WEEKLY TOP TEN | November 13, 2023 15:00 GMT
Our Threat Operations and Intelligence team compiles a daily digest of the most recent online cybersecurity risks. The following top 10 stories were selected from the 40+ stories we judged most significant over the course of the week, ranked by risk and cross-checked against multiple sources where available:
- New North Korean-Linked MacOS Malware Discovered
BlueNoroff is a North Korean-backed APT group with a history of financially motivated attacks. Recently, a new strain in the RustBucket malware family, dubbed ObjCShellz, was discovered by Jamf Threat Labs during a threat hunt. This malware targets macOS devices and is used to gain a remote shell on infected devices, establishing C2 (command and control) and dropping later-stage payloads.
- Google Calendar Abused for Command and Control
In a Google Threat Horizons report, Google's offensive security team showcased a proof of concept in which Google Calendar events were used for command and control of infected systems. This type of C2 framework lets attackers blend into services already in use on an organization's network, significantly reducing the complexity of the infection chain and helping it evade standard security tools. Google has reported that it has seen no indication of abuse in the wild; however, the proof-of-concept code published alongside the report has been forked into several new GitHub repositories, indicating potential for inclusion in new malware.
- Azure Cloud Automation Leveraged for Stealthy Crypto Mining
Researchers have discovered a new method of cryptocurrency mining using Azure Automation services that does not incur service charges, significantly increasing the time to detection. The research team at SafeBreach, who created this technique, states that this exploit has the potential to “achieve any task that requires code execution on Azure.” These types of cloud crypto miner attacks are popular among threat actors due to the low-maintenance profit they generate.
- Monero Project Discloses Theft of $444k from their Community Crowdfunding Wallet
Monero, aka XMR, is a very popular privacy-focused cryptocurrency. The Monero Project, which develops and maintains this cryptocurrency, has just disclosed that its Community Crowdfunding System (CCS) wallet was drained on September 1st. The theft totaled 2,675 XMR, which converts to $444,825.75 at the exchange rate at the time of writing. The funds in this wallet were donations from community members to the developers. The Monero Project's main wallet remains untouched by attackers.
- ChatGPT Outage Confirmed to be due to a DDoS Attack
OpenAI, the creators of ChatGPT, have been working through a series of outages across several products, including ChatGPT, Dall-E, and their API. While OpenAI has not officially attributed this attack to any specific threat actor, Anonymous Sudan has claimed responsibility, claiming the attacks are due to OpenAI’s “general biasness towards Israel and against Palestine.”
- Clop Ransomware Deployed via a Zero Day in SysAid IT Management Software
SysAid is an IT service management (ITSM) tool providing a service desk platform. On November 2nd, a zero-day vulnerability was discovered in this software, currently tracked as CVE-2023-47246. As of November 9th, Microsoft Threat Intelligence has reported that in-the-wild exploitation of this vulnerability has been observed, specifically in Clop ransomware deployments. A SysAid blog post states that this is a path traversal vulnerability that can lead to remote code execution.
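The item above names the defect class without describing SysAid's code, and the page does not contain any of it. As an added illustration (not SysAid's code, and not the CVE-2023-47246 bug itself), the following shows the generic path traversal pattern from a defender's side: a resolver that joins a client-supplied name onto a base directory without checks, beside a hardened resolver that confines every request to that directory. The request names and the `uploads` tree are constructed for the demo.

```python
"""
Added example, not SysAid's code: the generic path-traversal defect class,
shown as a vulnerable resolver beside a hardened one that confines every
request to a base directory. Request names below are constructed.
"""
import tempfile
from pathlib import Path, PurePosixPath, PureWindowsPath


def naive_resolve(base_dir, requested):
    # Vulnerable: joining never removes ".." components, so a request such as
    # "../secret.key" resolves to a file outside base_dir.
    return str(Path(base_dir) / requested)


def safe_resolve(base_dir, requested):
    """Return an absolute Path inside base_dir, or raise ValueError.

    Run this on the *decoded* name: percent-decoding ("%2e%2e%2f") or other
    normalisation done earlier in the request pipeline must already be
    applied, otherwise the check and the file system see different strings.
    """
    if "\x00" in requested:
        # NUL bytes truncate names in many C-backed file APIs.
        raise ValueError("NUL byte in path")
    # An absolute component makes Path(base) / requested discard base entirely,
    # so reject POSIX and Windows absolute forms before joining.
    if (PurePosixPath(requested).is_absolute()
            or PureWindowsPath(requested).is_absolute()
            or requested.startswith(("/", "\\"))):
        raise ValueError(f"absolute path rejected: {requested!r}")
    base = Path(base_dir).resolve()
    # resolve() collapses ".." and follows symlinks, so a link inside base_dir
    # that points outside it is rejected as well.
    candidate = (base / requested).resolve()
    if candidate != base and base not in candidate.parents:
        raise ValueError(f"path escapes base directory: {requested!r}")
    return candidate


# Constructed request names: two benign, three traversal attempts.
REQUESTS = (
    "report.txt",
    "../secret.key",
    "sub/../../x",
    "/etc/passwd",
    "a/./b/../report.txt",
)


def demo():
    """Exercise the hardened resolver on the constructed names in a throwaway tree."""
    verdicts = {}
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp, "uploads")
        base.mkdir()
        (base / "report.txt").write_text("ok")
        for name in REQUESTS:
            try:
                safe_resolve(base, name)
                verdicts[name] = "allowed"
            except ValueError:
                verdicts[name] = "rejected"
    return verdicts


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{verdict:8} {name!r:24} naive -> {naive_resolve('/srv/uploads', name)}")
```

The comparison against the resolved `base` (rather than a string prefix test) matters: a prefix check would accept `uploads-evil/` as "inside" `uploads`, and skipping `resolve()` would let a symlink planted inside the directory point anywhere on the host.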
- OKTA Customer Support Breach Affects Over One Hundred Customers
OKTA is an enterprise identity service provider, handling authentication and user management. Recently, its support systems suffered a cyberattack, which led to the theft of several customer files that had been shared with OKTA support for troubleshooting. Some of these files were improperly sanitized and contained sensitive information such as API keys and credentials. With this information, the same threat actor launched attacks on several of OKTA's customers, including 1Password and Cloudflare.
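The lesson of the item above is on the customer side: a diagnostic capture handed to any vendor's support desk should have its credentials stripped first. The following is an added example (not OKTA's or any vendor's tooling) of a small redactor for text captures: header lines whose name is sensitive lose their whole value, `name=value` and `"name": "value"` tokens with a sensitive name lose their value, and bearer tokens anywhere on a line are masked as a backstop. The sample capture and the name list are constructed for the demo and are a starting point, not an exhaustive catalogue of credential shapes.

```python
"""
Added example, not OKTA's tooling: redact credentials from a diagnostic
capture before it is shared with a support team. The sample capture is
constructed; the marker list is a starting point, not an exhaustive one.
"""
import re

# Substrings that mark a header or key name as carrying a credential.
SENSITIVE_NAMES = (
    "authorization", "cookie", "x-api-key", "api_key", "apikey",
    "password", "passwd", "secret", "token", "session", "private_key",
)
PLACEHOLDER = "[REDACTED]"

# Header-style line "Name: value ..." where the whole value is sensitive
# (Authorization: Bearer ..., Cookie: a=1; b=2).
_HEADER = re.compile(r"^(?P<indent>\s*)(?P<name>[A-Za-z][\w-]*):\s*(?P<value>\S.*)$")

# Single key/value token whose name contains a marker: name=value,
# "name": "value", name: value. Only sensitive names match, so a benign
# token never swallows the sensitive one that follows it on the same line.
_MARKERS = "|".join(re.escape(n) for n in SENSITIVE_NAMES)
_TOKEN = re.compile(
    rf"""(?P<q1>["']?)(?P<name>[\w.-]*(?:{_MARKERS})[\w.-]*)(?P=q1)"""
    rf"""(?P<sep>\s*[:=]\s*)(?P<q2>["']?)(?P<value>[^\s"',;]+)(?P=q2)""",
    re.IGNORECASE,
)

# Bearer credentials appearing anywhere, e.g. inside a request body.
_BEARER = re.compile(r"(?i)\bBearer\s+[A-Za-z0-9._~+/=-]+")


def is_sensitive(name):
    lowered = name.lower()
    return any(marker in lowered for marker in SENSITIVE_NAMES)


def redact_line(line):
    """Return (redacted_line, number_of_secrets_removed)."""
    header = _HEADER.match(line)
    if header and is_sensitive(header.group("name")):
        return f"{header.group('indent')}{header.group('name')}: {PLACEHOLDER}", 1

    count = 0

    def _token_sub(m):
        nonlocal count
        count += 1
        q1, q2 = m.group("q1"), m.group("q2")
        return f"{q1}{m.group('name')}{q1}{m.group('sep')}{q2}{PLACEHOLDER}{q2}"

    def _bearer_sub(m):
        nonlocal count
        count += 1
        return f"Bearer {PLACEHOLDER}"

    line = _TOKEN.sub(_token_sub, line)
    line = _BEARER.sub(_bearer_sub, line)
    return line, count


def redact_capture(text):
    """Redact a whole capture; returns (redacted_text, total_secrets_removed)."""
    total = 0
    out = []
    for line in text.splitlines():
        redacted, n = redact_line(line)
        total += n
        out.append(redacted)
    trailing = "\n" if text.endswith("\n") else ""
    return "\n".join(out) + trailing, total


# Constructed capture: one HTTP request plus an environment dump.
SAMPLE_CAPTURE = """\
POST /api/v1/login HTTP/1.1
Host: api.example.invalid
Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.constructed.sample
Cookie: sid=c0ns7ruct3d; theme=dark
Content-Type: application/json

{
  "username": "alice",
  "api_key": "sk-live-constructed-0001",
  "remember": true
}
env: DB_PASSWORD=hunter2 REGION=us-east-1
"""

if __name__ == "__main__":
    redacted, total = redact_capture(SAMPLE_CAPTURE)
    print(redacted)
    print(f"{total} secrets redacted")
```

The design errs toward over-redaction: a whole `Cookie` header disappears even if some cookies are harmless, because the cost of sharing one session cookie too many is exactly the failure the item above describes. Anything the redactor cannot recognise (binary blobs, base64-encoded request bodies) still needs a human look before the file leaves the organisation.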
- Malvertising Campaign Masquerades as IT News Sites to Deliver Malware
A new malvertising campaign has been observed posing as legitimate IT news sites to deliver malware, specifically a trojanized version of the CPU-Z utility, a tool for troubleshooting computer hardware. To further evade detection, these sites use a technique called cloaking: users who are not the intended victims are redirected to a legitimate blog page, while a target who clicks the same link is redirected to a malicious download site.
- Jupyter Infostealer Employs New Tactics for Defense Evasion
Jupyter infostealer malware is primarily designed to harvest information from infected systems, usually browser data and cryptocurrency wallet information. Researchers at VMware have observed an increased number of attacks involving this malware, including enhanced defense evasion capabilities. The researchers observed the malware using legitimate-looking PowerShell commands and binaries with valid digital signatures, which evade traditional indicator-based detection tools.
- Russian-Backed APT Targets Ukrainian Power Infrastructure
The Russian-backed APT group, Sandworm, has been observed breaching Ukrainian power substations in coordination with Russian missile strikes. These attacks target the OT (operational technology) systems of substations, using malware to interact with circuit breakers and cut power to the service area. This is the same threat actor behind the infamous NotPetya attacks of 2017, with similar targets and impacts.