Read our Cyber Weekly Digest for a rundown of the biggest cyber security news. This week we take a look at the latest individuals found to be involved in some of the most prolific ransomware operations, as well as the zero-day vulnerability patched by Apple. Keep reading to stay up to date with the latest cyber stories.
Seven Russian individuals have been sanctioned by the US and UK governments for their involvement in the TrickBot cybercrime group, whose malware was used to support attacks by the Conti and Ryuk ransomware operations. TrickBot is a cybercrime gang responsible for developing numerous malware families, such as the TrickBot malware itself, BazarBackdoor, Anchor, and BumbleBee. The TrickBot malware started as a banking trojan distributed via phishing emails to steal online banking credentials. It later evolved into malware designed to provide initial access to corporate networks for the Ryuk/Conti ransomware operation. As the malware became widely detected by security software, the developers launched new malware families, such as BazarBackdoor, Anchor, and BumbleBee, to infect targets more stealthily. The TrickBot group was later taken over by the Conti ransomware gang, who took charge of developing the group’s malware to support their own ransomware attacks. The sanctioned individuals were responsible for over £25 million in damage in ransomware payments. As a result, the US and UK have barred them from entering either country and have frozen all property and funds belonging to them.
Analysts discovered a new stealthy malware named “Beep” last week, featuring many tools and techniques to evade analysis and detection by security software. Analysts noticed the malware after a spike in Beep samples uploaded to VirusTotal. Beep is an information-stealing malware built from three separate components: a dropper, an injector, and the payload. The dropper (“big.dll”) creates a new registry key with an “AphroniaHaimavati” value that contains a base64-encoded PowerShell script. This PowerShell script is launched every 13 minutes by a Windows scheduled task. The injector is the component that uses a range of anti-debugging and anti-VM techniques before injecting the payload into a legitimate system process ("WWAHost.exe") via process hollowing, to evade detection by anti-virus tools running on the host. Finally, the primary payload attempts to collect data from the compromised machine, encrypt it, and send it to the C2. During the analysis the hardcoded C2 address was offline, but the malware kept retrying the connection even after 120 failed attempts. Beep is an example of malware that focuses heavily on evasion, having implemented multiple anti-analysis mechanisms before finalising the full feature set for data theft and command execution.
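As an added example (not code from the original post or from the Beep analysis), the following Python sketches a defender's check for the two persistence artefacts described above: registry values holding base64-encoded PowerShell, and a scheduled task that launches PowerShell on a short repeat interval. The registry paths, task names and script contents are constructed sample data, not indicators from the report; only the value name "AphroniaHaimavati" and the 13-minute interval come from the text.

```python
import base64
import re

# Constructed sample data, not indicators from the Beep report: registry values as
# (key, value_name, data) and scheduled tasks as (task_name, repeat_minutes, action).
SAMPLE_REGISTRY = [
    (r"HKCU\Software\Contoso\Updater", "AphroniaHaimavati",
     base64.b64encode(b"Start-Process -WindowStyle Hidden powershell -ArgumentList '-nop -w hidden'").decode()),
    (r"HKCU\Software\Contoso\Updater", "Stage2",
     base64.b64encode("Get-Process | Out-Null; Invoke-Expression $x".encode("utf-16-le")).decode()),
    (r"HKCU\Software\Vendor\Settings", "Theme", "ZGFyaw=="),        # decodes to "dark": benign
    (r"HKLM\Software\Vendor", "Path", r"C:\Program Files\Vendor"),  # not base64 at all
]
SAMPLE_TASKS = [
    (r"\Microsoft\Windows\UpdaterSync", 13, "powershell.exe -nop -w hidden -enc <placeholder>"),
    (r"\Microsoft\Windows\Defrag\ScheduledDefrag", 10080, "defrag.exe -c"),
]

# Tokens that mark decoded text as a PowerShell script rather than arbitrary data.
PS_MARKERS = re.compile(
    r"(?i)\b(Invoke-Expression|IEX|Start-Process|New-Object|DownloadString|FromBase64String|powershell)\b")

def decode_base64(data):
    """Return decoded text if data is strict base64 holding UTF-8 or UTF-16LE text, else None."""
    try:
        raw = base64.b64decode(data, validate=True)
    except ValueError:          # binascii.Error is a ValueError subclass
        return None
    try:
        # PowerShell's -EncodedCommand uses UTF-16LE, which shows up as interleaved NUL bytes.
        if b"\x00" in raw and len(raw) % 2 == 0:
            return raw.decode("utf-16-le")
        return raw.decode("utf-8")
    except UnicodeDecodeError:
        return None

def suspicious_registry_values(entries, min_len=16):
    """Flag registry values whose base64 payload decodes to PowerShell-looking text."""
    hits = []
    for key, name, data in entries:
        text = decode_base64(data) if len(data) >= min_len else None  # skip tiny values to cut noise
        if text and PS_MARKERS.search(text):
            hits.append((key, name))
    return hits

def suspicious_tasks(tasks, max_repeat_minutes=15):
    """Flag tasks that launch PowerShell on a short repeat interval (Beep used 13 minutes)."""
    return [name for name, repeat, action in tasks
            if repeat <= max_repeat_minutes and "powershell" in action.lower()]
```

On a live host the same two functions can be fed the output of a registry export and `schtasks /query /fo CSV /v` after light parsing; the marker list is a starting point and should be tuned to the environment.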
Emsisoft has warned that a hacker is using fake code-signing certificates to impersonate Emsisoft and target customers using its security products, hoping to bypass their defenses. Code-signing certificates are digital signatures used to sign an application so that users, software, and operating systems can verify that the software has not been tampered with since the publisher signed it. Threat actors attempt to abuse this by creating fake certificates whose name appears to be associated with a trustworthy entity but which, in reality, are not valid certificates. In a new security advisory, Emsisoft warned that one of its customers was targeted by hackers using an executable signed by a spoofed Emsisoft certificate. The company believes this was done to trick the customer into thinking any detections were false positives and to allow the program to run. "We recently observed an incident in which a fake code-signing certificate supposedly belonging to Emsisoft was used in an attempt to obfuscate a targeted attack against one of our customers," said Emsisoft in the security advisory. While the attack failed, and Emsisoft's security software blocked the file due to the invalid signature, the company is warning its customers to stay vigilant against similar attacks. However, the attack can still succeed if administrators treat a detection on a spoof-signed file as a false positive and allow it, so it is imperative to check whether such files are safe in a sandbox or isolated environment away from production before trusting them.
Earlier this week Apple released security updates for iOS, iPadOS, macOS, and Safari to address a zero-day vulnerability that it said has been actively exploited in the wild. Tracked as CVE-2023-23529, the issue is a type confusion bug in the WebKit browser engine that could be triggered when processing maliciously crafted web content, culminating in arbitrary code execution. Apple also addressed a use-after-free issue in the Kernel (CVE-2023-23514) that could permit a rogue app to execute arbitrary code with the highest privileges. Users are advised to update to iOS 16.3.1, iPadOS 16.3.1, macOS Ventura 13.2.1, and Safari 16.3.1 to mitigate potential risks.
Pepsi Bottling Ventures (PBV) has disclosed a breach of its network that resulted in the theft of employees' sensitive personal and financial information. According to the announcement, the company learned about the breach on January 10, discovering unauthorized access and linking it to a deployment of info-stealing malware that had occurred in December last year. PBV confirmed that the impacted information includes former and current employees' names, home and email addresses, financial account information, government-issued identification numbers, digital signatures, and information related to benefits and employment, including medical information.