CyberSecurity News Byte

Hosted ByJim Guckin

Welcome to CyberSecurity News Byte with Jim Guckin, your one-stop resource for the latest cybersecurity news, updates, and discussions. Our podcast is a vital tool for CyberSecurity and IT professionals, as well as technology leaders, who need to stay on top of the ever-evolving digital landscape.

Episode 25: August 22 2022

Bullet points of key topics + chapter markers
[01:31] iPhone Users Update Now to Patch 2 Zero-Days
[08:30] Lazarus Group Targets Engineers with Malware
[15:44] Hackers Stole from Bitcoin ATMs using Zero-Day
[23:25] TA558 Group Targets Hospitality, Hotel and Travel


Show Notes:

iPhone Users Update Now to Patch 2 Zero-Days

  • Apple is urging macOS, iPhone and iPad users immediately to install respective updates
    • includes fixes for two zero-days under active attack
    • vulnerabilities that allow attackers to execute arbitrary code
      • This can ultimately lead to the full take over of the devices.
    • Patches
      • devices running iOS 15.6.1
        • Ipads and iphones
      • macOS Monterey 12.5.1
    • CVE-2022-32894 (No CVSS score yet)
      • One is a kernel bug
      • Impacts both iOS and macOS
      • out-of-bounds write issue
        • Was addressed with improved bounds checking in patches
        • allows an application to execute arbitrary code with kernel privileges
        • Apple said “may have been exploited”
      • CVE-2022-32893 (no CVSS score yet)
        • WebKit bug
          • out-of-bounds write issue
          • addressed with improved bounds checking
        • allows a maliciously crafted web content to processes code that can lead to code execution
        • also reported to be under actively exploited
        • WebKit is the browser engine that powers Safari
          • Also is an engine that all third-party browsers that work on iOS utilize
        • Not much known
          • Apples discloser
          • Credited to anonymous researcher
        • Pegasus Fears
          • nation-state APTs barraged targets with spyware
            • created by Israeli company NSO Group

Lazarus Group Targets Engineers with Malware

  • Lazarus
    • North Korean APT
    • targeting academics, journalists and professionals in various industries—particularly the defense industry–to gather intelligence and financial backing
  • targeting engineers
    • fake job posting
      • spread macOS malware
    • macOS malware
      • identified by researchers at ESET Research Labs
      • Mac executable
      • Targets both Apple and Intel chip systems
    • Operation In(ter)ception
      • Disguised as a job description
        • For Coinbase
      • claiming to seek an engineering manager for product security
      • researchers discovered uploaded to VirusTotal from Brazil
      • drops three files
        • decoy PDF document
          • pdf
          • http[://]FinderFontsUpdater[.]app
          • downloader safarifontagent
        • like a sample discovered by ESET in May
          • included a signed executable
            • disguised as a job description
            • compiled for both Apple and Intel
            • dropped a PDF decoy
          • unlike
            • recent malware is signed July 21
            • something new or a variant of the previous malware
          • Not only Apple
            • Windows version
            • dropping the same decoy
            • spotted Aug. 4
              • Malwarebytes threat intelligence researcher Jazi
            • connects to a different command and control infrastructure
              • https:[//]concrecapital[.]com/%user%[.]jpg

Hackers Stole from Bitcoin ATMs using Zero-Day

  • Bitcoin ATM manufactured by General Bytes
    • Confirmed that they were a victim of a cyberattack
      • exploited a previously unknown flaw in the software
        • steal cryptocurrency from its users
      • Currently unknown how many servers were impacted or Crypto stolen
    • Tactic
      • Threat Actor unknown
        • Scanned and identified CAS
          • Ports 7777 or 443
        • create an admin user remotely
          • CAS = Crypto Application Server
            • Self-hosted product by General Bytes
            • Allow customers manage Bitcoin ATM machines from a central location
          • CAS administrative interface
            • via a URL call on the page that is used for the default installation on the server
              • creating the first administration user
            • vulnerability has been present since version December 2020
            • modified the crypto settings of two-way machines with their wallet settings
              • Two-way ATMs started to forward coins to the attacker’s wallet when customers sent coins to [the] ATM
            • Zero Day Flaw
              • has been mitigated
                • server patch releases, 20220531.38 and 20220725.22
              • company was doing security audits
                • flaw was never identified
              • Days after it announced “Help Ukraine” feature on ATMs

TA558 Group Targets Hospitality, Hotel and Travel

  • Proofpoint tracking group
    • TA558
    • Running since April 2018
    • Considered a small crime threat actor
      • group has used consistent tactics, techniques, and procedures
      • attempted to install a variety of malware
        • Loda RAT
        • Vjw0rm
        • Revenge RAT
      • Increased Threat
        • higher tempo in 2022
        • geared towards Portuguese and Spanish speakers in Latin America
        • to a lesser extent in Western Europe and North America.
      • Phishing Campaigns
        • sending malicious spam messages
          • reservation-themed lures
          • weaponized URL and Documents
          • install trojan
            • recon
            • data theft
            • distribution of other malware
          • in past used macros to deploy
            • currently pivoting away
              • in favor of URLs and ISO files to achieve initial infection
              • most likely due to Microsoft blocking macros announcement
            • 51 campaigns
              • 27 of them are said to have incorporated URLs pointing to ISO files and ZIP archives