🔒
There are new articles available, click to refresh the page.
Today — 18 August 2022Security News

Google blocked the largest Layer 7 DDoS reported to date

18 August 2022 at 17:57

Google announced to have blocked the largest ever HTTPs DDoS attack, which reached 46 million requests per second (RPS).

Google announced to have blocked the largest ever HTTPs DDoS attack that hit one of its Cloud Armor customers. The IT giant revealed that the attack reached 46 million requests per second (RPS).

The attack took place on June 1st, at 09:45, it started with more than 10,000 requests per second (rps) and targeted a customer’s HTTP/S Load Balancer. Eight minutes later, the attack grew to 100,000 requests per second, and two minutes later reached 46 million RPS. The DDoS attack lasted 69 minutes.

HTTPs DDoS

The company pointed out that the volume of requests per second is at least 76% more than the previous record, which was blocked by Cloudflare in June and that reached 26 million RPS.

“This is the largest Layer 7 DDoS reported to date—at least 76% larger than the previously reported record. To give a sense of the scale of the attack, that is like receiving all the daily requests to Wikipedia (one of the top 10 trafficked websites in the world) in just 10 seconds.” reported Google.

The experts reported that the attack originated from 5,256 source IPs from 132 countries, the top 4 countries contributed approximately 31% of the total attack traffic.

Approximately 22% (1,169) of the source IPs corresponded to Tor exit nodes, but experts pointed out that the request volume coming from those nodes represented just 3% of the attack traffic.

“While we believe Tor participation in the attack was incidental due to the nature of the vulnerable services, even at 3% of the peak (greater than 1.3 million rps) our analysis shows that Tor exit-nodes can send a significant amount of unwelcome traffic to web applications and services.” continues the report.

The geographic distribution and types of unsecured services that were involved in the attack suggest it was launched by a Mēris botnet.   

“The attack was stopped at the edge of Google’s network, with the malicious requests blocked upstream from the customer’s application. Before the attack started, the customer had already configured Adaptive Protection in their relevant Cloud Armor security policy to learn and establish a baseline model of the normal traffic patterns for their service. ” concludes the experts. “As a result, Adaptive Protection was able to detect the DDoS attack early in its life cycle, analyze its incoming traffic, and generate an alert with a recommended protective rule–all before the attack ramped up. The customer acted on the alert by deploying the recommended rule leveraging Cloud Armor’s recently launched rate limiting capability to throttle the attack traffic.”

Another Cloudflare customer was hit with DDoS reaching 26 million RPS.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, HTTPs DDoS)

The post Google blocked the largest Layer 7 DDoS reported to date appeared first on Security Affairs.

Researchers Detail Evasive DarkTortilla Crypter Used to Deliver Malware

18 August 2022 at 17:11
A .NET-based evasive crypter named DarkTortilla has been used by threat actors to distribute a broad array of commodity malware as well as targeted payloads like Cobalt Strike and Metasploit, likely since 2015. "It can also deliver 'add-on packages' such as additional malicious payloads, benign decoy documents, and executables," cybersecurity firm Secureworks said in a Wednesday report. "It

PayPal Phishing Scam Uses Invoices Sent Via PayPal

18 August 2022 at 15:27

Scammers are using invoices sent through PayPal.com to trick recipients into calling a number to dispute a pending charge. The missives — which come from Paypal.com and include a link at Paypal.com that displays an invoice for the supposed transaction — state that the user’s account is about to be charged hundreds of dollars. Recipients who call the supplied toll-free number to contest the transaction are soon asked to download software that lets the scammers assume remote control over their computer.

KrebsOnSecurity recently heard from a reader who received an email from paypal.com that he immediately suspected was phony. The message’s subject read, “Billing Department of PayPal updated your invoice.”

A copy of the phishing message included in the PayPal.com invoice.

While the phishing message attached to the invoice is somewhat awkwardly worded, there are many convincing aspects of this hybrid scam. For starters, all of the links in the email lead to paypal.com. Hovering over the “View and Pay Invoice” button shows the button indeed wants to load a link at paypal.com, and clicking that link indeed brings up an active invoice at paypal.com.

