Earlier this month, it was reported in an article by PC Mag that security team Red Canary located a new strand of macOS malware. Upon investigation, it was determined the malware seemed to exhibit behaviors previously unheard of in regard to its execution. After consulting with popular malware detection company Malwarebytes, it was determined the strand of malware had infected nearly 30,000 macOS endpoints. These infected devices spread across 153 countries with a majority of infections occurring in the United States. Red Canary has since named the newly identified malware as “Silver Sparrow.”

Further research determined that it doesn’t appear Silver Sparrow has been responsible for delivering any malicious payloads yet. It was determined that every Mac infected with Silver Sparrow is in communication with a control tower in case there are any received commands. Researchers believe a command could be issued at any point. It was also determined the malware has the capability to remotely remove itself from an infected system.

Apple has stated that it is taking steps to revoke certain certificates that will prevent new macOS machines from being infected.

In an online forum for MalwareBytes, a staff member confirmed that they had been detecting the infection before the news had been released.

Email:    Phone: 703.359.0700
Digital Forensics/Cybersecurity/Information Technology
https://senseient.com/services/digital-forensicsFacebookTwitterLinkedInPrintEmailShare

In a message from the director of the Michigan State Police, officers have been instructed to remove “nonstandard” applications from their provided state phones. In addition, officers must now seek authorization before downloading such apps going forward, according to a story by the Detroit Free Press.

The memo comes after various articles have detailed senior Michigan State Police members using the encrypted communication application Signal, which keeps no record of text messages sent and received. Once the messages are deleted within the Signal application, they are unable to be traced or recovered. This finding raised concerns about the potential ability to evade the Michigan Freedom of Information Act, should communications between officers be requested.

Attorney James Fett, who is representing previous officers fired by the Michigan State Police and alleging retaliation in their cases, fears that relevant text messages exchanged over the Signal application are gone and irretrievable.

Officers who would like to use a nonstandard application on their work provided devices must fill out a form to get authorization to do so. Social media apps such as Facebook, Instagram, Twitter, YouTube and LinkedIn are specified as not needing prior authorization.

Email:    Phone: 703.359.0700
Digital Forensics/Cybersecurity/Information Technology
https://senseient.com/services/digital-forensics

Motherboard writers Jason Koebler, Joseph Cox and Lorenzo Franceschi-Bicchierai reported that Jones Day, one of the largest law firms in the world, was breached by hackers. Jones Day has recently been in the news as it was one of the law firms that represented the Donald Trump campaign in the challenges made to the 2020 election. The trio write “[the] hackers who run the Cl0p ransomware recently posted several gigabytes of data on a dark web site where they advertise their breaches.” If you are interested in the original site where the breach was first reported, it can be found here.

Jones Day apparently did not immediately respond to Motherboard’s request for comment; however, the Motherboard writers state “but confirmed the hack happened in a statement to The Wall Street Journal.” Jones Day has blamed the data breach on Accellion. Accellion provides file sharing systems and they were also victims of a recent hack. Information about the hack can be found here. Accellion is currently conducting an assessment of the breach and is using “an industry-leading cybersecurity forensics firm” to assist them, Motherboard reports.

There are apparently 20 caches available relating to the data breach at Jones Day, and they range from 1.5GB to 4.5GB. The original post from DataBreaches.net indicates that the hackers uploaded the data that was exfiltrated because the firm did not respond to their demands and threats.

Email:    Phone: 703.359.0700
Digital Forensics/Cybersecurity/Information Technology
https://senseient.com/services/digital-forensics

A current criminal investigation into the hacking of the City of Oldsmar, FL water system is underway reports Sarah Wray of CitiesToday. The city’s water treatment plant was the victim of a cyber-incident on February 5, 2021, in which an intruder attempted to change the levels of sodium hydroxide in the water supply that provides drinking water to the city of Oldsmar. The levels of sodium hydroxide were attempted to be changed from 100 parts per million to 11,100 parts per million. “Sodium hydroxide is also known as lye or caustic soda. The chemical is used at low concentrations to regulate the PH level of potable water but at high levels it is highly corrosive and damaging to human tissue” Wray writes.

