Google warns infoseccers: Beware of North Korean spies sliding into your DMs


Infosec in brief Watch out, cyber security researchers: Suspected North Korean-backed hackers are targeting members of the infosec community again, according to Google's Threat Analysis Group (TAG).

As was the case in 2021 when TAG made a similar claim, suspected North Korean agents are reaching out to targets using social media to build rapport before moving them to secure messaging services like Signal or WhatsApp. As was also the case in 2021, Google offered no explanation or conclusions.

"Once a relationship was developed with a targeted researcher, the threat actors sent a malicious file that contained at least one 0-day in a popular software package," TAG researchers wrote. Google didn't name the affected vendor, but said efforts were underway to deploy a patch.

Per Google, shellcode in the malicious file collects information on affected systems and sends it back to C2 servers. "The shellcode used in this exploit is constructed in a similar manner to shellcode observed in previous North Korean exploits," TAG explained.

But wait – there's more.

Google has an additional warning to deliver: The threat actors also developed a standalone tool for Windows that could appeal to the infosec community. On the surface, dbgsymbol [GitHub link https://github[.]com/dbgsymbol/ provided for visibility – don't download this] is used to download debugging symbol information from various sources – useful for debugging issues in binaries, or doing vulnerability research.

"The tool also has the ability to download and execute arbitrary code from an attacker-controlled domain," TAG warned. While not including any description of what dbgsymbol may have been used to download, Google recommends that anyone who has downloaded or run the tool "ensure your system is in a known clean state, likely requiring a reinstall of the operating system."

Sorry – guess those weekend plans have been made for you, unlucky random GitHub project downloaders.

Critical vulnerabilities: Active exploits a go-go

If it was a quiet week for newly discovered critical vulnerabilities, then threat actors didn't get the message. There were plenty of active exploits addressed this week.

First up, Google's monthly Android security updates for September were released, addressing several critical vulnerabilities and one that may be under active exploit. CVE-2023-35674 is an issue in Android's framework, and could be used for privilege escalation without the need for user interaction.

CISA, the FBI and the Cyber National Mission Force saw fit to issue a warning this week that multiple nation-state threat actors have been actively exploiting a pair of vulnerabilities in Fortinet firewalls and Zoho's ManageEngine software to "expand targeted network access, serve as malicious infrastructure, or a mixture of both." Patch and monitor, the groups recommend.

Apache RocketMQ, an open source messaging and streaming service developed by Alibaba, is having a remote code execution vulnerability actively exploited as well, and a patch is available.

As for recently flagged vulnerabilities:

  • CVSS 10.0 – Multiple CVEs: The web portal firmware for Socomec's MODULYS GP UPS systems contains a veritable grab bag of vulnerabilities that could allow an attacker to do all sorts of malicious stuff.
  • CVSS 10.0 – CVE-2023-20238: A vulnerability in the single sign-on (SSO) implementation of Cisco BroadWorks Application Delivery Platform and Cisco BroadWorks Xtended Services Platform could allow an unauthenticated, remote attacker to forge the credentials required to access an affected system.
  • CVSS 9.8 – Multiple CVEs: MedDream PACS health imaging server software contains a pair of vulnerabilities that, if chained together, could let an attacker leak credentials or execute arbitrary code.
  • CVSS 9.6 – Multiple CVEs: Phoenix Contact's telecoms routers and cloud client software contain a series of vulnerabilities that can be exploited to cause denial of service or code execution in user browsers.
  • CVSS 9.1 – Multiple CVEs: The web console for Dover Fueling Solutions MAGLINK LX tank management devices contains a chain of vulnerabilities that can give an attacker full access to vulnerable systems.

DoJ thanks Verizon for its negligence with reduced fine

Verizon may have copped to failing to properly protect General Services Administration (GSA) devices connected to public networks and failing to meet the terms of a contract for five years, but it copped to it.

In exchange, the Department of Justice has decided it'll keep the fine to a mere $4 million and change, thank you very much. "The United States acknowledged that Verizon took a number of significant steps entitling it to credit for cooperating with the government," the DoJ said.

Verizon's Managed Trusted Internet Protocol Service, or MTIPS, was used by the GSA from 2017 until 2021, during which time the feds allege the telco "did not completely satisfy three required cybersecurity controls for trusted internet connections."

Verizon blew the whistle on itself when it realized it had dropped the ball, "cooperated with the government's investigation of the issues and took prompt and significant remedial measures," the DoJ declared.

In exchange for its cooperation (and non-admission of liability, naturally), Verizon gets away with forking over a mere 0.08 percent of its net income in Q2 of 2023 – and that was a down quarter.

Malvertising on Mac

Malwarebytes researchers have discovered a malware-laden advertising campaign in Google search results that's casting a wide net by targeting both Windows and Mac devices.

The Apple malware – which is the interesting feature of this campaign – is a variant of the Atomic Stealer malware that popped up earlier this year. In this case, it's a run-and-done malware that makes off with passwords, keychain data, autofill records, cookies, files and crypto wallet information.

Interestingly, this particular "variant" even comes with instructions for how to open it in a way that bypasses macOS Gatekeeper, which performs runtime checks to kill potentially malicious executables.

In short, like all good malware for commercially available and locked-down OSes like macOS, iOS or Android, this one requires victims to fall prey to both a phishing attempt via malicious advertising and questionable prompts. ®