Atomic — New macOS Info-Stealer in Town
Analysis: A new info-stealing malware, Atomic macOS Stealer (AMOS), has been discovered targeting macOS users. It is designed to steal sensitive information, including local files, cookies, financial details, and passwords stored in browsers.
AMOS is available on a private telegram channel for a subscription of $1,000 per month and is flagged as malware on just one antivirus engine on VirusTotal. The malware has been seen targeting various applications such as cryptocurrency wallets and web browsers like Chrome, Microsoft Edge, Firefox, Opera, Yandex, and Vivaldi, and attempts to steal system information. Researchers suggest that an increasing number of cyber threats are looming over macOS.
Access Point recommends having an active threat hunting program, as the threat landscape is ever changing it is essential to stay in the know with all the ways that operators are targeting their victims. This includes having a dedicated team that is proactively searching within your network for any indicators of compromise such as IP ranges, file hashes, email addresses, URLs, etc. It is also essential that your threat team is blocking for IOCs associated with threat groups at all endpoint and network levels.
Source
RTM Group Launches its Linux Ransomware
Analysis: RTM group — the creator of RTM Locker RaaS — has developed a new ransomware binary aimed at Linux-based machines. This ransomware is capable of infecting Linux, ESXi, and NAS hosts and appears to be inspired by the leaked source code of Babuk ransomware.
The Linux variant of RTM Locker is specifically aimed at ESXi hosts, and it uses asymmetric and symmetric encryption, which makes it impossible to decrypt files without a private key. After successful encryption, victims are told to contact the support team within 48 hours via Tox or risk having their data published on the darkweb.
Should you find yourself in a similar situation, Access Point recommends that you do not pay the ransom. Instead, having a tried and tested incident response plan, policies, and procedures for data breach incidents like this is essential to minimize their impact. In turn, your team will be better equipped to contain and mitigate the attack without disruption to your business operations.
Source
T-Mobile discloses second data breach since the start of 2023
Analysis: T-Mobile has had its second data breach of 2023, affecting 836 customers who had their personal information exposed for over a month starting from late February. While the number of affected individuals is relatively small compared to T-Mobile's previous data breaches, the amount of exposed data is extensive and could lead to identity theft and phishing attacks.
T-Mobile has stated that call records and personal financial account information were not accessed by the attackers. However, the exposed information does include full names, contact information, account numbers and associated phone numbers, T-Mobile account PIN, Social Security number, government ID, date of birth, balance due, internal codes used by T-Mobile to service customer accounts, and the number of lines.
T-Mobile has reset the account PINs for the affected customers and offered them two years of free credit monitoring and identity theft detection through TransUnion’s myTrueIdentity service.
This is the second data breach T-Mobile has disclosed since the beginning of 2023, with the first breach affecting 37 million customers and being disclosed on January 19.
Access Point recommends the following:
- Keep all software and operating systems up to date with the latest patches and security updates
- Implement MFA for all user accounts
- Regularly backup critical data and store it securely offline
- Have a proactive approach to detecting threats
It is also essential that you have a tried and tested incident response plan and procedure should your organization be the target of an attempted attack. The plan should include those action steps necessary to contain and mitigate the threat as quickly as possible with the least amount of disruption to the business.
Source
New coercive tactics used to extort ransomware payments
Analysis: According to cybersecurity firm GuidePoint Security, the number of reported ransomware victims in Q1 2023 indicates the continued prevalence of ransomware as a global threat, targeting a wide range of industries.
In its report, GuidePoint revealed that in the first quarter of 2023, researchers tracked 849 total publicly posted ransomware victims claimed by 29 different threat groups. This marks a 27% increase in public ransomware victims compared to Q1 2022, and a 25% increase from Q4 2022. The most targeted sectors include manufacturing, technology, education, banking and finance, and healthcare.
LockBit Remains the most prolific ransomware threat group, followed by Clop, AlphV, Royal, and BianLian. These groups are increasingly using novel coercive tactics, including DDoS attacks, selective public leaks, and exfiltration of data to pressure victims into compliance with ransomware demands.
Because of the broad impact of these attack methods, Access Point recommends having automated detection and mitigation strategies in place. Security teams should also employ the following protection measures:
- Enable caching
- Deploy firewall rules and rate-limiting rules
- Enable DDoS alerting
- Have a threat hunting team to proactively search for any indicators of compromise from threat actors that may have evaded your security systems
Source
Charming Kitten Spreads BellaCiao Malware for Concentrated Attacks
Analysis: Charming Kitten, an Iranian nation-state group, has been observed using a new custom dropper malware called BellaCiao, which is designed to attack individual targets and can deploy other malicious payloads. The group has also been seen using publicly disclosed proof of concepts in its attacks.
