Threat Source newsletter (Aug. 25, 2022) — Why aren't Lockdown modes the default setting on phones?

Why do I care? 

While Apple did not disclose any details of attacks potential exploiting these issues, it did say it was aware of a report that the issues “may have been actively exploited.” Apple says the vulnerabilities exist in iPhone 6s and later, all models of the iPad Pro, the iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later and iPod touch 7th generation. Any users of these devices should patch as soon as possible. 

So now what? 

Patch, patch and patch again if you’re using any Apple devices. 

 

Top security headlines from the week

The LockBit ransomware’s website was hit with a large distributed denial-of-service attack after threatening to leak documents belonging to a cybersecurity firm. At one point, the site displayed a warning that the ransomware gang plans to upload the targeted company’s stolen data to peer-to-peer networks. Talos’ own Azim Shukuhi first tweeted that a LockBit member told him the site's servers were receiving “400 requests a second from over 1,000 servers” in a possible “hack back” attack. DDoS attacks aim to disrupt a site’s operations by flooding it with traffic and messages, forcing it to essentially shut down for a period of time. (The Register, TechCrunch) 

Former Twitter Head of Security Peiter "Mudge" Zatko filed a complaint to the U.S. Securities and Exchange Commission alleging that Twitter is not doing enough to crack down on bot and spam accounts. Mudge is known for being involved with the “Cult of the Dead Cow” hacking group, one of the first groups of its kind in history. The testimony to the SEC also stated that too many Twitter employees have access to critical user data and the company was not actually deleting user data when it was asked to. The number of bot accounts on the social media site is central to a failed bid for Elon Musk to buy the company. (CNN, The Verge) 

The FBI is warning that threat actors are increasingly hijacking home IP addresses to disguise credential-stuffing attacks. An investigation from the FBI and their Australian counterparts uncovered two sites that contained more than 300,000 unique credentials that were for sale, warning they could be used in attacks against private companies. The actors are setting up proxies to disguise the flood of login attempts, and by using residential IP addresses, they can avoid usual detection techniques. (Cybersecurity Dive, FBI) 

Can’t get enough Talos? 

Upcoming events where you can find Talos 

Most prevalent malware files from Talos telemetry over the past week