Also, the email headers in the phishing message (PDF) show that it passed all email validation checks as being sent by PayPal, and that it was sent through an Internet address assigned to PayPal.

Both the email and the invoice state that “there is evidence that your PayPal account has been accessed unlawfully.” The message continues:

“$600.00 has been debited to your account for the Walmart Gift Card purchase. This transaction will appear in the automatically deducted amount on PayPal activity after 24 hours. If you suspect you did not make this transaction, immediately contact us at the toll-free number….”

Here’s the invoice that popped up when the “View and Pay Invoice” button was clicked:

The phony PayPal invoice, which was sent and hosted by PayPal.com.

The reader who shared this phishing email said he logged into his PayPal account and could find no signs of the invoice in question. A call to the toll-free number listed in the invoice was received by a man who answered the phone as generic “customer service,” instead of trying to spoof PayPal or Walmart. Very quickly into the conversation he suggested visiting a site called globalquicksupport[.]com to download a remote administration tool. It was clear then where the rest of this call was going.

I can see this scam tricking a great many people, especially since both the email and invoice are sent through PayPal’s systems — which practically guarantees that the message will be successfully delivered. The invoices appear to have been sent from a compromised or fraudulent PayPal Business account, which allows users to send invoices like the one shown above. Details of this scam were shared Wednesday with PayPal’s anti-abuse ([email protected]) and media relations teams.

PayPal said in a written statement that phishing attempts are common and can take many forms.

“We have a zero-tolerance policy on our platform for attempted fraudulent activity, and our teams work tirelessly to protect our customers,” PayPal said. “We are aware of this well-known phishing scam and have put additional controls in place to mitigate this specific incident. Nonetheless, we encourage customers to always be vigilant online and to contact Customer Service directly if they suspect they are a target of a scam.”

It’s remarkable how well today’s fraudsters have adapted to hijacking the very same tools that financial institutions have long used to make their customers feel safe transacting online. It’s no accident that one of the most prolific scams going right now — the Zelle Fraud Scam — starts with a text message about an unauthorized payment that appears to come from your bank. After all, financial institutions have spent years encouraging customers to sign up for mobile alerts via SMS about suspicious transactions, and to expect the occasional inbound call about possibly fraudulent transactions.

Also, today’s scammers are less interested in stealing your PayPal login than they are in phishing your entire computer and online life with remote administration software, which seems to be the whole point of so many scams these days. Because why rob just one online account when you can plunder them all?

The best advice to sidestep phishing scams is to avoid clicking on links that arrive unbidden in emails, text messages and other mediums. Most phishing scams invoke a temporal element that warns of dire consequences should you fail to respond or act quickly. If you’re unsure whether the message is legitimate, take a deep breath and visit the site or service in question manually — ideally, using a browser bookmark to avoid potential typosquatting sites.

BlackByte ransomware v2 is out with new extortion novelties

18 August 2022 at 15:24

A new version of the BlackByte ransomware appeared in the threat landscape, version 2.0 uses extortion techniques similar to LockBit ones.

BlackByte ransomware Version 2.0 appeared in the threat landscape after a short break, the latest version has a new data leak site.

It is interesting to note that the group introduced some novelties in the extortion strategy.

The gang allows victims to pay $5,000 to postpone the leaking of their data by 24 hours, download the data for $200,000, or destroy all the data by paying a $300,000 ransom. The prices are not fixed and could vary depending on the importance of the victim.

 BlackByte ransomware
BlackByte ransomware 4

Researchers from threat intelligence firm KELA noticed that the new BlackByte’s leak site lack of wallet addresses, this means that victims cannot pay the ransom.

BlackByte ransomware

The BlackByte ransomware operation has been active since September 2021, in October 2021 researchers from Trustwave’s SpiderLabs released a decryptor that can allow victims of early versions of BlackByte ransomware to restore their files for free.

In February, the US Federal Bureau of Investigation (FBI) revealed that the BlackByte ransomware gang has breached at least three organizations from US critical infrastructure sectors.

