SAN MATEO, CA, May 1, 2023 — Cybersecurity news weekly roundup. Stories, news, politics, and events that impacted the network security industry last week. Brought to you by NetworkTigers.
- Atomic macOS Stealer nabs keychain passwords and crypto
- Microsoft says Clop and LockBit gangs responsible for PaperCut server hacks
- Researchers voice concern about the metaverse version of the dark web
- CISA says election protection top priority for the next 18 months
- Charming Kitten cybercrime group using new malware against international targets
- Transient execution side-channel attacks carried out against Intel CPUs
- RustBucket macOS malware deployed by Lazarus offshoot group
- New EvilExtractor information stealer circulating on the dark web
- Improperly wiped resold routers found to contain sensitive corporate data
Atomic macOS Stealer nabs keychain passwords and crypto
A new piece of malware targeting Mac users, called Atomic macOS Stealer or AMOS, has been seen being sold on Telegram by threat actors. For $1,000 a month, aspiring hackers can grab the tool and “steal various types of information from the victim’s machine, including Keychain passwords, complete system information, files from the desktop and documents folder, and even the macOS password,” according to researchers at Cyble. AMOS can also “extract data from web browsers and cryptocurrency wallets like Atomic, Binance, Coinomi, Electrum, and Exodus.” The developers even provide buyers with a web panel for managing and organizing victims.
Microsoft says Clop and LockBit gangs responsible for PaperCut server hacks
Patches were released last month for vulnerabilities in the PaperCut Application Server that allow remote code execution. The flaws have since been observed being exploited in the wild, and PaperCut is strongly urging users to update. Microsoft has revealed that the ransomware gangs Clop and LockBit have been behind the exploitation, using the flaws to steal corporate data. According to a tweet from Microsoft’s Threat Intelligence researchers, “Microsoft is attributing the recently reported attacks exploiting the CVE-2023-27350 and CVE-2023-27351 vulnerabilities in print management software PaperCut to deliver Clop ransomware to the threat actor tracked as Lace Tempest (overlaps with FIN11 and TA505).”
Researchers voice concern about the metaverse version of the dark web
Security researchers from Trend Micro have voiced concern over the “darkverse,” the metaverse’s version of the dark web. Given how quickly criminal enterprises, scammers and crooks adapt to and exploit new technological spaces, the researchers predict that “amplified” versions of the kinds of cybercrime we already see will grow as more people use the digital space. “What will make the darkverse a distinctly more dangerous place is the difficulty law enforcement entities will have in trying to infiltrate the criminal activities taking place on it,” the researchers warn.
CISA says election protection top priority for the next 18 months
In the lead-up to the 2024 presidential election, CISA’s executive assistant director for cybersecurity says the agency is focusing intently on ensuring that voting systems are safe from attack. “This is our top priority over the next year and a half,” he said. “We have cybersecurity advisors across the country who every day are meeting with secretaries of state and state and local election officials to make sure that they are getting the right assessment information services to meet their needs.” The FBI revealed last year that Eminent Pasargad, an Iranian cybercrime group, had engaged in operations targeting the electoral security of the 2020 election.
Charming Kitten cybercrime group using new malware against international targets
Charming Kitten, Iran’s most notorious state-backed cybercrime group, has been observed using a new malware variant called BellaCiao. BellaCiao was discovered by researchers at Bitdefender Labs and is a dropper “capable of delivering other malware payloads onto a victim machine based on commands received from an actor-controlled server.” Researchers aren’t yet sure how Charming Kitten is delivering BellaCiao, but they suspect the group is leveraging “the exploitation of known vulnerabilities in internet-exposed applications like Microsoft Exchange Server or Zoho ManageEngine.” Targeted victims so far have been in the US, the Middle East, Europe and India.
Transient execution side-channel attacks carried out against Intel CPUs
A new side-channel attack that works against multiple generations of Intel CPUs has been discovered by researchers at Tsinghua University, the University of Maryland, and a computer lab (BUPT) run by the Chinese Ministry of Education. What sets this attack method apart is that “instead of relying on the cache system like many other side-channel attacks, this new attack leverages a flaw in transient execution that makes it possible to extract secret data from user memory space through timing analysis.” However, the researchers note that this particular technique “isn’t as reliable as cache-state side-channel methods, and to get better results in recent chips, the attack would have to be repeated thousands of times.”
RustBucket macOS malware deployed by Lazarus offshoot group
A new macOS malware variant called RustBucket is believed to have been deployed by BlueNoroff, a subgroup of North Korea’s state-backed Lazarus hacker group. True to Lazarus’ tactics, BlueNoroff distributes RustBucket via malicious links tucked into fraudulent employment offers. The malware “masquerades as an ‘Internal PDF Viewer’ application to activate the infection,” although a successful infection depends on the victim manually overriding their system’s Gatekeeper protections. In recent months, groups falling under the Lazarus umbrella have increased their cryptocurrency theft and espionage activity.
New EvilExtractor information stealer circulating on the dark web
EvilExtractor, a new piece of malware, is being marketed on the dark web as an all-in-one info stealer for Windows-based targets. Fortinet FortiGuard Labs states that EvilExtractor features “several modules that all work via an FTP service” and “also contains environment checking and Anti-VM functions.” Researchers believe that EvilExtractor’s primary function is stealing browser data. The software is being spread via phishing campaigns and can also be used to launch ransomware.
Improperly wiped resold routers found to contain sensitive corporate data
Researchers at security firm ESET found that complete configuration data was still intact on half of the 18 used routers they purchased for the test. ESET discovered that the hardware had “not been properly wiped and contained network configuration data as well as information that helped identify the previous owners.” Some were also found to still contain “router-to-router authentication keys and hashes.” ESET warns that this type of data can be used by criminals to penetrate deeply into a targeted network with relative ease.