This law, passed after the tragic murder of Daniel Anderl, the son of a federal judge, is meant to safeguard such individuals' private information. At the center of this legal battle is Babel Street's LocateX platform, a tool that allows users to track mobile devices based on their location data. Atlas alleges that Babel Street's technology enables detailed tracking of devices at sensitive locations, such as mosques,
Starting point is 00:29:00 abortion clinics, and courthouses. Atlas even demonstrated how its private investigator used a free trial of the platform to track the movements of police officers, uncovering addresses and personal routines. The broader implications of this lawsuit reveal that modern advertising data collected by mobile apps and websites creates a troubling privacy risk. The sale of mobile advertising IDs or MAIDs, originally intended to anonymize user tracking, has allowed for widespread surveillance capabilities, enabling not only governments but private individuals to follow people's movements in near real time. I cannot help wondering if one way to move the needle on this kind of rampant tracking
Starting point is 00:29:47 could be for some gadfly, someone like comedian John Oliver perhaps, to legally purchase this kind of data and start publishing the routine comings and goings of members of Congress. And that's The Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app.
Starting point is 00:30:29 Please also fill out the survey in the show notes or send an email to cyberwire at n2k.com. We're privileged that N2K Cyber Wire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies. N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams while making your teams smarter. Learn how at n2k.com. This episode was produced by Liz Stokes. Our mixer is Trey Hester with original music and sound design by Elliot Peltzman. Our executive producer is Jennifer Iben.
Starting point is 00:31:09 Our executive editor is Brandon Karp. Simone Petrella is our president. Peter Kilby is our publisher. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Your business needs AI solutions and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy.
Starting point is 00:32:18 Learn more at ai.domo.com. That's ai.domo.com.
