Backdoor found in court and jail AV recording software

In other news: Kevin Mandia steps down; TikTok takes down several influence networks; LastPass will start encrypting URLs.

This newsletter is brought to you by Proofpoint. You can subscribe to an audio version of this newsletter as a podcast by searching for "Risky Business News" in your podcatcher or subscribing via this RSS feed. On Apple Podcasts.

Cybersecurity researchers from Rapid7 and S2W have found a backdoor trojan inside a popular app used for recording courtroom and jury meetings.

The malware was found in the installer for JAVS Viewer version 8.3.7, an app from Justice AV Solutions that allows customers to play back older recordings.

JAVS customers who downloaded the official installer from the company's website between April 1 and mid-May are likely infected with a version of the GateDoor backdoor.

The malware is written in Go and is the Windows version of RustDoor, a Rust-based backdoor that could infect macOS systems.

Previous reports from Bitdefender and S2W linked both versions of the malware to server infrastructure previously operated by the AlphV (BlackCat) ransomware operation.

Rapid7 has published information on its blog on how customers can determine if they installed the malicious version of the JAVS Viewer app: it drops a misspelled "fffmpeg.exe" encoder signed with a "Vanguard Tech Limited" certificate.

If systems are found to be infected, Rapid7 advises a full reimaging and the changing of all passwords stored on that system.

For its part, Justice AV Solutions appears to have been very responsive to the incident. Per a statement listed under Rapid7's report, the company says it removed the modified installer from its servers and is now conducting an audit of all JAVS software products.

The incident appears to be contained, but it's still unclear how the threat actor managed to put a backdoored file on its servers.

While Justice AV Solutions lists more than 10,000 customers on its website, it's likely that not all were impacted.

Gala Games hack: The individual who exploited and stole $21 million worth of crypto tokens from the Gala Games platform has returned all the stolen assets. The hack took place earlier this week, on Monday, when a hacker exploited the platform, minted $200 million worth of new tokens, and managed to steal $21 million before their access was cut off. The funds were returned after the company claimed it identified the hacker's identity and was working with law enforcement. Gala didn't specify if they are now dropping the case against the attacker. Additional coverage in CoinTelegraph.

Change Healthcare hack: Members of the American Medical Association (AMA) have asked the US government to absolve them of HIPAA requirements related to Change Healthcare's February ransomware attack. AMA members have asked the US Department of Health and Human Services to hold Change Healthcare responsible for sending breach notifications related to the hack. Previously, Change Healthcare's parent company said it would handle breach notifications for some customers, but not all. More than 100 healthcare organizations have signed an AMA letter [PDF] to the government. Additional coverage in Healthcare Dive.

NYSE hack fine: The US SEC has fined Intercontinental Exchange (ICE), the company behind the New York Stock Exchange (NYSE), $10 million for failing to report an April 2021 security breach in a timely manner.

pcTattletale leak: Stalkerware application pcTattletale is leaking screenshots captured from installed systems due to a vulnerability in its API. The issue was discovered by security researcher Eric Daigle, who reported the leak to the vendor earlier this month. Despite repeated contact attempts, the company has yet to respond to both the researcher and reporters. TechCrunch says the app is currently used by multiple hotels to keep an eye on employee systems. Screenshots taken by the app from hotel systems are now exposing the personal details of their guests.

Eindhoven leak: The Dutch city of Eindhoven has suffered a security breach and leaked the personal details of over 220,000 residents. Additional coverage in Eindhovens Dagblad.

TLS Session Tickets and the GDPR: Polish privacy researcher Lukasz Olejnik has conducted a privacy audit of a TLS feature named Session Tickets that can allow TLS sessions to be easily resumed. The new feature is GDPR compliant, and Olejnik says that's a good thing, since a privacy regulation impacting technical advancements may suggest that something is very wrong with EU data protection law.

BlueSky gets DMs: The BlueSky social network now supports direct messages (DMs).

LastPass encrypts URLs: Password manager LastPass will start encrypting URLs stored in user vaults to protect user data against unauthorized access. LastPass is rolling out encrypted URLs after a major security breach in December 2022. A report claimed threat actors decrypted some of the stolen password vaults and then emptied cryptocurrency wallets with the recovered credentials. Encrypting URLs will prevent threat actors from linking credentials from a password vault to an online service. LastPass says it's encrypting URLs now because most devices have the memory to handle encryption algorithms.

