Off the Wall with the IT Privacy and Security Weekly Update for August 10th 2021


We start with an aerobic workout that may have you leaning on a wall … and end with a wag as to why your dog may be propped up against a wall.

In between, there are rooms of fantastic stories for you with flytraps and Instagrams and even a sprinkling of Emmental cheese.

We’ve got an appeal to put the phone down that might be that call you never wanted to receive, and a risk profiler that could keep you within your own four walls for quite some time.

We think this week’s IT Privacy and Security Weekly update is the best one yet and a great way to shake off cabin fever, whether you are inside or out!

So let’s get IT moving!

Global: Hackers Posed as Aerobics Instructors for Years to Target Aerospace Employees

We missed this story a couple of weeks back, but it’s just so great that we are sharing it now.

Proofpoint researchers have identified a years-long social engineering and targeted malware campaign by the Iranian-state aligned threat actor TA456.

The researchers found evidence that the Iranian hacker group created a persona called Marcella Flores, who posed as a glamorous aerobics instructor and university graduate from Liverpool, England. Operating on Facebook and other social media websites, the hackers operating the Flores account cultivated relationships with targeted employees, before attempting to secretly compromise their computers.

In one case, between November 2020 and June 2021, the hackers used the Flores persona to send benign messages, photographs, and a coquettish video to an intended victim who worked for a subsidiary of an aerospace defense contractor. After attempting to build a trusted relationship, the Flores account sent a fake “diet survey” about eating habits that was laced with malware that could steal usernames, passwords, and other data from the infected computer. The email was signed “Marcy.”

Designed to conduct reconnaissance on the target’s machine, the macro-laden document contained personalized content and demonstrated the importance TA456 placed on the target. Once the malware establishes persistence, it can perform reconnaissance on the infected machine, save the reconnaissance details to the host, exfiltrate sensitive information to an actor-controlled email account via SMTPS, and then cover its tracks by deleting that day’s host artifacts.

The infection chain started with an email message containing a OneDrive URL to what claimed to be the diet survey, in fact a macro-embedded Excel document; once opened with macros enabled, it quietly retrieved the reconnaissance tool from an attacker-controlled domain.

So what’s the upshot for you? This is further evidence of the resources a nation-state will commit, and the months of patient effort it will spend, to extract the intellectual property sitting on one chosen endpoint.

Global: Leaked Document Says Google Fired Dozens of Employees for Data Misuse

The document provides concrete figures on an often delicate part of a tech giant’s operations: investigations into how a company’s own employees leverage their position inside the company to steal, leak, or abuse data they may have access to. Insider abuse is a problem across the tech industry.

The document says that Google terminated 36 employees in 2020 for security-related issues.

Eighty-six percent of all security-related allegations against employees included mishandling of confidential information, such as the transfer of internal-only information to outside parties.

Back in 2010, Google fired engineer David Barksdale for leveraging his position as a member of a technical group to access the accounts of four minors. Barksdale accessed a 15-year-old boy’s Google Voice call logs, as well as contact lists and chat transcripts, and unblocked himself from a teen who had cut communications with him, the report added.

So what’s the upshot for you? If you want to demonstrate compliance, the best way to do that is to keep your own backyard tidy.

Global: Apple Scanning Your Photos

Despite some scare stories suggesting Apple is about to start scanning all your iMessages for evidence of child sexual abuse material (CSAM), the tech giant has made clear it’s not doing that at all.

It is, however, going to scan photos as they are uploaded to iCloud Photos, by comparing a “hash” of each image against a database of known hashes of child sexual abuse photos supplied by organizations such as the National Center for Missing & Exploited Children (NCMEC).

Think of the hash as a short numerical fingerprint of the image’s content. Unlike a cryptographic hash, which changes completely if a single pixel changes, the perceptual kind of hash used here is designed so that the same picture, including re-saved or slightly altered copies, gives the same or a very close fingerprint. That is what lets a computer decide whether one photo is “the same” as another.
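To make the “same photo” idea concrete, here is an added example (not Apple’s code, and not from the original post) that contrasts a cryptographic hash with a simple perceptual hash. It uses an average hash as a stand-in for Apple’s matcher, on a 16x16 grayscale image that is constructed inline; real systems use larger images and more robust hashes, but the behaviour it shows is the point.

```python
"""Cryptographic vs. perceptual hashing of an image.

Added example. The image is a constructed 16x16 grayscale gradient; the
average hash below is a simple stand-in for a production perceptual hash.
"""
import hashlib


def make_image(size=16):
    # Constructed gradient with a bright square in one region.
    img = [[(x * 7 + y * 3) % 256 for x in range(size)] for y in range(size)]
    for y in range(2, 6):
        for x in range(9, 14):
            img[y][x] = 250
    return img


def brighten(img, delta):
    # The kind of edit a filter or re-encode introduces (clipped to 8 bits).
    return [[min(255, p + delta) for p in row] for row in img]


def invert(img):
    # A visually different picture (the negative).
    return [[255 - p for p in row] for row in img]


def sha256_of(img):
    # Cryptographic hash of the raw pixel bytes: any change flips it.
    return hashlib.sha256(bytes(p for row in img for p in row)).hexdigest()


def average_hash(img, grid=8):
    """64-bit perceptual hash: downscale to grid x grid, threshold at the mean."""
    size = len(img)
    cell = size // grid
    cells = []
    for gy in range(grid):
        for gx in range(grid):
            block = [img[y][x]
                     for y in range(gy * cell, (gy + 1) * cell)
                     for x in range(gx * cell, (gx + 1) * cell)]
            cells.append(sum(block) / len(block))
    mean = sum(cells) / len(cells)
    bits = 0
    for v in cells:
        bits = (bits << 1) | (1 if v > mean else 0)
    return bits


def hamming(a, b):
    # Number of differing bits; small distance means "looks the same".
    return bin(a ^ b).count("1")


def compare(img_a, img_b):
    return {
        "sha256_equal": sha256_of(img_a) == sha256_of(img_b),
        "ahash_distance": hamming(average_hash(img_a), average_hash(img_b)),
    }


if __name__ == "__main__":
    base = make_image()
    print("slightly brightened copy:", compare(base, brighten(base, 5)))
    print("negative (different picture):", compare(base, invert(base)))
```

A brightened copy has a completely different SHA-256 but a perceptual-hash distance of zero, while the negative lands far away. The flip side is the caveat that matters for the privacy debate: perceptual hashes are deliberately fuzzy, so unrelated images can occasionally land close together, which is why a match has to go through human review before anything is reported.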

Once a match is discovered, it will be checked by a human to confirm that it needs reporting to NCMEC and the relevant police authorities.

So what’s the upshot for you? If you are worried about this being pushed forward into alternate use cases, turn off iCloud Photos. You will need to clear photos off your phone more often, but you then control whether your photos are scanned.
Go to Settings, scroll down to Photos and switch iCloud Photos off. It is on by default, so a new user will need to turn it off.

Global: FlyTrap Android Malware Compromises Thousands of Facebook Accounts

Dubbed “FlyTrap,” the previously undocumented malware is believed to be part of a family of trojans that employ social engineering tricks to breach Facebook accounts as part of a session hijacking campaign orchestrated by malicious actors operating out of Vietnam.
The apps claim to offer Netflix and Google AdWords coupon codes and let users vote for their favorite teams and players at UEFA EURO 2020, which took place between 11 June and 11 July 2021, under the condition that they log in with their Facebook accounts to cast their vote, or collect the coupon code or credits.

The mobile application poses a threat to the victim’s social identity by hijacking their Facebook accounts via a Trojan infecting their Android device. The information collected from the victim’s Android device includes Facebook ID, Location, Email address, IP address, Cookie, and Tokens associated with the Facebook account.

These hijacked Facebook sessions can be used to spread the malware by abusing the victim’s social credibility through personal messaging with links to the Trojan, as well as propagating propaganda or disinformation campaigns using the victim’s geolocation details.

So what’s the upshot for you? Google has pulled all 9 of the apps, but if any sound familiar, remove them from your phone and change your Facebook password. Because the malware steals session cookies and tokens, also log out of all other sessions from Facebook’s Security and Login settings; a stolen session can stay usable until it is ended, and a new password alone does not guarantee that.

Global: Vulnerability Affecting Routers From Many Vendors Exploited Days After Disclosure

On August 3, cybersecurity firm Tenable published a blog post describing a vulnerability affecting routers that use firmware from Arcadyan, a Taiwan-based provider of networking solutions.

The vulnerability, a path traversal flaw in the routers’ web interface, lets an unauthenticated attacker who can reach that interface bypass authentication and ultimately take control of the device by gaining root shell access.

The list of companies whose products are impacted by CVE-2021-20090 includes ADB, ASMAX, ASUS, Beeline, BT, Buffalo, Deutsche Telekom, HughesNet, KPN, O2, Orange, Skinny, SparkNZ, Telecom Argentina, Telmex, Telstra, Telus, Verizon, and Vodafone.
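If you can get at the web-server logs of such a device (or of a reverse proxy in front of it), traversal attempts are easy to spot. The following is an added example, not from Tenable’s advisory, that flags requests whose path climbs out of its directory, including the percent-encoded and double-encoded spellings attackers use to slip past naive string checks. The access-log lines are constructed for the example.

```python
"""Flag directory-traversal attempts in web access logs.

Added example; the log lines below are constructed, not real traffic.
"""
import re
from urllib.parse import unquote

# Common/combined log format up to the status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

SAMPLE_LOG = """\
203.0.113.5 - - [04/Aug/2021:10:01:02 +0000] "GET /images/logo.png HTTP/1.1" 200
203.0.113.5 - - [04/Aug/2021:10:01:03 +0000] "GET /login.html HTTP/1.1" 200
198.51.100.7 - - [04/Aug/2021:10:05:40 +0000] "GET /images/../admin.cgi HTTP/1.1" 200
198.51.100.7 - - [04/Aug/2021:10:05:41 +0000] "GET /images/..%2fadmin.cgi HTTP/1.1" 200
198.51.100.7 - - [04/Aug/2021:10:05:42 +0000] "POST /images/%252e%252e/admin.cgi HTTP/1.1" 200
192.0.2.9 - - [04/Aug/2021:10:09:00 +0000] "GET /docs/v1..v2/diff.html HTTP/1.1" 200
"""


def decode_fully(s, rounds=3):
    """Undo up to `rounds` layers of percent-encoding (stops once stable)."""
    for _ in range(rounds):
        nxt = unquote(s)
        if nxt == s:
            break
        s = nxt
    return s


def traversal_reasons(target):
    """Return the reasons a request target looks like traversal ([] if clean)."""
    path = target.split("?", 1)[0]
    decoded = decode_fully(path)
    reasons = []
    # A literal ".." segment, whichever separator the server would accept.
    segments = re.split(r"[\\/]", decoded)
    if ".." in segments:
        reasons.append("dot-dot segment")
    # Separators or dots hidden behind encoding are a red flag on their own.
    if re.search(r"%(2f|5c|2e)", path, re.IGNORECASE):
        reasons.append("encoded separator or dot")
    # Needing more than one decoding round means someone encoded the '%'.
    if decode_fully(path, rounds=1) != decoded:
        reasons.append("double-encoded")
    return reasons


def scan_log(text):
    """Yield (client ip, request target, reasons) for each suspicious line."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = traversal_reasons(m["target"])
        if reasons:
            hits.append((m["ip"], m["target"], reasons))
    return hits


if __name__ == "__main__":
    for ip, target, reasons in scan_log(SAMPLE_LOG):
        print(f"{ip:14} {target:32} {', '.join(reasons)}")
```

Note that `/docs/v1..v2/diff.html` is not flagged: only a whole `..` segment counts, which keeps false positives down. A browser normalizes `/images/../admin.cgi` before sending it, so seeing that raw form in a server log at all means a hand-crafted client; the encoded forms matter because different servers decode and normalize in different orders, and a mismatch between the two is exactly what a traversal bug exploits.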

So what’s the upshot for you? If you have one of the affected brands, check whether the manufacturer has a firmware update for this issue and apply it … because the flaw is being actively exploited. Whatever you run, make sure the router’s web interface is not reachable from the internet side; remote management should be off unless you have a specific need for it.

If the manufacturer provides no update for your device, check the DD-WRT database for more up-to-date open-source firmware, matching your exact model and hardware revision; flashing third-party firmware can void the warranty and, on an unsupported revision, brick the device. DD-WRT » Router Database

Global: Scammer Service Will Ban Anyone From Instagram for $60

New ban-as-a-service (BaaS) offerings let anyone harass or censor others, according to screenshots, interviews, and other material reviewed by Motherboard.

It appears that in some cases, the same scammers who offer ban-as-a-service also offer or are at least connected to services to restore accounts for users who were unfairly banned from Instagram, sometimes for thousands of dollars.

“Me (and my friends) currently have the best ban service on-site/in the world,” one advertisement for a ban service on the underground forum OG Users reads. “We have been professionally banning since 2020 and have top-tier experience. We may not have the cheapest prices, but trust me you are getting what you are paying for.”

“Maybe it is their ex or they have/had a grudge with them. Maybe ruining their business, maybe getting paid even more from a third party. I use an impersonation method where I get my verified IG accounts and change my profile to look exactly like the target’s bio, name, profile photo etc. I report them for impersonation once and boom, they are gone.”

“Basically it’s 3500-4k to restore. 1500 refundable deposit to start,” one person allegedly offering restore services wrote in a message to a victim, according to one of the screenshots.
So what’s the upshot for you? Instagram is aware of the issue and provides more detail here. If it happens to you, go through Instagram’s own appeal process and do not pay a “restore” service: as the story notes, the people selling restores are often the same people selling bans.

Global: Teach a Man or Woman to Phish and…

Give a Man a Fish, and You Feed Him for a Day. Teach a Man To Phish, and You Feed Him for a Lifetime. ← looks like this saying did need a bit of a refresh.

The Webroot BrightCloud Mid-Year Threat Report found a 440% increase in phishing in May 2021, the largest single-month phishing spike on record. It also showed that industries such as oil, gas, and mining saw a 47% increase over the same six-month period, with manufacturing and wholesale trade seeing a 32% increase.

Supply chains were under attack. Company management and the enterprise sector showed a significant increase in malware infections, 57% above the global average.

So what’s the upshot for you? Here is the new ransomware service layering…

  • First, someone breaks in (Initial Access Brokers).
  • Then someone else deploys the ransomware (Ransomware as a Service).
  • Then a brand-new position in the RaaS landscape: negotiators.

We loved the article title summing this all up: “Ransomware Gangs are Starting to Look Like Ocean’s 11” (Kela).

Global: Microsoft Wont-Fix-List

Microsoft Wont-Fix-List (July 2021 Edition)

“This list was intended to be a summary of what happened in July 2021 and I decided I’ll keep it that way because I honestly think I don’t have the energy to maintain an up-to-date list of ALL “won’t fixes” Microsoft has to offer. So I’ll keep this remark here for clarity and change the description.”

A list of vulnerabilities or design flaws Microsoft does not intend to fix. Since the number is growing, Chris Falta decided to make a list.

So what’s the upshot for you? Microsoft describes some of these as working as intended, which is why they are not getting patched; it is up to you to know which ones apply to your environment and to mitigate them yourself.

Perhaps it’s like buying Emmental cheese. You know it’s full of holes, but you accept that because you like the taste.

Global: Put your phone down for this story.

We are scientists engaged in the study of biological and health effects of non-ionizing electromagnetic fields (EMF). Based upon peer-reviewed, published research, we have serious concerns regarding the ubiquitous and increasing exposure to EMF generated by electric and wireless devices. These include–but are not limited to–radiofrequency radiation (RFR) emitting devices, such as cellular and cordless phones and their base stations, Wi-Fi, broadcast antennas, smart meters, and baby monitors as well as electric devices and infrastructures used in the delivery of electricity that generates extremely-low frequency electromagnetic field (ELF EMF).

The scientific basis for our common concerns. Numerous recent scientific publications have shown that EMF affects living organisms at levels well below most international and national guidelines. Effects include increased cancer risk, cellular stress, increase in harmful free radicals, genetic damages, structural and functional changes of the reproductive system, learning and memory deficits, neurological disorders, and negative impacts on general well-being in humans. Damage goes well beyond the human race, as there is growing evidence of harmful effects on both plant and animal life.

So what’s the upshot for you? After years of hearing how safe your phone is to use, it looks like it might not be after all.

Global: Risk Profiler for interactions during the Pandemic

Did you ever wish you had the means to determine the level of risk associated with an activity during this period of Covid-19 resurgence?
This is a great tool put together by six tech roommates in the San Francisco bay area.
While it may not cover every variant element to the nth degree, it does provide a fairly consistent view of the risk you will face.
Watch the video first and then fill in your details.

So what’s the upshot for you? This tool is great for your evaluation of options in regard to risk as in our Miami Florida party example…
Avoid - don’t go to the party
Reduce - Go to the party but wear a mask and have some available for those who get close to you.
Transfer - have your friend go to the party and live vicariously through them.
Retain or Accept - you may have had your vaccination so you accept the risk of Covid as you believe it will be lower for you.
Exploit - go to the party and sell masks to people (you are leveraging generally negative risk in a way that is profitable or beneficial)
Ignore - pretend that Covid doesn’t exist, and vote for Florida Governor Ron Desantis when he runs for US president in 2024 (U.S. registered voters only).

US: Anheuser-Busch thinks your dog would like a beer, too

“Innovation Machine”, a team of forward-thinking individuals, has cut the time to create a new product such as beer for dogs from 18 months to around 100 days, and along the way navigated the safety and taste challenges that come with brewing for dogs rather than people.

The dog beer is a mixture of bone broth from pork butt with corn, celery, and a blend of turmeric, ginger, basil, and mint: a healthy, inventive, tail-wagging treat that can also serve as a food substitute for dogs who can’t eat dry dog food.

The four-pack was initially released on National Dog Day last year and sold out in 24 hours. Since then, it has become a pet favorite.

Anheuser-Busch shared the Busch Dog Brew with the world through one of their most successful advertising campaigns to date, Chief Tasting Officer. Pet owners could apply via Facebook, Instagram, or Twitter by sharing a photo of their pooch with the hashtag #BuschCTOContest and a brief synopsis of why their dog should be hired.
Ethan, a rescue dog from Kentucky was selected for the one-of-a-kind job that comes with a $20,000 salary, veterinary healthcare coverage, and many pet projects.

So what’s the upshot for you? Now you and your best bud can have a beer together, and you know what despite what other mishaps your dog has, he/she is never going to “leak” that information. ← Sorry we couldn’t help it.

And that’s it for this week and please, no mix-ups. If your can of beer is starting to taste like celery, it could be the reason your dog is leaning against the wall.

Be kind, stay safe, (sober,) and secure. See you in Se7en.
