Take a look at this week's Cyber Weekly Digest for a rundown of the biggest cyber security news, including how some of the most notorious threat groups are starting to retarget their campaigns towards Linux and macOS. Keep reading to stay up to date on the latest cyber security stories.
A new campaign from the North Korean-backed hacking group Lazarus, considered part of “Operation DreamJob”, has been discovered targeting Linux users with malware for the first time. The researchers who discovered the campaign say it also helps confirm with high confidence that Lazarus conducted the recent supply-chain attack on VoIP provider 3CX. That attack was discovered in March 2023; multiple companies that used the trojanized version of the 3CX client were compromised with information-stealing trojans. Lazarus was already suspected of being responsible, and multiple cyber security companies agreed that the threat actor who trojanized 3CX had a North Korean nexus. The attack flow of the new campaign starts with targeting an individual with a fake job offer in Georgia, delivered as a PDF. The PDF executes an ELF file that downloads a further payload called SimplexTea, which then connects to a compromised domain, “journalide[.]org”. The PDF itself appears to be simply a decoy whose purpose is to trigger the malware download.
Yellow Pages Group, a Canadian directory publisher, has confirmed that it was hit by a cyberattack. The threat actor targeting Yellow Pages Group is Black Basta, an infamous ransomware and extortion gang, which posted sensitive documents and data over the weekend. Founded in 1908, the Yellow Pages Group owns and operates the YP.ca and YellowPages.ca websites and the Canada411 online services. Black Basta has added an entry for Yellow Pages on its data extortion site and is threatening to post sensitive personal information of customers. The gang is also threatening to leak internal company data such as budget, debt, tax, and financial account records. "We have been notifying impacted individuals and reporting to all appropriate privacy regulatory authorities regarding this incident. Substantially all of our services have now been restored," a Yellow Pages Senior Vice President and Chief Financial Officer said in a statement.
VirusTotal has launched a new artificial intelligence-based code analysis feature named Code Insight. The feature is powered by the Google Cloud Security AI Workbench introduced at the RSA Conference 2023, which uses the Sec-PaLM large language model (LLM) specifically fine-tuned for security use cases. VirusTotal Code Insight analyses potentially harmful files to explain their (malicious) behaviour, improving analysts' ability to identify which of them pose actual threats. "At present, this new functionality is deployed to analyse a subset of PowerShell files uploaded to VirusTotal. The system excludes files highly similar to those previously processed, as well as excessively large files," VirusTotal founder Bernardo Quintero said. It is of course important to note that AI is not perfect and that the machine-learning engine may sometimes get things wrong; security analysts should therefore interpret Code Insight-generated information alongside contextual data relevant to the analysed file rather than treating it as a verdict on its own.
A financially-motivated threat actor, a subgroup of the North Korean Lazarus group, is suspected to be behind a new Apple macOS malware strain called RustBucket. “[Rust Bucket] communicates with command and control (C2) servers to download and execute various payloads," Jamf Threat Labs researchers said in a technical report published last week. The Apple device management company attributed it to a threat actor known as BlueNoroff, a subgroup within the infamous Lazarus threat cluster that’s also tracked under the monikers APT28, Nickel Gladstone, Sapphire Sleet, Stardust Chollima, and TA444. The connections stem from tactical and infrastructure overlaps with a prior campaign exposed by Russian cybersecurity company Kaspersky in late December 2022. The malware is an AppleScript file engineered to retrieve a second-stage payload from a remote server; that second-stage payload carries the same name as its predecessor. Both malicious apps are signed with an ad-hoc signature, so they carry no Apple Developer ID that could be used to trace or revoke them.
A Chinese nation-state group dubbed Alloy Taurus is using a Linux variant of a backdoor called PingPull as well as a new, previously undocumented tool codenamed Sword2033, according to the researchers who discovered the group's recent malicious cyber activity targeting South Africa and Nepal. Alloy Taurus is the constellation-themed moniker assigned to a threat actor that’s known for its attacks targeting telecom companies since at least 2012. Microsoft also tracks it as Granite Typhoon (previously Gallium). PingPull was first documented in June 2022 and acts as a remote access trojan that uses ICMP for C2 communications. The Linux variant of the malware offers similar functionality to its Windows counterpart, allowing it to carry out file operations and run arbitrary commands: the C2 server selects the action by transmitting a single upper-case character between A and K, or M. A closer examination of the domain linked to this activity has also revealed another ELF artifact (i.e., Sword2033) that supports three basic functions: uploading files to the system, exfiltrating files from it, and executing commands.