Teams stores tokens in cleartext
A security researcher at the firm Vectra released a report detailing how the Microsoft app stores authentication tokens in cleartext. This impacts versions of the app on Windows, macOS and Linux. The researcher found the tokens in an ldb file. Further investigation found them in the Cookies folder, along with account information, session data, and marketing tags. The researcher advised Microsoft of the findings in August. Microsoft disagreed to the severity of the finding, so don’t expect a patch. The report recommends users switch from the Electron desktop app to the browser-based version in Edge, which offers additional protections against tokens leaking.
(Bleeping Computer)
Cyberscammers caught up in human trafficking
Ars Technica and ProPublica published a piece looking at the practice of human traffickers forcing victims into acting as cyberscammers. These individuals are sold on Telegram channels and other forums, advertised with language proficiencies and typing skills. This appears to includes tens of thousands of victims from China, Taiwan, Thailand, and Vietnam, tricked into traveling to Cambodia, Laos and Myanmar, where they are forcibly prevented from leaving compounds until they operated cyberfraud schemes to pay thousands of dollars for their freedom. These forced scammers would operate long-term romance scams on targets in Western countries, supplied with guides on how to operate scams and pre-made profiles.
(Ars Technica)
US Treasury issues guidance on Tornado Cash
Last month, the US Treasury announced sanctions against the Tornado Cash cryptocurrency mixer. The Treasury justified the sanction by alleging the mixer engaged in money laundering for North Korea’s Lazarus Group, among other threat groups. These sanctions meant that no US person could continue using it. The new guidance provides a way for US citizens to lawfully withdraw funds. Users now can apply for a license to complete a transaction. DeFiLlama estimates Tornado Cash smart contracts contain about $200 million at this time.
(Axios)
Terraform Labs founder facing arrest
Bloomberg reports that South Korean authorities issued an arrest warrant for Do Kwon, the founder of the crypto company Terraform Labs. The warrant alleges he violated the capital markets law. Reuters’ sources say South Korea’s Supreme Prosecutors’ Office placed Kwon and several Terraform employees on a no-fly list back in June, although he is believed to currently reside in Signapore. Earlier this year, Terraform’s Luna and UST tokens plummeted in value, leading to roughly $60 billion in losses.
(Bloomberg)
Thanks to today’s episode sponsor, Edgescan
Microsoft patches zero-days
The company patched two zero-days in its Patch Tuesday release, including an actively exploited elevation of privilege bug with the Windows Common Log File System Driver. This impacted all versions of Windows. These came as part of 63 total fixes in the update. CISA already added the critical zero-day to its Known Exploited Vulnerabilities List, along with the Apple actively exploited iOS zero-day we covered yesterday.
(Bleeping Computer)
Rising concerns of Russian industrial espionage
Experts speaking to The Record advised that Western companies should be on “full alert” for cyberattacks from Russian intelligence services, specifically looking at industrial espionage. This comes as the country’s Ministry of Industry and Trade issued a new strategic policy document warning that Russia’s domestic technology industry suffers from foreign dependence on intellectual property. Statements from Russian President Vladimir Putin suggest that the country’s intelligence service use cyberespionage as a way to close this technological development gap. It’s not clear if this will be part of future efforts or a shift already underway. Last month, Microsoft’s Threat Intelligence Center reported that the Russian-back Nobellium group “remains highly active.” However it still seems focused on targeting government organizations and NGOs.
(The Record)
Legacy medical devices at risk
A new report from the FBI states that threat actors increasingly look to exploit unpatched legacy medical devices still in operation. These exploits could impact data integrity, operations, and patient safety. The alert notes that most devices remain active anywhere from 10 to 30 years, much longer than a manufacturer’s software life cycle. This gap can present an easy to discover attack surface for threat actors. These medical devices often require special upgrading or patching procedures.
(SC Magazine)
SparklingGoblin APT attacks Hong Kong University
The security firm Eset published a blog post detailing the work of the APT, which operates in Southeast Asia. SparklingGoblin used a Linux variant of the SideWalk backdoor to target a university in Hong Kong in February 2021. It seems the group targeted the organizations for some time, including during May 2020 student protests, compromising several servers. The Linux version of SideWalk used by the group differed from the Windows variant. It generally shows less obscured code than the Windows version and points to known C2 servers of the group.
(InfoSecurity Magazine)
