Bear Security – Security News For Week of May 22nd, 2021
These are the stories that relate to our careers, clients, and businesses in the cybersecurity world for the Week of May 22nd, 2021. Watch this in video form over on YouTube, or you can listen on the go with the Bear Security podcast.
Malware Pretending to Be Ransomware
The Hacker News reported that Microsoft’s Security Intelligence Team posted a series of tweets regarding a “massive email campaign” that’s pushing Java-Based STRRAT malware. This particular malware disguises itself as a ransomware infection, appending the file name extension .crimson to files without actually encrypting them. Meanwhile, the malware establishes connections to a command-and-control server where it can be instructed to collect browser passwords, log keystrokes, and run remote commands.
The campaign begins with spam emails sent from compromised email accounts, using subject lines referencing “Outgoing Payments” to trick users into opening a malicious PDF document.
Microsoft has posted the IoCs associated with the campaign on their GitHub; read the entire story over at The Hacker News for more details.
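Because the report says STRRAT only renames files to .crimson without encrypting them, a responder's first question is whether the "encrypted" files are actually intact. The following triage script is an added example, not code from the original post or from Microsoft: it walks a directory for .crimson files, checks whether the content still carries a known file signature or low entropy (a renamed plaintext file), and lists which files can be recovered by simply stripping the extension. The sample directory, file names, and the 7.5-bit entropy threshold are constructed assumptions for the demonstration.

```python
import math
import tempfile
from collections import Counter
from pathlib import Path

FAKE_EXT = ".crimson"  # extension the report says STRRAT appends

# Well-known leading bytes for a few common document types.
MAGIC = {
    b"%PDF": "pdf",
    b"PK\x03\x04": "zip/office",
    b"\x89PNG": "png",
    b"\xff\xd8\xff": "jpeg",
}

# Assumed threshold: genuinely encrypted data sits close to 8 bits/byte.
ENTROPY_THRESHOLD = 7.5


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 0.0 for empty input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(data: bytes) -> str:
    """'rename-only' if the payload still looks like a plaintext file."""
    if any(data.startswith(magic) for magic in MAGIC):
        return "rename-only"
    if shannon_entropy(data) < ENTROPY_THRESHOLD:
        return "rename-only"
    return "possibly-encrypted"


def triage(directory) -> dict:
    """Map each .crimson file name to its classification (first 4 KiB inspected)."""
    return {
        p.name: classify(p.read_bytes()[:4096])
        for p in Path(directory).rglob("*" + FAKE_EXT)
    }


def restore(directory, dry_run: bool = True) -> list:
    """Strip the fake extension from rename-only files; returns restored names."""
    restored = []
    for p in Path(directory).rglob("*" + FAKE_EXT):
        if classify(p.read_bytes()[:4096]) != "rename-only":
            continue
        target = p.with_name(p.name[: -len(FAKE_EXT)])
        if not dry_run and not target.exists():
            p.rename(target)
        restored.append(target.name)
    return restored


def make_sample_dir() -> str:
    """Constructed sample data: two renamed plaintext files and one high-entropy blob
    standing in for a file a real ransomware would have encrypted."""
    d = tempfile.mkdtemp()
    (Path(d) / "invoice.pdf.crimson").write_bytes(
        b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF\n"
    )
    (Path(d) / "notes.txt.crimson").write_bytes(
        b"Quarterly outgoing payments summary\n" * 10
    )
    # bytes(range(256)) * 8 has exactly 8 bits/byte of entropy (deterministic stand-in
    # for ciphertext); a real encrypted file would look similar.
    (Path(d) / "photo.jpg.crimson").write_bytes(bytes(range(256)) * 8)
    return d


if __name__ == "__main__":
    sample = make_sample_dir()
    for name, verdict in sorted(triage(sample).items()):
        print(f"{name:24} {verdict}")
    print("recoverable by rename:", restore(sample, dry_run=True))
```

Run it with `dry_run=False` only after confirming the verdicts; the entropy check is a heuristic, so compressed formats without a listed signature can be misjudged, which is why the script keeps the magic-byte check first and never overwrites an existing target.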
Apple AirTags Could Be Used to Target Empty Homes
Vice is reporting that security researchers have identified that a Find My feature which displays when an AirTag was last seen could give away that you are away from your home. By design, an AirTag reports its position, and the time it last transmitted that location, to its owner through the iPhone Find My app. The feature is intended to let the owner know when the tag was last near an iPhone, which means the owner of a tag can infer the last time an iPhone was near wherever that tag is.
The theory is that since iPhones often travel with their owners, the absence of one at a location could suggest that there are no people around, and through that tell you not only when people have arrived or left, but also how long they’ve been away. This could empower someone with ill intentions to leave an AirTag in a place of interest and, if discovered, pretend it was a mistake. Researchers believe Apple could mitigate these risks through some changes, but there is no word yet from Apple.
Read the entire story over at Vice.
Cisco Talos Warns Lemon Duck Crypto Botnet Gets An Upgrade
Cisco Talos published some research last week regarding the cryptocurrency mining botnet named Lemon Duck. They say that since April 2021 they’ve observed upgraded infrastructure and new components associated with the botnet, which targets unpatched Microsoft Exchange Servers and attempts to download and execute payloads for Cobalt Strike DNS beacons. Cisco Talos says that shortly after Microsoft disclosed the Exchange Server vulnerabilities on March 2nd, they saw various threat actors, including Lemon Duck, seek to exploit these vulnerabilities to gain initial access to environments before security patches were made available.
The research goes on to advise that once a system is compromised by Lemon Duck, the operators often attempt to retrieve additional components and modules from attacker-controlled web servers, largely using PowerShell. After initial beaconing and the gathering of system information, the malware attempts to download a base64-encoded Portable Executable file; if it succeeds, this file enables the malware to uninstall or disable multiple AV/security products, Windows Update, and Windows Defender.
You can view the full breakdown over on the Talos Intelligence blog.
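The Talos write-up describes PowerShell retrieving a base64-encoded Portable Executable. A defender can look for exactly that artefact in PowerShell logging: long base64 runs in a command line or script block that decode to something starting with the "MZ" DOS header. The scanner below is an added example (not Talos's code or any Lemon Duck indicator) that decodes base64 runs found in log lines, and because `-EncodedCommand` payloads are UTF-16LE scripts that may themselves carry a base64 PE, it decodes one level of nesting and rescans. The log lines, event IDs, file path and the stand-in "PE" bytes are all constructed for the demonstration.

```python
from __future__ import annotations

import base64
import binascii
import re

# Runs of base64 alphabet long enough to carry something interesting (assumed minimum).
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
DOS_STUB = b"This program cannot be run in DOS mode"


def decode_b64(blob: str):
    """Decode a base64 run, tolerating stripped padding; None if it is not valid base64."""
    padded = blob + "=" * (-len(blob) % 4)
    try:
        return base64.b64decode(padded, validate=True)
    except (binascii.Error, ValueError):
        return None


def looks_like_pe(data: bytes) -> bool:
    """Cheap PE check: DOS header magic or the classic DOS stub string.
    Real triage would parse the headers; this is enough to raise an alert."""
    return data.startswith(b"MZ") or DOS_STUB in data


def find_embedded_pe(text: str, depth: int = 0, max_depth: int = 2) -> list:
    """Return findings for every base64 run in `text` that decodes to a PE,
    rescanning UTF-16LE-decodable blobs (the -EncodedCommand format) one level down."""
    findings = []
    for m in B64_RUN.finditer(text):
        data = decode_b64(m.group(0))
        if data is None:
            continue
        if looks_like_pe(data):
            findings.append({"depth": depth, "size": len(data), "preview": data[:8]})
            continue
        if depth < max_depth:
            try:
                inner = data.decode("utf-16-le")
            except UnicodeDecodeError:
                continue
            findings.extend(find_embedded_pe(inner, depth + 1, max_depth))
    return findings


def scan_logs(lines) -> dict:
    """Map line index -> findings for lines that carry an embedded PE."""
    hits = {}
    for i, line in enumerate(lines):
        found = find_embedded_pe(line)
        if found:
            hits[i] = found
    return hits


def build_fake_pe() -> bytes:
    """Constructed stand-in for a PE: DOS magic, padding, and the stub text (not runnable)."""
    return b"MZ\x90\x00" + b"\x00" * 0x3C + DOS_STUB + b".\r\n$"


def build_sample_logs() -> list:
    """Constructed log lines: benign script block, an encoded command that embeds a
    base64 PE, and a long base64-looking token that is not a PE."""
    pe_b64 = base64.b64encode(build_fake_pe()).decode()
    script = (
        f'$p=[Convert]::FromBase64String("{pe_b64}");'
        '[IO.File]::WriteAllBytes("C:\\Users\\Public\\update.bin",$p)'
    )
    encoded = base64.b64encode(script.encode("utf-16-le")).decode()
    return [
        "4104 ScriptBlock: Get-Process | Where-Object { $_.CPU -gt 100 }",
        f"4688 CommandLine: powershell.exe -EncodedCommand {encoded}",
        "4104 ScriptBlock: $token = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789ab'",
    ]


if __name__ == "__main__":
    for idx, found in scan_logs(build_sample_logs()).items():
        for f in found:
            print(f"line {idx}: PE-like blob at nesting depth {f['depth']}, "
                  f"{f['size']} bytes, starts {f['preview']!r}")
```

The nesting step matters in practice: the outer blob of an encoded command never matches "MZ" itself because the UTF-16LE script interleaves null bytes, so a single-pass decoder would miss the payload entirely.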
Misconfigured Third-Party Services in Mobile Apps Lead to Over 100 Million Users Exposed
Check Point Research published the results of their research regarding how many application developers put their data and users at risk. They observed that third-party services employed by the developers were misconfigured, which put users’ personal data and the developers’ own internal resources at risk. Researchers said they were able to access the records of over 100 million users, and all they had to do was attempt to access the data. Data they found included email addresses, passwords, private chats, device location, user identifiers, and more. Apps affected included Logo Maker, Astro Guru, T’Leva, Screen Recorder, iFax, and others.
Third-party libraries and services are nothing new, and a developer not doing their due diligence or not taking the time to properly configure them can lead to these kinds of situations. The best defense users can take is to limit app permissions to only what’s necessary and to download only apps they trust.
Read the full research over at Check Point Research.
Gartner Reports Worldwide Security and Risk Management Spending to Exceed $150 Billion
Gartner released a report this week that indicates worldwide spending on information security and risk management technologies is forecast to grow another 12.4% to reach over $150 billion this year. That is about double the increase in 2020, which came in at 6.4%. Gartner says the growth is related to continued demand for remote worker technologies, cloud, security, and grappling with security and regulatory demands.
View the full report over at Gartner.
Resources to Explore for Defenders
The Cybersecurity & Infrastructure Security Agency (CISA) has released eviction guidance for those affected by the SolarWinds and Microsoft 365/Active Directory compromise.
The US Department of Defense has released the first version of their Zero Trust Reference Architecture documents.
Involved in HIPAA?
The National Institute of Standards and Technology (NIST)’s comment period for HIPAA implementation guidance is open through June 15th. Be sure to take the opportunity to provide your feedback.
That’s all for this week’s security news. Come back every Saturday for the next rendition or check it out over on YouTube or on podcast. Have a good week everyone!