The CyberWire Daily Podcast 10.23.24
Ep 2175 | 10.23.24

NotLockBit takes a bite out of macOS.

Transcript

NotLockBit mimics its namesake while targeting macOS. Symantec uncovers popular mobile apps with hardcoded credentials. Avast releases a Mallox ransomware decryptor. Akira ransomware reverts to tactics tried and true. Lawmakers ask the DOJ to prosecute tax prep firms for privacy violations. The SEC levies fines for misleading disclosures following the SolarWinds breach. Software liability remains a sticky issue. Updated guidance reiterates the feds’ commitment to the Traffic Light Protocol. A task force has cybersecurity recommendations for the next U.S. president. Today’s guest is Jérôme Segura, Sr. Director of Research at Malwarebytes, sharing their work on "Scammers advertise fake AppleCare+ service via GitHub repos." Warrantless surveillance, powered by your favorite apps.

Today is Wednesday October 23rd 2024. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

NotLockBit mimics its namesake while targeting macOS. 

A new macOS malware, dubbed NotLockBit, is making headlines for mimicking the notorious LockBit ransomware. Written in Go and targeting both Windows and macOS systems, NotLockBit follows typical ransomware tactics, including data theft, file encryption, and deleting shadow copies to prevent recovery. It uses RSA encryption, ensuring that only the attacker can decrypt the master key. The malware appends “.abcd” to encrypted files and drops ransom notes while attempting to display a LockBit 2.0 banner. SentinelOne, which discovered the malware, believes it is still in active development. Trend Micro found that NotLockBit exfiltrates victim data to an Amazon S3 bucket using hardcoded AWS credentials, possibly belonging to the attacker or a compromised account. Though AWS has since suspended the account, SentinelOne warns that more developments from this threat actor are likely. NotLockBit is the first functional ransomware family to target macOS beyond proof-of-concept samples. Researchers speculate the threat actors are impersonating LockBit to capitalize on name recognition. 

Symantec uncovers popular mobile apps with hardcoded credentials. 

Symantec has uncovered a significant security flaw in numerous popular iOS and Android apps, exposing millions of users to potential breaches. The issue arises from developers embedding hardcoded, unencrypted cloud service credentials—such as AWS and Azure keys—directly into app code. This insecure practice grants attackers unauthorized access to sensitive data and backend infrastructure, leading to potential data exfiltration, service disruptions, and further exploitation. Attackers could leverage these hardcoded keys to access cloud services and manipulate data. Symantec stresses the need for robust security measures, such as using environment variables, secrets management, and encryption of sensitive data. For cybersecurity professionals, this discovery highlights the importance of secure app development practices, regular security audits, and automating code scanning to mitigate risks tied to credential exposure.

Avast releases a Mallox ransomware decryptor. 

Researchers at Avast have discovered a flaw in the Mallox ransomware, allowing victims to recover files without paying a ransom. This flaw, found in versions active throughout 2023 and early 2024, lets users decrypt files encrypted with extensions like .mallox and .xollam. Although the attackers patched the vulnerability in March 2024, a free decryption tool from Avast is available for those affected by the older versions. Victims are advised to back up files and run the tool with administrative privileges. A tip of the hat to the team at Avast. 

Akira ransomware reverts to tactics tried and true. 

Cisco Talos reports that the Akira ransomware group has shifted back to older tactics after experimenting with pure extortion and a Rust-based encryptor called Akira v2 throughout early 2024. The new C++ version of Akira, reintroduced in September 2024, targets both Windows and Linux systems, using a faster ChaCha8 encryption algorithm for swiftness. Researchers noted that Akira’s return to C++ suggests a preference for cross-platform consistency, making their operations more stable. Alongside their retooling, Akira affiliates have exploited several critical vulnerabilities, such as SonicWall’s SonicOS RCE flaw (CVE-2024-40766) and Fortinet’s SQL injection flaw (CVE-2023-48788), to gain initial access. For post-intrusion activity, vulnerabilities like Cisco’s ASA (CVE-2023-20269) and VMware’s ESXi authentication bypass flaw (CVE-2024-37085) have been used for privilege escalation and persistence. In a June 2024 attack on a Latin American airline, the group exploited a Veeam Backup flaw (CVE-2023-27532) to steal credentials and maintain access.

Talos researchers highlight Akira’s adaptability, emphasizing its use of refined ransomware techniques and the proactive selection of new vulnerabilities for initial access and lateral movement.

Lawmakers ask the DOJ to prosecute tax prep firms for privacy violations. 

Democratic lawmakers are calling on the Department of Justice to prosecute major tax preparation firms for allegedly sharing customers’ sensitive financial data with Google and Meta without proper consent. A recent Treasury Department audit found that these firms—identified by a Congressional investigation as TaxSlayer, H&R Block, TaxAct, and Ramsey Solutions—illegally shared tax data, including income and refund details, with the tech companies. The lawmakers, including Sens. Elizabeth Warren and Richard Blumenthal, argue that accountability is crucial, noting potential billions in liability and criminal charges. Penalties could include $1,000 per violation and up to a year in prison. This follows a 2022 report by The Markup, which first uncovered these violations, and an FTC warning to tax firms about securing consumer consent before sharing data. H&R Block is also facing a RICO lawsuit for its actions. Lawmakers emphasized the urgency for the DOJ to prioritize enforcement against corporate misconduct, aligning with the agency’s commitment to targeting white-collar crime.

