New Apple zero-day exploit is being sold on the dark web for €2.5m
In August 2022, Apple released security updates for iOS and macOS to fix two zero-day remote code execution vulnerabilities (CVE-2022-32894, CVE-2022-32893) that were being actively exploited. Shortly after the patches were released, security researchers discovered a post on an underground forum offering a new Apple zero-day for €2.5 million. The seller claims the exploit builds on the CVE-2022-32893 vulnerability, which Apple has already patched; the researchers point out that this means the exploit targets an already-fixed vulnerability.
US seizes $30m in crypto stolen by North Korean hackers from Axie Infinity
The US authorities have seized over $30 million in cryptocurrency stolen by hackers from the popular online token-based game Axie Infinity in March 2022. In April, the US accused the North Korea-linked Lazarus hacker group of the theft.
This marks the first time that cryptocurrency stolen by a North Korean hacking group has been seized; the seizure represents around 10% of the total funds stolen from Axie Infinity. A detailed analysis of the attack is available in a new Chainalysis report.
Albania cuts diplomatic ties with Iran over July cyberattack
Albania has severed diplomatic ties with Iran as a response to the massive cyberattack in July that disrupted Albanian government services and websites and was attributed to Iranian hackers.
Albanian Prime Minister Edi Rama said in a statement that the in-depth investigation conducted by the authorities provided “indisputable evidence” that the cyberattack “was orchestrated and sponsored by the Islamic Republic of Iran through the engagement of four groups that enacted the aggression.”
The US and NATO have condemned the cyberattack against Albania, a NATO ally, and pledged to bolster the alliance member's defenses against hackers.
Zyxel releases new NAS firmware to patch an RCE vulnerability
Networking device maker Zyxel has released firmware updates to address a remote code execution (RCE) vulnerability (CVE-2022-34747) affecting three models of its Network Attached Storage (NAS) products. The flaw is caused by a format string error: a remote attacker can send a specially crafted UDP packet to execute arbitrary code on the target system.
CVE-2022-34747 affects NAS326 (V5.21(AAZF.11)C0 and earlier), NAS540 (V5.21(AATB.8)C0 and earlier), and NAS542 (V5.21(ABAG.8)C0 and earlier).
QNAP warns of DeadBolt ransomware attacks exploiting a zero-day in Photo Station
QNAP, a Taiwanese manufacturer of network-attached storage (NAS) appliances, has warned its customers of a new wave of DeadBolt ransomware attacks targeting QNAP NAS devices. While details of the attacks have been scarce, QNAP said that attackers are exploiting an RCE zero-day vulnerability in Photo Station software running on internet-facing NAS devices.
Classified NATO documents leak on the dark web following a cyberattack on the Portuguese government
Hundreds of confidential NATO documents sent to Portugal were reportedly stolen following a cyberattack on the Armed Forces General Staff agency of Portugal (EMGFA). According to local news organization Diario de Noticias, the agency learned it suffered a data breach only in August after American intelligence officials discovered that hackers put up samples of the stolen material for sale on the dark web.
The initial investigation showed that the documents were exfiltrated from systems in the EMGFA, in the secret military (CISMIL) and in the General Directorate of National Defense Resources. According to sources close to the ongoing investigation, security rules for classified information had been broken, as non-secure connections were used to receive and forward the documents.
North Korean Lazarus group uses Log4Shell to breach energy providers across the globe
Security researchers have discovered a new cyber-espionage campaign they linked to a North Korean threat actor known as Lazarus Group that targeted energy providers around the world, including those based in the United States, Canada, and Japan, between February and July 2022.
The campaign exploited vulnerabilities in VMware Horizon (including CVE-2021-44228, aka Log4Shell) to gain an initial foothold in targeted organizations, with the goal of establishing long-term access and subsequently exfiltrating data of interest. The campaign used two known malware families, VSingle and YamaBot, as well as a recently disclosed implant called "MagicRAT."
