Cyber Security Headlines: APT37 exploits zero-day, Firewalls bypassed generically, Zombinder’s Android malware

North Korea-linked APT37 exploits Internet Explorer zero-day flaw

APT37 group (aka ScarCruft, Reaper, and Group123) has actively exploited an Internet Explorer zero-day vulnerability, tracked as CVE-2022-41128, in attacks aimed at South Korean users. Google Threat Analysis Group researchers discovered the zero-day vulnerability in late October 2022, and it was exploited by APT37 using specially crafted documents that attempted to capitalize on the recent Itaewon Halloween crowd tragedy to trick users into opening the weaponized document and infecting their systems.

(Security Affairs)

Firewalls of several major vendors bypassed with generic attack method

Researchers at IoT cybersecurity firm Claroty have identified a generic method for bypassing the web application firewalls (WAFs) of several major vendors. They discovered the method following an analysis of Cambium Networks’ wireless device management platform, in which they discovered an SQL injection vulnerability that could be used to obtain sensitive information, such as session cookies, tokens, SSH keys and password hashes. Analysis revealed that the WAF could be bypassed by abusing the JSON data sharing format, which is supported by all major SQL engines and is enabled by default. Firewalls affected by this bypass include products from AWS, Palo Alto Networks, Cloudflare, F5, and Imperva.


New ‘Zombinder’ platform binds Android malware with legitimate apps

A darknet platform dubbed ‘Zombinder’ allows threat actors to bind malware to legitimate Android apps, causing victims to infect themselves while still having the full functionality of the original app to evade suspicion. This new platform was discovered by cybersecurity firm ThreatFabric, which spotted malicious Windows and Android campaigns distributing multiple malware families. The campaign impersonates Wi-Fi authorization portals, supposedly helping users to access internet points as a lure to push various malware families. The site then prompts a user to download either a Windows or Adware version of the application, which in reality, is malware.

(Bleeping Computer)

Automated dark web markets sell corporate email accounts for $2

Cybercrime marketplaces are increasingly selling stolen corporate email addresses for as low as $2 to fill a growing demand by hackers who use them for business email compromise and phishing attacks or initial access to networks. Analysts at Israeli cyber-intelligence firm KELA have closely followed this trend, reporting at least 225,000 email accounts for sale on underground markets. The demand for corporate emails continues to grow, which had created the need for automated webmail shops such as Xleet and Lufix, claiming to offer access to over 100k breached corporate email accounts, obtained through brute-forcing credential stuffing and phishing, with prices ranging between $2 and $30, if not more, for highly-desirable organizations.

(Bleeping Computer)

Thanks to this week’s episode sponsor, PlexTrac

The best pentesting teams trust PlexTrac. PlexTrac can improve efficiency and effectiveness at every phase of your proactive assessments. By centralizing the data from all your automation tools, cataloging important reusable content for easy access, and promoting communication and visibility at every phase of an assessment, PlexTrac cuts reporting time in half and adds value between reports. 

Check out to learn why PlexTrac is the premier pentest reporting and collaboration platform.

Cyberattack takes down the Met’s website and box office

The Metropolitan Opera has suffered a cyberattack that put its website and box office out of commission for more than 30 hours, the company’s general manager Peter Gelb said on Wednesday. Its ticketing system typically handles about $200,000 in sales each day at this time of year, but was unable to sell any new tickets, including in its popular discounted last-minute rush ticket program, impacting performances of “Aida” and “The Hours.” Although it was not immediately clear who was responsible for the cyberattack, the Met has been outspoken in its support of Ukraine during the Russian invasion, organizing a benefit concert earlier this year, and also parting ways with Anna Netrebko, the Russian soprano, after she failed to comply with the company’s demand that she distance herself from Russian President Putin.

(New York Times)

NZ Privacy Commissioner investigates Mercury IT ransomware attack

The Office of the Privacy Commissioner in New Zealand released a public statement on Tuesday on the ransomware attack affecting technology services provider Mercury IT. “This is an evolving situation. We were notified of the cybersecurity attack on 30 November 2022,” reads the statement, continuing that they are seeking to understand the number of organizations affected, the nature of the information involved and the extent to which any information has been copied out of the system.”

(Infosecurity Magazine)

South Korean authorities issue warning about disguised North Koreans getting IT jobs

The advisory, issued yesterday, warns companies about hiring North Korean IT workers who disguise their true nationality and use their wages to help fund the country’s sanctioned nuclear weapons program. It was published by several ministries, alongside South Korea’s National Police Agency and its National Intelligence Service, requesting “enhanced due diligence and more stringent identity verification process from domestic companies to avoid hiring or engaging in business contracts with [North Korean] IT workers who disguise their nationality and identities.” This follows a similar alert in May issued by the FBI, Treasury Department, and State Department, to American companies looking to hire freelance workers.

(The Record)

Iranian hackers strike diamond industry with data-wiping malware in supply-chain attack

An Iranian APT actor known as Agrius has been identified as behind a set of data wiper attacks aimed at diamond industries in South Africa, Israel, and Hong Kong. The wiper, referred to as Fantasy by ESET, is believed to have been delivered via a supply-chain attack targeting an Israeli software suite developer as part of a campaign that began in February 2022. ESET researcher Adam Burgher disclosed in a Wednesday analysis, “the Fantasy wiper is built on the foundations of the previously reported Apostle wiper but does not attempt to masquerade as ransomware, as Apostle originally did. Instead, it goes right to work, wiping data.” Apostle was first documented by SentinelOne in May 2021 as a wiper-turned-ransomware that was deployed in destructive attacks against Israeli targets.

(The Hacker News)