News Items

Earth Lusca, a threat actor with ties to China, has been observed targeting government organizations with a new Linux backdoor called SprySOCKS. Trend Micro first documented Earth Lusca in January 2022, detailing the adversary's attacks against public and private sector entities in Asia, Australia, Europe, and North America. Since 2021, the group has used spear-phishing and watering hole attacks to execute its cyber espionage schemes. Some of the group's activities overlap with another threat cluster tracked by Recorded Future as RedHotel. New findings suggest that Earth Lusca remains an active group, expanding its operations to target organizations worldwide in the first half of 2023. Foreign affairs, technology, and telecommunications-related government departments are primary targets. This article continues to discuss the China-linked threat Earth Lusca targeting government entities using a new Linux backdoor called SprySOCKS.

THN reports "Earth Lusca's New SprySOCKS Linux Backdoor Targets Government Entities"

Two Middle Eastern telecommunications organizations were recently compromised by a potentially novel threat actor using two backdoors with new methods for covertly loading malicious shellcode onto a target system. Cisco Talos dubbed the intrusion set "ShroudedSnooper" because it could not link the activity to previously identified groups. ShroudedSnooper uses two backdoors, "HTTPSnoop" and "PipeSnoop," with advanced anti-detection mechanisms, such as masquerading as popular software products and infecting low-level Windows server components. Once implanted, they execute shellcode to give cyberattackers a persistent foothold in victims' networks, allowing them to move laterally, exfiltrate data, or release additional malware. This article continues to discuss findings regarding the ShroudedSnooper set of backdoors.

Dark Reading reports "'ShroudedSnooper' Backdoors Use Ultra-Stealth in Mideast Telecom Attacks"

Clorox has recently admitted its operations are still experiencing significant disruption after the firm experienced a cyberattack a month ago. Clorox announced the attack on August 14, revealing it had observed unauthorized activity on some IT systems, which had to subsequently be taken offline while it remediated the incident. Although the company stated in an SEC filing yesterday that it "believes the unauthorized activity is contained," it warned of a significant impact to the business, as it was forced to revert to manual ordering and processing. Clorox admitted that it is operating at a lower rate of order processing and has recently begun to experience an elevated level of consumer product availability issues. Clorox noted that the attack had damaged portions of its IT infrastructure and caused "widescale disruption" to its operations. The company is repairing the infrastructure and is reintegrating the systems that were proactively taken offline. The company expects to begin the process of transitioning back to normal automated order processing the week of September 25. Clorox stated that it has already resumed production at the vast majority of its manufacturing sites and expects the ramp-up to full production to occur over time. However, at this time, the company cannot estimate how long it will take to resume fully normalized operations. Clorox is still working out the financial and business impact of the security breach, although it admitted that rising order processing delays and product outages mean that there will be a material impact on Q1 financial results.

Infosecurity reports: "Clorox Struggling to Recover From August Cyberattack"

There is a new approach to combating phishing attacks to improve online security, reduce cybercrime against individuals and businesses, and prevent attacks against governments. Computer security systems are continuously challenged by the emergence of increasingly sophisticated phishing attacks, which may also use social engineering and malware. T. Kalaichelvi of the Panimalar Engineering College in Chennai, India, and colleagues have proposed a new technique for threat modeling capable of identifying and eliminating vulnerabilities that make a computer system more vulnerable to phishing attacks. The team's method uses the STRIDE threat design methodology, a powerful tool with a 96.3 percent detection rate for phishing web addresses. Individuals and organizations can use this work to combat the phishing threat. This article continues to discuss the study on detecting phishing attempts in communications systems.

Inderscience reports "Unhooking Phishing Threats - The Detection of Phishing Attempts in Communications Systems"

The Federal Communications Commission (FCC) has proposed a cybersecurity labeling program to protect smart device users. The new initiative encompasses Internet of Things (IoT) devices such as Wi-Fi routers, digital personal assistants, home security cameras, GPS trackers, medical devices, and other Internet-connected appliances. Although the underlying problem is real and devices are often found to lack adequate cybersecurity, many, including one of the FCC's commissioners, consider the proposed solution lightweight. This article continues to discuss the effort to boost IoT security.

