Cyber Security Headlines: APT37 exploits zero-day, Firewalls bypassed generically, Zombinder’s Android malware

North Korea-linked APT37 exploits Internet Explorer zero-day flaw

The group, also known as ScarCruft, Reaper, and Group123, has actively exploited an Internet Explorer zero-day vulnerability tracked as CVE-2022-41128. The attacks target South Korean users. Researchers at Google’s Threat Analysis Group, who discovered the vulnerability in late October, say it has been exploited by APT37 using specially crafted documents that “attempted to capitalize on the recent Itaewon Halloween crowd tragedy to trick users into opening the weaponized document and infecting their systems.”

(Security Affairs)

Firewalls of several major vendors bypassed with generic attack method

According to Security Week, “researchers at IoT cybersecurity firm Claroty have identified a generic method for bypassing the web application firewalls (WAFs) of several major vendors.” The method involves an SQL injection vulnerability that could be used to obtain sensitive information, such as session cookies, tokens, SSH keys and password hashes. It was discovered after analyzing the wireless device management platform of Cambium Networks. Analysis revealed that the WAF could be bypassed by abusing the JSON data sharing format, which is supported by all major SQL engines and is enabled by default. Firewalls affected by this bypass include products from AWS, Palo Alto Networks, Cloudflare, F5, and Imperva.

(SecurityWeek)

New ‘Zombinder’ platform binds Android malware with legitimate apps

This new platform helps threat actors to “bind malware to legitimate Android apps, causing victims to infect themselves while still having the full functionality of the original app to evade suspicion.” The platform was discovered by researchers at cybersecurity firm ThreatFabric, who had spotted malicious Windows and Android campaigns distributing multiple malware families. According to Bleeping Computer, “the campaign impersonates Wi-Fi authorization portals, supposedly helping users to access internet points as a lure to push various malware families. The site then prompts a user to download either a Windows or Adware version of the application, which in reality, is malware.”

(Bleeping Computer)

Automated dark web markets sell corporate email accounts for $2

Cybercrime marketplaces continue to sell stolen corporate email accounts for as little as $2 to meet a constantly growing demand. Hackers use them for business email compromise (BEC) and phishing attacks, or to gain initial access to networks. “Analysts at Israeli cyber-intelligence firm KELA have closely followed this trend, reporting at least 225,000 email accounts for sale on underground markets.” The growing demand for corporate emails has created the need for automated webmail shops such as Xleet and Lufix, which claim to offer access to over 100k breached corporate email accounts, obtained through brute-forcing, credential stuffing, and phishing, with prices ranging between $2 and $30, if not more, for highly desirable organizations.

(Bleeping Computer)

Thanks to this week’s episode sponsor, PlexTrac

PlexTrac
The best pentesting teams trust PlexTrac. PlexTrac can improve efficiency and effectiveness at every phase of your proactive assessments. By centralizing the data from all your automation tools, cataloging important reusable content for easy access, and promoting communication and visibility at every phase of an assessment, PlexTrac cuts reporting time in half and adds value between reports.

Check out PlexTrac.com/CISOSeries to learn why PlexTrac is the premier pentest reporting and collaboration platform.

Cyberattack takes down the Met’s website and box office

According to the New York Times, “the Metropolitan Opera has suffered a cyberattack that put its website and box office out of commission for more than 30 hours, the company’s general manager Peter Gelb said on Wednesday. Its ticketing system typically handles about $200,000 in sales each day at this time of year, but was unable to sell any new tickets, including in its popular discounted last-minute rush ticket program, impacting performances of “Aida” and “The Hours.” Although it was not immediately clear who was responsible for the cyberattack, the Met has been outspoken in its support of Ukraine during the Russian invasion, organizing a benefit concert earlier this year, and also parting ways with Anna Netrebko, the Russian soprano, after she failed to comply with the company’s demand that she distance herself from Russian President Putin.”

(New York Times)

NZ Privacy Commissioner investigates Mercury IT ransomware attack

New Zealand’s Office of the Privacy Commissioner has released a public statement regarding the ransomware attack affecting technology services provider Mercury IT. “This is an evolving situation,” it says. “We were notified of the cybersecurity attack on 30 November 2022,” reads the statement, which goes on to say that the office is seeking to understand the number of organizations affected, the nature of the information involved, and the extent to which any information has been copied out of the system.

(Infosecurity Magazine and Office of the Privacy Commissioner in New Zealand)

South Korean authorities issue warning about disguised North Koreans getting IT jobs

The advisory, issued yesterday, warns companies about “hiring North Korean IT workers who disguise their true nationality and use their wages to help fund the country’s sanctioned nuclear weapons program.” It was published by several ministries, requesting “enhanced due diligence and more stringent identity verification process from domestic companies to avoid hiring or engaging in business contracts with [North Korean] IT workers who disguise their nationality and identities.” This follows a similar alert in May issued by the FBI, Treasury Department, and State Department, to American companies looking to hire freelance workers.

(The Record)

Iranian hackers strike diamond industry with data-wiping malware in supply-chain attack

An Iranian APT actor known as Agrius has been identified in connection with a set of data wiper attacks aimed at the diamond industry in South Africa, Israel, and Hong Kong. The wiper, known as Fantasy, is believed to “have been delivered via a supply-chain attack targeting an Israeli software suite developer as part of a campaign that began in February 2022.” According to ESET researcher Adam Burgher, “the Fantasy wiper is built on the foundations of the Apostle wiper but does not attempt to masquerade as ransomware, as Apostle originally did. Instead, it goes right to work, wiping data.”

(The Hacker News)

Steve Prentice
Author, speaker, expert in the area where people and technology crash into each other, viewed from the organizational psychology perspective. Host of many podcasts, voice actor and narrator for corporate media and audiobooks. Ghost-writer for busy executives.