Join Guardsquare to learn more about our new guided configuration approach to mobile application protection.
Our latest innovation ensures that all developers can effortlessly launch apps with industry-leading protection in less than a day.
This webinar will: walk through Guardsquare's new guided configuration approach; discuss how this new approach empowers mobile app publishers to easily configure security features, receive actionable insights, and monitor protection outcomes without sacrificing app performance or user experience; and cover a case study addressing how customers successfully implemented the technology.
SPONSORED
Welcome to another _secpro!
It’s been another busy week with another set of problems to keep you busy. We’ve got the details below, but here’s a quick synopsis for those of you in a rush…
Cybersecurity experts Bruce Schneier and Roger Grimes emphasize the difficulty of prioritizing actions among numerous unranked cybersecurity guidelines, which often lack risk-based prioritization. Strava's fitness app continues to expose sensitive data, enabling the tracking of military personnel and world leaders. German police have achieved some success in deanonymizing Tor users through timing analysis. Cybercrime is also escalating with low-tech ATM attacks in Germany and major command injection vulnerabilities affecting Arcadyan routers. Recent takedowns by Eurojust disrupted global infostealer malware networks, and Google revealed a Russian espionage campaign targeting Ukrainian military recruits via a hybrid malware operation. A massive data breach at Change Healthcare compromised the data of 100 million Americans, while lax mobile ad data practices expose individuals to location tracking. Meanwhile, phishing attacks using Webflow target cryptocurrency wallets, and Sysdig's EMERALDWHALE campaign uncovered the theft of 15,000 cloud credentials. Finally, ThreatFabric discovered updated LightSpy malware, now targeting both macOS and iOS.
As always, make sure to check out the templates, podcasts, and other stuff on our Substack and access the very best that we have to offer. You might even learn something!
Cheers!
Austin Miller
Editor-in-Chief
Bruce Schneier - Roger Grimes on Prioritizing Cybersecurity Advice: "This is a good point: Part of the problem is that we are constantly handed lists…list of required controls…list of things we are being asked to fix or improve…lists of new projects…lists of threats, and so on, that are not ranked for risks. For example, we are often given a cybersecurity guideline (e.g., PCI-DSS, HIPAA, SOX, NIST, etc.) with hundreds of recommendations. They are all great recommendations, which if followed, will reduce risk in your environment. What they do not tell you is which of the recommended things will have the most impact on best reducing risk in your environment. They do not tell you that one, two or three of these things…among the hundreds that have been given to you, will reduce more risk than all the others."
Bruce Schneier - Tracking World Leaders Using Strava: "Way back in 2018, people noticed that you could find secret military bases using data published by the Strava fitness app. Soldiers and other military personnel were using them to track their runs, and you could look at the public data and find places where there should be no people running. Six years later, the problem remains. Le Monde has reported that the same Strava data can be used to track the movements of world leaders. They don’t wear the tracking device, but many of their bodyguards do."
Bruce Schneier - Law Enforcement Deanonymizes Tor Users: "The German police have successfully deanonymized at least four Tor users. It appears they watch known Tor relays and known suspects, and use timing analysis to figure out who is using what relay. Tor has written about this."
Bruce Schneier - Criminals Are Blowing up ATMs in Germany: "It’s low tech, but effective. Why Germany? It has more ATMs than other European countries, and—if I read the article right—they have more money in them."
CMU CERT - Vulnerable WiFi Alliance example code found in Arcadyan FMIMG51AX000J: "A command injection vulnerability has been identified in the Wi-Fi Test Suite, a tool developed by the WiFi Alliance, which has been found deployed on Arcadyan routers. This flaw allows an unauthenticated local attacker to exploit the Wi-Fi Test Suite by sending specially crafted packets, enabling the execution of arbitrary commands with root privileges on the affected routers."
Eurojust - Malware targeting millions of people taken down by international coalition: "A global operation, supported by Eurojust, has led to the takedown of servers of infostealers, a type of malware used to steal personal data and conduct cybercrimes worldwide. The infostealers, RedLine and META, taken down today targeted millions of victims worldwide, making it one of the largest malware platforms globally. An international coalition of authorities from the Netherlands, the United States, Belgium, Portugal, the United Kingdom and Australia shut down three servers in the Netherlands, seized two domains, unsealed charges in the United States and took two people into custody in Belgium."
Google Cloud - Hybrid Russian Espionage and Influence Campaign Aims to Compromise Ukrainian Military Recruits and Deliver Anti-Mobilization Narratives: "In September 2024, Google Threat Intelligence Group (consisting of Google’s Threat Analysis Group (TAG) and Mandiant) discovered UNC5812, a suspected Russian hybrid espionage and influence operation, delivering Windows and Android malware using a Telegram persona named "Civil Defense". "Civil Defense" claims to be a provider of free software programs designed to enable potential conscripts to view and share crowdsourced locations of Ukrainian military recruiters. If installed with Google Play Protect disabled, these programs deliver an operating system-specific commodity malware variant to the victim alongside a decoy mapping application we track as SUNSPINNER. In addition to using its Telegram channel and website for malware delivery, UNC5812 is also actively engaged in influence activity, delivering narratives and soliciting content intended to undermine support for Ukraine's mobilization efforts."
Krebs on Security - Change Healthcare Breach Hits 100M Americans: "Change Healthcare says it has notified approximately 100 million Americans that their personal, financial and healthcare records may have been stolen in a February 2024 ransomware attack that caused the largest ever known data breach of protected health information."
Krebs on Security - The Global Surveillance Free-for-All in Mobile Ad Data: "Not long ago, the ability to digitally track someone’s daily movements just by knowing their home address, employer, or place of worship was considered a dangerous power that should remain only within the purview of nation states. But a new lawsuit in a likely constitutional battle over a New Jersey privacy law shows that anyone can now access this capability, thanks to a proliferation of commercial services that hoover up the digital exhaust emitted by widely-used mobile apps and websites."
Netskope - Attackers Target Crypto Wallets Using Codeless Webflow Phishing Pages: "From April to September 2024, Netskope Threat Labs tracked a 10-fold increase in traffic to phishing pages crafted through Webflow. The campaigns target sensitive information from different crypto wallets, including Coinbase, MetaMask, Phantom, Trezor, and Bitbuy, as well as login credentials for multiple company webmail platforms, as well as Microsoft365 login credentials. The campaigns have targeted more than 120 organizations worldwide, with the majority located in North America and Asia, across multiple segments led by financial services, banking, and technology."
Safebreach - An Update on Windows Downdate: "In August, I shared a blog on my most recent research project called Windows Downdate, which I first presented at Black Hat USA 2024 and DEF CON 32 (2024). In it, I explained how I was able to develop a tool to take over the Windows Update process to craft custom downgrades on critical OS components to expose previously fixed vulnerabilities. By using this downgrade ability, I discovered CVE-2024-21302, a privilege escalation vulnerability affecting the entire Windows virtualization stack."
Sysdig - EMERALDWHALE: 15k Cloud Credentials Stolen in Operation Targeting Exposed Git Config Files: "The Sysdig Threat Research Team (TRT) recently discovered a global operation, EMERALDWHALE, targeting exposed Git configurations resulting in more than 15,000 cloud service credentials stolen. This campaign used multiple private tools that abused multiple misconfigured web services, allowing attackers to steal credentials, clone private repositories, and extract cloud credentials from their source code. Credentials for over 10,000 private repositories were collected during the operation. The stolen data was stored in an S3 bucket of a previous victim."
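The EMERALDWHALE item above turns on Git configurations that were reachable from the web and carried credentials. A practical defensive check is to audit your own `.git/config` files before a web root is published. The script below is an added example written for this newsletter, not Sysdig's tooling or anything from the original report; it assumes (as a labelled assumption, since the page does not spell out the format of the stolen secrets) that credentials in a Git config most often appear either as userinfo in an `https://user:token@host/...` remote URL or as an `http.extraheader` value carrying an `Authorization` header. The sample config is constructed and the tokens in it are placeholders.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed sample of a .git/config, not taken from any real repository.
# Both secrets below are obviously fake placeholders.
SAMPLE_GIT_CONFIG = """\
[core]
    repositoryformatversion = 0
    filemode = true
[remote "origin"]
    url = https://deploy-bot:EXAMPLE_TOKEN_NOT_REAL@github.com/example-org/billing.git
    fetch = +refs/heads/*:refs/remotes/origin/*
[remote "mirror"]
    url = git@gitlab.example.com:example-org/billing.git
    fetch = +refs/heads/*:refs/remotes/mirror/*
[http]
    ; CI systems sometimes inject tokens this way (assumption, see lead-in)
    extraheader = AUTHORIZATION: bearer EXAMPLE_BEARER_NOT_REAL
"""

# Matches [section] and [section "subsection"] headers.
_SECTION_RE = re.compile(r'^\[\s*([^\s\]"]+)(?:\s+"([^"]*)")?\s*\]$')


def parse_git_config(text):
    """Minimal parser for git's config syntax.

    Returns a list of (section, key, value) triples. The section is the
    dotted form git itself uses, e.g. 'remote.origin'. Comment lines
    (# or ;) and blank lines are skipped. Backslash continuations are
    not handled, which is fine for .git/config files written by git.
    """
    entries = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = _SECTION_RE.match(line)
        if m:
            name, sub = m.group(1).lower(), m.group(2)
            section = f"{name}.{sub}" if sub is not None else name
            continue
        if section is None:
            raise ValueError(f"key outside of any section: {line!r}")
        key, _, value = line.partition("=")
        entries.append((section, key.strip().lower(), value.strip()))
    return entries


def _redact_url(url):
    """Replace any userinfo in an http(s) URL with '***' so reports stay safe."""
    parts = urlsplit(url)
    if not parts.username and not parts.password:
        return url
    host = parts.hostname or ""
    if parts.port:
        host += f":{parts.port}"
    return urlunsplit((parts.scheme, f"***@{host}", parts.path, parts.query, parts.fragment))


def audit_git_config(text):
    """Return findings for secrets embedded in a git config.

    Checks two patterns: userinfo in http(s) remote URLs, and an
    Authorization header stored under http.extraheader. Each finding
    carries only a redacted value, so the report itself does not leak.
    """
    findings = []
    for section, key, value in parse_git_config(text):
        if section.startswith("remote.") and key == "url":
            parts = urlsplit(value)
            # scp-style remotes such as git@host:path have no scheme and are not flagged
            if parts.scheme in ("http", "https") and (parts.username or parts.password):
                findings.append({
                    "section": section,
                    "key": key,
                    "reason": "credentials embedded in remote URL",
                    "redacted": _redact_url(value),
                })
        elif section.startswith("http") and key == "extraheader":
            header_name = value.split(":", 1)[0].strip().lower()
            if header_name == "authorization":
                findings.append({
                    "section": section,
                    "key": key,
                    "reason": "Authorization header stored in config",
                    "redacted": "AUTHORIZATION: ***",
                })
    return findings


if __name__ == "__main__":
    for f in audit_git_config(SAMPLE_GIT_CONFIG):
        print(f"{f['section']}.{f['key']}: {f['reason']} ({f['redacted']})")
```

Run it against each `.git/config` under a build or deploy tree as a pre-publish gate; the report never prints the secret itself, only where it lives. Pair the check with a web-server rule that refuses to serve any path under `/.git/`, since an audit only helps if the directory cannot be fetched in the first place.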
ThreatFabric - LightSpy: Implant for iOS: "In May 2024, ThreatFabric published a report about LightSpy for macOS. During that investigation, we discovered that the threat actor was using the same server for both macOS and iOS campaigns. Thanks to this, we were also able to obtain the most recent samples of LightSpy for iOS. After a brief analysis of the obtained files, we concluded that this version slightly differs from the version discussed by researchers in 2020."
goliate/hidden-tear: It's a ransomware-like file crypter sample which can be modified for specific purposes. Simples.
ncorbuk/Python-Ransomware - A Python Ransomware Tutorial with a YouTube tutorial explaining code and showcasing the ransomware with victim/target roles.
ForbiddenProgrammer/conti-pentester-guide-leak: Leaked pentesting manuals given to Conti ransomware crooks.
codesiddhant/Jasmin-Ransomware: Jasmin Ransomware is an advanced red team tool (WannaCry Clone) used for simulating real ransomware attacks. Jasmin helps security researchers to overcome the risk of external attacks.
19th International Conference for Internet Technology and Secured Transactions (4th-5th November): The 19th International Conference for Internet Technology and Secured Transactions (ICITST-2024) will be held at the St Anne's College, Oxford, from the 4th to 6th of November, 2024. The ICITST is an international refereed conference dedicated to the advancement of theory and practical implementation of secured Internet transactions and to fostering discussions on information technology evolution. The ICITST-2024 aims to provide a highly professional and comparative academic research forum that promotes collaborative excellence between academia and industry.
The Women and Diversity in Tech and Channel Festival (5th November): "The Women and Diversity in Tech and Channel Festival is a celebration of diversity within the tech landscape. Although progress has been made, there is still far to go to make sure that people from every background and gender have avenues to achieve satisfaction and success with a role in tech."
Zywave's Cyber Risk Insights Conference (6th November): "Free Registration is offered to full-time Risk Managers and Insurance Buyers as a courtesy from Zywave. First come first served, of course, and we reserve the right to verify roles as well as to deny this free courtesy based on our sole discretion."
AI-Driven MedTech: Navigating the New Frontier (6th November): "Join us for an insightful webinar where we explore the transformative power of Artificial Intelligence (AI) in the medical and healthcare industries. As we stand on the brink of a new era in MedTech, AI is emerging as a pivotal force, driving innovation and enhancing patient care. This webinar will provide a practical understanding of how AI is becoming an indispensable “member” of the medical team, revolutionizing everything from diagnostics and treatment planning to medical device development."
The 10th IEEE World Forum on Internet of Things (10th-13th November): The IEEE WFIoT2024 continues the legacy of being the premier event hosted by the IEEE IoT Technical Community, uniting diverse expertise intrinsic to the IoT domain. This year, we proudly announce the theme for WFIoT 2024: "Unleashing the Power of IoT with AI." This theme underscores the pivotal role of Artificial Intelligence in augmenting the potential of the Internet of Things.