Cyber Security Headlines – November 29, 2021

RATDispenser spreads multiple remote access trojans into the wild

Researchers from the HP Threat Research team have discovered a new stealthy JavaScript loader dubbed RATDispenser. They point out that JavaScript is an uncommon malware file format, and for this reason it is more poorly detected. The loader is highly evasive: at the time of the analysis it had only an 11% detection rate on VirusTotal. HP experts confirmed that it was employed to distribute at least eight RAT families during 2021 (STRRAT, WSHRAT, AdWind, Formbook, Remcos, Panda Stealer, GuLoader, and Ratty). The experts believe that the threat actors behind RATDispenser may be operating a malware-as-a-service model.

(Security Affairs)

North Korea-linked Zinc group posed as Samsung recruiters to target security firms

According to a Google Threat Horizons report, state-sponsored North Korean hackers sent fake job offers to employees at South Korean security companies that sell anti-malware solutions. Google TAG researchers reported that the same group, tracked as “Zinc,” has also targeted security researchers in past campaigns. The attackers used a malformed PDF claiming to be a job description for a role at Samsung. Because the PDF was intentionally malformed, recipients who could not open it contacted the sender, who in turn provided them with a link to a supposed “Secure PDF Reader” app, which then established a backdoor on the victims’ devices.

(Security Affairs)

Interpol arrests over 1,000 suspects linked to cyber crime

Interpol has coordinated the arrest of 1,003 individuals linked to various cybercrimes such as romance scams, investment fraud, online money laundering, business email compromise and illegal online gambling. The crackdown is the result of a four-month action codenamed ‘Operation HAEICHI-II,’ which took place in twenty countries between June and September 2021. The authorities also intercepted nearly $27,000,000 and froze 2,350 bank accounts linked to various online crimes. A rising trend the investigators noticed during HAEICHI-II was the use of Squid Game as a theme for malware distribution campaigns, with threat actors taking advantage of the popularity of the Netflix show to disguise trojanized apps as mobile games.

(Bleeping Computer)

IKEA email systems hit by ongoing cyberattack

IKEA is battling an ongoing cyberattack in which threat actors are targeting employees with internal phishing attacks that use stolen reply-chain emails. In a reply-chain email attack, threat actors steal legitimate corporate emails and then reply to them with links to malicious documents that install malware on recipients’ devices. IKEA is warning employees of an ongoing reply-chain phishing attack targeting internal mailboxes. These emails are also being sent from compromised mailboxes at other IKEA organizations and business partners.

(Bleeping Computer)

Thanks to our episode sponsor, Votiro

Your users need to accept and open files to do their jobs. Keep them safe and productive with Votiro. With Votiro zero trust file sanitization API, your users can download and use any file instantly, from PDF to Autodesk CAD, with malicious code already removed—and full file usability intact. The signatureless file sanitization process happens in milliseconds without user friction. Visit Votiro.com and learn why millions of users trust Votiro to disarm billions of files each year.

U.K. government introduces PSTI bill to strengthen IoT security

The U.K. government has introduced the Product Security and Telecommunications Infrastructure (PSTI) Bill in Parliament to strengthen the security of consumers’ Internet of Things (IoT) devices against rising hacker intrusions. The new legislation requires IoT manufacturers, importers, and distributors to meet certain cybersecurity standards. According to the Department for Digital, Culture, Media, and Sport (DCMS), there could be up to 50 billion IoT devices across the globe by 2030, including smart baby monitors, smart bulbs, smart speakers, smart TVs, fitness trackers, smartphones and cameras.

(CISO Mag)

TrickBot phishing checks screen resolution to evade researchers

This is a new version of an old method that checks the screen resolution of a victim system to evade detection by security software and analysis by researchers. Last year, the TrickBot gang added a feature to their malware that terminated the infection chain if a device was using the non-standard screen resolutions of 800×600 or 1024×768, which are typical of analysis virtual machines rather than real users. In a new variation spotted by threat researchers, the verification code has been added to the HTML attachment of the malspam delivered to the potential victim. Downloading malware this way is a technique known as HTML smuggling. It allows a threat actor to bypass a browser’s content filters and sneak malicious files onto a target computer by embedding encoded JavaScript in an HTML file, so the payload is assembled locally in the browser rather than fetched from a URL that a gateway could inspect.

(Bleeping Computer)
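A defender-side illustration of the story above, added here and not part of the original article or any vendor tool: a small static scanner for HTML attachments that flags the two indicators the story describes, a screen-resolution check and the JavaScript Blob/createObjectURL pattern used to assemble a download locally in HTML smuggling. The sample attachment, indicator names and the 200-character base64 threshold are constructed assumptions, not data from a real TrickBot sample.

```python
import re
from html import unescape

# Constructed sample HTML attachment imitating the pattern described in the story
# (hypothetical content, not a real malspam sample).
SAMPLE_HTML = """<html><body><script>
if (screen.width == 800 && screen.height == 600) { /* analysis VM: do nothing */ }
else {
  var b64 = "UEsDBBQAAAAIAA==";
  var bytes = Uint8Array.from(atob(b64), c => c.charCodeAt(0));
  var blob = new Blob([bytes], {type: "application/octet-stream"});
  var a = document.createElement("a");
  a.href = URL.createObjectURL(blob);
  a.download = "invoice.zip";
  a.click();
}
</script></body></html>"""

# Static indicators: none is malicious on its own, the combination is what matters.
INDICATORS = {
    "screen_resolution_check": re.compile(r"screen\.(?:width|height|availWidth|availHeight)", re.I),
    "base64_decode": re.compile(r"\batob\s*\(", re.I),
    "blob_construction": re.compile(r"new\s+Blob\s*\(", re.I),
    "object_url_download": re.compile(r"createObjectURL\s*\(", re.I),
    "forced_download": re.compile(r"\.download\s*=|\bdownload\s*=\s*[\"']", re.I),
    # Long base64 literal: the smuggled payload is usually embedded this way.
    "large_base64_literal": re.compile(r"""["'][A-Za-z0-9+/]{200,}={0,2}["']"""),
}


def scan_html(html: str) -> dict:
    """Return which indicators fire and two derived verdicts for one attachment."""
    text = unescape(html)  # entity-encoded scripts are a common obfuscation layer
    hits = {name: bool(rx.search(text)) for name, rx in INDICATORS.items()}
    # HTML smuggling: a Blob is built in the page and handed to the browser as a download,
    # with the bytes coming from a decoded or embedded base64 string.
    smuggling = (hits["blob_construction"] and hits["object_url_download"]
                 and (hits["base64_decode"] or hits["large_base64_literal"]))
    return {
        "indicators": hits,
        "html_smuggling_suspected": smuggling,
        "sandbox_evasion_suspected": hits["screen_resolution_check"],
    }


if __name__ == "__main__":
    print(scan_html(SAMPLE_HTML))
```

In a mail gateway pipeline the verdicts would be combined with attachment type and sender reputation rather than used as a sole block rule, since legitimate HTML reports also build Blobs.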

Australia to introduce new laws to force media platforms to unmask online trolls

The Australian government has been examining the extent to which platforms such as Twitter and Facebook are responsible for defamatory material published on their sites. The move follows a ruling by the country’s highest court that publishers can be held liable for public comments on online forums, which prompted some news companies, such as CNN, to deny Australians access to their Facebook pages. The new legislation will introduce a complaints mechanism, so that if somebody believes they are being defamed, bullied or attacked on social media, they will be able to require the platform to take the material down.

(Reuters)

GoDaddy breach widens to include reseller subsidiaries

Customers of several brands that resell GoDaddy Managed WordPress have also been caught up in the large breach, in which millions of email addresses, passwords and other data were stolen. The additional affected companies are 123Reg, Domain Factory, Heart Internet, Host Europe, Media Temple and tsoHost. A small number of active and inactive Managed WordPress users at those brands were impacted by the security incident; no other brands are affected. It is unclear exactly how many additional users were affected by the widened breach.

(Threatpost)


Steve Prentice
Author, speaker, expert in the area where people and technology crash into each other, viewed from the organizational psychology perspective. Host of many podcasts, voice actor and narrator for corporate media and audiobooks. Ghost-writer for busy executives.