FFT news digest Aug 19 2022

Connected

The interdependence of distinct services is hardly news but this week saw several examples of the risks this creates.

Secure messaging platform Signal revealed that a breach of Twilio led to the exposure of the phone numbers and SMS registration codes of 1,900 of its users. Twilio provides SMS registration services for Signal, and while attackers had access to Twilio's systems they would have been able to take over a Signal account by re-registering the phone number associated with it. As a result of the breach, Signal says it saw searches for three specific phone numbers and one of the corresponding accounts was hijacked. In Signal's case, this can be prevented by enabling registration lock and the account PIN.

An attack on email marketing platform MailChimp resulted in the exposure of email addresses belonging to users of cloud provider Digital Ocean. According to Digital Ocean, it took MailChimp several days to admit what was actually happening. Initially, MailChimp had said the disruption to its platform was related to a cyberattack targeting cryptocurrency-related users. This is the second such breach of MailChimp's systems in four months.

In a survey by Proofpoint, 58% of respondents said third parties and suppliers had been the target of attacks.
“As organizations adopt cloud infrastructures to support their remote and hybrid work environments, they must not forget that people are the new perimeter,” Proofpoint said. “It’s an organization’s responsibility to properly train and educate employees and stakeholders on how to identify, resist and report attacks before damage is done.”

Threats

Callback: Figures from Agari and PhishLabs underline the growing effort that attackers are putting into their phishing operations. Simple emails aren't as effective as they used to be, so scumbags are combining email and voice calls to trick their victims. The second quarter of this year saw a 625% increase in such attacks compared to the previous three months.

Credentials: Similar research from Abnormal Security found scammers are obsessed with Microsoft credentials. In its survey, LinkedIn was the most impersonated brand.

Viral: Malwarebytes warns that viral content is being used to lure potential victims into clicking on a link that redirects them to a tech support scam.

VNC: Virtual Network Computing is a handy, platform-agnostic tool that allows a computer to be controlled remotely. There's just one problem: it's often insecure. Cyble found more than 9,000 instances that didn't even have a password to protect them.

Zeppelin: US security agencies have warned about the risk of Zeppelin ransomware which they say gains access to networks by exploiting vulnerabilities in SonicWall firewalls or through phishing campaigns.

Extensions: Almost seven million users have tried to install malicious browser extensions since 2020, according to Kaspersky. Most of them mimic productivity tools such as DOC to PDF converters.

North Korea: Job seekers in the aerospace and military sectors have been targeted with malicious software designed to work on Apple Macs. A decoy file has a PDF extension but in fact is an executable file. ESET

Vegas

The annual cybersecurity jamboree in Las Vegas has just ended so here's a round-up of some of the most interesting tidbits.

USB: There's a new version of the notorious Rubber Ducky USB hacking tool that is "more dangerous than ever." Security Boulevard

Starlink: A Belgian security researcher hacked Elon Musk's Starlink satellite system using a homemade circuit board that cost around $25.

Movies: Hackers took control of a decommissioned satellite and used it to stream their own content. Motherboard

Boeing: A flaw in the tablets used by some Boeing pilots could have allowed data to be modified and led to "dangerous miscalculations."

US emergency systems: Many of the devices that underpin the US Emergency Alert System are out of date, insecure and can be hacked. DHS

Emojis: It looks like a string of emojis but it's actually a way to hack a computing device. Fortunately, it's unlikely to work. Yet. Motherboard

Spyware

The NSO group has finally managed to work out how many EU countries it has done business with. Despite manufacturing one of the world's most sophisticated spyware products, its initial response to the question was "at least five." It now says the number is 14; 12 are current customers, and there are 22 security, intelligence and law enforcement agencies defined as end users. There has been a slew of reports of Pegasus being used to target journalists and lawmakers, and it should be regarded as an active threat in Europe. There are tools that can scan devices for spyware but they're either expensive (like ZecOps) or moderately complex (e.g. Amnesty International's MVT).

In brief

Water: A Russian ransomware gang breached the systems of a UK water company and promptly tried to extort the wrong organisation. It directed its demands to Thames Water when South Staffordshire was the actual victim. While amusing, hopefully utility companies are treating this as the red flag it is.

Apple ads: Apple's annual earnings from advertising are about $4 billion. It wants to make that a double-digit number, according to Apple watcher, Mark Gurman, who says it has tested adding sponsored results to Maps.

Tracking: We don't like the in-app browsers offered by people like Facebook. Security researcher, Felix Krause, explains how both the Facebook and Instagram iOS versions track "every single tap" the user makes in the browsers. 

Surveillance: A former US federal agent has developed an anti-tracking tool to check if you're being followed. It works by scanning for wireless devices and alerting the user if any of them are present for more than 20 minutes. Wired

Printered: There's a longstanding problem with most inkjet printers: they contain pads designed to soak up excess ink, and once full, the printer stops working. Epson is the latest culprit. “A printer self-bricking after a while is a great example of ‘you think you bought a product, but you really rented a service,’” wrote Jonathan Zittrain, a professor of International Law at Harvard.

Sung: Janet Jackson's 1989 Rhythm Nation music video has been declared an official security vulnerability as it freezes some hard drives on older computers. As Bleeping Computer explains, the issue is "resonance."

This is a condensed version of the email our clients receive. You can subscribe to receive the full digest.