DHS immigrants biometrics database: Experts from Georgetown University's law school say the DHS is misleading and intimidating immigrants to collect biometric and DNA profiles. Experts say that since 2020, the DHS has added more than 1.5 million DNA profiles to the national law enforcement database CODIS, a 5,000% increase in just 3 years.

Edge gets screenshot protection: Microsoft has added new DLP security features to the enterprise version of its Edge web browser. New versions of Edge for Business will allow admins to restrict an employee's ability to take screenshots or capture the screen on sensitive pages. Administrators can also restrict users from printing Word, Excel, and PowerPoint documents marked as sensitive. The new features will be available in the coming weeks.

Microsoft's VBScript deprecation: Microsoft will deprecate and make VBScript a feature-on-demand (FOD) in the second half of the year, with the release of Windows 11 version 24H2. VBScript will remain enabled by default, but administrators will now have the option to disable it if they wish to. VBScript will be disabled by default in 2027. Microsoft says it plans to remove VBScript from Windows but has not committed to an exact date yet.

UK ICO to investigate Microsoft: The UK's privacy watchdog is investigating Microsoft over Recall, a new Windows 11 feature that takes screenshots of users' PCs every few seconds. Microsoft says the feature is intended to allow users to use a locally installed AI assistant to search through screenshots and a user's past activity. Recall is currently available on Microsoft's new select line of Copilot+ PCs. UK officials say they're looking into what safeguards Microsoft is putting in place to safeguard user privacy. Privacy and security experts have criticized Recall for exposing Windows users to new risks. Critics say the feature creates unredacted screenshots that may contain sensitive information like passwords and bank numbers and leaves the data on the user's hard drive, from where it can be stolen by malware.

Diverse Cybersecurity Workforce Act: Two Democrats from the US House of Representatives have introduced the Diverse Cybersecurity Workforce Act, a bill that would establish a program within CISA to promote the cybersecurity field to underrepresented and disadvantaged communities.

Goldstein replacement: CISA has nominated Jeff Greene to take over the position of the agency's Executive Assistant Director for Cybersecurity. Greene will replace Eric Goldstein, who will be leaving his post this month. Greene previously served in the White House's National Security Council's Cyber Directorate and as Director of US NIST. Additional coverage in The Record.

EU anti-propaganda statement: Sixteen EU members have pledged to detect and fight propaganda and disinformation targeting the EU and neighboring countries. The 16 countries plan to share information, provide legal reactions, and even issue sanctions against foreign actors. They also plan to pressure online platforms to follow their legal obligations and crack down on disinformation campaigns. Countries that signed the statement include France, Germany, Poland, Austria, Bulgaria, Croatia, Czechia, Denmark, Greece, Italy, Latvia, Luxembourg, Portugal, Romania, Slovenia, and Spain. (h/t Lukasz Olejnik)

Deepfakes in the criminal code: The President of Latvia has asked the government to amend the country's criminal code to criminalize the creation of deepfakes for political use. The proposal suggests that offenders should face punishment of up to five years in jail. President Edgars Rinkēvičs' proposal comes after deepfakes were used in Slovakia's presidential and parliamentary election last year in support of an anti-EU and pro-Kremlin candidate. Additional coverage in LSM.

In this Risky Business News sponsor interview, Catalin Cimpanu talks with Proofpoint senior threat intelligence analyst Selena Larson about the latest changes in the threat actor landscape in the aftermath of several law enforcement takedowns and Microsoft tech stack changes.

BEC money launderer sentenced: US authorities have sentenced a Georgia man to 10 years in prison for laundering the proceeds of BEC and romance scams.

Novel phishing infrastructure: Huntress researchers have discovered the infrastructure of a phishing group that appears to combine several techniques for a novel form of phishing operations. Huntress says the threat actor appears to combine HTML smuggling, injected iframes, and session theft via transparent proxy for a never-before-seen attack combo.

