Telcos targeted by Chinese attackers
Researchers at McAfee report that a hacking group known as Mustang Panda and RedDelta, known to operate out of China, has targeted at least 23 telcos across Southeast Asia, Europe and the United States since August 2020. Initial vectors for attacks are still unknown, but the campaign appears to direct employees at the telcos to a malicious phishing domain, where the Cobalt Strike backdoor is installed. It’s believed the attackers are attempting to steal sensitive information around 5G technology. The phishing site appears as a Huawei career site, but the researchers were clear that Huawei was not associated with the campaign.
(ZDNet)
Mimecast source code stolen by SolarWinds attackers
The email security company confirmed that attackers exploiting the supply-chain attack on SolarWinds’ Orion platform downloaded source code from a limited number of repositories. In addition, the threat actors were able to obtain Mimecast-issued certificates and related customer server connection information, a subset of email addresses, as well as hashed and salted credentials. Mimecast said it did not believe any production software was impacted, and that the source code stolen was insufficient to develop a working version. Mimecast already reset all stolen credentials, impacting roughly 10% of its customers.
Hiding data in Twitter images
Programmer David Buchanan demonstrated that it was possible to store up to 3MB of data in an image posted to Twitter, demonstrating with MP3 files as well as a Zip archive containing PNGs. Previewing the files showed the image as normal, but all that was required to access the underlying data was to change the file extension after download. Ordinarily, Twitter compresses image files at upload. However, Buchanan found that data appended after the end of the PNG's DEFLATE stream was not removed by Twitter's processing. We reported yesterday on cybercriminals storing stolen credit card info in a JPG file, so the security implications aren't hard to imagine.
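The following is an added example, not Buchanan's code: a small PNG chunk walker that flags the two places an image can carry extra bytes, namely after the zlib/DEFLATE stream inside the IDAT data (the case described above) and after the IEND chunk. The `sample_png` helper constructs a 1x1 fixture so the check runs offline; the payload it embeds is constructed test data.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def chunk(ctype, data):
    """Encode one PNG chunk: 4-byte length, 4-byte type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def parse_chunks(png):
    """Return ([(type, data), ...], offset just past IEND). Stops at IEND."""
    if png[:8] != PNG_SIG:
        raise ValueError("not a PNG")
    chunks, pos = [], 8
    while pos + 8 <= len(png):
        length, ctype = struct.unpack(">I4s", png[pos:pos + 8])
        chunks.append((ctype, png[pos + 8:pos + 8 + length]))
        pos += 12 + length  # length + type + data + CRC
        if ctype == b"IEND":
            break
    return chunks, pos


def hidden_payloads(png):
    """Bytes a viewer never renders: after the DEFLATE stream in IDAT, and after IEND."""
    chunks, end = parse_chunks(png)
    idat = b"".join(d for t, d in chunks if t == b"IDAT")
    dec = zlib.decompressobj()
    dec.decompress(idat)  # decoder stops at the zlib stream end (adler32 trailer)
    return {"after_deflate": dec.unused_data, "after_iend": png[end:]}


def sample_png(payload=b""):
    """Construct a minimal 1x1 RGB PNG; `payload` is placed inside IDAT after the
    zlib stream, reproducing the layout the article describes (constructed fixture)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # 1x1, 8-bit, RGB
    raw = b"\x00\xff\x00\x00"  # filter byte 0 + one red pixel
    idat = zlib.compress(raw) + payload
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + chunk(b"IEND", b"")


if __name__ == "__main__":
    print(hidden_payloads(sample_png(b"constructed-hidden-bytes")))
```

Running this over uploaded images as part of a content-scanning pipeline gives a cheap indicator that an otherwise valid PNG is carrying a hidden appendix.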
Google antitrust lawsuit looks at Privacy Sandbox
A group of 15 attorneys general, led by Texas, filed an antitrust lawsuit against Google in December, saying Google used its "monopolistic power to control pricing" with its adtech policies. An updated filing targets Google's Privacy Sandbox initiative. The filing now questions whether, given Google's considerable Chrome browser market share, the company's Privacy Sandbox initiative is self-serving. The initiative would follow similar moves by Mozilla and Apple to remove support for third-party cookies, but the lawsuit argues it would require advertisers to use Google as a middleman and further entrench its advertising system.
Thanks to our episode sponsor, Trend Micro

CISA warns of Trickbot campaigns
The agency and the FBI issued a joint warning, noting a rise in recent Trickbot activity. Attackers are using email phishing campaigns to get people to install the Trickbot trojan, with CISA urging organizations to conduct training to identify these attempts, as well as block suspicious IP addresses. Trickbot has been around since 2016 as a banking trojan, and last year a Microsoft-led private industry group attempted to disrupt the Trickbot network, only to have a new version seen in the wild weeks later.
Telemarketers fined for a billion robocalls
The US Federal Communications Commission issued a record $225 million fine against two Texas-based telemarketers, Rising Eagle and JSquared Telecom, for being responsible for roughly 1 billion robocalls to falsely sell short-term health insurance plans. The FCC also said the companies were tied to scams involving IRS imposter calls, calls that pretend to be from Apple, false COVID-hardship programs, and fictional refunds from Amazon. The FCC also announced the formation of a “Robocall Response Team” to better coordinate efforts to reduce robocalls.
(CNBC)
Dropbox Password manager comes to free users
The company will open its Dropbox Password manager to free Dropbox Basic accounts in April, although this will be limited to 50 passwords. Free users will be able to sync passwords across three devices, with access through browser extensions, desktop and mobile apps. The service was first introduced to paid accounts last year, and allows for unlimited syncing and storage of passwords.
Firm offers global vehicle surveillance service
The surveillance contractor Ulysses Group claims to offer access to over 15 billion vehicle locations around the world every month, able to remotely locate vehicles in real time in virtually any country outside of North Korea and Cuba. Ulysses does this using vehicle telematics data sent by embedded systems. This data usually goes to the vehicle maker or OEMs, but aggregator companies can also purchase, repackage, and resell it. The company has not sold the service to the US government, although it has sold other surveillance solutions to the U.S. Special Operations Command. Senator Ron Wyden said his office is investigating the company as part of a larger investigation into data brokers.
(Vice)