| title | date | draft | logo |
|---|---|---|---|
July 03, 2023 |
2023-07-03 00:00:00 +0545 |
false |
images/infosec/default.png |
{{< toc >}}
Researchers have discovered an updated version of the Apple macOS malware called Rustbucket. This variant, attributed to the North Korean threat actor BlueNoroff, exhibits improved persistence capabilities and employs a dynamic network infrastructure for command-and-control. Rustbucket was initially identified as an AppleScript-based backdoor, capable of retrieving a second-stage payload from a remote server. The second-stage malware, compiled in Swift, downloads the main Rust- based binary from the command-and-control server. A .NET version of Rustbucket with similar features has also been observed. The attacks primarily target finance-related institutions in Asia, Europe, and the U.S., indicating a focus on illicit revenue generation. The malware utilizes a backdoored PDF reader and employs phishing emails and bogus social media profiles for initial intrusion. The newly identified version establishes persistence by creating a plist file and copying the binary to specific paths on the compromised system.
Apple macOS
https://thehackernews.com/2023/07/beware-new-rustbucket-malware-variant.html
• Keep macOS systems updated. • Deploy robust endpoint protection solutions. • Provide user awareness training on phishing and social engineering. • Implement email filtering to block malicious attachments. • Use application whitelisting to control authorized software. • Monitor network traffic for unusual patterns.
A new malware JokerSpy which effects macOS has been found exploiting devices across organizations. Once a device is infected, the malware connects to a C2 server and then proceeds further according to the response from the server. It creates a reverse shell and a backdoor through which the attacker can access the victim’s machine. Various victim device data such as the path to the backdoor python script along with the python version, hostname, username, domain name, OS version etc. are sent periodically to the attacker. Furthermore, within the malware’s construction, a hidden “xcc” binary was also found which contains Mach-O for x86 Intel and ARM M1 architectures. The malware was found to be collecting data related to the victim’s behaviors such as device idle time (last use of keyboard, mousepad etc.), active (frontmost) app, screen status (locked or unlocked), full disk access, screen recoding access and accessibility permission of the active app etc.
Intel and Apple Silicone Macs (x86 Intel and ARM M1 architectures)
https://cybersecuritynews.com/jokerspy-macos-malware/
• Keep the macOS up to date which will provide new and consistent security fixes. • Exercise good online hygiene when surfing the web. • Do not open malicious links or emails. • Download files only from trusted sites. • Use security options provided by some browsers like Brave when browsing the web which will ensure secure browsing.
Tracked as CVE-2023-3460 (CVSS score of 9.8), the recently identified security defect in Ultimate Member allows attackers to add a new user account to the administrators group. Due to the difference in operation between the plugin and WordPress, attackers were able to trick the plugin into updating metadata keys, including one that stores user role and capabilities, WPScan explains. The company provides indicators of compromise (IoCs) associated with the observed attacks. This has allowed attackers to register user accounts with the administrator role, and at least two site owners have observed and reported the suspicious activity. The plugin’s maintainers, who describe the issue as a privilege escalation bug, have attempted to address it in the last two versions of Ultimate Member, but they have reportedly failed to fully patch it. However, they did acknowledge the ongoing in-the-wild exploitation.
WordPress Site with ‘Ultimate Member’ Plugin
• Implement the least privilege principle for user roles. • Monitor site activity for unusual behavior. • Use reputable security plugins or firewalls.
Fortinet, a leading network security solutions provider, has resolved a critical Remote Code Execution (RCE) vulnerability affecting its FortiGate SSL VPN devices. This flaw could allow attackers to execute arbitrary code on vulnerable systems, leading to a complete compromise of the devices. Fortinet responded swiftly by releasing security patches and firmware updates to address the vulnerability, urging all users to apply them immediately. Prompt patching and adherence to security best practices, such as strong passwords and regular updates, are essential to mitigate the risk and maintain a robust security posture. The critical RCE vulnerability in FortiGate SSL VPN devices could enable attackers to execute arbitrary code with elevated privileges. Exploiting this flaw could lead to unauthorized access, tampering with network configurations, and potential data breaches. Fortinet's proactive response included the release of security patches, firmware updates, and recommendations for users to promptly apply them. Organizations utilizing FortiGate SSL VPN devices must prioritize patching and follow security best practices to protect their networks from potential exploitation and ensure a secure environment.
Fortinet Products
• Patch and update immediately
In a concerning development for mobile device users, security researchers have recently uncovered a new Android malware called FluHorse. This sophisticated malware, developed using the Flutter framework, poses a significant threat to Android devices, compromising user privacy and device security. Understanding the nature of this emerging threat is crucial for Android users to protect themselves from potential harm. FluHorse leverages the cross-platform capabilities of the Flutter framework, which is popular for developing visually appealing and high-performing mobile applications. By exploiting this framework, malware gains the ability to infect a wide range of Android devices, putting millions of users at risk. The malware operates stealthily, avoiding detection and remaining hidden within legitimate-looking applications.
Android devices running Flutter applications.
https://thehackernews.com/2023/06/fluhorse-flutter-based-android-malware.html
• Download and install applications from trusted sources, such as the official Google Play Store. • Avoid sideloading apps from third-party websites or unofficial sources, as they may contain malicious code.