Elections, India, hacktivism, and cybercrime: Resecurity has published a report on how cybercrime and hacktivist groups are playing a role in this year's Indian elections, either through data dumps or influence operations.

Arc malvertising: Malwarebytes researchers look at a recent malvertising campaign using the new Arc browser as a lure to infect users with malware.

SMS scam abuse: Telecom security firm ENEA looks at how SMS scammers are abusing cloud services to host infrastructure without any issues from the hosters. YOLO!

PyPI macOS malware: Datadog researchers have spotted a cluster of malicious PyPI packages that target macOS users with malware.

Pegasus fakes: Indian security firm CloudSEK has published a report looking at all the recent ads published on the dark web and Telegram claiming to sell versions of the Pegasus spyware (obviously scams).

Storm-0539: Microsoft has published a more in-depth report [PDF] on Storm-0539, a threat actor that has been targeting the gift card departments at US retail corporations. Microsoft first spotted the group last December, and the group was recently at the center of an FBI security alert as well [PDF].

Threat/trend reports: Cisco Talos, Huntress, NCC Group, US NIST, and Qrator Labs have recently published reports covering infosec industry threats and trends.

Gootloader: Malwarebytes has published a technical deep dive into recent campaigns distributing the Gootloader malware family.

Iluria Stealer: CyFirma continues to find new malware advertised in underground cybercrime circles. Their latest finding is the new Iluria Stealer, an infostealer from the developer of the older Nikki Stealer.

New stealers: Kaspersky researchers look at three new infostealers they've spotted advertised online: Acrid, ScarletStealer, and Sys01. If nuclear war erupted tomorrow, the only things to survive would be cockroaches and infostealers.

ShrinkLocker ransomware: Kaspersky has discovered and documented a new ransomware strain named ShrinkLocker that uses Windows' built-in BitLocker feature for data encryption.

CatDDoS botnets: Chinese security firm QiAnXin is seeing a surge in activity in IoT botnets using a variant of the Mirai malware named CatDDoS. The botnets have exploited over 80 vulnerabilities in different devices over the last three months to amass new bots and improve their attack capabilities. CatDDoS-related botnets are currently launching attacks on more than 300 targets on a daily basis. QiAnXin says it's seeing some of the botnets attempting to cannibalize each other's bots.

Proofpoint recently identified a SugarGh0st RAT campaign targeting organizations in the United States involved in artificial intelligence efforts, including those in academia, private industry, and government service. Proofpoint tracks the cluster responsible for this activity as UNK_SweetSpecter.

TikTok influence operations: TikTok says that in the first four months of the year, it disrupted 15 influence operations and removed 3,001 associated accounts. The company says most networks were trying to influence upcoming elections among a selected target audience. Most of the networks operated from the country they were trying to influence. Only two networks, based out of China and Iran, targeted audiences abroad with pro-PRC and anti-US views, respectively. TikTok says the largest influence networks were found in Serbia, Indonesia, and Venezuela. A list of all networks and their goals is available here.

SideWinder: Embee Research says it uncovered new SideWinder APT infrastructure by combining regex patterns, Whois records, and domain registrar data from past operations.

Transparent Tribe: IBM has published a report covering campaigns linked to Pakistan's Transparent Tribe APT that took place between late 2023 and April 2024. The campaigns' targets included entities in India's government, defense, and aerospace sectors.

Kimsuky's Gomir: ShadowStackRE has published a breakdown of Gomir, a new Linux backdoor used by the Kimsuky APT.

Sharp Dragon expands: A suspected Chinese APT group named Sharp Dragon (Sharp Panda) has expanded its targeting to new regions, such as Africa and the Caribbean. The group has been active for years but has historically targeted only the Southeast Asia region. Security firm Check Point says the group is now using compromised accounts inside the governments of past victims to reach out to African and Caribbean governments and establish new footholds. Researchers say the group is careful when selecting new targets and uses publicly and readily available tools to blend in with the noise.

KeyPlug in Italy: Italian security firm Yoroi takes a look at a few KeyPlug implants they found across Italy. KeyPlug is a backdoor used in the past by China's APT41.

