Take a look at this week's Cyber Weekly Digest for a rundown of the biggest cyber security news, including the latest tactics used by the infamous Emotet malware and the 3CX supply chain attack. Keep reading to stay up to date on the latest cyber security stories.
The infamous Emotet malware campaign is targeting US taxpayers by impersonating W-9 tax forms allegedly sent by the Internal Revenue Service and by companies you work with. Emotet is a notorious malware infection distributed through phishing emails that in the past carried Microsoft Word and Excel documents with malicious macros that install the malware. However, after Microsoft began blocking macros in downloaded Office documents by default, Emotet switched to Microsoft OneNote files with embedded scripts to install the malware. The OneNote documents contain an embedded VBScript; Microsoft displays a warning that the file may be malicious, but many users ignore it. Once executed, the VBScript downloads the Emotet DLL and runs it using regsvr32.exe. The malware then runs quietly in the background, stealing email and contacts and waiting for further payloads to install on the device.
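The OneNote-to-regsvr32 chain above is something defenders can hunt for in endpoint process telemetry. The following detector is an added example written for this digest, not code from the original article or from any vendor; the event field names and the sample paths are constructed for illustration.

```python
# Added example: flag regsvr32.exe launches whose ancestry is
# onenote.exe -> wscript/cscript -> regsvr32 loading a DLL from a
# user-writable directory, the infection chain described in the digest.
# Field names and sample telemetry below are assumptions, not real data.
from dataclasses import dataclass

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # lowercase basename of the executable
    cmdline: str


def _in_user_writable(path: str) -> bool:
    return path.lower().startswith(USER_WRITABLE)


def find_onenote_regsvr32_chains(events):
    """Return the command lines of regsvr32.exe launches that match the
    onenote -> script host -> regsvr32(<user-writable DLL>) chain."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if e.image != "regsvr32.exe":
            continue
        parent = by_pid.get(e.ppid)
        grand = by_pid.get(parent.ppid) if parent else None
        if not (parent and parent.image in SCRIPT_HOSTS
                and grand and grand.image == "onenote.exe"):
            continue
        # Last argument is the DLL path (sample paths contain no spaces).
        dll = e.cmdline.split()[-1].strip('"')
        if dll.lower().endswith(".dll") and _in_user_writable(dll):
            hits.append(e.cmdline)
    return hits


# Constructed sample telemetry: one malicious chain plus benign events.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, "explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, "onenote.exe", 'onenote.exe "C:\\Users\\bob\\Downloads\\W-9.one"'),
    ProcEvent(300, 200, "wscript.exe", 'wscript.exe C:\\Users\\bob\\AppData\\Local\\Temp\\form.vbs'),
    ProcEvent(400, 300, "regsvr32.exe", 'regsvr32.exe /s "C:\\Users\\bob\\AppData\\Local\\Temp\\x.dll"'),
    ProcEvent(500, 100, "regsvr32.exe", 'regsvr32.exe /s "C:\\Windows\\System32\\msxml3.dll"'),
]

if __name__ == "__main__":
    for line in find_onenote_regsvr32_chains(SAMPLE_EVENTS):
        print("suspicious:", line)
```

A production rule would read the same fields (parent process, image, command line) from Sysmon event 1 or an EDR process stream; the benign system-directory regsvr32 launch in the sample is deliberately not flagged.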
A new info-stealing malware named "MacStealer" is targeting Mac users, stealing credentials stored in the iCloud Keychain and web browsers, cryptocurrency wallets, and potentially sensitive files. MacStealer is being distributed as malware-as-a-service (MaaS), with the developer selling premade builds for $100 so that purchasers can spread the malware in their own campaigns. According to the threat researchers who discovered the new macOS malware, it runs on macOS Catalina (10.15) up to the latest version of Apple's OS, Ventura (13.2). MacStealer was discovered on a dark web hacking forum, where the developer has been promoting it since the end of this month. The logs stolen from victims are sent to the attacker's Telegram channel, where the stolen data is packaged as a ZIP file. While most MaaS operations target Windows users, macOS isn't immune to such threats, so its users should remain vigilant and avoid downloading files from untrustworthy websites.
Security analysts have uncovered a new North Korean hacking group that has targeted government organizations, academics, and think tanks in the US, Europe, Japan, and South Korea over the past five years. The moderately sophisticated threat actor, tracked as "APT43", engages in espionage as well as financially motivated cybercrime operations that help fund its activities. Mandiant analysts, who discovered the activities of APT43, assess with high confidence that the threat actors are state-sponsored, with operational goals aligned to the North Korean government's geopolitical aims. APT43 has created fake Cornell University login pages to conduct reconnaissance on what is being restricted in North Korea's imports. APT43 steals financial information to pay for cloud instances and deploy cryptocurrency miners using American Exchange cards and PayPal accounts. Mandiant expects APT43 to remain a highly active threat group unless North Korea shifts its national priorities.
A digitally signed and trojanized version of the 3CX Voice over Internet Protocol (VoIP) desktop client is reportedly being used to target the company's customers in an ongoing supply chain attack. 3CX is a VoIP IPBX software development company whose 3CX Phone System is used by more than 600,000 companies worldwide and has over 12 million daily users. 3CX's customer list includes high-profile companies such as American Express, Coca-Cola, McDonald's, BMW, Honda, AirFrance, NHS, Toyota, Mercedes-Benz, IKEA, and HolidayInn. According to alerts from security researchers, the attackers are targeting both Windows and macOS users of the compromised 3CX softphone app. The most common post-exploitation activity observed following the compromise was spawning an interactive command shell. SentinelOne detects a "penetration framework or shellcode" when analyzing the 3CXDesktopApp.exe binary, ESET tags it as a "Win64/Agent.CFM" trojan, Sophos as "Troj/Loader-AF", and CrowdStrike's Falcon OverWatch managed threat hunting service warns users to investigate their systems for malicious activity "urgently."
Apple on Monday backported fixes for an actively exploited security flaw to older iPhone and iPad models. The issue, tracked as CVE-2023-23529, is a type confusion bug in the WebKit browser engine that could lead to arbitrary code execution. The disclosure comes as Apple rolled out iOS 16.4, iPadOS 16.4, macOS Ventura 13.3, macOS Monterey 12.6.4, macOS Big Sur 11.7.5, tvOS 16.4, and watchOS 9.4 with numerous bug fixes. Apple has not released many details beyond saying it is aware of reports that the flaw is being actively exploited in the wild.