[CyberLand News] Weekly #2 - Threats and Malware
Latest news on threats, malware and vulnerabilities in the cyber land
WinorDLL64, a new Lazarus backdoor
A new backdoor named WinorDLL64 has been discovered and associated with the Wslink malware downloader, believed to be used by the North Korea-aligned Lazarus Group. The backdoor is capable of exfiltrating, overwriting, and deleting files, executing PowerShell commands, and obtaining comprehensive information about the host machine. Other features include listing active sessions, creating and terminating processes, enumerating drives, and compressing directories. The malware is highly targeted and has only been observed in Central Europe, North America, and the Middle East. ESET researchers suggest that the Lazarus Group is involved due to similarities in behavior and code with previous campaigns attributed to the group. The payload was uploaded to the VirusTotal malware database from South Korea, where some victims are located, adding to the evidence of the Lazarus Group's involvement.
More details in WinorDLL64: A backdoor from the vast Lazarus arsenal?
More details in Wslink: Unique and undocumented malicious loader that runs as a server
Additional info in [CyberThreat] APT - Lazarus Group overview
Phishing links in npm packages
Over 15,000 spam packages have been added to the npm repository by cybercriminals using automated processes, according to a report by Checkmarx. The rogue packages were created with auto-generated names and project descriptions that were closely related to each other. The attackers used referral IDs to benefit from rewards earned from retail websites. The packages were designed to look like free resources, including cheats and followers for social media platforms such as TikTok, Xbox, and Instagram. The objective was to encourage users to click on links to phishing sites. Some fake websites even featured interactive chats that created the impression of providing users with the promised cheats or followers. The npm packages were published from multiple user accounts on 20 and 21 February using a Python script to automate the process. The attack was sophisticated and demonstrated the continuing challenges of securing the software supply chain.
More details in How NPM Packages Were Used to Spread Phishing Links
More details in NPM JavaScript packages abused to create scambait links in bulk
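The campaign above relied on bulk publishing of near-identical packages whose READMEs carry referral-tagged links. The following is an added example of how a registry or a defender's package-intake pipeline could triage such a burst; it is not code from the page, from Checkmarx or from npm. The package metadata, account names, URLs and dates are constructed for the example, and the referral parameter names, the 48-hour window and the minimum cluster size are assumptions that a real deployment would tune.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlparse

# Constructed sample registry metadata: every name, account, URL and date
# here is invented for the example and does not describe real packages.
SAMPLE_PACKAGES = [
    {"name": "free-tiktok-followers-4821", "publisher": "acct-a", "published": "2023-02-20T09:12:00",
     "readme": "Get 5000 free TikTok followers today! Claim here: https://promo.example/claim?ref=A1B2"},
    {"name": "free-tiktok-followers-9930", "publisher": "acct-b", "published": "2023-02-20T09:14:00",
     "readme": "Get 10000 free TikTok followers today! Claim here: https://promo.example/claim?ref=C3D4"},
    {"name": "free-tiktok-followers-1177", "publisher": "acct-a", "published": "2023-02-21T11:40:00",
     "readme": "Get 2000 free TikTok followers today! Claim here: https://promo.example/claim?ref=E5F6"},
    {"name": "insta-likes-generator-77", "publisher": "acct-c", "published": "2023-02-21T12:00:00",
     "readme": "Free Instagram likes generator, see https://promo.example/ig?invite=Z9"},
    {"name": "left-pad-clone", "publisher": "dev-x", "published": "2023-02-20T10:00:00",
     "readme": "Pads strings on the left. Docs: https://docs.example/left-pad"},
    {"name": "tiny-logger", "publisher": "dev-y", "published": "2023-01-03T08:00:00",
     "readme": "A tiny logging helper for Node.js"},
]

# Assumed list of query parameters commonly used for referral/affiliate tracking.
REFERRAL_PARAMS = {"ref", "refid", "referral", "aff", "affiliate", "invite"}
URL_RE = re.compile(r"https?://[^\s)\"'<>]+")


def referral_links(text):
    """Return the URLs in text that carry a referral-style query parameter."""
    found = []
    for url in URL_RE.findall(text):
        params = parse_qs(urlparse(url).query)
        if any(k.lower() in REFERRAL_PARAMS for k in params):
            found.append(url)
    return found


def template(text):
    """Normalise auto-generated text: mask URLs and numbers so that
    near-duplicate descriptions collapse onto one key."""
    t = URL_RE.sub("<url>", text)
    t = re.sub(r"\d+", "<n>", t)
    return re.sub(r"\s+", " ", t).strip().lower()


def find_spam_clusters(packages, window=timedelta(hours=48), min_size=3):
    """Group packages by README template and flag bursts of at least
    min_size near-identical packages published within `window` whose
    READMEs contain referral links. Publisher is reported, not used for
    grouping, because the campaign spread across several accounts."""
    groups = defaultdict(list)
    for p in packages:
        groups[template(p["readme"])].append(p)

    flagged = []
    for key, pkgs in groups.items():
        if len(pkgs) < min_size:
            continue
        times = sorted(datetime.fromisoformat(p["published"]) for p in pkgs)
        if times[-1] - times[0] > window:
            continue
        links = [u for p in pkgs for u in referral_links(p["readme"])]
        if not links:
            continue
        flagged.append({
            "template": key,
            "packages": sorted(p["name"] for p in pkgs),
            "publishers": sorted({p["publisher"] for p in pkgs}),
            "referral_links": links,
        })
    return flagged


if __name__ == "__main__":
    for c in find_spam_clusters(SAMPLE_PACKAGES):
        print(f"{len(c['packages'])} packages from {len(c['publishers'])} accounts share one template:")
        for name in c["packages"]:
            print("  ", name)
        print("   referral links:", ", ".join(c["referral_links"]))
```

On the constructed data the three TikTok packages collapse onto one template and are flagged as a single cluster spanning two accounts, while the Instagram package (no sibling) and the two ordinary packages are left alone. Template matching is deliberately strict here; a production pipeline would add fuzzy matching on names and descriptions, but exact-template collisions are cheap to compute at registry scale and catch the script-generated case the report describes.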
Stealc a new InfoStealer
A new information stealer called Stealc has surfaced on the dark web and is gaining popularity among cybercriminals. The malware is being advertised on hacking forums and private Telegram channels by a user named "Plymouth" who has claimed it has extensive data-stealing capabilities and an easy-to-use administration panel. Stealc is similar to other malware of the same kind, such as Vidar, Raccoon, Mars, and Redline, and shares commonalities with them, including the downloading of legitimate third-party DLLs to pilfer sensitive data. Stealc also has a customizable file grabber that can be set to target specific file types. Security researchers at cyber threat intelligence company SEKOIA discovered more than 40 command and control servers for Stealc and several dozen samples in the wild, indicating that the malware has attracted the interest of the cybercriminal community. SEKOIA warns that Stealc represents a significant threat as it could be adopted by less technical cybercriminals, despite its poor business model.
More details in Stealc: a copycat of Vidar and Raccoon infostealers gaining in popularity – Part 1
US Department of Defense (DoD) & its Cloud Security
The US Department of Defense (DoD) has been warned by Pentagon CIOs that its cloud security is inadequate, with systems running unmitigated vulnerabilities that increase the risk of cyber attacks, data breaches, and unauthorized disclosures. This warning comes just days before over three terabytes of military emails were exposed due to misconfigured Azure services. The Pentagon CIOs report found that DoD staff were relying on standard cybersecurity processes without fully understanding the risks and vulnerabilities of authorized commercial cloud service offerings (CSOs), as they were not reviewing documentation supporting FedRAMP and DoD authorizations. The report suggests that the DoD's staff may have assumed that FedRAMP approvals were sufficient to mitigate cloud security risks, without taking further action to ensure their cloud use is secure.
The report has been contested by some defense CIOs who argue that the recommendations could lead to reassessments of authorized commercial CSOs, which goes against the DoD's "do once - reuse many" practice based on FedRAMP and DoD authorization processes. However, the Inspector General refuted this, stating that unmitigated vulnerabilities had been identified in three commercial CSOs that did not comply with established timelines. Some responses suggest that there may be misunderstandings or crossed wires over who is responsible for adhering to existing rules around cloud security. Furthermore, the report suggests that cloud partners may not be doing their part to ensure cloud security, as they may not be fully aware of authorized commercial CSOs' systemic risks, such as vulnerabilities that could allow malicious actors to exploit user authentication or make system configuration changes.
The recent exposure of military emails due to misconfigured Azure services highlights the critical need for the DoD to improve its cloud security measures. It is essential that the DoD takes steps to fully understand the risks and vulnerabilities of authorized commercial CSOs and implement additional controls to reduce overall risks associated with using the authorized commercial CSOs.
More details in Pentagon and Microsoft Are Investigating Leak of Military Emails
More details in Pentagon CIOs slapped over cloud security by auditors days before 3TB of emails exposed
Cryptojacking mining malware for MacOS
Jamf Threat Labs has discovered trojanized versions of legitimate applications that are being used to deploy cryptocurrency mining malware on macOS systems. The XMRig coin miner is executed by means of an unauthorized modification in Final Cut Pro, a video editing software from Apple. The malware utilizes the Invisible Internet Project (i2p) to download malicious components and send mined currency to the attacker's wallet. The source of the cryptojacking apps can be traced to The Pirate Bay, with the earliest uploads dating all the way back to 2019. Jamf identified three generations of the malware that chart the evolution of the campaign's sophistication and stealth. One evasion technique is a shell script that monitors the list of running processes to check for the presence of Activity Monitor and, if it is found, terminates the mining processes.
Although Apple has taken steps to combat such abuse by subjecting notarized apps to more stringent Gatekeeper checks in macOS Ventura, the miner was still able to execute. By the time the user receives the error message, the malware has already been installed. While the distribution vector is highly effective due to the fact that users running cracked software are willingly doing something illegal, the use of trojanized versions of legitimate applications to deploy cryptocurrency mining malware is a serious concern. The discovery of such malware highlights the need for strong security measures on all devices, including Macs, to combat increasingly sophisticated attacks.
More details in Evasive cryptojacking malware targeting macOS found lurking in pirated applications
FortiNAC vulnerability exploited
A critical vulnerability has been discovered in the FortiNAC webserver, which is part of the FortiNAC network access control solution. The vulnerability, tracked as CVE-2022-39952, is an unauthenticated file path manipulation flaw that allows attackers to remotely execute code and commands on the targeted system. Security researchers from Horizon3 released proof-of-concept exploit code for the vulnerability on Monday, and the attacks began the following day. The attackers have been targeting Internet-exposed Fortinet appliances that have not been patched with the latest security updates. Several cybersecurity companies have confirmed that they have detected attacks that exploit CVE-2022-39952, indicating that the attackers are targeting a wide range of organizations. According to CronUp, the attackers have started to install web shells on the compromised devices. Fortinet has issued a security advisory, urging customers to update their systems to the latest available version. This is not the first time that Fortinet has faced such a vulnerability. In December, the company warned customers to patch FortiOS SSL-VPN appliances against an actively exploited security bug, and two months earlier, it urged admins to patch a critical authentication bypass vulnerability that was being exploited in the wild. These incidents underscore the importance of keeping all network devices updated with the latest security patches to prevent cyberattacks.
More details in Fortinet FortiNAC CVE-2022-39952 Deep-Dive and IOCs
A.I. support for text and images