Fresh from the auction block: The IT Privacy and Security weekly update for March 9th, 2021


“Yee-haw” Daml’ers!

We have a galloping great IT Privacy and Security Update for you this week! We help the Mac users come to terms with why it seems like they have been getting more updates than their Windows counterparts.

We provide you a sense of self-worth, and just as a note… apparently, that friend of yours from Gozo really does rate higher than the one from Idaho.

We update you on the dangers of supporting West Ham, a simple overview of all the noise associated with Microsoft’s Exchange issue, the code flaw at the DODO crypto exchange, and then we finish with a lovely, lilting, run-through of just how easy it is to secure your home network.

This is it. This is absolutely the best IT Privacy and Security Update yet, so get your auction card, roll your sleeves up and let’s get bidding!


Global: Why you are applying yet another update to your Apple computer.

Apple rolled out fixes for a high-severity vulnerability in its WebKit browser engine that, if exploited, could allow remote attackers to completely compromise affected systems.

Apple released the security updates on Monday for the flaw, for its Safari browser, as well as devices running macOS, watchOS and iOS.

The bug (CVE-2021-1844) ranks 7.7 out of 10 on the CVSS vulnerability-severity scale, making it high-severity. An exploit would allow an attacker to remotely execute code and ultimately take over the system.

What is WebKit? The WebKit browser engine was developed by Apple for use in its Safari web browser – however, it is also used by Apple Mail, the App Store, and various apps on the macOS and iOS operating systems. The vulnerability stems from a memory-corruption issue in WebKit; this type of bug occurs when the contents of a memory location are modified in a way that exceeds the intention of the original program/language constructs – allowing attackers to execute arbitrary code.

So what’s the upshot for you? Apple on Monday urged affected device users to update as soon as possible: “Keeping your software up-to-date is one of the most important things you can do to maintain your Apple product’s security.” …and that is completely consistent with what you hear from us!


US: What Are You Worth On The Dark Web?

You wouldn’t know it by watching the news, with everything that’s been happening surrounding the pandemic and global politics, but last year was one of the worst years for cyber attacks. Corporations and organizations like NASA, McDonald’s, Visa, MasterCard, Microsoft, T-Mobile, Lockheed Martin, Google, even cybersecurity companies FireEye and SolarWinds were all victims of breaches.

So where does the stolen data go? Up on the dark web for sale, and in a very comprehensive listing we learn that you can buy pretty much a full US identity for about $1100, whereas just a passport from a country like Malta would set you back $6500.
We now see product ratings for the stolen articles, like the fake ID and driver’s license from Missouri (“IDs are amazing”, from a verified purchaser), or a fake driver’s license from New Jersey with the comment “great id will be back”.
Cloned credit card prices are up on last year, which is bad news for you as this drives up demand.
Malware and DDoS attacks are getting ever cheaper, while you can even buy 1000 Instagram likes for $5, a buck less than last year.

So what’s the upshot for you? Dark web market data may not provide the average person with useful insights, but what they do provide is a powerful perspective into just how valuable your personal data really is, and how cheap it is to exploit you.

We’ve heard all the horror stories of unsuspecting victims losing their life savings or hackers selling cam footage on the deepest corners of the web, and it’s easy to think it will never happen to you. The truth is, that with the growing supply of personal information on the dark web, the likelihood and occurrence of identity theft increases every day.

The reality is that hackers rarely resort to targeting specific people. With the sheer quantity of data available for purchase, they just need to play the numbers game.

OK, but how do you protect yourself?

  1. Avoid public or unsecured WiFi. If you must log into an account on a network you don’t trust, like at a coffee shop, use a VPN to encrypt all communications. If an attacker has admin access to the network you’re using, they can manipulate everything you’re doing and even forge bank websites.
  2. Check the cash point for ATM skimmers. Skimmers are devices placed over an ATM (often exact replicas of the card reader) to read a card and send your information to a hacker. To check for skimmers, you should:
  • Press around the sides of the card slot and see if anything feels loose; they’re delicately mounted, so they’ll move when pressed with a small amount of pressure.
  • Check for glue or tape around the edges. If you see any glue material, stay away from that ATM and call the bank.
  • If you have difficulty putting your card into the machine, stop trying and report it to the bank.
  • Check for fake keypads. Fake keypads are sometimes placed over the legitimate one to record your PIN. They’re also often very loosely mounted. If it jiggles around a bit or if you notice the keypad is off-center, you should avoid using it.
  3. Avoid giving sensitive information over the phone to anyone, regardless of whether it is a requirement for some process. If possible, do it in person. And be sure to verify that who you are talking to is who they say.
  4. Run an anti-malware program on your machine.
  5. Don’t reuse the same password on different accounts.
  6. If you have a Gmail account and are being asked to use e-mail as your account identifier, create an e-mail address that is not your name and use it with a + website name to register. For example: BraveChicken+ebay@gmail.com. This means that if your account is ever compromised, that logon will only work on one website. Change the detail after the + sign for each account that requires an email address.
  7. Delete accounts, phone apps and sign-in details for things you no longer use.
  8. Use an encrypted spreadsheet or a password manager to track your unique passwords.

Long list, huh? The average stolen identity takes about 2 years to put right, and through that time your access to bank funds, credit and a whole list of other resources can be severely compromised.
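The plus-addressing tip in the list above becomes much more useful once you actually check which alias each incoming message was sent to: if the alias you gave only to one site starts receiving mail from somewhere else, that site (or its marketing partner) has leaked or sold your address. The script below is an added example written for this post, not code from the original; the BraveChicken address, the gmail.com domain and the four sample messages are all constructed.

```python
import re
from email.utils import parseaddr

# Constructed sample mailbox: (From header, To header) pairs. Not real mail.
SAMPLE_MESSAGES = [
    ("eBay <noreply@ebay.com>", "BraveChicken+ebay@gmail.com"),
    ("Amazon <order-update@amazon.com>", "bravechicken+amazon@gmail.com"),
    ("Deals <promo@unknown-marketing.example>", "BraveChicken+ebay@gmail.com"),
    ("Friend <pal@example.org>", "bravechicken@gmail.com"),
]


def make_alias(base_local, domain, site):
    """Build a plus-addressed alias for one site, e.g. BraveChicken+ebay@gmail.com.

    The tag is reduced to lowercase letters and digits because many sign-up
    forms reject other characters in the local part.
    """
    tag = re.sub(r"[^a-z0-9]", "", site.lower())
    if not tag:
        raise ValueError("site name yields an empty tag")
    return f"{base_local}+{tag}@{domain}"


def split_alias(address):
    """Return (base_local, tag, domain) for an address; tag is '' when there is no plus-tag."""
    _, addr = parseaddr(address)
    local, _, domain = addr.lower().rpartition("@")
    base, _, tag = local.partition("+")
    return base, tag, domain


def find_leaked_aliases(messages):
    """Flag messages where a site-specific alias receives mail from a sender
    whose domain does not contain the tag. Returns (tag, sender) pairs."""
    leaks = []
    for from_hdr, to_hdr in messages:
        _, tag, _ = split_alias(to_hdr)
        if not tag:
            continue  # plain address, nothing to attribute
        _, sender = parseaddr(from_hdr)
        sender_domain = sender.rpartition("@")[2].lower()
        if tag not in sender_domain:
            leaks.append((tag, sender))
    return leaks


if __name__ == "__main__":
    print(make_alias("BraveChicken", "gmail.com", "eBay"))
    for tag, sender in find_leaked_aliases(SAMPLE_MESSAGES):
        print(f"alias tag '{tag}' received mail from unrelated sender {sender}")
```

Two caveats worth keeping in mind: the part after the + is visible to anyone who has the address and can be stripped with one line of code, so treat it as a leak-tracing label rather than a secret, and some sign-up forms simply refuse addresses containing a + character.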


Global: Ransomware gang plans to call victim’s business partners about attacks

Apparently now ransomware operators are taking a further step to ensure companies who end up with encrypted files pay up.

First step they encrypted the files.
Then they copied the files prior to encrypting them so they can be released as proof.
Then they add in a DDoS Attack, to get the boot in.
Now … they are calling the press and the company’s clients to let them know the firm is under a ransomware attack.

So what’s the upshot for you? You may have heard that the US treasury department, for one, doesn’t want you paying ransomware to the baddies as it can help finance terrorist activities or North Korea’s nuclear program.

Ransomware Advisory | U.S. Department of the Treasury.

This has put a lot of downward pressure on profit margins for those criminals. They are looking for new ways to incentivize those they attack to move toward payment. Expect to see more creativity as the controls on ransomware become tighter.


UK: West Ham Utd Website Spills Supporters’ Personal Data

The West Ham Football Club (soccer in the US) website was showing several error messages this morning, including an admin message from Drupal.

After creating an account on the site and then logging back in with those credentials, researcher Barry Collins was shown the personal details of another West Ham supporter, including their full name, date of birth, mobile telephone number, address and email address.

Other supporters on the West Ham fans’ forum KUMB.com have reported similar problems. The site seems to be leaking the details of multiple supporters…

“Not only could this arise in a GDPR issue, it seems like it would be difficult to know who has seen what information and they could be potentially at risk of future targeted phishing emails."

So what’s the upshot for you? It looks like the Hammers need to take a hammer to their Drupal set up or they’ll be “Forever Blowing Bubbles”. We are sure more than a few of their supporters have the technical expertise to help configure the site securely! Go you Hammers!


Global: Buggy DODO loses $3.5 million in a recent exploit

Backstory: Built on Ethereum and Binance Smart Chain (BSC), DODO enables trading between two arbitrary tokens on the same network.
The SmartTrade feature intelligently finds the best order routing from aggregated liquidity sources to give traders the best prices.
Users who execute trades on DODO also have the option to participate in trading mining, which rewards traders with DODO tokens.

Today a reported bug in the smart contract allowed the init() function to be called multiple times.
What happened was this:

  • The exploiter creates a counterfeit token and initializes the smart contract with it by calling the init() function.
  • The exploiter calls the sync() function and sets the “reserve” variable, which represents the token balance, to 0.
  • The exploiter calls init() again to re-initialize – this time with a “real” token (i.e., tokens in DODO’s pools).
  • The exploiter then uses a flash loan to transfer all real tokens from the pools and bypass the flash loan check.

In all it allowed US$3.8M to be cleared out, of which US$1.8M is expected to be recovered.
Although two parties were involved, the second is thought to be a bot that completed the process.
…And the destination addresses are known.
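The root cause in the sequence above is an initializer that can run more than once. The model below is an added example written for this post, not DODO’s contract code: a toy Python pool that tracks one token, with a `guard_reinit` switch selecting between the unguarded behaviour and the hardened one-shot initializer. The token names and balances are constructed.

```python
class Pool:
    """Toy model of a pool that accounts for a single base token.

    Constructed for illustration only; it is not DODO's contract.
    guard_reinit=False reproduces the re-initializable behaviour,
    guard_reinit=True adds the one-shot guard that prevents it.
    """

    def __init__(self, guard_reinit):
        self.guard_reinit = guard_reinit
        self.initialized = False
        self.token = None        # which token this pool accounts for
        self.balances = {}       # token -> amount the pool actually holds
        self.reserve = 0         # cached balance of self.token

    def deposit(self, token, amount):
        self.balances[token] = self.balances.get(token, 0) + amount

    def init(self, token):
        # Hardened variant: a second call fails instead of re-pointing the pool.
        if self.guard_reinit and self.initialized:
            raise RuntimeError("pool already initialized")
        self.initialized = True
        self.token = token
        self.sync()

    def sync(self):
        # reserve mirrors the pool's real balance of the configured token
        self.reserve = self.balances.get(self.token, 0)


def reinit_allowed(guard_reinit):
    """Initialize with a counterfeit token, then try init() again with the real one.

    Returns True when the second init() succeeds (the bug), False when the
    guard rejects it.
    """
    pool = Pool(guard_reinit)
    pool.deposit("REAL", 1_000)   # liquidity the pool genuinely holds
    pool.init("FAKE")             # first init with a counterfeit token
    pool.sync()                   # reserve now reflects FAKE holdings: 0
    try:
        pool.init("REAL")         # second init re-points the pool at real tokens
    except RuntimeError:
        return False
    return True


if __name__ == "__main__":
    print("unguarded pool re-initializable:", reinit_allowed(False))
    print("guarded pool re-initializable:  ", reinit_allowed(True))
```

The lesson is the same one the upgradeable-contract community settled on: any `init()`-style function that replaces a constructor needs an explicit initialized flag checked before anything else, and that check belongs in the audit checklist.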

So what’s the upshot for you? Currently the DODO team is asking who the owners of those deposit addresses might be. We think some type of reward or bug bounty might be a good incentive. Come on DODO!


US: The SolarWinds Supernova is Now attributed to the Chinese!?!

In late 2020, Secureworks® Counter Threat Unit™ (CTU) researchers observed a threat actor exploiting an internet-facing SolarWinds server to deploy the SUPERNOVA web shell. Additional analysis revealed similarities to intrusion activity identified on the same network earlier in 2020, suggesting the two intrusions are linked. CTU™ researchers attribute the intrusions to the SPIRAL threat group. Characteristics of the activity suggest the group is based in China.
CTU researchers were initially unable to attribute the August activity to any known threat groups. However, the following similarities to the SPIRAL intrusion in late 2020 suggest that the SPIRAL threat group was responsible for both intrusions:

  • The threat actors used identical commands to dump the LSASS process via comsvcs.dll and used the same output file path.
  • The same two servers were accessed: a domain controller and a server that could provide access to sensitive business data.
  • The same ‘c:\users\public’ path (all lowercase) was used as a working directory.
  • Three compromised administrator accounts were used in both intrusions.
  • The commands came from a host that did not belong to the compromised organization and used an IP address geolocated to China.

The exposure of the IP address was likely unintentional, so its geolocation supports the hypothesis that the SPIRAL threat group operates out of China. Similarities between SUPERNOVA-related activity in November and activity that CTU researchers analyzed in August suggest that the SPIRAL threat group was responsible for both intrusions.
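Two of the overlaps listed above (the comsvcs.dll LSASS dump and the lowercase c:\users\public working directory) are the kind of thing a detection team can hunt for in process-creation telemetry and then compare across incidents, which is how the August and November activity were tied together. The script below is an added example written for this post, not Secureworks’ tooling; the pipe-separated log format, the account names, the PIDs and the four events are all constructed.

```python
import re

# Constructed process-creation events, one per line:
#   timestamp | user | working_dir | command_line
# These are invented for the example and are not real telemetry.
SAMPLE_EVENTS = [
    "2020-08-14T02:11:09Z | corp\\admin01 | c:\\users\\public | "
    "rundll32.exe c:\\windows\\system32\\comsvcs.dll, MiniDump 712 c:\\users\\public\\out.dmp full",
    "2020-08-14T02:15:44Z | corp\\svc-backup | c:\\program files\\backup | backup.exe --full",
    "2020-11-03T23:02:51Z | corp\\admin02 | c:\\users\\public | "
    "rundll32.exe C:\\Windows\\System32\\comsvcs.dll MiniDump 844 c:\\users\\public\\out.dmp full",
    "2020-11-03T23:10:12Z | corp\\jdoe | c:\\users\\jdoe | notepad.exe notes.txt",
]

# comsvcs.dll exports MiniDump; seeing both in one command line is a strong LSASS-dump signal.
LSASS_DUMP = re.compile(r"comsvcs\.dll.*minidump", re.IGNORECASE)
PUBLIC_DIR = "c:\\users\\public"   # the working directory named in the CTU overlap list


def parse_event(line):
    ts, user, cwd, cmd = [field.strip() for field in line.split("|", 3)]
    return {"ts": ts, "user": user, "cwd": cwd, "cmd": cmd}


def flag_events(lines):
    """Return (timestamp, user, [reasons]) for every event matching an indicator."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        reasons = []
        if LSASS_DUMP.search(ev["cmd"]):
            reasons.append("lsass-dump-comsvcs")
        # Case-insensitive here; the exact all-lowercase spelling can serve as a
        # finer fingerprint once you are comparing two known intrusions.
        if ev["cwd"].lower() == PUBLIC_DIR:
            reasons.append("public-dir-cwd")
        if reasons:
            hits.append((ev["ts"], ev["user"], reasons))
    return hits


def shared_indicators(hits):
    """Indicators seen in every calendar month that produced hits.

    A non-empty result is the kind of overlap used to argue that two
    intrusions months apart came from the same operators.
    """
    by_month = {}
    for ts, _user, reasons in hits:
        by_month.setdefault(ts[:7], set()).update(reasons)
    groups = list(by_month.values())
    if len(groups) < 2:
        return set()
    return set.intersection(*groups)


if __name__ == "__main__":
    hits = flag_events(SAMPLE_EVENTS)
    for ts, user, reasons in hits:
        print(ts, user, ", ".join(reasons))
    print("shared across intrusions:", sorted(shared_indicators(hits)))
```

In a real environment the same logic would run over Sysmon event ID 1 or Windows event 4688 with command-line auditing enabled; without command-line logging the comsvcs.dll check has nothing to match on, which is the first gap to close.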

So what’s the upshot for you? We couldn’t let another week go by without an update on the Biggest hack in the world. But now it appears that at least 2 Nation States had their fingers in the SolarWinds pie. (Boy those teams must have been writhing in annoyance as the Russians got all the credit for their craftwork). We don’t know where this all started, or where it will end, but you can be sure we will keep you up to date on the latest.


Global: New dropper app can install malware on your phone and comes to you through 8 popular apps.

“Clast82” is a dropper that can “install any malware on the device.”
Clast82 includes a mobile remote access trojan to control infected devices, and its favored malware appears to be the AlienBot banking malware as a service (MaaS). Clast82 can take “full control over a victim’s phone—making it as if the hacker is holding the phone physically.”

All the apps uploaded to Play Store had no issues with their own code and so didn’t trigger any alerts. And, switched off, they didn’t exhibit any bad behaviors when operating. But once approved and switched on, they downloaded dangerous malware onto the device. “The payload dropped by Clast82 does not originate from Google Play, thus the scanning of applications before submission to review will not prevent the installation of the malicious payload.”
Eight of the current Clast82-laden apps are:

  • Cake VPN (com.lazycoder.cakevpns)
  • Pacific VPN (com.protectvpn.freeapp)
  • eVPN (com.abcd.evpnfree)
  • BeatPlayer (com.crrl.beatplayers)
  • QR/Barcode Scanner MAX (com.bezrukd.qrcodebarcode)
  • Music Player (com.revosleap.samplemusicplayers)
  • tooltipnatorlibrary (com.mistergrizzlys.docscanpro)
  • QRecorder (com.record.callvoicerecorder)

The concern going forward is that this dropper can be added to any app.

So what’s the upshot for you? Don’t install apps that you don’t need, and pay close attention to the permissions which the app is requesting; for example, a flashlight app requesting access to your contacts is immediately suspicious, oh… and read the reviews… starting with the bad ones first.
And, maybe most importantly, if you found any of the listed apps on your phone, and you have a banking app on that phone, change your banking app password ASAP.


Global: Github’s Authentication bug

https://www.securityweek.com/github-informs-users-potentially-serious-authentication-bug

“It is important to note that this issue was not the result of compromised account passwords, SSH keys, or personal access tokens (PATs) and there is no evidence to suggest that this was the result of a compromise of any other GitHub systems,” noted Mike Hanley, GitHub’s recently appointed chief security officer. “Instead, this issue was due to the rare and isolated improper handling of authenticated sessions. Further, this issue could not be intentionally triggered or directed by a malicious user.”
Less than 0.001% of authenticated sessions on GitHub.com were impacted and the company said there was no evidence that other products were affected.

“Out of an abundance of caution, and with a strong bias toward account security, we’ve invalidated all sessions on GitHub.com created prior to 12:03 UTC on March 8 to avoid even the remote possibility that undetected compromised sessions could still exist after the vulnerability was patched,” Hanley explained.

So what’s the upshot for you? This one does not appear to be a huge security issue, but if you got thrown off Github last night, now you know why.


Global: Exchange breach is so bad that Microsoft is even patching unsupported versions of Exchange

The campaign was detected in January, said Steven Adair, the founder of Volexity. The hackers quietly stole emails from several targets, exploiting a bug that allowed them to access email servers without a password.

“This is what we consider really stealth,” Mr. Adair said, adding that the discovery set off a frantic investigation. “It caused us to start ripping everything apart.” Volexity reported its findings to Microsoft and the U.S. government.

At least 30,000 organizations across the United States — including a significant number of small businesses, towns, cities, and local governments — have over the past few days been hacked by an unusually aggressive Chinese cyber-espionage unit that’s focused on stealing email from victim organizations, multiple sources told Brian Krebs. The espionage group was exploiting four newly-discovered flaws in Microsoft Exchange Server email software and has seeded hundreds of thousands of victim organizations worldwide with tools that give the attackers total, remote control over affected systems.
“We’ve worked on dozens of cases so far where web shells were put on the victim system back on Feb. 28 [before Microsoft announced its patches], all the way up to today,” Volexity President Steven Adair said. “Even if you patched the same day Microsoft published its patches, there’s still a high chance there is a web shell on your server. The truth is, if you’re running Exchange and you haven’t patched this yet, there’s a very high chance that your organization is already compromised.”

What’s a web shell? A web shell is an easy-to-use, password-protected hacking tool that can be accessed over the Internet from any browser. The web shell gives the attackers administrative access to the victim’s servers.

In the interim, Microsoft is treating this very seriously and even providing patches for Microsoft Exchange servers that are out of support, going back to Exchange 2010.

So what’s the upshot for you? You know it is serious when Microsoft reaches back to offer free patches and support to unsupported versions of their software.


EU: The European Banking Authority is hit by the Exchange breach

Thanks to the precautionary measures taken, the EBA has managed to remove the existing threat and its email communication services have, therefore, been restored.
The analysis was carried out by the EBA in close collaboration with the Computer Emergency Response Team (CERT-EU) for the EU institutions, agencies, and bodies, the EBA’s ICT providers, a team of forensic experts, and other relevant entities.

Besides re-securing its email system, the EBA remains in heightened security alert and will continue monitoring the situation.

So what’s the upshot for you? Nothing. That was a lucky dodge.


Global: Staying safe on the home network

Looking for a place to put those unsafe light switches, garage door openers, and the occasional guest or visitor?
Most home routers have the option to set up a guest network. If you have any IoT devices or guests (we are in a pandemic, so that might not be an issue at present, but just wait, soon your friends will be back in throngs…), the safest thing to do is to enable that network. If your router is a little bit older, update the firmware or look for the model in the DD-WRT router database and consider updating with that firmware. Often it’s like getting a completely new router with all kinds of cool added features and functionality.

To find your router, put 192.168.0.1 in a browser (sometimes it’s 192.168.1.1)
Once you log into the router, if you have not updated the default admin password, this is the perfect time.
For anything older than a year, check on updates for the router firmware (as above).

Then navigate through the menu and turn on the option for a guest network. Give it a name, and yes… even “guest” works, then turn on WPA2 encryption and set a password. Make it something you remember, and a longer password is good. We’ve even heard of “TheGuestNetwork!” being used. We are only suggesting that you be creative.

Don’t enable the option that allows visitors to access network resources. Guests should not be able to see folders or files, or any other info. Some routers call this option “Isolate” because you isolate the rest of the network from the guest network.

Lastly, if there is an option that allows that network access to router settings, turn it off.

Now you have a network to load your IoT devices onto … along with those throngs of guests!

So what’s the upshot for you? Using the guest network to segment less secure devices away from your more important ones is a great way to protect yourself and actually kind of fun to do… and it earns you our gold :star: of approval!



AND… that is it for this week Daml’ers! We loved the story suggestions that came in this week and hope you enjoyed our discoveries!

Stay safe, stay secure, and see you in se7en!




Great post! I thought the ATM/Personal Security and Home Network tips were spot on. Given the amount of devices many of us on this forum likely have, this is an important issue :+1:t2: :grinning:


Thanks! The DODO Crypto story was a direct result of your input. Not sure it’s as relevant to all the audience, but I liked the “we know you’ve got it, please just give our money back” message.