The SEC levies fines for misleading disclosures following the SolarWinds breach. 

The SEC has fined four companies—Check Point, Mimecast, Unisys, and Avaya—for misleading disclosures related to the 2019 SolarWinds breach, which affected various companies and government agencies. The fines range from $990,000 to $4 million, minor amounts for companies of their size. Each company allegedly downplayed the severity of their respective breaches. For example, Mimecast and Avaya failed to disclose the full extent of stolen data, while Check Point issued generic statements about cyber risks. All companies cooperated with the investigation, settling without admitting or denying fault. Despite the penalties, which serve as a warning, the amounts imposed are seen as relatively insignificant given the scale of the firms involved, a slap on the wrist at best. The SEC continues to push for stronger regulations around breach disclosure to ensure better transparency and accountability.

Software liability remains a sticky issue. 

Six years after the Cyberspace Solarium Commission proposed holding software companies accountable for security flaws, this recommendation remains unfulfilled. The push for software liability emerged due to repeated cyberattacks, like the SolarWinds and CrowdStrike breaches, which demonstrated the risks of poorly written code. While the majority of the commission’s recommendations have been implemented, liability remains a thorny issue. Policymakers and experts agree that it is essential for companies to take responsibility when their software causes harm. However, designing a framework for liability is challenging due to legal and technical complexities.

Writing for The Record, Eric Geller reports that one key challenge is defining a “standard of care” for software security. The fast pace of technological change makes it difficult to set clear guidelines, and there’s debate over whether liability should be regulated through lawsuits or by government standards. Additionally, software vendors have long been shielded from liability, with industry contracts typically disclaiming responsibility. The tech industry argues that liability would stifle innovation, increase costs, and distract companies from improving security.

Despite this resistance, advocates argue that companies need to be held accountable for vulnerabilities, just like automakers are for defective cars. The Biden administration has expressed interest in pursuing software liability, but progress has been slow. Meanwhile, tech leaders emphasize market-driven solutions, claiming that businesses already prioritize security to maintain customer trust.

Updated guidance reiterates the feds’ commitment to the Traffic Light Protocol. 

The Traffic Light Protocol (TLP) is a system used to classify and control the sharing of sensitive information. It defines four color-coded categories that indicate how information should be distributed:

TLP:RED – Information is highly sensitive and should only be shared with specific individuals.

TLP:AMBER – Information can be shared within an organization or with trusted parties, but not publicly.

TLP:GREEN – Information can be shared with a wider community but not on public platforms.

TLP:WHITE – Information can be freely shared without restrictions.

The U.S. federal government has reiterated its commitment to improving cyber threat information sharing with the cybersecurity community using the Traffic Light Protocol (TLP). This protocol, widely accepted globally, designates information handling permissions to build trust and ensure secure data sharing. The updated guidance clarifies the government’s approach to working with security researchers, stressing confidentiality when sharing threat data. National Cyber Director Harry Coker emphasized the importance of information sharing, calling it “the lifeblood” of cybersecurity, and highlighted the government’s dedication to listening, learning, and fostering partnerships with the private sector.

A task force has cybersecurity recommendations for the next U.S. president. 

A task force of cyber experts from Auburn University’s McCrary Institute and the Cyberspace Solarium Commission 2.0 has urged the next U.S. president to address key cybersecurity issues. Their report, “Securing America’s Digital Future,” emphasizes immediate priorities such as reconciling conflicting regulations, deterring cyberattacks, tackling the workforce shortage, and safeguarding critical infrastructure. Additionally, the report recommends strengthening federal cyber agencies, developing offensive strategies, creating a national cybersecurity curriculum, and expanding budgets for infrastructure protection. Collaboration with Congress is also advised to improve technical expertise and drive policy changes.

Our guest today is Malwarebytes’ Jerome Segura talking with me about their findings on"Scammers advertise fake AppleCare+ service via GitHub repos." We’ll be right back

Welcome back. You can find the link to the research Jerome discussed in our show notes. 

Warrantless surveillance, powered by your favorite apps. 

In a detailed investigation by Brian Krebs, a lawsuit filed under New Jersey’s Daniel’s Law highlights the alarming use of mobile location data by commercial services, making it possible for nearly anyone to track individuals’ daily movements. The case involves Atlas Data Privacy Corp., which is suing 151 data brokers for allegedly violating Daniel’s Law by selling the personal information of over 20,000 New Jersey law enforcement officers, government personnel, and their families. This law, passed after the tragic murder of Daniel Anderl, the son of a federal judge, is meant to safeguard such individuals’ private information.

At the center of this legal battle is Babel Street’s LocateX platform, a tool that allows users to track mobile devices based on their location data. Atlas alleges that Babel Street’s technology enables detailed tracking of devices at sensitive locations, such as mosques, abortion clinics, and courthouses. Atlas even demonstrated how its private investigator used a free trial of the platform to track the movements of police officers, uncovering addresses and personal routines.

The broader implications of this lawsuit reveal that modern advertising data, collected by mobile apps and websites, creates a troubling privacy risk. The sale of mobile advertising IDs (MAIDs), originally intended to anonymize user tracking, has allowed for widespread surveillance capabilities, enabling not only governments but private individuals to follow people’s movements in near real-time.

I cannot help wondering if one way to move the needle on this kind of rampant tracking could be for some gadfly, someone like comedian John Oliver perhaps, could legally purchase this kind of data and start publishing the routine comings and goings of members of congress. 

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.

 

We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com

We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.

 

This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.