CyberSecurity News Byte – Weekly

Hosted by Jim Guckin


Episode 25: August 22, 2022

Bullet points of key topics + chapter markers
[01:31] iPhone Users Update Now to Patch 2 Zero-Days
[08:30] Lazarus Group Targets Engineers with Malware
[15:44] Hackers Stole from Bitcoin ATMs using Zero-Day
[23:25] TA558 Group Targets Hospitality, Hotel and Travel

Links

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32894
https://threatpost.com/iphone-users-urged-to-update-to-patch-2-zero-days-under-attack/180448/
https://www.forbes.com/sites/kateoflahertyuk/2022/08/19/ios-1561-update-now-warning-issued-to-all-iphone-users/?sh=2a0eccf767a9
https://threatpost.com/apt-lazarus-macos-malware/180426/
https://en.wikipedia.org/wiki/Lazarus_Group
https://twitter.com/ESETresearch/status/1559553324998955010
https://thehackernews.com/2022/08/hackers-stole-crypto-from-bitcoin-atms.html

Show Notes:

iPhone Users Update Now to Patch 2 Zero-Days

  • Apple is urging macOS, iPhone and iPad users to install the respective updates immediately
    • includes fixes for two zero-days under active attack
    • vulnerabilities that allow attackers to execute arbitrary code
      • This can ultimately lead to the full takeover of the device.
    • Patches
      • devices running iOS 15.6.1
        • iPads and iPhones
      • macOS Monterey 12.5.1
    • CVE-2022-32894 (no CVSS score yet)
      • The first is a kernel bug
      • Impacts both iOS and macOS
      • out-of-bounds write issue
        • Was addressed with improved bounds checking in patches
        • allows an application to execute arbitrary code with kernel privileges
        • Apple said “may have been exploited”
      • CVE-2022-32893 (no CVSS score yet)
        • WebKit bug
          • out-of-bounds write issue
          • addressed with improved bounds checking
        • processing maliciously crafted web content can lead to code execution
        • also reported to be actively exploited
        • WebKit is the browser engine that powers Safari
          • Also the engine that all third-party browsers on iOS must use
        • Not much known
          • Apple's disclosure
          • Credited to an anonymous researcher
        • Pegasus Fears
          • nation-state APTs barraged targets with spyware
            • created by Israeli company NSO Group

Lazarus Group Targets Engineers with Malware

  • Lazarus
    • North Korean APT
    • targeting academics, journalists and professionals in various industries (particularly the defense industry) to gather intelligence and financial backing
  • targeting engineers
    • fake job postings
      • used to spread macOS malware
    • macOS malware
      • identified by researchers at ESET Research Labs
      • Mac executable
      • Targets both Apple and Intel chip systems
    • Operation In(ter)ception
      • Disguised as a job description
        • For Coinbase
      • claiming to seek an engineering manager for product security
      • researchers discovered a sample uploaded to VirusTotal from Brazil
      • drops three files
        • decoy PDF document
          • pdf
          • http[://]FinderFontsUpdater[.]app
          • downloader safarifontagent
        • like a sample discovered by ESET in May
          • included a signed executable
            • disguised as a job description
            • compiled for both Apple and Intel
            • dropped a PDF decoy
          • unlike that sample
            • recent malware is signed July 21
            • either something new or a variant of the previous malware
          • Not only Apple
            • a Windows version exists
            • drops the same decoy
            • spotted Aug. 4
              • Malwarebytes threat intelligence researcher Jazi
            • connects to different command and control infrastructure
              • https:[//]concrecapital[.]com/%user%[.]jpg

Hackers Stole from Bitcoin ATMs using Zero-Day

  • Bitcoin ATM manufacturer General Bytes
    • Confirmed that it was the victim of a cyberattack
      • attackers exploited a previously unknown flaw in the software
        • to steal cryptocurrency from its users
      • Currently unknown how many servers were impacted or how much crypto was stolen
    • Tactic
      • Threat actor unknown
        • Scanned for and identified exposed CAS servers
          • Ports 7777 or 443
        • created an admin user remotely
          • CAS = Crypto Application Server
            • Self-hosted product by General Bytes
            • Allows customers to manage Bitcoin ATM machines from a central location
          • CAS administrative interface
            • via a URL call to the page used for the default installation on the server
              • the page that creates the first administration user
            • vulnerability has been present since the version released in December 2020
            • attackers modified the crypto settings of two-way machines with their own wallet settings
              • Two-way ATMs started to forward coins to the attacker's wallet when customers sent coins to the ATM
            • Zero-day flaw
              • has been mitigated
                • server patch releases 20220531.38 and 20220725.22
              • company had been doing security audits
                • flaw was never identified
              • Came days after it announced a "Help Ukraine" feature on its ATMs

TA558 Group Targets Hospitality, Hotel and Travel

  • Proofpoint is tracking the group
    • TA558
    • Active since April 2018
    • Considered a small crime threat actor
      • group has used consistent tactics, techniques, and procedures
      • attempted to install a variety of malware
        • Loda RAT
        • Vjw0rm
        • Revenge RAT
      • Increased threat
        • higher tempo in 2022
        • geared towards Portuguese and Spanish speakers in Latin America
        • to a lesser extent, Western Europe and North America
      • Phishing Campaigns
        • sending malicious spam messages
          • reservation-themed lures
          • weaponized URLs and documents
          • install trojans for
            • recon
            • data theft
            • distribution of other malware
          • in the past used macros to deploy
            • currently pivoting away
              • in favor of URLs and ISO files to achieve initial infection
              • most likely due to Microsoft's announced blocking of macros
            • 51 campaigns
              • 27 of them are said to have incorporated URLs pointing to ISO files and ZIP archives