BellaCiao is highly complex and uses a unique communication approach with its C2 structure. Attackers download two IIS modules which process exfiltrating credentials and incoming instructions. The group's initial intrusion tactics possibly exploit known vulnerabilities in internet-exposed applications; once a successful intrusion is achieved, the attackers attempt to disable Microsoft Defender and establish persistence on the host.
As threat actors are continuously evolving their techniques, tactics, and procedures to evade detection, Access Point recommends the following measures:
- Implement a defense-in-depth architecture
- Limit entry points
- Patch critical vulnerabilities
- Segregate networks
- Block any malicious domains, IPs, or URLs that may be associated to a threat group’s indicators of compromise
Source
Vulnerabilities
FDA, CISA: Illumina Medical Devices Vulnerable to Remote Hacking
Analysis: The US Cybersecurity and Infrastructure Security Agency (CISA) and the Food and Drug Administration (FDA) have issued public notifications regarding serious vulnerabilities affecting the Universal Copy Service (UCS) component used in several Illumina genetic sequencing instruments.
Although there are no known attacks exploiting these vulnerabilities, the FDA warns that hackers could exploit them to remotely control a device or alter configurations, settings, software, or data on the device or user network. Additionally, exploitation could impact genomic data results in instruments intended for clinical diagnoses.
CISA's advisory indicates that Illumina Universal Copy Service has a critical vulnerability (CVE-2023-1968) which allows an unauthenticated attacker to abuse the component to listen on all IPs, including those accepting remote connections. Another flaw (CVE-2023-1966) is related to unnecessary privileges that can enable an unauthenticated hacker to remotely upload and execute code at the OS level.
Illumina's iScan, iSeq, MiniSeq, MiSeq, MiSeqDx, NextSeq, and NovaSeq products are affected by these vulnerabilities.
Illumina has released patches and mitigations, publishing an advisory to inform customers about the necessary steps to prevent potential exploitation. On April 5, 2023, the company notified affected customers and instructed them to check their instruments and medical devices for signs of potential exploitation.
The FDA recently announced that it will require medical device makers to meet specific cybersecurity requirements when submitting an application for a new product, reflecting growing concerns about the security of medical devices.
Access Point recommends that organizations using affected Illumina products promptly apply the security patches and follow the mitigations provided by the vendor. This will help reduce the risk of potential exploitation.
It is important that organizations check instruments and medical devices for any signs of exploitation, as advised by Illumina. Early detection of potential issues can help organizations take appropriate countermeasures to minimize the damage. By ensuring that all medical devices and related components are updated with the latest firmware and software versions, businesses can help reduce the risk of exploitation from these and other vulnerabilities.
It is also recommended that healthcare providers and lab personnel are trained to recognize and avoid potential security threats. This will help reduce the likelihood of successful attacks and minimize the risk of human error.
Source
Alert: Active Exploitation of TP-Link, Apache, and Oracle Vulnerabilities Detected
Analysis: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has updated its Known Exploited Vulnerabilities (KEV) catalog, adding three security flaws due to evidence of active exploitation.
These vulnerabilities are tracked as:
- CVE-2023-1389 (TP-Link Archer AX-21 Command Injection Vulnerability) — CVSS 8.8
- CVE-2021-45046 (Apache Log4j2 Deserialization of Untrusted Data Vulnerability) — CVSS 9.0
- CVE-2023-21839 (Oracle WebLogic Server Unspecified Vulnerability) — CVSS 7.5
CVE-2023-1389 affects TP-Link Archer AX-21 routers and has been exploited by threat actors linked to the Mirai botnet since April 11, 2023, allowing for remote code execution.
CVE-2021-45046 is a remote code execution vulnerability impacting the Apache Log4j2 logging library, discovered in December 2021. While the specific exploitation method is unclear, GreyNoise data indicates 74 unique IP addresses have attempted exploitation in the past 30 days, including attempts related to CVE-2021-44228 (Log4Shell).
The third vulnerability, CVE-2023-21839, is a high-severity bug in Oracle WebLogic Server, enabling unauthorized access to sensitive data. Oracle has released patches for affected versions in January 2023.
Federal Civilian Executive Branch (FCEB) agencies must apply vendor-provided fixes by May 22, 2023 to protect their networks from these active threats. This update comes after VulnCheck revealed that nearly four dozen security flaws — likely weaponized in the wild in 2022 — are missing from the KEV catalog. Among the 42 vulnerabilities, a majority are related to exploitation by Mirai-like botnets (27), followed by ransomware gangs (6) and other threat actors (9).