Researchers detail new Shikitega Linux malware
AT&T Alien Labs said it discovered new malware targeting endpoints and IoT devices running Linux. Dubbed "Shikitega," the malware is delivered in a multistage infection chain in which each module handles one part of the payload, then downloads and executes the next one. The attacker ends up with full control of the system, and the final stage also deploys a cryptocurrency miner that is configured to persist.
Shikitega exploits system vulnerabilities to escalate privileges and uses a polymorphic encoder to make it harder for anti-virus engines to detect. It also abuses legitimate cloud services to host some of its command and control (C&C) servers.
New EvilProxy PhaaS platform lets attackers bypass MFA
A new Phishing-as-a-Service (PhaaS) offering called EvilProxy has emerged on the dark web that allows cybercriminals to bypass multi-factor authentication (MFA) on accounts associated with Apple, Google, Facebook, Microsoft, Twitter, GitHub, GoDaddy, PyPI and others.
First spotted in May 2022, the platform uses reverse proxy and cookie injection techniques to bypass two-factor authentication (2FA) and is offered on a subscription basis per service, with prices ranging from $150 for ten days to $400 for a month. Google accounts cost more: $250 for 10 days, $450 for 20 days, and $600 for 31 days.
Iranian hackers use custom Android malware to spy on targets
An Iran-linked state-sponsored hacking group known as APT42 has been using custom Android malware to spy on targets of interest to the Iranian government. According to Mandiant, the group has carried out at least 30 operations in 14 countries since 2015.
APT42 uses highly targeted spear-phishing and social engineering to gain access to victims' personal or corporate email accounts or to install Android malware on their mobile devices. The group occasionally uses Windows malware to complement its credential harvesting and surveillance efforts. APT42 operations fall into three categories: credential harvesting, surveillance operations, and malware deployment.
Worok cyber-espionage group targets governments, high-profile companies
Cybersecurity researchers at ESET released a deep dive into the activities of a relatively new cyber-espionage group they dubbed "Worok." Active since late 2020, the group mainly targets government organizations and high-profile firms in Asia, but also goes after banks and telecommunication companies in the private sector. Worok uses an assortment of tools, including a C++ loader (CLRLoad), a PowerShell backdoor (PowHeartBeat), and a C# loader (PNGLoad) that uses steganography to extract hidden malicious payloads from PNG files.
Law enforcement operation disrupts WT1SHOP crime marketplace
A website and four domains belonging to WT1SHOP, an online crime market that sold stolen credit cards, ID cards, and login credentials, were seized as a result of an international law enforcement operation. WT1SHOP was one of the largest underground marketplaces catering to cyber criminals seeking to buy stolen personally identifying information (PII). The US authorities also charged WT1SHOP’s operator identified as Nicolai Colesnicov, a 36-year-old resident of Moldova. If found guilty, Colesnicov faces a prison sentence of up to 10 years for conspiracy and trafficking in unauthorized access devices.
Moobot botnet goes after unpatched D-Link routers
A variant of the Mirai botnet known as Moobot is targeting vulnerable D-Link routers using a mix of old and new exploits. A new wave of attacks detected in late August 2022 targeted D-Link routers by exploiting several remote code execution vulnerabilities, including CVE-2015-2051, CVE-2018-6530, CVE-2022-26258, and CVE-2022-28958.
Former Conti hackers adapt their techniques to use against Ukraine
Some former members of the well-known Conti ransomware group have apparently joined the ranks of a hacker group that security researchers track as UAC-0098 and are now adapting their tools to attack Ukrainian entities, the hospitality industry, and European humanitarian and non-profit organizations.
Between April and August 2022, the group conducted five different phishing campaigns. Some of the campaigns impersonated the National Cyber Police of Ukraine, the State Tax Service of Ukraine, or representatives of Elon Musk, StarLink and Microsoft to deliver the IcedID trojan to victims' machines. UAC-0098 was also observed exploiting the Microsoft MSDT vulnerability (CVE-2022-30190, aka Follina) to deliver malicious payloads.