Security Bits — 26 November 2023

Feedback & Followups

• The recent wave of malicious Google ads targeting software downloads continues, this time it’s malicious versions of the popular Secure FTP client WinSCP — thehackernews.com/…

❗ Action Alerts

• Microsoft November 2023 Patch Tuesday fixes 5 zero-days, 58 flaws — www.bleepingcomputer.com/…
• A timely reminder to keep all WordPress plugins patched (you can enable automatic updates!): WP Fastest Cache plugin bug exposes 600K WordPress sites to attacks — www.bleepingcomputer.com/…

Worthy Warnings

• Welltok data breach exposes data of 8.5 million US patients — www.bleepingcomputer.com/… (a Software-as-a-Service vendor in the healthcare sector, and the leaked data includes SSNs, insurance details, and health information)
• A timely reminder that the holiday seasons now come with a spike in shipping-themed malware & phishing: Alert: New WailingCrab Malware Loader Spreading via Shipping-Themed Emails — thehackernews.com/…
• A timely reminder that even sophisticated attackers are still successfully attacking targets with malicious USB sticks: Russian Cyber Espionage Group Deploys LitterDrifter USB Worm in Targeted Attacks — thehackernews.com/… (this campaign is mostly targeting Ukrainian organisations, but the tactic can work against anyone)
• A reminder never to install software that offers to install itself that you didn’t expressly go looking for (and that Macs are not immune from malware, especially trojans): Atomic Stealer malware strikes macOS via fake browser updates — www.bleepingcomputer.com/…
• Two timely reminders that Crypto (currency/NFT etc.) remains a security-hell-scape and that no one should ‘invest’ anything into that they can’t afford to lose:
  • Ethereum feature abused to steal $60 million from 99K victims — www.bleepingcomputer.com/…
  • Randstorm Exploit: Bitcoin Wallets Created b/w 2011-2015 Vulnerable to Hacking — thehackernews.com/…

Notable News

• Thankfully, Nothing’s catastrophically insecure iMessage bridge was very short-lived — appleinsider.com/… (users had to give the service their actual Apple ID username and password, and Nothing’s service was not properly encrypted)
• Intel have released microcode patches for another CPU vulnerability (dubbed Reptar), but for once it’s not related to speculative execution! However, like the many speculative execution bugs in recent years, the bug is critical for cloud providers, but not a major concern for home users — thehackernews.com/… & www.bleepingcomputer.com/…
• A security audit funded by Microsoft found hardware implementation problems with the three most common fingerprint sensors used for Windows Hello — www.bleepingcomputer.com/… & thehackernews.com/…
  • Used on some Microsoft Surface devices, Dell laptops, and Lenovo ThinkPads!
  • The attacks are not trivial, so regular users are unlikely to be targeted, but vulnerable users and high-value targets should re-evaluate their use of Windows Hello for now
  • Researchers have given hardware vendors concrete guidance for better securing future products
  • Related News: Microsoft launches Defender Bounty Program with $20,000 rewards — www.bleepingcomputer.com/… (Bugs in AV software are particularly dangerous, so this is good to see)
• The ALPHV AKA BlackCat ransomeware gang have taken extortion up a notch by lodging US SEC complaints against victims who didn’t pay up and didn’t report their breach as required by law — www.bleepingcomputer.com/… (This adds a third layer of extortion for companies in industries with mandatory reporting rules in place — “pay us or you’ll never get your stuff back”, “pay us or we’ll publish you stuff”, and now “pay us or we’ll report you to your regulator”)

• A letter from Senator Wyden obtained by WIRED reveals the existence of a massive, probably illegal, formerly un-known and classified surveillance program named DAS which allows low-level US law enforcement access the phone records of US citizens — www.wired.com/…
• The US Federal Communications Commission had adopted new rules requiring carriers to enforce stricter verifications before making SIM changes — bleepingcomputer.com/… & thehackernews.com/… (An attempt to make SIM-swapping & SIM-porting attacks more difficult)

• Some notable wins by law enforcement:

  • Police in Malaysia with help from Australian & American law enforcement have dismantled the BulletProofLink Phishing-as-a-Service organisation and arrested its operators. The service had been active since 2015 and was offering cutting-edge services like AiTM (Adversary in The Middle) session token stealing to bypass MFA/2FA — thehackernews.com/…
  • The FBI dismantled the IPStorm botnet proxy service which sold cybercriminals the ability to route their malicious traffic through compromised domestic IP addresses to make it much harder to detect and block — www.bleepingcomputer.com/…
• Stick a pin in it, 2024 will be the year Google eliminate 3rd-party cookies in Chrome, starting with a very small trial (1% of users) in January — www.bleepingcomputer.com/…

Excellent Explainers

• Upcoming Contact Key Verification Feature Promises Secure Identity Verification for iMessage — tidbits.com/… (Another optional extra security feature for at-risk and high-value-target users)

Palate Cleansers

• A great tip from Bleeping Computer – since iOS 17 the AI in the Photos app detects laundry labels and lets you look up their meaning — www.cultofmac.com/…

  • I tested it, and it works! — mstdn.social/…
• An interesting two-part episode of the wonderful Malicious Life podcast that tells the story of the infamous NSO group — Part 1 & Part 2

Legend

When the textual description of a link is part of the link it is the title of the page being linked to, when the text describing a link is not part of the link it is a description written by Bart.