Cybernews reports "New Proposal Aims to Boost IoT Security With a Sticker"

The Microsoft-owned healthcare technology company Nuance has disclosed that the Clop extortion gang stole personal data on major North Carolina hospitals as part of the Progress MOVEit Transfer campaign. Companies use MOVEit Transfer to securely transmit files via SFTP, SCP, and HTTP-based uploads. Microsoft credits the Clop ransomware group, also known as Lace Tempest, with exploiting a zero-day vulnerability in the MOVEit Transfer platform, tracked as CVE-2023-34362. In June, the Clop ransomware group claimed to have compromised hundreds of businesses worldwide by exploiting the MOVEit Transfer flaw. The group's victims also include Microsoft's Nuance healthcare technology subsidiary. This article continues to discuss the Clop gang being behind a series of cyber thefts at major North Carolina hospitals.

Security Affairs reports "Clop Gang Stolen Data From Major North Carolina Hospitals"

The pro-Russian cybercrime group named NoName057(16) has recently been observed launching distributed denial-of-service (DDoS) attacks against Canadian organizations. Since March 2022, the threat actor, also known as NoName05716, 05716nnm, or Nnm05716, has been launching disruptive attacks supporting Russia's invasion of Ukraine. According to the Canadian Centre for Cyber Security, the group has targeted financial, government, military, media, supply, telecoms, and transportation organizations in Ukraine and NATO-associated targets, including the Czech Republic, Denmark, Estonia, Lithuania, Norway, and Poland. Since September 13, 2023, the Cyber Centre has been aware and responding to reports of several distributed denial of service (DDoS) campaigns targeting multiple levels within the Government of Canada, as well as the financial and transportation sector. The Cyber Centre noted that NoName057(16) uses a botnet to target the web servers of victim organizations and then boasts about its malicious activities. Canadian organizations are advised to review systems to identify potential DDoS activity, review and proactively implement DDoS protections, review the US CISA's guidance on mitigating DDoS attacks, improve internet gateways' monitoring and protections, isolate web-facing applications, and report NoName057(16)-suspected DDoS attacks to the Cyber Centre.

SecurityWeek reports: "Canadian Government Targeted With DDoS Attacks by Pro-Russia Group"

A novel cloud-native cryptojacking operation has targeted Amazon Web Services (AWS) offerings such as AWS Amplify, AWS Fargate, and Amazon SageMaker to mine cryptocurrency. Sysdig has given the malicious cyber activity the codename AMBERSQUID. The AMBERSQUID operation exploited cloud services without triggering the AWS requirement for approval of additional resources, as would have been the case if they had only spammed EC2 instances, according to Alessandro Brucato, a security researcher at Sysdig. Targeting multiple services presents extra challenges, such as incident response, as finding and eliminating all miners in each exploited service is required. Sysdig reported discovering the campaign after analyzing 1.7 million Docker Hub images, attributing it with moderate confidence to Indonesian attackers based on the use of the Indonesian language in scripts and usernames. This article continues to discuss the new AMBERSQUID cryptojacking operation.

