Google warns infoseccers: Beware of North Korean spies sliding into your DMs
ALSO: Verizon turns self in for reduced fine, malvertising comes to macOS, and this week's critical vulnerabilities
Infosec in brief Watch out, cyber security researchers: Suspected North Korean-backed hackers are targeting members of the infosec community again, according to Google's Threat Analysis Group (TAG).
As was the case in 2021 when TAG made a similar claim, suspected North Korean agents are reaching out to targets using social media to build rapport before moving targets to secure services like Signal or WhatsApp. As was also the case in 2021, Google offered no explanation or conclusions.
"Once a relationship was developed with a targeted researcher, the threat actors sent a malicious file that contained at least one 0-day in a popular software package," TAG researchers wrote. Google didn't mention the affected vendor, but said efforts were underway to deploy a patch.
Per Google, shellcode in the malicious file collects information on affected systems and sends it back to C2 servers. "The shellcode used in this exploit is constructed in a similar manner to shellcode observed in previous North Korean exploits," TAG explained.
But wait – there's more.
Google has an additional warning to deliver: The threat actors also developed a standalone tool for Windows that could appeal to the infosec community. On the surface, dbgsymbol [GitHub link https://github[.]com/dbgsymbol/ provided for visibility – don't download this] is used to download debugging symbol information from various sources – handy for debugging issues in binaries, or doing vulnerability research.
"The tool also has the ability to download and execute arbitrary code from an attacker-controlled domain," TAG warned. While not including any description of what dbgsymbol may have been used to download, Google recommends that anyone who has downloaded or run the tool "ensure your system is in a known clean stage, likely requiring a reinstall of the operating system."
Sorry – guess those weekend plans have been made for you, unlucky random GitHub project downloaders.
Critical vulnerabilities: Active exploits a go-go
If it was a quiet week for newly discovered and critically dangerous exploits, then threat actors didn't get the message. There were plenty of active exploits addressed this week.
First up, Google's monthly Android security updates for September were released, addressing several critical vulnerabilities and one that may be under active exploit. CVE-2023-35674 is an issue in Android's framework, and could be used for privilege escalation without the need for user interaction.
CISA, the FBI and the Cyber National Mission Force saw fit to issue a warning this week that multiple nation-state threat actors have been actively exploiting a pair of vulnerabilities in Fortinet firewalls and Zoho's ManageEngine software to "expand targeted network access, serve as malicious infrastructure, or a mixture of both." Patch and monitor, the groups recommend.
Apache RocketMQ, an open source messaging and streaming service developed by Alibaba, also has a remote code execution vulnerability under active exploitation, and a patch is available.
As for recently flagged vulnerabilities:
- CVSS 10.0 – Multiple CVEs: The web portal firmware for Socomec's MODULYS GP UPS systems contains a veritable grab bag of vulnerabilities that could allow an attacker to do all sorts of malicious stuff.
- CVSS 10.0 – CVE-2023-20238: A vulnerability in the single sign-on (SSO) implementation of Cisco BroadWorks Application Delivery Platform and Cisco BroadWorks Xtended Services Platform could allow an unauthenticated, remote attacker to forge the credentials required to access an affected system.
- CVSS 9.8 – Multiple CVEs: MedDream PACS health imaging server software contains a pair of vulnerabilities that, if chained together, could let an attacker leak credentials or execute arbitrary code.
- CVSS 9.6 – Multiple CVEs: Phoenix Contact's telecoms routers and cloud client software contain a series of vulnerabilities that can be exploited to cause denial of service or code execution in user browsers.
- CVSS 9.1 – Multiple CVEs: The web console for Dover Fueling Solutions MAGLINK LX tank management devices contains a chain of vulnerabilities that can give an attacker full access to vulnerable systems.
DoJ thanks Verizon for its negligence with reduced fine
Verizon may have copped to failing to properly protect General Services Administration (GSA) devices connected to public networks and failing to meet the terms of a contract for five years, but at least it copped to it.
In exchange, the Department of Justice has decided it'll keep the fine to a mere $4 million and change, thank you very much. "The United States acknowledged that Verizon took a number of significant steps entitling it to credit for cooperating with the government," the DoJ said.
Verizon's Managed Trusted Internet Protocol Service, or MTIPS, was used by the GSA from 2017 until 2021, during which time the feds allege the telco "did not completely satisfy three required cybersecurity controls for trusted internet connections."
Verizon blew the whistle on itself when it realized it had dropped the ball, "cooperated with the government's investigation of the issues and took prompt and substantial remedial measures," the DoJ declared.
In exchange for its cooperation (and non-admission of responsibility, naturally), Verizon gets away with forking over a mere 0.08 percent of its net income in Q2 of 2023 – and that was a down quarter.
Malvertising on Mac
Malwarebytes researchers have discovered a malware-laden advertising campaign in Google search results that's casting a wide net by targeting both Windows and Mac devices.
The Apple malware – which is the interesting feature of this campaign – is a variant of the Atomic Stealer malware that popped up earlier this year. In this case, it's a run-and-done malware that makes off with passwords, keychain data, autofill records, cookies, files and crypto wallet information.
Interestingly, this particular "variant" even comes with instructions for how to open it in a manner that bypasses macOS Gatekeeper, which performs runtime checks to kill potentially malicious executables.
In short, like all good malware for commercially available and locked-down OSes like macOS, iOS or Android, this one requires victims to fall prey to both a phishing attempt via malicious advertising and questionable prompts. ®