The levels of the sodium hydroxide were not changed due to an operator at the treatment plant noticing that the levels were being raised. The operator quickly solved the issue and notified a supervisor of the incident. Wray writes that “the city’s computer system was remotely accessed at 8:00 am and 1:30 ppm by an unknown party.” Preliminary investigation by the Sheriff’s Office indicates that the unknown party gained remote access to the system using the TeamViewer software, which is used by the plant for monitoring and troubleshooting of the plant systems while off-site. The investigation into the incident is still ongoing and includes parties such as the FBI, the Secret Service, and the Sheriff’s Office Digital Forensics Unit. There are currently leads in this hacking case, but there are no confirmed suspects.

Email:    Phone: 703.359.0700
Digital Forensics/Cybersecurity/Information Technology
https://senseient.com/services/digital-forensics

Keith Schweigert of Fox 43 recently reported on charges made against a now former Waynesboro Pennsylvania Police officer, William Everett Sublett IV. Sublett has been charged with Aggravated Indecent Assault, Unlawful Contact with a Minor and Corruption of a Minor based on an investigation that stemmed from a report made by the 16-year-old alleged victim to her school counselor. The victim reported that she had been in contact with the officer via text and that he had even brought her to his home and fondled her. When the report came to light, Sublett was immediately placed on administrative leave and resigned his position less than a month later.

Sublett first met the minor while on a call at her residence. He continued to have contact with her while making a number of checkups at the house. The two began to communicate via text message and these messages were discovered as a result of forensic examinations of several phones recovered from Sublett throughout the course of the investigation. One of the phones even turned out to belong to the alleged victim.

The victim sent photographs of herself to Sublett via text messages and Sublett allegedly offered to buy her a burner phone and vaping products in return for naked photos of herself. Further timeline review of the messages made it clear that some texts would have even been exchanged while Sublett was actually on duty for the city. Further evidence of Sublett engaging in contact with the victim was caught on a surveillance camera at her home when he stopped by to drop a cell phone off for the girl. Sublett has apparently denied contacting the victim via text messages although the mobile device forensic results seem to contradict that.

Email:    Phone: 703.359.0700
Digital Forensics/Cybersecurity/Information Technology
https://senseient.com/services/digital-forensics

Recently, according to Penn State News, a virtual student involvement event including the school’s Black Caucus group was interrupted by a number of uninvited participants making racist remarks.

This type of incident, known as Zoom-Bombing” has unfortunately become much more common place with pandemic restrictions forcing many meetings, which were once held in person, online. Over the last year, Zoom and other video conferencing apps have introduced several security features to assist in securing meetings on their platforms. Unfortunately, if a meeting is not properly configured, incidents like this are still a very real threat. To learn a bit more about what changes Zoom has been making you could check out the November 18, 2020 post on Sharon Nelson’s blog, Ride the Lightning.  

The university is working with digital forensic examiners to collect evidence about the incident and those involved. The university police lauded the victims of the harassment for their quick reporting of the incident. In the course of the ongoing investigation, university police say they have consulted with both internal resources such as the school’s office of information and external entities such as the FBI. At this time the university has found no indication those who committed the disturbance were connected to Penn State in any way.

Email:    Phone: 703.359.0700
Digital Forensics/Cybersecurity/Information Technology
https://senseient.com/services/digital-forensics

A Utah woman’s cell phone was searched after police believed there might be evidence related to a stabbing that occurred between her ex-boyfriend and current boyfriend. After reviewing the cell phone, investigators found incriminating evidence that not only she had lied to police regarding the fight, but also evidence of an inappropriate relationship with a minor, according to KSL.

The woman, identified as Tadiana Cooper, 20, was in a previous relationship with 21-year-old Darryl Levi Lindley. Her new boyfriend was found to be 16 years of age. After a text message argument between the ex-boyfriend and current one, the two had agreed to meet in a nearby parking lot for a fight.

The two reportedly agreed to fight without the use of weapons. However, when the two met in person to fight, Lindley began using a blade against the 16-year-old and stabbed him repeatedly. Police interviewed Cooper, who was believed to have witnessed the fight. She eventually allowed police access to her cell phone, where investigators found two videos of the attack. Additionally, investigators found deleted text messages between Cooper and Lindley that had been sent after the fight.