THN reports "New AMBERSQUID Cryptojacking Operation Targets Uncommon AWS Services"

According to security researchers at Hudson Rock, a major data breach at Airbus revealed earlier this week stemmed from a RedLine info-stealer likely hidden in a pirated copy of Microsoft software. The European aerospace giant said it has launched an investigation into the incident. The researchers stated that a threat actor known as "USDoD," claiming to work as part of the Ransomed ransomware group, posted the breached data to the BreachForums site. Personal information associated with 3200 Airbus vendors, such as Rockwell Collins and Thales Group, was apparently featured in the data dump, including names, addresses, phone numbers, and email addresses. The threat actor's claim that this had come from "employee access from a Turkish Airline" was confirmed by the researchers. The researchers stated that the computer belongs to an employee of Turkish Airlines and contains third-party login credential details for Airbus. The victim likely attempted to download a pirated version of the Microsoft .NET framework, as indicated in the malware path. The researchers noted that they consequently fell victim to a threat actor utilizing the commonly employed RedLine info-stealing family. Worryingly, USDoD has hinted that more victims in the aerospace industry may soon suffer the same fate, including US defense contractors Lockheed Martin and Raytheon.

Infosecurity reports: "Pirated Software Likely Cause of Airbus Breach"

Three high-severity Kubernetes vulnerabilities, tracked as CVE-2023-3676, CVE-2023-3893, and CVE-2023-3955, could enable attackers to remotely execute code and take control of all Windows nodes in the Kubernetes cluster. The three flaws impact all Kubernetes versions before 1.28. The Kubernetes team released updated versions at the end of August. If administrators are unable to upgrade to a patched version, Akamai has provided alternative mitigation steps. This article continues to discuss the potential exploitation and impact of the three high-severity Kubernetes vulnerabilities.

Help Net Security reports "Kubernetes Vulnerability Allows RCE on Windows Endpoints"

Machine Learning (ML) has changed how computer-related tasks are considered and performed. Its ability to identify patterns and process massive amounts of data lends itself to many applications. When it comes to malware detection, ML has streamlined a once daunting process, allowing antivirus software to detect potential attacks more efficiently and with a higher success rate. Antivirus software previously relied on knowledge of earlier attacks, comparing program code to a list of known malicious binaries to determine which programs may be harmful. ML currently uses behavioral and static artifacts to identify ever-evolving malware attacks, improving antivirus software's effectiveness. However, with new technology comes numerous unknowns, so it is the responsibility of researchers to identify potential vulnerabilities. Professor Lujo Bauer from Carnegie Mellon's Electrical and Computer Engineering and Software and Societal Systems departments noted that the first step is determining the threat model for some of the newest ML technologies, such as generative Artificial Intelligence (AI). Bauer and a team of researchers demonstrated that ML-based malware detectors can be fooled by creating variants of malicious binaries, known as adversarial examples. These are transformed in a way that preserves functionality in order to avoid detection. In their most recent paper, titled "Adversarial Training for Raw-Binary Malware Classifiers," researchers examine the effectiveness of using adversarial training methods to develop malware detection models that are more resistant to some cutting-edge attacks. To train these models, the authors of this study discovered a method to increase the efficiency and scalability of creating adversarial examples, thus making adversarial training practical. This article continues to discuss the adversarial training methods developed to improve ML-based malware detection software.

CyLab reports "Researchers Develop Adversarial Training Methods to Improve Machine Learning-Based Malware Detection Software"

According to security researchers at Palo Alto Networks' Unit 42, four out of five (80.3%) security vulnerabilities observed in organizations across all sectors come from a cloud environment. In a newly published report, the researchers outlined the most common cloud security flaws, of which 60% come from web framework takeover (22.8%), remote access services (20.1%), and IT security and networking infrastructure (17.1%). The researchers noted that constant changes in cloud offerings significantly impact the end-users' exposure. The researchers found that over 45% of most organizations' high-risk, cloud-hosted exposures in a given month were observed on new services that hadn't been present on their organization's attack surface in the month prior. The researchers noted that this finding wouldn't be too concerning if cloud providers weren't so volatile. But they are: the researchers estimated that, on average, over 20% of externally accessible cloud services change monthly. This volatility is even more acute in the transport & logistics and insurance & financial sectors, where organizations must deal with 27% and 24% of cloud offerings evolving on a monthly basis.

