Episode 25: August 22 2022
Bullet points of key topics + chapter markers
[01:31] iPhone Users Update Now to Patch 2 Zero-Days
[08:30] Lazarus Group Targets Engineers with Malware
[15:44] Hackers Stole from Bitcoin ATMs using Zero-Day
[23:25] TA558 Group Targets Hospitality, Hotel and Travel
Links
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32894
https://threatpost.com/iphone-users-urged-to-update-to-patch-2-zero-days-under-attack/180448/
https://www.forbes.com/sites/kateoflahertyuk/2022/08/19/ios-1561-update-now-warning-issued-to-all-iphone-users/?sh=2a0eccf767a9
https://threatpost.com/apt-lazarus-macos-malware/180426/
https://en.wikipedia.org/wiki/Lazarus_Group
https://twitter.com/ESETresearch/status/1559553324998955010
https://thehackernews.com/2022/08/hackers-stole-crypto-from-bitcoin-atms.html
Show Notes:
iPhone Users Update Now to Patch 2 Zero-Days
- Apple is urging macOS, iPhone and iPad users to install the respective updates immediately
- the updates include fixes for two zero-days under active attack
  - vulnerabilities that allow attackers to execute arbitrary code
  - this can ultimately lead to full takeover of the device
- Patches
  - iOS 15.6.1 and iPadOS 15.6.1 for iPhones and iPads
  - macOS Monterey 12.5.1
- CVE-2022-32894 (no CVSS score yet)
  - kernel bug
  - impacts both iOS and macOS
  - out-of-bounds write issue
  - addressed with improved bounds checking in the patches
  - allows an application to execute arbitrary code with kernel privileges
  - Apple said it "may have been exploited"
- CVE-2022-32893 (no CVSS score yet)
  - WebKit bug
  - out-of-bounds write issue
  - addressed with improved bounds checking
  - processing maliciously crafted web content may lead to arbitrary code execution
  - also reported to be under active exploitation
  - WebKit is the browser engine that powers Safari
  - it is also the engine every third-party browser on iOS is required to use, so the bug is not limited to Safari
- Not much known
  - Apple's disclosure is brief
  - credited to an anonymous researcher
- Pegasus fears
  - Pegasus spyware, created by the Israeli company NSO Group
  - nation-state APTs have barraged targets with it
  - the fear attaches to the WebKit bug in particular, since a browser-engine exploit can be triggered by merely loading a page
Lazarus Group Targets Engineers with Malware
- Lazarus
  - North Korean APT
  - targets academics, journalists and professionals in various industries, particularly the defense industry, to gather intelligence and financial backing
- Now targeting engineers
  - fake job postings
  - used to spread macOS malware
- The macOS malware
  - identified by researchers at ESET Research Labs
  - Mach-O executable
  - compiled for both Apple silicon (arm64) and Intel (x86_64) systems
  - part of Operation In(ter)ception
  - disguised as a job description for Coinbase
    - claims to be seeking an engineering manager for product security
  - researchers discovered it after it was uploaded to VirusTotal from Brazil
  - drops three files
    - a decoy PDF document
    - a bundle, FinderFontsUpdater.app
    - a downloader, safarifontagent
  - similar to a sample discovered by ESET in May
    - that one also included a signed executable disguised as a job description
    - compiled for both Apple silicon and Intel
    - dropped a PDF decoy
  - unlike the May sample
    - the recent malware is signed July 21, 2022
    - so it is either something new or a variant of the previous malware
- Not only Apple
  - a Windows version dropping the same decoy was spotted Aug. 4
  - reported by Malwarebytes threat intelligence researcher Hossein Jazi
  - connects to a different command and control infrastructure
  - https:[//]concrecapital[.]com/%user%[.]jpg
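The "compiled for both Apple and Intel" detail is something you can confirm yourself in triage without running the sample: a universal Mach-O starts with a fat header that lists one slice per CPU type. The parser below is an added example written for these notes, not ESET's or Malwarebytes' tooling; it reads the fat header (and thin 64-bit headers) and reports the architectures, with the sanity checks a practitioner wants because Java class files share the same 0xCAFEBABE magic. `build_fat_sample` constructs a header-only stand-in for a universal binary so the block runs offline; it is not the Lazarus sample.

```python
import struct
import sys

# Magic values and CPU types from Apple's <mach-o/fat.h> and <mach-o/loader.h>.
FAT_MAGIC = 0xCAFEBABE        # universal ("fat") header; always big-endian on disk
MH_MAGIC_64 = 0xFEEDFACF      # thin 64-bit Mach-O header; little-endian on x86_64/arm64
CPU_TYPE_X86_64 = 0x01000007
CPU_TYPE_ARM64 = 0x0100000C
CPU_NAMES = {CPU_TYPE_X86_64: "x86_64", CPU_TYPE_ARM64: "arm64"}
MAX_FAT_ARCHES = 32           # sanity cap; real universal binaries hold a handful of slices


def mach_o_architectures(data: bytes) -> list:
    """Return the CPU architectures a Mach-O file was compiled for.

    Handles universal (fat) binaries and thin 64-bit Mach-O files. Returns an
    empty list for anything else, including truncated or inconsistent headers.
    """
    if len(data) < 32:                            # smaller than the smallest valid header
        return []
    if struct.unpack(">I", data[:4])[0] == FAT_MAGIC:
        nfat_arch = struct.unpack(">I", data[4:8])[0]
        # Java .class files share the 0xCAFEBABE magic; there bytes 4..8 hold the
        # class-file version, which decodes as an implausible slice count.
        if nfat_arch == 0 or nfat_arch > MAX_FAT_ARCHES:
            return []
        arches = []
        for i in range(nfat_arch):
            off = 8 + i * 20                      # struct fat_arch is 5 x uint32
            if off + 20 > len(data):
                return []                         # truncated fat header
            cputype, _subtype, offset, size, _align = struct.unpack(">IIIII", data[off:off + 20])
            if offset + size > len(data):
                return []                         # slice points outside the file
            arches.append(CPU_NAMES.get(cputype, f"cputype_{cputype:#x}"))
        return arches
    if struct.unpack("<I", data[:4])[0] == MH_MAGIC_64:
        cputype = struct.unpack("<I", data[4:8])[0]
        return [CPU_NAMES.get(cputype, f"cputype_{cputype:#x}")]
    return []


def thin_header(cputype: int) -> bytes:
    """Constructed minimal mach_header_64: magic, cputype, cpusubtype, filetype=MH_EXECUTE,
    ncmds, sizeofcmds, flags, reserved. Header only, no load commands or code."""
    return struct.pack("<IIIIIIII", MH_MAGIC_64, cputype, 0, 2, 0, 0, 0, 0)


def build_fat_sample() -> bytes:
    """Constructed universal binary with x86_64 and arm64 slices (not a real sample)."""
    cputypes = (CPU_TYPE_X86_64, CPU_TYPE_ARM64)
    slices = [thin_header(c) for c in cputypes]
    header = struct.pack(">II", FAT_MAGIC, len(slices))
    offset = 8 + 20 * len(slices)                 # slices follow the fat_arch table
    body = b""
    for cputype, blob in zip(cputypes, slices):
        header += struct.pack(">IIIII", cputype, 0, offset + len(body), len(blob), 0)
        body += blob
    return header + body


if __name__ == "__main__":
    paths = sys.argv[1:]
    if not paths:
        print("constructed sample:", mach_o_architectures(build_fat_sample()))
    for path in paths:
        with open(path, "rb") as fh:
            print(path, mach_o_architectures(fh.read(8 + 20 * MAX_FAT_ARCHES + 32)))
```

Run it with file paths to check real binaries; only the first few hundred bytes are read, so it is safe to point at a suspected sample without executing it. A fat header alone says nothing about signing; `codesign -dv` on macOS is still needed to confirm the "signed July 21" claim.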
Hackers Stole from Bitcoin ATMs using Zero-Day
- Bitcoin ATMs manufactured by General Bytes
- the company confirmed it was the victim of a cyberattack
  - the attacker exploited a previously unknown flaw in its software
  - to steal cryptocurrency from its users
  - currently unknown how many servers were impacted or how much crypto was stolen
- Tactic
  - threat actor unknown
  - scanned for and identified exposed CAS instances
    - ports 7777 or 443
  - CAS = Crypto Application Server
    - self-hosted product by General Bytes
    - allows customers to manage their Bitcoin ATM machines from a central location
  - created an admin user remotely in the CAS administrative interface
    - via a URL call to the page used during the default installation of the server
    - i.e. the page for creating the first administration user
    - the vulnerability has been present since the CAS version released in December 2020
  - then modified the crypto settings of two-way machines to point at the attacker's wallet
    - two-way ATMs started forwarding coins to the attacker's wallet whenever customers sent coins to the ATM
- Zero-day flaw
  - has been mitigated
  - server patch releases 20220531.38 and 20220725.22
  - the company had been doing security audits, but the flaw was never identified
  - came days after it announced the "Help Ukraine" feature on its ATMs
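The bug class here is a first-run "create the first administrator" page that stays reachable after installation is complete. The pair of functions below is an added illustration of that pattern and its fix, written for these notes; it is not General Bytes code, and the `UserStore`, endpoint names and token scheme are hypothetical. The hardened variant refuses the call once any administrator exists and additionally demands a one-time token that is only ever printed to the local console, so a remote caller who scans for the management port cannot satisfy it.

```python
import hmac
import secrets
from typing import Optional


class InstallError(Exception):
    """Raised when the first-run installation endpoint is used out of sequence."""


class UserStore:
    """In-memory stand-in for the server's user table (hypothetical, for illustration)."""

    def __init__(self) -> None:
        self.users = {}

    def has_admin(self) -> bool:
        return any(u["role"] == "admin" for u in self.users.values())

    def add_admin(self, username: str, password_hash: str) -> None:
        self.users[username] = {"role": "admin", "password_hash": password_hash}


# --- Vulnerable pattern: the "create first administrator" page stays reachable forever ---
def create_first_admin_vulnerable(store: UserStore, username: str, password_hash: str) -> None:
    # No check that installation already finished: anyone who can reach the
    # install URL on the management port can mint themselves an admin account.
    store.add_admin(username, password_hash)


# --- Hardened pattern ---
def generate_install_token() -> str:
    """One-time token written to the local console at first boot, never served over HTTP."""
    return secrets.token_urlsafe(32)


def create_first_admin_hardened(store: UserStore, username: str, password_hash: str,
                                presented_token: str, install_token: Optional[str]) -> None:
    # 1. The endpoint is only valid while the server has no administrator at all.
    if store.has_admin():
        raise InstallError("installation already completed; first-admin page disabled")
    # 2. The caller must prove local access by presenting the console token.
    #    compare_digest keeps the comparison constant-time.
    if install_token is None or not hmac.compare_digest(
        presented_token.encode("utf-8"), install_token.encode("utf-8")
    ):
        raise InstallError("invalid installation token")
    store.add_admin(username, password_hash)


def demo() -> dict:
    """Replay the attack sequence (operator installs, remote attacker hits the same page)
    against both variants; returns whether the attacker ended up with an admin account."""
    results = {}

    vulnerable = UserStore()
    create_first_admin_vulnerable(vulnerable, "operator", "hash-of-operator-password")
    create_first_admin_vulnerable(vulnerable, "attacker", "hash-of-attacker-password")
    results["vulnerable_attacker_is_admin"] = (
        vulnerable.users.get("attacker", {}).get("role") == "admin"
    )

    hardened = UserStore()
    token = generate_install_token()                 # operator reads this off the console
    create_first_admin_hardened(hardened, "operator", "hash-of-operator-password", token, token)
    try:
        # Attacker reaches the page later; even a leaked token no longer helps.
        create_first_admin_hardened(hardened, "attacker", "hash-of-attacker-password", token, token)
        results["hardened_attacker_is_admin"] = True
    except InstallError:
        results["hardened_attacker_is_admin"] = False
    return results


if __name__ == "__main__":
    print(demo())
```

The state check alone closes the hole described in the notes; the token covers the window before the operator has created the first account, when the page is legitimately open. Neither replaces keeping the management interface off the public internet, which is what let the attacker find these servers by scanning in the first place.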
TA558 Group Targets Hospitality, Hotel and Travel
- Proofpoint is tracking the group as TA558
  - active since at least April 2018
  - considered a small crime threat actor
  - the group has used consistent tactics, techniques and procedures
  - has attempted to install a variety of malware
    - Loda RAT
    - Vjw0rm
    - Revenge RAT
- Increased threat
  - higher tempo in 2022
  - geared towards Portuguese and Spanish speakers in Latin America
  - to a lesser extent in Western Europe and North America
- Phishing campaigns
  - sends malicious spam messages
  - reservation-themed lures
  - weaponized URLs and documents
  - used to install a trojan for
    - recon
    - data theft
    - distribution of other malware
  - in the past used macros to deploy
  - currently pivoting away from macros
    - in favor of URLs and ISO files to achieve initial infection
    - most likely due to Microsoft's announcement that it would block macros by default
  - 51 campaigns observed in 2022
    - 27 of them are said to have incorporated URLs pointing to ISO files and ZIP archives
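Since the pivot is from macros to ISO files, often delivered inside ZIP archives, a mail-gateway or sandbox check should identify ISO images by content rather than by extension. The detector below is an added example for these notes, not Proofpoint's, and it generalizes slightly beyond the text: it looks for the ISO 9660 volume descriptor at sector 16 (the "CD001" identifier), descends into ZIP archives to a bounded depth, and refuses to inflate oversized members. The lure archive it scans (`build_lure_zip`) is constructed here, with an ISO deliberately named as a PDF to show that the extension is irrelevant.

```python
import io
import zipfile

ISO_PVD_OFFSET = 0x8000               # ISO 9660 volume descriptors start at sector 16 (2048-byte sectors)
ISO_MAGIC = b"CD001"                  # "standard identifier" at byte 1 of each descriptor
MAX_MEMBER_BYTES = 64 * 1024 * 1024   # refuse to inflate anything larger (zip-bomb guard)
MAX_DEPTH = 3                         # how many nested archives to open


def is_iso9660(data: bytes) -> bool:
    """True if the bytes carry an ISO 9660 volume descriptor, whatever the file is named."""
    return data[ISO_PVD_OFFSET + 1: ISO_PVD_OFFSET + 6] == ISO_MAGIC


def find_disk_images(blob: bytes, name: str = "<attachment>", depth: int = 0) -> list:
    """Return the names of ISO images found in an attachment, descending into ZIP archives.

    Encrypted ZIP members cannot be inspected and are reported as such, since a
    password-protected archive is itself a common evasion.
    """
    if is_iso9660(blob):
        return [name]
    if depth >= MAX_DEPTH or not zipfile.is_zipfile(io.BytesIO(blob)):
        return []
    hits = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir() or info.file_size > MAX_MEMBER_BYTES:
                continue
            member_name = f"{name}/{info.filename}"
            try:
                member = zf.read(info)
            except RuntimeError:                      # encrypted member, no password
                hits.append(f"{member_name} (encrypted, not inspected)")
                continue
            hits.extend(find_disk_images(member, member_name, depth + 1))
    return hits


def build_iso_sample() -> bytes:
    """Constructed ISO 9660 stub: 16 empty sectors, then a primary volume descriptor header."""
    pvd = bytes([1]) + ISO_MAGIC + bytes([1])        # type=1 (primary), "CD001", version=1
    return b"\x00" * ISO_PVD_OFFSET + pvd.ljust(2048, b"\x00")


def build_lure_zip() -> bytes:
    """Constructed lure: a ZIP with a benign text file and an ISO renamed to look like a PDF."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("reservation-details.txt", "Thank you for your booking.\n")
        zf.writestr("Reservation_Confirmation.pdf", build_iso_sample())
    return buf.getvalue()


if __name__ == "__main__":
    print(find_disk_images(build_lure_zip(), "lure.zip"))
```

Wire `find_disk_images` to whatever hands you raw attachment bytes; any hit is worth quarantining, because a mounted ISO presents its contents as ordinary local files to the user.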