In 2021, a flaw in the operation was found that allowed a free BlackByte decryptor to be created. Unfortunately, after the weakness was reported, the threat actors fixed the flaw.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, Blackbyte)

The post BlackByte ransomware v2 is out with new extortion novelties appeared first on Security Affairs.

China-backed APT41 Hackers Targeted 13 Organisations Worldwide Last Year

18 August 2022 at 13:33
The Chinese advanced persistent threat (APT) actor tracked as Winnti (aka APT41) has targeted at least 13 organizations geographically spanning across the U.S, Taiwan, India, Vietnam, and China against the backdrop of four different campaigns in 2021. "The targeted industries included the public sector, manufacturing, healthcare, logistics, hospitality, education, as well as the media and

Hackers Using Bumblebee Loader to Compromise Active Directory Services

18 August 2022 at 09:20
The malware loader known as Bumblebee is being increasingly co-opted by threat actors associated with BazarLoader, TrickBot, and IcedID in their campaigns to breach target networks for post-exploitation activities. "Bumblebee operators conduct intensive reconnaissance activities and redirect the output of executed commands to files for exfiltration," Cybereason researchers Meroujan Antonyan and

Penetration Testing or Vulnerability Scanning? What's the Difference?

18 August 2022 at 09:10
Pentesting and vulnerability scanning are often confused for the same service. The problem is, business owners often use one when they really need the other. Let's dive in and explain the differences. People frequently confuse penetration testing and vulnerability scanning, and it's easy to see why. Both look for weaknesses in your IT infrastructure by exploring your systems in the same way an

Apple fixed two new zero-day flaws exploited by threat actors

18 August 2022 at 08:36

Apple addressed two zero-day vulnerabilities, exploited by threat actors, affecting iOS, iPadOS, and macOS devices.

Apple this week released security updates for iOS, iPadOS, and macOS platforms to address two zero-day vulnerabilities exploited by threat actors. Apple did not share details about these attacks.

The two flaws are:

  • CVE-2022-32893 – An out-of-bounds issue in WebKit which. An attacker can trigger the flaw by tricking target devices into processing maliciously crafted web content to achieve arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.
  • CVE-2022-32894 – An out-of-bounds issue in the OS Kernel that could be exploited by a malicious application to execute arbitrary code with the highest privileges.

The vulnerabilities have been fixed with the release iOS 15.6.1, iPadOS 15.6.1, and macOS Monterey 12.5.1. The iOS and iPadOS updates are available for iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation).

The IT giant solved both the vulnerabilities with improved bounds checking.

Apple has addressed other six zero-day vulnerabilities since January, below is the list of fixed issues:

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, Apple)

The post Apple fixed two new zero-day flaws exploited by threat actors appeared first on Security Affairs.

PoC exploit code for critical Realtek RCE flaw released online

18 August 2022 at 07:10

Exploit code for a critical vulnerability affecting networking devices using Realtek RTL819x system on a chip released online.

The PoC exploit code for a critical stack-based buffer overflow issue, tracked as CVE-2022-27255 (CVSS 9.8), affecting networking devices using Realtek’s RTL819x system on a chip was released online. The issue resides in the Realtek’s SDK for the open-source eCos operating system, it was discovered by researchers from cybersecurity firm Faraday Security

“On Realtek eCos SDK-based routers, the ‘SIP ALG’ module is vulnerable to buffer overflow. The root cause of the vulnerability is insufficient validation on the received buffer, and unsafe calls to strcpy. The ‘SIP ALG’ module calls strcpy to copy some contents of SIP packets to a predefined fixed buffer and does not check the length of the copied contents.” reads the advisory published by Realtek, which published the issue in March 2022. “A remote attacker can exploit the vulnerability through a WAN interface by crafting arguments in SDP data or the SIP header to make a specific SIP packet, and the successful exploitation would cause a crash or achieve the remote code execution.”

Millions of devices, including routers and access points, are exposed to hacking.

The experts (Octavio GianatiempoOctavio GallandEmilio CoutoJavier Aguinaga) disclosed technical details of the flaw at the DEFCON hacker conference last week.

