My Weekly Roundup #140
Rewriting Romance Victim History: Common Truths and Falsehoods Told by Society
Over the years I have worked with many people who track romance scams. I’ve spoken to analysts, psychologists, police officers, federal law enforcement, and most painfully: the victims. As an observer of many of these efforts, I have seen that friends and family are normally the first to notice changes in the victim.
Iranian-linked conglomerate MuddyWater comprised of regionally focused subgroups
By Asheer Malhotra, Vitor Ventura and Arnaud Zobec. Talos disclosed a MuddyWater campaign in January targeting Turkish entities that leveraged maldocs and executable-based infection chains to deliver multistage, PowerShell-based downloader malware.
Russia creates its own TLS certificate authority to bypass sanctions
Russia has created its own trusted TLS certificate authority (CA) to solve the website access problems that have been piling up since sanctions prevented certificate renewals.
Since its reemergence on Nov. 14, 2021, Black Lotus Labs has once again been tracking Emotet, one of the world’s most prolific malware distribution families which previously infected more than 1.
Very very lazy Lazyscripter’s scripts: double compromise in a single obfuscation
In July of 2021, we identified an infection campaign targeting important European entities. During this investigation we identified the threat actor behind these attacks as LazyScripter, an emerging APT group pointed out by Malwarebytes in February 2021.
New Nokoyawa Ransomware Possibly Related to Hive
Hive, which is one of the more notable ransomware families of 2021, made waves in the latter half of the year after breaching over 300 organizations in just four months — allowing the group to earn what could potentially be millions of US dollars in profit.
The Dirty Pipe Vulnerability
This is the story of CVE-2022-0847, a vulnerability in the Linux kernel since 5.8 which allows overwriting data in arbitrary read-only files. This leads to privilege escalation because unprivileged processes can inject code into root processes.
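A quick triage helper for the item above, added here as an example and not taken from the Dirty Pipe write-up itself: it parses a `uname -r` style release string and says whether the kernel falls in the affected range. The upstream stable releases that shipped the fix (5.16.11, 5.15.25, 5.10.102, and mainline 5.17) are my own recollection, not something the page states, and a version-string check is only a heuristic: distributions backport fixes without bumping the upstream version, so "vulnerable" below means "verify with your distro's advisory", not "exploitable".

```python
import platform
import re

# CVE-2022-0847 (Dirty Pipe) affects Linux 5.8 and later (as the page states).
# The fix versions below are an assumption from the author's recollection of
# the stable releases that shipped the fix; confirm against vendor advisories.
FIRST_AFFECTED = (5, 8, 0)
FIXED_STABLE = {
    (5, 16): (5, 16, 11),
    (5, 15): (5, 15, 25),
    (5, 10): (5, 10, 102),
}
FIXED_MAINLINE = (5, 17, 0)  # 5.17 final and later carry the fix


def parse_kernel_release(release: str) -> tuple:
    """Turn '5.10.0-13-amd64' into (5, 10, 0); missing patch level counts as 0."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", release.strip())
    if not m:
        raise ValueError(f"unrecognised kernel release string: {release!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def dirty_pipe_status(release: str) -> str:
    """Classify a kernel release string against the Dirty Pipe affected range.

    Heuristic only: release candidates (e.g. '5.17.0-rc4') are treated as
    their final version, and distro backports are invisible to this check.
    """
    v = parse_kernel_release(release)
    if v < FIRST_AFFECTED:
        return "not affected"
    if v >= FIXED_MAINLINE:
        return "fixed"
    fix = FIXED_STABLE.get(v[:2])
    if fix is None:
        # 5.8, 5.9, 5.11-5.14: branches that were end-of-life when the fix landed
        return "vulnerable (EOL branch, no upstream stable fix)"
    if v >= fix:
        return "fixed"
    return "vulnerable (unless your distro backported the fix)"


if __name__ == "__main__":
    # Constructed sample release strings, followed by the running host's own.
    samples = ["5.4.0-100-generic", "5.10.0-13-amd64", "5.10.102-1",
               "5.13.0-30-generic", "5.16.11-arch1-1", "5.17.0-rc6"]
    for s in samples:
        print(f"{s:22} -> {dirty_pipe_status(s)}")
    if platform.system() == "Linux":
        print(f"this host ({platform.release()}) -> "
              f"{dirty_pipe_status(platform.release())}")
```

Run it on a fleet inventory of `uname -r` values to find the hosts that need a closer look; for the final answer on a given distribution kernel, check the vendor's advisory for CVE-2022-0847 rather than trusting the version number alone.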
CVE-2022-26143: TP240PhoneHome Reflection/Amplification DDoS Attack Vector
A new reflection/amplification distributed denial of service (DDoS) vector with a record-breaking potential amplification ratio of 4,294,967,296:1 has been abused by attackers in the wild to launch multiple high-impact DDoS attacks.
New RURansom Wiper Targets Russia
Other versions also attempt to start the process with elevated privileges. These different versions and modifications might indicate that the malware was still undergoing development at the time of writing.
Leaked stolen Nvidia cert can sign Windows malware
An Nvidia code-signing certificate was among the mountain of files stolen and leaked online by criminals who ransacked the GPU giant’s internal systems.
Real-World Onion Sites
This is a list of substantial, commercial-or-social-good mainstream websites which provide onion services. You can find technical details and the legend/key for symbols in the footnotes section, below.
Facial recognition: Italian SA fines Clearview AI €20 million; Bans use of biometric data and monitoring of Italian data subjects
The Italian SA (Garante per la protezione dei dati personali) fined the US-based company Clearview AI EUR 20 million after finding that it had applied what amounted to biometric monitoring techniques to individuals in Italian territory as well.
Twitter launches Tor website to tackle Russian censorship
Twitter is now accessible over the Tor network, allowing users in countries that banned it to continue accessing the social network’s site. The new onion URL was announced today by security engineer Alec Muffett, who said that Twitter can now be accessed worldwide via the Tor browser.
Russia’s social media ban followed by a spike in demand for VPNs
Obviously, this is not just a privacy issue at this point but also about being able to access sites and information that Russia is trying to shut down, but given Moscow police have also allegedly been seizing phones to read text messages, it would not be surprising for Russia to really start monitor