Smart home cybersecurity news roundup [February 2021]
Spring is just around the corner, and in the midst of all your spring cleaning, don’t forget to do a sweep through your computer with a malware scan. In this month's smart home cybersecurity roundup, we cover a mysterious yet dormant threat that runs natively on macOS devices, Accellion's decision to deprecate its file transfer application, and the diverse slew of malware targeting gamers on Discord.
Silver Sparrow malware targets macOS devices
While nearly 30,000 macOS devices in 153 countries are known to have been infected by the malware known as Silver Sparrow, researchers suggest that there are likely still many undiscovered cases yet to be confirmed. The first thing you should know about this new strain is that it’s designed to run natively on the Apple M1 ARM64 processor.
Silver Sparrow has some rare quirks, including the ability to remove itself from a system, two separate versions of itself with different installer packages, and clockwork checks to a server for commands that, so far, have seemed to deliver nothing. The first version of this malware targeted only Intel x86_64 processors and was discovered in August 2020, but the most recent version, which can target the x86_64 and the M1 chip, was discovered this February.
While there haven’t been any payload deliveries so far, the potential threat is what worries researchers. Red Canary worked together with Malwarebytes as well as VMware Carbon Black to report on the malware:
Though we haven’t observed Silver Sparrow delivering additional malicious payloads yet, its forward-looking M1 chip compatibility, global reach, relatively high infection rate, and operational maturity suggest Silver Sparrow is a reasonably serious threat, uniquely positioned to deliver a potentially impactful payload at a moment’s notice.
While the root cause of how the malware infects devices is still unknown, it's suspected that malicious search engine results are the culprit. The above report also includes information on how to detect if this malware is currently running on a system, including a list of named processes to search.
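The report referenced above gives a list of process names to look for. The following is an added example (not code from Red Canary or from this post) of the kind of check a defender would run: it parses `ps -axo pid=,comm=` output and matches each command's basename against a set of indicator names. The indicator names and the sample `ps` output below are constructed placeholders; substitute the names from the report.

```python
import subprocess

# Constructed placeholder indicator names; the real list lives in the report.
INDICATOR_PROCESSES = {"example-indicator-agent", "example-indicator-updater"}

# Constructed sample of `ps -axo pid=,comm=` output for offline testing.
SAMPLE_PS = """\
    1 /sbin/launchd
  412 /usr/libexec/example-indicator-agent
  987 /Applications/Safari.app/Contents/MacOS/Safari
"""


def parse_ps_output(text):
    """Turn `ps -axo pid=,comm=` lines into (pid, command-basename) tuples.

    The command column may itself contain spaces and a full path, so only the
    first whitespace split separates the pid; the basename is taken after the
    last '/'.
    """
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        pid_str, _, comm = line.partition(" ")
        if not pid_str.isdigit():
            continue  # skip anything that is not a process row
        name = comm.strip().rsplit("/", 1)[-1]
        entries.append((int(pid_str), name))
    return entries


def find_indicators(entries, indicators):
    """Return the (pid, name) pairs whose basename is in the indicator set."""
    return [(pid, name) for pid, name in entries if name in indicators]


def scan_live_system(indicators=INDICATOR_PROCESSES):
    """Run ps on the current host and report matching processes (macOS/BSD ps)."""
    out = subprocess.run(
        ["ps", "-axo", "pid=,comm="], capture_output=True, text=True, check=True
    ).stdout
    return find_indicators(parse_ps_output(out), indicators)


if __name__ == "__main__":
    for pid, name in scan_live_system():
        print(f"indicator process found: pid={pid} name={name}")
```

A hit from this scan is only a starting point: confirm by inspecting the binary's path, signing status and persistence entry rather than killing the process on name alone.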
Accellion reports end of life for its file transfer software
Accellion has declared it will no longer support its legacy FTA (file transfer application) software as of April 30th, 2021, due to ongoing vulnerability exploits discovered as far back as December 2020. The initial exploit appeared to be an SQL injection, a method by which malicious actors can intercept data on its path between a user and an application database. GuidePoint Security posted a report detailing the malware's code that executes in a web shell and educating readers on how to recognize whether an infrastructure has been affected.
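To make the SQL injection mechanism concrete, here is an added example, not code from Accellion, FTA or the GuidePoint report, showing a login query built by string concatenation beside the parameterized version that a fix would use. The in-memory SQLite table and the user record are constructed for the demonstration.

```python
import sqlite3


def build_db():
    """Constructed in-memory user store standing in for an application database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse', 'admin')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """String-built query: user input is spliced into the SQL text, so a quote
    and a comment marker in the username change the query's structure."""
    query = (
        "SELECT username, role FROM users "
        "WHERE username = '%s' AND password = '%s'" % (username, password)
    )
    return conn.execute(query).fetchone()


def login_hardened(conn, username, password):
    """Parameterized query: values travel separately from the SQL text and are
    never parsed as SQL, whatever characters they contain."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()


def compare(username, password):
    """Run both versions on the same input and return their results side by side."""
    conn = build_db()
    return {
        "vulnerable": login_vulnerable(conn, username, password),
        "hardened": login_hardened(conn, username, password),
    }


if __name__ == "__main__":
    # A legitimate login succeeds in both versions.
    print(compare("alice", "correct-horse"))
    # Input that terminates the string and comments out the password check
    # only succeeds against the string-built query.
    print(compare("alice' --", "wrong"))
```

The defensive takeaway is that the hardened function does not try to sanitize the input; it removes the possibility of input being interpreted as SQL at all, which is why parameterized queries (or an ORM that uses them) are the standard fix rather than input filtering.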
This 20-year-old software was particularly useful for the internal sharing of files too large for email, and has since lived on as a legacy system at many companies. Accellion explains that the end of support for CentOS 6 in November 2020 consequently hinders its capacity to keep supporting the legacy FTA software. While support for this software will end soon, Accellion recommends an upgrade to kiteworks in the FTA end-of-life announcement:
Accellion would be honored to keep the terms at renewal time (or earlier) if you would like to upgrade to our flagship kiteworks Content Firewall platform. Accellion would assist, at no additional cost, in the migration process to kiteworks and will work with you on the time period to achieve this transition.
The kiteworks Content Firewall platform acts as a method of sharing sensitive content with the ability to maintain compliance regulations such as HIPAA, DPR, and FISMA. The software also comes complete with features such as in-transit and at-rest encryption, ongoing security updates, and granular policy controls to protect sensitive information on communication channels.
Malicious actors target Discord gamers in surge of game downloads
Researchers at Zscaler discovered that threat actors have been sharing clickbait links through the popular gaming chat app Discord, deceiving users into downloading malicious files. The attacks begin with spam emails disguised as legitimate, game-related content. The convincing templates and icons trick Discord users into engaging with a broad spectrum of malware, including ransomware, stealers, and a crypto-miner. Discord token grabbers were also discovered attempting to harvest user information.
The Epsilon ransomware renders a user's files inaccessible using 256-bit AES encryption before displaying a note of how to communicate with the attacker, send them payment, and allegedly receive a private key to decrypt files back to a usable form. Meanwhile, Redline Stealer is able to commandeer login credentials, autocomplete fields, credit card information, location information, and even hardware data from your computer. According to Zscaler, it's also found in an underground malware market and can be purchased under a subscription model.
The XMRig crypto-miner found in this batch of malware is capable of altering files without user permissions before it connects to a command and control server. It can also attempt to delete programs like Windows Task Manager in efforts to prevent its detection.
Fortunately, the Zscaler ThreatLabZ team was able to detect the threats and prevent the consequences of these malware campaigns thanks to its Cloud Sandbox. The team pledges to keep monitoring for threats in order to keep users safe.