A remote attacker can exploit the flaw to execute arbitrary code without authentication by sending to the vulnerable devices specially crafted SIP packets with malicious SDP data.

The issue is very dangerous because the exploitation doesn’t require user interaction.

The PoC code developed by the experts works against Nexxt Nebula 300 Plus routers.

“This repository contains the materials for the talk “Exploring the hidden attack surface of OEM IoT devices: pwning thousands of routers with a vulnerability in Realtek’s SDK for eCos OS.”, which was presented at DEFCON30.” reads the description provided with the exploit code on GitHub.

The repo includes:

  • analysis: Automated firmware analysis to detect the presence of CVE-2022-27255 (Run analyse_firmware.py).
  • exploits_nexxt: PoC and exploit code. The PoC should work on every affected router, however the exploit code is specific for the Nexxt Nebula 300 Plus router.
  • ghidra_scripts: Vulnerable function call searching script and CVE-2022-27255 detection script.
  • DEFCON: Slide deck & poc video.

Johannes Ullrich, Dean of Research at SANS shared a Snort rule that can be used to detect PoC exploit attempt.

“The rule looks for “INVITE” messages that contain the string “m=audio “. It triggers if there are more than 128 bytes following the string (128 bytes is the size of the buffer allocated by the Realtek SDK) and if none of those bytes is a carriage return. The rule may even work sufficiently well without the last content match. Let me know if you see any errors or improvements.” wrote the expert.

Slides for the DEFCON presentation along with exploits, and a detection script for CVE-2022-27255 are available in this GitHub repository.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, Realtek)

The post PoC exploit code for critical Realtek RCE flaw released online appeared first on Security Affairs.

Apple Releases Security Updates to Patch Two New Zero-Day Vulnerabilities

18 August 2022 at 03:08
Apple on Wednesday released security updates for iOS, iPadOS, and macOS platforms to remediate two zero-day vulnerabilities previously exploited by threat actors to compromise its devices. The list of issues is below - CVE-2022-32893 - An out-of-bounds issue in WebKit which could lead to the execution of arbitrary code by processing a specially crafted web content CVE-2022-32894 - An
Yesterday — 17 August 2022Security News

China-linked RedAlpha behind multi-year credential theft campaign

17 August 2022 at 22:58

A China-linked APT group named RedAlpha is behind a long-running mass credential theft campaign aimed at organizations worldwide.

Recorded Future researchers attributed a long-running mass credential theft campaign to a Chinese nation-state actor tracked RedAlpha. The campaign targeted global humanitarian, think tank, and government organizations.

Experts believe RedAlpha is a group of contractors conducting cyber-espionage activity on behalf of China. Recorded Future identified a link between RedAlpha and a Chinese information security company, whose name appears in the registration of multiple RedAlpha domains. The company called “Nanjing Qinglan Information Technology Co., Ltd.” is now known as “Jiangsu Cimer Information Security Technology Co. Ltd.

“In this activity, RedAlpha very likely sought to gain access to email accounts and other online communications of targeted individuals and organizations.” reads the report published by Recorded Future.

“RedAlpha’s humanitarian and human rights-linked targeting and spoofing of organizations such as Amnesty International and FIDH is particularly concerning given the CCP’s reported human rights abuses in relation to Uyghurs, Tibetans, and other ethnic and religious minority groups in China.”

Since 2019, RedAlpha registering and weaponizing hundreds of domains that were spoofing organizations such as the International Federation for Human Rights (FIDH), Amnesty International, the Mercator Institute for China Studies (MERICS), Radio Free Asia (RFA), the American Institute in Taiwan (AIT), and other global government, think tank, and humanitarian organizations.

Experts also noticed that the attackers used domains spoofing major email and storage service providers like Yahoo (135 typosquat domains), Google (91 typosquat domains), and Microsoft (70 typosquat domains). The domains some cases were hosting fake login pages for popular email providers such as Outlook and Zimbra.

redAlpha

The attackers sent out phishing messages leading victims to phishing pages posing as legitimate email login portals. Experts believe attackers target individuals affiliated with the above organizations rather than imitating these organizations to target other third parties.

The attack vector is phishing emails containing PDF files that embed malicious links that point to the phishing login pages.