Infosecurity reports: "Cloud to Blame for Almost all Security Vulnerabilities"

MetaStealer, a new malware designed to steal information from Intel-based macOS computers, has been discovered in the wild. MetaStealer, not to be confused with the 'META' information stealer malware that gained popularity last year, is a Go-based malware capable of evading Apple's built-in antivirus technology XProtect. SentinelOne reports that it has been tracking the malware for the past few months and has observed a strange social engineering component in its distribution. Although the malware shares some similarities with Atomic Stealer, a Go-based macOS-targeting information stealer, the code overlap is limited, and the delivery methods differ. This article continues to discuss the MetaStealer malware that steals a wide variety of sensitive information from Intel-based macOS computers.

Bleeping Computer reports "New 'MetaStealer' Malware Targets Intel-Based macOS Systems"

A threat actor known for providing ransomware groups with initial access to enterprise systems has used Microsoft Teams to phish employees. According to Microsoft threat researchers, Storm-0324 likely relies on the publicly available TeamsPhisher tool for this activity. Storm-0324 is a temporary name designated by Microsoft to this threat actor, suggesting that the company is still not highly confident about the origin or identity of the actor behind the operation. So far, it is known that Storm-0324 has been around for more than eight years and has previously used exploit kits and email-based vectors to deliver various malware payloads, including banking trojans, information-stealing malware, ransomware, and more. Microsoft reports that Storm-0324 began using phishing lures sent over Teams with malicious links, leading to a malicious SharePoint-hosted file in July 2023. However, they do not specify what malicious payload the file contained. They also noted that this particular phishing campaign is unrelated to a similar one conducted by a Russian Advanced Persistent Threat (APT) group. This article continues to discuss the threat actor phishing employees via Microsoft Teams.

Help Net Security reports "Microsoft Teams Phishing: Enterprises Targeted by Ransomware Access Broker"

Using Wi-Fi signals, scientists have developed a technology that enables people to see objects and read letters through walls. The system, developed by UC Santa Barbara researchers, traces the edges of objects on the opposite side of solid barriers. In one experiment, the team used the technology to decipher the word "BELIEVE" from the other side of a wall by imaging each letter individually. Three off-the-shelf Wi-Fi transmitters were used to send wireless waves in an area. The receivers were on an unmanned vehicle emulating a Wi-Fi receiver grid as it moved. They measured the signal power, which was then used for imaging under the proposed method. However, the success of this strategy may raise significant privacy and security concerns. Cybercriminals could integrate this technology into an existing attack vector. This article continues to discuss the technology that enables seeing through walls, which could pose security and privacy issues.

TechRadar reports "Researchers Used Wi-Fi Signals to See Through Walls. Game-Changing Breakthrough? Or Privacy Nightmare Waiting to Happen?"

The National Security Agency (NSA) and US federal agency partners have issued new guidance regarding deepfakes. This emerging threat may pose a cybersecurity challenge for National Security Systems (NSS), the Department of Defense (DoD), and Defense Industrial Base (DIB) organizations. They issued the Cybersecurity Information Sheet (CSI) "Contextualizing Deepfake Threats to Organizations" to help organizations identify, defend against, and respond to deepfake threats. The CSI recommends that organizations consider implementing several technologies to detect deepfakes and identify the origin of multimedia. These include real-time verification capabilities, passive detection techniques, and protection for the communications of high-priority officers. The recommendations for mitigating the impact of deepfakes include information sharing, planning and rehearsing responses to exploitation attempts, and training personnel. This article continues to discuss the new guidance on deepfake threats.