Operation Diplomatic Specter: Palo Alto Networks says it's tracking a suspected Chinese APT conducting a campaign against diplomatic missions, embassies, and military targets across the Middle East, Africa, and Asia. Named Operation Diplomatic Specter, the campaign has been active since late 2022, and its main tools have been the TunnelSpecter and SweetSpecter backdoors.

Unfading Sea Haze: A suspected Chinese APT named Unfading Sea Haze has gone under the radar for more than five years in attacks targeting countries around the South China Sea. Most of the attacks involved custom versions of the Gh0st open-source remote access trojan. Security firm Bitdefender says it discovered traces of the group's malware on the networks of eight military and government targets in the South China Sea region.

MSS front companies: Natto Thoughts looks at how the MSS appears to combine both front and real companies for its cyber contractor ecosystem.

ORB usage: Google's Mandiant division warns about an increasing number of Chinese APT groups adopting ORB (operational relay box) networks to disguise their attack infrastructure. These networks are made up of a mixture of residential proxy networks, VPS servers, and hacked routers and IoT devices. Threat actors are using these networks to hide malicious operations such as vulnerability scanning, exploitation attempts, C2 traffic, and data exfiltration. Mandiant says it's tracking multiple ORB networks in the wild. The biggest are SPACEHOP and FLORAHOX, used by groups like APT5 and APT31, respectively.

Apple's WPS is leaking: Apple's WiFi Positioning System (WPS) is leaking too much information about nearby devices to a threat actor querying its official API. A team of academics says this data can be collected over time to create a map of WiFi-capable devices around the globe, even for non-Apple devices. Researchers say that by constantly updating this map, they can track the movement of individuals and groups of people over time. For example, researchers say they were able to accurately track the movement of Starlink terminals used by both Ukrainian and Russian forces in their recent conflict. They also tracked how Gaza residents slowly moved to the south of the Gaza Strip in the recent Israeli-Palestinian conflict. Additional coverage in KrebsOnSecurity. Research paper [PDF].

Veeam auth bypass: Backup and recovery software maker Veeam has released security updates that fix five vulnerabilities, including an authentication bypass issue (CVE-2024-29849) in its enterprise backup solution. If you're a company that is a potential target of ransomware campaigns, you may want to patch this issue to prevent threat actors from deleting your backups and forcing you into a corner.

WinRAR bug write-up: Security researcher Siddharth Dushantha has published a write-up of a bug he found in WinRAR's Linux and Windows CLI clients.

PDF.js bug write-up: Codean's Thomas Rinsma has published a write-up of a bug he found in Mozilla's PDF.js PDF file viewer. The bug could have allowed threat actors to run malicious code inside apps where the PDF.js library was used and left misconfigured. It's a pretty niche scenario, but 10/10 on the nasty scale.

GitHub ES PoC: Proof-of-concept code is now available for that CVSSv3 10/10 auth bypass in GitHub Enterprise Server (CVE-2024-4985).

Security audits: Boost and ExpressVPN have published security audits this week. The Boost audit found seven vulnerabilities, while the ExpressVPN audit looked at the company's no-logs policy.

Cisco security updates: Cisco has released seven security advisories for its products.

GitLab security updates: GitLab has published security updates to fix seven vulnerabilities, including a one-click account takeover XSS.

NVD backlog: More than three months after NIST stopped enriching the NVD database, the organization has yet to resume its normal activity. 93% of all vulnerabilities added to the NVD database over the last three months still lack crucial information. According to a report from security firm VulnCheck, NIST's involvement with the NVD is slowing down, with fewer vulnerabilities processed with each passing week.

Kevin Mandia steps down: Mandiant CEO Kevin Mandia is stepping down from his role at the end of the month. The move comes after Google has finished integrating Mandiant into its cybersecurity teams. Google acquired Mandiant for $5.4 billion in late 2022, and the Mandiant threat intel team has been merged into Google Cloud. Mandia will transition into an advisory role at the company. Additional coverage in CRN.

Tool update: Little Snitch: Objective Development has released v6 of the Little Snitch firewall app for macOS.

In this edition of Between Three Nerds, Tom Uren and The Grugq talk to Elena Grossfeld about the strategic culture of Russian intelligence organizations.