“RedAlpha’s activity has expanded over the past several years to include credential-phishing campaigns spoofing ministries of foreign affairs in multiple countries.” continues the report. “We observed phishing pages imitating webmail login portals for Taiwan and Portugal’s MOFAs, as well as multiple domains spoofing Brazil and Vietnam’s MOFAs.”

“Based on these findings and wider activity examined, it is very likely that RedAlpha operators are located within the PRC. Chinese intelligence services’ use of private contractors is also an established trend, with groups such as APT3, APT10, RedBravo (APT31), and APT40 all identified as contractors working for China’s Ministry of State Security (MSS) (1,2,3,4).” concludes the report. “In the case of RedAlpha, the group’s targeting closely aligns with the strategic interests of the Chinese government, such as the observed emphasis on China-focused think tanks, civil society organizations, and Taiwanese government and political entities.”

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, RedAlpha)

The post China-linked RedAlpha behind multi-year credential theft campaign appeared first on Security Affairs.

Bugdrop dropper includes features to circumvent Google’s security Controls

17 August 2022 at 17:58

Researchers have discovered a previously undocumented Android dropper, dubbed BugDrop, that’s still under development.

Recently, researchers from ThreatFabric discovered a previously undetected Android dropper, dubbed BugDrop, which is under active development and was designed to bypass security features that will be implemented in the next release of the Google OS.

The experts noticed something unusual in the latest sample of the malware family Xenomorph, it was an improved version of the threat that included RAT capabilities by using “Runtime modules”. The Runtime modules allow the malware to perform gestures, touches, and other operations.

The new version of Xenomorph was dropped by the BugDrop malware which is able to defeat security measures that Google will introduce to prevent malware requesting Accessibility Services privileges from victims.

The dropper was developed by a cybercriminal group known as Hadoken Security, which is the same threat actor that is behind Xenomorph and Gymdrop Android malware.

The malicious application spotted by the researchers poses as a QR code reader.

Upon launching the application it will request the Accessibility Services access to the user to perform gestures and touches on behalf of the victim.

bugdrop

“Once granted, while showing a loading screen, the dropper initiates a connection with its onion.ws C2, which relies on the TOR protocol, obtaining back its configuration and the URL of the payload to download and install.” reads the analysis of the experts. “Throughout the course of our investigation, this URL changed from being one of the samples in the open folder, to an external URL again referring to QR code scanners functionalities, which used a endpoint very similar to what was used by Gymdrop samples that we observed in the wild in the last few months.”

The presence of instructions in the dropper code to send error messages back to the C2 suggests it is still under development.

The experts noticed that starting with Android 13, Google is blocking accessibility API access to apps installed from outside of the official app store.

However, BugDrop, attempts to bypass this security measure by deploying malicious payloads via a session-based installation process.

“In this context, it is important to remind the new security features of Android 13, which will be released in fall of 2022. With this new release, Google introduced the “restricted setting” feauture, which blocks sideloaded applications from requesting Accessibility Services privileges, limiting this kind of request to applications installed with a session-based API (which is the method usually used by app stores).” states the analysis. “With this in mind, it is clear what criminals are trying to achieve. What is likely happening is that actors are using an already built malware, capable of installing new APKs on an infected device, to test a session based installation method, which would then later be incorporated in a more elaborate and refined dropper.”

Upon completing the development of the new features, BugDrop will give attackers new capabilities to target banking institutions and bypass security solutions currently being adopted by Google.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, BugDrop)

The post Bugdrop dropper includes features to circumvent Google’s security Controls appeared first on Security Affairs.

Google fixed a new Chrome Zero-Day actively exploited in the wild

17 August 2022 at 17:01

Google addressed a dozen vulnerabilities in the Chrome browser, including the fifth Chrome zero-day flaw exploited this year.

Google this week released security updates to address a dozen vulnerabilities in its Chrome browser for desktops including an actively exploited high-severity zero-day flaw in the wild.

The actively exploited flaw, tracked as CVE-2022-2856, is an Insufficient validation of untrusted input in Intents. The flaw was discovered by Ashley Shen and Christian Resell of Google Threat Analysis Group on 19 July 2022.