NSA reports "NSA, US Federal Agencies Advise on Deepfake Threats"

According to Carnegie Mellon University (CMU) Software Engineering Institute (SEI)'s Robert Schiela, technical manager of the Secure Coding group, and Carol Woody, a principal researcher in the SEI's Computer Emergency Response Team (CERT) Division, current efforts to build secure code and implement risk-mitigation security controls are useful but insufficient to address the cybersecurity challenges of modern technology. Functional design and engineering decisions can pose security risks. The longer security is overlooked, the greater the likelihood of costly mitigations, as redesigning may be necessary. Before approving the implementation of a system, security experts could review its design and mandate redesigns. Developers should identify and address vulnerabilities as they create and unit test their code. Creators and suppliers of technology must incorporate security risk management into their standard system design and engineering practices. Software, hardware, firmware, reused components, and services must all be considered when assessing security risk. Security risk considerations must be integrated throughout the lifecycle processes, which requires effective planning and tooling as well as monitoring and measuring. This article continues to discuss making software secure by design.

Carnegie Mellon University Software Engineering Institute reports "3 Activities for Making Software Secure by Design"

New research highlights the essential elements for bolstering cybersecurity readiness. This study examines five critical factors influencing organizations' cybersecurity readiness management, which include employee expertise, awareness, organizational investment, compliance with standards, and risk assessment. Researchers from the Information Science Department at Kuwait University present several essential organizational considerations. According to the researchers, inadequacies in the five areas will inevitably compromise the organization's cybersecurity readiness. This article continues to discuss the empirical investigation into organizations' cybersecurity readiness from the Information Technology (IT) employee and manager perspectives.

Inderscience reports "An Empirical Investigation Into Organization Cyber Security Readiness From the IT Employee and Manager Perspectives"

Traceable and Ponemon Institute's research calls for more attention on Application Programming Interface (API) security. While threats continue to increase, organizations do not assess their APIs nearly enough for vulnerabilities. Traceable warns of the inherent potential risk that comes with API use. In many cases, they control the traffic between critical services and sensitive data, significantly increasing the attack surface. The survey included 1,600 cybersecurity professionals from around the world, 938 of which were in the Europe, Africa, and the Middle East (EMEA) region. Fifty-nine percent of respondents acknowledged that APIs are critical to their organization's digital initiatives. The average number of APIs maintained by surveyed organizations is 1,044. Forty-three percent admitted that API security is not a priority despite its widespread use. This article continues to discuss key findings from the research on the state of API security.

Techzine reports "API Security Doesn't Get the Priority Treatment It Needs"

The FBI has revealed that the North Korean threat group Lazarus stole $41 million in cryptocurrencies from Stake[.]com, including Ethereum. According to the FBI, its investigation has found that North Korean cyber actors moved stolen funds associated with the Ethereum, Binance Smart Chain (BSC), and Polygon networks from Stake[.]com to virtual currency addresses. The FBI says this is not the first cryptocurrency heist pulled off by Lazarus. However, the FBI stopped short of attributing cyberattacks to the Lazarus threat group specifically, instead focusing on its parent country, North Korea. This article continues to discuss the theft of $41 million from the virtual betting site by Lazarus.

Cybernews reports "Lazarus Steals $41M From Virtual Betting Site"

Endpoint security firm Emsisoft urges its users to update their anti-malware and other security products and reboot their systems after using an improperly issued digital certificate to sign them. The company stated that the problem affects its Extended Validation (EV) code signing certificate, which was renewed on August 23 and used to sign all program files compiled after that date, including the latest software version, released on September 4. GlobalSign, the certificate authority (CA) that issued the certificate, informed Emsisoft on September 4 that it introduced the wrong business number at issuance, meaning the certificate would need to be revoked and reissued. The CA has issued a new certificate and is revoking the improperly issued one today, September 8. Emsisoft noted that it has re-signed all files using the correct certificate and has made updates available for its products. Emsisoft stated that the new files are available through the online update of their products, and they expect that the vast majority of their customers will automatically receive the new version before the old certificate gets revoked. The main issue with this mishap is the fact that the security firm also used the improperly issued certificate to sign a new driver component, and updating it requires a system reboot. Emsisoft noted that when a certificate authority revokes a certificate, all software files that have been signed with it will produce a security warning, and drivers may not load at all. This essentially breaks the protection, including the ability to run online updates. According to Emsisoft, should it come to this, users would need to reinstall the affected software to restore the protection. The company is urging its customers to ensure automatic updates are enabled in Emsisoft Anti-Malware, Emsisoft Business Security, and Emsisoft Enterprise Security and reboot their computers before September 22, 2023.

