Tux Machines


Proprietary Software and Windows Insecurity


Posted by Roy Schestowitz on Aug 27, 2023



How a Well-Regarded Mac App Became a Trojan Horse


> In an email with Gizmodo, Robinson broke down their own investigation into the app. They found that NightOwl installs a launcher that turns the users’ computer into a kind of botnet agent for data that’s sold to third parties. The updated 0.4.5.4 version of NightOwl, released June 13, runs a local HTTP proxy without users’ direct knowledge or consent, they said. The only hint NightOwl gives to users that something’s afoot is a consent notice after they hit the download button, saying the app uses Google Analytics for anonymized tracking and bugs. The botnet settings cannot be disabled through the app, and in order to remove the modifications made to a Mac, users need to run several commands in the Mac Terminal app to excise the vestiges of the code from their system, per Robinson.



macOS: Who's Behind This Network Connection?, (Sat, Aug 26th)


> When you must investigate suspicious behavior or work on an actual incident, you could be asked to determine who's behind a network connection.



ULEZ scams: drivers targeted by dodgy websites when paying charges


> Unofficial websites advertising on Google may set up recurring payments



Windows TCO


Python Malware Using Postgresql for C2 Communications


> I searched for similar scripts with valid credentials, but nothing was found yet. If you spotted the same kind of script, please share!



University of Minnesota Confirms Data Breach, Says Ransomware Not Involved


> The attacker claimed to have accessed 7 million unique Social Security numbers, as the database contained records the university has been digitizing since 1989.


> Responding to a SecurityWeek inquiry, the University of Minnesota confirmed that it initially learned about the [cracker’s] claims on July 21 and that it immediately launched an investigation to verify the validity of the attacker’s claims.



[Repeat] London court finds two teenagers guilty of Lapsus$ attacks


> The so-called Lapsus$ attacks were reported in 2021 and 2022 and the two who were found guilty on Wednesday were charged out of a group of seven teens arrested on 25 March 2022.


> One of the teens was not named as he is 17. The other was identified as Arion Kurtaj and was claimed to be a key member of the group which attacked a number of well-known companies.



[Repeat] New group found using Microsoft-signed certificates in attacks


> This was the second attack on this gambling firm, with the technique used also being similar. On the earlier occasion, a group known as Budworm, aka LuckyMouse or APT 27, was found to be behind the attack, leading ESET to attribute the 2022 attack to the same group.


> The 2022 attack used a variant of the Korplug malware which had the word ESET in a header indicating that it may have been modified to bypass ESET products, the Symantec researchers noted.




-- Page fetched on Fri Jun 14 05:55:26 2024