“Google is aware that an exploit for CVE-2022-2856 exists in the wild.” reads the advisory published by Google.

Google did not share technical details about the issue to prevent further exploitation in the wild.

The IT giant also fixed a critical issue, tracked as CVE-2022-2852, which is use after free in FedCM. This issue was reported by Google Project Zero researcher Sergei Glazunov on August 2, 2022.

Below is the list of the other issues addressed by the company:

  • [$7000][1337538] High CVE-2022-2854: Use after free in SwiftShader. Reported by Cassidy Kim of Amber Security Lab, OPPO Mobile Telecommunications Corp. Ltd. on 2022-06-18
  • [$7000][1345042] High CVE-2022-2855: Use after free in ANGLE. Reported by Cassidy Kim of Amber Security Lab, OPPO Mobile Telecommunications Corp. Ltd. on 2022-07-16
  • [$5000][1338135] High CVE-2022-2857: Use after free in Blink. Reported by Anonymous on 2022-06-21
  • [$5000][1341918] High CVE-2022-2858: Use after free in Sign-In Flow. Reported by raven at KunLun lab on 2022-07-05
  • [$NA][1350097] High CVE-2022-2853: Heap buffer overflow in Downloads. Reported by Sergei Glazunov of Google Project Zero on 2022-08-04
  • [$3000][1338412] Medium CVE-2022-2859: Use after free in Chrome OS Shell. Reported by Nan Wang(@eternalsakura13) and Guang Gong of 360 Alpha Lab on 2022-06-22
  • [$2000][1345193] Medium CVE-2022-2860: Insufficient policy enforcement in Cookies. Reported by Axel Chong on 2022-07-18
  • [$TBD][1346236] Medium CVE-2022-2861: Inappropriate implementation in Extensions API. Reported by Rong Jian of VRI on 2022-07-21

The CVE-2022-2856 is the fifth zero-day vulnerability in Chrome that Google has addressed this year, the other ones are:

  • CVE-2022-2294 (July 4) – Heap buffer overflow in the Web Real-Time Communications (WebRTC) component
  • CVE-2022-1364 (April 14) –  type confusion issue that resides in the V8 JavaScript engine
  • CVE-2022-1096 – (March 25) – type Confusion in V8 JavaScript engine
  • CVE-2022-0609 – (February 14) – use after free issue that resides in the Animation component.

Users should update to version 104.0.5112.101 for macOS and Linux and 104.0.5112.102/101 for Windows.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, Chrome)

The post Google fixed a new Chrome Zero-Day actively exploited in the wild appeared first on Security Affairs.

Cybercriminals Developing BugDrop Malware to Bypass Android Security Features

17 August 2022 at 13:59
In a sign that malicious actors continue to find ways to work around Google Play Store security protections, researchers have spotted a previously undocumented Android dropper trojan that's currently in development. "This new malware tries to abuse devices using a novel technique, not seen before in Android malware, to spread the extremely dangerous Xenomorph banking trojan, allowing criminals

New Google Chrome Zero-Day Vulnerability Being Exploited in the Wild

17 August 2022 at 12:02
Google on Tuesday rolled out patches for Chrome browser for desktops to contain an actively exploited high-severity zero-day flaw in the wild. Tracked as CVE-2022-2856, the issue has been described as a case of insufficient validation of untrusted input in Intents. Security researchers Ashley Shen and Christian Resell of Google Threat Analysis Group have been credited with reporting the flaw on

Researchers Link Multi-Year Mass Credential Theft Campaign to Chinese Hackers

17 August 2022 at 10:59
A Chinese state-sponsored threat activity group named RedAlpha has been attributed to a multi-year mass credential theft campaign aimed at global humanitarian, think tank, and government organizations. "In this activity, RedAlpha very likely sought to gain access to email accounts and other online communications of targeted individuals and organizations," Recorded Future disclosed in a new