Access Point recommends that users apply vendor-provided patches and updates as soon as possible to mitigate the risks associated with the identified vulnerabilities. In the case of the three CVEs mentioned above, ensure the appropriate updates are applied.
Source
Zyxel Firewall Devices Vulnerable to Remote Code Execution Attacks — Patch Now
Analysis: Networking equipment manufacturer Zyxel has issued patches for a critical security vulnerability (CVE-2023-28771) affecting its firewall devices. Rated 9.8 on the CVSS scoring system, this flaw could allow an attacker to achieve remote code execution on impacted systems.
Researchers from TRAPA Security discovered the vulnerability, which involves improper error message handling in some firewall versions. Zyxel released an advisory on April 25, 2023, detailing the issue and the affected products, including ATP, USG FLEX, VPN, and ZyWALL/USG devices.
Zyxel also addressed a high-severity post-authentication command injection vulnerability (CVE-2023-27991) with a CVSS score of 8.8. This vulnerability affects select firewall versions and could allow an authenticated attacker to execute some OS commands remotely. Devices impacted by this flaw include ATP, USG FLEX, USG FLEX 50(W) / USG20(W)-VPN, and VPN devices. The issue has been resolved in ZLD V5.36.
In addition, Zyxel has released fixes for five high-severity flaws (CVE-2023-22913 to CVE-2023-22918) and one medium-severity bug, affecting several firewalls and access point (AP) devices. These vulnerabilities could result in code execution and cause a denial-of-service (DoS) condition.
Earlier this year, Nikita Abramov, a researcher from Russian cybersecurity company Positive Technologies, discovered four command injection and buffer overflow vulnerabilities in CPE, fiber ONTs, and WiFi extenders, with the most severe being CVE-2022-43389 (CVSS score: 9.8), a buffer overflow vulnerability impacting 5G NR/4G LTE CPE devices.
Access Point Technology recommends organizations using Zyxel products should promptly apply the provided patches for the mentioned vulnerabilities. This will help mitigate the risks associated with these flaws and prevent potential attacks.
Organizations should also ensure that all networking devices, including firewalls and access points, are updated with the latest firmware and software versions. Regularly updating these components can help reduce the risk of exploitation from known and unknown vulnerabilities.
It is important to continuously monitor network traffic and system logs for any unusual or suspicious activities that may indicate attempted or successful exploits. Early detection of such activities can help in taking appropriate countermeasures and reducing potential damage.
Implementing and enforcing robust security policies within the organization, including access controls, user authentication, and network segmentation will help limit potential attack vectors and minimize the impact of successful breaches.
Last, but not least, Access Point Technology recommends organizations periodically assess the security of the organization's network infrastructure and devices to identify vulnerabilities and weaknesses. This will allow for timely remediation of any discovered issues.
Source
Apple’s first Rapid Security Response patch fails to install on iPhones
Analysis: Apple has introduced the first Rapid Security Response (RSR) patches for iOS 16.4.1 and macOS 13.3.1 devices.
RSR patches are small updates designed to target iPhone, iPad, and Mac platforms, addressing security issues between major software updates. These patches can also be used to fix vulnerabilities that are actively exploited in attacks.
Users can check if RSR patches are available for their device by following specific steps for iPhone, iPad, and Mac devices. Automatic updates can be enabled to ensure that the device receives security patches promptly. If users disable automatic updates or decline to install RSR patches when offered, their device will receive the security updates as part of a future software upgrade.
However, some users have reported issues installing the RSR update on their iPhones, with "Unable to Verify Security Response" errors. Despite the devices being connected to the internet, the error indicates that the device is no longer connected. A server-side bug is likely causing the issues. Apple has not yet provided specific details about the security improvements included in the RSR patches or the installation problems users are experiencing.
Access Point Technology recommends that Apple users ensure that automatic updates are enabled on their iPhone, iPad, or Mac device to receive the RSR patches and other security updates promptly. If users encounter installation issues with the RSR patch, such as "Unable to Verify Security Response" errors, monitor Apple's support channels for updates on the situation and potential fixes.
It is important for users to stay informed about any updates from Apple regarding the specific security improvements included in the RSR patches, as well as any related issues or workarounds. If users have disabled automatic updates or declined to install RSR patches, be prepared to receive the security updates as part of a future software upgrade.
Source
.webp)
.png)