Cooper had told Lindley that the teenager had been badly hurt and the police were looking for him. Lindley replied to the message saying that he planned on stabbing the teenager to death. This message showed law enforcement there was intent to kill.

Detectives also found videos on the device that showed Cooper and the teenager involved in sexual activity.

Lindley has been charged with attempted murder, and Cooper has been placed in police custody for an ongoing investigation into obstructing justice and sexual exploitation of a minor.

Email:    Phone: 703.359.0700
Digital Forensics/Cybersecurity/Information Technology
https://senseient.com/services/digital-forensics

Primarily, mobile device forensic tools have been used by police departments and private businesses to assist in electronic evidence review and help solve crimes. However, there is a new use for those tools that is growing in popularity. Gizmodo reviewed public documents to determine that certain school districts have been purchasing these tools for years.

Gizmodo’s search revealed that in 2020 North East Independent School District of San Antonio, purchased $6,695 worth of products from the popular mobile forensics software company, Cellebrite. Also, Cypress-Fairbanks ISD near Houston purchased around $3,000 worth of products from another popular mobile forensics company, Oxygen Forensics.

Altogether, Gizmodo reviewed similar documents from eight different school districts and determined that school administrators paid as much as approximately $11,000 for various tools able to make copies of students’ text messages, photos and application data.

The need for mobile forensic technologies in school districts vary, but technology was notably used back in 2016 when a high school student was suspected of having a romantic relationship with a school teacher. The student consented to having his phone searched by the school district and one of the resource officers attempted to recover deleted text messages by using a mobile forensic tool. After a review, it was determined the student and teacher were in frequent communication and would message each other “I love you.” The teacher was eventually arrested for sexual assault of a child.

Email:    Phone: 703.359.0700
Digital Forensics/Cybersecurity/Information Technology
https://senseient.com/services/digital-forensics

Lawrence Abrams of Bleepingcomputer.com reported that the men’s clothing retailer Bonobos suffered a data breach. The threat actor known as ShinyHunters posted the full Bonobos database on a free hacker forum. The database is 70GB and contains information such as customer addresses, phone numbers, partial credit card numbers, order information and password histories. Abrams writes “After BleepingComputer contacted Bonobos about the leaked database, the clothing store told us that the threat actors did not gain access to internal systems but rather to a backup file hosted in an external cloud environment.”

Following an email from Bonobos, BleepingComputer reports that the company contacted the host of the cloud environment as soon as it was aware of the breach and that it is implementing additional security measures for systems and for their customers. Bonobos has also stated that they are still investigating the breach. The information gained by the threat actors can be used to target customers with specific phishing attacks that contain the information that they were able to access. Abrams reports that, as of January 24, 2021, Bonobos started to notify customers of the breach and what actions they could take to secure their accounts. Abrams provides some critical information about what steps a Bonobos user can take to re-secure their account and what to be looking out for in potential phishing emails.

Email:    Phone: 703.359.0700
Digital Forensics/Cybersecurity/Information Technology
https://senseient.com/services/digital-forensics

The riot that took place on January 6 around the US Capitol building eventually led to the rioters breaching the building and gaining access to various offices, as well as the House and Senate floors. Since then, many law enforcement agencies have been investigating and collecting evidence about the incident. Darrell West of the Brookings Institute recently published an article entitled Digital fingerprints are identifying Capitol rioters, in which he describes the various types of electronic evidence that can and is being collected by law enforcement.

In the article, West discusses items of evidentiary value such as social media posts, text messages and emails. The evidence that can be gathered from social media seems to be one of the main focuses of the article. West writes “Identifying rioters has been easy because many of them posted pictures of themselves inside the Capitol Building.”

Not only do the pictures assist in identifying these people but that also helps build a rough timeline of when something happened as posts to most social media sites are dated and timestamped as to when they were uploaded. Other information such as file metadata would be useful as well, especially with photographs where items such as device location, date and time of the photo, and other items can be found. The article is definitely worth a read and provides an insight into what information is assisting law enforcement with their investigations.

Email:    Phone: 703.359.0700
Digital Forensics/Cybersecurity/Information Technology
https://senseient.com/services/digital-forensics