August 26, 2024

News roundup August 26, 2024

SAN MATEO, CA, August 26, 2024 — Cybersecurity news weekly roundup. Stories, news, politics, and events that impacted the network security industry last week. Sponsored by NetworkTigers.

Malware-as-a-service available for $500 a month

Cado Security has identified a new macOS malware called Cthulhu Stealer. Designed to “target Apple macOS hosts and harvest a wide range of information,” the stealer is available as a malware-as-a-service model for $500 a month. Cthulhu Stealer disguises itself as legitimate software or popular cracking software such as CleanMyMac, Grand Theft Auto IV, and Adobe GenP. The stealer prompts users to enter their system password, at which point it can “harvest system information and dump iCloud Keychain passwords using an open-source tool called Chainbreaker.” This stolen data is then compressed into a ZIP archive and sent to a command-and-control server. Cado Security researchers say that the stealer’s main objective is “to steal credentials and cryptocurrency wallets from various stores, including game accounts.” Read more.

Qilin ransomware steals credentials from Chrome browsers

Sophos X-Ops reports that a new tactic from the Qilin ransomware gang allows for the deployment of a custom stealer that can grab credentials saved within the Google Chrome web browser. Sophos observed in a breach analysis that Qilin attackers gained access to the victim network “using compromised credentials for a VPN portal that lacked multi-factor authentication (MFA).” During an 18-day period of dormancy, it is believed that the group may have been mapping the network and “conducting reconnaissance.” The threat actors then “moved laterally to a domain controller and modified Group Policy Objects (GPOs) to execute a PowerShell script (‘IPScanner.ps1’) on all machines logged into the domain network.” A script included in the GPO was designed to collect Chrome credentials. The danger of a company-wide credential theft is the enabling of follow-up attacks, more breaches across other platforms, and the fear of a long-lasting threat that outlives the ransomware attack itself. Read more.
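One way a SOC could detect the sequence Sophos describes (a GPO edit on the domain controller followed by the same script touching Chrome's credential store on many workstations), as an added example that is not part of the Sophos report: Python that correlates constructed Windows event records. The event IDs are real (5136 for a directory service object modification, 4104 for PowerShell script block logging), the `IPScanner.ps1` file name comes from the page, and the records, SYSVOL path, host names and account are hand-written assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events (hand-written for this example, not real telemetry).
# Event 5136 = "A directory service object was modified" (Security log on the DC);
# event 4104 = PowerShell script block logging (Microsoft-Windows-PowerShell/Operational).
# The IPScanner.ps1 name comes from the Sophos write-up; the SYSVOL path, host
# names and account are assumptions.
CHROME_COPY = 'Copy-Item "$env:LOCALAPPDATA\\Google\\Chrome\\User Data\\Default\\Login Data" $out'
GPO_SCRIPT = "\\\\corp.example\\SYSVOL\\corp.example\\scripts\\IPScanner.ps1"

SAMPLE_EVENTS = [
    {"ts": "2024-08-10T01:12:03Z", "host": "DC01", "event_id": 5136,
     "object_class": "groupPolicyContainer",
     "object_dn": "CN={GPO-GUID-PLACEHOLDER},CN=Policies,CN=System,DC=corp,DC=example",
     "subject": "CORP\\svc-backup"},
    {"ts": "2024-08-10T01:20:45Z", "host": "WS-101", "event_id": 4104,
     "script_path": GPO_SCRIPT, "script_block": CHROME_COPY},
    {"ts": "2024-08-10T01:21:02Z", "host": "WS-102", "event_id": 4104,
     "script_path": GPO_SCRIPT, "script_block": CHROME_COPY},
    {"ts": "2024-08-10T01:21:30Z", "host": "WS-103", "event_id": 4104,
     "script_path": GPO_SCRIPT, "script_block": CHROME_COPY},
    # Benign admin script in the same window: must not be flagged.
    {"ts": "2024-08-10T01:25:00Z", "host": "WS-104", "event_id": 4104,
     "script_path": "C:\\Tools\\inventory.ps1",
     "script_block": "Get-Process | Export-Csv C:\\Tools\\procs.csv"},
    # One user backing up their own profile two days later: outside the window.
    {"ts": "2024-08-12T09:00:00Z", "host": "WS-105", "event_id": 4104,
     "script_path": "C:\\Users\\alice\\backup.ps1", "script_block": CHROME_COPY},
]

# Files inside the Chrome profile that hold saved logins and the key that protects them.
CREDENTIAL_STORE_MARKERS = ("User Data\\Default\\Login Data", "User Data\\Local State")


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def gpo_modifications(events):
    """GPO container edits on a domain controller: the tampering step."""
    return [e for e in events
            if e["event_id"] == 5136 and e.get("object_class") == "groupPolicyContainer"]


def credential_store_scripts(events):
    """Script blocks that reference Chrome's credential store."""
    return [e for e in events
            if e["event_id"] == 4104
            and any(m in e.get("script_block", "") for m in CREDENTIAL_STORE_MARKERS)]


def correlate(events, window_hours=24, min_hosts=3):
    """Alert when a GPO edit is followed, within the window, by credential-store
    script execution on at least min_hosts distinct machines. A single host doing
    this is usually a user or admin; many hosts at once is the domain-wide pattern."""
    alerts = []
    suspicious = credential_store_scripts(events)
    for mod in gpo_modifications(events):
        start = parse_ts(mod["ts"])
        end = start + timedelta(hours=window_hours)
        hits = [e for e in suspicious if start <= parse_ts(e["ts"]) <= end]
        hosts = sorted({e["host"] for e in hits})
        scripts = sorted({e["script_path"] for e in hits})
        if len(hosts) >= min_hosts:
            alerts.append({"gpo": mod["object_dn"], "modified_by": mod["subject"],
                           "hosts": hosts, "scripts": scripts})
    return alerts


if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(f"ALERT: GPO {a['gpo']} edited by {a['modified_by']}; "
              f"credential-store script ran on {len(a['hosts'])} hosts via {a['scripts']}")
```

The host-count threshold is the important knob: the same script on one machine is routine, while the same script on many machines minutes after a GPO change is the behaviour Sophos saw. Pair it with an alert on any 5136 against a groupPolicyContainer outside change windows, since that event fires before the scripts run.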

100,000+ WordPress sites at risk

A WordPress plugin called GiveWP has been found to harbor a major security flaw that exposes over 100,000 sites to remote code execution attacks. The flaw, tracked as CVE-2024-5932 and given the maximum CVSS score of 10, affects all versions of the plugin before version 3.14.2. GiveWP, a donation and fundraising plugin, is “vulnerable to PHP Object Injection in all versions up to, and including, 3.14.1 via deserialization of untrusted input from the ‘give_title’ parameter,” states a report from Wordfence. “This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain allows attackers to execute code remotely, and to delete arbitrary files.” Users of the plugin are urged to update their instances immediately and to only use legitimate plugins and themes for their sites. Read more.

Ransomware attackers prefer to work at night

A new report from Malwarebytes indicates that most ransomware attacks are now taking place between the hours of 1am and 5am within the victim’s time zone, hoping to take hold when security teams aren’t paying as much attention or aren’t working at all. Malwarebytes says that, to make matters worse, the time it takes to complete the entire ransomware attack chain has been shortened to a matter of hours. According to Chris Kissel, IDC research VP for security & trust, the only defense against this trend is to maintain a 24/7 detection and response team that can handle an attack even if it takes place at 2am on a Sunday. “They may have a tool to pick up the alert on Monday morning, but by then it will be too late,” he goes on to say. “Threat actors are moving fast to compromise networks, download data and deploy ransomware.” Read more.

GitHub Enterprise Server critical authentication vulnerability

Multiple versions of GitHub Enterprise Server (GHES) contain a vulnerability that could be exploited to “bypass authentication and enable an attacker to gain administrator privileges on the machine.” Tagged as CVE-2024-6800, the flaw has a severity rating of 9.5 and is an “XML signature wrapping problem that occurs when using the Security Assertion Markup Language (SAML) authentication standard with certain identity providers.” There are reportedly 36,500 instances of GHES accessible via the internet, although it is not known how many of them are running a version of the product that contains this flaw. The issue is addressed in GHES versions 3.13.3, 3.12.8, 3.11.14, and 3.10.16. Users are urged to ensure that the GHES version they are running is up to date. Read more.
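XML signature wrapping works because a service provider verifies a signature over one element but then reads identity from another. As an added example (not GitHub's code and not the fix for CVE-2024-6800), the following Python performs the structural checks a SAML consumer should make before trusting an assertion: IDs are unique, there is exactly one assertion and one signature, the signature's Reference points at the assertion (or the Response that wraps it), and the Signature element is enveloped inside the very element it references. Cryptographic verification of the signature is assumed to happen separately in an XML-DSig library; the two SAML responses are constructed test vectors with placeholder signature values.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


class SamlStructureError(ValueError):
    """Raised when the message shape could let an unsigned assertion be consumed."""


def consumed_assertion(xml_bytes):
    """Return the NameID the service provider may trust, after structural checks.
    Signature bytes are assumed to be verified elsewhere; this only ensures the
    verified signature actually covers the element whose contents are used."""
    root = ET.fromstring(xml_bytes)

    # 1. IDs must be unique: a duplicated ID lets a Reference URI still "resolve"
    #    while the consumer reads a different element with the same ID.
    ids = [el.get("ID") for el in root.iter() if el.get("ID") is not None]
    if len(ids) != len(set(ids)):
        raise SamlStructureError("duplicate ID attribute in document")

    # 2. Exactly one Assertion, and it must be a direct child of the Response.
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        raise SamlStructureError(f"expected one Assertion, found {len(assertions)}")
    assertion = assertions[0]

    # 3. Exactly one Signature anywhere in the document, with one same-document Reference.
    signatures = root.findall(".//ds:Signature", NS)
    if len(signatures) != 1:
        raise SamlStructureError(f"expected one Signature, found {len(signatures)}")
    signature = signatures[0]
    refs = signature.findall("ds:SignedInfo/ds:Reference", NS)
    if len(refs) != 1:
        raise SamlStructureError(f"expected one Reference, found {len(refs)}")
    uri = refs[0].get("URI", "")
    if not uri.startswith("#"):
        raise SamlStructureError("only same-document references are accepted")
    ref_id = uri[1:]

    # 4. The Reference must point at the Response or at the consumed Assertion,
    #    and the Signature must be an enveloped child of that very element.
    if ref_id == root.get("ID"):
        signed_element = root
    elif ref_id == assertion.get("ID"):
        signed_element = assertion
    else:
        raise SamlStructureError("Reference does not cover the consumed assertion")
    if not any(child is signature for child in signed_element):
        raise SamlStructureError("Signature is not enveloped in the element it references")

    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not name_id.text:
        raise SamlStructureError("assertion has no NameID")
    return name_id.text


# Constructed test vectors (hand-written; SignatureValue is a placeholder, not a real signature).
GOOD_RESPONSE = b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_resp1">
  <saml:Assertion ID="_a1">
    <ds:Signature>
      <ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo>
      <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
    </ds:Signature>
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

# Same signed assertion moved into an Extensions wrapper, with an unsigned assertion
# placed where the consumer looks: the shape a wrapping check must reject.
WRAPPED_RESPONSE = b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_resp1">
  <samlp:Extensions>
    <saml:Assertion ID="_a1">
      <ds:Signature>
        <ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo>
        <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
      </ds:Signature>
      <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
    </saml:Assertion>
  </samlp:Extensions>
  <saml:Assertion ID="_a2">
    <saml:Subject><saml:NameID>admin@example.com</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""


if __name__ == "__main__":
    print("good:", consumed_assertion(GOOD_RESPONSE))
    try:
        consumed_assertion(WRAPPED_RESPONSE)
    except SamlStructureError as err:
        print("wrapped rejected:", err)
```

The order of checks matters less than the rule they implement together: the element whose NameID and conditions you act on must be the same element the signature was verified over, located by position rather than by ID lookup alone. Production SAML libraries do this internally; the value of a check like this is in code paths that parse the response themselves before or after the library call.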

New macOS malware may be from North Korean hackers

A new malware strain affecting macOS has been found to share “several behaviors with malware we’ve seen that originated in North Korea (DPRK) — specifically the threat actor known as BlueNoroff — such as KANDYKORN and RustBucket,” according to Kandji security researcher Christopher Lopez. The malware, dubbed TodoSwift, “is distributed in the form of a TodoTasks, which consists of a dropper component. This module is a GUI application written in SwiftUI that’s engineered to display a weaponized PDF document to the victim while covertly downloading and executing a second-stage binary.” The PDF document is a Bitcoin-related Google Drive document and the malicious component is hosted on a threat actor-controlled domain. North Korean hackers remain especially financially motivated, heavily targeting crypto-related businesses and platforms in the hopes of stealing currency. Read more.

Microsoft macOS apps vulnerable to library injection

Cisco Talos has reported that eight Microsoft apps for macOS are vulnerable to library injection attacks that could allow hackers to steal app permissions and access sensitive data. The eight apps are Outlook, three versions of Teams, PowerPoint, OneNote, Excel, and Word. The vulnerability stems from attackers being able to “bypass macOS’ permission model by using existing app permissions without prompting the user for any additional verification” because macOS “trusts applications to ‘self-police’ their permissions.” Researchers at Cisco Talos say that, because these apps disable library validation, “Microsoft is circumventing the safeguards offered by the hardened runtime, potentially exposing its users to unnecessary risks.” Microsoft has since updated four of the apps to no longer have this entitlement, but Microsoft Excel, Outlook, PowerPoint, and Word all remain vulnerable. Read more.
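The entitlement Talos refers to is a hardened-runtime exception that the app itself declares, so it can be audited from the signed entitlements without running the app. As an added example (not Talos's or Microsoft's code), the Python below reads an entitlements property list and flags Apple's documented hardened-runtime exception keys, rating the finding higher when the same app also declares access to sensitive devices or personal data, since an injected library inherits whatever the host app has been granted. The entitlement keys are Apple's; the two plists are constructed for a hypothetical app.

```python
import plistlib

# Hardened-runtime exception entitlements documented by Apple; each switches off
# one protection. disable-library-validation is the one Talos called out: with it
# set, the app will load libraries not signed by Apple or by its own Team ID.
RISKY_ENTITLEMENTS = {
    "com.apple.security.cs.disable-library-validation":
        "loads libraries not signed by Apple or the app's Team ID",
    "com.apple.security.cs.allow-dyld-environment-variables":
        "honours DYLD_* variables, a second library-injection path",
    "com.apple.security.cs.allow-unsigned-executable-memory":
        "permits unsigned executable memory",
    "com.apple.security.cs.disable-executable-page-protection":
        "disables executable page protection entirely",
}

# Entitlements that signal access to sensitive resources (App Sandbox keys).
SENSITIVE_ENTITLEMENTS = (
    "com.apple.security.device.camera",
    "com.apple.security.device.audio-input",
    "com.apple.security.personal-information.addressbook",
    "com.apple.security.personal-information.calendars",
)

# Constructed sample: a hypothetical app that wants camera and microphone access
# and also opts out of library validation.
SAMPLE_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.cs.disable-library-validation</key>
    <true/>
    <key>com.apple.security.cs.allow-jit</key>
    <false/>
    <key>com.apple.security.device.camera</key>
    <true/>
    <key>com.apple.security.device.audio-input</key>
    <true/>
</dict>
</plist>
"""

# Constructed sample: same app after the exception entitlement was removed.
CLEAN_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.device.camera</key>
    <true/>
    <key>com.apple.security.device.audio-input</key>
    <true/>
</dict>
</plist>
"""


def audit_entitlements(plist_bytes):
    """Return the hardened-runtime exceptions an app declares and a severity:
    'none' if there are no exceptions, 'medium' if there are, 'high' if the app
    also holds sensitive access that an injected library would inherit."""
    ents = plistlib.loads(plist_bytes)
    findings = [{"entitlement": key, "why": why}
                for key, why in RISKY_ENTITLEMENTS.items() if ents.get(key) is True]
    sensitive = [key for key in SENSITIVE_ENTITLEMENTS if ents.get(key) is True]
    if not findings:
        severity = "none"
    elif sensitive:
        severity = "high"
    else:
        severity = "medium"
    return {"severity": severity, "findings": findings, "sensitive_access": sensitive}


if __name__ == "__main__":
    for label, blob in (("sample", SAMPLE_ENTITLEMENTS), ("clean", CLEAN_ENTITLEMENTS)):
        report = audit_entitlements(blob)
        print(label, report["severity"])
        for f in report["findings"]:
            print("  ", f["entitlement"], "->", f["why"])
```

To use it on a real bundle, feed it the XML plist that `codesign -d --entitlements` prints for the app (the exact flags that yield plain XML differ across macOS versions). Note that on a non-sandboxed app the privacy permissions that matter most are the ones the user granted through TCC, which do not appear in entitlements at all, so treat the sensitive-access list as a hint rather than a complete picture.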

Record-breaking ransomware profit in 2024

Companies hit with ransomware in the first half of 2024 have paid out $459,800,000 to cybercriminals, breaking last year’s record and setting the course for the most money lost to ransomware attackers in a single year if the trend continues. In spite of high-profile law enforcement takedowns of major ransomware operations and an overall greater awareness of ransomware as a whole, this year’s payout is 2% higher than 2023’s. A report from Chainalysis states that “2024 is set to be the highest-grossing year yet for ransomware payments, due in no small part to strains carrying out fewer high-profile attacks, but collecting large payments.” The report also calls out a $75 million ransom payment to the Dark Angels ransomware gang as “the largest ransomware payment ever recorded.” On a positive note, fewer organizations in general are giving in to criminal demands, yielding a record low of only 28% in the first quarter of 2024. Read more.

OpenAI blocks Iranian election interference campaign

OpenAI has joined Google and Microsoft in calling out Iranian operations set to disrupt or influence the US presidential election. The campaign is said to have been using OpenAI and ChatGPT to create both long-form articles and short social media comments “which were shared across five websites posing as both progressive and conservative news outlets, as well as comments in Spanish and English posted on social media.” OpenAI noted that the efforts did “not appear to have achieved meaningful audience engagement,” with the “majority of social media posts that we identified [receiving] few or no likes, shares or comments.” OpenAI has banned the accounts it identified as associated with the operation. Read more.

FakeBat malware spread via software lookalike sites

Researchers at Mandiant Managed Defense have identified an uptick in malware infections caused by a malvertising campaign spreading the FakeBat loader. The FakeBat loader, also called EugenLoader and PaykLoader, is attributed to a threat actor called Eugenfest and is targeting victims searching for popular software by pushing them “toward bogus lookalike sites that host booby-trapped MSI installers.” According to the researchers, “The infection utilizes a trojanized MSIX installer, which executes a PowerShell script to download a secondary payload.” What makes this particular campaign noteworthy is the use of MSIX installers disguised as Brave, KeePass, Notion, Steam, and Zoom. FakeBat can deliver malware families such as IcedID, RedLine Stealer, Lumma Stealer, SectopRAT (aka ArechClient2), and Carbanak. Read more.


Ben Walker
Ben Walker is a freelance research-based technical writer. He has worked as a content QA analyst for AT&T and Pernod Ricard.
