By security practitioners, for security practitioners

Weekly Top 10 – 11.13.2023- New North Korean-Linked MacOS Malware, Google Calendar CNC Abuse

WEEKLY TOP TEN | November 13, 2023 15:00 GMT

Our Threat Operations and Intelligence team compiles a daily digest of the most recent online cybersecurity risks. The following top 10 stories were selected from the 40+ original ones we determined to be most significant during the course of the week, ranking by highest risk and using multiple sources when available:

  1. New North Korean-Linked MacOS Malware Discovered

    BlueNoroff is a North-Korean-backed APT group with a history of financially motivated attacks. Recently, a new strain in the RustBucket malware family, dubbed ObjCShellz, was discovered by Jamf Threat Labs during a threat hunt. This malware targets macOS devices and is used to gain a remote shell on infected devices, establishing C2 (command and control) and dropping later-stage payloads.
  2. Google Calendar Abused for Command and Control

    In a Google Threat Horizons report, their offensive security team showcased a proof of concept in which Google Calendar events were used for command and control of infected systems. This type of C2 framework allows attackers to use existing, trusted services already reachable from an organization’s network, significantly reducing the complexity of infection and allowing for evasion of standard security tools. Google has reported that they have seen no indication of abuse in the wild; however, the proof-of-concept code presented along with the report has been forked into several new GitHub repositories, indicating potential for inclusion in new malware.
  3. Azure Cloud Automation Leveraged for Stealthy Crypto Mining

    Researchers have discovered a new method of cryptocurrency mining using Azure Automation services that does not incur service charges, significantly increasing the time to detection. The research team at SafeBreach, who created this technique, states that this exploit has the potential to “achieve any task that requires code execution on Azure.” These types of cloud crypto-miner attacks are popular among threat actors because of the low-maintenance profit they generate.
  4. Monero Project Discloses Theft of $444k from their Community Crowdfunding Wallet

    Monero, aka XMR, is a very popular privacy-focused cryptocurrency. The Monero Project, which develops and maintains this cryptocurrency, just disclosed a theft from their Community Crowdfunding System (CCS) wallet that occurred on September 1st. The theft was a total of 2,675 XMR, which converts to $444,825.75 at the exchange rate at the time of writing. The funds in this wallet were the result of donations to the developers from community members. The Monero Project’s main wallet remains untouched by attackers.
  5. ChatGPT Outage Confirmed to be due to a DDoS Attack

    OpenAI, the creators of ChatGPT, have been working through a series of outages across several products, including ChatGPT, DALL-E, and their API. While OpenAI has not officially attributed this attack to any specific threat actor, Anonymous Sudan has claimed responsibility, stating that the attacks are due to OpenAI’s “general biasness towards Israel and against Palestine.”
  6. Clop Ransomware Deployed via a Zero Day in SysAid IT Management Software

    SysAid is an IT service management (ITSM) tool providing a service desk platform. On November 2nd, a zero-day vulnerability was discovered in this software, currently tracked as CVE-2023-47246. As of November 9th, Microsoft Threat Intelligence has reported that in-the-wild exploitation of this vulnerability has been observed, specifically in Clop ransomware deployments. A blog from SysAid states that this is a path traversal vulnerability that can lead to remote code execution.
  7. OKTA Customer Support Breach Affects Over One Hundred Customers

    OKTA is an enterprise identity service provider, handling authentication and user management. Recently, their support systems suffered a cyberattack, which led to the theft of several customer files that had been shared with OKTA support for troubleshooting. Some of these files were improperly sanitized and contained sensitive information such as API keys and credentials. With this information, the same threat actor launched attacks on several of OKTA’s customers, including 1Password and Cloudflare.
  8. Malvertising Campaign Masquerades as IT News Sites to Deliver Malware

    A new malvertising campaign has been observed posing as legitimate IT news sites to deliver malware, specifically a trojanized version of the CPU-Z utility, a tool for troubleshooting computer hardware. To further evade detection, these sites use a technique called cloaking: visitors who are not the intended victims are redirected to a legitimate blog page, while a targeted user who clicks the same link is redirected to a malicious download site.
  9. Jupyter Infostealer Employs New Tactics for Defense Evasion

    Jupyter infostealer malware is primarily designed to harvest information from infected systems, usually in the form of browser data and cryptocurrency wallet information. Researchers at VMware have observed an increased number of attacks involving this malware, including enhanced defense evasion capabilities. The researchers observed the malware using legitimate-looking PowerShell commands and binaries with valid digital signatures, which evade traditional indicator-based detection tools.
  10. Russian-Backed APT Targets Ukrainian Power Infrastructure

    The Russian-backed APT group Sandworm has been observed breaching Ukrainian power substations in coordination with Russian missile strikes. These attacks target the OT (operational technology) systems of substations, using malware to interact with circuit breakers and cut power to the service area. This is the same threat actor behind the infamous NotPetya attacks of 2017, with similar targets and impacts.