SecurityWeek reports: "Emsisoft Tells Users to Update Products, Reboot Systems Due to Certificate Mishap"

According to security researchers at Malwarebytes, a piece of malware named Atomic macOS Stealer, or AMOS, has been delivered by cyber criminals through a malvertising campaign. AMOS emerged in the spring when its creators started advertising it for $1,000 per month, promising a wide range of data theft capabilities. Its authors claimed the malware could steal keychain passwords, browser data, cryptocurrency wallets, and files from the compromised device. The researchers noted that AMOS is mostly distributed through cracked software downloads, but the company recently observed it being delivered through a malvertising campaign. The researchers stated that cybercriminals set up a fake website for the TradingView financial market tracking app and advertised the site on Google using a hacked advertiser account apparently belonging to an entity in Belarus. The malicious website is designed to look authentic, claiming to offer downloads for the TradingView app's Windows, macOS, and Linux versions. The researchers noted that while the Windows and Linux files deliver the NetSupport RAT, the Mac file delivers the AMOS malware. Once executed, the macOS malware provides instructions for opening it without getting blocked by Apple's GateKeeper security feature. The researchers stated that the malware is bundled in an ad-hoc signed app, meaning it's not an Apple certificate, so it cannot be revoked. Once executed, it will keep prompting for the user password in a never ending loop until victims finally relent and type it in. The researchers noted that logs show that the malware attempts to collect and exfiltrate passwords, autofill data, wallets, cookies, and keychain data. The researchers stated that targeting TradingView makes sense since users who are looking for the market tracking application are more likely to use software that provides access to money or cryptocurrencies.

SecurityWeek reports: "Atomic macOS Stealer Malware Delivered via Malvertising Campaign"

The US Cybersecurity and Infrastructure Security Agency (CISA), the FBI, and the US Cyber Command (USCYBERCOM) published a joint advisory revealing that state-sponsored hacking groups exploited critical Zoho and Fortinet vulnerabilities to compromise a US aeronautical organization. The threat groups responsible for this breach have not yet been identified, but while the joint advisory did not attribute the attackers to a specific state, USCYBERCOM's press release connects them to Iranian exploitation efforts. CISA participated in the incident response between February and April and reported that the hacking groups had been inside the compromised aviation organization's network since at least January after hacking an Internet-exposed server running Zoho ManageEngine ServiceDesk Plus and a Fortinet firewall. This article continues to discuss key findings from the joint cybersecurity advisory on Iranian exploitation efforts that have impacted a US aeronautical organization.

Bleeping Computer reports "Iranian Hackers Breach US Aviation Org via Zoho, Fortinet Bugs"

Apple has released emergency security updates for iOS, iPadOS, macOS, and watchOS to patch two zero-day vulnerabilities exploited in the wild to deliver NSO Group's Pegasus mercenary spyware. The first vulnerability, tracked as CVE-2023-41061, is a validation issue in Wallet that could lead to arbitrary code execution when a maliciously crafted attachment is handled. The second vulnerability, tracked as CVE-2023-41064, is a buffer overflow issue in the Image I/O component that could lead to arbitrary code execution if a maliciously crafted image is processed. The Citizen Lab at the University of Toronto's Munk School disclosed that the vulnerabilities have been weaponized as part of a zero-click iMessage exploit chain dubbed BLASTPASS to launch Pegasus on fully patched iPhones running iOS 16.6. This article continues to discuss the zero-day flaws exploited to deliver NSO Group's Pegasus mercenary spyware.

THN reports "Apple Rushes to Patch Zero-Day Flaws Exploited for Pegasus Spyware on iPhones"