Mac ransomware, Bing source-code leak and other cybersecurity news

We have collected the most important cybersecurity news of the week.

  • Ransomware group Medusa claims ‘theft’ of Bing and Cortana source code.
  • Former Conti and FIN7 members developed new Domino malware.
  • LockBit ransomware targets Mac computers.
  • Android malware Goldoson from Google Play downloaded 100 million times.

Medusa ransomware claims ‘theft’ of Bing and Cortana source code

Members of the Medusa ransomware group claim to have stolen Microsoft's internal materials, including the source code of Bing, Bing Maps and Cortana. The attackers have already published about 12 GB of data.

According to security researchers, the leak contains digital signatures for the company's products, many of which are still in use.

#Medusa is sharing what is claimed to be «source codes of the following Bing products, Bing Maps and Cortana.» The leak is ~12GB and likely part of the ~37GB leaked by Lapsus in 2022. #Microsoft 1/2 pic.twitter.com/VpofBJGEcM

— Brett Callow (@BrettCallow) April 19, 2023

The researchers also suggest the material was originally stolen in 2022 during the Lapsus$ attack on Microsoft. Microsoft confirmed a breach of its systems at the time but said the leak did not affect «customer code, nor any data».

Security researchers note similar methods across the two groups, though no link between them has been confirmed.

Microsoft representatives did not comment on the situation.

Former Conti and FIN7 members developed new Domino malware

IBM Security Intelligence researchers report that former members of the Conti ransomware group have teamed up with FIN7 to distribute the new Domino malware.

The malware can steal passwords, documents, browser credentials, application credentials and cryptocurrency wallets. It can also encrypt files on the infected system.

\"Zz0yMDg4ZGMyMmRhZTMxMWVkODQ2MDQ2OGUzYjllYTQ5ZQ\"
Data: IBM Security Intelligence.

\n

Domino can disable security features such as Windows Defender and UAC.

Attackers using this malware have targeted travel companies, hotels and restaurants.

LockBit ransomware targets Mac computers

MalwareHunterTeam researchers report that the LockBit ransomware group has developed encryptors that specifically target macOS.

«locker_Apple_M1_64»: 3e4bbd21756ae30c24ff7d6942656be024139f8180b7bddd4e5c62a9dfbd8c79
As much as I can tell, this is the first Apple’s Mac devices targeting build of LockBit ransomware sample seen…
Also is this a first for the «big name» gangs?
@patrickwardle
cc @cyb3rops pic.twitter.com/SMuN3Rmodl

— MalwareHunterTeam (@malwrhunterteam) April 15, 2023

On VirusTotal the researchers found a ZIP archive, uploaded in December 2022, containing a macOS build named locker_Apple_M1_64 as well as a build for the PowerPC processors used in older Macs.

Some researchers also suggested that the current versions of the encryptor are not ready for use in real attacks and are most likely test builds.

Worth stressing, as LockBit macOS sample though *compiled* for macOS really isn’t (yet) designed for macOS.

1. Unsigned (won’t easily run on macOS)
2. Doesn’t appear to take into account TCC/SIP, so won’t be able to encrypt much of anything

So (in current form) macOS impact: ~0 https://t.co/zYVNhfYLRo

— Patrick Wardle (@patrickwardle) April 16, 2023

A LockBit group representative, known by the handle LockBitSupp, told Bleeping Computer that the Mac encryptor is ‘actively being developed’ but did not provide details.
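The point that a build compiled for macOS is not necessarily deployable on macOS can be checked mechanically: an unsigned Mach-O carries no LC_CODE_SIGNATURE load command, and a universal binary is just a wrapper around several such images. The parser below is an added example, not code from the article, LockBit or any researcher quoted above; it constructs its own minimal Mach-O images (a little-endian arm64 one, with and without an embedded signature superblob, and a big-endian ppc64 one wrapped in a fat header) rather than reading the sample whose hash is given above, and only checks that a signature blob is present, not that it verifies.

```python
"""Tell unsigned Mach-O builds from ones that at least embed a code signature.

Added example, not from the article or any vendor: a minimal parser for the
thin and fat (universal) Mach-O headers. All sample images are constructed
inline; no real binary is read.
"""
import struct

MH_MAGIC_64 = 0xFEEDFACF            # 64-bit Mach-O, stored in the file's own byte order
FAT_MAGIC = 0xCAFEBABE              # universal wrapper, always big-endian
LC_SEGMENT_64 = 0x19
LC_CODE_SIGNATURE = 0x1D
CSMAGIC_EMBEDDED_SIGNATURE = 0xFADE0CC0  # superblob magic, big-endian like all CS blobs

CPU_ARM64 = 0x0100000C
CPU_X86_64 = 0x01000007
CPU_PPC64 = 0x01000012
CPU_NAMES = {CPU_ARM64: "arm64", CPU_X86_64: "x86_64", CPU_PPC64: "ppc64"}


def _byte_order(blob):
    """Return the struct prefix for a thin 64-bit Mach-O, or None if it is not one."""
    if len(blob) < 32:
        return None
    if struct.unpack_from("<I", blob, 0)[0] == MH_MAGIC_64:
        return "<"
    if struct.unpack_from(">I", blob, 0)[0] == MH_MAGIC_64:
        return ">"
    return None


def describe_thin(blob):
    """Walk the load commands of one 64-bit image and report arch and signature presence."""
    order = _byte_order(blob)
    if order is None:
        raise ValueError("not a 64-bit Mach-O")
    _magic, cputype, _sub, _ftype, ncmds, _size, _flags, _res = struct.unpack_from(order + "8I", blob, 0)
    off, signed = 32, False
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from(order + "2I", blob, off)
        if cmdsize < 8 or off + cmdsize > len(blob):
            raise ValueError("truncated load command")
        if cmd == LC_CODE_SIGNATURE:
            dataoff, datasize = struct.unpack_from(order + "2I", blob, off + 8)
            # The command alone is not enough: the blob it points at must exist
            # inside the file and start with the embedded-signature magic.
            sig = blob[dataoff:dataoff + datasize]
            signed = (len(sig) == datasize and datasize >= 4
                      and struct.unpack_from(">I", sig, 0)[0] == CSMAGIC_EMBEDDED_SIGNATURE)
        off += cmdsize
    return {"arch": CPU_NAMES.get(cputype, hex(cputype)), "signed": signed}


def describe(blob):
    """Handle thin and fat files alike; one record per architecture slice."""
    if struct.unpack_from(">I", blob, 0)[0] == FAT_MAGIC:
        nfat = struct.unpack_from(">I", blob, 4)[0]
        slices = []
        for i in range(nfat):
            _cpu, _sub, offset, size, _align = struct.unpack_from(">5I", blob, 8 + 20 * i)
            slices.append(describe_thin(blob[offset:offset + size]))
        return slices
    return [describe_thin(blob)]


# --- constructed sample images (not real malware) -------------------------

def build_macho(cputype, signed, order="<"):
    """Minimal MH_EXECUTE image: one __TEXT segment, optionally a signature superblob."""
    seg = struct.pack(order + "2I16s4Q4I", LC_SEGMENT_64, 72, b"__TEXT", 0, 0x1000, 0, 0, 5, 5, 0, 0)
    cmds, sig_blob = seg, b""
    if signed:
        # Empty CS_SuperBlob: magic, total length, blob count = 0.
        sig_blob = struct.pack(">3I", CSMAGIC_EMBEDDED_SIGNATURE, 12, 0)
        dataoff = 32 + len(seg) + 16
        cmds += struct.pack(order + "4I", LC_CODE_SIGNATURE, 16, dataoff, len(sig_blob))
    header = struct.pack(order + "8I", MH_MAGIC_64, cputype, 0, 2, 2 if signed else 1, len(cmds), 0, 0)
    return header + cmds + sig_blob


def build_fat(slices):
    """Wrap thin images in a universal header, as an arm64 + PowerPC build would ship."""
    header_len = 8 + 20 * len(slices)
    archs, body = b"", b""
    for image in slices:
        cputype = struct.unpack_from(_byte_order(image) + "I", image, 4)[0]
        archs += struct.pack(">5I", cputype, 0, header_len + len(body), len(image), 0)
        body += image
    return struct.pack(">2I", FAT_MAGIC, len(slices)) + archs + body


if __name__ == "__main__":
    fat = build_fat([build_macho(CPU_ARM64, False), build_macho(CPU_PPC64, False, order=">")])
    for rec in describe(fat):
        print(rec)                       # arm64 unsigned, ppc64 unsigned
    print(describe(build_macho(CPU_ARM64, True)))
```

Whether an unsigned image can be launched depends on how it arrives: Gatekeeper blocks quarantined downloads, but a file dropped by another process without the quarantine attribute may still execute, so this check reads as "will not run easily", not "cannot run".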

Android malware Goldoson from Google Play downloaded 100 million times

McAfee researchers found Goldoson in 60 Google Play apps with a combined total of more than 100 million downloads.

According to the researchers, the malicious code was introduced through a third-party library that the app developers had included without knowing what it did.

On infected devices, Goldoson collects data about installed apps, the user’s location, and devices connected to Wi‑Fi or Bluetooth. It can also display ads in the background, generating revenue for the attacker.

\"ad-clicking\"
Pages loading without user consent. Data: McAfee.

\n

Most affected apps have already been cleaned of Goldoson by the developers. Others were removed from Google Play.

ESET uncovered a potential attack vector via decommissioned network equipment

ESET researchers bought 18 decommissioned routers made by Cisco, Fortinet and Juniper Networks and found that nine of them still held complete configuration data. Only five had been properly wiped.

The data recovered from the routers included IPsec and VPN credentials, hashed root passwords, details about the owner's customers, router-to-router authentication keys, application-specific credentials and firewall rules.

Other recovered data concerned the organization's security posture and could let an attacker gauge how well the former owner is protected.

The researchers identified the previous owners of the equipment with high confidence and warned them of the risk. Among them was an unnamed international technology company with more than 10,000 employees and annual revenue of over $1 billion.
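A device should not leave an organization until someone has confirmed that nothing of the kind listed above survives in its configuration. The scanner below is an added example, not ESET's tooling, and it assumes a Cisco IOS-style configuration syntax (the article does not say which vendor's configs were recovered); the sample config is constructed for this example. It flags credential- and policy-bearing lines and also reverses Cisco type 7 passwords, which are obfuscated with a fixed XOR key rather than hashed, so a leaked config that looks "encrypted" may hand over cleartext.

```python
"""Pre-disposal check for a recovered router configuration.

Added example, not from the article or ESET. Assumes Cisco IOS-style syntax;
the sample config below is constructed and the hash in it is a placeholder.
"""
import re

# Cisco's public type 7 key. The first two characters of a stored value are
# the decimal start offset into this table; the rest is hex of plaintext XOR key.
_XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def decode_type7(encoded):
    """Reverse a type 7 value, e.g. 0822455D0A16 -> 'cisco'."""
    seed = int(encoded[:2])
    body = bytes.fromhex(encoded[2:])
    return bytes(b ^ _XLAT[(seed + i) % len(_XLAT)] for i, b in enumerate(body)).decode("latin-1")


# (category, pattern). Group 1, where present, is the secret or policy detail.
SECRET_PATTERNS = [
    ("enable/user secret (type 5 MD5 hash)", re.compile(r"\bsecret 5 (\$1\$\S+)")),
    ("type 7 password (reversible)",         re.compile(r"\bpassword 7 ([0-9A-Fa-f]{4,})")),
    ("IPsec/ISAKMP pre-shared key",          re.compile(r"\bcrypto isakmp key (\S+) address")),
    ("BGP neighbor authentication",          re.compile(r"\bneighbor \S+ password (\S+)")),
    ("SNMP community string",                re.compile(r"\bsnmp-server community (\S+)")),
    ("TACACS+/RADIUS shared key",            re.compile(r"\b(?:tacacs|radius)-server host \S+ key (\S+)")),
    ("firewall rule (topology disclosure)",  re.compile(r"^\s*(permit|deny)\s")),
]


def scan_config(text):
    """One finding per matching line; an empty list means nothing sensitive was found."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for category, pattern in SECRET_PATTERNS:
            m = pattern.search(line)
            if not m:
                continue
            secret = m.group(1)
            if category.startswith("type 7"):
                secret = decode_type7(secret)   # show what an attacker would actually get
            findings.append({"line": lineno, "category": category, "secret": secret})
            break
    return findings


def is_wiped(text):
    """Only a config with no findings is safe to release with the hardware."""
    return not scan_config(text)


# Constructed sample; addresses are documentation ranges, the hash is a dummy.
SAMPLE_CONFIG = """\
! constructed sample, not a real device
hostname edge-rtr-01
enable secret 5 $1$abcd$CONSTRUCTEDPLACEHOLDERHASH
username backup privilege 15 password 7 0822455D0A16
snmp-server community public RO
crypto isakmp key Pre5haredK3y address 203.0.113.5
tacacs-server host 10.0.0.5 key T4cacsKey
router bgp 65001
 neighbor 198.51.100.2 password BgpS3cret
ip access-list extended OUTSIDE_IN
 permit tcp any host 10.10.10.10 eq 443
 deny ip any any
end
"""

if __name__ == "__main__":
    for f in scan_config(SAMPLE_CONFIG):
        print(f"line {f['line']:>2}  {f['category']:<40} {f['secret']}")
    print("wiped:", is_wiped(SAMPLE_CONFIG))
```

Run it against the output of `show running-config` and `show startup-config` before the device is released; a hashed secret still counts as a finding, because type 5 hashes are cheap to brute-force offline and the other keys on the same config are usually stored in the clear.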

RedLine stealer halted after GitHub repositories were removed

ESET researchers discovered and helped remove four GitHub repositories used to manage RedLine malware.

#ESETResearch, with the help of @github, has temporarily disrupted the operations of #RedLineStealer. During a collaborative investigation with @flaresystems into the infamous stealer, we discovered that the control panels use GitHub repositories as dead-drop resolvers. 1/4 pic.twitter.com/7JjOSbYEBx

— ESET Research (@ESETresearch) April 17, 2023

Because the control panels had no fallback channel, removing the repositories broke the authentication step they relied on and temporarily halted the stealer's operation.

RedLine, active since 2020, is an information stealer. It harvests credentials from browsers, FTP clients, email and messaging apps and VPN clients, and can also take authentication cookies and card numbers saved in browsers, chat logs, local files and cryptocurrency wallet databases.

FSB begins checks on Moscow police over data leak involving law enforcement officers

FSB officers and the Main Directorate for Internal Security of the Russian Interior Ministry are carrying out mass checks at the Moscow police department for the Central Administrative District over a leak of law enforcement data, TASS reports.

According to TASS, police officers took orders via the dark web for the personal data of law enforcement officers and judges and sold the data to clients for a fee.

Several officers from the Taganskiy and Arbat district police departments have already been detained. The head of the Arbat department resigned, and a deputy head of the Central Administrative District police department also submitted his resignation.
