CyberSecurity News Byte

Hosted ByJim Guckin

Welcome to CyberSecurity News Byte with Jim Guckin, your one-stop resource for the latest cybersecurity news, updates, and discussions. Our podcast is a vital tool for CyberSecurity and IT professionals, as well as technology leaders, who need to stay on top of the ever-evolving digital landscape.

Website Subscribe

Episode 25: August 22 2022

August 22, 2022 Jim Guckin CyberSecurity News Byte Weekly 30:5944.06M Comments Off on Episode 25: August 22 2022

Bullet points of key topics + chapter markers
[01:31] iPhone Users Update Now to Patch 2 Zero-Days
[08:30] Lazarus Group Targets Engineers with Malware
[15:44] Hackers Stole from Bitcoin ATMs using Zero-Day
[23:25] TA558 Group Targets Hospitality, Hotel and Travel

Links

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32894
https://threatpost.com/iphone-users-urged-to-update-to-patch-2-zero-days-under-attack/180448/
https://www.forbes.com/sites/kateoflahertyuk/2022/08/19/ios-1561-update-now-warning-issued-to-all-iphone-users/?sh=2a0eccf767a9
https://threatpost.com/apt-lazarus-macos-malware/180426/
https://en.wikipedia.org/wiki/Lazarus_Group
https://twitter.com/ESETresearch/status/1559553324998955010
https://threatpost.com/apt-lazarus-macos-malware/180426/
https://thehackernews.com/2022/08/hackers-stole-crypto-from-bitcoin-atms.html

Show Notes:

iPhone Users Update Now to Patch 2 Zero-Days

  • Apple is urging macOS, iPhone and iPad users immediately to install respective updates
    • includes fixes for two zero-days under active attack
    • vulnerabilities that allow attackers to execute arbitrary code
      • This can ultimately lead to the full take over of the devices.
    • Patches
      • devices running iOS 15.6.1
        • Ipads and iphones
      • macOS Monterey 12.5.1
    • CVE-2022-32894 (No CVSS score yet)
      • One is a kernel bug
      • Impacts both iOS and macOS
      • out-of-bounds write issue
        • Was addressed with improved bounds checking in patches
        • allows an application to execute arbitrary code with kernel privileges
        • Apple said “may have been exploited”
      • CVE-2022-32893 (no CVSS score yet)
        • WebKit bug
          • out-of-bounds write issue
          • addressed with improved bounds checking
        • allows a maliciously crafted web content to processes code that can lead to code execution
        • also reported to be under actively exploited
        • WebKit is the browser engine that powers Safari
          • Also is an engine that all third-party browsers that work on iOS utilize
        • Not much known
          • Apples discloser
          • Credited to anonymous researcher
        • Pegasus Fears
          • nation-state APTs barraged targets with spyware
            • created by Israeli company NSO Group

Lazarus Group Targets Engineers with Malware

  • Lazarus
    • North Korean APT
    • targeting academics, journalists and professionals in various industries—particularly the defense industry–to gather intelligence and financial backing
  • targeting engineers
    • fake job posting
      • spread macOS malware
    • macOS malware
      • identified by researchers at ESET Research Labs
      • Mac executable
      • Targets both Apple and Intel chip systems
    • Operation In(ter)ception
      • Disguised as a job description
        • For Coinbase
      • claiming to seek an engineering manager for product security
      • researchers discovered uploaded to VirusTotal from Brazil
      • drops three files
        • decoy PDF document
          • pdf
          • http[://]FinderFontsUpdater[.]app
          • downloader safarifontagent
        • like a sample discovered by ESET in May
          • included a signed executable
            • disguised as a job description
            • compiled for both Apple and Intel
            • dropped a PDF decoy
          • unlike
            • recent malware is signed July 21
            • something new or a variant of the previous malware
          • Not only Apple
            • Windows version
            • dropping the same decoy
            • spotted Aug. 4
              • Malwarebytes threat intelligence researcher Jazi
            • connects to a different command and control infrastructure
              • https:[//]concrecapital[.]com/%user%[.]jpg

Hackers Stole from Bitcoin ATMs using Zero-Day

  • Bitcoin ATM manufactured by General Bytes
    • Confirmed that they were a victim of a cyberattack
      • exploited a previously unknown flaw in the software
        • steal cryptocurrency from its users
      • Currently unknown how many servers were impacted or Crypto stolen
    • Tactic
      • Threat Actor unknown
        • Scanned and identified CAS
          • Ports 7777 or 443
        • create an admin user remotely
          • CAS = Crypto Application Server
            • Self-hosted product by General Bytes
            • Allow customers manage Bitcoin ATM machines from a central location
          • CAS administrative interface
            • via a URL call on the page that is used for the default installation on the server
              • creating the first administration user
            • vulnerability has been present since version December 2020
            • modified the crypto settings of two-way machines with their wallet settings
              • Two-way ATMs started to forward coins to the attacker’s wallet when customers sent coins to [the] ATM
            • Zero Day Flaw
              • has been mitigated
                • server patch releases, 20220531.38 and 20220725.22
              • company was doing security audits
                • flaw was never identified
              • Days after it announced “Help Ukraine” feature on ATMs

TA558 Group Targets Hospitality, Hotel and Travel

  • Proofpoint tracking group
    • TA558
    • Running since April 2018
    • Considered a small crime threat actor
      • group has used consistent tactics, techniques, and procedures
      • attempted to install a variety of malware
        • Loda RAT
        • Vjw0rm
        • Revenge RAT
      • Increased Threat
        • higher tempo in 2022
        • geared towards Portuguese and Spanish speakers in Latin America
        • to a lesser extent in Western Europe and North America.
      • Phishing Campaigns
        • sending malicious spam messages
          • reservation-themed lures
          • weaponized URL and Documents
          • install trojan
            • recon
            • data theft
            • distribution of other malware
          • in past used macros to deploy
            • currently pivoting away
              • in favor of URLs and ISO files to achieve initial infection
              • most likely due to Microsoft blocking macros announcement
            • 51 campaigns
              • 27 of them are said to have incorporated URLs pointing to ISO files and ZIP archives

CyberSecurity News Byte is a weekly podcast, condensing the latest cybersecurity news, in an easily digestible format. News that you need to know to keep yourself and your organization safe from today’s threats.

Facebook Twitter Instagram

© 2021-2022 All Rights Reserved. Developed By Podcrease