Lean Security 101: 3 Tips for Building Your Framework

17 August 2022 at 10:50
Cobalt, Lazarus, MageCart, Evil, Revil — cybercrime syndicates spring up so fast it's hard to keep track. Until…they infiltrate your system. But you know what's even more overwhelming than rampant cybercrime? Building your organization's security framework.  CIS, NIST, PCI DSS, HIPAA, HITrust, and the list goes on. Even if you had the resources to implement every relevant industry standard and

Malicious Browser Extensions Targeted Over a Million Users So Far This Year

17 August 2022 at 08:44
More than 1.31 million users attempted to install malicious or unwanted web browser extensions at least once, new findings from cybersecurity firm Kaspersky show. "From January 2020 to June 2022, more than 4.3 million unique users were attacked by adware hiding in browser extensions, which is approximately 70% of all users affected by malicious and unwanted add-ons," the company said. As many as

North Korea-linked APT targets Job Seekers with macOS malware

17 August 2022 at 08:31

The North Korea-linked Lazarus Group has been observed targeting job seekers with macOS malware working also on Intel and M1 chipsets.

ESET researchers continue to monitor a cyberespionage campaign, tracked as “Operation In(ter)ception,” that has been active at least since June 2020. The campaign targets employees working in the aerospace and military sectors and leverages decoy job offer documents.

ESET published a series of tweets detailing the recent attacks, the experts spotted a signed Mac executable disguised as a job description for Coinbase. The malicious code was uploaded to VirusTotal from Brazil on August 11, 2022.

#ESETresearch #BREAKING A signed Mac executable disguised as a job description for Coinbase was uploaded to VirusTotal from Brazil 🇧🇷. This is an instance of Operation In(ter)ception by #Lazarus for Mac. @pkalnai @dbreitenbacher 1/7 pic.twitter.com/dXg89el5VT

— ESET research (@ESETresearch) August 16, 2022

Malware is compiled for both Intel and Apple Silicon, it drops three files: a decoy PDF document Coinbase_online_careers_2022_07.pdf, a bundle http://FinderFontsUpdater.app and a downloader safarifontagent. The discovery is similar to other attacks detected by ESET researches in May.

#ESETresearch A year ago, a signed Mach-O executable disguised as a job description was uploaded to VirusTotal from Singapore 🇸🇬. Malware is compiled for Intel and Apple Silicon and drops a PDF decoy. We think it was part of #Lazarus campaign for Mac. @pkalnai @marc_etienne_ 1/8 pic.twitter.com/DV7peRHdnJ

— ESET research (@ESETresearch) May 4, 2022

The bundle employed in the attack is signed July 21 using a certificate issued in February 2022 to a developer named Shankey Nohria and team identifier 264HFWQH63.

“The application is not notarized and Apple has revoked the certificate on August 12.” states ESET.

North Korea

Experts noticed that unlike May attacks, the downloader safarifontagent connects to a different C&C server (https://concrecapital[.]com/%user%.jpg). The C2 server did not respond at the time ESET experts analyzed this malware.

The researcher @h2jazi also discovered a Windows counterpart of this malware on August 4, it was dropping the exact same decoy.

#Lazarus #APT:
0dab8ad32f7ed4703b9217837c91cca7
Coinbase_online_careers_2022_07.exe

The decoy pdf is "Engineering Manager, Product Security" job description at Coinbase.

Next stage: (gone!)
https://docs.mktrending[.]com/marrketend.pnghttps://t.co/XETUeA5F6B pic.twitter.com/NTFUJ9AiCO

— Jazi (@h2jazi) August 4, 2022

ESET also shared Indicators of compromise (IoCs) for this threat.

IoCs:
FE336A032B564EEF07AFB2F8A478B0E0A37D9A1A6C4C1E7CD01E404CC5DD2853 (Extractor)
798020270861FDD6C293AE8BA13E86E100CE048830F86233910A2826FACD4272 (FinderFontsUpdater)
49046DFEAEFC59747E45E013F3AB5A2895B4245CFAA218DD2863D86451104506 (safarifontagent)
… 6/7

— ESET research (@ESETresearch) August 16, 2022

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, North Korea)

The post North Korea-linked APT targets Job Seekers with macOS malware appeared first on Security Affairs.

❌